diff -Nru qemu-3.1+dfsg/debian/changelog qemu-3.1+dfsg/debian/changelog
--- qemu-3.1+dfsg/debian/changelog 2019-01-08 08:41:08.000000000 +0000
+++ qemu-3.1+dfsg/debian/changelog 2019-02-19 05:43:04.000000000 +0000
@@ -1,3 +1,21 @@
+qemu (1:3.1+dfsg-2ubuntu2) disco; urgency=medium
+
+ * disable pvrdma - besides several security holes there are many other
+ bugs there as well, and the amount of patches applied upstream after
+ 3.1 release is large (Closes, or actuallymakes unimportant again)
+ - CVE-2018-20123
+ - CVE-2018-20124
+ - CVE-2018-20125
+ - CVE-2018-20126
+ - CVE-2018-20191
+ - CVE-2018-20216
+ * scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
+ - CVE-2019-6501
+ * slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
+ - CVE-2019-6778
+
+ -- Christian Ehrhardt Tue, 19 Feb 2019 06:43:04 +0100
+
+ qemu (1:3.1+dfsg-2ubuntu1) disco; urgency=medium
 
 * Merge with Debian testing, Among many other things this fixes LP Bugs:
diff -Nru qemu-3.1+dfsg/debian/control qemu-3.1+dfsg/debian/control
--- qemu-3.1+dfsg/debian/control 2019-01-08 08:41:08.000000000 +0000
+++ qemu-3.1+dfsg/debian/control 2019-02-19 05:43:04.000000000 +0000
@@ -62,6 +62,8 @@
 librdmacm-dev,
 libibverbs-dev,
 libibumad-dev,
+# pvrdma is too buggy in 3.1, disable it for now
+# --disable-pvrdma
 # glusterfs is debian-only since ubuntu/glusterfs is in universe (MIR LP: #1274247)
 # --enable-vnc-sasl
 libsasl2-dev,
diff -Nru qemu-3.1+dfsg/debian/control-in qemu-3.1+dfsg/debian/control-in
--- qemu-3.1+dfsg/debian/control-in 2019-01-08 08:41:08.000000000 +0000
+++ qemu-3.1+dfsg/debian/control-in 2019-02-19 05:42:31.000000000 +0000
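Review bot: The only change to debian/control in this hunk is two comment lines, `# pvrdma is too buggy in 3.1, disable it for now` and `# --disable-pvrdma`; a commented-out configure flag changes nothing at build time, so unless debian/rules (not in this chunk) also passes `--disable-pvrdma` to configure, the pvrdma code and the six CVE-2018-201xx issues the changelog lists as closed are still compiled into the shipped binaries. Worth confirming that the rules change is part of the same upload and naming it in the comment, e.g. `# --disable-pvrdma (see debian/rules)`, so a later reader does not take the comment as the fix. The same comment-only change is made in the debian/control-in hunk that follows.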
@@ -66,6 +66,8 @@
 :ubuntu: librdmacm-dev,
 :ubuntu: libibverbs-dev,
 :ubuntu: libibumad-dev,
+# pvrdma is too buggy in 3.1, disable it for now
+# --disable-pvrdma
 # glusterfs is debian-only since ubuntu/glusterfs is in universe (MIR LP: #1274247)
 :debian:# --enable-glusterfs
 :debian: glusterfs-common,
diff -Nru qemu-3.1+dfsg/debian/patches/scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch qemu-3.1+dfsg/debian/patches/scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
--- qemu-3.1+dfsg/debian/patches/scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch 2019-02-19 05:38:27.000000000 +0000
@@ -0,0 +1,72 @@
+From: Paolo Bonzini
+Date: Mon, 4 Feb 2019 19:35:45 +0100
+Subject: scsi-generic: avoid possible out-of-bounds access to r->buf (CVE-2019-6501)
+Bug-Debian: http://bugs.debian.org/920222
+
+Whenever the allocation length of a SCSI request is shorter than the size of the
+VPD page list, page_idx is used blindly to index into r->buf. Even though
+the stores in the insertion sort are protected against overflows, the same is not
+true of the reads and the final store of 0xb0.
+
+This basically does the same thing as commit 57dbb58d80 ("scsi-generic: avoid
+out-of-bounds access to VPD page list", 2018-11-06), except that here the
+allocation length can be chosen by the guest. Note that according to the SCSI
+standard, the contents of the PAGE LENGTH field are not altered based
+on the allocation length.
+
+The code was introduced by commit 6c219fc8a1 ("scsi-generic: keep VPD
+page list sorted", 2018-11-06) but the overflow was already possible before.
+
+Reported-by: Kevin Wolf
+Fixes: a71c775b24ebc664129eb1d9b4c360590353efd5
+Signed-off-by: Paolo Bonzini
+---
+ hw/scsi/scsi-generic.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/hw/scsi/scsi-generic.c b/hw/scsi/scsi-generic.c
+index 7237b41..42700e8 100644
+--- a/hw/scsi/scsi-generic.c
++++ b/hw/scsi/scsi-generic.c
+@@ -182,7 +182,7 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s)
+ /* Also take care of the opt xfer len. */
+ stl_be_p(&r->buf[12],
+ MIN_NON_ZERO(max_transfer, ldl_be_p(&r->buf[12])));
+- } else if (s->needs_vpd_bl_emulation && page == 0x00) {
++ } else if (s->needs_vpd_bl_emulation && page == 0x00 && r->buflen >= 4) {
+ /*
+ * Now we're capable of supplying the VPD Block Limits
+ * response if the hardware can't. Add it in the INQUIRY
+@@ -193,18 +193,20 @@ static void scsi_handle_inquiry_reply(SCSIGenericReq *r, SCSIDevice *s)
+ * and will use it to proper setup the SCSI device.
+ *
+ * VPD page numbers must be sorted, so insert 0xb0 at the
+- * right place with an in-place insert. After the initialization
+- * part of the for loop is executed, the device response is
+- * at r[0] to r[page_idx - 1].
++ * right place with an in-place insert. When the while loop
++ * begins the device response is at r[0] to r[page_idx - 1].
+ */
+- for (page_idx = lduw_be_p(r->buf + 2) + 4;
+- page_idx > 4 && r->buf[page_idx - 1] >= 0xb0;
+- page_idx--) {
++ page_idx = lduw_be_p(r->buf + 2) + 4;
++ page_idx = MIN(page_idx, r->buflen);
++ while (page_idx > 4 && r->buf[page_idx - 1] >= 0xb0) {
+ if (page_idx < r->buflen) {
+ r->buf[page_idx] = r->buf[page_idx - 1];
+ }
++ page_idx--;
++ }
++ if (page_idx < r->buflen) {
++ r->buf[page_idx] = 0xb0;
+ }
+- r->buf[page_idx] = 0xb0;
+ stw_be_p(r->buf + 2, lduw_be_p(r->buf + 2) + 1);
+ }
+ }
+--
+1.8.3.1
+
+
+
diff -Nru qemu-3.1+dfsg/debian/patches/series qemu-3.1+dfsg/debian/patches/series
--- qemu-3.1+dfsg/debian/patches/series 2019-01-08 08:41:08.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/series 2019-02-19 05:40:39.000000000 +0000
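Review bot: The final `stw_be_p(r->buf + 2, lduw_be_p(r->buf + 2) + 1);` in the backported patch now runs even when the new `if (page_idx < r->buflen)` guard just above it skipped storing 0xb0, so the PAGE LENGTH field counts an entry the truncated reply does not hold; the patch description says this is deliberate per the SCSI standard, but nothing in the code says so. A one-line comment above that store, `/* PAGE LENGTH counts 0xb0 even when the allocation length cut it off (SCSI standard) */`, would keep the next reader from treating the mismatch as a bug. Note also that the `r->buflen >= 4` added to the `else if` in the first hunk is what makes the `lduw_be_p(r->buf + 2)` reads here safe, so the two hunks must be backported together. scsi_handle_inquiry_reply starts and ends outside the hunk.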
@@ -3,6 +3,8 @@
 usb-mtp-use-O_NOFOLLOW-and-O_CLOEXEC-CVE-2018-16872.patch
 bt-use-size_t-type-for-length-parameters-instead-of-int-CVE-2018-19665.patch
 hw_usb-fix-mistaken-de-initialization-of-CCID-state.patch
+scsi-generic-avoid-possible-oob-access-to-r-buf-CVE-2019-6501.patch
+slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
 # ubuntu patches
 ubuntu/expose-vmx_qemu64cpu.patch
diff -Nru qemu-3.1+dfsg/debian/patches/slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch qemu-3.1+dfsg/debian/patches/slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch
--- qemu-3.1+dfsg/debian/patches/slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch 1970-01-01 00:00:00.000000000 +0000
+++ qemu-3.1+dfsg/debian/patches/slirp-check-data-length-while-emulating-ident-function-CVE-2019-6778.patch 2019-02-19 05:40:22.000000000 +0000
@@ -0,0 +1,36 @@
+Commit-Id: a7104eda7dab99d0cdbd3595c211864cba415905
+From: Prasad J Pandit
+Date: Sun, 13 Jan 2019 23:29:48 +0530
+Subject: slirp: check data length while emulating ident function (CVE-2019-6778)
+Bug-Debian: http://bugs.debian.org/921525
+
+While emulating identification protocol, tcp_emu() does not check
+available space in the 'sc_rcv->sb_data' buffer. It could lead to
+heap buffer overflow issue. Add check to avoid it.
+
+Reported-by: Kira <864786842@qq.com>
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Samuel Thibault
+---
+ slirp/tcp_subr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c
+index 4a9a5b5edc..23a841f26e 100644
+--- a/slirp/tcp_subr.c
++++ b/slirp/tcp_subr.c
+@@ -634,6 +634,11 @@ tcp_emu(struct socket *so, struct mbuf *m)
+ socklen_t addrlen = sizeof(struct sockaddr_in);
+ struct sbuf *so_rcv = &so->so_rcv;
+
++ if (m->m_len > so_rcv->sb_datalen
++ - (so_rcv->sb_wptr - so_rcv->sb_data)) {
++ return 1;
++ }
++
+ memcpy(so_rcv->sb_wptr, m->m_data, m->m_len);
+ so_rcv->sb_wptr += m->m_len;
+ so_rcv->sb_rptr += m->m_len;
+--
+2.11.0
+
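Review bot: The new guard compares `m->m_len` against `so_rcv->sb_datalen - (so_rcv->sb_wptr - so_rcv->sb_data)` with no casts, so the result type of that subtraction and the signedness of `m_len` (both declared outside the hunk) decide whether a negative or out-of-range length slips through into the `memcpy` that follows; this is presumably fine for the values the caller produces, but the check as written does not make that reviewable. Computing the free space once and rejecting a negative length explicitly, `size_t space = so_rcv->sb_datalen - (size_t)(so_rcv->sb_wptr - so_rcv->sb_data);` followed by `if (m->m_len < 0 || (size_t)m->m_len > space) { return 1; }`, pins the intent regardless of the field types. The `return 1;` also drops the ident data silently; a short comment saying that the caller treats 1 as "segment consumed" (or whatever the convention is, which the hunk does not show) would help. tcp_emu begins and ends outside the hunk.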