Accepting request 718651 from home:lyan:branches:Virtualization

security fixes OBS-URL: https://build.opensuse.org/request/show/718651 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=482
2019-07-25 21:18:09 +00:00 · 2019-07-25 21:18:09 +00:00 · ea444bfb8a
commit ea444bfb8a
parent c631d28615
9 changed files with 140 additions and 33 deletions
--- a/0043-target-i386-define-md-clear-bit.patch
+++ b/0043-target-i386-define-md-clear-bit.patch
@ -1,21 +1,21 @@
 From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Fri, 1 Mar 2019 21:40:52 +0100
+Date: Wed, 15 May 2019 15:10:10 +0100
 Subject: target/i386: define md-clear bit

 md-clear is a new CPUID bit which is set when microcode provides the
 mechanism to invoke a flush of various exploitable CPU buffers by invoking
-the VERW instruction.  Add the new feature, and pass it down to
-Hypervisor.framework guests.
+the VERW instruction.

 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Message-Id: <20190515141011.5315-2-berrange@redhat.com>
+Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
+(cherry picked from commit b2ae52101fca7f9547ac2f388085dbc58f8fe1c0)
 [BR: BSC#1111331 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130
 CVE-2019-11091]
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---
 target/i386/cpu.c | 2 +-
- target/i386/cpu.h           | 1 +
- target/i386/hvf/x86_cpuid.c | 3 ++-
- 3 files changed, 4 insertions(+), 2 deletions(-)
+ 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/target/i386/cpu.c b/target/i386/cpu.c
 index d6bb57d210..4ea78a4939 100644
@ -30,29 +30,3 @@ index d6bb57d210..4ea78a4939 100644
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
-diff --git a/target/i386/cpu.h b/target/i386/cpu.h
-index 572290c3d6..d3bd0943ec 100644
--- a/target/i386/cpu.h
-+++ b/target/i386/cpu.h
-@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
- 
- #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
- #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
-+#define CPUID_7_0_EDX_MD_CLEAR      (1U << 10) /* Microarchitectural Data Clear */
- #define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Speculation Control */
- #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)  /*Arch Capabilities*/
- #define CPUID_7_0_EDX_SPEC_CTRL_SSBD  (1U << 31) /* Speculative Store Bypass Disable */
-diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c
-index 4d957fe896..b453552fb4 100644
--- a/target/i386/hvf/x86_cpuid.c
-+++ b/target/i386/hvf/x86_cpuid.c
-@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx,
-             }
- 
-             ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ;
-            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS;
-+            edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \
-+                   CPUID_7_0_EDX_MD_CLEAR;
-         } else {
-             ebx = 0;
-             ecx = 0;
--- a/0049-qxl-check-release-info-object.patch
+++ b/0049-qxl-check-release-info-object.patch
@ -0,0 +1,33 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: qxl: check release info object
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
+[LY: BSC#1135902 CVE-2019-12155]
+Signed-off-by: Liang Yan <lyan@suse.com>
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 5c38e6e906..3880a7410b 100644
+--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
+@@ -768,6 +768,9 @@ static void interface_release_resource(QXLInstance *sin,
+     uint32_t prod;
+     uint64_t id;
+ 
+    if (!ext.info) {
+        return;
+    }
+     if (ext.group_id == MEMSLOT_GROUP_HOST) {
+         /* host group -> vga mode update request */
+         QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
--- a/0050-qemu-bridge-helper-restrict-interfa.patch
+++ b/0050-qemu-bridge-helper-restrict-interfa.patch
@ -0,0 +1,48 @@
+From: Liang Yan <lyan@suse.com>
+Date: Thu, 25 Jul 2019 13:28:26 -0400
+Subject: qemu-bridge-helper: restrict interface name
+
+The interface names in qemu-bridge-helper are defined to be
+of size IFNAMSIZ(=16), including the terminating null('\0') byte.
+The same is applied to interface names read from 'bridge.conf'
+file to form ACLs rules. If user supplied '--br=bridge' name
+is not restricted to the same length, it could lead to ACL bypass
+issue. Restrict bridge name to IFNAMSIZ, including null byte.
+
+Reported-by: Riccardo Schirone <rschiron@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+[LY: BSC#1140402 CVE-2019-13164]
+Signed-off-by: Liang Yan <lyan@suse.com>
+---
+ qemu-bridge-helper.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/qemu-bridge-helper.c b/qemu-bridge-helper.c
+index cafe2bf27b..8ae6104ec4 100644
+--- a/qemu-bridge-helper.c
+++ b/qemu-bridge-helper.c
+@@ -109,6 +109,13 @@ static int parse_acl_file(const char *filename, ACLList *acl_list)
+         }
+         *argend = 0;
+ 
+        if (!g_str_equal(cmd, "include") && strlen(arg) >= IFNAMSIZ) {
+            fprintf(stderr, "name `%s' too long: %zu\n", arg, strlen(arg));
+            fclose(f);
+            errno = EINVAL;
+            return -1;
+        }
+
+         if (strcmp(cmd, "deny") == 0) {
+             acl_rule = calloc(1, sizeof(*acl_rule));
+             if (!acl_rule) {
+@@ -264,6 +271,10 @@ int main(int argc, char **argv)
+             return EXIT_FAILURE;
+         }
+     }
+    if (strlen(bridge) >= IFNAMSIZ) {
+        fprintf(stderr, "name `%s' too long: %zu\n", bridge, strlen(bridge));
+        return EXIT_FAILURE;
+    }
+ 
+     if (bridge == NULL || unixfd == -1) {
+         usage();
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@ -1,4 +1,13 @@
 -------------------------------------------------------------------
+Thu Jul 25 20:51:24 UTC 2019 - Liang Yan <lyan@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+* Patches added:
+  0049-qxl-check-release-info-object.patch
+  0050-qemu-bridge-helper-restrict-interfa.patch
+* Patches changed:
+  0043-target-i386-define-md-clear-bit.patch
+-------------------------------------------------------------------
 Wed May 29 16:03:58 UTC 2019 - Bruce Rogers <brogers@suse.com>

 - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
@ -82,6 +82,8 @@ Patch0045:      0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046:      0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047:      0047-configure-only-populate-roms-if-sof.patch
 Patch0048:      0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049:      0049-qxl-check-release-info-object.patch
+Patch0050:      0050-qemu-bridge-helper-restrict-interfa.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch:    s390
@ -160,6 +162,8 @@ syscall layer occurs on the native hardware and operating system.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1

 %build
 %define _lto_cflags %{nil}
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@ -1,3 +1,21 @@
+-------------------------------------------------------------------
+Thu Jul 25 20:51:23 UTC 2019 - Liang Yan <lyan@suse.com>
+
+- Security fix for null pointer dereference while releasing spice resources
+  (CVE-2019-12155, bsc#1135902)
+  0049-qxl-check-release-info-object.patch
+- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
+  (CVE-2019-13164, bsc#1140402)
+  0050-qemu-bridge-helper-restrict-interfa.patch
+- Replace patch 0043 with an upstream version
+  0043-target-i386-define-md-clear-bit.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+
+-------------------------------------------------------------------
+Tue Jun 11 09:47:44 UTC 2019 - Christian Goll <cgoll@suse.com>
+
+- fixed regression for ksm.service was (bsc#1112646) 
+
 -------------------------------------------------------------------
 Mon Jun 10 16:41:24 UTC 2019 - Bruce Rogers <brogers@suse.com>

--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@ -192,6 +192,8 @@ Patch0045:      0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046:      0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047:      0047-configure-only-populate-roms-if-sof.patch
 Patch0048:      0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049:      0049-qxl-check-release-info-object.patch
+Patch0050:      0050-qemu-bridge-helper-restrict-interfa.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.

@ -1009,6 +1011,8 @@ This package provides a service file for starting and stopping KSM.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1

 pushd roms/seabios
 %patch1100 -p1
--- a/qemu.changes
+++ b/qemu.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Jul 25 20:51:23 UTC 2019 - Liang Yan <lyan@suse.com>
+
+- Security fix for null pointer dereference while releasing spice resources
+  (CVE-2019-12155, bsc#1135902)
+  0049-qxl-check-release-info-object.patch
+- Security fix for qemu-bridge-helper ACL can be bypassed when names are too long
+  (CVE-2019-13164, bsc#1140402)
+  0050-qemu-bridge-helper-restrict-interfa.patch
+- Replace patch 0043 with an upstream version
+  0043-target-i386-define-md-clear-bit.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.0
+
 -------------------------------------------------------------------
 Tue Jun 11 09:47:44 UTC 2019 - Christian Goll <cgoll@suse.com>

--- a/qemu.spec
+++ b/qemu.spec
@ -192,6 +192,8 @@ Patch0045:      0045-kbd-state-fix-autorepeat-handling.patch
 Patch0046:      0046-target-ppc-ensure-we-get-null-termi.patch
 Patch0047:      0047-configure-only-populate-roms-if-sof.patch
 Patch0048:      0048-pc-bios-s390-ccw-net-avoid-warning-.patch
+Patch0049:      0049-qxl-check-release-info-object.patch
+Patch0050:      0050-qemu-bridge-helper-restrict-interfa.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.

@ -1009,6 +1011,8 @@ This package provides a service file for starting and stopping KSM.
 %patch0046 -p1
 %patch0047 -p1
 %patch0048 -p1
+%patch0049 -p1
+%patch0050 -p1

 pushd roms/seabios
 %patch1100 -p1