diff --git a/0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch b/0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch
new file mode 100644
index 0000000..cfa0f91
--- /dev/null
+++ b/0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch
@@ -0,0 +1,61 @@ +From: Paolo Bonzini +Date: Wed, 3 Jun 2015 14:21:20 +0200 +Subject: [PATCH] atomics: add explicit compiler fence in __atomic memory + barriers + +__atomic_thread_fence does not include a compiler barrier; in the +C++11 memory model, fences take effect in combination with other +atomic operations. GCC implements this by making __atomic_load and +__atomic_store access memory as if the pointer was volatile, and +leaves no trace whatsoever of acquire and release fences in the +compiler's intermediate representation. + +In QEMU, we want memory barriers to act on all memory, but at the same +time we would like to use __atomic_thread_fence for portability reasons. +Add compiler barriers manually around the __atomic_thread_fence. + +Message-Id: <1433334080-14912-1-git-send-email-pbonzini@redhat.com> +Reviewed-by: Stefan Hajnoczi +Signed-off-by: Paolo Bonzini +(cherry picked from commit 3bbf572345c65813f86a8fc434ea1b23beb08e16) +--- + include/qemu/atomic.h | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h +index 98e05ca..bd2c075 100644 +--- a/include/qemu/atomic.h ++++ b/include/qemu/atomic.h +@@ -99,7 +99,13 @@ + + #ifndef smp_wmb + #ifdef __ATOMIC_RELEASE +-#define smp_wmb() __atomic_thread_fence(__ATOMIC_RELEASE) ++/* __atomic_thread_fence does not include a compiler barrier; instead, ++ * the barrier is part of __atomic_load/__atomic_store's "volatile-like" ++ * semantics. If smp_wmb() is a no-op, absence of the barrier means that ++ * the compiler is free to reorder stores on each side of the barrier. ++ * Add one here, and similarly in smp_rmb() and smp_read_barrier_depends(). 
++ */ ++#define smp_wmb() ({ barrier(); __atomic_thread_fence(__ATOMIC_RELEASE); barrier(); }) + #else + #define smp_wmb() __sync_synchronize() + #endif +@@ -107,7 +113,7 @@ + + #ifndef smp_rmb + #ifdef __ATOMIC_ACQUIRE +-#define smp_rmb() __atomic_thread_fence(__ATOMIC_ACQUIRE) ++#define smp_rmb() ({ barrier(); __atomic_thread_fence(__ATOMIC_ACQUIRE); barrier(); }) + #else + #define smp_rmb() __sync_synchronize() + #endif +@@ -115,7 +121,7 @@ + + #ifndef smp_read_barrier_depends + #ifdef __ATOMIC_CONSUME +-#define smp_read_barrier_depends() __atomic_thread_fence(__ATOMIC_CONSUME) ++#define smp_read_barrier_depends() ({ barrier(); __atomic_thread_fence(__ATOMIC_CONSUME); barrier(); }) + #else + #define smp_read_barrier_depends() barrier() + #endif diff --git a/0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch b/0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch new file mode 100644 index 0000000..8188465 --- /dev/null +++ b/0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch 
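Review bot: The new comment explains why `barrier()` now surrounds `__atomic_thread_fence`, but says nothing about why the `#else` arms (`__sync_synchronize()`) are left alone; since `__sync_synchronize()` is documented as a full memory barrier and acts as a compiler barrier as well, a closing sentence such as `The __sync_synchronize() fallback is a full barrier and already acts as a compiler barrier.` would spare the next reader checking that. The `({ ... })` statement-expression form is a GCC extension, which is acceptable here because it sits under the same `#ifdef __ATOMIC_*` guard that already assumes GCC-style builtins. Whether smp_mb(), defined above this hunk, carries the same barrier() pair is outside the visible lines and worth confirming.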
@@ -0,0 +1,40 @@ +From: Paolo Bonzini +Date: Mon, 12 Oct 2015 11:50:27 +0200 +Subject: [PATCH] target-i386: fix pcmpxstrx equal-ordered (strstr) mode + +In this mode, referring an invalid element of the source forces the +result to false (table 4-7, last column) but referring an invalid +element of the destination forces the result to true, so the outer +loop should still be run even if some elements of the destination +will be invalid. They will be avoided in the inner loop, which +correctly bounds "i" to validd, but they will still contribute to a +positive outcome of the search. + +This fixes tst_strstr in glibc 2.17. + +Reported-by: Florian Weimer +Cc: Richard Henderson +Cc: Eduardo Habkost +Signed-off-by: Paolo Bonzini +(cherry picked from commit 54c54f8b56047d3c2420e1ae06a6a8890c220ac4) +--- + target-i386/ops_sse.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/target-i386/ops_sse.h b/target-i386/ops_sse.h +index 0765073..34eb141 100644 +--- a/target-i386/ops_sse.h ++++ b/target-i386/ops_sse.h +@@ -2037,10 +2037,10 @@ static inline unsigned pcmpxstrx(CPUX86State *env, Reg *d, Reg *s, + } + break; + case 3: +- for (j = valids - validd; j >= 0; j--) { ++ for (j = valids; j >= 0; j--) { + res <<= 1; + v = 1; +- for (i = MIN(upper - j, validd); i >= 0; i--) { ++ for (i = MIN(valids - j, validd); i >= 0; i--) { + v &= (pcmp_val(s, ctrl, i + j) == pcmp_val(d, ctrl, i)); + } + res |= v; diff --git a/0023-eepro100-Prevent-two-endless-loops.patch b/0023-eepro100-Prevent-two-endless-loops.patch new file mode 100644 index 0000000..36c136e --- /dev/null +++ b/0023-eepro100-Prevent-two-endless-loops.patch 
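Review bot: The corrected bounds `for (j = valids; j >= 0; j--)` and `for (i = MIN(valids - j, validd); i >= 0; i--)` encode a rule that lives only in the commit message, and the code gives the next reader no hint why the outer loop now runs past the valid destination length; a comment above the outer loop, e.g. `/* Equal-ordered: an invalid source element forces a mismatch but an invalid destination element counts as a match (table 4-7), so walk the whole source range and let the inner bound cull destination elements. */`, would carry that reasoning into the file. The `upper` variable dropped from the inner bound may still be used by the other cases of this switch, which lie outside the hunk, so its remaining uses should be checked before anyone removes it. pcmpxstrx starts and ends outside the hunk.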
@@ -0,0 +1,60 @@ +From: Stefan Weil +Date: Fri, 20 Nov 2015 08:42:33 +0100 +Subject: [PATCH] eepro100: Prevent two endless loops + +http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html +shows an example how an endless loop in function action_command can +be achieved. + +During my code review, I noticed a 2nd case which can result in an +endless loop. + +Reported-by: Qinghao Tang +Signed-off-by: Stefan Weil +Signed-off-by: Jason Wang +(cherry picked from commit 00837731d254908a841d69298a4f9f077babaf24) +--- + hw/net/eepro100.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index c374c1a..3e874cd 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s) + #if 0 + uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); + #endif ++ if (tx_buffer_size == 0) { ++ /* Prevent an endless loop. */ ++ logout("loop in %s:%u\n", __FILE__, __LINE__); ++ break; ++ } + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n", +@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s) + + static void action_command(EEPRO100State *s) + { ++ /* The loop below won't stop if it gets special handcrafted data. ++ Therefore we limit the number of iterations. */ ++ unsigned max_loop_count = 16; ++ + for (;;) { + bool bit_el; + bool bit_s; +@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s) + #if 0 + bool bit_sf = ((s->tx.command & COMMAND_SF) != 0); + #endif ++ ++ if (max_loop_count-- == 0) { ++ /* Prevent an endless loop. */ ++ logout("loop in %s:%u\n", __FILE__, __LINE__); ++ break; ++ } ++ + s->cu_offset = s->tx.link; + TRACE(OTHER, + logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n", 
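Review bot: The cap `unsigned max_loop_count = 16;` in action_command is a bare magic number, and the same silent-break pattern appears in the tx_command hunk above it; a named file-scope constant (name to taste, e.g. `enum { MAX_ACTION_COMMANDS = 16 };`) with a comment saying the value is a guard against a guest-supplied circular command list rather than a hardware limit would state the intent. Whether a well-behaved guest can legitimately chain more than 16 actions in one CU start, which would now be cut short, cannot be decided from these lines and deserves a sentence in that comment. In tx_command, `tx_buffer_size == 0` is now treated as a terminator; if a zero-length trailing TBD is valid in simplified mode, that descriptor's successors are dropped, so the comment there should say why zero is safe to reject. `logout` looks like a debug-only trace, so from the guest's side both guards fail silently; both enclosing functions extend outside the hunks.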
diff --git a/0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch b/0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch new file mode 100644 index 0000000..5cacc05 --- /dev/null +++ b/0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch @@ -0,0 +1,47 @@ +From: Prasad J Pandit +Date: Fri, 20 Nov 2015 11:50:31 +0530 +Subject: [PATCH] net: pcnet: add check to validate receive data + size(CVE-2015-7504) + +In loopback mode, pcnet_receive routine appends CRC code to the +receive buffer. If the data size given is same as the buffer size, +the appended CRC code overwrites 4 bytes after s->buffer. Added a +check to avoid that. + +Reported by: Qinghao Tang +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang + +(cherry picked from commit 837f21aacf5a714c23ddaadbbc5212f9b661e3f7) +--- + hw/net/pcnet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index 68b9981..03a56b2 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1094,7 +1094,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + uint32_t fcs = ~0; + uint8_t *p = src; + +- while (p != &src[size-4]) ++ while (p != &src[size]) + CRC(fcs, *p++); + crc_err = (*(uint32_t *)p != htonl(fcs)); + } +@@ -1243,8 +1243,10 @@ static void pcnet_transmit(PCNetState *s) + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); + + /* if multi-tmd packet outsizes s->buffer then skip it silently. +- Note: this is not what real hw does */ +- if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ * Note: this is not what real hw does. ++ * Last four bytes of s->buffer are used to store CRC FCS code. ++ */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) { + s->xmit_pos = -1; + goto txdone; + } 
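Review bot: The FCS length appears as a bare `4` in both hunks — `&src[size]` in pcnet_receive now relies on the four bytes after the payload, and `sizeof(s->buffer) - 4` in pcnet_transmit reserves them — with nothing tying the two together except the new comment; a single file-level constant (name to taste, e.g. `FCS_LEN`) used in both places would keep them from drifting apart. The new comment in pcnet_transmit could also say that the reserve exists because pcnet_receive appends the CRC in place when looping back, which is the actual reason the two bounds must agree. The CRC loop itself is still only safe when `size + 4` fits in `src`; for the loopback path that now follows from the transmit bound, while the non-loopback `memcpy` path is bounded by patch 0025 in this same series. pcnet_receive starts and ends outside the hunk.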
diff --git a/0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch b/0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch new file mode 100644 index 0000000..1d31e92 --- /dev/null +++ b/0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch @@ -0,0 +1,34 @@ +From: Jason Wang +Date: Mon, 30 Nov 2015 15:00:06 +0800 +Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512) + +Backends could provide a packet whose length is greater than buffer +size. Check for this and truncate the packet to avoid rx buffer +overflow in this case. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang +(cherry picked from commit 8b98a2f07175d46c3f7217639bd5e03f2ec56343) +--- + hw/net/pcnet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index 03a56b2..d8957ab 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1074,6 +1074,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) + int pktcount = 0; + + if (!s->looptest) { ++ if (size > 4092) { ++#ifdef PCNET_DEBUG_RMD ++ fprintf(stderr, "pcnet: truncates rx packet.\n"); ++#endif ++ size = 4092; ++ } + memcpy(src, buf, size); + /* no need to compute the CRC */ + src[size] = 0; diff --git a/qemu.spec b/qemu.spec index ffb102a..926f75e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -43,7 +43,7 @@ Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.3.1 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 License: GPLv2+ and LGPLv2+ and BSD Group: Development/Tools 
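Review bot: `if (size > 4092)` hard-codes a value that appears to equal `sizeof(s->buffer) - 4`, the bound pcnet_transmit uses in patch 0024 for the same four FCS bytes; writing it as `if (size > sizeof(s->buffer) - 4) { ... size = sizeof(s->buffer) - 4; }` keeps the receive and transmit limits from diverging if the buffer size ever changes. The truncation is silent unless PCNET_DEBUG_RMD is defined; a one-line comment such as `/* backends may hand us more than s->buffer holds; truncate rather than overflow */` would record that dropping the tail is deliberate. The guard covers only the `!s->looptest` branch, which looks correct since the loopback source is bounded by the transmit-side check, but the comment should say so. pcnet_receive starts and ends outside the hunk.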
@@ -114,6 +114,16 @@ Patch0018: 0018-virtio-net-correctly-drop-truncated-packets.patch Patch0019: 0019-mirror-Fix-coroutine-reentrance.patch # Fix udp socket 'localaddr' (bz #1268708) Patch0020: 0020-util-socket-Add-missing-localaddr-and-localport-opti.patch +# Fix abort in abort in bdrv_error_action (bz #1277482) +Patch0021: 0021-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch +# Fix SSE4 emulation with accel=tcg (bz #1270703) +Patch0022: 0022-target-i386-fix-pcmpxstrx-equal-ordered-strstr-mode.patch +# CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214) +Patch0023: 0023-eepro100-Prevent-two-endless-loops.patch +# CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543) +Patch0024: 0024-net-pcnet-add-check-to-validate-receive-data-size-CV.patch +# CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549) +Patch0025: 0025-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch BuildRequires: SDL2-devel BuildRequires: zlib-devel @@ -1216,6 +1226,13 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Dec 07 2015 Cole Robinson - 2:2.3.1-8 +- Fix abort in abort in bdrv_error_action (bz #1277482) +- Fix SSE4 emulation with accel=tcg (bz #1270703) +- CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214) +- CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543) +- CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549) + * Thu Oct 08 2015 Cole Robinson - 2:2.3.1-7 - CVE-2015-7295: virtio-net possible remote DoS (bz #1264393) - drive-mirror: Fix coroutine reentrance (bz #1266936)
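Review bot: The comment for Patch0021 and the matching changelog entry read `Fix abort in abort in bdrv_error_action`, with `abort in` duplicated; `# Fix abort in bdrv_error_action (bz #1277482)` in both places. If this spec applies patches through explicit `%patchNNNN` lines rather than `%autosetup`, matching `%patch0021`–`%patch0025` lines are also needed; no `%prep` change is visible in this diff, so that is worth confirming before building.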