forked from pool/qemu

Accepting request 536899 from home:bfrogers:branches:Virtualization

Add note about QED format support being withdrawn.
Also add a few more security fixes

OBS-URL: https://build.opensuse.org/request/show/536899
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=372
Bruce Rogers 2017-10-26 14:38:26 +00:00 committed by Git OBS Bridge
parent e3edfcd663
commit 40d6206ff1
13 changed files with 288 additions and 28 deletions

View File

@ -0,0 +1,77 @@
From e0032c4d69b0c6b3eeeded2ab496db61c4632e46 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Wed, 18 Oct 2017 14:51:33 -0600
Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accepts more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.
This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.
This issue is assigned CVE-2017-15268, publically reported in
https://bugs.launchpad.net/qemu/+bug/1718964
(cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493)
Reviewed-by: Eric Blake <eblake@redhat.com>
[Dan: Added extra checks to deal with code refactored in master but
not stable 2.10]
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[BR: BSC#1062942 CVE-2017-15268]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
io/channel-websock.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/io/channel-websock.c b/io/channel-websock.c
index 5a3badbec2..19116dc148 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
#include "trace.h"
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
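Review bot: the corrected test `if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER)` is repeated verbatim in the two hunks that follow for `_check` and `_dispatch`, and a stale `rawoutput` name surviving unnoticed in three copies is exactly how this bug arose; computing the G_IO_IN/G_IO_OUT condition once in a static helper called from all three GSource callbacks would stop them drifting apart again. Worth confirming, since it is outside this hunk, that the write path also refuses to append to encoutput once it reaches QIO_CHANNEL_WEBSOCK_MAX_BUFFER: the change here only stops the GSource from reporting writability, it does not itself cap the buffer, so a caller that writes without waiting for G_IO_OUT could still grow it.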
@@ -1022,7 +1022,7 @@ qio_channel_websock_source_check(GSource *source)
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
@@ -1041,7 +1041,7 @@ qio_channel_websock_source_dispatch(GSource *source,
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}

View File

@ -0,0 +1,57 @@
From f3c7b39cec549039b89fa1c6b2ab238b4bac1a97 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 18 Oct 2017 14:54:15 -0600
Subject: [PATCH] cirrus: fix oob access in mode4and5 write functions
Move dst calculation into the loop, so we apply the mask on each
interation and will not overflow vga memory.
Cc: Prasad J Pandit <pjp@fedoraproject.org>
Reported-by: Niu Guoxiang <niuguoxiang@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20171011084314.21752-1-kraxel@redhat.com
[BR: BSC#1063122 CVE-2017-15289]
Signed-off-by: Bruce Rogers <brogers@suse.com
---
hw/display/cirrus_vga.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index afc290ab91..077a8cb74f 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -2038,15 +2038,14 @@ static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
} else if (mode == 5) {
*dst = s->cirrus_shadow_gr0;
}
val <<= 1;
- dst++;
}
memory_region_set_dirty(&s->vga.vram, offset, 8);
}
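Review bot: the removed line `dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);` also masked `offset` in place, so the unchanged `memory_region_set_dirty(&s->vga.vram, offset, 8);` at the end of this hunk now receives the unmasked value; either the caller must already guarantee `offset` lies within cirrus_addr_mask, or the dirty call should apply `& s->cirrus_addr_mask` as well. The per-iteration `(offset + x) & s->cirrus_addr_mask` correctly bounds the writes themselves; note that it wraps to the start of VRAM rather than stopping, so a write straddling the end of the masked range lands partly at offset 0 while the dirty region still covers 8 bytes from `offset`. That is harmless for memory safety but deserves a comment.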
@@ -2060,8 +2059,8 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
unsigned val = mem_value;
uint8_t *dst;
- dst = s->vga.vram_ptr + (offset &= s->cirrus_addr_mask);
for (x = 0; x < 8; x++) {
+ dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
if (val & 0x80) {
*dst = s->cirrus_shadow_gr1;
*(dst + 1) = s->vga.gr[0x11];
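Review bot: the `& ~1` in `dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);` is what keeps the second byte written through `*(dst + 1)` inside VRAM: with `dst` forced even, `dst + 1` cannot step past the masked range provided cirrus_addr_mask has its low bit set. A one-line comment stating that invariant would save the next reader from re-deriving it, since the 8bpp variant above needs no such adjustment and the difference is easy to mistake for an oversight.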
@@ -2070,7 +2069,6 @@ static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
*(dst + 1) = s->vga.gr[0x10];
}
val <<= 1;
- dst += 2;
}
memory_region_set_dirty(&s->vga.vram, offset, 16);
}
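Review bot: the trailer `Signed-off-by: Bruce Rogers <brogers@suse.com` in this patch's header is missing its closing `>`, which trips tools that parse trailers; the same line in the 0040 and 0042 patches is correct, so this looks like a copy-paste slip in the backport. As in the 8bpp hunk, `memory_region_set_dirty(&s->vga.vram, offset, 16);` here now receives an `offset` that the removed assignment no longer masks.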

View File

@ -0,0 +1,43 @@
From 89a7eced18edb0d38a444abc1b367d241ae6cff8 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 16 Oct 2017 14:21:59 +0200
Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
9p back-end first queries the size of an extended attribute,
allocates space for it via g_malloc() and then retrieves its
value into allocated buffer. Race between querying attribute
size and retrieving its could lead to memory bytes disclosure.
Use g_malloc0() to avoid it.
Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 7bd92756303f2158a68d5166264dc30139b813b6)
[BR: BSC#1062069 CVE-2017-15038]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 8e9490c5f5..c41c0eb106 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3236,7 +3236,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
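Review bot: switching to `g_malloc0(size)` stops uninitialised heap bytes from reaching the guest when the attribute shrinks between the size query and `v9fs_co_llistxattr`, but it pads the result with zeros instead of correcting the length: `err` holds the number of bytes actually retrieved, so the code after this hunk (not visible here) should take `xattr_fidp->fs.xattr.len` from `err` when it is smaller than `size`, and the opposite race (attribute grew, value truncated to `size`) deserves an explicit comment. The second hunk for `v9fs_co_lgetxattr` has the same shape and the same follow-up.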
@@ -3269,7 +3269,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
&name, xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Thu Oct 19 21:58:01 UTC 2017 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
* Patches added:
0040-io-monitor-encoutput-buffer-size-fr.patch
0041-cirrus-fix-oob-access-in-mode4and5-.patch
0042-9pfs-use-g_malloc0-to-allocate-spac.patch
-------------------------------------------------------------------
Tue Oct 3 21:07:30 UTC 2017 - brogers@suse.com
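Review bot: this qemu-linux-user.changes entry lists the three new patches but, unlike the qemu.changes entry in the same request, carries no CVE or bsc# references, so an audit of the linux-user package by CVE id will not find them; mirroring the `Fix DoS in I/O channel websockets (CVE-2017-15268 bsc#1062942)` style lines here would keep both changelogs searchable the same way.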

View File

@ -65,6 +65,9 @@ Patch0036: 0036-io-fix-temp-directory-used-by-test-.patch
Patch0037: 0037-io-fix-check-for-handshake-completi.patch
Patch0038: 0038-crypto-fix-test-cert-generation-to-.patch
Patch0039: 0039-vhost-user-disable-the-broken-subpr.patch
Patch0040: 0040-io-monitor-encoutput-buffer-size-fr.patch
Patch0041: 0041-cirrus-fix-oob-access-in-mode4and5-.patch
Patch0042: 0042-9pfs-use-g_malloc0-to-allocate-spac.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
Source400: update_git.sh
@ -157,6 +160,9 @@ run cross-architecture builds.
%patch0037 -p1
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%build
./configure \

View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Thu Oct 19 21:57:57 UTC 2017 - brogers@suse.com
- Add announcement in support docs about qed storage format no
longer being supported in next major SLE release (SLE15)
(fate#324200)
- Address various security/stability issues
* Fix DoS in I/O channel websockets (CVE-2017-15268 bsc#1062942)
0040-io-monitor-encoutput-buffer-size-fr.patch
* Fix OOB access in cirrus vga device emulation (CVE-2017-15289
bsc#1063122)
0041-cirrus-fix-oob-access-in-mode4and5-.patch
* Fix information leak in 9pfs interface (CVE-2017-15038 bsc#1062069)
0042-9pfs-use-g_malloc0-to-allocate-spac.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
-------------------------------------------------------------------
Mon Oct 16 14:50:03 UTC 2017 - brogers@suse.com

View File

@ -184,6 +184,9 @@ Patch0036: 0036-io-fix-temp-directory-used-by-test-.patch
Patch0037: 0037-io-fix-check-for-handshake-completi.patch
Patch0038: 0038-crypto-fix-test-cert-generation-to-.patch
Patch0039: 0039-vhost-user-disable-the-broken-subpr.patch
Patch0040: 0040-io-monitor-encoutput-buffer-size-fr.patch
Patch0041: 0041-cirrus-fix-oob-access-in-mode4and5-.patch
Patch0042: 0042-9pfs-use-g_malloc0-to-allocate-spac.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -887,6 +890,9 @@ This package provides a service file for starting and stopping KSM.
%patch0037 -p1
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
pushd roms/ipxe
%patch1100 -p1

View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Thu Oct 19 21:57:57 UTC 2017 - brogers@suse.com
- Add announcement in support docs about qed storage format no
longer being supported in next major SLE release (SLE15)
(fate#324200)
- Address various security/stability issues
* Fix DoS in I/O channel websockets (CVE-2017-15268 bsc#1062942)
0040-io-monitor-encoutput-buffer-size-fr.patch
* Fix OOB access in cirrus vga device emulation (CVE-2017-15289
bsc#1063122)
0041-cirrus-fix-oob-access-in-mode4and5-.patch
* Fix information leak in 9pfs interface (CVE-2017-15038 bsc#1062069)
0042-9pfs-use-g_malloc0-to-allocate-spac.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
-------------------------------------------------------------------
Mon Oct 16 14:50:03 UTC 2017 - brogers@suse.com

View File

@ -184,6 +184,9 @@ Patch0036: 0036-io-fix-temp-directory-used-by-test-.patch
Patch0037: 0037-io-fix-check-for-handshake-completi.patch
Patch0038: 0038-crypto-fix-test-cert-generation-to-.patch
Patch0039: 0039-vhost-user-disable-the-broken-subpr.patch
Patch0040: 0040-io-monitor-encoutput-buffer-size-fr.patch
Patch0041: 0041-cirrus-fix-oob-access-in-mode4and5-.patch
Patch0042: 0042-9pfs-use-g_malloc0-to-allocate-spac.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -200,7 +203,7 @@ Patch1200: sgabios-stable-buildid.patch
# SLOF (Currently no patches)
# skiboot (OPAL)
# skiboot
Patch1400: skiboot-GCC7-fixes-for-Wimplicit-fallthr.patch
Patch1401: skiboot-libc-stdio-vsnprintf.c-add-expli.patch
@ -887,6 +890,9 @@ This package provides a service file for starting and stopping KSM.
%patch0037 -p1
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
pushd roms/ipxe
%patch1100 -p1

View File

@ -182,6 +182,12 @@ Deprecated, Superseded, Modified and Dropped Features
- The previously supported blkdev-add QMP command has been flagged as lacking
and could possibly change syntax in the future.
- Due to upstream's decision to no longer fully support the qed storage format
going forward (since it really provides no benefit over qcow2 and is now no
longer actively maintained upstream), creating qed storage images is no longer
supported and it is highly discouraged to continuing to use existing qed
images. They should instead be converted to another supported format.
QEMU Command-Line and Monitor Syntax and Support
------------------------------------------------
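Review bot: the added sentence `supported and it is highly discouraged to continuing to use existing qed` reads awkwardly; "continuing to use existing qed images is strongly discouraged" would be cleaner, and the same sentence is added to the ppc64, s390x and x86 files in this request, so all four copies want the fix. Since the paragraph tells admins to convert existing images, naming the tool (`qemu-img convert -O qcow2 <in.qed> <out.qcow2>`) would make the advice actionable.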
@ -189,10 +195,10 @@ QEMU Command-Line and Monitor Syntax and Support
qemu-system-aarch64 [options]
Where 'options' are taken from the options listed below.
The images used with -drive or -cdrom, may be in the raw (no format), qcow2
or qed storage formats, and may be located in files within the host
filesystem, logical volumes, host physical disks, or network based storage.
Read only media may also be accessed via URL style protocol specifiers.
The images used with -drive or -cdrom, may be in the raw (no format) or qcow2
storage formats, and may be located in files within the host filesystem,
logical volumes, host physical disks, or network based storage. Read only
media may also be accessed via URL style protocol specifiers.
Note that as a general rule, as new command line options are added which serve
to replace an older option or interface, you are strongly encouraged to adapt
@ -234,7 +240,7 @@ QEMU Command-Line and Monitor Syntax and Support
virtio-scsi|virtio-rng|e1000-82540em)
-dfilter range, ...
-display ...
-drive ... (if specified if=[virtio] and format=[qcow2|qed|raw] and
-drive ... (if specified if=[virtio] and format=[qcow2|raw] and
snapshot=off only)
-echr ...
-enable-fips
@ -597,8 +603,8 @@ QEMU Command-Line and Monitor Syntax and Support
(note that some of these device names represent supported devices and
are used internally, but are not specifyable via -device even though
they appear in the list of devices)
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
or raw]
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
raw]
-dtb file
-enable-hax
-fda/-fdb ...

View File

@ -182,6 +182,12 @@ Deprecated, Superseded, Modified and Dropped Features
- The previously supported blkdev-add QMP command has been flagged as lacking
and could possibly change syntax in the future.
- Due to upstream's decision to no longer fully support the qed storage format
going forward (since it really provides no benefit over qcow2 and is now no
longer actively maintained upstream), creating qed storage images is no longer
supported and it is highly discouraged to continuing to use existing qed
images. They should instead be converted to another supported format.
QEMU Command-Line and Monitor Syntax and Support
------------------------------------------------
@ -189,10 +195,10 @@ QEMU Command-Line and Monitor Syntax and Support
qemu-system-ppc64 [options]
Where 'options' are taken from the options listed below.
The images used with -drive or -cdrom, may be in the raw (no format), qcow2
or qed storage formats, and may be located in files within the host
filesystem, logical volumes, host physical disks, or network based storage.
Read only media may also be accessed via URL style protocol specifiers.
The images used with -drive or -cdrom, may be in the raw (no format) or qcow2
storage formats, and may be located in files within the host filesystem,
logical volumes, host physical disks, or network based storage. Read only
media may also be accessed via URL style protocol specifiers.
Note that as a general rule, as new command line options are added which serve
to replace an older option or interface, you are strongly encouraged to adapt
@ -234,7 +240,7 @@ QEMU Command-Line and Monitor Syntax and Support
virtio-scsi|virtio-rng|e1000-82540em)
-dfilter range, ...
-display ...
-drive ... (if specified if=[virtio] and format=[qcow2|qed|raw] and
-drive ... (if specified if=[virtio] and format=[qcow2|raw] and
snapshot=off only)
-echr ...
-enable-fips
@ -547,8 +553,8 @@ QEMU Command-Line and Monitor Syntax and Support
(note that some of these device names represent supported devices and
are used internally, but are not specifyable via -device even though
they appear in the list of devices)
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
or raw]
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
raw]
-dtb file
-enable-hax
-fda/-fdb ...

View File

@ -183,6 +183,12 @@ Deprecated, Superseded, Modified and Dropped Features
- The previously supported blkdev-add QMP command has been flagged as lacking
and could possibly change syntax in the future.
- Due to upstream's decision to no longer fully support the qed storage format
going forward (since it really provides no benefit over qcow2 and is now no
longer actively maintained upstream), creating qed storage images is no longer
supported and it is highly discouraged to continuing to use existing qed
images. They should instead be converted to another supported format.
QEMU Command-Line and Monitor Syntax and Support
------------------------------------------------
@ -190,10 +196,10 @@ QEMU Command-Line and Monitor Syntax and Support
qemu-system-s390x [options]
Where 'options' are taken from the options listed below.
The images used with -drive or -cdrom, may be in the raw (no format), qcow2
or qed storage formats, and may be located in files within the host
filesystem, logical volumes, host physical disks, or network based storage.
Read only media may also be accessed via URL style protocol specifiers.
The images used with -drive or -cdrom, may be in the raw (no format) or qcow2
storage formats, and may be located in files within the host filesystem,
logical volumes, host physical disks, or network based storage. Read only
media may also be accessed via URL style protocol specifiers.
Note that as a general rule, as new command line options are added which serve
to replace an older option or interface, you are strongly encouraged to adapt
@ -230,7 +236,7 @@ QEMU Command-Line and Monitor Syntax and Support
virtio-net|virtio-serial|virtio-balloon|virtio-scsi|virtio-rng)
-dfilter range, ...
-display ...
-drive ... (if specified if=[virtio] and format=[qcow2|qed|raw] and
-drive ... (if specified if=[virtio] and format=[qcow2|raw] and
snapshot=off only)
-echr ...
-enable-fips
@ -557,8 +563,8 @@ QEMU Command-Line and Monitor Syntax and Support
(note that some of these device names represent supported devices and
are used internally, but are not specifyable via -device even though
they appear in the list of devices)
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
or raw]
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
raw]
-dtb file
-enable-hax
-fda/-fdb ...

View File

@ -274,6 +274,12 @@ Deprecated, Superseded, Modified and Dropped Features
are not supported in this release. The current q35 machine type is however now
fully supported.
- Due to upstream's decision to no longer fully support the qed storage format
going forward (since it really provides no benefit over qcow2 and is now no
longer actively maintained upstream), creating qed storage images is no longer
supported and it is highly discouraged to continuing to use existing qed
images. They should instead be converted to another supported format.
QEMU Command-Line and Monitor Syntax and Support
------------------------------------------------
@ -284,9 +290,9 @@ QEMU Command-Line and Monitor Syntax and Support
Where 'options' are taken from the options listed below, and 'disk_image' is
the file system reference to the the x86 guest's primary IDE based hard disk
image. This image as well as those used with -drive or -cdrom, may be in the
raw (no format), qcow2 or qed storage formats, and may be located in files
within the host filesystem, logical volumes, host physical disks, or network
based storage. Read only media may also be accessed via URL style protocol
raw (no format) or qcow2 storage formats, and may be located in files within
the host filesystem, logical volumes, host physical disks, or network based
storage. Read only media may also be accessed via URL style protocol
specifiers.
Note that as a general rule, as new command line options are added which serve
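Review bot: the context line `the file system reference to the the x86 guest's primary IDE based hard disk` carries a doubled "the"; it is pre-existing rather than introduced by this change, but since the surrounding paragraph is being rewritten anyway it would be cheap to fix in the same hunk.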
@ -333,7 +339,7 @@ QEMU Command-Line and Monitor Syntax and Support
virtio-scsi|virtio-rng|e1000-82540em)
-dfilter range, ...
-display ...
-drive ... (if specified if=[floppy|ide|virtio] and format=[qcow2|qed|raw] and
-drive ... (if specified if=[floppy|ide|virtio] and format=[qcow2|raw] and
snapshot=off only)
-echr ...
-enable-fips
@ -669,8 +675,8 @@ QEMU Command-Line and Monitor Syntax and Support
(note that some of these device names represent supported devices and
are used internally, but are not specifyable via -device even though
they appear in the list of devices)
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2, qed
or raw]
-drive ,if=[scsi|mtd|pflash], snapshot=on, format=[anything besides qcow2 or
raw]
-dtb file
-enable-hax
-g ...