diff --git a/SOURCES/kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch b/SOURCES/kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
new file mode 100644
index 0000000..86b5841
--- /dev/null
+++ b/SOURCES/kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
@@ -0,0 +1,73 @@
+From 172ca2ea0735849d004be7ff27dd3e79f79ce00e Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Sat, 20 Jun 2020 13:30:54 -0400
+Subject: [PATCH 1/3] Fix use-afte-free in ip_reass() (CVE-2020-1983)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20200620133054.3334982-2-jmaloy@redhat.com>
+Patchwork-id: 97673
+O-Subject: [RHEL-7.9 qemu-kvm PATCH 1/1] Fix use-afte-free in ip_reass() (CVE-2020-1983)
+Bugzilla: 1837565
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+The q pointer is updated when the mbuf data is moved from m_dat to
+m_ext.
+
+m_ext buffer may also be realloc()'ed and moved during m_cat():
+q should also be updated in this case.
+
+Reported-by: Aviv Sasson <asasson@paloaltonetworks.com>
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+(cherry picked from libslirp commit 9bd6c5913271eabcb7768a58197ed3301fe19f2d)
+Conflicts:
+ - Fixed indentation issues
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jon Maloy <jmaloy.redhat.com>
+---
+ slirp/ip_input.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/ip_input.c b/slirp/ip_input.c
+index 9e95b40e97..011f01ed71 100644
+--- a/slirp/ip_input.c
++++ b/slirp/ip_input.c
+@@ -329,10 +329,10 @@ insert:
+ /*
+ * Reassembly is complete; concatenate fragments.
+ */
+- q = fp->frag_link.next;
++ q = fp->frag_link.next;
+ m = dtom(slirp, q);
+
+- int was_ext = m->m_flags & M_EXT;
++ int delta = (char *)q - (m->m_flags & M_EXT ? m->m_ext : m->m_dat);
+
+ q = (struct ipasfrag *) q->ipf_next;
+ while (q != (struct ipasfrag*)&fp->frag_link) {
+@@ -356,12 +356,11 @@ insert:
+ * the old buffer (in the mbuf), so we must point ip
+ * into the new buffer.
+ */
+- if (!was_ext && m->m_flags & M_EXT) {
+- int delta = (char *)q - m->m_dat;
++ if (m->m_flags & M_EXT) {
+ q = (struct ipasfrag *)(m->m_ext + delta);
+ }
+
+- ip = fragtoip(q);
++ ip = fragtoip(q);
+ ip->ip_len = next;
+ ip->ip_tos &= ~1;
+ ip->ip_src = fp->ipq_src;
+--
+2.18.2
+
diff --git a/SOURCES/kvm-usb-check-RNDIS-message-length.patch b/SOURCES/kvm-usb-check-RNDIS-message-length.patch
new file mode 100644
index 0000000..fdeb8d3
--- /dev/null
+++ b/SOURCES/kvm-usb-check-RNDIS-message-length.patch
@@ -0,0 +1,78 @@
+From d43b55595f9f5a29ad45b6bf1c899646ef623bf9 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Fri, 4 Sep 2020 16:09:12 -0400
+Subject: [PATCH 2/3] usb: check RNDIS message length
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20200904160913.87759-2-jmaloy@redhat.com>
+Patchwork-id: 98289
+O-Subject: [RHEL-7.9 qemu-kvm PATCH 1/2] usb: check RNDIS message length
+Bugzilla: 1869693
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Prasad J Pandit <pjp@fedoraproject.org>
+
+When processing remote NDIS control message packets, the USB Net
+device emulator uses a fixed length(4096) data buffer. The incoming
+packet length could exceed this limit. Add a check to avoid it.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1455648821-17340-2-git-send-email-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 64c9bc181fc78275596649f591302d72df2d3071)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jon Maloy <jmaloy.redhat.com>
+---
+ hw/usb/core.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index cf34755bba..f0201e30b4 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -128,9 +128,16 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ }
+
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
++ s->setup_index = 0;
+ p->actual_length = 0;
+ s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- s->setup_index = 0;
++ if (s->setup_len > sizeof(s->data_buf)) {
++ fprintf(stderr,
++ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
++ s->setup_len, sizeof(s->data_buf));
++ p->status = USB_RET_STALL;
++ return;
++ }
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -151,13 +158,6 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ }
+ s->setup_state = SETUP_STATE_DATA;
+ } else {
+- if (s->setup_len > sizeof(s->data_buf)) {
+- fprintf(stderr,
+- "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
+- p->status = USB_RET_STALL;
+- return;
+- }
+ if (s->setup_len == 0)
+ s->setup_state = SETUP_STATE_ACK;
+ else
+@@ -176,7 +176,7 @@ static void do_token_in(USBDevice *s, USBPacket *p)
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+-
++
+ switch(s->setup_state) {
+ case SETUP_STATE_ACK:
+ if (!(s->setup_buf[0] & USB_DIR_IN)) {
+--
+2.18.2
+
diff --git a/SOURCES/kvm-usb-fix-setup_len-init-CVE-2020-14364.patch b/SOURCES/kvm-usb-fix-setup_len-init-CVE-2020-14364.patch
new file mode 100644
index 0000000..ac2625c
--- /dev/null
+++ b/SOURCES/kvm-usb-fix-setup_len-init-CVE-2020-14364.patch
@@ -0,0 +1,102 @@
+From 9330e486e884f1757d6920a25c6cc491eedad0d0 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Fri, 4 Sep 2020 16:09:13 -0400
+Subject: [PATCH 3/3] usb: fix setup_len init (CVE-2020-14364)
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20200904160913.87759-3-jmaloy@redhat.com>
+Patchwork-id: 98291
+O-Subject: [RHEL-7.9 qemu-kvm PATCH 2/2] usb: fix setup_len init (CVE-2020-14364)
+Bugzilla: 1869693
+RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+(cherry picked from commit b946434f2659a182afc17e155be6791ebfb302eb)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Jon Maloy <jmaloy.redhat.com>
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index f0201e30b4..f0038e44ae 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -121,6 +121,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -130,14 +131,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -251,26 +253,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
+--
+2.18.2
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 59407b6..992dcf7 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
Summary: QEMU is a machine emulator and virtualizer
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
-Release: 175%{?dist}
+Release: 175%{?dist}.1
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2 and GPLv2+ and CC-BY
@@ -4039,6 +4039,12 @@ Patch1990: kvm-gluster-the-glfs_io_cbk-callback-function-pointer-ad.patch
Patch1991: kvm-seccomp-set-the-seccomp-filter-to-all-threads.patch
# For bz#1810408 - CVE-2019-20382 qemu-kvm: QEMU: vnc: memory leakage upon disconnect [rhel-7]
Patch1992: kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch
+# For bz#1837565 - CVE-2020-1983 qemu-kvm: QEMU: slirp: use-after-free in ip_reass() function in ip_input.c [rhel-7]
+Patch1993: kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch
+# For bz#1869693 - CVE-2020-14364 qemu-kvm: QEMU: usb: out-of-bounds r/w access issue while processing usb packets [rhel-7.9.z]
+Patch1994: kvm-usb-check-RNDIS-message-length.patch
+# For bz#1869693 - CVE-2020-14364 qemu-kvm: QEMU: usb: out-of-bounds r/w access issue while processing usb packets [rhel-7.9.z]
+Patch1995: kvm-usb-fix-setup_len-init-CVE-2020-14364.patch
BuildRequires: zlib-devel
@@ -6209,6 +6215,9 @@ tar -xf %{SOURCE21}
%patch1990 -p1
%patch1991 -p1
%patch1992 -p1
+%patch1993 -p1
+%patch1994 -p1
+%patch1995 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -6654,6 +6663,18 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_mandir}/man8/qemu-nbd.8*
%changelog
+* Tue Sep 08 2020 Jon Maloy <jmaloy@redhat.com> - 1.5.3-175.el7_9.1
+- Fixing release number for z-stream
+
+* Tue Sep 08 2020 Jon Maloy <jmaloy@redhat.com> - 1.5.3-175.el7
+- kvm-Fix-use-afte-free-in-ip_reass-CVE-2020-1983.patch [bz#1837565]
+- kvm-usb-check-RNDIS-message-length.patch [bz#1869693]
+- kvm-usb-fix-setup_len-init-CVE-2020-14364.patch [bz#1869693]
+- Resolves: bz#1837565
+ (CVE-2020-1983 qemu-kvm: QEMU: slirp: use-after-free in ip_reass() function in ip_input.c [rhel-7])
+- Resolves: bz#1869693
+ (CVE-2020-14364 qemu-kvm: QEMU: usb: out-of-bounds r/w access issue while processing usb packets [rhel-7.9.z])
+
* Mon Jun 01 2020 Jon Maloy <jmaloy@redhat.com> - 1.5.3-175.el7
- kvm-vnc-fix-memory-leak-when-vnc-disconnect.patch [bz#1810408]
- Resolves: bz#1810408