Accepting request 984177 from home:dfaggioli:old_qemu

- Fix bugs boo#1200557 and boo#1199924
- Now that boo#1199924 is fixed, re-enable FORTIFY_SOURCE=3
* Patches added:
  pci-fix-overflow-in-snprintf-string-form.patch
  sphinx-change-default-language-to-en.patch

OBS-URL: https://build.opensuse.org/request/show/984177
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=721
This commit is contained in:
Dario Faggioli 2022-06-21 13:17:32 +00:00 committed by Git OBS Bridge
parent f76560bd5f
commit c39ad145aa
6 changed files with 151 additions and 8 deletions

View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c205305cd9e7d29be6220fe76cab04d5a7be4019e998cfeb643ac6a4e31de0a3
size 136912
oid sha256:b2837938571118a36f2134cbc2dab59a161748a2a3ae8decca176b5f35f3dea8
size 139264

View File

@ -0,0 +1,101 @@
From: Claudio Fontana <cfontana@suse.de>
Date: Tue, 31 May 2022 13:47:07 +0200
Subject: pci: fix overflow in snprintf string formatting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Git-commit: 36f18c6989a3d1ff1d7a0e50b0868ef3958299b4
References: bsc#1199924
the code in pcibus_get_fw_dev_path contained the potential for a
stack buffer overflow of 1 byte, potentially writing to the stack an
extra NUL byte.
This overflow could happen if the PCI slot is >= 0x10000000,
and the PCI function is >= 0x10000000, due to the size parameter
of snprintf being incorrectly calculated in the call:
if (PCI_FUNC(d->devfn))
snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
since the off obtained from a previous call to snprintf is added
instead of subtracted from the total available size of the buffer.
Without the accurate size guard from snprintf, we end up writing in the
worst case:
name (32) + "@" (1) + SLOT (8) + "," (1) + FUNC (8) + term NUL (1) = 51 bytes
In order to provide something more robust, replace all of the code in
pcibus_get_fw_dev_path with a single call to g_strdup_printf,
so there is no need to rely on manual calculations.
Found by compiling QEMU with FORTIFY_SOURCE=3 as the error:
*** buffer overflow detected ***: terminated
Thread 1 "qemu-system-x86" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff642c380 (LWP 121307)]
0x00007ffff71ff55c in __pthread_kill_implementation () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff71ff55c in __pthread_kill_implementation () at /lib64/libc.so.6
#1 0x00007ffff71ac6f6 in raise () at /lib64/libc.so.6
#2 0x00007ffff7195814 in abort () at /lib64/libc.so.6
#3 0x00007ffff71f279e in __libc_message () at /lib64/libc.so.6
#4 0x00007ffff729767a in __fortify_fail () at /lib64/libc.so.6
#5 0x00007ffff7295c36 in () at /lib64/libc.so.6
#6 0x00007ffff72957f5 in __snprintf_chk () at /lib64/libc.so.6
#7 0x0000555555b1c1fd in pcibus_get_fw_dev_path ()
#8 0x0000555555f2bde4 in qdev_get_fw_dev_path_helper.constprop ()
#9 0x0000555555f2bd86 in qdev_get_fw_dev_path_helper.constprop ()
#10 0x00005555559a6e5d in get_boot_device_path ()
#11 0x00005555559a712c in get_boot_devices_list ()
#12 0x0000555555b1a3d0 in fw_cfg_machine_reset ()
#13 0x0000555555bf4c2d in pc_machine_reset ()
#14 0x0000555555c66988 in qemu_system_reset ()
#15 0x0000555555a6dff6 in qdev_machine_creation_done ()
#16 0x0000555555c79186 in qmp_x_exit_preconfig.part ()
#17 0x0000555555c7b459 in qemu_init ()
#18 0x0000555555960a29 in main ()
Found-by: Dario Faggioli <Dario Faggioli <dfaggioli@suse.com>
Found-by: Martin Liška <martin.liska@suse.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Claudio Fontana <cfontana@suse.de>
Message-Id: <20220531114707.18830-1-cfontana@suse.de>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
---
hw/pci/pci.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index e5993c1ef52b7c9e39faa7de4020..87c419836b3c990ee862f623fd89 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -2576,15 +2576,15 @@ static char *pci_dev_fw_name(DeviceState *dev, char *buf, int len)
static char *pcibus_get_fw_dev_path(DeviceState *dev)
{
PCIDevice *d = (PCIDevice *)dev;
- char path[50], name[33];
- int off;
-
- off = snprintf(path, sizeof(path), "%s@%x",
- pci_dev_fw_name(dev, name, sizeof name),
- PCI_SLOT(d->devfn));
- if (PCI_FUNC(d->devfn))
- snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
- return g_strdup(path);
+ char name[33];
+ int has_func = !!PCI_FUNC(d->devfn);
+
+ return g_strdup_printf("%s@%x%s%.*x",
+ pci_dev_fw_name(dev, name, sizeof(name)),
+ PCI_SLOT(d->devfn),
+ has_func ? "," : "",
+ has_func,
+ PCI_FUNC(d->devfn));
}
static char *pcibus_get_dev_path(DeviceState *dev)

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue Jun 21 07:30:46 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
- Fix bugs boo#1200557 and boo#1199924
- Now that boo#1199924 is fixed, re-enable FORTIFY_SOURCE=3
* Patches added:
pci-fix-overflow-in-snprintf-string-form.patch
sphinx-change-default-language-to-en.patch
-------------------------------------------------------------------
Fri May 27 14:07:50 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>

View File

@ -248,6 +248,8 @@ Patch00104: python-aqmp-add-start_server-and-accept-.patch
Patch00105: python-aqmp-fix-race-condition-in-legacy.patch
Patch00106: python-aqmp-drop-_bind_hack.patch
Patch00107: block-qdict-Fix-Werror-maybe-uninitializ.patch
Patch00108: pci-fix-overflow-in-snprintf-string-form.patch
Patch00109: sphinx-change-default-language-to-en.patch
# Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch
@ -1278,6 +1280,8 @@ This package records qemu testsuite results and represents successful testing.
%patch00105 -p1
%patch00106 -p1
%patch00107 -p1
%patch00108 -p1
%patch00109 -p1
%patch01000 -p1
%patch01001 -p1
%patch01002 -p1
@ -1394,8 +1398,6 @@ cp %{SOURCE13} docs/supported.rst
mkdir -p %blddir
cd %blddir
# We want to enforce _FORTIFY_SOURCE=2. See bsc#1199924
EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g') -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
%srcdir/configure \
--prefix=%_prefix \
--sysconfdir=%_sysconfdir \
@ -1405,7 +1407,7 @@ EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g
--docdir=%_docdir \
--firmwarepath=%_datadir/%name \
--python=%_bindir/python3 \
--extra-cflags="${EXTRA_CFLAGS}" \
--extra-cflags="%{optflags}" \
--with-git-submodules=ignore \
--disable-fuzzing \
--disable-multiprocess \

View File

@ -1128,8 +1128,6 @@ cp %{SOURCE13} docs/supported.rst
mkdir -p %blddir
cd %blddir
# We want to enforce _FORTIFY_SOURCE=2. See bsc#1199924
EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g') -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
%srcdir/configure \
--prefix=%_prefix \
--sysconfdir=%_sysconfdir \
@ -1139,7 +1137,7 @@ EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g
--docdir=%_docdir \
--firmwarepath=%_datadir/%name \
--python=%_bindir/python3 \
--extra-cflags="${EXTRA_CFLAGS}" \
--extra-cflags="%{optflags}" \
--with-git-submodules=ignore \
--disable-fuzzing \
--disable-multiprocess \

View File

@ -0,0 +1,33 @@
From: =?UTF-8?q?Martin=20Li=C5=A1ka?= <mliska@suse.cz>
Date: Fri, 17 Jun 2022 16:02:56 +0200
Subject: sphinx: change default language to 'en'
Git-commit: 0000000000000000000000000000000000000000
References: bsc#1200557
Fixes the following Sphinx warning (treated as error) starting
with 5.0 release:
Warning, treated as error:
Invalid configuration value found: 'language = None'. Update your configuration to a valid langauge code. Falling back to 'en' (English).
Signed-off-by: Martin Liska <mliska@suse.cz>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Acked-by: Dario Faggioli <dfaggioli@suse.com>
---
docs/conf.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/conf.py b/docs/conf.py
index 763e7d2434487bb558111d34f07f..84b593e12af8a17412b731ef4366 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -120,7 +120,7 @@ finally:
#
# This is also used if you do content translation via gettext catalogs.
# Usually you set "language" from the command line for these cases.
-language = None
+language = 'en'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.