From 2f80d753ffc63c18c5182fc929b4baf09bb09d51 Mon Sep 17 00:00:00 2001
From: Jan Palus
Date: Sat, 4 May 2019 14:57:25 +0200
Subject: [PATCH] up to 4.0.0

---
 CVE-2015-3456.patch | 84 ---------------------------------------------
 qemu.spec | 16 +++++----
 x32.patch | 22 ++++--------
 3 files changed, 15 insertions(+), 107 deletions(-)
 delete mode 100644 CVE-2015-3456.patch

diff --git a/CVE-2015-3456.patch b/CVE-2015-3456.patch
deleted file mode 100644
index 50c19d9..0000000
--- a/CVE-2015-3456.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
-From: Petr Matousek
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek
-Reviewed-by: John Snow
-Signed-off-by: John Snow
----
- hw/block/fdc.c | 17 +++++++++++------
- 1 files changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
- FDrive *cur_drv;
- uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-
- cur_drv = get_cur_drv(fdctrl);
- fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- return 0;
- }
- pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
- if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
- if (pos == 0) {
- if (fdctrl->data_pos != 0)
- if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
- FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
- /* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
- fdctrl->fifo[0] = fdctrl->fifo[1];
- fdctrl->fifo[2] = 0;
- fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
- FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-
- /* Reset mode */
- if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- }
-
- FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
- if (fdctrl->data_pos == fdctrl->data_len) {
- /* We now have all parameters
- * and will be able to treat the command
---
-1.7.0.4
-
diff --git a/qemu.spec b/qemu.spec
index 98eb35a..0949156 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -34,12 +34,12 @@ Summary: QEMU CPU Emulator
 Summary(pl.UTF-8): QEMU - emulator procesora
 Name: qemu
-Version: 3.1.0
+Version: 4.0.0
 Release: 1
 License: GPL v2
 Group: Applications/Emulators
 Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.xz
-# Source0-md5: fb687ce0b02d3bf4327e36d3b99427a8
+# Source0-md5: 0afeca336fd57ae3d3086ec07f59d708
 Source2: %{name}.binfmt
 # Loads kvm kernel modules at boot
 Source3: kvm-modules-load.conf
@@ -60,7 +60,6 @@ Patch2: %{name}-user-execve.patch
 Patch3: %{name}-xattr.patch
 Patch4: libjpeg-boolean.patch
 Patch5: x32.patch
-Patch6: %{name}-CVE-2018-20815.patch
 URL: http://www.qemu-project.org/
 %{?with_gl:BuildRequires: OpenGL-GLX-devel}
 %{?with_gl:BuildRequires: OpenGL-devel}
@@ -829,7 +828,6 @@ Moduł QEMU dla urządeń blokowych typu 'ssh'.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-%patch6 -p1

 # workaround for conflict with alsa/error.h
 ln -s ../error.h qapi/error.h
@@ -880,7 +878,6 @@ build dynamic \
 %{__enable_disable ceph rbd} \
 %{__enable_disable rdma} \
 %{__enable_disable sdl} \
-	--with-sdlabi=2.0 \
 %{__enable_disable seccomp} \
 %{__enable_disable spice} \
 %{__enable_disable smartcard smartcard} \
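Review bot: The @@ -60 and @@ -829 hunks drop `Patch6: %{name}-CVE-2018-20815.patch` and its `%patch6 -p1` without recording why a security backport is being removed; presumably 4.0.0 already carries the upstream fix for CVE-2018-20815, but the commit says only "up to 4.0.0", so the next maintainer cannot tell a deliberate drop from an accidental one. A one-line note in the spec changelog (or in the commit message) citing the upstream commit that supersedes the backport would make this verifiable, e.g. `- dropped CVE-2018-20815 patch, fixed upstream in 4.0.0`. Note also that the diffstat deletes only CVE-2015-3456.patch, so the now-unreferenced `qemu-CVE-2018-20815.patch` file appears to remain in the tree; if it does, removing it in the same commit avoids an orphaned CVE patch that looks applied but is not.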
@@ -1054,6 +1051,8 @@ done
 : > qemu.lang
 %endif

+%{__rm} -r $RPM_BUILD_ROOT%{_docdir}/qemu
+
 %clean
 rm -rf $RPM_BUILD_ROOT
@@ -1118,9 +1117,11 @@ fi
 %attr(640,root,qemu) %config(noreplace) %verify(not md5 mtime size) /etc/qemu/bridge.conf
 %{systemdunitdir}/ksm.service
 %{systemdunitdir}/ksmtuned.service
+%attr(755,root,root) %{_bindir}/elf2dmp
 %attr(755,root,root) %{_bindir}/ivshmem-client
 %attr(755,root,root) %{_bindir}/ivshmem-server
 %attr(755,root,root) %{_bindir}/virtfs-proxy-helper
+%attr(755,root,root) %{_bindir}/qemu-edid
 %{?with_xkbcommon:%attr(755,root,root) %{_bindir}/qemu-keymap}
 %attr(755,root,root) %{_bindir}/qemu-nbd
 %attr(755,root,root) %{_bindir}/qemu-pr-helper
@@ -1130,12 +1131,12 @@ fi
 %attr(755,root,root) %{_sbindir}/ksmtuned
 %{_mandir}/man1/qemu.1*
 %{_mandir}/man1/virtfs-proxy-helper.1*
+%{_mandir}/man7/qemu-cpu-models.7*
 %{_mandir}/man7/qemu-block-drivers.7*
 %{_mandir}/man8/qemu-nbd.8*
 %dir %{_datadir}/qemu
 %{_datadir}/%{name}/keymaps
-%{_datadir}/%{name}/qemu-icon.bmp
 %{_datadir}/%{name}/trace-events-all

 # various bios images
@@ -1159,6 +1160,7 @@ fi
 %{_datadir}/%{name}/petalogix-ml605.dtb
 %{_datadir}/%{name}/petalogix-s3adsp1800.dtb
 %{_datadir}/%{name}/ppc_rom.bin
+%{_datadir}/%{name}/pvh.bin
 %{_datadir}/%{name}/pxe-e1000.rom
 %{_datadir}/%{name}/pxe-eepro100.rom
 %{_datadir}/%{name}/pxe-ne2k_pci.rom
@@ -1166,7 +1168,6 @@ fi
 %{_datadir}/%{name}/pxe-rtl8139.rom
 %{_datadir}/%{name}/pxe-virtio.rom
 %{_datadir}/%{name}/QEMU,cgthree.bin
-%{_datadir}/%{name}/qemu_logo_no_text.svg
 %{_datadir}/%{name}/QEMU,tcx.bin
 %{_datadir}/%{name}/s390-ccw.img
 %{_datadir}/%{name}/sgabios.bin
@@ -1396,6 +1397,7 @@ fi
 %config(noreplace) %verify(not md5 mtime size) /etc/udev/rules.d/99-qemu-guest-agent.rules
 %{systemdunitdir}/qemu-guest-agent.service
 %attr(755,root,root) %{_bindir}/qemu-ga
+%{_mandir}/man7/qemu-ga-ref.7*
 %{_mandir}/man8/qemu-ga.8*

 %files module-block-curl
diff --git a/x32.patch b/x32.patch
index 250576c..e135219 100644
--- a/x32.patch
+++ b/x32.patch
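Review bot: The new `%{__rm} -r $RPM_BUILD_ROOT%{_docdir}/qemu` in the @@ -1054 hunk deletes a whole installed directory with no comment saying why, while the spec's other workarounds are annotated (`# workaround for conflict with alsa/error.h`). I cannot tell from the diff whether 4.0.0's install target started populating `%{_docdir}/qemu` and those files are packaged from elsewhere or intentionally not shipped. Suggest a why-comment above the line, e.g. `# 4.0.0 installs docs into %{_docdir}/qemu; drop that copy here (TODO: confirm they are not needed in %files)`, so a later reviewer can re-check the choice instead of guessing.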
@@ -9,25 +9,15 @@
 ;;
 arm|aarch64)
 libseccomp_minver="2.2.3"
-@@ -2932,7 +2932,7 @@
- ##########################################
- # TPM passthrough is only on x86 Linux
-
--if test "$targetos" = Linux && test "$cpu" = i386 -o "$cpu" = x86_64; then
-+if test "$targetos" = Linux && test "$cpu" = i386 -o "$cpu" = x86_64 -o "$cpu" = x32; then
- tpm_passthrough=$tpm
- else
- tpm_passthrough=no
-@@ -4161,7 +4161,7 @@
+@@ -6148,7 +6148,7 @@
 # Mac OS X ships with a broken assembler
 roms=
--if test \( "$cpu" = "i386" -o "$cpu" = "x86_64" \) -a \
-+if test \( "$cpu" = "i386" -o "$cpu" = "x86_64" -o "$cpu" = "x32" \) -a \
- "$targetos" != "Darwin" -a "$targetos" != "SunOS" -a \
- "$softmmu" = yes ; then
- roms="optionrom"
-
+-if { test "$cpu" = "i386" || test "$cpu" = "x86_64"; } && \
++if { test "$cpu" = "i386" || test "$cpu" = "x86_64" || test "$cpu" = "x32"; } && \
+ test "$targetos" != "Darwin" && test "$targetos" != "SunOS" && \
+ test "$softmmu" = yes ; then
+ # Different host OS linkers have different ideas about the name of the ELF
--- qemu-2.6.0/include/qemu/atomic.h~ 2016-07-17 18:37:57.000000000 +0200
+++ qemu-2.6.0/include/qemu/atomic.h 2016-07-17 18:38:33.485893530 +0200
@@ -20,7 +20,7 @@
--
2.44.0