Accepting request 494734 from home:bfrogers:branches:Virtualization

Security fixes.

OBS-URL: https://build.opensuse.org/request/show/494734
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=339

0048-input-Add-trace-event-for-empty-key.patch

@@ -1,6 +1,6 @@
-From c376e77aa2dd2489101c8d89a55771a67332447b Mon Sep 17 00:00:00 2001
+From 99ce69e23c7154ccaee85137c121bb6b8bab8275 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
-Date: Thu, 30 Mar 2017 15:32:08 +0200
+Date: Thu, 30 Mar 2017 16:22:55 +0200
 Subject: [PATCH] input: Add trace event for empty keyboard queue
 
 When driving QEMU from the outside, we have basically no chance to
@@ -12,6 +12,8 @@ This patch adds a trace events when the keyboarde queue is drained.
 An external driver can use that as hint that new keys can be pressed.
 
 Signed-off-by: Alexander Graf <agraf@suse.de>
+Message-id: 1490883775-94658-1-git-send-email-agraf@suse.de
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 [BR: BSC#1031692]
 Signed-off-by: Bruce Rogers <brogers@suse.com>
 ---

0049-ACPI-don-t-call-acpi_pcihp_device_p.patch

@@ -1,4 +1,4 @@
-From 9df0bb18bea5bc5cb4f292cfa4b51018cb2c70d9 Mon Sep 17 00:00:00 2001
+From e4733da636cf6a2b53ae1fdfc5c934576e1970a6 Mon Sep 17 00:00:00 2001
 From: Bruce Rogers <brogers@suse.com>
 Date: Thu, 27 Apr 2017 13:43:58 -0600
 Subject: [PATCH] ACPI: don't call acpi_pcihp_device_plug_cb on xen

0050-i386-Allow-cpuid-bit-override.patch

@@ -1,4 +1,4 @@
-From 475a538eb562cb8cb757105957b10903c420945a Mon Sep 17 00:00:00 2001
+From 5cff035804d92d336b27c368754b63e2dccbba90 Mon Sep 17 00:00:00 2001
 From: Alexander Graf <agraf@suse.de>
 Date: Tue, 28 Mar 2017 05:27:00 -0600
 Subject: [PATCH] i386: Allow cpuid bit override

0051-input-limit-kbd-queue-depth.patch

@@ -0,0 +1,90 @@
+From 60f3bfde84c98a31a1de4542fbab456ae83c4cbb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 10:42:37 +0200
+Subject: [PATCH] input: limit kbd queue depth
+
+Apply a limit to the number of items we accept into the keyboard queue.
+
+Impact: Without this limit vnc clients can exhaust host memory by
+sending keyboard events faster than qemu feeds them to the guest.
+
+Fixes: CVE-2017-8379
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: jiangxin1@huawei.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170428084237.23960-1-kraxel@redhat.com
+(cherry picked from commit fa18f36a461984eae50ab957e47ec78dae3c14fc)
+[BR: BSC#1037334]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+     QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+ 
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+                                                    QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+             break;
+         }
+         QTAILQ_REMOVE(queue, item, node);
++        queue_count--;
+         g_free(item);
+     }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+     item->delay_ms = delay_ms;
+     item->timer = timer;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ 
+     if (start_timer) {
+         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+     item->src = src;
+     item->evt = evt;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+ 
+     item->type = QEMU_INPUT_QUEUE_SYNC;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+         qemu_input_event_send(src, evt);
+         qemu_input_event_sync();
+         qapi_free_InputEvent(evt);
+-    } else {
++    } else if (queue_count < queue_limit) {
+         qemu_input_queue_event(&kbd_queue, src, evt);
+         qemu_input_queue_sync(&kbd_queue);
+     }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+                                  &kbd_queue);
+     }
+-    qemu_input_queue_delay(&kbd_queue, kbd_timer,
+-                           delay_ms ? delay_ms : kbd_default_delay_ms);
++    if (queue_count < queue_limit) {
++        qemu_input_queue_delay(&kbd_queue, kbd_timer,
++                               delay_ms ? delay_ms : kbd_default_delay_ms);
++    }
+ }
+ 
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)

0052-audio-release-capture-buffers.patch

@@ -0,0 +1,38 @@
+From f612e97b6af1cb18d66d70ede8c65faab8c21a5a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+
+Fixes: CVE-2017-8309
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel@redhat.com
+(cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a)
+[BR: BSC#1037242]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+                     sw = sw1;
+                 }
+                 QLIST_REMOVE (cap, entries);
++                g_free (cap->hw.mix_buf);
++                g_free (cap->buf);
+                 g_free (cap);
+             }
+             return;

0053-scsi-avoid-an-off-by-one-error-in-m.patch

@@ -0,0 +1,45 @@
+From 7b1991173de44443e24a82f6a52f3977e5f66bc7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 24 Apr 2017 17:36:34 +0530
+Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
+
+While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
+an off-by-one error could occur as 's->adp_reset' index is not
+reset after reading the last sequence.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f)
+[BR: BSC#1037336 CVE-2017-8380]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf901..804122ab05 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
+     case MFI_SEQ:
+         trace_megasas_mmio_writel("MFI_SEQ", val);
+         /* Magic sequence to start ADP reset */
+-        if (adp_reset_seq[s->adp_reset] == val) {
+-            s->adp_reset++;
++        if (adp_reset_seq[s->adp_reset++] == val) {
++            if (s->adp_reset == 6) {
++                s->adp_reset = 0;
++                s->diag = MFI_DIAG_WRITE_ENABLE;
++            }
+         } else {
+             s->adp_reset = 0;
+             s->diag = 0;
+         }
+-        if (s->adp_reset == 6) {
+-            s->diag = MFI_DIAG_WRITE_ENABLE;
+-        }
+         break;
+     case MFI_DIAG:
+         trace_megasas_mmio_writel("MFI_DIAG", val);

0054-vmw_pvscsi-check-message-ring-page-.patch

@@ -0,0 +1,33 @@
+From 4e1c19fe60bb27e1a8b44878b40e59c0c324af56 Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 25 Apr 2017 18:36:23 +0530
+Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
+
+A guest could set the message ring page count to zero, resulting in
+infinite loop. Add check to avoid it.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit f68826989cd4d1217797251339579c57b3c0934e)
+[BR: BSC#1036211 CVE-2017-8112]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 75575461e2..4a106da856 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
+-    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++    if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+         return -1;
+     }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;

qemu-linux-user.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu May 11 20:55:59 UTC 2017 - brogers@suse.com
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+* Patches added:
+  0051-input-limit-kbd-queue-depth.patch
+  0052-audio-release-capture-buffers.patch
+  0053-scsi-avoid-an-off-by-one-error-in-m.patch
+  0054-vmw_pvscsi-check-message-ring-page-.patch
+
 -------------------------------------------------------------------
 Thu Apr 27 20:09:41 UTC 2017 - brogers@suse.com
 

qemu-linux-user.spec

@@ -76,6 +76,10 @@ Patch0047:      0047-ARM-KVM-Enable-in-kernel-timers-wit.patch
 Patch0048:      0048-input-Add-trace-event-for-empty-key.patch
 Patch0049:      0049-ACPI-don-t-call-acpi_pcihp_device_p.patch
 Patch0050:      0050-i386-Allow-cpuid-bit-override.patch
+Patch0051:      0051-input-limit-kbd-queue-depth.patch
+Patch0052:      0052-audio-release-capture-buffers.patch
+Patch0053:      0053-scsi-avoid-an-off-by-one-error-in-m.patch
+Patch0054:      0054-vmw_pvscsi-check-message-ring-page-.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 Source400:      update_git.sh
@@ -179,6 +183,10 @@ run cross-architecture builds.
 %patch0048 -p1
 %patch0049 -p1
 %patch0050 -p1
+%patch0051 -p1
+%patch0052 -p1
+%patch0053 -p1
+%patch0054 -p1
 
 %build
 ./configure \

qemu-testsuite.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu May 11 20:55:57 UTC 2017 - brogers@suse.com
+
+- Address various security/stability issues
+* Fix DOS potential in vnc interface (CVE-2017-8379 bsc#1037334)
+  0051-input-limit-kbd-queue-depth.patch
+* Fix DOS potential in vnc interface (CVE-2017-8309 bsc#1037242)
+  0052-audio-release-capture-buffers.patch
+* Fix OOB access in megasas device emulation (CVE-2017-8380
+  bsc#1037336)
+  0053-scsi-avoid-an-off-by-one-error-in-m.patch
+* Fix DOS in Vmware pv scsi emulation (CVE-2017-8112 bsc#1036211)
+  0054-vmw_pvscsi-check-message-ring-page-.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+
 -------------------------------------------------------------------
 Thu May  4 20:14:25 UTC 2017 - brogers@suse.com
 

qemu-testsuite.spec

@@ -180,6 +180,10 @@ Patch0047:      0047-ARM-KVM-Enable-in-kernel-timers-wit.patch
 Patch0048:      0048-input-Add-trace-event-for-empty-key.patch
 Patch0049:      0049-ACPI-don-t-call-acpi_pcihp_device_p.patch
 Patch0050:      0050-i386-Allow-cpuid-bit-override.patch
+Patch0051:      0051-input-limit-kbd-queue-depth.patch
+Patch0052:      0052-audio-release-capture-buffers.patch
+Patch0053:      0053-scsi-avoid-an-off-by-one-error-in-m.patch
+Patch0054:      0054-vmw_pvscsi-check-message-ring-page-.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -876,6 +880,10 @@ This package provides a service file for starting and stopping KSM.
 %patch0048 -p1
 %patch0049 -p1
 %patch0050 -p1
+%patch0051 -p1
+%patch0052 -p1
+%patch0053 -p1
+%patch0054 -p1
 
 pushd roms/ipxe
 %patch1100 -p1

qemu.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu May 11 20:55:57 UTC 2017 - brogers@suse.com
+
+- Address various security/stability issues
+* Fix DOS potential in vnc interface (CVE-2017-8379 bsc#1037334)
+  0051-input-limit-kbd-queue-depth.patch
+* Fix DOS potential in vnc interface (CVE-2017-8309 bsc#1037242)
+  0052-audio-release-capture-buffers.patch
+* Fix OOB access in megasas device emulation (CVE-2017-8380
+  bsc#1037336)
+  0053-scsi-avoid-an-off-by-one-error-in-m.patch
+* Fix DOS in Vmware pv scsi emulation (CVE-2017-8112 bsc#1036211)
+  0054-vmw_pvscsi-check-message-ring-page-.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9
+
 -------------------------------------------------------------------
 Thu May  4 20:14:25 UTC 2017 - brogers@suse.com
 

qemu.spec

@@ -180,6 +180,10 @@ Patch0047:      0047-ARM-KVM-Enable-in-kernel-timers-wit.patch
 Patch0048:      0048-input-Add-trace-event-for-empty-key.patch
 Patch0049:      0049-ACPI-don-t-call-acpi_pcihp_device_p.patch
 Patch0050:      0050-i386-Allow-cpuid-bit-override.patch
+Patch0051:      0051-input-limit-kbd-queue-depth.patch
+Patch0052:      0052-audio-release-capture-buffers.patch
+Patch0053:      0053-scsi-avoid-an-off-by-one-error-in-m.patch
+Patch0054:      0054-vmw_pvscsi-check-message-ring-page-.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -876,6 +880,10 @@ This package provides a service file for starting and stopping KSM.
 %patch0048 -p1
 %patch0049 -p1
 %patch0050 -p1
+%patch0051 -p1
+%patch0052 -p1
+%patch0053 -p1
+%patch0054 -p1
 
 pushd roms/ipxe
 %patch1100 -p1