From a3fa63d2ce15f58d5bfe8d4b3a0de1d8212e9df6 Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Mon, 21 Sep 2015 18:19:06 -0400 Subject: [PATCH] Fix typo causing qemu-img to link against entire world (bz #1260996) CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) CVE-2015-6855: ide: divide by zero issue (bz #1261793) CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) Make block copy more stable (bz #1264416) Fix hang at start of live merge for large images (bz #1262901) --- ...cipher-vcipherlast-vncipherlast-and-.patch | 98 ------------ ...c-fix-xscmpodp-and-xscmpudp-decoding.patch | 53 ------- ...-qemu-img-to-link-against-entire-wor.patch | 30 ++++ 0007-fix-quorum-libs.patch | 12 -- ...nite-loop-in-processing-transmit-des.patch | 35 +++++ 0009-ide-fix-ATAPI-command-permissions.patch | 141 ++++++++++++++++++ ...te-loop-when-receiving-packets-CVE-2.patch | 32 ++++ ...o-validate-ring-buffer-pointers-CVE-.patch | 67 +++++++++ ...irror-limit-qiov-to-IOV_MAX-elements.patch | 60 ++++++++ ...ep-periodically-during-bitmap-scanni.patch | 57 +++++++ qemu.spec | 32 +++- 11 files changed, 447 insertions(+), 170 deletions(-) delete mode 100644 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch delete mode 100644 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch create mode 100644 0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch delete mode 100644 0007-fix-quorum-libs.patch create mode 100644 0008-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch create mode 100644 0009-ide-fix-ATAPI-command-permissions.patch create mode 100644 0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch create mode 100644 0011-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch create mode 100644 0012-block-mirror-limit-qiov-to-IOV_MAX-elements.patch create mode 100644 0013-block-mirror-Sleep-periodically-during-bitmap-scanni.patch 
diff --git a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch b/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch deleted file mode 100644 index 2b099a4..0000000 --- a/0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From d233fc09d20fa24f6ee03f8505333d73f559eacf Mon Sep 17 00:00:00 2001 -From: Aurelien Jarno -Date: Sun, 13 Sep 2015 23:03:44 +0200 -Subject: [PATCH 1/2] target-ppc: fix vcipher, vcipherlast, vncipherlast and - vpermxor - -For vector instructions, the helpers get pointers to the vector register -in arguments. Some operands might point to the same register, including -the operand holding the result. - -When emulating instructions which access the vector elements in a -non-linear way, we need to store the result in an temporary variable. - -This fixes openssl when emulating a POWER8 CPU. - -Cc: Tom Musta -Cc: Alexander Graf -Cc: qemu-stable@nongnu.org -Signed-off-by: Aurelien Jarno ---- - target-ppc/int_helper.c | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/target-ppc/int_helper.c b/target-ppc/int_helper.c -index 0a55d5e..b122868 100644 ---- a/target-ppc/int_helper.c -+++ b/target-ppc/int_helper.c -@@ -2327,24 +2327,28 @@ void helper_vsbox(ppc_avr_t *r, ppc_avr_t *a) - - void helper_vcipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u32) { -- r->AVRW(i) = b->AVRW(i) ^ -+ result.AVRW(i) = b->AVRW(i) ^ - (AES_Te0[a->AVRB(AES_shifts[4*i + 0])] ^ - AES_Te1[a->AVRB(AES_shifts[4*i + 1])] ^ - AES_Te2[a->AVRB(AES_shifts[4*i + 2])] ^ - AES_Te3[a->AVRB(AES_shifts[4*i + 3])]); - } -+ *r = result; - } - - void helper_vcipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - VECTOR_FOR_INORDER_I(i, u8) { -- r->AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); -+ result.AVRB(i) = b->AVRB(i) ^ (AES_sbox[a->AVRB(AES_shifts[i])]); - } -+ *r = result; - } - - void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) -@@ -2369,11 +2373,13 @@ void helper_vncipher(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - - void helper_vncipherlast(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b) - { -+ ppc_avr_t result; - int i; - - 
VECTOR_FOR_INORDER_I(i, u8) { -- r->AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]); -+ result.AVRB(i) = b->AVRB(i) ^ (AES_isbox[a->AVRB(AES_ishifts[i])]); - } -+ *r = result; - } - - #define ROTRu32(v, n) (((v) >> (n)) | ((v) << (32-n))) -@@ -2460,16 +2466,19 @@ void helper_vshasigmad(ppc_avr_t *r, ppc_avr_t *a, uint32_t st_six) - - void helper_vpermxor(ppc_avr_t *r, ppc_avr_t *a, ppc_avr_t *b, ppc_avr_t *c) - { -+ ppc_avr_t result; - int i; -+ - VECTOR_FOR_INORDER_I(i, u8) { - int indexA = c->u8[i] >> 4; - int indexB = c->u8[i] & 0xF; - #if defined(HOST_WORDS_BIGENDIAN) -- r->u8[i] = a->u8[indexA] ^ b->u8[indexB]; -+ result.u8[i] = a->u8[indexA] ^ b->u8[indexB]; - #else -- r->u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; -+ result.u8[i] = a->u8[15-indexA] ^ b->u8[15-indexB]; - #endif - } -+ *r = result; - } - - #undef VECTOR_FOR_INORDER_I --- -2.5.0 - diff --git a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch b/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch deleted file mode 100644 index 94e7b83..0000000 --- a/0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From d539a02e18916c558985f26cf37af1e83851d9fd Mon Sep 17 00:00:00 2001 -From: Aurelien Jarno -Date: Sun, 13 Sep 2015 23:03:45 +0200 -Subject: [PATCH 2/2] target-ppc: fix xscmpodp and xscmpudp decoding - -The xscmpodp and xscmpudp instructions only have the AX, BX bits in -there encoding, the lowest bit (usually TX) is marked as an invalid -bit. We therefore can't decode them with GEN_XX2FORM, which decodes -the two lowest bit. - -Introduce a new form GEN_XX2FORM, which decodes AX and BX and mark -the lowest bit as invalid. - -Cc: Tom Musta -Cc: Alexander Graf -Cc: qemu-stable@nongnu.org -Signed-off-by: Aurelien Jarno ---- - target-ppc/translate.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/target-ppc/translate.c b/target-ppc/translate.c -index 84c5cea..c0eed13 100644 ---- a/target-ppc/translate.c -+++ b/target-ppc/translate.c -@@ -10670,6 +10670,13 @@ GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 0, PPC_NONE, fl2), \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 0, PPC_NONE, fl2), \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 0, PPC_NONE, fl2) - -+#undef GEN_XX2IFORM -+#define GEN_XX2IFORM(name, opc2, opc3, fl2) \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 1, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 2, opc3, 1, PPC_NONE, fl2), \ -+GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 3, opc3, 1, PPC_NONE, fl2) -+ - #undef GEN_XX3_RC_FORM - #define GEN_XX3_RC_FORM(name, opc2, opc3, fl2) \ - GEN_HANDLER2_E(name, #name, 0x3C, opc2 | 0x00, opc3 | 0x00, 0, PPC_NONE, fl2), \ -@@ -10731,8 +10738,8 @@ GEN_XX3FORM(xsnmaddadp, 0x04, 0x14, PPC2_VSX), - GEN_XX3FORM(xsnmaddmdp, 0x04, 0x15, PPC2_VSX), - GEN_XX3FORM(xsnmsubadp, 0x04, 0x16, PPC2_VSX), - GEN_XX3FORM(xsnmsubmdp, 0x04, 0x17, PPC2_VSX), --GEN_XX2FORM(xscmpodp, 0x0C, 0x05, PPC2_VSX), --GEN_XX2FORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), -+GEN_XX2IFORM(xscmpodp, 
0x0C, 0x05, PPC2_VSX), -+GEN_XX2IFORM(xscmpudp, 0x0C, 0x04, PPC2_VSX), - GEN_XX3FORM(xsmaxdp, 0x00, 0x14, PPC2_VSX), - GEN_XX3FORM(xsmindp, 0x00, 0x15, PPC2_VSX), - GEN_XX2FORM(xscvdpsp, 0x12, 0x10, PPC2_VSX), --- -2.5.0 - diff --git a/0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch b/0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch new file mode 100644 index 0000000..f8cd956 --- /dev/null +++ b/0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch @@ -0,0 +1,30 @@ +From: Cole Robinson +Date: Tue, 8 Sep 2015 12:43:59 -0400 +Subject: [PATCH] Fix typo causing qemu-img to link against entire world (rhbz + #1260996) + +This is a minimal fix that's not upstream in this form. Upstream was +accidentally fixed with: + +commit 488981a4af396551a3178d032cc2b41d9553ada2 +Author: Daniel P. Berrange +Date: Wed Jul 1 18:10:35 2015 +0100 + + block: convert quorum blockdrv to use crypto APIs +--- + configure | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure b/configure +index 6969f6f..adbe117 100755 +--- a/configure ++++ b/configure +@@ -2323,7 +2323,7 @@ quorum_tls_libs=`$pkg_config --libs gnutls 2> /dev/null` + if compile_prog "$quorum_tls_cflags" "$quorum_tls_libs" ; then + qcow_tls=yes + libs_softmmu="$quorum_tls_libs $libs_softmmu" +- libs_tools="$quorum_tls_libs $libs_softmmu" ++ libs_tools="$quorum_tls_libs $libs_tools" + QEMU_CFLAGS="$QEMU_CFLAGS $quorum_tls_cflags" + quorum="yes" + else diff --git a/0007-fix-quorum-libs.patch b/0007-fix-quorum-libs.patch deleted file mode 100644 index 499a4e8..0000000 --- a/0007-fix-quorum-libs.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff -rup qemu-2.3.1/configure qemu-2.3.1.new/configure ---- qemu-2.3.1/configure 2015-08-11 20:19:07.000000000 +0100 -+++ qemu-2.3.1.new/configure 2015-09-08 12:40:44.694091584 +0100 -@@ -2323,7 +2323,7 @@ quorum_tls_libs=`$pkg_config --libs gnut - if compile_prog "$quorum_tls_cflags" "$quorum_tls_libs" ; then - qcow_tls=yes - libs_softmmu="$quorum_tls_libs $libs_softmmu" -- libs_tools="$quorum_tls_libs $libs_softmmu" -+ libs_tools="$quorum_tls_libs $libs_tools" - QEMU_CFLAGS="$QEMU_CFLAGS $quorum_tls_cflags" - quorum="yes" - else diff --git a/0008-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch b/0008-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch new file mode 100644 index 0000000..3d2b254 --- /dev/null +++ b/0008-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch 
@@ -0,0 +1,35 @@
+From: P J P
+Date: Fri, 4 Sep 2015 17:21:06 +0100
+Subject: [PATCH] e1000: Avoid infinite loop in processing transmit descriptor
+ (CVE-2015-6815)
+
+While processing transmit descriptors, it could lead to an infinite
+loop if 'bytes' was to become zero; Add a check to avoid it.
+
+[The guest can force 'bytes' to 0 by setting the hdr_len and mss
+descriptor fields to 0.
+--Stefan]
+
+Signed-off-by: P J P
+Signed-off-by: Stefan Hajnoczi
+Reviewed-by: Thomas Huth
+Message-id: 1441383666-6590-1-git-send-email-stefanha@redhat.com
+(cherry picked from commit b947ac2bf26479e710489739c465c8af336599e7)
+---
+ hw/net/e1000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index 091d61a..f02b9ce 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -737,7 +737,8 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
+ memmove(tp->data, tp->header, tp->hdr_len);
+ tp->size = tp->hdr_len;
+ }
+- } while (split_size -= bytes);
++ split_size -= bytes;
++ } while (bytes && split_size);
+ } else if (!tp->tse && tp->cptse) {
+ // context descriptor TSE is not set, while data descriptor TSE is set
+ DBGOUT(TXERR, "TCP segmentation error\n");
diff --git a/0009-ide-fix-ATAPI-command-permissions.patch b/0009-ide-fix-ATAPI-command-permissions.patch
new file mode 100644
index 0000000..2b7d001
--- /dev/null
+++ b/0009-ide-fix-ATAPI-command-permissions.patch
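Review bot: The new loop condition ends process_tx_desc's descriptor loop silently when a guest-controlled hdr_len/mss drives `bytes` to 0, so a malformed descriptor is partially processed with no diagnostic, unlike the TSE-mismatch branch just below it which reports via DBGOUT(TXERR, ...). Making the zero case explicit before the subtraction, `if (bytes == 0) { DBGOUT(TXERR, "zero-length TX segment, dropping descriptor\n"); break; }`, keeps the loop bounded and records why the frame was abandoned. Whether the partially assembled tp->data is still handed on after the loop cannot be judged from here, since process_tx_desc begins and ends outside the hunk.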
@@ -0,0 +1,141 @@ +From: John Snow +Date: Thu, 17 Sep 2015 14:17:05 -0400 +Subject: [PATCH] ide: fix ATAPI command permissions + +We're a little too lenient with what we'll let an ATAPI drive handle. +Clamp down on the IDE command execution table to remove CD_OK permissions +from commands that are not and have never been ATAPI commands. + +For ATAPI command validity, please see: +- ATA4 Section 6.5 ("PACKET Command feature set") +- ATA8/ACS Section 4.3 ("The PACKET feature set") +- ACS3 Section 4.3 ("The PACKET feature set") + +ACS3 has a historical command validity table in Table B.4 +("Historical Command Assignments") that can be referenced to find when +a command was introduced, deprecated, obsoleted, etc. + +The only reference for ATAPI command validity is by checking that +version's PACKET feature set section. + +ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4 +therefore are assumed to have never been ATAPI commands. + +Mandatory commands, as listed in ATA8-ACS3, are: + +- DEVICE RESET +- EXECUTE DEVICE DIAGNOSTIC +- IDENTIFY DEVICE +- IDENTIFY PACKET DEVICE +- NOP +- PACKET +- READ SECTOR(S) +- SET FEATURES + +Optional commands as listed in ATA8-ACS3, are: + +- FLUSH CACHE +- READ LOG DMA EXT +- READ LOG EXT +- WRITE LOG DMA EXT +- WRITE LOG EXT + +All other commands are illegal to send to an ATAPI device and should +be rejected by the device. + +CD_OK removal justifications: + +0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI. +0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4. +0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI. +0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI. +0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI. +0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI. +0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI. +0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI. 
+0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3. +0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3. +0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3. +0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3. +0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS. + +This patch fixes a divide by zero fault that can be caused by sending +the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to +attempt to use zeroed CHS values to perform sector arithmetic. + +Reported-by: Qinghao Tang +Signed-off-by: John Snow +Reviewed-by: Markus Armbruster +Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com +CC: qemu-stable@nongnu.org +(cherry picked from commit d9033e1d3aa666c5071580617a57bd853c5d794a) +--- + hw/ide/core.c | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +diff --git a/hw/ide/core.c b/hw/ide/core.c +index 822519b..90e103f 100644 +--- a/hw/ide/core.c ++++ b/hw/ide/core.c +@@ -1747,11 +1747,11 @@ static const struct { + } ide_cmd_table[0x100] = { + /* NOP not implemented, mandatory for CD */ + [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, +- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, ++ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, + [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, + [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, + [WIN_READ] = { cmd_read_pio, ALL_OK }, +- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, ++ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, + [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, + [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, +@@ -1770,12 +1770,12 @@ static const struct { + [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK }, + [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, 
ALL_OK }, + [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, +- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK }, + [WIN_PACKETCMD] = { cmd_packet, CD_OK }, + [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, + [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC }, +@@ -1789,19 +1789,19 @@ static const struct { + [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, + [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, + [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, +- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, +- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, +- [WIN_STANDBY] = { cmd_nop, ALL_OK }, +- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, +- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, +- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, ++ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, ++ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, ++ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, ++ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, ++ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, + [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, + [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, + [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, + [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, + [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, + [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC }, +- [WIN_READ_NATIVE_MAX] = { 
cmd_read_native_max, ALL_OK | SET_DSC }, ++ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, + }; + + static bool ide_cmd_permitted(IDEState *s, uint32_t cmd) diff --git a/0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch b/0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch new file mode 100644 index 0000000..c1f70ca --- /dev/null +++ b/0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch @@ -0,0 +1,32 @@ +From: P J P +Date: Tue, 15 Sep 2015 16:46:59 +0530 +Subject: [PATCH] net: avoid infinite loop when receiving + packets(CVE-2015-5278) + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. While receiving packets +via ne2000_receive() routine, a local 'index' variable +could exceed the ring buffer size, leading to an infinite +loop situation. + +Reported-by: Qinghao Tang +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 737d2b3c41d59eb8f94ab7eb419b957938f24943) +--- + hw/net/ne2000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 3492db3..44a4264 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -253,7 +253,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + if (index <= s->stop) + avail = s->stop - index; + else +- avail = 0; ++ break; + len = size; + if (len > avail) + len = avail; diff --git a/0011-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch b/0011-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch new file mode 100644 index 0000000..d197a7e --- /dev/null +++ b/0011-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch 
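Review bot: The divide-by-zero named in the description is prevented here only by denying ATAPI devices the WIN_READ_NATIVE_MAX entry in ide_cmd_table; the CHS arithmetic in cmd_read_native_max itself (outside this hunk) keeps no guard of its own, so any other path that reaches it with the drive's head or sector count at zero would still fault. A defensive check in that function that rejects the command with an ABRT error when either geometry field is zero would make the fix independent of the permission table, which is easy to loosen again in a future table edit. The entries left at ALL_OK (WIN_READ, WIN_DIAGNOSE, WIN_FLUSH_CACHE, WIN_IDENTIFY, WIN_SETFEATURES) match the mandatory/optional PACKET command list in the description, so the table change itself reads as consistent. ide_cmd_permitted, which consults the table, starts outside the hunk.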
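Review bot: The new `break` covers only the index > s->stop case and leaves the sibling case open: a ring programmed with s->start == s->stop yields avail == 0 once index reaches s->stop, and if the rest of ne2000_receive (outside the hunk) still wraps index back to s->start on hitting s->stop, the loop repeats without ever consuming `size`. Refusing a packet up front when `s->start >= s->stop`, using the same return the function's existing drop path uses, would remove the dependency on the guest keeping the ring registers sane; the companion patch in this series validates start and stop individually but not their ordering. A comment on the break, `/* index is outside the ring: registers are inconsistent, stop copying */`, would also help, because a bare break in a receive loop reads like an accidental truncation.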
@@ -0,0 +1,67 @@ +From: P J P +Date: Tue, 15 Sep 2015 16:40:49 +0530 +Subject: [PATCH] net: add checks to validate ring buffer + pointers(CVE-2015-5279) + +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) +bytes to process network packets. While receiving packets +via ne2000_receive() routine, a local 'index' variable +could exceed the ring buffer size, which could lead to a +memory buffer overflow. Added other checks at initialisation. + +Reported-by: Qinghao Tang +Signed-off-by: P J P +Signed-off-by: Stefan Hajnoczi +(cherry picked from commit 9bbdbc66e5765068dce76e9269dce4547afd8ad4) +--- + hw/net/ne2000.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 44a4264..2bdb4c9 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -230,6 +230,9 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + } + + index = s->curpag << 8; ++ if (index >= NE2000_PMEM_END) { ++ index = s->start; ++ } + /* 4 bytes for header */ + total_len = size + 4; + /* address for next packet (4 bytes for CRC) */ +@@ -315,13 +318,19 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + offset = addr | (page << 4); + switch(offset) { + case EN0_STARTPG: +- s->start = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->start = val << 8; ++ } + break; + case EN0_STOPPG: +- s->stop = val << 8; ++ if (val << 8 <= NE2000_PMEM_END) { ++ s->stop = val << 8; ++ } + break; + case EN0_BOUNDARY: +- s->boundary = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->boundary = val; ++ } + break; + case EN0_IMR: + s->imr = val; +@@ -362,7 +371,9 @@ static void ne2000_ioport_write(void *opaque, uint32_t addr, uint32_t val) + s->phys[offset - EN1_PHYS] = val; + break; + case EN1_CURPAG: +- s->curpag = val; ++ if (val << 8 < NE2000_PMEM_END) { ++ s->curpag = val; ++ } + break; + case EN1_MULT ... EN1_MULT + 7: + s->mult[offset - EN1_MULT] = val; 
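Review bot: The new range checks are inconsistent in a way that matters: EN0_STARTPG and EN0_STOPPG accept `val << 8 <= NE2000_PMEM_END`, so s->start may be set to NE2000_PMEM_END itself, and the receive-side fallback `index = s->start` then points one past the end of the ring (only harmless because avail computes to 0 in that case). Using `<` for the start page, `if (val << 8 < NE2000_PMEM_END) { s->start = val << 8; }`, keeps every value that is used as a write offset inside the buffer; stop is an exclusive bound and can keep `<=`. The checks also do not relate start to stop and silently discard an out-of-range write with no log, and if these registers are also restored from migration state (not visible here) that path bypasses the write-time checks, so the receive-side guard is the one that must stay authoritative.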
diff --git a/0012-block-mirror-limit-qiov-to-IOV_MAX-elements.patch b/0012-block-mirror-limit-qiov-to-IOV_MAX-elements.patch new file mode 100644 index 0000000..0b365dd --- /dev/null +++ b/0012-block-mirror-limit-qiov-to-IOV_MAX-elements.patch 
@@ -0,0 +1,60 @@ +From: Stefan Hajnoczi +Date: Wed, 1 Jul 2015 15:45:50 +0100 +Subject: [PATCH] block/mirror: limit qiov to IOV_MAX elements + +If mirror has more free buffers than IOV_MAX, preadv(2)/pwritev(2) +EINVAL failures may be encountered. + +It is possible to trigger this by setting granularity to a low value +like 8192. + +This patch stops appending chunks once IOV_MAX is reached. + +The spurious EINVAL failure can be reproduced with a qcow2 image file +and the following QMP invocation: + + qmp.command('drive-mirror', device='virtio0', target='/tmp/r7.s1', + granularity=8192, sync='full', mode='absolute-paths', + format='raw') + +While the guest is running dd if=/dev/zero of=/var/tmp/foo oflag=direct +bs=4k. + +Cc: Jeff Cody +Signed-off-by: Stefan Hajnoczi +Reviewed-by: Paolo Bonzini +Message-id: 1435761950-26714-1-git-send-email-stefanha@redhat.com +Signed-off-by: Jeff Cody +(cherry picked from commit cae98cb87d269c33d23b2bccd79bb8d99a60d811) +--- + block/mirror.c | 4 ++++ + trace-events | 1 + + 2 files changed, 5 insertions(+) + +diff --git a/block/mirror.c b/block/mirror.c +index bd079a4..9407287 100644 +--- a/block/mirror.c ++++ b/block/mirror.c +@@ -248,6 +248,10 @@ static uint64_t coroutine_fn mirror_iteration(MirrorBlockJob *s) + trace_mirror_break_buf_busy(s, nb_chunks, s->in_flight); + break; + } ++ if (IOV_MAX < nb_chunks + added_chunks) { ++ trace_mirror_break_iov_max(s, nb_chunks, added_chunks); ++ break; ++ } + + /* We have enough free space to copy these sectors. 
*/ + bitmap_set(s->in_flight_bitmap, next_chunk, added_chunks); +diff --git a/trace-events b/trace-events +index 30eba92..6f992c4 100644 +--- a/trace-events ++++ b/trace-events +@@ -94,6 +94,7 @@ mirror_yield(void *s, int64_t cnt, int buf_free_count, int in_flight) "s %p dirt + mirror_yield_in_flight(void *s, int64_t sector_num, int in_flight) "s %p sector_num %"PRId64" in_flight %d" + mirror_yield_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d" + mirror_break_buf_busy(void *s, int nb_chunks, int in_flight) "s %p requested chunks %d in_flight %d" ++mirror_break_iov_max(void *s, int nb_chunks, int added_chunks) "s %p requested chunks %d added_chunks %d" + + # block/backup.c + backup_do_cow_enter(void *job, int64_t start, int64_t sector_num, int nb_sectors) "job %p start %"PRId64" sector_num %"PRId64" nb_sectors %d" diff --git a/0013-block-mirror-Sleep-periodically-during-bitmap-scanni.patch b/0013-block-mirror-Sleep-periodically-during-bitmap-scanni.patch new file mode 100644 index 0000000..f316c30 --- /dev/null +++ b/0013-block-mirror-Sleep-periodically-during-bitmap-scanni.patch 
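Review bot: The IOV_MAX guard breaks out before anything is queued whenever `nb_chunks + added_chunks` exceeds the limit, so on a pass where nb_chunks is still 0 a request whose added_chunks alone exceeds IOV_MAX would never be issued and the iteration would return with nothing in flight; added_chunks is computed outside the hunk, so whether it is bounded by the chunk granularity needs confirming (the 8192 reproducer suggests it is small, but the guard does not enforce it). If it is not bounded, that case needs an explicit cap or an assertion rather than a break. A one-line comment above the check, `/* preadv/pwritev fail with EINVAL above IOV_MAX elements */`, would record why the limit exists. mirror_iteration begins and ends outside the hunk.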
@@ -0,0 +1,57 @@ +From: Fam Zheng +Date: Wed, 13 May 2015 11:11:13 +0800 +Subject: [PATCH] block/mirror: Sleep periodically during bitmap scanning + +Before, we only yield after initializing dirty bitmap, where the QMP +command would return. That may take very long, and guest IO will be +blocked. + +Add sleep points like the later mirror iterations. + +Signed-off-by: Fam Zheng +Reviewed-by: Wen Congyang +Reviewed-by: Paolo Bonzini +Reviewed-by: Stefan Hajnoczi +Message-id: 1431486673-19280-1-git-send-email-famz@redhat.com +Signed-off-by: Jeff Cody +(cherry picked from commit 4c0cbd6fec7db182a6deb52d5a8a8e7b0c5cbe64) +--- + block/mirror.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/block/mirror.c b/block/mirror.c +index 9407287..6f1bc3c 100644 +--- a/block/mirror.c ++++ b/block/mirror.c +@@ -453,11 +453,23 @@ static void coroutine_fn mirror_run(void *opaque) + sectors_per_chunk = s->granularity >> BDRV_SECTOR_BITS; + mirror_free_init(s); + ++ last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME); + if (!s->is_none_mode) { + /* First part, loop on the sectors and initialize the dirty bitmap. */ + BlockDriverState *base = s->base; + for (sector_num = 0; sector_num < end; ) { + int64_t next = (sector_num | (sectors_per_chunk - 1)) + 1; ++ int64_t now = qemu_clock_get_ns(QEMU_CLOCK_REALTIME); ++ ++ if (now - last_pause_ns > SLICE_TIME) { ++ last_pause_ns = now; ++ block_job_sleep_ns(&s->common, QEMU_CLOCK_REALTIME, 0); ++ } ++ ++ if (block_job_is_cancelled(&s->common)) { ++ goto immediate_exit; ++ } ++ + ret = bdrv_is_allocated_above(bs, base, + sector_num, next - sector_num, &n); + +@@ -476,7 +488,6 @@ static void coroutine_fn mirror_run(void *opaque) + } + + bdrv_dirty_iter_init(bs, s->dirty_bitmap, &s->hbi); +- last_pause_ns = qemu_clock_get_ns(QEMU_CLOCK_REALTIME); + for (;;) { + uint64_t delay_ns = 0; + int64_t cnt; diff --git a/qemu.spec b/qemu.spec index 4c7c330..5c415ab 100644 --- a/qemu.spec +++ b/qemu.spec 
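Review bot: The new `goto immediate_exit` in the bitmap-initialisation loop reaches the common exit without assigning `ret`, so the job's completion status depends on whatever `ret` holds at that point; the declaration of ret and the immediate_exit label are both outside the hunk, so either confirm it is initialised before this loop or set it explicitly, `ret = 0;` before the goto, as the existing cancellation path presumably does. A why-comment on the sleep, `/* yield periodically so a long allocation scan doesn't starve guest I/O or the QMP reply */`, would make the intent of a 0-ns sleep clear to the next reader.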
@@ -43,7 +43,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.3.1 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools @@ -87,12 +87,21 @@ Patch0005: 0005-virtio-serial-fix-ANY_LAYOUT.patch # CVE-2015-5255: heap memory corruption in vnc_refresh_server_surface # (bz #1255899) Patch0006: 0006-vnc-fix-memory-corruption-CVE-2015-5225.patch -# Fix typo causing qemu-img to link against entire world (rhbz #1260996) -Patch0007: 0007-fix-quorum-libs.patch - -# Fix emulation of various instructions, required by libm in F22 ppc64 guests. -Patch0008: 0001-target-ppc-fix-vcipher-vcipherlast-vncipherlast-and-.patch -Patch0009: 0002-target-ppc-fix-xscmpodp-and-xscmpudp-decoding.patch +# Fix typo causing qemu-img to link against entire world (bz #1260996) +Patch0007: 0007-Fix-typo-causing-qemu-img-to-link-against-entire-wor.patch +# CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) +Patch0008: 0008-e1000-Avoid-infinite-loop-in-processing-transmit-des.patch +# CVE-2015-6855: ide: divide by zero issue (bz #1261793) +Patch0009: 0009-ide-fix-ATAPI-command-permissions.patch +# CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) +Patch0010: 0010-net-avoid-infinite-loop-when-receiving-packets-CVE-2.patch +# CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz +# #1263287) +Patch0011: 0011-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch +# Make block copy more stable (bz #1264416) +Patch0012: 0012-block-mirror-limit-qiov-to-IOV_MAX-elements.patch +# Fix hang at start of live merge for large images (bz #1262901) +Patch0013: 0013-block-mirror-Sleep-periodically-during-bitmap-scanni.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel 
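Review bot: The second hunk removes Patch0008 and Patch0009, the two target-ppc fixes added in 2:2.3.1-4 whose patch files this commit also deletes, while Version stays at 2.3.1; neither the commit message nor the new changelog entry mentions dropping them, so F22 ppc64 guests would regress on the libm emulation issue the -4 release fixed. If the removal is accidental (it looks like a stale base), restore the two Patch lines after the new Patch0013 and keep the files; if it is intentional, add a changelog line saying why. Adjacent context, not changed here: the comment for Patch0006 says CVE-2015-5255 while the file is named CVE-2015-5225, worth reconciling in a follow-up.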
@@ -1195,6 +1204,15 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Sep 21 2015 Cole Robinson - 2:2.3.1-5 +- Fix typo causing qemu-img to link against entire world (bz #1260996) +- CVE-2015-6815: net: e1000: infinite loop issue (bz #1260225) +- CVE-2015-6855: ide: divide by zero issue (bz #1261793) +- CVE-2015-5278: Infinite loop in ne2000_receive() (bz #1263284) +- CVE-2015-5279: Heap overflow vulnerability in ne2000_receive() (bz #1263287) +- Make block copy more stable (bz #1264416) +- Fix hang at start of live merge for large images (bz #1262901) + * Sun Sep 20 2015 Richard W.M. Jones - 2:2.3.1-4 - Fix emulation of various instructions, required by libm in F22 ppc64 guests.