From df8a80613e3446a841b36f2e6396fb3ffbf5272271a4b338b6960e645b00f486 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Thu, 31 Aug 2017 20:04:54 +0000 Subject: [PATCH] Accepting request 520017 from home:bfrogers:branches:Virtualization A few post v2.10 patches needed to fix issues identified too late to get in. Also enable seccomp for all arch's we build for, and use better package references for rdma support OBS-URL: https://build.opensuse.org/request/show/520017 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=361
--- ...-string-input-visitor-Fix-uint64-par.patch | 4 +- ...-test-string-input-visitor-Add-int-t.patch | 20 ++--- ...-slirp-fix-clearing-ifq_so-from-pend.patch | 81 +++++++++++++++++++ 0035-s390-ccw-Fix-alignment-for-CCW1.patch | 38 +++++++++ qemu-linux-user.changes | 8 ++ qemu-linux-user.spec | 4 + qemu-testsuite.changes | 13 +++ qemu-testsuite.spec | 15 ++-- qemu.changes | 13 +++ qemu.spec | 15 ++-- qemu.spec.in | 11 +-- 11 files changed, 189 insertions(+), 33 deletions(-) create mode 100644 0034-slirp-fix-clearing-ifq_so-from-pend.patch create mode 100644 0035-s390-ccw-Fix-alignment-for-CCW1.patch
diff --git a/0029-string-input-visitor-Fix-uint64-par.patch b/0029-string-input-visitor-Fix-uint64-par.patch
index d407b7c..cc0a781 100644
--- a/0029-string-input-visitor-Fix-uint64-par.patch
+++ b/0029-string-input-visitor-Fix-uint64-par.patch
@@ -97,13 +97,13 @@ index 67a0a4a58b..1c73e5aeae 100644
+ error_setg(errp, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
+ "integer");
+ return;
- }
++ }
+
+ parse_str(siv, name, true, errp);
+
+ if (!siv->ranges) {
+ goto error;
-+ }
+ }
+
+ if (!siv->cur_range) {
+ Range *r;
diff --git a/0030-test-string-input-visitor-Add-int-t.patch b/0030-test-string-input-visitor-Add-int-t.patch
index fad79b6..f179fb2 100644
--- a/0030-test-string-input-visitor-Add-int-t.patch
+++ b/0030-test-string-input-visitor-Add-int-t.patch
@@ -17,18 +17,18 @@
diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor index 79313a7f7a..e00194a649 100644
--- a/tests/test-string-input-visitor.c
+++ b/tests/test-string-input-visitor.c
-@@ -58,6 +58,14 @@ static void test_visitor_in_int(TestInputVisitorData *data,
- visit_type_int(v, NULL, &res, &err);
- g_assert(!err);
- g_assert_cmpint(res, ==, value);
+@@ -55,6 +55,14 @@ static void test_visitor_in_int(TestInputVisitorData *data,
+
+ v = visitor_input_test_init(data, "-42");
+
++ visit_type_int(v, NULL, &res, &err);
++ g_assert(!err);
++ g_assert_cmpint(res, ==, value);
+ visitor_input_teardown(data, unused);
+
+ value = INT64_MAX;
+ v = visitor_input_test_init(data, g_strdup_printf("%" PRId64, value));
+
-+ visit_type_int(v, NULL, &res, &err);
-+ g_assert(!err);
-+ g_assert_cmpint(res, ==, value);
-
- v = visitor_input_test_init(data, "not an int");
-
+ visit_type_int(v, NULL, &res, &err);
+ g_assert(!err);
+ g_assert_cmpint(res, ==, value);
diff --git a/0034-slirp-fix-clearing-ifq_so-from-pend.patch b/0034-slirp-fix-clearing-ifq_so-from-pend.patch
new file mode 100644
index 0000000..17f9f23
--- /dev/null
+++ b/0034-slirp-fix-clearing-ifq_so-from-pend.patch
@@ -0,0 +1,81 @@
+From dc8c3677038bae1bd06dca0167a790776f3e6b3b Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Fri, 25 Aug 2017 01:35:53 +0200
+Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The if_fastq and if_batchq contain not only packets, but queues of packets
+for the same socket. When sofree frees a socket, it thus has to clear ifq_so
+from all the packets from the queues, not only the first.
+
+Signed-off-by: Samuel Thibault
+Reviewed-by: Philippe Mathieu-Daudé
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell
+(cherry picked from commit 1201d308519f1e915866d7583d5136d03cc1d384)
+[BR: BSC#1056291 CVE-2017-13711]
+Signed-off-by: Bruce Rogers
+---
+ slirp/socket.c | 39 +++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/slirp/socket.c b/slirp/socket.c
+index ecec0295a9..cb7b5b608d 100644
+--- a/slirp/socket.c
++++ b/slirp/socket.c
+@@ -59,6 +59,27 @@ socreate(Slirp *slirp)
+ return(so);
+ }
+
++/*
++ * Remove references to so from the given message queue.
++ */
++static void
++soqfree(struct socket *so, struct quehead *qh)
++{
++ struct mbuf *ifq;
++
++ for (ifq = (struct mbuf *) qh->qh_link;
++ (struct quehead *) ifq != qh;
++ ifq = ifq->ifq_next) {
++ if (ifq->ifq_so == so) {
++ struct mbuf *ifm;
++ ifq->ifq_so = NULL;
++ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
++ ifm->ifq_so = NULL;
++ }
++ }
++ }
++}
++
+ /*
+ * remque and free a socket, clobber cache
+ */
+@@ -66,23 +87,9 @@ void
+ sofree(struct socket *so)
+ {
+ Slirp *slirp = so->slirp;
+- struct mbuf *ifm;
+
+- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
+- (struct quehead *) ifm != &slirp->if_fastq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
+-
+- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
+- (struct quehead *) ifm != &slirp->if_batchq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
++ soqfree(so, &slirp->if_fastq);
++ soqfree(so, &slirp->if_batchq);
+
+ if (so->so_emu==EMU_RSH && so->extra) {
+ sofree(so->extra);
diff --git a/0035-s390-ccw-Fix-alignment-for-CCW1.patch b/0035-s390-ccw-Fix-alignment-for-CCW1.patch
new file mode 100644
index 0000000..8badeb4
--- /dev/null
+++ b/0035-s390-ccw-Fix-alignment-for-CCW1.patch
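Review bot: soqfree()'s header comment says only "Remove references to so from the given message queue"; the reason a stale ifq_so matters and why the inner ifs_next walk exists are stated in the commit message but not at the code, where the next maintainer will look. I would extend the comment to `/* Clear ifq_so on every mbuf that refers to so, including the packets chained behind a queue head via ifs_next, so that no queued packet keeps a pointer to a socket sofree() is about to free. */` and put `/* a chain holds packets for one socket, so checking the head suffices */` on the `if (ifq->ifq_so == so)` line — that invariant is inferred from the commit message, so confirm it before wording it as a guarantee. Since 0034 is a cherry-picked upstream commit, the wording belongs upstream rather than in the downstream patch queue.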
@@ -0,0 +1,38 @@
+From adee899fc239f9eca87881a7f6c6e1dae346922e Mon Sep 17 00:00:00 2001
+From: Farhan Ali
+Date: Fri, 25 Aug 2017 09:24:46 -0400
+Subject: [PATCH] s390-ccw: Fix alignment for CCW1
+
+The commit 198c0d1f9df8c4 s390x/css: check ccw address validity
+exposes an alignment issue in ccw bios.
+
+According to PoP the CCW must be doubleword aligned. Let's fix
+this in the bios.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Farhan Ali
+Reviewed-by: Halil Pasic
+Reviewed-by: Eric Farman
+Acked-by: Christian Borntraeger
+Message-Id: <3ed8b810b6592daee6a775037ce21f850e40647d.1503667215.git.alifm@linux.vnet.ibm.com>
+Signed-off-by: Cornelia Huck
+(cherry picked from commit 3a1e4561ad63b303b092387ae006bd41468ece63)
+[BR: BSC#1056680]
+Signed-off-by: Bruce Rogers
+---
+ pc-bios/s390-ccw/cio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/cio.h b/pc-bios/s390-ccw/cio.h
+index f5b4549ea3..55eaeee4b6 100644
+--- a/pc-bios/s390-ccw/cio.h
++++ b/pc-bios/s390-ccw/cio.h
+@@ -133,7 +133,7 @@ struct ccw1 {
+ __u8 flags;
+ __u16 count;
+ __u32 cda;
+-} __attribute__ ((packed));
++} __attribute__ ((packed, aligned(8)));
+
+ #define CCW_FLAG_DC 0x80
+ #define CCW_FLAG_CC 0x40
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index 44c8371..fdbc822 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 31 18:48:32 UTC 2017 - brogers@suse.com
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
+* Patches added:
+ 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+ 0035-s390-ccw-Fix-alignment-for-CCW1.patch
+
-------------------------------------------------------------------
Wed Aug 30 19:52:36 UTC 2017 - brogers@suse.com
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 22b3e10..75da3ff 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
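Review bot: `aligned(8)` on struct ccw1 only fixes the placement of objects the compiler lays out — statics, locals, array elements and members — so a ccw1 reached through a pointer cast from a raw buffer gets no alignment from this attribute; whether the bios has such a path is not visible in this one-line hunk. I would record the requirement beside the attribute, `} __attribute__ ((packed, aligned(8))); /* PoP: CCWs must be doubleword aligned; covers compiler-placed instances only */`, so the next struct change keeps it. A `_Static_assert(_Alignof(struct ccw1) == 8, "ccw1 must be doubleword aligned");` after the struct would make the requirement checked rather than merely documented, if the bios build compiles as C11. The patch is cherry-picked from upstream, so either addition should go upstream first.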
@@ -59,6 +59,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch
Patch0031: 0031-test-string-input-visitor-Add-uint6.patch
Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch
Patch0033: 0033-tests-Add-scsi-disk-test.patch
+Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
Source400: update_git.sh
@@ -145,6 +147,8 @@ run cross-architecture builds.
%patch0031 -p1
%patch0032 -p1
%patch0033 -p1
+%patch0034 -p1
+%patch0035 -p1
%build
./configure \
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index addfedd..889b292 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Aug 31 18:48:22 UTC 2017 - brogers@suse.com
+
+- Update BuildRequires packages libibverbs-devel and librdmacm-devel
+ to the more correct rdma-core-devel
+- Enable seccomp for s390x, aarch64, and ppc64le
+- Fix OOB issue (use after free) in slirp network stack (CVE-2017-13711
+ bsc#1056291)
+ 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+- Fix a misalignment in the s390 ccw firmware (bsc#1056680)
+ 0035-s390-ccw-Fix-alignment-for-CCW1.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
+
-------------------------------------------------------------------
Thu Aug 31 18:34:27 UTC 2017 - jfehlig@suse.com
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index de704b7..ba67e88 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -87,7 +87,7 @@
%define with_seccomp 1
%endif
-%ifarch %ix86 x86_64 s390x
+%ifarch %ix86 x86_64 s390x aarch64 ppc64le
%define with_seccomp 1
%endif
@@ -165,6 +165,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch
Patch0031: 0031-test-string-input-visitor-Add-uint6.patch
Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch
Patch0033: 0033-tests-Add-scsi-disk-test.patch
+Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@@ -247,9 +249,6 @@ BuildRequires: libfdt1-devel
BuildRequires: libgbm-devel
BuildRequires: libgcrypt-devel
BuildRequires: libgnutls-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: libibverbs-devel
-%endif
%if 0%{?with_rbd}
%if 0%{?is_opensuse} || 0%{?sle_version} > 120100
BuildRequires: librbd-devel
@@ -283,9 +282,6 @@ BuildRequires: libpcap-devel
BuildRequires: libpixman-1-0-devel
BuildRequires: libpng-devel
BuildRequires: libpulse-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: librdmacm-devel
-%endif
%if 0%{?with_seccomp}
BuildRequires: libseccomp-devel
%endif
@@ -315,6 +311,9 @@ BuildRequires: ovmf-tools
BuildRequires: pkgconfig
BuildRequires: pwdutils
BuildRequires: python
+%if 0%{?suse_version} >= 1315
+BuildRequires: rdma-core-devel
+%endif
%if 0%{?suse_version} >= 1310
BuildRequires: snappy-devel
%endif
@@ -850,6 +849,8 @@ This package provides a service file for starting and stopping KSM.
%patch0031 -p1
%patch0032 -p1
%patch0033 -p1
+%patch0034 -p1
+%patch0035 -p1
pushd roms/ipxe
%patch1100 -p1
diff --git a/qemu.changes b/qemu.changes
index addfedd..889b292 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Aug 31 18:48:22 UTC 2017 - brogers@suse.com
+
+- Update BuildRequires packages libibverbs-devel and librdmacm-devel
+ to the more correct rdma-core-devel
+- Enable seccomp for s390x, aarch64, and ppc64le
+- Fix OOB issue (use after free) in slirp network stack (CVE-2017-13711
+ bsc#1056291)
+ 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+- Fix a misalignment in the s390 ccw firmware (bsc#1056680)
+ 0035-s390-ccw-Fix-alignment-for-CCW1.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
+
-------------------------------------------------------------------
Thu Aug 31 18:34:27 UTC 2017 - jfehlig@suse.com
diff --git a/qemu.spec b/qemu.spec
index f9f9f3f..9b17908 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -87,7 +87,7 @@
%define with_seccomp 1
%endif
-%ifarch %ix86 x86_64 s390x
+%ifarch %ix86 x86_64 s390x aarch64 ppc64le
%define with_seccomp 1
%endif
@@ -165,6 +165,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch
Patch0031: 0031-test-string-input-visitor-Add-uint6.patch
Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch
Patch0033: 0033-tests-Add-scsi-disk-test.patch
+Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@@ -247,9 +249,6 @@ BuildRequires: libfdt1-devel
BuildRequires: libgbm-devel
BuildRequires: libgcrypt-devel
BuildRequires: libgnutls-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: libibverbs-devel
-%endif
%if 0%{?with_rbd}
%if 0%{?is_opensuse} || 0%{?sle_version} > 120100
BuildRequires: librbd-devel
@@ -283,9 +282,6 @@ BuildRequires: libpcap-devel
BuildRequires: libpixman-1-0-devel
BuildRequires: libpng-devel
BuildRequires: libpulse-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: librdmacm-devel
-%endif
%if 0%{?with_seccomp}
BuildRequires: libseccomp-devel
%endif
@@ -315,6 +311,9 @@ BuildRequires: ovmf-tools
BuildRequires: pkgconfig
BuildRequires: pwdutils
BuildRequires: python
+%if 0%{?suse_version} >= 1315
+BuildRequires: rdma-core-devel
+%endif
%if 0%{?suse_version} >= 1310
BuildRequires: snappy-devel
%endif
@@ -850,6 +849,8 @@ This package provides a service file for starting and stopping KSM.
%patch0031 -p1
%patch0032 -p1
%patch0033 -p1
+%patch0034 -p1
+%patch0035 -p1
pushd roms/ipxe
%patch1100 -p1
diff --git a/qemu.spec.in b/qemu.spec.in
index 078e83e..b75325c 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -87,7 +87,7 @@
%define with_seccomp 1
%endif
-%ifarch %ix86 x86_64 s390x
+%ifarch %ix86 x86_64 s390x aarch64 ppc64le
%define with_seccomp 1
%endif
@@ -215,9 +215,6 @@ BuildRequires: libfdt1-devel
BuildRequires: libgbm-devel
BuildRequires: libgcrypt-devel
BuildRequires: libgnutls-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: libibverbs-devel
-%endif
%if 0%{?with_rbd}
%if 0%{?is_opensuse} || 0%{?sle_version} > 120100
BuildRequires: librbd-devel
@@ -251,9 +248,6 @@ BuildRequires: libpcap-devel
BuildRequires: libpixman-1-0-devel
BuildRequires: libpng-devel
BuildRequires: libpulse-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: librdmacm-devel
-%endif
%if 0%{?with_seccomp}
BuildRequires: libseccomp-devel
%endif
@@ -283,6 +277,9 @@ BuildRequires: ovmf-tools
BuildRequires: pkgconfig
BuildRequires: pwdutils
BuildRequires: python
+%if 0%{?suse_version} >= 1315
+BuildRequires: rdma-core-devel
+%endif
%if 0%{?suse_version} >= 1310
BuildRequires: snappy-devel
%endif