diff --git a/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch b/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch
new file mode 100644
index 0000000..c4e0d81
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch
@@ -0,0 +1,40 @@
+From 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Thu, 3 Apr 2014 19:52:25 +0300
+Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
+
+CVE-2013-4541
+
+s->setup_len and s->setup_index are fed into usb_packet_copy as
+size/offset into s->data_buf, it's possible for invalid state to exploit
+this to load arbitrary data.
+
+setup_len and setup_index should be checked to make sure
+they are not negative.
+
+Cc: Gerd Hoffmann
+Signed-off-by: Michael S. Tsirkin
+Reviewed-by: Gerd Hoffmann
+Signed-off-by: Juan Quintela
+---
+ hw/usb/bus.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index fe70429..e48b19f 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
+ } else {
+ dev->attached = 1;
+ }
+- if (dev->setup_index >= sizeof(dev->data_buf) ||
++ if (dev->setup_index < 0 ||
++ dev->setup_len < 0 ||
++ dev->setup_index >= sizeof(dev->data_buf) ||
+ dev->setup_len >= sizeof(dev->data_buf)) {
+ return -EINVAL;
+ }
+--
+1.9.3
+
diff --git a/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch b/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch
new file mode 100644
index 0000000..754ad48
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch
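Review bot: The new `< 0` tests at `+@@ -49,7 +49,9 @@` carry no comment saying why they are needed next to the `>= sizeof(dev->data_buf)` comparisons; if `setup_index`/`setup_len` are plain signed ints (their declarations are outside this patch), a negative value promoted to `size_t` for those comparisons is already rejected, so the explicit checks only pay off where the two fields are later compared with each other as signed values, which the `usb-post-load-checks` patch in this same commit does. A one-line comment would keep the next reader from deleting them as redundant: `/* setup_index/setup_len arrive from the migration stream; reject negatives explicitly, the sizeof comparisons only catch them via unsigned promotion */`. usb_device_post_load starts before this hunk.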
@@ -0,0 +1,48 @@
+From 42eb58179b3b215bb507da3262b682b8a2ec10b5 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Thu, 15 May 2014 16:10:11 +0200
+Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222)
+
+Too large L2 table sizes cause unbounded allocations. Images actually
+created by qemu-img only have 512 byte or 4k L2 tables.
+
+To keep things consistent with cluster sizes, allow ranges between 512
+bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
+working, but L2 table sizes smaller than a cluster don't make a lot of
+sense).
+
+This also means that the number of bytes on the virtual disk that are
+described by the same L2 table is limited to at most 8k * 64k or 2^29,
+preventively avoiding any integer overflows.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf
+Reviewed-by: Benoit Canet
+---
+ block/qcow.c | 8 ++++++++
+ tests/qemu-iotests/092 | 15 +++++++++++++++
+ tests/qemu-iotests/092.out | 11 +++++++++++
+ 3 files changed, 34 insertions(+)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index e60df23..e8038e5 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ goto fail;
+ }
+
++ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
++ * so bytes = num_entries << 3. */
++ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
++ error_setg(errp, "L2 table size must be between 512 and 64k");
++ ret = -EINVAL;
++ goto fail;
++ }
++
+ if (header.crypt_method > QCOW_CRYPT_AES) {
+ error_setg(errp, "invalid encryption method in qcow header");
+ ret = -EINVAL;
+--
+1.9.3
+
diff --git a/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch b/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch
new file mode 100644
index 0000000..a5b20a4
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch
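Review bot: The patch header's diffstat (`tests/qemu-iotests/092 | 15 +++++++++++++++`, `092.out`, `3 files changed, 34 insertions(+)`) does not match the patch body, which carries only the `block/qcow.c` hunk; `epatch` ignores the stat lines so it still applies, but the regression test upstream shipped with this CVE fix is silently dropped and the header misstates what the file contains. Either restore the two iotests hunks or trim the stat to `block/qcow.c | 8 ++++++++` and `1 file changed, 8 insertions(+)` so it describes the backport. On the code itself, `9 - 3` and `16 - 3` are explained only indirectly; tying them to the cluster-size check that precedes them in the same function (512..64k as `header.cluster_bits` 9..16) would help, e.g. `/* same 512..64k range as cluster_bits, in 8-byte entries: 2^6 .. 2^13 entries */`. qcow_open begins before and continues after this hunk.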
@@ -0,0 +1,57 @@
+From 46485de0cb357b57373e1ca895adedf1f3ed46ec Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Thu, 8 May 2014 13:08:20 +0200
+Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223)
+
+A huge image size could cause s->l1_size to overflow. Make sure that
+images never require a L1 table larger than what fits in s->l1_size.
+
+This cannot only cause unbounded allocations, but also the allocation of
+a too small L1 table, resulting in out-of-bounds array accesses (both
+reads and writes).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf
+---
+ block/qcow.c | 16 ++++++++++++++--
+ tests/qemu-iotests/092 | 9 +++++++++
+ tests/qemu-iotests/092.out | 7 +++++++
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index e8038e5..3566c05 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
+ int cluster_sectors;
+ int l2_bits;
+ int l2_size;
+- int l1_size;
++ unsigned int l1_size;
+ uint64_t cluster_offset_mask;
+ uint64_t l1_table_offset;
+ uint64_t *l1_table;
+@@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+
+ /* read the level 1 table */
+ shift = s->cluster_bits + s->l2_bits;
+- s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
++ if (header.size > UINT64_MAX - (1LL << shift)) {
++ error_setg(errp, "Image too large");
++ ret = -EINVAL;
++ goto fail;
++ } else {
++ uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
++ if (l1_size > INT_MAX / sizeof(uint64_t)) {
++ error_setg(errp, "Image too large");
++ ret = -EINVAL;
++ goto fail;
++ }
++ s->l1_size = l1_size;
++ }
+
+ s->l1_table_offset = header.l1_table_offset;
+ s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
+--
+1.9.3
+
diff --git a/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch b/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch
new file mode 100644
index 0000000..54fdd79
--- /dev/null
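Review bot: `1LL << shift` on the new `header.size > UINT64_MAX - (1LL << shift)` line is undefined for `shift >= 63`, and nothing in this hunk bounds `shift` (the `shift = s->cluster_bits + s->l2_bits;` line is unchanged context); the guard is sound only because the `qcow-check-max-sizes` and `CVE-2014-0222` patches in this same commit cap `cluster_bits` at 16 and `l2_bits` at 13, giving `shift <= 29`. That dependency is invisible at the check, so a comment is warranted: `/* shift <= 29: cluster_bits and l2_bits are range-checked above */`. The `index e8038e5..3566c05` line also ties this patch to the tree state left by CVE-2014-0222 (`e60df23..e8038e5`), so the three qcow patches must be applied in that order. As with the 0222 patch, the diffstat lists `tests/qemu-iotests/092` and `092.out` hunks that the backport does not carry. qcow_open begins before and continues after this hunk.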
+++ b/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch
@@ -0,0 +1,52 @@
+From 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f Mon Sep 17 00:00:00 2001
+From: Kevin Wolf
+Date: Wed, 7 May 2014 17:30:30 +0200
+Subject: [PATCH] qcow1: Check maximum cluster size
+
+Huge values for header.cluster_bits cause unbounded allocations (e.g.
+for s->cluster_cache) and crash qemu this way. Less huge values may
+survive those allocations, but can cause integer overflows later on.
+
+The only cluster sizes that qemu can create are 4k (for standalone
+images) and 512 (for images with backing files), so we can limit it
+to 64k.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf
+Reviewed-by: Benoit Canet
+---
+ block/qcow.c | 10 ++++++--
+ tests/qemu-iotests/092 | 63 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/092.out | 13 ++++++++++
+ tests/qemu-iotests/group | 1 +
+ 4 files changed, 85 insertions(+), 2 deletions(-)
+ create mode 100755 tests/qemu-iotests/092
+ create mode 100644 tests/qemu-iotests/092.out
+
+diff --git a/block/qcow.c b/block/qcow.c
+index 3684794..e60df23 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ goto fail;
+ }
+
+- if (header.size <= 1 || header.cluster_bits < 9) {
+- error_setg(errp, "invalid value in qcow header");
++ if (header.size <= 1) {
++ error_setg(errp, "Image size is too small (must be at least 2 bytes)");
+ ret = -EINVAL;
+ goto fail;
+ }
++ if (header.cluster_bits < 9 || header.cluster_bits > 16) {
++ error_setg(errp, "Cluster size must be between 512 and 64k");
++ ret = -EINVAL;
++ goto fail;
++ }
++
+ if (header.crypt_method > QCOW_CRYPT_AES) {
+ error_setg(errp, "invalid encryption method in qcow header");
+ ret = -EINVAL;
+--
+1.9.3
+
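Review bot: The backport keeps the upstream diffstat and the two `create mode` lines for `tests/qemu-iotests/092` / `092.out` (plus a `tests/qemu-iotests/group` entry) while the body carries only `block/qcow.c`, so the patch file announces tests it does not contain; with all three qcow patches in this commit losing their test hunks, none of the new header bounds is exercised by the build. Trim the header to `block/qcow.c | 10 ++++++--` / `1 file changed, 8 insertions(+), 2 deletions(-)` and drop the `create mode` lines, or carry the test hunks. This patch's `index 3684794..e60df23` is also the start of the blob chain the two CVE patches continue from, so it has to be applied first; a preamble line such as `Must be applied before qemu-2.0.0-CVE-2014-0222.patch and qemu-2.0.0-CVE-2014-0223.patch` would record that. qcow_open begins before and continues after the hunk.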
diff --git a/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch b/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch
new file mode 100644
index 0000000..4e85c59
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch
@@ -0,0 +1,41 @@
+https://bugs.gentoo.org/510208
+
+From 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Tue, 13 May 2014 12:33:16 +0300
+Subject: [PATCH] usb: fix up post load checks
+
+Correct post load checks:
+1. dev->setup_len == sizeof(dev->data_buf)
+ seems fine, no need to fail migration
+2. When state is DATA, passing index > len
+ will cause memcpy with negative length,
+ resulting in heap overflow
+
+First of the issues was reported by dgilbert.
+
+Reported-by: "Dr. David Alan Gilbert"
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Juan Quintela
+---
+ hw/usb/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index 699aa10..927a47b 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
+ }
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+- dev->setup_index >= sizeof(dev->data_buf) ||
+- dev->setup_len >= sizeof(dev->data_buf)) {
++ dev->setup_index > dev->setup_len ||
++ dev->setup_len > sizeof(dev->data_buf)) {
+ return -EINVAL;
+ }
+ return 0;
+--
+1.9.3
+
diff --git a/app-emulation/qemu/qemu-2.0.0.ebuild b/app-emulation/qemu/qemu-2.0.0-r1.ebuild
similarity index 96%
rename from app-emulation/qemu/qemu-2.0.0.ebuild
rename to app-emulation/qemu/qemu-2.0.0-r1.ebuild
index 420c8ad..336b01e 100644
--- a/app-emulation/qemu/qemu-2.0.0.ebuild
+++ b/app-emulation/qemu/qemu-2.0.0-r1.ebuild
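Review bot: The rewritten condition's `dev->setup_index > dev->setup_len` is a signed comparison (assuming both fields are signed ints, as the `< 0` tests imply; the declarations are outside the patch) and is only safe because `setup_index < 0` / `setup_len < 0` precede it in the same `||` chain — a negative `setup_index` would otherwise satisfy the check and later reach the copy with a negative length that the commit message describes. Nothing at the check says the order is load-bearing; propose `/* order matters: the index/len comparison is signed, reject negatives first */` above the `if`. Note also that `index 699aa10..927a47b` does not follow on from the first USB patch's `e48b19f`, consistent with a stable-branch backport; `epatch` applies by context so this is fine as long as the CVE-2013-4541 patch is applied before it, which src_prepare does. usb_device_post_load starts before this hunk.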
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.0.0.ebuild,v 1.2 2014/04/20 02:04:18 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.0.0-r1.ebuild,v 1.2 2014/05/31 16:14:44 vapier Exp $
 EAPI=5
@@ -90,12 +90,12 @@ RDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} )
 !static-user? ( ${USER_LIB_DEPEND//\[static-libs(+)]} )
 qemu_softmmu_targets_i386? (
 >=sys-firmware/ipxe-1.0.0_p20130624
- ~sys-firmware/seabios-1.7.4
+ =sys-firmware/seabios-1.7.4-r1
 ~sys-firmware/sgabios-0.1_pre8
 )
 qemu_softmmu_targets_x86_64? (
 >=sys-firmware/ipxe-1.0.0_p20130624
- ~sys-firmware/seabios-1.7.4
+ =sys-firmware/seabios-1.7.4-r1
 ~sys-firmware/sgabios-0.1_pre8
 )
 accessibility? ( app-accessibility/brltty )
@@ -227,7 +227,12 @@ src_prepare() {
 Makefile Makefile.target || die
 epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
- epatch "${FILESDIR}"/qemu-9999-virtfs-proxy-helper-accept.patch
+ epatch "${FILESDIR}"/qemu-9999-virtfs-proxy-helper-accept.patch #486714
+ epatch "${FILESDIR}"/${P}-CVE-2013-4541.patch #510208
+ epatch "${FILESDIR}"/${P}-usb-post-load-checks.patch #510208
+ epatch "${FILESDIR}"/${P}-qcow-check-max-sizes.patch #510234
+ epatch "${FILESDIR}"/${P}-CVE-2014-0222.patch #510234
+ epatch "${FILESDIR}"/${P}-CVE-2014-0223.patch #510234
 [[ -n ${BACKPORTS} ]] && \
 EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
 epatch
@@ -269,6 +274,7 @@ qemu_src_configure() {
 --disable-werror
 --python="${PYTHON}"
 --cc="$(tc-getCC)"
+ --cxx="$(tc-getCXX)"
 --host-cc="$(tc-getBUILD_CC)"
 $(use_enable debug debug-info)
 $(use_enable debug debug-tcg)
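Review bot: The five new `epatch` lines in src_prepare are order-dependent — `${P}-usb-post-load-checks.patch` rewrites the condition that `${P}-CVE-2013-4541.patch` introduces, and the three qcow patches chain on each other's blob ids (`3684794..e60df23`, `e60df23..e8038e5`, `e8038e5..3566c05`) — but the only annotation is the bug number, so a future reorder or removal of one of them would fail with a confusing reject rather than an obvious message. A one-line comment keeps that intent explicit: `# order matters: each usb/qcow patch applies on top of the previous one`. The `#486714` reference added to the existing virtfs line is cosmetic and fine. src_prepare starts before this hunk and continues after it.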
@@ -446,16 +452,6 @@ src_install() {
 udev_dorules "${FILESDIR}"/65-kvm.rules
 fi
- if use qemu_softmmu_targets_x86_64 ; then
- newbin "${FILESDIR}/qemu-kvm-1.4" qemu-kvm
- ewarn "The deprecated '/usr/bin/kvm' symlink is no longer installed"
- ewarn "You should use '/usr/bin/qemu-kvm', you may need to edit"
- ewarn "your libvirt configs or other wrappers for ${PN}"
- elif use x86 || use amd64; then
- elog "You disabled QEMU_SOFTMMU_TARGETS=x86_64, this disables install"
- elog "of the /usr/bin/qemu-kvm script."
- fi
-
 if use python; then
 python_foreach_impl qemu_python_install
 fi
@@ -536,6 +532,13 @@ pkg_postinst() {
 ewarn "any saved states with a newer qemu."
 ewarn
 ewarn "qemu-kvm was the primary qemu provider in Gentoo through 1.2.x"
+
+ if use x86 || use amd64; then
+ ewarn
+ ewarn "The /usr/bin/kvm and /usr/bin/qemu-kvm wrappers are no longer"
+ ewarn "installed. In order to use kvm acceleration, pass the flag"
+ ewarn "-enable-kvm when running your system target."
+ fi
 fi
 virtfs_caps+="cap_chown,cap_dac_override,cap_fowner,cap_fsetid,"
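Review bot: The new `ewarn` block about `/usr/bin/kvm` and `/usr/bin/qemu-kvm` is placed inside an existing conditional whose condition is outside this hunk (only its closing `fi` is visible) and whose neighbouring messages talk about the old qemu-kvm package, whereas the `newbin "${FILESDIR}/qemu-kvm-1.4" qemu-kvm` removed in the `@@ -446,16 +452,6 @@` hunk ran for every x86_64-target build of the previous ebuild. If that outer condition only fires for users migrating from app-emulation/qemu-kvm, anyone upgrading from qemu-2.0.0 loses the wrapper without a warning; hoisting the `if use x86 || use amd64; then ... fi` block out of the enclosing `if` (or gating it on `REPLACING_VERSIONS` instead) would reach them. The removed `elog` for the disabled-x86_64 case gets no replacement, which is consistent with the wrapper no longer existing. pkg_postinst starts before this hunk and continues after it.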