QEMU is a FAST! processor emulator
CentOS Sources
2016-01-28 95f32b8c9b6232aa8ecb8e7d520ac1a3f1290e9b
import qemu-kvm-1.5.3-105.el7_2.3
2 files added
1 files modified
172 ■■■■■ changed files
SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch 97 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch 57 ●●●●● patch | view | raw | blame | history
SPECS/qemu-kvm.spec 18 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch
New file
@@ -0,0 +1,97 @@
From 5d12c17191e042a57e02749cedc55104a8251ac3 Mon Sep 17 00:00:00 2001
From: Miroslav Rezanina <mrezanin@redhat.com>
Date: Thu, 21 Jan 2016 07:17:43 +0100
Subject: [PATCH] fw_cfg: add check to validate current entry value
 (CVE-2016-1714)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Message-id: <1453360663-5066-1-git-send-email-mrezanin@redhat.com>
Patchwork-id: 68834
O-Subject: [RHEL-7.2.z/RHEL-7.3 qemu-kvm PATCH] fw_cfg: add check to validate current entry value (CVE-2016-1714)
Bugzilla: 1298047
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
From: Prasad J Pandit <pjp@fedoraproject.org>
When processing firmware configurations, an OOB r/w access occurs
if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff).
Add a check to validate 's->cur_entry' to avoid such access.
This patch is based on upstream commit 66f8fd9dda312191b78d2a2ba2848bcee76127a2
  Author: Gabriel L. Somlo <somlo@cmu.edu>
  Date:   Thu Nov 5 09:32:50 2015 -0500
    fw_cfg: avoid calculating invalid current entry pointer
    When calculating a pointer to the currently selected fw_cfg item, the
    following is used:
      FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
    When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
    a non-existent element in s->entries[arch][...], which is undefined.
    This patch ensures the resulting entry pointer is set to NULL whenever
    s->cur_entry is FW_CFG_INVALID.
    Reported-by: Laszlo Ersek <lersek@redhat.com>
    Reviewed-by: Laszlo Ersek <lersek@redhat.com>
    Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
    Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
    Cc: Marc MarĂ­ <markmb@redhat.com>
    Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
    Reviewed-by: Laszlo Ersek <lersek@redhat.com>
    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
with added chunk for fw_cfg_write() that was removed in commit
023e3148567ac898c7258138f8e86c3c2bb40d07
and missing chunk for fw_cfg_dma_transfer that was added in commit
a4c0d1deb785611c96a455f65ec032976b00b36f.
Reported-by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/nvram/fw_cfg.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
index b865c09..fcb3146 100644
--- a/hw/nvram/fw_cfg.c
+++ b/hw/nvram/fw_cfg.c
@@ -207,12 +207,15 @@ static void fw_cfg_reboot(FWCfgState *s)
 static void fw_cfg_write(FWCfgState *s, uint8_t value)
 {
     int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
-    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
+                     &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
     trace_fw_cfg_write(s, value);
-    if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback &&
-        s->cur_offset < e->len) {
+    if (s->cur_entry & FW_CFG_WRITE_CHANNEL
+        && e != NULL
+        && e->callback
+        && s->cur_offset < e->len) {
         e->data[s->cur_offset++] = value;
         if (s->cur_offset == e->len) {
             e->callback(e->callback_opaque, e->data);
@@ -241,7 +244,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
 static uint8_t fw_cfg_read(FWCfgState *s)
 {
     int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
-    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
+                     &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
     uint8_t ret;
     if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
--
1.8.3.1
SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
New file
@@ -0,0 +1,57 @@
From 1a4a13c7c0f05f5a423c09607c7ef5151d315242 Mon Sep 17 00:00:00 2001
From: Max Reitz <mreitz@redhat.com>
Date: Sat, 16 Jan 2016 14:02:12 +0100
Subject: [PATCH] raw-posix: Fix .bdrv_co_get_block_status() for unaligned
 image size
Message-id: <1452952932-2466-2-git-send-email-mreitz@redhat.com>
Patchwork-id: 68783
O-Subject: [RHEL-7.2.z qemu-kvm PATCH 1/1] raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size
Bugzilla: 1298828
RH-Acked-by: Fam Zheng <famz@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
From: Kevin Wolf <kwolf@redhat.com>
Image files with an unaligned image size have a final hole that starts
at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is
returned when checking the status of this sector. In qemu-img, this
triggers an assertion failure.
In order to fix this, one type for the sector that contains EOF must be
found. Treating a hole as data is safe, so this patch rounds the
calculated number of data sectors up, so that a partial sector at EOF is
treated as a full data sector.
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Tested-by: Cole Robinson <crobinso@redhat.com>
(cherry picked from commit b8684454e152ca2e100f4b59d80de2be27186206)
Signed-off-by: Max Reitz <mreitz@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 block/raw-posix.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/block/raw-posix.c b/block/raw-posix.c
index 72a9dc0..1f5275f 100644
--- a/block/raw-posix.c
+++ b/block/raw-posix.c
@@ -1452,8 +1452,9 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs,
         *pnum = nb_sectors;
         ret = BDRV_BLOCK_DATA;
     } else if (data == start) {
-        /* On a data extent, compute sectors to the end of the extent.  */
-        *pnum = MIN(nb_sectors, (hole - start) / BDRV_SECTOR_SIZE);
+        /* On a data extent, compute sectors to the end of the extent,
+         * possibly including a partial sector at EOF. */
+        *pnum = MIN(nb_sectors, DIV_ROUND_UP(hole - start, BDRV_SECTOR_SIZE));
         ret = BDRV_BLOCK_DATA;
     } else {
         /* On a hole, compute sectors to the beginning of the next extent.  */
--
1.8.3.1
SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@
Summary: QEMU is a FAST! processor emulator
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
Release: 105%{?dist}.1
Release: 105%{?dist}.3
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2+ and LGPLv2+ and BSD
@@ -3165,6 +3165,10 @@
Patch1554: kvm-rbd-make-qemu-s-cache-setting-override-any-ceph-sett.patch
# For bz#1279389 - ceph.conf properties override qemu's command-line properties
Patch1555: kvm-rbd-fix-ceph-settings-precedence.patch
# For bz#1298828 - [abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT
Patch1556: kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
# For bz#1298047 - CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z]
Patch1557: kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch
BuildRequires: zlib-devel
@@ -4933,6 +4937,8 @@
%patch1553 -p1
%patch1554 -p1
%patch1555 -p1
%patch1556 -p1
%patch1557 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -5389,6 +5395,16 @@
%{_libdir}/pkgconfig/libcacard.pc
%changelog
* Thu Jan 21 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.3
- kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch [bz#1298047]
- Resolves: bz#1298047
  (CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z])
* Wed Jan 20 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.2
- kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch [bz#1298828]
- Resolves: bz#1298828
  ([abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT)
* Tue Nov 17 2015 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.1
- kvm-rbd-make-qemu-s-cache-setting-override-any-ceph-sett.patch [bz#1279389]
- kvm-rbd-fix-ceph-settings-precedence.patch [bz#1279389]