SHA256
1
0
forked from pool/qemu

Accepting request 688939 from home:bfrogers:branches:Virtualization

- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
* Patches added:
  0061-slirp-check-sscanf-result-when-emul.patch
  0062-ppc-add-host-serial-and-host-model-.patch
  0063-i2c-ddc-fix-oob-read.patch
- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
  Also add a corresponding Recommends for qemu-tools as part of
  this packaging adjustment (bsc#1130484)
- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
  0061-slirp-check-sscanf-result-when-emul.patch
- Add method to specify whether or not to expose certain ppc64 host
  information, which can be considered a security issue
  (CVE-2019-8934 bsc#1126455)
  0062-ppc-add-host-serial-and-host-model-.patch
- Fix OOB memory access and information leak in virtual monitor
  interface (CVE-2019-03812 bsc#1125721) 
  0063-i2c-ddc-fix-oob-read.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
  Also add a corresponding Recommends for qemu-tools as part of
  this packaging adjustment (bsc#1130484)
- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
  0061-slirp-check-sscanf-result-when-emul.patch
- Add method to specify whether or not to expose certain ppc64 host
  information, which can be considered a security issue
  (CVE-2019-8934 bsc#1126455)
  0062-ppc-add-host-serial-and-host-model-.patch
- Fix OOB memory access and information leak in virtual monitor
  interface (CVE-2019-03812 bsc#1125721) 
  0063-i2c-ddc-fix-oob-read.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1

OBS-URL: https://build.opensuse.org/request/show/688939
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=460
This commit is contained in:
Bruce Rogers 2019-03-27 03:57:07 +00:00 committed by Git OBS Bridge
parent 0c80576ea1
commit 4dc0ebdca9
10 changed files with 296 additions and 4 deletions

View File

@ -0,0 +1,47 @@
From: William Bowling <will@wbowling.info>
Date: Fri, 1 Mar 2019 21:45:56 +0000
Subject: slirp: check sscanf result when emulating ident
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When emulating ident in tcp_emu, if the strchr checks passed but the
sscanf check failed, two uninitialized variables would be copied and
sent in the reply, so move this code inside the if(sscanf()) clause.
Signed-off-by: William Bowling <will@wbowling.info>
Cc: qemu-stable@nongnu.org
Cc: secalert@redhat.com
Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113)
[BR: BSC#1129622 CVE-2019-9824 To pass our checkpatch check, I changed
the patch to use spaces, not tabs, as in the initially proposed]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
slirp/tcp_subr.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
index 7a23ce738c..a6fd8626a8 100644
--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
@@ -661,12 +661,12 @@ tcp_emu(struct socket *so, struct mbuf *m)
break;
}
}
+ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+ so_rcv->sb_datalen,
+ "%d,%d\r\n", n1, n2);
+ so_rcv->sb_rptr = so_rcv->sb_data;
+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
}
- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
- so_rcv->sb_datalen,
- "%d,%d\r\n", n1, n2);
- so_rcv->sb_rptr = so_rcv->sb_data;
- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
}
m_free(m);
return 0;

View File

@ -0,0 +1,153 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 18 Feb 2019 23:43:49 +0530
Subject: ppc: add host-serial and host-model machine attributes
(CVE-2019-8934)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On ppc hosts, hypervisor shares following system attributes
- /proc/device-tree/system-id
- /proc/device-tree/model
with a guest. This could lead to information leakage and misuse.[*]
Add machine attributes to control such system information exposure
to a guest.
[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
Reported-by: Daniel P. Berrangé <berrange@redhat.com>
Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 27461d69a0f108dea756419251acc3ea65198f1b)
[BR: BSC#1126455 CVE-2019-03812]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/ppc/spapr.c | 73 ++++++++++++++++++++++++++++++++++++++----
include/hw/ppc/spapr.h | 2 ++
2 files changed, 69 insertions(+), 6 deletions(-)
diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
index 7afd1a175b..d3098d520e 100644
--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
@@ -1244,13 +1244,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
* Add info to guest to indentify which host is it being run on
* and what is the uuid of the guest
*/
- if (kvmppc_get_host_model(&buf)) {
- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
- g_free(buf);
+ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
+ if (g_str_equal(spapr->host_model, "passthrough")) {
+ /* -M host-model=passthrough */
+ if (kvmppc_get_host_model(&buf)) {
+ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+ g_free(buf);
+ }
+ } else {
+ /* -M host-model=<user-string> */
+ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
+ }
}
- if (kvmppc_get_host_serial(&buf)) {
- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
- g_free(buf);
+
+ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
+ if (g_str_equal(spapr->host_serial, "passthrough")) {
+ /* -M host-serial=passthrough */
+ if (kvmppc_get_host_serial(&buf)) {
+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+ g_free(buf);
+ }
+ } else {
+ /* -M host-serial=<user-string> */
+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
+ }
}
buf = qemu_uuid_unparse_strdup(&qemu_uuid);
@@ -3031,6 +3048,36 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
visit_type_uint32(v, name, (uint32_t *)opaque, errp);
}
+static char *spapr_get_host_model(Object *obj, Error **errp)
+{
+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+ return g_strdup(spapr->host_model);
+}
+
+static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
+{
+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+ g_free(spapr->host_model);
+ spapr->host_model = g_strdup(value);
+}
+
+static char *spapr_get_host_serial(Object *obj, Error **errp)
+{
+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+ return g_strdup(spapr->host_serial);
+}
+
+static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
+{
+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+ g_free(spapr->host_serial);
+ spapr->host_serial = g_strdup(value);
+}
+
static void spapr_instance_init(Object *obj)
{
sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
@@ -3067,6 +3114,17 @@ static void spapr_instance_init(Object *obj)
" the host's SMT mode", &error_abort);
object_property_add_bool(obj, "vfio-no-msix-emulation",
spapr_get_msix_emulation, NULL, NULL);
+
+ object_property_add_str(obj, "host-model",
+ spapr_get_host_model, spapr_set_host_model,
+ &error_abort);
+ object_property_set_description(obj, "host-model",
+ "Set host's model-id to use - none|passthrough|string", &error_abort);
+ object_property_add_str(obj, "host-serial",
+ spapr_get_host_serial, spapr_set_host_serial,
+ &error_abort);
+ object_property_set_description(obj, "host-serial",
+ "Set host's system-id to use - none|passthrough|string", &error_abort);
}
static void spapr_machine_finalizefn(Object *obj)
@@ -3961,6 +4019,9 @@ static const TypeInfo spapr_machine_info = {
*/
static void spapr_machine_3_1_instance_options(MachineState *machine)
{
+ sPAPRMachineState *spapr = SPAPR_MACHINE(machine);
+ spapr->host_model = g_strdup("passthrough");
+ spapr->host_serial = g_strdup("passthrough");
}
static void spapr_machine_3_1_class_options(MachineClass *mc)
diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
index 6279711fe8..63692a13bd 100644
--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
@@ -171,6 +171,8 @@ struct sPAPRMachineState {
/*< public >*/
char *kvm_type;
+ char *host_model;
+ char *host_serial;
const char *icp_type;
int32_t irq_map_nr;

View File

@ -0,0 +1,32 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 8 Jan 2019 11:23:01 +0100
Subject: i2c-ddc: fix oob read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Suggested-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Michael Hanselmann <public@hansmi.ch>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20190108102301.1957-1-kraxel@redhat.com
(cherry picked from commit b05b267840515730dbf6753495d5b7bd8b04ad1c)
[BR: BSC#1125721 CVE-2019-3812]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/i2c/i2c-ddc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
index be34fe072c..0a0367ff38 100644
--- a/hw/i2c/i2c-ddc.c
+++ b/hw/i2c/i2c-ddc.c
@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
I2CDDCState *s = I2CDDC(i2c);
int value;
- value = s->edid_blob[s->reg];
+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
s->reg++;
return value;
}

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon Mar 25 20:45:10 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
* Patches added:
0061-slirp-check-sscanf-result-when-emul.patch
0062-ppc-add-host-serial-and-host-model-.patch
0063-i2c-ddc-fix-oob-read.patch
-------------------------------------------------------------------
Fri Feb 15 22:49:26 UTC 2019 - Bruce Rogers <brogers@suse.com>

View File

@ -92,6 +92,9 @@ Patch0057: 0057-s390x-Return-specification-exceptio.patch
Patch0058: 0058-Revert-target-i386-kvm-add-VMX-migr.patch
Patch0059: 0059-memory-Fix-the-memory-region-type-a.patch
Patch0060: 0060-target-i386-sev-Do-not-pin-the-ram-.patch
Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch
Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch
Patch0063: 0063-i2c-ddc-fix-oob-read.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
ExcludeArch: s390
@ -183,6 +186,9 @@ syscall layer occurs on the native hardware and operating system.
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%build
./configure \

View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Mon Mar 25 20:45:08 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
Also add a corresponding Recommends for qemu-tools as part of
this packaging adjustment (bsc#1130484)
- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
0061-slirp-check-sscanf-result-when-emul.patch
- Add method to specify whether or not to expose certain ppc64 host
information, which can be considered a security issue
(CVE-2019-8934 bsc#1126455)
0062-ppc-add-host-serial-and-host-model-.patch
- Fix OOB memory access and information leak in virtual monitor
interface (CVE-2019-03812 bsc#1125721)
0063-i2c-ddc-fix-oob-read.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
-------------------------------------------------------------------
Fri Mar 8 17:49:54 UTC 2019 - Bruce Rogers <brogers@suse.com>

View File

@ -203,6 +203,9 @@ Patch0057: 0057-s390x-Return-specification-exceptio.patch
Patch0058: 0058-Revert-target-i386-kvm-add-VMX-migr.patch
Patch0059: 0059-memory-Fix-the-memory-region-type-a.patch
Patch0060: 0060-target-i386-sev-Do-not-pin-the-ram-.patch
Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch
Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch
Patch0063: 0063-i2c-ddc-fix-oob-read.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -344,7 +347,6 @@ BuildRequires: libxkbcommon-devel
BuildRequires: lzo-devel
BuildRequires: makeinfo
%if 0%{?suse_version} > 1320
BuildRequires: multipath-tools
BuildRequires: multipath-tools-devel
%endif
BuildRequires: ncurses-devel
@ -843,6 +845,7 @@ Release: 0
Provides: %name:%_libexecdir/qemu-bridge-helper
Requires(pre): permissions
Requires(pre): shadow
Recommends: multipath-tools
Recommends: qemu-block-curl
%if 0%{?with_rbd}
Recommends: qemu-block-rbd
@ -1001,6 +1004,9 @@ This package provides a service file for starting and stopping KSM.
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
pushd roms/seabios
%patch1100 -p1

View File

@ -1,3 +1,20 @@
-------------------------------------------------------------------
Mon Mar 25 20:45:08 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Remove an unneeded BuildRequires which impacts bsc#1119414 fix
Also add a corresponding Recommends for qemu-tools as part of
this packaging adjustment (bsc#1130484)
- Fix information leak in slirp (CVE-2019-9824 bsc#1129622)
0061-slirp-check-sscanf-result-when-emul.patch
- Add method to specify whether or not to expose certain ppc64 host
information, which can be considered a security issue
(CVE-2019-8934 bsc#1126455)
0062-ppc-add-host-serial-and-host-model-.patch
- Fix OOB memory access and information leak in virtual monitor
interface (CVE-2019-03812 bsc#1125721)
0063-i2c-ddc-fix-oob-read.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
-------------------------------------------------------------------
Fri Mar 8 17:49:54 UTC 2019 - Bruce Rogers <brogers@suse.com>

View File

@ -203,6 +203,9 @@ Patch0057: 0057-s390x-Return-specification-exceptio.patch
Patch0058: 0058-Revert-target-i386-kvm-add-VMX-migr.patch
Patch0059: 0059-memory-Fix-the-memory-region-type-a.patch
Patch0060: 0060-target-i386-sev-Do-not-pin-the-ram-.patch
Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch
Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch
Patch0063: 0063-i2c-ddc-fix-oob-read.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
@ -344,7 +347,6 @@ BuildRequires: libxkbcommon-devel
BuildRequires: lzo-devel
BuildRequires: makeinfo
%if 0%{?suse_version} > 1320
BuildRequires: multipath-tools
BuildRequires: multipath-tools-devel
%endif
BuildRequires: ncurses-devel
@ -843,6 +845,7 @@ Release: 0
Provides: %name:%_libexecdir/qemu-bridge-helper
Requires(pre): permissions
Requires(pre): shadow
Recommends: multipath-tools
Recommends: qemu-block-curl
%if 0%{?with_rbd}
Recommends: qemu-block-rbd
@ -1001,6 +1004,9 @@ This package provides a service file for starting and stopping KSM.
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
pushd roms/seabios
%patch1100 -p1

View File

@ -282,7 +282,6 @@ BuildRequires: libxkbcommon-devel
BuildRequires: lzo-devel
BuildRequires: makeinfo
%if 0%{?suse_version} > 1320
BuildRequires: multipath-tools
BuildRequires: multipath-tools-devel
%endif
BuildRequires: ncurses-devel
@ -781,6 +780,7 @@ Release: 0
Provides: %name:%_libexecdir/qemu-bridge-helper
Requires(pre): permissions
Requires(pre): shadow
Recommends: multipath-tools
Recommends: qemu-block-curl
%if 0%{?with_rbd}
Recommends: qemu-block-rbd
@ -1176,7 +1176,6 @@ make %{?_smp_mflags} -C roms efirom
make -C roms sgabios \
HOSTCC=cc
%if %{force_fit_virtio_pxe_rom}
pushd roms/ipxe
patch -p1 < %{SOURCE301}