rpms
/
qemu-kvm
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import qemu-kvm-4.2.0-48.module+el8.4.0+11909+3300d70f.3

This commit is contained in:
CentOS Sources 2021-08-10 08:04:33 -04:00 committed by Andrew Lukoshko
parent 37497531ab
commit a10ea90e86
21 changed files with 1417 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
SOURCES/kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch Normal file
View File

@ -0,0 +1,82 @@
From 6c2949cba8971971c89fb1e5db9e557dfcd156ef Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 21 Apr 2021 22:30:04 -0400
Subject: [PATCH 5/8] acpi: accept byte and word access to core ACPI registers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210421223006.19650-5-jmaloy@redhat.com>
Patchwork-id: 101482
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 4/6] acpi: accept byte and word access to core ACPI registers
Bugzilla: 1944621
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
From: Michael Tokarev <mjt@tls.msk.ru>
All ISA registers should be accessible as bytes, words or dwords
(if wide enough). Fix the access constraints for acpi-pm-evt,
acpi-pm-tmr & acpi-cnt registers.
Fixes: 5d971f9e67 (memory: Revert "memory: accept mismatching sizes in memory_region_access_valid")
Fixes: afafe4bbe0 (apci: switch cnt to memory api)
Fixes: 77d58b1e47 (apci: switch timer to memory api)
Fixes: b5a7c024d2 (apci: switch evt to memory api)
Buglink: https://lore.kernel.org/xen-devel/20200630170913.123646-1-anthony.perard@citrix.com/T/
Buglink: https://bugs.debian.org/964793
BugLink: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964247
BugLink: https://bugs.launchpad.net/bugs/1886318
Reported-By: Simon John <git@the-jedi.co.uk>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Message-Id: <20200720160627.15491-1-mjt@msgid.tls.msk.ru>
Cc: qemu-stable@nongnu.org
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit dba04c3488c4699f5afe96f66e448b1d447cf3fb)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/acpi/core.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/hw/acpi/core.c b/hw/acpi/core.c
index 45cbed49ab..d85052c34a 100644
--- a/hw/acpi/core.c
+++ b/hw/acpi/core.c
@@ -461,7 +461,8 @@ static void acpi_pm_evt_write(void *opaque, hwaddr addr, uint64_t val,
static const MemoryRegionOps acpi_pm_evt_ops = {
.read = acpi_pm_evt_read,
.write = acpi_pm_evt_write,
- .valid.min_access_size = 2,
+ .impl.min_access_size = 2,
+ .valid.min_access_size = 1,
.valid.max_access_size = 2,
.endianness = DEVICE_LITTLE_ENDIAN,
};
@@ -530,7 +531,8 @@ static void acpi_pm_tmr_write(void *opaque, hwaddr addr, uint64_t val,
static const MemoryRegionOps acpi_pm_tmr_ops = {
.read = acpi_pm_tmr_read,
.write = acpi_pm_tmr_write,
- .valid.min_access_size = 4,
+ .impl.min_access_size = 4,
+ .valid.min_access_size = 1,
.valid.max_access_size = 4,
.endianness = DEVICE_LITTLE_ENDIAN,
};
@@ -602,7 +604,8 @@ static void acpi_pm_cnt_write(void *opaque, hwaddr addr, uint64_t val,
static const MemoryRegionOps acpi_pm_cnt_ops = {
.read = acpi_pm_cnt_read,
.write = acpi_pm_cnt_write,
- .valid.min_access_size = 2,
+ .impl.min_access_size = 2,
+ .valid.min_access_size = 1,
.valid.max_access_size = 2,
.endianness = DEVICE_LITTLE_ENDIAN,
};
--
2.27.0

60
SOURCES/kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch Normal file
View File

@ -0,0 +1,60 @@
From 1cbb554a4057afd4d71c04757ef7fd1bbb7114ee Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:46 -0400
Subject: [PATCH 8/9] cadence_gem: switch to use qemu_receive_packet() for
loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-9-jmaloy@redhat.com>
Patchwork-id: 101793
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 8/9] cadence_gem: switch to use qemu_receive_packet() for loopback
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit e73adfbeec9d4e008630c814759052ed945c3fed)
Conflict: upstream commit 24d62fd5028e ("net: cadence_gem: Move tx/rx
packet buffert to CadenceGEMState") is missing in this version, so
we stick to using the original stack variable tx_packet in the calls.
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/cadence_gem.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
index b8be73dc55..be7c91123b 100644
--- a/hw/net/cadence_gem.c
+++ b/hw/net/cadence_gem.c
@@ -1225,8 +1225,8 @@ static void gem_transmit(CadenceGEMState *s)
/* Send the packet somewhere */
if (s->phy_loop || (s->regs[GEM_NWCTRL] &
GEM_NWCTRL_LOCALLOOP)) {
- gem_receive(qemu_get_queue(s->nic), tx_packet,
- total_bytes);
+ qemu_receive_packet(qemu_get_queue(s->nic), tx_packet,
+ total_bytes);
} else {
qemu_send_packet(qemu_get_queue(s->nic), tx_packet,
total_bytes);
--
2.27.0

53
SOURCES/kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch Normal file
View File

@ -0,0 +1,53 @@
From 4044e97e37188a9844cc6cd66d8b7819acccb27e Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:41 -0400
Subject: [PATCH 3/9] dp8393x: switch to use qemu_receive_packet() for loopback
packet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-4-jmaloy@redhat.com>
Patchwork-id: 101789
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 3/9] dp8393x: switch to use qemu_receive_packet() for loopback packet
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Jason Wang <jasowang@redhat.com>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 331d2ac9ea307c990dc86e6493e8f0c48d14bb33)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/dp8393x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
index 3d991af163..6d55b5de64 100644
--- a/hw/net/dp8393x.c
+++ b/hw/net/dp8393x.c
@@ -482,7 +482,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
if (nc->info->can_receive(nc)) {
s->loopback_packet = 1;
- nc->info->receive(nc, s->tx_buffer, tx_len);
+ qemu_receive_packet(nc, s->tx_buffer, tx_len);
}
} else {
/* Transmit packet */
--
2.27.0

52
SOURCES/kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch Normal file
View File

@ -0,0 +1,52 @@
From bf44928b2ac2cb8b9608209d5425533458fd2b8a Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:40 -0400
Subject: [PATCH 2/9] e1000: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-3-jmaloy@redhat.com>
Patchwork-id: 101784
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 2/9] e1000: switch to use qemu_receive_packet() for loopback
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Jason Wang <jasowang@redhat.com>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 1caff0340f49c93d535c6558a5138d20d475315c)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/e1000.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
index fc73fdd6fa..f6ae78748a 100644
--- a/hw/net/e1000.c
+++ b/hw/net/e1000.c
@@ -547,7 +547,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
NetClientState *nc = qemu_get_queue(s->nic);
if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}
--
2.27.0

80
SOURCES/kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch Normal file
View File

@ -0,0 +1,80 @@
From fd46dd1555e5955cf55b463ef126cf5cfac1d7ae Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Fri, 21 May 2021 23:04:32 -0400
Subject: [PATCH 8/8] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210521230432.585518-2-jmaloy@redhat.com>
Patchwork-id: 101625
O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
Bugzilla: 1952986
RH-Acked-by: Danilo de Paula <ddepaula@redhat.com>
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
From: Philippe Mathieu-Daudé <f4bug@amsat.org>
Per the ARM Generic Interrupt Controller Architecture specification
(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
not 10:
- 4.3 Distributor register descriptions
- 4.3.15 Software Generated Interrupt Register, GICD_SG
- Table 4-21 GICD_SGIR bit assignments
The Interrupt ID of the SGI to forward to the specified CPU
interfaces. The value of this field is the Interrupt ID, in
the range 0-15, for example a value of 0b0011 specifies
Interrupt ID 3.
Correct the irq mask to fix an undefined behavior (which eventually
lead to a heap-buffer-overflow, see [Buglink]):
$ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
[I 1612088147.116987] OPENED
[R +0.278293] writel 0x8000f00 0xff4affb0
../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
This fixes a security issue when running with KVM on Arm with
kernel-irqchip=off. (The default is kernel-irqchip=on, which is
unaffected, and which is also the correct choice for performance.)
Cc: qemu-stable@nongnu.org
Fixes: CVE-2021-20221
Fixes: 9ee6e8bb853 ("ARMv7 support.")
Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
Reported-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20210131103401.217160-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit edfe2eb4360cde4ed5d95bda7777edcb3510f76a)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/intc/arm_gic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
index 1d7da7baa2..df355f4d11 100644
--- a/hw/intc/arm_gic.c
+++ b/hw/intc/arm_gic.c
@@ -1455,7 +1455,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
int target_cpu;
cpu = gic_get_current_cpu(s);
- irq = value & 0x3ff;
+ irq = value & 0xf;
switch ((value >> 24) & 3) {
case 0:
mask = (value >> 16) & ALL_CPU_MASK;
--
2.27.0

53
SOURCES/kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch Normal file
View File

@ -0,0 +1,53 @@
From 0438b497def59f2101864d79a20e50b896ae1870 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:47 -0400
Subject: [PATCH 9/9] lan9118: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-10-jmaloy@redhat.com>
Patchwork-id: 101790
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 9/9] lan9118: switch to use qemu_receive_packet() for loopback
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 37cee01784ff0df13e5209517e1b3594a5e792d1)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/lan9118.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
index ed551f2178..7bb4633f0f 100644
--- a/hw/net/lan9118.c
+++ b/hw/net/lan9118.c
@@ -667,7 +667,7 @@ static void do_tx_packet(lan9118_state *s)
/* FIXME: Honor TX disable, and allow queueing of packets. */
if (s->phy_control & 0x4000) {
/* This assumes the receive routine doesn't touch the VLANClient. */
- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
} else {
qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
}
--
2.27.0

47
SOURCES/kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch Normal file
View File

@ -0,0 +1,47 @@
From 17813233c9bb5c93c7f3c7fc350641f8e76e769c Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 21 Apr 2021 22:30:02 -0400
Subject: [PATCH 3/8] libqos: pci-pc: use 32-bit write for EJ register
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210421223006.19650-3-jmaloy@redhat.com>
Patchwork-id: 101484
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 2/6] libqos: pci-pc: use 32-bit write for EJ register
Bugzilla: 1944621
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
The memory region ops have min_access_size == 4 so obey it.
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 4b7c06837ae0b1ff56473202a42e7e386f53d6db)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
tests/libqos/pci-pc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/libqos/pci-pc.c b/tests/libqos/pci-pc.c
index 0bc591d1da..3bb2eb3ba8 100644
--- a/tests/libqos/pci-pc.c
+++ b/tests/libqos/pci-pc.c
@@ -186,7 +186,7 @@ void qpci_unplug_acpi_device_test(QTestState *qts, const char *id, uint8_t slot)
g_assert(!qdict_haskey(response, "error"));
qobject_unref(response);
- qtest_outb(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
+ qtest_outl(qts, ACPI_PCIHP_ADDR + PCI_EJ_BASE, 1 << slot);
qtest_qmp_eventwait(qts, "DEVICE_DELETED");
}
--
2.27.0

48
SOURCES/kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch Normal file
View File

@ -0,0 +1,48 @@
From 9c10bd2a3cd83c06add41e61a970da304fb0d3bf Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 21 Apr 2021 22:30:01 -0400
Subject: [PATCH 2/8] libqos: usb-hcd-ehci: use 32-bit write for config
register
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210421223006.19650-2-jmaloy@redhat.com>
Patchwork-id: 101478
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 1/6] libqos: usb-hcd-ehci: use 32-bit write for config register
Bugzilla: 1944621
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
From: Paolo Bonzini <pbonzini@redhat.com>
The memory region ops have min_access_size == 4 so obey it.
Tested-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 89ed83d8b23c11d250c290593cad3ca839d5b053)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
tests/usb-hcd-ehci-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/usb-hcd-ehci-test.c b/tests/usb-hcd-ehci-test.c
index 5251d539e9..c51e8bb223 100644
--- a/tests/usb-hcd-ehci-test.c
+++ b/tests/usb-hcd-ehci-test.c
@@ -96,7 +96,7 @@ static void pci_ehci_port_1(void)
static void pci_ehci_config(void)
{
/* hands over all ports from companion uhci to ehci */
- qpci_io_writew(ehci1.dev, ehci1.bar, 0x60, 1);
+ qpci_io_writel(ehci1.dev, ehci1.bar, 0x60, 1);
}
static void pci_uhci_port_2(void)
--
2.27.0

104
SOURCES/kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch Normal file
View File

@ -0,0 +1,104 @@
From e4010373c72eab2342d2ba7f10c1ddf43dc618c8 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 21 Apr 2021 22:30:03 -0400
Subject: [PATCH 4/8] memory: Revert "memory: accept mismatching sizes in
memory_region_access_valid"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210421223006.19650-4-jmaloy@redhat.com>
Patchwork-id: 101480
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 3/6] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"
Bugzilla: 1944621
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
From: "Michael S. Tsirkin" <mst@redhat.com>
Memory API documentation documents valid .min_access_size and .max_access_size
fields and explains that any access outside these boundaries is blocked.
This is what devices seem to assume.
However this is not what the implementation does: it simply
ignores the boundaries unless there's an "accepts" callback.
Naturally, this breaks a bunch of devices.
Revert to the documented behaviour.
Devices that want to allow any access can just drop the valid field,
or add the impl field to have accesses converted to appropriate
length.
Cc: qemu-stable@nongnu.org
Reviewed-by: Richard Henderson <rth@twiddle.net>
Fixes: CVE-2020-13754
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1842363
Fixes: a014ed07bd5a ("memory: accept mismatching sizes in memory_region_access_valid")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20200610134731.1514409-1-mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 5d971f9e672507210e77d020d89e0e89165c8fc9)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
memory.c | 29 +++++++++--------------------
1 file changed, 9 insertions(+), 20 deletions(-)
diff --git a/memory.c b/memory.c
index 5a4a80842d..0cfcb72a5a 100644
--- a/memory.c
+++ b/memory.c
@@ -1351,35 +1351,24 @@ bool memory_region_access_valid(MemoryRegion *mr,
bool is_write,
MemTxAttrs attrs)
{
- int access_size_min, access_size_max;
- int access_size, i;
-
- if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+ if (mr->ops->valid.accepts
+ && !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
return false;
}
- if (!mr->ops->valid.accepts) {
- return true;
- }
-
- access_size_min = mr->ops->valid.min_access_size;
- if (!mr->ops->valid.min_access_size) {
- access_size_min = 1;
+ if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+ return false;
}
- access_size_max = mr->ops->valid.max_access_size;
+ /* Treat zero as compatibility all valid */
if (!mr->ops->valid.max_access_size) {
- access_size_max = 4;
+ return true;
}
- access_size = MAX(MIN(size, access_size_max), access_size_min);
- for (i = 0; i < size; i += access_size) {
- if (!mr->ops->valid.accepts(mr->opaque, addr + i, access_size,
- is_write, attrs)) {
- return false;
- }
+ if (size > mr->ops->valid.max_access_size
+ || size < mr->ops->valid.min_access_size) {
+ return false;
}
-
return true;
}
--
2.27.0

187
SOURCES/kvm-net-introduce-qemu_receive_packet.patch Normal file
View File

@ -0,0 +1,187 @@
From ee23b82cc9174c96ea73252e2986cf822999494b Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:39 -0400
Subject: [PATCH 1/9] net: introduce qemu_receive_packet()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-2-jmaloy@redhat.com>
Patchwork-id: 101785
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 1/9] net: introduce qemu_receive_packet()
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Jason Wang <jasowang@redhat.com>
Some NIC supports loopback mode and this is done by calling
nc->info->receive() directly which in fact suppresses the effort of
reentrancy check that is done in qemu_net_queue_send().
Unfortunately we can't use qemu_net_queue_send() here since for
loopback there's no sender as peer, so this patch introduce a
qemu_receive_packet() which is used for implementing loopback mode
for a NIC with this check.
NIC that supports loopback mode will be converted to this helper.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 705df5466c98f3efdd2b68d3b31dad86858acad7)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
include/net/net.h | 5 +++++
include/net/queue.h | 8 ++++++++
net/net.c | 38 +++++++++++++++++++++++++++++++-------
net/queue.c | 22 ++++++++++++++++++++++
4 files changed, 66 insertions(+), 7 deletions(-)
diff --git a/include/net/net.h b/include/net/net.h
index e175ba9677..1b32a8aaec 100644
--- a/include/net/net.h
+++ b/include/net/net.h
@@ -142,12 +142,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
void qemu_del_net_client(NetClientState *nc);
typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
+int qemu_can_receive_packet(NetClientState *nc);
int qemu_can_send_packet(NetClientState *nc);
ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
int iovcnt);
ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
int iovcnt, NetPacketSent *sent_cb);
ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
+ssize_t qemu_receive_packet_iov(NetClientState *nc,
+ const struct iovec *iov,
+ int iovcnt);
ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
int size, NetPacketSent *sent_cb);
diff --git a/include/net/queue.h b/include/net/queue.h
index c0269bb1dc..9f2f289d77 100644
--- a/include/net/queue.h
+++ b/include/net/queue.h
@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
void qemu_del_net_queue(NetQueue *queue);
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+ const uint8_t *data,
+ size_t size);
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+ const struct iovec *iov,
+ int iovcnt);
+
ssize_t qemu_net_queue_send(NetQueue *queue,
NetClientState *sender,
unsigned flags,
diff --git a/net/net.c b/net/net.c
index 84aa6d8d00..d0b651ca95 100644
--- a/net/net.c
+++ b/net/net.c
@@ -516,6 +516,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
#endif
}
+int qemu_can_receive_packet(NetClientState *nc)
+{
+ if (nc->receive_disabled) {
+ return 0;
+ } else if (nc->info->can_receive &&
+ !nc->info->can_receive(nc)) {
+ return 0;
+ }
+ return 1;
+}
+
int qemu_can_send_packet(NetClientState *sender)
{
int vm_running = runstate_is_running();
@@ -528,13 +539,7 @@ int qemu_can_send_packet(NetClientState *sender)
return 1;
}
- if (sender->peer->receive_disabled) {
- return 0;
- } else if (sender->peer->info->can_receive &&
- !sender->peer->info->can_receive(sender->peer)) {
- return 0;
- }
- return 1;
+ return qemu_can_receive_packet(sender->peer);
}
static ssize_t filter_receive_iov(NetClientState *nc,
@@ -667,6 +672,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
return qemu_send_packet_async(nc, buf, size, NULL);
}
+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
+{
+ if (!qemu_can_receive_packet(nc)) {
+ return 0;
+ }
+
+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
+}
+
+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
+ int iovcnt)
+{
+ if (!qemu_can_receive_packet(nc)) {
+ return 0;
+ }
+
+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
+}
+
ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
{
return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
diff --git a/net/queue.c b/net/queue.c
index 61276ca4be..7c0b72c8ef 100644
--- a/net/queue.c
+++ b/net/queue.c
@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
return ret;
}
+ssize_t qemu_net_queue_receive(NetQueue *queue,
+ const uint8_t *data,
+ size_t size)
+{
+ if (queue->delivering) {
+ return 0;
+ }
+
+ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
+}
+
+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
+ const struct iovec *iov,
+ int iovcnt)
+{
+ if (queue->delivering) {
+ return 0;
+ }
+
+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
+}
+
ssize_t qemu_net_queue_send(NetQueue *queue,
NetClientState *sender,
unsigned flags,
--
2.27.0

62
SOURCES/kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch Normal file
View File

@ -0,0 +1,62 @@
From 04c233dd15e3b5bc842af371c3433eb723ffb6e6 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 23 Mar 2021 22:11:13 -0400
Subject: [PATCH 1/8] net: remove an assert call in eth_get_gso_type
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210323221113.1893864-2-jmaloy@redhat.com>
Patchwork-id: 101364
O-Subject: [RHEL-8.4.0 qemu-kvm PATCH 1/1] net: remove an assert call in eth_get_gso_type
Bugzilla: 1939494
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Xiao Wang <jasowang@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Prasad J Pandit <pjp@fedoraproject.org>
eth_get_gso_type() routine returns segmentation offload type based on
L3 protocol type. It calls g_assert_not_reached if L3 protocol is
unknown, making the following return statement unreachable. Remove the
g_assert call, it maybe triggered by a guest user.
Reported-by: Gaoning Pan <pgn@zju.edu.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 7564bf7701f00214cdc8a678a9f7df765244def1)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
net/eth.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/eth.c b/net/eth.c
index 0c1d413ee2..1e0821c5f8 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -16,6 +16,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/log.h"
#include "net/eth.h"
#include "net/checksum.h"
#include "net/tap.h"
@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
}
}
-
- /* Unsupported offload */
- g_assert_not_reached();
+ qemu_log_mask(LOG_UNIMP, "%s: probably not GSO frame, "
+ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
}
--
2.27.0

46
SOURCES/kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch Normal file
View File

@ -0,0 +1,46 @@
From 3d7ff6c57357e1fb8453b26200cfd239e9cdaa72 Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Thu, 24 Jun 2021 14:50:46 -0400
Subject: [PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is
reached
RH-Author: Thomas Huth <thuth@redhat.com>
Message-id: <20210624145047.483112-3-thuth@redhat.com>
Patchwork-id: 101762
O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 2/3] pc-bios/s390-ccw: break loop if a null block number is reached
Bugzilla: 1975679
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
Break the loop if `cur_block_nr` is a null block number because this
means that the end of chunk is reached. In this case we will try to
boot the default entry.
Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
Reviewed-by: Collin Walling <walling@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Message-Id: <20200924085926.21709-3-mhartmay@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 468184ec9024f4f7b55247f70ec57554e8a500d7)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
pc-bios/s390-ccw/bootmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index bb6e003270..624f524331 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -192,7 +192,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
for (i = 0; i < STAGE2_BLK_CNT_MAX; i++) {
cur_block_nr = eckd_block_num(&s1b->seek[i].chs);
- if (!cur_block_nr) {
+ if (!cur_block_nr || is_null_block_number(cur_block_nr)) {
break;
}
--
2.27.0

44
SOURCES/kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch Normal file
View File

@ -0,0 +1,44 @@
From c3f15d52ad265bba0b21453d2d8b69f597092c25 Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Thu, 24 Jun 2021 14:50:47 -0400
Subject: [PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end
of chunk is reached
RH-Author: Thomas Huth <thuth@redhat.com>
Message-id: <20210624145047.483112-4-thuth@redhat.com>
Patchwork-id: 101763
O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 3/3] pc-bios/s390-ccw: don't try to read the next block if end of chunk is reached
Bugzilla: 1975679
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
Don't read the block if a null block number is reached, because this means that
the end of chunk is reached.
Reviewed-by: Collin Walling <walling@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Message-Id: <20210416074736.17409-1-mhartmay@linux.ibm.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit a6625d38cce3901a7c1cba069f0abcf743a293f1)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
pc-bios/s390-ccw/bootmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index 624f524331..8458b15cb6 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -212,7 +212,7 @@ static int eckd_get_boot_menu_index(block_number_t s1b_block_nr)
next_block_nr = eckd_block_num(&s1b->seek[i + 1].chs);
}
- if (next_block_nr) {
+ if (next_block_nr && !is_null_block_number(next_block_nr)) {
read_block(next_block_nr, s2_next_blk,
"Cannot read stage2 boot loader");
}
--
2.27.0

47
SOURCES/kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch Normal file
View File

@ -0,0 +1,47 @@
From 93ddbd8ba056141dd68d973d534b67dad9882052 Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Thu, 24 Jun 2021 14:50:45 -0400
Subject: [PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error
RH-Author: Thomas Huth <thuth@redhat.com>
Message-id: <20210624145047.483112-2-thuth@redhat.com>
Patchwork-id: 101764
O-Subject: [RHEL-8.2.0.z / RHEL-8.4.0.z qemu-kvm PATCH 1/3] pc-bios/s390-ccw: fix off-by-one error
Bugzilla: 1975679
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Jon Maloy <jmaloy@redhat.com>
RH-Acked-by: Cornelia Huck <cohuck@redhat.com>
This error takes effect when the magic value "zIPL" is located at the
end of a block. For example if s2_cur_blk = 0x7fe18000 and the magic
value "zIPL" is located at 0x7fe18ffc - 0x7fe18fff.
Fixes: ba831b25262a ("s390-ccw: read stage2 boot loader data to find menu")
Reviewed-by: Collin Walling <walling@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Message-Id: <20200924085926.21709-2-mhartmay@linux.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
[thuth: Use "<= ... - 4" instead of "< ... - 3"]
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 5f97ba0c74ccace0a4014460de9751ff3c6f454a)
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
pc-bios/s390-ccw/bootmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index e91ea719ff..bb6e003270 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -163,7 +163,7 @@ static bool find_zipl_boot_menu_banner(int *offset)
int i;
/* Menu banner starts with "zIPL" */
- for (i = 0; i < virtio_get_block_size() - 4; i++) {
+ for (i = 0; i <= virtio_get_block_size() - 4; i++) {
if (magic_match(s2_cur_blk + i, ZIPL_MAGIC_EBCDIC)) {
*offset = i;
return true;
--
2.27.0

54
SOURCES/kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch Normal file
View File

@ -0,0 +1,54 @@
From 3427c5573a7ab788e0c39e30b4d0ed5db85f03b3 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:45 -0400
Subject: [PATCH 7/9] pcnet: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-8-jmaloy@redhat.com>
Patchwork-id: 101791
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 7/9] pcnet: switch to use qemu_receive_packet() for loopback
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/pcnet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index f3f18d8598..dcd3fc4948 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1250,7 +1250,7 @@ txagain:
if (BCR_SWSTYLE(s) == 1)
add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
s->looptest = 0;
} else {
if (s->nic) {
--
2.27.0

54
SOURCES/kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch Normal file
View File

@ -0,0 +1,54 @@
From e0b83063b76725878c466f1b8918c61864cfd0c2 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:44 -0400
Subject: [PATCH 6/9] rtl8139: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-7-jmaloy@redhat.com>
Patchwork-id: 101792
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 6/9] rtl8139: switch to use qemu_receive_packet() for loopback
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Alexander Bulekov <alxndr@bu.edu>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 5311fb805a4403bba024e83886fa0e7572265de4)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 21d80e96cf..ccb04faa4c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -1793,7 +1793,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
}
DPRINTF("+++ transmit loopback mode\n");
- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
if (iov) {
g_free(buf2);
--
2.27.0

84
SOURCES/kvm-softmmu-memory-Log-invalid-memory-accesses.patch Normal file
View File

@ -0,0 +1,84 @@
From 251adb595eb7e39e9368cb7ed07f9a4c42d28d2c Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 21 Apr 2021 22:30:06 -0400
Subject: [PATCH 7/8] softmmu/memory: Log invalid memory accesses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210421223006.19650-7-jmaloy@redhat.com>
Patchwork-id: 101481
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 6/6] softmmu/memory: Log invalid memory accesses
Bugzilla: 1944621
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
From: Philippe Mathieu-Daudé <philmd@redhat.com>
Log invalid memory accesses with as GUEST_ERROR.
This is particularly useful since commit 5d971f9e67 which reverted
("memory: accept mismatching sizes in memory_region_access_valid").
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20201005152725.2143444-1-philmd@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 21786c7e59847b1612406ff394958f22e5b323f8)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
memory.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/memory.c b/memory.c
index 0cfcb72a5a..660df8159a 100644
--- a/memory.c
+++ b/memory.c
@@ -14,6 +14,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/log.h"
#include "qapi/error.h"
#include "cpu.h"
#include "exec/memory.h"
@@ -1353,10 +1354,18 @@ bool memory_region_access_valid(MemoryRegion *mr,
{
if (mr->ops->valid.accepts
&& !mr->ops->valid.accepts(mr->opaque, addr, size, is_write, attrs)) {
+ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
+ "0x%" HWADDR_PRIX ", size %u, "
+ "region '%s', reason: rejected\n",
+ addr, size, memory_region_name(mr));
return false;
}
if (!mr->ops->valid.unaligned && (addr & (size - 1))) {
+ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
+ "0x%" HWADDR_PRIX ", size %u, "
+ "region '%s', reason: unaligned\n",
+ addr, size, memory_region_name(mr));
return false;
}
@@ -1367,6 +1376,13 @@ bool memory_region_access_valid(MemoryRegion *mr,
if (size > mr->ops->valid.max_access_size
|| size < mr->ops->valid.min_access_size) {
+ qemu_log_mask(LOG_GUEST_ERROR, "Invalid access at addr "
+ "0x%" HWADDR_PRIX ", size %u, "
+ "region '%s', reason: invalid size "
+ "(min:%u max:%u)\n",
+ addr, size, memory_region_name(mr),
+ mr->ops->valid.min_access_size,
+ mr->ops->valid.max_access_size);
return false;
}
return true;
--
2.27.0

54
SOURCES/kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch Normal file
View File

@ -0,0 +1,54 @@
From 1a56df13e6a033548b22489d3b148009c8f80718 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:42 -0400
Subject: [PATCH 4/9] sungem: switch to use qemu_receive_packet() for loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-5-jmaloy@redhat.com>
Patchwork-id: 101786
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 4/9] sungem: switch to use qemu_receive_packet() for loopback
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Jason Wang <jasowang@redhat.com>
This patch switches to use qemu_receive_packet() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 8c92060d3c0248bd4d515719a35922cd2391b9b4)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/sungem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/sungem.c b/hw/net/sungem.c
index f31d41ac5b..8b202b5c15 100644
--- a/hw/net/sungem.c
+++ b/hw/net/sungem.c
@@ -305,7 +305,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
NetClientState *nc = qemu_get_queue(s->nic);
if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
- nc->info->receive(nc, buf, size);
+ qemu_receive_packet(nc, buf, size);
} else {
qemu_send_packet(nc, buf, size);
}
--
2.27.0

53
SOURCES/kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch Normal file
View File

@ -0,0 +1,53 @@
From 199915a03857c1e4e0a6ac90a46496b1a8abd702 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 29 Jun 2021 03:42:43 -0400
Subject: [PATCH 5/9] tx_pkt: switch to use qemu_receive_packet_iov() for
loopback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210629034247.3286477-6-jmaloy@redhat.com>
Patchwork-id: 101788
O-Subject: [RHEL-8.4.0.z qemu-kvm PATCH v2 5/9] tx_pkt: switch to use qemu_receive_packet_iov() for loopback
Bugzilla: 1932917
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
From: Jason Wang <jasowang@redhat.com>
This patch switches to use qemu_receive_receive_iov() which can detect
reentrancy and return early.
This is intended to address CVE-2021-3416.
Cc: Prasad J Pandit <ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 8c552542b81e56ff532dd27ec6e5328954bdda73)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/net/net_tx_pkt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
index 54d4c3bbd0..646cdfaf4d 100644
--- a/hw/net/net_tx_pkt.c
+++ b/hw/net/net_tx_pkt.c
@@ -544,7 +544,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
NetClientState *nc, const struct iovec *iov, int iov_cnt)
{
if (pkt->is_loopback) {
- nc->info->receive_iov(nc, iov, iov_cnt);
+ qemu_receive_packet_iov(nc, iov, iov_cnt);
} else {
qemu_sendv_packet(nc, iov, iov_cnt);
}
--
2.27.0

76
SOURCES/kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch Normal file
View File

@ -0,0 +1,76 @@
From 33e907b7be4636a726d40a3d68cab24574bc597a Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Wed, 21 Apr 2021 22:30:05 -0400
Subject: [PATCH 6/8] xhci: fix valid.max_access_size to access address
registers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
Message-id: <20210421223006.19650-6-jmaloy@redhat.com>
Patchwork-id: 101483
O-Subject: [RHEL-8.5.0 qemu-kvm PATCH v2 5/6] xhci: fix valid.max_access_size to access address registers
Bugzilla: 1944621
RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
From: Laurent Vivier <lvivier@redhat.com>
QEMU XHCI advertises AC64 (64-bit addressing) but doesn't allow
64-bit mode access in "runtime" and "operational" MemoryRegionOps.
Set the max_access_size based on sizeof(dma_addr_t) as AC64 is set.
XHCI specs:
"If the xHC supports 64-bit addressing (AC64 = 1), then software
should write 64-bit registers using only Qword accesses. If a
system is incapable of issuing Qword accesses, then writes to the
64-bit address fields shall be performed using 2 Dword accesses;
low Dword-first, high-Dword second. If the xHC supports 32-bit
addressing (AC64 = 0), then the high Dword of registers containing
64-bit address fields are unused and software should write addresses
using only Dword accesses"
The problem has been detected with SLOF, as linux kernel always accesses
registers using 32-bit access even if AC64 is set and revealed by
5d971f9e6725 ("memory: Revert "memory: accept mismatching sizes in memory_region_access_valid"")
Suggested-by: Alexey Kardashevskiy <aik@au1.ibm.com>
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Message-id: 20200721083322.90651-1-lvivier@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 8e67fda2dd6202ccec093fda561107ba14830a17)
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/usb/hcd-xhci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 646c78cde9..ab449bb003 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3183,7 +3183,7 @@ static const MemoryRegionOps xhci_oper_ops = {
.read = xhci_oper_read,
.write = xhci_oper_write,
.valid.min_access_size = 4,
- .valid.max_access_size = 4,
+ .valid.max_access_size = sizeof(dma_addr_t),
.endianness = DEVICE_LITTLE_ENDIAN,
};
@@ -3199,7 +3199,7 @@ static const MemoryRegionOps xhci_runtime_ops = {
.read = xhci_runtime_read,
.write = xhci_runtime_write,
.valid.min_access_size = 4,
- .valid.max_access_size = 4,
+ .valid.max_access_size = sizeof(dma_addr_t),
.endianness = DEVICE_LITTLE_ENDIAN,
};
--
2.27.0

78
SPECS/qemu-kvm.spec
View File

@ -67,7 +67,7 @@ Obsoletes: %1-rhev
Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm
Version: 4.2.0
Release: 48%{?dist}
Release: 48%{?dist}.3
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY
@ -1130,6 +1130,46 @@ Patch489: kvm-x86-cpu-Populate-SVM-CPUID-feature-bits.patch
Patch490: kvm-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch
# For bz#1917451 - CVE-2020-29443 virt:rhel/qemu-kvm: QEMU: ide: atapi: OOB access while processing read commands [rhel-8.4.0]
Patch491: kvm-ide-atapi-check-logical-block-address-and-read-size-.patch
# For bz#1939494 - CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.4.0.z]
Patch492: kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch
# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
Patch493: kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch
# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
Patch494: kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch
# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
Patch495: kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch
# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
Patch496: kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch
# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
Patch497: kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch
# For bz#1944621 - CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z]
Patch498: kvm-softmmu-memory-Log-invalid-memory-accesses.patch
# For bz#1952986 - CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.4.0.z]
Patch499: kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch
# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z]
Patch500: kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch
# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z]
Patch501: kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch
# For bz#1975679 - RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z]
Patch502: kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch503: kvm-net-introduce-qemu_receive_packet.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch504: kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch505: kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch506: kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch507: kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch508: kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch509: kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch510: kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch
# For bz#1932917 - CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z]
Patch511: kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch
BuildRequires: wget
BuildRequires: rpm-build
@ -2078,6 +2118,42 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Wed Jul 21 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8_4.3
- kvm-net-introduce-qemu_receive_packet.patch [bz#1932917]
- kvm-e1000-switch-to-use-qemu_receive_packet-for-loopback.patch [bz#1932917]
- kvm-dp8393x-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917]
- kvm-sungem-switch-to-use-qemu_receive_packet-for-loopbac.patch [bz#1932917]
- kvm-tx_pkt-switch-to-use-qemu_receive_packet_iov-for-loo.patch [bz#1932917]
- kvm-rtl8139-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917]
- kvm-pcnet-switch-to-use-qemu_receive_packet-for-loopback.patch [bz#1932917]
- kvm-cadence_gem-switch-to-use-qemu_receive_packet-for-lo.patch [bz#1932917]
- kvm-lan9118-switch-to-use-qemu_receive_packet-for-loopba.patch [bz#1932917]
- Resolves: bz#1932917
(CVE-2021-3416 virt:rhel/qemu-kvm: QEMU: net: infinite loop in loopback mode may lead to stack overflow [rhel-8.4.z])
* Tue Jul 06 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8_4.2
- kvm-pc-bios-s390-ccw-fix-off-by-one-error.patch [bz#1975679]
- kvm-pc-bios-s390-ccw-break-loop-if-a-null-block-number-i.patch [bz#1975679]
- kvm-pc-bios-s390-ccw-don-t-try-to-read-the-next-block-if.patch [bz#1975679]
- Resolves: bz#1975679
(RHEL8.4 Nightly[0322] - KVM guest fails to find zipl boot menu index (qemu-kvm) [rhel-8.4.0.z])
* Thu Jun 03 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8_4
- kvm-net-remove-an-assert-call-in-eth_get_gso_type.patch [bz#1939494]
- kvm-libqos-usb-hcd-ehci-use-32-bit-write-for-config-regi.patch [bz#1944621]
- kvm-libqos-pci-pc-use-32-bit-write-for-EJ-register.patch [bz#1944621]
- kvm-memory-Revert-memory-accept-mismatching-sizes-in-mem.patch [bz#1944621]
- kvm-acpi-accept-byte-and-word-access-to-core-ACPI-regist.patch [bz#1944621]
- kvm-xhci-fix-valid.max_access_size-to-access-address-reg.patch [bz#1944621]
- kvm-softmmu-memory-Log-invalid-memory-accesses.patch [bz#1944621]
- kvm-hw-intc-arm_gic-Fix-interrupt-ID-in-GICD_SGIR-regist.patch [bz#1952986]
- Resolves: bz#1939494
(CVE-2020-27617 virt:rhel/qemu-kvm: QEMU: net: an assert failure via eth_get_gso_type [rhel-8.4.0.z])
- Resolves: bz#1944621
(CVE-2020-13754 virt:rhel/qemu-kvm: QEMU: msix: OOB access during mmio operations may lead to DoS [rhel-8.4.0.z])
- Resolves: bz#1952986
(CVE-2021-20221 virt:rhel/qemu-kvm: qemu: out-of-bound heap buffer access via an interrupt ID field [rhel-8.4.0.z])
* Tue Mar 16 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 4.2.0-48.el8
- kvm-ide-atapi-check-logical-block-address-and-read-size-.patch [bz#1917451]
- Resolves: bz#1917451