rpms
/
qemu
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

qemu-7.0.0-1

This commit is contained in:
Eduardo Lima (Etrunko) 2022-04-21 22:43:08 -03:00
parent af7430aef5
commit 0007b37337
6 changed files with 41 additions and 315 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
View File

@ -1,90 +0,0 @@
From 8cdb99af45365727ac17f45239a9b8c1d5155c6d Mon Sep 17 00:00:00 2001
From: Igor Mammedov <imammedo@redhat.com>
Date: Mon, 27 Dec 2021 14:31:17 -0500
Subject: [PATCH] acpi: fix QEMU crash when started with SLIC table
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
if QEMU is started with used provided SLIC table blob,
-acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null
it will assert with:
hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen)
and following backtrace:
...
build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61
acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727
build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064
...
which happens due to acpi_table_begin() expecting NULL terminated
oem_id and oem_table_id strings, which is normally the case, but
in case of user provided SLIC table, oem_id points to table's blob
directly and as result oem_id became longer than expected.
Fix issue by handling oem_id consistently and make acpi_get_slic_oem()
return NULL terminated strings.
PS:
After [1] refactoring, oem_id semantics became inconsistent, where
NULL terminated string was coming from machine and old way pointer
into byte array coming from -acpitable option. That used to work
since build_header() wasn't expecting NULL terminated string and
blindly copied the 1st 6 bytes only.
However commit [2] broke that by replacing build_header() with
acpi_table_begin(), which was expecting NULL terminated string
and was checking oem_id size.
1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed")
2)
Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786
Signed-off-by: Igor Mammedov <imammedo@redhat.com>
Message-Id: <20211227193120.1084176-2-imammedo@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Denis Lisov <dennis.lissov@gmail.com>
Tested-by: Alexander Tsoy <alexander@tsoy.me>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/acpi/core.c | 4 ++--
hw/i386/acpi-build.c | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 1e004d0078..3e811bf03c 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem)
struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length));
if (memcmp(hdr->sig, "SLIC", 4) == 0) {
- oem->id = hdr->oem_id;
- oem->table_id = hdr->oem_table_id;
+ oem->id = g_strndup(hdr->oem_id, 6);
+ oem->table_id = g_strndup(hdr->oem_table_id, 8);
return 0;
}
}
diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
index 8383b83ee3..0234fe7588 100644
--- a/hw/i386/acpi-build.c
+++ b/hw/i386/acpi-build.c
@@ -2723,6 +2723,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine)
/* Cleanup memory that's no longer used. */
g_array_free(table_offsets, true);
+ g_free(slic_oem.id);
+ g_free(slic_oem.table_id);
}
static void acpi_ram_update(MemoryRegion *mr, GArray *data)
--
2.35.1

58
0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch
View File

@ -1,58 +0,0 @@
From 7b223e38603de3a75602e14914d26f9d4baf52eb Mon Sep 17 00:00:00 2001
From: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Date: Wed, 9 Feb 2022 12:14:56 +0100
Subject: [PATCH 1/2] tools/virtiofsd: Add rseq syscall to the seccomp
allowlist
The virtiofsd currently crashes when used with glibc 2.35.
That is due to the rseq system call being added to every thread
creation [1][2].
[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/
[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html
This happens not at daemon start, but when a guest connects
/usr/lib/qemu/virtiofsd -f --socket-path=/tmp/testvfsd -o sandbox=chroot \
-o source=/var/guests/j-virtiofs --socket-group=kvm
virtio_session_mount: Waiting for vhost-user socket connection...
# start ok, now guest will connect
virtio_session_mount: Received vhost-user socket connection
virtio_loop: Entry
fv_queue_set_started: qidx=0 started=1
fv_queue_set_started: qidx=1 started=1
Bad system call (core dumped)
We have to put rseq on the seccomp allowlist to avoid that the daemon
is crashing in this case.
Reported-by: Michael Hudson-Doyle <michael.hudson@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-id: 20220209111456.3328420-1-christian.ehrhardt@canonical.com
[Moved rseq to its alphabetically ordered position in the seccomp
allowlist.
--Stefan]
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
---
tools/virtiofsd/passthrough_seccomp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/virtiofsd/passthrough_seccomp.c b/tools/virtiofsd/passthrough_seccomp.c
index a3ce9f898d..2bc0127b69 100644
--- a/tools/virtiofsd/passthrough_seccomp.c
+++ b/tools/virtiofsd/passthrough_seccomp.c
@@ -91,6 +91,9 @@ static const int syscall_allowlist[] = {
SCMP_SYS(renameat2),
SCMP_SYS(removexattr),
SCMP_SYS(restart_syscall),
+#ifdef __NR_rseq
+ SCMP_SYS(rseq), /* required since glibc 2.35 */
+#endif
SCMP_SYS(rt_sigaction),
SCMP_SYS(rt_sigprocmask),
SCMP_SYS(rt_sigreturn),
--
2.35.1

101
0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
View File

@ -1,101 +0,0 @@
From 449e8171f96a6a944d1f3b7d3627ae059eae21ca Mon Sep 17 00:00:00 2001
From: Vivek Goyal <vgoyal@redhat.com>
Date: Tue, 25 Jan 2022 13:51:14 -0500
Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups
(CVE-2022-0358)
At the start, drop membership of all supplementary groups. This is
not required.
If we have membership of "root" supplementary group and when we switch
uid/gid using setresuid/setsgid, we still retain membership of existing
supplemntary groups. And that can allow some operations which are not
normally allowed.
For example, if root in guest creates a dir as follows.
$ mkdir -m 03777 test_dir
This sets SGID on dir as well as allows unprivileged users to write into
this dir.
And now as unprivileged user open file as follows.
$ su test
$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755);
This will create SGID set executable in test_dir/.
And that's a problem because now an unpriviliged user can execute it,
get egid=0 and get access to resources owned by "root" group. This is
privilege escalation.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
Fixes: CVE-2022-0358
Reported-by: JIETAO XIAO <shawtao1125@gmail.com>
Suggested-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <YfBGoriS38eBQrAb@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
dgilbert: Fixed missing {}'s style nit
---
tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index 64b5b4fbb1..b3d0674f6d 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -54,6 +54,7 @@
#include <sys/wait.h>
#include <sys/xattr.h>
#include <syslog.h>
+#include <grp.h>
#include "qemu/cutils.h"
#include "passthrough_helpers.h"
@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
#define OURSYS_setresuid SYS_setresuid
#endif
+static void drop_supplementary_groups(void)
+{
+ int ret;
+
+ ret = getgroups(0, NULL);
+ if (ret == -1) {
+ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n",
+ errno, strerror(errno));
+ exit(1);
+ }
+
+ if (!ret) {
+ return;
+ }
+
+ /* Drop all supplementary groups. We should not need it */
+ ret = setgroups(0, NULL);
+ if (ret == -1) {
+ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n",
+ errno, strerror(errno));
+ exit(1);
+ }
+}
+
/*
* Change to uid/gid of caller so that file is created with
* ownership of caller.
@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[])
qemu_init_exec_dir(argv[0]);
+ drop_supplementary_groups();
+
pthread_mutex_init(&lo.mutex, NULL);
lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal);
lo.root.fd = -1;
--
GitLab

41
0002-virtiofsd-Do-not-support-blocking-flock.patch
View File

@ -1,41 +0,0 @@
From 41af4459ac47e107093c3f54b6875d54723aa613 Mon Sep 17 00:00:00 2001
From: Sebastian Hasler <sebastian.hasler@stuvus.uni-stuttgart.de>
Date: Thu, 13 Jan 2022 16:32:49 +0100
Subject: [PATCH 2/2] virtiofsd: Do not support blocking flock
With the current implementation, blocking flock can lead to
deadlock. Thus, it's better to return EOPNOTSUPP if a user attempts
to perform a blocking flock request.
Signed-off-by: Sebastian Hasler <sebastian.hasler@stuvus.uni-stuttgart.de>
Message-Id: <20220113153249.710216-1-sebastian.hasler@stuvus.uni-stuttgart.de>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
---
tools/virtiofsd/passthrough_ll.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
index b3d0674f6d..3e56d1cd95 100644
--- a/tools/virtiofsd/passthrough_ll.c
+++ b/tools/virtiofsd/passthrough_ll.c
@@ -2467,6 +2467,15 @@ static void lo_flock(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi,
int res;
(void)ino;
+ if (!(op & LOCK_NB)) {
+ /*
+ * Blocking flock can deadlock as there is only one thread
+ * serving the queue.
+ */
+ fuse_reply_err(req, EOPNOTSUPP);
+ return;
+ }
+
res = flock(lo_fi_fd(req, fi), op);
fuse_reply_err(req, res == -1 ? errno : 0);
--
2.35.1

64
qemu.spec
View File

@ -195,6 +195,7 @@
%endif
%define requires_block_ssh Requires: %{name}-block-ssh = %{evr}
%define requires_audio_alsa Requires: %{name}-audio-alsa = %{evr}
%define requires_audio_dbus Requires: %{name}-audio-dbus = %{evr}
%define requires_audio_oss Requires: %{name}-audio-oss = %{evr}
%define requires_audio_pa Requires: %{name}-audio-pa = %{evr}
%define requires_audio_sdl Requires: %{name}-audio-sdl = %{evr}
@ -202,6 +203,7 @@
%define requires_device_usb_host Requires: %{name}-device-usb-host = %{evr}
%define requires_device_usb_redirect Requires: %{name}-device-usb-redirect = %{evr}
%define requires_ui_curses Requires: %{name}-ui-curses = %{evr}
%define requires_ui_dbus Requires: %{name}-ui-dbus = %{evr}
%define requires_ui_gtk Requires: %{name}-ui-gtk = %{evr}
%define requires_ui_sdl Requires: %{name}-ui-sdl = %{evr}
%define requires_ui_egl_headless Requires: %{name}-ui-egl-headless = %{evr}
@ -256,6 +258,7 @@
%{requires_block_rbd} \
%{requires_block_ssh} \
%{requires_audio_alsa} \
%{requires_audio_dbus} \
%{requires_audio_oss} \
%{requires_audio_pa} \
%{requires_audio_sdl} \
@ -302,11 +305,11 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
%endif
# To prevent rpmdev-bumpspec breakage
%global baserelease 8
%global baserelease 1
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 6.2.0
Version: 7.0.0
Release: %{baserelease}%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2 and BSD and MIT and CC-BY
@ -327,19 +330,6 @@ Source36: README.tests
Patch0001: 0001-sgx-stub-fix.patch
# CVE-2022-0358
# https://bugzilla.redhat.com/show_bug.cgi?id=2046202
Patch0002: 0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
# Fix various crashes with virtiofsd on F36+
# https://bugzilla.redhat.com/2070066
Patch0003: 0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch
Patch0004: 0002-virtiofsd-Do-not-support-blocking-flock.patch
# acpi: fix QEMU crash when started with SLIC table
# https://bugzilla.redhat.com/show_bug.cgi?id=2072303
Patch0005: 0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
BuildRequires: meson >= %{meson_version}
BuildRequires: zlib-devel
BuildRequires: glib2-devel
@ -461,8 +451,6 @@ BuildRequires: virglrenderer-devel
# preferred disassembler for TCG
BuildRequires: capstone-devel
%endif
# parallels disk images require libxml2
BuildRequires: libxml2-devel
# qemu-ga
BuildRequires: libudev-devel
# qauth infrastructure
@ -697,6 +685,12 @@ Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
%description audio-alsa
This package provides the additional ALSA audio driver for QEMU.
%package audio-dbus
Summary: QEMU D-Bus audio driver
Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
%description audio-dbus
This package provides the additional D-Bus audio driver for QEMU.
%package audio-oss
Summary: QEMU OSS audio driver
Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
@ -730,6 +724,12 @@ Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
%description ui-curses
This package provides the additional curses UI for QEMU.
%package ui-dbus
Summary: QEMU D-Bus UI driver
Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
%description ui-dbus
This package provides the additional D-Bus UI for QEMU.
%package ui-gtk
Summary: QEMU GTK UI driver
Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
@ -1247,8 +1247,8 @@ mkdir -p %{static_builddir}
--disable-avx2 \\\
--disable-avx512f \\\
--disable-block-drv-whitelist-in-tools \\\
--disable-bpf \\\
--disable-bochs \\\
--disable-bpf \\\
--disable-brlapi \\\
--disable-bsd-user \\\
--disable-bzip2 \\\
@ -1258,6 +1258,7 @@ mkdir -p %{static_builddir}
--disable-cfi-debug \\\
--disable-cloop \\\
--disable-cocoa \\\
--disable-coreaudio \\\
--disable-coroutine-pool \\\
--disable-crypto-afalg \\\
--disable-curl \\\
@ -1267,10 +1268,12 @@ mkdir -p %{static_builddir}
--disable-debug-tcg \\\
--disable-dmg \\\
--disable-docs \\\
--disable-dsound \\\
--disable-fdt \\\
--disable-fuse \\\
--disable-fuse-lseek \\\
--disable-gcrypt \\\
--disable-gettext \\\
--disable-gio \\\
--disable-glusterfs \\\
--disable-gnutls \\\
@ -1280,7 +1283,9 @@ mkdir -p %{static_builddir}
--disable-hax \\\
--disable-hvf \\\
--disable-iconv \\\
--disable-jack \\\
--disable-kvm \\\
--disable-l2tpv3 \\\
--disable-libdaxctl \\\
--disable-libiscsi \\\
--disable-libnfs \\\
@ -1288,7 +1293,6 @@ mkdir -p %{static_builddir}
--disable-libssh \\\
--disable-libudev \\\
--disable-libusb \\\
--disable-libxml2 \\\
--disable-linux-aio \\\
--disable-linux-io-uring \\\
--disable-linux-user \\\
@ -1305,7 +1309,10 @@ mkdir -p %{static_builddir}
--disable-netmap \\\
--disable-nettle \\\
--disable-numa \\\
--disable-nvmm \\\
--disable-opengl \\\
--disable-oss \\\
--disable-pa \\\
--disable-parallels \\\
--disable-pie \\\
--disable-pvrdma \\\
@ -1321,6 +1328,7 @@ mkdir -p %{static_builddir}
--disable-sdl \\\
--disable-sdl-image \\\
--disable-seccomp \\\
--disable-selinux \\\
--disable-slirp \\\
--disable-slirp-smbd \\\
--disable-smartcard \\\
@ -1359,7 +1367,6 @@ mkdir -p %{static_builddir}
--disable-whpx \\\
--disable-xen \\\
--disable-xen-pci-passthrough \\\
--disable-xfsctl \\\
--disable-xkbcommon \\\
--disable-zstd \\\
--with-git-submodules=ignore \\\
@ -1426,10 +1433,13 @@ run_configure \
%if %{have_fdt}
--enable-fdt=system \
%endif
--enable-gettext \
--enable-gnutls \
--enable-guest-agent \
--enable-iconv \
--enable-jack \
--enable-kvm \
--enable-l2tpv3 \
--enable-libiscsi \
%if %{have_pmem}
--enable-libpmem \
@ -1451,6 +1461,8 @@ run_configure \
%if %{have_opengl}
--enable-opengl \
%endif
--enable-oss \
--enable-pa \
--enable-pie \
%if %{have_block_rbd}
--enable-rbd \
@ -1459,9 +1471,7 @@ run_configure \
--enable-rdma \
%endif
--enable-seccomp \
%if 0%{?must_remember_to_add_this_in_qemu_6_2}
--enable-selinux \
%endif
--enable-slirp=system \
--enable-slirp-smbd \
--enable-snappy \
@ -1509,7 +1519,6 @@ run_configure \
--enable-libnfs \
%endif
--enable-libudev \
--enable-libxml2 \
%if %{have_liburing}
--enable-linux-io-uring \
%endif
@ -1963,6 +1972,8 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%files audio-alsa
%{_libdir}/%{name}/audio-alsa.so
%files audio-dbus
%{_libdir}/%{name}/audio-dbus.so
%files audio-oss
%{_libdir}/%{name}/audio-oss.so
%files audio-pa
@ -1977,6 +1988,8 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%files ui-curses
%{_libdir}/%{name}/ui-curses.so
%files ui-dbus
%{_libdir}/%{name}/ui-dbus.so
%files ui-gtk
%{_libdir}/%{name}/ui-gtk.so
%files ui-sdl
@ -2213,6 +2226,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%{_datadir}/%{name}/skiboot.lid
%{_datadir}/%{name}/u-boot.e500
%{_datadir}/%{name}/u-boot-sam460-20100605.bin
%{_datadir}/%{name}/vof*.bin
%if %{have_memlock_limits}
%{_sysconfdir}/security/limits.d/95-kvm-memlock.conf
%endif
@ -2223,7 +2237,6 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%{_bindir}/qemu-system-riscv32
%{_bindir}/qemu-system-riscv64
%{_datadir}/%{name}/opensbi-riscv*.bin
%{_datadir}/%{name}/opensbi-riscv*.elf
%{_datadir}/systemtap/tapset/qemu-system-riscv*.stp
%{_mandir}/man1/qemu-system-riscv*.1*
@ -2305,6 +2318,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Fri Apr 08 2022 Eduardo Lima (Etrunko) <etrunko@redhat.com> - 7.0.0-1
- Rebase to qemu 7.0.0-1
* Wed Apr 06 2022 Richard W.M. Jones <rjones@redhat.com> - 2:6.2.0-8
- acpi: fix QEMU crash when started with SLIC table (RHBZ#2072303)

2
sources
View File

@ -1 +1 @@
SHA512 (qemu-6.2.0.tar.xz) = e9f8231c9e1cfcc41cb47f10a55d63f6b8aee307af00cf6acf64acb7aa4f49fa7e9d6330703a2abea15d8b7bbaba7d3cb08c83edd98d82642367b527df730817
SHA512 (qemu-7.0.0.tar.xz) = 44ecd10c018a3763e1bc87d1d35b98890d0d5636acd69fe9b5cadf5024d5af6a31684d60cbe1c3370e02986434c1fb0ad99224e0e6f6fe7eda169992508157b1