Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2021-07-29 21:30:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.1899 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Thu Jul 29 21:30:53 2021 rev:208 rq:908026 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu.changes 2021-07-05 22:22:44.913829392 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new.1899/qemu.changes 2021-07-29 21:31:05.304835758 +0200 @@ -1,0 +2,19 @@ +Fri Jul 23 19:43:33 UTC 2021 - Jos?? Ricardo Ziviani <[email protected]> + +- Disabled skiboot building for PowerPC due to the following issue: + https://github.com/open-power/skiboot/issues/265 + +------------------------------------------------------------------- +Fri Jul 23 19:22:24 UTC 2021 - Jos?? Ricardo Ziviani <[email protected]> + +- Fix possible mremap overflow in the pvrdma + (CVE-2021-3582, bsc#1187499) + hw-rdma-Fix-possible-mremap-overflow-in-.patch +- Ensure correct input on ring init + (CVE-2021-3607, bsc#1187539) + pvrdma-Ensure-correct-input-on-ring-init.patch +- Fix the ring init error flow + (CVE-2021-3608, bsc#1187538) + pvrdma-Fix-the-ring-init-error-flow-CVE-.patch + +------------------------------------------------------------------- New: ---- hw-rdma-Fix-possible-mremap-overflow-in-.patch pvrdma-Ensure-correct-input-on-ring-init.patch pvrdma-Fix-the-ring-init-error-flow-CVE-.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.fLlwGm/_old 2021-07-29 21:31:07.760832734 +0200 +++ /var/tmp/diff_new_pack.fLlwGm/_new 2021-07-29 21:31:07.764832729 +0200 @@ -44,12 +44,12 @@ %endif %ifarch ppc64 -%define build_skiboot_from_source 1 +%define build_skiboot_from_source 0 %define build_slof_from_source 1 %endif %ifarch ppc64le -%define build_skiboot_from_source 1 +%define build_skiboot_from_source 0 %define build_slof_from_source 1 %endif @@ -220,6 +220,9 @@ Patch00085: hw-block-nvme-align-with-existing-style.patch Patch00086: hw-nvme-fix-missing-check-for-PMR-capabi.patch Patch00087: hw-nvme-fix-pin-based-interrupt-behavior.patch +Patch00088: hw-rdma-Fix-possible-mremap-overflow-in-.patch +Patch00089: pvrdma-Ensure-correct-input-on-ring-init.patch +Patch00090: pvrdma-Fix-the-ring-init-error-flow-CVE-.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch @@ -1153,6 +1156,9 @@ %patch00085 -p1 %patch00086 -p1 %patch00087 -p1 +%patch00088 -p1 +%patch00089 -p1 +%patch00090 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 ++++++ bundles.tar.xz ++++++ Binary files old/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle and new/609d7596524ab204ccd71ef42c9eee4c7c338ea4.bundle differ ++++++ hw-rdma-Fix-possible-mremap-overflow-in-.patch ++++++ From: Marcel Apfelbaum <[email protected]> Date: Wed, 16 Jun 2021 14:06:00 +0300 Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Git-commit: 284f191b4abad213aed04cb0458e1600fd18d7c4 References: CVE-2021-3582 bsc#1187499 Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) <[email protected]> Tested-by: VictorV (Kunlun Lab) <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> Message-Id: <[email protected]> Reviewed-by: Yuval Shaia <[email protected]> Tested-by: Yuval Shaia <[email protected]> Reviewed-by: Prasad J Pandit <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index f59879e2574ea5569b098bb338e6..da7ddfa548ffb349dd3d695a6766 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, return NULL; } + length = ROUND_UP(length, TARGET_PAGE_SIZE); + if (nchunks * TARGET_PAGE_SIZE != length) { + rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, + (unsigned long)length); + return NULL; + } + dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); if (!dir) { rdma_error_report("Failed to map to page directory"); ++++++ pvrdma-Ensure-correct-input-on-ring-init.patch ++++++ From: Marcel Apfelbaum <[email protected]> Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: pvrdma: Ensure correct input on ring init (CVE-2021-3607) Git-commit: 32e5703cfea07c91e6e84bcb0313f633bb146534 References: CVE-2021-3607 bsc#1187539 Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) <[email protected]> Reviewed-by: VictorV (Kunlun Lab) <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> Message-Id: <[email protected]> Reviewed-by: Yuval Shaia <[email protected]> Tested-by: Yuval Shaia <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/rdma/vmw/pvrdma_main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index 84ae8024fcfd86c535aeacc7198a..7c0c3551a8a4952397e1202cfc9f 100644 --- a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, uint64_t *dir, *tbl; int rc = 0; + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); if (!dir) { rdma_error_report("Failed to map to page directory (ring %s)", name); ++++++ pvrdma-Fix-the-ring-init-error-flow-CVE-.patch ++++++ From: Marcel Apfelbaum <[email protected]> Date: Wed, 30 Jun 2021 14:52:46 +0300 Subject: pvrdma: Fix the ring init error flow (CVE-2021-3608) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 66ae37d8cc313f89272e711174a846a229bcdbd3 References: CVE-2021-3608 bsc#1187538 Do not unmap uninitialized dma addresses. Fixes: CVE-2021-3608 Reviewed-by: VictorV (Kunlun Lab) <[email protected]> Tested-by: VictorV (Kunlun Lab) <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> Message-Id: <[email protected]> Tested-by: Yuval Shaia <[email protected]> Reviewed-by: Yuval Shaia <[email protected]> Reviewed-by: Philippe Mathieu-Daud?? <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> Signed-off-by: Jose R. Ziviani <[email protected]> --- hw/rdma/vmw/pvrdma_dev_ring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c index 074ac59b84db3ab6bb092cb28fea..42130667a7d41bb2500f3ae5119c 100644 --- a/hw/rdma/vmw/pvrdma_dev_ring.c +++ b/hw/rdma/vmw/pvrdma_dev_ring.c @@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev, qatomic_set(&ring->ring_state->cons_head, 0); */ ring->npages = npages; - ring->pages = g_malloc(npages * sizeof(void *)); + ring->pages = g_malloc0(npages * sizeof(void *)); for (i = 0; i < npages; i++) { if (!tbl[i]) { ++++++ qemu.spec.in ++++++ --- /var/tmp/diff_new_pack.fLlwGm/_old 2021-07-29 21:31:08.356832000 +0200 +++ /var/tmp/diff_new_pack.fLlwGm/_new 2021-07-29 21:31:08.356832000 +0200 @@ -44,12 +44,12 @@ %endif %ifarch ppc64 -%define build_skiboot_from_source 1 +%define build_skiboot_from_source 0 %define build_slof_from_source 1 %endif %ifarch ppc64le -%define build_skiboot_from_source 1 +%define build_skiboot_from_source 0 %define build_slof_from_source 1 %endif
