summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch2
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch52
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch41
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch215
-rw-r--r--meta/recipes-devtools/qemu/qemu_3.0.0.bb6
7 files changed, 351 insertions, 54 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
index 7e1e442a41..81607c9505 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
@@ -19,7 +19,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
19Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff 19Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff
20;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1] 20;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1]
21 21
22CVE: CVE-2018-10839 22CVE: CVE-2018-10839 CVE-2018-17958
23 23
24Signed-off-by: Changqing Li <changqing.li@windriver.com> 24Signed-off-by: Changqing Li <changqing.li@windriver.com>
25--- 25---
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
deleted file mode 100644
index af40ff275a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
+++ /dev/null
@@ -1,52 +0,0 @@
1From 06e88ca78d056ea4de885e3a1496805179dc47bc Mon Sep 17 00:00:00 2001
2From: Changqing Li <changqing.li@windriver.com>
3Date: Mon, 15 Oct 2018 16:33:04 +0800
4Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
5
6In ne2000_receive(), we try to assign size_ to size which converts
7from size_t to integer. This will cause troubles when size_ is greater
8INT_MAX, this will lead a negative value in size and it can then pass
9the check of size < MIN_BUF_SIZE which may lead out of bound access of
10for both buf and buf1.
11
12Fixing by converting the type of size to size_t.
13
14CC: address@hidden
15Reported-by: Daniel Shapira <address@hidden>
16Reviewed-by: Michael S. Tsirkin <address@hidden>
17Signed-off-by: Jason Wang <address@hidden>
18
19Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html]
20
21CVE: CVE-2018-17958
22
23Signed-off-by: Changqing Li <changqing.li@windriver.com>
24---
25 hw/net/ne2000.c | 4 ++--
26 1 file changed, 2 insertions(+), 2 deletions(-)
27
28diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
29index 07d79e3..869518e 100644
30--- a/hw/net/ne2000.c
31+++ b/hw/net/ne2000.c
32@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
33 ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
34 {
35 NE2000State *s = qemu_get_nic_opaque(nc);
36- int size = size_;
37+ size_t size = size_;
38 uint8_t *p;
39 unsigned int total_len, next, avail, len, index, mcast_idx;
40 uint8_t buf1[60];
41@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
42 { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
43
44 #if defined(DEBUG_NE2000)
45- printf("NE2000: received len=%d\n", size);
46+ printf("NE2000: received len=%zu\n", size);
47 #endif
48
49 if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
50--
512.7.4
52
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
new file mode 100644
index 0000000000..9fe136455f
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch
@@ -0,0 +1,50 @@
1From 3c9fd43da473a324f6cc7a0d3db58f651a2d262c Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Fri, 26 Oct 2018 18:03:58 +0530
4Subject: [PATCH] ppc/pnv: check size before data buffer access
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9While performing PowerNV memory r/w operations, the access length
10'sz' could exceed the data[4] buffer size. Add check to avoid OOB
11access.
12
13Reported-by: Moguofang <moguofang@huawei.com>
14Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
15Reviewed-by: Cédric Le Goater <clg@kaod.org>
16Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
17
18CVE: CVE-2018-18954
19Upstream-Status: Backport
20[https://git.qemu.org/?p=qemu.git;a=commit;h=d07945e78eb6b593cd17a4640c1fc9eb35e3245d]
21
22Signed-off-by: Dan Tran <dantran@microsoft.com>
23---
24 hw/ppc/pnv_lpc.c | 8 +++++++-
25 1 file changed, 7 insertions(+), 1 deletion(-)
26
27diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c
28index d7721320a2..172a915cfc 100644
29--- a/hw/ppc/pnv_lpc.c
30+++ b/hw/ppc/pnv_lpc.c
31@@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd)
32 /* XXX Check for magic bits at the top, addr size etc... */
33 unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH;
34 uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK;
35- uint8_t data[4];
36+ uint8_t data[8];
37 bool success;
38
39+ if (sz > sizeof(data)) {
40+ qemu_log_mask(LOG_GUEST_ERROR,
41+ "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz);
42+ return;
43+ }
44+
45 if (cmd & ECCB_CTL_READ) {
46 success = opb_read(lpc, opb_addr, data, sz);
47 if (success) {
48--
492.22.0.vfs.1.1.57.gbaf16c8
50
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
new file mode 100644
index 0000000000..0e11ad288c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
@@ -0,0 +1,39 @@
1From b664d9d003d1a98642dcfb8e6fceef6dbf3d52d8 Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Tue, 8 Jan 2019 11:23:01 +0100
4Subject: [PATCH] i2c-ddc: fix oob read
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Suggested-by: Michael Hanselmann <public@hansmi.ch>
10Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
11Reviewed-by: Michael Hanselmann <public@hansmi.ch>
12Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
13Message-id: 20190108102301.1957-1-kraxel@redhat.com
14
15CVE: CVE-2019-3812
16Upstream-Status: Backport
17[https://git.qemu.org/?p=qemu.git;a=commit;h=b05b267840515730dbf6753495d5b7bd8b04ad1c]
18
19Signed-off-by: Dan Tran <dantran@microsoft.com>
20---
21 hw/i2c/i2c-ddc.c | 2 +-
22 1 file changed, 1 insertion(+), 1 deletion(-)
23
24diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
25index bec0c91e2d..89e659288e 100644
26--- a/hw/i2c/i2c-ddc.c
27+++ b/hw/i2c/i2c-ddc.c
28@@ -247,7 +247,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
29 I2CDDCState *s = I2CDDC(i2c);
30
31 int value;
32- value = s->edid_blob[s->reg];
33+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
34 s->reg++;
35 return value;
36 }
37--
382.22.0.vfs.1.1.57.gbaf16c8
39
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
new file mode 100644
index 0000000000..5b14596042
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch
@@ -0,0 +1,41 @@
1From b6c0fa3b435375918714e107b22de2ef13a41c26 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Sun, 13 Jan 2019 23:29:48 +0530
4Subject: [PATCH] slirp: check data length while emulating ident function
5
6While emulating identification protocol, tcp_emu() does not check
7available space in the 'sc_rcv->sb_data' buffer. It could lead to
8heap buffer overflow issue. Add check to avoid it.
9
10Reported-by: Kira <864786842@qq.com>
11Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
12Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
13
14CVE: CVE-2019-6778
15Upstream-Status: Backport
16[https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905]
17
18Signed-off-by: Dan Tran <dantran@microsoft.com>
19---
20 slirp/tcp_subr.c | 5 +++++
21 1 file changed, 5 insertions(+)
22
23diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
24index 8d0f94b75f..7277aadfdf 100644
25--- a/slirp/tcp_subr.c
26+++ b/slirp/tcp_subr.c
27@@ -640,6 +640,11 @@ tcp_emu(struct socket *so, struct mbuf *m)
28 socklen_t addrlen = sizeof(struct sockaddr_in);
29 struct sbuf *so_rcv = &so->so_rcv;
30
31+ if (m->m_len > so_rcv->sb_datalen
32+ - (so_rcv->sb_wptr - so_rcv->sb_data)) {
33+ return 1;
34+ }
35+
36 memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
37 so_rcv->sb_wptr += m->m_len;
38 so_rcv->sb_rptr += m->m_len;
39--
402.22.0.vfs.1.1.57.gbaf16c8
41
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
new file mode 100644
index 0000000000..db3201c505
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
@@ -0,0 +1,215 @@
1From 13e153f01b4f2a3e199202b34a247d83c176f21a Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Mon, 18 Feb 2019 23:43:49 +0530
4Subject: [PATCH] ppc: add host-serial and host-model machine attributes
5 (CVE-2019-8934)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10On ppc hosts, hypervisor shares following system attributes
11
12 - /proc/device-tree/system-id
13 - /proc/device-tree/model
14
15with a guest. This could lead to information leakage and misuse.[*]
16Add machine attributes to control such system information exposure
17to a guest.
18
19[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
20
21Reported-by: Daniel P. Berrangé <berrange@redhat.com>
22Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
23Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
24Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
25Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
26Reviewed-by: Greg Kurz <groug@kaod.org>
27Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
28
29CVE: CVE-2019-8934
30Upstream-Status: Backport
31[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
32
33Signed-off-by: Dan Tran <dantran@microsoft.com>
34---
35 hw/ppc/spapr.c | 128 ++++++++++++++++++++++++++++++++++++++---
36 include/hw/ppc/spapr.h | 2 +
37 2 files changed, 123 insertions(+), 7 deletions(-)
38
39diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
40index 421b2dd09b..069d678ee0 100644
41--- a/hw/ppc/spapr.c
42+++ b/hw/ppc/spapr.c
43@@ -1266,13 +1266,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
44 * Add info to guest to indentify which host is it being run on
45 * and what is the uuid of the guest
46 */
47- if (kvmppc_get_host_model(&buf)) {
48- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
49- g_free(buf);
50+ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
51+ if (g_str_equal(spapr->host_model, "passthrough")) {
52+ /* -M host-model=passthrough */
53+ if (kvmppc_get_host_model(&buf)) {
54+ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
55+ g_free(buf);
56+ }
57+ } else {
58+ /* -M host-model=<user-string> */
59+ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
60+ }
61 }
62- if (kvmppc_get_host_serial(&buf)) {
63- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
64- g_free(buf);
65+
66+ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
67+ if (g_str_equal(spapr->host_serial, "passthrough")) {
68+ /* -M host-serial=passthrough */
69+ if (kvmppc_get_host_serial(&buf)) {
70+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
71+ g_free(buf);
72+ }
73+ } else {
74+ /* -M host-serial=<user-string> */
75+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
76+ }
77 }
78
79 buf = qemu_uuid_unparse_strdup(&qemu_uuid);
80@@ -3027,6 +3044,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
81 visit_type_uint32(v, name, (uint32_t *)opaque, errp);
82 }
83
84+static char *spapr_get_ic_mode(Object *obj, Error **errp)
85+{
86+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
87+
88+ if (spapr->irq == &spapr_irq_xics_legacy) {
89+ return g_strdup("legacy");
90+ } else if (spapr->irq == &spapr_irq_xics) {
91+ return g_strdup("xics");
92+ } else if (spapr->irq == &spapr_irq_xive) {
93+ return g_strdup("xive");
94+ } else if (spapr->irq == &spapr_irq_dual) {
95+ return g_strdup("dual");
96+ }
97+ g_assert_not_reached();
98+}
99+
100+static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
101+{
102+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
103+
104+ if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
105+ error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
106+ return;
107+ }
108+
109+ /* The legacy IRQ backend can not be set */
110+ if (strcmp(value, "xics") == 0) {
111+ spapr->irq = &spapr_irq_xics;
112+ } else if (strcmp(value, "xive") == 0) {
113+ spapr->irq = &spapr_irq_xive;
114+ } else if (strcmp(value, "dual") == 0) {
115+ spapr->irq = &spapr_irq_dual;
116+ } else {
117+ error_setg(errp, "Bad value for \"ic-mode\" property");
118+ }
119+}
120+
121+static char *spapr_get_host_model(Object *obj, Error **errp)
122+{
123+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
124+
125+ return g_strdup(spapr->host_model);
126+}
127+
128+static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
129+{
130+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
131+
132+ g_free(spapr->host_model);
133+ spapr->host_model = g_strdup(value);
134+}
135+
136+static char *spapr_get_host_serial(Object *obj, Error **errp)
137+{
138+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
139+
140+ return g_strdup(spapr->host_serial);
141+}
142+
143+static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
144+{
145+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
146+
147+ g_free(spapr->host_serial);
148+ spapr->host_serial = g_strdup(value);
149+}
150+
151 static void spapr_instance_init(Object *obj)
152 {
153 sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
154@@ -3063,6 +3147,25 @@ static void spapr_instance_init(Object *obj)
155 " the host's SMT mode", &error_abort);
156 object_property_add_bool(obj, "vfio-no-msix-emulation",
157 spapr_get_msix_emulation, NULL, NULL);
158+
159+ /* The machine class defines the default interrupt controller mode */
160+ spapr->irq = smc->irq;
161+ object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
162+ spapr_set_ic_mode, NULL);
163+ object_property_set_description(obj, "ic-mode",
164+ "Specifies the interrupt controller mode (xics, xive, dual)",
165+ NULL);
166+
167+ object_property_add_str(obj, "host-model",
168+ spapr_get_host_model, spapr_set_host_model,
169+ &error_abort);
170+ object_property_set_description(obj, "host-model",
171+ "Set host's model-id to use - none|passthrough|string", &error_abort);
172+ object_property_add_str(obj, "host-serial",
173+ spapr_get_host_serial, spapr_set_host_serial,
174+ &error_abort);
175+ object_property_set_description(obj, "host-serial",
176+ "Set host's system-id to use - none|passthrough|string", &error_abort);
177 }
178
179 static void spapr_machine_finalizefn(Object *obj)
180@@ -4067,7 +4170,18 @@ static void spapr_machine_3_0_instance_options(MachineState *machine)
181
182 static void spapr_machine_3_0_class_options(MachineClass *mc)
183 {
184- /* Defaults for the latest behaviour inherited from the base class */
185+ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
186+ static GlobalProperty compat[] = {
187+ { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
188+ { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
189+ };
190+
191+ spapr_machine_4_0_class_options(mc);
192+ compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
193+ compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
194+
195+ mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
196+ smc->update_dt_enabled = false;
197 }
198
199 DEFINE_SPAPR_MACHINE(3_0, "3.0", true);
200diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
201index 7e5de1a6fd..4c69a55374 100644
202--- a/include/hw/ppc/spapr.h
203+++ b/include/hw/ppc/spapr.h
204@@ -165,6 +165,8 @@ struct sPAPRMachineState {
205
206 /*< public >*/
207 char *kvm_type;
208+ char *host_model;
209+ char *host_serial;
210
211 const char *icp_type;
212
213--
2142.22.0.vfs.1.1.57.gbaf16c8
215
diff --git a/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
index f02e3120cc..6c3049b40e 100644
--- a/meta/recipes-devtools/qemu/qemu_3.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -21,8 +21,8 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
21 file://0009-apic-fixup-fallthrough-to-PIC.patch \ 21 file://0009-apic-fixup-fallthrough-to-PIC.patch \
22 file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \ 22 file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
23 file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \ 23 file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
24 file://CVE-2018-10839.patch\
24 file://CVE-2018-15746.patch \ 25 file://CVE-2018-15746.patch \
25 file://CVE-2018-17958.patch \
26 file://CVE-2018-17962.patch \ 26 file://CVE-2018-17962.patch \
27 file://CVE-2018-17963.patch \ 27 file://CVE-2018-17963.patch \
28 file://CVE-2018-16867.patch \ 28 file://CVE-2018-16867.patch \
@@ -36,6 +36,10 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
36 file://CVE-2018-20815_p2.patch \ 36 file://CVE-2018-20815_p2.patch \
37 file://CVE-2019-9824.patch \ 37 file://CVE-2019-9824.patch \
38 file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \ 38 file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
39 file://CVE-2018-18954.patch \
40 file://CVE-2019-3812.patch \
41 file://CVE-2019-6778.patch \
42 file://CVE-2019-8934.patch \
39 " 43 "
40UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 44UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
41 45