diff --git a/SOURCES/kvm-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch b/SOURCES/kvm-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch
new file mode 100644
index 0000000..3a7ce94
--- /dev/null
+++ b/SOURCES/kvm-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch
@@ -0,0 +1,76 @@
+From 0f918da30dbb71e68e7fad4a2da8983b25536233 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Fri, 19 Jun 2015 10:45:29 +0200
+Subject: [PATCH] atomics: add explicit compiler fence in __atomic memory
+ barriers
+
+Message-id: <1434710730-26183-1-git-send-email-pbonzini@redhat.com>
+Patchwork-id: 66333
+O-Subject: [RHEL7.2/7.1.z qemu-kvm PATCH] atomics: add explicit compiler fence in __atomic memory barriers
+Bugzilla: 1233643
+RH-Acked-by: Fam Zheng
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Dr. David Alan Gilbert
+
+__atomic_thread_fence does not include a compiler barrier; in the
+C++11 memory model, fences take effect in combination with other
+atomic operations. GCC implements this by making __atomic_load and
+__atomic_store access memory as if the pointer was volatile, and
+leaves no trace whatsoever of acquire and release fences in the
+compiler's intermediate representation.
+
+In QEMU, we want memory barriers to act on all memory, but at the same
+time we would like to use __atomic_thread_fence for portability reasons.
+Add compiler barriers manually around the __atomic_thread_fence.
+
+Thanks to Uli and Kevin for analyzing this bug!
+
+Message-Id: <1433334080-14912-1-git-send-email-pbonzini@redhat.com>
+Reviewed-by: Stefan Hajnoczi
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 3bbf572345c65813f86a8fc434ea1b23beb08e16)
+Signed-off-by: Miroslav Rezanina
+---
+ include/qemu/atomic.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
+index 0aa8913..690d0d6 100644
+--- a/include/qemu/atomic.h
++++ b/include/qemu/atomic.h
+@@ -99,7 +99,13 @@
+
+ #ifndef smp_wmb
+ #ifdef __ATOMIC_RELEASE
+-#define smp_wmb() __atomic_thread_fence(__ATOMIC_RELEASE)
++/* __atomic_thread_fence does not include a compiler barrier; instead,
++ * the barrier is part of __atomic_load/__atomic_store's "volatile-like"
++ * semantics. If smp_wmb() is a no-op, absence of the barrier means that
++ * the compiler is free to reorder stores on each side of the barrier.
++ * Add one here, and similarly in smp_rmb() and smp_read_barrier_depends().
++ */
++#define smp_wmb() ({ barrier(); __atomic_thread_fence(__ATOMIC_RELEASE); barrier(); })
+ #else
+ #define smp_wmb() __sync_synchronize()
+ #endif
+@@ -107,7 +113,7 @@
+
+ #ifndef smp_rmb
+ #ifdef __ATOMIC_ACQUIRE
+-#define smp_rmb() __atomic_thread_fence(__ATOMIC_ACQUIRE)
++#define smp_rmb() ({ barrier(); __atomic_thread_fence(__ATOMIC_ACQUIRE); barrier(); })
+ #else
+ #define smp_rmb() __sync_synchronize()
+ #endif
+@@ -115,7 +121,7 @@
+
+ #ifndef smp_read_barrier_depends
+ #ifdef __ATOMIC_CONSUME
+-#define smp_read_barrier_depends() __atomic_thread_fence(__ATOMIC_CONSUME)
++#define smp_read_barrier_depends() ({ barrier(); __atomic_thread_fence(__ATOMIC_CONSUME); barrier(); })
+ #else
+ #define smp_read_barrier_depends() barrier()
+ #endif
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch b/SOURCES/kvm-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch
new file mode 100644
index 0000000..a532e62
--- /dev/null
+++ b/SOURCES/kvm-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch
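Review bot: The explanatory comment is attached only to the smp_wmb() definition, while the smp_rmb() and smp_read_barrier_depends() definitions in the two later hunks get the same `({ barrier(); ...; barrier(); })` shape with no comment of their own, so a reader landing there has to scroll up to learn why the barrier() pair exists. A one-line cross-reference on each, `/* see smp_wmb() above: compiler barriers around the fence */`, would keep the rationale next to the code it protects. The statement-expression form is a GCC extension, which is acceptable here because the `__ATOMIC_*` macros gating these branches are themselves compiler-specific, and the `#else` fallback for smp_read_barrier_depends() is already `barrier()`, so the three branches are now consistent.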
@@ -0,0 +1,56 @@
+From 72e9da46b9dbbaa0e8d1ec332b876336df99e769 Mon Sep 17 00:00:00 2001
+From: Petr Matousek
+Date: Thu, 25 Jun 2015 12:46:37 +0200
+Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
+
+Message-id: <20150625124637.GJ18896@dhcp-25-225.brq.redhat.com>
+Patchwork-id: 66478
+O-Subject: [RHEL-7.2 qemu-kvm PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
+Bugzilla: 1229646
+RH-Acked-by: Markus Armbruster
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Michael S. Tsirkin
+
+Upstream: d4862a87e31a51de9eb260f25c9e99a75efe3235
+
+Due converting PIO to the new memory read/write api we no longer provide
+separate I/O region lenghts for read and write operations. As a result,
+reading from PIT Mode/Command register will end with accessing
+pit->channels with invalid index.
+
+Fix this by ignoring read from the Mode/Command register.
+
+This is CVE-2015-3214.
+
+Reported-by: Matt Tait
+Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Petr Matousek
+Signed-off-by: Paolo Bonzini
+
+Signed-off-by: Petr Matousek
+Signed-off-by: Miroslav Rezanina
+---
+ hw/timer/i8254.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
+index 20c0c36..64c9f58 100644
+--- a/hw/timer/i8254.c
++++ b/hw/timer/i8254.c
+@@ -187,6 +187,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
+ PITChannelState *s;
+
+ addr &= 3;
++
++ if (addr == 3) {
++ /* Mode/Command register is write only, read is ignored */
++ return 0;
++ }
++
+ s = &pit->channels[addr];
+ if (s->status_latched) {
+ s->status_latched = 0;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch b/SOURCES/kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch
new file mode 100644
index 0000000..abb9d13
--- /dev/null
+++ b/SOURCES/kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch
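Review bot: The comment on the new `if (addr == 3)` early return describes the register as write-only but not the hazard the commit message names, namely that `addr &= 3` can yield index 3 while `pit->channels` has no element for it (the array size is not visible in this hunk, so confirm it is 3). Suggest widening it to `/* addr 3 is the write-only Mode/Command register; pit->channels has no entry for it */` so a later reader does not drop the check as a mere behavioural nicety. Returning 0 is a reasonable choice for an ignored read, and having it in one place means the value can be adjusted without touching the channel path. pit_ioport_read's body continues outside the hunk.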
@@ -0,0 +1,86 @@
+From 892bb2a720de57109f7e8526879069abcaab38bf Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Thu, 16 Jul 2015 16:15:58 +0200
+Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
+ (CVE-2015-5154)
+
+Message-id: <1437056160-3284-2-git-send-email-kwolf@redhat.com>
+Patchwork-id: n/a
+O-Subject: [virt-devel] [RHEL/RHEV-7 qemu-kvm(-rhev) EMBARGOED PATCH 1/3] ide:
+ Check array bounds before writing to io_buffer (CVE-2015-5154)
+Bugzilla: 1243689
+RH-Acked-by: Petr Matousek
+RH-Acked-by: John Snow
+RH-Acked-by: Stefan Hajnoczi
+
+If the end_transfer_func of a command is called because enough data has
+been read or written for the current PIO transfer, and it fails to
+correctly call the command completion functions, the DRQ bit in the
+status register and s->end_transfer_func may remain set. This allows the
+guest to access further bytes in s->io_buffer beyond s->data_end, and
+eventually overflowing the io_buffer.
+
+One case where this currently happens is emulation of the ATAPI command
+START STOP UNIT.
+
+This patch fixes the problem by adding explicit array bounds checks
+before accessing the buffer instead of relying on end_transfer_func to
+function correctly.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf
+---
+ hw/ide/core.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 24a1708..ada26c0 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1849,6 +1849,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+ }
+
+ p = s->data_ptr;
++ if (p + 2 > s->data_end) {
++ return;
++ }
++
+ *(uint16_t *)p = le16_to_cpu(val);
+ p += 2;
+ s->data_ptr = p;
+@@ -1870,6 +1874,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+ }
+
+ p = s->data_ptr;
++ if (p + 2 > s->data_end) {
++ return 0;
++ }
++
+ ret = cpu_to_le16(*(uint16_t *)p);
+ p += 2;
+ s->data_ptr = p;
+@@ -1891,6 +1899,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+ }
+
+ p = s->data_ptr;
++ if (p + 4 > s->data_end) {
++ return;
++ }
++
+ *(uint32_t *)p = le32_to_cpu(val);
+ p += 4;
+ s->data_ptr = p;
+@@ -1912,6 +1924,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+ }
+
+ p = s->data_ptr;
++ if (p + 4 > s->data_end) {
++ return 0;
++ }
++
+ ret = cpu_to_le32(*(uint32_t *)p);
+ p += 4;
+ s->data_ptr = p;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ide-Clear-DRQ-after-handling-all-expected-accesses.patch b/SOURCES/kvm-ide-Clear-DRQ-after-handling-all-expected-accesses.patch
new file mode 100644
index 0000000..0bf3fb4
--- /dev/null
+++ b/SOURCES/kvm-ide-Clear-DRQ-after-handling-all-expected-accesses.patch
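Review bot: The guard `if (p + 2 > s->data_end)` (and the `p + 4` form in the three following hunks of this patch) computes a pointer past `data_end` before comparing, which under C11 is undefined once `p` already equals `data_end` — a state this very code reaches, since `s->data_ptr = p` is stored after `p += 2` and only then compared with `data_end`. The difference form avoids forming the out-of-range pointer and reads the same: `if (s->data_end - p < 2) {` here and in ide_data_readw, and `if (s->data_end - p < 4) {` in ide_data_writel and ide_data_readl. The silent `return` / `return 0` is appropriate for a guest-driven PIO access that has nothing left to transfer, but a one-line comment such as `/* guest accessed past the current PIO transfer; ignore rather than overrun io_buffer */` would record that this is a deliberate no-op rather than a forgotten error path. Each enclosing function starts before its hunk (the leading `}` closes a conditional that is not visible) and ends after it.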
@@ -0,0 +1,80 @@
+From a6bc46fecbb3463447cd1e79afe60704afaa55e8 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Thu, 16 Jul 2015 16:16:00 +0200
+Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
+
+Message-id: <1437056160-3284-4-git-send-email-kwolf@redhat.com>
+Patchwork-id: n/a
+O-Subject: [virt-devel] [RHEL/RHEV-7 qemu-kvm(-rhev) EMBARGOED PATCH 3/3] ide:
+ Clear DRQ after handling all expected accesses
+Bugzilla: 1243689
+RH-Acked-by: Petr Matousek
+RH-Acked-by: John Snow
+RH-Acked-by: Stefan Hajnoczi
+
+This is additional hardening against an end_transfer_func that fails to
+clear the DRQ status bit. The bit must be unset as soon as the PIO
+transfer has completed, so it's better to do this in a central place
+instead of duplicating the code in all commands (and forgetting it in
+some).
+
+Signed-off-by: Kevin Wolf
+---
+ hw/ide/core.c | 16 ++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index ada26c0..cd2e964 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1856,8 +1856,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
+ *(uint16_t *)p = le16_to_cpu(val);
+ p += 2;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ }
+
+ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+@@ -1881,8 +1883,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
+ ret = cpu_to_le16(*(uint16_t *)p);
+ p += 2;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ return ret;
+ }
+
+@@ -1906,8 +1910,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
+ *(uint32_t *)p = le32_to_cpu(val);
+ p += 4;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ }
+
+ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+@@ -1931,8 +1937,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
+ ret = cpu_to_le32(*(uint32_t *)p);
+ p += 4;
+ s->data_ptr = p;
+- if (p >= s->data_end)
++ if (p >= s->data_end) {
++ s->status &= ~DRQ_STAT;
+ s->end_transfer_func(s);
++ }
+ return ret;
+ }
+
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch b/SOURCES/kvm-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch
new file mode 100644
index 0000000..1fa98c8
--- /dev/null
+++ b/SOURCES/kvm-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch
@@ -0,0 +1,37 @@
+From b4e9b91cce5952bb67a235490ad5f6bdb6b73ed5 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Thu, 16 Jul 2015 16:15:59 +0200
+Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
+
+Message-id: <1437056160-3284-3-git-send-email-kwolf@redhat.com>
+Patchwork-id: n/a
+O-Subject: [virt-devel] [RHEL/RHEV-7 qemu-kvm(-rhev) EMBARGOED PATCH 2/3]
+ ide/atapi: Fix START STOP UNIT command completion
+Bugzilla: 1243689
+RH-Acked-by: Petr Matousek
+RH-Acked-by: John Snow
+RH-Acked-by: Stefan Hajnoczi
+
+The command must be completed on all code paths. START STOP UNIT with
+pwrcnd set should succeed without doing anything.
+
+Signed-off-by: Kevin Wolf
+---
+ hw/ide/atapi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index 05e60b1..f6d66a0 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -879,6 +879,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
+
+ if (pwrcnd) {
+ /* eject/load only happens for power condition == 0 */
++ ide_atapi_cmd_ok(s);
+ return;
+ }
+
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 4a9f2a8..b2ab524 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
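Review bot: `s->status &= ~DRQ_STAT;` is added ahead of `s->end_transfer_func(s);` in all four PIO accessors, but nothing at those lines says why the clear lives in the caller rather than in each command's completion function, so a later cleanup could fold it back into the callbacks and reopen the gap the commit message describes. Suggest a comment on the first occurrence in ide_data_writew, `/* transfer complete: drop DRQ here so a faulty end_transfer_func cannot leave it set */`, with `/* see ide_data_writew */` on the other three. The ordering also matters and is worth stating: if an end_transfer_func sets up a further PIO chunk it presumably re-asserts DRQ, which is why the clear must precede the call rather than follow it — confirm against the callbacks, which are outside this hunk. The bounds guards from the companion patch kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch return before reaching this point, so this clear is what stops a guest from seeing DRQ still set once data_ptr reaches data_end.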
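Review bot: The added `ide_atapi_cmd_ok(s);` on the pwrcnd path is the completion the commit message calls for, but the existing comment `/* eject/load only happens for power condition == 0 */` still reads as though the branch merely skips work, which invites someone to remove the call as redundant; extending it to `/* eject/load only happens for power condition == 0; the command still completes */` keeps the intent visible. Since a command that never completes is exactly what left DRQ and end_transfer_func armed in the companion ide patches, any other early-return path in cmd_start_stop_unit deserves the same check for a missing completion call. cmd_start_stop_unit starts and ends outside the hunk, so those paths are not visible here.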
@@ -28,13 +28,16 @@ %ifarch x86_64 %global kvm_target x86_64 %endif -%ifarch ppc64 +%ifarch %{power64} %global kvm_target ppc64 %endif -%ifarch s390x +%ifarch s390x s390 %global kvm_target s390x %endif +%ifarch ppc + %global kvm_target ppc +%endif #Versions of various parts: %define pkgname qemu-kvm @@ -69,7 +72,7 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a FAST! processor emulator Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 86%{?dist}.2 +Release: 86%{?dist}.5 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD @@ -2832,6 +2835,16 @@ Patch1391: kvm-cirrus-don-t-overflow-CirrusVGAState-cirrus_bltbuf.patch Patch1392: kvm-pc-add-rhel6.6.0-machine-type.patch # For bz#1219269 - EMBARGOED CVE-2015-3456 qemu-kvm: qemu: floppy disk controller flaw [rhel-7.1.z] Patch1393: kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch +# For bz#1233643 - [abrt] qemu-kvm: bdrv_error_action(): qemu-kvm killed by SIGABRT +Patch1394: kvm-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch +# For bz#1243689 - EMBARGOED CVE-2015-5154 qemu-kvm: qemu: ide: atapi: heap overflow during I/O buffer memory access [rhel-7.1.z] +Patch1395: kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch +# For bz#1243689 - EMBARGOED CVE-2015-5154 qemu-kvm: qemu: ide: atapi: heap overflow during I/O buffer memory access [rhel-7.1.z] +Patch1396: kvm-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch +# For bz#1243689 - EMBARGOED CVE-2015-5154 qemu-kvm: qemu: ide: atapi: heap overflow during I/O buffer memory access [rhel-7.1.z] +Patch1397: kvm-ide-Clear-DRQ-after-handling-all-expected-accesses.patch +# For bz#1243726 - CVE-2015-3214 qemu-kvm: qemu: i8254: out-of-bounds memory access in pit_ioport_read function [rhel-7.1.z] +Patch1398: kvm-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch BuildRequires: zlib-devel 
@@ -4433,6 +4446,11 @@ cp %{SOURCE18} pc-bios # keep "make check" happy %patch1391 -p1 %patch1392 -p1 %patch1393 -p1 +%patch1394 -p1 +%patch1395 -p1 +%patch1396 -p1 +%patch1397 -p1 +%patch1398 -p1 %build buildarch="%{kvm_target}-softmmu" @@ -4523,7 +4541,7 @@ dobuild() { --libdir=%{_libdir} \ --with-pkgversion=%{pkgname}-%{version}-%{release} \ --disable-guest-agent \ - --target-list= --cpu=%{_arch} + "$@" make libcacard.la %{?_smp_mflags} $buildldflags make vscclient %{?_smp_mflags} $buildldflags @@ -4877,6 +4895,23 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_libdir}/pkgconfig/libcacard.pc %changelog +* Mon Jul 20 2015 Miroslav Rezanina - 1.5.3-86.el7_1.5 +- kvm-i8254-fix-out-of-bounds-memory-access-in-pit_ioport_.patch [bz#1243726] +- Resolves: bz#1243726 + (CVE-2015-3214 qemu-kvm: qemu: i8254: out-of-bounds memory access in pit_ioport_read function [rhel-7.1.z]) + +* Fri Jul 17 2015 Miroslav Rezanina - 1.5.3-86.el7_1.4 +- kvm-ide-Check-array-bounds-before-writing-to-io_buffer-C.patch [bz#1243689] +- kvm-ide-atapi-Fix-START-STOP-UNIT-command-completion.patch [bz#1243689] +- kvm-ide-Clear-DRQ-after-handling-all-expected-accesses.patch [bz#1243689] +- Resolves: bz#1243689 + (EMBARGOED CVE-2015-5154 qemu-kvm: qemu: ide: atapi: heap overflow during I/O buffer memory access [rhel-7.1.z]) + +* Wed Jun 24 2015 Miroslav Rezanina - 1.5.3-86.el7_1.3 +- kvm-atomics-add-explicit-compiler-fence-in-__atomic-memo.patch [bz#1233643] +- Resolves: bz#1233643 + ([abrt] qemu-kvm: bdrv_error_action(): qemu-kvm killed by SIGABRT) + * Fri May 08 2015 Miroslav Rezanina - 1.5.3-86.el7_1.2 - kvm-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch [bz#1219269] - Resolves: bz#1219269