Date: Tuesday, August 18, 2015 @ 23:39:12 Author: seblu Revision: 243959
upgpkg: qemu 2.4.0-1 - fix FS#45922 - implement FS#45950 - remove example file in /etc; directory removed by upstream. Added: qemu/trunk/qemu-ga.service Modified: qemu/trunk/PKGBUILD qemu/trunk/qemu.install Deleted: qemu/trunk/CVE-2015-3214.patch qemu/trunk/CVE-2015-3456.patch qemu/trunk/CVE-2015-5154.patch qemu/trunk/CVE-2015-5158.patch ---------------------+ CVE-2015-3214.patch | 40 ----------- CVE-2015-3456.patch | 84 ------------------------ CVE-2015-5154.patch | 175 -------------------------------------------------- CVE-2015-5158.patch | 46 ------------- PKGBUILD | 31 ++++---- qemu-ga.service | 8 ++ qemu.install | 7 +- 7 files changed, 29 insertions(+), 362 deletions(-) Deleted: CVE-2015-3214.patch =================================================================== --- CVE-2015-3214.patch 2015-08-18 21:17:42 UTC (rev 243958) +++ CVE-2015-3214.patch 2015-08-18 21:39:12 UTC (rev 243959) 
@@ -1,40 +0,0 @@ -From 7d08e1fae6150a3c0867dba6f75cf00946b3163c Mon Sep 17 00:00:00 2001 -From: Petr Matousek <[email protected]> -Date: Tue, 2 Jun 2015 14:32:06 +0200 -Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read() - -Due converting PIO to the new memory read/write api we no longer provide -separate I/O region lenghts for read and write operations. As a result, -reading from PIT Mode/Command register will end with accessing -pit->channels with invalid index. - -Fix this by ignoring read from the Mode/Command register. - -This is CVE-2015-3214. - -Signed-off-by: Petr Matousek <[email protected]> -Reported-by: Matt Tait <[email protected]> ---- - hw/timer/i8254.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c -index 3450c98..9b65a33 100644 ---- a/hw/timer/i8254.c -+++ b/hw/timer/i8254.c -@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr, - PITChannelState *s; - - addr &= 3; -+ -+ if (addr == 3) { -+ /* Mode/Command register is write only, read is ignored */ -+ return 0; -+ } -+ - s = &pit->channels[addr]; - if (s->status_latched) { - s->status_latched = 0; --- -2.1.0 - Deleted: CVE-2015-3456.patch =================================================================== --- CVE-2015-3456.patch 2015-08-18 21:17:42 UTC (rev 243958) +++ CVE-2015-3456.patch 2015-08-18 21:39:12 UTC (rev 243959) 
@@ -1,84 +0,0 @@ -From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 -From: Petr Matousek <[email protected]> -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek <[email protected]> -Reviewed-by: John Snow <[email protected]> -Signed-off-by: John Snow <[email protected]> ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index f72a392..d8a8edd 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; 
- fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command --- -1.7.0.4 - Deleted: CVE-2015-5154.patch =================================================================== --- CVE-2015-5154.patch 2015-08-18 21:17:42 UTC (rev 243958) +++ CVE-2015-5154.patch 2015-08-18 21:39:12 UTC (rev 243959) 
@@ -1,175 +0,0 @@ -From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf <[email protected]> -Date: Wed, 3 Jun 2015 14:13:31 +0200 -Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer - (CVE-2015-5154) - -If the end_transfer_func of a command is called because enough data has -been read or written for the current PIO transfer, and it fails to -correctly call the command completion functions, the DRQ bit in the -status register and s->end_transfer_func may remain set. This allows the -guest to access further bytes in s->io_buffer beyond s->data_end, and -eventually overflowing the io_buffer. - -One case where this currently happens is emulation of the ATAPI command -START STOP UNIT. - -This patch fixes the problem by adding explicit array bounds checks -before accessing the buffer instead of relying on end_transfer_func to -function correctly. - -Cc: [email protected] -Signed-off-by: Kevin Wolf <[email protected]> ---- - hw/ide/core.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 122e955..44fcc23 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; 
-+ } -+ - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; --- -1.8.3.1 -From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf <[email protected]> -Date: Wed, 3 Jun 2015 14:17:46 +0200 -Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion - -The command must be completed on all code paths. START STOP UNIT with -pwrcnd set should succeed without doing anything. - -Signed-off-by: Kevin Wolf <[email protected]> ---- - hw/ide/atapi.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c -index 950e311..79dd167 100644 ---- a/hw/ide/atapi.c -+++ b/hw/ide/atapi.c -@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf) - - if (pwrcnd) { - /* eject/load only happens for power condition == 0 */ -+ ide_atapi_cmd_ok(s); - return; - } - --- -1.8.3.1 - -From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf <[email protected]> -Date: Wed, 3 Jun 2015 14:41:27 +0200 -Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses - -This is additional hardening against an end_transfer_func that fails to -clear the DRQ status bit. The bit must be unset as soon as the PIO -transfer has completed, so it's better to do this in a central place -instead of duplicating the code in all commands (and forgetting it in -some). 
- -Signed-off-by: Kevin Wolf <[email protected]> ---- - hw/ide/core.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 44fcc23..50449ca 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - --- -1.8.3.1 - Deleted: CVE-2015-5158.patch =================================================================== --- CVE-2015-5158.patch 2015-08-18 21:17:42 UTC (rev 243958) +++ CVE-2015-5158.patch 2015-08-18 21:39:12 UTC (rev 243959) 
@@ -1,46 +0,0 @@ -From c170aad8b057223b1139d72e5ce7acceafab4fa9 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <[email protected]> -Date: Tue, 21 Jul 2015 08:59:39 +0200 -Subject: [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb - (CVE-2015-5158) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is a guest-triggerable buffer overflow present in QEMU 2.2.0 -and newer. scsi_cdb_length returns -1 as an error value, but the -caller does not check it. - -Luckily, the massive overflow means that QEMU will just SIGSEGV, -making the impact much smaller. - -Reported-by: Zhu Donghai (朱东海) <[email protected]> -Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 -Reviewed-by: Fam Zheng <[email protected]> -Cc: [email protected] -Signed-off-by: Paolo Bonzini <[email protected]> ---- - hw/scsi/scsi-bus.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index f50b2f0..f0ae462 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { - int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) - { - int rc; -+ int len; - - cmd->lba = -1; -- cmd->len = scsi_cdb_length(buf); -+ len = scsi_cdb_length(buf); -+ if (len < 0) { -+ return -1; -+ } - -+ cmd->len = len; - switch (dev->type) { - case TYPE_TAPE: - rc = scsi_req_stream_xfer(cmd, dev, buf); Modified: PKGBUILD =================================================================== --- PKGBUILD 2015-08-18 21:17:42 UTC (rev 243958) +++ PKGBUILD 2015-08-18 21:39:12 UTC (rev 243959) @@ -7,9 +7,10 @@ 'qemu-block-iscsi' 'qemu-block-rbd' 'qemu-block-gluster' + 'qemu-guest-agent' 'libcacard') -pkgver=2.3.0 -pkgrel=7 +pkgver=2.4.0 +pkgrel=1 arch=('i686' 'x86_64') license=('GPL2' 'LGPL2.1') url='http://wiki.qemu.org/' 
@@ -19,18 +20,12 @@
 'libiscsi' 'libcacard' 'spice' 'spice-protocol' 'python2' 'usbredir' 'ceph' 'glusterfs' 'libssh2' 'lzo' 'snappy')
 source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2
- CVE-2015-3456.patch
- CVE-2015-5154.patch
- CVE-2015-3214.patch
- CVE-2015-5158.patch
 qemu.sysusers
+ qemu-ga.service
 65-kvm.rules)
-md5sums=('2fab3ea4460de9b57192e5b8b311f221'
- '5e8a68940c4e0267e795a6ddd144e00e'
- '311d3845dda4795bf63107c3dcbf2bea'
- '29840d5f2fa93ff447bf9dd120d12e5a'
- 'cd87c265dfec4d8aa3767d5d047cd397'
+md5sums=('186ee8194140a484a455f8e3c74589f4'
 '49778d11c28af170c4bebcc648b0ace1'
+ '44ee242d758f9318c6a1ea1dae96aa3a'
 '33ab286a20242dda7743a900f369d68a')
 prepare() {
@@ -100,9 +95,6 @@
 # https://bugs.archlinux.org/task/32565
 chmod u+s usr/lib/qemu/qemu-bridge-helper
- # add sample config
- echo 'allow br0' > etc/qemu/bridge.conf.sample
-
 # manual striping in scripts directory
 find usr/src/linux-${_kernver}/scripts -type f -perm -u+w 2>/dev/null|while read binary ; do
 case "$(file -bi "$binary")" in
@@ -119,6 +111,9 @@
 # remove splitted block modules
 rm usr/lib/qemu/block-{iscsi,rbd,gluster}.so
+
+ # remove guest agent
+ rm usr/bin/qemu-ga
 }
 package_libcacard() {
@@ -154,4 +149,12 @@
 install -D qemu-${pkgver}/block-gluster.so "${pkgdir}"/usr/lib/qemu/block-gluster.so
 }
+package_qemu-guest-agent() {
+ pkgdesc='QEMU Guest Agent'
+ depends=('glibc' 'gcc-libs' 'glib2')
+
+ install -D qemu-${pkgver}/qemu-ga "${pkgdir}"/usr/bin/qemu-ga
+ install -D qemu-ga.service "${pkgdir}"/usr/lib/systemd/system/qemu-ga.service
+}
+
 # vim:set ts=2 sw=2 et:
Added: qemu-ga.service
===================================================================
--- qemu-ga.service (rev 0)
+++ qemu-ga.service 2015-08-18 21:39:12 UTC (rev 243959)
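Review bot: The new `+md5sums=('186ee8194140a484a455f8e3c74589f4'` line keeps pinning a tarball fetched over plain http by MD5 only, which checks integrity against the maintainer's download but says nothing about who produced the release; as far as I know upstream publishes a detached GPG signature next to the tarball, so the package could verify provenance instead. I would change the first source entry to `source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2{,.sig}`, add a `validpgpkeys=()` entry holding the release signer's fingerprint taken from the upstream announcement, and move to `sha256sums` with `'SKIP'` for the signature. Separately, the four CVE patch entries are dropped here presumably because 2.4.0 ships those fixes, but neither the hunk nor the commit message says so; a comment above `source=(` such as `# CVE-2015-3214/3456/5154/5158 are fixed upstream as of 2.4.0` would save the next maintainer from re-checking.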
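Review bot: `install -D qemu-ga.service "${pkgdir}"/usr/lib/systemd/system/qemu-ga.service` in the new package_qemu-guest-agent relies on install's default mode, which is 0755, so a plain unit file ends up executable under /usr/lib/systemd/system. Make both modes explicit: `install -Dm755 qemu-${pkgver}/qemu-ga "${pkgdir}"/usr/bin/qemu-ga` and `install -Dm644 qemu-ga.service "${pkgdir}"/usr/lib/systemd/system/qemu-ga.service`. The hand-written `depends=('glibc' 'gcc-libs' 'glib2')` is plausible but unverified from here; the build() options that decide what qemu-ga links against are outside this hunk, so it is worth checking the binary's linked libraries after a build before relying on that list.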
@@ -0,0 +1,8 @@
+[Unit]
+Description=QEMU Guest Agent
+[Service]
+ExecStart=/usr/bin/qemu-ga
+[Install]
+WantedBy=multi-user.target
Modified: qemu.install
===================================================================
--- qemu.install 2015-08-18 21:17:42 UTC (rev 243958)
+++ qemu.install 2015-08-18 21:39:12 UTC (rev 243959)
@@ -3,9 +3,10 @@
 # create kvm group
 systemd-sysusers qemu.conf
- # retrigger events on modules files when already loaded
- [[ -e /dev/kvm ]] && udevadm trigger /dev/kvm
- [[ -e /dev/vhost-net ]] && udevadm trigger /dev/vhost-net
+ # trigger events on modules files when already loaded
+ for _f in /sys/devices/virtual/misc/{kvm,vhost-net}; do
+ [[ -e "$_f" ]] && udevadm trigger "$_f"
+ done
 }
 # arg 1: the new package version
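Review bot: The unit starts `/usr/bin/qemu-ga` unconditionally from multi-user.target, with no condition that the machine is actually a QEMU guest or that the virtio-serial channel the agent expects is present, so once enabled it will also be launched on bare-metal installs and simply fail there. Adding `ConditionVirtualization=vm` under `[Unit]` keeps it inert outside a VM; if the agent's default channel path is used, binding the unit to that device (`BindsTo=` and `After=` on the corresponding `.device` unit) is the stricter option, though the exact device unit name should be checked against the qemu-ga defaults built here. Since the agent runs as root and lets the host side read and write guest files and issue commands over that channel, a one-line comment in the unit such as `# Runs as root; the hypervisor can read/write guest files and drive the agent through this service` would tell administrators what enabling it grants. I would not add systemd sandboxing directives here, as the agent's filesystem-freeze and file operations presumably need the full root view.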
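Review bot: `[[ -e "$_f" ]] && udevadm trigger "$_f"` is the last command executed in post_install, so when the final path /sys/devices/virtual/misc/vhost-net is absent (vhost_net not loaded is the common case) the loop, and with it the function, returns status 1; if pacman checks the scriptlet's exit status, as I believe it does, the install is then reported as having failed its scriptlet even though nothing went wrong. Make the missing-node case an explicit no-op that exits 0: `if [[ -e "$_f" ]]; then udevadm trigger "$_f"; fi`, or alternatively add `return 0` after `done`. The removed lines had the same shape, so this is carried over rather than new, and post_install's opening line sits above the hunk.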
