From 78f4db5d1d758fa7dbc90ce5606245b69370b05b Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Jan 09 2016 17:35:08 +0000
Subject: Fix virtio 9p thread pool usage
CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
Re-add dist tag
---
diff --git a/0001-virtio-9p-use-accessor-to-get-thread-pool.patch b/0001-virtio-9p-use-accessor-to-get-thread-pool.patch
deleted file mode 100644
index 655297a..0000000
--- a/0001-virtio-9p-use-accessor-to-get-thread-pool.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Greg Kurz
-Subject: [PATCH] virtio-9p: use accessor to get thread_pool
-Date: Sun, 20 Dec 2015 12:19:05 +0100
-
-The aio_context_new() function does not allocate a thread pool. This is
-deferred to the first call to the aio_get_thread_pool() accessor. It is
-hence forbidden to access the thread_pool field directly, as it may be
-NULL. The accessor *must* be used always.
-
-Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
-Cc: qemu-stable@nongnu.org
-Reviewed-by: Michael Tokarev
-Tested-by: Michael Tokarev
-Signed-off-by: Greg Kurz
-
- hw/9pfs/virtio-9p-coth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
-index fb6e8f80e0f4..ab9425c60fd2 100644
---- a/hw/9pfs/virtio-9p-coth.c
-+++ b/hw/9pfs/virtio-9p-coth.c
-@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
- void co_run_in_worker_bh(void *opaque)
- {
- Coroutine *co = opaque;
-- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
-+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
- coroutine_enter_func, co, coroutine_enter_cb, co);
- }
-
-
-
-
diff --git a/0001-virtio-9p-use-accessor-to-get-thread_pool.patch b/0001-virtio-9p-use-accessor-to-get-thread_pool.patch
new file mode 100644
index 0000000..83da7db
--- /dev/null
+++ b/0001-virtio-9p-use-accessor-to-get-thread_pool.patch
@@ -0,0 +1,31 @@
+From: Greg Kurz
+Date: Wed, 23 Dec 2015 10:56:58 +0100
+Subject: [PATCH] virtio-9p: use accessor to get thread_pool
+
+The aio_context_new() function does not allocate a thread pool. This is
+deferred to the first call to the aio_get_thread_pool() accessor. It is
+hence forbidden to access the thread_pool field directly, as it may be
+NULL. The accessor *must* be used always.
+
+Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
+Reviewed-by: Michael Tokarev
+Tested-by: Michael Tokarev
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Greg Kurz
+(cherry picked from commit 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6)
+---
+ hw/9pfs/virtio-9p-coth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
+index fb6e8f8..ab9425c 100644
+--- a/hw/9pfs/virtio-9p-coth.c
++++ b/hw/9pfs/virtio-9p-coth.c
+@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
+ void co_run_in_worker_bh(void *opaque)
+ {
+ Coroutine *co = opaque;
+- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
++ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
+ coroutine_enter_func, co, coroutine_enter_cb, co);
+ }
diff --git a/0002-ehci-make-idt-processing-more-robust.patch b/0002-ehci-make-idt-processing-more-robust.patch
new file mode 100644
index 0000000..d8caaff
--- /dev/null
+++ b/0002-ehci-make-idt-processing-more-robust.patch
@@ -0,0 +1,45 @@
+From: Gerd Hoffmann
+Date: Mon, 14 Dec 2015 09:21:23 +0100
+Subject: [PATCH] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction. That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Qinghao Tang
+Tested-by: P J P
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 156a2e4dbffa85997636a7a39ef12da6f1b40254)
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+ USBDevice *dev;
+ USBEndpoint *ep;
+- uint32_t i, len, pid, dir, devaddr, endp;
++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+ uint32_t pg, off, ptr1, ptr2, max, mult;
+
+ ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ ehci_raise_irq(ehci, USBSTS_INT);
+ }
+ itd->transact[i] &= ~ITD_XACT_ACTIVE;
++ xfers++;
+ }
+ }
+- return 0;
++ return xfers ? 0 : -1;
+ }
+
+
diff --git a/qemu.spec b/qemu.spec
index ea984ae..aa553e2 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -40,7 +40,7 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.5.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
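Review bot: The new `return xfers ? 0 : -1;` in ehci_process_itd only turns the "no active transaction" case into an error, because `xfers` is incremented solely at the point where a transaction's `ITD_XACT_ACTIVE` bit is cleared; whether that -1 actually stops the periodic-schedule walk depends on how the caller in ehci_advance_state treats a negative return, which is outside this hunk and cannot be confirmed from the page. Any return paths earlier in the function, between the two hunks, keep their existing values and are likewise not visible here. A one-line comment above the return, `/* no active transaction: fail so the caller stops walking a looped iTD list (CVE-2015-8558) */`, would record why an idle iTD is now reported as an error; since this file is a verbatim cherry-pick, that comment belongs upstream rather than in the backport. ehci_process_itd starts before the first hunk and its body between the `xfers` declaration and the final return is not shown.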
@@ -71,7 +71,10 @@ Source13: qemu-kvm.sh
 # For modprobe.d
 Source20: kvm.conf
-Patch0001: 0001-virtio-9p-use-accessor-to-get-thread-pool.patch
+# Fix virtio 9p thread pool usage
+Patch0001: 0001-virtio-9p-use-accessor-to-get-thread_pool.patch
+# CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+Patch0002: 0002-ehci-make-idt-processing-more-robust.patch
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -1166,6 +1169,11 @@ getent passwd qemu >/dev/null || \
 %changelog
+* Sat Jan 09 2016 Cole Robinson - 2:2.5.0-3
+- Fix virtio 9p thread pool usage
+- CVE-2015-8558: DoS by infinite loop in ehci_advance_state (bz #1291309)
+- Re-add dist tag
+
 * Thu Jan 7 2016 Paolo Bonzini - 2:2.5.0-2
 - add /etc/modprobe.d/kvm.conf
 - add 0001-virtio-9p-use-accessor-to-get-thread-pool.patch