Rebased to version 2.1.2

CVE-2014-3640 qemu: slirp: NULL pointer (bz #1144821, bz #1144818)
Cole Robinson 2014-09-26 10:26:35 -04:00
parent e84b901375
commit 46f3a5c276
12 changed files with 16 additions and 148 deletions


@ -1,4 +1,4 @@
From 031f135c71ab705914f378d19067d1f1f25e744f Mon Sep 17 00:00:00 2001
From 6665e04d68d58a93d75a51a0840534f3a0ad2402 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 19 Aug 2014 18:56:28 +0100
Subject: [PATCH] loader: Add load_image_gzipped function.
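Review bot: only the commit id in the first `From` line changes in this hunk, and the same holds for the other header-only hunks (patches 0002 through 0005 and the two kept virtio-pci patches); that is what re-exporting the series against the 2.1.2 tree produces, and the author, date and subject lines are untouched. The diffstat of 16 additions and 148 deletions is fully accounted for by these seven one-line header changes, the three deleted patch files (30, 53 and 47 lines) and the spec and sources edits, so no patch body was rewritten in this commit.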


@ -1,4 +1,4 @@
From 0f688b169496a2f85fe092eae3f385511946bf3f Mon Sep 17 00:00:00 2001
From f06e2812a6813c8c93fee50bd8beb5ae5d8cb871 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Tue, 19 Aug 2014 18:56:28 +0100
Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed


@ -1,4 +1,4 @@
From 04ca8ab4dfca981ab0f1f6744286e8a84e0fccca Mon Sep 17 00:00:00 2001
From 5331434dbb2a1959a8a8d153fd4553ae434cc464 Mon Sep 17 00:00:00 2001
From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
Date: Wed, 13 Aug 2014 12:44:27 -0300
Subject: [PATCH] block.curl: adding 'timeout' option


@ -1,4 +1,4 @@
From dde3e0ef0b9f2ffd68b6bd348ccb46d8fb35f84c Mon Sep 17 00:00:00 2001
From 4b3a1a47188c5df308d51048a8a0de630c45d12c Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Fri, 29 Aug 2014 16:03:12 +0100
Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https


@ -1,4 +1,4 @@
From 1ea3e3a38b5bdb144a7206654c51f8f4768077f3 Mon Sep 17 00:00:00 2001
From a1fd2da51b26f549d63000d3a81fbb70d7c40f4e Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 28 Aug 2014 09:04:21 +0100
Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.


@ -1,30 +0,0 @@
From b6bb785977e725e1a0f3ed203f5ffe3def56e03f Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 11 Sep 2014 18:32:51 +0300
Subject: [PATCH] virtio-net: drop assert on vm stop
On vm stop, vm_running state set to stopped
before device is notified, so callbacks can get envoked with
vm_running = false; and this is not an error.
Cc: qemu-stable@nongnu.org
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 131c5221fe25a9547c4a388a3d26ff7fd14843e5)
---
hw/net/virtio-net.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 826a2a5..2040eac 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1125,8 +1125,6 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
return num_packets;
}
- assert(vdev->vm_running);
-
if (q->async_tx.elem.out_num) {
virtio_queue_set_notification(q->tx_vq, 0);
return num_packets;
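Review bot: the commit message gives no reason for dropping this patch while the two virtio-pci patches from the same bz #1144490 series are kept. The deleted file records it as a cherry-pick of upstream 131c5221fe25a9547c4a388a3d26ff7fd14843e5 tagged `Cc: qemu-stable@nongnu.org`, which suggests it is already in the 2.1.2 stable release, but the changelog should say so explicitly; otherwise a later reader sees part of the bz #1144490 fix disappear between 2.1.1-2 and 2.1.2-1 and has to re-derive why. Note also that this patch only removes `assert(vdev->vm_running)`; it is the matched pair of the revert in 0007, and the two must stay together in whichever tree carries them.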


@ -1,4 +1,4 @@
From b8ecf2e833811f9fce6bcf3a87ca52fb490e2f13 Mon Sep 17 00:00:00 2001
From a9862ff2c205aa289b62abcb7ddd03c7630f5c7a Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 11 Sep 2014 18:45:33 +0200
Subject: [PATCH] virtio-pci: enable bus master for old guests


@ -1,53 +0,0 @@
From 6b448e66c6e2e993b2c5666cbc0747e6405e80fa Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 11 Sep 2014 18:42:02 +0300
Subject: [PATCH] Revert "virtio: don't call device on !vm_running"
This reverts commit a1bc7b827e422e1ff065640d8ec5347c4aadfcd8.
virtio: don't call device on !vm_running
It turns out that virtio net assumes that vm_running
is updated before device status callback in many places,
so this change leads to asserts.
Previous commit fixes the root issue that motivated
a1bc7b827e422e1ff065640d8ec5347c4aadfcd8 differently,
so there's no longer a need for this change.
In the future, we might be able to drop checking vm_running
completely, and check vm state directly.
Reported-by: Dietmar Maurer <dietmar@proxmox.com>
Cc: qemu-stable@nongnu.org
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 9e8e8c48653471fa5fed447e388fdef57d4f6998)
---
hw/virtio/virtio.c | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index ac22238..5c98180 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -1108,10 +1108,7 @@ static void virtio_vmstate_change(void *opaque, int running, RunState state)
BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
VirtioBusClass *k = VIRTIO_BUS_GET_CLASS(qbus);
bool backend_run = running && (vdev->status & VIRTIO_CONFIG_S_DRIVER_OK);
-
- if (running) {
- vdev->vm_running = running;
- }
+ vdev->vm_running = running;
if (backend_run) {
virtio_set_status(vdev, vdev->status);
@@ -1124,10 +1121,6 @@ static void virtio_vmstate_change(void *opaque, int running, RunState state)
if (!backend_run) {
virtio_set_status(vdev, vdev->status);
}
-
- if (!running) {
- vdev->vm_running = running;
- }
}
void virtio_init(VirtIODevice *vdev, const char *name,
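Review bot: dropping this revert is only safe together with dropping 0006-virtio-net-drop-assert-on-vm-stop.patch, since the deleted message says the assert removal fixes the root issue that a1bc7b827e422e1ff065640d8ec5347c4aadfcd8 was working around; this commit removes both, so the pairing is preserved. The hunk shows the behaviour that results: `vdev->vm_running = running` is set unconditionally before the status callbacks run, so device callbacks can observe vm_running == false during a stop, which is exactly the case the virtio-net assert removal tolerates. As with the previous file, a changelog line saying both patches landed upstream in 2.1.2 (rather than being dropped as unneeded) would make the history self-explaining.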


@ -1,4 +1,4 @@
From 53db3d7b0836c13268f141bb46653a7898011d1e Mon Sep 17 00:00:00 2001
From 2c8d6826ebaf1bf846edd213f8fe8f95c0c300cb Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 11 Sep 2014 18:34:29 +0300
Subject: [PATCH] virtio-pci: fix migration for pci bus master


@ -1,47 +0,0 @@
From beb8650b34906da8f87e07238ab33aa8ffc54a67 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 18 Sep 2014 16:32:07 +0300
Subject: [PATCH] pc: leave more space for BIOS allocations
Since QEMU 2.1, we are allocating more space for ACPI tables, so no
space is left after initrd for the BIOS to allocate memory.
Besides ACPI tables, there are a few other uses of high memory in
SeaBIOS: SMBIOS tables and USB drivers use it in particular. These uses
allocate a very small amount of memory. Malloc metadata also lives
there. So we need _some_ extra padding there to avoid initrd breakage,
but not much.
John Snow found a case where RHEL5 was broken by the recent change to
ACPI_TABLE_SIZE; in his case 4KB of extra padding are fine, but just to
be safe I am adding 32KB, which is roughly the same amount of padding
that was left by QEMU 2.0 and earlier.
Move initrd to leave some space for the BIOS.
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: John Snow <jsnow@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 438f92ee9f6a4f78f8adcc399809e252b6da72a2)
---
hw/i386/pc.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/hw/i386/pc.c b/hw/i386/pc.c
index 97932a6..ef9fad8 100644
--- a/hw/i386/pc.c
+++ b/hw/i386/pc.c
@@ -72,8 +72,10 @@
#define DPRINTF(fmt, ...)
#endif
-/* Leave a chunk of memory at the top of RAM for the BIOS ACPI tables. */
-unsigned acpi_data_size = 0x20000;
+/* Leave a chunk of memory at the top of RAM for the BIOS ACPI tables
+ * (128K) and other BIOS datastructures (less than 4K reported to be used at
+ * the moment, 32K should be enough for a while). */
+unsigned acpi_data_size = 0x20000 + 0x8000;
void pc_set_legacy_acpi_data_size(void)
{
acpi_data_size = 0x10000;
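Review bot: removing this patch makes the top-of-RAM reservation for the newer machine types depend on what the 2.1.2 tarball carries; the deleted file is a cherry-pick of upstream 438f92ee9f6a4f78f8adcc399809e252b6da72a2 marked `Cc: qemu-stable@nongnu.org`, so it is presumably in 2.1.2, but nothing in the commit message or changelog confirms that. Please check that hw/i386/pc.c in 2.1.2 has `acpi_data_size = 0x20000 + 0x8000`, because if the 32K padding is lost the RHEL5 initrd breakage described in the deleted message returns for non-legacy machine types (legacy ones are unaffected either way, since `pc_set_legacy_acpi_data_size` still pins 0x10000).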


@ -151,8 +151,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.1.1
Release: 2%{?dist}
Version: 2.1.2
Release: 1%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -200,11 +200,8 @@ Patch0003: 0003-block.curl-adding-timeout-option.patch
Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
# Fix crash on migration/snapshot (bz #1144490)
Patch0006: 0006-virtio-net-drop-assert-on-vm-stop.patch
Patch0007: 0007-Revert-virtio-don-t-call-device-on-vm_running.patch
Patch0008: 0008-virtio-pci-enable-bus-master-for-old-guests.patch
Patch0009: 0009-virtio-pci-fix-migration-for-pci-bus-master.patch
Patch0010: 0010-pc-leave-more-space-for-BIOS-allocations.patch
Patch0006: 0006-virtio-pci-enable-bus-master-for-old-guests.patch
Patch0007: 0007-virtio-pci-fix-migration-for-pci-bus-master.patch
BuildRequires: SDL2-devel
BuildRequires: zlib-devel
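Review bot: renumbering the two kept virtio-pci patches from Patch0008/Patch0009 to Patch0006/Patch0007 has to be mirrored in %prep, and the later hunk does that by removing `%patch0008 -p1` through `%patch0010 -p1` while keeping `%patch0006 -p1` and `%patch0007 -p1`, so the numbers line up. The `# Fix crash on migration/snapshot (bz #1144490)` comment still applies to the two remaining patches, but the other three patches of that fix are no longer carried; a short comment saying they went upstream in 2.1.2 would avoid confusion when the next rebase drops these two as well.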
@ -740,9 +737,6 @@ CAC emulation development files.
# Fix crash on migration/snapshot (bz #1144490)
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%build
@ -1522,6 +1516,10 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Fri Sep 26 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.2-1
- Rebased to version 2.1.2
- CVE-2014-3640 qemu: slirp: NULL pointer (bz #1144821, bz #1144818)
* Sun Sep 21 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.1-2
- Fix crash on migration/snapshot (bz #1144490)
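Review bot: the CVE-2014-3640 line has no corresponding Patch entry anywhere in the spec, so the fix must come with the 2.1.2 tarball itself; please say so in the changelog entry (for example "fixed by the 2.1.2 rebase") so that bz #1144821 and bz #1144818 can be closed against a specific upstream change rather than a bare version number.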


@ -1 +1 @@
78b1b51bfa2eee424e1bfdf3b66daa64 qemu-2.1.1.tar.bz2
0ff197c4ed4b695620bc4734e77c888f qemu-2.1.2.tar.bz2
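Review bot: this line only swaps the MD5 of the new tarball. An MD5 pins which file was uploaded to the lookaside cache but is not collision resistant and says nothing about whether qemu-2.1.2.tar.bz2 matched upstream's release signature, so the commit message should record that the upstream signature was verified before the hash was taken; that is the only point in this rebase where the integrity of the new source is established.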