From baf1ce5dfb577d8733759170869749f59b66b722 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 03 2019 13:23:20 +0000
Subject: import qemu-kvm-1.5.3-167.el7_7.1


---

diff --git a/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
new file mode 100644
index 0000000..12c4d84
--- /dev/null
+++ b/SOURCES/kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
@@ -0,0 +1,56 @@
+From 2724e62241909754ecf48bb64b417842e954a8d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 31 Jul 2019 21:39:33 +0200
+Subject: [PATCH 2/2] Fix heap overflow in ip_reass on big packet input
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190731213933.16245-2-philmd@redhat.com>
+Patchwork-id: 89844
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 1/1] Fix heap overflow in ip_reass on big packet input
+Bugzilla: 1734748
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+When the first fragment does not fit in the preallocated buffer, q will
+already be pointing to the ext buffer, so we mustn't try to update it.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+(cherry picked from libslirp commit 126c04acbabd7ad32c2b018fe10dfac2a3bc1210)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ slirp/ip_input.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/slirp/ip_input.c b/slirp/ip_input.c
+index 880bdfd..5226224 100644
+--- a/slirp/ip_input.c
++++ b/slirp/ip_input.c
+@@ -330,6 +330,8 @@ insert:
+     q = fp->frag_link.next;
+ 	m = dtom(slirp, q);
+ 
++	int was_ext = m->m_flags & M_EXT;
++
+ 	q = (struct ipasfrag *) q->ipf_next;
+ 	while (q != (struct ipasfrag*)&fp->frag_link) {
+ 	  struct mbuf *t = dtom(slirp, q);
+@@ -352,7 +354,7 @@ insert:
+ 	 * the old buffer (in the mbuf), so we must point ip
+ 	 * into the new buffer.
+ 	 */
+-	if (m->m_flags & M_EXT) {
++	if (!was_ext && m->m_flags & M_EXT) {
+ 	  int delta = (char *)q - m->m_dat;
+ 	  q = (struct ipasfrag *)(m->m_ext + delta);
+ 	}
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-qxl-check-release-info-object.patch b/SOURCES/kvm-qxl-check-release-info-object.patch
new file mode 100644
index 0000000..585e777
--- /dev/null
+++ b/SOURCES/kvm-qxl-check-release-info-object.patch
@@ -0,0 +1,50 @@
+From bd9de3a28ae6721d5ccf1d14acf259b3e6f4093c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Wed, 19 Jun 2019 16:03:38 +0200
+Subject: [PATCH 1/2] qxl: check release info object
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190619160338.15430-2-philmd@redhat.com>
+Patchwork-id: 88733
+O-Subject: [RHEL-7.7 qemu-kvm PATCH 1/1] qxl: check release info object
+Bugzilla: 1732337
+RH-Acked-by: Christophe de Dinechin <cdupontd@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit d52680fc932efb8a2f334cc6993e705ed1e31e99)
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 0625a76..d493101 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -735,6 +735,9 @@ static void interface_release_resource(QXLInstance *sin,
+     QXLReleaseRing *ring;
+     uint64_t *item, id;
+ 
++    if (!ext.info) {
++        return;
++    }
+     if (ext.group_id == MEMSLOT_GROUP_HOST) {
+         /* host group -> vga mode update request */
+         qemu_spice_destroy_update(&qxl->ssd, (void *)(intptr_t)ext.info->id);
+-- 
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 2a3dbc2..710b6d5 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -14,7 +14,7 @@
     %global have_usbredir 0
 %endif
 
-%ifnarch s390 s390x %{arm}
+%ifnarch s390 s390x
     %global have_librdma 1
     %global have_tcmalloc 1
 %endif
@@ -41,9 +41,6 @@
 %ifarch aarch64
     %global kvm_target    aarch64
 %endif
-%ifarch %{arm}
-    %global kvm_target    arm
-%endif
 
 #Versions of various parts:
 
@@ -79,13 +76,13 @@ Obsoletes: %1 < %{obsoletes_version}                                      \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 167%{?dist}
+Release: 167%{?dist}.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
 Group: Development/Tools
 URL: http://www.qemu.org/
-ExclusiveArch: x86_64 %{arm}
+ExclusiveArch: x86_64
 Requires: seabios-bin >= 1.7.2.2-5
 Requires: sgabios-bin
 Requires: seavgabios-bin
@@ -3972,6 +3969,10 @@ Patch1955: kvm-slirp-fix-big-little-endian-conversion-in-ident-prot.patch
 Patch1956: kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t.patch
 # For bz#1669068 - CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu() [rhel-7.7]
 Patch1957: kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch
+# For bz#1732337 - CVE-2019-12155 qemu-kvm: QEMU: qxl: null pointer dereference while releasing spice resources [rhel-7] [rhel-7.7.z]
+Patch1958: kvm-qxl-check-release-info-object.patch
+# For bz#1734748 - CVE-2019-14378 qemu-kvm: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-7.7.z]
+Patch1959: kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
 
 
 BuildRequires: zlib-devel
@@ -6107,6 +6108,8 @@ tar -xf %{SOURCE21}
 %patch1955 -p1
 %patch1956 -p1
 %patch1957 -p1
+%patch1958 -p1
+%patch1959 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6552,6 +6555,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
+* Mon Aug 12 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-167.el7_7.1
+- kvm-qxl-check-release-info-object.patch [bz#1732337]
+- kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch [bz#1734748]
+- Resolves: bz#1732337
+  (CVE-2019-12155 qemu-kvm: QEMU: qxl: null pointer dereference while releasing spice resources [rhel-7] [rhel-7.7.z])
+- Resolves: bz#1734748
+  (CVE-2019-14378 qemu-kvm: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-7.7.z])
+
 * Wed Jun 12 2019 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-167.el7
 - Reverting kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch [bz#1618503]
 - Resolves: bz#1618503