CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz #1015274, bz #1007330)

Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
Cole Robinson 2013-10-06 14:47:27 -04:00
parent ca009fd076
commit c2ae918774
6 changed files with 311 additions and 18 deletions


@ -1,7 +1,23 @@
diff -ur qemu-1.4.2.old/target-ppc/translate_init.c qemu-1.4.2/target-ppc/translate_init.c
--- qemu-1.4.2.old/target-ppc/translate_init.c 2013-05-24 14:37:58.000000000 +0100
+++ qemu-1.4.2/target-ppc/translate_init.c 2013-09-05 09:53:58.787648890 +0100
@@ -6738,6 +6738,10 @@
From f8028b0aa2318fc10df39c8dec1353b91e1597be Mon Sep 17 00:00:00 2001
From: Anton Blanchard <anton@samba.org>
Date: Wed, 1 May 2013 00:44:51 +0000
Subject: [PATCH] target-ppc: Add read and write of PPR SPR
Recent Linux kernels save and restore the PPR across exceptions
so we need to handle it.
Signed-off-by: Anton Blanchard <anton@au1.ibm.com>
Signed-off-by: Alexander Graf <agraf@suse.de>
(cherry picked from commit 04559d5210860ea5853db09c75ea8ff2f8843e16)
---
target-ppc/translate_init.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 88d9dfa..7e46fdc 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -6738,6 +6738,10 @@ static void init_proc_POWER7 (CPUPPCState *env)
&spr_read_generic, &spr_write_generic,
&spr_read_generic, &spr_write_generic,
0x00000000);


@ -1,4 +1,4 @@
From d7a39084ead4274e58f01b713676e34242cbe2a1 Mon Sep 17 00:00:00 2001
From 95a8ab8e74cdf9140601b436edc9b7240ef2f8d4 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 5 Sep 2013 21:57:19 +0200
Subject: [PATCH] qxl: fix local renderer
@ -18,10 +18,7 @@ memory location.
https://bugzilla.redhat.com/show_bug.cgi?id=948717
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
cherry-picked from c58c7b959b93b864a27fd6b3646ee1465ab8832b
applied cleanly to hw/qxl-render.c (upstream renamed to
hw/display/qxl-render.c)
(cherry picked from commit c58c7b959b93b864a27fd6b3646ee1465ab8832b)
---
hw/qxl-render.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
@ -66,6 +63,3 @@ index 455fb91..fe21b18 100644
for (i = 0; i < qxl->num_dirty_rects; i++) {
if (qemu_spice_rect_is_empty(qxl->dirty+i)) {
break;
--
1.8.3.1


@ -0,0 +1,155 @@
From e2fbed46dae80551daf1b8269cab5f6b586bd0d7 Mon Sep 17 00:00:00 2001
From: Asias He <asias@redhat.com>
Date: Fri, 13 Sep 2013 14:56:55 +0800
Subject: [PATCH] scsi: Allocate SCSITargetReq r->buf dynamically
BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1007330
Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=6282465
This is the backport of the following commit. The patch is not
sent public since it is a embargoed bug.
r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at
most. If more than 256 luns are specified by user, we have buffer
overflow in scsi_target_emulate_report_luns.
To fix, we allocate the buffer dynamically.
Signed-off-by: Asias He <asias@redhat.com>
Signed-off-by: Asias He <asias@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
*s/&r->buf/r->buf/ due to type change
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
(cherry picked from commit fdcbe7d587a64dec0db0d3c9a3b230c39efbfeef)
---
hw/scsi-bus.c | 44 +++++++++++++++++++++++++++++++++-----------
hw/scsi.h | 2 ++
2 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c
index 01e1dec..54c9596 100644
--- a/hw/scsi-bus.c
+++ b/hw/scsi-bus.c
@@ -11,6 +11,8 @@ static char *scsibus_get_dev_path(DeviceState *dev);
static char *scsibus_get_fw_dev_path(DeviceState *dev);
static int scsi_req_parse(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf);
static void scsi_req_dequeue(SCSIRequest *req);
+static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len);
+static void scsi_target_free_buf(SCSIRequest *req);
static Property scsi_props[] = {
DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0),
@@ -304,7 +306,8 @@ typedef struct SCSITargetReq SCSITargetReq;
struct SCSITargetReq {
SCSIRequest req;
int len;
- uint8_t buf[2056];
+ uint8_t *buf;
+ int buf_len;
};
static void store_lun(uint8_t *outbuf, int lun)
@@ -348,14 +351,12 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
if (!found_lun0) {
n += 8;
}
- len = MIN(n + 8, r->req.cmd.xfer & ~7);
- if (len > sizeof(r->buf)) {
- /* TODO: > 256 LUNs? */
- return false;
- }
+ scsi_target_alloc_buf(&r->req, n + 8);
+
+ len = MIN(n + 8, r->req.cmd.xfer & ~7);
memset(r->buf, 0, len);
- stl_be_p(&r->buf, n);
+ stl_be_p(r->buf, n);
i = found_lun0 ? 8 : 16;
QTAILQ_FOREACH(kid, &r->req.bus->qbus.children, sibling) {
DeviceState *qdev = kid->child;
@@ -374,6 +375,9 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r)
static bool scsi_target_emulate_inquiry(SCSITargetReq *r)
{
assert(r->req.dev->lun != r->req.lun);
+
+ scsi_target_alloc_buf(&r->req, SCSI_INQUIRY_LEN);
+
if (r->req.cmd.buf[1] & 0x2) {
/* Command support data - optional, not implemented */
return false;
@@ -398,7 +402,7 @@ static bool scsi_target_emulate_inquiry(SCSITargetReq *r)
return false;
}
/* done with EVPD */
- assert(r->len < sizeof(r->buf));
+ assert(r->len < r->buf_len);
r->len = MIN(r->req.cmd.xfer, r->len);
return true;
}
@@ -442,8 +446,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf)
}
break;
case REQUEST_SENSE:
- r->len = scsi_device_get_sense(r->req.dev, r->buf,
- MIN(req->cmd.xfer, sizeof r->buf),
+ scsi_target_alloc_buf(&r->req, SCSI_SENSE_LEN);
+ r->len = scsi_device_get_sense(r->req.dev, r->buf, r->buf_len,
(req->cmd.buf[1] & 1) == 0);
if (r->req.dev->sense_is_ua) {
scsi_device_unit_attention_reported(req->dev);
@@ -488,11 +492,29 @@ static uint8_t *scsi_target_get_buf(SCSIRequest *req)
return r->buf;
}
+static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len)
+{
+ SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
+
+ r->buf = g_malloc(len);
+ r->buf_len = len;
+
+ return r->buf;
+}
+
+static void scsi_target_free_buf(SCSIRequest *req)
+{
+ SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req);
+
+ g_free(r->buf);
+}
+
static const struct SCSIReqOps reqops_target_command = {
.size = sizeof(SCSITargetReq),
.send_command = scsi_target_send_command,
.read_data = scsi_target_read_data,
.get_buf = scsi_target_get_buf,
+ .free_req = scsi_target_free_buf,
};
@@ -1348,7 +1370,7 @@ int scsi_build_sense(uint8_t *in_buf, int in_len,
buf[7] = 10;
buf[12] = sense.asc;
buf[13] = sense.ascq;
- return MIN(len, 18);
+ return MIN(len, SCSI_SENSE_LEN);
} else {
/* Return descriptor format sense buffer */
buf[0] = 0x72;
diff --git a/hw/scsi.h b/hw/scsi.h
index a5b5b2e..d6028bf 100644
--- a/hw/scsi.h
+++ b/hw/scsi.h
@@ -9,6 +9,8 @@
#define MAX_SCSI_DEVS 255
#define SCSI_CMD_BUF_SIZE 16
+#define SCSI_SENSE_LEN 18
+#define SCSI_INQUIRY_LEN 36
typedef struct SCSIBus SCSIBus;
typedef struct SCSIBusInfo SCSIBusInfo;
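Review bot: scsi_target_alloc_buf in this hunk assigns `r->buf = g_malloc(len)` unconditionally, so a second call on the same request would leak the first buffer, and scsi_target_free_buf leaves the dangling pointer in place; freeing first, `g_free(r->buf); r->buf = g_malloc(len);`, and clearing it in the free path, `r->buf = NULL;`, makes the helper safe to call more than once. The free path also depends on `r->buf` starting out NULL, which presumably comes from zeroed request allocation in scsi_req_alloc — worth confirming, since g_free on an uninitialised pointer would be a new bug in the CVE fix. In scsi_target_emulate_inquiry the new `assert(r->len < r->buf_len)` runs after the EVPD page has been filled (that code is outside the hunk), so it detects an overrun only after the fact; the page producers should be bounded by `r->buf_len` rather than relying on the assert. `buf_len` is declared `int` while the allocator takes `size_t`, so `r->buf_len = len` is a narrowing assignment; declaring the field `size_t` removes it.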


@ -0,0 +1,42 @@
From 5ba99e361671bc22bfc3ce45d866826f297e25b7 Mon Sep 17 00:00:00 2001
From: Gabriel de Perthuis <g2p.code@gmail.com>
Date: Fri, 10 May 2013 19:53:28 +0200
Subject: [PATCH] hw/9pfs: Be robust against paths without FS_IOC_GETVERSION
9P optionally uses the FS_IOC_GETVERSION ioctl to get information about
a file's version (sometimes called generation number).
The code checks for supported filesystems at mount time, but some paths
may come from other mounted filesystems.
Change it to treat unsupported paths the same as unsupported
filesystems, returning 0 in both cases.
Note: ENOTTY is the error code for an unsupported ioctl.
This fix allows booting a linux kernel with the same / filesystem as the
host; otherwise the boot fails when mounting devtmpfs.
Signed-off-by: Gabriel de Perthuis <g2p.code@gmail.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
(cherry picked from commit db431f6adc881a0758512cd765b3108209013512)
---
hw/9pfs/cofile.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c
index 2efebf3..194c130 100644
--- a/hw/9pfs/cofile.c
+++ b/hw/9pfs/cofile.c
@@ -38,6 +38,10 @@ int v9fs_co_st_gen(V9fsPDU *pdu, V9fsPath *path, mode_t st_mode,
});
v9fs_path_unlock(s);
}
+ /* The ioctl may not be supported depending on the path */
+ if (err == -ENOTTY) {
+ err = 0;
+ }
return err;
}
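Review bot: The added check turns `-ENOTTY` into success, but nothing in the hunk shows what the generation output parameter holds in that case; if the caller does not zero it before the call, the guest would receive an uninitialised st_gen. This should be confirmed against the caller (v9fs_co_st_gen starts before the hunk) and stated in the comment: `/* The ioctl may not be supported depending on the path; report success and leave the generation at its caller-initialised value. */`. If some other mount type is observed reporting an unsupported ioctl as EINVAL rather than ENOTTY, the same fallback would be needed there, but that is not something the hunk shows.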


@ -0,0 +1,68 @@
From 79d5a6121844c36239cd4945a4b56e93f10367e8 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 1 Oct 2013 12:28:17 +0100
Subject: [PATCH] hw/9pfs: Fix errno value for xattr functions
If there is no operation driver for the xattr type the
functions return '-1' and set errno to '-EOPNOTSUPP'.
When the calling code sets 'ret = -errno' this turns
into a large positive number.
In Linux 3.11, the kernel has switched to using 9p
version 9p2000.L, instead of 9p2000.u, which enables
support for xattr operations. This on its own is harmless,
but for another change which makes it request the xattr
with a name 'security.capability'.
The result is that the guest sees a succesful return
of 95 bytes of data, instead of a failure with errno
set to 95. Since the kernel expects a maximum of 20
bytes for an xattr return this gets translated to the
unexpected errno ERANGE.
This all means that when running a binary off a 9p fs
in 3.11 kernels you get a fun result of:
# ./date
sh: ./date: Numerical result out of range
The only workaround is to pass 'version=9p2000.u' when
mounting the 9p fs in the guest, to disable all use of
xattrs.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
---
hw/9pfs/virtio-9p-xattr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/9pfs/virtio-9p-xattr.c b/hw/9pfs/virtio-9p-xattr.c
index a839606..2115eee 100644
--- a/hw/9pfs/virtio-9p-xattr.c
+++ b/hw/9pfs/virtio-9p-xattr.c
@@ -36,7 +36,7 @@ ssize_t v9fs_get_xattr(FsContext *ctx, const char *path,
if (xops) {
return xops->getxattr(ctx, path, name, value, size);
}
- errno = -EOPNOTSUPP;
+ errno = EOPNOTSUPP;
return -1;
}
@@ -123,7 +123,7 @@ int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name,
if (xops) {
return xops->setxattr(ctx, path, name, value, size, flags);
}
- errno = -EOPNOTSUPP;
+ errno = EOPNOTSUPP;
return -1;
}
@@ -135,7 +135,7 @@ int v9fs_remove_xattr(FsContext *ctx,
if (xops) {
return xops->removexattr(ctx, path, name);
}
- errno = -EOPNOTSUPP;
+ errno = EOPNOTSUPP;
return -1;
}
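Review bot: The three fallback paths now set errno to the positive code, but the reason the sign matters lives only in the commit message; a one-line comment at the first site, `/* callers do ret = -errno, so errno must be the positive error code */`, would stop the original mistake being reintroduced. The three functions repeat the same `if (xops) ... errno = EOPNOTSUPP; return -1;` shape, which is a pre-existing style point rather than something this fix needs to address. Each enclosing function starts before its hunk.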


@ -131,7 +131,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 1.4.2
Release: 11%{?dist}
Release: 12%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@ -295,11 +295,17 @@ Patch0313: 0313-qdev-allow-both-pre-and-post-order-vists-in-qdev-wal.patch
Patch0314: 0314-qdev-switch-reset-to-post-order.patch
# Fix crash in scsi_dma_complete (bz #1001617)
Patch0315: 0315-scsi-avoid-assertion-failure-on-VERIFY-command.patch
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz #1004532)
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz
# #1004532)
Patch0316: 0316-target-ppc-Add-read-and-write-of-PPR-SPR.patch
# Fix screenshots for qxl kernel driver (bz #948717)
Patch0400: 0400-qxl-fix-local-renderer.patch
Patch0317: 0317-qxl-fix-local-renderer.patch
# CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz
# #1015274, bz #1007330)
Patch0318: 0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch
# Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
Patch0319: 0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch
Patch0320: 0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch
BuildRequires: SDL-devel
BuildRequires: zlib-devel
@ -892,10 +898,17 @@ CAC emulation development files.
%patch0314 -p1
# Fix crash in scsi_dma_complete (bz #1001617)
%patch0315 -p1
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz #1004532)
# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz
# #1004532)
%patch0316 -p1
# Fix screenshots for qxl kernel driver (bz #948717)
%patch0400 -p1
%patch0317 -p1
# CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz
# #1015274, bz #1007330)
%patch0318 -p1
# Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
%patch0319 -p1
%patch0320 -p1
%build
%if %{with kvmonly}
@ -1543,6 +1556,11 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Sun Oct 06 2013 Cole Robinson <crobinso@redhat.com> - 2:1.4.2-12
- CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz
#1015274, bz #1007330)
- Fix 9pfs xattrs on kernel 3.11 (bz #1013676)
* Wed Sep 25 2013 Alon Levy <alevy@redhat.com> 2:1.4.2-11
- Fix screenshots for qxl kernel driver (bz #948717)