From a6baaff6190630414bb841dd7882b032939fda3d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 10 2021 12:04:33 +0000 Subject: import qemu-kvm-4.2.0-48.module+el8.4.0+11909+3300d70f.3 --- diff --git a/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch b/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch new file mode 100644 index 0000000..859de91 --- /dev/null +++ b/SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch 
@@ -0,0 +1,82 @@ +From 6c2949cba8971971c89fb1e5db9e557dfcd156ef Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:04 -0400 +Subject: [PATCH 5/8] acpi: accept byte and word access to core ACPI registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-5-jmaloy@redhat.com> +Patchwork-id: 101482 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 4/6] acpi: accept byte and word access to core ACPI registers +Bugzilla: 1944621 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: Michael Tokarev + +All ISA registers should be accessible as bytes, words or dwords +(if wide enough). Fix the access constraints for acpi-pm-evt, +acpi-pm-tmr & acpi-cnt registers. + +Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid") +Fixes: afafe4bbe0 (apci: switch cnt to memory api) +Fixes: 77d58b1e47 (apci: switch timer to memory api) +Fixes: b5a7c024d2 (apci: switch evt to memory api) +Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/ +Buglink: https://bugs.debian.org/964793 +BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247 +BugLink: https://bugs.launchpad.net/bugs/1886318 +Reported-By: Simon John +Signed-off-by: Michael Tokarev +Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru> +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +(cherry picked from commit dba04c3488c4699f5afe96f66e448b1d447cf3fb) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. 
de Paula +--- + hw/acpi/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/hw/acpi/core.c b/hw/acpi/core.c +index 45cbed49ab..d85052c34a 100644 +--- a/hw/acpi/core.c ++++ b/hw/acpi/core.c +@@ -461,7 +461,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_evt_ops = { + .read = acpi_pm_evt_read, + .write = acpi_pm_evt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -530,7 +531,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_tmr_ops = { + .read = acpi_pm_tmr_read, + .write = acpi_pm_tmr_write, +- .valid.min_access_size = 4, ++ .impl.min_access_size = 4, ++ .valid.min_access_size = 1, + .valid.max_access_size = 4, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +@@ -602,7 +604,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val, + static const MemoryRegionOps acpi_pm_cnt_ops = { + .read = acpi_pm_cnt_read, + .write = acpi_pm_cnt_write, +- .valid.min_access_size = 2, ++ .impl.min_access_size = 2, ++ .valid.min_access_size = 1, + .valid.max_access_size = 2, + .endianness = DEVICE_LITTLE_ENDIAN, + }; +-- +2.27.0 + diff --git a/SOURCES/kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch b/SOURCES/kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch new file mode 100644 index 0000000..4316d69 --- /dev/null +++ b/SOURCES/kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch 
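Review bot: The three ops structs (acpi_pm_evt_ops, acpi_pm_tmr_ops, acpi_pm_cnt_ops) now carry an impl/valid split with nothing in the code saying why the two differ; the reason — guests may issue byte accesses to these ISA registers while the read/write callbacks expect the full register width — lives only in the commit message, and the companion memory revert in this import notes that the impl field is what makes the core convert accesses to that length. A one-line comment above each `.impl.min_access_size` line, e.g. `/* guests may access this ISA register as bytes; impl makes the core widen them for the callbacks */`, would keep the intent next to the code and discourage collapsing the two fields again.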
@@ -0,0 +1,60 @@ +From 1cbb554a4057afd4d71c04757ef7fd1bbb7114ee Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 29 Jun 2021 03:42:46 -0400 +Subject: [PATCH 8/9] cadence_gem: switch to use qemu_receive_packet() for + loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210629034247.3286477-9-jmaloy@redhat.com> +Patchwork-id: 101793 +O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 8/9] cadence_gem: switch to use qemu_receive_packet() for loopback +Bugzilla: 1932917 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Alexander Bulekov + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Alexander Bulekov +Signed-off-by: Jason Wang + +(cherry picked from commit e73adfbeec9d4e008630c814759052ed945c3fed) +Conflict: upstream commit 24d62fd5028e ("net: cadence_gem: Move tx/rx +packet buffert to CadenceGEMState") is missing in this version, so +we stick to using the original stack variable tx_packet in the calls. + +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + hw/net/cadence_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c +index b8be73dc55..be7c91123b 100644 +--- a/hw/net/cadence_gem.c ++++ b/hw/net/cadence_gem.c +@@ -1225,8 +1225,8 @@ static void gem_transmit(CadenceGEMState *s) + /* Send the packet somewhere */ + if (s->phy_loop || (s->regs[GEM_NWCTRL] & + GEM_NWCTRL_LOCALLOOP)) { +- gem_receive(qemu_get_queue(s->nic), tx_packet, +- total_bytes); ++ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet, ++ total_bytes); + } else { + qemu_send_packet(qemu_get_queue(s->nic), tx_packet, + total_bytes); +-- +2.27.0 + 
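Review bot: The ssize_t returned by qemu_receive_packet() is discarded on the changed lines, so a loopback frame the helper refuses — it returns 0 when the NIC cannot receive or when its incoming queue is already delivering, the re-entrancy case this series guards against — is dropped with no trace in the transmit path. That is the intended safe outcome, but it is invisible when debugging a guest whose loopback frames vanish; a comment at the call site such as `/* 0 means dropped: receive disabled or re-entered during delivery */`, or a trace point, would make it visible. The same pattern appears in the dp8393x, e1000 and lan9118 patches in this import. gem_transmit() begins and ends outside the hunk.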
diff --git a/SOURCES/kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch b/SOURCES/kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch new file mode 100644 index 0000000..a100b0c --- /dev/null +++ b/SOURCES/kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch @@ -0,0 +1,53 @@ +From 4044e97e37188a9844cc6cd66d8b7819acccb27e Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 29 Jun 2021 03:42:41 -0400 +Subject: [PATCH 3/9] dp8393x: switch to use qemu_receive_packet() for loopback + packet +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210629034247.3286477-4-jmaloy@redhat.com> +Patchwork-id: 101789 +O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 3/9] dp8393x: switch to use qemu_receive_packet() for loopback packet +Bugzilla: 1932917 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Jason Wang + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé + +(cherry picked from commit 331d2ac9ea307c990dc86e6493e8f0c48d14bb33) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + hw/net/dp8393x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c +index 3d991af163..6d55b5de64 100644 +--- a/hw/net/dp8393x.c ++++ b/hw/net/dp8393x.c +@@ -482,7 +482,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s) + s->regs[SONIC_TCR] |= SONIC_TCR_CRSL; + if (nc->info->can_receive(nc)) { + s->loopback_packet = 1; +- nc->info->receive(nc, s->tx_buffer, tx_len); ++ qemu_receive_packet(nc, s->tx_buffer, tx_len); + } + } else { + /* Transmit packet */ +-- +2.27.0 + 
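Review bot: `s->loopback_packet = 1` is set on the line before the changed call, but qemu_receive_packet() can now return 0 without ever invoking the receive handler (receive disabled, or the queue already delivering), which the old direct `nc->info->receive()` call never did. If the flag is only cleared inside the receive path, it would presumably stay set until the next frame arrives and mark an unrelated packet as loopback; worth confirming where it is reset and, if so, clearing it on the early-return case, e.g. `if (qemu_receive_packet(nc, s->tx_buffer, tx_len) == 0) { s->loopback_packet = 0; }`. The enclosing dp8393x_do_transmit_packets() begins and ends outside the hunk.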
diff --git a/SOURCES/kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch b/SOURCES/kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch new file mode 100644 index 0000000..b2a211f --- /dev/null +++ b/SOURCES/kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch @@ -0,0 +1,52 @@ +From bf44928b2ac2cb8b9608209d5425533458fd2b8a Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 29 Jun 2021 03:42:40 -0400 +Subject: [PATCH 2/9] e1000: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210629034247.3286477-3-jmaloy@redhat.com> +Patchwork-id: 101784 +O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 2/9] e1000: switch to use qemu_receive_packet() for loopback +Bugzilla: 1932917 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Jason Wang + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Jason Wang + +(cherry picked from commit 1caff0340f49c93d535c6558a5138d20d475315c) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + hw/net/e1000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/e1000.c b/hw/net/e1000.c +index fc73fdd6fa..f6ae78748a 100644 +--- a/hw/net/e1000.c ++++ b/hw/net/e1000.c +@@ -547,7 +547,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size) + + NetClientState *nc = qemu_get_queue(s->nic); + if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) { +- nc->info->receive(nc, buf, size); ++ qemu_receive_packet(nc, buf, size); + } else { + qemu_send_packet(nc, buf, size); + } +-- +2.27.0 + 
diff --git a/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch b/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch new file mode 100644 index 0000000..d63b7ed --- /dev/null +++ b/SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch 
@@ -0,0 +1,80 @@ +From fd46dd1555e5955cf55b463ef126cf5cfac1d7ae Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Fri, 21 May 2021 23:04:32 -0400 +Subject: [PATCH 8/8] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210521230432.585518-2-jmaloy@redhat.com> +Patchwork-id: 101625 +O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register +Bugzilla: 1952986 +RH-Acked-by: Danilo de Paula +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé + +From: Philippe Mathieu-Daudé + +Per the ARM Generic Interrupt Controller Architecture specification +(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit, +not 10: + + - 4.3 Distributor register descriptions + - 4.3.15 Software Generated Interrupt Register, GICD_SG + + - Table 4-21 GICD_SGIR bit assignments + + The Interrupt ID of the SGI to forward to the specified CPU + interfaces. The value of this field is the Interrupt ID, in + the range 0-15, for example a value of 0b0011 specifies + Interrupt ID 3. + +Correct the irq mask to fix an undefined behavior (which eventually +lead to a heap-buffer-overflow, see [Buglink]): + + $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio + [I 1612088147.116987] OPENED + [R +0.278293] writel 0x8000f00 0xff4affb0 + ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]' + SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13 + +This fixes a security issue when running with KVM on Arm with +kernel-irqchip=off. (The default is kernel-irqchip=on, which is +unaffected, and which is also the correct choice for performance.) 
+ +Cc: qemu-stable@nongnu.org +Fixes: CVE-2021-20221 +Fixes: 9ee6e8bb853 ("ARMv7 support.") +Buglink: https://bugs.launchpad.net/qemu/+bug/1913916 +Buglink: https://bugs.launchpad.net/qemu/+bug/1913917 +Reported-by: Alexander Bulekov +Signed-off-by: Philippe Mathieu-Daudé +Message-id: 20210131103401.217160-1-f4bug@amsat.org +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell + +(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + hw/intc/arm_gic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c +index 1d7da7baa2..df355f4d11 100644 +--- a/hw/intc/arm_gic.c ++++ b/hw/intc/arm_gic.c +@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset, + int target_cpu; + + cpu = gic_get_current_cpu(s); +- irq = value & 0x3ff; ++ irq = value & 0xf; + switch ((value >> 24) & 3) { + case 0: + mask = (value >> 16) & ALL_CPU_MASK; +-- +2.27.0 + diff --git a/SOURCES/kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch b/SOURCES/kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch new file mode 100644 index 0000000..11fac16 --- /dev/null +++ b/SOURCES/kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch 
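Review bot: The new mask `irq = value & 0xf;` is right for the 4-bit SGIINTID field but carries no hint of why the width matters, even though the out-of-bounds index into a `uint8_t [16][8]` table that it prevents is the whole point of the change. A comment such as `/* GICD_SGIR.SGIINTID is 4 bits (SGI 0-15); a wider mask indexes the 16-entry SGI table out of bounds */` would stop a later cleanup from widening it again. gic_dist_writel() starts before and ends after the hunk.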
@@ -0,0 +1,53 @@ +From 0438b497def59f2101864d79a20e50b896ae1870 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 29 Jun 2021 03:42:47 -0400 +Subject: [PATCH 9/9] lan9118: switch to use qemu_receive_packet() for loopback +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210629034247.3286477-10-jmaloy@redhat.com> +Patchwork-id: 101790 +O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 9/9] lan9118: switch to use qemu_receive_packet() for loopback +Bugzilla: 1932917 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Alexander Bulekov + +This patch switches to use qemu_receive_packet() which can detect +reentrancy and return early. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Jason Wang + +(cherry picked from commit 37cee01784ff0df13e5209517e1b3594a5e792d1) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + hw/net/lan9118.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c +index ed551f2178..7bb4633f0f 100644 +--- a/hw/net/lan9118.c ++++ b/hw/net/lan9118.c +@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *s) + /* FIXME: Honor TX disable, and allow queueing of packets. */ + if (s->phy_control & 0x4000) { + /* This assumes the receive routine doesn't touch the VLANClient. */ +- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len); ++ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } else { + qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len); + } +-- +2.27.0 + diff --git a/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch b/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch new file mode 100644 index 0000000..b9781d0 --- /dev/null 
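Review bot: The comment above the changed line, `/* This assumes the receive routine doesn't touch the VLANClient. */`, still describes the old direct call to lan9118_receive(), while the frame now goes through qemu_receive_packet() and the client's incoming queue, so the assumption it records no longer matches the code and reads as stale. Either drop it or reword it, e.g. `/* Loopback: hand the frame to our own incoming queue; 0 means it was dropped. */`. do_tx_packet() begins and ends outside the hunk.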
+++ b/SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch @@ -0,0 +1,47 @@ +From 17813233c9bb5c93c7f3c7fc350641f8e76e769c Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:02 -0400 +Subject: [PATCH 3/8] libqos: pci-pc: use 32-bit write for EJ register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-3-jmaloy@redhat.com> +Patchwork-id: 101484 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 2/6] libqos: pci-pc: use 32-bit write for EJ register +Bugzilla: 1944621 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: Paolo Bonzini + +The memory region ops have min_access_size == 4 so obey it. + +Tested-by: Thomas Huth +Signed-off-by: Paolo Bonzini + +(cherry picked from commit 4b7c06837ae0b1ff56473202a42e7e386f53d6db) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + tests/libqos/pci-pc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/libqos/pci-pc.c b/tests/libqos/pci-pc.c +index 0bc591d1da..3bb2eb3ba8 100644 +--- a/tests/libqos/pci-pc.c ++++ b/tests/libqos/pci-pc.c +@@ -186,7 +186,7 @@ void qpci_unplug_acpi_device_test(QTestState *qts, const char *id, uint8_t slot) + g_assert(!qdict_haskey(response, "error")); + qobject_unref(response); + +- qtest_outb(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot); ++ qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot); + + qtest_qmp_eventwait(qts, "DEVICE_DELETED"); + } +-- +2.27.0 + diff --git a/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch b/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch new file mode 100644 index 0000000..1406231 --- /dev/null +++ b/SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch 
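Review bot: `1 << slot` on the changed line is a signed int shift: slot is a uint8_t, and for slot == 31 the result overflows int (undefined behaviour), while larger values shift past the type width. Since the value is now written as a 32-bit register anyway, `qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1u << slot);` expresses the intent and removes the UB for the 0-31 range, and a `g_assert(slot < 32);` above it would catch bad callers of this test helper early. The enclosing qpci_unplug_acpi_device_test() starts before the hunk.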
@@ -0,0 +1,48 @@ +From 9c10bd2a3cd83c06add41e61a970da304fb0d3bf Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:01 -0400 +Subject: [PATCH 2/8] libqos: usb-hcd-ehci: use 32-bit write for config + register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-2-jmaloy@redhat.com> +Patchwork-id: 101478 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 1/6] libqos: usb-hcd-ehci: use 32-bit write for config register +Bugzilla: 1944621 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: Paolo Bonzini + +The memory region ops have min_access_size == 4 so obey it. + +Tested-by: Thomas Huth +Signed-off-by: Paolo Bonzini + +(cherry picked from commit 89ed83d8b23c11d250c290593cad3ca839d5b053) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + tests/usb-hcd-ehci-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/usb-hcd-ehci-test.c b/tests/usb-hcd-ehci-test.c +index 5251d539e9..c51e8bb223 100644 +--- a/tests/usb-hcd-ehci-test.c ++++ b/tests/usb-hcd-ehci-test.c +@@ -96,7 +96,7 @@ static void pci_ehci_port_1(void) + static void pci_ehci_config(void) + { + /* hands over all ports from companion uhci to ehci */ +- qpci_io_writew(ehci1.dev, ehci1.bar, 0x60, 1); ++ qpci_io_writel(ehci1.dev, ehci1.bar, 0x60, 1); + } + + static void pci_uhci_port_2(void) +-- +2.27.0 + diff --git a/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch b/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch new file mode 100644 index 0000000..eff9682 --- /dev/null +++ b/SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch 
@@ -0,0 +1,104 @@ +From e4010373c72eab2342d2ba7f10c1ddf43dc618c8 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:03 -0400 +Subject: [PATCH 4/8] memory: Revert "memory: accept mismatching sizes in + memory_region_access_valid" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-4-jmaloy@redhat.com> +Patchwork-id: 101480 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 3/6] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid" +Bugzilla: 1944621 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: "Michael S. Tsirkin" + +Memory API documentation documents valid .min_access_size and .max_access_size +fields and explains that any access outside these boundaries is blocked. + +This is what devices seem to assume. + +However this is not what the implementation does: it simply +ignores the boundaries unless there's an "accepts" callback. + +Naturally, this breaks a bunch of devices. + +Revert to the documented behaviour. + +Devices that want to allow any access can just drop the valid field, +or add the impl field to have accesses converted to appropriate +length. + +Cc: qemu-stable@nongnu.org +Reviewed-by: Richard Henderson +Fixes: CVE-2020-13754 +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363 +Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid") +Signed-off-by: Michael S. Tsirkin +Message-Id: <20200610134731.1514409-1-mst@redhat.com> +Signed-off-by: Paolo Bonzini + +(cherry picked from commit 5d971f9e672507210e77d020d89e0e89165c8fc9) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. 
de Paula +--- + memory.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/memory.c b/memory.c +index 5a4a80842d..0cfcb72a5a 100644 +--- a/memory.c ++++ b/memory.c +@@ -1351,35 +1351,24 @@ bool memory_region_access_valid(MemoryRegion *mr, + bool is_write, + MemTxAttrs attrs) + { +- int access_size_min, access_size_max; +- int access_size, i; +- +- if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ if (mr->ops->valid.accepts ++ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) { + return false; + } + +- if (!mr->ops->valid.accepts) { +- return true; +- } +- +- access_size_min = mr->ops->valid.min_access_size; +- if (!mr->ops->valid.min_access_size) { +- access_size_min = 1; ++ if (!mr->ops->valid.unaligned && (addr & (size - 1))) { ++ return false; + } + +- access_size_max = mr->ops->valid.max_access_size; ++ /* Treat zero as compatibility all valid */ + if (!mr->ops->valid.max_access_size) { +- access_size_max = 4; ++ return true; + } + +- access_size = MAX(MIN(size, access_size_max), access_size_min); +- for (i = 0; i < size; i += access_size) { +- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size, +- is_write, attrs)) { +- return false; +- } ++ if (size > mr->ops->valid.max_access_size ++ || size < mr->ops->valid.min_access_size) { ++ return false; + } +- + return true; + } + +-- +2.27.0 + diff --git a/SOURCES/kvm-net-introduce-qemu_receive_packet.patch b/SOURCES/kvm-net-introduce-qemu_receive_packet.patch new file mode 100644 index 0000000..7fecc55 --- /dev/null +++ b/SOURCES/kvm-net-introduce-qemu_receive_packet.patch 
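Review bot: In the rewritten memory_region_access_valid() the `valid.accepts` callback now runs before the alignment and size checks, so a device's accepts() is handed accesses the function would reject anyway; the removed code only called accepts with a clamped access_size, so whether any accepts() implementation relies on size already being within [min, max] is worth confirming. The comment `/* Treat zero as compatibility all valid */` is also hard to parse; `/* max_access_size == 0: the ops never set a limit, accept any size (compatibility) */` says what the check does. Note that this early `return true` also skips the `size < min_access_size` test, which appears to assume ops that leave max unset leave min unset too.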
@@ -0,0 +1,187 @@ +From ee23b82cc9174c96ea73252e2986cf822999494b Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Tue, 29 Jun 2021 03:42:39 -0400 +Subject: [PATCH 1/9] net: introduce qemu_receive_packet() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210629034247.3286477-2-jmaloy@redhat.com> +Patchwork-id: 101785 +O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 1/9] net: introduce qemu_receive_packet() +Bugzilla: 1932917 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Stefan Hajnoczi +RH-Acked-by: Thomas Huth + +From: Jason Wang + +Some NIC supports loopback mode and this is done by calling +nc->info->receive() directly which in fact suppresses the effort of +reentrancy check that is done in qemu_net_queue_send(). + +Unfortunately we can't use qemu_net_queue_send() here since for +loopback there's no sender as peer, so this patch introduce a +qemu_receive_packet() which is used for implementing loopback mode +for a NIC with this check. + +NIC that supports loopback mode will be converted to this helper. + +This is intended to address CVE-2021-3416. + +Cc: Prasad J Pandit +Reviewed-by: Philippe Mathieu-Daudé +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang + +(cherry picked from commit 705df5466c98f3efdd2b68d3b31dad86858acad7) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. 
de Paula +--- + include/net/net.h | 5 +++++ + include/net/queue.h | 8 ++++++++ + net/net.c | 38 +++++++++++++++++++++++++++++++------- + net/queue.c | 22 ++++++++++++++++++++++ + 4 files changed, 66 insertions(+), 7 deletions(-) + +diff --git a/include/net/net.h b/include/net/net.h +index e175ba9677..1b32a8aaec 100644 +--- a/include/net/net.h ++++ b/include/net/net.h +@@ -142,12 +142,17 @@ void *qemu_get_nic_opaque(NetClientState *nc); + void qemu_del_net_client(NetClientState *nc); + typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque); + void qemu_foreach_nic(qemu_nic_foreach func, void *opaque); ++int qemu_can_receive_packet(NetClientState *nc); + int qemu_can_send_packet(NetClientState *nc); + ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov, + int iovcnt); + ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov, + int iovcnt, NetPacketSent *sent_cb); + ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size); ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size); ++ssize_t qemu_receive_packet_iov(NetClientState *nc, ++ const struct iovec *iov, ++ int iovcnt); + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size); + ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf, + int size, NetPacketSent *sent_cb); +diff --git a/include/net/queue.h b/include/net/queue.h +index c0269bb1dc..9f2f289d77 100644 +--- a/include/net/queue.h ++++ b/include/net/queue.h +@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue, + + void qemu_del_net_queue(NetQueue *queue); + ++ssize_t qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size); ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt); ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +diff --git a/net/net.c b/net/net.c +index 84aa6d8d00..d0b651ca95 100644 +--- 
a/net/net.c ++++ b/net/net.c +@@ -516,6 +516,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be) + #endif + } + ++int qemu_can_receive_packet(NetClientState *nc) ++{ ++ if (nc->receive_disabled) { ++ return 0; ++ } else if (nc->info->can_receive && ++ !nc->info->can_receive(nc)) { ++ return 0; ++ } ++ return 1; ++} ++ + int qemu_can_send_packet(NetClientState *sender) + { + int vm_running = runstate_is_running(); +@@ -528,13 +539,7 @@ int qemu_can_send_packet(NetClientState *sender) + return 1; + } + +- if (sender->peer->receive_disabled) { +- return 0; +- } else if (sender->peer->info->can_receive && +- !sender->peer->info->can_receive(sender->peer)) { +- return 0; +- } +- return 1; ++ return qemu_can_receive_packet(sender->peer); + } + + static ssize_t filter_receive_iov(NetClientState *nc, +@@ -667,6 +672,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size) + return qemu_send_packet_async(nc, buf, size, NULL); + } + ++ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive(nc->incoming_queue, buf, size); ++} ++ ++ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov, ++ int iovcnt) ++{ ++ if (!qemu_can_receive_packet(nc)) { ++ return 0; ++ } ++ ++ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt); ++} ++ + ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size) + { + return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW, +diff --git a/net/queue.c b/net/queue.c +index 61276ca4be..7c0b72c8ef 100644 +--- a/net/queue.c ++++ b/net/queue.c +@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue, + return ret; + } + ++ssize_t qemu_net_queue_receive(NetQueue *queue, ++ const uint8_t *data, ++ size_t size) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver(queue, NULL, 0, data, size); 
++} ++ ++ssize_t qemu_net_queue_receive_iov(NetQueue *queue, ++ const struct iovec *iov, ++ int iovcnt) ++{ ++ if (queue->delivering) { ++ return 0; ++ } ++ ++ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt); ++} ++ + ssize_t qemu_net_queue_send(NetQueue *queue, + NetClientState *sender, + unsigned flags, +-- +2.27.0 + diff --git a/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch b/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch new file mode 100644 index 0000000..cf3ef08 --- /dev/null +++ b/SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch 
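Review bot: qemu_net_queue_receive() and qemu_net_queue_receive_iov() pass `NULL` as the sender to qemu_net_queue_deliver()/_iov(), so the queue's deliver callback and any net filter on the receive path get a NULL sender for loopback frames; anything there that dereferences sender without a check would now crash, which is worth confirming before the NIC conversions in this import rely on it. The new public declarations in include/net/net.h and include/net/queue.h also carry no comment describing the contract: they are for a NIC feeding a frame to itself, and 0 means the frame was dropped because receive is disabled or the queue is already delivering. A comment on `ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);` such as `/* Deliver a frame to nc's own incoming queue (loopback). Returns 0 if nc cannot receive or the queue is already delivering (re-entrancy guard). */` would record that for the callers being converted.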
@@ -0,0 +1,62 @@
+From 04c233dd15e3b5bc842af371c3433eb723ffb6e6 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 23 Mar 2021 22:11:13 -0400
+Subject: [PATCH 1/8] net: remove an assert call in eth_get_gso_type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210323221113.1893864-2-jmaloy@redhat.com>
+Patchwork-id: 101364
+O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] net: remove an assert call in eth_get_gso_type
+Bugzilla: 1939494
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Xiao Wang
+RH-Acked-by: Thomas Huth
+
+From: Prasad J Pandit
+
+eth_get_gso_type() routine returns segmentation offload type based on
+L3 protocol type. It calls g_assert_not_reached if L3 protocol is
+unknown, making the following return statement unreachable. Remove the
+g_assert call, it maybe triggered by a guest user.
+
+Reported-by: Gaoning Pan
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 7564bf7701f00214cdc8a678a9f7df765244def1)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ net/eth.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/eth.c b/net/eth.c
+index 0c1d413ee2..1e0821c5f8 100644
+--- a/net/eth.c
++++ b/net/eth.c
+@@ -16,6 +16,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "net/tap.h"
+@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
+ return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+ }
+ }
+-
+- /* Unsupported offload */
+- g_assert_not_reached();
++ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+
+ return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
+-- 
+2.27.0
+
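Review bot: The fallback at the end of eth_get_gso_type() is now reached on a guest-controlled path, but the comment that explained it was removed together with the assert; keep one above the qemu_log_mask() call, e.g. `/* Unknown L3 protocol: not a GSO frame, report no offload (guest-reachable, must not assert) */`. LOG_UNIMP reads as "feature not implemented", while an L3 type that QEMU does not recognise in a header the guest built is closer to LOG_GUEST_ERROR; whichever mask stays, it is worth noting that the message is emitted unthrottled for every such frame once that log category is enabled. eth_get_gso_type() starts outside the hunk.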
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch b/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch
new file mode 100644
index 0000000..c54cfbd
--- /dev/null
+++ b/SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch
@@ -0,0 +1,46 @@
+From 3d7ff6c57357e1fb8453b26200cfd239e9cdaa72 Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Thu, 24 Jun 2021 14:50:46 -0400
+Subject: [PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is
+ reached
+
+RH-Author: Thomas Huth
+Message-id: <20210624145047.483112-3-thuth@redhat.com>
+Patchwork-id: 101762
+O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is reached
+Bugzilla: 1975679
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Jon Maloy
+RH-Acked-by: Cornelia Huck
+
+Break the loop if `cur_block_nr` is a null block number because this
+means that the end of chunk is reached. In this case we will try to
+boot the default entry.
+
+Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
+Reviewed-by: Collin Walling
+Signed-off-by: Marc Hartmayer
+Message-Id: <20200924085926.21709-3-mhartmay@linux.ibm.com>
+Signed-off-by: Thomas Huth
+(cherry picked from commit 468184ec9024f4f7b55247f70ec57554e8a500d7)
+Signed-off-by: Danilo C. L. de Paula
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index bb6e003270..624f524331 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -192,7 +192,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
+ for (i = 0; i < STAGE2_BLK_CNT_MAX; i++) {
+ cur_block_nr = eckd_block_num(&s1b->seek[i].chs);
+
+- if (!cur_block_nr) {
++ if (!cur_block_nr || is_null_block_number(cur_block_nr)) {
+ break;
+ }
+
+-- 
+2.27.0
+
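Review bot: The loop exit now tests two encodings of "no block" side by side (`!cur_block_nr || is_null_block_number(cur_block_nr)`), and the sibling patch kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch repeats the inverted pair for next_block_nr; a small helper in bootmap.c, e.g. `static inline bool block_number_is_valid(block_number_t nr) { return nr && !is_null_block_number(nr); }`, would keep the two sites in step and give the convention a name. A one-line comment at the break, `/* zero or the null block number marks the end of the chunk: fall back to the default entry */`, would carry the commit message's reasoning into the code. eckd_get_boot_menu_index() starts and ends outside the hunk.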
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch b/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch
new file mode 100644
index 0000000..1d45f6d
--- /dev/null
+++ b/SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch
@@ -0,0 +1,44 @@
+From c3f15d52ad265bba0b21453d2d8b69f597092c25 Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Thu, 24 Jun 2021 14:50:47 -0400
+Subject: [PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end
+ of chunk is reached
+
+RH-Author: Thomas Huth
+Message-id: <20210624145047.483112-4-thuth@redhat.com>
+Patchwork-id: 101763
+O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end of chunk is reached
+Bugzilla: 1975679
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Jon Maloy
+RH-Acked-by: Cornelia Huck
+
+Don't read the block if a null block number is reached, because this means that
+the end of chunk is reached.
+
+Reviewed-by: Collin Walling
+Signed-off-by: Marc Hartmayer
+Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com>
+Signed-off-by: Thomas Huth
+(cherry picked from commit a6625d38cce3901a7c1cba069f0abcf743a293f1)
+Signed-off-by: Danilo C. L. de Paula
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index 624f524331..8458b15cb6 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -212,7 +212,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
+ next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs);
+ }
+
+- if (next_block_nr) {
++ if (next_block_nr && !is_null_block_number(next_block_nr)) {
+ read_block(next_block_nr, s2_next_blk,
+ "Cannot read stage2 boot loader");
+ }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch b/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch
new file mode 100644
index 0000000..d180158
--- /dev/null
+++ b/SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch
@@ -0,0 +1,47 @@
+From 93ddbd8ba056141dd68d973d534b67dad9882052 Mon Sep 17 00:00:00 2001
+From: Thomas Huth
+Date: Thu, 24 Jun 2021 14:50:45 -0400
+Subject: [PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error
+
+RH-Author: Thomas Huth
+Message-id: <20210624145047.483112-2-thuth@redhat.com>
+Patchwork-id: 101764
+O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error
+Bugzilla: 1975679
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Jon Maloy
+RH-Acked-by: Cornelia Huck
+
+This error takes effect when the magic value "zIPL" is located at the
+end of a block. For example if s2_cur_blk = 0x7fe18000 and the magic
+value "zIPL" is located at 0x7fe18ffc - 0x7fe18fff.
+
+Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
+Reviewed-by: Collin Walling
+Signed-off-by: Marc Hartmayer
+Message-Id: <20200924085926.21709-2-mhartmay@linux.ibm.com>
+Reviewed-by: Thomas Huth
+[thuth: Use "<= ... - 4" instead of "< ... - 3"]
+Signed-off-by: Thomas Huth
+(cherry picked from commit 5f97ba0c74ccace0a4014460de9751ff3c6f454a)
+Signed-off-by: Danilo C. L. de Paula
+---
+ pc-bios/s390-ccw/bootmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
+index e91ea719ff..bb6e003270 100644
+--- a/pc-bios/s390-ccw/bootmap.c
++++ b/pc-bios/s390-ccw/bootmap.c
+@@ -163,7 +163,7 @@ static bool find_zipl_boot_menu_banner(int *offset)
+ int i;
+
+ /* Menu banner starts with "zIPL" */
+- for (i = 0; i < virtio_get_block_size() - 4; i++) {
++ for (i = 0; i <= virtio_get_block_size() - 4; i++) {
+ if (magic_match(s2_cur_blk + i, ZIPL_MAGIC_EBCDIC)) {
+ *offset = i;
+ return true;
+-- 
+2.27.0
+
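Review bot: `virtio_get_block_size()` is re-evaluated on every iteration of the corrected loop bound; hoisting it once, `int block_size = virtio_get_block_size();` and `for (i = 0; i <= block_size - 4; i++)`, makes the `- 4` (the length of the "zIPL" magic) easier to reason about and gives a natural place to reject a block size below 4, which matters if the function's return type is unsigned — I cannot tell from here. A comment such as `/* last candidate offset leaves exactly 4 bytes of magic in the block */` would explain why `<=` together with `- 4` is the right boundary. find_zipl_boot_menu_banner() continues outside the hunk.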
diff --git a/SOURCES/kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch b/SOURCES/kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch
new file mode 100644
index 0000000..2c66a5f
--- /dev/null
+++ b/SOURCES/kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch
@@ -0,0 +1,54 @@
+From 3427c5573a7ab788e0c39e30b4d0ed5db85f03b3 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 29 Jun 2021 03:42:45 -0400
+Subject: [PATCH 7/9] pcnet: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210629034247.3286477-8-jmaloy@redhat.com>
+Patchwork-id: 101791
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 7/9] pcnet: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Thomas Huth
+
+From: Alexander Bulekov
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/net/pcnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index f3f18d8598..dcd3fc4948 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1250,7 +1250,7 @@ txagain:
+ if (BCR_SWSTYLE(s) == 1)
+ add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
+ s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
+- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
++ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ s->looptest = 0;
+ } else {
+ if (s->nic) {
+-- 
+2.27.0
+
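Review bot: The return value of `qemu_receive_packet()` is discarded, so a loopback frame that the new re-entrancy guard rejects — or that the NIC's `can_receive` callback rejects, a gate the old direct `pcnet_receive()` call did not pass through — disappears without any trace in the device model; the rtl8139, sungem and tx_pkt conversions in this commit have the same shape. Because the early return is the intended mitigation for CVE-2021-3416, a comment at the call, `/* may return 0 without delivering when re-entered or when the NIC cannot receive; the loopback frame is then intentionally dropped */`, would keep a later reader from "fixing" it back to a direct receive call. If a dropped loopback frame should be observable, feeding the return value into the model's existing debug output is the place for it. The enclosing transmit loop starts and ends outside the hunk.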
diff --git a/SOURCES/kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch b/SOURCES/kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch
new file mode 100644
index 0000000..95df72c
--- /dev/null
+++ b/SOURCES/kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch
@@ -0,0 +1,54 @@
+From e0b83063b76725878c466f1b8918c61864cfd0c2 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 29 Jun 2021 03:42:44 -0400
+Subject: [PATCH 6/9] rtl8139: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210629034247.3286477-7-jmaloy@redhat.com>
+Patchwork-id: 101792
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 6/9] rtl8139: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Thomas Huth
+
+From: Alexander Bulekov
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit
+Cc: qemu-stable@nongnu.org
+Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 5311fb805a4403bba024e83886fa0e7572265de4)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/net/rtl8139.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 21d80e96cf..ccb04faa4c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
+ }
+
+ DPRINTF("+++ transmit loopback mode\n");
+- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
++ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
+
+ if (iov) {
+ g_free(buf2);
+-- 
+2.27.0
+
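Review bot: The replacement drops the `do_interrupt` argument that the caller passed to `rtl8139_do_receive()`; `qemu_receive_packet()` ends in the NIC's generic `receive` callback, so whatever interrupt policy that callback hard-codes now applies to every loopback frame regardless of the flag. If any caller of rtl8139_transfer_frame() passes do_interrupt=0 this is a behavioural change the commit message does not mention; either confirm that all callers pass 1 and record it, e.g. `/* loopback goes through the generic receive path; do_interrupt is not honoured here */`, or keep the flag reachable by the receive path. rtl8139_transfer_frame() starts and ends outside the hunk.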
diff --git a/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch b/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch new file mode 100644 index 0000000..9b468ed --- /dev/null +++ b/SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch 
@@ -0,0 +1,84 @@
+From 251adb595eb7e39e9368cb7ed07f9a4c42d28d2c Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Wed, 21 Apr 2021 22:30:06 -0400
+Subject: [PATCH 7/8] softmmu/memory: Log invalid memory accesses
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210421223006.19650-7-jmaloy@redhat.com>
+Patchwork-id: 101481
+O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 6/6] softmmu/memory: Log invalid memory accesses
+Bugzilla: 1944621
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Laszlo Ersek
+
+From: Philippe Mathieu-Daudé
+
+Log invalid memory accesses with as GUEST_ERROR.
+
+This is particularly useful since commit 5d971f9e67 which reverted
+("memory: accept mismatching sizes in memory_region_access_valid").
+
+Signed-off-by: Philippe Mathieu-Daudé
+Reviewed-by: Michael S. Tsirkin
+Message-Id: <20201005152725.2143444-1-philmd@redhat.com>
+Signed-off-by: Laurent Vivier
+
+(cherry picked from commit 21786c7e59847b1612406ff394958f22e5b323f8)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. 
de Paula
+---
+ memory.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/memory.c b/memory.c
+index 0cfcb72a5a..660df8159a 100644
+--- a/memory.c
++++ b/memory.c
+@@ -14,6 +14,7 @@
+ */
+
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "qapi/error.h"
+ #include "cpu.h"
+ #include "exec/memory.h"
+@@ -1353,10 +1354,18 @@ bool memory_region_access_valid(MemoryRegion *mr,
+ {
+ if (mr->ops->valid.accepts
+ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++ "0x%" HWADDR_PRIX ", size %u, "
++ "region '%s', reason: rejected\n",
++ addr, size, memory_region_name(mr));
+ return false;
+ }
+
+ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++ "0x%" HWADDR_PRIX ", size %u, "
++ "region '%s', reason: unaligned\n",
++ addr, size, memory_region_name(mr));
+ return false;
+ }
+
+@@ -1367,6 +1376,13 @@ bool memory_region_access_valid(MemoryRegion *mr,
+
+ if (size > mr->ops->valid.max_access_size
+ || size < mr->ops->valid.min_access_size) {
++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
++ "0x%" HWADDR_PRIX ", size %u, "
++ "region '%s', reason: invalid size "
++ "(min:%u max:%u)\n",
++ addr, size, memory_region_name(mr),
++ mr->ops->valid.min_access_size,
++ mr->ops->valid.max_access_size);
+ return false;
+ }
+ return true;
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch b/SOURCES/kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch
new file mode 100644
index 0000000..47f8f13
--- /dev/null
+++ b/SOURCES/kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch
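Review bot: The three new log calls in memory_region_access_valid() leave out `is_write`, which the function already has in hand and which is the first thing needed to triage a guest-error report (a rejected 8-byte write and a rejected 8-byte read usually have different causes). They also carry three hand-copied format strings that will drift apart over time; a small static helper taking the reason string keeps the format identical and adds the direction, with the invalid-size case either formatting its min/max into the reason first or keeping its own call. memory_region_access_valid() starts and ends outside the hunk.
```c
/* Emit one guest-error line for a rejected access, in a single format, with its direction. */
static void memory_region_log_invalid_access(MemoryRegion *mr, hwaddr addr,
                                             unsigned size, bool is_write,
                                             const char *reason)
{
    qemu_log_mask(LOG_GUEST_ERROR, "Invalid %s at addr 0x%" HWADDR_PRIX
                  ", size %u, region '%s', reason: %s\n",
                  is_write ? "write" : "read", addr, size,
                  memory_region_name(mr), reason);
}

/* … unchanged: memory_region_access_valid() prologue … */
    if (mr->ops->valid.accepts
        && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
        memory_region_log_invalid_access(mr, addr, size, is_write, "rejected");
        return false;
    }
    /* … unchanged: unaligned and size checks, each calling the helper with its reason … */
```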
@@ -0,0 +1,54 @@
+From 1a56df13e6a033548b22489d3b148009c8f80718 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 29 Jun 2021 03:42:42 -0400
+Subject: [PATCH 4/9] sungem: switch to use qemu_receive_packet() for loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210629034247.3286477-5-jmaloy@redhat.com>
+Patchwork-id: 101786
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 4/9] sungem: switch to use qemu_receive_packet() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Thomas Huth
+
+From: Jason Wang
+
+This patch switches to use qemu_receive_packet() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Mark Cave-Ayland
+Reviewed-by: Philippe Mathieu-Daudé
+Reviewed-by: Alistair Francis
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 8c92060d3c0248bd4d515719a35922cd2391b9b4)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/net/sungem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/sungem.c b/hw/net/sungem.c
+index f31d41ac5b..8b202b5c15 100644
+--- a/hw/net/sungem.c
++++ b/hw/net/sungem.c
+@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
+ NetClientState *nc = qemu_get_queue(s->nic);
+
+ if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
+- nc->info->receive(nc, buf, size);
++ qemu_receive_packet(nc, buf, size);
+ } else {
+ qemu_send_packet(nc, buf, size);
+ }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch b/SOURCES/kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch
new file mode 100644
index 0000000..fdb9496
--- /dev/null
+++ b/SOURCES/kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch
@@ -0,0 +1,53 @@
+From 199915a03857c1e4e0a6ac90a46496b1a8abd702 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 29 Jun 2021 03:42:43 -0400
+Subject: [PATCH 5/9] tx_pkt: switch to use qemu_receive_packet_iov() for
+ loopback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy
+Message-id: <20210629034247.3286477-6-jmaloy@redhat.com>
+Patchwork-id: 101788
+O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 5/9] tx_pkt: switch to use qemu_receive_packet_iov() for loopback
+Bugzilla: 1932917
+RH-Acked-by: Stefano Garzarella
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Thomas Huth
+
+From: Jason Wang
+
+This patch switches to use qemu_receive_receive_iov() which can detect
+reentrancy and return early.
+
+This is intended to address CVE-2021-3416.
+
+Cc: Prasad J Pandit
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 8c552542b81e56ff532dd27ec6e5328954bdda73)
+Signed-off-by: Jon Maloy
+Signed-off-by: Danilo C. L. de Paula
+---
+ hw/net/net_tx_pkt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
+index 54d4c3bbd0..646cdfaf4d 100644
+--- a/hw/net/net_tx_pkt.c
++++ b/hw/net/net_tx_pkt.c
+@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
+ NetClientState *nc, const struct iovec *iov, int iov_cnt)
+ {
+ if (pkt->is_loopback) {
+- nc->info->receive_iov(nc, iov, iov_cnt);
++ qemu_receive_packet_iov(nc, iov, iov_cnt);
+ } else {
+ qemu_sendv_packet(nc, iov, iov_cnt);
+ }
+-- 
+2.27.0
+
diff --git a/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch b/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
new file mode 100644
index 0000000..f577210
--- /dev/null
+++ b/SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
@@ -0,0 +1,76 @@ +From 33e907b7be4636a726d40a3d68cab24574bc597a Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 21 Apr 2021 22:30:05 -0400 +Subject: [PATCH 6/8] xhci: fix valid.max_access_size to access address + registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210421223006.19650-6-jmaloy@redhat.com> +Patchwork-id: 101483 +O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 5/6] xhci: fix valid.max_access_size to access address registers +Bugzilla: 1944621 +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Laszlo Ersek + +From: Laurent Vivier + +QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow +64-bit mode access in "runtime" and "operational" MemoryRegionOps. + +Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set. + +XHCI specs: +"If the xHC supports 64-bit addressing (AC64 = ‘1’), then software +should write 64-bit registers using only Qword accesses. If a +system is incapable of issuing Qword accesses, then writes to the +64-bit address fields shall be performed using 2 Dword accesses; +low Dword-first, high-Dword second. If the xHC supports 32-bit +addressing (AC64 = ‘0’), then the high Dword of registers containing +64-bit address fields are unused and software should write addresses +using only Dword accesses" + +The problem has been detected with SLOF, as linux kernel always accesses +registers using 32-bit access even if AC64 is set and revealed by +5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"") + +Suggested-by: Alexey Kardashevskiy +Signed-off-by: Laurent Vivier +Message-id: 20200721083322.90651-1-lvivier@redhat.com +Signed-off-by: Gerd Hoffmann + +(cherry picked from commit 8e67fda2dd6202ccec093fda561107ba14830a17) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. 
de Paula +--- + hw/usb/hcd-xhci.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 646c78cde9..ab449bb003 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3183,7 +3183,7 @@ static const MemoryRegionOps xhci_oper_ops = { + .read = xhci_oper_read, + .write = xhci_oper_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +@@ -3199,7 +3199,7 @@ static const MemoryRegionOps xhci_runtime_ops = { + .read = xhci_runtime_read, + .write = xhci_runtime_write, + .valid.min_access_size = 4, +- .valid.max_access_size = 4, ++ .valid.max_access_size = sizeof(dma_addr_t), + .endianness = DEVICE_LITTLE_ENDIAN, + }; + +-- +2.27.0 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 4a65e5f..d88bcd7 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -67,7 +67,7 @@ Obsoletes: %1-rhev Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 4.2.0 -Release: 48%{?dist} +Release: 48%{?dist}.3 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY 
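Review bot: `sizeof(dma_addr_t)` ties the guest-visible maximum access width of the operational and runtime register windows to a host-side typedef rather than to the AC64 bit the controller advertises; if the two are ever decoupled, the memory core will start accepting or rejecting widths that the capability register does not promise. A comment at each site, `/* AC64 is advertised, so 64-bit address registers must accept Qword access */`, documents the coupling. I would also confirm, and note next to it, that 8-byte accesses are still split into two 4-byte calls before they reach xhci_oper_read/write and xhci_runtime_read/write — I believe this happens because `.impl.max_access_size` is left unset and defaults to 4 in the memory core — since the handlers themselves are not touched here. Both MemoryRegionOps definitions are only partially visible in the hunk.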
@@ -1130,6 +1130,46 @@ Patch489: kvm-x86-cpu-Populate-SVM-CPUID-feature-bits.patch Patch490: kvm-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch # For bz#1917451 - CVE-2020-29443 virt:rhel/qemu-kvm: QEMU: ide: atapi: OOB access while processing read commands [rhel-8.4.0] Patch491: kvm-ide-atapi-check-logical-block-address-and-read-size-.patch +# For bz#1939494 - CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.4.0.z] +Patch492: kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch +# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z] +Patch493: kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch +# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z] +Patch494: kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch +# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z] +Patch495: kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch +# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z] +Patch496: kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch +# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z] +Patch497: kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch +# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z] +Patch498: kvm-softmmu-memory-Log-invalid-memory-accesses.patch +# For bz#1952986 - CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.4.0.z] +Patch499: kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch +# For bz#1975679 - RHEL8.4 
Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z] +Patch500: kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch +# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z] +Patch501: kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch +# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z] +Patch502: kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch503: kvm-net-introduce-qemu_receive_packet.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch504: kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch505: kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch506: kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch507: kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch508: kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch509: kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch +# For bz#1932917 - 
CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch510: kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch +# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z] +Patch511: kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch BuildRequires: wget BuildRequires: rpm-build 
@@ -2078,6 +2118,42 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %changelog +* Wed Jul 21 2021 Danilo Cesar Lemes de Paula - 4.2.0-48.el8_4.3 +- kvm-net-introduce-qemu_receive_packet.patch [bz#1932917] +- kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch [bz#1932917] +- kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917] +- kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch [bz#1932917] +- kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch [bz#1932917] +- kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917] +- kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch [bz#1932917] +- kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch [bz#1932917] +- kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917] +- Resolves: bz#1932917 + (CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]) + +* Tue Jul 06 2021 Danilo Cesar Lemes de Paula - 4.2.0-48.el8_4.2 +- kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch [bz#1975679] +- kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch [bz#1975679] +- kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1975679] +- Resolves: bz#1975679 + (RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z]) + +* Thu Jun 03 2021 Danilo Cesar Lemes de Paula - 4.2.0-48.el8_4 +- kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch [bz#1939494] +- kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch [bz#1944621] +- kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch [bz#1944621] +- kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch [bz#1944621] +- kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch [bz#1944621] +- kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch [bz#1944621] +- kvm-softmmu-memory-Log-invalid-memory-accesses.patch 
[bz#1944621] +- kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch [bz#1952986] +- Resolves: bz#1939494 + (CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.4.0.z]) +- Resolves: bz#1944621 + (CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]) +- Resolves: bz#1952986 + (CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.4.0.z]) + * Tue Mar 16 2021 Danilo Cesar Lemes de Paula - 4.2.0-48.el8 - kvm-ide-atapi-check-logical-block-address-and-read-size-.patch [bz#1917451] - Resolves: bz#1917451