diff --git a/0069-qemu-nbd-Ignore-SIGPIPE.patch b/0069-qemu-nbd-Ignore-SIGPIPE.patch
new file mode 100644
index 00000000..68118f54
--- /dev/null
+++ b/0069-qemu-nbd-Ignore-SIGPIPE.patch
@@ -0,0 +1,47 @@
+From 40c9dcf30be29a4d76aeb85b5510cea071423b81 Mon Sep 17 00:00:00 2001
+From: Max Reitz
+Date: Sun, 11 Jun 2017 14:37:14 +0200
+Subject: [PATCH] qemu-nbd: Ignore SIGPIPE
+
+qemu proper has done so for 13 years
+(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
+done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
+Ignoring this signal is especially important in qemu-nbd because
+otherwise a client can easily take down the qemu-nbd server by dropping
+the connection when the server wants to send something, for example:
+
+$ qemu-nbd -x foo -f raw -t null-co:// &
+[1] 12726
+$ qemu-io -c quit nbd://localhost/bar
+can't open device nbd://localhost/bar: No export with name 'bar' available
+[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co://
+
+In this case, the client sends an NBD_OPT_ABORT and closes the
+connection (because it is not required to wait for a reply), but the
+server replies with an NBD_REP_ACK (because it is required to reply).
+
+Signed-off-by: Max Reitz
+Message-Id: <20170611123714.31292-1-mreitz@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 041e32b8d9d076980b4e35317c0339e57ab888f1)
+[BR: BSC#1046636 CVE-2017-10664]
+Signed-off-by: Bruce Rogers
+---
+ qemu-nbd.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index b44764eb87..83bf9cb46c 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -581,6 +581,10 @@ int main(int argc, char **argv)
+ sa_sigterm.sa_handler = termsig_handler;
+ sigaction(SIGTERM, &sa_sigterm, NULL);
+ 
++#ifdef CONFIG_POSIX
++ signal(SIGPIPE, SIG_IGN);
++#endif
++
+ module_call_init(MODULE_INIT_TRACE);
+ qcrypto_init(&error_fatal);
+ 
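Review bot: The new `signal(SIGPIPE, SIG_IGN);` in main() carries no comment, so the reason the server deliberately ignores the signal lives only in the commit message; a line such as `/* A client that drops the connection mid-reply must surface as EPIPE on the write, not kill the server (CVE-2017-10664). */` keeps the rationale next to the code. With the signal ignored, writes to a closed socket now fail with EPIPE instead of terminating the process, so the fix only holds if the NBD send path treats EPIPE/ECONNRESET as a per-connection error rather than a fatal one — that path is outside the hunk and worth confirming. For consistency with the neighbouring `sigaction(SIGTERM, ...)` the same could be expressed through sigaction, though `signal()` with SIG_IGN is portable and the CONFIG_POSIX guard is harmless. main() continues beyond the hunk.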
diff --git a/0070-usb-redir-fix-stack-overflow-in-usb.patch b/0070-usb-redir-fix-stack-overflow-in-usb.patch
new file mode 100644
index 00000000..871512ae
--- /dev/null
+++ b/0070-usb-redir-fix-stack-overflow-in-usb.patch
@@ -0,0 +1,50 @@
+From 416a6f3bf137b8e6782dd7c1f9563afe8ee97b19 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Tue, 9 May 2017 13:01:28 +0200
+Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Don't reinvent a broken wheel, just use the hexdump function we have.
+
+Impact: low, broken code doesn't run unless you have debug logging
+enabled.
+
+Reported-by: 李强
+Signed-off-by: Gerd Hoffmann
+Message-id: 20170509110128.27261-1-kraxel@redhat.com
+(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d)
+[BR: BSC#1047674 CVE-2017-10806]
+Signed-off-by: Bruce Rogers
+---
+ hw/usb/redirect.c | 13 +------------
+ 1 file changed, 1 insertion(+), 12 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 0efe62f725..eb70dc7218 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
+ static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
+ const uint8_t *data, int len)
+ {
+- int i, j, n;
+-
+ if (dev->debug < usbredirparser_debug_data) {
+ return;
+ }
+-
+- for (i = 0; i < len; i += j) {
+- char buf[128];
+-
+- n = sprintf(buf, "%s", desc);
+- for (j = 0; j < 8 && i + j < len; j++) {
+- n += sprintf(buf + n, " %02X", data[i + j]);
+- }
+- error_report("%s", buf);
+- }
++ qemu_hexdump((char *)data, stderr, desc, len);
+ }
+ 
+ /*
diff --git a/0071-exec-use-qemu_ram_ptr_length-to-acc.patch b/0071-exec-use-qemu_ram_ptr_length-to-acc.patch
new file mode 100644
index 00000000..0e768686
--- /dev/null
+++ b/0071-exec-use-qemu_ram_ptr_length-to-acc.patch
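Review bot: The replacement line `qemu_hexdump((char *)data, stderr, desc, len);` casts away the `const` on `data`; if qemu_hexdump's buffer parameter is `const char *` (as it is upstream, not visible in this hunk), `(const char *)data` is the cast that preserves the caller's contract instead of discarding it. `len` is declared `int` while a hexdump size parameter is normally `size_t`, so a negative `len` that the removed `i < len` loop silently ignored would now convert to a huge size; an early `if (len <= 0) { return; }` before the call keeps the old behaviour if the parser can ever hand over a negative length, which the hunk cannot show. Note also that output now goes straight to `stderr` rather than through `error_report()`, so it bypasses the program-name prefix and any redirection error_report applies — acceptable for debug-only data, but worth a one-line comment.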
@@ -0,0 +1,43 @@
+From f6658a500e003e91225f59bc2c2305c6b7d2f0d1 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Wed, 12 Jul 2017 18:08:40 +0530
+Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram
+
+When accessing guest's ram block during DMA operation, use
+'qemu_ram_ptr_length' to get ram block pointer. It ensures
+that DMA operation of given length is possible; And avoids
+any OOB memory access situations.
+
+Reported-by: Alex
+Signed-off-by: Prasad J Pandit
+Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 04bf2526ce87f21b32c9acba1c5518708c243ad0)
+[BR: BSC#1048902 CVE-2017-11334]
+Signed-off-by: Bruce Rogers
+---
+ exec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/exec.c b/exec.c
+index b47b3f9096..1de9107b61 100644
+--- a/exec.c
++++ b/exec.c
+@@ -2767,7 +2767,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
+ }
+ } else {
+ /* RAM case */
+- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
+ memcpy(ptr, buf, l);
+ invalidate_and_set_dirty(mr, addr1, l);
+ }
+@@ -2858,7 +2858,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
+ }
+ } else {
+ /* RAM case */
+- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
+ memcpy(buf, ptr, l);
+ }
+ 
diff --git a/0072-slirp-check-len-against-dhcp-option.patch b/0072-slirp-check-len-against-dhcp-option.patch
new file mode 100644
index 00000000..9df6d832
--- /dev/null
+++ b/0072-slirp-check-len-against-dhcp-option.patch
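Review bot: Both hunks pass `&l` to `qemu_ram_ptr_length()`, which (per its upstream definition, not shown here) clamps `l` to what remains of the RAM block and returns NULL when the requested size is zero, and the `memcpy(..., l)` on the next line copies only the clamped length; the loop that advances `buf`, `addr` and `len` sits outside the hunk in both address_space_write_continue and address_space_read_continue and must step by the updated `l`, otherwise the access sequence desynchronises after a truncated chunk. An `assert(ptr)` or explicit NULL check after each call would document the non-zero-length invariant the new code relies on. A brief comment such as `/* clamps l to the block end so the memcpy cannot run past guest RAM (CVE-2017-11334) */` would also explain why the length is passed by reference. Both enclosing functions start and end outside the hunk.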
@@ -0,0 +1,33 @@
+From 9ba94af263d7c64137cc748abd9cf3c23e07decc Mon Sep 17 00:00:00 2001
+From: P J P
+Date: Tue, 25 Jul 2017 13:34:29 -0600
+Subject: [PATCH] slirp: check len against dhcp options array end
+
+From: Prasad J Pandit
+
+While parsing dhcp options string in 'dhcp_decode', if an options'
+length 'len' appeared towards the end of 'bp_vend' array, ensuing
+read could lead to an OOB memory access issue. Add check to avoid it.
+
+Reported-by: Reno Robert
+Signed-off-by: Prasad J Pandit
+[BR: BSC#1049381 CVE-2017-11434]
+Signed-off-by: Bruce Rogers
+---
+ slirp/bootp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c182..5dd1a415b5 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ if (p >= p_end)
+ break;
+ len = *p++;
++ if (p + len > p_end) {
++ break;
++ }
+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+ 
+ switch(tag) {
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index 18a821ce..c9d64cf2 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Jul 25 19:36:58 UTC 2017 - brogers@suse.com
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+* Patches added:
+ 0069-qemu-nbd-Ignore-SIGPIPE.patch
+ 0070-usb-redir-fix-stack-overflow-in-usb.patch
+ 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
+ 0072-slirp-check-len-against-dhcp-option.patch
+
 -------------------------------------------------------------------
 Tue Jul 18 19:51:49 UTC 2017 - brogers@suse.com
 
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 7d1856b4..ba9cf6b4 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
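Review bot: The added guard `if (p + len > p_end)` first forms the pointer `p + len`, which for a large `len` points beyond one past the end of `bp_vend` and is undefined behaviour in C even though the comparison then rejects it; writing the check as `if (len > p_end - p) { break; }` makes the same decision using only in-bounds arithmetic. `len` is declared outside the hunk, and the guard also relies on it being non-negative, which the visible `len = *p++;` suggests (a byte read) but does not prove. A short comment such as `/* option payload must fit inside bp_vend; stop parsing on a truncated option (CVE-2017-11434) */` would explain why a malformed option ends option parsing rather than being skipped. dhcp_decode starts and ends outside the hunk.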
@@ -94,6 +94,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
 Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
 Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
 Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
+Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
+Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
+Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
+Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 Source400: update_git.sh
@@ -215,6 +219,10 @@ run cross-architecture builds.
 %patch0066 -p1
 %patch0067 -p1
 %patch0068 -p1
+%patch0069 -p1
+%patch0070 -p1
+%patch0071 -p1
+%patch0072 -p1
 
 %build
 ./configure \
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index 0c91c65a..730297d0 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Jul 25 19:36:55 UTC 2017 - brogers@suse.com
+
+- Address various security/stability issues
+* Fix DOS vulnerability in qemu-nbd (bsc#1046636 CVE-2017-10664)
+ 0069-qemu-nbd-Ignore-SIGPIPE.patch
+* Fix DOS from stack overflow in debug messages of usb redirection
+ support (bsc#1047674 CVE-2017-10806)
+ 0070-usb-redir-fix-stack-overflow-in-usb.patch
+* Fix OOB access during DMA operation (CVE-2017-11334 bsc#1048902)
+ 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
+* Fix OOB access parsing dhcp slirp options (CVE-2017-11434 bsc#1049381)
+ 0072-slirp-check-len-against-dhcp-option.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+
+-------------------------------------------------------------------
+Tue Jul 25 16:51:20 UTC 2017 - brogers@suse.com
+
+- Fix support docs to indicate ARM64 is now fully L3 supported in
+ SLES 12 SP3. Apply a few additional clarifications in the support
+ docs. (bsc#1050268)
+- Adjust to libvdeplug-devel package naming changes.
+
 -------------------------------------------------------------------
 Tue Jul 18 19:51:45 UTC 2017 - brogers@suse.com
 
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index 318a9ea1..5aa07c15 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -198,6 +198,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
 Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
 Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
 Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
+Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
+Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
+Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
+Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -334,7 +338,11 @@ BuildRequires: libssh2-devel
 %if 0%{?suse_version} > 1310
 BuildRequires: libusb-1_0-devel
 %endif
+%if 0%{?suse_version} > 1320
+BuildRequires: libvdeplug-devel
+%else
 BuildRequires: libvdeplug3-devel
+%endif
 BuildRequires: lzo-devel
 %if 0%{?suse_version} > 1220
 BuildRequires: makeinfo
@@ -914,6 +922,10 @@ This package provides a service file for starting and stopping KSM.
 %patch0066 -p1
 %patch0067 -p1
 %patch0068 -p1
+%patch0069 -p1
+%patch0070 -p1
+%patch0071 -p1
+%patch0072 -p1
 
 pushd roms/ipxe
 %patch1100 -p1
diff --git a/qemu.changes b/qemu.changes
index 0c91c65a..730297d0 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Jul 25 19:36:55 UTC 2017 - brogers@suse.com
+
+- Address various security/stability issues
+* Fix DOS vulnerability in qemu-nbd (bsc#1046636 CVE-2017-10664)
+ 0069-qemu-nbd-Ignore-SIGPIPE.patch
+* Fix DOS from stack overflow in debug messages of usb redirection
+ support (bsc#1047674 CVE-2017-10806)
+ 0070-usb-redir-fix-stack-overflow-in-usb.patch
+* Fix OOB access during DMA operation (CVE-2017-11334 bsc#1048902)
+ 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
+* Fix OOB access parsing dhcp slirp options (CVE-2017-11434 bsc#1049381)
+ 0072-slirp-check-len-against-dhcp-option.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+
+-------------------------------------------------------------------
+Tue Jul 25 16:51:20 UTC 2017 - brogers@suse.com
+
+- Fix support docs to indicate ARM64 is now fully L3 supported in
+ SLES 12 SP3. Apply a few additional clarifications in the support
+ docs. (bsc#1050268)
+- Adjust to libvdeplug-devel package naming changes.
+
 -------------------------------------------------------------------
 Tue Jul 18 19:51:45 UTC 2017 - brogers@suse.com
 
diff --git a/qemu.spec b/qemu.spec
index 87611348..53b1a52b 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -198,6 +198,10 @@ Patch0065: 0065-hid-Reset-kbd-modifiers-on-reset.patch
 Patch0066: 0066-input-Decrement-queue-count-on-kbd-.patch
 Patch0067: 0067-xhci-only-update-dequeue-ptr-on-com.patch
 Patch0068: 0068-vnc-Set-default-kbd-delay-to-10ms.patch
+Patch0069: 0069-qemu-nbd-Ignore-SIGPIPE.patch
+Patch0070: 0070-usb-redir-fix-stack-overflow-in-usb.patch
+Patch0071: 0071-exec-use-qemu_ram_ptr_length-to-acc.patch
+Patch0072: 0072-slirp-check-len-against-dhcp-option.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -334,7 +338,11 @@ BuildRequires: libssh2-devel
 %if 0%{?suse_version} > 1310
 BuildRequires: libusb-1_0-devel
 %endif
+%if 0%{?suse_version} > 1320
+BuildRequires: libvdeplug-devel
+%else
 BuildRequires: libvdeplug3-devel
+%endif
 BuildRequires: lzo-devel
 %if 0%{?suse_version} > 1220
 BuildRequires: makeinfo
@@ -914,6 +922,10 @@ This package provides a service file for starting and stopping KSM.
 %patch0066 -p1
 %patch0067 -p1
 %patch0068 -p1
+%patch0069 -p1
+%patch0070 -p1
+%patch0071 -p1
+%patch0072 -p1
 
 pushd roms/ipxe
 %patch1100 -p1
diff --git a/qemu.spec.in b/qemu.spec.in
index 39e0a2a1..0cb8d743 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -267,7 +267,11 @@ BuildRequires: libssh2-devel
 %if 0%{?suse_version} > 1310
 BuildRequires: libusb-1_0-devel
 %endif
+%if 0%{?suse_version} > 1320
+BuildRequires: libvdeplug-devel
+%else
 BuildRequires: libvdeplug3-devel
+%endif
 BuildRequires: lzo-devel
 %if 0%{?suse_version} > 1220
 BuildRequires: makeinfo
@@ -315,14 +319,14 @@ BuildRequires: zlib-devel
 %if "%{name}" == "qemu-testsuite"
 BuildRequires: bc
 BuildRequires: qemu-arm = %version
+BuildRequires: qemu-block-curl = %version
+BuildRequires: qemu-block-dmg = %version
 BuildRequires: qemu-extra = %version
 BuildRequires: qemu-guest-agent = %version
 BuildRequires: qemu-ppc = %version
 BuildRequires: qemu-s390 = %version
 BuildRequires: qemu-tools = %version
 BuildRequires: qemu-x86 = %version
-BuildRequires: qemu-block-curl = %version
-BuildRequires: qemu-block-dmg = %version
 %if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
 BuildRequires: qemu-block-gluster = %version
 %endif
diff --git a/supported.arm.txt b/supported.arm.txt
index 7dfb8ddd..a68e7a3b 100644
--- a/supported.arm.txt
+++ b/supported.arm.txt
@@ -10,13 +10,12 @@ Overview quality or value. The linux kernel includes components which contribute KVM virtualization features as well. This document was created to assist the user in deciding which features can be relied upon to build enterprise class - virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64) - and for IBM System z (s390x) are offered at the L3 (full support) level, - while KVM for the ARM64 architecture (AArch64) is L3 supported for certain - partner-specific use cases. The bulk of this document deals with L3 supported - features and is primarily ARM64 centric. This document should be considered a - companion to the standard virtualization documentation delivered with the - product. + virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64), + for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered + at the L3 (full support) level. The bulk of this document deals with L3 + supported features and is primarily ARM64 centric. This document should be + considered a companion to the standard virtualization documentation delivered + with the product. KVM is implemented in linux kernel modules which enable the linux kernel to function as an integral part of the KVM hypervisor. The hypervisor-guest @@ -57,9 +56,6 @@ Major QEMU/KVM Supported Features Since a KVM guest runs in the context of a normal linux process, some types of execution controls are managed with linux tools. -- Various standard vCPU types are available, along with the ability to specify - individual CPU features visible to the guest. - - QEMU is compatible with EDK based UEFI firmware available with SLES12-SP3, which allow boot options common to physical systems along with other features tailored to virtualization. Various VGABIOS ROMs, from the SEABIOS project, 
@@ -79,8 +75,8 @@ Major QEMU/KVM Supported Features take place either from certain prior SLES versioned hosts to a SLES 12 SP3 or between hosts of the same version. Certain other restrictions also apply. -- Security considerations include seccomp2 based sandboxing, privileged - helpers and a security model which allows running guests as a non-root user. +- Security considerations include privileged helpers and a security model which + allows running guests as a non-root user. - QEMU provides best effort reuse of existing disk images, including those with systems installed, through geometry probing. Also disk images produced by diff --git a/supported.s390.txt b/supported.s390.txt index 99e3dbf8..8bbd9f65 100644 --- a/supported.s390.txt +++ b/supported.s390.txt 
@@ -10,21 +10,20 @@ Overview quality or value. The linux kernel includes components which contribute KVM virtualization features as well. This document was created to assist the user in deciding which features can be relied upon to build enterprise class - virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64) - and for IBM System z (s390x) are offered at the L3 (full support) level, - while KVM for the ARM64 architecture (AArch64) is L3 supported for certain - partner-specific use cases. The bulk of this document deals with L3 supported - features and is primarily s390x centric. This document should be considered a - companion to the standard virtualization documentation delivered with the - product. + virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64), + for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered + at the L3 (full support) level. The bulk of this document deals with L3 + supported features and is primarily s390x centric. This document should be + considered a companion to the standard virtualization documentation delivered + with the product. KVM is implemented in linux kernel modules which enable the linux kernel to function as an integral part of the KVM hypervisor. The hypervisor-guest interaction is managed by QEMU through the /dev/kvm ioctl interface. The linux host assists in the virtualization of storage, networking and display - resources as well as allowing direct hardware passthrough of PCI and USB - devices. Linux memory and cpu management features are used by QEMU/KVM to - enable guests to share those host resources as efficiently as possible. + resources as well as allowing direct hardware passthrough of PCI devices. + Linux memory and cpu management features are used by QEMU/KVM to enable guests + to share those host resources as efficiently as possible. QEMU is a primary component of KVM based virtualization. 
The legacy qemu-kvm program is provided for continuity with pre SLES 12 usage, including in @@ -59,9 +58,6 @@ Major QEMU/KVM Supported Features Since a KVM guest runs in the context of a normal linux process, some types of execution controls are managed with linux tools. -- Various standard vCPU types are available, along with the ability to specify - individual CPU features visible to the guest. - - QEMU incorporates virtualized, 390 specific, ccw bus based firmware for booting s390 guests. This firmware is automatically incorporated and doesn't need to be explicitly referenced. @@ -80,8 +76,8 @@ Major QEMU/KVM Supported Features take place either from certain prior SLES versioned hosts to a SLES 12 SP3 or between hosts of the same version. Certain other restrictions also apply. -- Security considerations include seccomp2 based sandboxing, privileged - helpers and a security model which allows running guests as a non-root user. +- Security considerations include privileged helpers and a security model which + allows running guests as a non-root user. - QEMU provides best effort reuse of existing disk images, including those with systems installed, through geometry probing. Also disk images produced by @@ -97,8 +93,8 @@ Major QEMU/KVM Supported Features - Guest performance is enhanced through the use of virtio devices, various disk caching modes, network acceleration via the vhost-net kernel module, multi- queue network transmit capabilities, host transparent huge pages (THP) and - direct hugetlb usage. Physical PCI and USB devices may also be passed through - to the guest, including SR-IOV VF's. + direct hugetlb usage. Physical PCI devices may also be passed through to the + guest, including SR-IOV VF's. - The guest UI is accessable via GTK, SDL, VNC, Spice, and serial (including curses TUI) interfaces. diff --git a/supported.x86.txt b/supported.x86.txt index dcea0f0b..9f547d62 100644 --- a/supported.x86.txt +++ b/supported.x86.txt 
@@ -10,13 +10,12 @@ Overview quality or value. The linux kernel includes components which contribute KVM virtualization features as well. This document was created to assist the user in deciding which features can be relied upon to build enterprise class - virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64) - and for IBM System z (s390x) are offered at the L3 (full support) level, - while KVM for the ARM64 architecture (AArch64) is L3 supported for certain - partner-specific use cases. The bulk of this document deals with L3 supported - features and is primarily x86 centric. This document should be considered a - companion to the standard virtualization documentation delivered with the - product. + virtualization solutions. KVM based virtualization for x86 (Intel 64/AMD64), + for IBM System z (s390x) and for the ARM64 architecture (AArch64) are offered + at the L3 (full support) level. The bulk of this document deals with L3 + supported features and is primarily x86 centric. This document should be + considered a companion to the standard virtualization documentation delivered + with the product. KVM is implemented in linux kernel modules which enable the linux kernel to function as an integral part of the KVM hypervisor. The hypervisor-guest