From 550fc59b0e0ee4a23f490bd4491b7003820fdda1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 29 2019 12:53:22 +0000
Subject: import qemu-kvm-ma-2.12.0-18.el7_6.4
---
diff --git a/SOURCES/kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch b/SOURCES/kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch
new file mode 100644
index 0000000..1f4fdaf
--- /dev/null
+++ b/SOURCES/kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch
@@ -0,0 +1,59 @@
+From b18831e53e64414ebd35419fb8dffd51e8ec46f7 Mon Sep 17 00:00:00 2001
+From: Sergio Lopez Pascual
+Date: Mon, 15 Apr 2019 09:09:30 +0200
+Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Sergio Lopez Pascual
+Message-id: <20190415090930.27086-2-slp@redhat.com>
+Patchwork-id: 85657
+O-Subject: [RHEL-7.6.z qemu-kvm-ma PATCH 1/1] device_tree: Fix integer overflowing in load_device_tree()
+Bugzilla: 1693112
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: John Snow
+
+From: Markus Armbruster
+
+If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
+computation of @dt_size overflows to a negative number, which then
+gets converted to a very large size_t for g_malloc0() and
+load_image_size(). In the (fortunately improbable) case g_malloc0()
+succeeds and load_image_size() survives, we'd assign the negative
+number to *sizep. What that would do to the callers I can't say, but
+it's unlikely to be good.
+
+Fix by rejecting images whose size would overflow.
+
+Reported-by: Kurtis Miller
+Signed-off-by: Markus Armbruster
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Alistair Francis
+Message-Id: <20190409174018.25798-1-armbru@redhat.com>
+(cherry picked from commit 065e6298a75164b4347682b63381dbe752c2b156)
+Signed-off-by: Sergio Lopez
+Signed-off-by: Miroslav Rezanina
+---
+ device_tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/device_tree.c b/device_tree.c
+index 19458b3..2457f58 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ filename_path);
+ goto fail;
+ }
++ if (dt_size > INT_MAX / 2 - 10000) {
++ error_report("Device tree file '%s' is too large", filename_path);
++ goto fail;
++ }
+ 
+ /* Expand to 2x size to give enough room for manipulation. */
+ dt_size += 10000;
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-s390x-cpumodel-ignore-csske-for-expansion.patch b/SOURCES/kvm-s390x-cpumodel-ignore-csske-for-expansion.patch
new file mode 100644
index 0000000..1a2a8a7
--- /dev/null
+++ b/SOURCES/kvm-s390x-cpumodel-ignore-csske-for-expansion.patch
@@ -0,0 +1,46 @@
+From f2ac185797ae7e260a99dae91a6a9adf89538d49 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Thu, 13 Jun 2019 08:07:26 +0200
+Subject: [PATCH] s390x/cpumodel: ignore csske for expansion
+
+RH-Author: David Hildenbrand
+Message-id: <20190613080726.13089-1-david@redhat.com>
+Patchwork-id: 88658
+O-Subject: [RHEL-7.6.z qemu-kvm-ma PATCH] s390x/cpumodel: ignore csske for expansion
+Bugzilla: 1720262
+RH-Acked-by: Jens Freimann
+RH-Acked-by: Cornelia Huck
+RH-Acked-by: Laurent Vivier
+RH-Acked-by: Eduardo Habkost
+
+csske will be removed in a future machine. Ignore it for expanding the
+cpu model. Otherwise qemu falls back to z9.
+
+Signed-off-by: Christian Borntraeger
+Cc: qemu-stable@nongnu.org
+Reviewed-by: David Hildenbrand
+Message-Id: <20190429090250.7648-3-borntraeger@de.ibm.com>
+Signed-off-by: Cornelia Huck
+(cherry picked from commit eaf6f642abf1d4d24791b70728d4068428fc4658)
+Signed-off-by: David Hildenbrand
+Signed-off-by: Miroslav Rezanina
+---
+ target/s390x/cpu_models.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c
+index 0b5d271..ed06498 100644
+--- a/target/s390x/cpu_models.c
++++ b/target/s390x/cpu_models.c
+@@ -1259,6 +1259,8 @@ static void init_ignored_base_feat(void)
+ S390_FEAT_KM_TDEA_192,
+ S390_FEAT_KIMD_SHA_1,
+ S390_FEAT_KLMD_SHA_1,
++ /* CSSKE is deprecated on newer generations */
++ S390_FEAT_CONDITIONAL_SSKE,
+ };
+ int i;
+ 
+-- 
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 17976e3..21ca722 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
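Review bot: The guard added in the device_tree.c hunk, `if (dt_size > INT_MAX / 2 - 10000)`, encodes arithmetic the reader cannot see from the check itself: the `dt_size += 10000;` that follows the "Expand to 2x size" comment and the doubling that comment refers to, which happens beyond the end of the hunk (load_device_tree() continues outside it). As far as the visible lines go the bound is right — with dt_size at or below INT_MAX / 2 - 10000, adding 10000 stays within INT_MAX / 2 and doubling stays below INT_MAX — but the 10000 and the factor of 2 are now duplicated between the guard and the body, so a later change to the slack or the expansion factor would silently desynchronise them. I would add a one-line comment above the check tying them together, e.g. `/* dt_size is grown by 10000 and doubled below; reject sizes whose expansion would overflow int */`, and, if this backport is ever refreshed against upstream, consider naming the slack as a constant used by both lines. Since this is a cherry-pick of upstream 065e6298, keeping the patch byte-identical and carrying the comment as a follow-up is reasonable.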
@@ -108,7 +108,7 @@ Obsoletes: %1%{rhel_ma_suffix} < %{obsoletes_version2} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 2.12.0
-Release: 18%{?dist}.2
+Release: 18%{?dist}.4
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
@@ -1143,6 +1143,10 @@ Patch493: kvm-hw-s390x-Fix-bad-mask-in-time2tod.patch
 # For bz#1667843 - RHEL-Alt-7.6 - Backport diag308 stable exception fix (qemu-kvm-ma)
 # For bz#1668424 - RHEL-Alt-7.6 - Backport diag308 stable exception fix (qemu-kvm-ma) [rhel-7.6.z]
 Patch494: kvm-s390x-Return-specification-exception-for-unimplement.patch
+# For bz#1693112 - CVE-2018-20815 qemu-kvm-ma: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-7.6.z]
+Patch495: kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch
+# For bz#1720262 - RHEL-Alt-7.6 - QEMU toleration patch to ensure cpu detection in a nested KVM [rhel-7.6.z]
+Patch496: kvm-s390x-cpumodel-ignore-csske-for-expansion.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -1851,6 +1855,8 @@ ApplyOptionalPatch()
 %patch492 -p1
 %patch493 -p1
 %patch494 -p1
+%patch495 -p1
+%patch496 -p1
 
 # Fix executable permission for iotests
 chmod 755 $(ls tests/qemu-iotests/???)
@@ -2371,6 +2377,15 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 %endif
 
 %changelog
+* Sat Jun 22 2019 Miroslav Rezanina - 2.12.0-18.el7_6.4
+- kvm-s390x-cpumodel-ignore-csske-for-expansion.patch [bz#1720262]
+- Resolves: bz#1720262
+
+* Fri May 17 2019 Miroslav Rezanina - 2.12.0-18.el7_6.3
+- kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch [bz#1693112]
+- Resolves: bz#1693112
+ (CVE-2018-20815 qemu-kvm-ma: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-7.6.z])
+
 * Wed Feb 06 2019 Miroslav Rezanina - ma-2.12.0-18.el7_6.2
 - kvm-s390x-refuse-to-start-guests-backed-by-hugetlbfs.patch [bz#1672919]
 - kvm-s390x-tcg-avoid-overflows-in-time2tod-tod2time.patch [bz#1672920]