diff --git a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch index 7fbd127541cea671a6aad05b69a4d02f57fc9242..64d0d77ff5c5272abbaebe08360f7bfc8c57d8ef 100644 --- a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +++ b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch @@ -1,7 +1,7 @@ From 5b4d6c4605900ecc22135af5a904270931220a4f Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:11:06 +0200 -Subject: [PATCH 4/5] display/qxl-render: fix race condition in qxl_cursor +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/hw-block-fdc-Extract-blk_create_empty_drive.patch b/hw-block-fdc-Extract-blk_create_empty_drive.patch index 23b3ab3e3b832117529f3bf91564cab0f386aaf2..61e1235c1753f49284ddc54c00d27493f968f6f1 100644 --- a/hw-block-fdc-Extract-blk_create_empty_drive.patch +++ b/hw-block-fdc-Extract-blk_create_empty_drive.patch @@ -1,7 +1,7 @@ From b05a7125bab12a5610db47c9fd4f85d93a552a4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:34 +0100 -Subject: [PATCH 1/5] hw/block/fdc: Extract blk_create_empty_drive() +Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch index 2c9c1809fd599c969cf13e4b92654d61535b3db8..ba7df948b428c9d50edc0c33ba01db40f2a3fecd 100644 --- a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +++ b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch @@ -1,7 +1,7 @@ From c303ae575659493d747225f61430460dec809362 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:35 +0100 -Subject: [PATCH 2/5] hw/block/fdc: Kludge missing floppy drive to fix +Subject: [PATCH] hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch index d047ee316de5f6b6cfdb80de451da6ff232e51c7..48d2fd9211033f72358307a9418e6dfd5591e3e9 100644 --- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch @@ -1,8 +1,8 @@ From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 16 Jun 2021 14:06:00 +0300 -Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma - device (CVE-2021-3582) +Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device + (CVE-2021-3582) Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch index 432e6ccaa200722f2be1c9e18ee742461ae5458f..ae5ed7a7dea7ad3955d35751ecabe701aee70ab0 100644 --- a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch @@ -1,4 +1,4 @@ -From 08438d7975713bbeed2dff8467bd4656b34221ad Mon Sep 17 00:00:00 2001 +From b1f0a316a30eb5c1ba87391af284ad926afa2c3c Mon Sep 17 00:00:00 2001 From: AlexChen Date: Thu, 4 Nov 2021 17:31:38 +0100 Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT @@ -22,21 +22,21 @@ Signed-off-by: AlexChen 1 file changed, 6 insertions(+) diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c -index cd90cd780e..297efd5a72 100644 +index 93fdd913fe..9a67fc7dc6 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c -@@ -1082,6 +1082,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, +@@ -1089,6 +1089,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, uint8_t *p = *p_outbuf + 2; int length; - + + assert(page < ARRAY_SIZE(mode_sense_valid)); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1; } -@@ -1423,6 +1424,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, +@@ -1430,6 +1431,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, return -1; } - + + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1; @@ -45,6 +45,6 @@ index cd90cd780e..297efd5a72 100644 p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0); --- +-- 2.27.0 diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch index 2be31292ab46766606bb656c8d07cda5dc2438c1..81c82782f9aa4a94f6020790c73bd11fe2b557ba 100644 --- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch @@ -1,7 +1,7 @@ From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 -Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607) +Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch index ed54c1b6c9d1ad4e06e38d7d5e66c04d86e83784..e1de794954dc53163a680a90fc666b1fadcdd2e6 100644 --- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch @@ -1,7 +1,7 @@ From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:52:46 +0300 -Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608) +Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/qemu.spec b/qemu.spec index eaaeb704021962333d087bf1099beb7a6764703f..ec239fa55dfe0be5cdb60ca38288b3a6c672656a 100644 --- a/qemu.spec +++ b/qemu.spec @@ -1,6 +1,6 @@ Name: qemu Version: 4.1.0 -Release: 67 +Release: 68 Epoch: 2 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -355,6 +355,17 @@ Patch0342: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch +Patch0347: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch +Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch +Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch +Patch0350: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +Patch0351: virtio-net-fix-map-leaking-on-error-during-receive.patch +Patch0352: hw-block-fdc-Extract-blk_create_empty_drive.patch +Patch0353: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch +Patch0354: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +Patch0355: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +Patch0356: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch BuildRequires: flex BuildRequires: bison @@ -751,6 +762,25 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Mon May 16 2022 Chen Qun +- hw/block/fdc: Extract blk_create_empty_drive() +- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 +- tests/fdc-test: Add a regression test for CVE-2021-20196 +- display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207) +- ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) + +* Mon May 16 2022 Chen Qun +- vhost-vsock: detach the virqueue element in case of error +- virtio-net: fix map leaking on error during receive + +* Mon May 16 2022 Chen Qun +- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) +- pvrdma: Ensure correct input on ring init (CVE-2021-3607) +- pvrdma: Fix the ring init error flow (CVE-2021-3608) + +* Mon May 16 2022 Chen Qun +- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands + * Tue May 10 2022 yezengruan - hw/block/fdc: Extract blk_create_empty_drive() - hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196 diff --git a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch index 56aac5a8f059c1e4a2626fd8829fc411a218cec6..11d813487f596a64ea997e20ca58cb8ed7b934bc 100644 --- a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch +++ b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch @@ -1,7 +1,7 @@ From 2d3c9124817d4f01a1d241359a784f29006f9cc1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= Date: Wed, 24 Nov 2021 17:15:36 +0100 -Subject: [PATCH 3/5] tests/fdc-test: Add a regression test for CVE-2021-20196 +Subject: [PATCH] tests/fdc-test: Add a regression test for CVE-2021-20196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit diff --git a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch index 48e1bf5c506643d95ed10c4ebb9f0602cd86dc8c..cfd13f35c30cd8595ab313e68f39cfd3233429db 100644 --- a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch +++ b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch @@ -1,7 +1,7 @@ From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4 Mon Sep 17 00:00:00 2001 From: Mauro Matteo Cascella Date: Thu, 7 Apr 2022 10:17:12 +0200 -Subject: [PATCH 5/5] ui/cursor: fix integer overflow in cursor_alloc +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 diff --git a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch index 8cde941766ae0a8983631c5623895ae0b68bf165..97d32c65f35dfdb59a423572f9b01e235cd82e23 100644 --- a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch +++ b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch @@ -1,7 +1,7 @@ From 1f20e48288a39d9ea92e743707fd08de77bfe584 Mon Sep 17 00:00:00 2001 From: Stefano Garzarella Date: Mon, 28 Feb 2022 10:50:58 +0100 -Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error +Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to diff --git a/virtio-net-fix-map-leaking-on-error-during-receive.patch b/virtio-net-fix-map-leaking-on-error-during-receive.patch index 9477045017040c85905b7eac1c74b29ff665bbe6..90d609641ac53158c6e2910428018f71d4684774 100644 --- a/virtio-net-fix-map-leaking-on-error-during-receive.patch +++ b/virtio-net-fix-map-leaking-on-error-during-receive.patch @@ -1,7 +1,7 @@ From 72f59cd8d3c2a7a1f4a64cdfafd6c333d5bf4ad3 Mon Sep 17 00:00:00 2001 From: Jason Wang Date: Tue, 8 Mar 2022 10:42:51 +0800 -Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive +Subject: [PATCH] virtio-net: fix map leaking on error during receive Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue