Fix abort in abort in bdrv_error_action (bz #1277482)

Fix SSE4 emulation with accel=tcg (bz #1270703)
CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214)
CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543)
CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)

0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch

@@ -0,0 +1,61 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 3 Jun 2015 14:21:20 +0200
+Subject: [PATCH] atomics: add explicit compiler fence in __atomic memory
+ barriers
+
+__atomic_thread_fence does not include a compiler barrier; in the
+C++11 memory model, fences take effect in combination with other
+atomic operations.  GCC implements this by making __atomic_load and
+__atomic_store access memory as if the pointer was volatile, and
+leaves no trace whatsoever of acquire and release fences in the
+compiler's intermediate representation.
+
+In QEMU, we want memory barriers to act on all memory, but at the same
+time we would like to use __atomic_thread_fence for portability reasons.
+Add compiler barriers manually around the __atomic_thread_fence.
+
+Message-Id: <1433334080-14912-1-git-send-email-pbonzini@redhat.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 3bbf572345c65813f86a8fc434ea1b23beb08e16)
+---
+ include/qemu/atomic.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
+index 98e05ca..bd2c075 100644
+--- a/include/qemu/atomic.h
++++ b/include/qemu/atomic.h
+@@ -99,7 +99,13 @@
+ 
+ #ifndef smp_wmb
+ #ifdef __ATOMIC_RELEASE
+-#define smp_wmb()   __atomic_thread_fence(__ATOMIC_RELEASE)
++/* __atomic_thread_fence does not include a compiler barrier; instead,
++ * the barrier is part of __atomic_load/__atomic_store's "volatile-like"
++ * semantics. If smp_wmb() is a no-op, absence of the barrier means that
++ * the compiler is free to reorder stores on each side of the barrier.
++ * Add one here, and similarly in smp_rmb() and smp_read_barrier_depends().
++ */
++#define smp_wmb()   ({ barrier(); __atomic_thread_fence(__ATOMIC_RELEASE); barrier(); })
+ #else
+ #define smp_wmb()   __sync_synchronize()
+ #endif
+@@ -107,7 +113,7 @@
+ 
+ #ifndef smp_rmb
+ #ifdef __ATOMIC_ACQUIRE
+-#define smp_rmb()   __atomic_thread_fence(__ATOMIC_ACQUIRE)
++#define smp_rmb()   ({ barrier(); __atomic_thread_fence(__ATOMIC_ACQUIRE); barrier(); })
+ #else
+ #define smp_rmb()   __sync_synchronize()
+ #endif
+@@ -115,7 +121,7 @@
+ 
+ #ifndef smp_read_barrier_depends
+ #ifdef __ATOMIC_CONSUME
+-#define smp_read_barrier_depends()   __atomic_thread_fence(__ATOMIC_CONSUME)
++#define smp_read_barrier_depends()   ({ barrier(); __atomic_thread_fence(__ATOMIC_CONSUME); barrier(); })
+ #else
+ #define smp_read_barrier_depends()   barrier()
+ #endif

0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch

@@ -0,0 +1,40 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 12 Oct 2015 11:50:27 +0200
+Subject: [PATCH] target-i386: fix pcmpxstrx equal-ordered (strstr) mode
+
+In this mode, referring an invalid element of the source forces the
+result to false (table 4-7, last column) but referring an invalid
+element of the destination forces the result to true, so the outer
+loop should still be run even if some elements of the destination
+will be invalid.  They will be avoided in the inner loop, which
+correctly bounds "i" to validd, but they will still contribute to a
+positive outcome of the search.
+
+This fixes tst_strstr in glibc 2.17.
+
+Reported-by: Florian Weimer <fweimer@redhat.com>
+Cc: Richard Henderson <rth@twiddle.net>
+Cc: Eduardo Habkost <ehabkost@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit 54c54f8b56047d3c2420e1ae06a6a8890c220ac4)
+---
+ target-i386/ops_sse.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target-i386/ops_sse.h b/target-i386/ops_sse.h
+index 0765073..34eb141 100644
+--- a/target-i386/ops_sse.h
++++ b/target-i386/ops_sse.h
+@@ -2037,10 +2037,10 @@ static inline unsigned pcmpxstrx(CPUX86State *env, Reg *d, Reg *s,
+         }
+         break;
+     case 3:
+-        for (j = valids - validd; j >= 0; j--) {
++        for (j = valids; j >= 0; j--) {
+             res <<= 1;
+             v = 1;
+-            for (i = MIN(upper - j, validd); i >= 0; i--) {
++            for (i = MIN(valids - j, validd); i >= 0; i--) {
+                 v &= (pcmp_val(s, ctrl, i + j) == pcmp_val(d, ctrl, i));
+             }
+             res |= v;

0023-eepro100-Prevent-two-endless-loops.patch

@@ -0,0 +1,60 @@
+From: Stefan Weil <sw@weilnetz.de>
+Date: Fri, 20 Nov 2015 08:42:33 +0100
+Subject: [PATCH] eepro100: Prevent two endless loops
+
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
+
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 00837731d254908a841d69298a4f9f077babaf24)
+---
+ hw/net/eepro100.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index c374c1a..3e874cd 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+ #if 0
+         uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+ #endif
++        if (tx_buffer_size == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
++            break;
++        }
+         tbd_address += 8;
+         TRACE(RXTX, logout
+             ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
+ 
+ static void action_command(EEPRO100State *s)
+ {
++    /* The loop below won't stop if it gets special handcrafted data.
++       Therefore we limit the number of iterations. */
++    unsigned max_loop_count = 16;
++
+     for (;;) {
+         bool bit_el;
+         bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
+ #if 0
+         bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+ #endif
++
++        if (max_loop_count-- == 0) {
++            /* Prevent an endless loop. */
++            logout("loop in %s:%u\n", __FILE__, __LINE__);
++            break;
++        }
++
+         s->cu_offset = s->tx.link;
+         TRACE(OTHER,
+               logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",

0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch

@@ -0,0 +1,47 @@
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 20 Nov 2015 11:50:31 +0530
+Subject: [PATCH] net: pcnet: add check to validate receive data
+ size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported by: Qinghao Tang <luodalongde@gmail.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+(cherry picked from commit 837f21aacf5a714c23ddaadbbc5212f9b661e3f7)
+---
+ hw/net/pcnet.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 68b9981..03a56b2 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1094,7 +1094,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+                 uint32_t fcs = ~0;
+                 uint8_t *p = src;
+ 
+-                while (p != &src[size-4])
++                while (p != &src[size])
+                     CRC(fcs, *p++);
+                 crc_err = (*(uint32_t *)p != htonl(fcs));
+             }
+@@ -1243,8 +1243,10 @@ static void pcnet_transmit(PCNetState *s)
+         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+ 
+         /* if multi-tmd packet outsizes s->buffer then skip it silently.
+-           Note: this is not what real hw does */
+-        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++         * Note: this is not what real hw does.
++         * Last four bytes of s->buffer are used to store CRC FCS code.
++         */
++        if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+             s->xmit_pos = -1;
+             goto txdone;
+         }

0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch

@@ -0,0 +1,34 @@
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 30 Nov 2015 15:00:06 +0800
+Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
+
+Backends could provide a packet whose length is greater than buffer
+size. Check for this and truncate the packet to avoid rx buffer
+overflow in this case.
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+(cherry picked from commit 8b98a2f07175d46c3f7217639bd5e03f2ec56343)
+---
+ hw/net/pcnet.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 03a56b2..d8957ab 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1074,6 +1074,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+             int pktcount = 0;
+ 
+             if (!s->looptest) {
++                if (size > 4092) {
++#ifdef PCNET_DEBUG_RMD
++                    fprintf(stderr, "pcnet: truncates rx packet.\n");
++#endif
++                    size = 4092;
++                }
+                 memcpy(src, buf, size);
+                 /* no need to compute the CRC */
+                 src[size] = 0;

qemu.spec

@@ -43,7 +43,7 @@
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.3.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -114,6 +114,16 @@ Patch0018: 0018-virtio-net-correctly-drop-truncated-packets.patch
 Patch0019: 0019-mirror-Fix-coroutine-reentrance.patch
 # Fix udp socket 'localaddr' (bz #1268708)
 Patch0020: 0020-util-socket-Add-missing-localaddr-and-localport-opti.patch
+# Fix abort in abort in bdrv_error_action (bz #1277482)
+Patch0021: 0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch
+# Fix SSE4 emulation with accel=tcg (bz #1270703)
+Patch0022: 0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch
+# CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214)
+Patch0023: 0023-eepro100-Prevent-two-endless-loops.patch
+# CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543)
+Patch0024: 0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch
+# CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)
+Patch0025: 0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1216,6 +1226,13 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Mon Dec 07 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-8
+- Fix abort in abort in bdrv_error_action (bz #1277482)
+- Fix SSE4 emulation with accel=tcg (bz #1270703)
+- CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214)
+- CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543)
+- CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)
+
 * Thu Oct 08 2015 Cole Robinson <crobinso@redhat.com> - 2:2.3.1-7
 - CVE-2015-7295: virtio-net possible remote DoS (bz #1264393)
 - drive-mirror: Fix coroutine reentrance (bz #1266936)