From df8a80613e3446a841b36f2e6396fb3ffbf5272271a4b338b6960e645b00f486 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Thu, 31 Aug 2017 20:04:54 +0000 Subject: [PATCH] Accepting request 520017 from home:bfrogers:branches:Virtualization A few post v2.10 patches needed to fix issues identified too late to get in. Also enable seccomp for all arch's we build for, and use better package references for rdma support OBS-URL: https://build.opensuse.org/request/show/520017 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=361 --- ...-string-input-visitor-Fix-uint64-par.patch | 4 +- ...-test-string-input-visitor-Add-int-t.patch | 20 ++--- ...-slirp-fix-clearing-ifq_so-from-pend.patch | 81 +++++++++++++++++++ 0035-s390-ccw-Fix-alignment-for-CCW1.patch | 38 +++++++++ qemu-linux-user.changes | 8 ++ qemu-linux-user.spec | 4 + qemu-testsuite.changes | 13 +++ qemu-testsuite.spec | 15 ++-- qemu.changes | 13 +++ qemu.spec | 15 ++-- qemu.spec.in | 11 +-- 11 files changed, 189 insertions(+), 33 deletions(-) create mode 100644 0034-slirp-fix-clearing-ifq_so-from-pend.patch create mode 100644 0035-s390-ccw-Fix-alignment-for-CCW1.patch diff --git a/0029-string-input-visitor-Fix-uint64-par.patch b/0029-string-input-visitor-Fix-uint64-par.patch index d407b7c5..cc0a7817 100644 --- a/0029-string-input-visitor-Fix-uint64-par.patch +++ b/0029-string-input-visitor-Fix-uint64-par.patch @@ -97,13 +97,13 @@ index 67a0a4a58b..1c73e5aeae 100644 + error_setg(errp, QERR_INVALID_PARAMETER_TYPE, name ? name : "null", + "integer"); + return; - } ++ } + + parse_str(siv, name, true, errp); + + if (!siv->ranges) { + goto error; -+ } + } + + if (!siv->cur_range) { + Range *r; diff --git a/0030-test-string-input-visitor-Add-int-t.patch b/0030-test-string-input-visitor-Add-int-t.patch index fad79b6b..f179fb24 100644 --- a/0030-test-string-input-visitor-Add-int-t.patch +++ b/0030-test-string-input-visitor-Add-int-t.patch @@ -17,18 +17,18 @@ 
diff --git a/tests/test-string-input-visitor.c b/tests/test-string-input-visitor index 79313a7f7a..e00194a649 100644 --- a/tests/test-string-input-visitor.c +++ b/tests/test-string-input-visitor.c -@@ -58,6 +58,14 @@ static void test_visitor_in_int(TestInputVisitorData *data, - visit_type_int(v, NULL, &res, &err); - g_assert(!err); - g_assert_cmpint(res, ==, value); +@@ -55,6 +55,14 @@ static void test_visitor_in_int(TestInputVisitorData *data, + + v = visitor_input_test_init(data, "-42"); + ++ visit_type_int(v, NULL, &res, &err); ++ g_assert(!err); ++ g_assert_cmpint(res, ==, value); + visitor_input_teardown(data, unused); + + value = INT64_MAX; + v = visitor_input_test_init(data, g_strdup_printf("%" PRId64, value)); + -+ visit_type_int(v, NULL, &res, &err); -+ g_assert(!err); -+ g_assert_cmpint(res, ==, value); - - v = visitor_input_test_init(data, "not an int"); - + visit_type_int(v, NULL, &res, &err); + g_assert(!err); + g_assert_cmpint(res, ==, value); diff --git a/0034-slirp-fix-clearing-ifq_so-from-pend.patch b/0034-slirp-fix-clearing-ifq_so-from-pend.patch new file mode 100644 index 00000000..17f9f23f --- /dev/null +++ b/0034-slirp-fix-clearing-ifq_so-from-pend.patch 
@@ -0,0 +1,81 @@
+From dc8c3677038bae1bd06dca0167a790776f3e6b3b Mon Sep 17 00:00:00 2001
+From: Samuel Thibault
+Date: Fri, 25 Aug 2017 01:35:53 +0200
+Subject: [PATCH] slirp: fix clearing ifq_so from pending packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The if_fastq and if_batchq contain not only packets, but queues of packets
+for the same socket. When sofree frees a socket, it thus has to clear ifq_so
+from all the packets from the queues, not only the first.
+
+Signed-off-by: Samuel Thibault
+Reviewed-by: Philippe Mathieu-Daudé
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell
+(cherry picked from commit 1201d308519f1e915866d7583d5136d03cc1d384)
+[BR: BSC#1056291 CVE-2017-13711]
+Signed-off-by: Bruce Rogers
+---
+ slirp/socket.c | 39 +++++++++++++++++++++++----------------
+ 1 file changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/slirp/socket.c b/slirp/socket.c
+index ecec0295a9..cb7b5b608d 100644
+--- a/slirp/socket.c
++++ b/slirp/socket.c
+@@ -59,6 +59,27 @@ socreate(Slirp *slirp)
+ return(so);
+ }
+
++/*
++ * Remove references to so from the given message queue.
++ */
++static void
++soqfree(struct socket *so, struct quehead *qh)
++{
++ struct mbuf *ifq;
++
++ for (ifq = (struct mbuf *) qh->qh_link;
++ (struct quehead *) ifq != qh;
++ ifq = ifq->ifq_next) {
++ if (ifq->ifq_so == so) {
++ struct mbuf *ifm;
++ ifq->ifq_so = NULL;
++ for (ifm = ifq->ifs_next; ifm != ifq; ifm = ifm->ifs_next) {
++ ifm->ifq_so = NULL;
++ }
++ }
++ }
++}
++
+ /*
+ * remque and free a socket, clobber cache
+ */
+@@ -66,23 +87,9 @@ void
+ sofree(struct socket *so)
+ {
+ Slirp *slirp = so->slirp;
+- struct mbuf *ifm;
+
+- for (ifm = (struct mbuf *) slirp->if_fastq.qh_link;
+- (struct quehead *) ifm != &slirp->if_fastq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
+-
+- for (ifm = (struct mbuf *) slirp->if_batchq.qh_link;
+- (struct quehead *) ifm != &slirp->if_batchq;
+- ifm = ifm->ifq_next) {
+- if (ifm->ifq_so == so) {
+- ifm->ifq_so = NULL;
+- }
+- }
++ soqfree(so, &slirp->if_fastq);
++ soqfree(so, &slirp->if_batchq);
+
+ if (so->so_emu==EMU_RSH && so->extra) {
+ sofree(so->extra);
diff --git a/0035-s390-ccw-Fix-alignment-for-CCW1.patch b/0035-s390-ccw-Fix-alignment-for-CCW1.patch
new file mode 100644
index 00000000..8badeb40
--- /dev/null
+++ b/0035-s390-ccw-Fix-alignment-for-CCW1.patch
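Review bot: The inner loop over `ifs_next` in `soqfree` clears `ifq_so` on every member of the ring once the ring head matches `so`, so the fix is only complete if an `ifs_*` ring never mixes packets belonging to different sockets; the commit message states that invariant ("queues of packets for the same socket") but the code does not record it. Suggest a comment above the inner loop, `/* every member of an ifs_ ring belongs to the same socket as its head */`, so a later change to the batching code cannot silently reintroduce the dangling pointer this CVE fix removes. The packets whose `ifq_so` is NULLed stay queued, so whatever later dequeues them (not visible in this hunk) must tolerate a NULL `ifq_so`, as it presumably already did for the head-only clearing in the removed loops. The body of `sofree` continues past the end of the hunk.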
@@ -0,0 +1,38 @@
+From adee899fc239f9eca87881a7f6c6e1dae346922e Mon Sep 17 00:00:00 2001
+From: Farhan Ali
+Date: Fri, 25 Aug 2017 09:24:46 -0400
+Subject: [PATCH] s390-ccw: Fix alignment for CCW1
+
+The commit 198c0d1f9df8c4 s390x/css: check ccw address validity
+exposes an alignment issue in ccw bios.
+
+According to PoP the CCW must be doubleword aligned. Let's fix
+this in the bios.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Farhan Ali
+Reviewed-by: Halil Pasic
+Reviewed-by: Eric Farman
+Acked-by: Christian Borntraeger
+Message-Id: <3ed8b810b6592daee6a775037ce21f850e40647d.1503667215.git.alifm@linux.vnet.ibm.com>
+Signed-off-by: Cornelia Huck
+(cherry picked from commit 3a1e4561ad63b303b092387ae006bd41468ece63)
+[BR: BSC#1056680]
+Signed-off-by: Bruce Rogers
+---
+ pc-bios/s390-ccw/cio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/cio.h b/pc-bios/s390-ccw/cio.h
+index f5b4549ea3..55eaeee4b6 100644
+--- a/pc-bios/s390-ccw/cio.h
++++ b/pc-bios/s390-ccw/cio.h
+@@ -133,7 +133,7 @@ struct ccw1 {
+ __u8 flags;
+ __u16 count;
+ __u32 cda;
+-} __attribute__ ((packed));
++} __attribute__ ((packed, aligned(8)));
+
+ #define CCW_FLAG_DC 0x80
+ #define CCW_FLAG_CC 0x40
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index 44c8371d..fdbc8226 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Aug 31 18:48:32 UTC 2017 - brogers@suse.com
+
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10
+* Patches added:
+ 0034-slirp-fix-clearing-ifq_so-from-pend.patch
+ 0035-s390-ccw-Fix-alignment-for-CCW1.patch
+
 -------------------------------------------------------------------
 Wed Aug 30 19:52:36 UTC 2017 - brogers@suse.com
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 22b3e108..75da3ffa 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
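Review bot: `aligned(8)` on `struct ccw1` only constrains objects the compiler itself places (statics, automatics, struct members); a `struct ccw1` that the bios forms by casting a pointer into a byte buffer or a guest-provided address is not made doubleword aligned by this attribute, and any such site, if one exists, still needs its buffer aligned, which this one-line hunk cannot show. A short comment on the attribute would record the hardware requirement for the next reader, e.g. `/* PoP: a CCW must be doubleword (8-byte) aligned */` above the closing brace. The `struct ccw1` definition begins before the hunk.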
@@ -59,6 +59,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch Patch0031: 0031-test-string-input-visitor-Add-uint6.patch Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch Patch0033: 0033-tests-Add-scsi-disk-test.patch +Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch +Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. Source400: update_git.sh @@ -145,6 +147,8 @@ run cross-architecture builds. %patch0031 -p1 %patch0032 -p1 %patch0033 -p1 +%patch0034 -p1 +%patch0035 -p1 %build ./configure \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index addfedd6..889b292e 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Aug 31 18:48:22 UTC 2017 - brogers@suse.com + +- Update BuildRequires packages libibverbs-devel and librdmacm-devel + to the more correct rdma-core-devel +- Enable seccomp for s390x, aarch64, and ppc64le +- Fix OOB issue (use after free) in slirp network stack (CVE-2017-13711 + bsc#1056291) + 0034-slirp-fix-clearing-ifq_so-from-pend.patch +- Fix a misalignment in the s390 ccw firmware (bsc#1056680) + 0035-s390-ccw-Fix-alignment-for-CCW1.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10 + ------------------------------------------------------------------- Thu Aug 31 18:34:27 UTC 2017 - jfehlig@suse.com diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index de704b7c..ba67e882 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec @@ -87,7 +87,7 @@ %define with_seccomp 1 %endif -%ifarch %ix86 x86_64 s390x +%ifarch %ix86 x86_64 s390x aarch64 ppc64le %define with_seccomp 1 %endif 
@@ -165,6 +165,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch Patch0031: 0031-test-string-input-visitor-Add-uint6.patch Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch Patch0033: 0033-tests-Add-scsi-disk-test.patch +Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch +Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -247,9 +249,6 @@ BuildRequires: libfdt1-devel BuildRequires: libgbm-devel BuildRequires: libgcrypt-devel BuildRequires: libgnutls-devel -%if 0%{?suse_version} >= 1315 -BuildRequires: libibverbs-devel -%endif %if 0%{?with_rbd} %if 0%{?is_opensuse} || 0%{?sle_version} > 120100 BuildRequires: librbd-devel @@ -283,9 +282,6 @@ BuildRequires: libpcap-devel BuildRequires: libpixman-1-0-devel BuildRequires: libpng-devel BuildRequires: libpulse-devel -%if 0%{?suse_version} >= 1315 -BuildRequires: librdmacm-devel -%endif %if 0%{?with_seccomp} BuildRequires: libseccomp-devel %endif @@ -315,6 +311,9 @@ BuildRequires: ovmf-tools BuildRequires: pkgconfig BuildRequires: pwdutils BuildRequires: python +%if 0%{?suse_version} >= 1315 +BuildRequires: rdma-core-devel +%endif %if 0%{?suse_version} >= 1310 BuildRequires: snappy-devel %endif @@ -850,6 +849,8 @@ This package provides a service file for starting and stopping KSM. %patch0031 -p1 %patch0032 -p1 %patch0033 -p1 +%patch0034 -p1 +%patch0035 -p1 pushd roms/ipxe %patch1100 -p1 diff --git a/qemu.changes b/qemu.changes index addfedd6..889b292e 100644 --- a/qemu.changes +++ b/qemu.changes 
@@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Thu Aug 31 18:48:22 UTC 2017 - brogers@suse.com + +- Update BuildRequires packages libibverbs-devel and librdmacm-devel + to the more correct rdma-core-devel +- Enable seccomp for s390x, aarch64, and ppc64le +- Fix OOB issue (use after free) in slirp network stack (CVE-2017-13711 + bsc#1056291) + 0034-slirp-fix-clearing-ifq_so-from-pend.patch +- Fix a misalignment in the s390 ccw firmware (bsc#1056680) + 0035-s390-ccw-Fix-alignment-for-CCW1.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.10 + ------------------------------------------------------------------- Thu Aug 31 18:34:27 UTC 2017 - jfehlig@suse.com diff --git a/qemu.spec b/qemu.spec index f9f9f3fb..9b17908f 100644 --- a/qemu.spec +++ b/qemu.spec @@ -87,7 +87,7 @@ %define with_seccomp 1 %endif -%ifarch %ix86 x86_64 s390x +%ifarch %ix86 x86_64 s390x aarch64 ppc64le %define with_seccomp 1 %endif @@ -165,6 +165,8 @@ Patch0030: 0030-test-string-input-visitor-Add-int-t.patch Patch0031: 0031-test-string-input-visitor-Add-uint6.patch Patch0032: 0032-tests-Add-QOM-property-unit-tests.patch Patch0033: 0033-tests-Add-scsi-disk-test.patch +Patch0034: 0034-slirp-fix-clearing-ifq_so-from-pend.patch +Patch0035: 0035-s390-ccw-Fix-alignment-for-CCW1.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -247,9 +249,6 @@ BuildRequires: libfdt1-devel BuildRequires: libgbm-devel BuildRequires: libgcrypt-devel BuildRequires: libgnutls-devel -%if 0%{?suse_version} >= 1315 -BuildRequires: libibverbs-devel -%endif %if 0%{?with_rbd} %if 0%{?is_opensuse} || 0%{?sle_version} > 120100 BuildRequires: librbd-devel 
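Review bot: Adding aarch64 and ppc64le to the `%ifarch` that sets `with_seccomp 1` only compiles libseccomp support into the binary; nothing in this hunk turns the syscall filter on, and the changelog wording "Enable seccomp" should not be read as a hardening change for running guests, since the filter is applied only when QEMU is started with `-sandbox on` (or the equivalent libvirt setting). A comment beside the define, `# builds -sandbox support; the filter itself is opt-in per guest at runtime`, would make that explicit in the spec. Whether the distro's management stack already passes that option on these architectures is not visible here.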
@@ -283,9 +282,6 @@ BuildRequires: libpcap-devel BuildRequires: libpixman-1-0-devel BuildRequires: libpng-devel BuildRequires: libpulse-devel -%if 0%{?suse_version} >= 1315 -BuildRequires: librdmacm-devel -%endif %if 0%{?with_seccomp} BuildRequires: libseccomp-devel %endif @@ -315,6 +311,9 @@ BuildRequires: ovmf-tools BuildRequires: pkgconfig BuildRequires: pwdutils BuildRequires: python +%if 0%{?suse_version} >= 1315 +BuildRequires: rdma-core-devel +%endif %if 0%{?suse_version} >= 1310 BuildRequires: snappy-devel %endif @@ -850,6 +849,8 @@ This package provides a service file for starting and stopping KSM. %patch0031 -p1 %patch0032 -p1 %patch0033 -p1 +%patch0034 -p1 +%patch0035 -p1 pushd roms/ipxe %patch1100 -p1 diff --git a/qemu.spec.in b/qemu.spec.in index 078e83ef..b75325c1 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -87,7 +87,7 @@ %define with_seccomp 1 %endif -%ifarch %ix86 x86_64 s390x +%ifarch %ix86 x86_64 s390x aarch64 ppc64le %define with_seccomp 1 %endif @@ -215,9 +215,6 @@ BuildRequires: libfdt1-devel BuildRequires: libgbm-devel BuildRequires: libgcrypt-devel BuildRequires: libgnutls-devel -%if 0%{?suse_version} >= 1315 -BuildRequires: libibverbs-devel -%endif %if 0%{?with_rbd} %if 0%{?is_opensuse} || 0%{?sle_version} > 120100 BuildRequires: librbd-devel @@ -251,9 +248,6 @@ BuildRequires: libpcap-devel BuildRequires: libpixman-1-0-devel BuildRequires: libpng-devel BuildRequires: libpulse-devel -%if 0%{?suse_version} >= 1315 -BuildRequires: librdmacm-devel -%endif %if 0%{?with_seccomp} BuildRequires: libseccomp-devel %endif @@ -283,6 +277,9 @@ BuildRequires: ovmf-tools BuildRequires: pkgconfig BuildRequires: pwdutils BuildRequires: python +%if 0%{?suse_version} >= 1315 +BuildRequires: rdma-core-devel +%endif %if 0%{?suse_version} >= 1310 BuildRequires: snappy-devel %endif