Accepting request 689893 from home:bfrogers:branches:Virtualization

Upstream changed the fix for a security bug. Adjust accordingly. Sorry for the churn!

OBS-URL: https://build.opensuse.org/request/show/689893
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=462

0065-spapr-Simplify-handling-of-host-ser.patch

@@ -0,0 +1,167 @@
+From: David Gibson <david@gibson.dropbear.id.au>
+Date: Wed, 27 Mar 2019 13:54:11 +1100
+Subject: spapr: Simplify handling of host-serial and host-model values
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+27461d69a0f "ppc: add host-serial and host-model machine attributes
+(CVE-2019-8934)" introduced 'host-serial' and 'host-model' machine
+properties for spapr to explicitly control the values advertised to the
+guest in device tree properties with the same names.
+
+The previous behaviour on KVM was to unconditionally populate the device
+tree with the real host serial number and model, which leaks possibly
+sensitive information about the host to the guest.
+
+To maintain compatibility for old machine types, we allowed those props
+to be set to "passthrough" to take the value from the host as before.  Or
+they could be set to "none" to explicitly omit the device tree items.
+
+Special casing specific values on what's otherwise a user supplied string
+is very ugly.  So, this patch simplifies things by implementing the
+backwards compatibility in a different way: we have a machine class flag
+set for the older machines, and we only load the host values into the
+device tree if A) they're not set by the user and B) we have that flag set.
+
+This does mean that the "passthrough" functionality is no longer available
+with the current machine type.  That's ok though: if a user or management
+layer really wants the information passed through they can read it
+themselves (OpenStack Nova already does something similar for x86).
+
+It also means the user can't explicitly ask for the values to be omitted
+on the old machine types.  I think that's an acceptable trade-off: if you
+care enough about not leaking the host information you can either move to
+the new machine type, or use a dummy value for the properties.
+
+For the new machine type, this also removes an odd inconsistency
+between running on a POWER and non-POWER (or non-Linux) hosts: if the
+host information couldn't be read from where we expect (in the host's
+device tree as exposed by Linux), we'd fallback to omitting the guest
+device tree items.
+
+While we're there, improve some poorly worded comments, and the help text
+for the properties.
+
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Tested-by: Greg Kurz <groug@kaod.org>
+(cherry picked from commit 0a794529bd1109aeea0c407784b40a2605e808b9)
+[BR: BSC#1126455 CVE-2019-03812]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/ppc/spapr.c         | 56 +++++++++++++++---------------------------
+ include/hw/ppc/spapr.h |  1 +
+ 2 files changed, 21 insertions(+), 36 deletions(-)
+
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
+index d3098d520e..b60e1702fc 100644
+--- a/hw/ppc/spapr.c
++++ b/hw/ppc/spapr.c
+@@ -1240,38 +1240,8 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
+     _FDT(fdt_setprop_string(fdt, 0, "model", "IBM pSeries (emulated by qemu)"));
+     _FDT(fdt_setprop_string(fdt, 0, "compatible", "qemu,pseries"));
+ 
+-    /*
+-     * Add info to guest to indentify which host is it being run on
+-     * and what is the uuid of the guest
+-     */
+-    if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
+-        if (g_str_equal(spapr->host_model, "passthrough")) {
+-            /* -M host-model=passthrough */
+-            if (kvmppc_get_host_model(&buf)) {
+-                _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+-                g_free(buf);
+-            }
+-        } else {
+-            /* -M host-model=<user-string> */
+-            _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
+-        }
+-    }
+-
+-    if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
+-        if (g_str_equal(spapr->host_serial, "passthrough")) {
+-            /* -M host-serial=passthrough */
+-            if (kvmppc_get_host_serial(&buf)) {
+-                _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+-                g_free(buf);
+-            }
+-        } else {
+-            /* -M host-serial=<user-string> */
+-            _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
+-        }
+-    }
+-
++    /* Guest UUID & Name*/
+     buf = qemu_uuid_unparse_strdup(&qemu_uuid);
+-
+     _FDT(fdt_setprop_string(fdt, 0, "vm,uuid", buf));
+     if (qemu_uuid_set) {
+         _FDT(fdt_setprop_string(fdt, 0, "system-id", buf));
+@@ -1283,6 +1253,21 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
+                                 qemu_get_vm_name()));
+     }
+ 
++    /* Host Model & Serial Number */
++    if (spapr->host_model) {
++        _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
++    } else if (smc->broken_host_serial_model && kvmppc_get_host_model(&buf)) {
++        _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
++        g_free(buf);
++    }
++
++    if (spapr->host_serial) {
++        _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
++    } else if (smc->broken_host_serial_model && kvmppc_get_host_serial(&buf)) {
++        _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
++        g_free(buf);
++    }
++
+     _FDT(fdt_setprop_cell(fdt, 0, "#address-cells", 2));
+     _FDT(fdt_setprop_cell(fdt, 0, "#size-cells", 2));
+ 
+@@ -3119,12 +3104,12 @@ static void spapr_instance_init(Object *obj)
+         spapr_get_host_model, spapr_set_host_model,
+         &error_abort);
+     object_property_set_description(obj, "host-model",
+-        "Set host's model-id to use - none|passthrough|string", &error_abort);
++        "Host model to advertise in guest device tree", &error_abort);
+     object_property_add_str(obj, "host-serial",
+         spapr_get_host_serial, spapr_set_host_serial,
+         &error_abort);
+     object_property_set_description(obj, "host-serial",
+-        "Set host's system-id to use - none|passthrough|string", &error_abort);
++        "Host serial number to advertise in guest device tree", &error_abort);
+ }
+ 
+ static void spapr_machine_finalizefn(Object *obj)
+@@ -4019,14 +4004,13 @@ static const TypeInfo spapr_machine_info = {
+  */
+ static void spapr_machine_3_1_instance_options(MachineState *machine)
+ {
+-    sPAPRMachineState *spapr = SPAPR_MACHINE(machine);
+-    spapr->host_model = g_strdup("passthrough");
+-    spapr->host_serial = g_strdup("passthrough");
+ }
+ 
+ static void spapr_machine_3_1_class_options(MachineClass *mc)
+ {
+     /* Defaults for the latest behaviour inherited from the base class */
++    sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
++    smc->broken_host_serial_model = true;
+ }
+ 
+ DEFINE_SPAPR_MACHINE(3_1, "3.1", true);
+diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
+index 63692a13bd..d3142e0d26 100644
+--- a/include/hw/ppc/spapr.h
++++ b/include/hw/ppc/spapr.h
+@@ -105,6 +105,7 @@ struct sPAPRMachineClass {
+     bool use_ohci_by_default;  /* use USB-OHCI instead of XHCI */
+     bool pre_2_10_has_unused_icps;
+     bool legacy_irq_allocation;
++    bool broken_host_serial_model; /* present real host info to the guest */
+ 
+     void (*phb_placement)(sPAPRMachineState *spapr, uint32_t index,
+                           uint64_t *buid, hwaddr *pio, 

qemu-linux-user.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Mar 29 13:13:59 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+* Patches added:
+  0065-spapr-Simplify-handling-of-host-ser.patch
+
 -------------------------------------------------------------------
 Wed Mar 27 16:59:53 UTC 2019 - Bruce Rogers <brogers@suse.com>
 

qemu-linux-user.spec

@@ -96,6 +96,7 @@ Patch0061:      0061-slirp-check-sscanf-result-when-emul.patch
 Patch0062:      0062-ppc-add-host-serial-and-host-model-.patch
 Patch0063:      0063-i2c-ddc-fix-oob-read.patch
 Patch0064:      0064-device_tree.c-Don-t-use-load_image.patch
+Patch0065:      0065-spapr-Simplify-handling-of-host-ser.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch:    s390
@@ -191,6 +192,7 @@ syscall layer occurs on the native hardware and operating system.
 %patch0062 -p1
 %patch0063 -p1
 %patch0064 -p1
+%patch0065 -p1
 
 %build
 ./configure \

qemu-testsuite.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Mar 29 13:13:57 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Adjust fix for CVE-2019-8934 (bsc#1126455) to match the latest
+  upstream adjustments for the same. Basically now the security fix
+  is to provide a dummy host-model and host-serial value, which
+  overrides getting that value from the host
+  0065-spapr-Simplify-handling-of-host-ser.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+
 -------------------------------------------------------------------
 Wed Mar 27 16:59:46 UTC 2019 - Bruce Rogers <brogers@suse.com>
 

qemu-testsuite.spec

@@ -207,6 +207,7 @@ Patch0061:      0061-slirp-check-sscanf-result-when-emul.patch
 Patch0062:      0062-ppc-add-host-serial-and-host-model-.patch
 Patch0063:      0063-i2c-ddc-fix-oob-read.patch
 Patch0064:      0064-device_tree.c-Don-t-use-load_image.patch
+Patch0065:      0065-spapr-Simplify-handling-of-host-ser.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -1011,6 +1012,7 @@ This package provides a service file for starting and stopping KSM.
 %patch0062 -p1
 %patch0063 -p1
 %patch0064 -p1
+%patch0065 -p1
 
 pushd roms/seabios
 %patch1100 -p1

qemu.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Mar 29 13:13:57 UTC 2019 - Bruce Rogers <brogers@suse.com>
+
+- Adjust fix for CVE-2019-8934 (bsc#1126455) to match the latest
+  upstream adjustments for the same. Basically now the security fix
+  is to provide a dummy host-model and host-serial value, which
+  overrides getting that value from the host
+  0065-spapr-Simplify-handling-of-host-ser.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+
 -------------------------------------------------------------------
 Wed Mar 27 16:59:46 UTC 2019 - Bruce Rogers <brogers@suse.com>
 

qemu.spec

@@ -207,6 +207,7 @@ Patch0061:      0061-slirp-check-sscanf-result-when-emul.patch
 Patch0062:      0062-ppc-add-host-serial-and-host-model-.patch
 Patch0063:      0063-i2c-ddc-fix-oob-read.patch
 Patch0064:      0064-device_tree.c-Don-t-use-load_image.patch
+Patch0065:      0065-spapr-Simplify-handling-of-host-ser.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -1011,6 +1012,7 @@ This package provides a service file for starting and stopping KSM.
 %patch0062 -p1
 %patch0063 -p1
 %patch0064 -p1
+%patch0065 -p1
 
 pushd roms/seabios
 %patch1100 -p1