Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Hi! I've prepared the next release of the qemu Debian package, with a few bugfixes, and am asking if it's okay to upload these changes to unstable (targeting buster). The change includes 3 security fixes which should go anyway, and 2 "other" fixes which are questionable, hence the pre-approval bug report/question. All changes are "easy" ones, are mostly one-liners, and are easy to review. All bugfixes have been applied upstream too. Is it okay for the changes to go to buster? Thanks, /mjt
diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog --- qemu-3.1+dfsg/debian/changelog 2019-03-27 14:24:06.000000000 +0300 +++ qemu-3.1+dfsg/debian/changelog 2019-05-27 07:49:25.000000000 +0300 @@ -1,3 +1,23 @@ +qemu (1:3.1+dfsg-8) unstable; urgency=high + + * sun4u-add-power_mem_read-routine-CVE-2019-5008.patch + fixes a null-pointer dereference in sparc/sun4u emulated hw + Closes: #927439, CVE-2019-5008 + * enable-md-no.patch & enable-md-clear.patch + mitigation for MDS (Microarchitectural Data Sampling) issues + Closes: #929067, + CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + * qxl-check-release-info-object-CVE-2019-12155.patch + fixes null-pointer deref in qxl cleanup code + Closes: #929353, CVE-2019-12155 + * aarch32-exception-return-to-switch-from-hyp-mon.patch + fixes booting U-Boot in UEFI mode on aarch32 + Closes: #927763 + * stop qemu-system-common pre-depending on adduser + Closes: #929261 + + -- Michael Tokarev <m...@tls.msk.ru> Mon, 27 May 2019 07:49:25 +0300 + qemu (1:3.1+dfsg-7) unstable; urgency=high [ Michael Tokarev ] diff -Nru qemu-3.1+dfsg/debian/control qemu-3.1+dfsg/debian/control --- qemu-3.1+dfsg/debian/control 2019-03-11 14:35:35.000000000 +0300 +++ qemu-3.1+dfsg/debian/control 2019-05-27 07:49:25.000000000 +0300 
@@ -191,7 +191,6 @@ Package: qemu-system-common Architecture: amd64 arm arm64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel mips64 mips64el powerpc powerpcspe ppc64 ppc64el s390x sparc sparc64 x32 Multi-Arch: foreign -Pre-Depends: adduser Replaces: qemu-system-data (<< 1:3.1+dfsg-1~), qemu-utils (<< 1:3.1+dfsg-3~) Breaks: qemu-system-data (<< 1:3.1+dfsg-1~), qemu-utils (<< 1:3.1+dfsg-3~) Depends: ${misc:Depends}, ${shlibs:Depends}, diff -Nru qemu-3.1+dfsg/debian/control-in qemu-3.1+dfsg/debian/control-in --- qemu-3.1+dfsg/debian/control-in 2019-03-11 14:19:34.000000000 +0300 +++ qemu-3.1+dfsg/debian/control-in 2019-05-27 07:49:25.000000000 +0300 @@ -196,7 +196,6 @@ Package: qemu-system-common Architecture: amd64 arm arm64 armel armhf i386 ia64 kfreebsd-amd64 kfreebsd-i386 mips mipsel mips64 mips64el powerpc powerpcspe ppc64 ppc64el s390x sparc sparc64 x32 Multi-Arch: foreign -Pre-Depends: adduser Replaces: qemu-system-data (<< 1:3.1+dfsg-1~), qemu-utils (<< 1:3.1+dfsg-3~) Breaks: qemu-system-data (<< 1:3.1+dfsg-1~), qemu-utils (<< 1:3.1+dfsg-3~) Depends: ${misc:Depends}, ${shlibs:Depends}, diff -Nru qemu-3.1+dfsg/debian/patches/aarch32-exception-return-to-switch-from-hyp-mon.patch qemu-3.1+dfsg/debian/patches/aarch32-exception-return-to-switch-from-hyp-mon.patch --- qemu-3.1+dfsg/debian/patches/aarch32-exception-return-to-switch-from-hyp-mon.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-3.1+dfsg/debian/patches/aarch32-exception-return-to-switch-from-hyp-mon.patch 2019-05-27 07:46:35.000000000 +0300 
@@ -0,0 +1,56 @@ +From: Alexander Graf <ag...@suse.de> +Date: Mon, 21 Jan 2019 10:23:11 +0000 +Subject: target/arm: Allow Aarch32 exception return to switch from Mon->Hyp +Commit-Id: 2d2a4549cc29850aab891495685a7b31f5254b12 +Bug-Debian: http://bugs.debian.org/927763 + +In U-boot, we switch from S-SVC -> Mon -> Hyp mode when we want to +enter Hyp mode. The change into Hyp mode is done by doing an +exception return from Mon. This doesn't work with current QEMU. + +The problem is that in bad_mode_switch() we refuse to allow +the change of mode. + +Note that bad_mode_switch() is used to do validation for two situations: + + (1) changes to mode by instructions writing to CPSR.M + (ie not exception take/return) -- this corresponds to the + Armv8 Arm ARM pseudocode Arch32.WriteModeByInstr + (2) changes to mode by exception return + +Attempting to enter or leave Hyp mode via case (1) is forbidden in +v8 and UNPREDICTABLE in v7, and QEMU is correct to disallow it +there. However, we're already doing that check at the top of the +bad_mode_switch() function, so if that passes then we should allow +the case (2) exception return mode changes to switch into Hyp mode. + +We want to test whether we're trying to return to the nonexistent +"secure Hyp" mode, so we need to look at arm_is_secure_below_el3() +rather than arm_is_secure(), since the latter is always true if +we're in Mon (EL3). 
+ +Signed-off-by: Alexander Graf <ag...@suse.de> +Reviewed-by: Peter Maydell <peter.mayd...@linaro.org> +Message-id: 20190109152430.32359-1-ag...@suse.de +[PMM: rewrote commit message] +Signed-off-by: Peter Maydell <peter.mayd...@linaro.org> +--- + target/arm/helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/arm/helper.c b/target/arm/helper.c +index f00c141ef9..9bf8fbd8f9 100644 +--- a/target/arm/helper.c ++++ b/target/arm/helper.c +@@ -6297,7 +6297,7 @@ static int bad_mode_switch(CPUARMState *env, int mode, CPSRWriteType write_type) + return 0; + case ARM_CPU_MODE_HYP: + return !arm_feature(env, ARM_FEATURE_EL2) +- || arm_current_el(env) < 2 || arm_is_secure(env); ++ || arm_current_el(env) < 2 || arm_is_secure_below_el3(env); + case ARM_CPU_MODE_MON: + return arm_current_el(env) < 3; + default: +-- +2.11.0 + diff -Nru qemu-3.1+dfsg/debian/patches/enable-md-clear.patch qemu-3.1+dfsg/debian/patches/enable-md-clear.patch --- qemu-3.1+dfsg/debian/patches/enable-md-clear.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-3.1+dfsg/debian/patches/enable-md-clear.patch 2019-05-20 13:08:32.000000000 +0300 
@@ -0,0 +1,68 @@ +>From a57fa50701c6a0fbe5ac7dbcc314c3c970bff899 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonz...@redhat.com> +Date: Fri, 1 Mar 2019 21:40:52 +0100 +Subject: target/i386: define md-clear bit +Bug-Debian: http://bugs.debian.org/929067 + +md-clear is a new CPUID bit which is set when microcode provides the +mechanism to invoke a flush of various exploitable CPU buffers by invoking +the VERW instruction. Add the new feature, and pass it down to +Hypervisor.framework guests. + +Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> + +[Backported to qemu 3.1 - sbeattie] + +--- + The last hunk is only needed for OS X, but anyway this is going + to be the patch that will be committed upstream. + +CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 1 + + target/i386/hvf/x86_cpuid.c | 3 ++- + 3 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index d990070c59..16da90562c 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1075,7 +1075,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .feat_names = { + NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, NULL, "md-clear", NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, "pconfig", NULL, + NULL, NULL, NULL, NULL, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 26412f15eb..cbfab1a421 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -692,6 +692,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + + #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ + #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ ++#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ + #define CPUID_7_0_EDX_PCONFIG (1U << 18) /* Platform Configuration */ + #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation 
Control */ + #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ +diff --git a/target/i386/hvf/x86_cpuid.c b/target/i386/hvf/x86_cpuid.c +index 9874a46e92..f76ba50424 100644 +--- a/target/i386/hvf/x86_cpuid.c ++++ b/target/i386/hvf/x86_cpuid.c +@@ -103,7 +103,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, + } + + ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; +- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; ++ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ ++ CPUID_7_0_EDX_MD_CLEAR; + } else { + ebx = 0; + ecx = 0; +-- +2.20.1 + diff -Nru qemu-3.1+dfsg/debian/patches/enable-md-no.patch qemu-3.1+dfsg/debian/patches/enable-md-no.patch --- qemu-3.1+dfsg/debian/patches/enable-md-no.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-3.1+dfsg/debian/patches/enable-md-no.patch 2019-05-27 07:48:08.000000000 +0300 
@@ -0,0 +1,29 @@ +From: Paolo Bonzini <pbonz...@redhat.com> +Subject: target/i386: add MDS-NO feature +Bug-Debian: http://bugs.debian.org/929067 + +Microarchitectural Data Sampling is a hardware vulnerability which allows +unprivileged speculative access to data which is available in various CPU +internal buffers. + +Some Intel processors use the ARCH_CAP_MDS_NO bit in the IA32_ARCH_CAPABILITIES +MSR to report that they are not vulnerable, make it available to guests. + +Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> +-- +CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 722c5514d4..558347e6c3 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -1184,7 +1184,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + .type = MSR_FEATURE_WORD, + .feat_names = { + "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", +- "ssb-no", NULL, NULL, NULL, ++ "ssb-no", "mds-no", NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + diff -Nru qemu-3.1+dfsg/debian/patches/qxl-check-release-info-object-CVE-2019-12155.patch qemu-3.1+dfsg/debian/patches/qxl-check-release-info-object-CVE-2019-12155.patch --- qemu-3.1+dfsg/debian/patches/qxl-check-release-info-object-CVE-2019-12155.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-3.1+dfsg/debian/patches/qxl-check-release-info-object-CVE-2019-12155.patch 2019-05-27 07:48:22.000000000 +0300 
@@ -0,0 +1,35 @@ +Commit-Id: d52680fc932efb8a2f334cc6993e705ed1e31e99 +From: Prasad J Pandit <p...@fedoraproject.org> +Date: Thu, 25 Apr 2019 12:05:34 +0530 +Subject: qxl: check release info object (CVE-2019-12155) +Bug-Debian: http://bugs.debian.org/929353 + +When releasing spice resources in release_resource() routine, +if release info object 'ext.info' is null, it leads to null +pointer dereference. Add check to avoid it. + +Reported-by: Bugs SysSec <bugs-sys...@rub.de> +Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> +Message-id: 20190425063534.32747-1-ppan...@redhat.com +Signed-off-by: Gerd Hoffmann <kra...@redhat.com> +--- + hw/display/qxl.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/display/qxl.c b/hw/display/qxl.c +index c8ce5781e03..632923add23 100644 +--- a/hw/display/qxl.c ++++ b/hw/display/qxl.c +@@ -777,6 +777,9 @@ static void interface_release_resource(QXLInstance *sin, + QXLReleaseRing *ring; + uint64_t *item, id; + ++ if (!ext.info) { ++ return; ++ } + if (ext.group_id == MEMSLOT_GROUP_HOST) { + /* host group -> vga mode update request */ + QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id); +-- +2.11.0 + diff -Nru qemu-3.1+dfsg/debian/patches/series qemu-3.1+dfsg/debian/patches/series --- qemu-3.1+dfsg/debian/patches/series 2019-03-27 14:16:54.000000000 +0300 +++ qemu-3.1+dfsg/debian/patches/series 2019-05-27 07:48:22.000000000 +0300 
@@ -9,3 +9,8 @@ i2c-ddc-fix-oob-read-CVE-2019-3812.patch slirp-check-sscanf-result-when-emulating-ident-CVE-2019-9824.patch device_tree-don-t-use-load_image-CVE-2018-20815.patch +sun4u-add-power_mem_read-routine-CVE-2019-5008.patch +aarch32-exception-return-to-switch-from-hyp-mon.patch +enable-md-no.patch +enable-md-clear.patch +qxl-check-release-info-object-CVE-2019-12155.patch diff -Nru qemu-3.1+dfsg/debian/patches/sun4u-add-power_mem_read-routine-CVE-2019-5008.patch qemu-3.1+dfsg/debian/patches/sun4u-add-power_mem_read-routine-CVE-2019-5008.patch --- qemu-3.1+dfsg/debian/patches/sun4u-add-power_mem_read-routine-CVE-2019-5008.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-3.1+dfsg/debian/patches/sun4u-add-power_mem_read-routine-CVE-2019-5008.patch 2019-05-27 07:46:35.000000000 +0300 
@@ -0,0 +1,42 @@ +From: Prasad J Pandit <p...@fedoraproject.org> +Date: Fri, 4 Jan 2019 15:19:10 +0530 +Subject: sun4u: add power_mem_read routine +Commit-Id: ad280559c68360c9f1cd7be063857853759e6a73 +Bug-Debian: http://bugs.debian.org/927439 + +Define skeleton 'power_mem_read' routine. Avoid NULL dereference. + +Reported-by: Fakhri Zulkifli <mohdfakhrizulki...@gmail.com> +Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> +Signed-off-by: Mark Cave-Ayland <mark.cave-ayl...@ilande.co.uk> +--- + hw/sparc64/sun4u.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/hw/sparc64/sun4u.c b/hw/sparc64/sun4u.c +index 37ecc14c6d..518d695de3 100644 +--- a/hw/sparc64/sun4u.c ++++ b/hw/sparc64/sun4u.c +@@ -214,6 +214,11 @@ typedef struct PowerDevice { + } PowerDevice; + + /* Power */ ++static uint64_t power_mem_read(void *opaque, hwaddr addr, unsigned size) ++{ ++ return 0; ++} ++ + static void power_mem_write(void *opaque, hwaddr addr, + uint64_t val, unsigned size) + { +@@ -224,6 +229,7 @@ static void power_mem_write(void *opaque, hwaddr addr, + } + + static const MemoryRegionOps power_mem_ops = { ++ .read = power_mem_read, + .write = power_mem_write, + .endianness = DEVICE_NATIVE_ENDIAN, + .valid = { +-- +2.11.0 + unblock qemu/1:3.1+dfsg-8 -- System Information: Debian Release: 9.9 APT prefers stable APT policy: (990, 'stable'), (500, 'stable-debug'), (500, 'oldstable'), (199, 'testing'), (50, 'unstable'), (40, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores) Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8), LANGUAGE=ru_RU.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
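Review bot: the changelog entry "mitigation for MDS (Microarchitectural Data Sampling) issues" for enable-md-no.patch and enable-md-clear.patch overstates what the two patches do; they only add the "md-clear" CPUID name and the "mds-no" ARCH_CAPABILITIES name to QEMU's feature tables, and a guest still gets the VERW flush only when the host microcode and kernel expose md-clear and the guest CPU model passes it through. Consider wording it as "allow the md-clear and mds-no CPU features to be exposed to guests" so users do not conclude that upgrading qemu alone mitigates the CVEs.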
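Review bot: dropping `Pre-Depends: adduser` from qemu-system-common is correct only if the package's preinst no longer needs adduser, and the visible context does not show whether it was moved into `Depends:` (the line is cut off after `${shlibs:Depends},`). If postinst still creates a user or group with adduser, it must be listed in Depends; if it was dropped entirely, the maintainer scripts must tolerate its absence. The identical hunk in control-in keeps the generated control in sync, which is good.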
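Review bot: the one-line relaxation in bad_mode_switch() from `arm_is_secure(env)` to `arm_is_secure_below_el3(env)` is safe only because, as the commit message says, instruction-driven CPSR.M writes into Hyp are already rejected "at the top of the bad_mode_switch() function"; that write_type check is outside this hunk's context, and the 3.1 tree's line position (`@@ -6297`) differs from the upstream index `f00c141ef9..9bf8fbd8f9`, so confirm that the early check is present in 3.1's helper.c before `case ARM_CPU_MODE_HYP:` and that the patch applies without fuzz, otherwise the looser test would also admit a plain CPSR write into Hyp from Mon.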
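Review bot: the `"md-clear"` slot is index 10 of the CPUID_7_0_EDX feat_names table and the cpu.h hunk defines `CPUID_7_0_EDX_MD_CLEAR (1U << 10)`, so name and bit agree. What the patch header should say, and the packaging notes could repeat, is that this only makes the bit nameable: with `-cpu host` under KVM it is forwarded when the host kernel reports it, but none of the named CPU models in 3.1 are touched here, so every named model needs an explicit `+md-clear` or the guest kernel will see no md-clear and report MDS as unmitigated.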
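Review bot: the trailing backslash in `edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \` is a macro-style continuation inside an ordinary C statement and does nothing; break the expression after the `|` without it. This hunk is in target/i386/hvf/x86_cpuid.c, which is only built for Hypervisor.framework hosts, so it is harmless for the Debian build but also not exercised by it, as the "[Backported to qemu 3.1 - sbeattie]" header and the "only needed for OS X" remark already hint.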
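Review bot: `"mds-no"` at index 5 of the IA32_ARCH_CAPABILITIES feature word matches the ARCH_CAP_MDS_NO bit named in the header, but the risk is the inverse of md-clear: advertising mds-no tells the guest kernel it is not vulnerable and may skip the MDS mitigation entirely, so it must only be exposed when the host CPU genuinely reports it (automatic with `-cpu host`, never on a migration pool that includes hosts without it). A sentence in the patch header warning against hand-adding `+mds-no` to a named model would be worth the space.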
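Review bot: the early `return` when `ext.info` is null in interface_release_resource() drops a guest-supplied release entry with no trace; since this input comes from the guest, consider reporting it as a guest bug or logging it rather than returning silently, so a malfunctioning or malicious guest driver shows up in the host log. Placing the check before the `MEMSLOT_GROUP_HOST` branch is right, as that branch dereferences `ext.info->id` immediately.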
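Review bot: enable-md-no.patch and enable-md-clear.patch carry no Commit-Id header, unlike the other three patches added to series; since the request states all fixes are applied upstream, record the upstream commit ids so the release team can match them. Their cpu.c index lines (`722c5514d4..558347e6c3` and `d990070c59..16da90562c`) were generated against different trees, and both patches touch target/i386/cpu.c in the order listed here, so check that the second applies cleanly after the first.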
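Review bot: `power_mem_read` returning 0 for every read fixes the NULL `.read` dereference in power_mem_ops, but it hides the access; a `qemu_log_mask(LOG_UNIMP, ...)` (or LOG_GUEST_ERROR) in the stub would keep unexpected guest reads of the power register visible, given that the existing context only defines `power_mem_write` for this region. The `.read = power_mem_read,` hunk is otherwise complete, and the `.valid` block is left untouched, so the existing access-size limits still apply to reads.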
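The md-clear and mds-no patches above only make two bits nameable in QEMU's CPU model; whether a guest kernel ends up mitigated depends on what it actually sees in CPUID leaf 7 and in IA32_ARCH_CAPABILITIES. The program below is an added example, not code from the Debian package or from QEMU, for checking that from inside a guest (or on the host). The bit positions come from the hunks above; the MSR number 0x10a, the use of /dev/cpu/0/msr (root and the msr kernel module are needed) and the three-way classification are this example's own assumptions, not the kernel's logic.

```c
/*
 * Added example (not from the Debian qemu package or QEMU): classify MDS
 * exposure from the bits the enable-md-clear / enable-md-no patches expose.
 *   CPUID.(EAX=7,ECX=0):EDX bit 10  md-clear          (CPUID_7_0_EDX_MD_CLEAR)
 *   CPUID.(EAX=7,ECX=0):EDX bit 29  arch-capabilities (CPUID_7_0_EDX_ARCH_CAPABILITIES)
 *   IA32_ARCH_CAPABILITIES  bit 5   mds-no            (index 5 of the MSR feature word)
 * Assumptions of this example: MSR number 0x10a, /dev/cpu/0/msr as the
 * read path, and the decision order in mds_classify().
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID_7_0_EDX_MD_CLEAR          (1U << 10)
#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29)
#define ARCH_CAP_MDS_NO                 (1ULL << 5)
#define MSR_IA32_ARCH_CAPABILITIES      0x10aU   /* assumed MSR number */

enum mds_status {
    MDS_NOT_AFFECTED,       /* hardware reports mds-no: no flush needed   */
    MDS_MITIGATED_MD_CLEAR, /* md-clear present: kernel can use VERW      */
    MDS_VULNERABLE          /* neither bit visible: nothing to flush with */
};

/* Pure decision logic; arch_caps is consulted only if CPUID says the MSR exists. */
enum mds_status mds_classify(uint32_t cpuid7_edx, uint64_t arch_caps)
{
    if ((cpuid7_edx & CPUID_7_0_EDX_ARCH_CAPABILITIES) &&
        (arch_caps & ARCH_CAP_MDS_NO)) {
        return MDS_NOT_AFFECTED;
    }
    if (cpuid7_edx & CPUID_7_0_EDX_MD_CLEAR) {
        return MDS_MITIGATED_MD_CLEAR;
    }
    return MDS_VULNERABLE;
}

const char *mds_status_name(enum mds_status s)
{
    switch (s) {
    case MDS_NOT_AFFECTED:       return "not affected (mds-no)";
    case MDS_MITIGATED_MD_CLEAR: return "mitigation available (md-clear)";
    default:                     return "vulnerable (no md-clear, no mds-no)";
    }
}

/* Read IA32_ARCH_CAPABILITIES through the msr driver; returns 0 on failure. */
static int read_arch_caps(uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) {
        return 0;
    }
    ssize_t n = pread(fd, out, sizeof *out, MSR_IA32_ARCH_CAPABILITIES);
    close(fd);
    return n == (ssize_t)sizeof *out;
}

/* Query CPUID leaf 7 subleaf 0 on a live x86 machine; returns 0 if unavailable. */
static int read_cpuid7_edx(uint32_t *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_max(0, NULL) < 7) {
        return 0;
    }
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    *out = edx;
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    uint32_t edx = 0;
    uint64_t caps = 0;

    if (!read_cpuid7_edx(&edx)) {
        fprintf(stderr, "CPUID leaf 7 not available on this machine\n");
        return 1;
    }
    /* Only try the MSR when CPUID advertises it; reading it otherwise would #GP. */
    if ((edx & CPUID_7_0_EDX_ARCH_CAPABILITIES) && !read_arch_caps(&caps)) {
        fprintf(stderr, "arch-capabilities advertised but MSR unreadable "
                        "(need root and the msr module); treating it as 0\n");
    }
    printf("md-clear: %s, arch-capabilities: %s, mds-no: %s\n",
           (edx & CPUID_7_0_EDX_MD_CLEAR) ? "yes" : "no",
           (edx & CPUID_7_0_EDX_ARCH_CAPABILITIES) ? "yes" : "no",
           (caps & ARCH_CAP_MDS_NO) ? "yes" : "no");
    printf("MDS status: %s\n", mds_status_name(mds_classify(edx, caps)));
    return 0;
}
```

Run it inside a guest started with `-cpu host` and again with a named model without `+md-clear` to see the difference the CPU model makes; a "vulnerable" verdict on a host whose own run reports md-clear means the bit was not passed through, not that the host lacks microcode.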