Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: m...@tls.msk.ru

These are various low-severity qemu issues; since quite a few of them have
piled up, it makes sense to bundle them into a single stable update.
Debdiff below.

Cheers,
        Moritz

diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog      2020-07-24 14:00:34.000000000 +0200
+++ qemu-3.1+dfsg/debian/changelog      2022-02-15 18:53:24.000000000 +0100
@@ -1,3 +1,34 @@
+qemu (1:3.1+dfsg-8+deb10u9) buster; urgency=medium
+
+  * CVE-2021-3930
+  * CVE-2021-3748 (Closes: #993401)
+  * CVE-2021-3713 (Closes: #992727)
+  * CVE-2021-3682 (Closes: #991911)
+  * CVE-2021-3608 (Closes: #990563)
+  * CVE-2021-3607 (Closes: #990564)
+  * CVE-2021-3582 (Closes: #990565)
+  * CVE-2021-3527 (Closes: #988157)
+  * CVE-2021-3392 (Closes: #984449)
+  * CVE-2021-20257 (Closes: #984450)
+  * CVE-2021-20221
+  * CVE-2021-20203 (Closes: #984452)
+  * CVE-2021-20196 (Closes: #984453)
+  * CVE-2021-20181
+  * CVE-2020-35505 (Closes: #979679)
+  * CVE-2020-35504 (Closes: #979679)
+  * CVE-2020-27617 (Closes: #973324)
+  * CVE-2020-25723 (Closes: #975276)
+  * CVE-2020-25624 (Closes: #970541)
+  * CVE-2020-25625 (Closes: #970542)
+  * CVE-2020-25085 (Closes: #970540)
+  * CVE-2020-25084 (Closes: #970539)
+  * CVE-2020-15859 (Closes: #965978)
+  * CVE-2020-13253 (Closes: #961297)
+  * None of the slirp changes got backported to 3.1, if you use it you should
+    really upgrade to the version of qemu in bullseye
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Tue, 15 Feb 2022 18:53:24 +0100
+
 qemu (1:3.1+dfsg-8+deb10u8) buster-security; urgency=medium
 
   * mention fixing of CVE-2020-13765 in 3.1+dfsg-8+deb10u6
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-13253.patch   2022-02-01 
16:26:24.000000000 +0100
@@ -0,0 +1,80 @@
+790762e5487114341cccc5bffcec4cb3c022c3cd / CVE-2020-13253
+
+--- qemu-3.1+dfsg.orig/hw/sd/sd.c
++++ qemu-3.1+dfsg/hw/sd/sd.c
+@@ -1149,12 +1149,14 @@ static sd_rsp_type_t sd_normal_command(S
+     case 17:  /* CMD17:  READ_SINGLE_BLOCK */
+         switch (sd->state) {
+         case sd_transfer_state:
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_sendingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+-
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             return sd_r1;
+ 
+         default:
+@@ -1165,12 +1167,14 @@ static sd_rsp_type_t sd_normal_command(S
+     case 18:  /* CMD18:  READ_MULTIPLE_BLOCK */
+         switch (sd->state) {
+         case sd_transfer_state:
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_sendingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+-
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             return sd_r1;
+ 
+         default:
+@@ -1210,13 +1214,17 @@ static sd_rsp_type_t sd_normal_command(S
+             /* Writing in SPI mode not implemented.  */
+             if (sd->spi)
+                 break;
++
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_receivingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+             sd->blk_written = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             if (sd_wp_addr(sd, sd->data_start))
+                 sd->card_status |= WP_VIOLATION;
+             if (sd->csd[14] & 0x30)
+@@ -1234,13 +1242,17 @@ static sd_rsp_type_t sd_normal_command(S
+             /* Writing in SPI mode not implemented.  */
+             if (sd->spi)
+                 break;
++
++            if (addr + sd->blk_len > sd->size) {
++                sd->card_status |= ADDRESS_ERROR;
++                return sd_r1;
++            }
++
+             sd->state = sd_receivingdata_state;
+             sd->data_start = addr;
+             sd->data_offset = 0;
+             sd->blk_written = 0;
+ 
+-            if (sd->data_start + sd->blk_len > sd->size)
+-                sd->card_status |= ADDRESS_ERROR;
+             if (sd_wp_addr(sd, sd->data_start))
+                 sd->card_status |= WP_VIOLATION;
+             if (sd->csd[14] & 0x30)
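Review bot: The new guard validates only the first block of a transfer; for CMD18 and CMD25 the card keeps advancing `data_start` by `blk_len` per block in sd_read_data()/sd_write_data(), which sit outside this hunk, so confirm those paths keep their own end-of-card check, otherwise a multi-block transfer that passes here can still run past `sd->size` later. The reason for moving the check ahead of the state change is also unstated; I would add `/* reject before entering the data state so a later data phase never sees an out-of-range data_start */` at the first site. As a style point, the bare `<hash> / CVE` header could be DEP-3 (`Origin: upstream, commit 790762e5487114341cccc5bffcec4cb3c022c3cd` and `Bug-Debian: #961297`) so tooling can track the backport. sd_normal_command() starts and ends outside the hunk.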
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-15859.patch   2022-02-01 
16:31:48.000000000 +0100
@@ -0,0 +1,14 @@
+22dc8663d9fc7baa22100544c600b6285a63c7a3 / CVE-2020-15859
+
+--- qemu-3.1+dfsg.orig/net/queue.c
++++ qemu-3.1+dfsg/net/queue.c
+@@ -250,6 +250,9 @@ void qemu_net_queue_purge(NetQueue *queu
+ 
+ bool qemu_net_queue_flush(NetQueue *queue)
+ {
++    if (queue->delivering)
++        return false;
++
+     while (!QTAILQ_EMPTY(&queue->packets)) {
+         NetPacket *packet;
+         int ret;
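Review bot: The added early return is brace-less, which QEMU's coding style forbids even for a single statement; write it as `if (queue->delivering) {` / `    return false;` / `}`. Returning false also tells the caller the queue could not be emptied, and if qemu_flush_or_purge_queued_packets() (outside this hunk) still purges on a false return, a flush that merely re-entered during delivery may now drop the remaining packets, which deserves a comment if intended. A short why-comment at the check would help: `/* refuse a re-entrant flush: we are already inside the deliver loop below */`. qemu_net_queue_flush() continues past the end of the hunk.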
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25084.patch   2022-02-01 
16:36:57.000000000 +0100
@@ -0,0 +1,16 @@
+21bc31524e8ca487e976f713b878d7338ee00df2 / CVE-2020-25084
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-xhci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-xhci.c
+@@ -1607,7 +1607,10 @@ static int xhci_setup_packet(XHCITransfe
+     xhci_xfer_create_sgl(xfer, dir == USB_TOKEN_IN); /* Also sets int_req */
+     usb_packet_setup(&xfer->packet, dir, ep, xfer->streamid,
+                      xfer->trbs[0].addr, false, xfer->int_req);
+-    usb_packet_map(&xfer->packet, &xfer->sgl);
++    if (usb_packet_map(&xfer->packet, &xfer->sgl)) {
++        qemu_sglist_destroy(&xfer->sgl);
++        return -1;
++    }
+     DPRINTF("xhci: setup packet pid 0x%x addr %d ep %d\n",
+             xfer->packet.pid, ep->dev->addr, ep->nr);
+     return 0;
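Review bot: The new failure path destroys `xfer->sgl` but leaves `xfer->packet` in whatever state usb_packet_setup() put it in and hands -1 to callers outside this hunk, so confirm every caller of xhci_setup_packet() checks for a negative return; one that does not would run the transfer on a destroyed scatter list. If qemu_sglist_destroy() zeroes the list, a later unmap of the same transfer is harmless, but that reliance is silent; a comment would make it explicit: `/* sgl is zeroed by destroy, so a later xhci_xfer_unmap() on this xfer is a no-op */`. xhci_setup_packet() starts before the hunk.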
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25085.patch   2022-02-01 
16:41:15.000000000 +0100
@@ -0,0 +1,13 @@
+dfba99f17feb6d4a129da19d38df1bcd8579d1c3 / CVE-2020-25085
+
+--- qemu-3.1+dfsg.orig/hw/sd/sdhci.c
++++ qemu-3.1+dfsg/hw/sd/sdhci.c
+@@ -1144,7 +1144,7 @@ sdhci_write(void *opaque, hwaddr offset,
+         break;
+     case SDHC_BLKSIZE:
+         if (!TRANSFERRING_DATA(s->prnsts)) {
+-            MASKED_WRITE(s->blksize, mask, value);
++            MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
+             MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
+         }
+ 
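Review bot: `extract32(value, 0, 12)` discards bits 12-15 of the register on every full-width write, and in the SDHCI register layout bits 14:12 of the Block Size register are the host SDMA buffer-boundary field rather than part of the transfer size; if 3.1's SDMA multi-block path (outside this hunk) still derives its boundary from `s->blksize & 0x7000`, that boundary now silently reads as the smallest value. This matches the upstream fix, so it is a deliberate trade, but a comment on the line should say so, e.g. `/* keep only the 12-bit transfer size; the SDMA boundary bits are dropped */`. sdhci_write() starts and ends outside the hunk.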
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25624.patch   2022-02-01 
17:10:14.000000000 +0100
@@ -0,0 +1,58 @@
+1328fe0c32d5474604105b8105310e944976b058 / CVE-2020-25624
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-ohci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-ohci.c
+@@ -797,7 +797,11 @@ static int ohci_service_iso_td(OHCIState
+     }
+ 
+     start_offset = iso_td.offset[relative_frame_number];
+-    next_offset = iso_td.offset[relative_frame_number + 1];
++    if (relative_frame_number < frame_count) {
++        next_offset = iso_td.offset[relative_frame_number + 1];
++    } else {
++        next_offset = iso_td.be;
++    }
+ 
+     if (!(OHCI_BM(start_offset, TD_PSW_CC) & 0xe) || 
+         ((relative_frame_number < frame_count) && 
+@@ -830,7 +834,12 @@ static int ohci_service_iso_td(OHCIState
+         }
+     } else {
+         /* Last packet in the ISO TD */
+-        end_addr = iso_td.be;
++        end_addr = next_offset;
++    }
++
++    if (start_addr > end_addr) {
++        trace_usb_ohci_iso_td_bad_cc_overrun(start_addr, end_addr);
++        return 1;
+     }
+ 
+     if ((start_addr & OHCI_PAGE_MASK) != (end_addr & OHCI_PAGE_MASK)) {
+@@ -839,6 +848,9 @@ static int ohci_service_iso_td(OHCIState
+     } else {
+         len = end_addr - start_addr + 1;
+     }
++    if (len > sizeof(ohci->usb_buf)) {
++        len = sizeof(ohci->usb_buf);
++    }
+ 
+     if (len && dir != OHCI_TD_DIR_IN) {
+         if (ohci_copy_iso_td(ohci, start_addr, end_addr, ohci->usb_buf, len,
+@@ -1037,8 +1049,16 @@ static int ohci_service_td(OHCIState *oh
+         if ((td.cbp & 0xfffff000) != (td.be & 0xfffff000)) {
+             len = (td.be & 0xfff) + 0x1001 - (td.cbp & 0xfff);
+         } else {
++            if (td.cbp > td.be) {
++                trace_usb_ohci_iso_td_bad_cc_overrun(td.cbp, td.be);
++                ohci_die(ohci);
++                return 1;
++            }
+             len = (td.be - td.cbp) + 1;
+         }
++        if (len > sizeof(ohci->usb_buf)) {
++            len = sizeof(ohci->usb_buf);
++        }
+ 
+         pktlen = len;
+         if (len && dir != OHCI_TD_DIR_IN) {
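Review bot: Both new `len > sizeof(ohci->usb_buf)` clamps shorten the transfer silently — the TD completes with fewer bytes than the guest described but with no condition code and no log, so a misbehaving driver gets no signal at all. A `qemu_log_mask(LOG_GUEST_ERROR, ...)` naming the TD before the clamp, or failing the TD the way the new `start_addr > end_addr` branch does, would make this visible. The second hunk also reuses `trace_usb_ohci_iso_td_bad_cc_overrun` for a non-isochronous TD in ohci_service_td(), which is misleading in trace output; a plain log line or a dedicated trace point would read better there. ohci_service_iso_td() and ohci_service_td() both start and end outside the hunks.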
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25625.patch   2022-02-01 
16:53:28.000000000 +0100
@@ -0,0 +1,15 @@
+1be90ebecc95b09a2ee5af3f60c412b45a766c4f / CVE-2020-25625
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-ohci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-ohci.c
+@@ -753,6 +753,10 @@ static int ohci_service_iso_td(OHCIState
+            the next ISO TD of the same ED */
+         trace_usb_ohci_iso_td_relative_frame_number_big(relative_frame_number,
+                                                         frame_count);
++        if (OHCI_CC_DATAOVERRUN == OHCI_BM(iso_td.flags, TD_CC)) {
++            /* avoid infinite loop */
++            return 1;
++        }
+         OHCI_SET_BM(iso_td.flags, TD_CC, OHCI_CC_DATAOVERRUN);
+         ed->head &= ~OHCI_DPTR_MASK;
+         ed->head |= (iso_td.next & OHCI_DPTR_MASK);
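Review bot: The comment `/* avoid infinite loop */` says what, not why; the guard matters because a TD already marked DataOverrun on an earlier pass would otherwise be re-marked and re-queued again, presumably forever when its `next` pointer leads back into the same ED list. A fuller comment such as `/* already flagged DataOverrun on an earlier pass: stop instead of re-queueing the same TD */` would save the next reader from re-deriving that. Returning 1 here leaves `ed->head` untouched and reports nothing further to the guest, which looks intentional but is worth stating too. ohci_service_iso_td() starts and ends outside the hunk.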
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-25723.patch   2022-02-01 
17:13:16.000000000 +0100
@@ -0,0 +1,28 @@
+2fdb42d840400d58f2e706ecca82c142b97bcbd6 / CVE-2020-25723
+
+--- qemu-3.1+dfsg.orig/hw/usb/hcd-ehci.c
++++ qemu-3.1+dfsg/hw/usb/hcd-ehci.c
+@@ -1371,7 +1371,10 @@ static int ehci_execute(EHCIPacket *p, c
+         spd = (p->pid == USB_TOKEN_IN && NLPTR_TBIT(p->qtd.altnext) == 0);
+         usb_packet_setup(&p->packet, p->pid, ep, 0, p->qtdaddr, spd,
+                          (p->qtd.token & QTD_TOKEN_IOC) != 0);
+-        usb_packet_map(&p->packet, &p->sgl);
++        if (usb_packet_map(&p->packet, &p->sgl)) {
++            qemu_sglist_destroy(&p->sgl);
++            return -1;
++        }
+         p->async = EHCI_ASYNC_INITIALIZED;
+     }
+ 
+@@ -1447,7 +1450,10 @@ static int ehci_process_itd(EHCIState *e
+             if (ep && ep->type == USB_ENDPOINT_XFER_ISOC) {
+                 usb_packet_setup(&ehci->ipacket, pid, ep, 0, addr, false,
+                                  (itd->transact[i] & ITD_XACT_IOC) != 0);
+-                usb_packet_map(&ehci->ipacket, &ehci->isgl);
++                if (usb_packet_map(&ehci->ipacket, &ehci->isgl)) {
++                    qemu_sglist_destroy(&ehci->isgl);
++                    return -1;
++                }
+                 usb_handle_packet(dev, &ehci->ipacket);
+                 usb_packet_unmap(&ehci->ipacket, &ehci->isgl);
+             } else {
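Review bot: Both new early returns hand -1 to callers outside the hunk, and in ehci_process_itd() the return happens from inside the per-transaction loop, so later transactions of the same ITD are left unprocessed with their active bits untouched; confirm the callers treat -1 as a fatal DMA error rather than a packet result, especially if ehci_execute() also returns packet-status values on other paths. A comment at each site would make the contract explicit: `/* DMA map failed: abandon the transfer; caller must not touch the packet */`. Both ehci_execute() and ehci_process_itd() start before their hunks.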
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-27617.patch   2022-02-01 
17:17:03.000000000 +0100
@@ -0,0 +1,24 @@
+7564bf7701f00214cdc8a678a9f7df765244def1 / CVE-2020-27617
+
+--- qemu-3.1+dfsg.orig/net/eth.c
++++ qemu-3.1+dfsg/net/eth.c
+@@ -16,6 +16,7 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/log.h"
+ #include "net/eth.h"
+ #include "net/checksum.h"
+ #include "qemu-common.h"
+@@ -72,9 +73,8 @@ eth_get_gso_type(uint16_t l3_proto, uint
+             return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
+         }
+     }
+-
+-    /* Unsupported offload */
+-    g_assert_not_reached();
++    qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
++        "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
+ 
+     return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
+ }
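Review bot: `LOG_UNIMP` reads as "QEMU lacks this feature", but a frame with an L3 protocol other than IPv4/IPv6 while the guest requested GSO is guest-controlled input, so `LOG_GUEST_ERROR` is the better mask and is what a `-d guest_errors` user would look for; either way the line is guest-triggerable and unthrottled, acceptable for a log but worth knowing. Returning `VIRTIO_NET_HDR_GSO_NONE | ecn_state` silently downgrades the frame instead of aborting the device, and a one-line comment on the return (`/* unknown L3 protocol: pass the frame on without GSO rather than assert */`) would record that intent. eth_get_gso_type() starts before the hunk.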
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35504.patch   2022-02-04 
17:20:46.000000000 +0100
@@ -0,0 +1,26 @@
+0db895361b8a82e1114372ff9f4857abea605701 / CVE-2020-35504
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -252,6 +252,9 @@ static void esp_do_dma(ESPState *s)
+         s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
+         return;
+     }
++    if (!s->current_req) {
++        return;
++    }
+     if (s->async_len == 0) {
+         /* Defer until data is available.  */
+         return;
+@@ -265,6 +268,11 @@ static void esp_do_dma(ESPState *s)
+     } else {
+         s->dma_memory_write(s->dma_opaque, s->async_buf, len);
+     }
++
++    if (!s->current_req) {
++        return;
++    }
++
+     s->dma_left -= len;
+     s->async_buf += len;
+     s->async_len -= len;
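Review bot: The second `if (!s->current_req) return;` is easy to mistake for a duplicate of the first; it exists because the `s->dma_memory_read()`/`s->dma_memory_write()` call just above can re-enter the device and complete the request, clearing `current_req`, and a comment should say so: `/* the DMA callback may have completed and released current_req */`. Bailing out there also leaves `dma_left` and the `async_*` fields untouched, which is right only if the completion path already reset them (outside this hunk) — worth confirming. esp_do_dma() starts and ends outside the hunk.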
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch 
qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2020-35505.patch   2022-02-04 
17:30:17.000000000 +0100
@@ -0,0 +1,15 @@
+99545751734035b76bd372c4e7215bb337428d89 / CVE-2020-35505
+
+--- qemu-3.1+dfsg.orig/hw/scsi/esp.c
++++ qemu-3.1+dfsg/hw/scsi/esp.c
+@@ -135,6 +135,10 @@ static void do_busid_cmd(ESPState *s, ui
+ 
+     trace_esp_do_busid_cmd(busid);
+     lun = busid & 7;
++
++    if (!s->current_dev) {
++        return;
++    }
+     current_lun = scsi_device_find(&s->bus, 0, s->current_dev->id, lun);
+     s->current_req = scsi_req_new(current_lun, 0, lun, buf, s);
+     datalen = scsi_req_enqueue(s->current_req);
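Review bot: The bare `return` when `s->current_dev` is NULL produces no guest-visible result — no interrupt-register update, no IRQ — so a driver that issued a command without a prior successful SELECT simply hangs waiting for completion. If the no-device branch of the select handling (outside this hunk) reports a disconnect, doing the same here, or at least `qemu_log_mask(LOG_GUEST_ERROR, "%s: command without a selected device\n", __func__);`, would keep the two paths consistent and debuggable. do_busid_cmd() starts and ends outside the hunk.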
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20181.patch   2022-02-04 
17:33:05.000000000 +0100
@@ -0,0 +1,25 @@
+89fbea8737e8f7b954745a1ffc4238d377055305 / CVE-2021-20181
+
+--- qemu-3.1+dfsg.orig/hw/9pfs/9p.c
++++ qemu-3.1+dfsg/hw/9pfs/9p.c
+@@ -498,9 +498,9 @@ static int coroutine_fn v9fs_mark_fids_u
+ {
+     int err;
+     V9fsState *s = pdu->s;
+-    V9fsFidState *fidp, head_fid;
++    V9fsFidState *fidp;
+ 
+-    head_fid.next = s->fid_list;
++again:
+     for (fidp = s->fid_list; fidp; fidp = fidp->next) {
+         if (fidp->path.size != path->size) {
+             continue;
+@@ -520,7 +520,7 @@ static int coroutine_fn v9fs_mark_fids_u
+              * switched to the worker thread
+              */
+             if (err == 0) {
+-                fidp = &head_fid;
++                goto again;
+             }
+         }
+     }
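Review bot: `goto again` restarts the whole scan each time v9fs_reopen_fid() returns 0, so termination depends on that helper (outside the hunk) returning non-zero for fids that are already open; otherwise the first matching fid would match again on the next pass and the loop would never end. That invariant is not written down, so I would extend the comment above the jump with `/* err == 0 only after a real reopen (which may have yielded); an already-open fid returns non-zero, so this terminates */`. The old `fidp = &head_fid` reset resumed from a stack copy of the list head taken at entry, which is exactly what the goto replaces. v9fs_mark_fids_unreclaim() continues past the hunk.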
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20203.patch   2022-02-04 
20:11:13.000000000 +0100
@@ -0,0 +1,52 @@
+d05dcd94aee88728facafb993c7280547eb4d645 / CVE-2021-20203
+
+--- qemu-3.1+dfsg.orig/hw/net/vmxnet3.c
++++ qemu-3.1+dfsg/hw/net/vmxnet3.c
+@@ -1532,6 +1532,7 @@ static void vmxnet3_activate_device(VMXN
+     vmxnet3_setup_rx_filtering(s);
+     /* Cache fields from shared memory */
+     s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
++    assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
+     VMW_CFPRN("MTU is %u", s->mtu);
+ 
+     s->max_rx_frags =
+@@ -1585,6 +1586,9 @@ static void vmxnet3_activate_device(VMXN
+         /* Read rings memory locations for TX queues */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
++        if (size > VMXNET3_TX_RING_MAX_SIZE) {
++            size = VMXNET3_TX_RING_MAX_SIZE;
++        }
+ 
+         vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxDesc), false);
+@@ -1595,6 +1599,9 @@ static void vmxnet3_activate_device(VMXN
+         /* TXC ring */
+         pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
++        if (size > VMXNET3_TC_RING_MAX_SIZE) {
++            size = VMXNET3_TC_RING_MAX_SIZE;
++        }
+         vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
+                           sizeof(struct Vmxnet3_TxCompDesc), true);
+         VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
+@@ -1636,6 +1643,9 @@ static void vmxnet3_activate_device(VMXN
+             /* RX rings */
+             pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, 
conf.rxRingBasePA[j]);
+             size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, 
conf.rxRingSize[j]);
++            if (size > VMXNET3_RX_RING_MAX_SIZE) {
++                size = VMXNET3_RX_RING_MAX_SIZE;
++            }
+             vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
+                               sizeof(struct Vmxnet3_RxDesc), false);
+             VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
+@@ -1645,6 +1655,9 @@ static void vmxnet3_activate_device(VMXN
+         /* RXC ring */
+         pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
+         size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
++        if (size > VMXNET3_RC_RING_MAX_SIZE) {
++            size = VMXNET3_RC_RING_MAX_SIZE;
++        }
+         vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
+                           sizeof(struct Vmxnet3_RxCompDesc), true);
+         VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
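Review bot: `assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU)` turns a value the guest writes into shared memory into an abort of the whole VM, so a guest that stores an out-of-range MTU trades the original memory-safety bug for a denial of service; the four ring sizes below are clamped instead, and the MTU deserves the same treatment — log it with the file's warning macro and clamp, or fail activation. The asymmetric bounds (`<=` on MIN, `<` on MAX) also look accidental and should be checked against how the header defines the maximum. The ring clamps themselves are silent, so a driver that asked for a larger ring gets a smaller one with no diagnostic; a warning at each clamp would help. vmxnet3_activate_device() starts and ends outside the hunks.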
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20221.patch   2022-02-11 
17:20:09.000000000 +0100
@@ -0,0 +1,13 @@
+edfe2eb4360cde4ed5d95bda7777edcb3510f76a / CVE-2021-20221
+
+--- qemu-3.1+dfsg.orig/hw/intc/arm_gic.c
++++ qemu-3.1+dfsg/hw/intc/arm_gic.c
+@@ -1453,7 +1453,7 @@ static void gic_dist_writel(void *opaque
+         int target_cpu;
+ 
+         cpu = gic_get_current_cpu(s);
+-        irq = value & 0x3ff;
++        irq = value & 0xf;
+         switch ((value >> 24) & 3) {
+         case 0:
+             mask = (value >> 16) & ALL_CPU_MASK;
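Review bot: The narrowing to `value & 0xf` is right for GICD_SGIR, whose SGIINTID field is bits [3:0], but nothing on the line says why 0x3ff was wrong, and the old mask looks like the generic 10-bit interrupt-ID mask copied by habit; a comment such as `/* GICD_SGIR.SGIINTID is 4 bits wide: only SGIs 0-15 can be raised here */` would stop it being "fixed" back. gic_dist_writel() starts and ends outside the hunk.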
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch   1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-20257.patch   2022-02-11 
17:23:08.000000000 +0100
@@ -0,0 +1,22 @@
+3de46e6fc489c52c9431a8a832ad8170a7569bd8 / CVE-2021-20257
+
+--- qemu-3.1+dfsg.orig/hw/net/e1000.c
++++ qemu-3.1+dfsg/hw/net/e1000.c
+@@ -657,6 +657,9 @@ process_tx_desc(E1000State *s, struct e1
+         msh = tp->tso_props.hdr_len + tp->tso_props.mss;
+         do {
+             bytes = split_size;
++            if (tp->size >= msh) {
++                goto eop;
++            }
+             if (tp->size + bytes > msh)
+                 bytes = msh - tp->size;
+ 
+@@ -682,6 +685,7 @@ process_tx_desc(E1000State *s, struct e1
+         tp->size += split_size;
+     }
+ 
++eop:
+     if (!(txd_lower & E1000_TXD_CMD_EOP))
+         return;
+     if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
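Review bot: The new `goto eop` drops the rest of the current descriptor's payload without any trace once `tp->size` has already reached `msh`, which only happens for malformed descriptor sequences; that is fine as a defence, but a `qemu_log_mask(LOG_GUEST_ERROR, ...)` next to it would make such a guest visible instead of silently truncating. Jumping out of the `do { } while` to a label placed after the non-TSO `else` branch also skips that branch's `tp->size += split_size`, which is intended but deserves a comment: `/* segment already full: treat as end of packet and accumulate nothing more */`. process_tx_desc() starts and ends outside the hunks.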
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3392.patch    2022-02-11 
17:25:18.000000000 +0100
@@ -0,0 +1,45 @@
+3791642c8d60029adf9b00bcb4e34d7d8a1aea4d / CVE-2021-3392
+
+--- qemu-3.1+dfsg.orig/hw/scsi/mptsas.c
++++ qemu-3.1+dfsg/hw/scsi/mptsas.c
+@@ -252,13 +252,10 @@ static int mptsas_build_sgl(MPTSASState
+ 
+ static void mptsas_free_request(MPTSASRequest *req)
+ {
+-    MPTSASState *s = req->dev;
+-
+     if (req->sreq != NULL) {
+         req->sreq->hba_private = NULL;
+         scsi_req_unref(req->sreq);
+         req->sreq = NULL;
+-        QTAILQ_REMOVE(&s->pending, req, next);
+     }
+     qemu_sglist_destroy(&req->qsg);
+     g_free(req);
+@@ -304,7 +301,6 @@ static int mptsas_process_scsi_io_reques
+     }
+ 
+     req = g_new0(MPTSASRequest, 1);
+-    QTAILQ_INSERT_TAIL(&s->pending, req, next);
+     req->scsi_io = *scsi_io;
+     req->dev = s;
+ 
+@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevic
+ 
+     s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
+ 
+-    QTAILQ_INIT(&s->pending);
+-
+     scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, 
NULL);
+ }
+ 
+--- qemu-3.1+dfsg.orig/hw/scsi/mptsas.h
++++ qemu-3.1+dfsg/hw/scsi/mptsas.h
+@@ -74,7 +74,6 @@ struct MPTSASState {
+     uint16_t reply_frame_size;
+ 
+     SCSIBus bus;
+-    QTAILQ_HEAD(, MPTSASRequest) pending;
+ };
+ 
+ void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
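Review bot: With `QTAILQ_INSERT_TAIL`/`QTAILQ_REMOVE` gone and the `pending` head removed from MPTSASState, a `QTAILQ_ENTRY(MPTSASRequest) next` field in MPTSASRequest (mptsas.h, not shown in this hunk) is now dead if it still exists and should go with the same change, so nothing re-links requests through it later. A grep for `->pending` and `, next)` in hw/scsi/mptsas.c would confirm that no reset or cancel path still walks the list. mptsas_free_request() is complete within the hunk; mptsas_process_scsi_io_request() and mptsas_scsi_realize() extend outside it.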
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3527.patch    2022-02-11 
17:30:48.000000000 +0100
@@ -0,0 +1,45 @@
+7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 and 
05a40b172e4d691371534828078be47e7fff524c
+CVE-2021-3527
+
+--- qemu-3.1+dfsg.orig/hw/usb/combined-packet.c
++++ qemu-3.1+dfsg/hw/usb/combined-packet.c
+@@ -172,7 +172,9 @@ void usb_ep_combine_input_packets(USBEnd
+         if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
+                 next == NULL ||
+                 /* Work around for Linux usbfs bulk splitting + migration */
+-                (totalsize == (16 * KiB - 36) && p->int_req)) {
++                (totalsize == (16 * KiB - 36) && p->int_req) ||
++                /* Next package may grow combined package over 1MiB */
++                totalsize > 1 * MiB - ep->max_packet_size) {
+             usb_device_handle_data(ep->dev, first);
+             assert(first->status == USB_RET_ASYNC);
+             if (first->combined) {
+--- qemu-3.1+dfsg.orig/hw/usb/redirect.c
++++ qemu-3.1+dfsg/hw/usb/redirect.c
+@@ -602,7 +602,7 @@ static void usbredir_handle_iso_data(USB
+                 .endpoint = ep,
+                 .length = p->iov.size
+             };
+-            uint8_t buf[p->iov.size];
++            g_autofree uint8_t *buf = g_malloc(p->iov.size);
+             /* No id, we look at the ep when receiving a status back */
+             usb_packet_copy(p, buf, p->iov.size);
+             usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
+@@ -800,7 +800,7 @@ static void usbredir_handle_bulk_data(US
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+                                         &bulk_packet, NULL, 0);
+     } else {
+-        uint8_t buf[size];
++        g_autofree uint8_t *buf = g_malloc(size);
+         usb_packet_copy(p, buf, size);
+         usbredir_log_data(dev, "bulk data out:", buf, size);
+         usbredirparser_send_bulk_packet(dev->parser, p->id,
+@@ -873,7 +873,7 @@ static void usbredir_handle_interrupt_ou
+                                                USBPacket *p, uint8_t ep)
+ {
+     struct usb_redir_interrupt_packet_header interrupt_packet;
+-    uint8_t buf[p->iov.size];
++    g_autofree uint8_t *buf = g_malloc(p->iov.size);
+ 
+     DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
+             p->iov.size, p->id);
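Review bot: The `g_autofree` replacements for the three VLAs rely on GLib's `__attribute__((cleanup))` helpers (GLib >= 2.44) and, as far as this debdiff shows, are the first use of the auto-cleanup macros in the 3.1 tree; buster's GLib is new enough, but the build should be confirmed rather than assumed from upstream context. `g_malloc(0)` returns NULL, so a zero-length packet now passes a NULL `buf` to usb_packet_copy() and the usbredir send calls, which should be harmless for size 0 but is a different shape from the old zero-length VLA (itself undefined behaviour in C). The new `totalsize > 1 * MiB - ep->max_packet_size` cap uses `MiB` from qemu/units.h, which the existing `KiB` on the line above already requires. All three redirect.c hunks cut their functions mid-body.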
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3582.patch    2022-02-14 
17:28:53.000000000 +0100
@@ -0,0 +1,18 @@
+284f191b4abad213aed04cb0458e1600fd18d7c4 / CVE-2021-3582
+
+--- qemu-3.1+dfsg.orig/hw/rdma/vmw/pvrdma_cmd.c
++++ qemu-3.1+dfsg/hw/rdma/vmw/pvrdma_cmd.c
+@@ -39,6 +39,13 @@ static void *pvrdma_map_to_pdir(PCIDevic
+         return NULL;
+     }
+ 
++    length = ROUND_UP(length, TARGET_PAGE_SIZE);
++    if (nchunks * TARGET_PAGE_SIZE != length) {
++        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
++                          (unsigned long)length);
++        return NULL;
++    }
++
+     dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
+     if (!dir) {
+         error_report("PVRDMA: Failed to map to page directory");
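Review bot: `nchunks * TARGET_PAGE_SIZE != length` is evaluated in 32-bit arithmetic if `nchunks` is the uint32_t its `%u` format suggests (TARGET_PAGE_SIZE is an int), so an nchunks of 2^20 or more with 4 KiB pages wraps the product, and a small `length` equal to the wrapped value passes the check while the page-mapping loop later in the function (outside the hunk) still iterates nchunks times. Widen the multiply: `if ((uint64_t)nchunks * TARGET_PAGE_SIZE != length) {`. `ROUND_UP(length, TARGET_PAGE_SIZE)` can likewise wrap to 0 for a length near SIZE_MAX, which an `!nchunks` guard above (not visible here) covers only if it exists. pvrdma_map_to_pdir() starts and ends outside the hunk.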
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3607.patch    2022-02-15 
15:14:56.000000000 +0100
@@ -0,0 +1,15 @@
+32e5703cfea07c91e6e84bcb0313f633bb146534 / CVE-2021-3607
+
+--- qemu-3.1+dfsg.orig/hw/rdma/vmw/pvrdma_main.c
++++ qemu-3.1+dfsg/hw/rdma/vmw/pvrdma_main.c
+@@ -71,6 +71,10 @@ static int init_dev_ring(PvrdmaRing *rin
+     pr_dbg("Initializing device ring %s\n", name);
+     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)dir_addr);
+     pr_dbg("num_pages=%d\n", num_pages);
++    if (!num_pages) {
++        rdma_error_report("Ring pages count must be strictly positive");
++        return -EINVAL;
++    }
+     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
+     if (!dir) {
+         pr_err("Failed to map to page directory\n");
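Review bot: The new check calls `rdma_error_report()` while the surrounding lines still use `pr_dbg`/`pr_err`; if 3.1's rdma_utils.h predates the generic error-reporting rework that introduced `rdma_error_report` (the header is not visible here), this does not compile with pvrdma enabled, and `pr_err("Ring pages count must be strictly positive\n");` is the spelling the rest of this function uses. Only `num_pages == 0` is rejected; the function goes on (outside the hunk) to index the page table from `tbl[1]` up to `num_pages - 1` out of a single mapped page, so an upper bound is also needed unless pvrdma_ring_init() enforces one. The same `rdma_error_report` concern applies to the CVE-2021-3582 patch. init_dev_ring() starts and ends outside the hunk.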
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3608.patch    2022-02-15 
15:17:10.000000000 +0100
@@ -0,0 +1,13 @@
+66ae37d8cc313f89272e711174a846a229bcdbd3 /CVE-2021-3608
+
+--- qemu-3.1+dfsg.orig/hw/rdma/vmw/pvrdma_dev_ring.c
++++ qemu-3.1+dfsg/hw/rdma/vmw/pvrdma_dev_ring.c
+@@ -42,7 +42,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, c
+     atomic_set(&ring->ring_state->cons_head, 0);
+     */
+     ring->npages = npages;
+-    ring->pages = g_malloc(npages * sizeof(void *));
++    ring->pages = g_malloc0(npages * sizeof(void *));
+ 
+     for (i = 0; i < npages; i++) {
+         if (!tbl[i]) {
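Review bot: `g_malloc0(npages * sizeof(void *))` still multiplies unchecked; `g_new0(void *, npages)` is the QEMU-preferred spelling, zeroes the array the same way and aborts on multiplication overflow instead of returning a short buffer: `ring->pages = g_new0(void *, npages);`. Zeroing matters because the cleanup path frees every slot whether or not the loop below filled it — that is the fix — and a one-line comment (`/* zeroed so ring cleanup can free unmapped slots safely */`) would keep the next reader from "optimising" it back to g_malloc. pvrdma_ring_init() starts and ends outside the hunk.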
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3682.patch    2022-02-15 
15:18:56.000000000 +0100
@@ -0,0 +1,13 @@
+5e796671e6b8d5de4b0b423dce1b3eba144a92c9 / CVE-2021-3682
+
+--- qemu-3.1+dfsg.orig/hw/usb/redirect.c
++++ qemu-3.1+dfsg/hw/usb/redirect.c
+@@ -458,7 +458,7 @@ static int bufp_alloc(USBRedirDevice *de
+     if (dev->endpoint[EP2I(ep)].bufpq_dropping_packets) {
+         if (dev->endpoint[EP2I(ep)].bufpq_size >
+                 dev->endpoint[EP2I(ep)].bufpq_target_size) {
+-            free(data);
++            free(free_on_destroy);
+             return -1;
+         }
+         dev->endpoint[EP2I(ep)].bufpq_dropping_packets = 0;
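Review bot: `free(free_on_destroy)` releases the allocation this call actually owns rather than `data`, which may point into the middle of it; the old line looked plausible, so a comment on the new one (`/* data may be an interior pointer; only free_on_destroy was allocated */`) would record why. On this -1 path the buffer is consumed here, so the callers outside the hunk must not free `free_on_destroy` again on failure — worth checking each call site that passes a non-NULL value. bufp_alloc() starts and ends outside the hunk.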
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3713.patch    2022-02-15 
18:40:40.000000000 +0100
@@ -0,0 +1,36 @@
+13b250b12ad3c59114a6a17d59caf073ce45b33a / CVE-2021-3713
+
+--- qemu-3.1+dfsg.orig/hw/usb/dev-uas.c
++++ qemu-3.1+dfsg/hw/usb/dev-uas.c
+@@ -827,6 +827,9 @@ static void usb_uas_handle_data(USBDevic
+         }
+         break;
+     case UAS_PIPE_ID_STATUS:
++        if (p->stream > UAS_MAX_STREAMS) {
++            goto err_stream;
++        }
+         if (p->stream) {
+             QTAILQ_FOREACH(st, &uas->results, next) {
+                 if (st->stream == p->stream) {
+@@ -854,6 +857,9 @@ static void usb_uas_handle_data(USBDevic
+         break;
+     case UAS_PIPE_ID_DATA_IN:
+     case UAS_PIPE_ID_DATA_OUT:
++        if (p->stream > UAS_MAX_STREAMS) {
++            goto err_stream;
++        }
+         if (p->stream) {
+             req = usb_uas_find_request(uas, p->stream);
+         } else {
+@@ -889,6 +895,11 @@ static void usb_uas_handle_data(USBDevic
+         p->status = USB_RET_STALL;
+         break;
+     }
++
++err_stream:
++    error_report("%s: invalid stream %d", __func__, p->stream);
++    p->status = USB_RET_STALL;
++    return;
+ }
+ 
+ static void usb_uas_unrealize(USBDevice *dev, Error **errp)
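Review bot: There is no `return;` between the switch's closing brace and the new `err_stream:` label, so every packet that leaves the switch via `break` — including the visible `default:` case, which has already set `USB_RET_STALL` and logged an invalid endpoint — falls into the label, gets a second "invalid stream" error_report and is stalled; if the earlier cases (outside the hunk) also end in `break`, every successfully handled UAS packet is now stalled. Add `return;` immediately after the switch's `}` and before `err_stream:`. The `> UAS_MAX_STREAMS` comparison is correct for 1-based stream IDs only if `status3`/`data3` are declared with `UAS_MAX_STREAMS + 1` entries; a comment at the first check would pin that down. usb_uas_handle_data() starts before the hunk.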
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3748.patch    2022-02-15 
18:42:34.000000000 +0100
@@ -0,0 +1,94 @@
+bedd7e93d01961fcb16a97ae45d93acf357e11f6 / CVE-2021-3748
+
+--- qemu-3.1+dfsg.orig/hw/net/virtio-net.c
++++ qemu-3.1+dfsg/hw/net/virtio-net.c
+@@ -1194,10 +1194,13 @@ static ssize_t virtio_net_receive_rcu(Ne
+     VirtIONet *n = qemu_get_nic_opaque(nc);
+     VirtIONetQueue *q = virtio_net_get_subqueue(nc);
+     VirtIODevice *vdev = VIRTIO_DEVICE(n);
++    VirtQueueElement *elems[VIRTQUEUE_MAX_SIZE];
++    size_t lens[VIRTQUEUE_MAX_SIZE];
+     struct iovec mhdr_sg[VIRTQUEUE_MAX_SIZE];
+     struct virtio_net_hdr_mrg_rxbuf mhdr;
+     unsigned mhdr_cnt = 0;
+-    size_t offset, i, guest_offset;
++    size_t offset, i, guest_offset, j;
++    ssize_t err;
+ 
+     if (!virtio_net_can_receive(nc)) {
+         return -1;
+@@ -1220,6 +1223,12 @@ static ssize_t virtio_net_receive_rcu(Ne
+ 
+         total = 0;
+ 
++        if (i == VIRTQUEUE_MAX_SIZE) {
++            virtio_error(vdev, "virtio-net unexpected long buffer chain");
++            err = size;
++            goto err;
++        }
++
+         elem = virtqueue_pop(q->rx_vq, sizeof(VirtQueueElement));
+         if (!elem) {
+             if (i) {
+@@ -1231,7 +1240,8 @@ static ssize_t virtio_net_receive_rcu(Ne
+                              n->guest_hdr_len, n->host_hdr_len,
+                              vdev->guest_features);
+             }
+-            return -1;
++            err = -1;
++            goto err;
+         }
+ 
+         if (elem->in_num < 1) {
+@@ -1239,7 +1249,8 @@ static ssize_t virtio_net_receive_rcu(Ne
+                          "virtio-net receive queue contains no in buffers");
+             virtqueue_detach_element(q->rx_vq, elem, 0);
+             g_free(elem);
+-            return -1;
++            err = -1;
++            goto err;
+         }
+ 
+         sg = elem->in_sg;
+@@ -1271,12 +1282,13 @@ static ssize_t virtio_net_receive_rcu(Ne
+         if (!n->mergeable_rx_bufs && offset < size) {
+             virtqueue_unpop(q->rx_vq, elem, total);
+             g_free(elem);
+-            return size;
++            err = size;
++            goto err;
+         }
+ 
+-        /* signal other side */
+-        virtqueue_fill(q->rx_vq, elem, total, i++);
+-        g_free(elem);
++        elems[i] = elem;
++        lens[i] = total;
++        i++;
+     }
+ 
+     if (mhdr_cnt) {
+@@ -1286,10 +1298,23 @@ static ssize_t virtio_net_receive_rcu(Ne
+                      &mhdr.num_buffers, sizeof mhdr.num_buffers);
+     }
+ 
++    for (j = 0; j < i; j++) {
++        /* signal other side */
++        virtqueue_fill(q->rx_vq, elems[j], lens[j], j);
++        g_free(elems[j]);
++    }
++
+     virtqueue_flush(q->rx_vq, i);
+     virtio_notify(vdev, q->rx_vq);
+ 
+     return size;
++
++err:
++    for (j = 0; j < i; j++) {
++        g_free(elems[j]);
++    }
++
++    return err;
+ }
+ 
+ static ssize_t virtio_net_receive(NetClientState *nc, const uint8_t *buf,
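Review bot: The new `err:` path only `g_free`s the elements popped so far; elsewhere in this function a popped element that is not being returned is first handed back with `virtqueue_detach_element()` (the `in_num < 1` branch) or `virtqueue_unpop()`, and if virtqueue_pop() keeps an in-flight count as upstream's does, skipping that leaves the queue one short per element until the device stops accepting buffers. Mirror the existing convention in the error loop: `virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);` before `g_free(elems[j]);`. The `i == VIRTQUEUE_MAX_SIZE` check is correctly placed before the pop, so `elems[i]` can never be written out of range. virtio_net_receive_rcu() starts before the hunk.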
diff -Nru qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch 
qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch
--- qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch    1970-01-01 
01:00:00.000000000 +0100
+++ qemu-3.1+dfsg/debian/patches/CVE-2021-3930.patch    2022-02-15 
18:44:07.000000000 +0100
@@ -0,0 +1,24 @@
+b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 / CVE-2021-3930
+
+--- qemu-3.1+dfsg.orig/hw/scsi/scsi-disk.c
++++ qemu-3.1+dfsg/hw/scsi/scsi-disk.c
+@@ -1082,6 +1082,7 @@ static int mode_sense_page(SCSIDiskState
+     uint8_t *p = *p_outbuf + 2;
+     int length;
+ 
++    assert(page < ARRAY_SIZE(mode_sense_valid));
+     if ((mode_sense_valid[page] & (1 << s->qdev.type)) == 0) {
+         return -1;
+     }
+@@ -1422,6 +1423,11 @@ static int scsi_disk_check_mode_select(S
+         return -1;
+     }
+ 
++    /* MODE_PAGE_ALLS is only valid for MODE SENSE commands */
++    if (page == MODE_PAGE_ALLS) {
++        return -1;
++    }
++
+     p = mode_current;
+     memset(mode_current, 0, inlen + 2);
+     len = mode_sense_page(s, page, &p, 0);
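Review bot: `assert(page < ARRAY_SIZE(mode_sense_valid))` aborts the VM if it ever fires, and `page` ultimately comes from the guest's CDB; the backport is safe only because the MODE SELECT path now rejects `MODE_PAGE_ALLS` before calling in and the MODE SENSE path handles that page itself (both outside this hunk), so the precondition should be written at the assert: `/* callers must filter MODE_PAGE_ALLS (0x3f): mode_sense_valid has no entry for it */`. If a future caller forgets, a `return -1` would be the safer failure than an abort. mode_sense_page() and scsi_disk_check_mode_select() both start and end outside the hunks.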
diff -Nru qemu-3.1+dfsg/debian/patches/series 
qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2020-07-24 14:00:34.000000000 +0200
+++ qemu-3.1+dfsg/debian/patches/series 2022-02-15 18:53:24.000000000 +0100
@@ -49,3 +49,26 @@
 sm501-replace-hand-written-implementation-with-pixman-CVE-2020-12829.patch
 usb-fix-setup_len-init-CVE-2020-14364.patch
 net-assertion-in-net_tx_pkt_add_raw_fragment-CVE-2020-16092.patch
+CVE-2020-13253.patch
+CVE-2020-15859.patch
+CVE-2020-25084.patch
+CVE-2020-25085.patch
+CVE-2020-25625.patch
+CVE-2020-25624.patch
+CVE-2020-25723.patch
+CVE-2020-27617.patch
+CVE-2020-35504.patch
+CVE-2020-35505.patch
+CVE-2021-20181.patch
+CVE-2021-20203.patch
+CVE-2021-20221.patch
+CVE-2021-20257.patch
+CVE-2021-3392.patch
+CVE-2021-3527.patch
+CVE-2021-3582.patch
+CVE-2021-3607.patch
+CVE-2021-3608.patch
+CVE-2021-3682.patch
+CVE-2021-3713.patch
+CVE-2021-3748.patch
+CVE-2021-3930.patch
