diff --git a/qemu.spec b/qemu.spec
index 577e230e86a812a9eed4883f723dccafaa0ed2b9..5e8ad573515027fc8245e863da31a4885d901ca3 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 25
+Release: 19
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY
@@ -175,103 +175,16 @@ Patch0162: migration-Compat-virtual-timer-adjust-for-v4.0.1-and.patch
 Patch0163: vtimer-Drop-vtimer-virtual-timer-adjust.patch
 Patch0164: target-arm-Add-the-kvm_adjvtime-vcpu-property-for-Co.patch
 Patch0165: target-arm-Fix-PAuth-sbox-functions.patch
-Patch0166: tests-Disalbe-filemonitor-testcase.patch
-Patch0167: es1370-check-total-frame-count-against-current-frame.patch
-Patch0168: exec-set-map-length-to-zero-when-returning-NULL.patch
-Patch0169: ati-vga-check-mm_index-before-recursive-call-CVE-202.patch
-Patch0170: megasas-use-unsigned-type-for-reply_queue_head-and-c.patch
-Patch0171: megasas-avoid-NULL-pointer-dereference.patch
-Patch0172: megasas-use-unsigned-type-for-positive-numeric-field.patch
-Patch0173: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
-Patch0174: hw-arm-acpi-enable-SHPC-native-hot-plug.patch
-Patch0175: hw-tpm-rename-Error-parameter-to-more-common-errp.patch
-Patch0176: tpm-ppi-page-align-PPI-RAM.patch
-Patch0177: tpm-Move-tpm_tis_show_buffer-to-tpm_util.c.patch
-Patch0178: spapr-Implement-get_dt_compatible-callback.patch
-Patch0179: delete-the-in-tpm.txt.patch
-Patch0180: tpm_spapr-Support-TPM-for-ppc64-using-CRQ-based-inte.patch
-Patch0181: tpm_spapr-Support-suspend-and-resume.patch
-Patch0182: hw-ppc-Kconfig-Enable-TPM_SPAPR-as-part-of-PSERIES-c.patch
-Patch0183: docs-specs-tpm-reST-ify-TPM-documentation.patch
-Patch0184: tpm-rename-TPM_TIS-into-TPM_TIS_ISA.patch
-Patch0185: tpm-Use-TPMState-as-a-common-struct.patch
-Patch0186: tpm-Separate-tpm_tis-common-functions-from-isa-code.patch
-Patch0187: tpm-Separate-TPM_TIS-and-TPM_TIS_ISA-configs.patch
-Patch0188: tpm-Add-the-SysBus-TPM-TIS-device.patch
-Patch0189: hw-arm-virt-vTPM-support.patch
-Patch0190: docs-specs-tpm-Document-TPM_TIS-sysbus-device-for-AR.patch
-Patch0191: test-tpm-pass-optional-machine-options-to-swtpm-test.patch
-Patch0192: test-tpm-tis-Get-prepared-to-share-tests-between-ISA.patch
-Patch0193: test-tpm-tis-Add-Sysbus-TPM-TIS-device-test.patch
-Patch0194: build-smt-processor-structure-to-support-smt-topolog.patch
-Patch0195: target-arm-Add-isar_feature-tests-for-PAN-ATS1E1.patch
-Patch0196: target-arm-Add-ID_AA64MMFR2_EL1.patch
-Patch0197: target-arm-Add-and-use-FIELD-definitions-for-ID_AA64.patch
-Patch0198: target-arm-Use-FIELD-macros-for-clearing-ID_DFR0-PER.patch
-Patch0199: target-arm-Define-an-aa32_pmu_8_1-isar-feature-test-.patch
-Patch0200: target-arm-Add-_aa64_-and-_any_-versions-of-pmu_8_1-.patch
-Patch0201: target-arm-Stop-assuming-DBGDIDR-always-exists.patch
-Patch0202: target-arm-Move-DBGDIDR-into-ARMISARegisters.patch
-Patch0203: target-arm-Enable-ARMv8.2-ATS1E1-in-cpu-max.patch
-Patch0204: target-arm-Test-correct-register-in-aa32_pan-and-aa3.patch
-Patch0205: target-arm-Read-debug-related-ID-registers-from-KVM.patch
-Patch0206: target-arm-monitor-Introduce-qmp_query_cpu_model_exp.patch
-Patch0207: target-arm-monitor-query-cpu-model-expansion-crashed.patch
-Patch0208: target-arm-convert-isar-regs-to-array.patch
-Patch0209: target-arm-parse-cpu-feature-related-options.patch
-Patch0210: target-arm-register-CPU-features-for-property.patch
-Patch0211: target-arm-Allow-ID-registers-to-synchronize-to-KVM.patch
-Patch0212: target-arm-introduce-CPU-feature-dependency-mechanis.patch
-Patch0213: target-arm-introduce-KVM_CAP_ARM_CPU_FEATURE.patch
-Patch0214: target-arm-Add-CPU-features-to-query-cpu-model-expan.patch
-Patch0215: target-arm-Update-ID-fields.patch
-Patch0216: target-arm-Add-more-CPU-features.patch
-Patch0217: hw-usb-core-fix-buffer-overflow.patch
-Patch0218: target-arm-ignore-evtstrm-and-cpuid-CPU-features.patch
-Patch0219: hw-arm-virt-Init-PMU-for-hotplugged-vCPU.patch
-Patch0220: Fixed-integer-overflow-in-e1000e.patch
-Patch0221: migration-fix-cleanup_bh-leak-on-resume.patch
-Patch0222: qmp-fix-leak-on-callbacks-that-return-both-value-and.patch
-Patch0223: qga-commands-posix-fix-use-after-free-of-local_err.patch
-Patch0224: file-posix-Fix-leaked-fd-in-raw_open_common-error-pa.patch
-Patch0225: object-return-self-in-object_ref.patch
-Patch0226: lm32-do-not-leak-memory-on-object_new-object_unref.patch
-Patch0227: cris-do-not-leak-struct-cris_disasm_data.patch
-Patch0228: hppa-fix-leak-from-g_strdup_printf.patch
-Patch0229: mcf5208-fix-leak-from-qemu_allocate_irqs.patch
-Patch0230: microblaze-fix-leak-of-fdevice-tree-blob.patch
-Patch0231: ide-fix-leak-from-qemu_allocate_irqs.patch
-Patch0232: make-check-unit-use-after-free-in-test-opts-visitor.patch
-Patch0233: xhci-fix-valid.max_access_size-to-access-address-reg.patch
-Patch0234: qga-fix-assert-regression-on-guest-shutdown.patch
-Patch0235: char-fix-use-after-free-with-dup-chardev-reconnect.patch
-Patch0236: migration-Count-new_dirty-instead-of-real_dirty.patch
-Patch0237: qga-Plug-unlikely-memory-leak-in-guest-set-memory-bl.patch
-Patch0238: chardev-tcp-Fix-error-message-double-free-error.patch
-Patch0239: colo-compare-Fix-memory-leak-in-packet_enqueue.patch
-Patch0240: migration-fix-multifd_send_pages-next-channel.patch
-Patch0241: hw-block-nvme-fix-pin-based-interrupt-behavior.patch
-Patch0242: hw-block-nvme-fix-pci-doorbell-size-calculation.patch
-Patch0243: virtio-pci-fix-queue_enable-write.patch
-Patch0244: hw-pci-pci_bridge-Correct-pci_bridge_io-memory-regio.patch
-Patch0245: linux-user-mmap.c-fix-integer-underflow-in-target_mr.patch
-Patch0246: migration-rdma-cleanup-rdma-context-before-g_free-to.patch
-Patch0247: pc-bios-s390-ccw-net-fix-a-possible-memory-leak-in-g.patch
-Patch0248: block-qcow2-do-free-crypto_opts-in-qcow2_close.patch
-Patch0249: qemu-img-free-memory-before-re-assign.patch
-Patch0250: block-qcow2-threads-fix-qcow2_decompress.patch
-Patch0251: block-Avoid-memleak-on-qcow2-image-info-failure.patch
-Patch0252: block-bdrv_set_backing_bs-fix-use-after-free.patch
-Patch0253: hmp-vnc-Fix-info-vnc-list-leak.patch
-Patch0254: migration-colo-fix-use-after-free-of-local_err.patch
-Patch0255: migration-ram-fix-use-after-free-of-local_err.patch
-Patch0256: block-mirror-fix-use-after-free-of-local_err.patch
-Patch0257: block-fix-bdrv_root_attach_child-forget-to-unref-chi.patch
-Patch0258: virtio-serial-bus-Plug-memory-leak-on-realize-error-.patch
-Patch0259: virtio-blk-delete-vqs-on-the-error-path-in-realize.patch
-Patch0260: fix-vhost_user_blk_watch-crash.patch
-Patch0261: vhost-user-blk-delay-vhost_user_blk_disconnect.patch
-Patch0262: usbredir-fix-buffer-overflow-on-vmload.patch
+Patch0166: es1370-check-total-frame-count-against-current-frame.patch
+Patch0167: exec-set-map-length-to-zero-when-returning-NULL.patch
+Patch0168: ati-vga-check-mm_index-before-recursive-call-CVE-202.patch
+Patch0169: megasas-use-unsigned-type-for-reply_queue_head-and-c.patch
+Patch0170: megasas-avoid-NULL-pointer-dereference.patch
+Patch0171: megasas-use-unsigned-type-for-positive-numeric-field.patch
+Patch0172: hw-scsi-megasas-Fix-possible-out-of-bounds-array-acc.patch
+Patch0173: hw-arm-acpi-enable-SHPC-native-hot-plug.patch
+PATCH0174: hw-usb-core-fix-buffer-overflow.patch
+Patch0173: slirp-networking-fix-out-of-bounds-read-information.patch
 
 BuildRequires: flex
 BuildRequires: bison
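Review bot: The added `Patch0173: slirp-networking-fix-out-of-bounds-read-information.patch` reuses the number already given to `Patch0173: hw-arm-acpi-enable-SHPC-native-hot-plug.patch` two lines above, and `PATCH0174:` departs from the `PatchNNNN` spelling used by every other tag; current rpmbuild versions reject a duplicate patch number outright, and either way the `%prep` section (outside this hunk) cannot apply both entries under one number. The two lines should read `Patch0174: hw-usb-core-fix-buffer-overflow.patch` and `Patch0175: slirp-networking-fix-out-of-bounds-read-information.patch`, with the corresponding `%patch` lines (or `%autopatch`) in `%prep` checked against the new numbering. Separately, this hunk drops Patch0166 through Patch0262 — 97 backports whose names describe overflow, use-after-free and leak fixes — while the first hunk lowers Release from 25 to 19; that looks like a diff taken against a stale branch rather than an intended rollback, and is worth confirming before merge, since the resulting build would both lose those fixes and not upgrade over the already-published release.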
@@ -618,106 +531,16 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
-* Wed Sep 09 2020 Huawei Technologies Co., Ltd
-- usbredir-fix-buffer-overflow-on-vmload.patch
-
-* Wed Sep 09 2020 Huawei Technologies Co., Ltd
-- block/qcow2: do free crypto_opts in qcow2_close()
-- qemu-img: free memory before re-assign
-- block/qcow2-threads: fix qcow2_decompress
-- block: Avoid memleak on qcow2 image info failure
-- block: bdrv_set_backing_bs: fix use-after-free
-- hmp/vnc: Fix info vnc list leak
-- migration/colo: fix use after free of local_err
-- migration/ram: fix use after free of local_err
-- block/mirror: fix use after free of local_err
-- block: fix bdrv_root_attach_child forget to unref child_bs
-- virtio-serial-bus: Plug memory leak on realize() error paths
-- virtio-blk: delete vqs on the error path in realize()
-- fix vhost_user_blk_watch crash
-- vhost-user-blk: delay vhost_user_blk_disconnect
-
-* Wed Sep 09 2020 Huawei Technologies Co., Ltd
-- hw-pci-pci_bridge-Correct-pci_bridge_io-memory-regio.patch
-- linux-user-mmap.c-fix-integer-underflow-in-target_mr.patch
-- migration-rdma-cleanup-rdma-context-before-g_free-to.patch
-- pc-bios-s390-ccw-net-fix-a-possible-memory-leak-in-g.patch
-
-* Wed Sep 9 2020 Huawei Technologies Co., Ltd
-- virtio-pci: fix queue_enable write
-- hw/block/nvme: fix pci doorbell size calculation
-- hw/block/nvme: fix pin-based interrupt behavior
-- migration: fix multifd_send_pages() next channel
-- colo-compare: Fix memory leak in packet_enqueue()
-- chardev/tcp: Fix error message double free error
-- qga: Plug unlikely memory leak in guest-set-memory-blocks
-- migration: Count new_dirty instead of real_dirty
-- char: fix use-after-free with dup chardev & reconnect
-- qga: fix assert regression on guest-shutdown
-- xhci: fix valid.max_access_size to access address registers
-
-* Wed Sep 9 2020 Huawei Technologies Co., Ltd
-- lm32-do-not-leak-memory-on-object_new-object_unref.patch
-- cris-do-not-leak-struct-cris_disasm_data.patch
-- hppa-fix-leak-from-g_strdup_printf.patch
-- mcf5208-fix-leak-from-qemu_allocate_irqs.patch
-- microblaze-fix-leak-of-fdevice-tree-blob.patch
-- ide-fix-leak-from-qemu_allocate_irqs.patch
-- make-check-unit-use-after-free-in-test-opts-visitor.patch
-
-* Wed Sep 9 2020 Huawei Technologies Co., Ltd
-- object: return self in object_ref()
-- file-posix: Fix leaked fd in raw_open_common() error path
-- qga/commands-posix: fix use after free of local_err
-- qmp: fix leak on callbacks that return both value and error
-- migration: fix cleanup_bh leak on resume
-- Fixed integer overflow in e1000e
-
-* Wed Sep 09 2020 Huawei Technologies Co., Ltd
-- hw/arm/virt: Init PMU for hotplugged vCPU
-
-* Tue Sep 08 2020 Huawei Technologies Co., Ltd
-- target/arm: ignore evtstrm and cpuid CPU features
-
-* Fri Aug 21 2020 Huawei Technologies Co., Ltd
-- hw/usb/core.c: fix buffer overflow in do_token_setup function
+* Thu Sep 10 2020 Huawei Technologies Co., LTD
+- slirp/src/ip6_input.c: fix out-of-bounds read information
 
-* Wed Aug 19 2020 Huawei Technologies Co., Ltd
-- target-arm-convert-isar-regs-to-array.patch
-- target-arm-parse-cpu-feature-related-options.patch
-- target-arm-register-CPU-features-for-property.patch
-- target-arm-Allow-ID-registers-to-synchronize-to-KVM.patch
-- target-arm-introduce-CPU-feature-dependency-mechanis.patch
-- target-arm-introduce-KVM_CAP_ARM_CPU_FEATURE.patch
-- target-arm-Add-CPU-features-to-query-cpu-model-expan.patch
-- target-arm-Update-ID-fields.patch
-- target-arm-Add-more-CPU-features.patch
-
-* Wed Aug 19 2020 Huawei Technologies Co., Ltd
-- target-arm-Add-isar_feature-tests-for-PAN-ATS1E1.patch
-- target-arm-Add-ID_AA64MMFR2_EL1.patch
-- target-arm-Add-and-use-FIELD-definitions-for-ID_AA64.patch
-- target-arm-Use-FIELD-macros-for-clearing-ID_DFR0-PER.patch
-- target-arm-Define-an-aa32_pmu_8_1-isar-feature-test-.patch
-- target-arm-Add-_aa64_-and-_any_-versions-of-pmu_8_1-.patch
-- target-arm-Stop-assuming-DBGDIDR-always-exists.patch
-- target-arm-Move-DBGDIDR-into-ARMISARegisters.patch
-- target-arm-Enable-ARMv8.2-ATS1E1-in-cpu-max.patch
-- target-arm-Test-correct-register-in-aa32_pan-and-aa3.patch
-- target-arm-Read-debug-related-ID-registers-from-KVM.patch
-- target-arm-monitor-Introduce-qmp_query_cpu_model_exp.patch
-- target-arm-monitor-query-cpu-model-expansion-crashed.patch
-
-* Tue Aug 18 2020 Huawei Technologies Co., Ltd
-- hw/acpi/aml-build.c: build smt processor structure to support smt topology
-
-* Thu Aug 13 2020 Huawei Technologies Co., Ltd
--target/arm: Aarch64 support vtpm
+* Thu Aug 27 2020 Huawei Technologies Co., Ltd
+- hw/usb/core.c: fix buffer overflow in do_token_setup function
 
 * Wed Aug 12 2020 Huawei Technologies Co., Ltd
 - backport upstream patch to support SHPCHotplug in arm
 
-* Thu Aug 6 2020 Huawei Technologies Co., Ltd
+* Fri Jul 24 2020 Huawei Technologies Co., Ltd
 - es1370: check total frame count against current frame
 - exec: set map length to zero when returning NULL
 - ati-vga: check mm_index before recursive call (CVE-2020-13800)
@@ -726,9 +549,6 @@ getent passwd qemu >/dev/null || \
 - megasas: use unsigned type for positive numeric fields
 - hw/scsi/megasas: Fix possible out-of-bounds array access in tracepoints
 
-* Thu Aug 6 2020 Huawei Technologies Co., Ltd
-- tests: Disalbe filemonitor testcase
-
 * Sat Jun 20 2020 Huawei Technologies Co., Ltd
 - target/arm: Fix PAuth sbox functions
 - fix two patches' format which can cause git am failed
diff --git a/slirp-networking-fix-out-of-bounds-read-information.patch b/slirp-networking-fix-out-of-bounds-read-information.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a720042222793aa8011f470f54ecad62c946c423
--- /dev/null
+++ b/slirp-networking-fix-out-of-bounds-read-information.patch
@@ -0,0 +1,36 @@
+From 353521693d409d3800fa9bb29981bf15b7be9729 Mon Sep 17 00:00:00 2001
+From: Jiajie Li
+Date: Thu, 10 Sep 2020 10:49:36 +0800
+Subject: [PATCH] Init slirp/src/ip6_input.c
+
+Drop Ipv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). Ther're invalid and could
+lead to data leakage in icmp6_send_echoreply().
+
+Signed-off-by Ralf Haferkamp
+
+---
+ qemu-4.0.0/slirp/src/ip6_input.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/qemu-4.0.0/slirp/src/ip6_input.c b/qemu-4.0.0/slirp/src/ip6_input.c
+index c966d91..d9d2b7e 100644
+--- a/qemu-4.0.0/slirp/src/ip6_input.c
++++ b/qemu-4.0.0/slirp/src/ip6_input.c
+@@ -49,13 +49,6 @@ void ip6_input(struct mbuf *m)
+ goto bad;
+ }
+ 
+- // Check if the message size is big enough to hold what's
+- // set in the payload length header. If not this is an invalid
+- // packet
+- if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){
+- goto bad;
+- }
+-
+ /* check ip_ttl for a correct ICMP reply */
+ if (ip6->ip_hl == 0) {
+ icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+--
+1.8.3.1
+
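Review bot: The embedded hunk for `slirp/src/ip6_input.c` deletes the guard `if(m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)){ goto bad; }` — all seven lines carry `-` and the diffstat reads `7 deletions(-)` — which is the opposite of what the description ("Drop Ipv6 message shorter than what's mentioned in the payload length header") and the new `%changelog` entry promise. Applied as written, the patch removes the length validation rather than adding it, so a datagram whose payload-length field exceeds the bytes actually received in the mbuf would proceed past this point into `icmp6_send_echoreply()`, the very path the description says leaks data; the hunk appears to have been generated with the old and new sides swapped. It should be regenerated so those seven lines are `+` additions (diffstat `7 insertions(+)`) and the check is present after the patch is applied. Two smaller points: the `Signed-off-by Ralf Haferkamp` trailer is missing its colon, and the `qemu-4.0.0/` prefix in the diff paths means `-p1` would look for `qemu-4.0.0/slirp/src/ip6_input.c` inside a 4.1.0 source tree, so the strip level used in `%prep` (outside this diff) needs to match.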