diff --git a/0048-input-Add-trace-event-for-empty-key.patch b/0048-input-Add-trace-event-for-empty-key.patch index e0c90c29..c657f6c6 100644 --- a/0048-input-Add-trace-event-for-empty-key.patch +++ b/0048-input-Add-trace-event-for-empty-key.patch @@ -1,6 +1,6 @@ -From c376e77aa2dd2489101c8d89a55771a67332447b Mon Sep 17 00:00:00 2001 +From 99ce69e23c7154ccaee85137c121bb6b8bab8275 Mon Sep 17 00:00:00 2001 From: Alexander Graf -Date: Thu, 30 Mar 2017 15:32:08 +0200 +Date: Thu, 30 Mar 2017 16:22:55 +0200 Subject: [PATCH] input: Add trace event for empty keyboard queue When driving QEMU from the outside, we have basically no chance to @@ -12,6 +12,8 @@ This patch adds a trace events when the keyboarde queue is drained. An external driver can use that as hint that new keys can be pressed. Signed-off-by: Alexander Graf +Message-id: 1490883775-94658-1-git-send-email-agraf@suse.de +Signed-off-by: Gerd Hoffmann [BR: BSC#1031692] Signed-off-by: Bruce Rogers --- diff --git a/0049-ACPI-don-t-call-acpi_pcihp_device_p.patch b/0049-ACPI-don-t-call-acpi_pcihp_device_p.patch index 52d393d4..517fc96b 100644 --- a/0049-ACPI-don-t-call-acpi_pcihp_device_p.patch +++ b/0049-ACPI-don-t-call-acpi_pcihp_device_p.patch @@ -1,4 +1,4 @@ -From 9df0bb18bea5bc5cb4f292cfa4b51018cb2c70d9 Mon Sep 17 00:00:00 2001 +From e4733da636cf6a2b53ae1fdfc5c934576e1970a6 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Thu, 27 Apr 2017 13:43:58 -0600 Subject: [PATCH] ACPI: don't call acpi_pcihp_device_plug_cb on xen diff --git a/0050-i386-Allow-cpuid-bit-override.patch b/0050-i386-Allow-cpuid-bit-override.patch index 012afd7a..01e66efd 100644 --- a/0050-i386-Allow-cpuid-bit-override.patch +++ b/0050-i386-Allow-cpuid-bit-override.patch @@ -1,4 +1,4 @@ -From 475a538eb562cb8cb757105957b10903c420945a Mon Sep 17 00:00:00 2001 +From 5cff035804d92d336b27c368754b63e2dccbba90 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Tue, 28 Mar 2017 05:27:00 -0600 Subject: [PATCH] i386: Allow cpuid bit override diff --git a/0051-input-limit-kbd-queue-depth.patch b/0051-input-limit-kbd-queue-depth.patch new file mode 100644 index 00000000..1cdc0cfb --- /dev/null +++ b/0051-input-limit-kbd-queue-depth.patch @@ -0,0 +1,90 @@ +From 60f3bfde84c98a31a1de4542fbab456ae83c4cbb Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 28 Apr 2017 10:42:37 +0200 +Subject: [PATCH] input: limit kbd queue depth + +Apply a limit to the number of items we accept into the keyboard queue. + +Impact: Without this limit vnc clients can exhaust host memory by +sending keyboard events faster than qemu feeds them to the guest. + +Fixes: CVE-2017-8379 +Cc: P J P +Cc: Huawei PSIRT +Reported-by: jiangxin1@huawei.com +Signed-off-by: Gerd Hoffmann +Message-id: 20170428084237.23960-1-kraxel@redhat.com +(cherry picked from commit fa18f36a461984eae50ab957e47ec78dae3c14fc) +[BR: BSC#1037334] +Signed-off-by: Bruce Rogers +--- + ui/input.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ui/input.c b/ui/input.c +index ed88cda6d6..fb1f404095 100644 +--- a/ui/input.c ++++ b/ui/input.c +@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue = + QTAILQ_HEAD_INITIALIZER(kbd_queue); + static QEMUTimer *kbd_timer; + static uint32_t kbd_default_delay_ms = 10; ++static uint32_t queue_count; ++static uint32_t queue_limit = 1024; + + QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, + QemuInputHandler *handler) +@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) + break; + } + QTAILQ_REMOVE(queue, item, node); ++ queue_count--; + g_free(item); + } + } +@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue, + item->delay_ms = delay_ms; + item->timer = timer; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + + if (start_timer) { + timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) +@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue, + item->src = src; + item->evt = evt; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + } + + static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) +@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) + + item->type = QEMU_INPUT_QUEUE_SYNC; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + } + + void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) +@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down) + qemu_input_event_send(src, evt); + qemu_input_event_sync(); + qapi_free_InputEvent(evt); +- } else { ++ } else if (queue_count < queue_limit) { + qemu_input_queue_event(&kbd_queue, src, evt); + qemu_input_queue_sync(&kbd_queue); + } +@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) + kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process, + &kbd_queue); + } +- qemu_input_queue_delay(&kbd_queue, kbd_timer, +- delay_ms ? delay_ms : kbd_default_delay_ms); ++ if (queue_count < queue_limit) { ++ qemu_input_queue_delay(&kbd_queue, kbd_timer, ++ delay_ms ? delay_ms : kbd_default_delay_ms); ++ } + } + + InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) diff --git a/0052-audio-release-capture-buffers.patch b/0052-audio-release-capture-buffers.patch new file mode 100644 index 00000000..3227780c --- /dev/null +++ b/0052-audio-release-capture-buffers.patch @@ -0,0 +1,38 @@ +From f612e97b6af1cb18d66d70ede8c65faab8c21a5a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 28 Apr 2017 09:56:12 +0200 +Subject: [PATCH] audio: release capture buffers + +AUD_add_capture() allocates two buffers which are never released. +Add the missing calls to AUD_del_capture(). + +Impact: Allows vnc clients to exhaust host memory by repeatedly +starting and stopping audio capture. + +Fixes: CVE-2017-8309 +Cc: P J P +Cc: Huawei PSIRT +Reported-by: "Jiangxin (hunter, SCC)" +Signed-off-by: Gerd Hoffmann +Reviewed-by: Prasad J Pandit +Message-id: 20170428075612.9997-1-kraxel@redhat.com +(cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a) +[BR: BSC#1037242] +Signed-off-by: Bruce Rogers +--- + audio/audio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/audio/audio.c b/audio/audio.c +index c8898d8422..beafed209b 100644 +--- a/audio/audio.c ++++ b/audio/audio.c +@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) + sw = sw1; + } + QLIST_REMOVE (cap, entries); ++ g_free (cap->hw.mix_buf); ++ g_free (cap->buf); + g_free (cap); + } + return; diff --git a/0053-scsi-avoid-an-off-by-one-error-in-m.patch b/0053-scsi-avoid-an-off-by-one-error-in-m.patch new file mode 100644 index 00000000..ca027196 --- /dev/null +++ b/0053-scsi-avoid-an-off-by-one-error-in-m.patch @@ -0,0 +1,45 @@ +From 7b1991173de44443e24a82f6a52f3977e5f66bc7 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 24 Apr 2017 17:36:34 +0530 +Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write + +While reading magic sequence(MFI_SEQ) in megasas_mmio_write, +an off-by-one error could occur as 's->adp_reset' index is not +reset after reading the last sequence. + +Reported-by: YY Z +Signed-off-by: Prasad J Pandit +Message-Id: <20170424120634.12268-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f) +[BR: BSC#1037336 CVE-2017-8380] +Signed-off-by: Bruce Rogers +--- + hw/scsi/megasas.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 84b8caf901..804122ab05 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr, + case MFI_SEQ: + trace_megasas_mmio_writel("MFI_SEQ", val); + /* Magic sequence to start ADP reset */ +- if (adp_reset_seq[s->adp_reset] == val) { +- s->adp_reset++; ++ if (adp_reset_seq[s->adp_reset++] == val) { ++ if (s->adp_reset == 6) { ++ s->adp_reset = 0; ++ s->diag = MFI_DIAG_WRITE_ENABLE; ++ } + } else { + s->adp_reset = 0; + s->diag = 0; + } +- if (s->adp_reset == 6) { +- s->diag = MFI_DIAG_WRITE_ENABLE; +- } + break; + case MFI_DIAG: + trace_megasas_mmio_writel("MFI_DIAG", val); diff --git a/0054-vmw_pvscsi-check-message-ring-page-.patch b/0054-vmw_pvscsi-check-message-ring-page-.patch new file mode 100644 index 00000000..f0aba7c8 --- /dev/null +++ b/0054-vmw_pvscsi-check-message-ring-page-.patch @@ -0,0 +1,33 @@ +From 4e1c19fe60bb27e1a8b44878b40e59c0c324af56 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Tue, 25 Apr 2017 18:36:23 +0530 +Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation + +A guest could set the message ring page count to zero, resulting in +infinite loop. Add check to avoid it. + +Reported-by: YY Z +Signed-off-by: P J P +Message-Id: <20170425130623.3649-1-ppandit@redhat.com> +Reviewed-by: Dmitry Fleytman +Signed-off-by: Paolo Bonzini +(cherry picked from commit f68826989cd4d1217797251339579c57b3c0934e) +[BR: BSC#1036211 CVE-2017-8112] +Signed-off-by: Bruce Rogers +--- + hw/scsi/vmw_pvscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 75575461e2..4a106da856 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + uint32_t len_log2; + uint32_t ring_size; + +- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { ++ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { + return -1; + } + ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index d0a95358..a1aad425 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Thu May 11 20:55:59 UTC 2017 - brogers@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 +* Patches added: + 0051-input-limit-kbd-queue-depth.patch + 0052-audio-release-capture-buffers.patch + 0053-scsi-avoid-an-off-by-one-error-in-m.patch + 0054-vmw_pvscsi-check-message-ring-page-.patch + ------------------------------------------------------------------- Thu Apr 27 20:09:41 UTC 2017 - brogers@suse.com diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 1a560185..bb38945a 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec @@ -76,6 +76,10 @@ Patch0047: 0047-ARM-KVM-Enable-in-kernel-timers-wit.patch Patch0048: 0048-input-Add-trace-event-for-empty-key.patch Patch0049: 0049-ACPI-don-t-call-acpi_pcihp_device_p.patch Patch0050: 0050-i386-Allow-cpuid-bit-override.patch +Patch0051: 0051-input-limit-kbd-queue-depth.patch +Patch0052: 0052-audio-release-capture-buffers.patch +Patch0053: 0053-scsi-avoid-an-off-by-one-error-in-m.patch +Patch0054: 0054-vmw_pvscsi-check-message-ring-page-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. Source400: update_git.sh @@ -179,6 +183,10 @@ run cross-architecture builds. %patch0048 -p1 %patch0049 -p1 %patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 %build ./configure \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 5e21f3e4..468180e4 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Thu May 11 20:55:57 UTC 2017 - brogers@suse.com + +- Address various security/stability issues +* Fix DOS potential in vnc interface (CVE-2017-8379 bsc#1037334) + 0051-input-limit-kbd-queue-depth.patch +* Fix DOS potential in vnc interface (CVE-2017-8309 bsc#1037242) + 0052-audio-release-capture-buffers.patch +* Fix OOB access in megasas device emulation (CVE-2017-8380 + bsc#1037336) + 0053-scsi-avoid-an-off-by-one-error-in-m.patch +* Fix DOS in Vmware pv scsi emulation (CVE-2017-8112 bsc#1036211) + 0054-vmw_pvscsi-check-message-ring-page-.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 + ------------------------------------------------------------------- Thu May 4 20:14:25 UTC 2017 - brogers@suse.com diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index b879396c..2d63903b 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -180,6 +180,10 @@ Patch0047: 0047-ARM-KVM-Enable-in-kernel-timers-wit.patch Patch0048: 0048-input-Add-trace-event-for-empty-key.patch Patch0049: 0049-ACPI-don-t-call-acpi_pcihp_device_p.patch Patch0050: 0050-i386-Allow-cpuid-bit-override.patch +Patch0051: 0051-input-limit-kbd-queue-depth.patch +Patch0052: 0052-audio-release-capture-buffers.patch +Patch0053: 0053-scsi-avoid-an-off-by-one-error-in-m.patch +Patch0054: 0054-vmw_pvscsi-check-message-ring-page-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -876,6 +880,10 @@ This package provides a service file for starting and stopping KSM. %patch0048 -p1 %patch0049 -p1 %patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 pushd roms/ipxe %patch1100 -p1 diff --git a/qemu.changes b/qemu.changes index 5e21f3e4..468180e4 100644 --- a/qemu.changes +++ b/qemu.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Thu May 11 20:55:57 UTC 2017 - brogers@suse.com + +- Address various security/stability issues +* Fix DOS potential in vnc interface (CVE-2017-8379 bsc#1037334) + 0051-input-limit-kbd-queue-depth.patch +* Fix DOS potential in vnc interface (CVE-2017-8309 bsc#1037242) + 0052-audio-release-capture-buffers.patch +* Fix OOB access in megasas device emulation (CVE-2017-8380 + bsc#1037336) + 0053-scsi-avoid-an-off-by-one-error-in-m.patch +* Fix DOS in Vmware pv scsi emulation (CVE-2017-8112 bsc#1036211) + 0054-vmw_pvscsi-check-message-ring-page-.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.9 + ------------------------------------------------------------------- Thu May 4 20:14:25 UTC 2017 - brogers@suse.com diff --git a/qemu.spec b/qemu.spec index a3d4a90d..22354914 100644 --- a/qemu.spec +++ b/qemu.spec @@ -180,6 +180,10 @@ Patch0047: 0047-ARM-KVM-Enable-in-kernel-timers-wit.patch Patch0048: 0048-input-Add-trace-event-for-empty-key.patch Patch0049: 0049-ACPI-don-t-call-acpi_pcihp_device_p.patch Patch0050: 0050-i386-Allow-cpuid-bit-override.patch +Patch0051: 0051-input-limit-kbd-queue-depth.patch +Patch0052: 0052-audio-release-capture-buffers.patch +Patch0053: 0053-scsi-avoid-an-off-by-one-error-in-m.patch +Patch0054: 0054-vmw_pvscsi-check-message-ring-page-.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -876,6 +880,10 @@ This package provides a service file for starting and stopping KSM. %patch0048 -p1 %patch0049 -p1 %patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 pushd roms/ipxe %patch1100 -p1