From e6d35e8f4a92e4ec0a3a4b4de372962206053e59 Mon Sep 17 00:00:00 2001 From: Miroslav Rezanina Date: Tue, 2 Feb 2021 13:27:53 +0100 Subject: [PATCH] Synchronization with qemu-kvm-5.2.0-4.el8 - Not required specific SLOF version --- 0054-Drop-bogus-IPv6-messages.patch | 51 +++++++++++++++++++++++++++++ qemu-kvm.spec | 10 ++++-- 2 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 0054-Drop-bogus-IPv6-messages.patch diff --git a/0054-Drop-bogus-IPv6-messages.patch b/0054-Drop-bogus-IPv6-messages.patch new file mode 100644 index 0000000..1ba8fd9 --- /dev/null +++ b/0054-Drop-bogus-IPv6-messages.patch 
@@ -0,0 +1,51 @@ +From 1b118c53c70d9fa4ba3dcdf172039d29335bed73 Mon Sep 17 00:00:00 2001 +From: Jon Maloy +Date: Wed, 20 Jan 2021 00:13:11 -0500 +Subject: Drop bogus IPv6 messages +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Jon Maloy +Message-id: <20210120001311.1356511-2-jmaloy@redhat.com> +Patchwork-id: 100699 +O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 1/1] Drop bogus IPv6 messages +Bugzilla: 1918061 +RH-Acked-by: Philippe Mathieu-Daudé +RH-Acked-by: Stefano Garzarella +RH-Acked-by: Thomas Huth + +From: Ralf Haferkamp + +Drop IPv6 message shorter than what's mentioned in the payload +length header (+ the size of the IPv6 header). They're invalid an could +lead to data leakage in icmp6_send_echoreply(). + +(cherry picked from libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0) +Signed-off-by: Jon Maloy +Signed-off-by: Danilo C. L. de Paula +--- + slirp/src/ip6_input.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/slirp/src/ip6_input.c b/slirp/src/ip6_input.c +index a83e4f8e3d..f7ef354ee4 100644 +--- a/slirp/src/ip6_input.c ++++ b/slirp/src/ip6_input.c +@@ -56,6 +56,13 @@ void ip6_input(struct mbuf *m) + goto bad; + } + ++ // Check if the message size is big enough to hold what's ++ // set in the payload length header. If not this is an invalid ++ // packet ++ if (m->m_len < ntohs(ip6->ip_pl) + sizeof(struct ip6)) { ++ goto bad; ++ } ++ + /* check ip_ttl for a correct ICMP reply */ + if (ip6->ip_hl == 0) { + icmp6_send_error(m, ICMP6_TIMXCEED, ICMP6_TIMXCEED_INTRANS); +-- +2.18.4 + diff --git a/qemu-kvm.spec b/qemu-kvm.spec index 39fd078..50db574 100644 --- a/qemu-kvm.spec +++ b/qemu-kvm.spec 
@@ -64,7 +64,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} Summary: QEMU is a machine emulator and virtualizer Name: qemu-kvm Version: 5.2.0 -Release: 3%{?dist} +Release: 4%{?dist} # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 15 License: GPLv2 and GPLv2+ and CC-BY @@ -144,6 +144,7 @@ Patch0048: 0048-memory-Skip-bad-range-assertion-if-notifier-is-DEVIO.patch Patch0049: 0049-RHEL-Switch-pvpanic-test-to-q35.patch Patch0050: 0050-8.4-x86-machine-type.patch Patch0051: 0051-memory-clamp-cached-translation-in-case-it-points-to.patch +Patch0054: 0054-Drop-bogus-IPv6-messages.patch BuildRequires: wget BuildRequires: rpm-build @@ -281,7 +282,7 @@ Requires: edk2-aarch64 %endif %ifarch %{power64} -Requires: SLOF >= %{SLOF_gittagdate}-1.git%{SLOF_gittagcommit} +Requires: SLOF %endif Requires: libseccomp >= 2.4.0 # For compressed guest memory dumps @@ -1324,6 +1325,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %changelog +* Wed Jan 27 2021 Danilo Cesar Lemes de Paula - 5.2.0-4.el8 +- kvm-Drop-bogus-IPv6-messages.patch [bz#1918061] +- Resolves: bz#1918061 + (CVE-2020-10756 virt:rhel/qemu-kvm: QEMU: slirp: networking out-of-bounds read information disclosure vulnerability [rhel-av-8]) + * Mon Jan 18 2021 Danilo Cesar Lemes de Paula - 5.2.0-3.el8 - kvm-block-nvme-Implement-fake-truncate-coroutine.patch [bz#1848834] - kvm-spec-find-system-python-via-meson.patch [bz#1899619]
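Review bot: in the new `ip6_input()` check inside 0054-Drop-bogus-IPv6-messages.patch, `m->m_len` is an `int` while `ntohs(ip6->ip_pl) + sizeof(struct ip6)` is a `size_t`, so `m_len` is converted to unsigned for the comparison; that is only safe if the earlier check ending in the `goto bad;` visible at the top of the hunk already rejects mbufs shorter than `sizeof(struct ip6)`, which is worth confirming before merging. On style, the added `//` comment block sits beside the file's existing `/* check ip_ttl for a correct ICMP reply */` comment, so the `/* ... */` form would be consistent with the surrounding code. The nested commit text also carries a typo ("invalid an could" for "invalid and could"), though since this is a cherry-pick of libslirp commit c7ede54cbd2e2b25385325600958ba0124e31cc0 it is reasonable to keep it identical to upstream.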
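Review bot: `Patch0054` is added directly after `Patch0051`, leaving 0052 and 0053 unused; if those numbers are intentionally held for patches still to be synchronized from qemu-kvm-5.2.0-4.el8, a short comment on the gap would avoid future confusion, otherwise the patch should be numbered 0052.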
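Review bot: replacing `Requires: SLOF >= %{SLOF_gittagdate}-1.git%{SLOF_gittagcommit}` with a bare `Requires: SLOF` is mentioned only in the commit subject and is not documented anywhere in the spec; the hunk also removes the only visible use of the `%{SLOF_gittagdate}` and `%{SLOF_gittagcommit}` macros, so check whether their definitions elsewhere in qemu-kvm.spec are now dead and should be dropped in the same change.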
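Review bot: the 5.2.0-4.el8 changelog entry cites `kvm-Drop-bogus-IPv6-messages.patch`, but the file this change adds and references via `Patch0054` is `0054-Drop-bogus-IPv6-messages.patch`, so one of the two names should be aligned (for example `- 0054-Drop-bogus-IPv6-messages.patch [bz#1918061]`); the entry also omits the SLOF dependency change made in this same release, which deserves its own line. The `Release: 3%{?dist}` to `4%{?dist}` bump in the first spec hunk does match this entry.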