Accepting request 718651 from home:lyan:branches:Virtualization

security fixes

OBS-URL: https://build.opensuse.org/request/show/718651
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=482
Bruce Rogers 2019-07-25 21:18:09 +00:00 committed by Git OBS Bridge
parent c631d28615
commit ea444bfb8a
9 changed files with 140 additions and 33 deletions


@ -1,21 +1,21 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Fri, 1 Mar 2019 21:40:52 +0100
Date: Wed, 15 May 2019 15:10:10 +0100
Subject: target/i386: define md-clear bit
md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction. Add the new feature, and pass it down to
Hypervisor.framework guests.
the VERW instruction.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Message-Id: <20190515141011.5315-2-berrange@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit b2ae52101fca7f9547ac2f388085dbc58f8fe1c0)
[BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
CVE-2019-11091]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 1 +
target/i386/hvf/x86_cpuid.c | 3 ++-
3 files changed, 4 insertions(+), 2 deletions(-)
target/i386/cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index d6bb57d210..4ea78a4939 100644
@ -30,29 +30,3 @@ index d6bb57d210..4ea78a4939 100644
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 572290c3d6..d3bd0943ec 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */
#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/
#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
index 4d957fe896..b453552fb4 100644
--- a/target/i386/hvf/x86_cpuid.c
+++ b/target/i386/hvf/x86_cpuid.c
@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
}
ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
+ CPUID_7_0_EDX_MD_CLEAR;
} else {
ebx = 0;
ecx = 0;
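Review bot: this replacement drops the old patch's hvf/x86_cpuid.c change (the `edx &= ... | CPUID_7_0_EDX_MD_CLEAR` masking in hvf_get_supported_cpuid()) together with the cpu.h `#define`, leaving only target/i386/cpu.c modified, as the new diffstat "1 file changed, 1 insertion(+), 1 deletion(-)" confirms; the patch header should say why, because the old description promised to "pass it down to Hypervisor.framework guests" and the new one is silent on the point. That is consistent with the changelog's "Replace patch 0043 with an upstream version", but a reader of the header alone cannot tell whether losing md-clear for Hypervisor.framework guests was intended. Minor, on the dropped lines: the `| \` continuation inside the `edx &=` statement was unnecessary, since a C expression continues across lines without a backslash; the backslash belongs only in macro definitions.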


@ -0,0 +1,33 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 25 Apr 2019 12:05:34 +0530
Subject: qxl: check release info object
When releasing spice resources in release_resource() routine,
if release info object 'ext.info' is null, it leads to null
pointer dereference. Add check to avoid it.
Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20190425063534.32747-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
[LY: BSC#1135902 CVE-2019-12155]
Signed-off-by: Liang Yan <lyan@suse.com>
---
hw/display/qxl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 5c38e6e906..3880a7410b 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -768,6 +768,9 @@ static void interface_release_resource(QXLInstance *sin,
uint32_t prod;
uint64_t id;
+ if (!ext.info) {
+ return;
+ }
if (ext.group_id == MEMSLOT_GROUP_HOST) {
/* host group -> vga mode update request */
QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
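Review bot: the new `if (!ext.info) { return; }` guard sits before the MEMSLOT_GROUP_HOST branch that dereferences `ext.info->id`, which is the right place, but returning silently means a guest that submits a release command with a NULL info pointer is indistinguishable from a well-behaved one; consider logging the event so the condition shows up in the host log rather than being dropped without trace. Also, the commit message refers to release_resource(), while the hunk header shows the function is interface_release_resource(); using the real name helps anyone grepping for the fix.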


@ -0,0 +1,48 @@
From: Liang Yan <lyan@suse.com>
Date: Thu, 25 Jul 2019 13:28:26 -0400
Subject: qemu-bridge-helper: restrict interface name
The interface names in qemu-bridge-helper are defined to be
of size IFNAMSIZ(=16), including the terminating null('\0') byte.
The same is applied to interface names read from 'bridge.conf'
file to form ACLs rules. If user supplied '--br=bridge' name
is not restricted to the same length, it could lead to ACL bypass
issue. Restrict bridge name to IFNAMSIZ, including null byte.
Reported-by: Riccardo Schirone <rschiron@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[LY: BSC#1140402 CVE-2019-13164]
Signed-off-by: Liang Yan <lyan@suse.com>
---
qemu-bridge-helper.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
index cafe2bf27b..8ae6104ec4 100644
--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
@@ -109,6 +109,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
}
*argend = 0;
+ if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
+ fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
+ fclose(f);
+ errno = EINVAL;
+ return -1;
+ }
+
if (strcmp(cmd, "deny") == 0) {
acl_rule = calloc(1, sizeof(*acl_rule));
if (!acl_rule) {
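Review bot: in parse_acl_file() the new check rejects any `arg` of IFNAMSIZ or more characters for every command except `include`, which is correct because an include argument is a file path rather than an interface name, but that exemption deserves a one-line comment on the `if`, otherwise a later reader may "fix" it. The `>= IFNAMSIZ` comparison leaves room for the terminating NUL, matching the commit message. The error path sets `errno = EINVAL` and closes `f` before returning -1; please make sure the other early returns in this function close the file the same way so cleanup stays uniform.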
@@ -264,6 +271,10 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}
}
+ if (strlen(bridge) >= IFNAMSIZ) {
+ fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
+ return EXIT_FAILURE;
+ }
if (bridge == NULL || unixfd == -1) {
usage();
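Review bot: in main(), the new `strlen(bridge)` check runs before the existing `if (bridge == NULL || unixfd == -1)` test on the very next line, so invoking the helper without `--br` now dereferences a NULL pointer inside strlen() instead of reaching usage(). Move the length check below that NULL/unixfd validation, or guard it as `if (bridge && strlen(bridge) >= IFNAMSIZ)`, so a missing bridge name still produces the usage message.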


@ -1,4 +1,13 @@
-------------------------------------------------------------------
Thu Jul 25 20:51:24 UTC 2019 - Liang Yan <lyan@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
* Patches added:
0049-qxl-check-release-info-object.patch
0050-qemu-bridge-helper-restrict-interfa.patch
* Patches changed:
0043-target-i386-define-md-clear-bit.patch
-------------------------------------------------------------------
Wed May 29 16:03:58 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0


@ -82,6 +82,8 @@ Patch0045: 0045-kbd-state-fix-autorepeat-handling.patch
Patch0046: 0046-target-ppc-ensure-we-get-null-termi.patch
Patch0047: 0047-configure-only-populate-roms-if-sof.patch
Patch0048: 0048-pc-bios-s390-ccw-net-avoid-warning-.patch
Patch0049: 0049-qxl-check-release-info-object.patch
Patch0050: 0050-qemu-bridge-helper-restrict-interfa.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
ExcludeArch: s390
@ -160,6 +162,8 @@ syscall layer occurs on the native hardware and operating system.
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%build
%define _lto_cflags %{nil}


@ -1,3 +1,21 @@
-------------------------------------------------------------------
Thu Jul 25 20:51:23 UTC 2019 - Liang Yan <lyan@suse.com>
- Security fix for null pointer dereference while releasing spice resources
(CVE-2019-12155, bsc#1135902)
0049-qxl-check-release-info-object.patch
- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
(CVE-2019-13164, bsc#1140402)
0050-qemu-bridge-helper-restrict-interfa.patch
- Replace patch 0043 with an upstream version
0043-target-i386-define-md-clear-bit.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Tue Jun 11 09:47:44 UTC 2019 - Christian Goll <cgoll@suse.com>
- fixed regression for ksm.service was (bsc#1112646)
-------------------------------------------------------------------
Mon Jun 10 16:41:24 UTC 2019 - Bruce Rogers <brogers@suse.com>


@ -192,6 +192,8 @@ Patch0045: 0045-kbd-state-fix-autorepeat-handling.patch
Patch0046: 0046-target-ppc-ensure-we-get-null-termi.patch
Patch0047: 0047-configure-only-populate-roms-if-sof.patch
Patch0048: 0048-pc-bios-s390-ccw-net-avoid-warning-.patch
Patch0049: 0049-qxl-check-release-info-object.patch
Patch0050: 0050-qemu-bridge-helper-restrict-interfa.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -1009,6 +1011,8 @@ This package provides a service file for starting and stopping KSM.
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
pushd roms/seabios
%patch1100 -p1


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Thu Jul 25 20:51:23 UTC 2019 - Liang Yan <lyan@suse.com>
- Security fix for null pointer dereference while releasing spice resources
(CVE-2019-12155, bsc#1135902)
0049-qxl-check-release-info-object.patch
- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
(CVE-2019-13164, bsc#1140402)
0050-qemu-bridge-helper-restrict-interfa.patch
- Replace patch 0043 with an upstream version
0043-target-i386-define-md-clear-bit.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
-------------------------------------------------------------------
Tue Jun 11 09:47:44 UTC 2019 - Christian Goll <cgoll@suse.com>


@ -192,6 +192,8 @@ Patch0045: 0045-kbd-state-fix-autorepeat-handling.patch
Patch0046: 0046-target-ppc-ensure-we-get-null-termi.patch
Patch0047: 0047-configure-only-populate-roms-if-sof.patch
Patch0048: 0048-pc-bios-s390-ccw-net-avoid-warning-.patch
Patch0049: 0049-qxl-check-release-info-object.patch
Patch0050: 0050-qemu-bridge-helper-restrict-interfa.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -1009,6 +1011,8 @@ This package provides a service file for starting and stopping KSM.
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
pushd roms/seabios
%patch1100 -p1