From 7f992805ebaef18ac69fba51c92478d354505b967c6dfad517745479be4ddd71 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Wed, 27 Mar 2019 03:57:07 +0000 Subject: [PATCH] Accepting request 688939 from home:bfrogers:branches:Virtualization - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 * Patches added: 0061-slirp-check-sscanf-result-when-emul.patch 0062-ppc-add-host-serial-and-host-model-.patch 0063-i2c-ddc-fix-oob-read.patch - Remove an unneeded BuildRequires which impacts bsc#1119414 fix Also add a corresponding Recommends for qemu-tools as part of this packaging adjustment (bsc#1130484) - Fix information leak in slirp (CVE-2019-9824 bsc#1129622) 0061-slirp-check-sscanf-result-when-emul.patch - Add method to specify whether or not to expose certain ppc64 host information, which can be considered a security issue (CVE-2019-8934 bsc#1126455) 0062-ppc-add-host-serial-and-host-model-.patch - Fix OOB memory access and information leak in virtual monitor interface (CVE-2019-03812 bsc#1125721) 0063-i2c-ddc-fix-oob-read.patch - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 - Remove an unneeded BuildRequires which impacts bsc#1119414 fix Also add a corresponding Recommends for qemu-tools as part of this packaging adjustment (bsc#1130484) - Fix information leak in slirp (CVE-2019-9824 bsc#1129622) 0061-slirp-check-sscanf-result-when-emul.patch - Add method to specify whether or not to expose certain ppc64 host information, which can be considered a security issue (CVE-2019-8934 bsc#1126455) 0062-ppc-add-host-serial-and-host-model-.patch - Fix OOB memory access and information leak in virtual monitor interface (CVE-2019-03812 bsc#1125721) 0063-i2c-ddc-fix-oob-read.patch - Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 OBS-URL: https://build.opensuse.org/request/show/688939 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=460 --- ...-slirp-check-sscanf-result-when-emul.patch | 47 ++++++ ...-ppc-add-host-serial-and-host-model-.patch | 153 ++++++++++++++++++ 0063-i2c-ddc-fix-oob-read.patch | 32 ++++ qemu-linux-user.changes | 9 ++ qemu-linux-user.spec | 6 + qemu-testsuite.changes | 17 ++ qemu-testsuite.spec | 8 +- qemu.changes | 17 ++ qemu.spec | 8 +- qemu.spec.in | 3 +- 10 files changed, 296 insertions(+), 4 deletions(-) create mode 100644 0061-slirp-check-sscanf-result-when-emul.patch create mode 100644 0062-ppc-add-host-serial-and-host-model-.patch create mode 100644 0063-i2c-ddc-fix-oob-read.patch diff --git a/0061-slirp-check-sscanf-result-when-emul.patch b/0061-slirp-check-sscanf-result-when-emul.patch new file mode 100644 index 00000000..e7c08a01 --- /dev/null +++ b/0061-slirp-check-sscanf-result-when-emul.patch @@ -0,0 +1,47 @@ +From: William Bowling +Date: Fri, 1 Mar 2019 21:45:56 +0000 +Subject: slirp: check sscanf result when emulating ident +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When emulating ident in tcp_emu, if the strchr checks passed but the +sscanf check failed, two uninitialized variables would be copied and +sent in the reply, so move this code inside the if(sscanf()) clause. + +Signed-off-by: William Bowling +Cc: qemu-stable@nongnu.org +Cc: secalert@redhat.com +Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info> +Signed-off-by: Samuel Thibault +Reviewed-by: Philippe Mathieu-Daudé +(cherry picked from commit d3222975c7d6cda9e25809dea05241188457b113) +[BR: BSC#1129622 CVE-2019-9824 To pass our checkpatch check, I changed +the patch to use spaces, not tabs, as in the initially proposed] +Signed-off-by: Bruce Rogers +--- + slirp/tcp_subr.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index 7a23ce738c..a6fd8626a8 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -661,12 +661,12 @@ tcp_emu(struct socket *so, struct mbuf *m) + break; + } + } ++ so_rcv->sb_cc = snprintf(so_rcv->sb_data, ++ so_rcv->sb_datalen, ++ "%d,%d\r\n", n1, n2); ++ so_rcv->sb_rptr = so_rcv->sb_data; ++ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; + } +- so_rcv->sb_cc = snprintf(so_rcv->sb_data, +- so_rcv->sb_datalen, +- "%d,%d\r\n", n1, n2); +- so_rcv->sb_rptr = so_rcv->sb_data; +- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; + } + m_free(m); + return 0; diff --git a/0062-ppc-add-host-serial-and-host-model-.patch b/0062-ppc-add-host-serial-and-host-model-.patch new file mode 100644 index 00000000..a6bc94c2 --- /dev/null +++ b/0062-ppc-add-host-serial-and-host-model-.patch @@ -0,0 +1,153 @@ +From: Prasad J Pandit +Date: Mon, 18 Feb 2019 23:43:49 +0530 +Subject: ppc: add host-serial and host-model machine attributes + (CVE-2019-8934) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On ppc hosts, hypervisor shares following system attributes + + - /proc/device-tree/system-id + - /proc/device-tree/model + +with a guest. This could lead to information leakage and misuse.[*] +Add machine attributes to control such system information exposure +to a guest. + +[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028 + +Reported-by: Daniel P. Berrangé +Fix-suggested-by: Daniel P. Berrangé +Signed-off-by: Prasad J Pandit +Message-Id: <20190218181349.23885-1-ppandit@redhat.com> +Reviewed-by: Daniel P. Berrangé +Reviewed-by: Greg Kurz +Signed-off-by: David Gibson +(cherry picked from commit 27461d69a0f108dea756419251acc3ea65198f1b) +[BR: BSC#1126455 CVE-2019-03812] +Signed-off-by: Bruce Rogers +--- + hw/ppc/spapr.c | 73 ++++++++++++++++++++++++++++++++++++++---- + include/hw/ppc/spapr.h | 2 ++ + 2 files changed, 69 insertions(+), 6 deletions(-) + +diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c +index 7afd1a175b..d3098d520e 100644 +--- a/hw/ppc/spapr.c ++++ b/hw/ppc/spapr.c +@@ -1244,13 +1244,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr, + * Add info to guest to indentify which host is it being run on + * and what is the uuid of the guest + */ +- if (kvmppc_get_host_model(&buf)) { +- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); +- g_free(buf); ++ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) { ++ if (g_str_equal(spapr->host_model, "passthrough")) { ++ /* -M host-model=passthrough */ ++ if (kvmppc_get_host_model(&buf)) { ++ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); ++ g_free(buf); ++ } ++ } else { ++ /* -M host-model= */ ++ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model)); ++ } + } +- if (kvmppc_get_host_serial(&buf)) { +- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); +- g_free(buf); ++ ++ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) { ++ if (g_str_equal(spapr->host_serial, "passthrough")) { ++ /* -M host-serial=passthrough */ ++ if (kvmppc_get_host_serial(&buf)) { ++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); ++ g_free(buf); ++ } ++ } else { ++ /* -M host-serial= */ ++ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial)); ++ } + } + + buf = qemu_uuid_unparse_strdup(&qemu_uuid); +@@ -3031,6 +3048,36 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name, + visit_type_uint32(v, name, (uint32_t *)opaque, errp); + } + ++static char *spapr_get_host_model(Object *obj, Error **errp) ++{ ++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); ++ ++ return g_strdup(spapr->host_model); ++} ++ ++static void spapr_set_host_model(Object *obj, const char *value, Error **errp) ++{ ++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); ++ ++ g_free(spapr->host_model); ++ spapr->host_model = g_strdup(value); ++} ++ ++static char *spapr_get_host_serial(Object *obj, Error **errp) ++{ ++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); ++ ++ return g_strdup(spapr->host_serial); ++} ++ ++static void spapr_set_host_serial(Object *obj, const char *value, Error **errp) ++{ ++ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); ++ ++ g_free(spapr->host_serial); ++ spapr->host_serial = g_strdup(value); ++} ++ + static void spapr_instance_init(Object *obj) + { + sPAPRMachineState *spapr = SPAPR_MACHINE(obj); +@@ -3067,6 +3114,17 @@ static void spapr_instance_init(Object *obj) + " the host's SMT mode", &error_abort); + object_property_add_bool(obj, "vfio-no-msix-emulation", + spapr_get_msix_emulation, NULL, NULL); ++ ++ object_property_add_str(obj, "host-model", ++ spapr_get_host_model, spapr_set_host_model, ++ &error_abort); ++ object_property_set_description(obj, "host-model", ++ "Set host's model-id to use - none|passthrough|string", &error_abort); ++ object_property_add_str(obj, "host-serial", ++ spapr_get_host_serial, spapr_set_host_serial, ++ &error_abort); ++ object_property_set_description(obj, "host-serial", ++ "Set host's system-id to use - none|passthrough|string", &error_abort); + } + + static void spapr_machine_finalizefn(Object *obj) +@@ -3961,6 +4019,9 @@ static const TypeInfo spapr_machine_info = { + */ + static void spapr_machine_3_1_instance_options(MachineState *machine) + { ++ sPAPRMachineState *spapr = SPAPR_MACHINE(machine); ++ spapr->host_model = g_strdup("passthrough"); ++ spapr->host_serial = g_strdup("passthrough"); + } + + static void spapr_machine_3_1_class_options(MachineClass *mc) +diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h +index 6279711fe8..63692a13bd 100644 +--- a/include/hw/ppc/spapr.h ++++ b/include/hw/ppc/spapr.h +@@ -171,6 +171,8 @@ struct sPAPRMachineState { + + /*< public >*/ + char *kvm_type; ++ char *host_model; ++ char *host_serial; + + const char *icp_type; + int32_t irq_map_nr; diff --git a/0063-i2c-ddc-fix-oob-read.patch b/0063-i2c-ddc-fix-oob-read.patch new file mode 100644 index 00000000..d951f0fa --- /dev/null +++ b/0063-i2c-ddc-fix-oob-read.patch @@ -0,0 +1,32 @@ +From: Gerd Hoffmann +Date: Tue, 8 Jan 2019 11:23:01 +0100 +Subject: i2c-ddc: fix oob read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Suggested-by: Michael Hanselmann +Signed-off-by: Gerd Hoffmann +Reviewed-by: Michael Hanselmann +Reviewed-by: Philippe Mathieu-Daudé +Message-id: 20190108102301.1957-1-kraxel@redhat.com +(cherry picked from commit b05b267840515730dbf6753495d5b7bd8b04ad1c) +[BR: BSC#1125721 CVE-2019-3812] +Signed-off-by: Bruce Rogers +--- + hw/i2c/i2c-ddc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c +index be34fe072c..0a0367ff38 100644 +--- a/hw/i2c/i2c-ddc.c ++++ b/hw/i2c/i2c-ddc.c +@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c) + I2CDDCState *s = I2CDDC(i2c); + + int value; +- value = s->edid_blob[s->reg]; ++ value = s->edid_blob[s->reg % sizeof(s->edid_blob)]; + s->reg++; + return value; + } diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index 705daa42..0ab642fc 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon Mar 25 20:45:10 UTC 2019 - Bruce Rogers + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0061-slirp-check-sscanf-result-when-emul.patch + 0062-ppc-add-host-serial-and-host-model-.patch + 0063-i2c-ddc-fix-oob-read.patch + ------------------------------------------------------------------- Fri Feb 15 22:49:26 UTC 2019 - Bruce Rogers diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index d7f74dcf..24173087 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -92,6 +92,9 @@ Patch0057: 0057-s390x-Return-specification-exceptio.patch Patch0058: 0058-Revert-target-i386-kvm-add-VMX-migr.patch Patch0059: 0059-memory-Fix-the-memory-region-type-a.patch Patch0060: 0060-target-i386-sev-Do-not-pin-the-ram-.patch +Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch +Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch +Patch0063: 0063-i2c-ddc-fix-oob-read.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. ExcludeArch: s390 @@ -183,6 +186,9 @@ syscall layer occurs on the native hardware and operating system. %patch0058 -p1 %patch0059 -p1 %patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 %build ./configure \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 9badd22b..519dd513 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Mar 25 20:45:08 UTC 2019 - Bruce Rogers + +- Remove an unneeded BuildRequires which impacts bsc#1119414 fix + Also add a corresponding Recommends for qemu-tools as part of + this packaging adjustment (bsc#1130484) +- Fix information leak in slirp (CVE-2019-9824 bsc#1129622) + 0061-slirp-check-sscanf-result-when-emul.patch +- Add method to specify whether or not to expose certain ppc64 host + information, which can be considered a security issue + (CVE-2019-8934 bsc#1126455) + 0062-ppc-add-host-serial-and-host-model-.patch +- Fix OOB memory access and information leak in virtual monitor + interface (CVE-2019-03812 bsc#1125721) + 0063-i2c-ddc-fix-oob-read.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + ------------------------------------------------------------------- Fri Mar 8 17:49:54 UTC 2019 - Bruce Rogers diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index a03a3a65..8fe76bbf 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -203,6 +203,9 @@ Patch0057: 0057-s390x-Return-specification-exceptio.patch Patch0058: 0058-Revert-target-i386-kvm-add-VMX-migr.patch Patch0059: 0059-memory-Fix-the-memory-region-type-a.patch Patch0060: 0060-target-i386-sev-Do-not-pin-the-ram-.patch +Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch +Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch +Patch0063: 0063-i2c-ddc-fix-oob-read.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -344,7 +347,6 @@ BuildRequires: libxkbcommon-devel BuildRequires: lzo-devel BuildRequires: makeinfo %if 0%{?suse_version} > 1320 -BuildRequires: multipath-tools BuildRequires: multipath-tools-devel %endif BuildRequires: ncurses-devel @@ -843,6 +845,7 @@ Release: 0 Provides: %name:%_libexecdir/qemu-bridge-helper Requires(pre): permissions Requires(pre): shadow +Recommends: multipath-tools Recommends: qemu-block-curl %if 0%{?with_rbd} Recommends: qemu-block-rbd @@ -1001,6 +1004,9 @@ This package provides a service file for starting and stopping KSM. %patch0058 -p1 %patch0059 -p1 %patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 pushd roms/seabios %patch1100 -p1 diff --git a/qemu.changes b/qemu.changes index 9badd22b..519dd513 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Mon Mar 25 20:45:08 UTC 2019 - Bruce Rogers + +- Remove an unneeded BuildRequires which impacts bsc#1119414 fix + Also add a corresponding Recommends for qemu-tools as part of + this packaging adjustment (bsc#1130484) +- Fix information leak in slirp (CVE-2019-9824 bsc#1129622) + 0061-slirp-check-sscanf-result-when-emul.patch +- Add method to specify whether or not to expose certain ppc64 host + information, which can be considered a security issue + (CVE-2019-8934 bsc#1126455) + 0062-ppc-add-host-serial-and-host-model-.patch +- Fix OOB memory access and information leak in virtual monitor + interface (CVE-2019-03812 bsc#1125721) + 0063-i2c-ddc-fix-oob-read.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + ------------------------------------------------------------------- Fri Mar 8 17:49:54 UTC 2019 - Bruce Rogers diff --git a/qemu.spec b/qemu.spec index 1afd3e3c..5f2c4052 100644 --- a/qemu.spec +++ b/qemu.spec @@ -203,6 +203,9 @@ Patch0057: 0057-s390x-Return-specification-exceptio.patch Patch0058: 0058-Revert-target-i386-kvm-add-VMX-migr.patch Patch0059: 0059-memory-Fix-the-memory-region-type-a.patch Patch0060: 0060-target-i386-sev-Do-not-pin-the-ram-.patch +Patch0061: 0061-slirp-check-sscanf-result-when-emul.patch +Patch0062: 0062-ppc-add-host-serial-and-host-model-.patch +Patch0063: 0063-i2c-ddc-fix-oob-read.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -344,7 +347,6 @@ BuildRequires: libxkbcommon-devel BuildRequires: lzo-devel BuildRequires: makeinfo %if 0%{?suse_version} > 1320 -BuildRequires: multipath-tools BuildRequires: multipath-tools-devel %endif BuildRequires: ncurses-devel @@ -843,6 +845,7 @@ Release: 0 Provides: %name:%_libexecdir/qemu-bridge-helper Requires(pre): permissions Requires(pre): shadow +Recommends: multipath-tools Recommends: qemu-block-curl %if 0%{?with_rbd} Recommends: qemu-block-rbd @@ -1001,6 +1004,9 @@ This package provides a service file for starting and stopping KSM. %patch0058 -p1 %patch0059 -p1 %patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 pushd roms/seabios %patch1100 -p1 diff --git a/qemu.spec.in b/qemu.spec.in index 788cd2e4..135c8c3a 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -282,7 +282,6 @@ BuildRequires: libxkbcommon-devel BuildRequires: lzo-devel BuildRequires: makeinfo %if 0%{?suse_version} > 1320 -BuildRequires: multipath-tools BuildRequires: multipath-tools-devel %endif BuildRequires: ncurses-devel @@ -781,6 +780,7 @@ Release: 0 Provides: %name:%_libexecdir/qemu-bridge-helper Requires(pre): permissions Requires(pre): shadow +Recommends: multipath-tools Recommends: qemu-block-curl %if 0%{?with_rbd} Recommends: qemu-block-rbd @@ -1176,7 +1176,6 @@ make %{?_smp_mflags} -C roms efirom make -C roms sgabios \ HOSTCC=cc - %if %{force_fit_virtio_pxe_rom} pushd roms/ipxe patch -p1 < %{SOURCE301}