diff --git a/SOURCES/kvm-Suppress-prototype-warning-for-nss-headers.patch b/SOURCES/kvm-Suppress-prototype-warning-for-nss-headers.patch
new file mode 100644
index 0000000..1215d24
--- /dev/null
+++ b/SOURCES/kvm-Suppress-prototype-warning-for-nss-headers.patch
@@ -0,0 +1,100 @@
+From 10f48326f30ae89bea01124bdbab4702a21f3655 Mon Sep 17 00:00:00 2001
+From: Miroslav Rezanina
+Date: Thu, 3 Dec 2020 11:17:02 -0500
+Subject: [PATCH] Suppress prototype warning for nss headers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Miroslav Rezanina
+Message-id: <20201203111702.215084-1-mrezanin@redhat.com>
+Patchwork-id: 100201
+O-Subject: [RHEL-7.9.z qemu-kvm PATCH] Suppress prototype warning for nss headers
+Bugzilla: 1884997
+RH-Acked-by: Thomas Huth
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Jon Maloy
+
+From: Miroslav Rezanina
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1884997
+Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=33460150
+branch: rhel79/master
+Upstream: n/a
+
+Rebase of nss introduced following warning when using it for building qemu-kvm:
+
+/usr/include/nss3/pk11pub.h:951:1: error: function declaration isn’t a prototype [-Werror=strict-prototypes]
+int SECMOD_GetSystemFIPSEnabled();
+
+This issue is tracked by https://bugzilla.redhat.com/show_bug.cgi?id=1885321. However,
+this issue is not important enough to fix (as discussed in the bugzilla).
+
+We have to hack qemu-kvm to live with this warning. To do it we add following hacks:
+
+1) We disable using -Werror for nss test in configure. This allows configure to pass.
+
+2) We disable -Werror=scrict-prototypes when including nss headers. This allows build to pass.
+
+Signed-off-by: Miroslav Rezanina
+Signed-off-by: Jon Maloy
+---
+ configure | 13 ++++++-------
+ libcacard/vcard_emul_nss.c | 8 ++++++++
+ 2 files changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/configure b/configure
+index 34e3accfdd..77c2f0a438 100755
+--- a/configure
++++ b/configure
+@@ -3246,13 +3246,11 @@ EOF
+ libcacard_libs="$($pkg_config --libs nss 2>/dev/null) $glib_libs"
+ libcacard_cflags="$($pkg_config --cflags nss 2>/dev/null) $glib_cflags"
+ test_cflags="$libcacard_cflags"
+- # The header files in nss < 3.13.3 have a bug which causes them to
+- # emit a warning. If we're going to compile QEMU with -Werror, then
+- # test that the headers don't have this bug. Otherwise we would pass
+- # the configure test but fail to compile QEMU later.
+- if test "$werror" = "yes"; then
+- test_cflags="-Werror $test_cflags"
+- fi
++ # nss > 3.53 generates warning when including it's headers. This breaks the
++ # build so we have to disable -Werror for build test.
++ # See https://bugzilla.redhat.com/show_bug.cgi?id=1885321
++ old_werror=$werror
++ werror=no
+ if test -n "$libtool" &&
+ $pkg_config --atleast-version=3.12.8 nss >/dev/null 2>&1 && \
+ compile_prog "$test_cflags" "$libcacard_libs"; then
+@@ -3266,6 +3264,7 @@ EOF
+ fi
+ smartcard_nss="no"
+ fi
++ werror=$old_werror
+ fi
+
+ # check for libusb
+diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c
+index 1a3e5683bc..f1aa51943b 100644
+--- a/libcacard/vcard_emul_nss.c
++++ b/libcacard/vcard_emul_nss.c
+@@ -17,8 +17,16 @@
+ /* avoid including prototypes.h that redefines uint32 */
+ #define NO_NSPR_10_SUPPORT
+
++/*
++ * nss > 3.53 genererates prototype warning when including headers so we can't
++ * treat this warning ass error to allow build.
++ * See https://bugzilla.redhat.com/show_bug.cgi?id=1885321
++ */
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wstrict-prototypes"
+ #include
+ #include
++#pragma GCC diagnostic pop
+ #include
+ #include
+ #include
+--
+2.18.2
+
diff --git a/SOURCES/kvm-hw-core-loader-Fix-possible-crash-in-rom_copy.patch b/SOURCES/kvm-hw-core-loader-Fix-possible-crash-in-rom_copy.patch
new file mode 100644
index 0000000..b944555
--- /dev/null
+++ b/SOURCES/kvm-hw-core-loader-Fix-possible-crash-in-rom_copy.patch
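Review bot: The `old_werror=$werror` / `werror=no` / `werror=$old_werror` sequence added around the nss compile test in configure only has an effect if compile_prog consults `$werror` at that point; the removed lines had to inject `-Werror` into `test_cflags` by hand, which suggests it does not, in which case the save/restore is a no-op and the real change is simply that the test no longer runs with `-Werror`. If that is confirmed, those three lines can go and the comment can state the actual intent, e.g. `# nss > 3.53 headers warn under -Wstrict-prototypes; do not run this test with -Werror (bz#1885321)`. Since the configure test now lets header warnings through, the `#pragma GCC diagnostic` block in vcard_emul_nss.c is what keeps the real build passing, so its comment deserves to be clean: `genererates` and `ass error` are typos, and `it's` in the configure comment should be `its`. The enclosing `if` blocks in both configure hunks start and end outside the hunk context.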
@@ -0,0 +1,59 @@
+From af9348b27b8bc0c7033527220e7840f4b3209832 Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Tue, 6 Oct 2020 18:00:53 -0400
+Subject: [PATCH 2/2] hw/core/loader: Fix possible crash in rom_copy()
+
+RH-Author: Jon Maloy
+Message-id: <20201006180053.484822-2-jmaloy@redhat.com>
+Patchwork-id: 98552
+O-Subject: [RHEL-7.9.z qemu-kvm PATCH 1/1] hw/core/loader: Fix possible crash in rom_copy()
+Bugzilla: 1842923
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Markus Armbruster
+RH-Acked-by: Thomas Huth
+
+From: Thomas Huth
+
+Both, "rom->addr" and "addr" are derived from the binary image
+that can be loaded with the "-kernel" paramer. The code in
+rom_copy() then calculates:
+
+ d = dest + (rom->addr - addr);
+
+and uses "d" as destination in a memcpy() some lines later. Now with
+bad kernel images, it is possible that rom->addr is smaller than addr,
+thus "rom->addr - addr" gets negative and the memcpy() then tries to
+copy contents from the image to a bad memory location. This could
+maybe be used to inject code from a kernel image into the QEMU binary,
+so we better fix it with an additional sanity check here.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Guangming Liu
+Buglink: https://bugs.launchpad.net/qemu/+bug/1844635
+Message-Id: <20190925130331.27825-1-thuth@redhat.com>
+Reviewed-by: Michael S. Tsirkin
+Signed-off-by: Thomas Huth
+
+(cherry picked from commit e423455c4f23a1a828901c78fe6d03b7dde79319)
+Signed-off-by: Jon Maloy
+Signed-off-by: Jon Maloy
+---
+ hw/core/loader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/core/loader.c b/hw/core/loader.c
+index 5a15449407..939d0855cb 100644
+--- a/hw/core/loader.c
++++ b/hw/core/loader.c
+@@ -841,7 +841,7 @@ int rom_copy(uint8_t *dest, hwaddr addr, size_t size)
+ if (rom->addr + rom->romsize < addr) {
+ continue;
+ }
+- if (rom->addr > end) {
++ if (rom->addr > end || rom->addr < addr) {
+ break;
+ }
+
+--
+2.18.2
+
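Review bot: The new `rom->addr < addr` condition ends the loop rather than skipping that ROM, so a ROM whose range straddles `addr` (it passes the preceding `rom->addr + rom->romsize < addr` check) terminates the copy with none of its bytes written; that is what the cherry-picked upstream commit e423455c4f23 does, but the reason — avoiding the negative `dest + (rom->addr - addr)` offset described in the message — is not visible in the code, so a comment such as `/* a ROM starting below addr would yield a negative dest offset; stop here */` would help the next reader. Like the existing `rom->addr > end` break, the early exit presumably relies on `roms` being ordered by address; if that ordering is not guaranteed, later in-range ROMs would be silently skipped — confirm against the list's insertion code. rom_copy's body continues outside the hunk, so the memcpy itself is not visible here.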
diff --git a/SOURCES/kvm-hw-net-vmxnet_tx_pkt-fix-assertion-failure-in-vmxnet.patch b/SOURCES/kvm-hw-net-vmxnet_tx_pkt-fix-assertion-failure-in-vmxnet.patch
new file mode 100644
index 0000000..441dcd6
--- /dev/null
+++ b/SOURCES/kvm-hw-net-vmxnet_tx_pkt-fix-assertion-failure-in-vmxnet.patch
@@ -0,0 +1,55 @@
+From 1b5e283b804f9d650e1c96a3a97bd690876ac0aa Mon Sep 17 00:00:00 2001
+From: Jon Maloy
+Date: Mon, 28 Sep 2020 20:05:20 -0400
+Subject: [PATCH 1/2] hw/net/vmxnet_tx_pkt: fix assertion failure in
+ vmxnet_tx_pkt_add_raw_fragment()
+
+RH-Author: Jon Maloy
+Message-id: <20200928200520.1045037-2-jmaloy@redhat.com>
+Patchwork-id: 98500
+O-Subject: [RHEL-7.9.z qemu-kvm PATCH 1/1] hw/net/vmxnet_tx_pkt: fix assertion failure in vmxnet_tx_pkt_add_raw_fragment()
+Bugzilla: 1860960
+RH-Acked-by: Laszlo Ersek
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Michael S. Tsirkin
+
+An assertion failure issue was found in the code that processes network packets
+while adding data fragments into the packet context. It could be abused by a
+malicious guest to abort the QEMU process on the host. This patch replaces the
+affected assert() with a conditional statement, returning false if the current
+data fragment exceeds max_raw_frags.
+
+Reported-by: Alexander Bulekov
+Reported-by: Ziming Zhang
+Reviewed-by: Dmitry Fleytman
+Signed-off-by: Mauro Matteo Cascella
+Signed-off-by: Jason Wang
+
+(cherry picked from commit 035e69b063835a5fd23cacabd63690a3d84532a8)
+Manually adapted since the affected function is located in a different
+file and has a different name.
+Signed-off-by: Jon Maloy
+Signed-off-by: Jon Maloy
+---
+ hw/net/vmxnet_tx_pkt.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/vmxnet_tx_pkt.c b/hw/net/vmxnet_tx_pkt.c
+index 03f34cf86f..cbb309e8a9 100644
+--- a/hw/net/vmxnet_tx_pkt.c
++++ b/hw/net/vmxnet_tx_pkt.c
+@@ -330,7 +330,10 @@ bool vmxnet_tx_pkt_add_raw_fragment(struct VmxnetTxPkt *pkt, hwaddr pa,
+ hwaddr mapped_len = 0;
+ struct iovec *ventry;
+ assert(pkt);
+- assert(pkt->max_raw_frags > pkt->raw_frags);
++
++ if (pkt->raw_frags >= pkt->max_raw_frags) {
++ return false;
++ }
+
+ if (!len) {
+ return true;
+--
+2.18.2
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 221cc32..89a794f 100644
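Review bot: The new guard returns `false` where the removed assert used to abort, so it is only a fix if every caller of vmxnet_tx_pkt_add_raw_fragment (all outside this hunk) acts on a false result instead of ignoring it; the message says the function was renamed and lives in a different file than the one upstream commit 035e69b06383 patched, so that property does not carry over automatically from the cherry-pick — confirm the vmxnet3 caller treats false as a guest error and stops processing the packet. A one-line comment above the check would record why a plain return replaces the assert, e.g. `/* raw_frags is driven by guest descriptors: reject the fragment rather than assert */`.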
--- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -14,7 +14,7 @@ %global have_usbredir 0 %endif -%ifnarch s390 s390x %{arm} +%ifnarch s390 s390x %global have_librdma 1 %global have_tcmalloc 1 %endif @@ -41,9 +41,6 @@ %ifarch aarch64 %global kvm_target aarch64 %endif -%ifarch %{arm} - %global kvm_target arm -%endif #Versions of various parts: @@ -79,13 +76,13 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 175%{?dist}.1 +Release: 175%{?dist}.3 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2 and GPLv2+ and CC-BY Group: Development/Tools URL: http://www.qemu.org/ -ExclusiveArch: x86_64 %{arm} +ExclusiveArch: x86_64 Requires: seabios-bin >= 1.7.2.2-5 Requires: sgabios-bin Requires: seavgabios-bin @@ -4048,6 +4045,12 @@ Patch1993: kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch Patch1994: kvm-usb-check-RNDIS-message-length.patch # For bz#1869693 - CVE-2020-14364 qemu-kvm: QEMU: usb: out-of-bounds r/w access issue while processing usb packets [rhel-7.9.z] Patch1995: kvm-usb-fix-setup_len-init-CVE-2020-14364.patch +# For bz#1860960 - CVE-2020-16092 qemu-kvm: QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c [rhel-7.9.z] +Patch1996: kvm-hw-net-vmxnet_tx_pkt-fix-assertion-failure-in-vmxnet.patch +# For bz#1842923 - CVE-2020-13765 qemu-kvm: QEMU: loader: OOB access while loading registered ROM may lead to code execution [rhel-7.9.z] +Patch1997: kvm-hw-core-loader-Fix-possible-crash-in-rom_copy.patch +# For bz#1884997 - qemu-kvm FTBFS on rhel7.9 +Patch1998: kvm-Suppress-prototype-warning-for-nss-headers.patch BuildRequires: zlib-devel @@ -6221,6 +6224,9 @@ tar -xf %{SOURCE21} %patch1993 -p1 %patch1994 -p1 %patch1995 -p1 +%patch1996 -p1 +%patch1997 -p1 +%patch1998 -p1 %build buildarch="%{kvm_target}-softmmu" 
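Review bot: The first three hunks drop `%{arm}` from the `%ifnarch` test, remove the `%ifarch %{arm}` kvm_target block and narrow `ExclusiveArch` to `x86_64`, yet neither of the two changelog entries added in the `%changelog` hunk mentions that the arm build is being dropped — they list only the three patches. Either record it under the matching entry, e.g. `- Drop %{arm} from ExclusiveArch and the arm kvm_target`, or, if the architecture change belongs to a separate update, keep it out of this one so the spec history stays traceable. The `Release` jump from `175%{?dist}.1` to `.3` is consistent with the two entries (.2 and .3) in the changelog hunk, so that part reads fine.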
@@ -6666,6 +6672,19 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog +* Tue Jan 05 2021 Jon Maloy - 1.5.3-175.el7_9.3 +- kvm-Suppress-prototype-warning-for-nss-headers.patch [bz#1884997] +- Resolves: bz#1884997 + (qemu-kvm FTBFS on rhel7.9) + +* Tue Nov 17 2020 Jon Maloy - 1.5.3-175.el7_9.2 +- kvm-hw-net-vmxnet_tx_pkt-fix-assertion-failure-in-vmxnet.patch [bz#1860960] +- kvm-hw-core-loader-Fix-possible-crash-in-rom_copy.patch [bz#1842923] +- Resolves: bz#1842923 + (CVE-2020-13765 qemu-kvm: QEMU: loader: OOB access while loading registered ROM may lead to code execution [rhel-7.9.z]) +- Resolves: bz#1860960 + (CVE-2020-16092 qemu-kvm: QEMU: reachable assertion failure in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c [rhel-7.9.z]) + * Tue Sep 08 2020 Jon Maloy - 1.5.3-175.el7_9.1 - Fixing release number for z-stream