gnu: qemu: Update to 2.10.0.
* gnu/packages/patches/qemu-CVE-2017-10664.patch, gnu/packages/patches/qemu-CVE-2017-10806.patch, gnu/packages/patches/qemu-CVE-2017-10911.patch, gnu/packages/patches/qemu-CVE-2017-11334.patch, gnu/packages/patches/qemu-CVE-2017-11434.patch, gnu/packages/patches/qemu-CVE-2017-12809.patch: gnu/packages/patches/qemu-CVE-2017-7493.patch, gnu/packages/patches/qemu-CVE-2017-8112.patch, gnu/packages/patches/qemu-CVE-2017-8309.patch, gnu/packages/patches/qemu-CVE-2017-8379.patch, gnu/packages/patches/qemu-CVE-2017-8380.patch, gnu/packages/patches/qemu-CVE-2017-9524.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/virtualization.scm (qemu): Update to 2.10.0. [source](patches): Remove.
This commit is contained in:
parent
ffeeda6bab
commit
2de7d137b3
12
gnu/local.mk
12
gnu/local.mk
|
@ -971,18 +971,6 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
|
||||
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-7493.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-8112.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-8309.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-8379.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-8380.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-9524.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-10664.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-10806.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-10911.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-11334.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-11434.patch \
|
||||
%D%/packages/patches/qemu-CVE-2017-12809.patch \
|
||||
%D%/packages/patches/qt4-ldflags.patch \
|
||||
%D%/packages/patches/qtscript-disable-tests.patch \
|
||||
%D%/packages/patches/quagga-reproducible-build.patch \
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
Fix CVE-2017-10664:
|
||||
|
||||
https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1466190
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-10664
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
|
||||
|
||||
diff --git a/qemu-nbd.c b/qemu-nbd.c
|
||||
index 9464a0461c..4dd3fd4732 100644
|
||||
--- a/qemu-nbd.c
|
||||
+++ b/qemu-nbd.c
|
||||
@@ -581,6 +581,10 @@ int main(int argc, char **argv)
|
||||
sa_sigterm.sa_handler = termsig_handler;
|
||||
sigaction(SIGTERM, &sa_sigterm, NULL);
|
||||
|
||||
+#ifdef CONFIG_POSIX
|
||||
+ signal(SIGPIPE, SIG_IGN);
|
||||
+#endif
|
||||
+
|
||||
module_call_init(MODULE_INIT_TRACE);
|
||||
qcrypto_init(&error_fatal);
|
||||
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
Fix CVE-2017-10806:
|
||||
|
||||
https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1468496
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-10806
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d
|
||||
|
||||
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||
index b001a27f05..ad5ef783a6 100644
|
||||
--- a/hw/usb/redirect.c
|
||||
+++ b/hw/usb/redirect.c
|
||||
@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
|
||||
static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
|
||||
const uint8_t *data, int len)
|
||||
{
|
||||
- int i, j, n;
|
||||
-
|
||||
if (dev->debug < usbredirparser_debug_data) {
|
||||
return;
|
||||
}
|
||||
-
|
||||
- for (i = 0; i < len; i += j) {
|
||||
- char buf[128];
|
||||
-
|
||||
- n = sprintf(buf, "%s", desc);
|
||||
- for (j = 0; j < 8 && i + j < len; j++) {
|
||||
- n += sprintf(buf + n, " %02X", data[i + j]);
|
||||
- }
|
||||
- error_report("%s", buf);
|
||||
- }
|
||||
+ qemu_hexdump((char *)data, stderr, desc, len);
|
||||
}
|
||||
|
||||
/*
|
|
@ -1,106 +0,0 @@
|
|||
Fix CVE-2017-10911:
|
||||
|
||||
https://xenbits.xen.org/xsa/advisory-216.html
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-10911
|
||||
|
||||
Patch copied from Xen Security Advisory:
|
||||
|
||||
https://xenbits.xen.org/xsa/xsa216-qemuu.patch
|
||||
|
||||
--- a/hw/block/xen_blkif.h
|
||||
+++ b/hw/block/xen_blkif.h
|
||||
@@ -14,9 +14,6 @@
|
||||
struct blkif_common_request {
|
||||
char dummy;
|
||||
};
|
||||
-struct blkif_common_response {
|
||||
- char dummy;
|
||||
-};
|
||||
|
||||
/* i386 protocol version */
|
||||
#pragma pack(push, 4)
|
||||
@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard {
|
||||
blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */
|
||||
uint64_t nr_sectors; /* # of contiguous sectors to discard */
|
||||
};
|
||||
-struct blkif_x86_32_response {
|
||||
- uint64_t id; /* copied from request */
|
||||
- uint8_t operation; /* copied from request */
|
||||
- int16_t status; /* BLKIF_RSP_??? */
|
||||
-};
|
||||
typedef struct blkif_x86_32_request blkif_x86_32_request_t;
|
||||
-typedef struct blkif_x86_32_response blkif_x86_32_response_t;
|
||||
#pragma pack(pop)
|
||||
|
||||
/* x86_64 protocol version */
|
||||
@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard {
|
||||
blkif_sector_t sector_number; /* start sector idx on disk (r/w only) */
|
||||
uint64_t nr_sectors; /* # of contiguous sectors to discard */
|
||||
};
|
||||
-struct blkif_x86_64_response {
|
||||
- uint64_t __attribute__((__aligned__(8))) id;
|
||||
- uint8_t operation; /* copied from request */
|
||||
- int16_t status; /* BLKIF_RSP_??? */
|
||||
-};
|
||||
typedef struct blkif_x86_64_request blkif_x86_64_request_t;
|
||||
-typedef struct blkif_x86_64_response blkif_x86_64_response_t;
|
||||
|
||||
DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
|
||||
- struct blkif_common_response);
|
||||
+ struct blkif_response);
|
||||
DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
|
||||
- struct blkif_x86_32_response);
|
||||
+ struct blkif_response QEMU_PACKED);
|
||||
DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
|
||||
- struct blkif_x86_64_response);
|
||||
+ struct blkif_response);
|
||||
|
||||
union blkif_back_rings {
|
||||
blkif_back_ring_t native;
|
||||
--- a/hw/block/xen_disk.c
|
||||
+++ b/hw/block/xen_disk.c
|
||||
@@ -769,31 +769,30 @@ static int blk_send_response_one(struct
|
||||
struct XenBlkDev *blkdev = ioreq->blkdev;
|
||||
int send_notify = 0;
|
||||
int have_requests = 0;
|
||||
- blkif_response_t resp;
|
||||
- void *dst;
|
||||
-
|
||||
- resp.id = ioreq->req.id;
|
||||
- resp.operation = ioreq->req.operation;
|
||||
- resp.status = ioreq->status;
|
||||
+ blkif_response_t *resp;
|
||||
|
||||
/* Place on the response ring for the relevant domain. */
|
||||
switch (blkdev->protocol) {
|
||||
case BLKIF_PROTOCOL_NATIVE:
|
||||
- dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);
|
||||
+ resp = RING_GET_RESPONSE(&blkdev->rings.native,
|
||||
+ blkdev->rings.native.rsp_prod_pvt);
|
||||
break;
|
||||
case BLKIF_PROTOCOL_X86_32:
|
||||
- dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
|
||||
- blkdev->rings.x86_32_part.rsp_prod_pvt);
|
||||
+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
|
||||
+ blkdev->rings.x86_32_part.rsp_prod_pvt);
|
||||
break;
|
||||
case BLKIF_PROTOCOL_X86_64:
|
||||
- dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
|
||||
- blkdev->rings.x86_64_part.rsp_prod_pvt);
|
||||
+ resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
|
||||
+ blkdev->rings.x86_64_part.rsp_prod_pvt);
|
||||
break;
|
||||
default:
|
||||
- dst = NULL;
|
||||
return 0;
|
||||
}
|
||||
- memcpy(dst, &resp, sizeof(resp));
|
||||
+
|
||||
+ resp->id = ioreq->req.id;
|
||||
+ resp->operation = ioreq->req.operation;
|
||||
+ resp->status = ioreq->status;
|
||||
+
|
||||
blkdev->rings.common.rsp_prod_pvt++;
|
||||
|
||||
RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);
|
|
@ -1,52 +0,0 @@
|
|||
Fix CVE-2017-11334:
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1471638
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11334
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=04bf2526ce87f21b32c9acba1c5518708c243ad0
|
||||
|
||||
From 04bf2526ce87f21b32c9acba1c5518708c243ad0 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Jul 2017 18:08:40 +0530
|
||||
Subject: [PATCH] exec: use qemu_ram_ptr_length to access guest ram
|
||||
|
||||
When accessing guest's ram block during DMA operation, use
|
||||
'qemu_ram_ptr_length' to get ram block pointer. It ensures
|
||||
that DMA operation of given length is possible; And avoids
|
||||
any OOB memory access situations.
|
||||
|
||||
Reported-by: Alex <broscutamaker@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <20170712123840.29328-1-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
exec.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/exec.c b/exec.c
|
||||
index a083ff89ad..ad103ce483 100644
|
||||
--- a/exec.c
|
||||
+++ b/exec.c
|
||||
@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr,
|
||||
}
|
||||
} else {
|
||||
/* RAM case */
|
||||
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
|
||||
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
|
||||
memcpy(ptr, buf, l);
|
||||
invalidate_and_set_dirty(mr, addr1, l);
|
||||
}
|
||||
@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr,
|
||||
}
|
||||
} else {
|
||||
/* RAM case */
|
||||
- ptr = qemu_map_ram_ptr(mr->ram_block, addr1);
|
||||
+ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l);
|
||||
memcpy(buf, ptr, l);
|
||||
}
|
||||
|
||||
--
|
||||
2.13.3
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
Fix CVE-2017-11434:
|
||||
|
||||
https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1472611
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434
|
||||
https://security-tracker.debian.org/tracker/CVE-2017-11434
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0
|
||||
|
||||
diff --git a/slirp/bootp.c b/slirp/bootp.c
|
||||
index 5a4646c182..5dd1a415b5 100644
|
||||
--- a/slirp/bootp.c
|
||||
+++ b/slirp/bootp.c
|
||||
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
|
||||
if (p >= p_end)
|
||||
break;
|
||||
len = *p++;
|
||||
+ if (p + len > p_end) {
|
||||
+ break;
|
||||
+ }
|
||||
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
|
||||
|
||||
switch(tag) {
|
|
@ -1,38 +0,0 @@
|
|||
http://openwall.com/lists/oss-security/2017/08/21/2
|
||||
https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html
|
||||
|
||||
The block backend changed in a way that flushing empty CDROM drives now
|
||||
crashes. Amend IDE to avoid doing so until the root problem can be
|
||||
addressed for 2.11.
|
||||
|
||||
Original patch by John Snow <address@hidden>.
|
||||
|
||||
Reported-by: Kieron Shorrock <address@hidden>
|
||||
Signed-off-by: Stefan Hajnoczi <address@hidden>
|
||||
---
|
||||
hw/ide/core.c | 10 +++++++++-
|
||||
1 file changed, 9 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
||||
index 0b48b64d3a..bea39536b0 100644
|
||||
--- a/hw/ide/core.c
|
||||
+++ b/hw/ide/core.c
|
||||
@@ -1063,7 +1063,15 @@ static void ide_flush_cache(IDEState *s)
|
||||
s->status |= BUSY_STAT;
|
||||
ide_set_retry(s);
|
||||
block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
|
||||
- s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
|
||||
+
|
||||
+ if (blk_bs(s->blk)) {
|
||||
+ s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
|
||||
+ } else {
|
||||
+ /* XXX blk_aio_flush() crashes when blk_bs(blk) is NULL, remove this
|
||||
+ * temporary workaround when blk_aio_*() functions handle NULL blk_bs.
|
||||
+ */
|
||||
+ ide_flush_cb(s, 0);
|
||||
+ }
|
||||
}
|
||||
|
||||
static void ide_cfata_metadata_inquiry(IDEState *s)
|
||||
--
|
||||
2.13.3
|
|
@ -1,182 +0,0 @@
|
|||
Fix CVE-2017-7493:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7493
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commit;h=7a95434e0ca8a037fd8aa1a2e2461f92585eb77b
|
||||
|
||||
From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001
|
||||
From: Greg Kurz <groug@kaod.org>
|
||||
Date: Fri, 5 May 2017 14:48:08 +0200
|
||||
Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
|
||||
|
||||
When using the mapped-file security mode, we shouldn't let the client mess
|
||||
with the metadata. The current code already tries to hide the metadata dir
|
||||
from the client by skipping it in local_readdir(). But the client can still
|
||||
access or modify it through several other operations. This can be used to
|
||||
escalate privileges in the guest.
|
||||
|
||||
Affected backend operations are:
|
||||
- local_mknod()
|
||||
- local_mkdir()
|
||||
- local_open2()
|
||||
- local_symlink()
|
||||
- local_link()
|
||||
- local_unlinkat()
|
||||
- local_renameat()
|
||||
- local_rename()
|
||||
- local_name_to_path()
|
||||
|
||||
Other operations are safe because they are only passed a fid path, which
|
||||
is computed internally in local_name_to_path().
|
||||
|
||||
This patch converts all the functions listed above to fail and return
|
||||
EINVAL when being passed the name of the metadata dir. This may look
|
||||
like a poor choice for errno, but there's no such thing as an illegal
|
||||
path name on Linux and I could not think of anything better.
|
||||
|
||||
This fixes CVE-2017-7493.
|
||||
|
||||
Reported-by: Leo Gaspard <leo@gaspard.io>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-by: Eric Blake <eblake@redhat.com>
|
||||
---
|
||||
hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 56 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
|
||||
index f3ebca4f7a..a2486566af 100644
|
||||
--- a/hw/9pfs/9p-local.c
|
||||
+++ b/hw/9pfs/9p-local.c
|
||||
@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
|
||||
return telldir(fs->dir.stream);
|
||||
}
|
||||
|
||||
+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
|
||||
+{
|
||||
+ return !strcmp(name, VIRTFS_META_DIR);
|
||||
+}
|
||||
+
|
||||
static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
|
||||
{
|
||||
struct dirent *entry;
|
||||
@@ -465,8 +470,8 @@ again:
|
||||
if (ctx->export_flags & V9FS_SM_MAPPED) {
|
||||
entry->d_type = DT_UNKNOWN;
|
||||
} else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
|
||||
- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
|
||||
- /* skp the meta data directory */
|
||||
+ if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
|
||||
+ /* skip the meta data directory */
|
||||
goto again;
|
||||
}
|
||||
entry->d_type = DT_UNKNOWN;
|
||||
@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Mark all the open to not follow symlinks
|
||||
*/
|
||||
@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
|
||||
int err = -1;
|
||||
int dirfd;
|
||||
|
||||
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(fs_ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
|
||||
int ret = -1;
|
||||
int odirfd, ndirfd;
|
||||
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
odirfd = local_opendir_nofollow(ctx, odirpath);
|
||||
if (odirfd == -1) {
|
||||
goto out;
|
||||
@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
|
||||
static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
|
||||
const char *name, V9fsPath *target)
|
||||
{
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (dir_path) {
|
||||
v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
|
||||
} else if (strcmp(name, "/")) {
|
||||
@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
|
||||
int ret;
|
||||
int odirfd, ndirfd;
|
||||
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ (local_is_mapped_file_metadata(ctx, old_name) ||
|
||||
+ local_is_mapped_file_metadata(ctx, new_name))) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
odirfd = local_opendir_nofollow(ctx, olddir->data);
|
||||
if (odirfd == -1) {
|
||||
return -1;
|
||||
@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
|
||||
int ret;
|
||||
int dirfd;
|
||||
|
||||
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
|
||||
+ local_is_mapped_file_metadata(ctx, name)) {
|
||||
+ errno = EINVAL;
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
dirfd = local_opendir_nofollow(ctx, dir->data);
|
||||
if (dirfd == -1) {
|
||||
return -1;
|
||||
--
|
||||
2.13.0
|
||||
|
|
@ -1,41 +0,0 @@
|
|||
Fix CVE-2017-8112:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e
|
||||
|
||||
From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 18:36:23 +0530
|
||||
Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
|
||||
|
||||
A guest could set the message ring page count to zero, resulting in
|
||||
infinite loop. Add check to avoid it.
|
||||
|
||||
Reported-by: YY Z <bigbird475958471@gmail.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 75575461e2..4a106da856 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
uint32_t len_log2;
|
||||
uint32_t ring_size;
|
||||
|
||||
- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
||||
+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
||||
return -1;
|
||||
}
|
||||
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
|
||||
--
|
||||
2.13.0
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
Fix CVE-2017-8309:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a
|
||||
|
||||
From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 28 Apr 2017 09:56:12 +0200
|
||||
Subject: [PATCH] audio: release capture buffers
|
||||
|
||||
AUD_add_capture() allocates two buffers which are never released.
|
||||
Add the missing calls to AUD_del_capture().
|
||||
|
||||
Impact: Allows vnc clients to exhaust host memory by repeatedly
|
||||
starting and stopping audio capture.
|
||||
|
||||
Fixes: CVE-2017-8309
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: Huawei PSIRT <PSIRT@huawei.com>
|
||||
Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20170428075612.9997-1-kraxel@redhat.com
|
||||
---
|
||||
audio/audio.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/audio/audio.c b/audio/audio.c
|
||||
index c8898d8422..beafed209b 100644
|
||||
--- a/audio/audio.c
|
||||
+++ b/audio/audio.c
|
||||
@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
|
||||
sw = sw1;
|
||||
}
|
||||
QLIST_REMOVE (cap, entries);
|
||||
+ g_free (cap->hw.mix_buf);
|
||||
+ g_free (cap->buf);
|
||||
g_free (cap);
|
||||
}
|
||||
return;
|
||||
--
|
||||
2.13.0
|
||||
|
|
@ -1,98 +0,0 @@
|
|||
Fix CVE-2017-8379:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
|
||||
|
||||
From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Fri, 28 Apr 2017 10:42:37 +0200
|
||||
Subject: [PATCH] input: limit kbd queue depth
|
||||
|
||||
Apply a limit to the number of items we accept into the keyboard queue.
|
||||
|
||||
Impact: Without this limit vnc clients can exhaust host memory by
|
||||
sending keyboard events faster than qemu feeds them to the guest.
|
||||
|
||||
Fixes: CVE-2017-8379
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: Huawei PSIRT <PSIRT@huawei.com>
|
||||
Reported-by: jiangxin1@huawei.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 20170428084237.23960-1-kraxel@redhat.com
|
||||
---
|
||||
ui/input.c | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ui/input.c b/ui/input.c
|
||||
index ed88cda6d6..fb1f404095 100644
|
||||
--- a/ui/input.c
|
||||
+++ b/ui/input.c
|
||||
@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
|
||||
QTAILQ_HEAD_INITIALIZER(kbd_queue);
|
||||
static QEMUTimer *kbd_timer;
|
||||
static uint32_t kbd_default_delay_ms = 10;
|
||||
+static uint32_t queue_count;
|
||||
+static uint32_t queue_limit = 1024;
|
||||
|
||||
QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
|
||||
QemuInputHandler *handler)
|
||||
@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
|
||||
break;
|
||||
}
|
||||
QTAILQ_REMOVE(queue, item, node);
|
||||
+ queue_count--;
|
||||
g_free(item);
|
||||
}
|
||||
}
|
||||
@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
|
||||
item->delay_ms = delay_ms;
|
||||
item->timer = timer;
|
||||
QTAILQ_INSERT_TAIL(queue, item, node);
|
||||
+ queue_count++;
|
||||
|
||||
if (start_timer) {
|
||||
timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
|
||||
@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
|
||||
item->src = src;
|
||||
item->evt = evt;
|
||||
QTAILQ_INSERT_TAIL(queue, item, node);
|
||||
+ queue_count++;
|
||||
}
|
||||
|
||||
static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
|
||||
@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
|
||||
|
||||
item->type = QEMU_INPUT_QUEUE_SYNC;
|
||||
QTAILQ_INSERT_TAIL(queue, item, node);
|
||||
+ queue_count++;
|
||||
}
|
||||
|
||||
void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
|
||||
@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
|
||||
qemu_input_event_send(src, evt);
|
||||
qemu_input_event_sync();
|
||||
qapi_free_InputEvent(evt);
|
||||
- } else {
|
||||
+ } else if (queue_count < queue_limit) {
|
||||
qemu_input_queue_event(&kbd_queue, src, evt);
|
||||
qemu_input_queue_sync(&kbd_queue);
|
||||
}
|
||||
@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
|
||||
kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
|
||||
&kbd_queue);
|
||||
}
|
||||
- qemu_input_queue_delay(&kbd_queue, kbd_timer,
|
||||
- delay_ms ? delay_ms : kbd_default_delay_ms);
|
||||
+ if (queue_count < queue_limit) {
|
||||
+ qemu_input_queue_delay(&kbd_queue, kbd_timer,
|
||||
+ delay_ms ? delay_ms : kbd_default_delay_ms);
|
||||
+ }
|
||||
}
|
||||
|
||||
InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
|
||||
--
|
||||
2.13.0
|
||||
|
|
@ -1,53 +0,0 @@
|
|||
Fix CVE-2017-8380:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380
|
||||
|
||||
Patch copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
|
||||
|
||||
From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 24 Apr 2017 17:36:34 +0530
|
||||
Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
|
||||
|
||||
While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
|
||||
an off-by-one error could occur as 's->adp_reset' index is not
|
||||
reset after reading the last sequence.
|
||||
|
||||
Reported-by: YY Z <bigbird475958471@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
hw/scsi/megasas.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index 84b8caf901..804122ab05 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
|
||||
case MFI_SEQ:
|
||||
trace_megasas_mmio_writel("MFI_SEQ", val);
|
||||
/* Magic sequence to start ADP reset */
|
||||
- if (adp_reset_seq[s->adp_reset] == val) {
|
||||
- s->adp_reset++;
|
||||
+ if (adp_reset_seq[s->adp_reset++] == val) {
|
||||
+ if (s->adp_reset == 6) {
|
||||
+ s->adp_reset = 0;
|
||||
+ s->diag = MFI_DIAG_WRITE_ENABLE;
|
||||
+ }
|
||||
} else {
|
||||
s->adp_reset = 0;
|
||||
s->diag = 0;
|
||||
}
|
||||
- if (s->adp_reset == 6) {
|
||||
- s->diag = MFI_DIAG_WRITE_ENABLE;
|
||||
- }
|
||||
break;
|
||||
case MFI_DIAG:
|
||||
trace_megasas_mmio_writel("MFI_DIAG", val);
|
||||
--
|
||||
2.13.0
|
||||
|
|
@ -1,287 +0,0 @@
|
|||
Fix CVE-2017-9524:
|
||||
|
||||
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9524
|
||||
http://seclists.org/oss-sec/2017/q2/454
|
||||
|
||||
Patches copied from upstream source repository:
|
||||
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af
|
||||
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=0c9390d978cbf61e8f16c9f580fa96b305c43568
|
||||
|
||||
From df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Fri, 26 May 2017 22:04:21 -0500
|
||||
Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation
|
||||
|
||||
If a non-NBD client connects to qemu-nbd, we would end up with
|
||||
a SIGSEGV in nbd_client_put() because we were trying to
|
||||
unregister the client's association to the export, even though
|
||||
we skipped inserting the client into that list. Easy trigger
|
||||
in two terminals:
|
||||
|
||||
$ qemu-nbd -p 30001 --format=raw file
|
||||
$ nmap 127.0.0.1 -p 30001
|
||||
|
||||
nmap claims that it thinks it connected to a pago-services1
|
||||
server (which probably means nmap could be updated to learn the
|
||||
NBD protocol and give a more accurate diagnosis of the open
|
||||
port - but that's not our problem), then terminates immediately,
|
||||
so our call to nbd_negotiate() fails. The fix is to reorder
|
||||
nbd_co_client_start() to ensure that all initialization occurs
|
||||
before we ever try talking to a client in nbd_negotiate(), so
|
||||
that the teardown sequence on negotiation failure doesn't fault
|
||||
while dereferencing a half-initialized object.
|
||||
|
||||
While debugging this, I also noticed that nbd_update_server_watch()
|
||||
called by nbd_client_closed() was still adding a channel to accept
|
||||
the next client, even when the state was no longer RUNNING. That
|
||||
is fixed by making nbd_can_accept() pay attention to the current
|
||||
state.
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
|
||||
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
Message-Id: <20170527030421.28366-1-eblake@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
nbd/server.c | 8 +++-----
|
||||
qemu-nbd.c | 2 +-
|
||||
2 files changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/nbd/server.c b/nbd/server.c
|
||||
index ee59e5d234..49b55f6ede 100644
|
||||
--- a/nbd/server.c
|
||||
+++ b/nbd/server.c
|
||||
@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
|
||||
|
||||
if (exp) {
|
||||
nbd_export_get(exp);
|
||||
+ QTAILQ_INSERT_TAIL(&exp->clients, client, next);
|
||||
}
|
||||
+ qemu_co_mutex_init(&client->send_lock);
|
||||
+
|
||||
if (nbd_negotiate(data)) {
|
||||
client_close(client);
|
||||
goto out;
|
||||
}
|
||||
- qemu_co_mutex_init(&client->send_lock);
|
||||
-
|
||||
- if (exp) {
|
||||
- QTAILQ_INSERT_TAIL(&exp->clients, client, next);
|
||||
- }
|
||||
|
||||
nbd_client_receive_next_request(client);
|
||||
|
||||
diff --git a/qemu-nbd.c b/qemu-nbd.c
|
||||
index f60842fd86..651f85ecc1 100644
|
||||
--- a/qemu-nbd.c
|
||||
+++ b/qemu-nbd.c
|
||||
@@ -325,7 +325,7 @@ out:
|
||||
|
||||
static int nbd_can_accept(void)
|
||||
{
|
||||
- return nb_fds < shared;
|
||||
+ return state == RUNNING && nb_fds < shared;
|
||||
}
|
||||
|
||||
static void nbd_export_closed(NBDExport *exp)
|
||||
--
|
||||
2.13.1
|
||||
|
||||
From 0c9390d978cbf61e8f16c9f580fa96b305c43568 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Blake <eblake@redhat.com>
|
||||
Date: Thu, 8 Jun 2017 17:26:17 -0500
|
||||
Subject: [PATCH] nbd: Fix regression on resiliency to port scan
|
||||
|
||||
Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
|
||||
server would not quit, regardless of how many probe connections
|
||||
came and went, until a connection actually negotiated). But we
|
||||
broke that in commit ee7d7aa when removing the return value to
|
||||
nbd_client_new(), although that patch also introduced a bug causing
|
||||
an assertion failure on a client that fails negotiation. We then
|
||||
made it worse during refactoring in commit 1a6245a (a segfault
|
||||
before we could even assert); the (masked) assertion was cleaned
|
||||
up in d3780c2 (still in 2.6), and just recently we finally fixed
|
||||
the segfault ("nbd: Fully intialize client in case of failed
|
||||
negotiation"). But that still means that ever since we added
|
||||
TLS support to qemu-nbd, we have been vulnerable to an ill-timed
|
||||
port-scan being able to cause a denial of service by taking down
|
||||
qemu-nbd before a real client has a chance to connect.
|
||||
|
||||
Since negotiation is now handled asynchronously via coroutines,
|
||||
we no longer have a synchronous point of return by re-adding a
|
||||
return value to nbd_client_new(). So this patch instead wires
|
||||
things up to pass the negotiation status through the close_fn
|
||||
callback function.
|
||||
|
||||
Simple test across two terminals:
|
||||
$ qemu-nbd -f raw -p 30001 file
|
||||
$ nmap 127.0.0.1 -p 30001 && \
|
||||
qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
|
||||
|
||||
Note that this patch does not change what constitutes successful
|
||||
negotiation (thus, a client must enter transmission phase before
|
||||
that client can be considered as a reason to terminate the server
|
||||
when the connection ends). Perhaps we may want to tweak things
|
||||
in a later patch to also treat a client that uses NBD_OPT_ABORT
|
||||
as being a 'successful' negotiation (the client correctly talked
|
||||
the NBD protocol, and informed us it was not going to use our
|
||||
export after all), but that's a discussion for another day.
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
|
||||
|
||||
Signed-off-by: Eric Blake <eblake@redhat.com>
|
||||
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
blockdev-nbd.c | 6 +++++-
|
||||
include/block/nbd.h | 2 +-
|
||||
nbd/server.c | 24 +++++++++++++++---------
|
||||
qemu-nbd.c | 4 ++--
|
||||
4 files changed, 23 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/blockdev-nbd.c b/blockdev-nbd.c
|
||||
index dd0860f4a6..28f551a7b0 100644
|
||||
--- a/blockdev-nbd.c
|
||||
+++ b/blockdev-nbd.c
|
||||
@@ -27,6 +27,10 @@ typedef struct NBDServerData {
|
||||
|
||||
static NBDServerData *nbd_server;
|
||||
|
||||
+static void nbd_blockdev_client_closed(NBDClient *client, bool ignored)
|
||||
+{
|
||||
+ nbd_client_put(client);
|
||||
+}
|
||||
|
||||
static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
|
||||
gpointer opaque)
|
||||
@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition,
|
||||
qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server");
|
||||
nbd_client_new(NULL, cioc,
|
||||
nbd_server->tlscreds, NULL,
|
||||
- nbd_client_put);
|
||||
+ nbd_blockdev_client_closed);
|
||||
object_unref(OBJECT(cioc));
|
||||
return TRUE;
|
||||
}
|
||||
diff --git a/include/block/nbd.h b/include/block/nbd.h
|
||||
index 416257abca..8fa5ce51f3 100644
|
||||
--- a/include/block/nbd.h
|
||||
+++ b/include/block/nbd.h
|
||||
@@ -162,7 +162,7 @@ void nbd_client_new(NBDExport *exp,
|
||||
QIOChannelSocket *sioc,
|
||||
QCryptoTLSCreds *tlscreds,
|
||||
const char *tlsaclname,
|
||||
- void (*close)(NBDClient *));
|
||||
+ void (*close_fn)(NBDClient *, bool));
|
||||
void nbd_client_get(NBDClient *client);
|
||||
void nbd_client_put(NBDClient *client);
|
||||
|
||||
diff --git a/nbd/server.c b/nbd/server.c
|
||||
index 49b55f6ede..f2b1aa47ce 100644
|
||||
--- a/nbd/server.c
|
||||
+++ b/nbd/server.c
|
||||
@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports);
|
||||
|
||||
struct NBDClient {
|
||||
int refcount;
|
||||
- void (*close)(NBDClient *client);
|
||||
+ void (*close_fn)(NBDClient *client, bool negotiated);
|
||||
|
||||
bool no_zeroes;
|
||||
NBDExport *exp;
|
||||
@@ -778,7 +778,7 @@ void nbd_client_put(NBDClient *client)
|
||||
}
|
||||
}
|
||||
|
||||
-static void client_close(NBDClient *client)
|
||||
+static void client_close(NBDClient *client, bool negotiated)
|
||||
{
|
||||
if (client->closing) {
|
||||
return;
|
||||
@@ -793,8 +793,8 @@ static void client_close(NBDClient *client)
|
||||
NULL);
|
||||
|
||||
/* Also tell the client, so that they release their reference. */
|
||||
- if (client->close) {
|
||||
- client->close(client);
|
||||
+ if (client->close_fn) {
|
||||
+ client->close_fn(client, negotiated);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -975,7 +975,7 @@ void nbd_export_close(NBDExport *exp)
|
||||
|
||||
nbd_export_get(exp);
|
||||
QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) {
|
||||
- client_close(client);
|
||||
+ client_close(client, true);
|
||||
}
|
||||
nbd_export_set_name(exp, NULL);
|
||||
nbd_export_set_description(exp, NULL);
|
||||
@@ -1337,7 +1337,7 @@ done:
|
||||
|
||||
out:
|
||||
nbd_request_put(req);
|
||||
- client_close(client);
|
||||
+ client_close(client, true);
|
||||
nbd_client_put(client);
|
||||
}
|
||||
|
||||
@@ -1363,7 +1363,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque)
|
||||
qemu_co_mutex_init(&client->send_lock);
|
||||
|
||||
if (nbd_negotiate(data)) {
|
||||
- client_close(client);
|
||||
+ client_close(client, false);
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -1373,11 +1373,17 @@ out:
|
||||
g_free(data);
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Create a new client listener on the given export @exp, using the
|
||||
+ * given channel @sioc. Begin servicing it in a coroutine. When the
|
||||
+ * connection closes, call @close_fn with an indication of whether the
|
||||
+ * client completed negotiation.
|
||||
+ */
|
||||
void nbd_client_new(NBDExport *exp,
|
||||
QIOChannelSocket *sioc,
|
||||
QCryptoTLSCreds *tlscreds,
|
||||
const char *tlsaclname,
|
||||
- void (*close_fn)(NBDClient *))
|
||||
+ void (*close_fn)(NBDClient *, bool))
|
||||
{
|
||||
NBDClient *client;
|
||||
NBDClientNewData *data = g_new(NBDClientNewData, 1);
|
||||
@@ -1394,7 +1400,7 @@ void nbd_client_new(NBDExport *exp,
|
||||
object_ref(OBJECT(client->sioc));
|
||||
client->ioc = QIO_CHANNEL(sioc);
|
||||
object_ref(OBJECT(client->ioc));
|
||||
- client->close = close_fn;
|
||||
+ client->close_fn = close_fn;
|
||||
|
||||
data->client = client;
|
||||
data->co = qemu_coroutine_create(nbd_co_client_start, data);
|
||||
diff --git a/qemu-nbd.c b/qemu-nbd.c
|
||||
index 651f85ecc1..9464a0461c 100644
|
||||
--- a/qemu-nbd.c
|
||||
+++ b/qemu-nbd.c
|
||||
@@ -336,10 +336,10 @@ static void nbd_export_closed(NBDExport *exp)
|
||||
|
||||
static void nbd_update_server_watch(void);
|
||||
|
||||
-static void nbd_client_closed(NBDClient *client)
|
||||
+static void nbd_client_closed(NBDClient *client, bool negotiated)
|
||||
{
|
||||
nb_fds--;
|
||||
- if (nb_fds == 0 && !persistent && state == RUNNING) {
|
||||
+ if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) {
|
||||
state = TERMINATE;
|
||||
}
|
||||
nbd_update_server_watch();
|
||||
--
|
||||
2.13.1
|
||||
|
|
@ -72,26 +72,14 @@
|
|||
(define-public qemu
|
||||
(package
|
||||
(name "qemu")
|
||||
(version "2.9.0")
|
||||
(version "2.10.0")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
|
||||
(uri (string-append "https://download.qemu.org/qemu-"
|
||||
version ".tar.xz"))
|
||||
(patches (search-patches "qemu-CVE-2017-7493.patch"
|
||||
"qemu-CVE-2017-8112.patch"
|
||||
"qemu-CVE-2017-8309.patch"
|
||||
"qemu-CVE-2017-8379.patch"
|
||||
"qemu-CVE-2017-8380.patch"
|
||||
"qemu-CVE-2017-9524.patch"
|
||||
"qemu-CVE-2017-10664.patch"
|
||||
"qemu-CVE-2017-10806.patch"
|
||||
"qemu-CVE-2017-10911.patch"
|
||||
"qemu-CVE-2017-11334.patch"
|
||||
"qemu-CVE-2017-11434.patch"
|
||||
"qemu-CVE-2017-12809.patch"))
|
||||
(sha256
|
||||
(base32
|
||||
"08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
|
||||
"0dgk7zcni41nf1jp84y0m6dk2nb4frnh571m8hkiv0m4hz4imn2m"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
'(;; Running tests in parallel can occasionally lead to failures, like:
|
||||
|
|
Loading…
Reference in New Issue