* Mon Sep 16 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.1.0-10.el8

- kvm-spapr-xive-Mask-the-EAS-when-allocating-an-IRQ.patch [bz#1748725] - kvm-block-create-Do-not-abort-if-a-block-driver-is-not-a.patch [bz#1746267] - kvm-virtio-blk-Cancel-the-pending-BH-when-the-dataplane-.patch [bz#1717321] - kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch [bz#1749737] - Resolves: bz#1717321 (qemu-kvm core dumped when repeat "system_reset" multiple times during guest boot) - Resolves: bz#1746267 (qemu coredump: qemu-kvm: block/create.c:68: qmp_blockdev_create: Assertion `drv' failed) - Resolves: bz#1748725 ([ppc][migration][v6.3-rc1-p1ce8930]basic migration failed with "qemu-kvm: KVM_SET_DEVICE_ATTR failed: Group 3 attr 0x0000000000001309: Device or resource busy") - Resolves: bz#1749737 (CVE-2019-15890 qemu-kvm: QEMU: Slirp: use-after-free during packet reassembly [rhel-av-8])
2019-09-16 20:28:31 +01:00 · 2019-09-16 20:28:31 +01:00 · a05903a904
parent 200e3560ab
commit a05903a904
5 changed files with 346 additions and 1 deletions
--- a/kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch
+++ b/kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch
@ -0,0 +1,61 @@
+From 01e95b17878444859b15e79f7690d32a3532907e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Mon, 16 Sep 2019 17:07:00 +0100
+Subject: [PATCH 4/4] Using ip_deq after m_free might read pointers from an
+ allocation reuse.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190916170700.647-2-philmd@redhat.com>
+Patchwork-id: 90470
+O-Subject: [RHEL-AV-8.1.0 qemu-kvm PATCH 1/1] Using ip_deq after m_free might read pointers from an allocation reuse.
+Bugzilla: 1749737
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+This would be difficult to exploit, but that is still related with
+CVE-2019-14378 which generates fragmented IP packets that would trigger this
+issue and at least produce a DoS.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+(cherry picked from libslirp commit c59279437eda91841b9d26079c70b8a540d41204)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/src/ip_input.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
+index 8c75d91..df1c846 100644
+--- a/slirp/src/ip_input.c
+++ b/slirp/src/ip_input.c
+@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+      */
+     while (q != (struct ipasfrag *)&fp->frag_link &&
+            ip->ip_off + ip->ip_len > q->ipf_off) {
+        struct ipasfrag *prev;
+         i = (ip->ip_off + ip->ip_len) - q->ipf_off;
+         if (i < q->ipf_len) {
+             q->ipf_len -= i;
+@@ -299,9 +300,11 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
+             m_adj(dtom(slirp, q), i);
+             break;
+         }
+        prev = q;
+         q = q->ipf_next;
+-        m_free(dtom(slirp, q->ipf_prev));
+-        ip_deq(q->ipf_prev);
+        ip_deq(prev);
+        m_free(dtom(slirp, prev));
+
+     }
+ 
+ insert:
+-- 
+1.8.3.1
+
--- a/kvm-block-create-Do-not-abort-if-a-block-driver-is-not-a.patch
+++ b/kvm-block-create-Do-not-abort-if-a-block-driver-is-not-a.patch
@ -0,0 +1,107 @@
+From df8fadfd9450c8709864db44c2f676d40f323f95 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 13 Sep 2019 14:12:25 +0100
+Subject: [PATCH 2/4] block/create: Do not abort if a block driver is not
+ available
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190913141225.12022-2-philmd@redhat.com>
+Patchwork-id: 90451
+O-Subject: [RHEL-7.7 qemu-kvm-rhev + RHEL-AV-8.1.0 qemu-kvm PATCH v2 1/1] block/create: Do not abort if a block driver is not available
+Bugzilla: 1746267
+RH-Acked-by: Kevin Wolf <kwolf@redhat.com>
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+The 'blockdev-create' QMP command was introduced as experimental
+feature in commit b0292b851b8, using the assert() debug call.
+It got promoted to 'stable' command in 3fb588a0f2c, but the
+assert call was not removed.
+
+Some block drivers are optional, and bdrv_find_format() might
+return a NULL value, triggering the assertion.
+
+Stable code is not expected to abort, so return an error instead.
+
+This is easily reproducible when libnfs is not installed:
+
+  ./configure
+  [...]
+  module support    no
+  Block whitelist (rw)
+  Block whitelist (ro)
+  libiscsi support  yes
+  libnfs support    no
+  [...]
+
+Start QEMU:
+
+  $ qemu-system-x86_64 -S -qmp unix:/tmp/qemu.qmp,server,nowait
+
+Send the 'blockdev-create' with the 'nfs' driver:
+
+  $ ( cat << 'EOF'
+  {'execute': 'qmp_capabilities'}
+  {'execute': 'blockdev-create', 'arguments': {'job-id': 'x', 'options': {'size': 0, 'driver': 'nfs', 'location': {'path': '/', 'server': {'host': '::1', 'type': 'inet'}}}}, 'id': 'x'}
+  EOF
+  ) | socat STDIO UNIX:/tmp/qemu.qmp
+  {"QMP": {"version": {"qemu": {"micro": 50, "minor": 1, "major": 4}, "package": "v4.1.0-733-g89ea03a7dc"}, "capabilities": ["oob"]}}
+  {"return": {}}
+
+QEMU crashes:
+
+  $ gdb qemu-system-x86_64 core
+  Program received signal SIGSEGV, Segmentation fault.
+  (gdb) bt
+  #0  0x00007ffff510957f in raise () at /lib64/libc.so.6
+  #1  0x00007ffff50f3895 in abort () at /lib64/libc.so.6
+  #2  0x00007ffff50f3769 in _nl_load_domain.cold.0 () at /lib64/libc.so.6
+  #3  0x00007ffff5101a26 in .annobin_assert.c_end () at /lib64/libc.so.6
+  #4  0x0000555555d7e1f1 in qmp_blockdev_create (job_id=0x555556baee40 "x", options=0x555557666610, errp=0x7fffffffc770) at block/create.c:69
+  #5  0x0000555555c96b52 in qmp_marshal_blockdev_create (args=0x7fffdc003830, ret=0x7fffffffc7f8, errp=0x7fffffffc7f0) at qapi/qapi-commands-block-core.c:1314
+  #6  0x0000555555deb0a0 in do_qmp_dispatch (cmds=0x55555645de70 <qmp_commands>, request=0x7fffdc005c70, allow_oob=false, errp=0x7fffffffc898) at qapi/qmp-dispatch.c:131
+  #7  0x0000555555deb2a1 in qmp_dispatch (cmds=0x55555645de70 <qmp_commands>, request=0x7fffdc005c70, allow_oob=false) at qapi/qmp-dispatch.c:174
+
+With this patch applied, QEMU returns a QMP error:
+
+  {'execute': 'blockdev-create', 'arguments': {'job-id': 'x', 'options': {'size': 0, 'driver': 'nfs', 'location': {'path': '/', 'server': {'host': '::1', 'type': 'inet'}}}}, 'id': 'x'}
+  {"id": "x", "error": {"class": "GenericError", "desc": "Block driver 'nfs' not found or not supported"}}
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Xu Tian <xutian@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit d90d5cae2b10efc0e8d0b3cc91ff16201853d3ba)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ block/create.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/create.c b/block/create.c
+index 9534121..de5e97b 100644
+--- a/block/create.c
+++ b/block/create.c
+@@ -63,9 +63,13 @@ void qmp_blockdev_create(const char *job_id, BlockdevCreateOptions *options,
+     const char *fmt = BlockdevDriver_str(options->driver);
+     BlockDriver *drv = bdrv_find_format(fmt);
+ 
+    if (!drv) {
+        error_setg(errp, "Block driver '%s' not found or not supported", fmt);
+        return;
+    }
+
+     /* If the driver is in the schema, we know that it exists. But it may not
+      * be whitelisted. */
+-    assert(drv);
+     if (bdrv_uses_whitelist() && !bdrv_is_whitelisted(drv, false)) {
+         error_setg(errp, "Driver is not whitelisted");
+         return;
+-- 
+1.8.3.1
+
--- a/kvm-spapr-xive-Mask-the-EAS-when-allocating-an-IRQ.patch
+++ b/kvm-spapr-xive-Mask-the-EAS-when-allocating-an-IRQ.patch
@ -0,0 +1,63 @@
+From 6a7245ed7802dff5479228376a4119e095db33b2 Mon Sep 17 00:00:00 2001
+From: Laurent Vivier <lvivier@redhat.com>
+Date: Wed, 11 Sep 2019 09:43:17 +0100
+Subject: [PATCH 1/4] spapr/xive: Mask the EAS when allocating an IRQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laurent Vivier <lvivier@redhat.com>
+Message-id: <20190911094317.21266-1-lvivier@redhat.com>
+Patchwork-id: 90392
+O-Subject: [RHEL-AV-8.1.0 qemu-kvm PATCH] spapr/xive: Mask the EAS when allocating an IRQ
+Bugzilla: 1748725
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+
+From: Cédric Le Goater <clg@kaod.org>
+
+If an IRQ is allocated and not configured, such as a MSI requested by
+a PCI driver, it can be saved in its default state and possibly later
+on restored using the same state. If not initially MASKED, KVM will
+try to find a matching priority/target tuple for the interrupt and
+fail to restore the VM because 0/0 is not a valid target.
+
+When allocating a IRQ number, the EAS should be set to a sane default :
+VALID and MASKED.
+
+Reported-by: Satheesh Rajendran <sathnaga@linux.vnet.ibm.com>
+Signed-off-by: Cédric Le Goater <clg@kaod.org>
+Message-Id: <20190813164420.9829-1-clg@kaod.org>
+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
+(cherry picked from commit f55750e4e4fb35b6a12c81c485f16494e2c61ad2)
+Signed-off-by: Laurent Vivier <lvivier@redhat.com>
+
+BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1748725
+BRANCH: rhel-av-8.1.0/master-4.1.0
+UPSTREAM: merged
+BREW: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=23451934
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/intc/spapr_xive.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/intc/spapr_xive.c b/hw/intc/spapr_xive.c
+index 3ae311d..1f9c624 100644
+--- a/hw/intc/spapr_xive.c
+++ b/hw/intc/spapr_xive.c
+@@ -534,7 +534,10 @@ bool spapr_xive_irq_claim(SpaprXive *xive, uint32_t lisn, bool lsi)
+         return false;
+     }
+ 
+-    xive->eat[lisn].w |= cpu_to_be64(EAS_VALID);
+    /*
+     * Set default values when allocating an IRQ number
+     */
+    xive->eat[lisn].w |= cpu_to_be64(EAS_VALID | EAS_MASKED);
+     if (lsi) {
+         xive_source_irq_set_lsi(xsrc, lisn);
+     }
+-- 
+1.8.3.1
+
--- a/kvm-virtio-blk-Cancel-the-pending-BH-when-the-dataplane-.patch
+++ b/kvm-virtio-blk-Cancel-the-pending-BH-when-the-dataplane-.patch
@ -0,0 +1,92 @@
+From df7d91dda24b27c89ff8ce1b9cc72c7ed7350be2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Fri, 13 Sep 2019 14:16:25 +0100
+Subject: [PATCH 3/4] virtio-blk: Cancel the pending BH when the dataplane is
+ reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: <20190913141625.12521-2-philmd@redhat.com>
+Patchwork-id: 90453
+O-Subject: [RHEL-7.7.z qemu-kvm-rhev + RHEL-8.1.0 qemu-kvm + RHEL-AV-8.1.0 qemu-kvm PATCH v2 1/1] virtio-blk: Cancel the pending BH when the dataplane is reset
+Bugzilla: 1717321
+RH-Acked-by: John Snow <jsnow@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
+
+When 'system_reset' is called, the main loop clear the memory
+region cache before the BH has a chance to execute. Later when
+the deferred function is called, some assumptions that were
+made when scheduling them are no longer true when they actually
+execute.
+
+This is what happens using a virtio-blk device (fresh RHEL7.8 install):
+
+ $ (sleep 12.3; echo system_reset; sleep 12.3; echo system_reset; sleep 1; echo q) \
+   | qemu-system-x86_64 -m 4G -smp 8 -boot menu=on \
+     -device virtio-blk-pci,id=image1,drive=drive_image1 \
+     -drive file=/var/lib/libvirt/images/rhel78.qcow2,if=none,id=drive_image1,format=qcow2,cache=none \
+     -device virtio-net-pci,netdev=net0,id=nic0,mac=52:54:00:c4:e7:84 \
+     -netdev tap,id=net0,script=/bin/true,downscript=/bin/true,vhost=on \
+     -monitor stdio -serial null -nographic
+  (qemu) system_reset
+  (qemu) system_reset
+  (qemu) qemu-system-x86_64: hw/virtio/virtio.c:225: vring_get_region_caches: Assertion `caches != NULL' failed.
+  Aborted
+
+  (gdb) bt
+  Thread 1 (Thread 0x7f109c17b680 (LWP 10939)):
+  #0  0x00005604083296d1 in vring_get_region_caches (vq=0x56040a24bdd0) at hw/virtio/virtio.c:227
+  #1  0x000056040832972b in vring_avail_flags (vq=0x56040a24bdd0) at hw/virtio/virtio.c:235
+  #2  0x000056040832d13d in virtio_should_notify (vdev=0x56040a240630, vq=0x56040a24bdd0) at hw/virtio/virtio.c:1648
+  #3  0x000056040832d1f8 in virtio_notify_irqfd (vdev=0x56040a240630, vq=0x56040a24bdd0) at hw/virtio/virtio.c:1662
+  #4  0x00005604082d213d in notify_guest_bh (opaque=0x56040a243ec0) at hw/block/dataplane/virtio-blk.c:75
+  #5  0x000056040883dc35 in aio_bh_call (bh=0x56040a243f10) at util/async.c:90
+  #6  0x000056040883dccd in aio_bh_poll (ctx=0x560409161980) at util/async.c:118
+  #7  0x0000560408842af7 in aio_dispatch (ctx=0x560409161980) at util/aio-posix.c:460
+  #8  0x000056040883e068 in aio_ctx_dispatch (source=0x560409161980, callback=0x0, user_data=0x0) at util/async.c:261
+  #9  0x00007f10a8fca06d in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
+  #10 0x0000560408841445 in glib_pollfds_poll () at util/main-loop.c:215
+  #11 0x00005604088414bf in os_host_main_loop_wait (timeout=0) at util/main-loop.c:238
+  #12 0x00005604088415c4 in main_loop_wait (nonblocking=0) at util/main-loop.c:514
+  #13 0x0000560408416b1e in main_loop () at vl.c:1923
+  #14 0x000056040841e0e8 in main (argc=20, argv=0x7ffc2c3f9c58, envp=0x7ffc2c3f9d00) at vl.c:4578
+
+Fix this by cancelling the BH when the virtio dataplane is stopped.
+
+[This is version of the patch was modified as discussed with Philippe on
+the mailing list thread.
+--Stefan]
+
+Reported-by: Yihuang Yu <yihyu@redhat.com>
+Suggested-by: Stefan Hajnoczi <stefanha@redhat.com>
+Fixes: https://bugs.launchpad.net/qemu/+bug/1839428
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20190816171503.24761-1-philmd@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit ebb6ff25cd888a52a64a9adc3692541c6d1d9a42)
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/block/dataplane/virtio-blk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/block/dataplane/virtio-blk.c b/hw/block/dataplane/virtio-blk.c
+index 158c78f..5fea76d 100644
+--- a/hw/block/dataplane/virtio-blk.c
+++ b/hw/block/dataplane/virtio-blk.c
+@@ -297,6 +297,9 @@ void virtio_blk_data_plane_stop(VirtIODevice *vdev)
+         virtio_bus_cleanup_host_notifier(VIRTIO_BUS(qbus), i);
+     }
+ 
+    qemu_bh_cancel(s->bh);
+    notify_guest_bh(s); /* final chance to notify guest */
+
+     /* Clean up guest notifier (irq) */
+     k->set_guest_notifiers(qbus->parent, nvqs, false);
+ 
+-- 
+1.8.3.1
+
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -67,7 +67,7 @@ Obsoletes: %1-rhev
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 4.1.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -190,6 +190,14 @@ Patch53: kvm-migration-update-ram_counters-for-multifd-sync-packe.patch
 Patch54: kvm-spapr-pci-Consolidate-de-allocation-of-MSIs.patch
 # For bz#1750200 - [RHEL8.1][QEMU4.1]boot up guest with vf device,then system_reset guest,error prompt(qemu-kvm: Can't allocate MSIs for device 2800: IRQ 4904 is not free)
 Patch55: kvm-spapr-pci-Free-MSIs-during-reset.patch
+# For bz#1748725 - [ppc][migration][v6.3-rc1-p1ce8930]basic migration failed with "qemu-kvm: KVM_SET_DEVICE_ATTR failed: Group 3 attr 0x0000000000001309: Device or resource busy"
+Patch56: kvm-spapr-xive-Mask-the-EAS-when-allocating-an-IRQ.patch
+# For bz#1746267 - qemu coredump: qemu-kvm: block/create.c:68: qmp_blockdev_create: Assertion `drv' failed
+Patch57: kvm-block-create-Do-not-abort-if-a-block-driver-is-not-a.patch
+# For bz#1717321 - qemu-kvm core dumped when repeat "system_reset" multiple times during guest boot
+Patch58: kvm-virtio-blk-Cancel-the-pending-BH-when-the-dataplane-.patch
+# For bz#1749737 - CVE-2019-15890 qemu-kvm: QEMU: Slirp: use-after-free during packet reassembly [rhel-av-8]
+Patch59: kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch

 BuildRequires: wget
 BuildRequires: rpm-build
@ -1131,6 +1139,20 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \


 %changelog
+* Mon Sep 16 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.1.0-10.el8
+- kvm-spapr-xive-Mask-the-EAS-when-allocating-an-IRQ.patch [bz#1748725]
+- kvm-block-create-Do-not-abort-if-a-block-driver-is-not-a.patch [bz#1746267]
+- kvm-virtio-blk-Cancel-the-pending-BH-when-the-dataplane-.patch [bz#1717321]
+- kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch [bz#1749737]
+- Resolves: bz#1717321
+  (qemu-kvm core dumped when repeat "system_reset" multiple times during guest boot)
+- Resolves: bz#1746267
+  (qemu coredump: qemu-kvm: block/create.c:68: qmp_blockdev_create: Assertion `drv' failed)
+- Resolves: bz#1748725
+  ([ppc][migration][v6.3-rc1-p1ce8930]basic migration failed with "qemu-kvm: KVM_SET_DEVICE_ATTR failed: Group 3 attr 0x0000000000001309: Device or resource busy")
+- Resolves: bz#1749737
+  (CVE-2019-15890 qemu-kvm: QEMU: Slirp: use-after-free during packet reassembly [rhel-av-8])
+
 * Tue Sep 10 2019 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.1.0-9.el8
 - kvm-migration-always-initialise-ram_counters-for-a-new-m.patch [bz#1734316]
 - kvm-migration-add-qemu_file_update_transfer-interface.patch [bz#1734316]