diff --git a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
index 7fbd127541cea671a6aad05b69a4d02f57fc9242..af026473a57a48eaf6acc3018e856a71204131ac 100644
--- a/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
+++ b/display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
@@ -1,7 +1,7 @@
-From 5b4d6c4605900ecc22135af5a904270931220a4f Mon Sep 17 00:00:00 2001
+From 5442c1af059f303cf3b7d5f35997dc9378677f78 Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella
 Date: Thu, 7 Apr 2022 10:11:06 +0200
-Subject: [PATCH 4/5] display/qxl-render: fix race condition in qxl_cursor
+Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor
  (CVE-2021-4207)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
diff --git a/hw-block-fdc-Extract-blk_create_empty_drive.patch b/hw-block-fdc-Extract-blk_create_empty_drive.patch
index 23b3ab3e3b832117529f3bf91564cab0f386aaf2..c3e00fb5efe4a04687c5251792896a62ce5dd6fa 100644
--- a/hw-block-fdc-Extract-blk_create_empty_drive.patch
+++ b/hw-block-fdc-Extract-blk_create_empty_drive.patch
@@ -1,7 +1,7 @@
-From b05a7125bab12a5610db47c9fd4f85d93a552a4e Mon Sep 17 00:00:00 2001
+From 6a1ed848361ae21f40bd584dc670a0f581b8919f Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
 Date: Wed, 24 Nov 2021 17:15:34 +0100
-Subject: [PATCH 1/5] hw/block/fdc: Extract blk_create_empty_drive()
+Subject: [PATCH] hw/block/fdc: Extract blk_create_empty_drive()
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
diff --git a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch
index 2c9c1809fd599c969cf13e4b92654d61535b3db8..2723170b54e52559440537a5bf4ebab297ab13a2 100644
--- a/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch
+++ b/hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch
@@ -1,7 +1,7 @@
-From c303ae575659493d747225f61430460dec809362 Mon Sep 17 00:00:00 2001
+From 2e518af44f7c5f49822a06d38b51d2d0034c15e8 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
 Date: Wed, 24 Nov 2021 17:15:35 +0100
-Subject: [PATCH 2/5] hw/block/fdc: Kludge missing floppy drive to fix
+Subject: [PATCH] hw/block/fdc: Kludge missing floppy drive to fix
  CVE-2021-20196
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
diff --git a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
index d047ee316de5f6b6cfdb80de451da6ff232e51c7..52746db0be0b979eda8981578ec60b54af9e3af7 100644
--- a/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
+++ b/hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
@@ -1,8 +1,8 @@
-From be2098de6cafdce46c104d6ff277b7b780631e40 Mon Sep 17 00:00:00 2001
+From b5d95cb90dba247a0a9ca3bc77b23d78632085ee Mon Sep 17 00:00:00 2001
 From: Marcel Apfelbaum
 Date: Wed, 16 Jun 2021 14:06:00 +0300
-Subject: [PATCH 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma
- device (CVE-2021-3582)
+Subject: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device
+ (CVE-2021-3582)
 Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length.
diff --git a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
index 1b0c29a4e6c4caf6a007e4875f24a6a9826430e8..ed880aa57304e8b79f1c7c4fa753d5a2defe572b 100644
--- a/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+++ b/hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
@@ -1,8 +1,8 @@
 From ea914867ecf5d342a7919abeff4b73c4a6f26e03 Mon Sep 17 00:00:00 2001
 From: AlexChen
 Date: Thu, 4 Nov 2021 17:31:38 +0100
-Subject: [PATCH 2/2] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE
- SELECT commands
+Subject: [PATCH] hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT
+ commands
 This avoids an off-by-one read of 'mode_sense_valid' buffer in hw/scsi/scsi-disk.c:mode_sense_page().
@@ -28,7 +28,7 @@ index 93fdd913fe..9a67fc7dc6 100644
 @@ -1089,6 +1089,7 @@ static int mode_sense_page(SCSIDiskState *s, int page, uint8_t **p_outbuf, uint8_t *p = *p_outbuf + 2; int length; - + + assert(page < ARRAY_SIZE(mode_sense_valid)); if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) { return -1;
@@ -36,7 +36,7 @@ index 93fdd913fe..9a67fc7dc6 100644
 @@ -1430,6 +1431,11 @@ static int scsi_disk_check_mode_select(SCSIDiskState *s, int page, return -1; } - + + /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */ + if (page == MODE_PAGE_ALLS) { + return -1;
@@ -45,6 +45,6 @@ index 93fdd913fe..9a67fc7dc6 100644
 p = mode_current; memset(mode_current, 0, inlen + 2); len = mode_sense_page(s, page, &p, 0); --- +-- 2.27.0
diff --git a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
index 2be31292ab46766606bb656c8d07cda5dc2438c1..d7a451a47dd968934fca150a748d58f40f3a0d6f 100644
--- a/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
+++ b/pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
@@ -1,7 +1,7 @@
-From 0383586640e2c9712376c795d4d2ea27aadeed78 Mon Sep 17 00:00:00 2001
+From f393d5e5c1d54ff82eac24076f5a2f6f9412871f Mon Sep 17 00:00:00 2001
 From: Marcel Apfelbaum
 Date: Wed, 30 Jun 2021 14:46:34 +0300
-Subject: [PATCH 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+Subject: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
 Check the guest passed a non zero page count for pvrdma device ring buffers.
diff --git a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
index ed54c1b6c9d1ad4e06e38d7d5e66c04d86e83784..0ea6a498e747d9bd532973e774f74e39b3390002 100644
--- a/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
+++ b/pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
@@ -1,7 +1,7 @@
-From ad63c75ceea0b9d6fe1dbb008cad41527a29f923 Mon Sep 17 00:00:00 2001
+From c07792a3e5decb249a952c5a4658f7cd23699eb2 Mon Sep 17 00:00:00 2001
 From: Marcel Apfelbaum
 Date: Wed, 30 Jun 2021 14:52:46 +0300
-Subject: [PATCH 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608)
+Subject: [PATCH] pvrdma: Fix the ring init error flow (CVE-2021-3608)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
diff --git a/qemu.spec b/qemu.spec
index 7cf8d72b2aa3b5124f6e92b82392294be57416ab..8ccad7005aef7674b05235c5afe931fb5e1c74c3 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 63
+Release: 64
 Epoch: 2
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -320,6 +320,17 @@ Patch0342: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch
 Patch0343: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch
 Patch0344: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
 Patch0345: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
+Patch0346: hw-scsi-scsi-disk-MODE_PAGE_ALLS-not-allowed-in-MODE.patch
+Patch0347: hw-rdma-Fix-possible-mremap-overflow-in-the-pvrdma-d.patch
+Patch0348: pvrdma-Ensure-correct-input-on-ring-init-CVE-2021-36.patch
+Patch0349: pvrdma-Fix-the-ring-init-error-flow-CVE-2021-3608.patch
+Patch0350: vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
+Patch0351: virtio-net-fix-map-leaking-on-error-during-receive.patch
+Patch0352: hw-block-fdc-Extract-blk_create_empty_drive.patch
+Patch0353: hw-block-fdc-Kludge-missing-floppy-drive-to-fix-CVE-.patch
+Patch0354: tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch
+Patch0355: display-qxl-render-fix-race-condition-in-qxl_cursor-.patch
+Patch0356: ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
 BuildRequires: flex
 BuildRequires: bison
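Review bot: Patch0352–Patch0356 register the same five .patch files that the surrounding context already lists as Patch0342–Patch0345 (and, presumably, Patch0341 for hw-block-fdc-Extract-blk_create_empty_drive.patch), so if %prep applies every PatchNNNN in sequence the fdc, qxl-render and ui/cursor fixes would be applied a second time, which patch tools normally reject as already applied; %prep is outside this diff, so confirm how the patch list is consumed. Only Patch0346–Patch0351 are new to this spec, so the five duplicate lines should be dropped and the numbering should stop at Patch0351. The %changelog hunk (`@@ -717,6 +728,25 @@`) carries the same duplication: its first `* Mon May 16 2022 Chen Qun` stanza re-records the five items already present under the `* Tue May 10 2022 yezengruan` entry visible in its context, so that stanza should go as well, and the remaining three same-day stanzas by the same author read more naturally as one.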
@@ -717,6 +728,25 @@ getent passwd qemu >/dev/null || \
 %endif
 %changelog
+* Mon May 16 2022 Chen Qun
+- hw/block/fdc: Extract blk_create_empty_drive()
+- hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
+- tests/fdc-test: Add a regression test for CVE-2021-20196
+- display/qxl-render: fix race condition in qxl_cursor (CVE-2021-4207)
+- ui/cursor: fix integer overflow in cursor_alloc (CVE-2021-4206)
+
+* Mon May 16 2022 Chen Qun
+- vhost-vsock: detach the virqueue element in case of error
+- virtio-net: fix map leaking on error during receive
+
+* Mon May 16 2022 Chen Qun
+- hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
+- pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+- pvrdma: Fix the ring init error flow (CVE-2021-3608)
+
+* Mon May 16 2022 Chen Qun
+- hw/scsi/scsi-disk: MODE_PAGE_ALLS not allowed in MODE SELECT commands
+
 * Tue May 10 2022 yezengruan
 - hw/block/fdc: Extract blk_create_empty_drive()
 - hw/block/fdc: Kludge missing floppy drive to fix CVE-2021-20196
diff --git a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch
index 56aac5a8f059c1e4a2626fd8829fc411a218cec6..01bd3eb2d58ad20d0d16c713e9b1b00dfef5d486 100644
--- a/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch
+++ b/tests-fdc-test-Add-a-regression-test-for-CVE-2021-20.patch
@@ -1,7 +1,7 @@
-From 2d3c9124817d4f01a1d241359a784f29006f9cc1 Mon Sep 17 00:00:00 2001
+From d7339498ecc6b88211209ca69dbcd26a78890178 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?=
 Date: Wed, 24 Nov 2021 17:15:36 +0100
-Subject: [PATCH 3/5] tests/fdc-test: Add a regression test for CVE-2021-20196
+Subject: [PATCH] tests/fdc-test: Add a regression test for CVE-2021-20196
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
diff --git a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
index 48e1bf5c506643d95ed10c4ebb9f0602cd86dc8c..70b60fbb733079f7ba843783cd81ea95f973ade9 100644
--- a/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
+++ b/ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch
@@ -1,7 +1,7 @@
-From 88e41fe7ae7e3344f075ae9b226c29c976adf0f4 Mon Sep 17 00:00:00 2001
+From 6cb2defe67fa628c6274ed59cc737bfdd75948e8 Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella
 Date: Thu, 7 Apr 2022 10:17:12 +0200
-Subject: [PATCH 5/5] ui/cursor: fix integer overflow in cursor_alloc
+Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc
  (CVE-2021-4206)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
diff --git a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
index ec6f073daa1d9a752248ddff8f15ab5a6cb31119..e027cf150cb0893f558dd953248ff57197f8f596 100644
--- a/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
+++ b/vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
@@ -1,7 +1,7 @@
 From 24181e4b219d3206ff105ca727f8d566c8ae8db3 Mon Sep 17 00:00:00 2001
 From: Stefano Garzarella
 Date: Mon, 28 Feb 2022 10:50:58 +0100
-Subject: [PATCH 1/2] vhost-vsock: detach the virqueue element in case of error
+Subject: [PATCH] vhost-vsock: detach the virqueue element in case of error
 In vhost_vsock_send_transport_reset(), if an element popped from the virtqueue is invalid, we should call virtqueue_detach_element() to
diff --git a/virtio-net-fix-map-leaking-on-error-during-receive.patch b/virtio-net-fix-map-leaking-on-error-during-receive.patch
index b5803891602c0212136146a1b43fd2e0b81699aa..ec5806fad665b6667fc4502d77df45b12787f0f3 100644
--- a/virtio-net-fix-map-leaking-on-error-during-receive.patch
+++ b/virtio-net-fix-map-leaking-on-error-during-receive.patch
@@ -1,7 +1,7 @@
 From c1e83833ebd3d02faa9e2cc666a06c1754038d14 Mon Sep 17 00:00:00 2001
 From: Jason Wang
 Date: Tue, 8 Mar 2022 10:42:51 +0800
-Subject: [PATCH 2/2] virtio-net: fix map leaking on error during receive
+Subject: [PATCH] virtio-net: fix map leaking on error during receive
 Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg") tries to fix the use after free of the sg by caching the virtqueue