gnu: QEMU: Fix CVE-2018-16847 and CVE-2018-16867.
* gnu/packages/patches/qemu-CVE-2018-16847.patch, gnu/packages/patches/qemu-CVE-2018-16867.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/virtualization.scm (qemu)[source]: Use them.master
parent
d553ee8082
commit
e6c28113e6
|
@ -1111,6 +1111,8 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/python-unittest2-remove-argparse.patch \
|
%D%/packages/patches/python-unittest2-remove-argparse.patch \
|
||||||
%D%/packages/patches/python-waitress-fix-tests.patch \
|
%D%/packages/patches/python-waitress-fix-tests.patch \
|
||||||
%D%/packages/patches/qemu-glibc-2.27.patch \
|
%D%/packages/patches/qemu-glibc-2.27.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2018-16847.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2018-16867.patch \
|
||||||
%D%/packages/patches/qt4-ldflags.patch \
|
%D%/packages/patches/qt4-ldflags.patch \
|
||||||
%D%/packages/patches/qtbase-use-TZDIR.patch \
|
%D%/packages/patches/qtbase-use-TZDIR.patch \
|
||||||
%D%/packages/patches/qtscript-disable-tests.patch \
|
%D%/packages/patches/qtscript-disable-tests.patch \
|
||||||
|
|
|
@ -0,0 +1,158 @@
|
||||||
|
Fix CVE-2018-16847:
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce
|
||||||
|
|
||||||
|
From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Date: Tue, 20 Nov 2018 19:41:48 +0100
|
||||||
|
Subject: [PATCH] nvme: fix out-of-bounds access to the CMB
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Because the CMB BAR has a min_access_size of 2, if you read the last
|
||||||
|
byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
|
||||||
|
error. This is CVE-2018-16847.
|
||||||
|
|
||||||
|
Another way to fix this might be to register the CMB as a RAM memory
|
||||||
|
region, which would also be more efficient. However, that might be a
|
||||||
|
change for big-endian machines; I didn't think this through and I don't
|
||||||
|
know how real hardware works. Add a basic testcase for the CMB in case
|
||||||
|
somebody does this change later on.
|
||||||
|
|
||||||
|
Cc: Keith Busch <keith.busch@intel.com>
|
||||||
|
Cc: qemu-block@nongnu.org
|
||||||
|
Reported-by: Li Qiang <liq3ea@gmail.com>
|
||||||
|
Reviewed-by: Li Qiang <liq3ea@gmail.com>
|
||||||
|
Tested-by: Li Qiang <liq3ea@gmail.com>
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
|
||||||
|
---
|
||||||
|
hw/block/nvme.c | 2 +-
|
||||||
|
tests/Makefile.include | 2 +-
|
||||||
|
tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++-------
|
||||||
|
3 files changed, 60 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/block/nvme.c b/hw/block/nvme.c
|
||||||
|
index 28d284346dd..8c35cab2b43 100644
|
||||||
|
--- a/hw/block/nvme.c
|
||||||
|
+++ b/hw/block/nvme.c
|
||||||
|
@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
|
||||||
|
.write = nvme_cmb_write,
|
||||||
|
.endianness = DEVICE_LITTLE_ENDIAN,
|
||||||
|
.impl = {
|
||||||
|
- .min_access_size = 2,
|
||||||
|
+ .min_access_size = 1,
|
||||||
|
.max_access_size = 8,
|
||||||
|
},
|
||||||
|
};
|
||||||
|
diff --git a/tests/Makefile.include b/tests/Makefile.include
|
||||||
|
index 613242bc6ef..fb0b449c02a 100644
|
||||||
|
--- a/tests/Makefile.include
|
||||||
|
+++ b/tests/Makefile.include
|
||||||
|
@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o
|
||||||
|
tests/machine-none-test$(EXESUF): tests/machine-none-test.o
|
||||||
|
tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y)
|
||||||
|
tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y)
|
||||||
|
-tests/nvme-test$(EXESUF): tests/nvme-test.o
|
||||||
|
+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y)
|
||||||
|
tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o
|
||||||
|
tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o
|
||||||
|
tests/ac97-test$(EXESUF): tests/ac97-test.o
|
||||||
|
diff --git a/tests/nvme-test.c b/tests/nvme-test.c
|
||||||
|
index 7674a446e4f..2700ba838aa 100644
|
||||||
|
--- a/tests/nvme-test.c
|
||||||
|
+++ b/tests/nvme-test.c
|
||||||
|
@@ -8,25 +8,73 @@
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "qemu/osdep.h"
|
||||||
|
+#include "qemu/units.h"
|
||||||
|
#include "libqtest.h"
|
||||||
|
+#include "libqos/libqos-pc.h"
|
||||||
|
+
|
||||||
|
+static QOSState *qnvme_start(const char *extra_opts)
|
||||||
|
+{
|
||||||
|
+ QOSState *qs;
|
||||||
|
+ const char *arch = qtest_get_arch();
|
||||||
|
+ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw "
|
||||||
|
+ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s";
|
||||||
|
+
|
||||||
|
+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
|
||||||
|
+ qs = qtest_pc_boot(cmd, extra_opts ? : "");
|
||||||
|
+ global_qtest = qs->qts;
|
||||||
|
+ return qs;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ g_printerr("nvme tests are only available on x86\n");
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void qnvme_stop(QOSState *qs)
|
||||||
|
+{
|
||||||
|
+ qtest_shutdown(qs);
|
||||||
|
+}
|
||||||
|
|
||||||
|
-/* Tests only initialization so far. TODO: Replace with functional tests */
|
||||||
|
static void nop(void)
|
||||||
|
{
|
||||||
|
+ QOSState *qs;
|
||||||
|
+
|
||||||
|
+ qs = qnvme_start(NULL);
|
||||||
|
+ qnvme_stop(qs);
|
||||||
|
}
|
||||||
|
|
||||||
|
-int main(int argc, char **argv)
|
||||||
|
+static void nvmetest_cmb_test(void)
|
||||||
|
{
|
||||||
|
- int ret;
|
||||||
|
+ const int cmb_bar_size = 2 * MiB;
|
||||||
|
+ QOSState *qs;
|
||||||
|
+ QPCIDevice *pdev;
|
||||||
|
+ QPCIBar bar;
|
||||||
|
|
||||||
|
- g_test_init(&argc, &argv, NULL);
|
||||||
|
- qtest_add_func("/nvme/nop", nop);
|
||||||
|
+ qs = qnvme_start("-global nvme.cmb_size_mb=2");
|
||||||
|
+ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
|
||||||
|
+ g_assert(pdev != NULL);
|
||||||
|
+
|
||||||
|
+ qpci_device_enable(pdev);
|
||||||
|
+ bar = qpci_iomap(pdev, 2, NULL);
|
||||||
|
+
|
||||||
|
+ qpci_io_writel(pdev, bar, 0, 0xccbbaa99);
|
||||||
|
+ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99);
|
||||||
|
+ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99);
|
||||||
|
+
|
||||||
|
+ /* Test partially out-of-bounds accesses. */
|
||||||
|
+ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211);
|
||||||
|
+ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11);
|
||||||
|
+ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211);
|
||||||
|
+ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211);
|
||||||
|
+ g_free(pdev);
|
||||||
|
|
||||||
|
- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw "
|
||||||
|
- "-device nvme,drive=drv0,serial=foo");
|
||||||
|
- ret = g_test_run();
|
||||||
|
+ qnvme_stop(qs);
|
||||||
|
+}
|
||||||
|
|
||||||
|
- qtest_end();
|
||||||
|
+int main(int argc, char **argv)
|
||||||
|
+{
|
||||||
|
+ g_test_init(&argc, &argv, NULL);
|
||||||
|
+ qtest_add_func("/nvme/nop", nop);
|
||||||
|
+ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test);
|
||||||
|
|
||||||
|
- return ret;
|
||||||
|
+ return g_test_run();
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
Fix CVE-2018-16867:
|
||||||
|
|
||||||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
|
||||||
|
https://seclists.org/oss-sec/2018/q4/202
|
||||||
|
|
||||||
|
Patch copied from upstream source repository:
|
||||||
|
|
||||||
|
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6
|
||||||
|
|
||||||
|
From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Mon, 3 Dec 2018 11:10:45 +0100
|
||||||
|
Subject: [PATCH] usb-mtp: outlaw slashes in filenames
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Slash is unix directory separator, so they are not allowed in filenames.
|
||||||
|
Note this also stops the classic escape via "../".
|
||||||
|
|
||||||
|
Fixes: CVE-2018-16867
|
||||||
|
Reported-by: Michael Hanselmann <public@hansmi.ch>
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
|
||||||
|
Message-id: 20181203101045.27976-3-kraxel@redhat.com
|
||||||
|
---
|
||||||
|
hw/usb/dev-mtp.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
|
||||||
|
index 0f6a9702ef1..100b7171f4e 100644
|
||||||
|
--- a/hw/usb/dev-mtp.c
|
||||||
|
+++ b/hw/usb/dev-mtp.c
|
||||||
|
@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
|
||||||
|
|
||||||
|
filename = utf16_to_str(dataset->length, dataset->filename);
|
||||||
|
|
||||||
|
+ if (strchr(filename, '/')) {
|
||||||
|
+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
|
||||||
|
+ 0, 0, 0, 0);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
o = usb_mtp_object_lookup_name(p, filename, dataset->length);
|
||||||
|
if (o != NULL) {
|
||||||
|
next_handle = o->handle;
|
||||||
|
--
|
||||||
|
2.19.2
|
||||||
|
|
|
@ -100,6 +100,8 @@
|
||||||
(method url-fetch)
|
(method url-fetch)
|
||||||
(uri (string-append "https://download.qemu.org/qemu-"
|
(uri (string-append "https://download.qemu.org/qemu-"
|
||||||
version ".tar.xz"))
|
version ".tar.xz"))
|
||||||
|
(patches (search-patches "qemu-CVE-2018-16847.patch"
|
||||||
|
"qemu-CVE-2018-16867.patch"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
|
"04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
|
||||||
|
|
Loading…
Reference in New Issue