[arch-commits] Commit in qemu/trunk (7 files)

Sébastien Luttringer seblu at archlinux.org
Tue Aug 18 21:39:13 UTC 2015


    Date: Tuesday, August 18, 2015 @ 23:39:12
  Author: seblu
Revision: 243959

upgpkg: qemu 2.4.0-1

- fix FS#45922
- implement FS#45950
- remove example file in /etc; directory removed by upstream.

Added:
  qemu/trunk/qemu-ga.service
Modified:
  qemu/trunk/PKGBUILD
  qemu/trunk/qemu.install
Deleted:
  qemu/trunk/CVE-2015-3214.patch
  qemu/trunk/CVE-2015-3456.patch
  qemu/trunk/CVE-2015-5154.patch
  qemu/trunk/CVE-2015-5158.patch

---------------------+
 CVE-2015-3214.patch |   40 -----------
 CVE-2015-3456.patch |   84 ------------------------
 CVE-2015-5154.patch |  175 --------------------------------------------------
 CVE-2015-5158.patch |   46 -------------
 PKGBUILD            |   31 ++++----
 qemu-ga.service     |    8 ++
 qemu.install        |    7 +-
 7 files changed, 29 insertions(+), 362 deletions(-)

Deleted: CVE-2015-3214.patch
===================================================================
--- CVE-2015-3214.patch	2015-08-18 21:17:42 UTC (rev 243958)
+++ CVE-2015-3214.patch	2015-08-18 21:39:12 UTC (rev 243959)
@@ -1,40 +0,0 @@
-From 7d08e1fae6150a3c0867dba6f75cf00946b3163c Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse at redhat.com>
-Date: Tue, 2 Jun 2015 14:32:06 +0200
-Subject: [PATCH] i8254: fix out-of-bounds memory access in pit_ioport_read()
-
-Due converting PIO to the new memory read/write api we no longer provide
-separate I/O region lenghts for read and write operations. As a result,
-reading from PIT Mode/Command register will end with accessing
-pit->channels with invalid index.
-
-Fix this by ignoring read from the Mode/Command register.
-
-This is CVE-2015-3214.
-
-Signed-off-by: Petr Matousek <pmatouse at redhat.com>
-Reported-by: Matt Tait <matttait at google.com>
----
- hw/timer/i8254.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
-index 3450c98..9b65a33 100644
---- a/hw/timer/i8254.c
-+++ b/hw/timer/i8254.c
-@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
-     PITChannelState *s;
- 
-     addr &= 3;
-+
-+    if (addr == 3) {
-+        /* Mode/Command register is write only, read is ignored */
-+        return 0;
-+    }
-+
-     s = &pit->channels[addr];
-     if (s->status_latched) {
-         s->status_latched = 0;
--- 
-2.1.0
-

Deleted: CVE-2015-3456.patch
===================================================================
--- CVE-2015-3456.patch	2015-08-18 21:17:42 UTC (rev 243958)
+++ CVE-2015-3456.patch	2015-08-18 21:39:12 UTC (rev 243959)
@@ -1,84 +0,0 @@
-From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse at redhat.com>
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek <pmatouse at redhat.com>
-Reviewed-by: John Snow <jsnow at redhat.com>
-Signed-off-by: John Snow <jsnow at redhat.com>
----
- hw/block/fdc.c |   17 +++++++++++------
- 1 files changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
-     FDrive *cur_drv;
-     uint32_t retval = 0;
--    int pos;
-+    uint32_t pos;
- 
-     cur_drv = get_cur_drv(fdctrl);
-     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-         return 0;
-     }
-     pos = fdctrl->data_pos;
-+    pos %= FD_SECTOR_LEN;
-     if (fdctrl->msr & FD_MSR_NONDMA) {
--        pos %= FD_SECTOR_LEN;
-         if (pos == 0) {
-             if (fdctrl->data_pos != 0)
-                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
-     FDrive *cur_drv = get_cur_drv(fdctrl);
-+    uint32_t pos;
- 
--    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+    pos = fdctrl->data_pos - 1;
-+    pos %= FD_SECTOR_LEN;
-+    if (fdctrl->fifo[pos] & 0x80) {
-         /* Command parameters done */
--        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+        if (fdctrl->fifo[pos] & 0x40) {
-             fdctrl->fifo[0] = fdctrl->fifo[1];
-             fdctrl->fifo[2] = 0;
-             fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
-     FDrive *cur_drv;
--    int pos;
-+    uint32_t pos;
- 
-     /* Reset mode */
-     if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-     }
- 
-     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
--    fdctrl->fifo[fdctrl->data_pos++] = value;
-+    pos = fdctrl->data_pos++;
-+    pos %= FD_SECTOR_LEN;
-+    fdctrl->fifo[pos] = value;
-     if (fdctrl->data_pos == fdctrl->data_len) {
-         /* We now have all parameters
-          * and will be able to treat the command
--- 
-1.7.0.4
-

Deleted: CVE-2015-5154.patch
===================================================================
--- CVE-2015-5154.patch	2015-08-18 21:17:42 UTC (rev 243958)
+++ CVE-2015-5154.patch	2015-08-18 21:39:12 UTC (rev 243959)
@@ -1,175 +0,0 @@
-From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf at redhat.com>
-Date: Wed, 3 Jun 2015 14:13:31 +0200
-Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
- (CVE-2015-5154)
-
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Kevin Wolf <kwolf at redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 122e955..44fcc23 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 2 > s->data_end) {
-+        return;
-+    }
-+
-     *(uint16_t *)p = le16_to_cpu(val);
-     p += 2;
-     s->data_ptr = p;
-@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 2 > s->data_end) {
-+        return 0;
-+    }
-+
-     ret = cpu_to_le16(*(uint16_t *)p);
-     p += 2;
-     s->data_ptr = p;
-@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 4 > s->data_end) {
-+        return;
-+    }
-+
-     *(uint32_t *)p = le32_to_cpu(val);
-     p += 4;
-     s->data_ptr = p;
-@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 4 > s->data_end) {
-+        return 0;
-+    }
-+
-     ret = cpu_to_le32(*(uint32_t *)p);
-     p += 4;
-     s->data_ptr = p;
--- 
-1.8.3.1
-From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf at redhat.com>
-Date: Wed, 3 Jun 2015 14:17:46 +0200
-Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
-
-The command must be completed on all code paths. START STOP UNIT with
-pwrcnd set should succeed without doing anything.
-
-Signed-off-by: Kevin Wolf <kwolf at redhat.com>
----
- hw/ide/atapi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 950e311..79dd167 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
-
-     if (pwrcnd) {
-         /* eject/load only happens for power condition == 0 */
-+        ide_atapi_cmd_ok(s);
-         return;
-     }
-
---
-1.8.3.1
-
-From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf at redhat.com>
-Date: Wed, 3 Jun 2015 14:41:27 +0200
-Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
-
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-
-Signed-off-by: Kevin Wolf <kwolf at redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 44fcc23..50449ca 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
-     *(uint16_t *)p = le16_to_cpu(val);
-     p += 2;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
- }
-
- uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
-     ret = cpu_to_le16(*(uint16_t *)p);
-     p += 2;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
-     return ret;
- }
-
-@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
-     *(uint32_t *)p = le32_to_cpu(val);
-     p += 4;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
- }
-
- uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
-     ret = cpu_to_le32(*(uint32_t *)p);
-     p += 4;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
-     return ret;
- }
-
---
-1.8.3.1
-

Deleted: CVE-2015-5158.patch
===================================================================
--- CVE-2015-5158.patch	2015-08-18 21:17:42 UTC (rev 243958)
+++ CVE-2015-5158.patch	2015-08-18 21:39:12 UTC (rev 243959)
@@ -1,46 +0,0 @@
-From c170aad8b057223b1139d72e5ce7acceafab4fa9 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini at redhat.com>
-Date: Tue, 21 Jul 2015 08:59:39 +0200
-Subject: [PATCH] scsi: fix buffer overflow in scsi_req_parse_cdb
- (CVE-2015-5158)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a guest-triggerable buffer overflow present in QEMU 2.2.0
-and newer.  scsi_cdb_length returns -1 as an error value, but the
-caller does not check it.
-
-Luckily, the massive overflow means that QEMU will just SIGSEGV,
-making the impact much smaller.
-
-Reported-by: Zhu Donghai (朱东海) <donghai.zdh at alibaba-inc.com>
-Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
-Reviewed-by: Fam Zheng <famz at redhat.com>
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
- hw/scsi/scsi-bus.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index f50b2f0..f0ae462 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
- int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
- {
-     int rc;
-+    int len;
- 
-     cmd->lba = -1;
--    cmd->len = scsi_cdb_length(buf);
-+    len = scsi_cdb_length(buf);
-+    if (len < 0) {
-+        return -1;
-+    }
- 
-+    cmd->len = len;
-     switch (dev->type) {
-     case TYPE_TAPE:
-         rc = scsi_req_stream_xfer(cmd, dev, buf);

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2015-08-18 21:17:42 UTC (rev 243958)
+++ PKGBUILD	2015-08-18 21:39:12 UTC (rev 243959)
@@ -7,9 +7,10 @@
          'qemu-block-iscsi'
          'qemu-block-rbd'
          'qemu-block-gluster'
+         'qemu-guest-agent'
          'libcacard')
-pkgver=2.3.0
-pkgrel=7
+pkgver=2.4.0
+pkgrel=1
 arch=('i686' 'x86_64')
 license=('GPL2' 'LGPL2.1')
 url='http://wiki.qemu.org/'
@@ -19,18 +20,12 @@
              'libiscsi' 'libcacard' 'spice' 'spice-protocol' 'python2'
              'usbredir' 'ceph' 'glusterfs' 'libssh2' 'lzo' 'snappy')
 source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2
-        CVE-2015-3456.patch
-        CVE-2015-5154.patch
-        CVE-2015-3214.patch
-        CVE-2015-5158.patch
         qemu.sysusers
+        qemu-ga.service
         65-kvm.rules)
-md5sums=('2fab3ea4460de9b57192e5b8b311f221'
-         '5e8a68940c4e0267e795a6ddd144e00e'
-         '311d3845dda4795bf63107c3dcbf2bea'
-         '29840d5f2fa93ff447bf9dd120d12e5a'
-         'cd87c265dfec4d8aa3767d5d047cd397'
+md5sums=('186ee8194140a484a455f8e3c74589f4'
          '49778d11c28af170c4bebcc648b0ace1'
+         '44ee242d758f9318c6a1ea1dae96aa3a'
          '33ab286a20242dda7743a900f369d68a')
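Review bot: The upstream tarball is still verified only through `md5sums=`, so with the local CVE patches gone the integrity of the whole build now rests on a digest that is no longer considered adequate for this purpose. makepkg supports stronger arrays; switching to `sha256sums=('<sha256 of qemu-2.4.0.tar.bz2>' ...)` with the three local files following in the same order is a mechanical change. If upstream publishes a detached signature for the release, adding `${pkgname}-${pkgver}.tar.bz2.sig` to `source=` together with `validpgpkeys=('<release-signing key fingerprint>')` would let makepkg verify authenticity rather than only integrity.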
 
 prepare() {
@@ -100,9 +95,6 @@
   # https://bugs.archlinux.org/task/32565
   chmod u+s usr/lib/qemu/qemu-bridge-helper
 
-  # add sample config
-  echo 'allow br0' > etc/qemu/bridge.conf.sample
-
   # manual striping in scripts directory
   find usr/src/linux-${_kernver}/scripts -type f -perm -u+w 2>/dev/null|while read binary ; do
       case "$(file -bi "$binary")" in
@@ -119,6 +111,9 @@
 
   # remove splitted block modules
   rm usr/lib/qemu/block-{iscsi,rbd,gluster}.so
+
+  # remove guest agent
+  rm usr/bin/qemu-ga
 }
 
 package_libcacard() {
@@ -154,4 +149,12 @@
   install -D qemu-${pkgver}/block-gluster.so "${pkgdir}"/usr/lib/qemu/block-gluster.so
 }
 
+package_qemu-guest-agent() {
+  pkgdesc='QEMU Guest Agent'
+  depends=('glibc' 'gcc-libs' 'glib2')
+
+  install -D qemu-${pkgver}/qemu-ga "${pkgdir}"/usr/bin/qemu-ga
+  install -D qemu-ga.service "${pkgdir}"/usr/lib/systemd/system/qemu-ga.service
+}
+
 # vim:set ts=2 sw=2 et:
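Review bot: `install -D qemu-ga.service ...` in package_qemu-guest-agent() relies on install's default mode, so the unit file is shipped as 0755 under /usr/lib/systemd/system although systemd units are plain data and conventionally 0644. Use `install -Dm644 qemu-ga.service "${pkgdir}"/usr/lib/systemd/system/qemu-ga.service`; the binary install on the preceding line is fine with the default mode.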

Added: qemu-ga.service
===================================================================
--- qemu-ga.service	                        (rev 0)
+++ qemu-ga.service	2015-08-18 21:39:12 UTC (rev 243959)
@@ -0,0 +1,8 @@
+[Unit]
+Description=QEMU Guest Agent
+
+[Service]
+ExecStart=/usr/bin/qemu-ga
+
+[Install]
+WantedBy=multi-user.target
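Review bot: The unit has no dependency on the guest-agent channel device, so once enabled it is started on every boot via multi-user.target and simply fails on guests where no org.qemu.guest_agent.0 virtio-serial port is exposed, or before its device node appears. Binding the unit to the device, as other distributions' units do — `BindsTo=dev-virtio\x2dports-org.qemu.guest_agent.0.device` and `After=dev-virtio\x2dports-org.qemu.guest_agent.0.device` under `[Unit]` — makes it start only when the channel is present; a `Documentation=` line would also make the unit self-describing.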

Modified: qemu.install
===================================================================
--- qemu.install	2015-08-18 21:17:42 UTC (rev 243958)
+++ qemu.install	2015-08-18 21:39:12 UTC (rev 243959)
@@ -3,9 +3,10 @@
   # create kvm group
   systemd-sysusers qemu.conf
 
-  # retrigger events on modules files when already loaded
-  [[ -e /dev/kvm ]] && udevadm trigger /dev/kvm
-  [[ -e /dev/vhost-net ]] && udevadm trigger /dev/vhost-net
+  # trigger events on modules files when already loaded
+  for _f in /sys/devices/virtual/misc/{kvm,vhost-net}; do
+    [[ -e "$_f" ]] &&  udevadm trigger "$_f"
+  done
 }
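Review bot: Because the new `for` loop is the last statement of the enclosing function (whose opening lies outside this hunk), the function's exit status becomes that of the final `[[ -e "$_f" ]] &&  udevadm trigger "$_f"`, i.e. non-zero whenever /sys/devices/virtual/misc/vhost-net is absent even though nothing went wrong. Writing the body as `if [[ -e "$_f" ]]; then udevadm trigger "$_f"; fi` keeps the same behaviour with a clean status and removes the doubled space before udevadm.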
 
 # arg 1:  the new package version


