Accepting request 984177 from home:dfaggioli:old_qemu

- Fix bugs boo#1200557 and boo#1199924 - Now that boo#1199924 is fixed, re-enable FORTIFY_SOURCE=3 * Patches added: pci-fix-overflow-in-snprintf-string-form.patch sphinx-change-default-language-to-en.patch OBS-URL: https://build.opensuse.org/request/show/984177 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=721
2022-06-21 13:17:32 +00:00 · 2022-06-21 13:17:32 +00:00 · c39ad145aa
commit c39ad145aa
parent f76560bd5f
6 changed files with 151 additions and 8 deletions
--- a/bundles.tar.xz
+++ b/bundles.tar.xz
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c205305cd9e7d29be6220fe76cab04d5a7be4019e998cfeb643ac6a4e31de0a3
-size 136912
+oid sha256:b2837938571118a36f2134cbc2dab59a161748a2a3ae8decca176b5f35f3dea8
+size 139264
--- a/pci-fix-overflow-in-snprintf-string-form.patch
+++ b/pci-fix-overflow-in-snprintf-string-form.patch
@ -0,0 +1,101 @@
+From: Claudio Fontana <cfontana@suse.de>
+Date: Tue, 31 May 2022 13:47:07 +0200
+Subject: pci: fix overflow in snprintf string formatting
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Git-commit: 36f18c6989a3d1ff1d7a0e50b0868ef3958299b4
+References: bsc#1199924
+
+the code in pcibus_get_fw_dev_path contained the potential for a
+stack buffer overflow of 1 byte, potentially writing to the stack an
+extra NUL byte.
+
+This overflow could happen if the PCI slot is >= 0x10000000,
+and the PCI function is >= 0x10000000, due to the size parameter
+of snprintf being incorrectly calculated in the call:
+
+    if (PCI_FUNC(d->devfn))
+        snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
+
+since the off obtained from a previous call to snprintf is added
+instead of subtracted from the total available size of the buffer.
+
+Without the accurate size guard from snprintf, we end up writing in the
+worst case:
+
+name (32) + "@" (1) + SLOT (8) + "," (1) + FUNC (8) + term NUL (1) = 51 bytes
+
+In order to provide something more robust, replace all of the code in
+pcibus_get_fw_dev_path with a single call to g_strdup_printf,
+so there is no need to rely on manual calculations.
+
+Found by compiling QEMU with FORTIFY_SOURCE=3 as the error:
+
+*** buffer overflow detected ***: terminated
+
+Thread 1 "qemu-system-x86" received signal SIGABRT, Aborted.
+[Switching to Thread 0x7ffff642c380 (LWP 121307)]
+0x00007ffff71ff55c in __pthread_kill_implementation () from /lib64/libc.so.6
+(gdb) bt
+ #0  0x00007ffff71ff55c in __pthread_kill_implementation () at /lib64/libc.so.6
+ #1  0x00007ffff71ac6f6 in raise () at /lib64/libc.so.6
+ #2  0x00007ffff7195814 in abort () at /lib64/libc.so.6
+ #3  0x00007ffff71f279e in __libc_message () at /lib64/libc.so.6
+ #4  0x00007ffff729767a in __fortify_fail () at /lib64/libc.so.6
+ #5  0x00007ffff7295c36 in  () at /lib64/libc.so.6
+ #6  0x00007ffff72957f5 in __snprintf_chk () at /lib64/libc.so.6
+ #7  0x0000555555b1c1fd in pcibus_get_fw_dev_path ()
+ #8  0x0000555555f2bde4 in qdev_get_fw_dev_path_helper.constprop ()
+ #9  0x0000555555f2bd86 in qdev_get_fw_dev_path_helper.constprop ()
+ #10 0x00005555559a6e5d in get_boot_device_path ()
+ #11 0x00005555559a712c in get_boot_devices_list ()
+ #12 0x0000555555b1a3d0 in fw_cfg_machine_reset ()
+ #13 0x0000555555bf4c2d in pc_machine_reset ()
+ #14 0x0000555555c66988 in qemu_system_reset ()
+ #15 0x0000555555a6dff6 in qdev_machine_creation_done ()
+ #16 0x0000555555c79186 in qmp_x_exit_preconfig.part ()
+ #17 0x0000555555c7b459 in qemu_init ()
+ #18 0x0000555555960a29 in main ()
+
+Found-by: Dario Faggioli <Dario Faggioli <dfaggioli@suse.com>
+Found-by: Martin Liška <martin.liska@suse.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Claudio Fontana <cfontana@suse.de>
+Message-Id: <20220531114707.18830-1-cfontana@suse.de>
+Reviewed-by: Ani Sinha <ani@anisinha.ca>
+Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ hw/pci/pci.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/hw/pci/pci.c b/hw/pci/pci.c
+index e5993c1ef52b7c9e39faa7de4020..87c419836b3c990ee862f623fd89 100644
+--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
+@@ -2576,15 +2576,15 @@ static char *pci_dev_fw_name(DeviceState *dev, char *buf, int len)
+ static char *pcibus_get_fw_dev_path(DeviceState *dev)
+ {
+     PCIDevice *d = (PCIDevice *)dev;
+-    char path[50], name[33];
+-    int off;
+-
+-    off = snprintf(path, sizeof(path), "%s@%x",
+-                   pci_dev_fw_name(dev, name, sizeof name),
+-                   PCI_SLOT(d->devfn));
+-    if (PCI_FUNC(d->devfn))
+-        snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
+-    return g_strdup(path);
+    char name[33];
+    int has_func = !!PCI_FUNC(d->devfn);
+
+    return g_strdup_printf("%s@%x%s%.*x",
+                           pci_dev_fw_name(dev, name, sizeof(name)),
+                           PCI_SLOT(d->devfn),
+                           has_func ? "," : "",
+                           has_func,
+                           PCI_FUNC(d->devfn));
+ }
+ 
+ static char *pcibus_get_dev_path(DeviceState *dev)
--- a/qemu.changes
+++ b/qemu.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jun 21 07:30:46 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>
+
+- Fix bugs boo#1200557 and boo#1199924
+- Now that boo#1199924 is fixed, re-enable FORTIFY_SOURCE=3
+* Patches added:
+  pci-fix-overflow-in-snprintf-string-form.patch
+  sphinx-change-default-language-to-en.patch
+
 -------------------------------------------------------------------
 Fri May 27 14:07:50 UTC 2022 - Dario Faggioli <dfaggioli@suse.com>

--- a/qemu.spec
+++ b/qemu.spec
@ -248,6 +248,8 @@ Patch00104:     python-aqmp-add-start_server-and-accept-.patch
 Patch00105:     python-aqmp-fix-race-condition-in-legacy.patch
 Patch00106:     python-aqmp-drop-_bind_hack.patch
 Patch00107:     block-qdict-Fix-Werror-maybe-uninitializ.patch
+Patch00108:     pci-fix-overflow-in-snprintf-string-form.patch
+Patch00109:     sphinx-change-default-language-to-en.patch
 # Patches applied in roms/seabios/:
 Patch01000:     seabios-use-python2-explicitly-as-needed.patch
 Patch01001:     seabios-switch-to-python3-as-needed.patch
@ -1278,6 +1280,8 @@ This package records qemu testsuite results and represents successful testing.
 %patch00105 -p1
 %patch00106 -p1
 %patch00107 -p1
+%patch00108 -p1
+%patch00109 -p1
 %patch01000 -p1
 %patch01001 -p1
 %patch01002 -p1
@ -1394,8 +1398,6 @@ cp %{SOURCE13} docs/supported.rst
 mkdir -p %blddir
 cd %blddir

-# We want to enforce _FORTIFY_SOURCE=2. See bsc#1199924
-EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g') -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
 %srcdir/configure \
 	--prefix=%_prefix \
 	--sysconfdir=%_sysconfdir \
@ -1405,7 +1407,7 @@ EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g
 	--docdir=%_docdir \
 	--firmwarepath=%_datadir/%name \
        --python=%_bindir/python3 \
-	--extra-cflags="${EXTRA_CFLAGS}" \
+	--extra-cflags="%{optflags}" \
 	--with-git-submodules=ignore \
 	--disable-fuzzing \
 	--disable-multiprocess \
--- a/qemu.spec.in
+++ b/qemu.spec.in
@ -1128,8 +1128,6 @@ cp %{SOURCE13} docs/supported.rst
 mkdir -p %blddir
 cd %blddir

-# We want to enforce _FORTIFY_SOURCE=2. See bsc#1199924
-EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g') -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
 %srcdir/configure \
 	--prefix=%_prefix \
 	--sysconfdir=%_sysconfdir \
@ -1139,7 +1137,7 @@ EXTRA_CFLAGS="$(echo %{optflags} | sed -E 's/-[A-Z]?_FORTIFY_SOURCE[=]?[0-9]*//g
 	--docdir=%_docdir \
 	--firmwarepath=%_datadir/%name \
        --python=%_bindir/python3 \
-	--extra-cflags="${EXTRA_CFLAGS}" \
+	--extra-cflags="%{optflags}" \
 	--with-git-submodules=ignore \
 	--disable-fuzzing \
 	--disable-multiprocess \
--- a/sphinx-change-default-language-to-en.patch
+++ b/sphinx-change-default-language-to-en.patch
@ -0,0 +1,33 @@
+From: =?UTF-8?q?Martin=20Li=C5=A1ka?= <mliska@suse.cz>
+Date: Fri, 17 Jun 2022 16:02:56 +0200
+Subject: sphinx: change default language to 'en'
+
+Git-commit: 0000000000000000000000000000000000000000
+References: bsc#1200557
+
+Fixes the following Sphinx warning (treated as error) starting
+with 5.0 release:
+
+Warning, treated as error:
+Invalid configuration value found: 'language = None'. Update your configuration to a valid langauge code. Falling back to 'en' (English).
+
+Signed-off-by: Martin Liska <mliska@suse.cz>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Dario Faggioli <dfaggioli@suse.com>
+---
+ docs/conf.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/docs/conf.py b/docs/conf.py
+index 763e7d2434487bb558111d34f07f..84b593e12af8a17412b731ef4366 100644
+--- a/docs/conf.py
+++ b/docs/conf.py
+@@ -120,7 +120,7 @@ finally:
+ #
+ # This is also used if you do content translation via gettext catalogs.
+ # Usually you set "language" from the command line for these cases.
+-language = None
+language = 'en'
+ 
+ # List of patterns, relative to source directory, that match files and
+ # directories to ignore when looking for source files.