From 849f452f3db19e11aa44e9e23acba8d31dedb382 Mon Sep 17 00:00:00 2001 From: Jiabo Feng Date: Thu, 11 Jul 2024 14:45:15 +0800 Subject: [PATCH] QEMU update to version 8.2.0-15: - block: Parse filenames only when explicitly requested (CVE-2024-4467) - iotests/270: Don't store data-file with json: prefix in image (CVE-2024-4467) - iotests/244: Don't store data-file with protocol in image (CVE-2024-4467) - qcow2: Don't open data_file with BDRV_O_NO_IO (CVE-2024-4467) - migration/dirtyrate: Fix segmentation fault - target/hexagon: idef-parser fix leak of init_list Signed-off-by: Jiabo Feng --- ...names-only-when-explicitly-requested.patch | 252 ++++++++++++++++++ ...t-store-data-file-with-protocol-in-i.patch | 52 ++++ ...t-store-data-file-with-json-prefix-i.patch | 54 ++++ ...ion-dirtyrate-Fix-segmentation-fault.patch | 36 +++ ...-data_file-with-BDRV_O_NO_IO-CVE-202.patch | 108 ++++++++ qemu.spec | 16 +- ...on-idef-parser-fix-leak-of-init_list.patch | 50 ++++ 7 files changed, 567 insertions(+), 1 deletion(-) create mode 100644 block-Parse-filenames-only-when-explicitly-requested.patch create mode 100644 iotests-244-Don-t-store-data-file-with-protocol-in-i.patch create mode 100644 iotests-270-Don-t-store-data-file-with-json-prefix-i.patch create mode 100644 migration-dirtyrate-Fix-segmentation-fault.patch create mode 100644 qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO-CVE-202.patch create mode 100644 target-hexagon-idef-parser-fix-leak-of-init_list.patch diff --git a/block-Parse-filenames-only-when-explicitly-requested.patch b/block-Parse-filenames-only-when-explicitly-requested.patch new file mode 100644 index 0000000..54f2fec --- /dev/null +++ b/block-Parse-filenames-only-when-explicitly-requested.patch @@ -0,0 +1,252 @@ +From fc74f24988cc2160d6115337330e8549df3aad0d Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 25 Apr 2024 14:56:02 +0200 +Subject: [PATCH] block: Parse filenames only when explicitly requested + (CVE-2024-4467) + +When handling image filenames from legacy options such as -drive or from +tools, these filenames are parsed for protocol prefixes, including for +the json:{} pseudo-protocol. + +This behaviour is intended for filenames that come directly from the +command line and for backing files, which may come from the image file +itself. Higher level management tools generally take care to verify that +untrusted images don't contain a bad (or any) backing file reference; +'qemu-img info' is a suitable tool for this. + +However, for other files that can be referenced in images, such as +qcow2 data files or VMDK extents, the string from the image file is +usually not verified by management tools - and 'qemu-img info' wouldn't +be suitable because in contrast to backing files, it already opens these +other referenced files. So here the string should be interpreted as a +literal local filename. More complex configurations need to be specified +explicitly on the command line or in QMP. + +This patch changes bdrv_open_inherit() so that it only parses filenames +if a new parameter parse_filename is true. It is set for the top level +in bdrv_open(), for the file child and for the backing file child. All +other callers pass false and disable filename parsing this way. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +Signed-off-by: liuxiangdong +--- + block.c | 98 +++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 61 insertions(+), 37 deletions(-) + +diff --git a/block.c b/block.c +index 3bfd4be6b4..6a2abfabcb 100644 +--- a/block.c ++++ b/block.c +@@ -89,6 +89,7 @@ static BlockDriverState *bdrv_open_inherit(const char *filename, + BlockDriverState *parent, + const BdrvChildClass *child_class, + BdrvChildRole child_role, ++ bool parse_filename, + Error **errp); + + static bool bdrv_recurse_has_child(BlockDriverState *bs, +@@ -2050,7 +2051,8 @@ static void parse_json_protocol(QDict *options, const char **pfilename, + * block driver has been specified explicitly. + */ + static int bdrv_fill_options(QDict **options, const char *filename, +- int *flags, Error **errp) ++ int *flags, bool allow_parse_filename, ++ Error **errp) + { + const char *drvname; + bool protocol = *flags & BDRV_O_PROTOCOL; +@@ -2092,7 +2094,7 @@ static int bdrv_fill_options(QDict **options, const char *filename, + if (protocol && filename) { + if (!qdict_haskey(*options, "filename")) { + qdict_put_str(*options, "filename", filename); +- parse_filename = true; ++ parse_filename = allow_parse_filename; + } else { + error_setg(errp, "Can't specify 'file' and 'filename' options at " + "the same time"); +@@ -3678,7 +3680,8 @@ int bdrv_open_backing_file(BlockDriverState *bs, QDict *parent_options, + } + + backing_hd = bdrv_open_inherit(backing_filename, reference, options, 0, bs, +- &child_of_bds, bdrv_backing_role(bs), errp); ++ &child_of_bds, bdrv_backing_role(bs), true, ++ errp); + if (!backing_hd) { + bs->open_flags |= BDRV_O_NO_BACKING; + error_prepend(errp, "Could not open backing file: "); +@@ -3715,7 +3718,8 @@ free_exit: + static BlockDriverState * + bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key, + BlockDriverState *parent, const BdrvChildClass *child_class, +- BdrvChildRole child_role, bool allow_none, Error **errp) ++ BdrvChildRole child_role, bool allow_none, ++ bool parse_filename, Error **errp) + { + BlockDriverState *bs = NULL; + QDict *image_options; +@@ -3746,7 +3750,8 @@ bdrv_open_child_bs(const char *filename, QDict *options, const char *bdref_key, + } + + bs = bdrv_open_inherit(filename, reference, image_options, 0, +- parent, child_class, child_role, errp); ++ parent, child_class, child_role, parse_filename, ++ errp); + if (!bs) { + goto done; + } +@@ -3756,6 +3761,37 @@ done: + return bs; + } + ++static BdrvChild *bdrv_open_child_common(const char *filename, ++ QDict *options, const char *bdref_key, ++ BlockDriverState *parent, ++ const BdrvChildClass *child_class, ++ BdrvChildRole child_role, ++ bool allow_none, bool parse_filename, ++ Error **errp) ++{ ++ BlockDriverState *bs; ++ BdrvChild *child; ++ AioContext *ctx; ++ ++ GLOBAL_STATE_CODE(); ++ ++ bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class, ++ child_role, allow_none, parse_filename, errp); ++ if (bs == NULL) { ++ return NULL; ++ } ++ ++ bdrv_graph_wrlock(NULL); ++ ctx = bdrv_get_aio_context(bs); ++ aio_context_acquire(ctx); ++ child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role, ++ errp); ++ aio_context_release(ctx); ++ bdrv_graph_wrunlock(NULL); ++ ++ return child; ++} ++ + /* + * Opens a disk image whose options are given as BlockdevRef in another block + * device's options. +@@ -3781,31 +3817,15 @@ BdrvChild *bdrv_open_child(const char *filename, + BdrvChildRole child_role, + bool allow_none, Error **errp) + { +- BlockDriverState *bs; +- BdrvChild *child; +- AioContext *ctx; +- +- GLOBAL_STATE_CODE(); +- +- bs = bdrv_open_child_bs(filename, options, bdref_key, parent, child_class, +- child_role, allow_none, errp); +- if (bs == NULL) { +- return NULL; +- } +- +- bdrv_graph_wrlock(NULL); +- ctx = bdrv_get_aio_context(bs); +- aio_context_acquire(ctx); +- child = bdrv_attach_child(parent, bs, bdref_key, child_class, child_role, +- errp); +- aio_context_release(ctx); +- bdrv_graph_wrunlock(NULL); +- +- return child; ++ return bdrv_open_child_common(filename, options, bdref_key, parent, ++ child_class, child_role, allow_none, false, ++ errp); + } + + /* +- * Wrapper on bdrv_open_child() for most popular case: open primary child of bs. ++ * This does mostly the same as bdrv_open_child(), but for opening the primary ++ * child of a node. A notable difference from bdrv_open_child() is that it ++ * enables filename parsing for protocol names (including json:). + * + * The caller must hold the lock of the main AioContext and no other AioContext. + * @parent can move to a different AioContext in this function. Callers must +@@ -3822,8 +3842,8 @@ int bdrv_open_file_child(const char *filename, + role = parent->drv->is_filter ? + (BDRV_CHILD_FILTERED | BDRV_CHILD_PRIMARY) : BDRV_CHILD_IMAGE; + +- if (!bdrv_open_child(filename, options, bdref_key, parent, +- &child_of_bds, role, false, errp)) ++ if (!bdrv_open_child_common(filename, options, bdref_key, parent, ++ &child_of_bds, role, false, true, errp)) + { + return -EINVAL; + } +@@ -3868,7 +3888,8 @@ BlockDriverState *bdrv_open_blockdev_ref(BlockdevRef *ref, Error **errp) + + } + +- bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, errp); ++ bs = bdrv_open_inherit(NULL, reference, qdict, 0, NULL, NULL, 0, false, ++ errp); + obj = NULL; + qobject_unref(obj); + visit_free(v); +@@ -3965,7 +3986,7 @@ static BlockDriverState * no_coroutine_fn + bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + int flags, BlockDriverState *parent, + const BdrvChildClass *child_class, BdrvChildRole child_role, +- Error **errp) ++ bool parse_filename, Error **errp) + { + int ret; + BlockBackend *file = NULL; +@@ -4014,9 +4035,11 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + } + + /* json: syntax counts as explicit options, as if in the QDict */ +- parse_json_protocol(options, &filename, &local_err); +- if (local_err) { +- goto fail; ++ if (parse_filename) { ++ parse_json_protocol(options, &filename, &local_err); ++ if (local_err) { ++ goto fail; ++ } + } + + bs->explicit_options = qdict_clone_shallow(options); +@@ -4041,7 +4064,8 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + parent->open_flags, parent->options); + } + +- ret = bdrv_fill_options(&options, filename, &flags, &local_err); ++ ret = bdrv_fill_options(&options, filename, &flags, parse_filename, ++ &local_err); + if (ret < 0) { + goto fail; + } +@@ -4110,7 +4134,7 @@ bdrv_open_inherit(const char *filename, const char *reference, QDict *options, + + file_bs = bdrv_open_child_bs(filename, options, "file", bs, + &child_of_bds, BDRV_CHILD_IMAGE, +- true, &local_err); ++ true, true, &local_err); + if (local_err) { + goto fail; + } +@@ -4273,7 +4297,7 @@ BlockDriverState *bdrv_open(const char *filename, const char *reference, + GLOBAL_STATE_CODE(); + + return bdrv_open_inherit(filename, reference, options, flags, NULL, +- NULL, 0, errp); ++ NULL, 0, true, errp); + } + + /* Return true if the NULL-terminated @list contains @str */ +-- +2.41.0.windows.1 + diff --git a/iotests-244-Don-t-store-data-file-with-protocol-in-i.patch b/iotests-244-Don-t-store-data-file-with-protocol-in-i.patch new file mode 100644 index 0000000..604f10a --- /dev/null +++ b/iotests-244-Don-t-store-data-file-with-protocol-in-i.patch @@ -0,0 +1,52 @@ +From 905b918d99f2b60834b55f24738728ce9972ea29 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 25 Apr 2024 14:49:40 +0200 +Subject: [PATCH] iotests/244: Don't store data-file with protocol in image + (CVE-2024-4467) + +We want to disable filename parsing for data files because it's too easy +to abuse in malicious image files. Make the test ready for the change by +passing the data file explicitly in command line options. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +--- + tests/qemu-iotests/244 | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/tests/qemu-iotests/244 b/tests/qemu-iotests/244 +index 3e61fa25bb..bb9cc6512f 100755 +--- a/tests/qemu-iotests/244 ++++ b/tests/qemu-iotests/244 +@@ -215,9 +215,22 @@ $QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG" + $QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" + + # blkdebug doesn't support copy offloading, so this tests the error path +-$QEMU_IMG amend -f $IMGFMT -o "data_file=blkdebug::$TEST_IMG.data" "$TEST_IMG" +-$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$TEST_IMG" +-$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$TEST_IMG" ++test_img_with_blkdebug="json:{ ++ 'driver': 'qcow2', ++ 'file': { ++ 'driver': 'file', ++ 'filename': '$TEST_IMG' ++ }, ++ 'data-file': { ++ 'driver': 'blkdebug', ++ 'image': { ++ 'driver': 'file', ++ 'filename': '$TEST_IMG.data' ++ } ++ } ++}" ++$QEMU_IMG convert -f $IMGFMT -O $IMGFMT -n -C "$TEST_IMG.src" "$test_img_with_blkdebug" ++$QEMU_IMG compare -f $IMGFMT -F $IMGFMT "$TEST_IMG.src" "$test_img_with_blkdebug" + + echo + echo "=== Flushing should flush the data file ===" +-- +2.41.0.windows.1 + diff --git a/iotests-270-Don-t-store-data-file-with-json-prefix-i.patch b/iotests-270-Don-t-store-data-file-with-json-prefix-i.patch new file mode 100644 index 0000000..766ee8b --- /dev/null +++ b/iotests-270-Don-t-store-data-file-with-json-prefix-i.patch @@ -0,0 +1,54 @@ +From db48de0be2e1f4b476ffcaa94a4bd2c4b222f077 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 25 Apr 2024 14:49:40 +0200 +Subject: [PATCH] iotests/270: Don't store data-file with json: prefix in image + (CVE-2024-4467) + +We want to disable filename parsing for data files because it's too easy +to abuse in malicious image files. Make the test ready for the change by +passing the data file explicitly in command line options. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +--- + tests/qemu-iotests/270 | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/tests/qemu-iotests/270 b/tests/qemu-iotests/270 +index 74352342db..c37b674aa2 100755 +--- a/tests/qemu-iotests/270 ++++ b/tests/qemu-iotests/270 +@@ -60,8 +60,16 @@ _make_test_img -o cluster_size=2M,data_file="$TEST_IMG.orig" \ + # "write" 2G of data without using any space. + # (qemu-img create does not like it, though, because null-co does not + # support image creation.) +-$QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \ +- "$TEST_IMG" ++test_img_with_null_data="json:{ ++ 'driver': '$IMGFMT', ++ 'file': { ++ 'filename': '$TEST_IMG' ++ }, ++ 'data-file': { ++ 'driver': 'null-co', ++ 'size':'4294967296' ++ } ++}" + + # This gives us a range of: + # 2^31 - 512 + 768 - 1 = 2^31 + 255 > 2^31 +@@ -74,7 +82,7 @@ $QEMU_IMG amend -o data_file="json:{'driver':'null-co',,'size':'4294967296'}" \ + # on L2 boundaries, we need large L2 tables; hence the cluster size of + # 2 MB. (Anything from 256 kB should work, though, because then one L2 + # table covers 8 GB.) +-$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$TEST_IMG" | _filter_qemu_io ++$QEMU_IO -c "write 768 $((2 ** 31 - 512))" "$test_img_with_null_data" | _filter_qemu_io + + _check_test_img + +-- +2.41.0.windows.1 + diff --git a/migration-dirtyrate-Fix-segmentation-fault.patch b/migration-dirtyrate-Fix-segmentation-fault.patch new file mode 100644 index 0000000..b41a921 --- /dev/null +++ b/migration-dirtyrate-Fix-segmentation-fault.patch @@ -0,0 +1,36 @@ +From 44b6911233ea62a6a57afd90b259064fac3855ea Mon Sep 17 00:00:00 2001 +From: qihao +Date: Tue, 18 Jun 2024 09:50:38 +0800 +Subject: [PATCH] migration/dirtyrate: Fix segmentation fault + +cheery-pick from e65152d5483b2c847ec7a947ed52650152cfdcc0 + +Since the kvm_dirty_ring_enabled function accesses a null kvm_state +pointer when the KVM acceleration parameter is not specified, running +calc_dirty_rate with the -r or -b option causes a segmentation fault. + +Signed-off-by: Masato Imai +Message-ID: <20240507025010.1968881-1-mii@sfc.wide.ad.jp> +[Assert kvm_state when kvm_dirty_ring_enabled was called to fix it. - Hyman] +Signed-off-by: Hyman Huang +Signed-off-by: qihao_yewu +--- + accel/kvm/kvm-all.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/accel/kvm/kvm-all.c b/accel/kvm/kvm-all.c +index b791aad1d6..ade7841ca3 100644 +--- a/accel/kvm/kvm-all.c ++++ b/accel/kvm/kvm-all.c +@@ -2343,7 +2343,7 @@ bool kvm_vcpu_id_is_valid(int vcpu_id) + + bool kvm_dirty_ring_enabled(void) + { +- return kvm_state->kvm_dirty_ring_size ? true : false; ++ return kvm_state && kvm_state->kvm_dirty_ring_size; + } + + static void query_stats_cb(StatsResultList **result, StatsTarget target, +-- +2.41.0.windows.1 + diff --git a/qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO-CVE-202.patch b/qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO-CVE-202.patch new file mode 100644 index 0000000..7f3788e --- /dev/null +++ b/qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO-CVE-202.patch @@ -0,0 +1,108 @@ +From 1163031f9e9662c0882c986e5e76d20a7cd9d579 Mon Sep 17 00:00:00 2001 +From: Kevin Wolf +Date: Thu, 11 Apr 2024 15:06:01 +0200 +Subject: [PATCH] qcow2: Don't open data_file with BDRV_O_NO_IO (CVE-2024-4467) + +One use case for 'qemu-img info' is verifying that untrusted images +don't reference an unwanted external file, be it as a backing file or an +external data file. To make sure that calling 'qemu-img info' can't +already have undesired side effects with a malicious image, just don't +open the data file at all with BDRV_O_NO_IO. If nothing ever tries to do +I/O, we don't need to have it open. + +This changes the output of iotests case 061, which used 'qemu-img info' +to show that opening an image with an invalid data file fails. After +this patch, it succeeds. Replace this part of the test with a qemu-io +call, but keep the final 'qemu-img info' to show that the invalid data +file is correctly displayed in the output. + +Fixes: CVE-2024-4467 +Cc: qemu-stable@nongnu.org +Signed-off-by: Kevin Wolf +Reviewed-by: Eric Blake +Reviewed-by: Stefan Hajnoczi +Reviewed-by: Hanna Czenczek +--- + block/qcow2.c | 17 ++++++++++++++++- + tests/qemu-iotests/061 | 6 ++++-- + tests/qemu-iotests/061.out | 8 ++++++-- + 3 files changed, 26 insertions(+), 5 deletions(-) + +diff --git a/block/qcow2.c b/block/qcow2.c +index 13e032bd5e..7af7c0bee4 100644 +--- a/block/qcow2.c ++++ b/block/qcow2.c +@@ -1636,7 +1636,22 @@ qcow2_do_open(BlockDriverState *bs, QDict *options, int flags, + goto fail; + } + +- if (open_data_file) { ++ if (open_data_file && (flags & BDRV_O_NO_IO)) { ++ /* ++ * Don't open the data file for 'qemu-img info' so that it can be used ++ * to verify that an untrusted qcow2 image doesn't refer to external ++ * files. ++ * ++ * Note: This still makes has_data_file() return true. ++ */ ++ if (s->incompatible_features & QCOW2_INCOMPAT_DATA_FILE) { ++ s->data_file = NULL; ++ } else { ++ s->data_file = bs->file; ++ } ++ qdict_extract_subqdict(options, NULL, "data-file."); ++ qdict_del(options, "data-file"); ++ } else if (open_data_file) { + /* Open external data file */ + bdrv_graph_co_rdunlock(); + s->data_file = bdrv_co_open_child(NULL, options, "data-file", bs, +diff --git a/tests/qemu-iotests/061 b/tests/qemu-iotests/061 +index 53c7d428e3..b71ac097d1 100755 +--- a/tests/qemu-iotests/061 ++++ b/tests/qemu-iotests/061 +@@ -326,12 +326,14 @@ $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG" + echo + _make_test_img -o "compat=1.1,data_file=$TEST_IMG.data" 64M + $QEMU_IMG amend -o "data_file=foo" "$TEST_IMG" +-_img_info --format-specific ++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt ++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io + TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts + + echo + $QEMU_IMG amend -o "data_file=" --image-opts "data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" +-_img_info --format-specific ++$QEMU_IO -c "read 0 4k" "$TEST_IMG" 2>&1 | _filter_testdir | _filter_imgfmt ++$QEMU_IO -c "open -o data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" -c "read 0 4k" | _filter_qemu_io + TEST_IMG="data-file.filename=$TEST_IMG.data,file.filename=$TEST_IMG" _img_info --format-specific --image-opts + + echo +diff --git a/tests/qemu-iotests/061.out b/tests/qemu-iotests/061.out +index 139fc68177..24c33add7c 100644 +--- a/tests/qemu-iotests/061.out ++++ b/tests/qemu-iotests/061.out +@@ -545,7 +545,9 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 + qemu-img: data-file can only be set for images that use an external data file + + Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=67108864 data_file=TEST_DIR/t.IMGFMT.data +-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': Could not open 'foo': No such file or directory ++qemu-io: can't open device TEST_DIR/t.IMGFMT: Could not open 'foo': No such file or directory ++read 4096/4096 bytes at offset 0 ++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + image: TEST_DIR/t.IMGFMT + file format: IMGFMT + virtual size: 64 MiB (67108864 bytes) +@@ -560,7 +562,9 @@ Format specific information: + corrupt: false + extended l2: false + +-qemu-img: Could not open 'TEST_DIR/t.IMGFMT': 'data-file' is required for this image ++qemu-io: can't open device TEST_DIR/t.IMGFMT: 'data-file' is required for this image ++read 4096/4096 bytes at offset 0 ++4 KiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) + image: TEST_DIR/t.IMGFMT + file format: IMGFMT + virtual size: 64 MiB (67108864 bytes) +-- +2.41.0.windows.1 + diff --git a/qemu.spec b/qemu.spec index af89b3a..e87c1d2 100644 --- a/qemu.spec +++ b/qemu.spec @@ -3,7 +3,7 @@ Name: qemu Version: 8.2.0 -Release: 14 +Release: 15 Epoch: 11 Summary: QEMU is a generic and open source machine emulator and virtualizer License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 @@ -276,6 +276,12 @@ Patch0259: ui-gtk-Fix-mouse-motion-event-scaling-issue-with-GTK.patch Patch0260: target-i386-Add-Hygon-Dhyana-v3-CPU-model.patch Patch0261: target-i386-Add-new-Hygon-Dharma-CPU-model.patch Patch0262: target-riscv-cpu.c-fix-Zvkb-extension-config.patch +Patch0263: target-hexagon-idef-parser-fix-leak-of-init_list.patch +Patch0264: migration-dirtyrate-Fix-segmentation-fault.patch +Patch0265: qcow2-Don-t-open-data_file-with-BDRV_O_NO_IO-CVE-202.patch +Patch0266: iotests-244-Don-t-store-data-file-with-protocol-in-i.patch +Patch0267: iotests-270-Don-t-store-data-file-with-json-prefix-i.patch +Patch0268: block-Parse-filenames-only-when-explicitly-requested.patch BuildRequires: flex BuildRequires: gcc @@ -873,6 +879,14 @@ getent passwd qemu >/dev/null || \ %endif %changelog +* Thu Jul 11 2024 Jiabo Feng - 11:8.2.0-15 +- block: Parse filenames only when explicitly requested (CVE-2024-4467) +- iotests/270: Don't store data-file with json: prefix in image (CVE-2024-4467) +- iotests/244: Don't store data-file with protocol in image (CVE-2024-4467) +- qcow2: Don't open data_file with BDRV_O_NO_IO (CVE-2024-4467) +- migration/dirtyrate: Fix segmentation fault +- target/hexagon: idef-parser fix leak of init_list + * Sat Jun 15 2024 Jiabo Feng - 11:8.2.0-14 - target/riscv/cpu.c: fix Zvkb extension config - target/i386: Add new Hygon 'Dharma' CPU model diff --git a/target-hexagon-idef-parser-fix-leak-of-init_list.patch b/target-hexagon-idef-parser-fix-leak-of-init_list.patch new file mode 100644 index 0000000..dae4443 --- /dev/null +++ b/target-hexagon-idef-parser-fix-leak-of-init_list.patch @@ -0,0 +1,50 @@ +From c36b2fb64446013ce8ded7f6bca5787795a17de1 Mon Sep 17 00:00:00 2001 +From: qihao +Date: Thu, 13 Jun 2024 10:31:49 +0800 +Subject: [PATCH] target/hexagon: idef-parser fix leak of init_list cheery-pick + from 95408ad8e24c4364086f185285039e89927dad6c + +gen_inst_init_args() is called for instructions using a predicate as an +rvalue. Upon first call, the list of arguments which might need +initialization init_list is freed to indicate that they have been +processed. For instructions without an rvalue predicate, +gen_inst_init_args() isn't called and init_list will never be freed. + +Free init_list from free_instruction() if it hasn't already been freed. +A comment in free_instruction is also updated. + +Signed-off-by: Anton Johansson +Reviewed-by: Taylor Simpson +Reviewed-by: Brian Cain +Message-Id: <20240523125901.27797-4-anjo@rev.ng> +Signed-off-by: Brian Cain +Signed-off-by: qihao_yewu +--- + target/hexagon/idef-parser/parser-helpers.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/target/hexagon/idef-parser/parser-helpers.c b/target/hexagon/idef-parser/parser-helpers.c +index 4af020933a..a83099de6b 100644 +--- a/target/hexagon/idef-parser/parser-helpers.c ++++ b/target/hexagon/idef-parser/parser-helpers.c +@@ -2123,9 +2123,16 @@ void free_instruction(Context *c) + g_string_free(g_array_index(c->inst.strings, GString*, i), TRUE); + } + g_array_free(c->inst.strings, TRUE); ++ /* ++ * Free list of arguments that might need initialization, if they haven't ++ * already been freed. ++ */ ++ if (c->inst.init_list) { ++ g_array_free(c->inst.init_list, TRUE); ++ } + /* Free INAME token value */ + g_string_free(c->inst.name, TRUE); +- /* Free variables and registers */ ++ /* Free declared TCGv variables */ + g_array_free(c->inst.allocated, TRUE); + /* Initialize instruction-specific portion of the context */ + memset(&(c->inst), 0, sizeof(Inst)); +-- +2.41.0.windows.1 + -- Gitee