Hello community,

here is the log from the commit of package qemu for openSUSE:Factory checked in 
at 2023-02-28 12:47:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/qemu (Old)
 and      /work/SRC/openSUSE:Factory/.qemu.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "qemu"

Tue Feb 28 12:47:49 2023 rev:247 rq:1067613 version:7.1.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/qemu/qemu.changes        2023-02-14 
20:07:53.952191483 +0100
+++ /work/SRC/openSUSE:Factory/.qemu.new.31432/qemu.changes     2023-02-28 
12:48:06.988275535 +0100
@@ -1,0 +2,26 @@
+Fri Feb 24 12:12:42 UTC 2023 - Dario Faggioli <dfaggi...@suse.com>
+
+- Fix build issue with Linux 6.2's headers (bsc#1208657) by dropping
+  linux-user-add-more-compat-ioctl-definit.patch and adding
+  Revert-linux-user-fix-compat-with-glibc-.patch
+- Patches meson-enforce-a-minimum-Linux-kernel-hea.patch and
+  linux-user-drop-conditionals-for-obsolet.patch were added
+  as downstream patches as they were part of a series, but
+  they never made it upstream, so we don't want them here
+  either
+* Patches dropped:
+  linux-user-add-more-compat-ioctl-definit.patch
+  linux-user-drop-conditionals-for-obsolet.patch
+  meson-enforce-a-minimum-Linux-kernel-hea.patch
+* Patches added:
+  Revert-linux-user-fix-compat-with-glibc-.patch
+
+-------------------------------------------------------------------
+Thu Feb 23 11:09:14 UTC 2023 - Dario Faggioli <dfaggi...@suse.com>
+
+- Fixes bsc#1197653, CVE-2022-1050
+* Patches added:
+  block-Handle-curl-7.55.0-7.85.0-version-.patch
+  hw-pvrdma-Protect-against-buggy-or-malic.patch
+
+-------------------------------------------------------------------
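Review bot: In the Feb 23 entry, block-Handle-curl-7.55.0-7.85.0-version-.patch is listed under "Fixes bsc#1197653, CVE-2022-1050", but only hw-pvrdma-Protect-against-buggy-or-malic.patch carries that CVE and bug reference; the curl patch resolves an upstream API deprecation issue. Give the curl patch its own bullet so the changelog does not present it as part of the security fix.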

Old:
----
  linux-user-add-more-compat-ioctl-definit.patch
  linux-user-drop-conditionals-for-obsolet.patch
  meson-enforce-a-minimum-Linux-kernel-hea.patch

New:
----
  Revert-linux-user-fix-compat-with-glibc-.patch
  block-Handle-curl-7.55.0-7.85.0-version-.patch
  hw-pvrdma-Protect-against-buggy-or-malic.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ qemu.spec ++++++
--- /var/tmp/diff_new_pack.oTkLX6/_old  2023-02-28 12:48:09.160289646 +0100
+++ /var/tmp/diff_new_pack.oTkLX6/_new  2023-02-28 12:48:09.164289671 +0100
@@ -192,56 +192,56 @@
 Patch00026:     meson-remove-pkgversion-from-CONFIG_STAM.patch
 Patch00027:     linux-user-use-max-as-default-CPU-model-.patch
 Patch00028:     net-tulip-Restrict-DMA-engine-to-memorie.patch
-Patch00029:     linux-user-add-more-compat-ioctl-definit.patch
-Patch00030:     linux-user-remove-conditionals-for-many-.patch
-Patch00031:     meson-enforce-a-minimum-Linux-kernel-hea.patch
-Patch00032:     linux-user-drop-conditionals-for-obsolet.patch
-Patch00033:     block-io_uring-revert-Use-io_uring_regis.patch
-Patch00034:     hw-smbios-support-for-type-8-port-connec.patch
-Patch00035:     hw-smbios-add-core_count2-to-smbios-tabl.patch
-Patch00036:     openSUSE-pc-q35-Bump-max_cpus-to-1024.patch
-Patch00037:     bios-tables-test-teach-test-to-use-smbio.patch
-Patch00038:     tests-acpi-allow-changes-for-core_count2.patch
-Patch00039:     bios-tables-test-add-test-for-number-of-.patch
-Patch00040:     tests-acpi-update-tables-for-new-core-co.patch
-Patch00041:     configure-Add-Wno-gnu-variable-sized-typ.patch
-Patch00042:     Update-linux-headers-to-v6.0-rc4.patch
-Patch00043:     s390x-pci-add-routine-to-get-host-functi.patch
-Patch00044:     s390x-pci-enable-for-load-store-interpre.patch
-Patch00045:     s390x-pci-don-t-fence-interpreted-device.patch
-Patch00046:     s390x-pci-enable-adapter-event-notificat.patch
-Patch00047:     s390x-pci-let-intercept-devices-have-sep.patch
-Patch00048:     s390x-pci-reflect-proper-maxstbl-for-gro.patch
-Patch00049:     module-removed-unused-function-argument-.patch
-Patch00050:     module-rename-module_load_one-to-module_.patch
-Patch00051:     module-add-Error-arguments-to-module_loa.patch
-Patch00052:     dmg-warn-when-opening-dmg-images-contain.patch
-Patch00053:     accel-abort-if-we-fail-to-load-the-accel.patch
-Patch00054:     s390x-tod-kvm-don-t-save-restore-the-TOD.patch
-Patch00055:     hw-display-qxl-Have-qxl_log_command-Retu.patch
-Patch00056:     hw-display-qxl-Document-qxl_phys2virt.patch
-Patch00057:     hw-display-qxl-Pass-requested-buffer-siz.patch
-Patch00058:     hw-display-qxl-Avoid-buffer-overrun-in-q.patch
-Patch00059:     ui-vnc-clipboard-fix-integer-underflow-i.patch
-Patch00060:     hw-acpi-erst.c-Fix-memory-handling-issue.patch
-Patch00061:     dump-Replace-opaque-DumpState-pointer-wi.patch
-Patch00062:     dump-Rename-write_elf_loads-to-write_elf.patch
-Patch00063:     dump-Refactor-dump_iterate-and-introduce.patch
-Patch00064:     dump-Rework-get_start_block.patch
-Patch00065:     dump-Rework-filter-area-variables.patch
-Patch00066:     dump-Rework-dump_calculate_size-function.patch
-Patch00067:     dump-Split-elf-header-functions-into-pre.patch
-Patch00068:     dump-Rename-write_elf-_phdr_note-to-prep.patch
-Patch00069:     dump-Use-a-buffer-for-ELF-section-data-a.patch
-Patch00070:     dump-Write-ELF-section-headers-right-aft.patch
-Patch00071:     dump-Reorder-struct-DumpState.patch
-Patch00072:     dump-Reintroduce-memory_offset-and-secti.patch
-Patch00073:     dump-Add-architecture-section-and-sectio.patch
-Patch00074:     s390x-Add-protected-dump-cap.patch
-Patch00075:     s390x-Introduce-PV-query-interface.patch
-Patch00076:     include-elf.h-add-s390x-note-types.patch
-Patch00077:     s390x-Add-KVM-PV-dump-interface.patch
-Patch00078:     s390x-pv-Add-dump-support.patch
+Patch00029:     linux-user-remove-conditionals-for-many-.patch
+Patch00030:     block-io_uring-revert-Use-io_uring_regis.patch
+Patch00031:     hw-smbios-support-for-type-8-port-connec.patch
+Patch00032:     hw-smbios-add-core_count2-to-smbios-tabl.patch
+Patch00033:     openSUSE-pc-q35-Bump-max_cpus-to-1024.patch
+Patch00034:     bios-tables-test-teach-test-to-use-smbio.patch
+Patch00035:     tests-acpi-allow-changes-for-core_count2.patch
+Patch00036:     bios-tables-test-add-test-for-number-of-.patch
+Patch00037:     tests-acpi-update-tables-for-new-core-co.patch
+Patch00038:     configure-Add-Wno-gnu-variable-sized-typ.patch
+Patch00039:     Update-linux-headers-to-v6.0-rc4.patch
+Patch00040:     s390x-pci-add-routine-to-get-host-functi.patch
+Patch00041:     s390x-pci-enable-for-load-store-interpre.patch
+Patch00042:     s390x-pci-don-t-fence-interpreted-device.patch
+Patch00043:     s390x-pci-enable-adapter-event-notificat.patch
+Patch00044:     s390x-pci-let-intercept-devices-have-sep.patch
+Patch00045:     s390x-pci-reflect-proper-maxstbl-for-gro.patch
+Patch00046:     module-removed-unused-function-argument-.patch
+Patch00047:     module-rename-module_load_one-to-module_.patch
+Patch00048:     module-add-Error-arguments-to-module_loa.patch
+Patch00049:     dmg-warn-when-opening-dmg-images-contain.patch
+Patch00050:     accel-abort-if-we-fail-to-load-the-accel.patch
+Patch00051:     s390x-tod-kvm-don-t-save-restore-the-TOD.patch
+Patch00052:     hw-display-qxl-Have-qxl_log_command-Retu.patch
+Patch00053:     hw-display-qxl-Document-qxl_phys2virt.patch
+Patch00054:     hw-display-qxl-Pass-requested-buffer-siz.patch
+Patch00055:     hw-display-qxl-Avoid-buffer-overrun-in-q.patch
+Patch00056:     ui-vnc-clipboard-fix-integer-underflow-i.patch
+Patch00057:     hw-acpi-erst.c-Fix-memory-handling-issue.patch
+Patch00058:     dump-Replace-opaque-DumpState-pointer-wi.patch
+Patch00059:     dump-Rename-write_elf_loads-to-write_elf.patch
+Patch00060:     dump-Refactor-dump_iterate-and-introduce.patch
+Patch00061:     dump-Rework-get_start_block.patch
+Patch00062:     dump-Rework-filter-area-variables.patch
+Patch00063:     dump-Rework-dump_calculate_size-function.patch
+Patch00064:     dump-Split-elf-header-functions-into-pre.patch
+Patch00065:     dump-Rename-write_elf-_phdr_note-to-prep.patch
+Patch00066:     dump-Use-a-buffer-for-ELF-section-data-a.patch
+Patch00067:     dump-Write-ELF-section-headers-right-aft.patch
+Patch00068:     dump-Reorder-struct-DumpState.patch
+Patch00069:     dump-Reintroduce-memory_offset-and-secti.patch
+Patch00070:     dump-Add-architecture-section-and-sectio.patch
+Patch00071:     s390x-Add-protected-dump-cap.patch
+Patch00072:     s390x-Introduce-PV-query-interface.patch
+Patch00073:     include-elf.h-add-s390x-note-types.patch
+Patch00074:     s390x-Add-KVM-PV-dump-interface.patch
+Patch00075:     s390x-pv-Add-dump-support.patch
+Patch00076:     block-Handle-curl-7.55.0-7.85.0-version-.patch
+Patch00077:     hw-pvrdma-Protect-against-buggy-or-malic.patch
+Patch00078:     Revert-linux-user-fix-compat-with-glibc-.patch
 # Patches applied in roms/seabios/:
 Patch01000:     openSUSE-switch-to-python3-as-needed.patch
 Patch01001:     openSUSE-build-enable-cross-compilation-.patch





++++++ Revert-linux-user-fix-compat-with-glibc-.patch ++++++
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berra...@redhat.com>
Date: Tue, 10 Jan 2023 12:49:01 -0500
Subject: Revert "linux-user: fix compat with glibc >= 2.36 sys/mount.h"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 3cd3df2a9584e6f753bb62a0028bd67124ab5532.

glibc has fixed (in 2.36.9000-40-g774058d729) the problem
that caused a clash when both sys/mount.h and linux/mount.h
are included, and backported this to the 2.36 stable release
too:

  https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E

It is saner for QEMU to remove the workaround it applied for
glibc 2.36 and expect distros to ship the 2.36 maint release
with the fix. This avoids needing to add a further workaround
to QEMU to deal with the fact that linux/brtfs.h now also pulls
in linux/mount.h via linux/fs.h since Linux 6.1

Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
Message-Id: <20230110174901.2580297-3-berra...@redhat.com>
Signed-off-by: Laurent Vivier <laur...@vivier.eu>
(cherry picked from commit 6003159ce18faad4e1bc7bf9c85669019cd4950e)
Resolves: bsc#1208657
Signed-off-by: Dario Faggioli <dfaggi...@suse.com>
---
 linux-user/syscall.c | 18 ------------------
 meson.build          |  2 --
 2 files changed, 20 deletions(-)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 9d92e56e3996dc2174a4af9d0491..3deb9ca31483d2e54ba3e299284d 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -95,25 +95,7 @@
 #include <linux/soundcard.h>
 #include <linux/kd.h>
 #include <linux/mtio.h>
-
-#ifdef HAVE_SYS_MOUNT_FSCONFIG
-/*
- * glibc >= 2.36 linux/mount.h conflicts with sys/mount.h,
- * which in turn prevents use of linux/fs.h. So we have to
- * define the constants ourselves for now.
- */
-#define FS_IOC_GETFLAGS                _IOR('f', 1, long)
-#define FS_IOC_SETFLAGS                _IOW('f', 2, long)
-#define FS_IOC_GETVERSION              _IOR('v', 1, long)
-#define FS_IOC_SETVERSION              _IOW('v', 2, long)
-#define FS_IOC_FIEMAP                  _IOWR('f', 11, struct fiemap)
-#define FS_IOC32_GETFLAGS              _IOR('f', 1, int)
-#define FS_IOC32_SETFLAGS              _IOW('f', 2, int)
-#define FS_IOC32_GETVERSION            _IOR('v', 1, int)
-#define FS_IOC32_SETVERSION            _IOW('v', 2, int)
-#else
 #include <linux/fs.h>
-#endif
 #include <linux/fd.h>
 #if defined(CONFIG_FIEMAP)
 #include <linux/fiemap.h>
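Review bot: With the `#ifdef HAVE_SYS_MOUNT_FSCONFIG` fallback removed, `#include <linux/fs.h>` is unconditional and the build now depends on the glibc 2.36 fix the commit message refers to, with nothing left to detect a glibc that lacks it. Consider recording the minimum glibc in the packaging, or adding a configure-time check that fails with a clear message, so an unfixed toolchain does not surface as a header clash deep in syscall.c.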
diff --git a/meson.build b/meson.build
index ef7f024fde3f7ed66d54db0dfa13..2af12f7e487e191de26200f70624 100644
--- a/meson.build
+++ b/meson.build
@@ -1962,8 +1962,6 @@ config_host_data.set('HAVE_OPTRESET',
                      cc.has_header_symbol('getopt.h', 'optreset'))
 config_host_data.set('HAVE_IPPROTO_MPTCP',
                      cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
-config_host_data.set('HAVE_SYS_MOUNT_FSCONFIG',
-                     cc.has_header_symbol('sys/mount.h', 'FSCONFIG_SET_FLAG'))
 
 # has_member
 config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',

++++++ block-Handle-curl-7.55.0-7.85.0-version-.patch ++++++
From: Anton Johansson <a...@rev.ng>
Date: Mon, 23 Jan 2023 21:14:31 +0100
Subject: block: Handle curl 7.55.0, 7.85.0 version changes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* 7.55.0 deprecates CURLINFO_CONTENT_LENGTH_DOWNLOAD in favour of a *_T
  version, which returns curl_off_t instead of a double.
* 7.85.0 deprecates CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS in
  favour of *_STR variants, specifying the desired protocols via a
  string.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1440
Signed-off-by: Anton Johansson <a...@rev.ng>
Message-Id: <20230123201431.23118-1-a...@rev.ng>
Reviewed-by: Philippe Mathieu-Daudé <phi...@linaro.org>
Reviewed-by: Kevin Wolf <kw...@redhat.com>
Signed-off-by: Kevin Wolf <kw...@redhat.com>
(cherry picked from commit e7b8d9d038f313c2b9e601609e7d7c3ca6ad0234)
Signed-off-by: Dario Faggioli <dfaggi...@suse.com>
---
 block/curl.c | 44 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 37 insertions(+), 7 deletions(-)

diff --git a/block/curl.c b/block/curl.c
index 1e0f609579794fb542d281373b3e..16fe02c2c286a4824edead5de449 100644
--- a/block/curl.c
+++ b/block/curl.c
@@ -37,8 +37,15 @@
 
 // #define DEBUG_VERBOSE
 
+/* CURL 7.85.0 switches to a string based API for specifying
+ * the desired protocols.
+ */
+#if LIBCURL_VERSION_NUM >= 0x075500
+#define PROTOCOLS "HTTP,HTTPS,FTP,FTPS"
+#else
 #define PROTOCOLS (CURLPROTO_HTTP | CURLPROTO_HTTPS | \
                    CURLPROTO_FTP | CURLPROTO_FTPS)
+#endif
 
 #define CURL_NUM_STATES 8
 #define CURL_NUM_ACB    8
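Review bot: The guard `#if LIBCURL_VERSION_NUM >= 0x075500` is correct for 7.85.0 (0x55 is 85), but it reads like 7.55.0, the other version this patch handles and guards with 0x073700 further down. A short comment giving the decimal version next to each hex constant would keep a later edit from swapping the two.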
@@ -509,9 +516,18 @@ static int curl_init_state(BDRVCURLState *s, CURLState 
*state)
          * obscure protocols.  For example, do not allow POP3/SMTP/IMAP see
          * CVE-2013-0249.
          *
-         * Restricting protocols is only supported from 7.19.4 upwards.
+         * Restricting protocols is only supported from 7.19.4 upwards. Note:
+         * version 7.85.0 deprecates CURLOPT_*PROTOCOLS in favour of a string
+         * based CURLOPT_*PROTOCOLS_STR API.
          */
-#if LIBCURL_VERSION_NUM >= 0x071304
+#if LIBCURL_VERSION_NUM >= 0x075500
+        if (curl_easy_setopt(state->curl,
+                             CURLOPT_PROTOCOLS_STR, PROTOCOLS) ||
+            curl_easy_setopt(state->curl,
+                             CURLOPT_REDIR_PROTOCOLS_STR, PROTOCOLS)) {
+            goto err;
+        }
+#elif LIBCURL_VERSION_NUM >= 0x071304
         if (curl_easy_setopt(state->curl, CURLOPT_PROTOCOLS, PROTOCOLS) ||
             curl_easy_setopt(state->curl, CURLOPT_REDIR_PROTOCOLS, PROTOCOLS)) 
{
             goto err;
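Review bot: `PROTOCOLS` is now a string or a bitmask depending on an `#if` near the top of the file, and this `#if`/`#elif` has to use exactly the same 0x075500 threshold for the value passed to `curl_easy_setopt` to match the option it is passed with. Separate macro names, one used only with `CURLOPT_PROTOCOLS_STR` and one only with `CURLOPT_PROTOCOLS`, would rule out a mismatch; that is worth doing because this allow-list is the restriction the surrounding comment ties to CVE-2013-0249.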
@@ -669,7 +685,12 @@ static int curl_open(BlockDriverState *bs, QDict *options, 
int flags,
     const char *file;
     const char *cookie;
     const char *cookie_secret;
-    double d;
+    /* CURL >= 7.55.0 uses curl_off_t for content length instead of a double */
+#if LIBCURL_VERSION_NUM >= 0x073700
+    curl_off_t cl;
+#else
+    double cl;
+#endif
     const char *secretid;
     const char *protocol_delimiter;
     int ret;
@@ -796,27 +817,36 @@ static int curl_open(BlockDriverState *bs, QDict 
*options, int flags,
     }
     if (curl_easy_perform(state->curl))
         goto out;
-    if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &d)) {
+    /* CURL 7.55.0 deprecates CURLINFO_CONTENT_LENGTH_DOWNLOAD in favour of
+     * the *_T version which returns a more sensible type for content length.
+     */
+#if LIBCURL_VERSION_NUM >= 0x073700
+    if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T, 
&cl)) {
+        goto out;
+    }
+#else
+    if (curl_easy_getinfo(state->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &cl)) 
{
         goto out;
     }
+#endif
     /* Prior CURL 7.19.4 return value of 0 could mean that the file size is not
      * know or the size is zero. From 7.19.4 CURL returns -1 if size is not
      * known and zero if it is really zero-length file. */
 #if LIBCURL_VERSION_NUM >= 0x071304
-    if (d < 0) {
+    if (cl < 0) {
         pstrcpy(state->errmsg, CURL_ERROR_SIZE,
                 "Server didn't report file size.");
         goto out;
     }
 #else
-    if (d <= 0) {
+    if (cl <= 0) {
         pstrcpy(state->errmsg, CURL_ERROR_SIZE,
                 "Unknown file size or zero-length file.");
         goto out;
     }
 #endif
 
-    s->len = d;
+    s->len = cl;
 
     if ((!strncasecmp(s->url, "http://";, strlen("http://";))
         || !strncasecmp(s->url, "https://";, strlen("https://";)))
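Review bot: Both branches of the new `#if LIBCURL_VERSION_NUM >= 0x073700` block take `goto out` when `curl_easy_getinfo` fails without copying anything into `state->errmsg`, while the size checks directly below set a message before bailing out. Consider setting a message on the getinfo failure path as well, so a failed open reports why.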

++++++ block-io_uring-revert-Use-io_uring_regis.patch ++++++
--- /var/tmp/diff_new_pack.oTkLX6/_old  2023-02-28 12:48:09.400291205 +0100
+++ /var/tmp/diff_new_pack.oTkLX6/_new  2023-02-28 12:48:09.404291230 +0100
@@ -66,10 +66,10 @@
  
  void luring_cleanup(LuringState *s)
 diff --git a/meson.build b/meson.build
-index 6641e86c0107906bb07d6b35d54a..265fea0648a8b651306deae60c0f 100644
+index 41f693a822a7ec58085bb53a8518..ef7f024fde3f7ed66d54db0dfa13 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1805,7 +1805,6 @@ config_host_data.set('CONFIG_LIBNFS', libnfs.found())
+@@ -1793,7 +1793,6 @@ config_host_data.set('CONFIG_LIBNFS', libnfs.found())
  config_host_data.set('CONFIG_LIBSSH', libssh.found())
  config_host_data.set('CONFIG_LINUX_AIO', libaio.found())
  config_host_data.set('CONFIG_LINUX_IO_URING', linux_io_uring.found())

++++++ bundles.tar.xz ++++++
Binary files old/621da7789083b80d6f1ff1c0fb499334007b4f51.bundle and 
new/621da7789083b80d6f1ff1c0fb499334007b4f51.bundle differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/repo new/repo
--- old/repo    2022-09-20 19:50:47.000000000 +0200
+++ new/repo    2023-01-27 12:17:20.000000000 +0100
@@ -1 +1 @@
-https://github.com/openSUSE/qemu.git
+g...@github.com:openSUSE/qemu.git
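Review bot: The `+` line replaces an anonymous `https://` URL with an SSH-style remote (`g...@github.com:openSUSE/qemu.git`), which looks like a developer's push remote recorded in the bundle metadata. Anyone rebuilding from `repo` without an authorised key cannot fetch from it, so keep the https form here.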
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/ipxe/repo new/roms/ipxe/repo
--- old/roms/ipxe/repo  2022-09-20 19:50:47.000000000 +0200
+++ new/roms/ipxe/repo  2023-01-27 12:17:20.000000000 +0100
@@ -1 +1 @@
-https://github.com/openSUSE/qemu-ipxe.git
+https://git.qemu.org/git/ipxe.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/opensbi/repo new/roms/opensbi/repo
--- old/roms/opensbi/repo       2022-09-20 19:50:47.000000000 +0200
+++ new/roms/opensbi/repo       2023-01-27 12:17:20.000000000 +0100
@@ -1 +1 @@
-https://github.com/openSUSE/qemu-opensbi.git
+https://git.qemu.org/git/opensbi.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/qboot/repo new/roms/qboot/repo
--- old/roms/qboot/repo 2022-09-20 19:50:47.000000000 +0200
+++ new/roms/qboot/repo 2023-01-27 12:17:20.000000000 +0100
@@ -1 +1 @@
-https://github.com/openSUSE/qemu-qboot.git
+https://github.com/bonzini/qboot
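Review bot: `roms/qboot/repo` moves from the openSUSE fork to `https://github.com/bonzini/qboot`, a namespace outside openSUSE, git.qemu.org and qemu-project, unlike the other ROM sources changed in this set. Confirm this is the intended upstream for qboot and say so in the changelog, since none of these source URL changes are mentioned in qemu.changes.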
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/seabios/repo new/roms/seabios/repo
--- old/roms/seabios/repo       2022-09-20 19:50:47.000000000 +0200
+++ new/roms/seabios/repo       2023-01-27 12:17:20.000000000 +0100
@@ -1 +1 @@
-https://github.com/openSUSE/qemu-seabios.git
+https://git.qemu.org/git/seabios.git/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/sgabios/repo new/roms/sgabios/repo
--- old/roms/sgabios/repo       2022-09-20 19:50:47.000000000 +0200
+++ new/roms/sgabios/repo       2023-01-27 12:17:20.000000000 +0100
@@ -1 +1 @@
-https://github.com/openSUSE/qemu-sgabios.git
+https://git.qemu.org/git/sgabios.git
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/roms/skiboot/repo new/roms/skiboot/repo
--- old/roms/skiboot/repo       2022-09-20 19:50:47.000000000 +0200
+++ new/roms/skiboot/repo       2023-01-27 12:17:20.000000000 +0100
@@ -1 +1 @@
-https://github.com/openSUSE/qemu-skiboot.git
+https://gitlab.com/qemu-project/skiboot.git

++++++ hw-pvrdma-Protect-against-buggy-or-malic.patch ++++++
From: Yuval Shaia <yuval.shaia...@gmail.com>
Date: Sun, 3 Apr 2022 12:52:34 +0300
Subject: hw/pvrdma: Protect against buggy or malicious guest driver

Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect against such a case.

Fixes: CVE-2022-1050

Reported-by: Raven <wxhu...@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia...@gmail.com>
Message-Id: <20220403095234.2210-1-yuval.shaia...@gmail.com>
Signed-off-by: Laurent Vivier <laur...@vivier.eu>
(cherry picked from commit 31c4b6fb0293e359f9ef8a61892667e76eea4c99)
Resolves: bsc#1197653
Signed-off-by: Dario Faggioli <dfaggi...@suse.com>
---
 hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548ffb349dd3d695a6766..89db963c4683909242f3a7c68c03 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
 
     dsr_info = &dev->dsr_info;
 
+    if (!dsr_info->dsr) {
+            /* Buggy or malicious guest driver */
+            rdma_error_report("Exec command without dsr, req or rsp buffers");
+            goto out;
+    }
+
     if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                       sizeof(struct cmd_handler)) {
         rdma_error_report("Unsupported command");
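Review bot: The new guard tests only `dsr_info->dsr`, yet its message names "dsr, req or rsp buffers" and the very next statement dereferences `dsr_info->req->hdr.cmd`. Either check `dsr_info->req` and `dsr_info->rsp` as well, or add a comment stating that they are always set and cleared together with `dsr`. The body of the new `if` is also indented by 12 spaces where the neighbouring block uses 8.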

++++++ linux-user-remove-conditionals-for-many-.patch ++++++
--- /var/tmp/diff_new_pack.oTkLX6/_old  2023-02-28 12:48:09.648292815 +0100
+++ /var/tmp/diff_new_pack.oTkLX6/_new  2023-02-28 12:48:09.652292842 +0100
@@ -5,9 +5,6 @@
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
-Git-commit: 0000000000000000000000000000000000000000
-Refereces: bsc#1204001
-
 These ioctls have been defined in linux/fs.h for a long time
 
   * BLKGETSIZE64 - <2.6.12 (linux.git epoch)
@@ -27,7 +24,9 @@
 in syscall.c anyway thanks to the previous patch. Thus we can
 assume they always exist and remove the conditional checks.
 
-Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berra...@redhat.com
+(cherry picked from commit ed98cdecf8dabce137f693641777503112d884b3)
+Resolves: bsc#1204001
 Signed-off-by: Dario Faggioli <dfaggi...@suse.com>
 ---
  linux-user/ioctls.h | 24 ------------------------
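Review bot: The replacement trailer `Signed-off-by: Daniel P. Berrangé <berra...@redhat.com` has lost the closing `>` that the removed line had. Restore it so tools that parse trailers still see a well-formed address.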
