diff options
Diffstat (limited to 'user/qemu')
-rw-r--r-- | user/qemu/APKBUILD | 115 | ||||
-rw-r--r-- | user/qemu/CVE-2020-11102.patch | 144 | ||||
-rw-r--r-- | user/qemu/CVE-2020-1711.patch | 61 | ||||
-rw-r--r-- | user/qemu/MAP_SYNC-fix.patch | 22 | ||||
-rw-r--r-- | user/qemu/fix-sockios-header.patch | 13 |
5 files changed, 308 insertions, 47 deletions
diff --git a/user/qemu/APKBUILD b/user/qemu/APKBUILD index e64bb2510..bc3744541 100644 --- a/user/qemu/APKBUILD +++ b/user/qemu/APKBUILD @@ -2,10 +2,11 @@ # Contributor: Valery Kartel <valery.kartel@gmail.com> # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Contributor: Natanael Copa <ncopa@alpinelinux.org> +# Contributor: Max Rees <maxcrees@me.com> # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=qemu -pkgver=3.0.0 -pkgrel=5 +pkgver=4.2.0 +pkgrel=1 pkgdesc="Machine emulator and virtualisation software" url="https://www.qemu.org/" arch="all" @@ -27,13 +28,14 @@ makedepends=" libjpeg-turbo-dev libnfs-dev libpng-dev - libssh2-dev + libslirp-dev libusb-dev libx11-dev libxml2-dev linux-headers lzo-dev ncurses-dev + py3-sphinx python3 snappy-dev spice-dev @@ -109,7 +111,6 @@ _system_subsystems=" system-or1k system-ppc system-ppc64 - system-ppcemb system-riscv32 system-riscv64 system-s390x @@ -151,13 +152,15 @@ source="https://download.qemu.org/$pkgname-$pkgver.tar.xz ncurses.patch ignore-signals-33-and-64-to-allow-golang-emulation.patch 0001-linux-user-fix-build-with-musl-on-ppc64le.patch - fix-sockios-header.patch test-crypto-ivgen-skip-essiv.patch ppc32-musl-support.patch signal-fixes.patch sysinfo-header.patch fix-lm32-underlinking.patch time64.patch + MAP_SYNC-fix.patch + CVE-2020-1711.patch + CVE-2020-11102.patch $pkgname-guest-agent.confd $pkgname-guest-agent.initd @@ -168,31 +171,68 @@ builddir="$srcdir/$pkgname-$pkgver" # secfixes: # 2.8.1-r1: -# - CVE-2016-7994 -# - CVE-2016-7995 -# - CVE-2016-8576 -# - CVE-2016-8577 -# - CVE-2016-8578 -# - CVE-2016-8668 -# - CVE-2016-8909 -# - CVE-2016-8910 -# - CVE-2016-9101 -# - CVE-2016-9102 -# - CVE-2016-9103 -# - CVE-2016-9104 -# - CVE-2016-9105 -# - CVE-2016-9106 -# - CVE-2017-2615 -# - CVE-2017-2620 -# - CVE-2017-5525 -# - CVE-2017-5552 -# - CVE-2017-5578 -# - CVE-2017-5579 -# - CVE-2017-5667 -# - CVE-2017-5856 -# - CVE-2017-5857 -# - CVE-2017-5898 -# - CVE-2017-5931 +# - CVE-2016-7994 +# - CVE-2016-7995 +# - CVE-2016-8576 +# - CVE-2016-8577 +# - CVE-2016-8578 +# - CVE-2016-8668 +# - CVE-2016-8909 +# - CVE-2016-8910 +# - CVE-2016-9101 +# - CVE-2016-9102 +# - CVE-2016-9103 +# - CVE-2016-9104 +# - CVE-2016-9105 +# - CVE-2016-9106 +# - CVE-2017-2615 +# - CVE-2017-2620 +# - CVE-2017-5525 +# - CVE-2017-5552 +# - CVE-2017-5578 +# - CVE-2017-5579 +# - CVE-2017-5667 +# - CVE-2017-5856 +# - CVE-2017-5857 +# - CVE-2017-5898 +# - CVE-2017-5931 +# 4.2.0-r0: +# - CVE-2018-10839 +# - CVE-2018-16847 +# - CVE-2018-16867 +# - CVE-2018-16872 +# - CVE-2018-17958 +# - CVE-2018-17962 +# - CVE-2018-17963 +# - CVE-2018-18849 +# - CVE-2018-18954 +# - CVE-2018-19364 +# - CVE-2018-19489 +# - CVE-2018-20123 +# - CVE-2018-20124 +# - CVE-2018-20125 +# - CVE-2018-20126 +# - CVE-2018-20191 +# - CVE-2018-20216 +# - CVE-2018-20815 +# - CVE-2019-3812 +# - CVE-2019-5008 +# - CVE-2019-6501 +# - CVE-2019-6778 +# - CVE-2019-8934 +# - CVE-2019-9824 +# - CVE-2019-12068 +# - CVE-2019-12155 +# - CVE-2019-13164 +# - CVE-2019-14378 +# - CVE-2019-15034 +# - CVE-2019-15890 +# - CVE-2019-20382 +# - CVE-2020-1711 +# - CVE-2020-7039 +# - CVE-2020-8608 +# 4.2.0-r1: +# - CVE-2020-11102 prepare() { default_prepare # apply patches @@ -218,6 +258,7 @@ _compile_common() { --disable-gcrypt \ --cc="${CC:-gcc}" \ --python="/usr/bin/python3" \ + --enable-slirp=system \ "$@" make ARFLAGS="rc" } @@ -233,7 +274,6 @@ _compile_system() { --enable-cap-ng \ --enable-linux-aio \ --enable-usb-redir \ - --enable-libssh2 \ --enable-vhost-net \ --enable-snappy \ --enable-tpm \ @@ -248,16 +288,19 @@ _compile_system() { build() { local systems + mkdir -p "$builddir"/build \ "$builddir"/build-user \ "$builddir"/build-gtk + msg "Building -user..." cd "$builddir"/build-user _compile_common \ --enable-linux-user \ --disable-system \ --static + msg "Building -system..." cd "$builddir"/build _compile_system \ --enable-vnc \ @@ -268,10 +311,10 @@ build() { --disable-gtk if [ -n "$_arch" ]; then + msg "Building -gtk..." cd "$builddir"/build-gtk _compile_system \ --enable-gtk \ - --with-gtkabi=3.0 \ --disable-vnc \ --disable-spice \ --disable-guest-agent \ @@ -287,9 +330,11 @@ check() { } package() { + msg "Installing -user..." cd "$builddir"/build-user make DESTDIR="$pkgdir" install + msg "Installing -system..." cd "$builddir"/build make DESTDIR="$pkgdir" install @@ -395,7 +440,7 @@ guest() { "$subpkgdir"/etc/conf.d/$pkgname-guest-agent } -sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000bd28357697b08f3b656899dceb9e459350b8d55557817444ed5d7fa380a5a qemu-3.0.0.tar.xz +sha512sums="2a79973c2b07c53e8c57a808ea8add7b6b2cbca96488ed5d4b669ead8c9318907dec2b6109f180fc8ca8f04c0f73a56e82b3a527b5626b799d7e849f2474ec56 qemu-4.2.0.tar.xz 405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd 0001-elfload-load-PIE-executables-to-right-address.patch 1ac043312864309e19f839a699ab2485bca51bbf3d5fdb39f1a87b87e3cbdd8cbda1a56e6b5c9ffccd65a8ac2f600da9ceb8713f4dbba26f245bc52bcd8a1c56 0001-linux-user-fix-build-with-musl-on-aarch64.patch 224f5b44da749921e8a821359478c5238d8b6e24a9c0b4c5738c34e82f3062ec4639d495b8b5883d304af4a0d567e38aa6623aac1aa3a7164a5757c036528ac0 musl-F_SHLCK-and-F_EXLCK.patch @@ -404,13 +449,15 @@ sha512sums="a764302f50b9aca4134bbbc1f361b98e71240cdc7b25600dfe733bf4cf17bd86000b b6ed02aaf95a9bb30a5f107d35371207967edca058f3ca11348b0b629ea7a9c4baa618db68a3df72199eea6d86d14ced74a5a229d17604cc3f0adedcfeae7a73 ncurses.patch fd178f2913639a0c33199b3880cb17536961f2b3ff171c12b27f4be6bca032d6b88fd16302d09c692bb34883346babef5c44407a6804b20a39a465bb2bc85136 ignore-signals-33-and-64-to-allow-golang-emulation.patch d8933df9484158c2b4888254e62117d78f8ed7c18527b249419f39c2b2ab1afa148010884b40661f8965f1ef3105580fceffdfddbb2c9221dc1c62066722ba65 0001-linux-user-fix-build-with-musl-on-ppc64le.patch -39590476a4ebd7c1e79a4f0451b24c75b1817a2a83abaa1f71bb60b225d772152f0af8f3e51ff65645e378c536ffa6ff551dade52884d03a14b7c6a19c5c97d4 fix-sockios-header.patch 8b8db136f78bd26b5da171effa9e11016ec2bc3e2fc8107228b5543b47aa370978ed883794aa4f917f334e284a5b49e82070e1da2d31d49301195b6713a48eff test-crypto-ivgen-skip-essiv.patch fb0130fa4e8771b23ae337ea3e5e29fd5f7dcfe7f9f7a68968f5b059bb4dd1336b0d04c118840d55885bc784a96a99b28aeacbc6a5549b2e6750c9d3099a897c ppc32-musl-support.patch c6436b1cc986788baccd5fe0f9d23c7db9026f6b723260611cf894bd94ee830140a17ee5859efe0dad0ca3bfe9caae1269bc5c9ab4c6e696f35c7857c1b5c86b signal-fixes.patch 698f6b134f4ca87f4de62caf7a656841a40a451b8686ca95928f67a296e58a7493d432d9baa5f6360917865aa4929600baf1699993b0600923a066ca9d45d1da sysinfo-header.patch 2828cc612539aa93b5789de7de6d4f85d3cf82311484c0fe91fdd3efeb972057e2baa2a3809ed633d6caa1785642d49196cb282b095d7553c510c47ce7d6a702 fix-lm32-underlinking.patch 87f659800b78b31731ea1828a27a3762662ef124d10e942f6029b332d5e8cf4487f62a3d742ad59709c2eb9e3ae8af36fa849d6cbac89978a282d29786b9b41a time64.patch +d7de79ea74e36702cac4a59e472564a55f0a663be7e63c3755e32b4b5dfbc04b390ee79f09f43f6ae706ee2aec9e005eade3c0fd4a202db60d11f436874a17d7 MAP_SYNC-fix.patch +0ea3745c45507c00c3c036241992d594b5f7e9aa1f0fa9b425dd222390066e1ea2d0aa4923bde0e7f27b7cc2f759a122ae4b600c2fa682a5aad509e7d03ccad9 CVE-2020-1711.patch +5d9e7e065c6716024eab4984331071f42dcd5363c5456023f81a3ef0329ae578348d0f875868f85c9e1fee5e435d86e2eb7e342a957c36cd099cb5d5d9f3a78d CVE-2020-11102.patch d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd 1cd24c2444c5935a763c501af2b0da31635aad9cf62e55416d6477fcec153cddbe7de205d99616def11b085e0dd366ba22463d2270f831d884edbc307c7864a6 qemu-guest-agent.initd 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules diff --git a/user/qemu/CVE-2020-11102.patch b/user/qemu/CVE-2020-11102.patch new file mode 100644 index 000000000..c437a7d47 --- /dev/null +++ b/user/qemu/CVE-2020-11102.patch @@ -0,0 +1,144 @@ +From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 24 Mar 2020 22:57:22 +0530 +Subject: [PATCH 1/1] net: tulip: check frame size and r/w data length + +Tulip network driver while copying tx/rx buffers does not check +frame size against r/w data length. This may lead to OOB buffer +access. Add check to avoid it. + +Limit iterations over descriptors to avoid potential infinite +loop issue in tulip_xmit_list_update. + +Reported-by: Li Qiang <pangpei.lq@antfin.com> +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Reported-by: Jason Wang <jasowang@redhat.com> +Tested-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> +--- + hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index cfac271..1295f51 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) + + trace_tulip_receive(buf, size); + +- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { ++ if (size < 14 || size > sizeof(s->rx_frame) - 4 ++ || s->rx_frame_len || tulip_rx_stopped(s)) { + return 0; + } + +@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, + return tulip_receive(qemu_get_nic_opaque(nc), buf, size); + } + +- + static NetClientInfo net_tulip_info = { + .type = NET_CLIENT_DRIVER_NIC, + .size = sizeof(NICState), +@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { + /* Internal or external Loopback */ + tulip_receive(s, s->tx_frame, s->tx_frame_len); +- } else { ++ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { + qemu_send_packet(qemu_get_queue(s->nic), + s->tx_frame, s->tx_frame_len); + } +@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + } + } + +-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) ++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) + { + int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; + int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; + ++ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len1) { + pci_dma_read(&s->dev, desc->buf_addr1, + s->tx_frame + s->tx_frame_len, len1); + s->tx_frame_len += len1; + } + ++ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len2) { + pci_dma_read(&s->dev, desc->buf_addr2, + s->tx_frame + s->tx_frame_len, len2); + s->tx_frame_len += len2; + } + desc->status = (len1 + len2) ? 0 : 0x7fffffff; ++ ++ return 0; + } + + static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) +@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) + + static void tulip_xmit_list_update(TULIPState *s) + { ++#define TULIP_DESC_MAX 128 ++ uint8_t i = 0; + struct tulip_descriptor desc; + + if (tulip_ts(s) != CSR5_TS_SUSPENDED) { + return; + } + +- for (;;) { ++ for (i = 0; i < TULIP_DESC_MAX; i++) { + tulip_desc_read(s, s->current_tx_desc, &desc); + tulip_dump_tx_descriptor(s, &desc); + +@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) + s->tx_frame_len = 0; + } + +- tulip_copy_tx_buffers(s, &desc); +- +- if (desc.control & TDES1_LS) { +- tulip_tx(s, &desc); ++ if (!tulip_copy_tx_buffers(s, &desc)) { ++ if (desc.control & TDES1_LS) { ++ tulip_tx(s, &desc); ++ } + } + } + tulip_desc_write(s, s->current_tx_desc, &desc); +-- +1.8.3.1 + diff --git a/user/qemu/CVE-2020-1711.patch b/user/qemu/CVE-2020-1711.patch new file mode 100644 index 000000000..c57b5c984 --- /dev/null +++ b/user/qemu/CVE-2020-1711.patch @@ -0,0 +1,61 @@ +From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001 +From: Felipe Franciosi <felipe@nutanix.com> +Date: Thu, 23 Jan 2020 12:44:59 +0000 +Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) + +When querying an iSCSI server for the provisioning status of blocks (via +GET LBA STATUS), Qemu only validates that the response descriptor zero's +LBA matches the one requested. Given the SCSI spec allows servers to +respond with the status of blocks beyond the end of the LUN, Qemu may +have its heap corrupted by clearing/setting too many bits at the end of +its allocmap for the LUN. + +A malicious guest in control of the iSCSI server could carefully program +Qemu's heap (by selectively setting the bitmap) and then smash it. + +This limits the number of bits that iscsi_co_block_status() will try to +update in the allocmap so it can't overflow the bitmap. + +Fixes: CVE-2020-1711 +Cc: qemu-stable@nongnu.org +Signed-off-by: Felipe Franciosi <felipe@nutanix.com> +Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com> +Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com> +Signed-off-by: Kevin Wolf <kwolf@redhat.com> +--- + block/iscsi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/iscsi.c b/block/iscsi.c +index 2aea7e3f13..cbd57294ab 100644 +--- a/block/iscsi.c ++++ b/block/iscsi.c +@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, + struct scsi_get_lba_status *lbas = NULL; + struct scsi_lba_status_descriptor *lbasd = NULL; + struct IscsiTask iTask; +- uint64_t lba; ++ uint64_t lba, max_bytes; + int ret; + + iscsi_co_init_iscsitask(iscsilun, &iTask); +@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, + } + + lba = offset / iscsilun->block_size; ++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size; + + qemu_mutex_lock(&iscsilun->mutex); + retry: +@@ -764,7 +765,7 @@ retry: + goto out_unlock; + } + +- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; ++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes); + + if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || + lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) { +-- +2.25.1 + diff --git a/user/qemu/MAP_SYNC-fix.patch b/user/qemu/MAP_SYNC-fix.patch new file mode 100644 index 000000000..e13609d73 --- /dev/null +++ b/user/qemu/MAP_SYNC-fix.patch @@ -0,0 +1,22 @@ +diff --git a/util/mmap-alloc.c b/util/mmap-alloc.c +index f7f177d..7598960 100644 +--- a/util/mmap-alloc.c ++++ b/util/mmap-alloc.c +@@ -10,14 +10,16 @@ + * later. See the COPYING file in the top-level directory. + */ + ++#include "qemu/osdep.h" ++ + #ifdef CONFIG_LINUX + #include <linux/mman.h> ++#include <asm-generic/mman.h> /* for ppc64le */ + #else /* !CONFIG_LINUX */ + #define MAP_SYNC 0x0 + #define MAP_SHARED_VALIDATE 0x0 + #endif /* CONFIG_LINUX */ + +-#include "qemu/osdep.h" + #include "qemu/mmap-alloc.h" + #include "qemu/host-utils.h" + diff --git a/user/qemu/fix-sockios-header.patch b/user/qemu/fix-sockios-header.patch deleted file mode 100644 index 1f3cd767c..000000000 --- a/user/qemu/fix-sockios-header.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 43d0562..afa0ac4 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -59,6 +59,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base, - #include <linux/icmp.h> - #include <linux/icmpv6.h> - #include <linux/errqueue.h> -+#include <linux/sockios.h> - #include <linux/random.h> - #include "qemu-common.h" - #ifdef CONFIG_TIMERFD - #include <sys/timerfd.h> |