Accepting request 688939 from home:bfrogers:branches:Virtualization

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
* Patches added:
  0061-slirp-check-sscanf-result-when-emul.patch
  0062-ppc-add-host-serial-and-host-model-.patch
  0063-i2c-ddc-fix-oob-read.patch
- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
  Also add a corresponding Recommends for qemu-tools as part of
  this packaging adjustment (bsc#1130484)
- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
  0061-slirp-check-sscanf-result-when-emul.patch
- Add method to specify whether or not to expose certain ppc64 host
  information, which can be considered a security issue
  (CVE-2019-8934 bsc#1126455)
  0062-ppc-add-host-serial-and-host-model-.patch
- Fix OOB memory access and information leak in virtual monitor
  interface (CVE-2019-03812 bsc#1125721) 
  0063-i2c-ddc-fix-oob-read.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
  Also add a corresponding Recommends for qemu-tools as part of
  this packaging adjustment (bsc#1130484)
- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
  0061-slirp-check-sscanf-result-when-emul.patch
- Add method to specify whether or not to expose certain ppc64 host
  information, which can be considered a security issue
  (CVE-2019-8934 bsc#1126455)
  0062-ppc-add-host-serial-and-host-model-.patch
- Fix OOB memory access and information leak in virtual monitor
  interface (CVE-2019-03812 bsc#1125721) 
  0063-i2c-ddc-fix-oob-read.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1

OBS-URL: https://build.opensuse.org/request/show/688939
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=460

0061-slirp-check-sscanf-result-when-emul.patch

@@ -0,0 +1,47 @@
+From: William Bowling <will@wbowling.info>
+Date: Fri, 1 Mar 2019 21:45:56 +0000
+Subject: slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
+[BR: BSC#1129622 CVE-2019-9824 To pass our checkpatch check, I changed
+the patch to use spaces, not tabs, as in the initially proposed]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ slirp/tcp_subr.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 7a23ce738c..a6fd8626a8 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -661,12 +661,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ 							break;
+ 						}
+ 					}
++                                        so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++                                                                 so_rcv->sb_datalen,
++                                                                 "%d,%d\r\n", n1, n2);
++                                        so_rcv->sb_rptr = so_rcv->sb_data;
++                                        so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 				}
+-                                so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+-                                                         so_rcv->sb_datalen,
+-                                                         "%d,%d\r\n", n1, n2);
+-				so_rcv->sb_rptr = so_rcv->sb_data;
+-				so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ 			}
+ 			m_free(m);
+ 			return 0;

0062-ppc-add-host-serial-and-host-model-.patch

@@ -0,0 +1,153 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Feb 2019 23:43:49 +0530
+Subject: ppc: add host-serial and host-model machine attributes
+ (CVE-2019-8934)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+On ppc hosts, hypervisor shares following system attributes
+
+  - /proc/device-tree/system-id
+  - /proc/device-tree/model
+
+with a guest. This could lead to information leakage and misuse.[*]
+Add machine attributes to control such system information exposure
+to a guest.
+
+[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
+
+Reported-by: Daniel P. Berrangé <berrange@redhat.com>
+Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit 27461d69a0f108dea756419251acc3ea65198f1b)
+[BR: BSC#1126455 CVE-2019-03812]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/ppc/spapr.c         | 73 ++++++++++++++++++++++++++++++++++++++----
+ include/hw/ppc/spapr.h |  2 ++
+ 2 files changed, 69 insertions(+), 6 deletions(-)
+
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
+index 7afd1a175b..d3098d520e 100644
+--- a/hw/ppc/spapr.c
++++ b/hw/ppc/spapr.c
+@@ -1244,13 +1244,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
+      * Add info to guest to indentify which host is it being run on
+      * and what is the uuid of the guest
+      */
+-    if (kvmppc_get_host_model(&buf)) {
+-        _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+-        g_free(buf);
++    if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
++        if (g_str_equal(spapr->host_model, "passthrough")) {
++            /* -M host-model=passthrough */
++            if (kvmppc_get_host_model(&buf)) {
++                _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
++                g_free(buf);
++            }
++        } else {
++            /* -M host-model=<user-string> */
++            _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
++        }
+     }
+-    if (kvmppc_get_host_serial(&buf)) {
+-        _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+-        g_free(buf);
++
++    if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
++        if (g_str_equal(spapr->host_serial, "passthrough")) {
++            /* -M host-serial=passthrough */
++            if (kvmppc_get_host_serial(&buf)) {
++                _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
++                g_free(buf);
++            }
++        } else {
++            /* -M host-serial=<user-string> */
++            _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
++        }
+     }
+ 
+     buf = qemu_uuid_unparse_strdup(&qemu_uuid);
+@@ -3031,6 +3048,36 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
+     visit_type_uint32(v, name, (uint32_t *)opaque, errp);
+ }
+ 
++static char *spapr_get_host_model(Object *obj, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    return g_strdup(spapr->host_model);
++}
++
++static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    g_free(spapr->host_model);
++    spapr->host_model = g_strdup(value);
++}
++
++static char *spapr_get_host_serial(Object *obj, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    return g_strdup(spapr->host_serial);
++}
++
++static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
++{
++    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
++
++    g_free(spapr->host_serial);
++    spapr->host_serial = g_strdup(value);
++}
++
+ static void spapr_instance_init(Object *obj)
+ {
+     sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+@@ -3067,6 +3114,17 @@ static void spapr_instance_init(Object *obj)
+                                     " the host's SMT mode", &error_abort);
+     object_property_add_bool(obj, "vfio-no-msix-emulation",
+                              spapr_get_msix_emulation, NULL, NULL);
++
++    object_property_add_str(obj, "host-model",
++        spapr_get_host_model, spapr_set_host_model,
++        &error_abort);
++    object_property_set_description(obj, "host-model",
++        "Set host's model-id to use - none|passthrough|string", &error_abort);
++    object_property_add_str(obj, "host-serial",
++        spapr_get_host_serial, spapr_set_host_serial,
++        &error_abort);
++    object_property_set_description(obj, "host-serial",
++        "Set host's system-id to use - none|passthrough|string", &error_abort);
+ }
+ 
+ static void spapr_machine_finalizefn(Object *obj)
+@@ -3961,6 +4019,9 @@ static const TypeInfo spapr_machine_info = {
+  */
+ static void spapr_machine_3_1_instance_options(MachineState *machine)
+ {
++    sPAPRMachineState *spapr = SPAPR_MACHINE(machine);
++    spapr->host_model = g_strdup("passthrough");
++    spapr->host_serial = g_strdup("passthrough");
+ }
+ 
+ static void spapr_machine_3_1_class_options(MachineClass *mc)
+diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
+index 6279711fe8..63692a13bd 100644
+--- a/include/hw/ppc/spapr.h
++++ b/include/hw/ppc/spapr.h
+@@ -171,6 +171,8 @@ struct sPAPRMachineState {
+ 
+     /*< public >*/
+     char *kvm_type;
++    char *host_model;
++    char *host_serial;
+ 
+     const char *icp_type;
+     int32_t irq_map_nr;

0063-i2c-ddc-fix-oob-read.patch

@@ -0,0 +1,32 @@
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 8 Jan 2019 11:23:01 +0100
+Subject: i2c-ddc: fix oob read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Suggested-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190108102301.1957-1-kraxel@redhat.com
+(cherry picked from commit b05b267840515730dbf6753495d5b7bd8b04ad1c)
+[BR: BSC#1125721 CVE-2019-3812]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/i2c/i2c-ddc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
+index be34fe072c..0a0367ff38 100644
+--- a/hw/i2c/i2c-ddc.c
++++ b/hw/i2c/i2c-ddc.c
+@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
+     I2CDDCState *s = I2CDDC(i2c);
+ 
+     int value;
+-    value = s->edid_blob[s->reg];
++    value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
+     s->reg++;
+     return value;
+ }

qemu-linux-user.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Mon Mar 25 20:45:10 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+* Patches added:
+  0061-slirp-check-sscanf-result-when-emul.patch
+  0062-ppc-add-host-serial-and-host-model-.patch
+  0063-i2c-ddc-fix-oob-read.patch
+
 -------------------------------------------------------------------
 Fri Feb 15 22:49:26 UTC 2019 - Bruce Rogers <brogers@suse.com>
 

qemu-linux-user.spec

@@ -92,6 +92,9 @@ Patch0057:      0057-s390x-Return-specification-exceptio.patch
 Patch0058:      0058-Revert-target-i386-kvm-add-VMX-migr.patch
 Patch0059:      0059-memory-Fix-the-memory-region-type-a.patch
 Patch0060:      0060-target-i386-sev-Do-not-pin-the-ram-.patch
+Patch0061:      0061-slirp-check-sscanf-result-when-emul.patch
+Patch0062:      0062-ppc-add-host-serial-and-host-model-.patch
+Patch0063:      0063-i2c-ddc-fix-oob-read.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch:    s390
@@ -183,6 +186,9 @@ syscall layer occurs on the native hardware and operating system.
 %patch0058 -p1
 %patch0059 -p1
 %patch0060 -p1
+%patch0061 -p1
+%patch0062 -p1
+%patch0063 -p1
 
 %build
 ./configure \

qemu-testsuite.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Mar 25 20:45:08 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
+  Also add a corresponding Recommends for qemu-tools as part of
+  this packaging adjustment (bsc#1130484)
+- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
+  0061-slirp-check-sscanf-result-when-emul.patch
+- Add method to specify whether or not to expose certain ppc64 host
+  information, which can be considered a security issue
+  (CVE-2019-8934 bsc#1126455)
+  0062-ppc-add-host-serial-and-host-model-.patch
+- Fix OOB memory access and information leak in virtual monitor
+  interface (CVE-2019-03812 bsc#1125721) 
+  0063-i2c-ddc-fix-oob-read.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+
 -------------------------------------------------------------------
 Fri Mar  8 17:49:54 UTC 2019 - Bruce Rogers <brogers@suse.com>
 

qemu-testsuite.spec

@@ -203,6 +203,9 @@ Patch0057:      0057-s390x-Return-specification-exceptio.patch
 Patch0058:      0058-Revert-target-i386-kvm-add-VMX-migr.patch
 Patch0059:      0059-memory-Fix-the-memory-region-type-a.patch
 Patch0060:      0060-target-i386-sev-Do-not-pin-the-ram-.patch
+Patch0061:      0061-slirp-check-sscanf-result-when-emul.patch
+Patch0062:      0062-ppc-add-host-serial-and-host-model-.patch
+Patch0063:      0063-i2c-ddc-fix-oob-read.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -344,7 +347,6 @@ BuildRequires:  libxkbcommon-devel
 BuildRequires:  lzo-devel
 BuildRequires:  makeinfo
 %if 0%{?suse_version} > 1320
-BuildRequires:  multipath-tools
 BuildRequires:  multipath-tools-devel
 %endif
 BuildRequires:  ncurses-devel
@@ -843,6 +845,7 @@ Release:        0
 Provides:       %name:%_libexecdir/qemu-bridge-helper
 Requires(pre):  permissions
 Requires(pre):  shadow
+Recommends:     multipath-tools
 Recommends:     qemu-block-curl
 %if 0%{?with_rbd}
 Recommends:     qemu-block-rbd
@@ -1001,6 +1004,9 @@ This package provides a service file for starting and stopping KSM.
 %patch0058 -p1
 %patch0059 -p1
 %patch0060 -p1
+%patch0061 -p1
+%patch0062 -p1
+%patch0063 -p1
 
 pushd roms/seabios
 %patch1100 -p1

qemu.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Mon Mar 25 20:45:08 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
+  Also add a corresponding Recommends for qemu-tools as part of
+  this packaging adjustment (bsc#1130484)
+- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
+  0061-slirp-check-sscanf-result-when-emul.patch
+- Add method to specify whether or not to expose certain ppc64 host
+  information, which can be considered a security issue
+  (CVE-2019-8934 bsc#1126455)
+  0062-ppc-add-host-serial-and-host-model-.patch
+- Fix OOB memory access and information leak in virtual monitor
+  interface (CVE-2019-03812 bsc#1125721) 
+  0063-i2c-ddc-fix-oob-read.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+
 -------------------------------------------------------------------
 Fri Mar  8 17:49:54 UTC 2019 - Bruce Rogers <brogers@suse.com>
 

qemu.spec

@@ -203,6 +203,9 @@ Patch0057:      0057-s390x-Return-specification-exceptio.patch
 Patch0058:      0058-Revert-target-i386-kvm-add-VMX-migr.patch
 Patch0059:      0059-memory-Fix-the-memory-region-type-a.patch
 Patch0060:      0060-target-i386-sev-Do-not-pin-the-ram-.patch
+Patch0061:      0061-slirp-check-sscanf-result-when-emul.patch
+Patch0062:      0062-ppc-add-host-serial-and-host-model-.patch
+Patch0063:      0063-i2c-ddc-fix-oob-read.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -344,7 +347,6 @@ BuildRequires:  libxkbcommon-devel
 BuildRequires:  lzo-devel
 BuildRequires:  makeinfo
 %if 0%{?suse_version} > 1320
-BuildRequires:  multipath-tools
 BuildRequires:  multipath-tools-devel
 %endif
 BuildRequires:  ncurses-devel
@@ -843,6 +845,7 @@ Release:        0
 Provides:       %name:%_libexecdir/qemu-bridge-helper
 Requires(pre):  permissions
 Requires(pre):  shadow
+Recommends:     multipath-tools
 Recommends:     qemu-block-curl
 %if 0%{?with_rbd}
 Recommends:     qemu-block-rbd
@@ -1001,6 +1004,9 @@ This package provides a service file for starting and stopping KSM.
 %patch0058 -p1
 %patch0059 -p1
 %patch0060 -p1
+%patch0061 -p1
+%patch0062 -p1
+%patch0063 -p1
 
 pushd roms/seabios
 %patch1100 -p1

qemu.spec.in

@@ -282,7 +282,6 @@ BuildRequires:  libxkbcommon-devel
 BuildRequires:  lzo-devel
 BuildRequires:  makeinfo
 %if 0%{?suse_version} > 1320
-BuildRequires:  multipath-tools
 BuildRequires:  multipath-tools-devel
 %endif
 BuildRequires:  ncurses-devel
@@ -781,6 +780,7 @@ Release:        0
 Provides:       %name:%_libexecdir/qemu-bridge-helper
 Requires(pre):  permissions
 Requires(pre):  shadow
+Recommends:     multipath-tools
 Recommends:     qemu-block-curl
 %if 0%{?with_rbd}
 Recommends:     qemu-block-rbd
@@ -1176,7 +1176,6 @@ make %{?_smp_mflags} -C roms efirom
 make                 -C roms sgabios \
   HOSTCC=cc
 
-
 %if %{force_fit_virtio_pxe_rom}
 pushd roms/ipxe
 patch -p1 < %{SOURCE301}