Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-qemu-de...@alioth-lists.debian.net

Please unblock package qemu

[ Reason ]
The new qemu release fixes a few security bugs, and fixes one
non-security-related bug which especially affects upgrades from
buster to bullseye, where some virtual machines, notably Windows,
fail badly when migrated from buster qemu to bullseye qemu.
All the changes have been taken from upstream, either already
released in 6.0 or addressed in the qemu stable series.

[ Impact ]
The main issue here is the brokenness of virtual machines when
upgraded from buster to bullseye. This is #990675. In my opinion,
it should definitely be fixed for bullseye, or else we will have
broken systems after the upgrade.

The rest are the security issues fixed by this release.

The debdiff is rather large, but this is mostly because of the
amount of changes, not because of the size of the changes.

[ Tests ]
Most tests have been done by the upstream qemu and its users.
All the changes I used in this release are already included upstream.
I tested at least the ide change (#983575); it does not seem to limit
the regular operation of the emulated device, while it fixes the
corner case which is what this bug is about.
I also tested migration buster=>bullseye, and now with the fix for
#990675, it works as expected.

[ Risks ]
Most of the areas which are touched by this update are rarely used in
practice. In particular, 3 bugs in pvrdma code are about vmware
compatibility, so should not affect most users of qemu. For the 2 USB
changes there should be more active users, but these seem to be easy,
at least they look right to me.
While qemu has become one of the key packages, we should try to keep
it in line with upstream fixes, I think.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock qemu/1:5.2+dfsg-11


diff -Nru qemu-5.2+dfsg/debian/changelog qemu-5.2+dfsg/debian/changelog
--- qemu-5.2+dfsg/debian/changelog      2021-04-16 12:43:36.000000000 +0300
+++ qemu-5.2+dfsg/debian/changelog      2021-07-18 16:14:41.000000000 +0300
@@ -1,3 +1,23 @@
+qemu (1:5.2+dfsg-11) unstable; urgency=medium
+
+  * i386-acpi-restore-device-paths-for-pre-5.1-vms.patch
+    This fixes a serious issue in some VMs (in particuar, Windows & MacOS)
+    when migrating from buster qemu to bullseye qemu.
+    (Closes: #990675)
+  * pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
+    (Closes: #990565, CVE-2021-3582)
+  * pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
+    (Closes: #990564, CVE-2021-3607)
+  * pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
+    (Closes: #990563, CVE-2021-3608)
+  * ide-atapi-check-logical-block-address-and-read-size-CVE-2020-29443.patch
+    (Closes: #983575, CVE-2020-29443)
+  * usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
+    usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
+    (Closes: #988157, CVE-2021-3527)
+
+ -- Michael Tokarev <m...@tls.msk.ru>  Sun, 18 Jul 2021 16:14:41 +0300
+
 qemu (1:5.2+dfsg-10) unstable; urgency=medium
 
   * 5 sdhci fixes from upstream:
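Review bot: the changelog entry for i386-acpi-restore-device-paths-for-pre-5.1-vms.patch misspells "particuar" (should be "particular"); worth fixing before upload, since d/changelog text ends up verbatim in the published .changes file and in apt-listchanges output.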
diff -Nru 
qemu-5.2+dfsg/debian/patches/i386-acpi-restore-device-paths-for-pre-5.1-vms.patch
 
qemu-5.2+dfsg/debian/patches/i386-acpi-restore-device-paths-for-pre-5.1-vms.patch
--- 
qemu-5.2+dfsg/debian/patches/i386-acpi-restore-device-paths-for-pre-5.1-vms.patch
   1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-5.2+dfsg/debian/patches/i386-acpi-restore-device-paths-for-pre-5.1-vms.patch
   2021-07-05 21:47:06.000000000 +0300
@@ -0,0 +1,98 @@
+Commit-Id: 0a343a5add75f9f90c65e932863d57ddbcb28f5c
+From: Vitaly Cheptsov <chept...@ispras.ru>
+Date: Mon, 1 Mar 2021 22:59:18 +0300
+Subject: i386/acpi: restore device paths for pre-5.1 vms
+Bug-Debian: http://bugs.debian.org/990675
+
+After fixing the _UID value for the primary PCI root bridge in
+af1b80ae it was discovered that this change updates Windows
+configuration in an incompatible way causing network configuration
+failure unless DHCP is used. More details provided on the list:
+
+https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg08484.html
+
+This change reverts the _UID update from 1 to 0 for q35 and i440fx
+VMs before version 5.2 to maintain the original behaviour when
+upgrading.
+
+Cc: qemu-sta...@nongnu.org
+Cc: qemu-de...@nongnu.org
+Reported-by: Thomas Lamprecht <t.lampre...@proxmox.com>
+Suggested-by: Michael S. Tsirkin <m...@redhat.com>
+Signed-off-by: Vitaly Cheptsov <chept...@ispras.ru>
+Message-Id: <20210301195919.9333-1-chept...@ispras.ru>
+Tested-by: Thomas Lamprecht <t.lampre...@proxmox.com>
+Reviewed-by: Igor Mammedov <imamm...@redhat.com>
+Reviewed-by: Michael S. Tsirkin <m...@redhat.com>
+Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
+Fixes: af1b80ae56c9 ("i386/acpi: fix inconsistent QEMU/OVMF device paths")
+---
+ hw/i386/acpi-build.c | 4 ++--
+ hw/i386/pc_piix.c    | 2 ++
+ hw/i386/pc_q35.c     | 2 ++
+ include/hw/i386/pc.h | 1 +
+ 4 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/hw/i386/acpi-build.c b/hw/i386/acpi-build.c
+index 31a5f6f4a5..442b4629a9 100644
+--- a/hw/i386/acpi-build.c
++++ b/hw/i386/acpi-build.c
+@@ -1278,5 +1278,5 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
+         aml_append(dev, aml_name_decl("_HID", aml_eisaid("PNP0A03")));
+         aml_append(dev, aml_name_decl("_ADR", aml_int(0)));
+-        aml_append(dev, aml_name_decl("_UID", aml_int(0)));
++        aml_append(dev, aml_name_decl("_UID", aml_int(pcmc->pci_root_uid)));
+         aml_append(sb_scope, dev);
+         aml_append(dsdt, sb_scope);
+@@ -1297,5 +1297,5 @@ build_dsdt(GArray *table_data, BIOSLinker *linker,
+         aml_append(dev, aml_name_decl("_CID", aml_eisaid("PNP0A03")));
+         aml_append(dev, aml_name_decl("_ADR", aml_int(0)));
+-        aml_append(dev, aml_name_decl("_UID", aml_int(0)));
++        aml_append(dev, aml_name_decl("_UID", aml_int(pcmc->pci_root_uid)));
+         aml_append(dev, build_q35_osc_method());
+         aml_append(sb_scope, dev);
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index 2904b40163..46cc951073 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -406,4 +406,5 @@ static void pc_i440fx_machine_options(MachineClass *m)
+     PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
+     pcmc->default_nic_model = "e1000";
++    pcmc->pci_root_uid = 0;
+ 
+     m->family = "pc_piix";
+@@ -449,4 +450,5 @@ static void pc_i440fx_5_1_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_5_1, pc_compat_5_1_len);
+     pcmc->kvmclock_create_always = false;
++    pcmc->pci_root_uid = 1;
+ }
+ 
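Review bot: the override `pcmc->pci_root_uid = 1;` is placed in pc_i440fx_5_1_machine_options, so every machine type older than 5.1 only gets the compat value if its own options function chains into this one (QEMU's versioned machine types normally do, each calling the next-newer version's options); the bug report is about buster-era machine types such as pc-i440fx-3.1, so it is worth confirming that chain reaches 5.1 for them, otherwise they would keep the _UID 0 that broke Windows networking. The same applies to the pc_q35.c hunk below.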
+diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
+index 0a212443aa..53450190f5 100644
+--- a/hw/i386/pc_q35.c
++++ b/hw/i386/pc_q35.c
+@@ -330,4 +330,5 @@ static void pc_q35_machine_options(MachineClass *m)
+     PCMachineClass *pcmc = PC_MACHINE_CLASS(m);
+     pcmc->default_nic_model = "e1000e";
++    pcmc->pci_root_uid = 0;
+ 
+     m->family = "pc_q35";
+@@ -376,4 +377,5 @@ static void pc_q35_5_1_machine_options(MachineClass *m)
+     compat_props_add(m->compat_props, pc_compat_5_1, pc_compat_5_1_len);
+     pcmc->kvmclock_create_always = false;
++    pcmc->pci_root_uid = 1;
+ }
+ 
+diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h
+index c9d194a5e7..d4c3d73c11 100644
+--- a/include/hw/i386/pc.h
++++ b/include/hw/i386/pc.h
+@@ -106,4 +106,5 @@ struct PCMachineClass {
+     unsigned acpi_data_size;
+     bool do_not_add_smb_acpi;
++    int pci_root_uid;
+ 
+     /* SMBIOS compat: */
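Review bot: the new `int pci_root_uid;` member of `struct PCMachineClass` lands without a comment, although it is a compatibility knob whose meaning (ACPI _UID of the PCI root bridge, 0 for current machine types, 1 for 5.1 and older) can only be recovered from the pc_piix.c and pc_q35.c hunks; a one-line comment such as `/* ACPI _UID of the PCI root bridge; 1 on pre-5.2 machine types for compat */` would document it where the field is declared.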
+-- 
+2.30.2
+
diff -Nru 
qemu-5.2+dfsg/debian/patches/ide-atapi-check-logical-block-address-and-read-size-CVE-2020-29443.patch
 
qemu-5.2+dfsg/debian/patches/ide-atapi-check-logical-block-address-and-read-size-CVE-2020-29443.patch
--- 
qemu-5.2+dfsg/debian/patches/ide-atapi-check-logical-block-address-and-read-size-CVE-2020-29443.patch
       1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-5.2+dfsg/debian/patches/ide-atapi-check-logical-block-address-and-read-size-CVE-2020-29443.patch
       2021-07-18 10:40:57.000000000 +0300
@@ -0,0 +1,102 @@
+Commit-Id: b8d7f1bc59276fec85e4d09f1567613a3e14d31e
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Mon, 18 Jan 2021 17:21:30 +0530
+Subject: ide: atapi: check logical block address and read size (CVE-2020-29443)
+Bug-Debian: https://bugs.debian.org/983575
+
+While processing ATAPI cmd_read/cmd_read_cd commands,
+Logical Block Address (LBA) maybe invalid OR closer to the last block,
+leading to an OOB access issues. Add range check to avoid it.
+
+Fixes: CVE-2020-29443
+Reported-by: Wenxiang Qian <leonwxq...@gmail.com>
+Suggested-by: Paolo Bonzini <pbonz...@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonz...@redhat.com>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-Id: <20210118115130.457044-1-ppan...@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
+---
+ hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
+ 1 file changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
+index e79157863f..b626199e3d 100644
+--- a/hw/ide/atapi.c
++++ b/hw/ide/atapi.c
+@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int 
max_size)
+ static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
++    assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->elementary_transfer_size = 0;
+@@ -420,6 +422,8 @@ eot:
+ static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
+                                    int sector_size)
+ {
++    assert(0 <= lba && lba < (s->nb_sectors >> 2));
++
+     s->lba = lba;
+     s->packet_transfer_size = nb_sectors * sector_size;
+     s->io_buffer_size = 0;
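Review bot: the two new `assert(0 <= lba && lba < (s->nb_sectors >> 2))` checks (this hunk and the ide_atapi_cmd_read_pio one above it) turn an out-of-range LBA reaching these helpers into a process abort, so they are only acceptable because every caller validates the range first; the cmd_read/cmd_read_cd hunk below does that, but any other path into ide_atapi_cmd_read_pio/ide_atapi_cmd_read_dma must do the same, otherwise an invalid request becomes a guest-triggerable crash instead of the ILLEGAL_REQUEST sense error the callers return. Note also that `lba` is `int` here while the callers now compute it as `unsigned int`; values above INT_MAX are rejected by the callers' `lba >= total_sectors` test, so the implicit conversion is harmless only as long as that test stays in place.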
+@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState 
*s, uint8_t* buf)
+ 
+ static void cmd_read(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba;
++    unsigned int nb_sectors, lba;
++
++    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
+     if (buf[0] == GPCMD_READ_10) {
+         nb_sectors = lduw_be_p(buf + 7);
+     } else {
+         nb_sectors = ldl_be_p(buf + 6);
+     }
+-
+-    lba = ldl_be_p(buf + 2);
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
++    lba = ldl_be_p(buf + 2);
++    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++        return;
++    }
++
+     ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
+ }
+ 
+ static void cmd_read_cd(IDEState *s, uint8_t* buf)
+ {
+-    int nb_sectors, lba, transfer_request;
++    unsigned int nb_sectors, lba, transfer_request;
+ 
+-    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+-    lba = ldl_be_p(buf + 2);
++    /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
++    uint64_t total_sectors = s->nb_sectors >> 2;
+ 
++    nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
+     if (nb_sectors == 0) {
+         ide_atapi_cmd_ok(s);
+         return;
+     }
+ 
++    lba = ldl_be_p(buf + 2);
++    if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
++        ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
++        return;
++    }
++
+     transfer_request = buf[9] & 0xf8;
+     if (transfer_request == 0x00) {
+         /* nothing */
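Review bot: in both `if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors)` checks, `lba` and `nb_sectors` are `unsigned int`, so `lba + nb_sectors - 1` is evaluated in 32-bit arithmetic and only afterwards widened for the comparison with the `uint64_t` `total_sectors`; with a valid `lba` and an `nb_sectors` close to UINT32_MAX (READ(12) carries a 32-bit count via `ldl_be_p(buf + 6)`, and cmd_read_cd a 24-bit one) the sum wraps back below `total_sectors` and the request passes the check. Suggest doing the addition in 64 bits, e.g. `(uint64_t)lba + nb_sectors > total_sectors`, which also removes the `- 1` (nb_sectors is already known to be non-zero at that point). The same expression appears in both functions, so a small helper would keep the two in sync.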
+-- 
+2.30.2
+
diff -Nru 
qemu-5.2+dfsg/debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
 
qemu-5.2+dfsg/debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
--- 
qemu-5.2+dfsg/debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
   1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-5.2+dfsg/debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
   2021-07-18 10:29:38.000000000 +0300
@@ -0,0 +1,40 @@
+Commit-ID: 32e5703cfea07c91e6e84bcb0313f633bb146534
+From: Marcel Apfelbaum <marcel.apfelb...@gmail.com>
+Date: Wed, 30 Jun 2021 14:46:34 +0300
+Subject: pvrdma: Ensure correct input on ring init (CVE-2021-3607)
+Bug-Debian: https://bugs.debian.org/990564
+
+Check the guest passed a non zero page count
+for pvrdma device ring buffers.
+
+Fixes: CVE-2021-3607
+Reported-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
+Reviewed-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
+Signed-off-by: Marcel Apfelbaum <mar...@redhat.com>
+Message-Id: <20210630114634.2168872-1-mar...@redhat.com>
+Reviewed-by: Yuval Shaia <yuval.shaia...@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia...@gmail.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelb...@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 84ae8024fc..7c0c3551a8 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState 
**ring_state,
+     uint64_t *dir, *tbl;
+     int rc = 0;
+ 
++    if (!num_pages) {
++        rdma_error_report("Ring pages count must be strictly positive");
++        return -EINVAL;
++    }
++
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory (ring %s)", name);
+-- 
+2.30.2
+
diff -Nru 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
--- 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
       1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
       2021-07-18 10:25:40.000000000 +0300
@@ -0,0 +1,43 @@
+Commit-Id: 284f191b4abad213aed04cb0458e1600fd18d7c4
+From: Marcel Apfelbaum <mar...@redhat.com>
+Date: Wed, 16 Jun 2021 14:06:00 +0300
+Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device 
(CVE-2021-3582)
+Bug-Debian: https://bugs.debian.org/990565
+
+Ensure mremap boundaries not trusting the guest kernel to
+pass the correct buffer length.
+
+Fixes: CVE-2021-3582
+Reported-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
+Signed-off-by: Marcel Apfelbaum <mar...@redhat.com>
+Message-Id: <20210616110600.20889-1-marcel.apfelb...@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia...@gmail.com>
+Tested-by: Yuval Shaia <yuval.shaia...@gmail.com>
+Reviewed-by: Prasad J Pandit <p...@fedoraproject.org>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelb...@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index f59879e257..da7ddfa548 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t 
pdir_dma,
+         return NULL;
+     }
+ 
++    length = ROUND_UP(length, TARGET_PAGE_SIZE);
++    if (nchunks * TARGET_PAGE_SIZE != length) {
++        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++                          (unsigned long)length);
++        return NULL;
++    }
++
+     dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {
+         rdma_error_report("Failed to map to page directory");
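Review bot: `nchunks * TARGET_PAGE_SIZE != length` multiplies in the width of `nchunks` (printed with `%u`, so a 32-bit unsigned value) before comparing with the wider `length`, so a chunk count large enough to wrap the product can still satisfy the equality for a small, page-aligned `length`; computing it as `(uint64_t)nchunks * TARGET_PAGE_SIZE`, or comparing `nchunks` against `length / TARGET_PAGE_SIZE` after the `ROUND_UP`, closes that gap. Rounding `length` up before the comparison is fine, but a short comment saying the guest-supplied length is intentionally widened to whole pages would help the next reader.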
+-- 
+2.30.2
+
diff -Nru 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
--- 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
        1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-5.2+dfsg/debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
        2021-07-18 10:31:25.000000000 +0300
@@ -0,0 +1,40 @@
+Commit-Id: 66ae37d8cc313f89272e711174a846a229bcdbd3
+From: Marcel Apfelbaum <marcel.apfelb...@gmail.com>
+Date: Wed, 30 Jun 2021 14:52:46 +0300
+Subject: pvrdma: Fix the ring init error flow (CVE-2021-3608)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/990563
+
+Do not unmap uninitialized dma addresses.
+
+Fixes: CVE-2021-3608
+Reviewed-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
+Tested-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
+Signed-off-by: Marcel Apfelbaum <mar...@redhat.com>
+Message-Id: <20210630115246.2178219-1-mar...@redhat.com>
+Tested-by: Yuval Shaia <yuval.shaia...@gmail.com>
+Reviewed-by: Yuval Shaia <yuval.shaia...@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
+Signed-off-by: Marcel Apfelbaum <marcel.apfelb...@gmail.com>
+---
+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
+index 074ac59b84..42130667a7 100644
+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, 
PCIDevice *dev,
+     qatomic_set(&ring->ring_state->cons_head, 0);
+     */
+     ring->npages = npages;
+-    ring->pages = g_malloc(npages * sizeof(void *));
++    ring->pages = g_malloc0(npages * sizeof(void *));
+ 
+     for (i = 0; i < npages; i++) {
+         if (!tbl[i]) {
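Review bot: switching to `g_malloc0` makes the fix depend on the error path treating a NULL `ring->pages[i]` as "never mapped"; that unmap loop is outside this hunk, so confirm it skips NULL entries, as that is the only thing that makes zero-initialisation sufficient. A comment on the allocation line saying why the zeroing matters would keep a later cleanup from reverting it to `g_malloc`.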
+-- 
+2.30.2
+
diff -Nru qemu-5.2+dfsg/debian/patches/series 
qemu-5.2+dfsg/debian/patches/series
--- qemu-5.2+dfsg/debian/patches/series 2021-04-16 12:43:36.000000000 +0300
+++ qemu-5.2+dfsg/debian/patches/series 2021-07-18 16:08:32.000000000 +0300
@@ -11,6 +11,7 @@
 slof-ensure-ld-is-called-with-C-locale.patch
 spelling.diff
 pc-bios-descriptors-fix-paths-in-json-files.patch
+i386-acpi-restore-device-paths-for-pre-5.1-vms.patch
 memory-clamp-cached-translation-if-points-to-MMIO-region-CVE-2020-27821.patch
 configure-replace-enable-disable-git-update-with-wit.patch
 arm_gic-fix-interrupt-ID-in-GICD_SGIR-CVE-2021-20221.patch
@@ -39,3 +40,9 @@
 sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch
 
sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch
 mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch
+pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
+pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
+pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
+ide-atapi-check-logical-block-address-and-read-size-CVE-2020-29443.patch
+usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
+usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
diff -Nru 
qemu-5.2+dfsg/debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
 
qemu-5.2+dfsg/debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
--- 
qemu-5.2+dfsg/debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
        1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-5.2+dfsg/debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
        2021-07-18 16:06:34.000000000 +0300
@@ -0,0 +1,37 @@
+Commit-Id: 05a40b172e4d691371534828078be47e7fff524c
+From: Gerd Hoffmann <kra...@redhat.com>
+Date: Mon, 3 May 2021 15:29:15 +0200
+Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527)
+Bug-Debian: https://bugs.debian.org/988157
+
+usb-host and usb-redirect try to batch bulk transfers by combining many
+small usb packets into a single, large transfer request, to reduce the
+overhead and improve performance.
+
+This patch adds a size limit of 1 MiB for those combined packets to
+restrict the host resources the guest can bind that way.
+
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+Message-Id: <20210503132915.2335822-6-kra...@redhat.com>
+---
+ hw/usb/combined-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
+index 5d57e883dc..e56802f89a 100644
+--- a/hw/usb/combined-packet.c
++++ b/hw/usb/combined-packet.c
+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
++                (totalsize == (16 * KiB - 36) && p->int_req) ||
++                /* Next package may grow combined package over 1MiB */
++                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {
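Review bot: style, the new comment reads "Next package may grow combined package over 1MiB" while the code and the rest of the file talk about packets; suggest "Next packet may grow the combined packet over 1 MiB". On the condition itself, `totalsize > 1 * MiB - ep->max_packet_size` leaves headroom for exactly one max_packet_size packet, but the earlier `(p->iov.size % ep->max_packet_size) != 0` test still admits packets that are larger multiples of max_packet_size, so the limit bounds growth per step rather than enforcing a hard 1 MiB cap; if a hard cap is intended, the check should account for `next->iov.size`.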
+-- 
+2.30.2
+
diff -Nru 
qemu-5.2+dfsg/debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
 
qemu-5.2+dfsg/debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
--- 
qemu-5.2+dfsg/debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
   1970-01-01 03:00:00.000000000 +0300
+++ 
qemu-5.2+dfsg/debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
   2021-07-18 16:09:30.000000000 +0300
@@ -0,0 +1,54 @@
+Commit-Id: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
+From: Gerd Hoffmann <kra...@redhat.com>
+Date: Mon, 3 May 2021 15:29:12 +0200
+Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Bug-Debian: https://bugs.debian.org/988157
+
+Use autofree heap allocation instead.
+
+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
+Reviewed-by: Philippe Mathieu-Daudé <phi...@redhat.com>
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <phi...@redhat.com>
+Message-Id: <20210503132915.2335822-3-kra...@redhat.com>
+---
+ hw/usb/redirect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index 17f06f3417..6a75b0dc4a 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, 
USBPacket *p,
+                 .endpoint = ep,
+                 .length = p->iov.size
+             };
+-            uint8_t buf[p->iov.size];
++            g_autofree uint8_t *buf = g_malloc(p->iov.size);
+             /* No id, we look at the ep when receiving a status back */
+             usb_packet_copy(p, buf, p->iov.size);
+             usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, 
USBPacket *p,
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+                                         &bulk_packet, NULL, 0);
+     } else {
+-        uint8_t buf[size];
++        g_autofree uint8_t *buf = g_malloc(size);
+         usb_packet_copy(p, buf, size);
+         usbredir_log_data(dev, "bulk data out:", buf, size);
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -923,7 +923,7 @@ static void 
usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
+                                                USBPacket *p, uint8_t ep)
+ {
+     struct usb_redir_interrupt_packet_header interrupt_packet;
+-    uint8_t buf[p->iov.size];
++    g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ 
+     DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+             p->iov.size, p->id);
+-- 
+2.30.2
+