From 8a7ac9c97e27e83f7fa13d21a5956d6faa76aef5 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Jun 20 2019 21:31:11 +0000
Subject: qemu-4.0.0-4.fc31 CVE-2019-12155: qxl: null pointer dereference while releasing spice resources (bz #1712727, bz #1712670) qemu-4.0.0-2.fc31 ppc64le: rpm hash calculation buggy (bz #1715017) Fix rawhide build (bz #1718926) Link against libslirp (bz #1712980) Add vgabios-ramfb.bin and vgabios-bochs-display.bin (bz #1721445)
---
diff --git a/0001-target-i386-define-md-clear-bit.patch b/0001-target-i386-define-md-clear-bit.patch
deleted file mode 100644
index eb26334..0000000
--- a/0001-target-i386-define-md-clear-bit.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From de8cb5ded43603937e0e7c341fcd7521822328a6 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini
-Date: Sat, 2 Mar 2019 00:07:10 +0100
-Subject: [PATCH] target/i386: define md-clear bit
-
-md-clear is a new CPUID bit which is set when microcode provides the
-mechanism to invoke a flush of various exploitable CPU buffers by invoking
-the VERW instruction.
-
-Signed-off-by: Paolo Bonzini
-(cherry-picked from a private commit)
----
- target/i386/cpu.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/target/i386/cpu.c b/target/i386/cpu.c
-index d6bb57d210..4ea78a4939 100644
---- a/target/i386/cpu.c
-+++ b/target/i386/cpu.c
-@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
- .feat_names = {
- NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
- NULL, NULL, NULL, NULL,
-- NULL, NULL, NULL, NULL,
-+ NULL, NULL, "md-clear", NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
---
-2.21.0
-
diff --git a/0002-target-i386-define-md-clear-bit.patch b/0002-target-i386-define-md-clear-bit.patch
new file mode 100644
index 0000000..57289e4
--- /dev/null
+++ b/0002-target-i386-define-md-clear-bit.patch
@@ -0,0 +1,29 @@
+From: Paolo Bonzini
+Date: Wed, 15 May 2019 15:10:10 +0100
+Subject: [PATCH] target/i386: define md-clear bit
+
+md-clear is a new CPUID bit which is set when microcode provides the
+mechanism to invoke a flush of various exploitable CPU buffers by invoking
+the VERW instruction.
+
+Signed-off-by: Paolo Bonzini
+Message-Id: <20190515141011.5315-2-berrange@redhat.com>
+Signed-off-by: Eduardo Habkost
+(cherry picked from commit b2ae52101fca7f9547ac2f388085dbc58f8fe1c0)
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index d6bb57d210..4ea78a4939 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .feat_names = {
+ NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, NULL, "md-clear", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
diff --git a/0003-qxl-check-release-info-object.patch b/0003-qxl-check-release-info-object.patch
new file mode 100644
index 0000000..d561406
--- /dev/null
+++ b/0003-qxl-check-release-info-object.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: [PATCH] qxl: check release info object
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec
+Signed-off-by: Prasad J Pandit
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index c8ce5781e0..632923add2 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin,
+ QXLReleaseRing *ring;
+ uint64_t *item, id;
+
++ if (!ext.info) {
++ return;
++ }
+ if (ext.group_id == MEMSLOT_GROUP_HOST) {
+ /* host group -> vga mode update request */
+ QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
diff --git a/0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch b/0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch
new file mode 100644
index 0000000..e3cdb99
--- /dev/null
+++ b/0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch
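Review bot: The added guard `if (!ext.info) { return; }` in interface_release_resource carries no comment, so a reader of hw/display/qxl.c cannot tell that a NULL release-info object is a reachable input rather than a can't-happen case; the CVE-2019-12155 / bz #1712727 context lives only in qemu.spec. Since 0003 is a verbatim cherry-pick of upstream d52680fc93 I would not hand-edit the patch body, but the spec comment above Patch0003 could name the entry point so the mapping survives a later rebase: `# CVE-2019-12155: qxl: NULL ext.info in interface_release_resource() (bz #1712727, bz #1712670)`. The early return also skips everything that follows, including whatever is pushed onto the release ring; that looks intended because there is nothing to release, but it is inferred from the visible context only. interface_release_resource starts and ends outside the hunk.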
@@ -0,0 +1,77 @@
+From: Anton Blanchard
+Date: Fri, 24 May 2019 07:53:45 +0100
+Subject: [PATCH] target/ppc: Fix lxvw4x, lxvh8x and lxvb16x
+
+During the conversion these instructions were incorrectly treated as
+stores. We need to use set_cpu_vsr* and not get_cpu_vsr*.
+
+Fixes: 8b3b2d75c7c0 ("introduce get_cpu_vsr{l,h}() and set_cpu_vsr{l,h}() helpers for VSR register access")
+Signed-off-by: Anton Blanchard
+Reviewed-by: Mark Cave-Ayland
+Tested-by: Greg Kurz
+Reviewed-by: Greg Kurz
+Message-Id: <20190524065345.25591-1-mark.cave-ayland@ilande.co.uk>
+Signed-off-by: David Gibson
+(cherry picked from commit 2a1224359008e23b051b7b45be4789afa0269f8c)
+---
+ target/ppc/translate/vsx-impl.inc.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/target/ppc/translate/vsx-impl.inc.c b/target/ppc/translate/vsx-impl.inc.c
+index 489b2436e4..1df688cc32 100644
+--- a/target/ppc/translate/vsx-impl.inc.c
++++ b/target/ppc/translate/vsx-impl.inc.c
+@@ -102,8 +102,7 @@ static void gen_lxvw4x(DisasContext *ctx)
+ }
+ xth = tcg_temp_new_i64();
+ xtl = tcg_temp_new_i64();
+- get_cpu_vsrh(xth, xT(ctx->opcode));
+- get_cpu_vsrl(xtl, xT(ctx->opcode));
++
+ gen_set_access_type(ctx, ACCESS_INT);
+ EA = tcg_temp_new();
+
+@@ -126,6 +125,8 @@ static void gen_lxvw4x(DisasContext *ctx)
+ tcg_gen_addi_tl(EA, EA, 8);
+ tcg_gen_qemu_ld_i64(xtl, EA, ctx->mem_idx, MO_BEQ);
+ }
++ set_cpu_vsrh(xT(ctx->opcode), xth);
++ set_cpu_vsrl(xT(ctx->opcode), xtl);
+ tcg_temp_free(EA);
+ tcg_temp_free_i64(xth);
+ tcg_temp_free_i64(xtl);
+@@ -185,8 +186,6 @@ static void gen_lxvh8x(DisasContext *ctx)
+ }
+ xth = tcg_temp_new_i64();
+ xtl = tcg_temp_new_i64();
+- get_cpu_vsrh(xth, xT(ctx->opcode));
+- get_cpu_vsrl(xtl, xT(ctx->opcode));
+ gen_set_access_type(ctx, ACCESS_INT);
+
+ EA = tcg_temp_new();
+@@ -197,6 +196,8 @@ static void gen_lxvh8x(DisasContext *ctx)
+ if (ctx->le_mode) {
+ gen_bswap16x8(xth, xtl, xth, xtl);
+ }
++ set_cpu_vsrh(xT(ctx->opcode), xth);
++ set_cpu_vsrl(xT(ctx->opcode), xtl);
+ tcg_temp_free(EA);
+ tcg_temp_free_i64(xth);
+ tcg_temp_free_i64(xtl);
+@@ -214,14 +215,14 @@ static void gen_lxvb16x(DisasContext *ctx)
+ }
+ xth = tcg_temp_new_i64();
+ xtl = tcg_temp_new_i64();
+- get_cpu_vsrh(xth, xT(ctx->opcode));
+- get_cpu_vsrl(xtl, xT(ctx->opcode));
+ gen_set_access_type(ctx, ACCESS_INT);
+ EA = tcg_temp_new();
+ gen_addr_reg_index(ctx, EA);
+ tcg_gen_qemu_ld_i64(xth, EA, ctx->mem_idx, MO_BEQ);
+ tcg_gen_addi_tl(EA, EA, 8);
+ tcg_gen_qemu_ld_i64(xtl, EA, ctx->mem_idx, MO_BEQ);
++ set_cpu_vsrh(xT(ctx->opcode), xth);
++ set_cpu_vsrl(xT(ctx->opcode), xtl);
+ tcg_temp_free(EA);
+ tcg_temp_free_i64(xth);
+ tcg_temp_free_i64(xtl);
diff --git a/0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch b/0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch
new file mode 100644
index 0000000..4a6e49a
--- /dev/null
+++ b/0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch
@@ -0,0 +1,23 @@
+From: Cole Robinson
+Date: Thu, 20 Jun 2019 17:20:13 -0400
+Subject: [PATCH] NOT UPSTREAM: Build fix with latest kernel
+
+From here: https://lkml.org/lkml/2019/6/3/988
+
+Signed-off-by: Cole Robinson
+---
+ linux-user/syscall.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 96cd4bf86d..c7625858eb 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -34,6 +34,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
diff --git a/qemu.spec b/qemu.spec
index b95d9ed..ffd08b9 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -148,7 +148,7 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 4.0.0
-Release: 3%{?rcrel}%{?dist}
+Release: 4%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2 and BSD and MIT and CC-BY
 URL: http://www.qemu.org/
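Review bot: In the first inner hunk of 0004 (gen_lxvw4x, `@@ -102,8 +102,7 @@`) the two removed get_cpu_vsr* calls are replaced by an added empty line (`++` with nothing after it) rather than dropped, leaving a stray blank line between `xtl = tcg_temp_new_i64();` and `gen_set_access_type(ctx, ACCESS_INT);`, while the gen_lxvh8x and gen_lxvb16x hunks in the same patch drop the lines outright. This matches the 7-insertion diffstat and is presumably how upstream 2a1224359008 landed, so it is better left verbatim than hand-edited in the backport; it is cosmetic only. On the NOT-UPSTREAM 0005 patch that ends on this line, the added `#include` in linux-user/syscall.c shows no header name in this rendering and the description only links an lkml thread, so a one-line note in the patch body naming the header and the kernel change that made it necessary would make it easier to tell when the workaround can be dropped. The gen_* functions each start and end outside their hunks.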
@@ -176,10 +176,16 @@ Source21: 95-kvm-ppc64-memlock.conf
 # Not upstream: temporary workaround until kernel supports lands for nested
 # VMX migration
 Patch0001: 0001-Revert-target-i386-kvm-add-VMX-migration-blocker.patch
-
-
 # CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
-Patch1001: 0001-target-i386-define-md-clear-bit.patch
+Patch0002: 0002-target-i386-define-md-clear-bit.patch
+# CVE-2019-12155: qxl: null pointer dereference while releasing spice
+# resources (bz #1712727, bz #1712670)
+Patch0003: 0003-qxl-check-release-info-object.patch
+# qemu-4.0.0-2.fc31 ppc64le: rpm hash calculation buggy (bz #1715017)
+Patch0004: 0004-target-ppc-Fix-lxvw4x-lxvh8x-and-lxvb16x.patch
+# Fix rawhide build (bz #1718926)
+# Not upstream, might be a kernel fix
+Patch0005: 0005-NOT-UPSTREAM-Build-fix-with-latest-kernel.patch
 
 # documentation deps
 BuildRequires: texinfo
@@ -1737,6 +1743,14 @@ getent passwd qemu >/dev/null || \
 
 
 %changelog
+* Thu Jun 20 2019 Cole Robinson - 2:4.0.0-4
+- CVE-2019-12155: qxl: null pointer dereference while releasing spice
+ resources (bz #1712727, bz #1712670)
+- qemu-4.0.0-2.fc31 ppc64le: rpm hash calculation buggy (bz #1715017)
+- Fix rawhide build (bz #1718926)
+- Link against libslirp (bz #1712980)
+- Add vgabios-ramfb.bin and vgabios-bochs-display.bin (bz #1721445)
+
 * Tue May 14 2019 Daniel P. Berrangé - 2:4.0.0-2
 - Define md-clear CPUID bit
 - Resolves: rhbz #1710002 (CVE-2018-12126), rhbz #1710004 (CVE-2018-12127),
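Review bot: The new %changelog entry lists `- Link against libslirp (bz #1712980)` and `- Add vgabios-ramfb.bin and vgabios-bochs-display.bin (bz #1721445)`, but no qemu.spec hunk in this diff touches BuildRequires, configure flags or %files — only the Release bump, the Patch000N lines and the changelog itself. If those two changes landed in the unlisted 4.0.0-3 commit without a changelog entry this is fine, but otherwise the entry describes work the commit does not contain and should be trimmed to the patch-related items. Separately, the comment `# Not upstream, might be a kernel fix` above Patch0005 does not say what is expected to change; `# Not upstream: build fix for a newer kernel header, see the lkml link in 0005; drop once the kernel side is resolved` would record the source the patch already cites. The Patch1001 → Patch0002 renumbering is consistent with the deletion of the old 0001 file in the same commit.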