7 files changed, 351 insertions, 54 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
index 7e1e442a41..81607c9505 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
@@ -19,7 +19,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
 Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff
 ;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1]
-CVE: CVE-2018-10839
+CVE: CVE-2018-10839 CVE-2018-17958
 Signed-off-by: Changqing Li <changqing.li@windriver.com>
 ---
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
deleted file mode 100644
index af40ff275a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 06e88ca78d056ea4de885e3a1496805179dc47bc Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Mon, 15 Oct 2018 16:33:04 +0800
-Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
-In ne2000_receive(), we try to assign size_ to size which converts
-from size_t to integer. This will cause troubles when size_ is greater
-INT_MAX, this will lead a negative value in size and it can then pass
-the check of size < MIN_BUF_SIZE which may lead out of bound access of
-for both buf and buf1.
-Fixing by converting the type of size to size_t.
-CC: address@hidden
-Reported-by: Daniel Shapira <address@hidden>
-Reviewed-by: Michael S. Tsirkin <address@hidden>
-Signed-off-by: Jason Wang <address@hidden>
-Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html]
-CVE: CVE-2018-17958
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
- hw/net/ne2000.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
-index 07d79e3..869518e 100644
--- a/hw/net/ne2000.c
-+++ b/hw/net/ne2000.c
-@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
- ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
- {
-     NE2000State *s = qemu_get_nic_opaque(nc);
-    int size = size_;
-+    size_t size = size_;
-     uint8_t *p;
-     unsigned int total_len, next, avail, len, index, mcast_idx;
-     uint8_t buf1[60];
-@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
-         { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
- 
- #if defined(DEBUG_NE2000)
-    printf("NE2000: received len=%d\n", size);
-+    printf("NE2000: received len=%zu\n", size);
- #endif
- 
-     if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
-- 
-2.7.4
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
new file mode 100644
index 0000000000..9fe136455f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
@@ -0,0 +1,50 @@
+From 3c9fd43da473a324f6cc7a0d3db58f651a2d262c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 26 Oct 2018 18:03:58 +0530
+Subject: [PATCH] ppc/pnv: check size before data buffer access
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+While performing PowerNV memory r/w operations, the access length
+'sz' could exceed the data[4] buffer size. Add check to avoid OOB
+access.
+Reported-by: Moguofang <moguofang@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+CVE: CVE-2018-18954
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=d07945e78eb6b593cd17a4640c1fc9eb35e3245d]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/ppc/pnv_lpc.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
+index d7721320a2..172a915cfc 100644
+--- a/hw/ppc/pnv_lpc.c
+++ b/hw/ppc/pnv_lpc.c
+@@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
+     /* XXX Check for magic bits at the top, addr size etc... */
+     unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
+     uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
+-    uint8_t data[4];
+    uint8_t data[8];
+     bool success;
+ 
+    if (sz > sizeof(data)) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+            "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
+        return;
+    }
+
+     if (cmd & ECCB_CTL_READ) {
+         success = opb_read(lpc, opb_addr, data, sz);
+         if (success) {
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
new file mode 100644
index 0000000000..0e11ad288c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
+From b664d9d003d1a98642dcfb8e6fceef6dbf3d52d8 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 8 Jan 2019 11:23:01 +0100
+Subject: [PATCH] i2c-ddc: fix oob read
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Suggested-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20190108102301.1957-1-kraxel@redhat.com
+CVE: CVE-2019-3812
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=b05b267840515730dbf6753495d5b7bd8b04ad1c]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/i2c/i2c-ddc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
+index bec0c91e2d..89e659288e 100644
+--- a/hw/i2c/i2c-ddc.c
+++ b/hw/i2c/i2c-ddc.c
+@@ -247,7 +247,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
+     I2CDDCState *s = I2CDDC(i2c);
+ 
+     int value;
+-    value = s->edid_blob[s->reg];
+    value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
+     s->reg++;
+     return value;
+ }
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
new file mode 100644
index 0000000000..5b14596042
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
@@ -0,0 +1,41 @@
+From b6c0fa3b435375918714e107b22de2ef13a41c26 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Sun, 13 Jan 2019 23:29:48 +0530
+Subject: [PATCH] slirp: check data length while emulating ident function
+While emulating identification protocol, tcp_emu() does not check
+available space in the 'sc_rcv->sb_data' buffer. It could lead to
+heap buffer overflow issue. Add check to avoid it.
+Reported-by: Kira <864786842@qq.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+CVE: CVE-2019-6778
+Upstream-Status: Backport
+[https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ slirp/tcp_subr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 8d0f94b75f..7277aadfdf 100644
+--- a/slirp/tcp_subr.c
+++ b/slirp/tcp_subr.c
+@@ -640,6 +640,11 @@ tcp_emu(struct socket *so, struct mbuf *m)
+                        socklen_t addrlen = sizeof(struct sockaddr_in);
+                        struct sbuf *so_rcv = &so->so_rcv;
+ 
+                       if (m->m_len > so_rcv->sb_datalen
+                                       - (so_rcv->sb_wptr - so_rcv->sb_data)) {
+                           return 1;
+                       }
+
+                        memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+                        so_rcv->sb_wptr += m->m_len;
+                        so_rcv->sb_rptr += m->m_len;
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
new file mode 100644
index 0000000000..db3201c505
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
@@ -0,0 +1,215 @@
+From 13e153f01b4f2a3e199202b34a247d83c176f21a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 18 Feb 2019 23:43:49 +0530
+Subject: [PATCH] ppc: add host-serial and host-model machine attributes
+ (CVE-2019-8934)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+On ppc hosts, hypervisor shares following system attributes
+  - /proc/device-tree/system-id
+  - /proc/device-tree/model
+with a guest. This could lead to information leakage and misuse.[*]
+Add machine attributes to control such system information exposure
+to a guest.
+[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
+Reported-by: Daniel P. Berrangé <berrange@redhat.com>
+Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
+Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+CVE: CVE-2019-8934
+Upstream-Status: Backport
+[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
+Signed-off-by: Dan Tran <dantran@microsoft.com>
+---
+ hw/ppc/spapr.c         | 128 ++++++++++++++++++++++++++++++++++++++---
+ include/hw/ppc/spapr.h |   2 +
+ 2 files changed, 123 insertions(+), 7 deletions(-)
+diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
+index 421b2dd09b..069d678ee0 100644
+--- a/hw/ppc/spapr.c
+++ b/hw/ppc/spapr.c
+@@ -1266,13 +1266,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
+      * Add info to guest to indentify which host is it being run on
+      * and what is the uuid of the guest
+      */
+-    if (kvmppc_get_host_model(&buf)) {
+-        _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+-        g_free(buf);
+    if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
+        if (g_str_equal(spapr->host_model, "passthrough")) {
+            /* -M host-model=passthrough */
+            if (kvmppc_get_host_model(&buf)) {
+                _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
+                g_free(buf);
+            }
+        } else {
+            /* -M host-model=<user-string> */
+            _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
+        }
+     }
+-    if (kvmppc_get_host_serial(&buf)) {
+-        _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+-        g_free(buf);
+
+    if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
+        if (g_str_equal(spapr->host_serial, "passthrough")) {
+            /* -M host-serial=passthrough */
+            if (kvmppc_get_host_serial(&buf)) {
+                _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
+                g_free(buf);
+            }
+        } else {
+            /* -M host-serial=<user-string> */
+            _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
+        }
+     }
+ 
+     buf = qemu_uuid_unparse_strdup(&qemu_uuid);
+@@ -3027,6 +3044,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
+     visit_type_uint32(v, name, (uint32_t *)opaque, errp);
+ }
+ 
+static char *spapr_get_ic_mode(Object *obj, Error **errp)
+{
+    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+    if (spapr->irq == &spapr_irq_xics_legacy) {
+        return g_strdup("legacy");
+    } else if (spapr->irq == &spapr_irq_xics) {
+        return g_strdup("xics");
+    } else if (spapr->irq == &spapr_irq_xive) {
+        return g_strdup("xive");
+    } else if (spapr->irq == &spapr_irq_dual) {
+        return g_strdup("dual");
+    }
+    g_assert_not_reached();
+}
+
+static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
+{
+    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+    if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
+        error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
+        return;
+    }
+
+    /* The legacy IRQ backend can not be set */
+    if (strcmp(value, "xics") == 0) {
+        spapr->irq = &spapr_irq_xics;
+    } else if (strcmp(value, "xive") == 0) {
+        spapr->irq = &spapr_irq_xive;
+    } else if (strcmp(value, "dual") == 0) {
+        spapr->irq = &spapr_irq_dual;
+    } else {
+        error_setg(errp, "Bad value for \"ic-mode\" property");
+    }
+}
+
+static char *spapr_get_host_model(Object *obj, Error **errp)
+{
+    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+    return g_strdup(spapr->host_model);
+}
+
+static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
+{
+    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+    g_free(spapr->host_model);
+    spapr->host_model = g_strdup(value);
+}
+
+static char *spapr_get_host_serial(Object *obj, Error **errp)
+{
+    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+    return g_strdup(spapr->host_serial);
+}
+
+static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
+{
+    sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+
+    g_free(spapr->host_serial);
+    spapr->host_serial = g_strdup(value);
+}
+
+ static void spapr_instance_init(Object *obj)
+ {
+     sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
+@@ -3063,6 +3147,25 @@ static void spapr_instance_init(Object *obj)
+                                     " the host's SMT mode", &error_abort);
+     object_property_add_bool(obj, "vfio-no-msix-emulation",
+                              spapr_get_msix_emulation, NULL, NULL);
+
+    /* The machine class defines the default interrupt controller mode */
+    spapr->irq = smc->irq;
+    object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
+                            spapr_set_ic_mode, NULL);
+    object_property_set_description(obj, "ic-mode",
+                 "Specifies the interrupt controller mode (xics, xive, dual)",
+                 NULL);
+
+    object_property_add_str(obj, "host-model",
+        spapr_get_host_model, spapr_set_host_model,
+        &error_abort);
+    object_property_set_description(obj, "host-model",
+        "Set host's model-id to use - none|passthrough|string", &error_abort);
+    object_property_add_str(obj, "host-serial",
+        spapr_get_host_serial, spapr_set_host_serial,
+        &error_abort);
+    object_property_set_description(obj, "host-serial",
+        "Set host's system-id to use - none|passthrough|string", &error_abort);
+ }
+ 
+ static void spapr_machine_finalizefn(Object *obj)
+@@ -4067,7 +4170,18 @@ static void spapr_machine_3_0_instance_options(MachineState *machine)
+ 
+ static void spapr_machine_3_0_class_options(MachineClass *mc)
+ {
+-    /* Defaults for the latest behaviour inherited from the base class */
+    sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
+    static GlobalProperty compat[] = {
+        { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
+        { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
+    };
+
+    spapr_machine_4_0_class_options(mc);
+    compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
+    compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
+
+    mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
+    smc->update_dt_enabled = false;
+ }
+ 
+ DEFINE_SPAPR_MACHINE(3_0, "3.0", true);
+diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
+index 7e5de1a6fd..4c69a55374 100644
+--- a/include/hw/ppc/spapr.h
+++ b/include/hw/ppc/spapr.h
+@@ -165,6 +165,8 @@ struct sPAPRMachineState {
+ 
+     /*< public >*/
+     char *kvm_type;
+    char *host_model;
+    char *host_serial;
+ 
+     const char *icp_type;
+ 
+-- 
+2.22.0.vfs.1.1.57.gbaf16c8
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index f02e3120cc..6c3049b40e 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://0009-apic-fixup-fallthrough-to-PIC.patch \
           file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
           file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
+           file://CVE-2018-10839.patch\
           file://CVE-2018-15746.patch \
-           file://CVE-2018-17958.patch \
           file://CVE-2018-17962.patch \
           file://CVE-2018-17963.patch \
           file://CVE-2018-16867.patch \
@@ -36,6 +36,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
           file://CVE-2018-20815_p2.patch \
           file://CVE-2019-9824.patch \
           file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
+           file://CVE-2018-18954.patch \
+           file://CVE-2019-3812.patch \
+           file://CVE-2019-6778.patch \
+           file://CVE-2019-8934.patch \
           "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch index 7e1e442a41..81607c9505 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
@@ -19,7 +19,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
19	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff	19	Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff
20	;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1]	20	;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1]
21		21
22	CVE: CVE-2018-10839	22	CVE: CVE-2018-10839 CVE-2018-17958
23		23
24	Signed-off-by: Changqing Li <changqing.li@windriver.com>	24	Signed-off-by: Changqing Li <changqing.li@windriver.com>
25	---	25	---


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch deleted file mode 100644 index af40ff275a..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch +++ /dev/null
@@ -1,52 +0,0 @@
1	From 06e88ca78d056ea4de885e3a1496805179dc47bc Mon Sep 17 00:00:00 2001
2	From: Changqing Li <changqing.li@windriver.com>
3	Date: Mon, 15 Oct 2018 16:33:04 +0800
4	Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
5
6	In ne2000_receive(), we try to assign size_ to size which converts
7	from size_t to integer. This will cause troubles when size_ is greater
8	INT_MAX, this will lead a negative value in size and it can then pass
9	the check of size < MIN_BUF_SIZE which may lead out of bound access of
10	for both buf and buf1.
11
12	Fixing by converting the type of size to size_t.
13
14	CC: address@hidden
15	Reported-by: Daniel Shapira <address@hidden>
16	Reviewed-by: Michael S. Tsirkin <address@hidden>
17	Signed-off-by: Jason Wang <address@hidden>
18
19	Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html]
20
21	CVE: CVE-2018-17958
22
23	Signed-off-by: Changqing Li <changqing.li@windriver.com>
24	---
25	hw/net/ne2000.c \| 4 ++--
26	1 file changed, 2 insertions(+), 2 deletions(-)
27
28	diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
29	index 07d79e3..869518e 100644
30	--- a/hw/net/ne2000.c
31	+++ b/hw/net/ne2000.c
32	@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
33	ssize_t ne2000_receive(NetClientState nc, const uint8_t buf, size_t size_)
34	{
35	NE2000State *s = qemu_get_nic_opaque(nc);
36	- int size = size_;
37	+ size_t size = size_;
38	uint8_t *p;
39	unsigned int total_len, next, avail, len, index, mcast_idx;
40	uint8_t buf1[60];
41	@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState nc, const uint8_t buf, size_t size_)
42	{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
43
44	#if defined(DEBUG_NE2000)
45	- printf("NE2000: received len=%d\n", size);
46	+ printf("NE2000: received len=%zu\n", size);
47	#endif
48
49	if (s->cmd & E8390_STOP \|\| ne2000_buffer_full(s))
50	--
51	2.7.4
52


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch new file mode 100644 index 0000000000..9fe136455f --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
@@ -0,0 +1,50 @@
		1	From 3c9fd43da473a324f6cc7a0d3db58f651a2d262c Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Fri, 26 Oct 2018 18:03:58 +0530
		4	Subject: [PATCH] ppc/pnv: check size before data buffer access
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	While performing PowerNV memory r/w operations, the access length
		10	'sz' could exceed the data[4] buffer size. Add check to avoid OOB
		11	access.
		12
		13	Reported-by: Moguofang <moguofang@huawei.com>
		14	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		15	Reviewed-by: Cédric Le Goater <clg@kaod.org>
		16	Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
		17
		18	CVE: CVE-2018-18954
		19	Upstream-Status: Backport
		20	[https://git.qemu.org/?p=qemu.git;a=commit;h=d07945e78eb6b593cd17a4640c1fc9eb35e3245d]
		21
		22	Signed-off-by: Dan Tran <dantran@microsoft.com>
		23	---
		24	hw/ppc/pnv_lpc.c \| 8 +++++++-
		25	1 file changed, 7 insertions(+), 1 deletion(-)
		26
		27	diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
		28	index d7721320a2..172a915cfc 100644
		29	--- a/hw/ppc/pnv_lpc.c
		30	+++ b/hw/ppc/pnv_lpc.c
		31	@@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
		32	/* XXX Check for magic bits at the top, addr size etc... */
		33	unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
		34	uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
		35	- uint8_t data[4];
		36	+ uint8_t data[8];
		37	bool success;
		38
		39	+ if (sz > sizeof(data)) {
		40	+ qemu_log_mask(LOG_GUEST_ERROR,
		41	+ "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
		42	+ return;
		43	+ }
		44	+
		45	if (cmd & ECCB_CTL_READ) {
		46	success = opb_read(lpc, opb_addr, data, sz);
		47	if (success) {
		48	--
		49	2.22.0.vfs.1.1.57.gbaf16c8
		50


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch new file mode 100644 index 0000000000..0e11ad288c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
		1	From b664d9d003d1a98642dcfb8e6fceef6dbf3d52d8 Mon Sep 17 00:00:00 2001
		2	From: Gerd Hoffmann <kraxel@redhat.com>
		3	Date: Tue, 8 Jan 2019 11:23:01 +0100
		4	Subject: [PATCH] i2c-ddc: fix oob read
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	Suggested-by: Michael Hanselmann <public@hansmi.ch>
		10	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
		11	Reviewed-by: Michael Hanselmann <public@hansmi.ch>
		12	Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
		13	Message-id: 20190108102301.1957-1-kraxel@redhat.com
		14
		15	CVE: CVE-2019-3812
		16	Upstream-Status: Backport
		17	[https://git.qemu.org/?p=qemu.git;a=commit;h=b05b267840515730dbf6753495d5b7bd8b04ad1c]
		18
		19	Signed-off-by: Dan Tran <dantran@microsoft.com>
		20	---
		21	hw/i2c/i2c-ddc.c \| 2 +-
		22	1 file changed, 1 insertion(+), 1 deletion(-)
		23
		24	diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
		25	index bec0c91e2d..89e659288e 100644
		26	--- a/hw/i2c/i2c-ddc.c
		27	+++ b/hw/i2c/i2c-ddc.c
		28	@@ -247,7 +247,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
		29	I2CDDCState *s = I2CDDC(i2c);
		30
		31	int value;
		32	- value = s->edid_blob[s->reg];
		33	+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
		34	s->reg++;
		35	return value;
		36	}
		37	--
		38	2.22.0.vfs.1.1.57.gbaf16c8
		39


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch new file mode 100644 index 0000000000..5b14596042 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
@@ -0,0 +1,41 @@
		1	From b6c0fa3b435375918714e107b22de2ef13a41c26 Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Sun, 13 Jan 2019 23:29:48 +0530
		4	Subject: [PATCH] slirp: check data length while emulating ident function
		5
		6	While emulating identification protocol, tcp_emu() does not check
		7	available space in the 'sc_rcv->sb_data' buffer. It could lead to
		8	heap buffer overflow issue. Add check to avoid it.
		9
		10	Reported-by: Kira <864786842@qq.com>
		11	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		12	Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
		13
		14	CVE: CVE-2019-6778
		15	Upstream-Status: Backport
		16	[https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905]
		17
		18	Signed-off-by: Dan Tran <dantran@microsoft.com>
		19	---
		20	slirp/tcp_subr.c \| 5 +++++
		21	1 file changed, 5 insertions(+)
		22
		23	diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
		24	index 8d0f94b75f..7277aadfdf 100644
		25	--- a/slirp/tcp_subr.c
		26	+++ b/slirp/tcp_subr.c
		27	@@ -640,6 +640,11 @@ tcp_emu(struct socket so, struct mbuf m)
		28	socklen_t addrlen = sizeof(struct sockaddr_in);
		29	struct sbuf *so_rcv = &so->so_rcv;
		30
		31	+ if (m->m_len > so_rcv->sb_datalen
		32	+ - (so_rcv->sb_wptr - so_rcv->sb_data)) {
		33	+ return 1;
		34	+ }
		35	+
		36	memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
		37	so_rcv->sb_wptr += m->m_len;
		38	so_rcv->sb_rptr += m->m_len;
		39	--
		40	2.22.0.vfs.1.1.57.gbaf16c8
		41


diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch new file mode 100644 index 0000000000..db3201c505 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
@@ -0,0 +1,215 @@
		1	From 13e153f01b4f2a3e199202b34a247d83c176f21a Mon Sep 17 00:00:00 2001
		2	From: Prasad J Pandit <pjp@fedoraproject.org>
		3	Date: Mon, 18 Feb 2019 23:43:49 +0530
		4	Subject: [PATCH] ppc: add host-serial and host-model machine attributes
		5	(CVE-2019-8934)
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	On ppc hosts, hypervisor shares following system attributes
		11
		12	- /proc/device-tree/system-id
		13	- /proc/device-tree/model
		14
		15	with a guest. This could lead to information leakage and misuse.[*]
		16	Add machine attributes to control such system information exposure
		17	to a guest.
		18
		19	[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
		20
		21	Reported-by: Daniel P. Berrangé <berrange@redhat.com>
		22	Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
		23	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
		24	Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
		25	Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
		26	Reviewed-by: Greg Kurz <groug@kaod.org>
		27	Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
		28
		29	CVE: CVE-2019-8934
		30	Upstream-Status: Backport
		31	[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
		32
		33	Signed-off-by: Dan Tran <dantran@microsoft.com>
		34	---
		35	hw/ppc/spapr.c \| 128 ++++++++++++++++++++++++++++++++++++++---
		36	include/hw/ppc/spapr.h \| 2 +
		37	2 files changed, 123 insertions(+), 7 deletions(-)
		38
		39	diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
		40	index 421b2dd09b..069d678ee0 100644
		41	--- a/hw/ppc/spapr.c
		42	+++ b/hw/ppc/spapr.c
		43	@@ -1266,13 +1266,30 @@ static void spapr_build_fdt(sPAPRMachineState spapr,
		44	* Add info to guest to indentify which host is it being run on
		45	* and what is the uuid of the guest
		46	*/
		47	- if (kvmppc_get_host_model(&buf)) {
		48	- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
		49	- g_free(buf);
		50	+ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
		51	+ if (g_str_equal(spapr->host_model, "passthrough")) {
		52	+ /* -M host-model=passthrough */
		53	+ if (kvmppc_get_host_model(&buf)) {
		54	+ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
		55	+ g_free(buf);
		56	+ }
		57	+ } else {
		58	+ /* -M host-model=<user-string> */
		59	+ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
		60	+ }
		61	}
		62	- if (kvmppc_get_host_serial(&buf)) {
		63	- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
		64	- g_free(buf);
		65	+
		66	+ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
		67	+ if (g_str_equal(spapr->host_serial, "passthrough")) {
		68	+ /* -M host-serial=passthrough */
		69	+ if (kvmppc_get_host_serial(&buf)) {
		70	+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
		71	+ g_free(buf);
		72	+ }
		73	+ } else {
		74	+ /* -M host-serial=<user-string> */
		75	+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
		76	+ }
		77	}
		78
		79	buf = qemu_uuid_unparse_strdup(&qemu_uuid);
		80	@@ -3027,6 +3044,73 @@ static void spapr_set_vsmt(Object obj, Visitor v, const char *name,
		81	visit_type_uint32(v, name, (uint32_t *)opaque, errp);
		82	}
		83
		84	+static char spapr_get_ic_mode(Object obj, Error **errp)
		85	+{
		86	+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
		87	+
		88	+ if (spapr->irq == &spapr_irq_xics_legacy) {
		89	+ return g_strdup("legacy");
		90	+ } else if (spapr->irq == &spapr_irq_xics) {
		91	+ return g_strdup("xics");
		92	+ } else if (spapr->irq == &spapr_irq_xive) {
		93	+ return g_strdup("xive");
		94	+ } else if (spapr->irq == &spapr_irq_dual) {
		95	+ return g_strdup("dual");
		96	+ }
		97	+ g_assert_not_reached();
		98	+}
		99	+
		100	+static void spapr_set_ic_mode(Object obj, const char value, Error **errp)
		101	+{
		102	+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
		103	+
		104	+ if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
		105	+ error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
		106	+ return;
		107	+ }
		108	+
		109	+ /* The legacy IRQ backend can not be set */
		110	+ if (strcmp(value, "xics") == 0) {
		111	+ spapr->irq = &spapr_irq_xics;
		112	+ } else if (strcmp(value, "xive") == 0) {
		113	+ spapr->irq = &spapr_irq_xive;
		114	+ } else if (strcmp(value, "dual") == 0) {
		115	+ spapr->irq = &spapr_irq_dual;
		116	+ } else {
		117	+ error_setg(errp, "Bad value for \"ic-mode\" property");
		118	+ }
		119	+}
		120	+
		121	+static char spapr_get_host_model(Object obj, Error **errp)
		122	+{
		123	+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
		124	+
		125	+ return g_strdup(spapr->host_model);
		126	+}
		127	+
		128	+static void spapr_set_host_model(Object obj, const char value, Error **errp)
		129	+{
		130	+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
		131	+
		132	+ g_free(spapr->host_model);
		133	+ spapr->host_model = g_strdup(value);
		134	+}
		135	+
		136	+static char spapr_get_host_serial(Object obj, Error **errp)
		137	+{
		138	+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
		139	+
		140	+ return g_strdup(spapr->host_serial);
		141	+}
		142	+
		143	+static void spapr_set_host_serial(Object obj, const char value, Error **errp)
		144	+{
		145	+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
		146	+
		147	+ g_free(spapr->host_serial);
		148	+ spapr->host_serial = g_strdup(value);
		149	+}
		150	+
		151	static void spapr_instance_init(Object *obj)
		152	{
		153	sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
		154	@@ -3063,6 +3147,25 @@ static void spapr_instance_init(Object *obj)
		155	" the host's SMT mode", &error_abort);
		156	object_property_add_bool(obj, "vfio-no-msix-emulation",
		157	spapr_get_msix_emulation, NULL, NULL);
		158	+
		159	+ /* The machine class defines the default interrupt controller mode */
		160	+ spapr->irq = smc->irq;
		161	+ object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
		162	+ spapr_set_ic_mode, NULL);
		163	+ object_property_set_description(obj, "ic-mode",
		164	+ "Specifies the interrupt controller mode (xics, xive, dual)",
		165	+ NULL);
		166	+
		167	+ object_property_add_str(obj, "host-model",
		168	+ spapr_get_host_model, spapr_set_host_model,
		169	+ &error_abort);
		170	+ object_property_set_description(obj, "host-model",
		171	+ "Set host's model-id to use - none\|passthrough\|string", &error_abort);
		172	+ object_property_add_str(obj, "host-serial",
		173	+ spapr_get_host_serial, spapr_set_host_serial,
		174	+ &error_abort);
		175	+ object_property_set_description(obj, "host-serial",
		176	+ "Set host's system-id to use - none\|passthrough\|string", &error_abort);
		177	}
		178
		179	static void spapr_machine_finalizefn(Object *obj)
		180	@@ -4067,7 +4170,18 @@ static void spapr_machine_3_0_instance_options(MachineState *machine)
		181
		182	static void spapr_machine_3_0_class_options(MachineClass *mc)
		183	{
		184	- /* Defaults for the latest behaviour inherited from the base class */
		185	+ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
		186	+ static GlobalProperty compat[] = {
		187	+ { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
		188	+ { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
		189	+ };
		190	+
		191	+ spapr_machine_4_0_class_options(mc);
		192	+ compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
		193	+ compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
		194	+
		195	+ mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
		196	+ smc->update_dt_enabled = false;
		197	}
		198
		199	DEFINE_SPAPR_MACHINE(3_0, "3.0", true);
		200	diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
		201	index 7e5de1a6fd..4c69a55374 100644
		202	--- a/include/hw/ppc/spapr.h
		203	+++ b/include/hw/ppc/spapr.h
		204	@@ -165,6 +165,8 @@ struct sPAPRMachineState {
		205
		206	/< public >/
		207	char *kvm_type;
		208	+ char *host_model;
		209	+ char *host_serial;
		210
		211	const char *icp_type;
		212
		213	--
		214	2.22.0.vfs.1.1.57.gbaf16c8
		215


diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb index f02e3120cc..6c3049b40e 100644 --- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
21	file://0009-apic-fixup-fallthrough-to-PIC.patch \	21	file://0009-apic-fixup-fallthrough-to-PIC.patch \
22	file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \	22	file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
23	file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \	23	file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
		24	file://CVE-2018-10839.patch\
24	file://CVE-2018-15746.patch \	25	file://CVE-2018-15746.patch \
25	file://CVE-2018-17958.patch \
26	file://CVE-2018-17962.patch \	26	file://CVE-2018-17962.patch \
27	file://CVE-2018-17963.patch \	27	file://CVE-2018-17963.patch \
28	file://CVE-2018-16867.patch \	28	file://CVE-2018-16867.patch \
@@ -36,6 +36,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
36	file://CVE-2018-20815_p2.patch \	36	file://CVE-2018-20815_p2.patch \
37	file://CVE-2019-9824.patch \	37	file://CVE-2019-9824.patch \
38	file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \	38	file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
		39	file://CVE-2018-18954.patch \
		40	file://CVE-2019-3812.patch \
		41	file://CVE-2019-6778.patch \
		42	file://CVE-2019-8934.patch \
39	"	43	"
40	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"	44	UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
41		45