From 0007b37337bf983f70643f537fc899efd5765fe0 Mon Sep 17 00:00:00 2001
From: Eduardo Lima (Etrunko)
Date: Apr 22 2022 02:43:10 +0000
Subject: qemu-7.0.0-1
---
diff --git a/0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch b/0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
deleted file mode 100644
index c7e2852..0000000
--- a/0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
+++ /dev/null
@@ -1,90 +0,0 @@ -From 8cdb99af45365727ac17f45239a9b8c1d5155c6d Mon Sep 17 00:00:00 2001 -From: Igor Mammedov -Date: Mon, 27 Dec 2021 14:31:17 -0500 -Subject: [PATCH] acpi: fix QEMU crash when started with SLIC table -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -if QEMU is started with used provided SLIC table blob, - - -acpitable sig=SLIC,oem_id='CRASH ',oem_table_id="ME",oem_rev=00002210,asl_compiler_id="",asl_compiler_rev=00000000,data=/dev/null -it will assert with: - - hw/acpi/aml-build.c:61:build_append_padded_str: assertion failed: (len <= maxlen) - -and following backtrace: - - ... - build_append_padded_str (array=0x555556afe320, str=0x555556afdb2e "CRASH ME", maxlen=0x6, pad=0x20) at hw/acpi/aml-build.c:61 - acpi_table_begin (desc=0x7fffffffd1b0, array=0x555556afe320) at hw/acpi/aml-build.c:1727 - build_fadt (tbl=0x555556afe320, linker=0x555557ca3830, f=0x7fffffffd318, oem_id=0x555556afdb2e "CRASH ME", oem_table_id=0x555556afdb34 "ME") at hw/acpi/aml-build.c:2064 - ... - -which happens due to acpi_table_begin() expecting NULL terminated -oem_id and oem_table_id strings, which is normally the case, but -in case of user provided SLIC table, oem_id points to table's blob -directly and as result oem_id became longer than expected. - -Fix issue by handling oem_id consistently and make acpi_get_slic_oem() -return NULL terminated strings. - -PS: -After [1] refactoring, oem_id semantics became inconsistent, where -NULL terminated string was coming from machine and old way pointer -into byte array coming from -acpitable option. That used to work -since build_header() wasn't expecting NULL terminated string and -blindly copied the 1st 6 bytes only. - -However commit [2] broke that by replacing build_header() with -acpi_table_begin(), which was expecting NULL terminated string -and was checking oem_id size. 
- -1) 602b45820 ("acpi: Permit OEM ID and OEM table ID fields to be changed") -2) -Fixes: 4b56e1e4eb08 ("acpi: build_fadt: use acpi_table_begin()/acpi_table_end() instead of build_header()") -Resolves: https://gitlab.com/qemu-project/qemu/-/issues/786 -Signed-off-by: Igor Mammedov -Message-Id: <20211227193120.1084176-2-imammedo@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé -Tested-by: Denis Lisov -Tested-by: Alexander Tsoy -Cc: qemu-stable@nongnu.org -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin ---- - hw/acpi/core.c | 4 ++-- - hw/i386/acpi-build.c | 2 ++ - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/acpi/core.c b/hw/acpi/core.c -index 1e004d0078..3e811bf03c 100644 ---- a/hw/acpi/core.c -+++ b/hw/acpi/core.c -@@ -345,8 +345,8 @@ int acpi_get_slic_oem(AcpiSlicOem *oem) - struct acpi_table_header *hdr = (void *)(u - sizeof(hdr->_length)); - - if (memcmp(hdr->sig, "SLIC", 4) == 0) { -- oem->id = hdr->oem_id; -- oem->table_id = hdr->oem_table_id; -+ oem->id = g_strndup(hdr->oem_id, 6); -+ oem->table_id = g_strndup(hdr->oem_table_id, 8); - return 0; - } - } -diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c -index 8383b83ee3..0234fe7588 100644 ---- a/hw/i386/acpi-build.c -+++ b/hw/i386/acpi-build.c -@@ -2723,6 +2723,8 @@ void acpi_build(AcpiBuildTables *tables, MachineState *machine) - - /* Cleanup memory that's no longer used. */ - g_array_free(table_offsets, true); -+ g_free(slic_oem.id); -+ g_free(slic_oem.table_id); - } - - static void acpi_ram_update(MemoryRegion *mr, GArray *data) --- -2.35.1 - diff --git a/0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch b/0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch deleted file mode 100644 index e52e2b4..0000000 --- a/0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 7b223e38603de3a75602e14914d26f9d4baf52eb Mon Sep 17 00:00:00 2001 -From: Christian Ehrhardt -Date: Wed, 9 Feb 2022 12:14:56 +0100 -Subject: [PATCH 1/2] tools/virtiofsd: Add rseq syscall to the seccomp - allowlist - -The virtiofsd currently crashes when used with glibc 2.35. -That is due to the rseq system call being added to every thread -creation [1][2]. - -[1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ -[2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html - -This happens not at daemon start, but when a guest connects - - /usr/lib/qemu/virtiofsd -f --socket-path=/tmp/testvfsd -o sandbox=chroot \ - -o source=/var/guests/j-virtiofs --socket-group=kvm - virtio_session_mount: Waiting for vhost-user socket connection... - # start ok, now guest will connect - virtio_session_mount: Received vhost-user socket connection - virtio_loop: Entry - fv_queue_set_started: qidx=0 started=1 - fv_queue_set_started: qidx=1 started=1 - Bad system call (core dumped) - -We have to put rseq on the seccomp allowlist to avoid that the daemon -is crashing in this case. - -Reported-by: Michael Hudson-Doyle -Signed-off-by: Christian Ehrhardt -Reviewed-by: Dr. David Alan Gilbert -Message-id: 20220209111456.3328420-1-christian.ehrhardt@canonical.com - -[Moved rseq to its alphabetically ordered position in the seccomp -allowlist. 
---Stefan] -Signed-off-by: Stefan Hajnoczi ---- - tools/virtiofsd/passthrough_seccomp.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tools/virtiofsd/passthrough_seccomp.c b/tools/virtiofsd/passthrough_seccomp.c -index a3ce9f898d..2bc0127b69 100644 ---- a/tools/virtiofsd/passthrough_seccomp.c -+++ b/tools/virtiofsd/passthrough_seccomp.c -@@ -91,6 +91,9 @@ static const int syscall_allowlist[] = { - SCMP_SYS(renameat2), - SCMP_SYS(removexattr), - SCMP_SYS(restart_syscall), -+#ifdef __NR_rseq -+ SCMP_SYS(rseq), /* required since glibc 2.35 */ -+#endif - SCMP_SYS(rt_sigaction), - SCMP_SYS(rt_sigprocmask), - SCMP_SYS(rt_sigreturn), --- -2.35.1 - diff --git a/0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch b/0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch deleted file mode 100644 index 7c9b874..0000000 --- a/0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 449e8171f96a6a944d1f3b7d3627ae059eae21ca Mon Sep 17 00:00:00 2001 -From: Vivek Goyal -Date: Tue, 25 Jan 2022 13:51:14 -0500 -Subject: [PATCH] virtiofsd: Drop membership of all supplementary groups - (CVE-2022-0358) - -At the start, drop membership of all supplementary groups. This is -not required. - -If we have membership of "root" supplementary group and when we switch -uid/gid using setresuid/setsgid, we still retain membership of existing -supplemntary groups. And that can allow some operations which are not -normally allowed. - -For example, if root in guest creates a dir as follows. - -$ mkdir -m 03777 test_dir - -This sets SGID on dir as well as allows unprivileged users to write into -this dir. - -And now as unprivileged user open file as follows. - -$ su test -$ fd = open("test_dir/priviledge_id", O_RDWR|O_CREAT|O_EXCL, 02755); - -This will create SGID set executable in test_dir/. - -And that's a problem because now an unpriviliged user can execute it, -get egid=0 and get access to resources owned by "root" group. This is -privilege escalation. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 -Fixes: CVE-2022-0358 -Reported-by: JIETAO XIAO -Suggested-by: Miklos Szeredi -Reviewed-by: Stefan Hajnoczi -Reviewed-by: Dr. David Alan Gilbert -Signed-off-by: Vivek Goyal -Message-Id: -Signed-off-by: Dr. 
David Alan Gilbert - dgilbert: Fixed missing {}'s style nit ---- - tools/virtiofsd/passthrough_ll.c | 27 +++++++++++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c -index 64b5b4fbb1..b3d0674f6d 100644 ---- a/tools/virtiofsd/passthrough_ll.c -+++ b/tools/virtiofsd/passthrough_ll.c -@@ -54,6 +54,7 @@ - #include - #include - #include -+#include - - #include "qemu/cutils.h" - #include "passthrough_helpers.h" -@@ -1161,6 +1162,30 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name) - #define OURSYS_setresuid SYS_setresuid - #endif - -+static void drop_supplementary_groups(void) -+{ -+ int ret; -+ -+ ret = getgroups(0, NULL); -+ if (ret == -1) { -+ fuse_log(FUSE_LOG_ERR, "getgroups() failed with error=%d:%s\n", -+ errno, strerror(errno)); -+ exit(1); -+ } -+ -+ if (!ret) { -+ return; -+ } -+ -+ /* Drop all supplementary groups. We should not need it */ -+ ret = setgroups(0, NULL); -+ if (ret == -1) { -+ fuse_log(FUSE_LOG_ERR, "setgroups() failed with error=%d:%s\n", -+ errno, strerror(errno)); -+ exit(1); -+ } -+} -+ - /* - * Change to uid/gid of caller so that file is created with - * ownership of caller. -@@ -3926,6 +3951,8 @@ int main(int argc, char *argv[]) - - qemu_init_exec_dir(argv[0]); - -+ drop_supplementary_groups(); -+ - pthread_mutex_init(&lo.mutex, NULL); - lo.inodes = g_hash_table_new(lo_key_hash, lo_key_equal); - lo.root.fd = -1; --- -GitLab - diff --git a/0002-virtiofsd-Do-not-support-blocking-flock.patch b/0002-virtiofsd-Do-not-support-blocking-flock.patch deleted file mode 100644 index 75cd0b1..0000000 --- a/0002-virtiofsd-Do-not-support-blocking-flock.patch +++ /dev/null 
@@ -1,41 +0,0 @@
-From 41af4459ac47e107093c3f54b6875d54723aa613 Mon Sep 17 00:00:00 2001
-From: Sebastian Hasler
-Date: Thu, 13 Jan 2022 16:32:49 +0100
-Subject: [PATCH 2/2] virtiofsd: Do not support blocking flock
-
-With the current implementation, blocking flock can lead to
-deadlock. Thus, it's better to return EOPNOTSUPP if a user attempts
-to perform a blocking flock request.
-
-Signed-off-by: Sebastian Hasler
-Message-Id: <20220113153249.710216-1-sebastian.hasler@stuvus.uni-stuttgart.de>
-Signed-off-by: Dr. David Alan Gilbert
-Reviewed-by: Vivek Goyal
-Reviewed-by: Greg Kurz
----
- tools/virtiofsd/passthrough_ll.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
-index b3d0674f6d..3e56d1cd95 100644
---- a/tools/virtiofsd/passthrough_ll.c
-+++ b/tools/virtiofsd/passthrough_ll.c
-@@ -2467,6 +2467,15 @@ static void lo_flock(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi,
- int res;
- (void)ino;
-
-+ if (!(op & LOCK_NB)) {
-+ /*
-+ * Blocking flock can deadlock as there is only one thread
-+ * serving the queue.
-+ */
-+ fuse_reply_err(req, EOPNOTSUPP);
-+ return;
-+ }
-+
- res = flock(lo_fi_fd(req, fi), op);
-
- fuse_reply_err(req, res == -1 ? errno : 0);
---
-2.35.1
-
diff --git a/qemu.spec b/qemu.spec
index f922d0d..e4a5c07 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -195,6 +195,7 @@
 %endif
 %define requires_block_ssh Requires: %{name}-block-ssh = %{evr}
 %define requires_audio_alsa Requires: %{name}-audio-alsa = %{evr}
+%define requires_audio_dbus Requires: %{name}-audio-dbus = %{evr}
 %define requires_audio_oss Requires: %{name}-audio-oss = %{evr}
 %define requires_audio_pa Requires: %{name}-audio-pa = %{evr}
 %define requires_audio_sdl Requires: %{name}-audio-sdl = %{evr}
@@ -202,6 +203,7 @@
 %define requires_device_usb_host Requires: %{name}-device-usb-host = %{evr}
 %define requires_device_usb_redirect Requires: %{name}-device-usb-redirect = %{evr}
 %define requires_ui_curses Requires: %{name}-ui-curses = %{evr}
+%define requires_ui_dbus Requires: %{name}-ui-dbus = %{evr}
 %define requires_ui_gtk Requires: %{name}-ui-gtk = %{evr}
 %define requires_ui_sdl Requires: %{name}-ui-sdl = %{evr}
 %define requires_ui_egl_headless Requires: %{name}-ui-egl-headless = %{evr}
@@ -256,6 +258,7 @@
 %{requires_block_rbd} \
 %{requires_block_ssh} \
 %{requires_audio_alsa} \
+%{requires_audio_dbus} \
 %{requires_audio_oss} \
 %{requires_audio_pa} \
 %{requires_audio_sdl} \
@@ -302,11 +305,11 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
 %endif
 
 # To prevent rpmdev-bumpspec breakage
-%global baserelease 8
+%global baserelease 1
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 6.2.0
+Version: 7.0.0
 Release: %{baserelease}%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2 and BSD and MIT and CC-BY
@@ -327,19 +330,6 @@ Source36: README.tests
 
 Patch0001: 0001-sgx-stub-fix.patch
 
-# CVE-2022-0358
-# https://bugzilla.redhat.com/show_bug.cgi?id=2046202
-Patch0002: 0001-virtiofsd-Drop-membership-of-all-supplementary-groups.patch
-
-# Fix various crashes with virtiofsd on F36+
-# https://bugzilla.redhat.com/2070066
-Patch0003: 0001-tools-virtiofsd-Add-rseq-syscall-to-the-seccomp-allo.patch
-Patch0004: 0002-virtiofsd-Do-not-support-blocking-flock.patch
-
-# acpi: fix QEMU crash when started with SLIC table
-# https://bugzilla.redhat.com/show_bug.cgi?id=2072303
-Patch0005: 0001-acpi-fix-QEMU-crash-when-started-with-SLIC-table.patch
-
 BuildRequires: meson >= %{meson_version}
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
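Review bot: The hunk at `@@ -327,19 +330,6 @@` drops Patch0002 (CVE-2022-0358, virtiofsd supplementary groups), Patch0003/Patch0004 (virtiofsd rseq seccomp allowlist and blocking flock) and Patch0005 (SLIC oem_id crash) without the spec recording where those fixes now come from. Presumably the four upstream commits named in the deleted patch headers (449e8171f96a, 7b223e38603d, 41af4459ac47, 8cdb99af4536) are all contained in the 7.0.0 tarball, but that is inferred rather than shown here, and the CVE fix in particular is what downstream tracking (RHBZ#2046202) keys on. I would confirm each against the v7.0.0 tag before merging and say so in the `%changelog` hunk at `@@ -2305,6 +2318,9 @@`, e.g. `- Drop patches now included upstream (CVE-2022-0358, RHBZ#2070066, RHBZ#2072303)`. That entry also reads `- 7.0.0-1` while the one before it uses the epoch form `2:6.2.0-8`; `- 2:7.0.0-1` keeps the entries consistent.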
@@ -461,8 +451,6 @@ BuildRequires: virglrenderer-devel
 # preferred disassembler for TCG
 BuildRequires: capstone-devel
 %endif
-# parallels disk images require libxml2
-BuildRequires: libxml2-devel
 # qemu-ga
 BuildRequires: libudev-devel
 # qauth infrastructure
@@ -697,6 +685,12 @@ Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
 %description audio-alsa
 This package provides the additional ALSA audio driver for QEMU.
 
+%package audio-dbus
+Summary: QEMU D-Bus audio driver
+Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
+%description audio-dbus
+This package provides the additional D-Bus audio driver for QEMU.
+
 %package audio-oss
 Summary: QEMU OSS audio driver
 Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
@@ -730,6 +724,12 @@ Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
 %description ui-curses
 This package provides the additional curses UI for QEMU.
 
+%package ui-dbus
+Summary: QEMU D-Bus UI driver
+Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
+%description ui-dbus
+This package provides the additional D-Bus UI for QEMU.
+
 %package ui-gtk
 Summary: QEMU GTK UI driver
 Requires: %{name}-common%{?_isa} = %{epoch}:%{version}-%{release}
@@ -1247,8 +1247,8 @@ mkdir -p %{static_builddir}
 --disable-avx2 \\\
 --disable-avx512f \\\
 --disable-block-drv-whitelist-in-tools \\\
- --disable-bpf \\\
 --disable-bochs \\\
+ --disable-bpf \\\
 --disable-brlapi \\\
 --disable-bsd-user \\\
 --disable-bzip2 \\\
@@ -1258,6 +1258,7 @@ mkdir -p %{static_builddir}
 --disable-cfi-debug \\\
 --disable-cloop \\\
 --disable-cocoa \\\
+ --disable-coreaudio \\\
 --disable-coroutine-pool \\\
 --disable-crypto-afalg \\\
 --disable-curl \\\
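Review bot: The new `%package ui-dbus` section here, and `%package audio-dbus` in `@@ -697,6 +685,12 @@`, are backed by `%files` entries that hard-require `ui-dbus.so` and `audio-dbus.so`, yet no hunk passes `--enable-dbus-display` to run_configure, so both modules are built only if meson auto-detects the D-Bus display support. If that detection silently fails the build dies late, at `%files`, instead of at configure; adding `--enable-dbus-display \` alongside the other `--enable-*` lines in `@@ -1426,10 +1433,13 @@` makes the requirement explicit and the failure loud. The BuildRequires that would back it are outside these hunks, so I cannot tell from the diff whether glib2-devel alone is enough.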
@@ -1267,10 +1268,12 @@ mkdir -p %{static_builddir}
 --disable-debug-tcg \\\
 --disable-dmg \\\
 --disable-docs \\\
+ --disable-dsound \\\
 --disable-fdt \\\
 --disable-fuse \\\
 --disable-fuse-lseek \\\
 --disable-gcrypt \\\
+ --disable-gettext \\\
 --disable-gio \\\
 --disable-glusterfs \\\
 --disable-gnutls \\\
@@ -1280,7 +1283,9 @@ mkdir -p %{static_builddir}
 --disable-hax \\\
 --disable-hvf \\\
 --disable-iconv \\\
+ --disable-jack \\\
 --disable-kvm \\\
+ --disable-l2tpv3 \\\
 --disable-libdaxctl \\\
 --disable-libiscsi \\\
 --disable-libnfs \\\
@@ -1288,7 +1293,6 @@ mkdir -p %{static_builddir}
 --disable-libssh \\\
 --disable-libudev \\\
 --disable-libusb \\\
- --disable-libxml2 \\\
 --disable-linux-aio \\\
 --disable-linux-io-uring \\\
 --disable-linux-user \\\
@@ -1305,7 +1309,10 @@ mkdir -p %{static_builddir}
 --disable-netmap \\\
 --disable-nettle \\\
 --disable-numa \\\
+ --disable-nvmm \\\
 --disable-opengl \\\
+ --disable-oss \\\
+ --disable-pa \\\
 --disable-parallels \\\
 --disable-pie \\\
 --disable-pvrdma \\\
@@ -1321,6 +1328,7 @@ mkdir -p %{static_builddir}
 --disable-sdl \\\
 --disable-sdl-image \\\
 --disable-seccomp \\\
+ --disable-selinux \\\
 --disable-slirp \\\
 --disable-slirp-smbd \\\
 --disable-smartcard \\\
@@ -1359,7 +1367,6 @@ mkdir -p %{static_builddir}
 --disable-whpx \\\
 --disable-xen \\\
 --disable-xen-pci-passthrough \\\
- --disable-xfsctl \\\
 --disable-xkbcommon \\\
 --disable-zstd \\\
 --with-git-submodules=ignore \\\
@@ -1426,10 +1433,13 @@ run_configure \
 %if %{have_fdt}
 --enable-fdt=system \
 %endif
+ --enable-gettext \
 --enable-gnutls \
 --enable-guest-agent \
 --enable-iconv \
+ --enable-jack \
 --enable-kvm \
+ --enable-l2tpv3 \
 --enable-libiscsi \
 %if %{have_pmem}
 --enable-libpmem \
@@ -1451,6 +1461,8 @@ run_configure \
 %if %{have_opengl}
 --enable-opengl \
 %endif
+ --enable-oss \
+ --enable-pa \
 --enable-pie \
 %if %{have_block_rbd}
 --enable-rbd \
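Review bot: `--enable-jack` and `--enable-l2tpv3` are added to run_configure in `@@ -1426,10 +1433,13 @@`, and `@@ -1459,9 +1471,7 @@` turns `--enable-selinux` from a line guarded by `%if 0%{?must_remember_to_add_this_in_qemu_6_2}` into an unconditional one, but no hunk adds a matching BuildRequires (the JACK development package, libselinux-devel). An explicit `--enable-*` makes meson fail at configure when the library is absent, so either those BuildRequires already exist outside these hunks or the build breaks in a clean buildroot; worth confirming before merging. If they are indeed already present, a one-line comment next to the guard removal, e.g. `# libselinux-devel is an unconditional BuildRequires above`, would save the next reader the same check.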
@@ -1459,9 +1471,7 @@ run_configure \
 --enable-rdma \
 %endif
 --enable-seccomp \
-%if 0%{?must_remember_to_add_this_in_qemu_6_2}
 --enable-selinux \
-%endif
 --enable-slirp=system \
 --enable-slirp-smbd \
 --enable-snappy \
@@ -1509,7 +1519,6 @@ run_configure \
 --enable-libnfs \
 %endif
 --enable-libudev \
- --enable-libxml2 \
 %if %{have_liburing}
 --enable-linux-io-uring \
 %endif
@@ -1963,6 +1972,8 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 %files audio-alsa
 %{_libdir}/%{name}/audio-alsa.so
+%files audio-dbus
+%{_libdir}/%{name}/audio-dbus.so
 %files audio-oss
 %{_libdir}/%{name}/audio-oss.so
 %files audio-pa
@@ -1977,6 +1988,8 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 %files ui-curses
 %{_libdir}/%{name}/ui-curses.so
+%files ui-dbus
+%{_libdir}/%{name}/ui-dbus.so
 %files ui-gtk
 %{_libdir}/%{name}/ui-gtk.so
 %files ui-sdl
@@ -2213,6 +2226,7 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %{_datadir}/%{name}/skiboot.lid
 %{_datadir}/%{name}/u-boot.e500
 %{_datadir}/%{name}/u-boot-sam460-20100605.bin
+%{_datadir}/%{name}/vof*.bin
 %if %{have_memlock_limits}
 %{_sysconfdir}/security/limits.d/95-kvm-memlock.conf
 %endif
@@ -2223,7 +2237,6 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %{_bindir}/qemu-system-riscv32
 %{_bindir}/qemu-system-riscv64
 %{_datadir}/%{name}/opensbi-riscv*.bin
-%{_datadir}/%{name}/opensbi-riscv*.elf
 %{_datadir}/systemtap/tapset/qemu-system-riscv*.stp
 %{_mandir}/man1/qemu-system-riscv*.1*
 
@@ -2305,6 +2318,9 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Fri Apr 08 2022 Eduardo Lima (Etrunko) - 7.0.0-1
+- Rebase to qemu 7.0.0-1
+
 * Wed Apr 06 2022 Richard W.M. Jones - 2:6.2.0-8
 - acpi: fix QEMU crash when started with SLIC table (RHBZ#2072303)
 
diff --git a/sources b/sources
index f1545cf..9f53caf 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (qemu-6.2.0.tar.xz) = e9f8231c9e1cfcc41cb47f10a55d63f6b8aee307af00cf6acf64acb7aa4f49fa7e9d6330703a2abea15d8b7bbaba7d3cb08c83edd98d82642367b527df730817
+SHA512 (qemu-7.0.0.tar.xz) = 44ecd10c018a3763e1bc87d1d35b98890d0d5636acd69fe9b5cadf5024d5af6a31684d60cbe1c3370e02986434c1fb0ad99224e0e6f6fe7eda169992508157b1