Synchronization with qemu-kvm-5.2.0-11.el8

kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch

@@ -0,0 +1,49 @@
+From 51c6fc79d712c73bfeec2e4ff6779da3cab649fd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 1 Mar 2021 08:39:20 -0500
+Subject: [PATCH 2/4] qxl: also notify the rendering is done when skipping it
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20210301083920.895324-3-marcandre.lureau@redhat.com>
+Patchwork-id: 101275
+O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 2/2] qxl: also notify the rendering is done when skipping it
+Bugzilla: 1932190
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Sergio Lopez Pascual <slp@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+Asynchronous handlers may be waiting for the graphic_hw_update_done() to
+be called in this case too.
+
+Fixes: 4d6316218 ("console: add graphic_hw_update_done()")
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210201201422.446552-3-marcandre.lureau@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit b577ab2dda3afc7d6a7befabcf226507ff06c17c)
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/display/qxl-render.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index 3ce2e57b8f..d28849b121 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -181,6 +181,7 @@ void qxl_render_update(PCIQXLDevice *qxl)
+         qxl->mode == QXL_MODE_UNDEFINED) {
+         qxl_render_update_area_unlocked(qxl);
+         qemu_mutex_unlock(&qxl->ssd.lock);
++        graphic_hw_update_done(qxl->ssd.dcl.con);
+         return;
+     }
+ 
+-- 
+2.27.0
+

kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch

@@ -0,0 +1,50 @@
+From 94dc0414a7d5dadbbfc29a19617df7facb0ea7d6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
+Date: Mon, 1 Mar 2021 08:39:19 -0500
+Subject: [PATCH 1/4] qxl: set qxl.ssd.dcl.con on secondary devices
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: <20210301083920.895324-2-marcandre.lureau@redhat.com>
+Patchwork-id: 101274
+O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 1/2] qxl: set qxl.ssd.dcl.con on secondary devices
+Bugzilla: 1932190
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+RH-Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+RH-Acked-by: Sergio Lopez Pascual <slp@redhat.com>
+
+From: Marc-André Lureau <marcandre.lureau@redhat.com>
+
+On secondary QXL devices, the console is only set on qxl.vga.con. But
+graphic_hw_update_done() is called with qxl.ssd.dcl.con.
+
+Like for primary QXL devices, set qxl.sdd.dcl.con = qxl.vga.con.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-Id: <20210201201422.446552-2-marcandre.lureau@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+(cherry picked from commit c502758670432195d61ff848b1b47b0f78918ae2)
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ hw/display/qxl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 431c107096..50f4756b6a 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -2266,6 +2266,7 @@ static void qxl_realize_secondary(PCIDevice *dev, Error **errp)
+                            qxl->vga.vram_size, &error_fatal);
+     qxl->vga.vram_ptr = memory_region_get_ram_ptr(&qxl->vga.vram);
+     qxl->vga.con = graphic_console_init(DEVICE(dev), 0, &qxl_ops, qxl);
++    qxl->ssd.dcl.con = qxl->vga.con;
+     qxl->id = qemu_console_get_index(qxl->vga.con); /* == channel_id */
+ 
+     qxl_realize_common(qxl, errp);
+-- 
+2.27.0
+

kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch

@@ -0,0 +1,224 @@
+From 6a0564e81d5e329f955c4391809daf248f078481 Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Thu, 4 Mar 2021 15:49:01 -0500
+Subject: [PATCH 4/4] virtiofs: drop remapped security.capability xattr as
+ needed
+
+RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Message-id: <20210304154901.47930-3-dgilbert@redhat.com>
+Patchwork-id: 101305
+O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 2/2] virtiofs: drop remapped security.capability xattr as needed
+Bugzilla: 1935071
+RH-Acked-by: Connor Kuehl <ckuehl@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+
+On Linux, the 'security.capability' xattr holds a set of
+capabilities that can change when an executable is run, giving
+a limited form of privilege escalation to those programs that
+the writer of the file deemed worthy.
+
+Any write causes the 'security.capability' xattr to be dropped,
+stopping anyone from gaining privilege by modifying a blessed
+file.
+
+Fuse relies on the daemon to do this dropping, and in turn the
+daemon relies on the host kernel to drop the xattr for it.  However,
+with the addition of -o xattrmap, the xattr that the guest
+stores its capabilities in is now not the same as the one that
+the host kernel automatically clears.
+
+Where the mapping changes 'security.capability', explicitly clear
+the remapped name to preserve the same behaviour.
+
+This bug is assigned CVE-2021-20263.
+
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
+(cherry picked from commit e586edcb410543768ef009eaa22a2d9dd4a53846)
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+  Downstream slight context difference due to missing d64907ac FUSE_HANDLE_KILLPRIV_V2
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ docs/tools/virtiofsd.rst         |  4 ++
+ tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
+ 2 files changed, 80 insertions(+), 1 deletion(-)
+
+diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
+index 5b3be8a6d6..6e0fc94005 100644
+--- a/docs/tools/virtiofsd.rst
++++ b/docs/tools/virtiofsd.rst
+@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
+ to the matched **key** (or all attributes if **key** is empty).
+ There may be at most one 'map' rule and it must be the last rule in the set.
+ 
++Note: When the 'security.capability' xattr is remapped, the daemon has to do
++extra work to remove it during many operations, which the host kernel normally
++does itself.
++
+ xattr-mapping Examples
+ ----------------------
+ 
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index f06074d81f..9c33b0344b 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -160,6 +160,7 @@ struct lo_data {
+     int posix_lock;
+     int xattr;
+     char *xattrmap;
++    char *xattr_security_capability;
+     char *source;
+     char *modcaps;
+     double timeout;
+@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;
+ 
+ static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
+                                 uint64_t mnt_id);
++static int xattr_map_client(const struct lo_data *lo, const char *client_name,
++                            char **out_name);
+ 
+ static int is_dot_or_dotdot(const char *name)
+ {
+@@ -365,6 +368,37 @@ out:
+     return ret;
+ }
+ 
++/*
++ * The host kernel normally drops security.capability xattr's on
++ * any write, however if we're remapping xattr names we need to drop
++ * whatever the clients security.capability is actually stored as.
++ */
++static int drop_security_capability(const struct lo_data *lo, int fd)
++{
++    if (!lo->xattr_security_capability) {
++        /* We didn't remap the name, let the host kernel do it */
++        return 0;
++    }
++    if (!fremovexattr(fd, lo->xattr_security_capability)) {
++        /* All good */
++        return 0;
++    }
++
++    switch (errno) {
++    case ENODATA:
++        /* Attribute didn't exist, that's fine */
++        return 0;
++
++    case ENOTSUP:
++        /* FS didn't support attribute anyway, also fine */
++        return 0;
++
++    default:
++        /* Hmm other error */
++        return errno;
++    }
++}
++
+ static void lo_map_init(struct lo_map *map)
+ {
+     map->elems = NULL;
+@@ -718,6 +752,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+         uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
+         gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
+ 
++        saverr = drop_security_capability(lo, ifd);
++        if (saverr) {
++            goto out_err;
++        }
++
+         res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+         if (res == -1) {
+             saverr = errno;
+@@ -737,6 +776,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+             }
+         }
+ 
++        saverr = drop_security_capability(lo, truncfd);
++        if (saverr) {
++            if (!fi) {
++                close(truncfd);
++            }
++            goto out_err;
++        }
++
+         res = ftruncate(truncfd, attr->st_size);
+         saverr = res == -1 ? errno : 0;
+         if (!fi) {
+@@ -1727,6 +1774,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
+         if (fd < 0) {
+             return -fd;
+         }
++        if (fi->flags & (O_TRUNC)) {
++            int err = drop_security_capability(lo, fd);
++            if (err) {
++                close(fd);
++                return err;
++            }
++        }
+     }
+ 
+     pthread_mutex_lock(&lo->mutex);
+@@ -2115,6 +2169,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
+              "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,
+              out_buf.buf[0].size, (unsigned long)off);
+ 
++    res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
++    if (res) {
++        fuse_reply_err(req, res);
++        return;
++    }
++
+     /*
+      * If kill_priv is set, drop CAP_FSETID which should lead to kernel
+      * clearing setuid/setgid on file.
+@@ -2354,6 +2414,7 @@ static void parse_xattrmap(struct lo_data *lo)
+ {
+     const char *map = lo->xattrmap;
+     const char *tmp;
++    int ret;
+ 
+     lo->xattr_map_nentries = 0;
+     while (*map) {
+@@ -2384,7 +2445,7 @@ static void parse_xattrmap(struct lo_data *lo)
+              * the last entry.
+              */
+             parse_xattrmap_map(lo, map, sep);
+-            return;
++            break;
+         } else {
+             fuse_log(FUSE_LOG_ERR,
+                      "%s: Unexpected type;"
+@@ -2453,6 +2514,19 @@ static void parse_xattrmap(struct lo_data *lo)
+         fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
+         exit(1);
+     }
++
++    ret = xattr_map_client(lo, "security.capability",
++                           &lo->xattr_security_capability);
++    if (ret) {
++        fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
++                strerror(ret));
++        exit(1);
++    }
++    if (!strcmp(lo->xattr_security_capability, "security.capability")) {
++        /* 1-1 mapping, don't need to do anything */
++        free(lo->xattr_security_capability);
++        lo->xattr_security_capability = NULL;
++    }
+ }
+ 
+ /*
+@@ -3481,6 +3555,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
+ 
+     free(lo->xattrmap);
+     free_xattrmap(lo);
++    free(lo->xattr_security_capability);
+     free(lo->source);
+ }
+ 
+-- 
+2.27.0
+

kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch

@@ -0,0 +1,100 @@
+From 22fe525a532619088a135c0f5f80bde12da68109 Mon Sep 17 00:00:00 2001
+From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Date: Thu, 4 Mar 2021 15:49:00 -0500
+Subject: [PATCH 3/4] virtiofsd: Save error code early at the failure callsite
+
+RH-Author: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Message-id: <20210304154901.47930-2-dgilbert@redhat.com>
+Patchwork-id: 101304
+O-Subject: [RHEL-AV-8.4.0 qemu-kvm PATCH 1/2] virtiofsd: Save error code early at the failure callsite
+Bugzilla: 1935071
+RH-Acked-by: Connor Kuehl <ckuehl@redhat.com>
+RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
+RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+From: Vivek Goyal <vgoyal@redhat.com>
+
+Change error code handling slightly in lo_setattr(). Right now we seem
+to jump to out_err and assume that "errno" is valid and use that to
+send reply.
+
+But if caller has to do some other operations before jumping to out_err,
+then it does the dance of first saving errno to saverr and the restore
+errno before jumping to out_err. This makes it more confusing.
+
+I am about to make more changes where caller will have to do some
+work after error before jumping to out_err. I found it easier to
+change the convention a bit. That is caller saves error in "saverr"
+before jumping to out_err. And out_err uses "saverr" to send error
+back and does not rely on "errno" having actual error.
+
+v3: Resolved conflicts in lo_setattr() due to lo_inode_open() changes.
+
+Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Message-Id: <20210208224024.43555-2-vgoyal@redhat.com>
+(cherry picked from commit 1e08f164e9fdc9528ad6990012301b9a04b0bc90)
+Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
+---
+ tools/virtiofsd/passthrough_ll.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
+index 03c5e0d13c..f06074d81f 100644
+--- a/tools/virtiofsd/passthrough_ll.c
++++ b/tools/virtiofsd/passthrough_ll.c
+@@ -710,6 +710,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+             res = fchmodat(lo->proc_self_fd, procname, attr->st_mode, 0);
+         }
+         if (res == -1) {
++            saverr = errno;
+             goto out_err;
+         }
+     }
+@@ -719,6 +720,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+ 
+         res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
+         if (res == -1) {
++            saverr = errno;
+             goto out_err;
+         }
+     }
+@@ -730,16 +732,15 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+         } else {
+             truncfd = lo_inode_open(lo, inode, O_RDWR);
+             if (truncfd < 0) {
+-                errno = -truncfd;
++                saverr = -truncfd;
+                 goto out_err;
+             }
+         }
+ 
+         res = ftruncate(truncfd, attr->st_size);
++        saverr = res == -1 ? errno : 0;
+         if (!fi) {
+-            saverr = errno;
+             close(truncfd);
+-            errno = saverr;
+         }
+         if (res == -1) {
+             goto out_err;
+@@ -772,6 +773,7 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+             res = utimensat(lo->proc_self_fd, procname, tv, 0);
+         }
+         if (res == -1) {
++            saverr = errno;
+             goto out_err;
+         }
+     }
+@@ -780,7 +782,6 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
+     return lo_getattr(req, ino, fi);
+ 
+ out_err:
+-    saverr = errno;
+     lo_inode_put(lo, &inode);
+     fuse_reply_err(req, saverr);
+ }
+-- 
+2.27.0
+

qemu-kvm.spec

@@ -64,7 +64,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 5.2.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 15
 License: GPLv2 and GPLv2+ and CC-BY
@@ -284,6 +284,14 @@ Patch122: kvm-virtio-net-add-missing-object_unref.patch
 Patch123: kvm-x86-cpu-Populate-SVM-CPUID-feature-bits.patch
 # For bz#1926785 - [RFE] AMD Milan - Add KVM/support for EPYC-Milan CPU Model - Fast Train
 Patch124: kvm-i386-Add-the-support-for-AMD-EPYC-3rd-generation-pro.patch
+# For bz#1932190 - Timeout when dump the screen from 2nd VGA
+Patch125: kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch
+# For bz#1932190 - Timeout when dump the screen from 2nd VGA
+Patch126: kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch
+# For bz#1935071 - CVE-2021-20263 virt:8.4/qemu-kvm: QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option [rhel-av-8]
+Patch127: kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch
+# For bz#1935071 - CVE-2021-20263 virt:8.4/qemu-kvm: QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option [rhel-av-8]
+Patch128: kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch
 
 BuildRequires: wget
 BuildRequires: rpm-build
@@ -1473,6 +1481,16 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 
 
 %changelog
+* Mon Mar 15 2021 Miroslav Rezanina <mrezanin@redhat.com> - 5.2.0-11.el9
+- kvm-qxl-set-qxl.ssd.dcl.con-on-secondary-devices.patch [bz#1932190]
+- kvm-qxl-also-notify-the-rendering-is-done-when-skipping-.patch [bz#1932190]
+- kvm-virtiofsd-Save-error-code-early-at-the-failure-calls.patch [bz#1935071]
+- kvm-virtiofs-drop-remapped-security.capability-xattr-as-.patch [bz#1935071]
+- Resolves: bz#1932190
+  (Timeout when dump the screen from 2nd VGA)
+- Resolves: bz#1935071
+  (CVE-2021-20263 virt:8.4/qemu-kvm: QEMU: virtiofsd: 'security.capabilities' is not dropped with xattrmap option [rhel-av-8])
+
 * Wed Mar 03 2021 Danilo Cesar Lemes de Paula <ddepaula@redhat.com> - 5.2.0-10.el8
 - kvm-migration-dirty-bitmap-Use-struct-for-alias-map-inne.patch [bz#1930757]
 - kvm-migration-dirty-bitmap-Allow-control-of-bitmap-persi.patch [bz#1930757]