diff --git a/0029-string-input-visitor-Fix-uint64-par.patch b/0029-string-input-visitor-Fix-uint64-par.patch
index d407b7c5..cc0a7817 100644
--- a/0029-string-input-visitor-Fix-uint64-par.patch
+++ b/0029-string-input-visitor-Fix-uint64-par.patch
@@ -97,13 +97,13 @@ index 67a0a4a58b..1c73e5aeae 100644
 + error_setg(errp, QERR_INVALID_PARAMETER_TYPE, name ? name : "null",
 + "integer");
 + return;
- }
++ }
 +
 + parse_str(siv, name, true, errp);
 +
 + if (!siv->ranges) {
 + goto error;
-+ }
+ }
 +
 + if (!siv->cur_range) {
 + Range *r;
diff --git a/0030-test-string-input-visitor-Add-int-t.patch b/0030-test-string-input-visitor-Add-int-t.patch
index fad79b6b..f179fb24 100644
--- a/0030-test-string-input-visitor-Add-int-t.patch
+++ b/0030-test-string-input-visitor-Add-int-t.patch
@@ -17,18 +17,18 @@ diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor
 index 79313a7f7a..e00194a649 100644
 --- a/tests/test-string-input-visitor.c
 +++ b/tests/test-string-input-visitor.c
-@@ -58,6 +58,14 @@ static void test_visitor_in_int(TestInputVisitorData *data,
- visit_type_int(v, NULL, &res, &err);
- g_assert(!err);
- g_assert_cmpint(res, ==, value);
+@@ -55,6 +55,14 @@ static void test_visitor_in_int(TestInputVisitorData *data,
+
+ v = visitor_input_test_init(data, "-42");
+
++ visit_type_int(v, NULL, &res, &err);
++ g_assert(!err);
++ g_assert_cmpint(res, ==, value);
 + visitor_input_teardown(data, unused);
 +
 + value = INT64_MAX;
 + v = visitor_input_test_init(data, g_strdup_printf("%" PRId64, value));
 +
-+ visit_type_int(v, NULL, &res, &err);
-+ g_assert(!err);
-+ g_assert_cmpint(res, ==, value);
-
- v = visitor_input_test_init(data, "not an int");
-
+ visit_type_int(v, NULL, &res, &err);
+ g_assert(!err);
+ g_assert_cmpint(res, ==, value);
diff --git a/0034-slirp-fix-clearing-ifq_so-from-pend.patch b/0034-slirp-fix-clearing-ifq_so-from-pend.patch
new file mode 100644
index 00000000..17f9f23f
--- /dev/null
+++ b/0034-slirp-fix-clearing-ifq_so-from-pend.patch
@@ -0,0 +1,81 @@
+From dc8c3677038bae1bd06dca0167a790776f3e6b3b Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Fri, 25 Aug 2017 01:35:53 +0200
+Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The if_fastq and if_batchq contain not only packets, but queues of packets
+for the same socket. When sofree frees a socket, it thus has to clear ifq_so
+from all the packets from the queues, not only the first.
+
+Signed-off-by: Samuel Thibault
+Reviewed-by: Philippe Mathieu-Daudé
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell
+(cherry picked from commit 1201d308519f1e915866d7583d5136d03cc1d384)
+[BR: BSC#1056291 CVE-2017-13711]
+Signed-off-by: Bruce Rogers
+---
+ slirp/socket.c | 39 +++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/slirp/socket.c b/slirp/socket.c
+index ecec0295a9..cb7b5b608d 100644
+--- a/slirp/socket.c
++++ b/slirp/socket.c
+@@ -59,6 +59,27 @@ socreate(Slirp *slirp)
+ return(so);
+ }
+
++/*
++ * Remove references to so from the given message queue.
++ */
++static void
++soqfree(struct socket *so, struct quehead *qh)
++{
++ struct mbuf *ifq;
++
++ for (ifq = (struct mbuf *) qh->qh_link;
++ (struct quehead *) ifq != qh;
++ ifq = ifq->ifq_next) {
++ if (ifq->ifq_so == so) {
++ struct mbuf *ifm;
++ ifq->ifq_so = NULL;
++ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
++ ifm->ifq_so = NULL;
++ }
++ }
++ }
++}
++
+ /*
+ * remque and free a socket, clobber cache
+ */
+@@ -66,23 +87,9 @@ void
+ sofree(struct socket *so)
+ {
+ Slirp *slirp = so->slirp;
+- struct mbuf *ifm;
+
+- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
+- (struct quehead *) ifm != &slirp->if_fastq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
+-
+- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
+- (struct quehead *) ifm != &slirp->if_batchq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
++ soqfree(so, &slirp->if_fastq);
++ soqfree(so, &slirp->if_batchq);
+
+ if (so->so_emu==EMU_RSH && so->extra) {
+ sofree(so->extra);
diff --git a/0035-s390-ccw-Fix-alignment-for-CCW1.patch b/0035-s390-ccw-Fix-alignment-for-CCW1.patch
new file mode 100644
index 00000000..8badeb40
--- /dev/null
+++ b/0035-s390-ccw-Fix-alignment-for-CCW1.patch
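Review bot: soqfree clears ifq_so on the ifs_next ring only when the ring head's ifq_so matches so, so its correctness rests on every mbuf chained via ifs_next belonging to the same socket as its head — an invariant stated only in the commit message ("queues of packets for the same socket"), not in the code. The one-line header comment should carry it, e.g. `Remove references to so from the given message queue, including the per-socket ifs_next chain hanging off each entry; a chain holds packets for its head's socket only, so only the head is compared.` That also documents why the old sofree loops, which touched the queue heads alone, left dangling ifq_so pointers in the chained mbufs (the use-after-free the changelog files this patch under as CVE-2017-13711). sofree's body continues outside the hunk.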
@@ -0,0 +1,38 @@
+From adee899fc239f9eca87881a7f6c6e1dae346922e Mon Sep 17 00:00:00 2001
+From: Farhan Ali
+Date: Fri, 25 Aug 2017 09:24:46 -0400
+Subject: [PATCH] s390-ccw: Fix alignment for CCW1
+
+The commit 198c0d1f9df8c4 s390x/css: check ccw address validity
+exposes an alignment issue in ccw bios.
+
+According to PoP the CCW must be doubleword aligned. Let's fix
+this in the bios.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Farhan Ali
+Reviewed-by: Halil Pasic
+Reviewed-by: Eric Farman
+Acked-by: Christian Borntraeger
+Message-Id: <3ed8b810b6592daee6a775037ce21f850e40647d.1503667215.git.alifm@linux.vnet.ibm.com>
+Signed-off-by: Cornelia Huck
+(cherry picked from commit 3a1e4561ad63b303b092387ae006bd41468ece63)
+[BR: BSC#1056680]
+Signed-off-by: Bruce Rogers
+---
+ pc-bios/s390-ccw/cio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/cio.h b/pc-bios/s390-ccw/cio.h
+index f5b4549ea3..55eaeee4b6 100644
+--- a/pc-bios/s390-ccw/cio.h
++++ b/pc-bios/s390-ccw/cio.h
+@@ -133,7 +133,7 @@ struct ccw1 {
+ __u8 flags;
+ __u16 count;
+ __u32 cda;
+-} __attribute__ ((packed));
++} __attribute__ ((packed, aligned(8)));
+
+ #define CCW_FLAG_DC 0x80
+ #define CCW_FLAG_CC 0x40
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index 44c8371d..fdbc8226 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 31 18:48:32 UTC 2017 - brogers@suse.com
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
+* Patches added:
+ 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+ 0035-s390-ccw-Fix-alignment-for-CCW1.patch
+
 -------------------------------------------------------------------
 Wed Aug 30 19:52:36 UTC 2017 - brogers@suse.com
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 22b3e108..75da3ffa 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
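Review bot: The new `aligned(8)` on struct ccw1 carries no explanation at the point of use; the reason — the PoP requirement that a CCW be doubleword aligned, which the newer css address validity check now enforces — lives only in the commit message. Suggest `} __attribute__ ((packed, aligned(8))); /* PoP: a CCW must be doubleword aligned */` so the next person touching the bios does not drop it as redundant on an 8-byte struct. Raising the type's alignment also changes the placement of any other structure or static buffer that embeds a struct ccw1 — presumably none at an unaligned offset, but the rest of the bios layout is not visible here, so worth confirming. The struct ccw1 definition begins outside the hunk.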
@@ -59,6 +59,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch
 Patch0031: 0031-test-string-input-visitor-Add-uint6.patch
 Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch
 Patch0033: 0033-tests-Add-scsi-disk-test.patch
+Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 Source400: update_git.sh
@@ -145,6 +147,8 @@ run cross-architecture builds.
 %patch0031 -p1
 %patch0032 -p1
 %patch0033 -p1
+%patch0034 -p1
+%patch0035 -p1
 %build
 ./configure \
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index addfedd6..889b292e 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Aug 31 18:48:22 UTC 2017 - brogers@suse.com
+
+- Update BuildRequires packages libibverbs-devel and librdmacm-devel
+ to the more correct rdma-core-devel
+- Enable seccomp for s390x, aarch64, and ppc64le
+- Fix OOB issue (use after free) in slirp network stack (CVE-2017-13711
+ bsc#1056291)
+ 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+- Fix a misalignment in the s390 ccw firmware (bsc#1056680)
+ 0035-s390-ccw-Fix-alignment-for-CCW1.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
+
 -------------------------------------------------------------------
 Thu Aug 31 18:34:27 UTC 2017 - jfehlig@suse.com
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index de704b7c..ba67e882 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -87,7 +87,7 @@
 %define with_seccomp 1
 %endif
-%ifarch %ix86 x86_64 s390x
+%ifarch %ix86 x86_64 s390x aarch64 ppc64le
 %define with_seccomp 1
 %endif
@@ -165,6 +165,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch
 Patch0031: 0031-test-string-input-visitor-Add-uint6.patch
 Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch
 Patch0033: 0033-tests-Add-scsi-disk-test.patch
+Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
@@ -247,9 +249,6 @@ BuildRequires: libfdt1-devel
 BuildRequires: libgbm-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libgnutls-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: libibverbs-devel
-%endif
 %if 0%{?with_rbd}
 %if 0%{?is_opensuse} || 0%{?sle_version} > 120100
 BuildRequires: librbd-devel
@@ -283,9 +282,6 @@ BuildRequires: libpcap-devel
 BuildRequires: libpixman-1-0-devel
 BuildRequires: libpng-devel
 BuildRequires: libpulse-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: librdmacm-devel
-%endif
 %if 0%{?with_seccomp}
 BuildRequires: libseccomp-devel
 %endif
@@ -315,6 +311,9 @@ BuildRequires: ovmf-tools
 BuildRequires: pkgconfig
 BuildRequires: pwdutils
 BuildRequires: python
+%if 0%{?suse_version} >= 1315
+BuildRequires: rdma-core-devel
+%endif
 %if 0%{?suse_version} >= 1310
 BuildRequires: snappy-devel
 %endif
@@ -850,6 +849,8 @@ This package provides a service file for starting and stopping KSM.
 %patch0031 -p1
 %patch0032 -p1
 %patch0033 -p1
+%patch0034 -p1
+%patch0035 -p1
 pushd roms/ipxe
 %patch1100 -p1
diff --git a/qemu.changes b/qemu.changes
index addfedd6..889b292e 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Thu Aug 31 18:48:22 UTC 2017 - brogers@suse.com
+
+- Update BuildRequires packages libibverbs-devel and librdmacm-devel
+ to the more correct rdma-core-devel
+- Enable seccomp for s390x, aarch64, and ppc64le
+- Fix OOB issue (use after free) in slirp network stack (CVE-2017-13711
+ bsc#1056291)
+ 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+- Fix a misalignment in the s390 ccw firmware (bsc#1056680)
+ 0035-s390-ccw-Fix-alignment-for-CCW1.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
+
 -------------------------------------------------------------------
 Thu Aug 31 18:34:27 UTC 2017 - jfehlig@suse.com
diff --git a/qemu.spec b/qemu.spec
index f9f9f3fb..9b17908f 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -87,7 +87,7 @@
 %define with_seccomp 1
 %endif
-%ifarch %ix86 x86_64 s390x
+%ifarch %ix86 x86_64 s390x aarch64 ppc64le
 %define with_seccomp 1
 %endif
@@ -165,6 +165,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch
 Patch0031: 0031-test-string-input-visitor-Add-uint6.patch
 Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch
 Patch0033: 0033-tests-Add-scsi-disk-test.patch
+Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
@@ -247,9 +249,6 @@ BuildRequires: libfdt1-devel
 BuildRequires: libgbm-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libgnutls-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: libibverbs-devel
-%endif
 %if 0%{?with_rbd}
 %if 0%{?is_opensuse} || 0%{?sle_version} > 120100
 BuildRequires: librbd-devel
@@ -283,9 +282,6 @@ BuildRequires: libpcap-devel
 BuildRequires: libpixman-1-0-devel
 BuildRequires: libpng-devel
 BuildRequires: libpulse-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: librdmacm-devel
-%endif
 %if 0%{?with_seccomp}
 BuildRequires: libseccomp-devel
 %endif
@@ -315,6 +311,9 @@ BuildRequires: ovmf-tools
 BuildRequires: pkgconfig
 BuildRequires: pwdutils
 BuildRequires: python
+%if 0%{?suse_version} >= 1315
+BuildRequires: rdma-core-devel
+%endif
 %if 0%{?suse_version} >= 1310
 BuildRequires: snappy-devel
 %endif
@@ -850,6 +849,8 @@ This package provides a service file for starting and stopping KSM.
 %patch0031 -p1
 %patch0032 -p1
 %patch0033 -p1
+%patch0034 -p1
+%patch0035 -p1
 pushd roms/ipxe
 %patch1100 -p1
diff --git a/qemu.spec.in b/qemu.spec.in
index 078e83ef..b75325c1 100644
--- a/qemu.spec.in
+++ b/qemu.spec.in
@@ -87,7 +87,7 @@
 %define with_seccomp 1
 %endif
-%ifarch %ix86 x86_64 s390x
+%ifarch %ix86 x86_64 s390x aarch64 ppc64le
 %define with_seccomp 1
 %endif
@@ -215,9 +215,6 @@ BuildRequires: libfdt1-devel
 BuildRequires: libgbm-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libgnutls-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: libibverbs-devel
-%endif
 %if 0%{?with_rbd}
 %if 0%{?is_opensuse} || 0%{?sle_version} > 120100
 BuildRequires: librbd-devel
@@ -251,9 +248,6 @@ BuildRequires: libpcap-devel
 BuildRequires: libpixman-1-0-devel
 BuildRequires: libpng-devel
 BuildRequires: libpulse-devel
-%if 0%{?suse_version} >= 1315
-BuildRequires: librdmacm-devel
-%endif
 %if 0%{?with_seccomp}
 BuildRequires: libseccomp-devel
 %endif
@@ -283,6 +277,9 @@ BuildRequires: ovmf-tools
 BuildRequires: pkgconfig
 BuildRequires: pwdutils
 BuildRequires: python
+%if 0%{?suse_version} >= 1315
+BuildRequires: rdma-core-devel
+%endif
 %if 0%{?suse_version} >= 1310
 BuildRequires: snappy-devel
 %endif