rpms/qemu-kvm
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import qemu-kvm-6.2.0-11.el9_0.3

Browse Source
This commit is contained in:
CentOS Sources 2022-06-28 04:29:58 -04:00 committed by Stepan Oksanichenko
parent fa43255245
commit 9d4d37bd2f
4 changed files with 263 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
SOURCES/kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch Normal file
View File

@ -0,0 +1,107 @@
From 5688fdb9a3ed192b85dca84c47a7ddfd325778d9 Mon Sep 17 00:00:00 2001
From: Stefano Garzarella <sgarzare@redhat.com>
Date: Thu, 24 Mar 2022 16:04:57 +0100
Subject: [PATCH 1/3] RHEL: disable "seqpacket" for "vhost-vsock-device" in
rhel8.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Stefano Garzarella <sgarzare@redhat.com>
RH-MergeRequest: 135: RHEL: disable "seqpacket" for "vhost-vsock-device" in rhel8.6.0 [rhel-9.0.0.z]
RH-Commit: [1/1] 5ee0de3110deaa0222c9783c00168b536b0c8934
RH-Bugzilla: 2071102
RH-Acked-by: Jason Wang <jasowang@redhat.com>
RH-Acked-by: Eugenio Pérez <eperezma@redhat.com>
RH-Acked-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
vhost-vsock device in RHEL 8 kernels doesn't support seqpacket.
To avoid problems when migrating a VM from RHEL 9 host, we need to
disable it in rhel8-* machine types.
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
hw/core/machine.c | 10 ++++++++++
hw/i386/pc_piix.c | 2 ++
hw/i386/pc_q35.c | 2 ++
hw/s390x/s390-virtio-ccw.c | 1 +
include/hw/boards.h | 3 +++
5 files changed, 18 insertions(+)
diff --git a/hw/core/machine.c b/hw/core/machine.c
index 5fae55d6cd..7dcceb904a 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -43,6 +43,16 @@
const char *rhel_old_machine_deprecation =
"machine types for previous major releases are deprecated";
+GlobalProperty hw_compat_rhel_8_6[] = {
+ /* hw_compat_rhel_8_6 bz 2065589 */
+ /*
+ * vhost-vsock device in RHEL 8 kernels doesn't support seqpacket, so
+ * we need do disable it downstream on the latest hw_compat_rhel_8.
+ */
+ { "vhost-vsock-device", "seqpacket", "off" },
+};
+const size_t hw_compat_rhel_8_6_len = G_N_ELEMENTS(hw_compat_rhel_8_6);
+
/*
* Mostly the same as hw_compat_6_0 and hw_compat_6_1
*/
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index cf68d7498c..08579366b6 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -998,6 +998,8 @@ static void pc_machine_rhel760_options(MachineClass *m)
pcmc->kvmclock_create_always = false;
/* From pc_i440fx_5_1_machine_options() */
pcmc->pci_root_uid = 1;
+ compat_props_add(m->compat_props, hw_compat_rhel_8_6,
+ hw_compat_rhel_8_6_len);
compat_props_add(m->compat_props, hw_compat_rhel_8_5,
hw_compat_rhel_8_5_len);
compat_props_add(m->compat_props, pc_rhel_8_5_compat,
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index c8e06da084..23dacdd923 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -680,6 +680,8 @@ static void pc_q35_machine_rhel860_options(MachineClass *m)
pcmc->smbios_stream_product = "RHEL-AV";
pcmc->smbios_stream_version = "8.6.0";
+ compat_props_add(m->compat_props, hw_compat_rhel_8_6,
+ hw_compat_rhel_8_6_len);
}
DEFINE_PC_MACHINE(q35_rhel860, "pc-q35-rhel8.6.0", pc_q35_init_rhel860,
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index cc78a315e3..13bfa4253e 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -1121,6 +1121,7 @@ static void ccw_machine_rhel860_instance_options(MachineState *machine)
static void ccw_machine_rhel860_class_options(MachineClass *mc)
{
ccw_machine_rhel900_class_options(mc);
+ compat_props_add(mc->compat_props, hw_compat_rhel_8_6, hw_compat_rhel_8_6_len);
/* All RHEL machines for prior major releases are deprecated */
mc->deprecation_reason = rhel_old_machine_deprecation;
diff --git a/include/hw/boards.h b/include/hw/boards.h
index 21d8d5528e..b9c12c4bf2 100644
--- a/include/hw/boards.h
+++ b/include/hw/boards.h
@@ -443,6 +443,9 @@ extern const size_t hw_compat_2_2_len;
extern GlobalProperty hw_compat_2_1[];
extern const size_t hw_compat_2_1_len;
+extern GlobalProperty hw_compat_rhel_8_6[];
+extern const size_t hw_compat_rhel_8_6_len;
+
extern GlobalProperty hw_compat_rhel_8_5[];
extern const size_t hw_compat_rhel_8_5_len;
--
2.31.1

77
SOURCES/kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch Normal file
View File

@ -0,0 +1,77 @@
From 3a8dff1446aaa9a3b93a16ea027214064e84a582 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@rehat.com>
Date: Thu, 14 Apr 2022 10:38:26 -0400
Subject: [PATCH 3/3] vhost-vsock: detach the virqueue element in case of error
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 179: vhost-vsock: detach the virqueue element in case of error
RH-Commit: [1/1] 9275dbff40eb3c7be2abca8369055ca4a1e1e52d (jmaloy/qemu-kvm)
RH-Bugzilla: 2075640
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075640
Upstream: Merged
CVE: CVE-2022-26354
commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf
Author: Stefano Garzarella <sgarzare@redhat.com>
Date: Mon Feb 28 10:50:58 2022 +0100
vhost-vsock: detach the virqueue element in case of error
In vhost_vsock_common_send_transport_reset(), if an element popped from
the virtqueue is invalid, we should call virtqueue_detach_element() to
detach it from the virtqueue before freeing its memory.
Fixes: fc0b9b0e1c ("vhost-vsock: add virtio sockets device")
Fixes: CVE-2022-26354
Cc: qemu-stable@nongnu.org
Reported-by: VictorV <vv474172261@gmail.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Message-Id: <20220228095058.27899-1-sgarzare@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 8d1b247f3748ac4078524130c6d7ae42b6140aaf)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/virtio/vhost-vsock-common.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost-vsock-common.c b/hw/virtio/vhost-vsock-common.c
index 3f3771274e..ed706681ac 100644
--- a/hw/virtio/vhost-vsock-common.c
+++ b/hw/virtio/vhost-vsock-common.c
@@ -153,19 +153,23 @@ static void vhost_vsock_common_send_transport_reset(VHostVSockCommon *vvc)
if (elem->out_num) {
error_report("invalid vhost-vsock event virtqueue element with "
"out buffers");
- goto out;
+ goto err;
}
if (iov_from_buf(elem->in_sg, elem->in_num, 0,
&event, sizeof(event)) != sizeof(event)) {
error_report("vhost-vsock event virtqueue element is too short");
- goto out;
+ goto err;
}
virtqueue_push(vq, elem, sizeof(event));
virtio_notify(VIRTIO_DEVICE(vvc), vq);
-out:
+ g_free(elem);
+ return;
+
+err:
+ virtqueue_detach_element(vq, elem, 0);
g_free(elem);
}
--
2.31.1

61
SOURCES/kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch Normal file
View File

@ -0,0 +1,61 @@
From d1a64781c4f7fa698a359ea078a98029f4f67c1b Mon Sep 17 00:00:00 2001
From: Jason Wang <jasowang@redhat.com>
Date: Tue, 8 Mar 2022 10:42:51 +0800
Subject: [PATCH 2/3] virtio-net: fix map leaking on error during receive
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 178: virtio-net: fix map leaking on error during receive
RH-Commit: [1/1] afdfa3198fcf815de59915136222f73711efd292 (jmaloy/qemu-kvm)
RH-Bugzilla: 2075635
RH-Acked-by: Jason Wang <jasowang@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2075635
Upstream: Merged
CVE: CVE-2022-26353
commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37
Author: Jason Wang <jasowang@redhat.com>
Date: Tue Mar 8 10:42:51 2022 +0800
virtio-net: fix map leaking on error during receive
Commit bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
tries to fix the use after free of the sg by caching the virtqueue
elements in an array and unmap them at once after receiving the
packets, But it forgot to unmap the cached elements on error which
will lead to leaking of mapping and other unexpected results.
Fixing this by detaching the cached elements on error. This addresses
CVE-2022-26353.
Reported-by: Victor Tom <vv474172261@gmail.com>
Cc: qemu-stable@nongnu.org
Fixes: CVE-2022-26353
Fixes: bedd7e93d0196 ("virtio-net: fix use after unmap/free for sg")
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit abe300d9d894f7138e1af7c8e9c88c04bfe98b37)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
hw/net/virtio-net.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index f2014d5ea0..e1f4748831 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1862,6 +1862,7 @@ static ssize_t virtio_net_receive_rcu(NetClientState *nc, const uint8_t *buf,
err:
for (j = 0; j < i; j++) {
+ virtqueue_detach_element(q->rx_vq, elems[j], lens[j]);
g_free(elems[j]);
}
--
2.31.1

19
SPECS/qemu-kvm.spec
View File

@ -151,7 +151,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version} \
Summary: QEMU is a machine emulator and virtualizer Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm Name: qemu-kvm
Version: 6.2.0 Version: 6.2.0
Release: 11%{?rcrel}%{?dist}%{?cc_suffix}.2 Release: 11%{?rcrel}%{?dist}%{?cc_suffix}.3
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
# Epoch 15 used for RHEL 8 # Epoch 15 used for RHEL 8
# Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5) # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@ -320,6 +320,12 @@ Patch82: kvm-acpi-fix-OEM-ID-OEM-Table-ID-padding.patch
Patch83: kvm-tests-acpi-update-expected-blobs.patch Patch83: kvm-tests-acpi-update-expected-blobs.patch
# For bz#2043531 - Guest can not start with SLIC acpi table # For bz#2043531 - Guest can not start with SLIC acpi table
Patch84: kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch Patch84: kvm-tests-acpi-test-short-OEM_ID-OEM_TABLE_ID-values-in-.patch
# For bz#2071102 - RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-9.0.0.z]
Patch85: kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch
# For bz#2075635 - CVE-2022-26353 qemu-kvm: QEMU: virtio-net: map leaking on error during receive [rhel-9] [rhel-9.0.0.z]
Patch86: kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch
# For bz#2075640 - CVE-2022-26354 qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-9] [rhel-9.0.0.z]
Patch87: kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch
# Source-git patches # Source-git patches
@ -1370,6 +1376,17 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%endif %endif
%changelog %changelog
* Mon May 09 2022 Miroslav Rezanina <mrezanin@redhat.com> - 6.2.0-11.el9_0.3
- kvm-RHEL-disable-seqpacket-for-vhost-vsock-device-in-rhe.patch [bz#2071102]
- kvm-virtio-net-fix-map-leaking-on-error-during-receive.patch [bz#2075635]
- kvm-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch [bz#2075640]
- Resolves: bz#2071102
(RHEL 9.0 guest with vsock device migration failed from RHEL 9.0 > RHEL 8.6 [rhel-9.0.0.z])
- Resolves: bz#2075635
(CVE-2022-26353 qemu-kvm: QEMU: virtio-net: map leaking on error during receive [rhel-9] [rhel-9.0.0.z])
- Resolves: bz#2075640
(CVE-2022-26354 qemu-kvm: QEMU: vhost-vsock: missing virtqueue detach on error can lead to memory leak [rhel-9] [rhel-9.0.0.z])
* Tue Mar 22 2022 <cconte@redhat.com> - 6.2.0-11.el9_0.2 * Tue Mar 22 2022 <cconte@redhat.com> - 6.2.0-11.el9_0.2
- kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch [bz#2053584] - kvm-pci-expose-TYPE_XIO3130_DOWNSTREAM-name.patch [bz#2053584]
- kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch [bz#2053584] - kvm-acpi-pcihp-pcie-set-power-on-cap-on-parent-slot.patch [bz#2053584]