From: Rutger Helling <rhelling@mykolab.com>
To: 33715@debbugs.gnu.org
Subject: [bug#33715] [PATCH] gnu: qemu: Update to 3.1.0.
Date: Wed, 12 Dec 2018 10:06:38 +0100 [thread overview]
Message-ID: <20181212100638.0252ee05@mykolab.com> (raw)
[-- Attachment #1.1: Type: text/plain, Size: 49 bytes --]
Hey Guix,
here's the latest update for QEMU.
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: 0001-gnu-qemu-Update-to-3.1.0.patch --]
[-- Type: text/x-patch, Size: 9479 bytes --]
From 0e0126079f0beef53ae78cdfb8a793bca95bf296 Mon Sep 17 00:00:00 2001
From: Rutger Helling <rhelling@mykolab.com>
Date: Wed, 12 Dec 2018 09:59:49 +0100
Subject: [PATCH] gnu: qemu: Update to 3.1.0.
* gnu/packages/patches/qemu-CVE-2018-16847.patch: Remove file.
* gnu/packages/patches/qemu-CVE-2018-16867.patch: Remove file.
* gnu/packages/virtualization.scm (qemu): Update to 3.1.0.
[source]: Remove removed patches.
---
.../patches/qemu-CVE-2018-16847.patch | 158 ------------------
.../patches/qemu-CVE-2018-16867.patch | 49 ------
gnu/packages/virtualization.scm | 6 +-
3 files changed, 2 insertions(+), 211 deletions(-)
delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16847.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16867.patch
diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch
deleted file mode 100644
index c76bdf764..000000000
--- a/gnu/packages/patches/qemu-CVE-2018-16847.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-Fix CVE-2018-16847:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce
-
-From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 20 Nov 2018 19:41:48 +0100
-Subject: [PATCH] nvme: fix out-of-bounds access to the CMB
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Because the CMB BAR has a min_access_size of 2, if you read the last
-byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
-error. This is CVE-2018-16847.
-
-Another way to fix this might be to register the CMB as a RAM memory
-region, which would also be more efficient. However, that might be a
-change for big-endian machines; I didn't think this through and I don't
-know how real hardware works. Add a basic testcase for the CMB in case
-somebody does this change later on.
-
-Cc: Keith Busch <keith.busch@intel.com>
-Cc: qemu-block@nongnu.org
-Reported-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Tested-by: Li Qiang <liq3ea@gmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/block/nvme.c | 2 +-
- tests/Makefile.include | 2 +-
- tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++-------
- 3 files changed, 60 insertions(+), 12 deletions(-)
-
-diff --git a/hw/block/nvme.c b/hw/block/nvme.c
-index 28d284346dd..8c35cab2b43 100644
---- a/hw/block/nvme.c
-+++ b/hw/block/nvme.c
-@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
- .write = nvme_cmb_write,
- .endianness = DEVICE_LITTLE_ENDIAN,
- .impl = {
-- .min_access_size = 2,
-+ .min_access_size = 1,
- .max_access_size = 8,
- },
- };
-diff --git a/tests/Makefile.include b/tests/Makefile.include
-index 613242bc6ef..fb0b449c02a 100644
---- a/tests/Makefile.include
-+++ b/tests/Makefile.include
-@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o
- tests/machine-none-test$(EXESUF): tests/machine-none-test.o
- tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y)
- tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y)
--tests/nvme-test$(EXESUF): tests/nvme-test.o
-+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y)
- tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o
- tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o
- tests/ac97-test$(EXESUF): tests/ac97-test.o
-diff --git a/tests/nvme-test.c b/tests/nvme-test.c
-index 7674a446e4f..2700ba838aa 100644
---- a/tests/nvme-test.c
-+++ b/tests/nvme-test.c
-@@ -8,25 +8,73 @@
- */
-
- #include "qemu/osdep.h"
-+#include "qemu/units.h"
- #include "libqtest.h"
-+#include "libqos/libqos-pc.h"
-+
-+static QOSState *qnvme_start(const char *extra_opts)
-+{
-+ QOSState *qs;
-+ const char *arch = qtest_get_arch();
-+ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw "
-+ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s";
-+
-+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
-+ qs = qtest_pc_boot(cmd, extra_opts ? : "");
-+ global_qtest = qs->qts;
-+ return qs;
-+ }
-+
-+ g_printerr("nvme tests are only available on x86\n");
-+ exit(EXIT_FAILURE);
-+}
-+
-+static void qnvme_stop(QOSState *qs)
-+{
-+ qtest_shutdown(qs);
-+}
-
--/* Tests only initialization so far. TODO: Replace with functional tests */
- static void nop(void)
- {
-+ QOSState *qs;
-+
-+ qs = qnvme_start(NULL);
-+ qnvme_stop(qs);
- }
-
--int main(int argc, char **argv)
-+static void nvmetest_cmb_test(void)
- {
-- int ret;
-+ const int cmb_bar_size = 2 * MiB;
-+ QOSState *qs;
-+ QPCIDevice *pdev;
-+ QPCIBar bar;
-
-- g_test_init(&argc, &argv, NULL);
-- qtest_add_func("/nvme/nop", nop);
-+ qs = qnvme_start("-global nvme.cmb_size_mb=2");
-+ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
-+ g_assert(pdev != NULL);
-+
-+ qpci_device_enable(pdev);
-+ bar = qpci_iomap(pdev, 2, NULL);
-+
-+ qpci_io_writel(pdev, bar, 0, 0xccbbaa99);
-+ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99);
-+ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99);
-+
-+ /* Test partially out-of-bounds accesses. */
-+ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211);
-+ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11);
-+ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211);
-+ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211);
-+ g_free(pdev);
-
-- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw "
-- "-device nvme,drive=drv0,serial=foo");
-- ret = g_test_run();
-+ qnvme_stop(qs);
-+}
-
-- qtest_end();
-+int main(int argc, char **argv)
-+{
-+ g_test_init(&argc, &argv, NULL);
-+ qtest_add_func("/nvme/nop", nop);
-+ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test);
-
-- return ret;
-+ return g_test_run();
- }
---
-2.19.2
-
diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch
deleted file mode 100644
index 1403d8e0f..000000000
--- a/gnu/packages/patches/qemu-CVE-2018-16867.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Fix CVE-2018-16867:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
-https://seclists.org/oss-sec/2018/q4/202
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6
-
-From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 Dec 2018 11:10:45 +0100
-Subject: [PATCH] usb-mtp: outlaw slashes in filenames
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Slash is unix directory separator, so they are not allowed in filenames.
-Note this also stops the classic escape via "../".
-
-Fixes: CVE-2018-16867
-Reported-by: Michael Hanselmann <public@hansmi.ch>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181203101045.27976-3-kraxel@redhat.com
----
- hw/usb/dev-mtp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 0f6a9702ef1..100b7171f4e 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
-
- filename = utf16_to_str(dataset->length, dataset->filename);
-
-+ if (strchr(filename, '/')) {
-+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
-+ 0, 0, 0, 0);
-+ return;
-+ }
-+
- o = usb_mtp_object_lookup_name(p, filename, dataset->length);
- if (o != NULL) {
- next_handle = o->handle;
---
-2.19.2
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 0502bb38c..8e361558b 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -95,16 +95,14 @@
(define-public qemu
(package
(name "qemu")
- (version "3.0.0")
+ (version "3.1.0")
(source (origin
(method url-fetch)
(uri (string-append "https://download.qemu.org/qemu-"
version ".tar.xz"))
- (patches (search-patches "qemu-CVE-2018-16847.patch"
- "qemu-CVE-2018-16867.patch"))
(sha256
(base32
- "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
+ "1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like:
--
2.20.0
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next reply other threads:[~2018-12-12 9:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-12 9:06 Rutger Helling [this message]
2018-12-12 11:03 ` [bug#33715] [PATCH] gnu: qemu: Update to 3.1.0. (v2) Rutger Helling
2018-12-13 19:43 ` bug#33715: " Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181212100638.0252ee05@mykolab.com \
--to=rhelling@mykolab.com \
--cc=33715@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.