diff --git a/0056-slirp-check-data-length-while-emula.patch b/0056-slirp-check-data-length-while-emula.patch
new file mode 100644
index 00000000..9f2948d9
--- /dev/null
+++ b/0056-slirp-check-data-length-while-emula.patch
@@ -0,0 +1,33 @@
+From: Prasad J Pandit
+Date: Sun, 13 Jan 2019 23:29:48 +0530
+Subject: slirp: check data length while emulating ident function
+
+While emulating identification protocol, tcp_emu() does not check
+available space in the 'sc_rcv->sb_data' buffer. It could lead to
+heap buffer overflow issue. Add check to avoid it.
+
+Reported-by: Kira <864786842@qq.com>
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Samuel Thibault
+(cherry picked from commit a7104eda7dab99d0cdbd3595c211864cba415905)
+[BR: BSC#1123156 CVE-2019-6778, modify patch to use spaces instead of tabs]
+Signed-off-by: Bruce Rogers
+---
+ slirp/tcp_subr.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index fa61349cbb..7a23ce738c 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -635,6 +635,10 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ socklen_t addrlen = sizeof(struct sockaddr_in);
+ struct sbuf *so_rcv = &so->so_rcv;
+ 
++ if (m->m_len > so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)) {
++ return 1;
++ }
++
+ memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+ so_rcv->sb_wptr += m->m_len;
+ so_rcv->sb_rptr += m->m_len;
diff --git a/ipxe-build-Disable-gcc-address-of-packed-member-warning.patch b/ipxe-build-Disable-gcc-address-of-packed-member-warning.patch
new file mode 100644
index 00000000..7a72893f
--- /dev/null
+++ b/ipxe-build-Disable-gcc-address-of-packed-member-warning.patch
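Review bot: The added guard compares `m->m_len` with `so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)`, where the pointer difference is a signed `ptrdiff_t` while `sb_datalen` and `m_len` are presumably unsigned and `int` respectively; the result then depends on the usual arithmetic conversions, which a reader has to work out by hand. A comment would make the intent explicit, e.g. `/* Refuse data that does not fit the remaining sbuf space; the memcpy below would otherwise write past sb_data */`, and a cast of the difference to `size_t` (or of both sides to the same type) would make the comparison independent of the field types. The bail-out path hands the mbuf back to the caller via `return 1` without freeing it, so confirm that the caller's handling of a non-zero return, which is outside this hunk, neither leaks `m` nor appends it to the same buffer unchecked. tcp_emu continues outside the hunk on both sides.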
@@ -0,0 +1,42 @@
+From 0ee72a15887b838d967c3b05070d5ad86f0d729a Mon Sep 17 00:00:00 2001
+From: Bruce Rogers
+Date: Fri, 25 Jan 2019 10:29:16 -0700
+Subject: [PATCH] [build] Disable gcc address of packed member warning
+
+GCC 9.0 introduces a new warning for using pointers to packed
+structure and union members. ipxe code is replete with this usage,
+partly because the architectures it is designed for handle unaligned
+accesses. Therefore this warning is not very helpful and since the
+default build considers warnings to be errors, needs to be disabled.
+
+[BR: BSC#1121464]
+Signed-off-by: Bruce Rogers
+---
+ src/Makefile.housekeeping | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping
+index f8334921..e7f1ece0 100644
+--- a/src/Makefile.housekeeping
++++ b/src/Makefile.housekeeping
+@@ -646,6 +646,17 @@ $(BIN)/.certificate.der.% : $(BIN)/.cert
+ CERT_ALL := $(foreach i,$(call seq,1,$(CERT_COUNT)),\
+ CERT ( $(i), \"$(word $(i),$(CERT_DERS))\" ))
+ 
++
++# GCC 9.0 introduces a new warning for using pointers to packed
++# structure and union members. ipxe code is replete with this usage,
++# partly because the architectures it is designed for handle unaligned
++# accesses. Therefore this warning is not very helpful and since the
++# default build considers warnings to be errors, needs to be disabled.
++#
++WNAOPM_TEST = $(CC) -Waddress-of-packed-member -x c -c /dev/null -o /dev/null \
++ >/dev/null 2>&1
++WNAOPM_FLAGS := $(shell $(WNAOPM_TEST) && $(ECHO) '-Wno-address-of-packed-member')
++WORKAROUND_CFLAGS += $(WNAOPM_FLAGS)
+ endif
+ 
+ certstore_DEPS += $(CERT_LIST) $(CERT_FILES) $(CERT_PEMS) $(CERT_DERS)
+-- 
+2.20.1
+
diff --git a/ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch b/ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch
new file mode 100644
index 00000000..defce591
--- /dev/null
+++ b/ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch
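Review bot: The new `WNAOPM_TEST`/`WNAOPM_FLAGS`/`WORKAROUND_CFLAGS` lines are placed between the `CERT_ALL :=` assignment and an `endif`, so they inherit whatever condition that `endif` closes; its opening directive is outside the hunk, but the surrounding context is all certificate handling, and if the conditional is certificate-related the warning would be disabled only in builds that embed certificates, while the commit message asks for it unconditionally. Moving the three assignments after the `endif`, next to any other `WORKAROUND_CFLAGS` additions the file has, removes that dependency. The probe itself is sound: it tests the positive `-Waddress-of-packed-member` spelling, which GCC rejects when the option is unknown, whereas an unknown `-Wno-` flag may be accepted silently. The two consecutive blank added lines before the comment could be reduced to one to match the spacing of the surrounding blocks.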
@@ -0,0 +1,42 @@
+From 1280c1f65b73d6d0c4833e39a3bb8194bd03f906 Mon Sep 17 00:00:00 2001
+From: Bruce Rogers
+Date: Fri, 25 Jan 2019 09:37:44 -0700
+Subject: [PATCH] [efi] Simplify diagnostic for NULL handle
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Compiling with GCC 9 now warns as follows:
+interface/efi/efi_debug.c:334:3: error: ā€˜%sā€™ directive argument is null [-Werror=format-overflow=]
+ 334 | printf ( "HANDLE %s could not retrieve protocols\n",
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 335 | efi_handle_name ( handle ) );
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+Simplify this diagnostic by simply indicating a has been
+passed as a handle.
+
+[BR: BSC#1121464]
+Signed-off-by: Bruce Rogers
+---
+ src/interface/efi/efi_debug.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/interface/efi/efi_debug.c b/src/interface/efi/efi_debug.c
+index 8ea0a822..19fba767 100644
+--- a/src/interface/efi/efi_debug.c
++++ b/src/interface/efi/efi_debug.c
+@@ -331,8 +331,7 @@ void dbg_efi_protocols ( EFI_HANDLE handle ) {
+ 
+ /* Sanity check */
+ if ( ! handle ) {
+- printf ( "HANDLE %s could not retrieve protocols\n",
+- efi_handle_name ( handle ) );
++ printf ( "HANDLE could not retrieve protocols\n" );
+ return;
+ }
+ 
+-- 
+2.20.1
+
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index 8876690d..8cd27920 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jan 25 19:21:00 UTC 2019 - Bruce Rogers
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+* Patches added:
+ 0056-slirp-check-data-length-while-emula.patch
+
 -------------------------------------------------------------------
 Thu Jan 17 21:58:04 UTC 2019 - Bruce Rogers
 
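Review bot: The replacement string `"HANDLE could not retrieve protocols\n"` no longer tells the reader that the handle was NULL, which is the only information this branch has to report once the `%s` name is gone; the commit message's own sentence (`indicating a has been passed as a handle`) appears to have lost the same word. Keeping it costs nothing: `printf ( "HANDLE NULL could not retrieve protocols\n" );` or `printf ( "NULL handle: could not retrieve protocols\n" );`. The fix is otherwise right: GCC's complaint was that the `%s` argument is null, so dropping the `efi_handle_name ( handle )` call removes the warning at its source instead of silencing it with a pragma. dbg_efi_protocols continues outside the hunk.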
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 39ff6f0f..3152a79b 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
@@ -87,6 +87,7 @@ Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
 Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
 Patch0054: 0054-linux-user-make-pwrite64-pread64-fd.patch
 Patch0055: 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch
+Patch0056: 0056-slirp-check-data-length-while-emula.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 ExcludeArch: s390
@@ -173,6 +174,7 @@ syscall layer occurs on the native hardware and operating system.
 %patch0053 -p1
 %patch0054 -p1
 %patch0055 -p1
+%patch0056 -p1
 
 %build
 ./configure \
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index b77a5e0d..3a7a3e04 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jan 25 19:20:59 UTC 2019 - Bruce Rogers
+
+- Fix OOB issue in slirp (CVE-2019-6778 bsc#1123156)
+ 0056-slirp-check-data-length-while-emula.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+- Fix ipxe GCC 9 incompatibilities (bsc#1121464)
+ ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch
+ ipxe-build-Disable-gcc-address-of-packed-member-warning.patch
+
 -------------------------------------------------------------------
 Thu Jan 17 21:58:02 UTC 2019 - Bruce Rogers
 
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index bcb55d2f..7e355a1e 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -192,6 +192,7 @@ Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
 Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
 Patch0054: 0054-linux-user-make-pwrite64-pread64-fd.patch
 Patch0055: 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch
+Patch0056: 0056-slirp-check-data-length-while-emula.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -204,6 +205,8 @@ Patch1200: ipxe-stable-buildid.patch
 Patch1201: ipxe-use-gcc6-for-more-compact-code.patch
 Patch1202: ipxe-efi-guard-strncpy-with-gcc-warning-ignore-pragma.patch
 Patch1203: ipxe-fix-build.patch
+Patch1204: ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch
+Patch1205: ipxe-build-Disable-gcc-address-of-packed-member-warning.patch
 # sgabios - path: roms/sgabios (patch range 1300-1399)
 Patch1300: sgabios-stable-buildid.patch
 
@@ -975,6 +978,7 @@ This package provides a service file for starting and stopping KSM.
 %patch0053 -p1
 %patch0054 -p1
 %patch0055 -p1
+%patch0056 -p1
 
 pushd roms/seabios
 %patch1100 -p1
@@ -990,6 +994,8 @@ pushd roms/ipxe
 %endif
 %patch1202 -p1
 %patch1203 -p1
+%patch1204 -p1
+%patch1205 -p1
 popd
 
 pushd roms/sgabios
diff --git a/qemu.changes b/qemu.changes
index b77a5e0d..3a7a3e04 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jan 25 19:20:59 UTC 2019 - Bruce Rogers
+
+- Fix OOB issue in slirp (CVE-2019-6778 bsc#1123156)
+ 0056-slirp-check-data-length-while-emula.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1
+- Fix ipxe GCC 9 incompatibilities (bsc#1121464)
+ ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch
+ ipxe-build-Disable-gcc-address-of-packed-member-warning.patch
+
 -------------------------------------------------------------------
 Thu Jan 17 21:58:02 UTC 2019 - Bruce Rogers
 
diff --git a/qemu.spec b/qemu.spec
index 82c05847..5561aa86 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -192,6 +192,7 @@ Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch
 Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch
 Patch0054: 0054-linux-user-make-pwrite64-pread64-fd.patch
 Patch0055: 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch
+Patch0056: 0056-slirp-check-data-length-while-emula.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -204,6 +205,8 @@ Patch1200: ipxe-stable-buildid.patch
 Patch1201: ipxe-use-gcc6-for-more-compact-code.patch
 Patch1202: ipxe-efi-guard-strncpy-with-gcc-warning-ignore-pragma.patch
 Patch1203: ipxe-fix-build.patch
+Patch1204: ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch
+Patch1205: ipxe-build-Disable-gcc-address-of-packed-member-warning.patch
 # sgabios - path: roms/sgabios (patch range 1300-1399)
 Patch1300: sgabios-stable-buildid.patch
 
@@ -975,6 +978,7 @@ This package provides a service file for starting and stopping KSM.
 %patch0053 -p1
 %patch0054 -p1
 %patch0055 -p1
+%patch0056 -p1
 
 pushd roms/seabios
 %patch1100 -p1
@@ -990,6 +994,8 @@ pushd roms/ipxe
 %endif
 %patch1202 -p1
 %patch1203 -p1
+%patch1204 -p1
+%patch1205 -p1
 popd
 
 pushd roms/sgabios
diff --git a/qemu.spec.in b/qemu.spec.in
index 6a5761d0..90046661 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -147,6 +147,8 @@ Patch1200: ipxe-stable-buildid.patch
 Patch1201: ipxe-use-gcc6-for-more-compact-code.patch
 Patch1202: ipxe-efi-guard-strncpy-with-gcc-warning-ignore-pragma.patch
 Patch1203: ipxe-fix-build.patch
+Patch1204: ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch
+Patch1205: ipxe-build-Disable-gcc-address-of-packed-member-warning.patch
 # sgabios - path: roms/sgabios (patch range 1300-1399)
 Patch1300: sgabios-stable-buildid.patch
 
@@ -879,6 +881,8 @@ pushd roms/ipxe
 %endif
 %patch1202 -p1
 %patch1203 -p1
+%patch1204 -p1
+%patch1205 -p1
 popd
 
 pushd roms/sgabios