Package: qemu / 1:2.8+dfsg-6+deb9u7

Metadata

Package: qemu
Version: 1:2.8+dfsg-6+deb9u7
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
02_kfreebsd.patch | (download)

configure | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

---
use fixed data path.patch | (download)

os-posix.c | 2 2 + 0 - 0 !
vl.c | 8 0 + 8 - 0 !
2 files changed, 2 insertions(+), 8 deletions(-)

 use fixed data dir instead of determining it at runtime
use data path.patch | (download)

vl.c | 15 11 + 4 - 0 !
1 file changed, 11 insertions(+), 4 deletions(-)

 use data path to search data files, not just a single directory
v2.8.1.diff | (download)

VERSION | 2 1 + 1 - 0 !
block/iscsi.c | 8 6 + 2 - 0 !
block/nfs.c | 49 25 + 24 - 0 !
block/vmdk.c | 4 2 + 2 - 0 !
cpu-exec.c | 9 5 + 4 - 0 !
exec.c | 1 1 + 0 - 0 !
hmp.c | 6 2 + 4 - 0 !
hw/9pfs/9p-local.c | 1027 561 + 466 - 0 !
hw/9pfs/9p-local.h | 20 20 + 0 - 0 !
hw/9pfs/9p-posix-acl.c | 44 8 + 36 - 0 !
hw/9pfs/9p-util.c | 69 69 + 0 - 0 !
hw/9pfs/9p-util.h | 60 60 + 0 - 0 !
hw/9pfs/9p-xattr-user.c | 24 3 + 21 - 0 !
hw/9pfs/9p-xattr.c | 166 160 + 6 - 0 !
hw/9pfs/9p-xattr.h | 87 21 + 66 - 0 !
hw/9pfs/9p.c | 16 10 + 6 - 0 !
hw/9pfs/Makefile.objs | 2 1 + 1 - 0 !
hw/core/machine.c | 39 36 + 3 - 0 !
hw/display/cirrus_vga.c | 154 111 + 43 - 0 !
hw/display/cirrus_vga_rop.h | 191 115 + 76 - 0 !
hw/display/cirrus_vga_rop2.h | 125 64 + 61 - 0 !
hw/i386/pc.c | 4 3 + 1 - 0 !
hw/ide/ahci.c | 2 1 + 1 - 0 !
hw/intc/apic_common.c | 2 2 + 0 - 0 !
hw/intc/ioapic.c | 5 5 + 0 - 0 !
hw/net/e1000e.c | 2 1 + 1 - 0 !
hw/net/net_rx_pkt.c | 37 19 + 18 - 0 !
hw/pci/pci.c | 4 2 + 2 - 0 !
hw/ppc/spapr_ovec.c | 2 1 + 1 - 0 !
hw/s390x/css.c | 15 15 + 0 - 0 !
hw/s390x/s390-virtio.c | 2 1 + 1 - 0 !
hw/scsi/mptsas.c | 6 3 + 3 - 0 !
hw/scsi/scsi-disk.c | 2 1 + 1 - 0 !
hw/sd/sdhci.c | 2 1 + 1 - 0 !
hw/virtio/trace-events | 2 2 + 0 - 0 !
hw/virtio/virtio-balloon.c | 7 6 + 1 - 0 !
hw/virtio/virtio-crypto.c | 4 2 + 2 - 0 !
hw/virtio/virtio-pci.c | 4 4 + 0 - 0 !
hw/virtio/virtio.c | 51 30 + 21 - 0 !
include/exec/exec-all.h | 1 1 + 0 - 0 !
include/net/eth.h | 4 2 + 2 - 0 !
include/qom/object_interfaces.h | 17 0 + 17 - 0 !
include/ui/console.h | 7 0 + 7 - 0 !
include/ui/gtk.h | 4 4 + 0 - 0 !
linux-user/host/s390x/safe-syscall.inc.S | 2 1 + 1 - 0 !
linux-user/main.c | 5 4 + 1 - 0 !
nbd/client.c | 2 1 + 1 - 0 !
net/eth.c | 25 14 + 11 - 0 !
qapi/opts-visitor.c | 2 1 + 1 - 0 !
qemu-char.c | 15 10 + 5 - 0 !
qga/commands-posix.c | 5 4 + 1 - 0 !
qom/object_interfaces.c | 75 21 + 54 - 0 !
target-arm/translate-a64.c | 7 4 + 3 - 0 !
target-i386/cpu.h | 5 3 + 2 - 0 !
target-i386/excp_helper.c | 11 6 + 5 - 0 !
target-i386/helper.h | 1 0 + 1 - 0 !
target-i386/misc_helper.c | 24 12 + 12 - 0 !
target-i386/seg_helper.c | 6 3 + 3 - 0 !
target-i386/svm_helper.c | 65 31 + 34 - 0 !
target-s390x/cpu_models.c | 2 0 + 2 - 0 !
target-s390x/kvm.c | 2 1 + 1 - 0 !
target-sparc/translate.c | 27 25 + 2 - 0 !
tcg/aarch64/tcg-target.inc.c | 66 33 + 33 - 0 !
tests/test-opts-visitor.c | 21 21 + 0 - 0 !
thread-pool.c | 7 7 + 0 - 0 !
ui/console.c | 28 0 + 28 - 0 !
ui/gtk.c | 13 12 + 1 - 0 !
ui/vnc.c | 111 8 + 103 - 0 !
util/qemu-thread-posix.c | 12 6 + 6 - 0 !
69 files changed, 1615 insertions(+), 1213 deletions(-)

 upstream changes between 2.8.0 and 2.8.1, stable/bugfix release
doc don t mention memory it is m.patch | (download)

qemu-options.hx | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 doc: don't mention -memory, it is -m
Bug-Debian: https://bugs.debian.org/833619

Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

xhci fix event queue IRQ handling.patch | (download)

hw/usb/hcd-xhci.c | 13 13 + 0 - 0 !
1 file changed, 13 insertions(+)

 [PATCH] xhci: fix event queue IRQ handling
Commit-Id: 7da76e12cc5cc902dda4c168d8d608fd4e61cbc5

The qemu xhci emulation doesn't handle the ERDP_EHB flag correctly.

When the host adapter queues a new event the ERDP_EHB flag is set.  The
flag is cleared (via w1c) by the guest when it updates the ERDP (event
ring dequeue pointer) register to notify the host adapter which events
it has fetched.

An IRQ must be raised in case the ERDP_EHB flag flips from clear to set.
If the flag is set already (which implies there are events queued up
which are not yet processed by the guest) xhci must *not* raise a IRQ.

Qemu got that wrong and raised an IRQ on every event, thereby generating
spurious interrupts in case we've queued events faster than the guest
processed them.  This patch fixes that.

With that change in place we also have to check ERDP updates, to see
whenever the guest has fetched all queued events.  In case there are
still pending events set ERDP_EHB and raise an IRQ again, to make sure
the events don't linger unseen forever.

The linux kernel driver and the microsoft windows driver (shipped with
win8+) can deal with the spurious interrupts without problems.  The
renesas windows driver (v2.1.39) which can be used on older windows
versions is quite upset though.  It does spurious ERDP updates now and
then (not every time, seems we must hit a race window for this to
happen), which in turn makes the qemu xhci emulation think the event
ring is full.  Things go south from here ...

tl;dr: This is the "fix xhci on win7" patch.

Cc: M.Cerveny@computer.org
Cc: 1373228@bugs.launchpad.net
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1486104705-13761-1-git-send-email-kraxel@redhat.com
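The edge-triggered EHB logic the message describes, as an added example that is not part of the patch or of QEMU: a reduced C model of one xHCI interrupter in which the event ring is an enqueue/dequeue index pair over 16-byte TRBs and "raising an IRQ" is a counter. The ERDP bit layout (EHB at bit 3, write-1-to-clear, dequeue pointer in bits 63:4) follows the xHCI register definition; the struct and function names are the example's own.

```c
/* Added example, not QEMU code: a reduced model of one xHCI interrupter
 * showing when ERDP_EHB must raise an IRQ. The event ring is modelled as
 * an enqueue/dequeue index pair over 16-byte TRBs; IRQs are counted. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define ERDP_EHB       (1ULL << 3)       /* Event Handler Busy, RW1C (xHCI ERDP bit 3) */
#define ERDP_PTR_MASK  (~(uint64_t)0xf)  /* dequeue pointer lives in bits 63:4 */
#define TRB_SIZE       16

struct xhci_intr {
    uint64_t erdp;   /* guest-visible ERDP register, EHB kept in bit 3 */
    uint32_t enq;    /* index of the next event the host will queue */
    uint32_t deq;    /* index the guest acknowledged with its last ERDP write */
    unsigned irqs;   /* number of IRQs asserted so far (stand-in for the IRQ line) */
};

static void raise_irq(struct xhci_intr *ir)
{
    ir->irqs++;
}

static unsigned events_pending(const struct xhci_intr *ir)
{
    return ir->enq - ir->deq;
}

/* Host side: one more event lands on the ring. Only a clear->set edge of
 * EHB raises an IRQ. If EHB is already set, the guest still has unprocessed
 * events and is not interrupted again (the old code raised on every event,
 * which is what produced the spurious interrupts). */
void xhci_queue_event(struct xhci_intr *ir)
{
    ir->enq++;
    if (!(ir->erdp & ERDP_EHB)) {
        ir->erdp |= ERDP_EHB;
        raise_irq(ir);
    }
}

/* Guest side: write to ERDP. The guest stores the new dequeue pointer and
 * writes 1 to EHB to clear it. After the update, if events remain queued
 * that this write did not cover, EHB is set again and a fresh IRQ is raised
 * so those events do not linger unseen. */
void xhci_write_erdp(struct xhci_intr *ir, uint64_t val)
{
    uint64_t ehb = ir->erdp & ERDP_EHB;

    if (val & ERDP_EHB) {         /* write-1-to-clear */
        ehb = 0;
    }
    ir->deq = (uint32_t)((val & ERDP_PTR_MASK) / TRB_SIZE);
    ir->erdp = (val & ERDP_PTR_MASK) | ehb;

    if (events_pending(ir) && !(ir->erdp & ERDP_EHB)) {
        ir->erdp |= ERDP_EHB;
        raise_irq(ir);
    }
}

unsigned xhci_irqs(const struct xhci_intr *ir) { return ir->irqs; }
bool xhci_ehb_set(const struct xhci_intr *ir) { return (ir->erdp & ERDP_EHB) != 0; }
unsigned xhci_pending(const struct xhci_intr *ir) { return events_pending(ir); }

int main(void)
{
    struct xhci_intr ir = {0};

    /* host queues three events faster than the guest services them */
    for (int i = 0; i < 3; i++) {
        xhci_queue_event(&ir);
    }
    printf("after 3 events: irqs=%u pending=%u\n", xhci_irqs(&ir), xhci_pending(&ir));

    /* guest handled two of them and clears EHB: one is still pending */
    xhci_write_erdp(&ir, (2 * TRB_SIZE) | ERDP_EHB);
    printf("after ERDP=2: irqs=%u ehb=%d\n", xhci_irqs(&ir), xhci_ehb_set(&ir));

    /* guest drains the ring: no new IRQ, EHB stays clear */
    xhci_write_erdp(&ir, (3 * TRB_SIZE) | ERDP_EHB);
    printf("after ERDP=3: irqs=%u ehb=%d\n", xhci_irqs(&ir), xhci_ehb_set(&ir));
    return 0;
}
```

Three events queued back to back produce one IRQ, not three; the guest's ERDP write that leaves one event unconsumed gets a second IRQ, and the write that drains the ring gets none. A model without the edge check would have reported three IRQs for the first burst.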

xhci only free completed transfers.patch | (download)

hw/usb/hcd-xhci.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 xhci: only free completed transfers
Commit-Id: f94d18d6c6df388fde196d3ab252f57e33843a8b
Bug-Debian: http://bugs.debian.org/855659

Most callsites check already, one was missed.

Cc: 1653384@bugs.launchpad.net
Fixes: 94b037f2a451b3dc855f9f2c346e5049a361bd55
Reported-by: Fabian Lesniak <fabian@lesniak-it.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485790607-31399-2-git-send-email-kraxel@redhat.com

char drop data written to a disconnected pty.patch | (download)

qemu-char.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 char: drop data written to a disconnected pty
Commit-Id: 1c64fdbc8177058802df205f5d7cd65edafa59a8

When a serial port writes data to a pty that's disconnected, drop the
data and return the length dropped. This avoids triggering pointless
retries in callers like the 16550A serial_xmit(), and causes
qemu_chr_fe_write() to write all data to the log file, rather than
logging only while a pty client like virsh console happens to be
connected.

Signed-off-by: Ed Swierk <eswierk@skyportsystems.com>
Message-Id: <1485870329-79428-1-git-send-email-eswierk@skyportsystems.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

linux user fix apt get update on linux user hppa.patch | (download)

linux-user/syscall.c | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 linux-user: fix "apt-get update" on linux-user hppa
Commit-Id: 40493c5f2b0f124c9b2581e539bba14522e51269
Bug-Debian: http://bugs.debian.org/846084

apt-get was hanging on linux-user hppa.

strace has shown the netlink data stream was not correctly byte swapped.

It appears the fd translator function is unregistered just after it
has been registered, so the translator function is not called.

This patch removes the fd_trans_unregister() after the do_socket()
in the TARGET_NR_socket case.

This fd_trans_unregister() was added by commit
    e36800c linux-user: add signalfd/signalfd4 syscalls
when do_socket() was not registering any fd translator.
And as now it is, we must remove this fd_trans_unregister() to keep them.

Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
Message-Id: <20170126080449.28255-3-laurent@vivier.eu>
Signed-off-by: Richard Henderson <rth@twiddle.net>

slirp make RA build more flexible.patch | (download)

slirp/ip6_icmp.c | 24 9 + 15 - 0 !
1 file changed, 9 insertions(+), 15 deletions(-)

 slirp: make RA build more flexible
Commit-Id: e42f869b5118fa9ac64dcea624276204567fc581
Bug-Debian: http://bugs.debian.org/844566

Do not hardcode the RA size at all, use a pl_size variable which
accounts the accumulated size, and fill rip->ip_pl at the end.

This will allow to make some blocks optional.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
slirp send RDNSS in RA only if host has an IPv6 DNS.patch | (download)

slirp/ip6_icmp.c | 25 14 + 11 - 0 !
1 file changed, 14 insertions(+), 11 deletions(-)

 slirp: send RDNSS in RA only if host has an IPv6 DNS server
Commit-Id: a2f80fdfc683019901cdf4c0863a5920c0ca7245
Bug-Debian: http://bugs.debian.org/844566

Previously we would always send an RDNSS option in the RA, making the guest
try to resolve DNS through IPv6, even if the host does not actually have
an IPv6 DNS server available.

This makes the RDNSS option enabled only when an IPv6 DNS server is
available.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
audio ac97 add exit function CVE 2017 5525.patch | (download)

hw/audio/ac97.c | 11 11 + 0 - 0 !
1 file changed, 11 insertions(+)

 audio: ac97: add exit function
Commit-Id: 12351a91da97b414eec8cdb09f1d9f41e535a401
Bug-Debian: https://bugs.debian.org/852021

Currently the ac97 device emulation doesn't have an exit function;
hot-unplugging this device will leak some memory. Add an exit function to
avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
audio es1370 add exit function CVE 2017 5526.patch | (download)

hw/audio/es1370.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 audio: es1370: add exit function
Commit-Id: 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
Bug-Debian: https://bugs.debian.org/851910

Currently the es1370 device emulation doesn't have an exit function;
hot-unplugging this device will leak some memory. Add an exit function to
avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
watchdog 6300esb add exit function CVE 2016 10155.patch | (download)

hw/watchdog/wdt_i6300esb.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 watchdog: 6300esb: add exit function
Commit-Id: eb7a20a3616085d46aa6b4b4224e15587ec67e6e
Bug-Debian: https://bugs.debian.org/852232

When the Intel 6300ESB watchdog is hot-unplugged, the timer allocated
in realize isn't freed, thus leaking memory. This patch avoids
this by adding the exit function.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

serial fix memory leak in serial exit CVE 2017 5579.patch | (download)

hw/char/serial.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 serial: fix memory leak in serial exit
Commit-Id: 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
Bug-Debian: https://bugs.debian.org/853002

The serial_exit_core function doesn't free some resources.
This can lead to a memory leak when hotplugging and unplugging. This
patch avoids this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

sd sdhci check transfer mode register in multi block CVE 2017 5987.patch | (download)

hw/sd/sdhci.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 sd: sdhci: check transfer mode register in multi block transfer
Bug-Debian: http://bugs.debian.org/855159

In the SDHCI protocol, the transfer mode register value
is used during multi block transfer to check if block count
register is enabled and should be updated. Transfer mode
register could be set such that, block count register would
not be updated, thus leading to an infinite loop. Add check
to avoid it.

Reported-by: Wjjzhang <wjjzhang@tencent.com>
Reported-by: Jiang Xin <jiangxin1@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170214185225.7994-3-ppandit@redhat.com
megasas fix guest triggered memory leak CVE 2017 5856.patch | (download)

hw/scsi/megasas.c | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 megasas: fix guest-triggered memory leak
Commit-Id: 765a707000e838c30b18d712fe6cb3dd8e0435f3
Bug-Debian: http://bugs.debian.org/853996

If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
Avoid this by returning only the status from map_dcmd, and loading
cmd->iov_size in the caller.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

usb ccid check ccid apdu length CVE 2017 5898.patch | (download)

hw/usb/dev-smartcard-reader.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 usb: ccid: check ccid apdu length
Commit-Id: c7dfbf322595ded4e70b626bf83158a9f3807c6a
Bug-Debian: http://bugs.debian.org/854729

CCID device emulator uses Application Protocol Data Units(APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170202192228.10847-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

xhci apply limits to loops CVE 2017 5973.patch | (download)

hw/usb/hcd-xhci.c | 15 14 + 1 - 0 !
hw/usb/trace-events | 1 1 + 0 - 0 !
2 files changed, 15 insertions(+), 1 deletion(-)

 xhci: apply limits to loops
Commit-Id: f89b60f6e5fee3923bedf80e82b4e5efc1bb156b
Bug-Debian: http://bugs.debian.org/855611

Limits should be big enough that a normal guest should not hit them.
Add a tracepoint to log them, just in case.  Also, while being
at it, log the existing link trb limit too.

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1486383669-6421-1-git-send-email-kraxel@redhat.com

net imx limit buffer descriptor count CVE 2016 7907.patch | (download)

hw/net/imx_fec.c | 10 6 + 4 - 0 !
1 file changed, 6 insertions(+), 4 deletions(-)

 net: imx: limit buffer descriptor count
Commit-Id: 81f17e0d435c3db3a3e67e0d32ebf9c98973211f
Bug-Debian: http://bugs.debian.org/839986

i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/from receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to the number of buffer descriptors.

Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>

virtio gpu fix resource leak in virgl_cmd_resource CVE 2017 5857.patch | (download)

hw/display/virtio-gpu-3d.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 virtio-gpu: fix resource leak in virgl_cmd_resource_unref
Commit-Id: 5e8e3c4c75c199aa1017db816fca02be2a9f8798
Bug-Debian: http://bugs.debian.org/853996

When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
we'll leak memory.

This patch fixes it for 3d mode, similar to the 2d mode fix in commit
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com

usb ohci limit the number of link eds CVE 2017 6505.patch | (download)

hw/usb/hcd-ohci.c | 9 8 + 1 - 0 !
1 file changed, 8 insertions(+), 1 deletion(-)

 usb: ohci: limit the number of link eds
Commit-Id: 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb
Patch-Debian: http://bugs.debian.org/856969

The guest may build an infinite loop with link EDs. This patch
limits the number of linked EDs to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

dma rc4030 limit interval timer reload value CVE 2016 8667.patch | (download)

hw/dma/rc4030.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 dma: rc4030: limit interval timer reload value
Commit-Id: c0a3172fa6bbddcc73192f2a2c48d0bf3a7ba61c
Bug-Debian: http://bugs.debian.org/840950

The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.

Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>

9pfs fix file descriptor leak CVE 2017 7377.patch | (download)

hw/9pfs/9p.c | 8 8 + 0 - 0 !
1 file changed, 8 insertions(+)

 9pfs: fix file descriptor leak (CVE-2017-7377)
Commit-Id: d63fb193e71644a073b77ff5ac6f1216f2f6cf6e
Bug-Debian: http://bugs.debian.org/859854

The v9fs_create() and v9fs_lcreate() functions are used to create a file
on the backend and to associate it to a fid. The fid shouldn't be already
in-use, otherwise both functions may silently leak a file descriptor or
allocated memory. The current code doesn't check that.

This patch ensures that the fid isn't already associated to anything
before using it.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
(reworded the changelog, Greg Kurz)
Signed-off-by: Greg Kurz <groug@kaod.org>

9pfs local set path of export root to dot CVE 2017 7471.patch | (download)

hw/9pfs/9p-local.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 9pfs: local: set the path of the export root to "."
Commit-Id: 9c6b899f7a46893ab3b671e341a2234e9c0c060e
Bug-Debian: http://bugs.debian.org/860785

The local backend was recently converted to using "at*()" syscalls in order
to ensure all accesses happen below the shared directory. This requires that
we only pass relative paths, otherwise the dirfd argument to the "at*()"
syscalls is ignored and the path is treated as an absolute path in the host.
This is actually the case for paths in all fids, with the notable exception
of the root fid, whose path is "/". This causes the following backend ops to
act on the "/" directory of the host instead of the virtfs shared directory
when the export root is involved:
- lstat
- chmod
- chown
- utimensat

i.e., chmod /9p_mount_point in the guest will be converted to chmod / in the
host, for example. This could cause security issues with a privileged QEMU.

All "*at()" syscalls are being passed an open file descriptor. In the case
of the export root, this file descriptor points to the path in the host that
was passed to -fsdev.

The fix is thus as simple as changing the path of the export root fid to be
"." instead of "/".

This is CVE-2017-7471.

Cc: qemu-stable@nongnu.org
Reported-by: Léo Gaspard <leo@gaspard.io>
Signed-off-by: Greg Kurz <groug@kaod.org>
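The syscall behaviour behind the fix, as an added example that is not part of the patch or of QEMU: with the "*at()" family, an absolute path makes the kernel ignore dirfd, so fstatat(export_fd, "/", ...) inspects the host root while fstatat(export_fd, ".", ...) inspects the shared directory. The example stands in for the -fsdev directory with a temporary directory it creates itself; the function names and the /tmp location are the example's own.

```c
/* Added example, not QEMU code: why the export root fid's path had to
 * become "." rather than "/". The *at() family ignores dirfd for an
 * absolute path, so fstatat(export_fd, "/", ...) inspects the host root
 * while fstatat(export_fd, ".", ...) inspects the shared directory. The
 * export directory is a temporary directory created here in place of the
 * one -fsdev would name. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int same_file(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Create the stand-in export directory and open it the way the local
 * backend opens the -fsdev path. Returns the dirfd, or -1. */
static int open_export_dir(char *path, size_t len)
{
    const char *tmpls[] = { "/tmp/virtfs-export-XXXXXX", "./virtfs-export-XXXXXX" };

    for (size_t i = 0; i < 2; i++) {
        snprintf(path, len, "%s", tmpls[i]);
        if (mkdtemp(path)) {
            return open(path, O_RDONLY | O_DIRECTORY);
        }
    }
    return -1;
}

/* Emulate the backend's lstat on the root fid: fstatat(export_fd, fid_path).
 * Returns 1 if the call resolved to the host root (the CVE-2017-7471
 * behaviour), 0 if it stayed on the export directory, -1 on error or if
 * it landed somewhere else entirely. */
int root_fid_resolves_to_host_root(const char *fid_path)
{
    char dir[64];
    struct stat export_st, host_root_st, got;
    int dfd = open_export_dir(dir, sizeof dir);
    int rc = -1;

    if (dfd < 0) {
        return -1;
    }
    if (fstat(dfd, &export_st) == 0 && stat("/", &host_root_st) == 0 &&
        fstatat(dfd, fid_path, &got, AT_SYMLINK_NOFOLLOW) == 0) {
        if (same_file(&got, &host_root_st)) {
            rc = 1;                 /* dirfd was ignored: absolute path */
        } else if (same_file(&got, &export_st)) {
            rc = 0;                 /* resolved relative to the export */
        }
    }
    close(dfd);
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("root fid \"/\" -> host root? %d\n", root_fid_resolves_to_host_root("/"));
    printf("root fid \".\" -> host root? %d\n", root_fid_resolves_to_host_root("."));
    return 0;
}
```

The same dirfd is passed both times; only the path string differs. Any backend that relies on dirfd for confinement has to reject or rewrite absolute paths before they reach the syscall, which is what the one-character change in this patch does for the root fid.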
9pfs xattr fix memory leak in v9fs_list_xattr CVE 2017 8086.patch | (download)

hw/9pfs/9p-xattr.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 9pfs: xattr: fix memory leak in v9fs_list_xattr (CVE-2017-8086)
Commit-Id: 4ffcdef4277a91af15a3c09f7d16af072c29f3f2
Bug-Debian: http://bugs.debian.org/861348

Free 'orig_value' in error path.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Greg Kurz <groug@kaod.org>

9pfs local forbid client access to metadata CVE 2017 7493.patch | (download)

hw/9pfs/9p-local.c | 58 56 + 2 - 0 !
1 file changed, 56 insertions(+), 2 deletions(-)

 9pfs: local: forbid client access to metadata (CVE-2017-7493)
Commit-Id: 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b

When using the mapped-file security mode, we shouldn't let the client mess
with the metadata. The current code already tries to hide the metadata dir
from the client by skipping it in local_readdir(). But the client can still
access or modify it through several other operations. This can be used to
escalate privileges in the guest.

Affected backend operations are:
- local_mknod()
- local_mkdir()
- local_open2()
- local_symlink()
- local_link()
- local_unlinkat()
- local_renameat()
- local_rename()
- local_name_to_path()

Other operations are safe because they are only passed a fid path, which
is computed internally in local_name_to_path().

This patch converts all the functions listed above to fail and return
EINVAL when being passed the name of the metadata dir. This may look
like a poor choice for errno, but there's no such thing as an illegal
path name on Linux and I could not think of anything better.

This fixes CVE-2017-7493.

Reported-by: Leo Gaspard <leo@gaspard.io>
Signed-off-by: Greg Kurz <groug@kaod.org>
vmw_pvscsi check message ring page count at init CVE 2017 8112.patch | (download)

hw/scsi/vmw_pvscsi.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 vmw_pvscsi: check message ring page count at initialisation
Commit-Id: f68826989cd4d1217797251339579c57b3c0934e
Bug-Debian: http://bugs.debian.org/861351

A guest could set the message ring page count to zero, resulting in
an infinite loop. Add a check to avoid it.

Reported-by: YY Z <bigbird475958471@gmail.com>
Signed-off-by: P J P <ppandit@redhat.com>
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
scsi avoid an off by one error in megasas_mmio_write CVE 2017 8380.patch | (download)

hw/scsi/megasas.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 scsi: avoid an off-by-one error in megasas_mmio_write
Commit-Id: 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
Bug-Debian: http://bugs.debian.org/862282

While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
an off-by-one error could occur as 's->adp_reset' index is not
reset after reading the last sequence.

Reported-by: YY Z <bigbird475958471@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

input limit kbd queue depth CVE 2017 8379.patch | (download)

ui/input.c | 14 11 + 3 - 0 !
1 file changed, 11 insertions(+), 3 deletions(-)

 input: limit kbd queue depth
Commit-Id: fa18f36a461984eae50ab957e47ec78dae3c14fc
Bug-Debian: http://bugs.debian.org/862289

Apply a limit to the number of items we accept into the keyboard queue.

Impact: Without this limit vnc clients can exhaust host memory by
sending keyboard events faster than qemu feeds them to the guest.

Fixes: CVE-2017-8379
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: jiangxin1@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170428084237.23960-1-kraxel@redhat.com

audio release capture buffers CVE 2017 8309.patch | (download)

audio/audio.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 audio: release capture buffers
Commit-Id: 3268a845f41253fb55852a8429c32b50f36f349a
Bug-Debian: http://bugs.debian.org/862280

AUD_add_capture() allocates two buffers which are never released.
Add the missing calls to AUD_del_capture().

Impact: Allows vnc clients to exhaust host memory by repeatedly
starting and stopping audio capture.

Fixes: CVE-2017-8309
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
net e1000e fix an infinite loop issue CVE 2017 9310.patch | (download)

hw/net/e1000e_core.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 net: e1000e: fix an infinite loop issue (CVE-2017-9310)
Commit-Id: 4154c7e03fa55b4cf52509a83d50d6c09d743b77
Bug-Debian: http://bugs.debian.org/863840

This issue is like the issue in e1000 network card addressed in
this commit:
e1000: eliminate infinite loops on out-of-bounds transfer start.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
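Several of the fixes above share one shape: a device walks a chain of guest-controlled descriptors (xhci loops, CVE-2017-5973; i.MX FEC buffer descriptors, CVE-2016-7907; OHCI linked EDs, CVE-2017-6505; SDHCI block count, CVE-2017-5987; vmw_pvscsi page count, CVE-2017-8112; e1000e, CVE-2017-9310) and the guest can make that walk never end. The bounded walk below is an added example, not code from any of those patches or from QEMU: the descriptor layout, the "guest memory" array and the MAX_DESC cap are all constructed for the example.

```c
/* Added example, not QEMU code: a bounded walk over a guest-controlled
 * descriptor chain. Descriptors live in a constructed "guest memory"
 * array indexed by address; each carries a length and the address of the
 * next descriptor, NEXT_END ending the chain. A guest that builds a cycle,
 * or a chain that never ends, must not keep the host thread spinning, so
 * the walk stops after MAX_DESC steps and reports failure (the QEMU fixes
 * additionally log a tracepoint at that point). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NEXT_END  0xffffffffu
#define MAX_DESC  64u     /* hypothetical cap; the real limits are per device */

struct desc {
    uint32_t len;   /* payload bytes this descriptor covers */
    uint32_t next;  /* "address" (array index) of the next descriptor */
};

struct guest_mem {
    const struct desc *d;
    size_t n;       /* number of addressable descriptors */
};

/* Sum the lengths along the chain starting at start.
 * Returns the total, or -1 if an address is outside guest memory or the
 * chain runs longer than MAX_DESC descriptors. visited (if non-NULL)
 * receives the number of descriptors examined either way. */
long walk_chain(const struct guest_mem *m, uint32_t start, unsigned *visited)
{
    uint32_t addr = start;
    unsigned seen = 0;
    long total = 0;

    while (addr != NEXT_END) {
        if (addr >= m->n) {          /* descriptor pointer outside guest RAM */
            goto fail;
        }
        if (++seen > MAX_DESC) {     /* cycle or absurdly long chain */
            goto fail;
        }
        /* a zero length is not an error: the cap, not the length, bounds the loop */
        total += m->d[addr].len;
        addr = m->d[addr].next;
    }
    if (visited) *visited = seen;
    return total;

fail:
    if (visited) *visited = seen;
    return -1;
}

/* Constructed inputs. A well-formed three-descriptor chain: */
static const struct desc good_chain[] = {
    { 10, 1 }, { 20, 2 }, { 30, NEXT_END },
};
const struct guest_mem good_mem = { good_chain, 3 };

/* Two zero-length descriptors pointing at each other: the imx/e1000e-style
 * loop where nothing is ever transferred but the walk never ends. */
static const struct desc loop_chain[] = {
    { 0, 1 }, { 0, 0 },
};
const struct guest_mem loop_mem = { loop_chain, 2 };

int main(void)
{
    unsigned n;
    long t = walk_chain(&good_mem, 0, &n);
    printf("good chain: total=%ld descriptors=%u\n", t, n);
    t = walk_chain(&loop_mem, 0, &n);
    printf("looping chain: result=%ld stopped after %u steps\n", t, n);
    t = walk_chain(&good_mem, 7, &n);
    printf("out-of-bounds start: result=%ld\n", t);
    return 0;
}
```

The cap is checked before the descriptor is read, so a chain of MAX_DESC + 1 entries fails on the extra one rather than one step later; picking the value is a per-device judgement, large enough that a legitimate driver never trips it, which is the "big enough that a normal guest should not hit them" condition from the xhci patch.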
usb ohci fix error return code in servicing iso td CVE 2017 9330.patch | (download)

hw/usb/hcd-ohci.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 usb: ohci: fix error return code in servicing ISO TD
Commit-Id: 26f670a244982335cc08943fb1ec099a2c81e42d
Bug-Debian: http://bugs.debian.org/863943

It should return 1 if an error occurs when reading iso td.
This will avoid an infinite loop issue in ohci_service_ed_list.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5899ac3e.1033240a.944d5.9a2d@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

ide core add cleanup function.patch | (download)

hw/ide/core.c | 8 8 + 0 - 0 !
include/hw/ide/internal.h | 1 1 + 0 - 0 !
2 files changed, 9 insertions(+)

 ide: core: add cleanup function
Commit-Id: c9f086418a255f386e1c4d2c1418c032eb349537

As the PCI AHCI device can be hotplugged and unplugged, the AHCI unrealize
function should free all the resources allocated in the
realize function. This patch adds ide_exit to free the resources.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 1488449293-80280-3-git-send-email-liqiang6-s@360.cn
Signed-off-by: John Snow <jsnow@redhat.com>

ide ahci call cleanup function in ahci unit CVE 2017 9373.patch | (download)

hw/ide/ahci.c | 12 12 + 0 - 0 !
1 file changed, 12 insertions(+)

 ide: ahci: call cleanup function in ahci unit
Commit-Id: d68f0f778e7f4fbd674627274267f269e40f0b04
Bug-Debian: http://bugs.debian.org/864216

This avoids a memory leak when hot-unplugging the AHCI device.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 1488449293-80280-4-git-send-email-liqiang6-s@360.cn
Signed-off-by: John Snow <jsnow@redhat.com>

xhci dont kick in xhci_submit and xhci_fire_ctl_transfer.patch | (download)

hw/usb/hcd-xhci.c | 8 0 + 8 - 0 !
1 file changed, 8 deletions(-)

 xhci: don't kick in xhci_submit and xhci_fire_ctl_transfer
Commit-Id: ddb603ab6c981c1d67cb42266fc700c33e5b2d8f
Bug-Debian: http://bugs.debian.org/869945

xhci_submit and xhci_fire_ctl_transfer are called from the
xhci_kick_epctx processing loop only, so there is no need to call
xhci_kick_epctx to make sure processing continues.  Also, recursive calls
into xhci_kick_epctx can cause trouble.

Drop the xhci_kick_epctx calls.

Cc: 1653384@bugs.launchpad.net
Fixes: 94b037f2a451b3dc855f9f2c346e5049a361bd55
Reported-by: Fabian Lesniak <fabian@lesniak-it.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485790607-31399-4-git-send-email-kraxel@redhat.com

xhci guard xhci_kick_epctx against recursive calls CVE 2017 9375.patch | (download)

hw/usb/hcd-xhci.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 xhci: guard xhci_kick_epctx against recursive calls
Commit-Id: 96d87bdda3919bb16f754b3d3fd1227e1f38f13c
Bug-Debian: http://bugs.debian.org/864219

Track xhci_kick_epctx processing being active in a variable.  Check the
variable before calling xhci_kick_epctx from xhci_kick_ep.  Add an
assert to make sure we don't call recursively into xhci_kick_epctx.

Cc: 1653384@bugs.launchpad.net
Fixes: 94b037f2a451b3dc855f9f2c346e5049a361bd55
Reported-by: Fabian Lesniak <fabian@lesniak-it.de>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1486035372-3621-1-git-send-email-kraxel@redhat.com
Message-id: 1485790607-31399-5-git-send-email-kraxel@redhat.com

usb ehci fix memory leak in ehci CVE 2017 9374.patch | (download)

hw/usb/hcd-ehci-pci.c | 9 9 + 0 - 0 !
hw/usb/hcd-ehci.c | 5 5 + 0 - 0 !
hw/usb/hcd-ehci.h | 1 1 + 0 - 0 !
3 files changed, 15 insertions(+)

 usb: ehci: fix memory leak in ehci
Commit-Id: d710e1e7bd3d5bfc26b631f02ae87901ebe646b0
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1459132
Bug-Debian: http://bugs.debian.org/864568

In the usb_ehci_init function, it initializes 's->ipacket', but there
is no corresponding function to free this. As the EHCI can be hotplugged
and unplugged, this will leak host memory. In order to keep the
hierarchy clean, we should add an EHCI PCI finalize function, then call
the cleanup function in the EHCI device.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 589a85b8.3c2b9d0a.b8e6.1434@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

nbd ignore SIGPIPE CVE 2017 10664.patch | (download)

qemu-nbd.c | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 qemu-nbd: ignore sigpipe
Commit-Id: 041e32b8d9d076980b4e35317c0339e57ab888f1
Bug-Debian: http://bugs.debian.org/866674

qemu proper has done so for 13 years
(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have
done so for four years (526eda14a68d5b3596be715505289b541288ef2a).
Ignoring this signal is especially important in qemu-nbd because
otherwise a client can easily take down the qemu-nbd server by dropping
the connection when the server wants to send something, for example:

$ qemu-nbd -x foo -f raw -t null-co:// &
[1] 12726
$ qemu-io -c quit nbd://localhost/bar
can't open device nbd://localhost/bar: No export with name 'bar' available
[1]  + 12726 broken pipe  qemu-nbd -x foo -f raw -t null-co://

In this case, the client sends an NBD_OPT_ABORT and closes the
connection (because it is not required to wait for a reply), but the
server replies with an NBD_REP_ACK (because it is required to reply).

Signed-off-by: Max Reitz <mreitz@redhat.com>
Message-Id: <20170611123714.31292-1-mreitz@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
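The failure mode the message reproduces with qemu-io, as an added example that is not qemu-nbd's code: the client side of the NBD_OPT_ABORT exchange is modelled with a socketpair whose client end is closed before the server writes its mandatory reply. With SIGPIPE ignored the write fails with EPIPE and the server can log it and carry on; with the default disposition the same write kills the process. The reply bytes and function names are the example's own, not the NBD wire encoding.

```c
/* Added example, not qemu-nbd code: what ignoring SIGPIPE buys a server.
 * A client that sends NBD_OPT_ABORT and closes without waiting for the
 * NBD_REP_ACK is modelled with a socketpair whose client end is closed
 * before the server writes. With SIGPIPE ignored the write fails with
 * EPIPE; with the default disposition the same write kills the process.
 * The reply bytes here are a placeholder, not the real NBD wire encoding. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Called once at startup, as qemu-nbd now does (qemu proper, qemu-img and
 * qemu-io already did). */
void server_ignore_sigpipe(void)
{
    signal(SIGPIPE, SIG_IGN);
}

/* Returns the errno the reply produced: EPIPE once SIGPIPE is ignored,
 * 0 if the write unexpectedly succeeded. Call server_ignore_sigpipe()
 * first; without it this function does not return because the process
 * is terminated by SIGPIPE on the write. */
int reply_after_client_hangup(void)
{
    int sv[2];
    static const char ack[] = "NBD_REP_ACK";   /* placeholder reply */
    int err = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        return errno;
    }
    close(sv[1]);                               /* client drops the connection */
    if (write(sv[0], ack, sizeof ack) < 0) {    /* server sends its mandatory reply */
        err = errno;                            /* EPIPE, now survivable */
    }
    close(sv[0]);
    return err;
}

int main(void)
{
    server_ignore_sigpipe();
    int err = reply_after_client_hangup();
    printf("reply after hangup: %s (errno %d)\n", strerror(err), err);
    return 0;
}
```

Ignoring the signal process-wide is the usual choice for a daemon, since every write path then reports EPIPE like any other error; the per-call alternative on Linux is send() with MSG_NOSIGNAL, which does not help code that writes through write() or a library that owns the descriptor.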

nbd fully initialize client in case of failed negotiation CVE 2017 9524.patch | (download)

nbd/server.c | 9 4 + 5 - 0 !
qemu-nbd.c | 2 1 + 1 - 0 !
2 files changed, 5 insertions(+), 6 deletions(-)

 nbd: fully initialize client in case of failed negotiation
Commit-Id: df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af
Bug-Debian: http://bugs.debian.org/865755

If a non-NBD client connects to qemu-nbd, we would end up with
a SIGSEGV in nbd_client_put() because we were trying to
unregister the client's association to the export, even though
we skipped inserting the client into that list.  Easy trigger
in two terminals:

$ qemu-nbd -p 30001 --format=raw file
$ nmap 127.0.0.1 -p 30001

nmap claims that it thinks it connected to a pago-services1
server (which probably means nmap could be updated to learn the
NBD protocol and give a more accurate diagnosis of the open
port - but that's not our problem), then terminates immediately,
so our call to nbd_negotiate() fails.  The fix is to reorder
nbd_co_client_start() to ensure that all initialization occurs
before we ever try talking to a client in nbd_negotiate(), so
that the teardown sequence on negotiation failure doesn't fault
while dereferencing a half-initialized object.

While debugging this, I also noticed that nbd_update_server_watch()
called by nbd_client_closed() was still adding a channel to accept
the next client, even when the state was no longer RUNNING.  That
is fixed by making nbd_can_accept() pay attention to the current
state.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170527030421.28366-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit  df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af)

nbd fix regression on resiliency to port scan CVE 2017 9524.patch | (download)

blockdev-nbd.c | 6 5 + 1 - 0 !
include/block/nbd.h | 2 1 + 1 - 0 !
nbd/server.c | 24 15 + 9 - 0 !
qemu-nbd.c | 4 2 + 2 - 0 !
4 files changed, 23 insertions(+), 13 deletions(-)

 nbd: fix regression on resiliency to port scan
Commit-Id: 0c9390d978cbf61e8f16c9f580fa96b305c43568
Bug-Debian: http://bugs.debian.org/865755

Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
server would not quit, regardless of how many probe connections
came and went, until a connection actually negotiated).  But we
broke that in commit ee7d7aa when removing the return value to
nbd_client_new(), although that patch also introduced a bug causing
an assertion failure on a client that fails negotiation.  We then
made it worse during refactoring in commit 1a6245a (a segfault
before we could even assert); the (masked) assertion was cleaned
up in d3780c2 (still in 2.6), and just recently we finally fixed
the segfault ("nbd: Fully initialize client in case of failed
negotiation").  But that still means that ever since we added
TLS support to qemu-nbd, we have been vulnerable to an ill-timed
port-scan being able to cause a denial of service by taking down
qemu-nbd before a real client has a chance to connect.

Since negotiation is now handled asynchronously via coroutines,
we no longer have a synchronous point of return by re-adding a
return value to nbd_client_new().  So this patch instead wires
things up to pass the negotiation status through the close_fn
callback function.

Simple test across two terminals:
$ qemu-nbd -f raw -p 30001 file
$ nmap 127.0.0.1 -p 30001 && \
  qemu-io -c 'r 0 512' -f raw nbd://localhost:30001

Note that this patch does not change what constitutes successful
negotiation (thus, a client must enter transmission phase before
that client can be considered as a reason to terminate the server
when the connection ends).  Perhaps we may want to tweak things
in a later patch to also treat a client that uses NBD_OPT_ABORT
as being a 'successful' negotiation (the client correctly talked
the NBD protocol, and informed us it was not going to use our
export after all), but that's a discussion for another day.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614

Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 0c9390d978cbf61e8f16c9f580fa96b305c43568)

xen disk don t leak stack data via response ring CVE 2017 10911.patch | (download)

hw/block/xen_disk.c | 25 12 + 13 - 0 !
1 file changed, 12 insertions(+), 13 deletions(-)

 xen/disk: don't leak stack data via response ring
Commit-Id: b0ac694fdb9113b973048ebe5619927e74965f61
Bug-Debian: http://bugs.debian.org/869706
Bug: https://xenbits.xen.org/xsa/advisory-216.html

Rather than constructing a local structure instance on the stack, fill
the fields directly on the shared ring, just like other (Linux)
backends do. Build on the fact that all response structure flavors are
actually identical (aside from alignment and padding at the end).

This is XSA-216.

Reported by: Anthony Perard <anthony.perard@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>

slirp check len against dhcp options array end CVE 2017 11434.patch | (download)

slirp/bootp.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 slirp: check len against dhcp options array end
Bug-Debian: http://bugs.debian.org/869171

While parsing the dhcp options string in 'dhcp_decode', if an option's
length 'len' appeared towards the end of the 'bp_vend' array, the ensuing
read could lead to an OOB memory access issue. Add a check to avoid it.

Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>

exec use qemu_ram_ptr_length to access guest ram CVE 2017 11334.patch | (download)

exec.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 exec: use qemu_ram_ptr_length to access guest ram
Commit-Id: 04bf2526ce87f21b32c9acba1c5518708c243ad0
Bug-Debian: http://bugs.debian.org/869173

When accessing a guest's ram block during a DMA operation, use
'qemu_ram_ptr_length' to get the ram block pointer. It ensures
that a DMA operation of the given length is possible, and avoids
any OOB memory access situations.

Reported-by: Alex <broscutamaker@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

exec add lock parameter to qemu_ram_ptr_length.patch | (download)

exec.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 exec: add lock parameter to qemu_ram_ptr_length
Commit-Id: f5aa69bdc3418773f26747ca282c291519626ece
Bug-Debian: http://bugs.debian.org/871648
Bug-Debian: http://bugs.debian.org/871702
Bug-Debian: http://bugs.debian.org/872257

Commit 04bf2526ce87f21b32c9acba1c5518708c243ad0 (exec: use
qemu_ram_ptr_length to access guest ram) started using qemu_ram_ptr_length
instead of qemu_map_ram_ptr, but when used with Xen, the behavior of
usb redir fix stack overflow in usbredir_log_data CVE 2017 10806.patch | (download)

hw/usb/redirect.c | 13 1 + 12 - 0 !
1 file changed, 1 insertion(+), 12 deletions(-)

 usb-redir: fix stack overflow in usbredir_log_data
Commit-Id: bd4a683505b27adc1ac809f71e918e58573d851d
Bug-Debian: http://bugs.debian.org/867751

Don't reinvent a broken wheel, just use the hexdump function we have.

Impact: low, broken code doesn't run unless you have debug logging
enabled.

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170509110128.27261-1-kraxel@redhat.com

ide do not flush empty CDROM drives CVE 2017 12809.patch | (download)

hw/ide/core.c | 10 9 + 1 - 0 !
1 file changed, 9 insertions(+), 1 deletion(-)

 ide: do not flush empty cdrom drives
Commit-Id: 4da97120d51a4383aa96d741a2b837f8c4bbcd0b
Bug-Debian: http://bugs.debian.org/873849

The block backend changed in a way that flushing empty CDROM drives now
crashes.  Amend IDE to avoid doing so until the root problem can be
addressed for 2.11.

Original patch by John Snow <jsnow@redhat.com>.

Reported-by: Kieron Shorrock <kshorrock@paloaltonetworks.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>

vga stop passing pointers to vga_draw_line functions CVE 2017 13672.patch | (download)

hw/display/vga-helpers.h | 202 110 + 92 - 0 !
hw/display/vga.c | 5 3 + 2 - 0 !
hw/display/vga_int.h | 1 1 + 0 - 0 !
3 files changed, 114 insertions(+), 94 deletions(-)

 vga: stop passing pointers to vga_draw_line* functions
Commit-Id: 3d90c6254863693a6b13d918d2b8682e08bbc681
Bug-Debian: http://bugs.debian.org/873851

Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).

Impact:  DoS for privileged guest users.  qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.

Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com

multiboot validate multiboot header address values CVE 2017 14167.patch | (download)

hw/i386/multiboot.c | 19 19 + 0 - 0 !
1 file changed, 19 insertions(+)

 multiboot: validate multiboot header address values
Commit-Id: ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb
Bug-Debian: http://bugs.debian.org/874606

While loading kernel via multiboot-v1 image, (flags & 0x00010000)
indicates that multiboot header contains valid addresses to load
the kernel image. These addresses are used to compute kernel
size and kernel text offset in the OS image. Validate these
address values to avoid an OOB access issue.

This is CVE-2017-14167.

Reported-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170907063256.7418-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

multiboot bss_end_addr can be zero CVE 2018 7550.patch | (download)

hw/i386/multiboot.c | 18 10 + 8 - 0 !
1 file changed, 10 insertions(+), 8 deletions(-)

 multiboot: bss_end_addr can be zero
Commit-Id: 2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8
Bug-Debian: http://bugs.debian.org/892041

The multiboot spec (https://www.gnu.org/software/grub/manual/multiboot/),
section 3.1.3, allows for bss_end_addr to be zero.

A zero bss_end_addr signifies there is no .bss section.

Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Jack Schwartz <jack.schwartz@oracle.com>

slirp fix clearing ifq_so from pending packets CVE 2017 13711.patch | (download)

slirp/socket.c | 39 23 + 16 - 0 !
1 file changed, 23 insertions(+), 16 deletions(-)

 slirp: fix clearing ifq_so from pending packets
Commit-Id: 1201d308519f1e915866d7583d5136d03cc1d384
Bug-Debian: http://bugs.debian.org/873875

The if_fastq and if_batchq contain not only packets, but queues of packets
for the same socket. When sofree frees a socket, it thus has to clear ifq_so
from all the packets from the queues, not only the first.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

CVE 2017 5715/i386 increase X86CPUDefinition model_id to 49.patch | (download)

target-i386/cpu.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 i386: increase x86cpudefinition::model_id to 49
Commit-Id: 807e9869b8c4119b81df902625af818519e01759

The original commit comment in 807e9869b8c4119b81df902625af818519e01759:

CVE 2017 5715/i386 add support for SPEC_CTRL MSR.patch | (download)

target-i386/cpu.h | 3 3 + 0 - 0 !
target-i386/kvm.c | 15 15 + 0 - 0 !
target-i386/machine.c | 20 20 + 0 - 0 !
3 files changed, 38 insertions(+)

 i386: add support for spec_ctrl msr
Commit-Id: a33a2cfe2f771b360b3422f6cdf566a560860bfc

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20180109154519.25634-3-ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit a33a2cfe2f771b360b3422f6cdf566a560860bfc)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

CVE 2017 5715/i386 add spec ctrl CPUID bit.patch | (download)

target-i386/cpu.c | 2 1 + 1 - 0 !
target-i386/cpu.h | 1 1 + 0 - 0 !
2 files changed, 2 insertions(+), 1 deletion(-)

 i386: add spec-ctrl cpuid bit
Commit-Id: a2381f0934432ef2cd47a335348ba8839632164c

Add the feature name and a CPUID_7_0_EDX_SPEC_CTRL macro.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20180109154519.25634-4-ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit a2381f0934432ef2cd47a335348ba8839632164c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

CVE 2017 5715/i386 add FEAT_8000_0008_EBX CPUID feature word.patch | (download)

target-i386/cpu.c | 19 18 + 1 - 0 !
target-i386/cpu.h | 3 3 + 0 - 0 !
2 files changed, 21 insertions(+), 1 deletion(-)

 i386: add feat_8000_0008_ebx cpuid feature word
Commit-Id: 1b3420e1c4d523c49866cca4e7544753201cd43d

Add the new feature word and the "ibpb" feature flag.

Based on a patch by Paolo Bonzini.

Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20180109154519.25634-5-ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit 1b3420e1c4d523c49866cca4e7544753201cd43d)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

CVE 2017 5715/i386 add new IBRS versions of Intel CPU models.patch | (download)

target-i386/cpu.c | 329 328 + 1 - 0 !
1 file changed, 328 insertions(+), 1 deletion(-)

 i386: add new -ibrs versions of intel cpu models
Commit-Id: ac96c41354b7e4c70b756342d9b686e31ab87458

The new IA32_SPEC_CTRL MSR was introduced by a recent Intel
microcode update and can be used by OSes to mitigate
CVE-2017-5715.  Unfortunately we can't change the existing CPU
models without breaking existing setups, so users need to
explicitly update their VM configuration to use the new *-IBRS
CPU model if they want to expose IBRS to guests.

The new CPU models are simple copies of the existing CPU models,
with just CPUID_7_0_EDX_SPEC_CTRL added and model_id updated.

Cc: Jiri Denemark <jdenemar@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Message-Id: <20180109154519.25634-6-ehabkost@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit ac96c41354b7e4c70b756342d9b686e31ab87458)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

CVE 2017 5715/s390x kvm introduce branch prediction blocking contr.patch | (download)

linux-headers/asm-s390/kvm.h | 5 4 + 1 - 0 !
linux-headers/linux/kvm.h | 1 1 + 0 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

 s390x/kvm: introduce branch prediction blocking control (bpbc) defines
Commit-Id: 9cbb636270b4df6f0a548e5c34b895330db5df8b

Only bpbc-related changes from linux kernel 4.15-rc9
Based on upstream commit 9cbb636270b4df6f0a548e5c34b895330db5df8b

CVE 2017 5715/s390x kvm handle bpb feature.patch | (download)

target-s390x/cpu.c | 1 1 + 0 - 0 !
target-s390x/cpu.h | 1 1 + 0 - 0 !
target-s390x/cpu_features.c | 1 1 + 0 - 0 !
target-s390x/cpu_features_def.h | 1 1 + 0 - 0 !
target-s390x/gen-features.c | 1 1 + 0 - 0 !
target-s390x/kvm.c | 14 14 + 0 - 0 !
target-s390x/machine.c | 17 17 + 0 - 0 !
7 files changed, 36 insertions(+)

 s390x/kvm: handle bpb feature
Commit-Id: 4646696f7996c039f847f54540f0a8f7fa170cc4

We need to handle the bpb control on reset and migration. Normally
stfle.82 is transparent (and the normal guest part works without
hypervisor activity). To prevent any issues we require full
host kernel support for this feature.

Cc: qemu-stable@nongnu.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Message-Id: <20180118085628.40798-3-borntraeger@de.ibm.com>

vga check the validation of memory addr when draw text CVE 2018 5683.patch | (download)

hw/display/vga.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 vga: check the validation of memory addr when draw text
Commit-Id: 191f59dc17396bb5a8da50f8c59b6e0a430711a4
Bug-Debian: http://bugs.debian.org/887392

Start a VM with qemu-kvm -enable-kvm -vnc :66 -smp 1 -m 1024 -hda
redhat_5.11.qcow2  -device pcnet -vga cirrus,
then use a VNC client to connect to the VM; executing the code below in the
guest OS will lead to a qemu crash:

#include <stdlib.h>   /* rand(), srand() */
#include <time.h>     /* time() */
#include <sys/io.h>   /* iopl(), outb(): glibc on x86 Linux, needs root in the guest */

int main(void)
{
    /* Grant this guest process raw access to I/O ports. */
    iopl(3);
    srand(time(NULL));
    int a, b;
    while (1) {
        a = rand() % 0x100;           /* random byte value */
        b = 0x3c0 + (rand() % 0x20);  /* random port in the VGA register range 0x3c0-0x3df */
        outb(a, b);                   /* write it to the emulated VGA device */
    }
    return 0;
}

The above code writes the registers of the VGA randomly.
We can write VGA CRT controller registers index 0x0C or 0x0D
(which is the start address register) to modify the
display memory address of the upper left pixel
or character of the screen. The address may be out of the
range of VGA RAM. So we should validate the memory address
when reading or writing it to avoid a segfault.

Signed-off-by: linzhecheng <linzhecheng@huawei.com>
Message-id: 20180111132724.13744-1-linzhecheng@huawei.com
Fixes: CVE-2018-5683
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>