diff --git a/0002-linux-user-make-pwrite64-pread64-fd-NULL-0-offset-re.patch b/0002-linux-user-make-pwrite64-pread64-fd-NULL-0-offset-re.patch
new file mode 100644
index 0000000..77b0ca8
--- /dev/null
+++ b/0002-linux-user-make-pwrite64-pread64-fd-NULL-0-offset-re.patch
@@ -0,0 +1,67 @@
+From: Peter Maydell
+Date: Tue, 8 Jan 2019 18:49:00 +0000
+Subject: [PATCH] linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return
+ 0
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Linux returns success if pwrite64() or pread64() are called with a
+zero length NULL buffer, but QEMU was returning -TARGET_EFAULT.
+
+This is the same bug that we fixed in commit 58cfa6c2e6eb51b23cc9
+for the write syscall, and long before that in 38d840e6790c29f59
+for the read syscall.
+
+Fixes: https://bugs.launchpad.net/qemu/+bug/1810433
+
+Signed-off-by: Peter Maydell
+Reviewed-by: Laurent Vivier
+Reviewed-by: Philippe Mathieu-Daudé
+Message-Id: <20190108184900.9654-1-peter.maydell@linaro.org>
+Signed-off-by: Laurent Vivier
+(cherry picked from commit 2bd3f8998e1e7dcd9afc29fab252fb9936f9e956)
+---
+ linux-user/syscall.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 280137da8c..b13a170e52 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -9677,8 +9677,15 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
+ arg4 = arg5;
+ arg5 = arg6;
+ }
+- if (!(p = lock_user(VERIFY_WRITE, arg2, arg3, 0)))
+- return -TARGET_EFAULT;
++ if (arg2 == 0 && arg3 == 0) {
++ /* Special-case NULL buffer and zero length, which should succeed */
++ p = 0;
++ } else {
++ p = lock_user(VERIFY_WRITE, arg2, arg3, 0);
++ if (!p) {
++ return -TARGET_EFAULT;
++ }
++ }
+ ret = get_errno(pread64(arg1, p, arg3, target_offset64(arg4, arg5)));
+ unlock_user(p, arg2, ret);
+ return ret;
+@@ -9687,8 +9694,15 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_long arg1,
+ arg4 = arg5;
+ arg5 = arg6;
+ }
+- if (!(p = lock_user(VERIFY_READ, arg2, arg3, 1)))
+- return -TARGET_EFAULT;
++ if (arg2 == 0 && arg3 == 0) {
++ /* Special-case NULL buffer and zero length, which should succeed */
++ p = 0;
++ } else {
++
p = lock_user(VERIFY_READ, arg2, arg3, 1); ++ if (!p) { ++ return -TARGET_EFAULT; ++ } ++ } + ret = get_errno(pwrite64(arg1, p, arg3, target_offset64(arg4, arg5))); + unlock_user(p, arg2, 0); + return ret; diff --git a/0003-gluster-Handle-changed-glfs_ftruncate-signature.patch b/0003-gluster-Handle-changed-glfs_ftruncate-signature.patch new file mode 100644 index 0000000..97a06c4 --- /dev/null +++ b/0003-gluster-Handle-changed-glfs_ftruncate-signature.patch 
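Review bot: `p = 0;` in both new special-case branches assigns an integer literal to a pointer; `p = NULL;` is the C idiom and makes the intent (no host mapping was taken) explicit, the same applies in the pwrite64 hunk at 9694. The following `unlock_user(p, arg2, ret)` is then reached with a null host pointer, so the change relies on unlock_user() tolerating NULL; that contract is not visible in the hunk and deserves a short comment on the assignment, e.g. `/* nothing locked: unlock_user() must tolerate a NULL host pointer */`. do_syscall1()'s body continues far outside the hunk.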
@@ -0,0 +1,77 @@ +From: Prasanna Kumar Kalever +Date: Tue, 5 Mar 2019 16:46:33 +0100 +Subject: [PATCH] gluster: Handle changed glfs_ftruncate signature + +New versions of Glusters libgfapi.so have an updated glfs_ftruncate() +function that returns additional 'struct stat' structures to enable +advanced caching of attributes. This is useful for file servers, not so +much for QEMU. Nevertheless, the API has changed and needs to be +adopted. + +Signed-off-by: Prasanna Kumar Kalever +Signed-off-by: Niels de Vos +Signed-off-by: Kevin Wolf +(cherry picked from commit e014dbe74e0484188164c61ff6843f8a04a8cb9d) +--- + block/gluster.c | 4 ++++ + configure | 18 ++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/block/gluster.c b/block/gluster.c +index 5e300c96c8..c466a56b1c 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -20,6 +20,10 @@ + #include "qemu/option.h" + #include "qemu/cutils.h" + ++#ifdef CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT ++# define glfs_ftruncate(fd, offset) glfs_ftruncate(fd, offset, NULL, NULL) ++#endif ++ + #define GLUSTER_OPT_FILENAME "filename" + #define GLUSTER_OPT_VOLUME "volume" + #define GLUSTER_OPT_PATH "path" +diff --git a/configure b/configure +index 0a3c6a72c3..02e444fb88 100755 +--- a/configure ++++ b/configure +@@ -453,6 +453,7 @@ glusterfs_xlator_opt="no" + glusterfs_discard="no" + glusterfs_fallocate="no" + glusterfs_zerofill="no" ++glusterfs_ftruncate_has_stat="no" + gtk="" + gtk_gl="no" + tls_priority="NORMAL" +@@ -3982,6 +3983,19 @@ if test "$glusterfs" != "no" ; then + glusterfs_fallocate="yes" + glusterfs_zerofill="yes" + fi ++ cat > $TMPC << EOF ++#include ++ ++int ++main(void) ++{ ++ /* new glfs_ftruncate() passes two additional args */ ++ return glfs_ftruncate(NULL, 0, NULL, NULL); ++} ++EOF ++ if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then ++ glusterfs_ftruncate_has_stat="yes" ++ fi + else + if test "$glusterfs" = "yes" ; then + feature_not_found "GlusterFS backend support" \ +@@ -6735,6 
+6749,10 @@ if test "$glusterfs_zerofill" = "yes" ; then + echo "CONFIG_GLUSTERFS_ZEROFILL=y" >> $config_host_mak + fi + ++if test "$glusterfs_ftruncate_has_stat" = "yes" ; then ++ echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak ++fi ++ + if test "$libssh2" = "yes" ; then + echo "CONFIG_LIBSSH2=m" >> $config_host_mak + echo "LIBSSH2_CFLAGS=$libssh2_cflags" >> $config_host_mak diff --git a/0004-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch b/0004-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch new file mode 100644 index 0000000..4eb5dd4 --- /dev/null +++ b/0004-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch 
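Review bot: The `glfs_ftruncate` wrapper macro added to block/gluster.c carries no comment explaining why the two extra arguments are NULL, and a reader of gluster.c cannot see the configure probe that defines `CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT`; adding `/* Gluster 6 glfs_ftruncate() takes pre/post struct stat out-params; QEMU has no use for them */` above the `# define` would close that gap. A function-like macro with the same name as a library function must be defined only after the header declaring that function has been included, otherwise the four-argument prototype itself gets macro-expanded and fails to compile; whether the gluster header is included before line 20 is not visible in this hunk. In the configure probe the `#include` line shows no header name in this copy, most likely an angle-bracket path lost in rendering, so the committed patch file should be checked to be intact.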
@@ -0,0 +1,88 @@ +From: Niels de Vos +Date: Tue, 5 Mar 2019 16:46:34 +0100 +Subject: [PATCH] gluster: the glfs_io_cbk callback function pointer adds + pre/post stat args + +The glfs_*_async() functions do a callback once finished. This callback +has changed its arguments, pre- and post-stat structures have been +added. This makes it possible to improve caching, which is useful for +Samba and NFS-Ganesha, but not so much for QEMU. Gluster 6 is the first +release that includes these new arguments. + +With an additional detection in ./configure, the new arguments can +conditionally get included in the glfs_io_cbk handler. + +Signed-off-by: Niels de Vos +Signed-off-by: Kevin Wolf +(cherry picked from commit 0e3b891fefacc0e49f3c8ffa3a753b69eb7214d2) +--- + block/gluster.c | 6 +++++- + configure | 24 ++++++++++++++++++++++++ + 2 files changed, 29 insertions(+), 1 deletion(-) + +diff --git a/block/gluster.c b/block/gluster.c +index c466a56b1c..58011b954c 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -729,7 +729,11 @@ static struct glfs *qemu_gluster_init(BlockdevOptionsGluster *gconf, + /* + * AIO callback routine called from GlusterFS thread. 
+ */ +-static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, void *arg) ++static void gluster_finish_aiocb(struct glfs_fd *fd, ssize_t ret, ++#ifdef CONFIG_GLUSTERFS_IOCB_HAS_STAT ++ struct glfs_stat *pre, struct glfs_stat *post, ++#endif ++ void *arg) + { + GlusterAIOCB *acb = (GlusterAIOCB *)arg; + +diff --git a/configure b/configure +index 02e444fb88..3ff6337a78 100755 +--- a/configure ++++ b/configure +@@ -454,6 +454,7 @@ glusterfs_discard="no" + glusterfs_fallocate="no" + glusterfs_zerofill="no" + glusterfs_ftruncate_has_stat="no" ++glusterfs_iocb_has_stat="no" + gtk="" + gtk_gl="no" + tls_priority="NORMAL" +@@ -3996,6 +3997,25 @@ EOF + if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then + glusterfs_ftruncate_has_stat="yes" + fi ++ cat > $TMPC << EOF ++#include ++ ++/* new glfs_io_cbk() passes two additional glfs_stat structs */ ++static void ++glusterfs_iocb(glfs_fd_t *fd, ssize_t ret, struct glfs_stat *prestat, struct glfs_stat *poststat, void *data) ++{} ++ ++int ++main(void) ++{ ++ glfs_io_cbk iocb = &glusterfs_iocb; ++ iocb(NULL, 0 , NULL, NULL, NULL); ++ return 0; ++} ++EOF ++ if compile_prog "$glusterfs_cflags" "$glusterfs_libs" ; then ++ glusterfs_iocb_has_stat="yes" ++ fi + else + if test "$glusterfs" = "yes" ; then + feature_not_found "GlusterFS backend support" \ +@@ -6753,6 +6773,10 @@ if test "$glusterfs_ftruncate_has_stat" = "yes" ; then + echo "CONFIG_GLUSTERFS_FTRUNCATE_HAS_STAT=y" >> $config_host_mak + fi + ++if test "$glusterfs_iocb_has_stat" = "yes" ; then ++ echo "CONFIG_GLUSTERFS_IOCB_HAS_STAT=y" >> $config_host_mak ++fi ++ + if test "$libssh2" = "yes" ; then + echo "CONFIG_LIBSSH2=m" >> $config_host_mak + echo "LIBSSH2_CFLAGS=$libssh2_cflags" >> $config_host_mak diff --git a/0005-pvrdma-release-device-resources-in-case-of-an-error.patch b/0005-pvrdma-release-device-resources-in-case-of-an-error.patch new file mode 100644 index 0000000..22addf7 --- /dev/null 
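Review bot: The `pre`/`post` parameters added to gluster_finish_aiocb() under `CONFIG_GLUSTERFS_IOCB_HAS_STAT` are never read in the visible part of the body (the function continues outside the hunk), and nothing in the signature says they are deliberately ignored; a comment on the `#ifdef` line such as `/* pre/post stat arguments are unused: QEMU does no attribute caching */` would record that. If `-Wunused-parameter` is in effect for this build they will warn, which may be acceptable under QEMU's warning set, but `(void)pre; (void)post;` inside a matching `#ifdef` in the body would make the intent compiler-visible. In the configure probe, `iocb(NULL, 0 , NULL, NULL, NULL);` has a stray space before the second comma.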
+++ b/0005-pvrdma-release-device-resources-in-case-of-an-error.patch @@ -0,0 +1,39 @@ +From: Prasad J Pandit +Date: Wed, 12 Dec 2018 23:28:17 +0530 +Subject: [PATCH] pvrdma: release device resources in case of an error + +If during pvrdma device initialisation an error occurs, +pvrdma_realize() does not release memory resources, leading +to memory leakage. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <20181212175817.815-1-ppandit@redhat.com> +Reviewed-by: Yuval Shaia +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit cce648613bc802be1b894227f7fd94d88476ea07) +--- + hw/rdma/vmw/pvrdma_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index ca5fa8d981..34d8cc4694 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -572,7 +572,7 @@ static int pvrdma_check_ram_shared(Object *obj, void *opaque) + + static void pvrdma_realize(PCIDevice *pdev, Error **errp) + { +- int rc; ++ int rc = 0; + PVRDMADev *dev = PVRDMA_DEV(pdev); + Object *memdev_root; + bool ram_shared = false; +@@ -632,6 +632,7 @@ static void pvrdma_realize(PCIDevice *pdev, Error **errp) + + out: + if (rc) { ++ pvrdma_fini(pdev); + error_append_hint(errp, "Device fail to load\n"); + } + } diff --git a/0006-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC.patch b/0006-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC.patch new file mode 100644 index 0000000..d8e5dca --- /dev/null +++ b/0006-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC.patch 
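Review bot: `pvrdma_fini(pdev)` is now called from `out:` for every failure point of pvrdma_realize(), including ones reached before later initialisation steps have run, so it must tolerate a partially initialised device (null pointers, memory regions never registered); whether it does cannot be seen here, the bulk of pvrdma_realize() lying outside the hunk. A comment on the call stating that contract would help, e.g. `/* rc != 0: undo whatever init completed; pvrdma_fini() must cope with partial state */`. Initialising `rc = 0` also turns `if (rc)` into a defined test on paths that previously jumped to `out:` without setting rc, which is presumably the intent but is worth a word in the commit message.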
@@ -0,0 +1,77 @@ +From: Gerd Hoffmann +Date: Thu, 13 Dec 2018 13:25:11 +0100 +Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC. + +Open files and directories with O_NOFOLLOW to avoid symlinks attacks. +While being at it also add O_CLOEXEC. + +usb-mtp only handles regular files and directories and ignores +everything else, so users should not see a difference. + +Because qemu ignores symlinks, carrying out a successful symlink attack +requires swapping an existing file or directory below rootdir for a +symlink and winning the race against the inotify notification to qemu. + +Fixes: CVE-2018-16872 +Cc: Prasad J Pandit +Cc: Bandan Das +Reported-by: Michael Hanselmann +Signed-off-by: Gerd Hoffmann +Reviewed-by: Michael Hanselmann +Message-id: 20181213122511.13853-1-kraxel@redhat.com +(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1) +--- + hw/usb/dev-mtp.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c +index 100b7171f4..36c43b8c20 100644 +--- a/hw/usb/dev-mtp.c ++++ b/hw/usb/dev-mtp.c +@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) + { + struct dirent *entry; + DIR *dir; ++ int fd; + + if (o->have_children) { + return; + } + o->have_children = true; + +- dir = opendir(o->path); ++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); ++ if (fd < 0) { ++ return; ++ } ++ dir = fdopendir(fd); + if (!dir) { + return; + } +@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, + + trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); + +- d->fd = open(o->path, O_RDONLY); ++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); + if (d->fd == -1) { + usb_mtp_data_free(d); + return NULL; +@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, + c->argv[1], c->argv[2]); + + d = usb_mtp_data_alloc(c); +- d->fd = open(o->path, O_RDONLY); ++ d->fd = open(o->path, 
O_RDONLY | O_CLOEXEC | O_NOFOLLOW); + if (d->fd == -1) { + usb_mtp_data_free(d); + return NULL; +@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s) + 0, 0, 0, 0); + goto done; + } +- d->fd = open(path, O_CREAT | O_WRONLY, mask); ++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); + if (d->fd == -1) { + usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, + 0, 0, 0, 0); diff --git a/0007-pvrdma-add-uar_read-routine.patch b/0007-pvrdma-add-uar_read-routine.patch new file mode 100644 index 0000000..ffe7575 --- /dev/null +++ b/0007-pvrdma-add-uar_read-routine.patch @@ -0,0 +1,39 @@ +From: Prasad J Pandit +Date: Thu, 13 Dec 2018 01:00:35 +0530 +Subject: [PATCH] pvrdma: add uar_read routine + +Define skeleton 'uar_read' routine. Avoid NULL dereference. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Marcel Apfelbaum +Signed-off-by: Marcel Apfelbaum +(cherry picked from commit 2aa86456fb938a11f2b7bd57c8643c213218681c) +--- + hw/rdma/vmw/pvrdma_main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c +index 34d8cc4694..c9d9631769 100644 +--- a/hw/rdma/vmw/pvrdma_main.c ++++ b/hw/rdma/vmw/pvrdma_main.c +@@ -455,6 +455,11 @@ static const MemoryRegionOps regs_ops = { + }, + }; + ++static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ return 0xffffffff; ++} ++ + static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) + { + PVRDMADev *dev = opaque; +@@ -496,6 +501,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size) + } + + static const MemoryRegionOps uar_ops = { ++ .read = uar_read, + .write = uar_write, + .endianness = DEVICE_LITTLE_ENDIAN, + .impl = { diff --git a/0008-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch b/0008-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch new file mode 100644 index 0000000..9f3cd20 --- /dev/null 
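Review bot: In usb_mtp_object_readdir() the new `fd` is leaked when `fdopendir(fd)` fails: `if (!dir) { return; }` returns without closing it, so it should read `if (!dir) { close(fd); return; }`. `O_NOFOLLOW` only refuses a symlink as the final path component; a symlink substituted for a parent directory inside `o->path` is still followed, which the commit message's race note acknowledges, and the other three open() sites at 1015, 1039 and 1666 share that property, so a short comment at the first site saying the guard is last-component-only would stop readers over-trusting it. The function bodies at all four sites continue outside the hunks.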
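Review bot: uar_read() returns the constant `0xffffffff` with no comment on why, and for an 8-byte access the upper half would read as zero; the `.impl` block that constrains access sizes is cut off in the hunk, so whether 8-byte reads can reach this callback cannot be confirmed here. A comment such as `/* UAR is a write-only doorbell area; reads return all-ones like an unmapped BAR */` would document the intent, assuming that is the device's intended semantics. The unused `opaque`, `addr` and `size` parameters are expected for a MemoryRegionOps read callback and need no change.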
+++ b/0008-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch 
@@ -0,0 +1,67 @@ +From: Paolo Bonzini +Date: Fri, 11 Jan 2019 17:27:31 +0100 +Subject: [PATCH] scsi-generic: avoid possible out-of-bounds access to r->buf + +Whenever the allocation length of a SCSI request is shorter than the size of the +VPD page list, page_idx is used blindly to index into r->buf. Even though +the stores in the insertion sort are protected against overflows, the same is not +true of the reads and the final store of 0xb0. + +This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid +out-of-bounds access to VPD page list", 2018-11-06), except that here the +allocation length can be chosen by the guest. Note that according to the SCSI +standard, the contents of the PAGE LENGTH field are not altered based +on the allocation length. + +The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD +page list sorted", 2018-11-06) but the overflow was already possible before. + +Reported-by: Kevin Wolf +Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5 +Signed-off-by: Paolo Bonzini +(cherry picked from commit e909ff93698851777faac3c45d03c1b73f311ea6) +--- + hw/scsi/scsi-generic.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c +index 7237b4162e..42700e8897 100644 +--- a/hw/scsi/scsi-generic.c ++++ b/hw/scsi/scsi-generic.c +@@ -182,7 +182,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s) + /* Also take care of the opt xfer len. */ + stl_be_p(&r->buf[12], + MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12]))); +- } else if (s->needs_vpd_bl_emulation && page == 0x00) { ++ } else if (s->needs_vpd_bl_emulation && page == 0x00 && r->buflen >= 4) { + /* + * Now we're capable of supplying the VPD Block Limits + * response if the hardware can't. Add it in the INQUIRY +@@ -193,18 +193,20 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s) + * and will use it to proper setup the SCSI device. 
+ * + * VPD page numbers must be sorted, so insert 0xb0 at the +- * right place with an in-place insert. After the initialization +- * part of the for loop is executed, the device response is +- * at r[0] to r[page_idx - 1]. ++ * right place with an in-place insert. When the while loop ++ * begins the device response is at r[0] to r[page_idx - 1]. + */ +- for (page_idx = lduw_be_p(r->buf + 2) + 4; +- page_idx > 4 && r->buf[page_idx - 1] >= 0xb0; +- page_idx--) { ++ page_idx = lduw_be_p(r->buf + 2) + 4; ++ page_idx = MIN(page_idx, r->buflen); ++ while (page_idx > 4 && r->buf[page_idx - 1] >= 0xb0) { + if (page_idx < r->buflen) { + r->buf[page_idx] = r->buf[page_idx - 1]; + } ++ page_idx--; ++ } ++ if (page_idx < r->buflen) { ++ r->buf[page_idx] = 0xb0; + } +- r->buf[page_idx] = 0xb0; + stw_be_p(r->buf + 2, lduw_be_p(r->buf + 2) + 1); + } + } diff --git a/0009-slirp-check-data-length-while-emulating-ident-functi.patch b/0009-slirp-check-data-length-while-emulating-ident-functi.patch new file mode 100644 index 0000000..2fdca36 --- /dev/null +++ b/0009-slirp-check-data-length-while-emulating-ident-functi.patch 
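Review bot: After `page_idx = MIN(page_idx, r->buflen);` every `r->buf[page_idx - 1]` read in the while loop stays in bounds, but that invariant is what the whole fix rests on and it is only implied; a comment on the MIN line such as `/* page_idx <= buflen from here on: all r->buf[] accesses below stay in bounds even when the guest's allocation length truncates the list */` would state it. The final `stw_be_p(r->buf + 2, ...)` still bumps PAGE LENGTH when the `if (page_idx < r->buflen)` guard skipped storing 0xb0; the commit message says the SCSI standard requires this, so a one-line comment at that store would keep a future reader from "fixing" it. The enclosing function extends outside the hunk.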
@@ -0,0 +1,32 @@ +From: Prasad J Pandit +Date: Sun, 13 Jan 2019 23:29:48 +0530 +Subject: [PATCH] slirp: check data length while emulating ident function + +While emulating identification protocol, tcp_emu() does not check +available space in the 'sc_rcv->sb_data' buffer. It could lead to +heap buffer overflow issue. Add check to avoid it. + +Reported-by: Kira <864786842@qq.com> +Signed-off-by: Prasad J Pandit +Signed-off-by: Samuel Thibault +(cherry picked from commit a7104eda7dab99d0cdbd3595c211864cba415905) +--- + slirp/tcp_subr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c +index fa61349cbb..c41a683988 100644 +--- a/slirp/tcp_subr.c ++++ b/slirp/tcp_subr.c +@@ -635,6 +635,11 @@ tcp_emu(struct socket *so, struct mbuf *m) + socklen_t addrlen = sizeof(struct sockaddr_in); + struct sbuf *so_rcv = &so->so_rcv; + ++ if (m->m_len > so_rcv->sb_datalen ++ - (so_rcv->sb_wptr - so_rcv->sb_data)) { ++ return 1; ++ } ++ + memcpy(so_rcv->sb_wptr, m->m_data, m->m_len); + so_rcv->sb_wptr += m->m_len; + so_rcv->sb_rptr += m->m_len; diff --git a/0010-i2c-ddc-fix-oob-read.patch b/0010-i2c-ddc-fix-oob-read.patch new file mode 100644 index 0000000..f177da6 --- /dev/null +++ b/0010-i2c-ddc-fix-oob-read.patch 
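Review bot: The new bound compares `m->m_len` with `sb_datalen - (sb_wptr - sb_data)`, mixing an int length, the buffer length and a ptrdiff_t; if `sb_datalen` is unsigned (the types are not visible in the hunk) the comparison is done unsigned and a negative m_len would pass it, so `if (m->m_len < 0 || ...)` or an explicit cast is worth considering. The quantity checked is the linear space from `sb_wptr` to the end of `sb_data`, which is exactly what the following `memcpy` writes into, not the circular buffer's total free space; a comment such as `/* bound the linear tail from sb_wptr, the region memcpy() below writes */` would prevent a later rewrite in terms of the ring's free count. Whether `return 1` leaves the caller forwarding the unmodified segment cannot be determined here, as tcp_emu() continues outside the hunk.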
@@ -0,0 +1,30 @@ +From: Gerd Hoffmann +Date: Tue, 8 Jan 2019 11:23:01 +0100 +Subject: [PATCH] i2c-ddc: fix oob read +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Suggested-by: Michael Hanselmann +Signed-off-by: Gerd Hoffmann +Reviewed-by: Michael Hanselmann +Reviewed-by: Philippe Mathieu-Daudé +Message-id: 20190108102301.1957-1-kraxel@redhat.com +(cherry picked from commit b05b267840515730dbf6753495d5b7bd8b04ad1c) +--- + hw/i2c/i2c-ddc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c +index be34fe072c..0a0367ff38 100644 +--- a/hw/i2c/i2c-ddc.c ++++ b/hw/i2c/i2c-ddc.c +@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c) + I2CDDCState *s = I2CDDC(i2c); + + int value; +- value = s->edid_blob[s->reg]; ++ value = s->edid_blob[s->reg % sizeof(s->edid_blob)]; + s->reg++; + return value; + } diff --git a/qemu.spec b/qemu.spec index c7e786b..2473b4b 100644 --- a/qemu.spec +++ b/qemu.spec @@ -147,7 +147,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 3.1.0 -Release: 4%{?rcrel}%{?dist}.3 +Release: 5%{?rcrel}%{?dist} Epoch: 2 License: GPLv2 and BSD and MIT and CC-BY URL: http://www.qemu.org/ 
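Review bot: `s->reg % sizeof(s->edid_blob)` bounds the index correctly only if `edid_blob` is an array member of I2CDDCState; if it were a pointer, sizeof would yield the pointer size and the read would silently be confined to the first few bytes. The struct definition is not in the hunk, so this should be confirmed, and a comment `/* edid_blob is an in-struct array, so sizeof gives the blob length */` would pin the assumption for the next reader. `s->reg++` remains unbounded afterwards; the modulo makes that harmless, but noting it on the increment line avoids a second look.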
@@ -171,8 +171,27 @@ Source20: kvm-x86.modprobe.conf # /etc/security/limits.d/95-kvm-ppc64-memlock.conf Source21: 95-kvm-ppc64-memlock.conf -# Good ol' keymap 86 still messin with us -Patch0: 0001-Remove-problematic-evdev-86-key-from-en-us-keymap.patch +# Restore patch to drop phantom 86 key from en-us keymap (bz #1658676) +Patch0001: 0001-Remove-problematic-evdev-86-key-from-en-us-keymap.patch +# linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 (bz +# #1174267) +Patch0002: 0002-linux-user-make-pwrite64-pread64-fd-NULL-0-offset-re.patch +# Fix build with latest gluster (bz #1684298) +Patch0003: 0003-gluster-Handle-changed-glfs_ftruncate-signature.patch +Patch0004: 0004-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch +# CVE-2018-20123: pvrdma: memory leakage in device hotplug (bz #1658964) +Patch0005: 0005-pvrdma-release-device-resources-in-case-of-an-error.patch +# CVE-2018-16872: usb-mtp: path traversal issue (bz #1659150) +Patch0006: 0006-usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC.patch +# CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz #1660315) +Patch0007: 0007-pvrdma-add-uar_read-routine.patch +# CVE-2019-6501: scsi-generic: possible OOB access (bz #1669005) +Patch0008: 0008-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch +# CVE-2019-6778: slirp: heap buffer overflow (bz #1669072) +Patch0009: 0009-slirp-check-data-length-while-emulating-ident-functi.patch +# CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c allows for memory +# disclosure (bz #1678081) +Patch0010: 0010-i2c-ddc-fix-oob-read.patch @@ -917,7 +936,6 @@ run_configure() { --with-pkgversion=%{name}-%{version}-%{release} \ --disable-strip \ --disable-werror \ - --disable-glusterfs \ --enable-kvm \ --python=/usr/bin/python3 \ %ifarch s390 %{mips64} 
@@ -1663,6 +1681,18 @@ getent passwd qemu >/dev/null || \ %changelog +* Thu Mar 21 2019 Cole Robinson - 2:3.1.0-5 +- linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 (bz + #1174267) +- Fix build with latest gluster (bz #1684298) +- CVE-2018-20123: pvrdma: memory leakage in device hotplug (bz #1658964) +- CVE-2018-16872: usb-mtp: path traversal issue (bz #1659150) +- CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz #1660315) +- CVE-2019-6501: scsi-generic: possible OOB access (bz #1669005) +- CVE-2019-6778: slirp: heap buffer overflow (bz #1669072) +- CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c allows for memory + disclosure (bz #1678081) + * Sun Mar 03 2019 Cole Robinson - 2:3.1.0-4.3 - Temporarily disable glusterfs (bz #1684298)