diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2018-16847.patch | 158 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2018-16867.patch | 49 |
2 files changed, 0 insertions, 207 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch deleted file mode 100644 index c76bdf764a..0000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16847.patch +++ /dev/null @@ -1,158 +0,0 @@ -Fix CVE-2018-16847: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce - -From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Tue, 20 Nov 2018 19:41:48 +0100 -Subject: [PATCH] nvme: fix out-of-bounds access to the CMB -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Because the CMB BAR has a min_access_size of 2, if you read the last -byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one -error. This is CVE-2018-16847. - -Another way to fix this might be to register the CMB as a RAM memory -region, which would also be more efficient. However, that might be a -change for big-endian machines; I didn't think this through and I don't -know how real hardware works. Add a basic testcase for the CMB in case -somebody does this change later on. - -Cc: Keith Busch <keith.busch@intel.com> -Cc: qemu-block@nongnu.org -Reported-by: Li Qiang <liq3ea@gmail.com> -Reviewed-by: Li Qiang <liq3ea@gmail.com> -Tested-by: Li Qiang <liq3ea@gmail.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Signed-off-by: Kevin Wolf <kwolf@redhat.com> ---- - hw/block/nvme.c | 2 +- - tests/Makefile.include | 2 +- - tests/nvme-test.c | 68 +++++++++++++++++++++++++++++++++++------- - 3 files changed, 60 insertions(+), 12 deletions(-) - -diff --git a/hw/block/nvme.c b/hw/block/nvme.c -index 28d284346dd..8c35cab2b43 100644 ---- a/hw/block/nvme.c -+++ b/hw/block/nvme.c -@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = { - .write = nvme_cmb_write, - .endianness = DEVICE_LITTLE_ENDIAN, - .impl = { -- .min_access_size = 2, -+ .min_access_size = 1, - .max_access_size = 8, - }, - }; -diff --git a/tests/Makefile.include b/tests/Makefile.include -index 613242bc6ef..fb0b449c02a 100644 ---- a/tests/Makefile.include -+++ b/tests/Makefile.include -@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o - tests/machine-none-test$(EXESUF): tests/machine-none-test.o - tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y) - tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y) --tests/nvme-test$(EXESUF): tests/nvme-test.o -+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y) - tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o - tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o - tests/ac97-test$(EXESUF): tests/ac97-test.o -diff --git a/tests/nvme-test.c b/tests/nvme-test.c -index 7674a446e4f..2700ba838aa 100644 ---- a/tests/nvme-test.c -+++ b/tests/nvme-test.c -@@ -8,25 +8,73 @@ - */ - - #include "qemu/osdep.h" -+#include "qemu/units.h" - #include "libqtest.h" -+#include "libqos/libqos-pc.h" -+ -+static QOSState *qnvme_start(const char *extra_opts) -+{ -+ QOSState *qs; -+ const char *arch = qtest_get_arch(); -+ const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw " -+ "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s"; -+ -+ if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) { -+ qs = qtest_pc_boot(cmd, extra_opts ? : ""); -+ global_qtest = qs->qts; -+ return qs; -+ } -+ -+ g_printerr("nvme tests are only available on x86\n"); -+ exit(EXIT_FAILURE); -+} -+ -+static void qnvme_stop(QOSState *qs) -+{ -+ qtest_shutdown(qs); -+} - --/* Tests only initialization so far. TODO: Replace with functional tests */ - static void nop(void) - { -+ QOSState *qs; -+ -+ qs = qnvme_start(NULL); -+ qnvme_stop(qs); - } - --int main(int argc, char **argv) -+static void nvmetest_cmb_test(void) - { -- int ret; -+ const int cmb_bar_size = 2 * MiB; -+ QOSState *qs; -+ QPCIDevice *pdev; -+ QPCIBar bar; - -- g_test_init(&argc, &argv, NULL); -- qtest_add_func("/nvme/nop", nop); -+ qs = qnvme_start("-global nvme.cmb_size_mb=2"); -+ pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0)); -+ g_assert(pdev != NULL); -+ -+ qpci_device_enable(pdev); -+ bar = qpci_iomap(pdev, 2, NULL); -+ -+ qpci_io_writel(pdev, bar, 0, 0xccbbaa99); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99); -+ -+ /* Test partially out-of-bounds accesses. */ -+ qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211); -+ g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11); -+ g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211); -+ g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211); -+ g_free(pdev); - -- qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw " -- "-device nvme,drive=drv0,serial=foo"); -- ret = g_test_run(); -+ qnvme_stop(qs); -+} - -- qtest_end(); -+int main(int argc, char **argv) -+{ -+ g_test_init(&argc, &argv, NULL); -+ qtest_add_func("/nvme/nop", nop); -+ qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test); - -- return ret; -+ return g_test_run(); - } --- -2.19.2 - diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch deleted file mode 100644 index 1403d8e0f8..0000000000 --- a/gnu/packages/patches/qemu-CVE-2018-16867.patch +++ /dev/null @@ -1,49 +0,0 @@ -Fix CVE-2018-16867: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867 -https://seclists.org/oss-sec/2018/q4/202 - -Patch copied from upstream source repository: - -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6 - -From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Mon, 3 Dec 2018 11:10:45 +0100 -Subject: [PATCH] usb-mtp: outlaw slashes in filenames -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Slash is unix directory separator, so they are not allowed in filenames. -Note this also stops the classic escape via "../". - -Fixes: CVE-2018-16867 -Reported-by: Michael Hanselmann <public@hansmi.ch> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Message-id: 20181203101045.27976-3-kraxel@redhat.com ---- - hw/usb/dev-mtp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 0f6a9702ef1..100b7171f4e 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s) - - filename = utf16_to_str(dataset->length, dataset->filename); - -+ if (strchr(filename, '/')) { -+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, -+ 0, 0, 0, 0); -+ return; -+ } -+ - o = usb_mtp_object_lookup_name(p, filename, dataset->length); - if (o != NULL) { - next_handle = o->handle; --- -2.19.2 - |