Dario Faggioli
5f7cc8fe5e
- Substantial rework of the spec file:
* the 'make check' testsuite now runs in the %check section of
the main package, not in a subpackage
* switched from %setup to %autosetup
* rearranged the content in order to minimize the use of %if,
%ifarch, etc
- Properly fix bsc#1198038, CVE-2022-0216
* Patches added:
scsi-lsi53c895a-really-fix-use-after-fre.patch
tests-qtest-Move-the-fuzz-tests-to-x86-o.patch
- Make temp dir (for update_git.sh) configurable
- Added new subpackages (audio-dbus, ui-dbus)
- bsc#1199018 was never fixed in Factory's QEMU 6.2. It is
now (since the patches are already in SeaBIOS 1.16.0)
- Some tests are having issues when run in OBS. They seem to be
due to race conditions, triggered by resource constraints of
OBS workers. Let's disable them for now, while looking for a fix
- Update to v7.0.0. For full release notese, see:
* https://wiki.qemu.org/ChangeLog/7.0
Be sure to also check the following pages:
* https://qemu-project.gitlab.io/qemu/about/removed-features.html
* https://qemu-project.gitlab.io/qemu/about/deprecated.html
Some notable changes:
* [ARM] The virt board has gained a new control knob to disable passing a RNG seed in the DTB (dtb-kaslr-seed)
* [ARM] The AST2600 SoC now supports a dummy version of the i3c device
* [ARM] The virt board can now run guests with KVM on hosts with restricted IPA ranges
* [ARM] The virt board now supports virtio-mem-pci
* [ARM] The virt board now supports specifying the guest CPU topology
* [ARM] On the virt board, we now enable PAuth when using KVM or hvf and the host CPU supports it
* [RISC-V] Add support for ratified 1.0 Vector extension
* [RISC-V] Support for the Zve64f and Zve32f extensions
* [RISC-V] Drop support for draft 0.7.1 Vector extension
* [RISC-V] Support Zfhmin and Zfh extensions
* [RISC-V] RISC-V KVM support
* [RISC-V] Mark Hypervisor extension as non experimental
* [RISC-V] Enable Hypervisor extension by default
* [x86] Support for Intel AMX.
* [PCI/PCIe] Q35: fix PCIe device becoming disabled after migration when ACPI based PCI hotplug is used (6b0969f1ec)
* [PCI/PCIe] initial bits of SR/IOV support (250346169)
* [PCI/PCIe] arm/virt: fixed PXB interrupt routing (e609301b45)
* [PCI/PCIe] arm/virt: support for virtio-mem-pci (b1b87327a9)
* [virtiofs] Fix for CVE-2022-0358 - behaviour with supplementary groups and SGID directories
* [virtiofs] Improved security label support
* [virtiofs] The virtiofsd in qemu is now starting to be deprecated; please start using and contributing to Rust virtiofsd
* Patches dropped:
acpi-validate-hotplug-selector-on-access.patch
block-backend-Retain-permissions-after-m.patch
block-qdict-Fix-Werror-maybe-uninitializ.patch
brotli-fix-actual-variable-array-paramet.patch
display-qxl-render-fix-race-condition-in.patch
doc-Add-the-SGX-numa-description.patch
hw-i386-amd_iommu-Fix-maybe-uninitialize.patch
hw-intc-exynos4210_gic-provide-more-room.patch
hw-nvme-fix-CVE-2021-3929.patch
hw-nvram-at24-return-0xff-if-1-byte-addr.patch
iotest-065-explicit-compression-type.patch
iotest-214-explicit-compression-type.patch
iotest-302-use-img_info_log-helper.patch
iotest-303-explicit-compression-type.patch
iotest-39-use-_qcow2_dump_header.patch
iotests-60-more-accurate-set-dirty-bit-i.patch
iotests-bash-tests-filter-compression-ty.patch
iotests-common.rc-introduce-_qcow2_dump_.patch
iotests-declare-lack-of-support-for-comp.patch
iotests-drop-qemu_img_verbose-helper.patch
iotests-massive-use-_qcow2_dump_header.patch
iotests-MRCE-Write-data-to-source.patch
iotests.py-filter-out-successful-output-.patch
iotests.py-img_info_log-rename-imgopts-a.patch
iotests.py-implement-unsupported_imgopts.patch
iotests.py-qemu_img-create-support-IMGOP.patch
iotests.py-rewrite-default-luks-support-.patch
iotests-specify-some-unsupported_imgopts.patch
meson-build-all-modules-by-default.patch
numa-Enable-numa-for-SGX-EPC-sections.patch
numa-Support-SGX-numa-in-the-monitor-and.patch
python-aqmp-add-__del__-method-to-legacy.patch
python-aqmp-add-_session_guard.patch
python-aqmp-add-SocketAddrT-to-package-r.patch
python-aqmp-add-socket-bind-step-to-lega.patch
python-aqmp-add-start_server-and-accept-.patch
python-aqmp-copy-type-definitions-from-q.patch
python-aqmp-drop-_bind_hack.patch
python-aqmp-fix-docstring-typo.patch
python-aqmp-Fix-negotiation-with-pre-oob.patch
python-aqmp-fix-race-condition-in-legacy.patch
Python-aqmp-fix-type-definitions-for-myp.patch
python-aqmp-handle-asyncio.TimeoutError-.patch
python-aqmp-refactor-_do_accept-into-two.patch
python-aqmp-remove-_new_session-and-_est.patch
python-aqmp-rename-accept-to-start_serve.patch
python-aqmp-rename-AQMPError-to-QMPError.patch
python-aqmp-split-_client_connected_cb-o.patch
python-aqmp-squelch-pylint-warning-for-t.patch
python-aqmp-stop-the-server-during-disco.patch
python-introduce-qmp-shell-wrap-convenie.patch
python-machine-raise-VMLaunchFailure-exc.patch
python-move-qmp-shell-under-the-AQMP-pac.patch
python-move-qmp-utilities-to-python-qemu.patch
python-qmp-switch-qmp-shell-to-AQMP.patch
python-support-recording-QMP-session-to-.patch
python-upgrade-mypy-to-0.780.patch
qcow2-simple-case-support-for-downgradin.patch
qemu-binfmt-conf.sh-should-use-F-as-shor.patch
tests-qemu-iotests-040-Skip-TestCommitWi.patch
tests-qemu-iotests-Fix-051-for-binaries-.patch
tests-qemu-iotests-testrunner-Quote-case.patch
tools-virtiofsd-Add-rseq-syscall-to-the-.patch
ui-cursor-fix-integer-overflow-in-cursor.patch
vhost-vsock-detach-the-virqueue-element-.patch
virtiofsd-Drop-membership-of-all-supplem.patch
virtio-net-fix-map-leaking-on-error-duri.patch
Disable-some-tests-that-have-problems-in.patch
* Patches added:
intc-exynos4210_gic-replace-snprintf-wit.patch
Revert-8dcb404bff6d9147765d7dd3e9c849337.patch
------------------------------------------------------------------
- Fix bsc#1197084
* Patches added:
hostmem-default-the-amount-of-prealloc-t.patch
- Get rid of downstream patches breaking s390 modules. Replace
them with the upstream proposed and Acked (but never committed)
solution (bsc#1199015)
* Patches added:
modules-generates-per-target-modinfo.patch
modules-introduces-module_kconfig-direct.patch
* Patches dropped:
Fix-the-module-building-problem-for-s390.patch
modules-quick-fix-a-fundamental-error-in.patch
- backport patches for having coroutine work well when LTO is used
* Patches added:
coroutine-ucontext-use-QEMU_DEFINE_STATI.patch
coroutine-use-QEMU_DEFINE_STATIC_CO_TLS.patch
coroutine-win32-use-QEMU_DEFINE_STATIC_C.patch
- seabios: drop patch that changes python in python2.
Just go to python3 directly.
* Patches dropped:
seabios-use-python2-explicitly-as-needed.patch
OBS-URL: https://build.opensuse.org/request/show/990667
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=726
102 lines
4.0 KiB
Diff
102 lines
4.0 KiB
Diff
From: Claudio Fontana <cfontana@suse.de>
|
|
Date: Tue, 31 May 2022 13:47:07 +0200
|
|
Subject: pci: fix overflow in snprintf string formatting
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Git-commit: 36f18c6989a3d1ff1d7a0e50b0868ef3958299b4
|
|
References: bsc#1199924
|
|
|
|
the code in pcibus_get_fw_dev_path contained the potential for a
|
|
stack buffer overflow of 1 byte, potentially writing to the stack an
|
|
extra NUL byte.
|
|
|
|
This overflow could happen if the PCI slot is >= 0x10000000,
|
|
and the PCI function is >= 0x10000000, due to the size parameter
|
|
of snprintf being incorrectly calculated in the call:
|
|
|
|
if (PCI_FUNC(d->devfn))
|
|
snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
|
|
|
|
since the off obtained from a previous call to snprintf is added
|
|
instead of subtracted from the total available size of the buffer.
|
|
|
|
Without the accurate size guard from snprintf, we end up writing in the
|
|
worst case:
|
|
|
|
name (32) + "@" (1) + SLOT (8) + "," (1) + FUNC (8) + term NUL (1) = 51 bytes
|
|
|
|
In order to provide something more robust, replace all of the code in
|
|
pcibus_get_fw_dev_path with a single call to g_strdup_printf,
|
|
so there is no need to rely on manual calculations.
|
|
|
|
Found by compiling QEMU with FORTIFY_SOURCE=3 as the error:
|
|
|
|
*** buffer overflow detected ***: terminated
|
|
|
|
Thread 1 "qemu-system-x86" received signal SIGABRT, Aborted.
|
|
[Switching to Thread 0x7ffff642c380 (LWP 121307)]
|
|
0x00007ffff71ff55c in __pthread_kill_implementation () from /lib64/libc.so.6
|
|
(gdb) bt
|
|
#0 0x00007ffff71ff55c in __pthread_kill_implementation () at /lib64/libc.so.6
|
|
#1 0x00007ffff71ac6f6 in raise () at /lib64/libc.so.6
|
|
#2 0x00007ffff7195814 in abort () at /lib64/libc.so.6
|
|
#3 0x00007ffff71f279e in __libc_message () at /lib64/libc.so.6
|
|
#4 0x00007ffff729767a in __fortify_fail () at /lib64/libc.so.6
|
|
#5 0x00007ffff7295c36 in () at /lib64/libc.so.6
|
|
#6 0x00007ffff72957f5 in __snprintf_chk () at /lib64/libc.so.6
|
|
#7 0x0000555555b1c1fd in pcibus_get_fw_dev_path ()
|
|
#8 0x0000555555f2bde4 in qdev_get_fw_dev_path_helper.constprop ()
|
|
#9 0x0000555555f2bd86 in qdev_get_fw_dev_path_helper.constprop ()
|
|
#10 0x00005555559a6e5d in get_boot_device_path ()
|
|
#11 0x00005555559a712c in get_boot_devices_list ()
|
|
#12 0x0000555555b1a3d0 in fw_cfg_machine_reset ()
|
|
#13 0x0000555555bf4c2d in pc_machine_reset ()
|
|
#14 0x0000555555c66988 in qemu_system_reset ()
|
|
#15 0x0000555555a6dff6 in qdev_machine_creation_done ()
|
|
#16 0x0000555555c79186 in qmp_x_exit_preconfig.part ()
|
|
#17 0x0000555555c7b459 in qemu_init ()
|
|
#18 0x0000555555960a29 in main ()
|
|
|
|
Found-by: Dario Faggioli <Dario Faggioli <dfaggioli@suse.com>
|
|
Found-by: Martin Liška <martin.liska@suse.com>
|
|
Cc: qemu-stable@nongnu.org
|
|
Signed-off-by: Claudio Fontana <cfontana@suse.de>
|
|
Message-Id: <20220531114707.18830-1-cfontana@suse.de>
|
|
Reviewed-by: Ani Sinha <ani@anisinha.ca>
|
|
Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
|
|
---
|
|
hw/pci/pci.c | 18 +++++++++---------
|
|
1 file changed, 9 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
|
|
index dae9119bfe5fe45a15e31985151e..c69b412434775df1368beb67984c 100644
|
|
--- a/hw/pci/pci.c
|
|
+++ b/hw/pci/pci.c
|
|
@@ -2625,15 +2625,15 @@ static char *pci_dev_fw_name(DeviceState *dev, char *buf, int len)
|
|
static char *pcibus_get_fw_dev_path(DeviceState *dev)
|
|
{
|
|
PCIDevice *d = (PCIDevice *)dev;
|
|
- char path[50], name[33];
|
|
- int off;
|
|
-
|
|
- off = snprintf(path, sizeof(path), "%s@%x",
|
|
- pci_dev_fw_name(dev, name, sizeof name),
|
|
- PCI_SLOT(d->devfn));
|
|
- if (PCI_FUNC(d->devfn))
|
|
- snprintf(path + off, sizeof(path) + off, ",%x", PCI_FUNC(d->devfn));
|
|
- return g_strdup(path);
|
|
+ char name[33];
|
|
+ int has_func = !!PCI_FUNC(d->devfn);
|
|
+
|
|
+ return g_strdup_printf("%s@%x%s%.*x",
|
|
+ pci_dev_fw_name(dev, name, sizeof(name)),
|
|
+ PCI_SLOT(d->devfn),
|
|
+ has_func ? "," : "",
|
|
+ has_func,
|
|
+ PCI_FUNC(d->devfn));
|
|
}
|
|
|
|
static char *pcibus_get_dev_path(DeviceState *dev)
|