summaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorRutger Helling <rhelling@mykolab.com>2018-12-12 11:57:36 +0100
committerLeo Famulari <leo@famulari.name>2018-12-13 14:40:52 -0500
commit6b34499dc62a55283dabd04c39f9b4d53fcf13c8 (patch)
treef595185c122240bac5ee02813da5625d760a2e6c /gnu
parent5e741ff0212cc09e086f566493508166f4e2e1b8 (diff)
gnu: qemu: Update to 3.1.0.
* gnu/packages/virtualization.scm (qemu): Update to 3.1.0. [source]: Remove obsolete patches. * gnu/packages/patches/qemu-CVE-2018-16847.patch, gnu/packages/patches/qemu-CVE-2018-16867.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk2
-rw-r--r--gnu/packages/patches/qemu-CVE-2018-16847.patch158
-rw-r--r--gnu/packages/patches/qemu-CVE-2018-16867.patch49
-rw-r--r--gnu/packages/virtualization.scm6
4 files changed, 2 insertions, 213 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index 4f2437befa..0f34ec9a3d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1112,8 +1112,6 @@ dist_patch_DATA = \
%D%/packages/patches/python-unittest2-remove-argparse.patch \
%D%/packages/patches/python-waitress-fix-tests.patch \
%D%/packages/patches/qemu-glibc-2.27.patch \
- %D%/packages/patches/qemu-CVE-2018-16847.patch \
- %D%/packages/patches/qemu-CVE-2018-16867.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtbase-use-TZDIR.patch \
%D%/packages/patches/qtscript-disable-tests.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch
deleted file mode 100644
index c76bdf764a..0000000000
--- a/gnu/packages/patches/qemu-CVE-2018-16847.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-Fix CVE-2018-16847:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce
-
-From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue, 20 Nov 2018 19:41:48 +0100
-Subject: [PATCH] nvme: fix out-of-bounds access to the CMB
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Because the CMB BAR has a min_access_size of 2, if you read the last
-byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
-error. This is CVE-2018-16847.
-
-Another way to fix this might be to register the CMB as a RAM memory
-region, which would also be more efficient. However, that might be a
-change for big-endian machines; I didn't think this through and I don't
-know how real hardware works. Add a basic testcase for the CMB in case
-somebody does this change later on.
-
-Cc: Keith Busch <keith.busch@intel.com>
-Cc: qemu-block@nongnu.org
-Reported-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Tested-by: Li Qiang <liq3ea@gmail.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/block/nvme.c | 2 +-
- tests/Makefile.include | 2 +-
- tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++-------
- 3 files changed, 60 insertions(+), 12 deletions(-)
-
-diff --git a/hw/block/nvme.c b/hw/block/nvme.c
-index 28d284346dd..8c35cab2b43 100644
---- a/hw/block/nvme.c
-+++ b/hw/block/nvme.c
-@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
- .write = nvme_cmb_write,
- .endianness = DEVICE_LITTLE_ENDIAN,
- .impl = {
-- .min_access_size = 2,
-+ .min_access_size = 1,
- .max_access_size = 8,
- },
- };
-diff --git a/tests/Makefile.include b/tests/Makefile.include
-index 613242bc6ef..fb0b449c02a 100644
---- a/tests/Makefile.include
-+++ b/tests/Makefile.include
-@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o
- tests/machine-none-test$(EXESUF): tests/machine-none-test.o
- tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y)
- tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y)
--tests/nvme-test$(EXESUF): tests/nvme-test.o
-+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y)
- tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o
- tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o
- tests/ac97-test$(EXESUF): tests/ac97-test.o
-diff --git a/tests/nvme-test.c b/tests/nvme-test.c
-index 7674a446e4f..2700ba838aa 100644
---- a/tests/nvme-test.c
-+++ b/tests/nvme-test.c
-@@ -8,25 +8,73 @@
- */
-
- #include "qemu/osdep.h"
-+#include "qemu/units.h"
- #include "libqtest.h"
-+#include "libqos/libqos-pc.h"
-+
-+static QOSState *qnvme_start(const char *extra_opts)
-+{
-+ QOSState *qs;
-+ const char *arch = qtest_get_arch();
-+ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw "
-+ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s";
-+
-+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
-+ qs = qtest_pc_boot(cmd, extra_opts ? : "");
-+ global_qtest = qs->qts;
-+ return qs;
-+ }
-+
-+ g_printerr("nvme tests are only available on x86\n");
-+ exit(EXIT_FAILURE);
-+}
-+
-+static void qnvme_stop(QOSState *qs)
-+{
-+ qtest_shutdown(qs);
-+}
-
--/* Tests only initialization so far. TODO: Replace with functional tests */
- static void nop(void)
- {
-+ QOSState *qs;
-+
-+ qs = qnvme_start(NULL);
-+ qnvme_stop(qs);
- }
-
--int main(int argc, char **argv)
-+static void nvmetest_cmb_test(void)
- {
-- int ret;
-+ const int cmb_bar_size = 2 * MiB;
-+ QOSState *qs;
-+ QPCIDevice *pdev;
-+ QPCIBar bar;
-
-- g_test_init(&argc, &argv, NULL);
-- qtest_add_func("/nvme/nop", nop);
-+ qs = qnvme_start("-global nvme.cmb_size_mb=2");
-+ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
-+ g_assert(pdev != NULL);
-+
-+ qpci_device_enable(pdev);
-+ bar = qpci_iomap(pdev, 2, NULL);
-+
-+ qpci_io_writel(pdev, bar, 0, 0xccbbaa99);
-+ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99);
-+ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99);
-+
-+ /* Test partially out-of-bounds accesses. */
-+ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211);
-+ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11);
-+ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211);
-+ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211);
-+ g_free(pdev);
-
-- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw "
-- "-device nvme,drive=drv0,serial=foo");
-- ret = g_test_run();
-+ qnvme_stop(qs);
-+}
-
-- qtest_end();
-+int main(int argc, char **argv)
-+{
-+ g_test_init(&argc, &argv, NULL);
-+ qtest_add_func("/nvme/nop", nop);
-+ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test);
-
-- return ret;
-+ return g_test_run();
- }
---
-2.19.2
-
diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch
deleted file mode 100644
index 1403d8e0f8..0000000000
--- a/gnu/packages/patches/qemu-CVE-2018-16867.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Fix CVE-2018-16867:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
-https://seclists.org/oss-sec/2018/q4/202
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6
-
-From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Mon, 3 Dec 2018 11:10:45 +0100
-Subject: [PATCH] usb-mtp: outlaw slashes in filenames
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Slash is unix directory separator, so they are not allowed in filenames.
-Note this also stops the classic escape via "../".
-
-Fixes: CVE-2018-16867
-Reported-by: Michael Hanselmann <public@hansmi.ch>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20181203101045.27976-3-kraxel@redhat.com
----
- hw/usb/dev-mtp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 0f6a9702ef1..100b7171f4e 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
-
- filename = utf16_to_str(dataset->length, dataset->filename);
-
-+ if (strchr(filename, '/')) {
-+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
-+ 0, 0, 0, 0);
-+ return;
-+ }
-+
- o = usb_mtp_object_lookup_name(p, filename, dataset->length);
- if (o != NULL) {
- next_handle = o->handle;
---
-2.19.2
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 0502bb38c4..8e361558bf 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -95,16 +95,14 @@
(define-public qemu
(package
(name "qemu")
- (version "3.0.0")
+ (version "3.1.0")
(source (origin
(method url-fetch)
(uri (string-append "https://download.qemu.org/qemu-"
version ".tar.xz"))
- (patches (search-patches "qemu-CVE-2018-16847.patch"
- "qemu-CVE-2018-16867.patch"))
(sha256
(base32
- "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
+ "1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like: