From 6b34499dc62a55283dabd04c39f9b4d53fcf13c8 Mon Sep 17 00:00:00 2001 From: Rutger Helling Date: Wed, 12 Dec 2018 11:57:36 +0100 Subject: gnu: qemu: Update to 3.1.0. * gnu/packages/virtualization.scm (qemu): Update to 3.1.0. [source]: Remove obsolete patches. * gnu/packages/patches/qemu-CVE-2018-16847.patch, gnu/packages/patches/qemu-CVE-2018-16867.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/packages/patches/qemu-CVE-2018-16847.patch | 158 ------------------------- gnu/packages/patches/qemu-CVE-2018-16867.patch | 49 -------- gnu/packages/virtualization.scm | 6 +- 3 files changed, 2 insertions(+), 211 deletions(-) delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16847.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16867.patch (limited to 'gnu/packages') diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch deleted file mode 100644 index c76bdf764a..0000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16847.patch +++ /dev/null @@ -1,158 +0,0 @@ -Fix CVE-2018-16847: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce - -From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Tue, 20 Nov 2018 19:41:48 +0100 -Subject: [PATCH] nvme: fix out-of-bounds access to the CMB -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Because the CMB BAR has a min_access_size of 2, if you read the last -byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one -error. This is CVE-2018-16847. - -Another way to fix this might be to register the CMB as a RAM memory -region, which would also be more efficient. However, that might be a -change for big-endian machines; I didn't think this through and I don't -know how real hardware works. Add a basic testcase for the CMB in case -somebody does this change later on. - -Cc: Keith Busch -Cc: qemu-block@nongnu.org -Reported-by: Li Qiang -Reviewed-by: Li Qiang -Tested-by: Li Qiang -Signed-off-by: Paolo Bonzini -Reviewed-by: Philippe Mathieu-Daudé -Tested-by: Philippe Mathieu-Daudé -Signed-off-by: Kevin Wolf ---- - hw/block/nvme.c | 2 +- - tests/Makefile.include | 2 +- - tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++------- - 3 files changed, 60 insertions(+), 12 deletions(-) - -diff --git a/hw/block/nvme.c b/hw/block/nvme.c -index 28d284346dd..8c35cab2b43 100644 ---- a/hw/block/nvme.c -+++ b/hw/block/nvme.c -@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = { - .write = nvme_cmb_write, - .endianness = DEVICE_LITTLE_ENDIAN, - .impl = { -- .min_access_size = 2, -+ .min_access_size = 1, - .max_access_size = 8, - }, - }; -diff --git a/tests/Makefile.include b/tests/Makefile.include -index 613242bc6ef..fb0b449c02a 100644 ---- a/tests/Makefile.include -+++ b/tests/Makefile.include -@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o - tests/machine-none-test$(EXESUF): tests/machine-none-test.o - tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y) - tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y) --tests/nvme-test$(EXESUF): tests/nvme-test.o -+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y) - tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o - tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o - tests/ac97-test$(EXESUF): tests/ac97-test.o -diff --git a/tests/nvme-test.c b/tests/nvme-test.c -index 7674a446e4f..2700ba838aa 100644 ---- a/tests/nvme-test.c -+++ b/tests/nvme-test.c -@@ -8,25 +8,73 @@ - */ - - #include "qemu/osdep.h" -+#include "qemu/units.h" - #include "libqtest.h" -+#include "libqos/libqos-pc.h" -+ -+static QOSState *qnvme_start(const char *extra_opts) -+{ -+ QOSState *qs; -+ const char *arch = qtest_get_arch(); -+ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw " -+ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s"; -+ -+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { -+ qs = qtest_pc_boot(cmd, extra_opts ? : ""); -+ global_qtest = qs->qts; -+ return qs; -+ } -+ -+ g_printerr("nvme tests are only available on x86\n"); -+ exit(EXIT_FAILURE); -+} -+ -+static void qnvme_stop(QOSState *qs) -+{ -+ qtest_shutdown(qs); -+} - --/* Tests only initialization so far. TODO: Replace with functional tests */ - static void nop(void) - { -+ QOSState *qs; -+ -+ qs = qnvme_start(NULL); -+ qnvme_stop(qs); - } - --int main(int argc, char **argv) -+static void nvmetest_cmb_test(void) - { -- int ret; -+ const int cmb_bar_size = 2 * MiB; -+ QOSState *qs; -+ QPCIDevice *pdev; -+ QPCIBar bar; - -- g_test_init(&argc, &argv, NULL); -- qtest_add_func("/nvme/nop", nop); -+ qs = qnvme_start("-global nvme.cmb_size_mb=2"); -+ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0)); -+ g_assert(pdev != NULL); -+ -+ qpci_device_enable(pdev); -+ bar = qpci_iomap(pdev, 2, NULL); -+ -+ qpci_io_writel(pdev, bar, 0, 0xccbbaa99); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99); -+ -+ /* Test partially out-of-bounds accesses. */ -+ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211); -+ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211); -+ g_free(pdev); - -- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw " -- "-device nvme,drive=drv0,serial=foo"); -- ret = g_test_run(); -+ qnvme_stop(qs); -+} - -- qtest_end(); -+int main(int argc, char **argv) -+{ -+ g_test_init(&argc, &argv, NULL); -+ qtest_add_func("/nvme/nop", nop); -+ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test); - -- return ret; -+ return g_test_run(); - } --- -2.19.2 - diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch deleted file mode 100644 index 1403d8e0f8..0000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16867.patch +++ /dev/null @@ -1,49 +0,0 @@ -Fix CVE-2018-16867: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867 -https://seclists.org/oss-sec/2018/q4/202 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6 - -From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 3 Dec 2018 11:10:45 +0100 -Subject: [PATCH] usb-mtp: outlaw slashes in filenames -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Slash is unix directory separator, so they are not allowed in filenames. -Note this also stops the classic escape via "../". - -Fixes: CVE-2018-16867 -Reported-by: Michael Hanselmann -Signed-off-by: Gerd Hoffmann -Reviewed-by: Philippe Mathieu-Daudé -Message-id: 20181203101045.27976-3-kraxel@redhat.com ---- - hw/usb/dev-mtp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 0f6a9702ef1..100b7171f4e 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) - - filename = utf16_to_str(dataset->length, dataset->filename); - -+ if (strchr(filename, '/')) { -+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, -+ 0, 0, 0, 0); -+ return; -+ } -+ - o = usb_mtp_object_lookup_name(p, filename, dataset->length); - if (o != NULL) { - next_handle = o->handle; --- -2.19.2 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 0502bb38c4..8e361558bf 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm @@ -95,16 +95,14 @@ (define-public qemu (package (name "qemu") - (version "3.0.0") + (version "3.1.0") (source (origin (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2018-16847.patch" - "qemu-CVE-2018-16867.patch")) (sha256 (base32 - "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld")))) + "1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: -- cgit 1.4.1