From 95f32b8c9b6232aa8ecb8e7d520ac1a3f1290e9b Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Jan 28 2016 15:41:50 +0000
Subject: import qemu-kvm-1.5.3-105.el7_2.3


---

diff --git a/SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch b/SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch
new file mode 100644
index 0000000..e1eb3b2
--- /dev/null
+++ b/SOURCES/kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch
@@ -0,0 +1,97 @@
+From 5d12c17191e042a57e02749cedc55104a8251ac3 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina <mrezanin@redhat.com>
+Date: Thu, 21 Jan 2016 07:17:43 +0100
+Subject: [PATCH] fw_cfg: add check to validate current entry value
+ (CVE-2016-1714)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Message-id: <1453360663-5066-1-git-send-email-mrezanin@redhat.com>
+Patchwork-id: 68834
+O-Subject: [RHEL-7.2.z/RHEL-7.3 qemu-kvm PATCH] fw_cfg: add check to validate current entry value (CVE-2016-1714)
+Bugzilla: 1298047
+RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+When processing firmware configurations, an OOB r/w access occurs
+if 's->cur_entry' is set to be invalid(FW_CFG_INVALID=0xffff).
+Add a check to validate 's->cur_entry' to avoid such access.
+
+This patch is based on upstream commit 66f8fd9dda312191b78d2a2ba2848bcee76127a2
+  Author: Gabriel L. Somlo <somlo@cmu.edu>
+  Date:   Thu Nov 5 09:32:50 2015 -0500
+
+    fw_cfg: avoid calculating invalid current entry pointer
+
+    When calculating a pointer to the currently selected fw_cfg item, the
+    following is used:
+
+      FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+    When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
+    a non-existent element in s->entries[arch][...], which is undefined.
+
+    This patch ensures the resulting entry pointer is set to NULL whenever
+    s->cur_entry is FW_CFG_INVALID.
+
+    Reported-by: Laszlo Ersek <lersek@redhat.com>
+    Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+    Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
+    Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
+    Cc: Marc Marí <markmb@redhat.com>
+    Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
+    Reviewed-by: Laszlo Ersek <lersek@redhat.com>
+    Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+with added chunk for fw_cfg_write() that was removed in commit
+023e3148567ac898c7258138f8e86c3c2bb40d07
+and missing chunk for fw_cfg_dma_transfer that was added in commit
+a4c0d1deb785611c96a455f65ec032976b00b36f.
+
+Reported-by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/nvram/fw_cfg.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index b865c09..fcb3146 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -207,12 +207,15 @@ static void fw_cfg_reboot(FWCfgState *s)
+ static void fw_cfg_write(FWCfgState *s, uint8_t value)
+ {
+     int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+-    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++                     &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ 
+     trace_fw_cfg_write(s, value);
+ 
+-    if (s->cur_entry & FW_CFG_WRITE_CHANNEL && e->callback &&
+-        s->cur_offset < e->len) {
++    if (s->cur_entry & FW_CFG_WRITE_CHANNEL
++        && e != NULL
++        && e->callback
++        && s->cur_offset < e->len) {
+         e->data[s->cur_offset++] = value;
+         if (s->cur_offset == e->len) {
+             e->callback(e->callback_opaque, e->data);
+@@ -241,7 +244,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
+ static uint8_t fw_cfg_read(FWCfgState *s)
+ {
+     int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+-    FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++    FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++                     &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+     uint8_t ret;
+ 
+     if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch b/SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
new file mode 100644
index 0000000..841b730
--- /dev/null
+++ b/SOURCES/kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
@@ -0,0 +1,57 @@
+From 1a4a13c7c0f05f5a423c09607c7ef5151d315242 Mon Sep 17 00:00:00 2001
+From: Max Reitz <mreitz@redhat.com>
+Date: Sat, 16 Jan 2016 14:02:12 +0100
+Subject: [PATCH] raw-posix: Fix .bdrv_co_get_block_status() for unaligned
+ image size
+
+Message-id: <1452952932-2466-2-git-send-email-mreitz@redhat.com>
+Patchwork-id: 68783
+O-Subject: [RHEL-7.2.z qemu-kvm PATCH 1/1] raw-posix: Fix .bdrv_co_get_block_status() for unaligned image size
+Bugzilla: 1298828
+RH-Acked-by: Fam Zheng <famz@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+
+From: Kevin Wolf <kwolf@redhat.com>
+
+Image files with an unaligned image size have a final hole that starts
+at EOF, i.e. in the middle of a sector. Currently, *pnum == 0 is
+returned when checking the status of this sector. In qemu-img, this
+triggers an assertion failure.
+
+In order to fix this, one type for the sector that contains EOF must be
+found. Treating a hole as data is safe, so this patch rounds the
+calculated number of data sectors up, so that a partial sector at EOF is
+treated as a full data sector.
+
+This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1229394
+
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Tested-by: Cole Robinson <crobinso@redhat.com>
+(cherry picked from commit b8684454e152ca2e100f4b59d80de2be27186206)
+Signed-off-by: Max Reitz <mreitz@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ block/raw-posix.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/raw-posix.c b/block/raw-posix.c
+index 72a9dc0..1f5275f 100644
+--- a/block/raw-posix.c
++++ b/block/raw-posix.c
+@@ -1452,8 +1452,9 @@ static int64_t coroutine_fn raw_co_get_block_status(BlockDriverState *bs,
+         *pnum = nb_sectors;
+         ret = BDRV_BLOCK_DATA;
+     } else if (data == start) {
+-        /* On a data extent, compute sectors to the end of the extent.  */
+-        *pnum = MIN(nb_sectors, (hole - start) / BDRV_SECTOR_SIZE);
++        /* On a data extent, compute sectors to the end of the extent,
++         * possibly including a partial sector at EOF. */
++        *pnum = MIN(nb_sectors, DIV_ROUND_UP(hole - start, BDRV_SECTOR_SIZE));
+         ret = BDRV_BLOCK_DATA;
+     } else {
+         /* On a hole, compute sectors to the beginning of the next extent.  */
+-- 
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 72b1d18..5c683ef 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version}                                      \
 Summary: QEMU is a FAST! processor emulator
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 105%{?dist}.1
+Release: 105%{?dist}.3
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -3165,6 +3165,10 @@ Patch1553: kvm-qtest-ide-test-disable-flush-test.patch
 Patch1554: kvm-rbd-make-qemu-s-cache-setting-override-any-ceph-sett.patch
 # For bz#1279389 - ceph.conf properties override qemu's command-line properties
 Patch1555: kvm-rbd-fix-ceph-settings-precedence.patch
+# For bz#1298828 - [abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT
+Patch1556: kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch
+# For bz#1298047 - CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z]
+Patch1557: kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch
 
 
 BuildRequires: zlib-devel
@@ -4933,6 +4937,8 @@ cp %{SOURCE18} pc-bios # keep "make check" happy
 %patch1553 -p1
 %patch1554 -p1
 %patch1555 -p1
+%patch1556 -p1
+%patch1557 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -5389,6 +5395,16 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_libdir}/pkgconfig/libcacard.pc
 
 %changelog
+* Thu Jan 21 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.3
+- kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch [bz#1298047]
+- Resolves: bz#1298047
+  (CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-7.2.z])
+
+* Wed Jan 20 2016 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.2
+- kvm-raw-posix-Fix-.bdrv_co_get_block_status-for-unaligne.patch [bz#1298828]
+- Resolves: bz#1298828
+  ([abrt] qemu-img: get_block_status(): qemu-img killed by SIGABRT)
+
 * Tue Nov 17 2015 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-105.el7_2.1
 - kvm-rbd-make-qemu-s-cache-setting-override-any-ceph-sett.patch [bz#1279389]
 - kvm-rbd-fix-ceph-settings-precedence.patch [bz#1279389]