From ea444bfb8aa8824b25e556ce2fa6047baee37bdb2d0f80cd2ec7fd82eb789fa6 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Thu, 25 Jul 2019 21:18:09 +0000 Subject: [PATCH] Accepting request 718651 from home:lyan:branches:Virtualization security fixes OBS-URL: https://build.opensuse.org/request/show/718651 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=482 --- 0043-target-i386-define-md-clear-bit.patch | 40 +++------------- 0049-qxl-check-release-info-object.patch | 33 +++++++++++++ ...-qemu-bridge-helper-restrict-interfa.patch | 48 +++++++++++++++++++ qemu-linux-user.changes | 9 ++++ qemu-linux-user.spec | 4 ++ qemu-testsuite.changes | 18 +++++++ qemu-testsuite.spec | 4 ++ qemu.changes | 13 +++++ qemu.spec | 4 ++ 9 files changed, 140 insertions(+), 33 deletions(-) create mode 100644 0049-qxl-check-release-info-object.patch create mode 100644 0050-qemu-bridge-helper-restrict-interfa.patch diff --git a/0043-target-i386-define-md-clear-bit.patch b/0043-target-i386-define-md-clear-bit.patch index e2aa5e20..8335aff6 100644 --- a/0043-target-i386-define-md-clear-bit.patch +++ b/0043-target-i386-define-md-clear-bit.patch @@ -1,21 +1,21 @@ From: Paolo Bonzini -Date: Fri, 1 Mar 2019 21:40:52 +0100 +Date: Wed, 15 May 2019 15:10:10 +0100 Subject: target/i386: define md-clear bit md-clear is a new CPUID bit which is set when microcode provides the mechanism to invoke a flush of various exploitable CPU buffers by invoking -the VERW instruction. Add the new feature, and pass it down to -Hypervisor.framework guests. +the VERW instruction. Signed-off-by: Paolo Bonzini +Message-Id: <20190515141011.5315-2-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit b2ae52101fca7f9547ac2f388085dbc58f8fe1c0) [BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091] 
Signed-off-by: Bruce Rogers --- - target/i386/cpu.c | 2 +- - target/i386/cpu.h | 1 + - target/i386/hvf/x86_cpuid.c | 3 ++- - 3 files changed, 4 insertions(+), 2 deletions(-) + target/i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/i386/cpu.c b/target/i386/cpu.c index d6bb57d210..4ea78a4939 100644 @@ -30,29 +30,3 @@ index d6bb57d210..4ea78a4939 100644 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index 572290c3d6..d3bd0943ec 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; - - #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ - #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ -+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ - #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ - #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ - #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ -diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c -index 4d957fe896..b453552fb4 100644 ---- a/target/i386/hvf/x86_cpuid.c -+++ b/target/i386/hvf/x86_cpuid.c -@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, - } - - ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; -- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; -+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ -+ CPUID_7_0_EDX_MD_CLEAR; - } else { - ebx = 0; - ecx = 0; diff --git a/0049-qxl-check-release-info-object.patch b/0049-qxl-check-release-info-object.patch new file mode 100644 index 00000000..f3d5ed1f --- /dev/null +++ b/0049-qxl-check-release-info-object.patch 
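Review bot: The replacement drops two things the previous revision of this patch carried — the `CPUID_7_0_EDX_MD_CLEAR (1U << 10)` define in target/i386/cpu.h and the hvf_get_supported_cpuid() mask that passed md-clear to Hypervisor.framework guests — so only the feature-name entry in cpu.c remains (`1 file changed`). That is presumably harmless for these builds, since HVF is macOS-only and the surviving cpu.c context is a string table that does not appear to reference the constant, but neither the patch header nor the .changes line "Replace patch 0043 with an upstream version" records that the HVF exposure is gone. I would note it in the backport tag, e.g. `[BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091; upstream version, earlier cpu.h/hvf hunks dropped]`, so nobody later assumes HVF guests get md-clear from this series. The inner cpu.c hunk begins outside the visible outer hunks; only its trailing context is shown here.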
@@ -0,0 +1,33 @@
+From: Prasad J Pandit
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: qxl: check release info object
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec
+Signed-off-by: Prasad J Pandit
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
+[LY: BSC#1135902 CVE-2019-12155]
+Signed-off-by: Liang Yan
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 5c38e6e906..3880a7410b 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -768,6 +768,9 @@ static void interface_release_resource(QXLInstance *sin,
+ uint32_t prod;
+ uint64_t id;
+
++ if (!ext.info) {
++ return;
++ }
+ if (ext.group_id == MEMSLOT_GROUP_HOST) {
+ /* host group -> vga mode update request */
+ QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
diff --git a/0050-qemu-bridge-helper-restrict-interfa.patch b/0050-qemu-bridge-helper-restrict-interfa.patch
new file mode 100644
index 00000000..b047047e
--- /dev/null
+++ b/0050-qemu-bridge-helper-restrict-interfa.patch
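Review bot: The added `if (!ext.info) { return; }` in interface_release_resource() makes a NULL release-info vanish silently: nothing is logged and the resource is never pushed to the guest's release ring, so a guest that provokes this (the CVE tag implies one can) leaves no trace for anyone debugging or monitoring the VM. I would make the condition visible rather than silent, e.g. `if (!ext.info) { qxl_set_guest_bug(qxl, "%s: NULL release info", __func__); return; }`, assuming the function's `qxl` device pointer is already in scope at this point and this tree has the qxl_set_guest_bug() helper that qxl.c uses for other malformed guest data — that helper also marks the guest as buggy so further commands are ignored. The function's head and the remainder of its body, including what `prod` and `id` are used for, lie outside the hunk.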
@@ -0,0 +1,48 @@
+From: Liang Yan
+Date: Thu, 25 Jul 2019 13:28:26 -0400
+Subject: qemu-bridge-helper: restrict interface name
+
+The interface names in qemu-bridge-helper are defined to be
+of size IFNAMSIZ(=16), including the terminating null('\0') byte.
+The same is applied to interface names read from 'bridge.conf'
+file to form ACLs rules. If user supplied '--br=bridge' name
+is not restricted to the same length, it could lead to ACL bypass
+issue. Restrict bridge name to IFNAMSIZ, including null byte.
+
+Reported-by: Riccardo Schirone
+Signed-off-by: Prasad J Pandit
+[LY: BSC#1140402 CVE-2019-13164]
+Signed-off-by: Liang Yan
+---
+ qemu-bridge-helper.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
+index cafe2bf27b..8ae6104ec4 100644
+--- a/qemu-bridge-helper.c
++++ b/qemu-bridge-helper.c
+@@ -109,6 +109,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
+ }
+ *argend = 0;
+
++ if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
++ fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
++ fclose(f);
++ errno = EINVAL;
++ return -1;
++ }
++
+ if (strcmp(cmd, "deny") == 0) {
+ acl_rule = calloc(1, sizeof(*acl_rule));
+ if (!acl_rule) {
+@@ -264,6 +271,10 @@ int main(int argc, char **argv)
+ return EXIT_FAILURE;
+ }
+ }
++ if (strlen(bridge) >= IFNAMSIZ) {
++ fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
++ return EXIT_FAILURE;
++ }
+
+ if (bridge == NULL || unixfd == -1) {
+ usage();
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index 12690d55..b93572dd 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
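Review bot: The new `strlen(bridge)` check in main() sits above the existing `if (bridge == NULL || unixfd == -1)` guard, so running the helper without `--br` now dereferences a NULL `bridge` inside strlen() and crashes instead of printing usage; move the four added lines below that guard's `usage(); return EXIT_FAILURE;` block (which ends outside the hunk), or write the test as `if (bridge != NULL && strlen(bridge) >= IFNAMSIZ)` — upstream's version of this fix, as far as I recall, places it after the guard. The parse_acl_file() half looks right: `include` is exempted because its argument is a file path rather than an interface name, `fclose(f)` before returning avoids leaking the handle, and `errno` is assigned after fclose() so the latter cannot clobber it. The `>=` deserves a one-line comment since a reader may expect `>`, e.g. `/* IFNAMSIZ includes the terminating NUL; a longer name can never be a real interface and only serves to sidestep the ACL match */`.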
@@ -1,4 +1,13 @@
 -------------------------------------------------------------------
+Thu Jul 25 20:51:24 UTC 2019 - Liang Yan
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+* Patches added:
+ 0049-qxl-check-release-info-object.patch
+ 0050-qemu-bridge-helper-restrict-interfa.patch
+* Patches changed:
+ 0043-target-i386-define-md-clear-bit.patch
+-------------------------------------------------------------------
 Wed May 29 16:03:58 UTC 2019 - Bruce Rogers
 
 - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 65a56ed2..bfa517cf 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
@@ -82,6 +82,8 @@ Patch0045: 0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046: 0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047: 0047-configure-only-populate-roms-if-sof.patch
 Patch0048: 0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049: 0049-qxl-check-release-info-object.patch
+Patch0050: 0050-qemu-bridge-helper-restrict-interfa.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch: s390
@@ -160,6 +162,8 @@ syscall layer occurs on the native hardware and operating system.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
 
 %build
 %define _lto_cflags %{nil}
@@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu Jul 25 20:51:23 UTC 2019 - Liang Yan
+
+- Security fix for null pointer dereference while releasing spice resources
+ (CVE-2019-12155, bsc#1135902)
+ 0049-qxl-check-release-info-object.patch
+- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
+ (CVE-2019-13164, bsc#1140402)
+ 0050-qemu-bridge-helper-restrict-interfa.patch
+- Replace patch 0043 with an upstream version
+ 0043-target-i386-define-md-clear-bit.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+
+-------------------------------------------------------------------
+Tue Jun 11 09:47:44 UTC 2019 - Christian Goll
+
+- fixed regression for ksm.service was (bsc#1112646)
+
 -------------------------------------------------------------------
 Mon Jun 10 16:41:24 UTC 2019 - Bruce Rogers
 
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index 02624d13..adeaacc6 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -192,6 +192,8 @@ Patch0045: 0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046: 0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047: 0047-configure-only-populate-roms-if-sof.patch
 Patch0048: 0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049: 0049-qxl-check-release-info-object.patch
+Patch0050: 0050-qemu-bridge-helper-restrict-interfa.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -1009,6 +1011,8 @@ This package provides a service file for starting and stopping KSM.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
 
 pushd roms/seabios
 %patch1100 -p1
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Jul 25 20:51:23 UTC 2019 - Liang Yan
+
+- Security fix for null pointer dereference while releasing spice resources
+ (CVE-2019-12155, bsc#1135902)
+ 0049-qxl-check-release-info-object.patch
+- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
+ (CVE-2019-13164, bsc#1140402)
+ 0050-qemu-bridge-helper-restrict-interfa.patch
+- Replace patch 0043 with an upstream version
+ 0043-target-i386-define-md-clear-bit.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+
 -------------------------------------------------------------------
 Tue Jun 11 09:47:44 UTC 2019 - Christian Goll
 
diff --git a/qemu.spec b/qemu.spec
index 16365b6d..65d9911d 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -192,6 +192,8 @@ Patch0045: 0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046: 0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047: 0047-configure-only-populate-roms-if-sof.patch
 Patch0048: 0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049: 0049-qxl-check-release-info-object.patch
+Patch0050: 0050-qemu-bridge-helper-restrict-interfa.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -1009,6 +1011,8 @@ This package provides a service file for starting and stopping KSM.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1
 
 pushd roms/seabios
 %patch1100 -p1