Synchronization with qemu-kvm-5.2.0-4.el8

- Not required specific SLOF version
2021-02-02 13:27:53 +01:00 · 2021-02-02 13:27:53 +01:00 · e6d35e8f4a
commit e6d35e8f4a
parent b5941f2b18
2 changed files with 59 additions and 2 deletions
--- a/0054-Drop-bogus-IPv6-messages.patch
+++ b/0054-Drop-bogus-IPv6-messages.patch
@ -0,0 +1,51 @@
+From 1b118c53c70d9fa4ba3dcdf172039d29335bed73 Mon Sep 17 00:00:00 2001
+From: Jon Maloy <jmaloy@redhat.com>
+Date: Wed, 20 Jan 2021 00:13:11 -0500
+Subject: Drop bogus IPv6 messages
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Jon Maloy <jmaloy@redhat.com>
+Message-id: <20210120001311.1356511-2-jmaloy@redhat.com>
+Patchwork-id: 100699
+O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 1/1] Drop bogus IPv6 messages
+Bugzilla: 1918061
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Stefano Garzarella <sgarzare@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+
+From: Ralf Haferkamp <rhafer@suse.com>
+
+Drop IPv6 message shorter than what's mentioned in the payload
+length header (+ the size of the IPv6 header). They're invalid an could
+lead to data leakage in icmp6_send_echoreply().
+
+(cherry picked from libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0)
+Signed-off-by: Jon Maloy <jmaloy@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ slirp/src/ip6_input.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c
+index a83e4f8e3d..f7ef354ee4 100644
+--- a/slirp/src/ip6_input.c
+++ b/slirp/src/ip6_input.c
+@@ -56,6 +56,13 @@ void ip6_input(struct mbuf *m)
+         goto bad;
+     }
+ 
+    // Check if the message size is big enough to hold what's
+    // set in the payload length header. If not this is an invalid
+    // packet
+    if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) {
+        goto bad;
+    }
+
+     /* check ip_ttl for a correct ICMP reply */
+     if (ip6->ip_hl == 0) {
+         icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS);
+-- 
+2.18.4
+
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@ -64,7 +64,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 5.2.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@ -144,6 +144,7 @@ Patch0048: 0048-memory-Skip-bad-range-assertion-if-notifier-is-DEVIO.patch
 Patch0049: 0049-RHEL-Switch-pvpanic-test-to-q35.patch
 Patch0050: 0050-8.4-x86-machine-type.patch
 Patch0051: 0051-memory-clamp-cached-translation-in-case-it-points-to.patch
+Patch0054: 0054-Drop-bogus-IPv6-messages.patch

 BuildRequires: wget
 BuildRequires: rpm-build
@ -281,7 +282,7 @@ Requires: edk2-aarch64
 %endif

 %ifarch %{power64}
-Requires: SLOF >= %{SLOF_gittagdate}-1.git%{SLOF_gittagcommit}
+Requires: SLOF
 %endif
 Requires: libseccomp >= 2.4.0
 # For compressed guest memory dumps
@ -1324,6 +1325,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :


 %changelog
+* Wed Jan 27 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.2.0-4.el8
+- kvm-Drop-bogus-IPv6-messages.patch [bz#1918061]
+- Resolves: bz#1918061
+  (CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8])
+
 * Mon Jan 18 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.2.0-3.el8
 - kvm-block-nvme-Implement-fake-truncate-coroutine.patch [bz#1848834]
 - kvm-spec-find-system-python-via-meson.patch [bz#1899619]