From 0229e8cbbd36183387028a82d0219dcdd159486f Mon Sep 17 00:00:00 2001
From: pangqing
Date: Mon, 8 Jul 2024 15:08:52 +0800
Subject: [PATCH] fix CVE-2023-6683 and CVE-2023-6693 and CVE-2024-26327
Signed-off-by: pangqing
---
 0001-CVE-2023-6683.patch | 35 ++++++++++++++++++++++++++++++
 0002-CVE-2023-6693.patch | 45 +++++++++++++++++++++++++++++++++++++++
 0003-CVE-2024-26327.patch | 27 +++++++++++++++++++++++
 qemu.spec | 8 ++++++-
 4 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 0001-CVE-2023-6683.patch
 create mode 100644 0002-CVE-2023-6693.patch
 create mode 100644 0003-CVE-2024-26327.patch
diff --git a/0001-CVE-2023-6683.patch b/0001-CVE-2023-6683.patch
new file mode 100644
index 0000000..4375eac
--- /dev/null
+++ b/0001-CVE-2023-6683.patch
@@ -0,0 +1,35 @@
+From d852750ec985f4ebd26823c743def6b9d5010f34 Mon Sep 17 00:00:00 2001
+From: songmingliang
+Date: Mon, 8 Jul 2024 14:52:31 +0800
+Subject: [PATCH] CVE-2023-6683
+
+---
+ ui/clipboard.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf..b3f6fa3c9 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+ }
+
+ g_free(info->types[type].data);
+- info->types[type].data = g_memdup(data, size);
+- info->types[type].size = size;
+- info->types[type].available = true;
++ if (size) {
++ info->types[type].data = g_memdup2(data, size);
++ info->types[type].size = size;
++ info->types[type].available = true;
++ } else {
++ info->types[type].data = NULL;
++ info->types[type].size = 0;
++ info->types[type].available = false;
++ }
+
+ if (update) {
+ qemu_clipboard_update(info);
+--
+2.27.0
+
diff --git a/0002-CVE-2023-6693.patch b/0002-CVE-2023-6693.patch
new file mode 100644
index 0000000..ad599cc
--- /dev/null
+++ b/0002-CVE-2023-6693.patch
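Review bot: The new branch `++ info->types[type].data = g_memdup2(data, size);` depends on `g_memdup2()`, which GLib only provides from 2.68; upstream QEMU carries a fallback definition for older GLib in its glib-compat header, so confirm this tree has that shim or that the build's GLib is new enough, otherwise the backport fails to compile where the original `g_memdup()` built. The inner patch description is only its subject line, which leaves the next reviewer unable to check it against upstream; a sentence such as `Backport of the upstream ui/clipboard fix for CVE-2023-6683: a type announced with size 0 is now recorded as unavailable with a NULL buffer instead of being marked available.` and the upstream commit reference would fix that. qemu_clipboard_set_data starts and ends outside the inner hunk.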
@@ -0,0 +1,45 @@
+From b36cd7e9c3937bf6c71e725049f60dc0e54ca0df Mon Sep 17 00:00:00 2001
+From: songmingliang
+Date: Fri, 28 Jun 2024 17:42:07 +0800
+Subject: [PATCH] CVE-2023-6693
+
+---
+ hw/net/virtio-net.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index dc0b65501..81e5d4f57 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -2694,7 +2694,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
+ ssize_t ret;
+ unsigned int out_num;
+ struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg;
+- struct virtio_net_hdr_mrg_rxbuf mhdr;
++ struct virtio_net_hdr_v1_hash vhdr;
+
+ elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+@@ -2711,7 +2711,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
+ }
+
+ if (n->has_vnet_hdr) {
+- if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) <
++ if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
+ n->guest_hdr_len) {
+ virtio_error(vdev, "virtio-net header incorrect");
+ virtqueue_detach_element(q->tx_vq, elem, 0);
+@@ -2719,8 +2719,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
+ return -EINVAL;
+ }
+ if (n->needs_vnet_hdr_swap) {
+- virtio_net_hdr_swap(vdev, (void *) &mhdr);
+- sg2[0].iov_base = &mhdr;
++ virtio_net_hdr_swap(vdev, (void *) &vhdr);
++ sg2[0].iov_base = &vhdr;
+ sg2[0].iov_len = n->guest_hdr_len;
+ out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1,
+ out_sg, out_num,
+--
+2.27.0
+
diff --git a/0003-CVE-2024-26327.patch b/0003-CVE-2024-26327.patch
new file mode 100644
index 0000000..8f23c56
--- /dev/null
+++ b/0003-CVE-2024-26327.patch
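Review bot: After widening the stack object to `struct virtio_net_hdr_v1_hash vhdr;`, the copy `iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len)` is still bounded only implicitly by the size of the local; stating the invariant next to the copy with `assert(n->guest_hdr_len <= sizeof(vhdr));` would turn any future growth of the negotiated header into an assertion failure rather than the stack overrun this CVE fixes. The backport also presumes the target tree's standard-headers define `struct virtio_net_hdr_v1_hash`; the patch carries no upstream reference, so that should be confirmed against the tree before it is applied. virtio_net_flush_tx begins before the first hunk and continues after the last one.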
@@ -0,0 +1,27 @@
+From a0ca7ae5203384ff73a23c06c7dae1f8b95c0e23 Mon Sep 17 00:00:00 2001
+From: songmingliang
+Date: Fri, 28 Jun 2024 17:25:08 +0800
+Subject: [PATCH] CVE-2024-26327
+
+---
+ hw/pci/pcie_sriov.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
+index a1fe65f5d..fe0e5ea2c 100644
+--- a/hw/pci/pcie_sriov.c
++++ b/hw/pci/pcie_sriov.c
+@@ -176,7 +176,9 @@ static void register_vfs(PCIDevice *dev)
+
+ assert(sriov_cap > 0);
+ num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+-
++ if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
++ return;
++ }
+ dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
+
+ trace_sriov_register_vfs(dev->name, PCI_SLOT(dev->devfn),
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 1a775f7..25be9f7 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,4 +1,4 @@
-%define anolis_release 15
+%define anolis_release 16
 %bcond_with check
@@ -358,6 +358,9 @@ Patch1050: 1050-target-i386-Add-new-Hygon-Dharma-CPU-model.patch
 # Fix CVE-2024-3446
 # https://github.com/qemu/qemu/commit/ba28e0ff4d95b56dc334aac2730ab3651ffc3132
 Patch0038: 0038-hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch
+Patch1055: 0001-CVE-2023-6683.patch
+Patch1056: 0002-CVE-2023-6693.patch
+Patch1057: 0003-CVE-2024-26327.patch
 ExclusiveArch: x86_64 aarch64 loongarch64
@@ -1921,6 +1924,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 %changelog
+* Fri Jun 28 2024 pangqing -2.8.2.0-16
+- CVE-2024-26327 and CVE-2023-6693 and CVE-2023-6683
+
 * Wed May 29 2024 Chang Gao -2.8.2.0-15
 - Fix CVE-2024-3446
--
Gitee
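Review bot: The bare `return;` added after `num_vfs = pci_get_word(...)` rejects a NumVFs value above TotalVFs without any comment or diagnostic, so a guest that enables VFs with an out-of-range count silently gets none and an operator has nothing in the log to explain it. Suggest a comment above the check, `/* NumVFs above TotalVFs is invalid under the SR-IOV spec; refuse to register any VFs rather than act on the out-of-range count */`, and a `qemu_log_mask(LOG_GUEST_ERROR, ...)` before the return so the rejection is visible. Reading TotalVFs into a local such as `uint16_t total_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF);` would also keep the condition short in the surrounding style. register_vfs continues outside the hunk, and whether the VF Enable bit stays set in config on this path is decided by the caller, which is not visible here.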
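Review bot: The new `Patch1055`, `Patch1056` and `Patch1057` entries carry no annotation, while the neighbouring `Patch0038` follows the file's convention of `# Fix CVE-2024-3446` plus the upstream commit URL on the line before it; without that, nobody can check these three backports against upstream, and the patch files themselves carry only a CVE id as subject. Suggest one comment pair per entry in the same form, e.g. `# Fix CVE-2023-6683` followed by `# <upstream commit URL>` with the real link filled in.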