From 5bc031ca38bc575d5f24df388a0ab5d5b764a530 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:27:30 +0800 Subject: [PATCH 1/6] spec: Update patch and changelog with !267 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands !267 Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index b80c8c2..930973e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -265,6 +265,7 @@ Patch0252: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch Patch0253: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0254: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0255: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +Patch0256: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch BuildRequires: flex BuildRequires: bison @@ -610,6 +611,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Apr 08 2022 Chen Qun +- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands + * Wed Apr 06 2022 yezengruan - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) - pvrdma: Ensure correct input on ring init (CVE-2021-3607) -- Gitee From 3f8e95c17a34c2fbb1815693c3f0b478914083af Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 16 Jun 2021 14:06:00 +0300 Subject: [PATCH 2/6] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Reviewed-by: Prasad J Pandit Signed-off-by: Marcel Apfelbaum cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4 
Signed-off-by: yezengruan --- hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch index d047ee3..4a64212 100644 --- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch @@ -1,8 +1,8 @@ -From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001 +From 04d90353b1efa5347f70b4612ea6a329f2347f10 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma - device (CVE-2021-3582) +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. -- Gitee From e449ecb930395c4726d300cf554273b8f998901a Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: [PATCH 3/6] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) Reviewed-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630114634.2168872-1-marcel@redhat.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534 Signed-off-by: yezengruan --- pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch index 2be3129..074b468 100644 --- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch 
@@ -1,7 +1,7 @@ -From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001 +From 04ae970fd4bad794a5e6a3c2710d8e49f221b36d Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607) +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. -- Gitee From 3d1ebf61f960f3b1216d576ec642178b6e23776d Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:52:46 +0300 Subject: [PATCH 4/6] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not unmap uninitialized dma addresses. Fixes: CVE-2021-3608 Reviewed-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630115246.2178219-1-marcel@redhat.com> Tested-by: Yuval Shaia Reviewed-by: Yuval Shaia Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Marcel Apfelbaum cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3 Signed-off-by: yezengruan --- pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch index ed54c1b..a001703 100644 --- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch @@ -1,7 +1,7 @@ -From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001 +From d368151ce50593cfa7fa280245f9c0568961062a Mon Sep 17 00:00:00 2001 
From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608) +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 89c2568e38110cba3200ef5a25f9a4de7cfcbe20 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Fri, 8 Apr 2022 16:27:36 +0800 Subject: [PATCH 5/6] spec: Update patch and changelog with !275 Fixes: CVE-2021-3582/CVE-2021-3607/CVE-2021-3608 !275 hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) pvrdma: Ensure correct input on ring init (CVE-2021-3607) pvrdma: Fix the ring init error flow (CVE-2021-3608) Signed-off-by: Chen Qun --- qemu.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/qemu.spec b/qemu.spec index 930973e..164850e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -266,6 +266,9 @@ Patch0253: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0254: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0255: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch Patch0256: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +Patch0257: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +Patch0258: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +Patch0259: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch BuildRequires: flex BuildRequires: bison @@ -611,6 +614,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Fri Apr 08 2022 Chen Qun +- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) +- pvrdma: Ensure correct input on ring init (CVE-2021-3607) +- pvrdma: Fix the ring init error flow (CVE-2021-3608) + * Fri Apr 08 2022 Chen Qun - hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands -- Gitee From b8f643bc596975ec239453b1c913f5ae17c3437b Mon Sep 17 00:00:00 2001 
From: Chen Qun Date: Fri, 8 Apr 2022 16:27:42 +0800 Subject: [PATCH 6/6] spec: Update release version with !267 !275 increase release version by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 164850e..ad3387b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 53 +Release: 54 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY -- Gitee
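Review bot: in 1/6, the added line "+Patch0256: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch" names the same file the unchanged context two lines above already lists as Patch0252, so the spec now applies one patch file twice; the second application fails in %prep as an already-applied (reversed) patch, or double-applies under fuzz. Drop the new line, or, if the file was regenerated, keep a single Patch entry for it and say so in the changelog.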
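Review bot: the 1/6 changelog entry "- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands" carries no reference at all; the merge request id !267 appears only in the commit subject, so someone reading qemu.spec alone cannot trace where the patch came from. Put the !267 reference (or the upstream commit id, if known) on the entry, as the rdma entries below it do with their CVE ids.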
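Review bot: the 2/6 hunk only rewrites the stored patch's header, replacing "From be2098de..." with "From 04d90353..." and "[PATCH 1/3]" with "[PATCH]", and changes nothing in the code that gets applied, yet the commit message is the full upstream CVE-2021-3582 description with Marcel Apfelbaum's trailers, the upstream Date "Wed, 16 Jun 2021" and "cherry-pick from: 284f191b...", a hash that matches neither the old nor the new From line. The message should state what this commit actually does (patch header regenerated from a different local branch, with the new hash identified) and carry the 2022 date of the edit; reusing the upstream author's Signed-off-by under a "From: Chen Qun" commit is misleading.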
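Review bot: the 3/6 hunk changes only the "From 0383586640..." hash to "From 04ae970fd4..." and the subject prefix "[PATCH 2/3]" to "[PATCH]" in the stored patch file; no applied code changes. The commit message, however, restates the upstream CVE-2021-3607 fix with its 2021 date and "cherry-pick from: 32e5703c...", which matches neither hash in the hunk. Describe the header regeneration itself, and date the commit to when it was made, so the git history is not mistaken for a second backport of the same fix.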
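Review bot: the 4/6 hunk likewise only swaps "From ad63c75c..." for "From d368151c..." and "[PATCH 3/3]" for "[PATCH]" in the stored patch header, while the commit message reproduces the upstream CVE-2021-3608 description, trailers, MIME headers and "cherry-pick from: 66ae37d8...", a hash that appears nowhere in the diff. Record the actual change (header rewrite, origin of the new hash) and its real date instead; the upstream text belongs inside the stored patch file, where it already is.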
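Review bot: in 5/6, the three added lines "+Patch0257: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch", "+Patch0258: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch" and "+Patch0259: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch" are byte-for-byte the filenames the unchanged context lists as Patch0253, Patch0254 and Patch0255, so each CVE fix would be applied twice and the second pass fails as already applied. Since 2/6 to 4/6 changed only the headers of those files, Patch0253 to Patch0255 already deliver the fixed code and nothing new needs a Patch entry; remove the three lines.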
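Review bot: the 5/6 changelog hunk adds an entry headed "* Fri Apr 08 2022 Chen Qun" directly above the entry with the identical date and author added in 1/6, so the spec ends up with two adjacent entries for one release bump (the Release change only arrives in 6/6). Merge them into a single entry listing all four items, and keep that entry in the same commit as the Release increment so every intermediate commit of the series has a changelog consistent with its release.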
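Review bot: the 6/6 hunk "-Release: 53" / "+Release: 54" is a lone bump split from the changelog entries it accounts for, which were added in 1/6 and 5/6; between those commits and this one the spec carries new changelog entries under the old release, and the subject names two merge requests (!267 and !275) for a single increment. Fold the Release change into the commit that adds the changelog entries, or bump once per merge request if each is meant to be a separate build.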