From b67442d8e0bab0041f2b596f0f8b91faf567c7b4 Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Tue, 15 Mar 2022 23:12:22 +0800 Subject: [PATCH 1/3] update to qemu-kvm-4.2.0-59.module+el8.5.0+14169+68d2f392.2.src.rpm Signed-off-by: Liwei Ge --- 1001-qemu-kvm-gcc10.patch | 92 --------------- ...iofsd-Adjust-limit-for-minor-version.patch | 41 ------- ...embership-of-all-supplementary-group.patch | 111 ++++++++++++++++++ qemu-kvm.spec | 21 ++-- 4 files changed, 118 insertions(+), 147 deletions(-) delete mode 100644 1001-qemu-kvm-gcc10.patch delete mode 100644 kvm-virtiofsd-Adjust-limit-for-minor-version.patch create mode 100644 kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch diff --git a/1001-qemu-kvm-gcc10.patch b/1001-qemu-kvm-gcc10.patch deleted file mode 100644 index af2545b..0000000 --- a/1001-qemu-kvm-gcc10.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 4ce1e15fbc7266a108a7c77a3962644b3935346e Mon Sep 17 00:00:00 2001 -From: Christophe de Dinechin -Date: Fri, 28 Feb 2020 16:00:59 +0100 -Subject: [PATCH] scsi/qemu-pr-helper: Fix out-of-bounds access to - trnptid_list[] -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Compile error reported by gcc 10.0.1: - -scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’: -scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds] - 523 | paramp.trnptid_list[paramp.num_transportid++] = id; - | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ -In file included from scsi/qemu-pr-helper.c:36: -/usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’ - 168 | struct transportid *trnptid_list[]; - | ^~~~~~~~~~~~ -scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’ - 424 | struct prout_param_descriptor paramp; - | ^~~~~~ - -This highlights an actual implementation issue in function multipath_pr_out. -The variable paramp is declared with type `struct prout_param_descriptor`, -which is a struct terminated by an empty array in mpath_persist.h: - - struct transportid *trnptid_list[]; - -That empty array was filled with code that looked like that: - - trnptid_list[paramp.descr.num_transportid++] = id; - -This is an actual out-of-bounds access. - -The fix is to malloc `paramp`. - -Signed-off-by: Christophe de Dinechin -Signed-off-by: Paolo Bonzini ---- - scsi/qemu-pr-helper.c | 17 ++++++++++------- - 1 file changed, 10 insertions(+), 7 deletions(-) - -diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c -index 0659ceef098..181ed4a1861 100644 ---- a/scsi/qemu-pr-helper.c -+++ b/scsi/qemu-pr-helper.c -@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, - int rq_servact = cdb[1]; - int rq_scope = cdb[2] >> 4; - int rq_type = cdb[2] & 0xf; -- struct prout_param_descriptor paramp; -+ g_autofree struct prout_param_descriptor *paramp = NULL; - char transportids[PR_HELPER_DATA_SIZE]; - int r; - -+ paramp = g_malloc0(sizeof(struct prout_param_descriptor) -+ + sizeof(struct transportid *) * MPATH_MX_TIDS); -+ - if (sz < PR_OUT_FIXED_PARAM_SIZE) { - /* Illegal request, Parameter list length error. This isn't fatal; - * we have read the data, send an error without closing the socket. -@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, - * used by libmpathpersist (which, of course, will immediately - * do the opposite). - */ -- memset(¶mp, 0, sizeof(paramp)); -- memcpy(¶mp.key, ¶m[0], 8); -- memcpy(¶mp.sa_key, ¶m[8], 8); -- paramp.sa_flags = param[20]; -+ memcpy(¶mp->key, ¶m[0], 8); -+ memcpy(¶mp->sa_key, ¶m[8], 8); -+ paramp->sa_flags = param[20]; - if (sz > PR_OUT_FIXED_PARAM_SIZE) { - size_t transportid_len; - int i, j; -@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, - return CHECK_CONDITION; - } - -- paramp.trnptid_list[paramp.num_transportid++] = id; -+ assert(paramp->num_transportid < MPATH_MX_TIDS); -+ paramp->trnptid_list[paramp->num_transportid++] = id; - } - } - - r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type, -- ¶mp, noisy, verbose); -+ paramp, noisy, verbose); - return mpath_reconstruct_sense(fd, r, sense); - } - #endif diff --git a/kvm-virtiofsd-Adjust-limit-for-minor-version.patch b/kvm-virtiofsd-Adjust-limit-for-minor-version.patch deleted file mode 100644 index 30ec553..0000000 --- a/kvm-virtiofsd-Adjust-limit-for-minor-version.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 3b7200134925fcf5ae99b5c3b34465456d3bc002 Mon Sep 17 00:00:00 2001 -From: Jacob Wang -Date: Mon, 2 Aug 2021 01:16:05 +0800 -Subject: [PATCH 1/1] virtiofsd: Adjust limit for minor version - -Upstream virtiofsd only supports fuse >= 7.31 -(https://github.com/qemu/qemu/commit/72c42e2d65510e073cf78fdc924d121c77fa0080), -while Cloud Kernel has fuse version 7.27, which causes virtiofs fails to run -due to version mismatch. This limitation is unnecessary in Cloud Kernel because -we have already backported mandatory fuse patches to support virtofs -frontend in Kernel. Hence, adjust the minor version limit to 7.27 to -suppress the limitation. - -Note that current fuse implementation in Cloud Kernel might lack of some -certain capabilities in fuse 7.28 ~ 7.31, which may cause unexpected results, -this patch is merely a workaround to enable virtiofs in guest kernel side and -further action is ongoing to make sure fuse APIs in both sides are 100% -compatible. - -Signed-off-by: Jacob Wang -Acked-by: Caspar Zhang ---- - tools/virtiofsd/fuse_lowlevel.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c -index 2dd36ec..2bb4318 100644 ---- a/tools/virtiofsd/fuse_lowlevel.c -+++ b/tools/virtiofsd/fuse_lowlevel.c -@@ -1917,7 +1917,7 @@ static void do_init(fuse_req_t req, fuse_ino_t nodeid, - outarg.major = FUSE_KERNEL_VERSION; - outarg.minor = FUSE_KERNEL_MINOR_VERSION; - -- if (arg->major < 7 || (arg->major == 7 && arg->minor < 31)) { -+ if (arg->major < 7 || (arg->major == 7 && arg->minor < 27)) { - fuse_log(FUSE_LOG_ERR, "fuse: unsupported protocol version: %u.%u\n", - arg->major, arg->minor); - fuse_reply_err(req, EPROTO); --- -1.8.3.1 - diff --git a/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch b/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch new file mode 100644 index 0000000..152032b --- /dev/null +++ b/kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch @@ -0,0 +1,111 @@ +From 746e07f2d54908296dde64e97e12ea33a35063e0 Mon Sep 17 00:00:00 2001 +From: Vivek Goyal +Date: Tue, 25 Jan 2022 13:51:14 -0500 +Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups + (CVE-2022-0358) + +RH-Author: Dr. David Alan Gilbert +RH-MergeRequest: 106: 8.5.0z non-av; virtiofsd security fix - drop secondary groups +RH-Commit: [1/1] e39df0b31f3c236675262395b94d5c10e8e3073f +RH-Bugzilla: 2048627 +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Laszlo Ersek +RH-Acked-by: Vivek Goyal + +At the start, drop membership of all supplementary groups. This is +not required. + +If we have membership of "root" supplementary group and when we switch +uid/gid using setresuid/setsgid, we still retain membership of existing +supplemntary groups. And that can allow some operations which are not +normally allowed. + +For example, if root in guest creates a dir as follows. + +$ mkdir -m 03777 test_dir + +This sets SGID on dir as well as allows unprivileged users to write into +this dir. + +And now as unprivileged user open file as follows. + +$ su test +$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755); + +This will create SGID set executable in test_dir/. + +And that's a problem because now an unpriviliged user can execute it, +get egid=0 and get access to resources owned by "root" group. This is +privilege escalation. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 +Fixes: CVE-2022-0358 +Reported-by: JIETAO XIAO +Suggested-by: Miklos Szeredi +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Dr. David Alan Gilbert +Signed-off-by: Vivek Goyal +Message-Id: +Signed-off-by: Dr. David Alan Gilbert + dgilbert: Fixed missing {}'s style nit +(cherry picked from commit 449e8171f96a6a944d1f3b7d3627ae059eae21ca) + dgilbert: Minor fixup around #includes on backport +--- + tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c +index b47029da89..578131179c 100644 +--- a/tools/virtiofsd/passthrough_ll.c ++++ b/tools/virtiofsd/passthrough_ll.c +@@ -63,6 +63,7 @@ + #include + #include + #include ++#include + + #include "passthrough_helpers.h" + #include "seccomp.h" +@@ -1058,6 +1059,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) + #define OURSYS_setresuid SYS_setresuid + #endif + ++static void drop_supplementary_groups(void) ++{ ++ int ret; ++ ++ ret = getgroups(0, NULL); ++ if (ret == -1) { ++ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++ exit(1); ++ } ++ ++ if (!ret) { ++ return; ++ } ++ ++ /* Drop all supplementary groups. We should not need it */ ++ ret = setgroups(0, NULL); ++ if (ret == -1) { ++ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n", ++ errno, strerror(errno)); ++ exit(1); ++ } ++} ++ + /* + * Change to uid/gid of caller so that file is created with + * ownership of caller. +@@ -3010,6 +3035,8 @@ int main(int argc, char *argv[]) + /* Don't mask creation mode, kernel already did that */ + umask(0); + ++ drop_supplementary_groups(); ++ + pthread_mutex_init(&lo.mutex, NULL); + lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal); + lo.root.fd = -1; +-- +2.27.0 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index 2ebe8a1..1e341d3 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.2 %global SLOF_gittagdate 20191022 %global SLOF_gittagcommit 899d9883 @@ -68,7 +67,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 4.2.0 -Release: 59%{anolis_release}%{?dist}.1 +Release: 59%{?dist}.2 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY @@ -1253,13 +1252,8 @@ Patch544: kvm-scsi-make-io_timeout-configurable.patch Patch545: kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch # For bz#2025011 - CVE-2021-20257 virt:rhel/qemu-kvm: QEMU: net: e1000: infinite loop while processing transmit descriptors [rhel-8.5.0.z] Patch546: kvm-e1000-fix-tx-re-entrancy-problem.patch - -# Begin: Anolis customized patches -# backport patch from upstream -Patch1000: kvm-virtiofsd-Adjust-limit-for-minor-version.patch -Patch1001: 1001-qemu-kvm-gcc10.patch -# End: Anolis customized patches - +# For bz#2048627 - CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z] +Patch547: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch BuildRequires: wget BuildRequires: rpm-build @@ -2208,11 +2202,10 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog -* Thu Jan 20 2022 Weitao Zhou - 4.2.0-59.0.2.1 -- Fix gcc10 build issue - -* Fri Dec 24 2021 Jacob Wang - 4.2.0-59.0.1.1 -- Adjust limit for virtiofsd minor version +* Tue Feb 08 2022 Jon Maloy - 4.2.0-59.el8_5.2 +- kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2048627] +- Resolves: bz#2048627 + (CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z]) * Thu Nov 25 2021 Jon Maloy - 4.2.0-59.el8_5 - kvm-hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch [bz#2025605] -- Gitee From 966f5bb334673e2867d1e3704b2bb62546243582 Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Sun, 1 Aug 2021 13:37:55 +0800 Subject: [PATCH 2/3] Adjust to support virtiofsd minor > 27 Signed-off-by: Jacob Wang --- ...iofsd-Adjust-limit-for-minor-version.patch | 41 +++++++++++++++++++ qemu-kvm.spec | 8 +++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 kvm-virtiofsd-Adjust-limit-for-minor-version.patch diff --git a/kvm-virtiofsd-Adjust-limit-for-minor-version.patch b/kvm-virtiofsd-Adjust-limit-for-minor-version.patch new file mode 100644 index 0000000..30ec553 --- /dev/null +++ b/kvm-virtiofsd-Adjust-limit-for-minor-version.patch @@ -0,0 +1,41 @@ +From 3b7200134925fcf5ae99b5c3b34465456d3bc002 Mon Sep 17 00:00:00 2001 +From: Jacob Wang +Date: Mon, 2 Aug 2021 01:16:05 +0800 +Subject: [PATCH 1/1] virtiofsd: Adjust limit for minor version + +Upstream virtiofsd only supports fuse >= 7.31 +(https://github.com/qemu/qemu/commit/72c42e2d65510e073cf78fdc924d121c77fa0080), +while Cloud Kernel has fuse version 7.27, which causes virtiofs fails to run +due to version mismatch. This limitation is unnecessary in Cloud Kernel because +we have already backported mandatory fuse patches to support virtofs +frontend in Kernel. Hence, adjust the minor version limit to 7.27 to +suppress the limitation. + +Note that current fuse implementation in Cloud Kernel might lack of some +certain capabilities in fuse 7.28 ~ 7.31, which may cause unexpected results, +this patch is merely a workaround to enable virtiofs in guest kernel side and +further action is ongoing to make sure fuse APIs in both sides are 100% +compatible. + +Signed-off-by: Jacob Wang +Acked-by: Caspar Zhang +--- + tools/virtiofsd/fuse_lowlevel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/virtiofsd/fuse_lowlevel.c b/tools/virtiofsd/fuse_lowlevel.c +index 2dd36ec..2bb4318 100644 +--- a/tools/virtiofsd/fuse_lowlevel.c ++++ b/tools/virtiofsd/fuse_lowlevel.c +@@ -1917,7 +1917,7 @@ static void do_init(fuse_req_t req, fuse_ino_t nodeid, + outarg.major = FUSE_KERNEL_VERSION; + outarg.minor = FUSE_KERNEL_MINOR_VERSION; + +- if (arg->major < 7 || (arg->major == 7 && arg->minor < 31)) { ++ if (arg->major < 7 || (arg->major == 7 && arg->minor < 27)) { + fuse_log(FUSE_LOG_ERR, "fuse: unsupported protocol version: %u.%u\n", + arg->major, arg->minor); + fuse_reply_err(req, EPROTO); +-- +1.8.3.1 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index 1e341d3..6c6127b 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global SLOF_gittagdate 20191022 %global SLOF_gittagcommit 899d9883 @@ -67,7 +68,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 4.2.0 -Release: 59%{?dist}.2 +Release: 59%{anolis_release}%{?dist}.2 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY @@ -1255,6 +1256,8 @@ Patch546: kvm-e1000-fix-tx-re-entrancy-problem.patch # For bz#2048627 - CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z] Patch547: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch +Patch1000: kvm-virtiofsd-Adjust-limit-for-minor-version.patch + BuildRequires: wget BuildRequires: rpm-build BuildRequires: zlib-devel @@ -2202,6 +2205,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Fri Dec 24 2021 Jacob Wang - 4.2.0-59.0.1.2 +- Adjust limit for virtiofsd minor version + * Tue Feb 08 2022 Jon Maloy - 4.2.0-59.el8_5.2 - kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch [bz#2048627] - Resolves: bz#2048627 -- Gitee From b8f5afc0c3b83f5e65171fea8c02a8a6c1044a8e Mon Sep 17 00:00:00 2001 From: Liwei Ge Date: Sat, 10 Oct 2020 23:49:32 +0800 Subject: [PATCH 3/3] Fix gcc10 build issue this change has given better compatible with both gcc8 and gcc10 toolchain, should be maintained util upstream fixes build hit error with gcc10: scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of 'struct transportid *[]' [-Werror=array-bounds] 523 | paramp.trnptid_list[paramp.num_transportid++] = id; backport upstream patch to fix this build issue Reviewed-by: Jacob Wang Signed-off-by: Liwei Ge (cherry picked from commit 3310dfd2b0ede197f2cb924388b069ee30162dd3) Signed-off-by: Caspar Zhang Signed-off-by: weitao zhou --- 1001-qemu-kvm-gcc10.patch | 92 +++++++++++++++++++++++++++++++++++++++ qemu-kvm.spec | 8 +++- 2 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 1001-qemu-kvm-gcc10.patch diff --git a/1001-qemu-kvm-gcc10.patch b/1001-qemu-kvm-gcc10.patch new file mode 100644 index 0000000..af2545b --- /dev/null +++ b/1001-qemu-kvm-gcc10.patch @@ -0,0 +1,92 @@ +From 4ce1e15fbc7266a108a7c77a3962644b3935346e Mon Sep 17 00:00:00 2001 +From: Christophe de Dinechin +Date: Fri, 28 Feb 2020 16:00:59 +0100 +Subject: [PATCH] scsi/qemu-pr-helper: Fix out-of-bounds access to + trnptid_list[] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Compile error reported by gcc 10.0.1: + +scsi/qemu-pr-helper.c: In function ‘multipath_pr_out’: +scsi/qemu-pr-helper.c:523:32: error: array subscript is outside array bounds of ‘struct transportid *[0]’ [-Werror=array-bounds] + 523 | paramp.trnptid_list[paramp.num_transportid++] = id; + | ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ +In file included from scsi/qemu-pr-helper.c:36: +/usr/include/mpath_persist.h:168:22: note: while referencing ‘trnptid_list’ + 168 | struct transportid *trnptid_list[]; + | ^~~~~~~~~~~~ +scsi/qemu-pr-helper.c:424:35: note: defined here ‘paramp’ + 424 | struct prout_param_descriptor paramp; + | ^~~~~~ + +This highlights an actual implementation issue in function multipath_pr_out. +The variable paramp is declared with type `struct prout_param_descriptor`, +which is a struct terminated by an empty array in mpath_persist.h: + + struct transportid *trnptid_list[]; + +That empty array was filled with code that looked like that: + + trnptid_list[paramp.descr.num_transportid++] = id; + +This is an actual out-of-bounds access. + +The fix is to malloc `paramp`. + +Signed-off-by: Christophe de Dinechin +Signed-off-by: Paolo Bonzini +--- + scsi/qemu-pr-helper.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/scsi/qemu-pr-helper.c b/scsi/qemu-pr-helper.c +index 0659ceef098..181ed4a1861 100644 +--- a/scsi/qemu-pr-helper.c ++++ b/scsi/qemu-pr-helper.c +@@ -421,10 +421,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + int rq_servact = cdb[1]; + int rq_scope = cdb[2] >> 4; + int rq_type = cdb[2] & 0xf; +- struct prout_param_descriptor paramp; ++ g_autofree struct prout_param_descriptor *paramp = NULL; + char transportids[PR_HELPER_DATA_SIZE]; + int r; + ++ paramp = g_malloc0(sizeof(struct prout_param_descriptor) ++ + sizeof(struct transportid *) * MPATH_MX_TIDS); ++ + if (sz < PR_OUT_FIXED_PARAM_SIZE) { + /* Illegal request, Parameter list length error. This isn't fatal; + * we have read the data, send an error without closing the socket. +@@ -454,10 +457,9 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + * used by libmpathpersist (which, of course, will immediately + * do the opposite). + */ +- memset(¶mp, 0, sizeof(paramp)); +- memcpy(¶mp.key, ¶m[0], 8); +- memcpy(¶mp.sa_key, ¶m[8], 8); +- paramp.sa_flags = param[20]; ++ memcpy(¶mp->key, ¶m[0], 8); ++ memcpy(¶mp->sa_key, ¶m[8], 8); ++ paramp->sa_flags = param[20]; + if (sz > PR_OUT_FIXED_PARAM_SIZE) { + size_t transportid_len; + int i, j; +@@ -520,12 +522,13 @@ static int multipath_pr_out(int fd, const uint8_t *cdb, uint8_t *sense, + return CHECK_CONDITION; + } + +- paramp.trnptid_list[paramp.num_transportid++] = id; ++ assert(paramp->num_transportid < MPATH_MX_TIDS); ++ paramp->trnptid_list[paramp->num_transportid++] = id; + } + } + + r = mpath_persistent_reserve_out(fd, rq_servact, rq_scope, rq_type, +- ¶mp, noisy, verbose); ++ paramp, noisy, verbose); + return mpath_reconstruct_sense(fd, r, sense); + } + #endif diff --git a/qemu-kvm.spec b/qemu-kvm.spec index 6c6127b..8bfffac 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec @@ -1256,7 +1256,12 @@ Patch546: kvm-e1000-fix-tx-re-entrancy-problem.patch # For bz#2048627 - CVE-2022-0358 virt:rhel/qemu-kvm: QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 [rhel-8.5.0.z] Patch547: kvm-virtiofsd-Drop-membership-of-all-supplementary-group.patch +# Begin: Anolis customized patches +# backport patch from upstream Patch1000: kvm-virtiofsd-Adjust-limit-for-minor-version.patch +Patch1001: 1001-qemu-kvm-gcc10.patch +# End: Anolis customized patches + BuildRequires: wget BuildRequires: rpm-build @@ -2205,7 +2210,8 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog -* Fri Dec 24 2021 Jacob Wang - 4.2.0-59.0.1.2 +* Tue Mar 15 2022 Weitao Zhou - 4.2.0-59.0.2.1 +- Fix gcc10 build issue - Adjust limit for virtiofsd minor version * Tue Feb 08 2022 Jon Maloy - 4.2.0-59.el8_5.2 -- Gitee