Package: qemu / 1:3.1+dfsg-8~deb10u1

Metadata

Package: qemu
Version: 1:3.1+dfsg-8~deb10u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
use fixed data path.patch

os-posix.c | 2 2 + 0 - 0 !
vl.c | 7 1 + 6 - 0 !
2 files changed, 3 insertions(+), 6 deletions(-)

 use fixed data dir instead of determining it at runtime
do not link everything with xen.patch

configure | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

---
usb mtp use O_NOFOLLOW and O_CLOEXEC CVE 2018 16872.patch

hw/usb/dev-mtp.c | 13 9 + 4 - 0 !
1 file changed, 9 insertions(+), 4 deletions(-)

usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
Bug-Debian: https://bugs.debian.org/916397
Closes: #916397

Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
While being at it also add O_CLOEXEC.

usb-mtp only handles regular files and directories and ignores
bt use size_t type for length parameters instead of int CVE 2018 19665.patch

bt-host.c | 8 4 + 4 - 0 !
bt-vhci.c | 7 4 + 3 - 0 !
hw/bt/core.c | 2 1 + 1 - 0 !
hw/bt/hci-csr.c | 32 16 + 16 - 0 !
hw/bt/hci.c | 38 19 + 19 - 0 !
hw/bt/hid.c | 10 5 + 5 - 0 !
hw/bt/l2cap.c | 56 29 + 27 - 0 !
hw/bt/sdp.c | 6 3 + 3 - 0 !
hw/usb/dev-bluetooth.c | 12 6 + 6 - 0 !
include/hw/bt.h | 8 4 + 4 - 0 !
include/sysemu/bt.h | 10 5 + 5 - 0 !
11 files changed, 96 insertions(+), 93 deletions(-)

 bt: use size_t type for length parameters instead of int
Bug-Debian: https://bugs.debian.org/916278
Closes: #916278, CVE-2018-19665

The length parameter values are not negative, thus use an unsigned
type 'size_t' for them. Many routines pass 'len' values to memcpy(3)
calls. If such a value were negative, it could lead to memory corruption issues.
Add a check to avoid it.

Reported-by: Arash TC <tohidi.arash@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
hw_usb fix mistaken de initialization of CCID state.patch

hw/usb/ccid-card-emulated.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

hw/usb: fix mistaken de-initialization of CCID state
Date: Fri, 21 Dec 2018 13:41:15 +0000
Message-Id: <20181221134115.27973-1-berrange@redhat.com>
Bug-Debian: https://bugs.debian.org/917007

In previous commit:

  commit 7dea29e4af17fc1d27478de9f8ea38144deac54a
sparc64 timeval.tv_usec is int.patch

linux-user/syscall_defs.h | 4 4 + 0 - 0 !
1 file changed, 4 insertions(+)

 sparc64 timeval.tv_usec is int


On sparc (only) Linux defines timeval::tv_usec with type int, not
long.  However qemu-user's definition of struct target_timeval uses
abi_long unconditionally.  This results in the syscall translation
layer effectively multiplying tv_usec by 2**32.  All sparc syscalls
passing non-zero values for this field fail with -EINVAL.

Laurent Vivier <laurent@vivier.eu>:

According to the kernel definition, I think it should be:

See arch/sparc/include/uapi/asm/posix_types.h

typedef int                    __kernel_suseconds_t;
..

scsi generic avoid possible oob access to r buf CVE 2019 6501.patch

hw/scsi/scsi-generic.c | 18 10 + 8 - 0 !
1 file changed, 10 insertions(+), 8 deletions(-)

scsi-generic: avoid possible out-of-bounds access to r->buf (CVE-2019-6501)
Bug-Debian: http://bugs.debian.org/920222

Whenever the allocation length of a SCSI request is shorter than the size of the
VPD page list, page_idx is used blindly to index into r->buf.  Even though
the stores in the insertion sort are protected against overflows, the same is not
true of the reads and the final store of 0xb0.

This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
out-of-bounds access to VPD page list", 2018-11-06), except that here the
allocation length can be chosen by the guest.  Note that according to the SCSI
standard, the contents of the PAGE LENGTH field are not altered based
on the allocation length.

The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD
page list sorted", 2018-11-06) but the overflow was already possible before.

Reported-by: Kevin Wolf <kwolf@redhat.com>
Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

slirp check data length while emulating ident function CVE 2019 6778.patch

slirp/tcp_subr.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

slirp: check data length while emulating ident function (CVE-2019-6778)
Bug-Debian: http://bugs.debian.org/921525

While emulating the identification protocol, tcp_emu() does not check
the available space in the 'sc_rcv->sb_data' buffer. This could lead to
a heap buffer overflow. Add a check to avoid it.

Reported-by: Kira <864786842@qq.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>

i2c ddc fix oob read CVE 2019 3812.patch

hw/i2c/i2c-ddc.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 i2c-ddc: fix oob read
Commit-Id: b05b267840515730dbf6753495d5b7bd8b04ad1c
Bug-Debian: https://bugs.debian.org/922635

Suggested-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
slirp check sscanf result when emulating ident CVE 2019 9824.patch

slirp/tcp_subr.c | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

slirp: check sscanf result when emulating ident (CVE-2019-9824)

device_tree don t use load_image CVE 2018 20815.patch

device_tree.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

device_tree.c: don't use load_image() (CVE-2018-20815)
Commit-Id: da885fe1ee8b4589047484bd7fa05a4905b52b17

The load_image() function is deprecated, as it does not let the
caller specify how large the buffer to read the file into is.
Instead use load_image_size().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
sun4u add power_mem_read routine CVE 2019 5008.patch

hw/sparc64/sun4u.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 sun4u: add power_mem_read routine
Commit-Id: ad280559c68360c9f1cd7be063857853759e6a73
Bug-Debian: http://bugs.debian.org/927439

Define skeleton 'power_mem_read' routine. Avoid NULL dereference.

Reported-by: Fakhri Zulkifli <mohdfakhrizulkifli@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>

aarch32 exception return to switch from hyp mon.patch

target/arm/helper.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

target/arm: allow AArch32 exception return to switch from Mon->Hyp
Commit-Id: 2d2a4549cc29850aab891495685a7b31f5254b12
Bug-Debian: http://bugs.debian.org/927763

In U-boot, we switch from S-SVC -> Mon -> Hyp mode when we want to
enter Hyp mode. The change into Hyp mode is done by doing an
exception return from Mon. This doesn't work with current QEMU.

The problem is that in bad_mode_switch() we refuse to allow
the change of mode.

Note that bad_mode_switch() is used to do validation for two situations:

 (1) changes to mode by instructions writing to CPSR.M
     (ie not exception take/return) -- this corresponds to the
     Armv8 Arm ARM pseudocode Arch32.WriteModeByInstr
 (2) changes to mode by exception return

Attempting to enter or leave Hyp mode via case (1) is forbidden in
v8 and UNPREDICTABLE in v7, and QEMU is correct to disallow it
there. However, we're already doing that check at the top of the
bad_mode_switch() function, so if that passes then we should allow
the case (2) exception return mode changes to switch into Hyp mode.

We want to test whether we're trying to return to the nonexistent
"secure Hyp" mode, so we need to look at arm_is_secure_below_el3()
rather than arm_is_secure(), since the latter is always true if
we're in Mon (EL3).

Signed-off-by: Alexander Graf <agraf@suse.de>
enable md no.patch

target/i386/cpu.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 target/i386: add mds-no feature
Bug-Debian: http://bugs.debian.org/929067

Microarchitectural Data Sampling is a hardware vulnerability which allows
unprivileged speculative access to data which is available in various CPU
internal buffers.

Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES
MSR to report that they are not vulnerable; make it available to guests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
--
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

enable md clear.patch

target/i386/cpu.c | 2 1 + 1 - 0 !
target/i386/cpu.h | 1 1 + 0 - 0 !
target/i386/hvf/x86_cpuid.c | 3 2 + 1 - 0 !
3 files changed, 4 insertions(+), 2 deletions(-)

 target/i386: define md-clear bit
Bug-Debian: http://bugs.debian.org/929067

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction.  Add the new feature, and pass it down to
Hypervisor.framework guests.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

[Backported to qemu 3.1 - sbeattie]


qxl check release info object CVE 2019 12155.patch

hw/display/qxl.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

qxl: check release info object (CVE-2019-12155)
Bug-Debian: http://bugs.debian.org/929353

When releasing spice resources in the release_resource() routine,
if the release info object 'ext.info' is null, it leads to a null
pointer dereference. Add a check to avoid it.

Reported-by: Bugs SysSec <bugs-syssec@rub.de>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20190425063534.32747-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>