diff --git a/SOURCES/kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch b/SOURCES/kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch
new file mode 100644
index 0000000..b3811d7
--- /dev/null
+++ b/SOURCES/kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch
@@ -0,0 +1,60 @@
+From 1767f904c44076c1b049eb540c6b565aac787bc3 Mon Sep 17 00:00:00 2001
+From: Sergio Lopez Pascual
+Date: Mon, 15 Apr 2019 11:38:00 +0100
+Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Sergio Lopez Pascual
+Message-id: <20190415113800.48669-2-slp@redhat.com>
+Patchwork-id: 85667
+O-Subject: [RHEL-8.0 qemu-kvm PATCH 1/1] device_tree: Fix integer overflowing in load_device_tree()
+Bugzilla: 1693116
+RH-Acked-by: Philippe Mathieu-Daudé
+RH-Acked-by: Stefan Hajnoczi
+RH-Acked-by: Stefano Garzarella
+
+From: Markus Armbruster
+
+If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
+computation of @dt_size overflows to a negative number, which then
+gets converted to a very large size_t for g_malloc0() and
+load_image_size(). In the (fortunately improbable) case g_malloc0()
+succeeds and load_image_size() survives, we'd assign the negative
+number to *sizep. What that would do to the callers I can't say, but
+it's unlikely to be good.
+
+Fix by rejecting images whose size would overflow.
+
+Reported-by: Kurtis Miller
+Signed-off-by: Markus Armbruster
+Reviewed-by: Philippe Mathieu-Daudé
+Signed-off-by: Alistair Francis
+Message-Id: <20190409174018.25798-1-armbru@redhat.com>
+(cherry picked from 065e6298a75164b4347682b63381dbe752c2b156)
+Signed-off-by: Sergio Lopez
+
+Signed-off-by: Danilo C. L. de Paula
+---
+ device_tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/device_tree.c b/device_tree.c
+index 19458b3..2457f58 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ filename_path);
+ goto fail;
+ }
++ if (dt_size > INT_MAX / 2 - 10000) {
++ error_report("Device tree file '%s' is too large", filename_path);
++ goto fail;
++ }
+
+ /* Expand to 2x size to give enough room for manipulation.
 */
+ dt_size += 10000;
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-define-md-clear-bit-rhev.patch b/SOURCES/kvm-target-i386-define-md-clear-bit-rhev.patch
new file mode 100644
index 0000000..881d3af
--- /dev/null
+++ b/SOURCES/kvm-target-i386-define-md-clear-bit-rhev.patch
@@ -0,0 +1,35 @@
+From 8f9887acd04e8db0bebd0ad3fe1cf5d7294abdfd Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Sat, 2 Mar 2019 00:07:10 +0100
+Subject: target/i386: define md-clear bit
+
+Message-id: <20190301230710.692-1-pbonzini@redhat.com>
+O-Subject: [qemu PATCH] target/i386: define md-clear bit
+
+md-clear is a new CPUID bit which is set when microcode provides the
+mechanism to invoke a flush of various exploitable CPU buffers by invoking
+the VERW instruction.
+
+Signed-off-by: Paolo Bonzini
+
+---
+
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index d990070c59..16da90562c 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .feat_names = {
+ NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, NULL, "md-clear", NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+--
+2.20.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index a240b64..2fd59bf 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -68,7 +68,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 2.12.0
-Release: 63%{?dist}
+Release: 64%{?dist}.2
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
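Review bot: The new guard `if (dt_size > INT_MAX / 2 - 10000)` is only correct because of the `dt_size += 10000;` that follows it and, per the "Expand to 2x size" comment, presumably a doubling after that; nothing at the check itself says so, so a one-line comment such as `/* (dt_size + 10000) * 2 must still fit in an int, see the expansion below */` would keep the two from drifting apart if either constant is ever changed. Note that the bound is still roughly INT_MAX/2, so an oversized blob is rejected before the arithmetic overflows rather than on size grounds; whether a tighter cap is wanted for this product is a separate decision from this CVE fix. load_device_tree() begins and ends outside the hunk. Since the hunk is a cherry-pick of upstream 065e6298, the comment would be a downstream-only deviation and may be better kept in the backport notes if the patch must stay verbatim.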
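Review bot: Putting `"md-clear"` into feat_names (index 10 of this feature word, counting four entries per row) only makes the flag nameable on the command line; nothing in the hunk adds it to any CPU model, and as far as I can tell a guest only receives the bit when the host's KVM reports it and the chosen CPU model or `-cpu host` requests it, so the VERW-based flush described in the message is not automatically enabled for existing guests. That operational consequence is worth stating in the patch description or the spec changelog, e.g. `md-clear must be enabled explicitly (or inherited via -cpu host) and is only offered when the host kernel exposes it`. The `feature_word_info` initializer starts and ends outside the hunk.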
@@ -1318,6 +1318,10 @@ Patch638: kvm-qga-fix-driver-leak-in-guest-get-fsinfo.patch
 Patch639: kvm-slirp-check-data-length-while-emulating-ident-functi.patch
 # For bz#1668162 - CVE-2019-6501 qemu-kvm: QEMU: scsi-generic: possible OOB access while handling inquiry request [rhel-8]
 Patch640: kvm-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch
+# For bz#1693116 - CVE-2018-20815 qemu-kvm: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-8.0]
+Patch641: kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch
+# For bz#1704545 - CVE-2018-12126 virt:rhel/qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-8.0.0.z]
+Patch642: kvm-target-i386-define-md-clear-bit-rhev.patch
 
 BuildRequires: zlib-devel
 BuildRequires: glib2-devel
@@ -2208,6 +2212,21 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Fri May 10 2019 Danilo Cesar Lemes de Paula - 2.12.0-64.el8.0.0.2
+- Bump release version to fix the versioning problem (zstream release lower than ystream).
+- Resolves: bz#1704545
+ (CVE-2018-12126 virt:rhel/qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-8.0.0.z])
+
+* Fri May 03 2019 Danilo Cesar Lemes de Paula - 2.12.0-63.el8.0.0.2
+- kvm-target-i386-define-md-clear-bit-rhev.patch [bz#1704545]
+- Resolves: bz#1704545
+ (CVE-2018-12126 virt:rhel/qemu-kvm: hardware: Microarchitectural Store Buffer Data Sampling [rhel-8.0.0.z])
+
+* Mon Apr 22 2019 Danilo Cesar Lemes de Paula - 2.12.0-63.el8_0.1
+- kvm-device_tree-Fix-integer-overflowing-in-load_device_t.patch [bz#1693116]
+- Resolves: bz#1693116
+ (CVE-2018-20815 qemu-kvm: QEMU: device_tree: heap buffer overflow while loading device tree blob [rhel-8.0])
+
 * Tue Feb 26 2019 Danilo Cesar Lemes de Paula - 2.12.0-63.el8
 - kvm-scsi-generic-avoid-possible-out-of-bounds-access-to-.patch [bz#1668162]
 - Resolves: bz#1668162
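Review bot: Patch641 and Patch642 are declared in this hunk but the %prep section is not in the diff; if the spec applies patches with explicit `%patchNNN -p1` lines rather than `%autopatch`/`%autosetup`, each also needs an application line there, otherwise the two sources are shipped in the SRPM but never applied and the CVE references in the comments become misleading. The `# For bz#...` comments match the changelog entries, which is good. It would help to note next to Patch642 that it only defines the md-clear flag name and, per the patch's own description, the guest-side mitigation still depends on microcode exposing the bit on the host, e.g. `# Only defines the CPUID flag name; md-clear must be exposed by the host and requested by the CPU model`.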