From 723d95470d87017f54e3f216fa652e94c9abf625 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Thu, 11 Sep 2014 15:58:04 -0400 Subject: [PATCH] Rebased to version 2.1.1 CVE-2014-5388: out of bounds memory access (bz #1132962, bz #1132956) CVE-2014-3615 crash when guest sets high resolution (bz #1139121, bz #1139115) --- ...ader-Add-load_image_gzipped-function.patch | 20 ++++++---- ...rnel-option-to-take-a-gzip-compresse.patch | 40 ++++++------------- ...003-block.curl-adding-timeout-option.patch | 10 ++--- ...kie-or-cookies-to-be-sent-with-http-.patch | 12 +++--- ...ref-NULL-pointer-in-call-to-aio_poll.patch | 8 ++-- qemu.spec | 39 ++++++++++-------- sources | 2 +- 7 files changed, 60 insertions(+), 71 deletions(-) rename 0001-block.curl-adding-timeout-option.patch => 0003-block.curl-adding-timeout-option.patch (96%) rename 0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch => 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch (94%) rename 0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch => 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch (93%) diff --git a/0001-loader-Add-load_image_gzipped-function.patch b/0001-loader-Add-load_image_gzipped-function.patch index 5be7cd9..4358d91 100644 --- a/0001-loader-Add-load_image_gzipped-function.patch +++ b/0001-loader-Add-load_image_gzipped-function.patch @@ -1,7 +1,7 @@ -From ddf2a3a69486376897ae654c8f1f0aa8cbae6c24 Mon Sep 17 00:00:00 2001 +From 031f135c71ab705914f378d19067d1f1f25e744f Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" -Date: Mon, 4 Aug 2014 12:25:08 +0100 -Subject: [PATCH 1/2] loader: Add load_image_gzipped function. +Date: Tue, 19 Aug 2014 18:56:28 +0100 +Subject: [PATCH] loader: Add load_image_gzipped function. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -11,13 +11,20 @@ gzipped. It is uncompressed before storing it in guest memory. 
Signed-off-by: Richard W.M. Jones Reviewed-by: Alex Bennée +Reviewed-by: Peter Crosthwaite +Reviewed-by: Alex Bennée +Message-id: 1407831259-2115-2-git-send-email-rjones@redhat.com +[PMM: removed stray space before ')'] +Signed-off-by: Peter Maydell + +(cherry picked from commit 235e74afcb85285a8e35e75f0cb6e6811267bb75) --- hw/core/loader.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ include/hw/loader.h | 1 + 2 files changed, 49 insertions(+) diff --git a/hw/core/loader.c b/hw/core/loader.c -index 2bf6b8f..83136e8 100644 +index 2bf6b8f..0fde699 100644 --- a/hw/core/loader.c +++ b/hw/core/loader.c @@ -577,6 +577,54 @@ int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz) @@ -47,7 +54,7 @@ index 2bf6b8f..83136e8 100644 + /* Is it a gzip-compressed file? */ + if (len < 2 || + compressed_data[0] != 0x1f || -+ compressed_data[1] != 0x8b ) { ++ compressed_data[1] != 0x8b) { + goto out; + } + @@ -87,6 +94,3 @@ index 796cbf9..00c9117 100644 #define ELF_LOAD_FAILED -1 #define ELF_LOAD_NOT_ELF -2 --- -2.0.4 - diff --git a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch index d2521c1..1702946 100644 --- a/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch +++ b/0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch @@ -1,7 +1,7 @@ -From fc77c3116f7e4b3400e576c51e73ade2edee350a Mon Sep 17 00:00:00 2001 +From 0f688b169496a2f85fe092eae3f385511946bf3f Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" -Date: Tue, 29 Jul 2014 23:32:31 +0100 -Subject: [PATCH 2/2] aarch64: Allow -kernel option to take a gzip-compressed +Date: Tue, 19 Aug 2014 18:56:28 +0100 +Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed kernel. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -25,36 +25,25 @@ Currently this is only done when emulating aarch64. 
Signed-off-by: Richard W.M. Jones Reviewed-by: Alex Bennée +Reviewed-by: Peter Crosthwaite +Reviewed-by: Alex Bennée +Message-id: 1407831259-2115-3-git-send-email-rjones@redhat.com +Signed-off-by: Peter Maydell +(cherry picked from commit 6f5d3cbe8892367026526a7deed0ceecc700a7ad) --- - hw/arm/boot.c | 9 +++++++++ - 1 file changed, 9 insertions(+) + hw/arm/boot.c | 7 +++++++ + 1 file changed, 7 insertions(+) diff --git a/hw/arm/boot.c b/hw/arm/boot.c -index 1241761..c71c4d5 100644 +index 3d1f4a2..b7d60aa 100644 --- a/hw/arm/boot.c +++ b/hw/arm/boot.c -@@ -448,6 +448,7 @@ static void do_cpu_reset(void *opaque) - void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) - { - CPUState *cs = CPU(cpu); -+ int allow_compressed_kernels = 0; - int kernel_size; - int initrd_size; - int is_linux = 0; -@@ -469,6 +470,7 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) - primary_loader = bootloader_aarch64; - kernel_load_offset = KERNEL64_LOAD_ADDR; - elf_machine = EM_AARCH64; -+ allow_compressed_kernels = 1; - } else { - primary_loader = bootloader; - kernel_load_offset = KERNEL_LOAD_ADDR; -@@ -514,6 +516,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) +@@ -510,6 +510,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info) kernel_size = load_uimage(info->kernel_filename, &entry, NULL, &is_linux); } + /* On aarch64, it's the bootloader's job to uncompress the kernel. */ -+ if (allow_compressed_kernels && kernel_size < 0) { ++ if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) { + entry = info->loader_start + kernel_load_offset; + kernel_size = load_image_gzipped(info->kernel_filename, entry, + info->ram_size - kernel_load_offset); @@ -63,6 +52,3 @@ index 1241761..c71c4d5 100644 if (kernel_size < 0) { entry = info->loader_start + kernel_load_offset; kernel_size = load_image_targphys(info->kernel_filename, entry, --- -2.0.4 - 
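Review bot: The size cap passed as the third argument to load_image_gzipped in the rebased 0002 patch, `info->ram_size - kernel_load_offset`, has no guard for `info->ram_size < kernel_load_offset`; the operand types are not visible here, but if both are unsigned (as hwaddr-style fields usually are) the subtraction wraps to a huge value instead of failing. A guest configured with less RAM than the load offset would then hand the loader an effectively unbounded limit, so the new branch would be safer as `if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0 && info->ram_size > kernel_load_offset) {` or with an explicit error before the call. arm_load_kernel starts and ends outside this hunk, and since the carried body is the cherry-picked upstream commit the change belongs upstream first and in this patch file second.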
diff --git a/0001-block.curl-adding-timeout-option.patch b/0003-block.curl-adding-timeout-option.patch similarity index 96% rename from 0001-block.curl-adding-timeout-option.patch rename to 0003-block.curl-adding-timeout-option.patch index a52d6bd..1cfbc69 100644 --- a/0001-block.curl-adding-timeout-option.patch +++ b/0003-block.curl-adding-timeout-option.patch @@ -1,4 +1,4 @@ -From 212aefaa53d142baa9a22f5aadd2e72eb916c0c0 Mon Sep 17 00:00:00 2001 +From 04ca8ab4dfca981ab0f1f6744286e8a84e0fccca Mon Sep 17 00:00:00 2001 From: Daniel Henrique Barboza Date: Wed, 13 Aug 2014 12:44:27 -0300 Subject: [PATCH] block.curl: adding 'timeout' option @@ -17,13 +17,14 @@ Signed-off-by: Daniel Henrique Barboza Reviewed-by: Benoit Canet Tested-by: Richard W.M. Jones Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 212aefaa53d142baa9a22f5aadd2e72eb916c0c0) --- block/curl.c | 13 ++++++++++++- qemu-options.hx | 10 ++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/block/curl.c b/block/curl.c -index d4b85d2..2698ae3 100644 +index 79ff2f1..6f45547 100644 --- a/block/curl.c +++ b/block/curl.c @@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, @@ -82,7 +83,7 @@ index d4b85d2..2698ae3 100644 file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL); diff --git a/qemu-options.hx b/qemu-options.hx -index c573dd8..52d56f4 100644 +index 1549625..dcb008b 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k. @@ -110,6 +111,3 @@ index c573dd8..52d56f4 100644 qemu-system-x86_64 -drive file=/tmp/test.qcow2 @end example --- -2.0.4 - diff --git a/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch similarity index 94% rename from 0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch rename to 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch index 281cb42..345b94d 100644 
--- a/0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch +++ b/0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch @@ -1,4 +1,4 @@ -From a94f83d94fdf907680f068f1be7ad13d1f697067 Mon Sep 17 00:00:00 2001 +From dde3e0ef0b9f2ffd68b6bd348ccb46d8fb35f84c Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Fri, 29 Aug 2014 16:03:12 +0100 Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https @@ -24,13 +24,14 @@ disk size: unavailable Signed-off-by: Richard W.M. Jones Signed-off-by: Stefan Hajnoczi +(cherry picked from commit a94f83d94fdf907680f068f1be7ad13d1f697067) --- block/curl.c | 16 ++++++++++++++++ qemu-options.hx | 5 +++++ 2 files changed, 21 insertions(+) diff --git a/block/curl.c b/block/curl.c -index 2698ae3..9051bc0 100644 +index 6f45547..537e257 100644 --- a/block/curl.c +++ b/block/curl.c @@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle, @@ -97,7 +98,7 @@ index 2698ae3..9051bc0 100644 g_free(s->url); qemu_opts_del(opts); return -EINVAL; -@@ -695,6 +710,7 @@ static void curl_close(BlockDriverState *bs) +@@ -689,6 +704,7 @@ static void curl_close(BlockDriverState *bs) DPRINTF("CURL: Close\n"); curl_detach_aio_context(bs); @@ -106,7 +107,7 @@ index 2698ae3..9051bc0 100644 } diff --git a/qemu-options.hx b/qemu-options.hx -index 52d56f4..5479cf5 100644 +index dcb008b..53b6171 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k. @@ -121,6 +122,3 @@ index 52d56f4..5479cf5 100644 @item timeout Set the timeout in seconds of the CURL connection. This timeout is the time that CURL waits for a response from the remote server to get the size of the --- -2.0.4 - 
diff --git a/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch similarity index 93% rename from 0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch rename to 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch index f8ef3c8..594dc3f 100644 --- a/0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch +++ b/0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch @@ -1,4 +1,4 @@ -From a2f468e48f8b6559ec9123e94948bc373b788941 Mon Sep 17 00:00:00 2001 +From 1ea3e3a38b5bdb144a7206654c51f8f4768077f3 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Thu, 28 Aug 2014 09:04:21 +0100 Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll. @@ -30,12 +30,13 @@ Signed-off-by: Richard W.M. Jones Reviewed-by: Paolo Bonzini Reviewed-by: Benoît Canet Signed-off-by: Stefan Hajnoczi +(cherry picked from commit a2f468e48f8b6559ec9123e94948bc373b788941) --- block/curl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/block/curl.c b/block/curl.c -index 9051bc0..0258339 100644 +index 537e257..d28b701 100644 --- a/block/curl.c +++ b/block/curl.c @@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg) @@ -74,6 +75,3 @@ index 9051bc0..0258339 100644 if (!state) { acb->common.cb(acb->common.opaque, -EIO); qemu_aio_release(acb); --- -2.0.4 - diff --git a/qemu.spec b/qemu.spec index 6a01fff..17a44eb 100644 --- a/qemu.spec +++ b/qemu.spec @@ -151,8 +151,8 @@ Summary: QEMU is a FAST! processor emulator Name: qemu -Version: 2.1.0 -Release: 6%{?dist} +Version: 2.1.1 +Release: 1%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools 
@@ -192,16 +192,13 @@ Source12: bridge.conf
 # qemu-kvm back compat wrapper
 Source13: qemu-kvm.sh
 
-# Upstream commit: 235e74afcb85285a8e35e75f0cb6e6811267bb75
-Patch1: 0001-loader-Add-load_image_gzipped-function.patch
-# Upstream commit: 6f5d3cbe8892367026526a7deed0ceecc700a7ad
-Patch2: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
-# Upstream commit: 212aefaa53d142baa9a22f5aadd2e72eb916c0c0
-Patch3: 0001-block.curl-adding-timeout-option.patch
-# Upstream commit: a94f83d94fdf907680f068f1be7ad13d1f697067
-Patch4: 0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
-# Upstream commit: a2f468e48f8b6559ec9123e94948bc373b788941
-Patch5: 0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
+# Allow aarch64 to boot compressed kernel
+Patch0001: 0001-loader-Add-load_image_gzipped-function.patch
+Patch0002: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
+# Fix crash in curl driver
+Patch0003: 0003-block.curl-adding-timeout-option.patch
+Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
+Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -727,11 +724,13 @@ CAC emulation development files.
 %prep
 %setup -q
 
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
+# Allow aarch64 to boot compressed kernel
+%patch0001 -p1
+%patch0002 -p1
+# Fix crash in curl driver
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
 
 %build
 
@@ -1511,6 +1510,12 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Thu Sep 11 2014 Cole Robinson - 2:2.1.1-1
+- Rebased to version 2.1.1
+- CVE-2014-5388: out of bounds memory access (bz #1132962, bz #1132956)
+- CVE-2014-3615 crash when guest sets high resolution (bz #1139121, bz
+ #1139115)
+
 * Wed Sep 3 2014 Richard W.M. Jones 2:2.1.0-6
 - Add upstream patches to:
 * Fix crash in curl driver.
diff --git a/sources b/sources
index 1db3d6d..bb54534 100644
--- a/sources
+++ b/sources
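Review bot: The grouping comment `# Fix crash in curl driver` placed above Patch0003 and Patch0004 misdescribes them: by their own subjects in this commit, 0003 adds the curl 'timeout' option and 0004 adds cookie support, and only 0005 is the NULL-dereference fix. If 0003 and 0004 are carried because 0005 does not apply cleanly without them, the comment should say so, e.g. `# curl: timeout and cookie options (prerequisites for the NULL-deref fix in 0005)`, and the same wording is repeated in the %prep hunk so both places need it. Dropping the `# Upstream commit:` lines is reasonable now that each patch file carries a `(cherry picked from commit ...)` trailer, but the spec no longer lists the upstream commit ids in one place, which is what a reader auditing the backports would look for.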
@@ -1 +1 @@
-6726977292b448cbc7f89998fac6983b qemu-2.1.0.tar.bz2
+78b1b51bfa2eee424e1bfdf3b66daa64 qemu-2.1.1.tar.bz2