From 2c0b43b3032f9a55edd395ae37f45fffce44fa9d Mon Sep 17 00:00:00 2001
From: Martin Borg
Date: Thu, 1 Mar 2018 10:34:33 +0100
Subject: qemu: Drop CVE patches
The CVEs have been fixed in upstream poky/rocko.
Signed-off-by: Martin Borg
---
.../qemu/qemu/0001-CVE-2017-2620.patch | 77 ----------------------
.../qemu/qemu/0002-CVE-2017-2620.patch | 55 ----------------
recipes-devtools/qemu/qemu/CVE-2017-5931.patch | 52 ---------------
recipes-devtools/qemu/qemu/CVE-2017-6505.patch | 56 ----------------
recipes-devtools/qemu/qemu/CVE-2017-7471.patch | 70 --------------------
recipes-devtools/qemu/qemu/CVE-2017-8309.patch | 42 ------------
recipes-devtools/qemu/qemu_%.bbappend | 10 ---
7 files changed, 362 deletions(-)
delete mode 100644 recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch
delete mode 100644 recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch
delete mode 100644 recipes-devtools/qemu/qemu/CVE-2017-5931.patch
delete mode 100644 recipes-devtools/qemu/qemu/CVE-2017-6505.patch
delete mode 100644 recipes-devtools/qemu/qemu/CVE-2017-7471.patch
delete mode 100644 recipes-devtools/qemu/qemu/CVE-2017-8309.patch
delete mode 100644 recipes-devtools/qemu/qemu_%.bbappend
diff --git a/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch
deleted file mode 100644
index 5684062..0000000
--- a/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 2ab8276a1cb2bcd0d14d4e05c193252f370b8251 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers
-Date: Mon, 9 Jan 2017 13:35:20 -0700
-Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
- blit_is_unsafe
-
-Commit 4299b90 added a check which is too broad, given that the source
-pitch value is not required to be initialized for solid fill operations.
-This patch refines the blit_is_unsafe() check to ignore source pitch in
-that case. After applying the above commit as a security patch, we
-noticed the SLES 11 SP4 guest gui failed to initialize properly.
-
-Upstream-Status: Backport [this patch is needed for CVE-2017-2620]
-
-Signed-off-by: Bruce Rogers
-Message-id: 20170109203520.5619-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann
-(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
-Signed-off-by: Michael Roth
-Signed-off-by: Sona Sarmadi
----
- hw/display/cirrus_vga.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index bdb092e..379910d 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- return false;
- }
-
-static bool blit_is_unsafe(struct CirrusVGAState *s)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
- /* should be the case, see cirrus_bitblt_start */
- assert(s->cirrus_blt_width > 0);
-@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
- return true;
- }
-+ if (dst_only) {
-+ return false;
-+ }
- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
- return true;
-@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
-
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
-
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s,
false))
- return 0;
-
- (*s->cirrus_rop) (s, dst, src,
-@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
- cirrus_fill_t rop_func;
-
-- if (blit_is_unsafe(s)) {
-+ if (blit_is_unsafe(s, true)) {
- return 0;
- }
- rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
---
-1.9.1
-
diff --git a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch
deleted file mode 100644
index 3910fb9..0000000
--- a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From fc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Wed, 8 Feb 2017 11:18:36 +0100
-Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
- (CVE-2017-2620)
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all. Oops. Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-CVE: CVE-2017-2620
-Upstream-Status: Backport
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann
-(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
-Signed-off-by: Michael Roth
-Signed-off-by: Sona Sarmadi
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 629a5c8..6766349 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -873,6 +873,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
- int w;
-
-+ if (blit_is_unsafe(s, true)) {
-+ return 0;
-+ }
-+
- s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
- s->cirrus_srcptr = &s->cirrus_bltbuf[0];
- s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -898,6 +902,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- }
- s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
- }
-+
-+ /* the blit_is_unsafe call above should catch this */
-+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
- s->cirrus_srcptr = s->cirrus_bltbuf;
- s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
- cirrus_update_memory_access(s);
---
-1.9.1
-
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch b/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
deleted file mode 100644
index 4c35c26..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From d6f119475d3c9c913f9140771895036be66d5c33 Mon Sep 17 00:00:00 2001
-From: Gonglei
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-
-Using uint_64 instead of size_t to avoid the integer overflow.
-
-CVE: CVE-2017-5931
-Upstream-Status: Backport [backport from 2.8.1.1 releases: https://git.qemu.org/?p=qemu.git;a=commit;h=d6f119475d3c9c913f9140771895036be66d5c33]
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang
-Signed-off-by: Gonglei
-Tested-by: Li Qiang
-Reviewed-by: Michael S. Tsirkin
-Signed-off-by: Michael S. Tsirkin
-(cherry picked from commit a08aaff811fb194950f79711d2afe5a892ae03a4)
-Signed-off-by: Michael Roth
-Signed-off-by: Sona Sarmadi
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e..c23e1ad 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- uint32_t hash_start_src_offset = 0, len_to_hash = 0;
- uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
-
-- size_t max_len, curr_size = 0;
-+ uint64_t max_len, curr_size = 0;
- size_t s;
-
- /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- return NULL;
- }
-
-- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
- if (unlikely(max_len > vcrypto->conf.max_size)) {
- virtio_error(vdev, "virtio-crypto too big length");
- return NULL;
---
-1.9.1
-
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch b/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
deleted file mode 100644
index a939e85..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
-From: Li Qiang
-Date: Tue, 7 Feb 2017 02:23:33 -0800
-Subject: [PATCH] usb: ohci: limit the number of link eds
-
-The guest may builds an infinite loop with link eds. This patch
-limit the number of linked ed to avoid this.
-
-CVE: CVE-2017-6505
-Upstream-Status: Backport [backport from v2.9.0-rc0~85^2~8]
-
-Signed-off-by: Li Qiang
-Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
-Signed-off-by: Gerd Hoffmann
-Signed-off-by: Sona Sarmadi
----
- hw/usb/hcd-ohci.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 2cba3e3..21c93e0 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -42,6 +42,8 @@
-
- #define OHCI_MAX_PORTS 15
-
-+#define ED_LINK_LIMIT 4
-+
- static int64_t usb_frame_time;
- static int64_t usb_bit_time;
-
-@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
- uint32_t next_ed;
- uint32_t cur;
- int active;
--
-+ uint32_t link_cnt = 0;
- active = 0;
-
- if (head == 0)
-@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
-
- next_ed = ed.next & OHCI_DPTR_MASK;
-
-+ if (++link_cnt > ED_LINK_LIMIT) {
-+ ohci_die(ohci);
-+ return 0;
-+ }
-+
- if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
- uint32_t addr;
- /* Cancel pending packets for ED that have been paused. */
---
-1.9.1
-
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-7471.patch b/recipes-devtools/qemu/qemu/CVE-2017-7471.patch
deleted file mode 100644
index af233d3..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-7471.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 96bae145e27d4df62671b4eebd6c735f412016cf Mon Sep 17 00:00:00 2001
-From: Greg Kurz
-Date: Mon, 17 Apr 2017 10:53:23 +0200
-Subject: [PATCH] 9pfs: local: set the path of the export root to "."
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The local backend was recently converted to using "at*()" syscalls in order
-to ensure all accesses happen below the shared directory. This requires that
-we only pass relative paths, otherwise the dirfd argument to the "at*()"
-syscalls is ignored and the path is treated as an absolute path in the host.
-This is actually the case for paths in all fids, with the notable exception
-of the root fid, whose path is "/". This causes the following backend ops to
-act on the "/" directory of the host instead of the virtfs shared directory
-when the export root is involved:
-- lstat
-- chmod
-- chown
-- utimensat
-
-ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
-host for example. This could cause security issues with a privileged QEMU.
-
-All "*at()" syscalls are being passed an open file descriptor. In the case
-of the export root, this file descriptor points to the path in the host that
-was passed to -fsdev.
-
-The fix is thus as simple as changing the path of the export root fid to be
-"." instead of "/".
-
-This is CVE-2017-7471.
-
-CVE: CVE-2017-7471
-Upstream-Status: Backport
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Léo Gaspard
-Signed-off-by: Greg Kurz
-Reviewed-by: Eric Blake
-Signed-off-by: Peter Maydell
-(cherry picked from commit 9c6b899f7a46893ab3b671e341a2234e9c0c060e)
-Signed-off-by: Michael Roth
-Signed-off-by: Sona Sarmadi
----
- hw/9pfs/9p-local.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index 227de61..293e0dc 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -1099,8 +1099,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
- {
- if (dir_path) {
- v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
-- } else {
-+ } else if (strcmp(name, "/")) {
- v9fs_path_sprintf(target, "%s", name);
-+ } else {
-+ /* We want the path of the export root to be relative, otherwise
-+ * "*at()" syscalls would treat it as "/" in the host.
-+ */
-+ v9fs_path_sprintf(target, "%s", ".");
- }
- return 0;
- }
---
-1.9.1
-
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
deleted file mode 100644
index 812e64b..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann
-Date: Fri, 28 Apr 2017 09:56:12 +0200
-Subject: [PATCH] audio: release capture buffers
-
-AUD_add_capture() allocates two buffers which are never released.
-Add the missing calls to AUD_del_capture().
-
-Impact: Allows vnc clients to exhaust host memory by repeatedly
-starting and stopping audio capture.
-
-Fixes: CVE-2017-8309
-
-CVE-2017-8309
-Upstream-Status: Backport [backport from master, v2.10.0-rc0~214^2~27]
-
-Cc: P J P
-Cc: Huawei PSIRT
-Reported-by: "Jiangxin (hunter, SCC)"
-Signed-off-by: Gerd Hoffmann
-Reviewed-by: Prasad J Pandit
-Message-id: 20170428075612.9997-1-kraxel@redhat.com
-Signed-off-by: Sona Sarmadi
----
- audio/audio.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/audio/audio.c b/audio/audio.c
-index c8898d8..beafed2 100644
---- a/audio/audio.c
-+++ b/audio/audio.c
-@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
- sw = sw1;
- }
- QLIST_REMOVE (cap, entries);
-+ g_free (cap->hw.mix_buf);
-+ g_free (cap->buf);
- g_free (cap);
- }
- return;
---
-1.9.1
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend
deleted file mode 100644
index e27553c..0000000
--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ /dev/null
@@ -1,10 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-
-SRC_URI += "file://0001-CVE-2017-2620.patch \
- file://0002-CVE-2017-2620.patch \
- file://CVE-2017-7471.patch \
- file://CVE-2017-6505.patch \
- file://CVE-2017-8309.patch \
- file://CVE-2017-5931.patch \
- "
--
cgit v1.2.3-54-g00ecf