Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2019-02-04 21:25:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Mon Feb 4 21:25:04 2019 rev:150 rq:670650 version:3.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu-linux-user.changes 2019-01-11 14:04:12.031877850 +0100 +++ /work/SRC/openSUSE:Factory/.qemu.new.28833/qemu-linux-user.changes 2019-02-04 21:25:08.527599451 +0100 @@ -1,0 +2,29 @@ +Wed Jan 30 15:54:31 UTC 2019 - Liang Yan <[email protected]> + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0057-s390x-Return-specification-exceptio.patch + +------------------------------------------------------------------- +Fri Jan 25 19:21:00 UTC 2019 - Bruce Rogers <[email protected]> + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0056-slirp-check-data-length-while-emula.patch + +------------------------------------------------------------------- +Thu Jan 17 21:58:04 UTC 2019 - Bruce Rogers <[email protected]> + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch + +------------------------------------------------------------------- +Tue Jan 15 13:58:26 UTC 2019 - Liang Yan <[email protected]> + +- Fix pwrite64/pread64 to return 0 over -1 for a + zero length NULL buffer in qemu (bsc#1121600) + 0054-linux-user-make-pwrite64-pread64-fd.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/qemu/qemu-testsuite.changes 2019-01-11 14:04:12.079877802 +0100 +++ /work/SRC/openSUSE:Factory/.qemu.new.28833/qemu-testsuite.changes 2019-02-04 21:25:08.595599434 +0100 
@@ -1,0 +2,50 @@ +Fri Feb 1 23:34:52 UTC 2019 - Bruce Rogers <[email protected]> + +- Increase memory needed to build qemu-testsuite for ppc* arch's + in _constraints file + +------------------------------------------------------------------- +Wed Jan 30 15:54:30 UTC 2019 - Liang Yan <[email protected]> + +- Return specification exception for unimplemented diag 308 subcodes + rather than a hardware error (bsc#1123179) +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0057-s390x-Return-specification-exceptio.patch + +------------------------------------------------------------------- +Fri Jan 25 19:20:59 UTC 2019 - Bruce Rogers <[email protected]> + +- Fix OOB issue in slirp (CVE-2019-6778 bsc#1123156) + 0056-slirp-check-data-length-while-emula.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +- Fix ipxe GCC 9 incompatibilities (bsc#1121464) + ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch + ipxe-build-Disable-gcc-address-of-packed-member-warning.patch + +------------------------------------------------------------------- +Thu Jan 17 21:58:02 UTC 2019 - Bruce Rogers <[email protected]> + +- Tweak Xen interface to be compatible with upcoming v4.12 Xen + 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 + +------------------------------------------------------------------- +Tue Jan 15 13:58:25 UTC 2019 - Liang Yan <[email protected]> + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-3.1 +* Patches added: + 0054-linux-user-make-pwrite64-pread64-fd.patch + (bsc#1121600) + +------------------------------------------------------------------- +Mon Jan 14 16:15:37 UTC 2019 - Bruce Rogers <[email protected]> + +- Clarify that move to include v3.1.0 in qemu package corresponds + with fate#327089, which of course builds on v3.0.0 mentioned + previously, and that among other patches which this change 
+ obsoletes (because functionality is included in base version) I + will mention one pointed out by reviewers: + 0094-s390x-cpumodels-add-z14-Model-ZR1.patch + +------------------------------------------------------------------- qemu.changes: same change New: ---- 0054-linux-user-make-pwrite64-pread64-fd.patch 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch 0056-slirp-check-data-length-while-emula.patch 0057-s390x-Return-specification-exceptio.patch ipxe-build-Disable-gcc-address-of-packed-member-warning.patch ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu-linux-user.spec ++++++ --- /var/tmp/diff_new_pack.w6QWZ1/_old 2019-02-04 21:25:10.211599031 +0100 +++ /var/tmp/diff_new_pack.w6QWZ1/_new 2019-02-04 21:25:10.215599030 +0100 @@ -85,6 +85,10 @@ Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch +Patch0054: 0054-linux-user-make-pwrite64-pread64-fd.patch +Patch0055: 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch +Patch0056: 0056-slirp-check-data-length-while-emula.patch +Patch0057: 0057-s390x-Return-specification-exceptio.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. ExcludeArch: s390 @@ -169,6 +173,10 @@ %patch0051 -p1 %patch0052 -p1 %patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 %build ./configure \ ++++++ qemu-testsuite.spec ++++++ --- /var/tmp/diff_new_pack.w6QWZ1/_old 2019-02-04 21:25:10.231599026 +0100 +++ /var/tmp/diff_new_pack.w6QWZ1/_new 2019-02-04 21:25:10.231599026 +0100 
@@ -190,6 +190,10 @@ Patch0051: 0051-pvrdma-check-return-value-from-pvrd.patch Patch0052: 0052-pvrdma-release-ring-object-in-case-.patch Patch0053: 0053-block-Fix-hangs-in-synchronous-APIs.patch +Patch0054: 0054-linux-user-make-pwrite64-pread64-fd.patch +Patch0055: 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch +Patch0056: 0056-slirp-check-data-length-while-emula.patch +Patch0057: 0057-s390x-Return-specification-exceptio.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -202,6 +206,8 @@ Patch1201: ipxe-use-gcc6-for-more-compact-code.patch Patch1202: ipxe-efi-guard-strncpy-with-gcc-warning-ignore-pragma.patch Patch1203: ipxe-fix-build.patch +Patch1204: ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch +Patch1205: ipxe-build-Disable-gcc-address-of-packed-member-warning.patch # sgabios - path: roms/sgabios (patch range 1300-1399) Patch1300: sgabios-stable-buildid.patch @@ -971,6 +977,10 @@ %patch0051 -p1 %patch0052 -p1 %patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 pushd roms/seabios %patch1100 -p1 @@ -986,6 +996,8 @@ %endif %patch1202 -p1 %patch1203 -p1 +%patch1204 -p1 +%patch1205 -p1 popd pushd roms/sgabios qemu.spec: same change ++++++ 0047-pvrdma-release-device-resources-in-.patch ++++++ --- /var/tmp/diff_new_pack.w6QWZ1/_old 2019-02-04 21:25:10.331599001 +0100 +++ /var/tmp/diff_new_pack.w6QWZ1/_new 2019-02-04 21:25:10.331599001 +0100 @@ -12,7 +12,7 @@ Reviewed-by: Yuval Shaia <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> (cherry picked from commit cce648613bc802be1b894227f7fd94d88476ea07) -[BR: BSC#1119437] +[BR: BSC#1119437 CVE-2018-20123] Signed-off-by: Bruce Rogers <[email protected]> --- hw/rdma/vmw/pvrdma_main.c | 3 ++- ++++++ 0048-rdma-check-num_sge-does-not-exceed-.patch ++++++ --- /var/tmp/diff_new_pack.w6QWZ1/_old 2019-02-04 21:25:10.335599000 +0100 +++ /var/tmp/diff_new_pack.w6QWZ1/_new 2019-02-04 21:25:10.339599000 +0100 
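Review bot: the 0047 header hunk adds CVE-2018-20123 to the `[BR: BSC#1119437]` tag, but none of the changelog entries shown on this page record that 0047 (and 0048) were re-annotated with their CVE ids; the .changes diffs only list the four new 005x patches and the two ipxe patches, so a one-line changelog entry noting the CVE annotation of the existing pvrdma patches would keep the package history complete.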
@@ -12,7 +12,8 @@ Reviewed-by: Yuval Shaia <[email protected]> Signed-off-by: Marcel Apfelbaum <[email protected]> (cherry picked from commit 0e68373cc2b3a063ce067bc0cc3edaf370752890) -[BR: BSC#1119840, modified complete_work() calls to be comp_handler()] +[BR: BSC#1119840 CVE-2018-20124, modified complete_work() calls to be +comp_handler()] Signed-off-by: Bruce Rogers <[email protected]> --- hw/rdma/rdma_backend.c | 8 ++++---- ++++++ 0054-linux-user-make-pwrite64-pread64-fd.patch ++++++ From: Peter Maydell <[email protected]> Date: Tue, 8 Jan 2019 18:49:00 +0000 Subject: linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Linux returns success if pwrite64() or pread64() are called with a zero length NULL buffer, but QEMU was returning -TARGET_EFAULT. This is the same bug that we fixed in commit 58cfa6c2e6eb51b23cc9 for the write syscall, and long before that in 38d840e6790c29f59 for the read syscall. Fixes: https://bugs.launchpad.net/qemu/+bug/1810433 Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Laurent Vivier <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Message-Id: <[email protected]> Signed-off-by: Laurent Vivier <[email protected]> (cherry picked from commit 2bd3f8998e1e7dcd9afc29fab252fb9936f9e956) [LY: BSC#1121600] Signed-off-by: Liang Yan <[email protected]> --- linux-user/syscall.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/linux-user/syscall.c b/linux-user/syscall.c index d978c67d6b..4d3b98c6f7 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c 
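Review bot: the 0048 header hunk changes the tag to `[BR: BSC#1119840 CVE-2018-20124, modified complete_work() calls to be` / `comp_handler()]` and wraps it onto two lines; the wrap itself is harmless, but as with the other pvrdma patch this CVE annotation is not mentioned anywhere in the .changes diffs on this page, so add a changelog line recording that 0047 and 0048 now carry CVE-2018-20123 and CVE-2018-20124.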
@@ -9723,8 +9723,15 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1, arg4 = arg5; arg5 = arg6; } - if (!(p = lock_user(VERIFY_WRITE, arg2, arg3, 0))) - return -TARGET_EFAULT; + if (arg2 == 0 && arg3 == 0) { + /* Special-case NULL buffer and zero length, which should succeed */ + p = 0; + } else { + p = lock_user(VERIFY_WRITE, arg2, arg3, 0); + if (!p) { + return -TARGET_EFAULT; + } + } ret = get_errno(pread64(arg1, p, arg3, target_offset64(arg4, arg5))); unlock_user(p, arg2, ret); return ret; @@ -9733,8 +9740,15 @@ static abi_long do_syscall1(void *cpu_env, int num, abi_ulong arg1, arg4 = arg5; arg5 = arg6; } - if (!(p = lock_user(VERIFY_READ, arg2, arg3, 1))) - return -TARGET_EFAULT; + if (arg2 == 0 && arg3 == 0) { + /* Special-case NULL buffer and zero length, which should succeed */ + p = 0; + } else { + p = lock_user(VERIFY_READ, arg2, arg3, 1); + if (!p) { + return -TARGET_EFAULT; + } + } ret = get_errno(pwrite64(arg1, p, arg3, target_offset64(arg4, arg5))); unlock_user(p, arg2, 0); return ret; ++++++ 0055-xen-Add-xen-v4.12-based-xc_domain_c.patch ++++++ From: Bruce Rogers <[email protected]> Date: Thu, 17 Jan 2019 14:40:10 -0700 Subject: xen: Add xen v4.12 based xc_domain_create call In xen v4.12, the xc_domain_create call parameters changed. Signed-off-by: Bruce Rogers <[email protected]> --- include/hw/xen/xen_common.h | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/include/hw/xen/xen_common.h b/include/hw/xen/xen_common.h index 93f631e5bf..42b088ae90 100644 --- a/include/hw/xen/xen_common.h +++ b/include/hw/xen/xen_common.h 
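Review bot: in the pread64 hunk the new special case fires only when both `arg2 == 0` and `arg3 == 0`, so a non-NULL guest buffer with a zero length still goes through `lock_user(VERIFY_WRITE, arg2, arg3, 0)`; if that path is also meant to succeed, the condition should be `arg3 == 0` alone, otherwise a comment stating that only the NULL/0 pair is special would make the intent explicit. The unchanged `unlock_user(p, arg2, ret)` that follows now also runs with `p == 0`, which the hunk relies on being a harmless no-op.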
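Review bot: the pwrite64 hunk repeats the pread64 special-case block verbatim, differing only in `VERIFY_READ` and the copy flag passed to `lock_user`; a small static helper (hypothetical name, e.g. `lock_user_or_null(int type, abi_ulong addr, abi_ulong len, int copy)`) would keep the two paths from drifting apart. The one real asymmetry with the pread64 hunk, `unlock_user(p, arg2, 0)` here versus `unlock_user(p, arg2, ret)` there, is pre-existing and intentional (nothing is copied back to the guest after a write), but since the two blocks otherwise look identical it is worth a comment.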
@@ -674,7 +674,15 @@ static inline int xen_domain_create(xc_interface *xc, uint32_t ssidref, xen_domain_handle_t handle, uint32_t flags, uint32_t *pdomid) { +#if CONFIG_XEN_CTRL_INTERFACE_VERSION < 41200 return xc_domain_create(xc, ssidref, handle, flags, pdomid, NULL); +#else + struct xen_domctl_createdomain create; + create.ssidref = ssidref; + memcpy(&(create.handle), handle, sizeof(xen_domain_handle_t)); + create.flags = flags; + return xc_domain_create(xc, pdomid, &create); +#endif } #endif #endif ++++++ 0056-slirp-check-data-length-while-emula.patch ++++++ From: Prasad J Pandit <[email protected]> Date: Sun, 13 Jan 2019 23:29:48 +0530 Subject: slirp: check data length while emulating ident function While emulating identification protocol, tcp_emu() does not check available space in the 'sc_rcv->sb_data' buffer. It could lead to heap buffer overflow issue. Add check to avoid it. Reported-by: Kira <[email protected]> Signed-off-by: Prasad J Pandit <[email protected]> Signed-off-by: Samuel Thibault <[email protected]> (cherry picked from commit a7104eda7dab99d0cdbd3595c211864cba415905) [BR: BSC#1123156 CVE-2019-6778, modify patch to use spaces instead of tabs] Signed-off-by: Bruce Rogers <[email protected]> --- slirp/tcp_subr.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c index fa61349cbb..7a23ce738c 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -635,6 +635,10 @@ tcp_emu(struct socket *so, struct mbuf *m) socklen_t addrlen = sizeof(struct sockaddr_in); struct sbuf *so_rcv = &so->so_rcv; + if (m->m_len > so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)) { + return 1; + } + memcpy(so_rcv->sb_wptr, m->m_data, m->m_len); so_rcv->sb_wptr += m->m_len; so_rcv->sb_rptr += m->m_len; ++++++ 0057-s390x-Return-specification-exceptio.patch ++++++ 
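Review bot: in the xen_common.h hunk `struct xen_domctl_createdomain create;` is declared on the stack and only `ssidref`, `handle` and `flags` are assigned before the address is handed to `xc_domain_create(xc, pdomid, &create)`; every other member of the struct reaches the toolstack with whatever was on the stack. Zero it first, e.g. `struct xen_domctl_createdomain create = { };` or `memset(&create, 0, sizeof(create));`, so the fields this wrapper does not set are deterministic.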
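Review bot: the tcp_subr.c hunk returns 1 and silently discards the mbuf when `m->m_len` exceeds the space left between `so_rcv->sb_wptr` and the end of `sb_data`; a comment saying what that return value means to the caller, and that dropping the data is the intended fallback, would help, since the condition mixes a length, a pointer difference and `sb_datalen` in one expression and a reader cannot tell from the hunk which unit each is in. Computing the free space into a named local such as `remaining` before the comparison would make the bound easier to audit.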
From: Janosch Frank <[email protected]> Date: Fri, 11 Jan 2019 12:36:57 +0100 Subject: s390x: Return specification exception for unimplemented diag 308 subcodes The architecture specifies specification exceptions for all unavailable subcodes. The presence of subcodes is indicated by checking some query subcode. For example 6 will indicate that 3-6 are available. So future systems might call new subcodes to check for new features. This should not trigger a hw error, instead we return the architectured specification exception. Signed-off-by: Janosch Frank <[email protected]> Cc: [email protected] Message-Id: <[email protected]> Reviewed-by: Christian Borntraeger <[email protected]> Reviewed-by: David Hildenbrand <[email protected]> Signed-off-by: Cornelia Huck <[email protected]> (cherry picked from commit 37dbd1f4d4805edcd18d94eb202bb3461b3cd52d) [LY: BSC#1123179] Signed-off-by: Liang Yan <[email protected]> --- target/s390x/diag.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/target/s390x/diag.c b/target/s390x/diag.c index acb0f3d4af..aafa740f61 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -130,7 +130,7 @@ out: } return; default: - hw_error("Unhandled diag308 subcode %" PRIx64, subcode); + s390_program_interrupt(env, PGM_SPECIFICATION, ILEN_AUTO, ra); break; } } ++++++ _constraints ++++++ --- /var/tmp/diff_new_pack.w6QWZ1/_old 2019-02-04 21:25:10.423598978 +0100 +++ /var/tmp/diff_new_pack.w6QWZ1/_new 2019-02-04 21:25:10.423598978 +0100 @@ -38,7 +38,7 @@ </conditions> <hardware> <memory> - <size unit="M">3600</size> + <size unit="M">4000</size> </memory> </hardware> </overwrite> ++++++ ipxe-build-Disable-gcc-address-of-packed-member-warning.patch ++++++ >From 0ee72a15887b838d967c3b05070d5ad86f0d729a Mon Sep 17 00:00:00 2001 
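Review bot: the diag.c hunk replaces `hw_error(...)` with `s390_program_interrupt(env, PGM_SPECIFICATION, ILEN_AUTO, ra)` and keeps the `break;` after it, so on return from the helper the function simply falls out of the switch; a one-line comment in the `default:` arm that unknown subcodes are architected to raise a specification exception (the reasoning currently lives only in the commit message) would stop a future cleanup from reintroducing the abort. The visible context (`out:`, `return;`) suggests `env` and `ra` are in scope, but the hunk does not show their definitions, so confirm they are the enclosing function's parameters.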
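Review bot: the _constraints hunk raises the build memory from 3600 M to 4000 M inside an `<overwrite>` whose `<conditions>` element closes just above the change but whose contents are outside the hunk context; the changelog says the increase is for ppc* only, so confirm this is the ppc-scoped overwrite and not the global default.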
From: Bruce Rogers <[email protected]> Date: Fri, 25 Jan 2019 10:29:16 -0700 Subject: [PATCH] [build] Disable gcc address of packed member warning GCC 9.0 introduces a new warning for using pointers to packed structure and union members. ipxe code is replete with this usage, partly because the architectures it is designed for handle unaligned accesses. Therefore this warning is not very helpful and since the default build considers warnings to be errors, needs to be disabled. [BR: BSC#1121464] Signed-off-by: Bruce Rogers <[email protected]> --- src/Makefile.housekeeping | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/Makefile.housekeeping b/src/Makefile.housekeeping index f8334921..e7f1ece0 100644 --- a/src/Makefile.housekeeping +++ b/src/Makefile.housekeeping @@ -646,6 +646,17 @@ $(BIN)/.certificate.der.% : $(BIN)/.cert CERT_ALL := $(foreach i,$(call seq,1,$(CERT_COUNT)),\ CERT ( $(i), \"$(word $(i),$(CERT_DERS))\" )) + +# GCC 9.0 introduces a new warning for using pointers to packed +# structure and union members. ipxe code is replete with this usage, +# partly because the architectures it is designed for handle unaligned +# accesses. Therefore this warning is not very helpful and since the +# default build considers warnings to be errors, needs to be disabled. +# +WNAOPM_TEST = $(CC) -Waddress-of-packed-member -x c -c /dev/null -o /dev/null \ + >/dev/null 2>&1 +WNAOPM_FLAGS := $(shell $(WNAOPM_TEST) && $(ECHO) '-Wno-address-of-packed-member') +WORKAROUND_CFLAGS += $(WNAOPM_FLAGS) endif certstore_DEPS += $(CERT_LIST) $(CERT_FILES) $(CERT_PEMS) $(CERT_DERS) -- 2.20.1 ++++++ ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch ++++++ >From 1280c1f65b73d6d0c4833e39a3bb8194bd03f906 Mon Sep 17 00:00:00 2001 
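Review bot: the Makefile.housekeeping hunk inserts the `WNAOPM_TEST`/`WNAOPM_FLAGS` probe and the `WORKAROUND_CFLAGS += $(WNAOPM_FLAGS)` line immediately before an `endif` whose matching conditional is outside the hunk, and the preceding context (`CERT_ALL :=`) is certificate handling; the workaround is therefore only evaluated when that conditional is active, not on every build. If the intent is to silence the warning unconditionally, move the block next to the file's other compiler-flag probes. The added comment also repeats the commit message word for word; a shorter note naming GCC 9 and `-Wno-address-of-packed-member` is enough.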
From: Bruce Rogers <[email protected]> Date: Fri, 25 Jan 2019 09:37:44 -0700 Subject: [PATCH] [efi] Simplify diagnostic for NULL handle MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Compiling with GCC 9 now warns as follows: interface/efi/efi_debug.c:334:3: error: ‘%s’ directive argument is null [-Werror=format-overflow=] 334 | printf ( "HANDLE %s could not retrieve protocols\n", | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 335 | efi_handle_name ( handle ) ); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors Simplify this diagnostic by simply indicating a <NULL> has been passed as a handle. [BR: BSC#1121464] Signed-off-by: Bruce Rogers <[email protected]> --- src/interface/efi/efi_debug.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/interface/efi/efi_debug.c b/src/interface/efi/efi_debug.c index 8ea0a822..19fba767 100644 --- a/src/interface/efi/efi_debug.c +++ b/src/interface/efi/efi_debug.c @@ -331,8 +331,7 @@ void dbg_efi_protocols ( EFI_HANDLE handle ) { /* Sanity check */ if ( ! handle ) { - printf ( "HANDLE %s could not retrieve protocols\n", - efi_handle_name ( handle ) ); + printf ( "HANDLE <NULL> could not retrieve protocols\n" ); return; } -- 2.20.1 ++++++ qemu.spec.in ++++++ --- /var/tmp/diff_new_pack.w6QWZ1/_old 2019-02-04 21:25:10.551598946 +0100 +++ /var/tmp/diff_new_pack.w6QWZ1/_new 2019-02-04 21:25:10.551598946 +0100 @@ -147,6 +147,8 @@ Patch1201: ipxe-use-gcc6-for-more-compact-code.patch Patch1202: ipxe-efi-guard-strncpy-with-gcc-warning-ignore-pragma.patch Patch1203: ipxe-fix-build.patch +Patch1204: ipxe-efi-Simplify-diagnostic-for-NULL-handle.patch +Patch1205: ipxe-build-Disable-gcc-address-of-packed-member-warning.patch # sgabios - path: roms/sgabios (patch range 1300-1399) Patch1300: sgabios-stable-buildid.patch @@ -879,6 +881,8 @@ %endif %patch1202 -p1 %patch1203 -p1 +%patch1204 -p1 +%patch1205 -p1 popd pushd roms/sgabios
