Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qemu for openSUSE:Factory checked in at 2021-10-29 22:32:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qemu (Old) and /work/SRC/openSUSE:Factory/.qemu.new.1890 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qemu" Fri Oct 29 22:32:58 2021 rev:214 rq:927619 version:unknown Changes: -------- --- /work/SRC/openSUSE:Factory/qemu/qemu.changes 2021-10-20 20:23:00.361330731 +0200 +++ /work/SRC/openSUSE:Factory/.qemu.new.1890/qemu.changes 2021-10-29 22:33:03.367655444 +0200 @@ -1,0 +2,11 @@ +Tue Oct 26 20:53:59 UTC 2021 - Jos?? Ricardo Ziviani <jose.zivi...@suse.com> + +- qemu: virtio-net: heap use-after-free in virtio_net_receive_rcu + (bsc#1189938 CVE-2021-3748) + solved by virtio-net-fix-use-after-unmap-free-for-.patch +- kvm,qemu: out-of-bounds write in UAS (USB Attached SCSI) device emulation + (bsc#1189702 CVE-2021-3713) +* Patches added: + uas-add-stream-number-sanity-checks.patch + +------------------------------------------------------------------- New: ---- uas-add-stream-number-sanity-checks.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qemu.spec ++++++ --- /var/tmp/diff_new_pack.QVyXqo/_old 2021-10-29 22:33:05.203656137 +0200 +++ /var/tmp/diff_new_pack.QVyXqo/_new 2021-10-29 22:33:05.207656138 +0200 @@ -1,5 +1,5 @@ # -# spec file for package qemu +# spec file # # Copyright (c) 2021 SUSE LLC # @@ -195,6 +195,7 @@ Patch00060: virtio-mem-pci-Fix-memory-leak-when-crea.patch Patch00061: vhost-vsock-fix-migration-issue-when-seq.patch Patch00062: block-introduce-max_hw_iov-for-use-in-sc.patch +Patch00063: uas-add-stream-number-sanity-checks.patch # Patches applied in roms/seabios/: Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch 
@@ -1148,6 +1149,7 @@ %patch00060 -p1 %patch00061 -p1 %patch00062 -p1 +%patch00063 -p1 %patch01000 -p1 %patch01001 -p1 %patch01002 -p1 ++++++ bundles.tar.xz ++++++ Binary files old/f9baca549e44791be0dd98de15add3d8452a8af0.bundle and new/f9baca549e44791be0dd98de15add3d8452a8af0.bundle differ Binary files old/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/666c3280cc11dc433c303d79a83d4ffbdd12cc8d.bundle and new/roms/edk2/BaseTools/Source/C/BrotliCompress/brotli/666c3280cc11dc433c303d79a83d4ffbdd12cc8d.bundle differ Binary files old/roms/ipxe/4bd064de239dab2426b31c9789a1f4d78087dc63.bundle and new/roms/ipxe/4bd064de239dab2426b31c9789a1f4d78087dc63.bundle differ Binary files old/roms/qboot/a5300c4949b8d4de2d34bedfaed66793f48ec948.bundle and new/roms/qboot/a5300c4949b8d4de2d34bedfaed66793f48ec948.bundle differ Binary files old/roms/seabios/155821a1990b6de78dde5f98fa5ab90e802021e0.bundle and new/roms/seabios/155821a1990b6de78dde5f98fa5ab90e802021e0.bundle differ Binary files old/roms/sgabios/cbaee52287e5f32373181cff50a00b6c4ac9015a.bundle and new/roms/sgabios/cbaee52287e5f32373181cff50a00b6c4ac9015a.bundle differ ++++++ uas-add-stream-number-sanity-checks.patch ++++++ From: Gerd Hoffmann <kra...@redhat.com> Date: Wed, 18 Aug 2021 14:05:05 +0200 Subject: uas: add stream number sanity checks. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Git-commit: 13b250b12ad3c59114a6a17d59caf073ce45b33a References: bsc#1189702 CVE-2021-3713 The device uses the guest-supplied stream number unchecked, which can lead to guest-triggered out-of-band access to the UASDevice->data3 and UASDevice->status3 fields. Add the missing checks. Fixes: CVE-2021-3713 Signed-off-by: Gerd Hoffmann <kra...@redhat.com> Reported-by: Chen Zhe <chen...@huawei.com> Reported-by: Tan Jingguo <tanjing...@huawei.com> Reviewed-by: Philippe Mathieu-Daud?? <phi...@redhat.com> Message-Id: <20210818120505.1258262-2-kra...@redhat.com> 
Signed-off-by: Jose R Ziviani <jose.zivi...@suse.com> --- hw/usb/dev-uas.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/hw/usb/dev-uas.c b/hw/usb/dev-uas.c index 263056231c794735c29584e821a8..f6309a5ebfdcc84f81945dd04be0 100644 --- a/hw/usb/dev-uas.c +++ b/hw/usb/dev-uas.c @@ -840,6 +840,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) } break; case UAS_PIPE_ID_STATUS: + if (p->stream > UAS_MAX_STREAMS) { + goto err_stream; + } if (p->stream) { QTAILQ_FOREACH(st, &uas->results, next) { if (st->stream == p->stream) { @@ -867,6 +870,9 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) break; case UAS_PIPE_ID_DATA_IN: case UAS_PIPE_ID_DATA_OUT: + if (p->stream > UAS_MAX_STREAMS) { + goto err_stream; + } if (p->stream) { req = usb_uas_find_request(uas, p->stream); } else { @@ -902,6 +908,11 @@ static void usb_uas_handle_data(USBDevice *dev, USBPacket *p) p->status = USB_RET_STALL; break; } + +err_stream: + error_report("%s: invalid stream %d", __func__, p->stream); + p->status = USB_RET_STALL; + return; } static void usb_uas_unrealize(USBDevice *dev) ++++++ vhost-vsock-fix-migration-issue-when-seq.patch ++++++ --- /var/tmp/diff_new_pack.QVyXqo/_old 2021-10-29 22:33:05.767656350 +0200 +++ /var/tmp/diff_new_pack.QVyXqo/_new 2021-10-29 22:33:05.767656350 +0200 @@ -56,7 +56,10 @@ { VHostVSockCommon *vvc = VHOST_VSOCK_COMMON(vdev); + VHostVSock *vsock = VHOST_VSOCK(vdev); -+ + +- virtio_add_feature(&requested_features, VIRTIO_VSOCK_F_SEQPACKET); +- return vhost_get_features(&vvc->vhost_dev, feature_bits, +- requested_features); + if (vsock->seqpacket != ON_OFF_AUTO_OFF) { + virtio_add_feature(&requested_features, VIRTIO_VSOCK_F_SEQPACKET); + } 
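Review bot: in the UAS_PIPE_ID_STATUS hunk (`@@ -840,6 +840,9 @@`) the bound `if (p->stream > UAS_MAX_STREAMS)` still accepts stream == UAS_MAX_STREAMS, so it is only correct if UASDevice->status3 and UASDevice->data3 (the fields the commit message says the unchecked stream number indexes) are declared with UAS_MAX_STREAMS + 1 entries; please confirm that against the struct definition, or change the comparison to `>=` if they hold exactly UAS_MAX_STREAMS entries.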
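Review bot: the UAS_PIPE_ID_DATA_IN/UAS_PIPE_ID_DATA_OUT hunk (`@@ -867,6 +870,9 @@`) repeats the identical three-line check from the status case; a single check on p->stream ahead of the switch would leave one place to maintain, and if the command pipe deliberately skips it, a short comment there saying why would help the next reader.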
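Review bot: in the last hunk (`@@ -902,6 +908,11 @@`) the new `err_stream:` label is placed directly after the switch's closing brace with no `return;` in between, and the visible case exits the switch with `break;`, so a packet that was handled successfully falls into the label, logs "invalid stream" and has its status overwritten with USB_RET_STALL; insert `return;` before the blank line and the label. Separately, because the stream number comes from the guest, `error_report()` here lets a guest flood the host log; `qemu_log_mask(LOG_GUEST_ERROR, ...)` is the usual choice for guest-triggered conditions.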
@@ -68,10 +71,7 @@ + !virtio_has_feature(requested_features, VIRTIO_VSOCK_F_SEQPACKET)) { + error_setg(errp, "vhost-vsock backend doesn't support seqpacket"); + } - -- virtio_add_feature(&requested_features, VIRTIO_VSOCK_F_SEQPACKET); -- return vhost_get_features(&vvc->vhost_dev, feature_bits, -- requested_features); ++ + return requested_features; } ++++++ virtio-net-fix-use-after-unmap-free-for-.patch ++++++ --- /var/tmp/diff_new_pack.QVyXqo/_old 2021-10-29 22:33:05.779656354 +0200 +++ /var/tmp/diff_new_pack.QVyXqo/_new 2021-10-29 22:33:05.783656356 +0200 @@ -3,6 +3,7 @@ Subject: virtio-net: fix use after unmap/free for sg Git-commit: bedd7e93d01961fcb16a97ae45d93acf357e11f6 +References: CVE-2021-3748 1189938 When mergeable buffer is enabled, we try to set the num_buffers after the virtqueue elem has been unmapped. This will lead several issues,
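Review bot: the vhost-vsock refresh only relocates the embedded patch's three `-` lines (the unconditional virtio_add_feature and the early return) from the `@@ -68,10 +71,7 @@` hunk into the `@@ -56,7 +56,10 @@` hunk and swaps a blank `+` line, so no code change results; the changelog at the top, however, lists only the new uas patch, so a one-line entry noting that this patch was refreshed would make the rebase visible to anyone reading the package history.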
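Review bot: the header added to the virtio-net patch, `References: CVE-2021-3748 1189938`, drops the `bsc#` prefix that both the changelog entry (`bsc#1189938 CVE-2021-3748`) and the uas patch header (`References: bsc#1189702 CVE-2021-3713`) use; write it as `References: bsc#1189938 CVE-2021-3748` so the bug reference is formatted consistently and picked up by tooling that keys on the prefix.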