
Accepting request 505145 from home:bfrogers:branches:Virtualization

Latest security fixes, a fix to a security fix, and a tweak to how we select the compiler where size is critical. Also found that we need --no-renames for git format-patch when running our git patch workflow.

OBS-URL: https://build.opensuse.org/request/show/505145
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=345
Bruce Rogers 2017-06-21 01:27:18 +00:00 committed by Git OBS Bridge
parent d95d559950
commit 4849ea9f14
15 changed files with 622 additions and 1 deletions


@ -0,0 +1,102 @@
From 85bc346e1f5d90e1be7147f982e18511304daaeb Mon Sep 17 00:00:00 2001
From: Greg Kurz <groug@kaod.org>
Date: Thu, 25 May 2017 10:30:13 +0200
Subject: [PATCH] 9pfs: local: fix unlink of alien files in mapped-file mode
When trying to remove a file from a directory, both created in non-mapped
mode, the file remains and EBADF is returned to the guest.
This is a regression introduced by commit "df4938a6651b 9pfs: local:
unlinkat: don't follow symlinks" when fixing CVE-2016-9602. It changed the
way we unlink the metadata file from
ret = remove("$dir/.virtfs_metadata/$name");
if (ret < 0 && errno != ENOENT) {
/* Error out */
}
/* Ignore absence of metadata */
to
fd = openat("$dir/.virtfs_metadata")
unlinkat(fd, "$name")
if (ret < 0 && errno != ENOENT) {
/* Error out */
}
/* Ignore absence of metadata */
If $dir was created in non-mapped mode, openat() fails with ENOENT and
we pass -1 to unlinkat(), which fails in turn with EBADF.
We just need to check the return of openat() and ignore ENOENT, in order
to restore the behaviour we had with remove().
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
[groug: rewrote the comments as suggested by Eric]
(cherry picked from commit 6a87e7929f97b86c5823d4616fa1aa7636b2f116)
[BR: Fix and/or infrastructure for BSC#1020427 CVE-2016-9602]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p-local.c | 34 +++++++++++++++-------------------
1 file changed, 15 insertions(+), 19 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index a2486566af..226234d386 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -992,6 +992,14 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
int map_dirfd;
+ /* We need to remove the metadata as well:
+ * - the metadata directory if we're removing a directory
+ * - the metadata file in the parent's metadata directory
+ *
+ * If any of these are missing (ie, ENOENT) then we're probably
+ * trying to remove something that wasn't created in mapped-file
+ * mode. We just ignore the error.
+ */
if (flags == AT_REMOVEDIR) {
int fd;
@@ -999,32 +1007,20 @@ static int local_unlinkat_common(FsContext *ctx, int dirfd, const char *name,
if (fd == -1) {
goto err_out;
}
- /*
- * If directory remove .virtfs_metadata contained in the
- * directory
- */
ret = unlinkat(fd, VIRTFS_META_DIR, AT_REMOVEDIR);
close_preserve_errno(fd);
if (ret < 0 && errno != ENOENT) {
- /*
- * We didn't had the .virtfs_metadata file. May be file created
- * in non-mapped mode ?. Ignore ENOENT.
- */
goto err_out;
}
}
- /*
- * Now remove the name from parent directory
- * .virtfs_metadata directory.
- */
map_dirfd = openat_dir(dirfd, VIRTFS_META_DIR);
- ret = unlinkat(map_dirfd, name, 0);
- close_preserve_errno(map_dirfd);
- if (ret < 0 && errno != ENOENT) {
- /*
- * We didn't had the .virtfs_metadata file. May be file created
- * in non-mapped mode ?. Ignore ENOENT.
- */
+ if (map_dirfd != -1) {
+ ret = unlinkat(map_dirfd, name, 0);
+ close_preserve_errno(map_dirfd);
+ if (ret < 0 && errno != ENOENT) {
+ goto err_out;
+ }
+ } else if (errno != ENOENT) {
goto err_out;
}
}
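Review bot: In the new `else if (errno != ENOENT)` arm at the end of the mapped-file block in local_unlinkat_common, a missing `.virtfs_metadata` directory is skipped without touching `ret`, so `ret` keeps whatever value it held before `openat_dir()` was called. The rest of the function lies outside this hunk, so it should be confirmed that `ret` is reassigned before it is returned on this path. The ENOENT-only tolerance also depends on `openat_dir()` reporting a symlinked or non-directory metadata entry with a different errno, which looks intended given the CVE-2016-9602 context but is not visible here. A short comment on the arm would record the intent, e.g. `/* no metadata dir: parent was not created in mapped-file mode, nothing to unlink */`.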


@ -0,0 +1,113 @@
From e0653c80373f056fa0bd72fb9aef161dac13b1cf Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 19 Jun 2017 16:36:08 -0600
Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame
Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[BR: BSC#1043296 CVE-2017-9503]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 804122ab05..887958481b 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -63,6 +63,7 @@ typedef struct MegasasCmd {
hwaddr pa;
hwaddr pa_size;
+ uint32_t dcmd_opcode;
union mfi_frame *frame;
SCSIRequest *req;
QEMUSGList qsg;
@@ -511,6 +512,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s,
cmd->context &= (uint64_t)0xFFFFFFFF;
}
cmd->count = count;
+ cmd->dcmd_opcode = -1;
s->busy++;
if (s->consumer_pa) {
@@ -1559,22 +1561,21 @@ static const struct dcmd_cmd_tbl_t {
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
{
- int opcode;
int retval = 0;
size_t len;
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
+ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode);
if (megasas_map_dcmd(s, cmd) < 0) {
return MFI_STAT_MEMORY_NOT_AVAILABLE;
}
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
+ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) {
cmdptr++;
}
len = cmd->iov_size;
if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
+ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len);
retval = megasas_dcmd_dummy(s, cmd);
} else {
trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len);
@@ -1589,13 +1590,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
SCSIRequest *req)
{
- int opcode;
int retval = MFI_STAT_OK;
int lun = req->lun;
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun);
- switch (opcode) {
+ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun);
+ switch (cmd->dcmd_opcode) {
case MFI_DCMD_PD_GET_INFO:
retval = megasas_pd_get_info_submit(req->dev, lun, cmd);
break;
@@ -1603,7 +1602,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd,
retval = megasas_ld_get_info_submit(req->dev, lun, cmd);
break;
default:
- trace_megasas_dcmd_internal_invalid(cmd->index, opcode);
+ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode);
retval = MFI_STAT_INVALID_DCMD;
break;
}
@@ -1824,7 +1823,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
{
MegasasCmd *cmd = req->hba_private;
uint8_t *buf;
- uint32_t opcode;
trace_megasas_io_complete(cmd->index, len);
@@ -1834,8 +1832,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
}
buf = scsi_req_get_buf(req);
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
+ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) {
struct mfi_pd_info *info = cmd->iov_buf;
if (info->inquiry_data[0] == 0x7f) {
@@ -1846,7 +1843,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len)
memcpy(info->vpd_page83, buf, len);
}
scsi_req_continue(req);
- } else if (opcode == MFI_DCMD_LD_GET_INFO) {
+ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) {
struct mfi_ld_info *info = cmd->iov_buf;
if (cmd->iov_buf) {
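Review bot: `cmd->dcmd_opcode = -1;` in megasas_enqueue_frame puts an in-band sentinel into a `uint32_t` field whose other values are latched from the guest frame by `le32_to_cpu(cmd->frame->dcmd.opcode)`, so a guest-written opcode of 0xFFFFFFFF cannot be told apart from "not a DCMD". In these hunks that value presumably runs to the table terminator and takes the `megasas_dcmd_dummy()` path, but the follow-up megasas patch on this page uses `cmd->dcmd_opcode != -1` to decide whether a command is internal, so the overlap deserves to be stated in the code. I would document the member, e.g. `uint32_t dcmd_opcode; /* latched once from the guest frame; (uint32_t)-1 means no DCMD */`, or carry the marker in a separate flag. The loop condition `cmdptr->opcode != cmd->dcmd_opcode` now compares against an unsigned value; the type of `cmdptr->opcode` is declared outside the hunk and should be checked for a sign-conversion surprise.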


@ -0,0 +1,123 @@
From 0199dd521a16bff213ee66fe1fb257790006237f Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Sat, 10 Jun 2017 14:04:51 -0600
Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd
This ensures that the request is unref'ed properly, and avoids a
segmentation fault in the new qtest testcase that is added.
Reported-by: Zhangyanyu <zyy4013@stu.ouc.edu.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[BR: BSC#1043296 CVE-2017-9503, dropped testcase from patch]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/megasas.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 887958481b..a0cafe3010 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -607,6 +607,9 @@ static void megasas_reset_frames(MegasasState *s)
static void megasas_abort_command(MegasasCmd *cmd)
{
/* Never abort internal commands. */
+ if (cmd->dcmd_opcode != -1) {
+ return;
+ }
if (cmd->req != NULL) {
scsi_req_cancel(cmd->req);
}
@@ -1014,7 +1017,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
uint64_t pd_size;
uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
uint8_t cmdbuf[6];
- SCSIRequest *req;
size_t len, resid;
if (!cmd->iov_buf) {
@@ -1023,8 +1025,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */
info->vpd_page83[0] = 0x7f;
megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data));
- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
- if (!req) {
+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+ if (!cmd->req) {
trace_megasas_dcmd_req_alloc_failed(cmd->index,
"PD get info std inquiry");
g_free(cmd->iov_buf);
@@ -1033,26 +1035,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun,
}
trace_megasas_dcmd_internal_submit(cmd->index,
"PD get info std inquiry", lun);
- len = scsi_req_enqueue(req);
+ len = scsi_req_enqueue(cmd->req);
if (len > 0) {
cmd->iov_size = len;
- scsi_req_continue(req);
+ scsi_req_continue(cmd->req);
}
return MFI_STAT_INVALID_STATUS;
} else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) {
megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83));
- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
- if (!req) {
+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);
+ if (!cmd->req) {
trace_megasas_dcmd_req_alloc_failed(cmd->index,
"PD get info vpd inquiry");
return MFI_STAT_FLASH_ALLOC_FAIL;
}
trace_megasas_dcmd_internal_submit(cmd->index,
"PD get info vpd inquiry", lun);
- len = scsi_req_enqueue(req);
+ len = scsi_req_enqueue(cmd->req);
if (len > 0) {
cmd->iov_size = len;
- scsi_req_continue(req);
+ scsi_req_continue(cmd->req);
}
return MFI_STAT_INVALID_STATUS;
}
@@ -1214,7 +1216,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
struct mfi_ld_info *info = cmd->iov_buf;
size_t dcmd_size = sizeof(struct mfi_ld_info);
uint8_t cdb[6];
- SCSIRequest *req;
ssize_t len, resid;
uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF);
uint64_t ld_size;
@@ -1223,8 +1224,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
cmd->iov_buf = g_malloc0(dcmd_size);
info = cmd->iov_buf;
megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83));
- req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
- if (!req) {
+ cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd);
+ if (!cmd->req) {
trace_megasas_dcmd_req_alloc_failed(cmd->index,
"LD get info vpd inquiry");
g_free(cmd->iov_buf);
@@ -1233,10 +1234,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun,
}
trace_megasas_dcmd_internal_submit(cmd->index,
"LD get info vpd inquiry", lun);
- len = scsi_req_enqueue(req);
+ len = scsi_req_enqueue(cmd->req);
if (len > 0) {
cmd->iov_size = len;
- scsi_req_continue(req);
+ scsi_req_continue(cmd->req);
}
return MFI_STAT_INVALID_STATUS;
}
@@ -1865,7 +1866,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status,
return;
}
- if (cmd->req == NULL) {
+ if (cmd->dcmd_opcode != -1) {
/*
* Internal command complete
*/
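Review bot: The VPD page 0x83 branch of megasas_pd_get_info_submit assigns `cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd);` over the pointer stored by the standard-inquiry branch, and none of the visible hunks shows the earlier request being unref'ed before the field is reused. If the completion path outside these hunks does not drop that reference first, the first request leaks and later cancel or unref calls reach only the second one. A comment at the second assignment would pin the invariant, e.g. `/* the standard-inquiry request has completed and been released; cmd->req is free to reuse */`, once that has been confirmed. The function starts outside the hunk, and the commit message notes the qtest testcase was dropped from this packaged patch, so the package build does not exercise the segfault being fixed.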


@ -0,0 +1,80 @@
From 94301dd6735f540dc9f6e01943fda914c4bbef8a Mon Sep 17 00:00:00 2001
From: Eric Blake <eblake@redhat.com>
Date: Fri, 26 May 2017 22:04:21 -0500
Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation
If a non-NBD client connects to qemu-nbd, we would end up with
a SIGSEGV in nbd_client_put() because we were trying to
unregister the client's association to the export, even though
we skipped inserting the client into that list. Easy trigger
in two terminals:
$ qemu-nbd -p 30001 --format=raw file
$ nmap 127.0.0.1 -p 30001
nmap claims that it thinks it connected to a pago-services1
server (which probably means nmap could be updated to learn the
NBD protocol and give a more accurate diagnosis of the open
port - but that's not our problem), then terminates immediately,
so our call to nbd_negotiate() fails. The fix is to reorder
nbd_co_client_start() to ensure that all initialization occurs
before we ever try talking to a client in nbd_negotiate(), so
that the teardown sequence on negotiation failure doesn't fault
while dereferencing a half-initialized object.
While debugging this, I also noticed that nbd_update_server_watch()
called by nbd_client_closed() was still adding a channel to accept
the next client, even when the state was no longer RUNNING. That
is fixed by making nbd_can_accept() pay attention to the current
state.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170527030421.28366-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af)
[BR: BSC#1043808 CVE-2017-9524]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
nbd/server.c | 8 +++-----
qemu-nbd.c | 2 +-
2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/nbd/server.c b/nbd/server.c
index 924a1fe2db..edfda84d43 100644
--- a/nbd/server.c
+++ b/nbd/server.c
@@ -1376,16 +1376,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
if (exp) {
nbd_export_get(exp);
+ QTAILQ_INSERT_TAIL(&exp->clients, client, next);
}
+ qemu_co_mutex_init(&client->send_lock);
+
if (nbd_negotiate(data)) {
client_close(client);
goto out;
}
- qemu_co_mutex_init(&client->send_lock);
-
- if (exp) {
- QTAILQ_INSERT_TAIL(&exp->clients, client, next);
- }
nbd_client_receive_next_request(client);
diff --git a/qemu-nbd.c b/qemu-nbd.c
index e080fb7c75..b44764eb87 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -324,7 +324,7 @@ out:
static int nbd_can_accept(void)
{
- return nb_fds < shared;
+ return state == RUNNING && nb_fds < shared;
}
static void nbd_export_closed(NBDExport *exp)
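Review bot: Moving `QTAILQ_INSERT_TAIL(&exp->clients, client, next);` ahead of `nbd_negotiate()` in nbd_co_client_start puts a client on the export's list while it is still mid-handshake, so any code that walks `exp->clients` (outside this hunk) now has to tolerate a client that never finished negotiating. That is presumably fine for teardown, which is the point of the fix, but the ordering requirement is not recorded in the new code and a later reshuffle could bring back the half-initialized teardown. I would add a comment above the block such as `/* Finish all client initialization before nbd_negotiate(): the failure path tears the client down as if fully set up. */`. The function body begins and ends outside the hunk.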


@ -0,0 +1,28 @@
From d8ebbbc6a85bc9a6a6e194564719e43a51ec2e86 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Mon, 19 Jun 2017 14:48:02 -0600
Subject: [PATCH] 9pfs: local: remove: use correct path component
Commit a0e640a8 introduced a path processing error.
Pass fstatat the dirpath based path component instead
of the entire path.
[BR: BSC#1045035]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p-local.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index 226234d386..47f6d9ec99 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -1044,7 +1044,7 @@ static int local_remove(FsContext *ctx, const char *path)
goto out;
}
- if (fstatat(dirfd, path, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) {
+ if (fstatat(dirfd, name, &stbuf, AT_SYMLINK_NOFOLLOW) < 0) {
goto err_out;
}
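Review bot: `fstatat(dirfd, name, &stbuf, AT_SYMLINK_NOFOLLOW)` in local_remove is only symlink-safe if `name` is a single path component, because AT_SYMLINK_NOFOLLOW covers the final component only and any intermediate component is still resolved through links. How `dirfd` and `name` are derived from `path` sits outside the hunk, so that invariant cannot be confirmed from here. A comment at the call would keep a later edit from reintroducing the full path, e.g. `/* name is the last component of path, relative to dirfd; never pass path itself */`.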


@ -0,0 +1,32 @@
From 45f2265bfcbbf2afd7fac24372ae26e453f2b52d Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 22 Mar 2017 11:52:09 +0200
Subject: [PATCH] [ath] Add missing break statements
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
src/drivers/net/ath/ath5k/ath5k_desc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/drivers/net/ath/ath5k/ath5k_desc.c b/src/drivers/net/ath/ath5k/ath5k_desc.c
index 30fe1c77..816d26ed 100644
--- a/src/drivers/net/ath/ath5k/ath5k_desc.c
+++ b/src/drivers/net/ath/ath5k/ath5k_desc.c
@@ -104,10 +104,13 @@ ath5k_hw_setup_2word_tx_desc(struct ath5k_hw *ah, struct ath5k_desc *desc,
case AR5K_PKT_TYPE_BEACON:
case AR5K_PKT_TYPE_PROBE_RESP:
frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_NO_DELAY;
+ break;
case AR5K_PKT_TYPE_PIFS:
frame_type = AR5K_AR5210_TX_DESC_FRAME_TYPE_PIFS;
+ break;
default:
frame_type = type /*<< 2 ?*/;
+ break;
}
tx_ctl->tx_control_0 |=
--
2.12.2


@ -0,0 +1,28 @@
From 28e26dd2503e6006fabb26f8c33050ba93a99623 Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Wed, 29 Mar 2017 10:35:05 +0300
Subject: [PATCH] [mucurses] Fix erroneous __nonnull attribute
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
src/include/curses.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/include/curses.h b/src/include/curses.h
index 04060fe2..1f6fe029 100644
--- a/src/include/curses.h
+++ b/src/include/curses.h
@@ -443,7 +443,8 @@ extern int wborder ( WINDOW *, chtype, chtype, chtype, chtype, chtype, chtype,
extern int wclrtobot ( WINDOW * ) __nonnull;
extern int wclrtoeol ( WINDOW * ) __nonnull;
extern void wcursyncup ( WINDOW * );
-extern int wcolour_set ( WINDOW *, short, void * ) __nonnull;
+extern int wcolour_set ( WINDOW *, short, void * )
+ __attribute__ (( nonnull (1)));
#define wcolor_set(w,s,v) wcolour_set((w),(s),(v))
extern int wdelch ( WINDOW * ) __nonnull;
extern int wdeleteln ( WINDOW * ) __nonnull;
--
2.12.2
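Review bot: The narrowed attribute on `wcolour_set` carries no explanation of why only argument 1 is marked, and the reason matters: a bare `__nonnull` presumably applies to every pointer parameter, which lets the compiler assume the `void *` argument is non-null and drop NULL checks on it inside the callee. I would add a comment on the declaration, e.g. `/* the void * argument may be NULL, so only the WINDOW pointer is marked nonnull */`. Whether other declarations in this header take optional pointers under a bare `__nonnull` is not visible in the hunk and is worth a pass.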


@ -1,3 +1,16 @@
-------------------------------------------------------------------
Tue Jun 20 14:14:17 UTC 2017 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
* Patches added:
0060-9pfs-local-fix-unlink-of-alien-file.patch
0061-megasas-do-not-read-DCMD-opcode-mor.patch
0062-megasas-always-store-SCSIRequest-in.patch
0063-nbd-Fully-initialize-client-in-case.patch
0064-9pfs-local-remove-use-correct-path-.patch
- Add --no-renames to the git format-patch command in the git
workflow script for better patch compatibility
-------------------------------------------------------------------
Mon May 22 23:52:15 UTC 2017 - brogers@suse.com


@ -85,6 +85,11 @@ Patch0056: 0056-jazz_led-fix-bad-snprintf.patch
Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch
Patch0058: 0058-altera_timer-fix-incorrect-memset.patch
Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch
Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch
Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch
Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch
Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch
Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
Source400: update_git.sh
@ -197,6 +202,11 @@ run cross-architecture builds.
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%build
./configure \


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Tue Jun 20 14:14:14 UTC 2017 - brogers@suse.com
- Use most recent compiler to build size-critical firmware, instead
of hard-coding gcc6 for all target versions (bsc#1043390)
* A few upstream ipxe patches were needed for gcc7 compatibility:
ipxe-ath-Add-missing-break-statements.patch
ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
- Add --no-renames to the git format-patch command in the git
workflow script for better patch compatibility
- Address various security/stability issues
* Fix potential privilege escalation in virtfs (CVE-2016-9602
bsc#1020427)
0060-9pfs-local-fix-unlink-of-alien-file.patch
* Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296)
0061-megasas-do-not-read-DCMD-opcode-mor.patch
0062-megasas-always-store-SCSIRequest-in.patch
* Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808)
0063-nbd-Fully-initialize-client-in-case.patch
* Fix regression introduced by recent virtfs security fixes (bsc#1045035)
0064-9pfs-local-remove-use-correct-path-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
-------------------------------------------------------------------
Tue Jun 6 21:21:53 UTC 2017 - lyan@suse.com


@ -189,6 +189,11 @@ Patch0056: 0056-jazz_led-fix-bad-snprintf.patch
Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch
Patch0058: 0058-altera_timer-fix-incorrect-memset.patch
Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch
Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch
Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch
Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch
Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch
Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -200,6 +205,8 @@ Patch1100: ipxe-stable-buildid.patch
Patch1101: ipxe-use-gcc6-for-more-compact-code.patch
Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch
Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch
Patch1104: ipxe-ath-Add-missing-break-statements.patch
Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
# sgabios
# PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brogers@suse.com -- reproducible builds
@ -238,8 +245,10 @@ BuildRequires: e2fsprogs-devel
BuildRequires: fdupes
BuildRequires: gcc-c++
%if %{build_x86_firmware_from_source}
%if 0%{?suse_version} <= 1320
BuildRequires: gcc6
%endif
%endif
BuildRequires: glib2-devel
%if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
BuildRequires: glusterfs-devel
@ -895,12 +904,21 @@ This package provides a service file for starting and stopping KSM.
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
pushd roms/ipxe
%patch1100 -p1
%if 0%{?suse_version} <= 1320
%patch1101 -p1
%endif
%patch1102 -p1
%patch1103 -p1
%patch1104 -p1
%patch1105 -p1
popd
pushd roms/sgabios


@ -1,3 +1,26 @@
-------------------------------------------------------------------
Tue Jun 20 14:14:14 UTC 2017 - brogers@suse.com
- Use most recent compiler to build size-critical firmware, instead
of hard-coding gcc6 for all target versions (bsc#1043390)
* A few upstream ipxe patches were needed for gcc7 compatibility:
ipxe-ath-Add-missing-break-statements.patch
ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
- Add --no-renames to the git format-patch command in the git
workflow script for better patch compatibility
- Address various security/stability issues
* Fix potential privilege escalation in virtfs (CVE-2016-9602
bsc#1020427)
0060-9pfs-local-fix-unlink-of-alien-file.patch
* Fix DOS in megasas device emulation (CVE-2017-9503 bsc#1043296)
0061-megasas-do-not-read-DCMD-opcode-mor.patch
0062-megasas-always-store-SCSIRequest-in.patch
* Fix DOS in qemu-nbd server (CVE-2017-9524 bsc#1043808)
0063-nbd-Fully-initialize-client-in-case.patch
* Fix regression introduced by recent virtfs security fixes (bsc#1045035)
0064-9pfs-local-remove-use-correct-path-.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
-------------------------------------------------------------------
Tue Jun 6 21:21:53 UTC 2017 - lyan@suse.com


@ -189,6 +189,11 @@ Patch0056: 0056-jazz_led-fix-bad-snprintf.patch
Patch0057: 0057-slirp-smb-Replace-constant-strings-.patch
Patch0058: 0058-altera_timer-fix-incorrect-memset.patch
Patch0059: 0059-Hacks-for-building-on-gcc-7-Fedora-.patch
Patch0060: 0060-9pfs-local-fix-unlink-of-alien-file.patch
Patch0061: 0061-megasas-do-not-read-DCMD-opcode-mor.patch
Patch0062: 0062-megasas-always-store-SCSIRequest-in.patch
Patch0063: 0063-nbd-Fully-initialize-client-in-case.patch
Patch0064: 0064-9pfs-local-remove-use-correct-path-.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -200,6 +205,8 @@ Patch1100: ipxe-stable-buildid.patch
Patch1101: ipxe-use-gcc6-for-more-compact-code.patch
Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch
Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch
Patch1104: ipxe-ath-Add-missing-break-statements.patch
Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
# sgabios
# PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brogers@suse.com -- reproducible builds
@ -238,8 +245,10 @@ BuildRequires: e2fsprogs-devel
BuildRequires: fdupes
BuildRequires: gcc-c++
%if %{build_x86_firmware_from_source}
%if 0%{?suse_version} <= 1320
BuildRequires: gcc6
%endif
%endif
BuildRequires: glib2-devel
%if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
BuildRequires: glusterfs-devel
@ -895,12 +904,21 @@ This package provides a service file for starting and stopping KSM.
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
pushd roms/ipxe
%patch1100 -p1
%if 0%{?suse_version} <= 1320
%patch1101 -p1
%endif
%patch1102 -p1
%patch1103 -p1
%patch1104 -p1
%patch1105 -p1
popd
pushd roms/sgabios


@ -141,6 +141,9 @@ PATCH_FILES
Patch1100: ipxe-stable-buildid.patch
Patch1101: ipxe-use-gcc6-for-more-compact-code.patch
Patch1102: ipxe-build-Avoid-implicit-fallthrough-warnings-on-GCC-7.patch
Patch1103: ipxe-iscsi-Always-send-FirstBurstLength-parameter.patch
Patch1104: ipxe-ath-Add-missing-break-statements.patch
Patch1105: ipxe-mucurses-Fix-erroneous-__nonnull-attribute.patch
# sgabios
# PATCH-FIX-OPENSUSE sgabios-stable-buildid.patch brogers@suse.com -- reproducible builds
@ -179,8 +182,10 @@ BuildRequires: e2fsprogs-devel
BuildRequires: fdupes
BuildRequires: gcc-c++
%if %{build_x86_firmware_from_source}
%if 0%{?suse_version} <= 1320
BuildRequires: gcc6
%endif
%endif
BuildRequires: glib2-devel
%if 0%{?suse_version} >= 1310 && 0%{?suse_version} != 1315
BuildRequires: glusterfs-devel
@ -781,8 +786,13 @@ PATCH_EXEC
pushd roms/ipxe
%patch1100 -p1
%if 0%{?suse_version} <= 1320
%patch1101 -p1
%endif
%patch1102 -p1
%patch1103 -p1
%patch1104 -p1
%patch1105 -p1
popd
pushd roms/sgabios


@ -45,7 +45,7 @@ else
(cd $GIT_DIR && git remote add upstream git://git.qemu-project.org/qemu.git)
(cd $GIT_DIR && git remote update)
fi
(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR >/dev/null)
(cd $GIT_DIR && git format-patch -N $GIT_UPSTREAM_TAG --suffix= -o $CMP_DIR --no-renames >/dev/null)
QEMU_VERSION=`cat $GIT_DIR/VERSION`
echo "QEMU version: $QEMU_VERSION"