SHA256
1
0
forked from pool/qemu

Accepting request 441247 from home:bfrogers:branches:Virtualization

Refine the reproducible build changes to no longer override linux commands, but rather fix via patches only. Also fix all the recent security issues reported.

OBS-URL: https://build.opensuse.org/request/show/441247
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=320
This commit is contained in:
Andreas Färber 2016-11-21 17:05:46 +00:00 committed by Git OBS Bridge
parent 2e9c4a4658
commit f036a54ad6
38 changed files with 1710 additions and 58 deletions

View File

@ -0,0 +1,45 @@
From fd5aa800d14fbc8f0a6a75b37ee0e74092dde8cd Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 8 Sep 2016 18:15:54 +0530
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
[BR: CVE-2016-7170 BSC#998516]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/vmware_vga.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e51a05e..6599cf0 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.bpp = vmsvga_fifo_read(s);
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
- if (cursor.width > 256 ||
- cursor.height > 256 ||
- cursor.bpp > 32 ||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+ if (cursor.width > 256
+ || cursor.height > 256
+ || cursor.bpp > 32
+ || SVGA_BITMAP_SIZE(x, y)
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
goto badcmd;
}

View File

@ -0,0 +1,36 @@
From eccd42e2e97bdf76467d48b0cecdd07327c686fd Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 31 Aug 2016 17:36:07 +0530
Subject: [PATCH] scsi: mptconfig: fix an assert expression
When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() should assert that the size
fits in a byte. However, the size is expressed in 32-bit
units, so up to 1020 bytes fit. The assertion was only
allowing replies up to 252 bytes, so fix it.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
[BR: CVE-2016-7157 BSC#997860]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 7071854..3e4f400 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
va_end(ap);
if (data) {
- assert(ret < 256 && (ret % 4) == 0);
+ assert(ret / 4 < 256 && (ret % 4) == 0);
stb_p(*data + 1, ret / 4);
}
return ret;

View File

@ -0,0 +1,40 @@
From 3e3bf236d5b712cd5861effaf193093779584c80 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 29 Aug 2016 11:35:37 +0200
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
These issues cause respectively a QEMU crash and a leak of 2 bytes of
stack. They were discovered by VictorV of 360 Marvel Team.
Reported-by: Tom Victor <i-tangtianwen@360.cm>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
[BR: CVE-2016-7157 BSC#997860]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptconfig.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 3e4f400..87a416a 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
{
/* VPD - all zeros */
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
- "s256");
+ "*s256");
}
static
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
"*l*lwwb*b*b*blww",
pcic->vendor_id, pcic->device_id, pcic->revision,
- pcic->subsystem_vendor_id,
+ pcic->class_id, pcic->subsystem_vendor_id,
pcic->subsystem_id);
}

View File

@ -0,0 +1,64 @@
From c08b11cce7dce1fc89c71d3c0de4c5706a89009a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 6 Sep 2016 02:20:43 +0530
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
long time or go into an infinite loop due to two different bugs:
1) the request descriptor data length is defined to be 64 bit. While
building SG list from a request descriptor, it gets truncated to 32bit
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
situation large 'dataLen' values when data_length is cast to uint32_t and
chunk_size becomes always zero. Fix this by removing the incorrect cast.
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
element has a zero length. Get out of the loop early when this happens,
by introducing an upper limit on the number of SG list elements.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
[BR: CVE-2016-7156 BSC#997859]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 5116f4a..73679f8 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -40,6 +40,8 @@
#define PVSCSI_MAX_DEVS (64)
#define PVSCSI_MSIX_NUM_VECTORS (1)
+#define PVSCSI_MAX_SG_ELEM 2048
+
#define PVSCSI_MAX_CMD_DATA_WORDS \
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
@@ -634,17 +636,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
static void
pvscsi_convert_sglist(PVSCSIRequest *r)
{
- int chunk_size;
+ uint32_t chunk_size, elmcnt = 0;
uint64_t data_length = r->req.dataLen;
PVSCSISGState sg = r->sg;
- while (data_length) {
- while (!sg.resid) {
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
pvscsi_get_next_sg_elem(&sg);
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
r->sg.resid);
}
- assert(data_length > 0);
- chunk_size = MIN((unsigned) data_length, sg.resid);
+ chunk_size = MIN(data_length, sg.resid);
if (chunk_size) {
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
}

View File

@ -0,0 +1,32 @@
From c559aa30371dc110e2b13e5006a327aab6503ac7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 13 Sep 2016 03:20:03 -0700
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
If the xhci uses msix, it doesn't free the corresponding
memory, thus leading a memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
[BR: CVE-2016-7466 BSC#1000345]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/hcd-xhci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 188f954..281a2a5 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
/* destroy msix memory region */
if (dev->msix_table && dev->msix_pba
&& dev->msix_entry_used) {
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
}
usb_bus_release(&xhci->bus);

View File

@ -0,0 +1,35 @@
From 9115b36311e918d6ccea499ff5767508b72250e6 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 12 Sep 2016 18:14:11 +0530
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
[BR: CVE-2016-7423 BSC#1000397]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/mptsas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;

View File

@ -0,0 +1,38 @@
From a6cfc94b9a325993d6d77022ae8d0fd0cc77d117 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 14 Sep 2016 15:09:12 +0530
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.
Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
[BR: CVE-2016-7421 BSC#999661]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/scsi/vmw_pvscsi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 73679f8..efa5459 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -253,8 +253,11 @@ static hwaddr
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
{
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- if (ready_ptr != mgr->consumed_ptr) {
+ if (ready_ptr != mgr->consumed_ptr
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
uint32_t next_ready_ptr =
mgr->consumed_ptr++ & mgr->txr_len_mask;
uint32_t next_ready_page =

View File

@ -0,0 +1,38 @@
From db87d12d0e7e3720ebc0283aced8077f43e29963 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 19 Sep 2016 23:55:45 +0530
Subject: [PATCH] virtio: add check for descriptor's mapped address
virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference while
un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
[BR: CVE-2016-7422 BSC#1000346]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/virtio/virtio.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 74c085c..eabe573 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
}
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
+ if (!iov[num_sg].iov_base) {
+ error_report("virtio: bogus descriptor or out of resources");
+ exit(1);
+ }
+
iov[num_sg].iov_len = len;
addr[num_sg] = pa;

View File

@ -0,0 +1,52 @@
From 60f6f3204dcfbb6c7518751061abc99ddd9b2c97 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH] net: mcf: limit buffer descriptor count
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
[BR: CVE-2016-7908 BSC#1002550]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/mcf_fec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
#define DPRINTF(fmt, ...) do {} while(0)
#endif
+#define FEC_MAX_DESC 1024
#define FEC_MAX_FRAME_SIZE 2032
typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
uint32_t addr;
mcf_fec_bd bd;
int frame_size;
- int len;
+ int len, descnt = 0;
uint8_t frame[FEC_MAX_FRAME_SIZE];
uint8_t *ptr;
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
ptr = frame;
frame_size = 0;
addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < FEC_MAX_DESC) {
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);

View File

@ -0,0 +1,32 @@
From 9d2c9efdb4d8b49689517271db3420c6de75278d Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Sun, 18 Sep 2016 19:48:35 -0700
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
While processing isochronous transfer descriptors(iTD), if the page
select(PG) field value is out of bands it will return. In this
situation the ehci's sg list is not freed thus leading to a memory
leak issue. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
[BR: CVE-2016-7995 BSC#1003612]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/hcd-ehci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
if (off + len > 4096) {
/* transfer crosses page border */
if (pg == 6) {
+ qemu_sglist_destroy(&ehci->isgl);
return -1; /* avoid page pg + 1 */
}
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);

View File

@ -0,0 +1,68 @@
From 8e5cea1968f6fe19792237cb2abeaf6e7ff3244e Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 10 Oct 2016 12:46:22 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
Needed to avoid we run in circles forever in case the guest builds
an endless loop with link trbs.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Tested-by: P J P <ppandit@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
[BR: CVE-2016-8576 BSC#1003878]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/usb/hcd-xhci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 281a2a5..8a9a31a 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
* to the specs when it gets them */
#define ER_FULL_HACK
+#define TRB_LINK_LIMIT 4
+
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
dma_addr_t *addr)
{
PCIDevice *pci_dev = PCI_DEVICE(xhci);
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
ring->dequeue += TRB_SIZE;
return type;
} else {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return 0;
+ }
ring->dequeue = xhci_mask64(trb->parameter);
if (trb->control & TRB_LK_TC) {
ring->ccs = !ring->ccs;
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool ccs = ring->ccs;
/* hack to bundle together the two/three TDs that make a setup transfer */
bool control_td_set = 0;
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
type = TRB_TYPE(trb);
if (type == TR_LINK) {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return -length;
+ }
dequeue = xhci_mask64(trb.parameter);
if (trb.control & TRB_LK_TC) {
ccs = !ccs;

View File

@ -0,0 +1,58 @@
From 2d4128223e6b5a3dff30e0b07435620f1092c5ae Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
If a guest sends an empty string paramater to any 9P operation, the current
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
This is unfortunate because it can cause NULL pointer dereference to happen
at various locations in the 9pfs code. And we don't want to check str->data
everywhere we pass it to strcmp() or any other function which expects a
dereferenceable pointer.
This patch enforces the allocation of genuine C empty strings instead, so
callers don't have to bother.
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
the returned string is empty. It now uses v9fs_string_size() since
name.data cannot be NULL anymore.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
[groug, rewritten title and changelog,
fix empty string check in v9fs_xattrwalk()]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit ba42ebb863ab7d40adc79298422ed9596df8f73a)
[BR: CVE-2016-8578 BSC#1003894]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
fsdev/9p-iov-marshal.c | 2 +-
hw/9pfs/9p.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
str->data = g_malloc(str->size + 1);
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
str->size);
- if (copied > 0) {
+ if (copied >= 0) {
str->data[str->size] = 0;
} else {
v9fs_string_free(str);
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index dfe293d..a345fe3 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3160,7 +3160,7 @@ static void v9fs_xattrwalk(void *opaque)
goto out;
}
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
/*
* listxattr request. Get the size first
*/

View File

@ -0,0 +1,32 @@
From 9f7f59799ea714c512ecfc0e224df66095abf9c0 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix memory leak in v9fs_link
The v9fs_link() function keeps a reference on the source fid object. This
causes a memory leak since the reference never goes down to 0. This patch
fixes the issue.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, rephrased the changelog]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 4c1586787ff43c9acd18a56c12d720e3e6be9f7c)
[BR: CVE-2016-9105 BSC#1007494]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index a345fe3..239aef4 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2402,6 +2402,7 @@ static void v9fs_link(void *opaque)
if (!err) {
err = offset;
}
+ put_fid(pdu, oldfidp);
out:
put_fid(pdu, dfidp);
out_nofid:

View File

@ -0,0 +1,39 @@
From 5f29f9ab1d097cf326dfa477f75d30117f668b49 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
object thus causing potential memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit e95c9a493a5a8d6f969e86c9f19f80ffe6587e19)
[BR: CVE-2016-8577 BSC#1003893]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 239aef4..4a71cff 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque)
if (len < 0) {
/* IO error return the error */
err = len;
- goto out;
+ goto out_free_iovec;
}
} while (count < max_count && len > 0);
err = pdu_marshal(pdu, offset, "d", count);
if (err < 0) {
- goto out;
+ goto out_free_iovec;
}
err += offset + count;
+out_free_iovec:
qemu_iovec_destroy(&qiov);
qemu_iovec_destroy(&qiov_full);
} else if (fidp->fid_type == P9_FID_XATTR) {

View File

@ -0,0 +1,32 @@
From 9f8a42e3f35479353ad9b9b5af78e136fd59b509 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix information leak in xattr read
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
reads this memory before writing to it, this will leak host heap memory
to the guest. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit eb687602853b4ae656e9236ee4222609f3a6887d)
[BR: CVE-2016-9103 BSC#1007454]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 4a71cff..af32464 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3270,7 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = offset;
put_fid(pdu, file_fidp);
out_nofid:

View File

@ -0,0 +1,35 @@
From 61eb543d366088cebecaf8fead80d1bd32db7cb2 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
situation that this field has been allocated previously. Every time, it
will be allocated directly. This leads to a host memory leak issue if
the client sends another Txattrcreate message with the same fid number
before the fid from the previous time got clunked.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, updated the changelog to indicate how the leak can occur]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit ff55e94d23ae94c8628b0115320157c763eb3e06)
[BR: CVE-2016-9102 BSC#1007450]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index af32464..aa2b8c0 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3270,6 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+ g_free(xattr_fidp->fs.xattr.value);
xattr_fidp->fs.xattr.value = g_malloc0(size);
err = offset;
put_fid(pdu, file_fidp);

View File

@ -0,0 +1,33 @@
From 1dd9e4b00e2f7eb60436a5a3017042eb7b93a8ff Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: fix memory leak in v9fs_write
If an error occurs when marshalling the transfer length to the guest, the
v9fs_write() function doesn't free an IO vector, thus leading to a memory
leak. This patch fixes the issue.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, rephrased the changelog]
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit fdfcc9aeea1492f4b819a24c94dfb678145b1bf9)
[BR: CVE-2016-9106 BSC#1007495]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index aa2b8c0..af07846 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
offset = 7;
err = pdu_marshal(pdu, offset, "d", total);
if (err < 0) {
- goto out;
+ goto out_qiov;
}
err += offset;
trace_v9fs_write_return(pdu->tag, pdu->id, total, err);

View File

@ -0,0 +1,37 @@
From 5a472227730f7f2465baf36716d755ced0300611 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Oct 2016 11:28:08 +0530
Subject: [PATCH] char: serial: check divider value against baud base
16550A UART device uses an oscillator to generate frequencies
(baud base), which decide communication speed. This speed could
be changed by dividing it by a divider. If the divider is
greater than the baud base, speed is set to zero, leading to a
divide by zero error. Add check to avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3592fe0c919cf27a81d8e9f9b4f269553418bb01)
[BR: CVE-2016-8669 BSC#1004707]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/char/serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3442f47..eec72b7 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
int speed, parity, data_bits, stop_bits, frame_size;
QEMUSerialSetParams ssp;
- if (s->divider == 0)
+ if (s->divider == 0 || s->divider > s->baudbase) {
return;
+ }
/* Start bit. */
frame_size = 1;

View File

@ -0,0 +1,37 @@
From ac4e97299905661397882b588d6d2c08e5df65b0 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 30 Sep 2016 00:27:33 +0530
Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff)
[BR: CVE-2016-7909 BSC#1002557]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;

View File

@ -0,0 +1,30 @@
From c266d999085e07c2cbb9b59b9cf4e39c0c7e2ae0 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Sat, 8 Oct 2016 05:07:25 -0700
Subject: [PATCH] net: eepro100: fix memory leak in device uninit
The exit dispatch of eepro100 network card device doesn't free
the 's->vmstate' field which was allocated in device realize thus
leading a host memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 2634ab7fe29b3f75d0865b719caf8f310d634aae)
[BR: CVE-2016-9101 BSC#1007391]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/eepro100.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index bab4dbf..4bf71f2 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
+ g_free(s->vmstate);
eeprom93xx_free(&pci_dev->qdev, s->eeprom);
qemu_del_nic(s->nic);
}

View File

@ -0,0 +1,36 @@
From 9999bb270b68c8bfb82d37a52515cbbfdc7d900f Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Oct 2016 14:40:55 +0530
Subject: [PATCH] net: rocker: set limit to DMA buffer size
Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
test, if DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 8caed3d564672e8bc6d2e4c6a35228afd01f4723)
[BR: CVE-2016-8668 BSC#1004706]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/rocker/rocker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 30f2ce4..e9d215a 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
rocker_msix_irq(r, val);
break;
case ROCKER_TEST_DMA_SIZE:
- r->test_dma_size = val;
+ r->test_dma_size = val & 0xFFFF;
break;
case ROCKER_TEST_DMA_ADDR + 4:
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;

View File

@ -0,0 +1,33 @@
From d77a9e7e19bf1f4697445513df7b67a865bb6d8e Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Thu, 11 Aug 2016 00:42:20 +0530
Subject: [PATCH] net: vmxnet: initialise local tx descriptor
In Vmxnet3 device emulator while processing transmit(tx) queue,
when it reaches end of packet, it calls vmxnet3_complete_packet.
In that local 'txcq_descr' object is not initialised, which could
leak host memory bytes a guest.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit fdda170e50b8af062cf5741e12c4fb5e57a2eacf)
[BR: CVE-2016-6836 BSC#994760]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/vmxnet3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 90f6943..92f6af9 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
txcq_descr.txdIdx = tx_ridx;
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);

View File

@ -0,0 +1,34 @@
From 854b5adf363ebfb07ad0134079401d62cdf25b77 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 21 Oct 2016 17:39:29 +0530
Subject: [PATCH] net: rtl8139: limit processing of ring descriptors
RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.
Reported-by: Andrew Henderson <hendersa@icculus.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit c7c35916692fe010fef25ac338443d3fe40be225)
[BR: CVE-2016-8910 BSC#1006538]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 3345bc6..f05e59c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
{
int txcount = 0;
- while (rtl8139_cplus_transmit_one(s))
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
{
++txcount;
}

View File

@ -0,0 +1,38 @@
From 1f01b4d6f3d3acc6d0fd5e809b0de4547f4815cc Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 20 Oct 2016 13:10:24 +0530
Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
[BR: CVE-2016-8909 BSC#1006536]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/audio/intel-hda.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
}
left = len;
- while (left > 0) {
+ s = st->bentries;
+ while (left > 0 && s-- > 0) {
copy = left;
if (copy > st->bsize - st->lpib)
copy = st->bsize - st->lpib;

View File

@ -0,0 +1,35 @@
From 6562305928517bbc5b2a4525b8baddb58a510666 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Sun, 18 Sep 2016 19:07:11 -0700
Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In virtio gpu resource create dispatch, if the pixman format is zero
it doesn't free the resource object allocated previously. Thus leading
a host memory leak issue. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit cb3a0522b694cc5bb6424497b3f828ccd28fd1dd)
[BR: CVE-2016-7994 BSC#1003613]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/display/virtio-gpu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7fe6ed8..5b6d17b 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
qemu_log_mask(LOG_GUEST_ERROR,
"%s: host couldn't handle guest format %d\n",
__func__, c2d.format);
+ g_free(res);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
return;
}

View File

@ -0,0 +1,92 @@
From a3ada2d4bae5bd45ca8751f47fe59f71cf7355e7 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 1 Nov 2016 12:00:40 +0100
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
originated offset: they must ensure this offset does not go beyond
the size of the extended attribute that was set in v9fs_xattrcreate().
Unfortunately, the current code implement these checks with unsafe
calculations on 32 and 64 bit values, which may allow a malicious
guest to cause OOB access anyway.
Fix this by comparing the offset and the xattr size, which are
both uint64_t, before trying to compute the effective number of bytes
to read or write.
Suggested-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6)
[BR: CVE-2016-9104 BSC#1007493]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/9pfs/9p.c | 32 ++++++++++++--------------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index af07846..fc4f2cd 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
ssize_t err;
size_t offset = 7;
- int read_count;
- int64_t xattr_len;
+ uint64_t read_count;
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
VirtQueueElement *elem = v->elems[pdu->idx];
- xattr_len = fidp->fs.xattr.len;
- read_count = xattr_len - off;
+ if (fidp->fs.xattr.len < off) {
+ read_count = 0;
+ } else {
+ read_count = fidp->fs.xattr.len - off;
+ }
if (read_count > max_count) {
read_count = max_count;
- } else if (read_count < 0) {
- /*
- * read beyond XATTR value
- */
- read_count = 0;
}
err = pdu_marshal(pdu, offset, "d", read_count);
if (err < 0) {
@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
int i, to_copy;
ssize_t err = 0;
- int write_count;
- int64_t xattr_len;
+ uint64_t write_count;
size_t offset = 7;
- xattr_len = fidp->fs.xattr.len;
- write_count = xattr_len - off;
- if (write_count > count) {
- write_count = count;
- } else if (write_count < 0) {
- /*
- * write beyond XATTR value len specified in
- * xattrcreate
- */
+ if (fidp->fs.xattr.len < off) {
err = -ENOSPC;
goto out;
}
+ write_count = fidp->fs.xattr.len - off;
+ if (write_count > count) {
+ write_count = count;
+ }
err = pdu_marshal(pdu, offset, "d", write_count);
if (err < 0) {
return err;

View File

@ -0,0 +1,32 @@
From 491b61b48cef566df12b5b2191111febd95d1a5c Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Mon, 31 Oct 2016 15:55:14 -0600
Subject: [PATCH] dma: rc4030: limit interval timer reload value
The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[BR: CVE-2016-8667 BSC#1004702]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/dma/rc4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
break;
/* Interval timer reload */
case 0x0228:
- s->itr = val;
+ s->itr = val & 0x01FF;
qemu_irq_lower(s->timer_irq);
set_next_tick(s);
break;

View File

@ -0,0 +1,47 @@
From b7f162a68696ea14af398de7584cfaf9f2de4509 Mon Sep 17 00:00:00 2001
From: P J P <ppandit@redhat.com>
Date: Mon, 31 Oct 2016 15:58:47 -0600
Subject: [PATCH] net: imx: limit buffer descriptor count
i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
[BR: CVE-2016-7907 BSC#1002549]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
hw/net/imx_fec.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 1c415ab..1d74827 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
#define PHY_INT_PARFAULT (1 << 2)
#define PHY_INT_AUTONEG_PAGE (1 << 1)
+#define IMX_MAX_DESC 1024
+
static void imx_eth_update(IMXFECState *s);
/*
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
static void imx_fec_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXFECBufDesc bd;
int len;

View File

@ -0,0 +1,71 @@
From 265aa090c4da5686ac3ed77285108606a79e4821 Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Sat, 19 Nov 2016 08:06:30 -0700
Subject: [PATCH] roms/Makefile: pass a packaging timestamp to subpackages with
date info
Certain rom subpackages build from qemu git-submodules call the date
program to include date information in the packaged binaries. This
causes repeated builds of the package to be different, wkere the only
real difference is due to the fact that time build timestamp has
changed. To promote reproducible builds and avoid customers being
prompted to update packages needlessly, we'll use the timestamp of the
VERSION file as the packaging timestamp for all packages that build in a
timestamp for whatever reason.
[BR: BSC#1011213]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
roms/Makefile | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/roms/Makefile b/roms/Makefile
index 88b3709..eb0640f 100644
--- a/roms/Makefile
+++ b/roms/Makefile
@@ -52,6 +52,12 @@ SEABIOS_EXTRAVERSION="-prebuilt.qemu-project.org"
#
EFIROM ?= $(shell which EfiRom 2>/dev/null)
+# NB: Certain SUSE qemu subpackages use date information, but we want
+# reproducible builds, so we use a pre-determined timestamp, rather
+# than the current timestamp to acheive consistent results build to
+# build.
+PACKAGING_TIMESTAMP = $(shell date -r ../VERSION +%s)
+
default:
@echo "nothing is build by default"
@echo "available build targets:"
@@ -105,7 +111,7 @@ build-lgplvgabios:
.PHONY: sgabios
sgabios:
- $(MAKE) -C sgabios
+ $(MAKE) -C sgabios PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP)
cp sgabios/sgabios.bin ../pc-bios
@@ -125,18 +131,22 @@ efi-rom-%: build-pxe-roms build-efi-roms
build-pxe-roms:
$(MAKE) -C ipxe/src CONFIG=qemu \
+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
CROSS_COMPILE=$(x86_64_cross_prefix) \
$(patsubst %,bin/%.rom,$(pxerom_targets))
build-efi-roms: build-pxe-roms
$(MAKE) -C ipxe/src CONFIG=qemu \
+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
CROSS_COMPILE=$(x86_64_cross_prefix) \
$(patsubst %,bin-i386-efi/%.efidrv,$(pxerom_targets)) \
$(patsubst %,bin-x86_64-efi/%.efidrv,$(pxerom_targets))
slof:
- $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) qemu
+ $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) \
+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
+ qemu
cp SLOF/boot_rom.bin ../pc-bios/slof.bin
u-boot.e500:

View File

@ -1,13 +1,43 @@
--- a/roms/ipxe/src/Makefile.housekeeping
+++ b/roms/ipxe/src/Makefile.housekeeping
@@ -1074,7 +1074,9 @@ blib : $(BLIB)
ipxe:Makefile: fix issues of build reproducibility
It is desirable to produce the same bits on subsequent
builds when the actual code of the package doesn't
change. (bsc#1011213)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
src/Makefile.housekeeping | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/src/Makefile.housekeeping
+++ b/src/Makefile.housekeeping
@@ -1079,11 +1079,18 @@ blib : $(BLIB)
# Command to generate build ID. Must be unique for each $(BIN)/%.tmp,
# even within the same build run.
#
-BUILD_ID_CMD := perl -e 'printf "0x%08x", int ( rand ( 0xffffffff ) );'
+BUILD_ID_DIR := .build_ids
+VERYCLEANUP += $(BUILD_ID_DIR)
+BUILD_ID_CMD := bash -c 'declare -i i=1 ; mkdir -p $(BUILD_ID_DIR) ; cd $(BUILD_ID_DIR) ; until mkdir "$${i}" 2>/dev/null ; do : $$(( i++ )) ; done ; printf "0x%08x" "$${i}" '
+# NB: In the case of the SUSE qemu-ipxe package we want reproducible
+# builds, so we just use the TGT_ROM_NAME variable, which is already
+# a unique (in the context of the files we generate) hex value suitable
+# for specifying the build_id. We no longer define a BUILD_ID_CMD, as
+# we need to use the TGT_ROM_NAME variable directly in the link command
# Build timestamp
#
-BUILD_TIMESTAMP := $(shell date +%s)
+# NB: In the case of the SUSE qemu-ipxe package we want reproducible
+# builds, so we use a pre-determined timestamp, rather than the current
+# timestamp
+BUILD_TIMESTAMP := $(PACKAGING_TIMESTAMP)
# Build version
#
@@ -1103,7 +1110,7 @@ $(BIN)/version.%.o : core/version.c $(MA
$(BIN)/%.tmp : $(BIN)/version.%.o $(BLIB) $(MAKEDEPS) $(LDSCRIPT)
$(QM)$(ECHO) " [LD] $@"
$(Q)$(LD) $(LDFLAGS) -T $(LDSCRIPT) $(TGT_LD_FLAGS) $< $(BLIB) -o $@ \
- --defsym _build_id=`$(BUILD_ID_CMD)` \
+ --defsym _build_id=`$(PRINTF) "0x%b" "$(TGT_ROM_NAME)"` \
--defsym _build_timestamp=$(BUILD_TIMESTAMP) \
-Map $(BIN)/$*.tmp.map
$(Q)$(OBJDUMP) -ht $@ | $(PERL) $(SORTOBJDUMP) >> $(BIN)/$*.tmp.map

View File

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Sat Nov 19 15:24:08 UTC 2016 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
* Patches added:
0069-roms-Makefile-pass-a-packaging-time.patch
-------------------------------------------------------------------
Thu Nov 10 21:49:18 UTC 2016 - brogers@suse.com
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
* Patches added:
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
0042-scsi-mptconfig-fix-an-assert-expres.patch
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
0048-virtio-add-check-for-descriptor-s-m.patch
0049-net-mcf-limit-buffer-descriptor-cou.patch
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
0051-xhci-limit-the-number-of-link-trbs-.patch
0052-9pfs-allocate-space-for-guest-origi.patch
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
0054-9pfs-fix-potential-host-memory-leak.patch
0055-9pfs-fix-information-leak-in-xattr-.patch
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
0058-char-serial-check-divider-value-aga.patch
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
0060-net-eepro100-fix-memory-leak-in-dev.patch
0061-net-rocker-set-limit-to-DMA-buffer-.patch
0062-net-vmxnet-initialise-local-tx-desc.patch
0063-net-rtl8139-limit-processing-of-rin.patch
0064-audio-intel-hda-check-stream-entry-.patch
0065-virtio-gpu-fix-memory-leak-in-virti.patch
0066-9pfs-fix-integer-overflow-issue-in-.patch
0067-dma-rc4030-limit-interval-timer-rel.patch
0068-net-imx-limit-buffer-descriptor-cou.patch
-------------------------------------------------------------------
Mon Nov 7 16:14:20 UTC 2016 - afaerber@suse.de

View File

@ -65,6 +65,35 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch
Patch0038: 0038-linux-user-properly-test-for-infini.patch
Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch
Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch
Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch
Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch
Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch
Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch
Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch
Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch
Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch
Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch
Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch
Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch
Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch
Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch
Patch0058: 0058-char-serial-check-divider-value-aga.patch
Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch
Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch
Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch
Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch
Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch
Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch
Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch
Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch
Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch
Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch
Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch
# Please do not add patches manually here, run update_git.sh.
# this is to make lint happy
Source300: qemu-rpmlintrc
@ -158,6 +187,35 @@ run cross-architecture builds.
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%build
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \

View File

@ -1,3 +1,81 @@
-------------------------------------------------------------------
Sat Nov 19 15:24:03 UTC 2016 - brogers@suse.com
- Refine the approach to producing stable builds in our ROM based
packages. All built roms which have hostname or date calls now
produce consistent results build to build via patch changes, so
remove the hostname and date call workarounds. (bsc#1011213)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
* Patches added:
0069-roms-Makefile-pass-a-packaging-time.patch
sgabios-stable-buildid.patch
-------------------------------------------------------------------
Sat Nov 19 15:15:03 UTC 2016 - brogers@suse.com
- Re-enable ceph (rbd) functionality in OBS builds as we've been told
the issues which prompted us to disable it are resolved
- Address various security/stability issues
* Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
* Fix DOS in LSI SAS1068 emulation (CVE-2016-7157 bsc#997860)
0042-scsi-mptconfig-fix-an-assert-expres.patch
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
* Fix DOS in Vmware pv scsi interface (CVE-2016-7156 bsc#997859)
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
* Fix DOS in USB xHCI emulation (CVE-2016-7466 bsc#1000345)
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
* Fix OOB access in LSI SAS1068 emulation (CVE-2016-7423 bsc#1000397)
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
* Fix DOS in Vmware pv scsi interface (CVE-2016-7421 bsc#999661)
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
* Fix NULL pointer dereference in virtio processing
(CVE-2016-7422 bsc#1000346)
0048-virtio-add-check-for-descriptor-s-m.patch
* Fix DOS in ColdFire Fast Ethernet Controller emulation
(CVE-2016-7908 bsc#1002550)
0049-net-mcf-limit-buffer-descriptor-cou.patch
* Fix DOS in USB EHCI emulation (CVE-2016-7995 bsc#1003612)
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
* Fix DOS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
0051-xhci-limit-the-number-of-link-trbs-.patch
* Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
0052-9pfs-allocate-space-for-guest-origi.patch
* Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
* Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
0054-9pfs-fix-potential-host-memory-leak.patch
* Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
0055-9pfs-fix-information-leak-in-xattr-.patch
* Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
* Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
* Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
0058-char-serial-check-divider-value-aga.patch
* Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
* Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
0060-net-eepro100-fix-memory-leak-in-dev.patch
* Fix OOB access in Rocker switch emulation (CVE-2016-8668 bsc#1004706)
0061-net-rocker-set-limit-to-DMA-buffer-.patch
* Plug data leak in vmxnet3 emulation (CVE-2016-6836 bsc#994760)
0062-net-vmxnet-initialise-local-tx-desc.patch
* Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
0063-net-rtl8139-limit-processing-of-rin.patch
* Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
0064-audio-intel-hda-check-stream-entry-.patch
* Fix DOS in virtio-gpu (CVE-2016-7994 bsc#1003613)
0065-virtio-gpu-fix-memory-leak-in-virti.patch
* Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
0066-9pfs-fix-integer-overflow-issue-in-.patch
* Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)
0067-dma-rc4030-limit-interval-timer-rel.patch
* Fix DOS in i.MX NIC emulation (CVE-2016-7907 bsc#1002549)
0068-net-imx-limit-buffer-descriptor-cou.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
-------------------------------------------------------------------
Fri Nov 11 11:11:11 UTC 2016 - ohering@suse.de

View File

@ -127,15 +127,50 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch
Patch0038: 0038-linux-user-properly-test-for-infini.patch
Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch
Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch
Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch
Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch
Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch
Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch
Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch
Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch
Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch
Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch
Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch
Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch
Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch
Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch
Patch0058: 0058-char-serial-check-divider-value-aga.patch
Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch
Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch
Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch
Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch
Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch
Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch
Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch
Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch
Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch
Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch
Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
%if %{build_x86_fw_from_source}
# SeaBIOS
# SeaBIOS / SeaVGABIOS
# PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit
Patch1000: seabios_128kb.patch
# ipxe
Patch1100: ipxe-stable-buildid.patch
# sgabios
Patch1200: sgabios-stable-buildid.patch
# SLOF
# (currently no patches)
%endif
@ -747,12 +782,49 @@ This package provides a service file for starting and stopping KSM.
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios
%patch1000 -p1
popd
pushd roms/ipxe
%patch1100 -p1
popd
pushd roms/sgabios
%patch1200 -p1
popd
pushd roms/SLOF
# (currently no patches)
popd
@ -768,6 +840,7 @@ rm -f pc-bios/slof.bin
%endif
%build
echo '%{version}' > roms/seabios/.version
./configure \
--prefix=%_prefix \
--sysconfdir=%_sysconfdir \

View File

@ -1,3 +1,81 @@
-------------------------------------------------------------------
Sat Nov 19 15:24:03 UTC 2016 - brogers@suse.com
- Refine the approach to producing stable builds in our ROM based
packages. All built roms which have hostname or date calls now
produce consistent results build to build via patch changes, so
remove the hostname and date call workarounds. (bsc#1011213)
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
* Patches added:
0069-roms-Makefile-pass-a-packaging-time.patch
sgabios-stable-buildid.patch
-------------------------------------------------------------------
Sat Nov 19 15:15:03 UTC 2016 - brogers@suse.com
- Re-enable ceph (rbd) functionality in OBS builds as we've been told
the issues which prompted us to disable it are resolved
- Address various security/stability issues
* Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
* Fix DOS in LSI SAS1068 emulation (CVE-2016-7157 bsc#997860)
0042-scsi-mptconfig-fix-an-assert-expres.patch
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
* Fix DOS in Vmware pv scsi interface (CVE-2016-7156 bsc#997859)
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
* Fix DOS in USB xHCI emulation (CVE-2016-7466 bsc#1000345)
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
* Fix OOB access in LSI SAS1068 emulation (CVE-2016-7423 bsc#1000397)
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
* Fix DOS in Vmware pv scsi interface (CVE-2016-7421 bsc#999661)
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
* Fix NULL pointer dereference in virtio processing
(CVE-2016-7422 bsc#1000346)
0048-virtio-add-check-for-descriptor-s-m.patch
* Fix DOS in ColdFire Fast Ethernet Controller emulation
(CVE-2016-7908 bsc#1002550)
0049-net-mcf-limit-buffer-descriptor-cou.patch
* Fix DOS in USB EHCI emulation (CVE-2016-7995 bsc#1003612)
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
* Fix DOS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
0051-xhci-limit-the-number-of-link-trbs-.patch
* Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
0052-9pfs-allocate-space-for-guest-origi.patch
* Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
* Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
0054-9pfs-fix-potential-host-memory-leak.patch
* Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
0055-9pfs-fix-information-leak-in-xattr-.patch
* Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
* Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
* Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
0058-char-serial-check-divider-value-aga.patch
* Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
* Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
0060-net-eepro100-fix-memory-leak-in-dev.patch
* Fix OOB access in Rocker switch emulation (CVE-2016-8668 bsc#1004706)
0061-net-rocker-set-limit-to-DMA-buffer-.patch
* Plug data leak in vmxnet3 emulation (CVE-2016-6836 bsc#994760)
0062-net-vmxnet-initialise-local-tx-desc.patch
* Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
0063-net-rtl8139-limit-processing-of-rin.patch
* Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
0064-audio-intel-hda-check-stream-entry-.patch
* Fix DOS in virtio-gpu (CVE-2016-7994 bsc#1003613)
0065-virtio-gpu-fix-memory-leak-in-virti.patch
* Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
0066-9pfs-fix-integer-overflow-issue-in-.patch
* Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)
0067-dma-rc4030-limit-interval-timer-rel.patch
* Fix DOS in i.MX NIC emulation (CVE-2016-7907 bsc#1002549)
0068-net-imx-limit-buffer-descriptor-cou.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
-------------------------------------------------------------------
Fri Nov 11 11:11:11 UTC 2016 - ohering@suse.de

View File

@ -127,16 +127,50 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch
Patch0038: 0038-linux-user-properly-test-for-infini.patch
Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch
Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch
Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch
Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch
Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch
Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch
Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch
Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch
Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch
Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch
Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch
Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch
Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch
Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch
Patch0058: 0058-char-serial-check-divider-value-aga.patch
Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch
Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch
Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch
Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch
Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch
Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch
Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch
Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch
Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch
Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch
Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
Patch999: ipxe-stable-buildid.patch
%if %{build_x86_fw_from_source}
# SeaBIOS
# SeaBIOS / SeaVGABIOS
# PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit
Patch1000: seabios_128kb.patch
# ipxe
Patch1100: ipxe-stable-buildid.patch
# sgabios
Patch1200: sgabios-stable-buildid.patch
# SLOF
# (currently no patches)
%endif
@ -748,13 +782,49 @@ This package provides a service file for starting and stopping KSM.
%patch0038 -p1
%patch0039 -p1
%patch0040 -p1
%patch0041 -p1
%patch0042 -p1
%patch0043 -p1
%patch0044 -p1
%patch0045 -p1
%patch0046 -p1
%patch0047 -p1
%patch0048 -p1
%patch0049 -p1
%patch0050 -p1
%patch0051 -p1
%patch0052 -p1
%patch0053 -p1
%patch0054 -p1
%patch0055 -p1
%patch0056 -p1
%patch0057 -p1
%patch0058 -p1
%patch0059 -p1
%patch0060 -p1
%patch0061 -p1
%patch0062 -p1
%patch0063 -p1
%patch0064 -p1
%patch0065 -p1
%patch0066 -p1
%patch0067 -p1
%patch0068 -p1
%patch0069 -p1
%patch999 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios
%patch1000 -p1
popd
pushd roms/ipxe
%patch1100 -p1
popd
pushd roms/sgabios
%patch1200 -p1
popd
pushd roms/SLOF
# (currently no patches)
popd
@ -771,21 +841,6 @@ rm -f pc-bios/slof.bin
%build
echo '%{version}' > roms/seabios/.version
mkdir .bin
pushd $_
tee hostname <<_EOD_
#!/bin/sh
echo hostname
_EOD_
tee date <<_EOD_
#!/bin/sh
exec $(type -p date) --reference="$PWD/date" --utc "\$@"
_EOD_
touch -r ../VERSION date
chmod 00755 *
ls -l --time-style=full-iso *
export PATH="$PWD:$PATH"
popd
./configure \
--prefix=%_prefix \
--sysconfdir=%_sysconfdir \
@ -955,13 +1010,6 @@ make %{?_smp_mflags} -C roms pxerom
%ifarch x86_64
make %{?_smp_mflags} -C roms efirom
%endif
# relink ipxe roms, this time with a stable build_id
find roms/ipxe \( -name "*.rom" -o -name "*.tmp" \) -print -delete
make -C roms pxerom
%ifarch x86_64
make -C roms efirom
%endif
#
make -C roms sgabios
%endif
%if %{build_slof_from_source}

View File

@ -91,13 +91,18 @@ PATCH_FILES
# Please do not add QEMU patches manually here.
# Run update_git.sh to regenerate this queue.
Patch999: ipxe-stable-buildid.patch
%if %{build_x86_fw_from_source}
# SeaBIOS
# SeaBIOS / SeaVGABIOS
# PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit
Patch1000: seabios_128kb.patch
# ipxe
Patch1100: ipxe-stable-buildid.patch
# sgabios
Patch1200: sgabios-stable-buildid.patch
# SLOF
# (currently no patches)
%endif
@ -671,15 +676,21 @@ This package provides a service file for starting and stopping KSM.
%setup -q -n qemu-2.7.0
PATCH_EXEC
%patch999 -p1
%if %{build_x86_fw_from_source}
pushd roms/seabios
%patch1000 -p1
popd
pushd roms/ipxe
# (currently no patches)
%patch1100 -p1
popd
pushd roms/sgabios
%patch1200 -p1
popd
pushd roms/SLOF
# (currently no patches)
popd
# as a safeguard, delete the firmware files that we intend to build
for i in %built_firmware_files
@ -694,21 +705,6 @@ rm -f pc-bios/slof.bin
%build
echo '%{version}' > roms/seabios/.version
mkdir .bin
pushd $_
tee hostname <<_EOD_
#!/bin/sh
echo hostname
_EOD_
tee date <<_EOD_
#!/bin/sh
exec $(type -p date) --reference="$PWD/date" --utc "\$@"
_EOD_
touch -r ../VERSION date
chmod 00755 *
ls -l --time-style=full-iso *
export PATH="$PWD:$PATH"
popd
./configure \
--prefix=%_prefix \
--sysconfdir=%_sysconfdir \
@ -879,13 +875,6 @@ make %{?_smp_mflags} -C roms pxerom
%ifarch x86_64
make %{?_smp_mflags} -C roms efirom
%endif
# relink ipxe roms, this time with a stable build_id
find roms/ipxe \( -name "*.rom" -o -name "*.tmp" \) -print -delete
make -C roms pxerom
%ifarch x86_64
make -C roms efirom
%endif
#
make -C roms sgabios
%endif
%if %{build_slof_from_source}

View File

@ -0,0 +1,26 @@
sgabios:Makefile: fix issues of build reproducibility
It is desirable to produce the same bits on subsequent
builds when the actual code of the package doesn't
change. (bsc#1011213)
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
Makefile | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/Makefile
+++ b/Makefile
@@ -14,9 +14,9 @@
#
# $Id$
-BUILD_DATE = \"$(shell date -u)\"
-BUILD_SHORT_DATE = \"$(shell date -u +%D)\"
-BUILD_HOST = \"$(shell hostname)\"
+BUILD_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u)\"
+BUILD_SHORT_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u +%D)\"
+BUILD_HOST = \"hostname\"
BUILD_USER = \"$(shell whoami)\"
CFLAGS := -Wall -Os -m32 -nostdlib