summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMax Rees <maxcrees@me.com>2020-03-24 17:26:38 -0500
committerMax Rees <maxcrees@me.com>2020-03-24 17:26:38 -0500
commitffd6e687a5d0029a192bf16b220ccbfbb21bdd81 (patch)
tree32bdcf4f8e9d2cf14c865ac27df6ab028e420871
parent20f2af5a8c48426fd0ee30b6865942256a072274 (diff)
downloadpackages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.tar.gz
packages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.tar.bz2
packages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.tar.xz
packages-ffd6e687a5d0029a192bf16b220ccbfbb21bdd81.zip
user/qemu: [CVE] bump to 4.2.0 (#121)
* SSH block device support is dropped until we ship libssh (upstream switched away from libssh2) * system-ppcemb target dropped upstream * Switched to user/libslirp (4.2.0) instead of vendored copy (4.1.0) which fixes several CVEs (included in these secfixes for this time only; future secfixes for libslirp should be in user/libslirp with a rebuild of qemu for the statically linked bits).
-rw-r--r--user/qemu/APKBUILD111
-rw-r--r--user/qemu/CVE-2020-1711.patch61
-rw-r--r--user/qemu/MAP_SYNC-fix.patch22
-rw-r--r--user/qemu/fix-sockios-header.patch13
4 files changed, 160 insertions, 47 deletions
diff --git a/user/qemu/APKBUILD b/user/qemu/APKBUILD
index e64bb2510..579eed14f 100644
--- a/user/qemu/APKBUILD
+++ b/user/qemu/APKBUILD
@@ -2,10 +2,11 @@
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
+# Contributor: Max Rees <maxcrees@me.com>
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=qemu
-pkgver=3.0.0
-pkgrel=5
+pkgver=4.2.0
+pkgrel=0
pkgdesc="Machine emulator and virtualisation software"
url="https://www.qemu.org/"
arch="all"
@@ -27,13 +28,14 @@ makedepends="
libjpeg-turbo-dev
libnfs-dev
libpng-dev
- libssh2-dev
+ libslirp-dev
libusb-dev
libx11-dev
libxml2-dev
linux-headers
lzo-dev
ncurses-dev
+ py3-sphinx
python3
snappy-dev
spice-dev
@@ -109,7 +111,6 @@ _system_subsystems="
system-or1k
system-ppc
system-ppc64
- system-ppcemb
system-riscv32
system-riscv64
system-s390x
@@ -151,13 +152,14 @@ source="https://download.qemu.org/$pkgname-$pkgver.tar.xz
ncurses.patch
ignore-signals-33-and-64-to-allow-golang-emulation.patch
0001-linux-user-fix-build-with-musl-on-ppc64le.patch
- fix-sockios-header.patch
test-crypto-ivgen-skip-essiv.patch
ppc32-musl-support.patch
signal-fixes.patch
sysinfo-header.patch
fix-lm32-underlinking.patch
time64.patch
+ MAP_SYNC-fix.patch
+ CVE-2020-1711.patch
$pkgname-guest-agent.confd
$pkgname-guest-agent.initd
@@ -168,31 +170,66 @@ builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
# 2.8.1-r1:
-# - CVE-2016-7994
-# - CVE-2016-7995
-# - CVE-2016-8576
-# - CVE-2016-8577
-# - CVE-2016-8578
-# - CVE-2016-8668
-# - CVE-2016-8909
-# - CVE-2016-8910
-# - CVE-2016-9101
-# - CVE-2016-9102
-# - CVE-2016-9103
-# - CVE-2016-9104
-# - CVE-2016-9105
-# - CVE-2016-9106
-# - CVE-2017-2615
-# - CVE-2017-2620
-# - CVE-2017-5525
-# - CVE-2017-5552
-# - CVE-2017-5578
-# - CVE-2017-5579
-# - CVE-2017-5667
-# - CVE-2017-5856
-# - CVE-2017-5857
-# - CVE-2017-5898
-# - CVE-2017-5931
+# - CVE-2016-7994
+# - CVE-2016-7995
+# - CVE-2016-8576
+# - CVE-2016-8577
+# - CVE-2016-8578
+# - CVE-2016-8668
+# - CVE-2016-8909
+# - CVE-2016-8910
+# - CVE-2016-9101
+# - CVE-2016-9102
+# - CVE-2016-9103
+# - CVE-2016-9104
+# - CVE-2016-9105
+# - CVE-2016-9106
+# - CVE-2017-2615
+# - CVE-2017-2620
+# - CVE-2017-5525
+# - CVE-2017-5552
+# - CVE-2017-5578
+# - CVE-2017-5579
+# - CVE-2017-5667
+# - CVE-2017-5856
+# - CVE-2017-5857
+# - CVE-2017-5898
+# - CVE-2017-5931
+# 4.2.0-r0:
+# - CVE-2018-10839
+# - CVE-2018-16847
+# - CVE-2018-16867
+# - CVE-2018-16872
+# - CVE-2018-17958
+# - CVE-2018-17962
+# - CVE-2018-17963
+# - CVE-2018-18849
+# - CVE-2018-18954
+# - CVE-2018-19364
+# - CVE-2018-19489
+# - CVE-2018-20123
+# - CVE-2018-20124
+# - CVE-2018-20125
+# - CVE-2018-20126
+# - CVE-2018-20191
+# - CVE-2018-20216
+# - CVE-2018-20815
+# - CVE-2019-3812
+# - CVE-2019-5008
+# - CVE-2019-6501
+# - CVE-2019-6778
+# - CVE-2019-8934
+# - CVE-2019-9824
+# - CVE-2019-12068
+# - CVE-2019-12155
+# - CVE-2019-13164
+# - CVE-2019-14378
+# - CVE-2019-15034
+# - CVE-2019-15890
+# - CVE-2019-20382
+# - CVE-2020-1711
+# - CVE-2020-7039
+# - CVE-2020-8608
prepare() {
default_prepare # apply patches
@@ -218,6 +255,7 @@ _compile_common() {
--disable-gcrypt \
--cc="${CC:-gcc}" \
--python="/usr/bin/python3" \
+ --enable-slirp=system \
"$@"
make ARFLAGS="rc"
}
@@ -233,7 +271,6 @@ _compile_system() {
--enable-cap-ng \
--enable-linux-aio \
--enable-usb-redir \
- --enable-libssh2 \
--enable-vhost-net \
--enable-snappy \
--enable-tpm \
@@ -248,16 +285,19 @@ _compile_system() {
build() {
local systems
+
mkdir -p "$builddir"/build \
"$builddir"/build-user \
"$builddir"/build-gtk
+ msg "Building -user..."
cd "$builddir"/build-user
_compile_common \
--enable-linux-user \
--disable-system \
--static
+ msg "Building -system..."
cd "$builddir"/build
_compile_system \
--enable-vnc \
@@ -268,10 +308,10 @@ build() {
--disable-gtk
if [ -n "$_arch" ]; then
+ msg "Building -gtk..."
cd "$builddir"/build-gtk
_compile_system \
--enable-gtk \
- --with-gtkabi=3.0 \
--disable-vnc \
--disable-spice \
--disable-guest-agent \
@@ -287,9 +327,11 @@ check() {
}
package() {
+ msg "Installing -user..."
cd "$builddir"/build-user
make DESTDIR="$pkgdir" install
+ msg "Installing -system..."
cd "$builddir"/build
make DESTDIR="$pkgdir" install
@@ -395,7 +437,7 @@ guest() {
"$subpkgdir"/etc/conf.d/$pkgname-guest-agent
}
-sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000bd28357697b08f3b656899dceb9e459350b8d55557817444ed5d7fa380a5a qemu-3.0.0.tar.xz
+sha512sums="2a79973c2b07c53e8c57a808ea8add7b6b2cbca96488ed5d4b669ead8c9318907dec2b6109f180fc8ca8f04c0f73a56e82b3a527b5626b799d7e849f2474ec56 qemu-4.2.0.tar.xz
405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd 0001-elfload-load-PIE-executables-to-right-address.patch
1ac043312864309e19f839a699ab2485bca51bbf3d5fdb39f1a87b87e3cbdd8cbda1a56e6b5c9ffccd65a8ac2f600da9ceb8713f4dbba26f245bc52bcd8a1c56 0001-linux-user-fix-build-with-musl-on-aarch64.patch
224f5b44da749921e8a821359478c5238d8b6e24a9c0b4c5738c34e82f3062ec4639d495b8b5883d304af4a0d567e38aa6623aac1aa3a7164a5757c036528ac0 musl-F_SHLCK-and-F_EXLCK.patch
@@ -404,13 +446,14 @@ sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000b
b6ed02aaf95a9bb30a5f107d35371207967edca058f3ca11348b0b629ea7a9c4baa618db68a3df72199eea6d86d14ced74a5a229d17604cc3f0adedcfeae7a73 ncurses.patch
fd178f2913639a0c33199b3880cb17536961f2b3ff171c12b27f4be6bca032d6b88fd16302d09c692bb34883346babef5c44407a6804b20a39a465bb2bc85136 ignore-signals-33-and-64-to-allow-golang-emulation.patch
d8933df9484158c2b4888254e62117d78f8ed7c18527b249419f39c2b2ab1afa148010884b40661f8965f1ef3105580fceffdfddbb2c9221dc1c62066722ba65 0001-linux-user-fix-build-with-musl-on-ppc64le.patch
-39590476a4ebd7c1e79a4f0451b24c75b1817a2a83abaa1f71bb60b225d772152f0af8f3e51ff65645e378c536ffa6ff551dade52884d03a14b7c6a19c5c97d4 fix-sockios-header.patch
8b8db136f78bd26b5da171effa9e11016ec2bc3e2fc8107228b5543b47aa370978ed883794aa4f917f334e284a5b49e82070e1da2d31d49301195b6713a48eff test-crypto-ivgen-skip-essiv.patch
fb0130fa4e8771b23ae337ea3e5e29fd5f7dcfe7f9f7a68968f5b059bb4dd1336b0d04c118840d55885bc784a96a99b28aeacbc6a5549b2e6750c9d3099a897c ppc32-musl-support.patch
c6436b1cc986788baccd5fe0f9d23c7db9026f6b723260611cf894bd94ee830140a17ee5859efe0dad0ca3bfe9caae1269bc5c9ab4c6e696f35c7857c1b5c86b signal-fixes.patch
698f6b134f4ca87f4de62caf7a656841a40a451b8686ca95928f67a296e58a7493d432d9baa5f6360917865aa4929600baf1699993b0600923a066ca9d45d1da sysinfo-header.patch
2828cc612539aa93b5789de7de6d4f85d3cf82311484c0fe91fdd3efeb972057e2baa2a3809ed633d6caa1785642d49196cb282b095d7553c510c47ce7d6a702 fix-lm32-underlinking.patch
87f659800b78b31731ea1828a27a3762662ef124d10e942f6029b332d5e8cf4487f62a3d742ad59709c2eb9e3ae8af36fa849d6cbac89978a282d29786b9b41a time64.patch
+d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6ae706ee2aec9e005eade3c0fd4a202db60d11f436874a17d7 MAP_SYNC-fix.patch
+0ea3745c45507c00c3c036241992d594b5f7e9aa1f0fa9b425dd222390066e1ea2d0aa4923bde0e7f27b7cc2f759a122ae4b600c2fa682a5aad509e7d03ccad9 CVE-2020-1711.patch
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules
diff --git a/user/qemu/CVE-2020-1711.patch b/user/qemu/CVE-2020-1711.patch
new file mode 100644
index 000000000..c57b5c984
--- /dev/null
+++ b/user/qemu/CVE-2020-1711.patch
@@ -0,0 +1,61 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3f13..cbd57294ab 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+2.25.1
+
diff --git a/user/qemu/MAP_SYNC-fix.patch b/user/qemu/MAP_SYNC-fix.patch
new file mode 100644
index 000000000..e13609d73
--- /dev/null
+++ b/user/qemu/MAP_SYNC-fix.patch
@@ -0,0 +1,22 @@
+diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c
+index f7f177d..7598960 100644
+--- a/util/mmap-alloc.c
++++ b/util/mmap-alloc.c
+@@ -10,14 +10,16 @@
+ * later. See the COPYING file in the top-level directory.
+ */
+
++#include "qemu/osdep.h"
++
+ #ifdef CONFIG_LINUX
+ #include <linux/mman.h>
++#include <asm-generic/mman.h> /* for ppc64le */
+ #else /* !CONFIG_LINUX */
+ #define MAP_SYNC 0x0
+ #define MAP_SHARED_VALIDATE 0x0
+ #endif /* CONFIG_LINUX */
+
+-#include "qemu/osdep.h"
+ #include "qemu/mmap-alloc.h"
+ #include "qemu/host-utils.h"
+
diff --git a/user/qemu/fix-sockios-header.patch b/user/qemu/fix-sockios-header.patch
deleted file mode 100644
index 1f3cd767c..000000000
--- a/user/qemu/fix-sockios-header.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 43d0562..afa0ac4 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -59,6 +59,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base,
- #include <linux/icmp.h>
- #include <linux/icmpv6.h>
- #include <linux/errqueue.h>
-+#include <linux/sockios.h>
- #include <linux/random.h>
- #include "qemu-common.h"
- #ifdef CONFIG_TIMERFD
- #include <sys/timerfd.h>