From fd9a5b0fc3594cf3c62099f01502a150a54823fc Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Tue, 2 Feb 2016 21:57:43 -0500 Subject: [PATCH] gnu: qemu: Update to 2.5.0; add fixes for security flaws. * gnu/packages/patches/qemu-CVE-2015-6855.patch: Delete file. * gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch, gnu/packages/patches/qemu-CVE-2015-8558.patch, gnu/packages/patches/qemu-CVE-2015-8567.patch, gnu/packages/patches/qemu-CVE-2015-8613.patch, gnu/packages/patches/qemu-CVE-2015-8701.patch, gnu/packages/patches/qemu-CVE-2015-8743.patch, gnu/packages/patches/qemu-CVE-2016-1568.patch, gnu/packages/patches/qemu-CVE-2016-1922.patch: New files. * gnu-system.am (dist_patch_DATA): Remove 'qemu-CVE-2015-6855.patch'; add the new patches. * gnu/packages/qemu.scm (qemu): Update to 2.5.0. [source]: Remove old patches and add new ones. [arguments]: Add 'disable-test-qga' phase. (%glib-memory-vtable-patch, %glib-duplicate-test-patch): Remove variables. --- gnu-system.am | 9 +- gnu/packages/patches/qemu-CVE-2015-6855.patch | 144 ------------------ gnu/packages/patches/qemu-CVE-2015-8558.patch | 48 ++++++ gnu/packages/patches/qemu-CVE-2015-8567.patch | 93 +++++++++++ gnu/packages/patches/qemu-CVE-2015-8613.patch | 35 +++++ gnu/packages/patches/qemu-CVE-2015-8701.patch | 47 ++++++ gnu/packages/patches/qemu-CVE-2015-8743.patch | 48 ++++++ gnu/packages/patches/qemu-CVE-2016-1568.patch | 39 +++++ gnu/packages/patches/qemu-CVE-2016-1922.patch | 65 ++++++++ ...o-9p-use-accessor-to-get-thread-pool.patch | 34 +++++ gnu/packages/qemu.scm | 45 +++--- 11 files changed, 440 insertions(+), 167 deletions(-) delete mode 100644 gnu/packages/patches/qemu-CVE-2015-6855.patch create mode 100644 gnu/packages/patches/qemu-CVE-2015-8558.patch create mode 100644 gnu/packages/patches/qemu-CVE-2015-8567.patch create mode 100644 gnu/packages/patches/qemu-CVE-2015-8613.patch create mode 100644 gnu/packages/patches/qemu-CVE-2015-8701.patch create mode 100644 gnu/packages/patches/qemu-CVE-2015-8743.patch create mode 100644 gnu/packages/patches/qemu-CVE-2016-1568.patch create mode 100644 gnu/packages/patches/qemu-CVE-2016-1922.patch create mode 100644 gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch diff --git a/gnu-system.am b/gnu-system.am index bac13ce748..5657124036 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -682,7 +682,14 @@ dist_patch_DATA = \ gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \ gnu/packages/patches/python-configobj-setuptools.patch \ gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ - gnu/packages/patches/qemu-CVE-2015-6855.patch \ + gnu/packages/patches/qemu-CVE-2015-8558.patch \ + gnu/packages/patches/qemu-CVE-2015-8567.patch \ + gnu/packages/patches/qemu-CVE-2015-8613.patch \ + gnu/packages/patches/qemu-CVE-2015-8701.patch \ + gnu/packages/patches/qemu-CVE-2015-8743.patch \ + gnu/packages/patches/qemu-CVE-2016-1568.patch \ + gnu/packages/patches/qemu-CVE-2016-1922.patch \ + gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch \ gnu/packages/patches/qt4-ldflags.patch \ gnu/packages/patches/ratpoison-shell.patch \ gnu/packages/patches/readline-link-ncurses.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2015-6855.patch b/gnu/packages/patches/qemu-CVE-2015-6855.patch deleted file mode 100644 index e058dadd69..0000000000 --- a/gnu/packages/patches/qemu-CVE-2015-6855.patch +++ /dev/null @@ -1,144 +0,0 @@ -From d9033e1d3aa666c5071580617a57bd853c5d794a Mon Sep 17 00:00:00 2001 -From: John Snow -Date: Thu, 17 Sep 2015 14:17:05 -0400 -Subject: [PATCH] ide: fix ATAPI command permissions - -We're a little too lenient with what we'll let an ATAPI drive handle. -Clamp down on the IDE command execution table to remove CD_OK permissions -from commands that are not and have never been ATAPI commands. - -For ATAPI command validity, please see: -- ATA4 Section 6.5 ("PACKET Command feature set") -- ATA8/ACS Section 4.3 ("The PACKET feature set") -- ACS3 Section 4.3 ("The PACKET feature set") - -ACS3 has a historical command validity table in Table B.4 -("Historical Command Assignments") that can be referenced to find when -a command was introduced, deprecated, obsoleted, etc. - -The only reference for ATAPI command validity is by checking that -version's PACKET feature set section. - -ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4 -therefore are assumed to have never been ATAPI commands. - -Mandatory commands, as listed in ATA8-ACS3, are: - -- DEVICE RESET -- EXECUTE DEVICE DIAGNOSTIC -- IDENTIFY DEVICE -- IDENTIFY PACKET DEVICE -- NOP -- PACKET -- READ SECTOR(S) -- SET FEATURES - -Optional commands as listed in ATA8-ACS3, are: - -- FLUSH CACHE -- READ LOG DMA EXT -- READ LOG EXT -- WRITE LOG DMA EXT -- WRITE LOG EXT - -All other commands are illegal to send to an ATAPI device and should -be rejected by the device. - -CD_OK removal justifications: - -0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI. -0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4. -0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI. -0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI. -0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI. -0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI. -0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI. -0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI. -0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3. -0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3. -0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3. -0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3. -0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS. - -This patch fixes a divide by zero fault that can be caused by sending -the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to -attempt to use zeroed CHS values to perform sector arithmetic. - -Reported-by: Qinghao Tang -Signed-off-by: John Snow -Reviewed-by: Markus Armbruster -Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com -CC: qemu-stable@nongnu.org ---- - hw/ide/core.c | 30 +++++++++++++++--------------- - 1 file changed, 15 insertions(+), 15 deletions(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 8ba04df..1cc6945 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -1746,11 +1746,11 @@ static const struct { - } ide_cmd_table[0x100] = { - /* NOP not implemented, mandatory for CD */ - [CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK }, -- [WIN_DSM] = { cmd_data_set_management, ALL_OK }, -+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK }, - [WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK }, - [WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC}, - [WIN_READ] = { cmd_read_pio, ALL_OK }, -- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK }, -+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK }, - [WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK }, - [WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK }, - [WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, -@@ -1769,12 +1769,12 @@ static const struct { - [CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK }, - [WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK }, - [WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC }, -- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK }, -- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK }, -- [WIN_STANDBY2] = { cmd_nop, ALL_OK }, -- [WIN_SETIDLE2] = { cmd_nop, ALL_OK }, -- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC }, -- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK }, -+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK }, -+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, -+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK }, - [WIN_PACKETCMD] = { cmd_packet, CD_OK }, - [WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK }, - [WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC }, -@@ -1788,19 +1788,19 @@ static const struct { - [WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK }, - [WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK }, - [CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK }, -- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK }, -- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK }, -- [WIN_STANDBY] = { cmd_nop, ALL_OK }, -- [WIN_SETIDLE1] = { cmd_nop, ALL_OK }, -- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC }, -- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK }, -+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK }, -+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK }, -+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK }, -+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK }, -+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC }, -+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK }, - [WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK }, - [WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK }, - [WIN_IDENTIFY] = { cmd_identify, ALL_OK }, - [WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC }, - [IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC }, - [CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC }, -- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC }, -+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC }, - }; - - static bool ide_cmd_permitted(IDEState *s, uint32_t cmd) --- -2.4.3 - diff --git a/gnu/packages/patches/qemu-CVE-2015-8558.patch b/gnu/packages/patches/qemu-CVE-2015-8558.patch new file mode 100644 index 0000000000..f755d735cb --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-8558.patch @@ -0,0 +1,48 @@ +From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 14 Dec 2015 09:21:23 +0100 +Subject: [PATCH] ehci: make idt processing more robust + +Make ehci_process_itd return an error in case we didn't do any actual +iso transfer because we've found no active transaction. That'll avoid +ehci happily run in circles forever if the guest builds a loop out of +idts. + +This is CVE-2015-8558. + +Cc: qemu-stable@nongnu.org +Reported-by: Qinghao Tang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 4e2161b..d07f228 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, + { + USBDevice *dev; + USBEndpoint *ep; +- uint32_t i, len, pid, dir, devaddr, endp; ++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; + uint32_t pg, off, ptr1, ptr2, max, mult; + + ehci->periodic_sched_active = PERIODIC_ACTIVE; +@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, + ehci_raise_irq(ehci, USBSTS_INT); + } + itd->transact[i] &= ~ITD_XACT_ACTIVE; ++ xfers++; + } + } +- return 0; ++ return xfers ? 0 : -1; + } + + +-- +2.6.3 + diff --git a/gnu/packages/patches/qemu-CVE-2015-8567.patch b/gnu/packages/patches/qemu-CVE-2015-8567.patch new file mode 100644 index 0000000000..0cfd8e9627 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-8567.patch @@ -0,0 +1,93 @@ +From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Tue, 15 Dec 2015 12:27:54 +0530 +Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device + +Vmxnet3 device emulator does not check if the device is active +before activating it, also it did not free the transmit & receive +buffers while deactivating the device, thus resulting in memory +leakage on the host. This patch fixes both these issues to avoid +host memory leakage. + +Reported-by: Qinghao Tang +Reviewed-by: Dmitry Fleytman +Signed-off-by: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang +--- + hw/net/vmxnet3.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index a5dd79a..9c1adfc 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) + + static void vmxnet3_deactivate_device(VMXNET3State *s) + { +- VMW_CBPRN("Deactivating vmxnet3..."); +- s->device_active = false; ++ if (s->device_active) { ++ VMW_CBPRN("Deactivating vmxnet3..."); ++ vmxnet_tx_pkt_reset(s->tx_pkt); ++ vmxnet_tx_pkt_uninit(s->tx_pkt); ++ vmxnet_rx_pkt_uninit(s->rx_pkt); ++ s->device_active = false; ++ } + } + + static void vmxnet3_reset(VMXNET3State *s) +@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) + + vmxnet3_deactivate_device(s); + vmxnet3_reset_interrupt_states(s); +- vmxnet_tx_pkt_reset(s->tx_pkt); + s->drv_shmem = 0; + s->tx_sop = true; + s->skip_current_tx_pkt = false; +@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) + return; + } + ++ /* Verify if device is active */ ++ if (s->device_active) { ++ VMW_CFPRN("Vmxnet3 device is active"); ++ return; ++ } ++ + vmxnet3_adjust_by_guest_type(s); + vmxnet3_update_features(s); + vmxnet3_update_pm_state(s); +@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) + break; + + case VMXNET3_CMD_QUIESCE_DEV: +- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); ++ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); + vmxnet3_deactivate_device(s); + break; + +@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, + * shared address only after we get the high part + */ + if (val == 0) { +- s->device_active = false; ++ vmxnet3_deactivate_device(s); + } + s->temp_shared_guest_driver_memory = val; + s->drv_shmem = 0; +@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) + static void vmxnet3_net_uninit(VMXNET3State *s) + { + g_free(s->mcast_list); +- vmxnet_tx_pkt_reset(s->tx_pkt); +- vmxnet_tx_pkt_uninit(s->tx_pkt); +- vmxnet_rx_pkt_uninit(s->rx_pkt); ++ vmxnet3_deactivate_device(s); + qemu_del_nic(s->nic); + } + +-- +2.6.3 + diff --git a/gnu/packages/patches/qemu-CVE-2015-8613.patch b/gnu/packages/patches/qemu-CVE-2015-8613.patch new file mode 100644 index 0000000000..3bcc6ab8d6 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-8613.patch @@ -0,0 +1,35 @@ +From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Mon, 21 Dec 2015 15:13:13 +0530 +Subject: [PATCH] scsi: initialise info object with appropriate size + +While processing controller 'CTRL_GET_INFO' command, the routine +'megasas_ctrl_get_info' overflows the '&info' object size. Use its +appropriate size to null initialise it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Message-Id: +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +Signed-off-by: P J P +--- + hw/scsi/megasas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index d7dc667..576f56c 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) + BusChild *kid; + int num_pd_disks = 0; + +- memset(&info, 0x0, cmd->iov_size); ++ memset(&info, 0x0, dcmd_size); + if (cmd->iov_size < dcmd_size) { + trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, + dcmd_size); +-- +2.6.3 + diff --git a/gnu/packages/patches/qemu-CVE-2015-8701.patch b/gnu/packages/patches/qemu-CVE-2015-8701.patch new file mode 100644 index 0000000000..c7ab7b68b0 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-8701.patch @@ -0,0 +1,47 @@ +From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 28 Dec 2015 16:24:08 +0530 +Subject: [PATCH] net: rocker: fix an incorrect array bounds check + +While processing transmit(tx) descriptors in 'tx_consume' routine +the switch emulator suffers from an off-by-one error, if a +descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) +fragments. Fix an incorrect bounds check to avoid it. + +Reported-by: Qinghao Tang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/rocker/rocker.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c +index c57f1a6..2e77e50 100644 +--- a/hw/net/rocker/rocker.c ++++ b/hw/net/rocker/rocker.c +@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) + frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); + frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); + ++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { ++ goto err_too_many_frags; ++ } + iov[iovcnt].iov_len = frag_len; + iov[iovcnt].iov_base = g_malloc(frag_len); + if (!iov[iovcnt].iov_base) { +@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) + err = -ROCKER_ENXIO; + goto err_bad_io; + } +- +- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { +- goto err_too_many_frags; +- } ++ iovcnt++; + } + + if (iovcnt) { +-- +2.6.3 + diff --git a/gnu/packages/patches/qemu-CVE-2015-8743.patch b/gnu/packages/patches/qemu-CVE-2015-8743.patch new file mode 100644 index 0000000000..4a9d0e2f2d --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-8743.patch @@ -0,0 +1,48 @@ +From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 31 Dec 2015 17:05:27 +0530 +Subject: [PATCH] net: ne2000: fix bounds check in ioport operations + +While doing ioport r/w operations, ne2000 device emulation suffers +from OOB r/w errors. Update respective array bounds check to avoid +OOB access. + +Reported-by: Ling Liu +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 010f9ef..a3dffff 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, + uint32_t val) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + stl_le_p(s->mem + addr, val); + } + } +@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) + static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + return ldl_le_p(s->mem + addr); + } else { + return 0xffffffff; +-- +2.6.3 + diff --git a/gnu/packages/patches/qemu-CVE-2016-1568.patch b/gnu/packages/patches/qemu-CVE-2016-1568.patch new file mode 100644 index 0000000000..53863704cd --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-1568.patch @@ -0,0 +1,39 @@ +From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 11 Jan 2016 14:10:42 -0500 +Subject: [PATCH] ide: ahci: reset ncq object to unused on error + +When processing NCQ commands, AHCI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Reviewed-by: John Snow +Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com +Signed-off-by: John Snow +--- + hw/ide/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index dd1912e..17f1cbd 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) + ide_state->error = ABRT_ERR; + ide_state->status = READY_STAT | ERR_STAT; + ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); ++ ncq_tfs->used = 0; + } + + static void ncq_finish(NCQTransferState *ncq_tfs) +-- +2.6.3 + diff --git a/gnu/packages/patches/qemu-CVE-2016-1922.patch b/gnu/packages/patches/qemu-CVE-2016-1922.patch new file mode 100644 index 0000000000..36d9bd2591 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-1922.patch @@ -0,0 +1,65 @@ +From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Fri, 18 Dec 2015 11:35:07 +0530 +Subject: [PATCH] i386: avoid null pointer dereference + + Hello, + +A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It +occurs while doing I/O port write operations via hmp interface. In that, +'current_cpu' remains null as it is not called from cpu_exec loop, which +results in the said issue. + +Below is a proposed (tested)patch to fix this issue; Does it look okay? + +=== +From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 18 Dec 2015 11:16:07 +0530 +Subject: [PATCH] i386: avoid null pointer dereference + +When I/O port write operation is called from hmp interface, +'current_cpu' remains null, as it is not called from cpu_exec() +loop. This leads to a null pointer dereference in vapic_write +routine. Add check to avoid it. + +Reported-by: Ling Liu +Signed-off-by: Prasad J Pandit +Message-Id: +Signed-off-by: Paolo Bonzini +Signed-off-by: P J P +--- + hw/i386/kvmvapic.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c +index c6d34b2..f0922da 100644 +--- a/hw/i386/kvmvapic.c ++++ b/hw/i386/kvmvapic.c +@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) + static void vapic_write(void *opaque, hwaddr addr, uint64_t data, + unsigned int size) + { +- CPUState *cs = current_cpu; +- X86CPU *cpu = X86_CPU(cs); +- CPUX86State *env = &cpu->env; +- hwaddr rom_paddr; + VAPICROMState *s = opaque; ++ X86CPU *cpu; ++ CPUX86State *env; ++ hwaddr rom_paddr; + +- cpu_synchronize_state(cs); ++ if (!current_cpu) { ++ return; ++ } ++ ++ cpu_synchronize_state(current_cpu); ++ cpu = X86_CPU(current_cpu); ++ env = &cpu->env; + + /* + * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. +-- +2.6.3 + diff --git a/gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch b/gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch new file mode 100644 index 0000000000..497e49f1d9 --- /dev/null +++ b/gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch @@ -0,0 +1,34 @@ +From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Wed, 23 Dec 2015 10:56:58 +0100 +Subject: [PATCH] virtio-9p: use accessor to get thread_pool + +The aio_context_new() function does not allocate a thread pool. This is +deferred to the first call to the aio_get_thread_pool() accessor. It is +hence forbidden to access the thread_pool field directly, as it may be +NULL. The accessor *must* be used always. + +Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e +Reviewed-by: Michael Tokarev +Tested-by: Michael Tokarev +Cc: qemu-stable@nongnu.org +Signed-off-by: Greg Kurz +--- + hw/9pfs/virtio-9p-coth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c +index fb6e8f8..ab9425c 100644 +--- a/hw/9pfs/virtio-9p-coth.c ++++ b/hw/9pfs/virtio-9p-coth.c +@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg) + void co_run_in_worker_bh(void *opaque) + { + Coroutine *co = opaque; +- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool, ++ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()), + coroutine_enter_func, co, coroutine_enter_cb, co); + } +-- +2.6.3 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index a6abb48913..7624cdcae9 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès -;;; Copyright © 2015 Mark H Weaver +;;; Copyright © 2015, 2016 Mark H Weaver ;;; ;;; This file is part of GNU Guix. ;;; @@ -51,35 +51,27 @@ (define (qemu-patch commit file-name sha256) (sha256 sha256) (file-name file-name))) -(define %glib-memory-vtable-patch - (qemu-patch "deb847bf" - "qemu-glib-memory-vtable.patch" - (base32 - "0afb7rvxy14104jxmhr7m02w5baiz0c7vhq3h642h09jgxrcmzzi"))) - -(define %glib-duplicate-test-patch - (qemu-patch "98cf48f6" - "qemu-glib-duplicate-test.patch" - (base32 - "1aicbplzdj5s5y13jmqyvfajay05x9dnkzd197waz8v6kha7d9d5"))) - (define-public qemu (package (name "qemu") - (version "2.4.0.1") + (version "2.5.0") (source (origin (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qemu-" version ".tar.bz2")) (sha256 (base32 - "1nqv5p94zpnhcaqkifnn83ap7dd0qrb0qiicswbyhhby0f48pzpc")) - (patches (list (search-patch "qemu-CVE-2015-6855.patch") - - ;; These two patches allow QEMU's tests to run - ;; correctly with 'gtester' from the latest GLib. - %glib-memory-vtable-patch - %glib-duplicate-test-patch)))) + "1m3j6xl7msrniidkvr5pw9d44yba5m7hm42xz8xy77v105s8hhrl")) + (patches + (map search-patch + '("qemu-virtio-9p-use-accessor-to-get-thread-pool.patch" + "qemu-CVE-2015-8558.patch" + "qemu-CVE-2015-8567.patch" + "qemu-CVE-2016-1922.patch" + "qemu-CVE-2015-8613.patch" + "qemu-CVE-2015-8701.patch" + "qemu-CVE-2015-8743.patch" + "qemu-CVE-2016-1568.patch"))))) (build-system gnu-build-system) (arguments '(#:phases (alist-replace @@ -120,7 +112,16 @@ (define-public qemu (string-append infodir "/" info))) (find-files "." "\\.info$")) #t))))) - %standard-phases)))) + (alist-cons-before + 'check 'disable-test-qga + (lambda _ + (substitute* "tests/Makefile" + ;; Comment out the test-qga test, which needs /sys and + ;; fails within the build environment. + (("check-unit-.* tests/test-qga" all) + (string-append "# " all))) + #t) + %standard-phases))))) (inputs ; TODO: Add optional inputs. `(("sdl" ,sdl)