| author | Marius Bakke <mbakke@fastmail.com> | 2020-05-08 21:43:04 +0200 |
|---|---|---|
| committer | Marius Bakke <mbakke@fastmail.com> | 2020-05-08 21:43:04 +0200 |
| commit | 35c43fcdbb408a5755efebc13241dd9082360aa1 (patch) | |
| tree | 4ad992d7abf0888cfc4ab9ac0930a0680f8ca61b /gnu/packages/patches/qemu-CVE-2020-1711.patch | |
| parent | 4bdf4182fe080c3409f6ef9b410146b67cfa2595 (diff) | |
gnu: QEMU: Update to 5.0.0.
* gnu/packages/patches/qemu-CVE-2020-1711.patch,
gnu/packages/patches/qemu-CVE-2020-7039.patch,
gnu/packages/patches/qemu-CVE-2020-7211.patch,
gnu/packages/patches/qemu-CVE-2020-8608.patch,
gnu/packages/patches/qemu-fix-documentation-build-failure.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/virtualization.scm (qemu)[source](patches): Remove.
[arguments]: Add phase 'patch-/bin/sh-references'. In the 'configure' phase,
add shebang substitutions. Remove phase 'prevent-network-configuration'.
[inputs]: Change from LIBCAP to LIBCAP-NG.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2020-1711.patch')
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2020-1711.patch | 69 |
1 files changed, 0 insertions, 69 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2020-1711.patch b/gnu/packages/patches/qemu-CVE-2020-1711.patch deleted file mode 100644 index 32d04f61dd..0000000000 --- a/gnu/packages/patches/qemu-CVE-2020-1711.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -Fix CVE-2020-1711: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1711 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc - -From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001 -From: Felipe Franciosi <felipe@nutanix.com> -Date: Thu, 23 Jan 2020 12:44:59 +0000 -Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) - -When querying an iSCSI server for the provisioning status of blocks (via -GET LBA STATUS), Qemu only validates that the response descriptor zero's -LBA matches the one requested. Given the SCSI spec allows servers to -respond with the status of blocks beyond the end of the LUN, Qemu may -have its heap corrupted by clearing/setting too many bits at the end of -its allocmap for the LUN. - -A malicious guest in control of the iSCSI server could carefully program -Qemu's heap (by selectively setting the bitmap) and then smash it. - -This limits the number of bits that iscsi_co_block_status() will try to -update in the allocmap so it can't overflow the bitmap. 
- -Fixes: CVE-2020-1711 -Cc: qemu-stable@nongnu.org -Signed-off-by: Felipe Franciosi <felipe@nutanix.com> -Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com> -Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com> -Signed-off-by: Kevin Wolf <kwolf@redhat.com> ---- - block/iscsi.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/block/iscsi.c b/block/iscsi.c -index 2aea7e3f13..cbd57294ab 100644 ---- a/block/iscsi.c -+++ b/block/iscsi.c -@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, - struct scsi_get_lba_status *lbas = NULL; - struct scsi_lba_status_descriptor *lbasd = NULL; - struct IscsiTask iTask; -- uint64_t lba; -+ uint64_t lba, max_bytes; - int ret; - - iscsi_co_init_iscsitask(iscsilun, &iTask); -@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, - } - - lba = offset / iscsilun->block_size; -+ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size; - - qemu_mutex_lock(&iscsilun->mutex); - retry: -@@ -764,7 +765,7 @@ retry: - goto out_unlock; - } - -- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; -+ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes); - - if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || - lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) { --- -2.25.0 - |
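Review bot: Deleting this patch file is only correct if the QEMU 5.0.0 tarball already contains upstream commit 693fd2acdf14dd86c0bf852610f1c2cca80a74dc (the `MIN(..., max_bytes)` cap in `iscsi_co_block_status()`), and the commit message records neither that check nor the CVE identifiers being dropped. Please add a line to the message noting that CVE-2020-1711 (and the other three CVE patches removed here) are fixed in the 5.0.0 release, verified for example with `git tag --contains 693fd2acdf14dd86c0bf852610f1c2cca80a74dc` in the QEMU tree, so that the security provenance survives once the patch files are gone from the repository.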