From c13905de4df663fa116b37f8fc68319706c4017e Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:25 +0800 Subject: [PATCH 01/15] spec: Update patch and changelog with !267 hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands !267 Signed-off-by: Chen Qun --- qemu.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/qemu.spec b/qemu.spec index 4f73d6e..bfc9f9e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -272,6 +272,7 @@ Patch0259: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch Patch0260: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch Patch0261: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Patch0262: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +Patch0263: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch BuildRequires: flex BuildRequires: bison @@ -617,6 +618,9 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands + * Tue May 10 2022 yezengruan - hw/block/fdc: Extract blk_create_empty_drive() - hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 -- Gitee From c75ddf988e42db913b19c9fde21bd24101038985 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 16 Jun 2021 14:06:00 +0300 Subject: [PATCH 02/15] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Reviewed-by: Prasad J Pandit Signed-off-by: Marcel Apfelbaum cherry-pick from: 284f191b4abad213aed04cb0458e1600fd18d7c4 Signed-off-by: yezengruan --- hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch index d047ee3..4a64212 100644 --- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch @@ -1,8 +1,8 @@ -From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001 +From 04d90353b1efa5347f70b4612ea6a329f2347f10 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma - device (CVE-2021-3582) +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. -- Gitee From bedd515a711b43d95aea5ce4ecfaa0d41aa460e4 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: [PATCH 03/15] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) Reviewed-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630114634.2168872-1-marcel@redhat.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum cherry-pick from: 32e5703cfea07c91e6e84bcb0313f633bb146534 Signed-off-by: yezengruan --- pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch index 2be3129..074b468 100644 --- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch @@ -1,7 +1,7 @@ -From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001 +From 04ae970fd4bad794a5e6a3c2710d8e49f221b36d Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607) +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. -- Gitee From d96a8769514d1737a277501bc1be81b71cb65eae Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 30 Jun 2021 14:52:46 +0300 Subject: [PATCH 04/15] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do not unmap uninitialized dma addresses. Fixes: CVE-2021-3608 Reviewed-by: VictorV (Kunlun Lab) Tested-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630115246.2178219-1-marcel@redhat.com> Tested-by: Yuval Shaia Reviewed-by: Yuval Shaia Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Marcel Apfelbaum cherry-pick from: 66ae37d8cc313f89272e711174a846a229bcdbd3 Signed-off-by: yezengruan --- pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch index ed54c1b..a001703 100644 --- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch @@ -1,7 +1,7 @@ -From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001 +From d368151ce50593cfa7fa280245f9c0568961062a Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608) +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From a13bbf2746ebd6906908b7d79e1c92ba36574c10 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:32 +0800 Subject: [PATCH 05/15] spec: Update patch and changelog with !275 Fixes: CVE-2021-3582/CVE-2021-3607/CVE-2021-3608 !275 hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) pvrdma: Ensure correct input on ring init (CVE-2021-3607) pvrdma: Fix the ring init error flow (CVE-2021-3608) Signed-off-by: Chen Qun --- qemu.spec | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/qemu.spec b/qemu.spec index bfc9f9e..1e7ec6f 100644 --- a/qemu.spec +++ b/qemu.spec @@ -273,6 +273,9 @@ Patch0260: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch Patch0261: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Patch0262: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch Patch0263: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +Patch0264: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +Patch0265: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +Patch0266: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch BuildRequires: flex BuildRequires: bison @@ -618,6 +621,11 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) +- pvrdma: Ensure correct input on ring init (CVE-2021-3607) +- pvrdma: Fix the ring init error flow (CVE-2021-3608) + * Mon May 16 2022 Chen Qun - hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands -- Gitee From 945b078d8016b5a24632e80cfa37ac9c0c3ddd94 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 28 Feb 2022 10:50:58 +0100 Subject: [PATCH 06/15] vhost-vsock: detach the virqueue element in case of error In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to detach it from the virtqueue before freeing its memory. Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device") Fixes: CVE-2022-26354 Cc: qemu-stable@nongnu.org Reported-by: VictorV Signed-off-by: Stefano Garzarella Message-Id: <20220228095058.27899-1-sgarzare@redhat.com> Reviewed-by: Stefan Hajnoczi Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin --- vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch index e1d2bd2..2bb25fe 100644 --- a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +++ b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch @@ -1,7 +1,7 @@ From bc165d294fdb95d93758b240186fcd81066ced35 Mon Sep 17 00:00:00 2001 From: Stefano Garzarella Date: Mon, 28 Feb 2022 10:50:58 +0100 -Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error +Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to -- Gitee From 62f7e56aa61c94fdff001da5f4db958a092f4656 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Tue, 8 Mar 2022 10:42:51 +0800 Subject: [PATCH 07/15] virtio-net: fix map leaking on error during receive Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue elements in an array and unmap them at once after receiving the packets, But it forgot to unmap the cached elements on error which will lead to leaking of mapping and other unexpected results. Fixing this by detaching the cached elements on error. This addresses CVE-2022-26353. Reported-by: Victor Tom Cc: qemu-stable@nongnu.org Fixes: CVE-2022-26353 Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") Reviewed-by: Michael S. Tsirkin Signed-off-by: Jason Wang --- virtio-net-fix-map-leaking-on-error-during-receive.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virtio-net-fix-map-leaking-on-error-during-receive.patch b/virtio-net-fix-map-leaking-on-error-during-receive.patch index f5f0d22..cc753b7 100644 --- a/virtio-net-fix-map-leaking-on-error-during-receive.patch +++ b/virtio-net-fix-map-leaking-on-error-during-receive.patch @@ -1,7 +1,7 @@ From c1937347f65a1a81787884c99575cc9c91c023e7 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Tue, 8 Mar 2022 10:42:51 +0800 -Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive +Subject: [PATCH] virtio-net: fix map leaking on error during receive Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue -- Gitee From 95e0e7c6464daee43bac49c05d155c294f25fc2b Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:43 +0800 Subject: [PATCH 08/15] spec: Update patch and changelog with !281 fix CVE-2022-26354 and CVE-2022-26353 !281 vhost-vsock: detach the virqueue element in case of error virtio-net: fix map leaking on error during receive Signed-off-by: Chen Qun --- qemu.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/qemu.spec b/qemu.spec index 1e7ec6f..7a4b100 100644 --- a/qemu.spec +++ b/qemu.spec @@ -276,6 +276,8 @@ Patch0263: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch Patch0264: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch Patch0265: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0266: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +Patch0267: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +Patch0268: virtio-net-fix-map-leaking-on-error-during-receive.patch BuildRequires: flex BuildRequires: bison @@ -621,6 +623,10 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- vhost-vsock: detach the virqueue element in case of error +- virtio-net: fix map leaking on error during receive + * Mon May 16 2022 Chen Qun - hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) - pvrdma: Ensure correct input on ring init (CVE-2021-3607) -- Gitee From 2d6c985b71a96e571b6dadea26988571c804c875 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:34 +0100 Subject: [PATCH 09/15] hw/block/fdc: Extract blk_create_empty_drive() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We are going to re-use this code in the next commit, so extract it as a new blk_create_empty_drive() function. Inspired-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-2-philmd@redhat.com Signed-off-by: John Snow --- hw-block-fdc-Extract-blk_create_empty_drive.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw-block-fdc-Extract-blk_create_empty_drive.patch b/hw-block-fdc-Extract-blk_create_empty_drive.patch index 23b3ab3..8ffbd3b 100644 --- a/hw-block-fdc-Extract-blk_create_empty_drive.patch +++ b/hw-block-fdc-Extract-blk_create_empty_drive.patch @@ -1,7 +1,7 @@ -From b05a7125bab12a5610db47c9fd4f85d93a552a4e Mon Sep 17 00:00:00 2001 +From 70b620188baffb26a2a9c11d470301be1c4fc3d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:34 +0100 -Subject: [PATCH 1/5] hw/block/fdc: Extract blk_create_empty_drive() +Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From 6c9f3e0a8cf489e1b1f1cb7d8a0c7692458df703 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:35 +0100 Subject: [PATCH 10/15] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guest might select another drive on the bus by setting the DRIVE_SEL bit of the DIGITAL OUTPUT REGISTER (DOR). The current controller model doesn't expect a BlockBackend to be NULL. A simple way to fix CVE-2021-20196 is to create an empty BlockBackend when it is missing. All further accesses will be safely handled, and the controller state machines keep behaving correctly. Cc: qemu-stable@nongnu.org Fixes: CVE-2021-20196 Reported-by: Gaoning Pan (Ant Security Light-Year Lab) Reviewed-by: Darren Kenny Reviewed-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-3-philmd@redhat.com BugLink: https://bugs.launchpad.net/qemu/+bug/1912780 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/338 Reviewed-by: Darren Kenny Reviewed-by: Hanna Reitz Signed-off-by: Philippe Mathieu-Daudé Signed-off-by: John Snow --- hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch index 2c9c180..e78981e 100644 --- a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +++ b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch @@ -1,7 +1,7 @@ -From c303ae575659493d747225f61430460dec809362 Mon Sep 17 00:00:00 2001 +From ef1cfbcb758140d9c69dbd82bedc9cada587c2aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:35 +0100 -Subject: [PATCH 2/5] hw/block/fdc: Kludge missing floppy drive to fix +Subject: [PATCH] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From cf536c8843ef41047a023bf0ce192802b66c84f7 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Wed, 24 Nov 2021 17:15:36 +0100 Subject: [PATCH 11/15] tests/fdc-test: Add a regression test for CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Without the previous commit, when running 'make check-qtest-i386' with QEMU configured with '--enable-sanitizers' we get: AddressSanitizer:DEADLYSIGNAL ================================================================= ==287878==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000344 ==287878==The signal is caused by a WRITE memory access. ==287878==Hint: address points to the zero page. #0 0x564b2e5bac27 in blk_inc_in_flight block/block-backend.c:1346:5 #1 0x564b2e5bb228 in blk_pwritev_part block/block-backend.c:1317:5 #2 0x564b2e5bcd57 in blk_pwrite block/block-backend.c:1498:11 #3 0x564b2ca1cdd3 in fdctrl_write_data hw/block/fdc.c:2221:17 #4 0x564b2ca1b2f7 in fdctrl_write hw/block/fdc.c:829:9 #5 0x564b2dc49503 in portio_write softmmu/ioport.c:201:9 Add the reproducer for CVE-2021-20196. Suggested-by: Alexander Bulekov Reviewed-by: Darren Kenny Signed-off-by: Philippe Mathieu-Daudé Message-id: 20211124161536.631563-4-philmd@redhat.com Signed-off-by: John Snow --- tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch index 56aac5a..20f9e00 100644 --- a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +++ b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch @@ -1,7 +1,7 @@ -From 2d3c9124817d4f01a1d241359a784f29006f9cc1 Mon Sep 17 00:00:00 2001 +From 7b624c4722677166f6d98f13fd8cd20f76fe75f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:36 +0100 -Subject: [PATCH 3/5] tests/fdc-test: Add a regression test for CVE-2021-20196 +Subject: [PATCH] tests/fdc-test: Add a regression test for CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit -- Gitee From abebde42aec3e43ddd220b65a2b1d3ee3c268766 Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 7 Apr 2022 10:11:06 +0200 Subject: [PATCH 12/15] display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoid fetching 'width' and 'height' a second time to prevent possible race condition. Refer to security advisory https://starlabs.sg/advisories/22-4207/ for more information. Fixes: CVE-2021-4207 Signed-off-by: Mauro Matteo Cascella Reviewed-by: Marc-André Lureau Message-Id: <20220407081106.343235-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- display-qxl-render-fix-race-condition-in-qxl_cursor-.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch index 7fbd127..4e328a7 100644 --- a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +++ b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch @@ -1,7 +1,7 @@ -From 5b4d6c4605900ecc22135af5a904270931220a4f Mon Sep 17 00:00:00 2001 +From 0396df1e72e70d96592928601cdc66762539df0a Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:11:06 +0200 -Subject: [PATCH 4/5] display/qxl-render: fix race condition in qxl_cursor +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From 9cfd675d7ecc5cc8a12990ef9db439f57cf021bb Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Thu, 7 Apr 2022 10:17:12 +0200 Subject: [PATCH 13/15] ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevent potential integer overflow by limiting 'width' and 'height' to 512x512. Also change 'datasize' type to size_t. Refer to security advisory https://starlabs.sg/advisories/22-4206/ for more information. Fixes: CVE-2021-4206 Signed-off-by: Mauro Matteo Cascella Reviewed-by: Marc-André Lureau Message-Id: <20220407081712.345609-1-mcascell@redhat.com> Signed-off-by: Gerd Hoffmann --- ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch index 48e1bf5..06b7061 100644 --- a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +++ b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch @@ -1,7 +1,7 @@ -From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4 Mon Sep 17 00:00:00 2001 +From 262faa0b4828d8b9cd028d2436ce67bc386b5f72 Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:17:12 +0200 -Subject: [PATCH 5/5] ui/cursor: fix integer overflow in cursor_alloc +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 -- Gitee From 6791696c2054b8b6bb47921bb624a11253e6688e Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:51 +0800 Subject: [PATCH 14/15] spec: Update patch and changelog with !289 fix CVE-2021-20196/CVE-2021-4207/CVE-2021-4206 !289 hw/block/fdc: Extract blk_create_empty_drive() hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 tests/fdc-test: Add a regression test for CVE-2021-20196 display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) Signed-off-by: Chen Qun --- qemu.spec | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/qemu.spec b/qemu.spec index 7a4b100..4b2a7b5 100644 --- a/qemu.spec +++ b/qemu.spec @@ -278,6 +278,11 @@ Patch0265: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch Patch0266: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch Patch0267: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch Patch0268: virtio-net-fix-map-leaking-on-error-during-receive.patch +Patch0269: hw-block-fdc-Extract-blk_create_empty_drive.patch +Patch0270: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +Patch0271: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +Patch0272: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +Patch0273: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch BuildRequires: flex BuildRequires: bison @@ -623,6 +628,13 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/block/fdc: Extract blk_create_empty_drive() +- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 +- tests/fdc-test: Add a regression test for CVE-2021-20196 +- display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) +- ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) + * Mon May 16 2022 Chen Qun - vhost-vsock: detach the virqueue element in case of error - virtio-net: fix map leaking on error during receive -- Gitee From 3811eb342309501715d6f09f18e404f1a3a56f6b Mon Sep 17 00:00:00 2001 From: Chen Qun Date: Mon, 16 May 2022 21:27:51 +0800 Subject: [PATCH 15/15] spec: Update release version with !267 !275 !281 !289 increase release verison by one Signed-off-by: Chen Qun --- qemu.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/qemu.spec b/qemu.spec index 4b2a7b5..a1b1693 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 55 +Release: 56 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY -- Gitee