From 3058a28354912dff25c40dd9d6e00c04fdb79bf3 Mon Sep 17 00:00:00 2001
From: pangqing
Date: Wed, 14 Aug 2024 13:45:22 +0800
Subject: [PATCH] fix CVE-2023-6683 and CVE-2023-6693 and CVE-2024-26327
Signed-off-by: pangqing
---
 0001-CVE-2023-6683.patch | 35 ++++++++++++++++++++++++++++++
 0002-CVE-2023-6693.patch | 45 +++++++++++++++++++++++++++++++++++++++
 0003-CVE-2024-26327.patch | 27 +++++++++++++++++++++++
 qemu.spec | 8 ++++++-
 4 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 0001-CVE-2023-6683.patch
 create mode 100644 0002-CVE-2023-6693.patch
 create mode 100644 0003-CVE-2024-26327.patch
diff --git a/0001-CVE-2023-6683.patch b/0001-CVE-2023-6683.patch
new file mode 100644
index 0000000..4375eac
--- /dev/null
+++ b/0001-CVE-2023-6683.patch
@@ -0,0 +1,35 @@
+From d852750ec985f4ebd26823c743def6b9d5010f34 Mon Sep 17 00:00:00 2001
+From: songmingliang
+Date: Mon, 8 Jul 2024 14:52:31 +0800
+Subject: [PATCH] CVE-2023-6683
+
+---
+ ui/clipboard.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/ui/clipboard.c b/ui/clipboard.c
+index 3d14bffaf..b3f6fa3c9 100644
+--- a/ui/clipboard.c
++++ b/ui/clipboard.c
+@@ -163,9 +163,15 @@ void qemu_clipboard_set_data(QemuClipboardPeer *peer,
+ }
+
+ g_free(info->types[type].data);
+- info->types[type].data = g_memdup(data, size);
+- info->types[type].size = size;
+- info->types[type].available = true;
++ if (size) {
++ info->types[type].data = g_memdup2(data, size);
++ info->types[type].size = size;
++ info->types[type].available = true;
++ } else {
++ info->types[type].data = NULL;
++ info->types[type].size = 0;
++ info->types[type].available = false;
++ }
+
+ if (update) {
+ qemu_clipboard_update(info);
+--
+2.27.0
+
diff --git a/0002-CVE-2023-6693.patch b/0002-CVE-2023-6693.patch
new file mode 100644
index 0000000..ad599cc
--- /dev/null
+++ b/0002-CVE-2023-6693.patch
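Review bot: The switch from `g_memdup` to `g_memdup2` inside the new `if (size)` branch only compiles if the tree this spec builds already provides `g_memdup2` (GLib 2.68+ or QEMU's own glib-compat wrapper), and nothing in this series shows that, so the backport needs a build on the target base before merge. The nested patch description is just the CVE id; since the old code marked the type available even when `size` was 0 (storing whatever `g_memdup(data, 0)` returned, which is NULL in GLib), a one-line rationale plus the upstream reference would help later rebases, e.g. `ui/clipboard: a zero-size update now clears data/size and marks the type unavailable so readers never see available == true with data == NULL (upstream: <upstream-commit-id>)`. qemu_clipboard_set_data starts and ends outside the hunk.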
@@ -0,0 +1,45 @@
+From b36cd7e9c3937bf6c71e725049f60dc0e54ca0df Mon Sep 17 00:00:00 2001
+From: songmingliang
+Date: Fri, 28 Jun 2024 17:42:07 +0800
+Subject: [PATCH] CVE-2023-6693
+
+---
+ hw/net/virtio-net.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index dc0b65501..81e5d4f57 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+@@ -2694,7 +2694,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
+ ssize_t ret;
+ unsigned int out_num;
+ struct iovec sg[VIRTQUEUE_MAX_SIZE], sg2[VIRTQUEUE_MAX_SIZE + 1], *out_sg;
+- struct virtio_net_hdr_mrg_rxbuf mhdr;
++ struct virtio_net_hdr_v1_hash vhdr;
+
+ elem = virtqueue_pop(q->tx_vq, sizeof(VirtQueueElement));
+ if (!elem) {
+@@ -2711,7 +2711,7 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
+ }
+
+ if (n->has_vnet_hdr) {
+- if (iov_to_buf(out_sg, out_num, 0, &mhdr, n->guest_hdr_len) <
++ if (iov_to_buf(out_sg, out_num, 0, &vhdr, n->guest_hdr_len) <
+ n->guest_hdr_len) {
+ virtio_error(vdev, "virtio-net header incorrect");
+ virtqueue_detach_element(q->tx_vq, elem, 0);
+@@ -2719,8 +2719,8 @@ static int32_t virtio_net_flush_tx(VirtIONetQueue *q)
+ return -EINVAL;
+ }
+ if (n->needs_vnet_hdr_swap) {
+- virtio_net_hdr_swap(vdev, (void *) &mhdr);
+- sg2[0].iov_base = &mhdr;
++ virtio_net_hdr_swap(vdev, (void *) &vhdr);
++ sg2[0].iov_base = &vhdr;
+ sg2[0].iov_len = n->guest_hdr_len;
+ out_num = iov_copy(&sg2[1], ARRAY_SIZE(sg2) - 1,
+ out_sg, out_num,
+--
+2.27.0
+
diff --git a/0003-CVE-2024-26327.patch b/0003-CVE-2024-26327.patch
new file mode 100644
index 0000000..8f23c56
--- /dev/null
+++ b/0003-CVE-2024-26327.patch
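Review bot: The enlarged stack buffer `vhdr` only closes the overrun as long as `n->guest_hdr_len` can never exceed `sizeof(struct virtio_net_hdr_v1_hash)`, and `guest_hdr_len` is assigned outside these hunks, so the contract should be pinned where the copy happens, e.g. `assert(n->guest_hdr_len <= sizeof(vhdr));` immediately before the `iov_to_buf` call in the second hunk. As far as the hunk shows, `guest_hdr_len` is host-side state rather than something the guest writes per packet, so an assert documents the invariant without turning guest data into an abort; confirm that against where it is set in this tree. The nested patch description is only the CVE id; a sentence such as `virtio-net: the TX header copy used a buffer sized for the mrg_rxbuf header while guest_hdr_len may be the larger v1_hash header; size the buffer for the largest header (upstream: <upstream-commit-id>)` would record why. virtio_net_flush_tx starts and ends outside the hunks.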
@@ -0,0 +1,27 @@
+From a0ca7ae5203384ff73a23c06c7dae1f8b95c0e23 Mon Sep 17 00:00:00 2001
+From: songmingliang
+Date: Fri, 28 Jun 2024 17:25:08 +0800
+Subject: [PATCH] CVE-2024-26327
+
+---
+ hw/pci/pcie_sriov.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
+index a1fe65f5d..fe0e5ea2c 100644
+--- a/hw/pci/pcie_sriov.c
++++ b/hw/pci/pcie_sriov.c
+@@ -176,7 +176,9 @@ static void register_vfs(PCIDevice *dev)
+
+ assert(sriov_cap > 0);
+ num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+-
++ if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
++ return;
++ }
+ dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
+
+ trace_sriov_register_vfs(dev->name, PCI_SLOT(dev->devfn),
+--
+2.27.0
+
diff --git a/qemu.spec b/qemu.spec
index 3bcc3a3..207d9d4 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,4 +1,4 @@
-%define anolis_release 16
+%define anolis_release 17
 %bcond_with check
@@ -364,6 +364,9 @@ Patch0038: 0038-hw-display-virtio-gpu-Protect-from-DMA-re-entrancy-b.patch
 #https://gitlab.com/qemu-project/qemu/-/commit/7e1110664ecbc4826f3c978ccb06b6c1bce823e6
 #https://gitlab.com/qemu-project/qemu/-/commit/7ead946998610657d38d1a505d5f25300d4ca613
 Patch0039:fix-cve-2024-4467.patch
+Patch1055: 0001-CVE-2023-6683.patch
+Patch1056: 0002-CVE-2023-6693.patch
+Patch1057: 0003-CVE-2024-26327.patch
 ExclusiveArch: x86_64 aarch64 loongarch64
@@ -1927,6 +1930,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 %changelog
+* Wed Aug 14 2024 pangqing -2.8.2.0-17
+- CVE-2024-26327 and CVE-2023-6693 and CVE-2023-6683
+
 * Thu Aug 1 2024 yangxinyu -2.8.2.0-16
 - Fix CVE-2024-4467
--
Gitee
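Review bot: The early `return` when `num_vfs` exceeds `PCI_SRIOV_TOTAL_VF` leaves `dev->exp.sriov_pf.vf` unallocated while the guest's NUM_VF write has already been accepted by the caller, so every path that later walks `sriov_pf.vf` or reads NUM_VF back (the unregister path in particular) must tolerate that state; those paths are outside this hunk and should be checked in this tree, and if upstream carries follow-up hardening in this area it may be needed here too. A comment above the check would make the intent explicit, e.g. `/* NumVFs is guest-writable: refuse values above TotalVFs rather than sizing the VF array from them */`. The hunk also deletes the blank line after the `num_vfs` assignment rather than keeping it, which is harmless but makes later backports touching this spot apply less cleanly. register_vfs starts and ends outside the hunk.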
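Review bot: The new `Patch1055`–`Patch1057` lines carry no upstream reference, unlike the `#https://gitlab.com/qemu-project/qemu/-/commit/...` comments kept next to the neighbouring `Patch0039` entry, so the three fixes cannot be traced back during a rebase; add one comment per patch, e.g. `#https://gitlab.com/qemu-project/qemu/-/commit/<upstream-commit-id>` above each `PatchNNNN:` line. The numbering jumps from 0039 to 1055 and the `%prep` section is outside this hunk: if this spec applies patches with explicit `%patch` macros rather than `%autopatch`/`%autosetup`, matching `%patch1055 -p1` lines (the patches use `a/`/`b/` path prefixes) are absent from this commit and the files would be shipped but never applied. Both points are inferred from the visible spec context; confirm against the full file.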