Subject: [bug#33715] [PATCH] gnu: qemu: Update to 3.1.0. (v2)
Date: Wed, 12 Dec 2018 12:03:34 +0100
From: Rutger Helling Message-ID: <20181212120334.3d9e6dc9@mykolab.com> In-Reply-To: <20181212100638.0252ee05@mykolab.com> References: <20181212100638.0252ee05@mykolab.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; boundary="Sig_/2DODW=Qw7Xgp0bb/Zjk.VSy"; protocol="application/pgp-signature" To: 33715@debbugs.gnu.org --Sig_/2DODW=Qw7Xgp0bb/Zjk.VSy Content-Type: multipart/mixed; boundary="MP_/riepVXvRwle+vp9WBl3yVOc" --MP_/riepVXvRwle+vp9WBl3yVOc Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: quoted-printable Content-Disposition: inline Forgot to remove the obsolete patches from local.mk. Here's a fixed version. > Hey Guix, >=20 > here's the latest update for QEMU. --MP_/riepVXvRwle+vp9WBl3yVOc Content-Type: text/x-patch Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename=0001-gnu-qemu-Update-to-3.1.0-v2.patch =46rom 8d82f31c8b4c7249b82314d4354e5973cb04c2c2 Mon Sep 17 00:00:00 2001 From: Rutger Helling Date: Wed, 12 Dec 2018 11:57:36 +0100 Subject: [PATCH] gnu: qemu: Update to 3.1.0. * gnu/local.mk: Remove qemu-CVE-2018-16847.patch and qemu-CVE-2018-16867.patch. * gnu/packages/patches/qemu-CVE-2018-16847.patch: Remove file. * gnu/packages/patches/qemu-CVE-2018-16867.patch: Remove file. * gnu/packages/virtualization.scm (qemu): Update to 3.1.0. [source]: Remove removed patches. --- gnu/local.mk | 2 - .../patches/qemu-CVE-2018-16847.patch | 158 ------------------ .../patches/qemu-CVE-2018-16867.patch | 49 ------ gnu/packages/virtualization.scm | 6 +- 4 files changed, 2 insertions(+), 213 deletions(-) delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16847.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16867.patch diff --git a/gnu/local.mk b/gnu/local.mk index e566c221f..47217a8c1 100644 --- a/gnu/local.mk 
+++ b/gnu/local.mk @@ -1110,8 +1110,6 @@ dist_patch_DATA =3D \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ - %D%/packages/patches/qemu-CVE-2018-16847.patch \ - %D%/packages/patches/qemu-CVE-2018-16867.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-use-TZDIR.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/= patches/qemu-CVE-2018-16847.patch deleted file mode 100644 index c76bdf764..000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16847.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -Fix CVE-2018-16847: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-16847 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=3Dqemu.git;a=3Dcommitdiff;h=3D87ad860c622cc8f8916b= 5232bd8728c08f938fce - -From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Tue, 20 Nov 2018 19:41:48 +0100 -Subject: [PATCH] nvme: fix out-of-bounds access to the CMB -MIME-Version: 1.0 -Content-Type: text/plain; charset=3DUTF-8 -Content-Transfer-Encoding: 8bit - -Because the CMB BAR has a min_access_size of 2, if you read the last -byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one -error. This is CVE-2018-16847. - -Another way to fix this might be to register the CMB as a RAM memory -region, which would also be more efficient. However, that might be a -change for big-endian machines; I didn't think this through and I don't -know how real hardware works. Add a basic testcase for the CMB in case -somebody does this change later on. 
- -Cc: Keith Busch -Cc: qemu-block@nongnu.org -Reported-by: Li Qiang -Reviewed-by: Li Qiang -Tested-by: Li Qiang -Signed-off-by: Paolo Bonzini -Reviewed-by: Philippe Mathieu-Daud=C3=A9 -Tested-by: Philippe Mathieu-Daud=C3=A9 -Signed-off-by: Kevin Wolf ---- - hw/block/nvme.c | 2 +- - tests/Makefile.include | 2 +- - tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++------- - 3 files changed, 60 insertions(+), 12 deletions(-) - -diff --git a/hw/block/nvme.c b/hw/block/nvme.c -index 28d284346dd..8c35cab2b43 100644 ---- a/hw/block/nvme.c -+++ b/hw/block/nvme.c -@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops =3D { - .write =3D nvme_cmb_write, - .endianness =3D DEVICE_LITTLE_ENDIAN, - .impl =3D { -- .min_access_size =3D 2, -+ .min_access_size =3D 1, - .max_access_size =3D 8, - }, - }; -diff --git a/tests/Makefile.include b/tests/Makefile.include -index 613242bc6ef..fb0b449c02a 100644 ---- a/tests/Makefile.include -+++ b/tests/Makefile.include -@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o - tests/machine-none-test$(EXESUF): tests/machine-none-test.o - tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj= -y) - tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-o= bj-y) --tests/nvme-test$(EXESUF): tests/nvme-test.o -+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y) - tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o - tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o - tests/ac97-test$(EXESUF): tests/ac97-test.o -diff --git a/tests/nvme-test.c b/tests/nvme-test.c -index 7674a446e4f..2700ba838aa 100644 ---- a/tests/nvme-test.c -+++ b/tests/nvme-test.c -@@ -8,25 +8,73 @@ - */ -=20 - #include "qemu/osdep.h" -+#include "qemu/units.h" - #include "libqtest.h" -+#include "libqos/libqos-pc.h" -+ -+static QOSState *qnvme_start(const char *extra_opts) -+{ -+ QOSState *qs; -+ const char *arch =3D qtest_get_arch(); -+ const char *cmd =3D "-drive 
id=3Ddrv0,if=3Dnone,file=3Dnull-co://,for= mat=3Draw " -+ "-device nvme,addr=3D0x4.0,serial=3Dfoo,drive=3Ddrv= 0 %s"; -+ -+ if (strcmp(arch, "i386") =3D=3D 0 || strcmp(arch, "x86_64") =3D=3D 0)= { -+ qs =3D qtest_pc_boot(cmd, extra_opts ? : ""); -+ global_qtest =3D qs->qts; -+ return qs; -+ } -+ -+ g_printerr("nvme tests are only available on x86\n"); -+ exit(EXIT_FAILURE); -+} -+ -+static void qnvme_stop(QOSState *qs) -+{ -+ qtest_shutdown(qs); -+} -=20 --/* Tests only initialization so far. TODO: Replace with functional tests = */ - static void nop(void) - { -+ QOSState *qs; -+ -+ qs =3D qnvme_start(NULL); -+ qnvme_stop(qs); - } -=20 --int main(int argc, char **argv) -+static void nvmetest_cmb_test(void) - { -- int ret; -+ const int cmb_bar_size =3D 2 * MiB; -+ QOSState *qs; -+ QPCIDevice *pdev; -+ QPCIBar bar; -=20 -- g_test_init(&argc, &argv, NULL); -- qtest_add_func("/nvme/nop", nop); -+ qs =3D qnvme_start("-global nvme.cmb_size_mb=3D2"); -+ pdev =3D qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0)); -+ g_assert(pdev !=3D NULL); -+ -+ qpci_device_enable(pdev); -+ bar =3D qpci_iomap(pdev, 2, NULL); -+ -+ qpci_io_writel(pdev, bar, 0, 0xccbbaa99); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), =3D=3D, 0x99); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), =3D=3D, 0xaa99); -+ -+ /* Test partially out-of-bounds accesses. 
*/ -+ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), =3D=3D, 0= x11); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=3D, 0x2= 211); -+ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=3D, 0x4= 4332211); -+ g_free(pdev); -=20 -- qtest_start("-drive id=3Ddrv0,if=3Dnone,file=3Dnull-co://,format=3Dra= w " -- "-device nvme,drive=3Ddrv0,serial=3Dfoo"); -- ret =3D g_test_run(); -+ qnvme_stop(qs); -+} -=20 -- qtest_end(); -+int main(int argc, char **argv) -+{ -+ g_test_init(&argc, &argv, NULL); -+ qtest_add_func("/nvme/nop", nop); -+ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test); -=20 -- return ret; -+ return g_test_run(); - } ---=20 -2.19.2 - diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/= patches/qemu-CVE-2018-16867.patch deleted file mode 100644 index 1403d8e0f..000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16867.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -Fix CVE-2018-16867: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2018-16867 -https://seclists.org/oss-sec/2018/q4/202 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=3Dqemu.git;a=3Dcommitdiff;h=3Dc52d46e041b42bb1ee6f= 692e00a0abe37a9659f6 - -From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 3 Dec 2018 11:10:45 +0100 -Subject: [PATCH] usb-mtp: outlaw slashes in filenames -MIME-Version: 1.0 -Content-Type: text/plain; charset=3DUTF-8 -Content-Transfer-Encoding: 8bit - -Slash is unix directory separator, so they are not allowed in filenames. -Note this also stops the classic escape via "../". - -Fixes: CVE-2018-16867 -Reported-by: Michael Hanselmann -Signed-off-by: Gerd Hoffmann -Reviewed-by: Philippe Mathieu-Daud=C3=A9 -Message-id: 20181203101045.27976-3-kraxel@redhat.com ---- - hw/usb/dev-mtp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 0f6a9702ef1..100b7171f4e 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) -=20 - filename =3D utf16_to_str(dataset->length, dataset->filename); -=20 -+ if (strchr(filename, '/')) { -+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, -+ 0, 0, 0, 0); -+ return; -+ } -+ - o =3D usb_mtp_object_lookup_name(p, filename, dataset->length); - if (o !=3D NULL) { - next_handle =3D o->handle; ---=20 -2.19.2 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.= scm index 0502bb38c..8e361558b 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm 
@@ -95,16 +95,14 @@ (define-public qemu (package (name "qemu") - (version "3.0.0") + (version "3.1.0") (source (origin (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2018-16847.patch" - "qemu-CVE-2018-16867.patch")) (sha256 (base32 - "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld")))) + "1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, lik= e: --=20 2.20.0 --MP_/riepVXvRwle+vp9WBl3yVOc-- --Sig_/2DODW=Qw7Xgp0bb/Zjk.VSy--
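Review bot: In the gnu/local.mk hunk the two removed entries belong to dist_patch_DATA, but the commit log line for that file names no variable, unlike the virtualization.scm entry, which names (qemu). The log would read more consistently as "* gnu/local.mk (dist_patch_DATA): Remove them.", placed after the two "Remove file." entries, so the affected variable can be found from the log alone.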
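Review bot: In the gnu/packages/virtualization.scm hunk the whole (patches (search-patches ...)) field is dropped together with the version bump, and the only justification given is the cover message calling the patches obsolete; the commit log does not say that the 3.1.0 tarball contains both fixes. Please confirm that upstream commits 87ad860c622cc8f8916b5232bd8728c08f938fce (CVE-2018-16847) and c52d46e041b42bb1ee6f692e00a0abe37a9659f6 (CVE-2018-16867) are part of 3.1.0, for instance by checking in the unpacked source that nvme_cmb_ops in hw/block/nvme.c has .min_access_size set to 1 and that usb_mtp_write_metadata in hw/usb/dev-mtp.c rejects a filename containing '/', and state that in the log in place of "[source]: Remove removed patches.", which gives no reason. The new base32 hash on the last changed line cannot be checked from the diff either, so it is worth saying how the tarball was authenticated before the hash was computed.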