From c2ae918774f94a28ce28f0285dc2d9570be5c23a Mon Sep 17 00:00:00 2001 From: Cole Robinson Date: Sun, 6 Oct 2013 14:47:27 -0400 Subject: [PATCH] CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz #1015274, bz #1007330) Fix 9pfs xattrs on kernel 3.11 (bz #1013676) --- ...et-ppc-Add-read-and-write-of-PPR-SPR.patch | 24 ++- ...patch => 0317-qxl-fix-local-renderer.patch | 10 +- ...cate-SCSITargetReq-r-buf-dynamically.patch | 155 ++++++++++++++++++ ...t-against-paths-without-FS_IOC_GETVE.patch | 42 +++++ ...-Fix-errno-value-for-xattr-functions.patch | 68 ++++++++ qemu.spec | 30 +++- 6 files changed, 311 insertions(+), 18 deletions(-) rename 0400-qxl-fix-local-renderer.patch => 0317-qxl-fix-local-renderer.patch (91%) create mode 100644 0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch create mode 100644 0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch create mode 100644 0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch diff --git a/0316-target-ppc-Add-read-and-write-of-PPR-SPR.patch b/0316-target-ppc-Add-read-and-write-of-PPR-SPR.patch index ca4a94b..400bde4 100644 --- a/0316-target-ppc-Add-read-and-write-of-PPR-SPR.patch +++ b/0316-target-ppc-Add-read-and-write-of-PPR-SPR.patch 
@@ -1,7 +1,23 @@ -diff -ur qemu-1.4.2.old/target-ppc/translate_init.c qemu-1.4.2/target-ppc/translate_init.c ---- qemu-1.4.2.old/target-ppc/translate_init.c 2013-05-24 14:37:58.000000000 +0100 -+++ qemu-1.4.2/target-ppc/translate_init.c 2013-09-05 09:53:58.787648890 +0100 -@@ -6738,6 +6738,10 @@ +From f8028b0aa2318fc10df39c8dec1353b91e1597be Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Wed, 1 May 2013 00:44:51 +0000 +Subject: [PATCH] target-ppc: Add read and write of PPR SPR + +Recent Linux kernels save and restore the PPR across exceptions +so we need to handle it. + +Signed-off-by: Anton Blanchard +Signed-off-by: Alexander Graf +(cherry picked from commit 04559d5210860ea5853db09c75ea8ff2f8843e16) +--- + target-ppc/translate_init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c +index 88d9dfa..7e46fdc 100644 +--- a/target-ppc/translate_init.c ++++ b/target-ppc/translate_init.c +@@ -6738,6 +6738,10 @@ static void init_proc_POWER7 (CPUPPCState *env) &spr_read_generic, &spr_write_generic, &spr_read_generic, &spr_write_generic, 0x00000000); diff --git a/0400-qxl-fix-local-renderer.patch b/0317-qxl-fix-local-renderer.patch similarity index 91% rename from 0400-qxl-fix-local-renderer.patch rename to 0317-qxl-fix-local-renderer.patch index 40482e9..f9a435c 100644 --- a/0400-qxl-fix-local-renderer.patch +++ b/0317-qxl-fix-local-renderer.patch @@ -1,4 +1,4 @@ -From d7a39084ead4274e58f01b713676e34242cbe2a1 Mon Sep 17 00:00:00 2001 +From 95a8ab8e74cdf9140601b436edc9b7240ef2f8d4 Mon Sep 17 00:00:00 2001 From: Gerd Hoffmann Date: Thu, 5 Sep 2013 21:57:19 +0200 Subject: [PATCH] qxl: fix local renderer @@ -18,10 +18,7 @@ memory location. https://bugzilla.redhat.com/show_bug.cgi?id=948717 
Signed-off-by: Gerd Hoffmann - -cherry-picked from c58c7b959b93b864a27fd6b3646ee1465ab8832b - applied cleanly to hw/qxl-render.c (upstream renamed to - hw/display/qxl-render.c) +(cherry picked from commit c58c7b959b93b864a27fd6b3646ee1465ab8832b) --- hw/qxl-render.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) @@ -66,6 +63,3 @@ index 455fb91..fe21b18 100644 for (i = 0; i < qxl->num_dirty_rects; i++) { if (qemu_spice_rect_is_empty(qxl->dirty+i)) { break; --- -1.8.3.1 - diff --git a/0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch b/0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch new file mode 100644 index 0000000..c8b3b94 --- /dev/null +++ b/0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch @@ -0,0 +1,155 @@ +From e2fbed46dae80551daf1b8269cab5f6b586bd0d7 Mon Sep 17 00:00:00 2001 +From: Asias He +Date: Fri, 13 Sep 2013 14:56:55 +0800 +Subject: [PATCH] scsi: Allocate SCSITargetReq r->buf dynamically + +BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1007330 +Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=6282465 + +This is the backport of the following commit. The patch is not +sent public since it is a embargoed bug. + + r->buf is hardcoded to 2056 which is (256 + 1) * 8, allowing 256 luns at + most. If more than 256 luns are specified by user, we have buffer + overflow in scsi_target_emulate_report_luns. + + To fix, we allocate the buffer dynamically. + + 
Signed-off-by: Asias He + +Signed-off-by: Asias He +Signed-off-by: Paolo Bonzini + +*s/&r->buf/r->buf/ due to type change + +Signed-off-by: Michael Roth +(cherry picked from commit fdcbe7d587a64dec0db0d3c9a3b230c39efbfeef) +--- + hw/scsi-bus.c | 44 +++++++++++++++++++++++++++++++++----------- + hw/scsi.h | 2 ++ + 2 files changed, 35 insertions(+), 11 deletions(-) + +diff --git a/hw/scsi-bus.c b/hw/scsi-bus.c +index 01e1dec..54c9596 100644 +--- a/hw/scsi-bus.c ++++ b/hw/scsi-bus.c +@@ -11,6 +11,8 @@ static char *scsibus_get_dev_path(DeviceState *dev); + static char *scsibus_get_fw_dev_path(DeviceState *dev); + static int scsi_req_parse(SCSICommand *cmd, SCSIDevice *dev, uint8_t *buf); + static void scsi_req_dequeue(SCSIRequest *req); ++static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len); ++static void scsi_target_free_buf(SCSIRequest *req); + + static Property scsi_props[] = { + DEFINE_PROP_UINT32("channel", SCSIDevice, channel, 0), +@@ -304,7 +306,8 @@ typedef struct SCSITargetReq SCSITargetReq; + struct SCSITargetReq { + SCSIRequest req; + int len; +- uint8_t buf[2056]; ++ uint8_t *buf; ++ int buf_len; + }; + + static void store_lun(uint8_t *outbuf, int lun) +@@ -348,14 +351,12 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r) + if (!found_lun0) { + n += 8; + } +- len = MIN(n + 8, r->req.cmd.xfer & ~7); +- if (len > sizeof(r->buf)) { +- /* TODO: > 256 LUNs? */ +- return false; +- } + ++ scsi_target_alloc_buf(&r->req, n + 8); ++ ++ len = MIN(n + 8, r->req.cmd.xfer & ~7); + memset(r->buf, 0, len); +- stl_be_p(&r->buf, n); ++ stl_be_p(r->buf, n); + i = found_lun0 ? 
8 : 16; + QTAILQ_FOREACH(kid, &r->req.bus->qbus.children, sibling) { + DeviceState *qdev = kid->child; +@@ -374,6 +375,9 @@ static bool scsi_target_emulate_report_luns(SCSITargetReq *r) + static bool scsi_target_emulate_inquiry(SCSITargetReq *r) + { + assert(r->req.dev->lun != r->req.lun); ++ ++ scsi_target_alloc_buf(&r->req, SCSI_INQUIRY_LEN); ++ + if (r->req.cmd.buf[1] & 0x2) { + /* Command support data - optional, not implemented */ + return false; +@@ -398,7 +402,7 @@ static bool scsi_target_emulate_inquiry(SCSITargetReq *r) + return false; + } + /* done with EVPD */ +- assert(r->len < sizeof(r->buf)); ++ assert(r->len < r->buf_len); + r->len = MIN(r->req.cmd.xfer, r->len); + return true; + } +@@ -442,8 +446,8 @@ static int32_t scsi_target_send_command(SCSIRequest *req, uint8_t *buf) + } + break; + case REQUEST_SENSE: +- r->len = scsi_device_get_sense(r->req.dev, r->buf, +- MIN(req->cmd.xfer, sizeof r->buf), ++ scsi_target_alloc_buf(&r->req, SCSI_SENSE_LEN); ++ r->len = scsi_device_get_sense(r->req.dev, r->buf, r->buf_len, + (req->cmd.buf[1] & 1) == 0); + if (r->req.dev->sense_is_ua) { + scsi_device_unit_attention_reported(req->dev); +@@ -488,11 +492,29 @@ static uint8_t *scsi_target_get_buf(SCSIRequest *req) + return r->buf; + } + ++static uint8_t *scsi_target_alloc_buf(SCSIRequest *req, size_t len) ++{ ++ SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req); ++ ++ r->buf = g_malloc(len); ++ r->buf_len = len; ++ ++ return r->buf; ++} ++ ++static void scsi_target_free_buf(SCSIRequest *req) ++{ ++ SCSITargetReq *r = DO_UPCAST(SCSITargetReq, req, req); ++ ++ g_free(r->buf); ++} ++ + static const struct SCSIReqOps reqops_target_command = { + .size = sizeof(SCSITargetReq), + .send_command = scsi_target_send_command, + .read_data = scsi_target_read_data, + .get_buf = scsi_target_get_buf, ++ .free_req = scsi_target_free_buf, + }; + + +@@ -1348,7 +1370,7 @@ int scsi_build_sense(uint8_t *in_buf, int in_len, + buf[7] = 10; + buf[12] = sense.asc; + buf[13] = sense.ascq; 
+- return MIN(len, 18); ++ return MIN(len, SCSI_SENSE_LEN); + } else { + /* Return descriptor format sense buffer */ + buf[0] = 0x72; +diff --git a/hw/scsi.h b/hw/scsi.h +index a5b5b2e..d6028bf 100644 +--- a/hw/scsi.h ++++ b/hw/scsi.h +@@ -9,6 +9,8 @@ + #define MAX_SCSI_DEVS 255 + + #define SCSI_CMD_BUF_SIZE 16 ++#define SCSI_SENSE_LEN 18 ++#define SCSI_INQUIRY_LEN 36 + + typedef struct SCSIBus SCSIBus; + typedef struct SCSIBusInfo SCSIBusInfo; diff --git a/0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch b/0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch new file mode 100644 index 0000000..cd3bba4 --- /dev/null +++ b/0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch 
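Review bot: In the REQUEST_SENSE branch of scsi_target_send_command the new code passes `r->buf_len` where the old code passed `MIN(req->cmd.xfer, sizeof r->buf)`, so the sense data returned is no longer bounded by the command's allocation length; if the transport relies on r->len never exceeding cmd.xfer, `MIN(req->cmd.xfer, r->buf_len)` would keep the previous contract, and this is worth confirming against scsi_target_read_data, which is outside the hunk. The new field is declared `int buf_len;` while `scsi_target_alloc_buf` takes `size_t len` and the report-luns path passes `n + 8`, so the store narrows silently; `size_t buf_len;` would match the helper, although `assert(r->len < r->buf_len)` then compares signed with unsigned and would want a cast. `scsi_target_alloc_buf` allocates unconditionally and `scsi_target_free_buf` releases the buffer exactly once via `.free_req`, so the scheme is leak-free only if each request calls the allocator at most once and r->buf starts out NULL; a comment on the helper such as `/* Called at most once per request; freed by scsi_target_free_buf via .free_req */` would record that contract.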
@@ -0,0 +1,42 @@ +From 5ba99e361671bc22bfc3ce45d866826f297e25b7 Mon Sep 17 00:00:00 2001 +From: Gabriel de Perthuis +Date: Fri, 10 May 2013 19:53:28 +0200 +Subject: [PATCH] hw/9pfs: Be robust against paths without FS_IOC_GETVERSION + +9P optionally uses the FS_IOC_GETVERSION ioctl to get information about +a file's version (sometimes called generation number). + +The code checks for supported filesystems at mount time, but some paths +may come from other mounted filesystems. + +Change it to treat unsupported paths the same as unsupported +filesystems, returning 0 in both cases. + +Note: ENOTTY is the error code for an unsupported ioctl. + +This fix allows booting a linux kernel with the same / filesystem as the +host; otherwise the boot fails when mounting devtmpfs. + +Signed-off-by: Gabriel de Perthuis +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Aneesh Kumar K.V +(cherry picked from commit db431f6adc881a0758512cd765b3108209013512) +--- + hw/9pfs/cofile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c +index 2efebf3..194c130 100644 +--- a/hw/9pfs/cofile.c ++++ b/hw/9pfs/cofile.c +@@ -38,6 +38,10 @@ int v9fs_co_st_gen(V9fsPDU *pdu, V9fsPath *path, mode_t st_mode, + }); + v9fs_path_unlock(s); + } ++ /* The ioctl may not be supported depending on the path */ ++ if (err == -ENOTTY) { ++ err = 0; ++ } + return err; + } + diff --git a/0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch b/0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch new file mode 100644 index 0000000..28bed77 --- /dev/null +++ b/0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch 
@@ -0,0 +1,68 @@ +From 79d5a6121844c36239cd4945a4b56e93f10367e8 Mon Sep 17 00:00:00 2001 +From: "Daniel P. Berrange" +Date: Tue, 1 Oct 2013 12:28:17 +0100 +Subject: [PATCH] hw/9pfs: Fix errno value for xattr functions + +If there is no operation driver for the xattr type the +functions return '-1' and set errno to '-EOPNOTSUPP'. +When the calling code sets 'ret = -errno' this turns +into a large positive number. + +In Linux 3.11, the kernel has switched to using 9p +version 9p2000.L, instead of 9p2000.u, which enables +support for xattr operations. This on its own is harmless, +but for another change which makes it request the xattr +with a name 'security.capability'. + +The result is that the guest sees a succesful return +of 95 bytes of data, instead of a failure with errno +set to 95. Since the kernel expects a maximum of 20 +bytes for an xattr return this gets translated to the +unexpected errno ERANGE. + +This all means that when running a binary off a 9p fs +in 3.11 kernels you get a fun result of: + + # ./date + sh: ./date: Numerical result out of range + +The only workaround is to pass 'version=9p2000.u' when +mounting the 9p fs in the guest, to disable all use of +xattrs. + +Signed-off-by: Daniel P. 
Berrange +--- + hw/9pfs/virtio-9p-xattr.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/hw/9pfs/virtio-9p-xattr.c b/hw/9pfs/virtio-9p-xattr.c +index a839606..2115eee 100644 +--- a/hw/9pfs/virtio-9p-xattr.c ++++ b/hw/9pfs/virtio-9p-xattr.c +@@ -36,7 +36,7 @@ ssize_t v9fs_get_xattr(FsContext *ctx, const char *path, + if (xops) { + return xops->getxattr(ctx, path, name, value, size); + } +- errno = -EOPNOTSUPP; ++ errno = EOPNOTSUPP; + return -1; + } + +@@ -123,7 +123,7 @@ int v9fs_set_xattr(FsContext *ctx, const char *path, const char *name, + if (xops) { + return xops->setxattr(ctx, path, name, value, size, flags); + } +- errno = -EOPNOTSUPP; ++ errno = EOPNOTSUPP; + return -1; + + } +@@ -135,7 +135,7 @@ int v9fs_remove_xattr(FsContext *ctx, + if (xops) { + return xops->removexattr(ctx, path, name); + } +- errno = -EOPNOTSUPP; ++ errno = EOPNOTSUPP; + return -1; + + } diff --git a/qemu.spec b/qemu.spec index b133ece..4f93cb1 100644 --- a/qemu.spec +++ b/qemu.spec @@ -131,7 +131,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 1.4.2 -Release: 11%{?dist} +Release: 12%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD 
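Review bot: The identical fallback `errno = EOPNOTSUPP; return -1;` is now copied into v9fs_get_xattr, v9fs_set_xattr and v9fs_remove_xattr, and the defect being corrected here is exactly the kind of divergence that duplicated error paths invite; routing all three through one small helper that looks up the xattr ops and sets errno on a miss would stop a fourth copy from regressing. Unlike the other backports added in this commit, the 0320 patch header carries no `(cherry picked from commit ...)` line, so its upstream provenance cannot be checked from the spec repository; adding the upstream reference would match the 0316–0319 patches.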
@@ -295,11 +295,17 @@ Patch0313: 0313-qdev-allow-both-pre-and-post-order-vists-in-qdev-wal.patch Patch0314: 0314-qdev-switch-reset-to-post-order.patch # Fix crash in scsi_dma_complete (bz #1001617) Patch0315: 0315-scsi-avoid-assertion-failure-on-VERIFY-command.patch -# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz #1004532) +# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz +# #1004532) Patch0316: 0316-target-ppc-Add-read-and-write-of-PPR-SPR.patch - # Fix screenshots for qxl kernel driver (bz #948717) -Patch0400: 0400-qxl-fix-local-renderer.patch +Patch0317: 0317-qxl-fix-local-renderer.patch +# CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz +# #1015274, bz #1007330) +Patch0318: 0318-scsi-Allocate-SCSITargetReq-r-buf-dynamically.patch +# Fix 9pfs xattrs on kernel 3.11 (bz #1013676) +Patch0319: 0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch +Patch0320: 0320-hw-9pfs-Fix-errno-value-for-xattr-functions.patch BuildRequires: SDL-devel BuildRequires: zlib-devel @@ -892,10 +898,17 @@ CAC emulation development files. %patch0314 -p1 # Fix crash in scsi_dma_complete (bz #1001617) %patch0315 -p1 -# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz #1004532) +# ppc64 hangs at "Trying to read invalid spr 896 380 at .." (bz +# #1004532) %patch0316 -p1 # Fix screenshots for qxl kernel driver (bz #948717) -%patch0400 -p1 +%patch0317 -p1 +# CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz +# #1015274, bz #1007330) +%patch0318 -p1 +# Fix 9pfs xattrs on kernel 3.11 (bz #1013676) +%patch0319 -p1 +%patch0320 -p1 %build %if %{with kvmonly} 
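Review bot: The comment `# Fix 9pfs xattrs on kernel 3.11 (bz #1013676)` is placed above both Patch0319 and Patch0320, but 0319-hw-9pfs-Be-robust-against-paths-without-FS_IOC_GETVE.patch is the FS_IOC_GETVERSION fallback rather than an xattr fix, so the patch list misdescribes it. If it is merely a prerequisite for the bz #1013676 fix the comment could say so; otherwise a line of its own, e.g. `# 9pfs: treat paths without FS_IOC_GETVERSION like unsupported filesystems (bz #1013676)`, keeps the list self-explanatory. The same grouping is repeated in the %prep hunk (`@@ -892,10 +898,17 @@`) on this line and in the %changelog entry, so the wording would need to change in all three places.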
@@ -1543,6 +1556,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Sun Oct 06 2013 Cole Robinson - 2:1.4.2-12 +- CVE-2013-4344: buffer overflow in scsi_target_emulate_report_luns (bz + #1015274, bz #1007330) +- Fix 9pfs xattrs on kernel 3.11 (bz #1013676) + * Wed Sep 25 2013 Alon Levy 2:1.4.2-11 - Fix screenshots for qxl kernel driver (bz #948717)