From patchwork Wed Dec 12 11:03:34 2018
X-Patchwork-Submitter: Rutger Helling
X-Patchwork-Id: 460
Subject: [bug#33715] [PATCH] gnu: qemu: Update to 3.1.0. (v2)
Resent-From: Rutger Helling
Resent-Date: Wed, 12 Dec 2018 11:04:01 +0000
To: 33715@debbugs.gnu.org
X-GNU-PR-Message: followup 33715
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
Date: Wed, 12 Dec 2018 12:03:34 +0100
From: Rutger Helling
Message-ID: <20181212120334.3d9e6dc9@mykolab.com>
In-Reply-To: <20181212100638.0252ee05@mykolab.com>
References: <20181212100638.0252ee05@mykolab.com>

Forgot to remove the obsolete patches from local.mk. Here's a fixed version.

> Hey Guix,
>
> here's the latest update for QEMU.

From 8d82f31c8b4c7249b82314d4354e5973cb04c2c2 Mon Sep 17 00:00:00 2001
From: Rutger Helling Date: Wed, 12 Dec 2018 11:57:36 +0100 Subject: [PATCH] gnu: qemu: Update to 3.1.0. * gnu/local.mk: Remove qemu-CVE-2018-16847.patch and qemu-CVE-2018-16867.patch. * gnu/packages/patches/qemu-CVE-2018-16847.patch: Remove file. * gnu/packages/patches/qemu-CVE-2018-16867.patch: Remove file. * gnu/packages/virtualization.scm (qemu): Update to 3.1.0. [source]: Remove removed patches. --- gnu/local.mk | 2 - .../patches/qemu-CVE-2018-16847.patch | 158 ------------------ .../patches/qemu-CVE-2018-16867.patch | 49 ------ gnu/packages/virtualization.scm | 6 +- 4 files changed, 2 insertions(+), 213 deletions(-) delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16847.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16867.patch diff --git a/gnu/local.mk b/gnu/local.mk index e566c221f..47217a8c1 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1110,8 +1110,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \ - %D%/packages/patches/qemu-CVE-2018-16847.patch \ - %D%/packages/patches/qemu-CVE-2018-16867.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtbase-use-TZDIR.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch deleted file mode 100644 index c76bdf764..000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16847.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -Fix CVE-2018-16847: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce - -From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Tue, 20 Nov 2018 19:41:48 +0100 -Subject: [PATCH] nvme: fix out-of-bounds access to the CMB -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Because the CMB BAR has a min_access_size of 2, if you read the last -byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one -error. This is CVE-2018-16847. - -Another way to fix this might be to register the CMB as a RAM memory -region, which would also be more efficient. However, that might be a -change for big-endian machines; I didn't think this through and I don't -know how real hardware works. Add a basic testcase for the CMB in case -somebody does this change later on. 
- -Cc: Keith Busch -Cc: qemu-block@nongnu.org -Reported-by: Li Qiang -Reviewed-by: Li Qiang -Tested-by: Li Qiang -Signed-off-by: Paolo Bonzini -Reviewed-by: Philippe Mathieu-Daudé -Tested-by: Philippe Mathieu-Daudé -Signed-off-by: Kevin Wolf ---- - hw/block/nvme.c | 2 +- - tests/Makefile.include | 2 +- - tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++------- - 3 files changed, 60 insertions(+), 12 deletions(-) - -diff --git a/hw/block/nvme.c b/hw/block/nvme.c -index 28d284346dd..8c35cab2b43 100644 ---- a/hw/block/nvme.c -+++ b/hw/block/nvme.c -@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = { - .write = nvme_cmb_write, - .endianness = DEVICE_LITTLE_ENDIAN, - .impl = { -- .min_access_size = 2, -+ .min_access_size = 1, - .max_access_size = 8, - }, - }; -diff --git a/tests/Makefile.include b/tests/Makefile.include -index 613242bc6ef..fb0b449c02a 100644 ---- a/tests/Makefile.include -+++ b/tests/Makefile.include -@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o - tests/machine-none-test$(EXESUF): tests/machine-none-test.o - tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y) - tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y) --tests/nvme-test$(EXESUF): tests/nvme-test.o -+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y) - tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o - tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o - tests/ac97-test$(EXESUF): tests/ac97-test.o -diff --git a/tests/nvme-test.c b/tests/nvme-test.c -index 7674a446e4f..2700ba838aa 100644 ---- a/tests/nvme-test.c -+++ b/tests/nvme-test.c -@@ -8,25 +8,73 @@ - */ - - #include "qemu/osdep.h" -+#include "qemu/units.h" - #include "libqtest.h" -+#include "libqos/libqos-pc.h" -+ -+static QOSState *qnvme_start(const char *extra_opts) -+{ -+ QOSState *qs; -+ const char *arch = qtest_get_arch(); -+ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw " -+ "-device 
nvme,addr=0x4.0,serial=foo,drive=drv0 %s"; -+ -+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { -+ qs = qtest_pc_boot(cmd, extra_opts ? : ""); -+ global_qtest = qs->qts; -+ return qs; -+ } -+ -+ g_printerr("nvme tests are only available on x86\n"); -+ exit(EXIT_FAILURE); -+} -+ -+static void qnvme_stop(QOSState *qs) -+{ -+ qtest_shutdown(qs); -+} - --/* Tests only initialization so far. TODO: Replace with functional tests */ - static void nop(void) - { -+ QOSState *qs; -+ -+ qs = qnvme_start(NULL); -+ qnvme_stop(qs); - } - --int main(int argc, char **argv) -+static void nvmetest_cmb_test(void) - { -- int ret; -+ const int cmb_bar_size = 2 * MiB; -+ QOSState *qs; -+ QPCIDevice *pdev; -+ QPCIBar bar; - -- g_test_init(&argc, &argv, NULL); -- qtest_add_func("/nvme/nop", nop); -+ qs = qnvme_start("-global nvme.cmb_size_mb=2"); -+ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0)); -+ g_assert(pdev != NULL); -+ -+ qpci_device_enable(pdev); -+ bar = qpci_iomap(pdev, 2, NULL); -+ -+ qpci_io_writel(pdev, bar, 0, 0xccbbaa99); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99); -+ -+ /* Test partially out-of-bounds accesses. */ -+ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211); -+ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211); -+ g_free(pdev); - -- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw " -- "-device nvme,drive=drv0,serial=foo"); -- ret = g_test_run(); -+ qnvme_stop(qs); -+} - -- qtest_end(); -+int main(int argc, char **argv) -+{ -+ g_test_init(&argc, &argv, NULL); -+ qtest_add_func("/nvme/nop", nop); -+ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test); - -- return ret; -+ return g_test_run(); - } --- -2.19.2 - 
diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch deleted file mode 100644 index 1403d8e0f..000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16867.patch +++ /dev/null @@ -1,49 +0,0 @@ -Fix CVE-2018-16867: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867 -https://seclists.org/oss-sec/2018/q4/202 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6 - -From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 3 Dec 2018 11:10:45 +0100 -Subject: [PATCH] usb-mtp: outlaw slashes in filenames -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Slash is unix directory separator, so they are not allowed in filenames. -Note this also stops the classic escape via "../". - -Fixes: CVE-2018-16867 -Reported-by: Michael Hanselmann -Signed-off-by: Gerd Hoffmann -Reviewed-by: Philippe Mathieu-Daudé -Message-id: 20181203101045.27976-3-kraxel@redhat.com ---- - hw/usb/dev-mtp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 0f6a9702ef1..100b7171f4e 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) - - filename = utf16_to_str(dataset->length, dataset->filename); - -+ if (strchr(filename, '/')) { -+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, -+ 0, 0, 0, 0); -+ return; -+ } -+ - o = usb_mtp_object_lookup_name(p, filename, dataset->length); - if (o != NULL) { - next_handle = o->handle; --- -2.19.2 - diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm index 0502bb38c..8e361558b 100644 --- a/gnu/packages/virtualization.scm +++ b/gnu/packages/virtualization.scm 
@@ -95,16 +95,14 @@ (define-public qemu (package (name "qemu") - (version "3.0.0") + (version "3.1.0") (source (origin (method url-fetch) (uri (string-append "https://download.qemu.org/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2018-16847.patch" - "qemu-CVE-2018-16867.patch")) (sha256 (base32 - "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld")))) + "1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: -- 2.20.0
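Review bot: in the gnu/local.mk hunk, the two removed dist_patch_DATA entries are exactly the two files deleted further down in this patch, which closes the gap left by v1; an entry in dist_patch_DATA whose file no longer exists breaks `make dist`, so the list edit and the file deletions belong in the same commit, as they are here.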
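Review bot: deleting gnu/packages/patches/qemu-CVE-2018-16847.patch is only correct if the upstream commit it was copied from (87ad860c622cc8f8916b5232bd8728c08f938fce, "nvme: fix out-of-bounds access to the CMB", which changes the CMB `min_access_size` from 2 to 1) is part of the 3.1.0 tarball; the commit is dated 20 Nov 2018, so it is likely included, but confirm with `git tag --contains 87ad860c` in a qemu checkout before the fix is dropped from Guix's tree.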
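Review bot: the same check applies to gnu/packages/patches/qemu-CVE-2018-16867.patch, and it matters more here because upstream commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6 ("usb-mtp: outlaw slashes in filenames") is dated 3 Dec 2018, only days before this submission; verify that hw/usb/dev-mtp.c in the 3.1.0 tarball contains the `if (strchr(filename, '/'))` rejection in usb_mtp_write_metadata before removing this patch.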
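Review bot: in the virtualization.scm hunk, the new sha256 `1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba` is the one value a reviewer cannot check by reading; confirm it matches `guix download https://download.qemu.org/qemu-3.1.0.tar.xz` and that the upstream signature for that tarball verifies. Dropping the whole `(patches ...)` field instead of leaving an empty `search-patches` call is the right shape now that no patches remain.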