From c39ad145aa6563f67ffb46b37b5704268a996c41ff9ae3405342a76110a7c184 Mon Sep 17 00:00:00 2001
From: Dario Faggioli
Date: Tue, 21 Jun 2022 13:17:32 +0000
Subject: [PATCH] Accepting request 984177 from home:dfaggioli:old_qemu

- Fix bugs boo#1200557 and boo#1199924
- Now that boo#1199924 is fixed, re-enable FORTIFY_SOURCE=3
* Patches added:
 pci-fix-overflow-in-snprintf-string-form.patch
 sphinx-change-default-language-to-en.patch

OBS-URL: https://build.opensuse.org/request/show/984177
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=721
---
 bundles.tar.xz | 4 +-
 ...fix-overflow-in-snprintf-string-form.patch | 101 ++++++++++++++++++
 qemu.changes | 9 ++
 qemu.spec | 8 +-
 qemu.spec.in | 4 +-
 sphinx-change-default-language-to-en.patch | 33 ++++++
 6 files changed, 151 insertions(+), 8 deletions(-)
 create mode 100644 pci-fix-overflow-in-snprintf-string-form.patch
 create mode 100644 sphinx-change-default-language-to-en.patch

diff --git a/bundles.tar.xz b/bundles.tar.xz
index bc595ff0..9059f106 100644
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c205305cd9e7d29be6220fe76cab04d5a7be4019e998cfeb643ac6a4e31de0a3
-size 136912
+oid sha256:b2837938571118a36f2134cbc2dab59a161748a2a3ae8decca176b5f35f3dea8
+size 139264
diff --git a/pci-fix-overflow-in-snprintf-string-form.patch b/pci-fix-overflow-in-snprintf-string-form.patch
new file mode 100644
index 00000000..e3687bca
--- /dev/null
+++ b/pci-fix-overflow-in-snprintf-string-form.patch
@@ -0,0 +1,101 @@
+From: Claudio Fontana
+Date: Tue, 31 May 2022 13:47:07 +0200
+Subject: pci: fix overflow in snprintf string formatting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 36f18c6989a3d1ff1d7a0e50b0868ef3958299b4
+References: bsc#1199924
+
+the code in pcibus_get_fw_dev_path contained the potential for a
+stack buffer overflow of 1 byte, potentially writing to the stack an
+extra NUL byte.
+
+This overflow could happen if the PCI slot is >= 0x10000000,
+and the PCI function is >= 0x10000000, due to the size parameter
+of snprintf being incorrectly calculated in the call:
+
+ if (PCI_FUNC(d->devfn))
+ snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
+
+since the off obtained from a previous call to snprintf is added
+instead of subtracted from the total available size of the buffer.
+
+Without the accurate size guard from snprintf, we end up writing in the
+worst case:
+
+name (32) + "@" (1) + SLOT (8) + "," (1) + FUNC (8) + term NUL (1) = 51 bytes
+
+In order to provide something more robust, replace all of the code in
+pcibus_get_fw_dev_path with a single call to g_strdup_printf,
+so there is no need to rely on manual calculations.
+
+Found by compiling QEMU with FORTIFY_SOURCE=3 as the error:
+
+*** buffer overflow detected ***: terminated
+
+Thread 1 "qemu-system-x86" received signal SIGABRT, Aborted.
+[Switching to Thread 0x7ffff642c380 (LWP 121307)]
+0x00007ffff71ff55c in __pthread_kill_implementation () from /lib64/libc.so.6
+(gdb) bt
+ #0 0x00007ffff71ff55c in __pthread_kill_implementation () at /lib64/libc.so.6
+ #1 0x00007ffff71ac6f6 in raise () at /lib64/libc.so.6
+ #2 0x00007ffff7195814 in abort () at /lib64/libc.so.6
+ #3 0x00007ffff71f279e in __libc_message () at /lib64/libc.so.6
+ #4 0x00007ffff729767a in __fortify_fail () at /lib64/libc.so.6
+ #5 0x00007ffff7295c36 in () at /lib64/libc.so.6
+ #6 0x00007ffff72957f5 in __snprintf_chk () at /lib64/libc.so.6
+ #7 0x0000555555b1c1fd in pcibus_get_fw_dev_path ()
+ #8 0x0000555555f2bde4 in qdev_get_fw_dev_path_helper.constprop ()
+ #9 0x0000555555f2bd86 in qdev_get_fw_dev_path_helper.constprop ()
+ #10 0x00005555559a6e5d in get_boot_device_path ()
+ #11 0x00005555559a712c in get_boot_devices_list ()
+ #12 0x0000555555b1a3d0 in fw_cfg_machine_reset ()
+ #13 0x0000555555bf4c2d in pc_machine_reset ()
+ #14 0x0000555555c66988 in qemu_system_reset ()
+ #15 0x0000555555a6dff6 in qdev_machine_creation_done ()
+ #16 0x0000555555c79186 in qmp_x_exit_preconfig.part ()
+ #17 0x0000555555c7b459 in qemu_init ()
+ #18 0x0000555555960a29 in main ()
+
+Found-by: Dario Faggioli
+Found-by: Martin Liška
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Claudio Fontana
+Message-Id: <20220531114707.18830-1-cfontana@suse.de>
+Reviewed-by: Ani Sinha
+Signed-off-by: Dario Faggioli
+---
+ hw/pci/pci.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/hw/pci/pci.c b/hw/pci/pci.c
+index e5993c1ef52b7c9e39faa7de4020..87c419836b3c990ee862f623fd89 100644
+--- a/hw/pci/pci.c
++++ b/hw/pci/pci.c
+@@ -2576,15 +2576,15 @@ static char *pci_dev_fw_name(DeviceState *dev, char *buf, int len)
+ static char *pcibus_get_fw_dev_path(DeviceState *dev)
+ {
+ PCIDevice *d = (PCIDevice *)dev;
+- char path[50], name[33];
+- int off;
+-
+- off = snprintf(path, sizeof(path), "%s@%x",
+- pci_dev_fw_name(dev, name, sizeof
name),
+- PCI_SLOT(d->devfn));
+- if (PCI_FUNC(d->devfn))
+- snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
+- return g_strdup(path);
++ char name[33];
++ int has_func = !!PCI_FUNC(d->devfn);
++
++ return g_strdup_printf("%s@%x%s%.*x",
++ pci_dev_fw_name(dev, name, sizeof(name)),
++ PCI_SLOT(d->devfn),
++ has_func ? "," : "",
++ has_func,
++ PCI_FUNC(d->devfn));
+ }
+
+ static char *pcibus_get_dev_path(DeviceState *dev)
diff --git a/qemu.changes b/qemu.changes
index 261f31c5..39440f7b 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jun 21 07:30:46 UTC 2022 - Dario Faggioli
+
+- Fix bugs boo#1200557 and boo#1199924
+- Now that boo#1199924 is fixed, re-enable FORTIFY_SOURCE=3
+* Patches added:
+ pci-fix-overflow-in-snprintf-string-form.patch
+ sphinx-change-default-language-to-en.patch
+
 -------------------------------------------------------------------
 Fri May 27 14:07:50 UTC 2022 - Dario Faggioli
diff --git a/qemu.spec b/qemu.spec
index a9ef32b0..9d4c77e2 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -248,6 +248,8 @@ Patch00104: python-aqmp-add-start_server-and-accept-.patch
 Patch00105: python-aqmp-fix-race-condition-in-legacy.patch
 Patch00106: python-aqmp-drop-_bind_hack.patch
 Patch00107: block-qdict-Fix-Werror-maybe-uninitializ.patch
+Patch00108: pci-fix-overflow-in-snprintf-string-form.patch
+Patch00109: sphinx-change-default-language-to-en.patch
 # Patches applied in roms/seabios/:
 Patch01000: seabios-use-python2-explicitly-as-needed.patch
 Patch01001: seabios-switch-to-python3-as-needed.patch
@@ -1278,6 +1280,8 @@ This package records qemu testsuite results and represents successful testing.
 %patch00105 -p1
 %patch00106 -p1
 %patch00107 -p1
+%patch00108 -p1
+%patch00109 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
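Review bot: The new `g_strdup_printf` call in pcibus_get_fw_dev_path leans on a C99 corner case, a `%.*x` whose precision is 0 printing no characters for a zero value, so that `has_func` both selects the `","` separator and suppresses the digits; it is correct, but a later reader is likely to "fix" it, so a comment such as `/* has_func doubles as the %.*x precision: 0 prints nothing, 1 prints at least one hex digit */` belongs above the call. The patch header could also say that under _FORTIFY_SOURCE=3 the old `sizeof(path) + off` size argument presumably trips `__snprintf_chk` as soon as it exceeds the remaining object size, which is why, as the backtrace through fw_cfg_machine_reset shows, the defect surfaced as an abort during machine reset rather than only as the theoretical one-byte overwrite the message describes. The whole function is inside the hunk; the split of `sizeof name),` across two lines here is an extraction artefact, not part of the patch.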
@@ -1394,8 +1398,6 @@ cp %{SOURCE13} docs/supported.rst
 mkdir -p %blddir
 cd %blddir
-# We want to enforce _FORTIFY_SOURCE=2. See bsc#1199924
-EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g') -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
 %srcdir/configure \
 --prefix=%_prefix \
 --sysconfdir=%_sysconfdir \
@@ -1405,7 +1407,7 @@ EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g
 --docdir=%_docdir \
 --firmwarepath=%_datadir/%name \
 --python=%_bindir/python3 \
- --extra-cflags="${EXTRA_CFLAGS}" \
+ --extra-cflags="%{optflags}" \
 --with-git-submodules=ignore \
 --disable-fuzzing \
 --disable-multiprocess \
diff --git a/qemu.spec.in b/qemu.spec.in
index 2a3da5d0..6b87be3f 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -1128,8 +1128,6 @@ cp %{SOURCE13} docs/supported.rst
 mkdir -p %blddir
 cd %blddir
-# We want to enforce _FORTIFY_SOURCE=2. See bsc#1199924
-EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g') -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
 %srcdir/configure \
 --prefix=%_prefix \
 --sysconfdir=%_sysconfdir \
@@ -1139,7 +1137,7 @@ EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g
 --docdir=%_docdir \
 --firmwarepath=%_datadir/%name \
 --python=%_bindir/python3 \
- --extra-cflags="${EXTRA_CFLAGS}" \
+ --extra-cflags="%{optflags}" \
 --with-git-submodules=ignore \
 --disable-fuzzing \
 --disable-multiprocess \
diff --git a/sphinx-change-default-language-to-en.patch b/sphinx-change-default-language-to-en.patch
new file mode 100644
index 00000000..eaa7f91a
--- /dev/null
+++ b/sphinx-change-default-language-to-en.patch
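Review bot: Passing `--extra-cflags="%{optflags}"` removes the only place the spec recorded its _FORTIFY_SOURCE policy, so the next person who meets a fortify abort in this package has no pointer to why the =2 pin existed or was dropped; keep a one-line comment above `%srcdir/configure \`, e.g. `# Hardening flags, incl. _FORTIFY_SOURCE=3, come unmodified from %{optflags}; the =2 override for bsc#1199924 is obsolete`. The identical pair of hunks in qemu.spec.in needs the same comment, and if qemu.spec is regenerated from qemu.spec.in that is the copy to edit. Both configure invocations start and end outside the hunks.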
@@ -0,0 +1,33 @@
+From: =?UTF-8?q?Martin=20Li=C5=A1ka?=
+Date: Fri, 17 Jun 2022 16:02:56 +0200
+Subject: sphinx: change default language to 'en'
+
+Git-commit: 0000000000000000000000000000000000000000
+References: bsc#1200557
+
+Fixes the following Sphinx warning (treated as error) starting
+with 5.0 release:
+
+Warning, treated as error:
+Invalid configuration value found: 'language = None'. Update your configuration to a valid langauge code. Falling back to 'en' (English).
+
+Signed-off-by: Martin Liska
+Reviewed-by: Peter Maydell
+Acked-by: Dario Faggioli
+---
+ docs/conf.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/conf.py b/docs/conf.py
+index 763e7d2434487bb558111d34f07f..84b593e12af8a17412b731ef4366 100644
+--- a/docs/conf.py
++++ b/docs/conf.py
+@@ -120,7 +120,7 @@ finally:
+ #
+ # This is also used if you do content translation via gettext catalogs.
+ # Usually you set "language" from the command line for these cases.
+-language = None
++language = 'en'
+
+ # List of patterns, relative to source directory, that match files and
+ # directories to ignore when looking for source files.
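Review bot: The added patch header carries `Git-commit: 0000000000000000000000000000000000000000`, a placeholder, while the `Reviewed-by: Peter Maydell` trailer suggests the change was already posted upstream; once the upstream commit exists the field should be updated so the backport can be matched against it at the next rebase, and a `References:` line alone does not give that. The `language = 'en'` change itself is a one-token edit and needs nothing further.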