Merge ~paelzer/ubuntu/+source/qemu:merge-6.0-2exp-impish into ubuntu/+source/qemu:ubuntu/devel

Proposed by Christian Ehrhardt 
Status: Superseded
Proposed branch: ~paelzer/ubuntu/+source/qemu:merge-6.0-2exp-impish
Merge into: ubuntu/+source/qemu:ubuntu/devel
Diff against target: 760 lines (+581/-5) (has conflicts)
14 files modified
debian/changelog (+109/-0)
debian/control (+11/-0)
debian/control-in (+13/-0)
debian/optionrom.mak (+1/-1)
debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch (+40/-0)
debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch (+43/-0)
debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch (+40/-0)
debian/patches/series (+14/-0)
debian/patches/target-ppc-fix-load-endianness-for-lxvwsx-lxvdsx.patch (+45/-0)
debian/patches/ubuntu/avoid-fcf-clashing-with-i486.patch (+23/-0)
debian/patches/ubuntu/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch (+119/-0)
debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch (+37/-0)
debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch (+54/-0)
debian/rules (+32/-4)
Conflict in debian/changelog
Conflict in debian/control
Conflict in debian/control-in
Conflict in debian/patches/series
Conflict in debian/rules
Reviewer Review Type Date Requested Status
Canonical Server Pending
Canonical Server Core Reviewers Pending
Review via email: mp+407156@code.launchpad.net

This proposal has been superseded by a proposal from 2021-08-16.


Unmerged commits

5abe357... by Christian Ehrhardt 

changelog: 1:6.0+dfsg-2expubuntu1

Signed-off-by: Christian Ehrhardt <email address hidden>

d461655... by Christian Ehrhardt 

d/p/u/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch: add new 3931 and 3932 machines (LP: #1932175)

Signed-off-by: Christian Ehrhardt <email address hidden>

be207da... by Christian Ehrhardt 

d/optionrom.mak, d/p/u/avoid-fcf-clashing-with-i486.patch: fix
-fcf-protection being unavailable on -march=i486 (LP: #1940029)

Note: Can be dropped once fixed in the compiler toolchain.

Signed-off-by: Christian Ehrhardt <email address hidden>

a75600c... by Christian Ehrhardt 

d/control: regenerated from d/control-in

Signed-off-by: Christian Ehrhardt <email address hidden>

1315416... by Christian Ehrhardt 

merge-changelogs

Signed-off-by: Christian Ehrhardt <email address hidden>

fea132d... by Christian Ehrhardt 

debian/qemu-block-extra.postinst: enable mount unit on install/upgrade

Note: this default-on behavior might stay Ubuntu-only as Debian would
prefer an opt-in, while we'd like it to work out of the box.

Signed-off-by: Christian Ehrhardt <email address hidden>

e58e184... by Christian Ehrhardt 

d/p/ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch: avoid segfaults by uretprobes (LP: #1929926)

Signed-off-by: Christian Ehrhardt <email address hidden>

8a24cc3... by Christian Ehrhardt 

d/p/ubuntu/define-ubuntu-machine-types.patch: add ubuntu machine types for v6.0

Signed-off-by: Christian Ehrhardt <email address hidden>

bba6c7b... by Christian Ehrhardt 

d/p/ubuntu/enable-svm-by-default.patch: update to match v6.0

Signed-off-by: Christian Ehrhardt <email address hidden>

0b0596c... by Christian Ehrhardt 

d/control.in: Make qemu-system-x86-microvm a transitional package (drop after 22.04)

Signed-off-by: Christian Ehrhardt <email address hidden>

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 244f19a..32b8162 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,109 @@
6+<<<<<<< debian/changelog
7+=======
8+qemu (1:6.0+dfsg-2expubuntu1) impish; urgency=medium
9+
10+ * Merge with Debian experimental, remaining changes:
11+ - qemu-kvm to systemd unit
12+ - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
13+ hugepages and architecture specifics
14+ - d/qemu-system-common.qemu-kvm.service: systemd unit to call
15+ qemu-kvm-init
16+ - d/qemu-system-common.install: install helper script
17+ - d/qemu-system-common.qemu-kvm.default: defaults for
18+ /etc/default/qemu-kvm
19+ - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
20+ - Distribution specific machine type
21+ (LP: 1304107 1621042 1776189 1761372 1761372 1776189)
22+ - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
23+ types containing release versioned machine attributes
24+ - d/qemu-system-x86.NEWS Info on fixed machine type defintions
25+ for host-phys-bits=true
26+ - Add an info about -hpb machine type in debian/qemu-system-x86.NEWS
27+ - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
28+ - Enable nesting by default
29+ - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
30+ in qemu64 on amd
31+ [ No more strictly needed, but required for backward compatibility ]
32+ - improved dependencies
33+ - Make qemu-system-common depend on qemu-block-extra
34+ - Make qemu-utils depend on qemu-block-extra
35+ - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
36+ - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
37+ reference 256k path
38+ - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
39+ handle incoming migrations from former releases.
40+ - d/qemu-system-x86.README.Debian: add info about updated nesting changes
41+ - d/control*, d/rules: disable xen by default, but provide universe
42+ package qemu-system-x86-xen as alternative
43+ [includes compat links changes of 5.0-5ubuntu4]
44+ - d/p/ubuntu/enable-svm-by-default.patch: update to match v6.0
45+ - d/p/ubuntu/define-ubuntu-machine-types.patch: add ubuntu machine types
46+ for v6.0
47+ - d/p/ubuntu/lp-1929926-*: avoid segfaults by uretprobes (LP 1929926)
48+ - Ease the use of module retention on upgrades (LP 1913421)
49+ - debian/qemu-block-extra.postinst: enable mount unit on install/upgrade
50+ * Dropped Changes [in 1:6.0+dfsg-2exp]:
51+ - d/control-in: Disable capstone disassembler library support (universe)
52+ - Disable fuse export (universe dependency)
53+ - Ease the use of module retention on upgrades (LP 1913421)
54+ - d/run-qemu.mount, d/rules: provide run-qemu.mount in qemu-block-extra
55+ - d/rules: only save modules if /run/qemu isn't noexec
56+ - d/rules: clear all (current and former) modules on purge
57+ - d/control: qemu 6.0 broke libvirt <7.2 add a breaks to avoid partial
58+ upgrade issues (LP 1932264)
59+ - Enable SDL as secondary UI backend (LP 1256185)
60+ - d/control: add build dependency libsdl2-dev
61+ - d/control: enable sdl graphics on build
62+ - d/qemu-system-gui.install: add ui-sdl.so
63+ - d/control: add runtime dependency to libgl1
64+ * Dropped Changes [no more needed]
65+ - let qemu-utils recommend sharutils
66+ * Added changes:
67+ - d/optionrom.mak, d/p/u/avoid-fcf-clashing-with-i486.patch: fix
68+ -fcf-protection being unavailble on -march=i486 (LP: #1940029)
69+ - d/p/u/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch: add new 3931
70+ and 3932 machines (LP: #1932175)
71+
72+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Thu, 12 Aug 2021 15:35:12 +0200
73+
74+qemu (1:6.0+dfsg-2exp) experimental; urgency=medium
75+
76+ [ Christian Ehrhardt ]
77+ * qemu 6.0 broke libvirt <7.2, add a Breaks
78+ to avoid partial upgrade issues (LP: #1932264)
79+ * enable SDL as secondary UI backend (LP: #1256185)
80+ * clear all (current and former) modules on purge
81+ * only save modules if /run/qemu isn't noexec
82+ * provide run-qemu.mount in qemu-block-extra
83+ (disabled in debian for now)
84+ * Disable capstone disassembler library support in ubuntu (universe)
85+
86+ [ Michael Tokarev ]
87+ * qemu does not ship Changelog file anymore
88+ * drop version from libfuse-dev build-depends (noticed by Ville Skyttä)
89+ * a few patches from upstream stable:
90+ - target-ppc-fix-load-endianness-for-lxvwsx-lxvdsx.patch
91+ fix various crashes in ppc system emulation.
92+ Thanks to Christian Ehrhardt for pointing this out
93+ - pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
94+ (Closes: #990565, CVE-2021-3582)
95+ - pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
96+ (Closes: #990564, CVE-2021-3607)
97+ - pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
98+ (Closes: #990563, CVE-2021-3608)
99+ - usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
100+ usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
101+ (Closes: #988157, CVE-2021-3527)
102+ * mention closing of 3 bugs in am53c974 (ESP) device emulation by 6.0
103+ (Closes: #979679, CVE-2020-35504)
104+ (Closes: #984455, CVE-2020-35505)
105+ (Closes: #984454, CVE-2020-35506)
106+ * make fuse debian-only, since libfuse3 in ubuntu is in universe
107+ * fix microvm default machine type for a new build system (LP: #1936894)
108+
109+ -- Michael Tokarev <mjt@tls.msk.ru> Wed, 21 Jul 2021 19:43:37 +0300
110+
111+>>>>>>> debian/changelog
112 qemu (1:6.0+dfsg-1~ubuntu3) impish; urgency=medium
113
114 * d/p/u/lp-1935617-target-ppc-Fix-load-endianness-for-lxvwsx-lxvdsx.patch:
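Review bot: this hunk still carries unresolved conflict markers (`<<<<<<< debian/changelog`, `=======`, `>>>>>>> debian/changelog`), so the branch cannot land as-is; the resolution is simply to keep the new 2expubuntu1 and 2exp entries above the existing 1~ubuntu3 entry. Inside the new entry, "Ease the use of module retention on upgrades (LP 1913421)" appears under both "remaining changes" and "Dropped Changes [in 1:6.0+dfsg-2exp]" with identical wording, which reads as a contradiction; the remaining-changes copy should say that only the postinst sub-item (enabling the mount unit) is kept, since the 2exp entry notes run-qemu.mount is "disabled in debian for now". Minor: "defintions" should read "definitions", and the `LP 1929926` / `LP 1913421` references are not in the `LP: #NNNN` form Launchpad recognises, which is fine only if they are not meant to close anything.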
115@@ -99,6 +205,9 @@ qemu (1:6.0+dfsg-1~ubuntu1) impish; urgency=medium
116 qemu (1:6.0+dfsg-1~exp0) experimental; urgency=medium
117
118 * new upstream release
119+ Closes: #979679, CVE-2020-35504
120+ Closes: #984455, CVE-2020-35505
121+ Closes: #984454, CVE-2020-35506
122 * remove obsolete patches, refresh use-fixed-data-path.patch
123 * use libncurses-dev, not old libncursesw5-dev
124 * enable fuse export (and build-depend on libfuse3-dev)
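Review bot: the three `Closes: #979679/#984455/#984454` lines added to the already-published 1:6.0+dfsg-1~exp0 entry duplicate the "mention closing of 3 bugs in am53c974" item in the new 2exp entry. Keeping them matches what the Debian side ships and avoids a future conflict, but it is worth saying in the MP description that an older entry is being rewritten.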
125diff --git a/debian/control b/debian/control
126index 28a2e35..638cfe8 100644
127--- a/debian/control
128+++ b/debian/control
129@@ -18,6 +18,10 @@ Build-Depends: debhelper-compat (= 12),
130 texinfo, python3-sphinx,
131 # iasl (from acpica-tools) is used only in a single test these days, not for building
132 # acpica-tools,
133+<<<<<<< debian/control
134+=======
135+# libcapstone is in universe in ubuntu
136+>>>>>>> debian/control
137 # --enable-linux-aio linux-*
138 libaio-dev [linux-any],
139 # --audio-drv-list=pa,alsa,oss,sdl linux-*
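Review bot: conflict markers are left in debian/control, and the Debian side contributes only the comment `# libcapstone is in universe in ubuntu` with no dependency line below it; that makes sense in control-in, where the `:debian:` capstone lines follow, but it is orphaned here. Since commit a75600c regenerates debian/control from debian/control-in, resolve the conflicts in control-in and regenerate rather than hand-merging this file (the same applies to the libfuse3 and sharutils hunks below).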
140@@ -37,6 +41,10 @@ Build-Depends: debhelper-compat (= 12),
141 # --enable-fdt
142 # libfdt #931046
143 libfdt-dev (>> 1.5.0-2~),
144+<<<<<<< debian/control
145+=======
146+# in ubuntu libfuse3 is in universe
147+>>>>>>> debian/control
148 # --enable-gnutls
149 gnutls-dev,
150 # --enable-gtk --enable-vte
151@@ -460,7 +468,10 @@ Multi-Arch: foreign
152 Breaks: qemu-system-common (<< 1:3.1+dfsg-3~)
153 Depends: ${shlibs:Depends}, ${misc:Depends},
154 qemu-block-extra (= ${binary:Version})
155+<<<<<<< debian/control
156 Recommends: sharutils
157+=======
158+>>>>>>> debian/control
159 Suggests: debootstrap,
160 Description: QEMU utilities
161 QEMU is a fast processor emulator: currently the package supports
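Review bot: the conflict here is over `Recommends: sharutils`; the changelog lists "let qemu-utils recommend sharutils" under "Dropped Changes [no more needed]", so resolve by taking the Debian side and dropping the line, then regenerate this file from control-in after dropping it there too.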
162diff --git a/debian/control-in b/debian/control-in
163index 9dcf5bb..ceb03ab 100644
164--- a/debian/control-in
165+++ b/debian/control-in
166@@ -18,6 +18,10 @@ Build-Depends: debhelper-compat (= 12),
167 texinfo, python3-sphinx,
168 # iasl (from acpica-tools) is used only in a single test these days, not for building
169 # acpica-tools,
170+<<<<<<< debian/control-in
171+=======
172+# libcapstone is in universe in ubuntu
173+>>>>>>> debian/control-in
174 :debian:# --enable-capstone=system
175 :debian: libcapstone-dev (>> 4.0.2~),
176 # --enable-linux-aio linux-*
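Review bot: the conflict markers need resolving; the Debian-side comment `# libcapstone is in universe in ubuntu` directly above the `:debian:# --enable-capstone=system` / `:debian: libcapstone-dev (>> 4.0.2~),` lines is the upstream implementation of the 2exp item "Disable capstone disassembler library support in ubuntu (universe)", so take the Debian side here.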
177@@ -39,6 +43,12 @@ Build-Depends: debhelper-compat (= 12),
178 # --enable-fdt
179 # libfdt #931046
180 libfdt-dev (>> 1.5.0-2~),
181+<<<<<<< debian/control-in
182+=======
183+# in ubuntu libfuse3 is in universe
184+:debian:# --enable-fuse
185+:debian: libfuse3-dev,
186+>>>>>>> debian/control-in
187 # --enable-gnutls
188 gnutls-dev,
189 # --enable-gtk --enable-vte
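Review bot: take the Debian side: the `:debian:# --enable-fuse` / `:debian: libfuse3-dev,` lines implement the 2exp item "make fuse debian-only, since libfuse3 in ubuntu is in universe" and supersede the Ubuntu-only "Disable fuse export (universe dependency)" delta that the changelog already lists under dropped changes.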
190@@ -471,7 +481,10 @@ Multi-Arch: foreign
191 Breaks: qemu-system-common (<< 1:3.1+dfsg-3~)
192 Depends: ${shlibs:Depends}, ${misc:Depends},
193 :ubuntu: qemu-block-extra (= ${binary:Version})
194+<<<<<<< debian/control-in
195 :ubuntu:Recommends: sharutils
196+=======
197+>>>>>>> debian/control-in
198 Suggests: debootstrap,
199 :debian: qemu-block-extra (= ${binary:Version}),
200 Description: QEMU utilities
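Review bot: resolve by dropping `:ubuntu:Recommends: sharutils` (listed under "Dropped Changes [no more needed]" in the changelog), then regenerate debian/control so the two files stay in sync.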
201diff --git a/debian/optionrom.mak b/debian/optionrom.mak
202index 4d45238..204caa0 100644
203--- a/debian/optionrom.mak
204+++ b/debian/optionrom.mak
205@@ -1,7 +1,7 @@
206 LD = ld
207 OBJCOPY = objcopy
208 CC = cc
209-CFLAGS = -O2 -m16 -Wa,-32 -march=i486 \
210+CFLAGS = -O2 -m16 -Wa,-32 -march=i486 -fcf-protection=none \
211 -ffreestanding -fno-stack-protector -fno-pie \
212 -I${SRC_PATH}/include
213 VPATH = ${SRC_PATH}/pc-bios/optionrom
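Review bot: `-fcf-protection=none` is added unconditionally to CFLAGS. That is harmless for these 16-bit freestanding ROMs (control-flow enforcement cannot apply to `-m16` code anyway), but commit be207da says the change is to be dropped once the toolchain is fixed, so a comment on this line pointing at LP: #1940029 would stop it from being carried forward silently; alternatively probe the flag the way the upstream optionrom Makefile does with its `cc-option` helper, so the line becomes a no-op on a fixed compiler.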
214diff --git a/debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch b/debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
215new file mode 100644
216index 0000000..888301a
217--- /dev/null
218+++ b/debian/patches/pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
219@@ -0,0 +1,40 @@
220+Commit-ID: 32e5703cfea07c91e6e84bcb0313f633bb146534
221+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
222+Date: Wed, 30 Jun 2021 14:46:34 +0300
223+Subject: pvrdma: Ensure correct input on ring init (CVE-2021-3607)
224+Bug-Debian: https://bugs.debian.org/990564
225+
226+Check the guest passed a non zero page count
227+for pvrdma device ring buffers.
228+
229+Fixes: CVE-2021-3607
230+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
231+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
232+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
233+Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
234+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
235+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
236+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
237+---
238+ hw/rdma/vmw/pvrdma_main.c | 5 +++++
239+ 1 file changed, 5 insertions(+)
240+
241+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
242+index 84ae8024fc..7c0c3551a8 100644
243+--- a/hw/rdma/vmw/pvrdma_main.c
244++++ b/hw/rdma/vmw/pvrdma_main.c
245+@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
246+ uint64_t *dir, *tbl;
247+ int rc = 0;
248+
249++ if (!num_pages) {
250++ rdma_error_report("Ring pages count must be strictly positive");
251++ return -EINVAL;
252++ }
253++
254+ dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
255+ if (!dir) {
256+ rdma_error_report("Failed to map to page directory (ring %s)", name);
257+--
258+2.30.2
259+
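Review bot: the guard rejects `num_pages == 0` before `rdma_pci_dma_map` is called, so nothing is mapped on the error path, which matches the description. It does not bound `num_pages` from above; that is left to the caller and to the `nchunks`/`length` check in the CVE-2021-3582 patch, so confirm that the ring-init callers pass through that check. Minor: this header uses `Commit-ID:` while the sibling patches use `Commit-Id:`; worth aligning so tooling that reads DEP-3 headers treats them the same.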
260diff --git a/debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch b/debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
261new file mode 100644
262index 0000000..bd450ff
263--- /dev/null
264+++ b/debian/patches/pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
265@@ -0,0 +1,43 @@
266+Commit-Id: 284f191b4abad213aed04cb0458e1600fd18d7c4
267+From: Marcel Apfelbaum <marcel@redhat.com>
268+Date: Wed, 16 Jun 2021 14:06:00 +0300
269+Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
270+Bug-Debian: https://bugs.debian.org/990565
271+
272+Ensure mremap boundaries not trusting the guest kernel to
273+pass the correct buffer length.
274+
275+Fixes: CVE-2021-3582
276+Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
277+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
278+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
279+Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
280+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
281+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
282+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
283+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
284+---
285+ hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
286+ 1 file changed, 7 insertions(+)
287+
288+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
289+index f59879e257..da7ddfa548 100644
290+--- a/hw/rdma/vmw/pvrdma_cmd.c
291++++ b/hw/rdma/vmw/pvrdma_cmd.c
292+@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
293+ return NULL;
294+ }
295+
296++ length = ROUND_UP(length, TARGET_PAGE_SIZE);
297++ if (nchunks * TARGET_PAGE_SIZE != length) {
298++ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
299++ (unsigned long)length);
300++ return NULL;
301++ }
302++
303+ dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
304+ if (!dir) {
305+ rdma_error_report("Failed to map to page directory");
306+--
307+2.30.2
308+
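Review bot: the new check sits after the existing early `return NULL;` and before `rdma_pci_dma_map`, so a mismatch between the guest-supplied `nchunks` and `length` is refused before any page directory is mapped and nothing leaks on the error path. Rounding `length` up to `TARGET_PAGE_SIZE` first is what makes the equality test meaningful, and the `(unsigned long)` cast matches the `%lu` format portably. Looks correct.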
309diff --git a/debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch b/debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
310new file mode 100644
311index 0000000..abaab08
312--- /dev/null
313+++ b/debian/patches/pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
314@@ -0,0 +1,40 @@
315+Commit-Id: 66ae37d8cc313f89272e711174a846a229bcdbd3
316+From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
317+Date: Wed, 30 Jun 2021 14:52:46 +0300
318+Subject: pvrdma: Fix the ring init error flow (CVE-2021-3608)
319+MIME-Version: 1.0
320+Content-Type: text/plain; charset=UTF-8
321+Content-Transfer-Encoding: 8bit
322+Bug-Debian: https://bugs.debian.org/990563
323+
324+Do not unmap uninitialized dma addresses.
325+
326+Fixes: CVE-2021-3608
327+Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
328+Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
329+Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
330+Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
331+Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
332+Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
333+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
334+Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
335+---
336+ hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
337+ 1 file changed, 1 insertion(+), 1 deletion(-)
338+
339+diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
340+index 074ac59b84..42130667a7 100644
341+--- a/hw/rdma/vmw/pvrdma_dev_ring.c
342++++ b/hw/rdma/vmw/pvrdma_dev_ring.c
343+@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
344+ qatomic_set(&ring->ring_state->cons_head, 0);
345+ */
346+ ring->npages = npages;
347+- ring->pages = g_malloc(npages * sizeof(void *));
348++ ring->pages = g_malloc0(npages * sizeof(void *));
349+
350+ for (i = 0; i < npages; i++) {
351+ if (!tbl[i]) {
352+--
353+2.30.2
354+
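Review bot: switching to `g_malloc0` leaves `ring->pages[]` NULL-initialised so the error path that unmaps already-mapped pages no longer hands uninitialised pointers to the unmap call. That relies on the unmap loop skipping NULL entries, which is outside this hunk; confirm it when reading pvrdma_dev_ring.c rather than assuming it.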
355diff --git a/debian/patches/series b/debian/patches/series
356index 32d6bad..e2e69fd 100644
357--- a/debian/patches/series
358+++ b/debian/patches/series
359@@ -11,10 +11,24 @@ slof-remove-user-and-host-from-release-version.patch
360 slof-ensure-ld-is-called-with-C-locale.patch
361 vnc-spelling.patch
362 spelling-addtional.patch
363+<<<<<<< debian/patches/series
364+=======
365+target-ppc-fix-load-endianness-for-lxvwsx-lxvdsx.patch
366+pvrdma-fix-possible-mremap-overflow-in-pvrdma-device-CVE-2021-3582.patch
367+pvrdma-ensure-correct-input-on-ring-init-CVE-2021-3607.patch
368+pvrdma-fix-the-ring-init-error-flow-CVE-2021-3608.patch
369+usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
370+usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
371+>>>>>>> debian/patches/series
372
373 # ubuntu patches
374 ubuntu/enable-svm-by-default.patch
375 ubuntu/define-ubuntu-machine-types.patch
376 ubuntu/pre-bionic-256k-ipxe-efi-roms.patch
377 ubuntu/lp-1929926-target-s390x-Fix-translation-exception-on-illegal-in.patch
378+<<<<<<< debian/patches/series
379 ubuntu/lp-1935617-target-ppc-Fix-load-endianness-for-lxvwsx-lxvdsx.patch
380+=======
381+ubuntu/avoid-fcf-clashing-with-i486.patch
382+ubuntu/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch
383+>>>>>>> debian/patches/series
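Review bot: both conflict blocks in this hunk must be resolved before merging. Beyond that, the Debian side adds `target-ppc-fix-load-endianness-for-lxvwsx-lxvdsx.patch` (upstream 861f10fd) while the Ubuntu side keeps `ubuntu/lp-1935617-target-ppc-Fix-load-endianness-for-lxvwsx-lxvdsx.patch`, which is the same upstream fix carried since 1:6.0+dfsg-1~ubuntu3; listing both will make the second one fail to apply. Drop the ubuntu entry here, delete that file (the file list shows no deletion of it), and record it under dropped changes in the changelog. From the second conflict block only the added `ubuntu/avoid-fcf-clashing-with-i486.patch` and `ubuntu/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch` lines should survive.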
384diff --git a/debian/patches/target-ppc-fix-load-endianness-for-lxvwsx-lxvdsx.patch b/debian/patches/target-ppc-fix-load-endianness-for-lxvwsx-lxvdsx.patch
385new file mode 100644
386index 0000000..2adc1a2
387--- /dev/null
388+++ b/debian/patches/target-ppc-fix-load-endianness-for-lxvwsx-lxvdsx.patch
389@@ -0,0 +1,45 @@
390+Commit-Id: 861f10fd528263a507476b8c4dda93a9588dfa5c
391+From: Giuseppe Musacchio <thatlemon@gmail.com>
392+Date: Tue, 18 May 2021 15:30:20 +0200
393+Subject: target/ppc: Fix load endianness for lxvwsx/lxvdsx
394+
395+TARGET_WORDS_BIGENDIAN may not match the machine endianness if that's a
396+runtime-configurable parameter.
397+
398+Fixes: bcb0b7b1a1c05707304f80ca6f523d557816f85c
399+Fixes: afae37d98ae991c0792c867dbd9f32f988044318
400+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/212
401+
402+Signed-off-by: Giuseppe Musacchio <thatlemon@gmail.com>
403+Message-Id: <20210518133020.58927-1-thatlemon@gmail.com>
404+Tested-by: Paul A. Clarke <pc@us.ibm.com>
405+Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
406+---
407+ target/ppc/translate/vsx-impl.c.inc | 4 ++--
408+ 1 file changed, 2 insertions(+), 2 deletions(-)
409+
410+diff --git a/target/ppc/translate/vsx-impl.c.inc b/target/ppc/translate/vsx-impl.c.inc
411+index b817d31260..57a7f73bba 100644
412+--- a/target/ppc/translate/vsx-impl.c.inc
413++++ b/target/ppc/translate/vsx-impl.c.inc
414+@@ -139,7 +139,7 @@ static void gen_lxvwsx(DisasContext *ctx)
415+ gen_addr_reg_index(ctx, EA);
416+
417+ data = tcg_temp_new_i32();
418+- tcg_gen_qemu_ld_i32(data, EA, ctx->mem_idx, MO_TEUL);
419++ tcg_gen_qemu_ld_i32(data, EA, ctx->mem_idx, DEF_MEMOP(MO_UL));
420+ tcg_gen_gvec_dup_i32(MO_UL, vsr_full_offset(xT(ctx->opcode)), 16, 16, data);
421+
422+ tcg_temp_free(EA);
423+@@ -162,7 +162,7 @@ static void gen_lxvdsx(DisasContext *ctx)
424+ gen_addr_reg_index(ctx, EA);
425+
426+ data = tcg_temp_new_i64();
427+- tcg_gen_qemu_ld_i64(data, EA, ctx->mem_idx, MO_TEQ);
428++ tcg_gen_qemu_ld_i64(data, EA, ctx->mem_idx, DEF_MEMOP(MO_Q));
429+ tcg_gen_gvec_dup_i64(MO_Q, vsr_full_offset(xT(ctx->opcode)), 16, 16, data);
430+
431+ tcg_temp_free(EA);
432+--
433+2.30.2
434+
435diff --git a/debian/patches/ubuntu/avoid-fcf-clashing-with-i486.patch b/debian/patches/ubuntu/avoid-fcf-clashing-with-i486.patch
436new file mode 100644
437index 0000000..8af232f
438--- /dev/null
439+++ b/debian/patches/ubuntu/avoid-fcf-clashing-with-i486.patch
440@@ -0,0 +1,23 @@
441+Description: Disable fcf protection in i486 rom builds
442+ Some of the qemu roms build really old coe with -march=i486 -m16, but
443+ in this more -fcf-protection isn't available, but recently enabled.
444+ That causes:
445+ cc1: error: ‘-fcf-protection’ is not compatible with this target
446+ Avoid that by disabling the feature in these compile calls until the
447+ problem is resolved on the toolchain level.
448+Forwarded: no
449+X-Not-Forwarded-Reason: Only a problem of the Ubuntu compiler defaults
450+Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
451+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1940029
452+Last-Update: 2021-08-16
453+--- a/pc-bios/optionrom/Makefile
454++++ b/pc-bios/optionrom/Makefile
455+@@ -13,7 +13,7 @@ CFLAGS = -O2 -g
456+ quiet-command = $(if $(V),$1,$(if $(2),@printf " %-7s %s\n" $2 $3 && $1, @$1))
457+ cc-option = $(if $(shell $(CC) $1 -c -o /dev/null -xc /dev/null >/dev/null 2>&1 && echo OK), $1, $2)
458+
459+-override CFLAGS += -march=i486 -Wall
460++override CFLAGS += -march=i486 -Wall -fcf-protection=none
461+
462+ # Flags for dependency generation
463+ override CPPFLAGS += -MMD -MP -MT $@ -MF $(@D)/$(*F).d
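Review bot: the DEP-3 description has two typos: "coe" for "code" and "in this more" for "in this mode". The Makefile being patched already defines `cc-option` (visible in the context line), so `$(call cc-option,-fcf-protection=none)` would add the flag only when the compiler accepts it, making the patch safe on compilers that do not know `-fcf-protection` at all; either way, keeping this line and debian/optionrom.mak in step, as the proposal does, is the right call.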
464diff --git a/debian/patches/ubuntu/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch b/debian/patches/ubuntu/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch
465new file mode 100644
466index 0000000..6c82066
467--- /dev/null
468+++ b/debian/patches/ubuntu/lp-1932175-s390x-cpumodel-add-3931-and-3932.patch
469@@ -0,0 +1,119 @@
470+From fb4a08121695a88acefcbcd86f1376df079eefee Mon Sep 17 00:00:00 2001
471+From: Christian Borntraeger <borntraeger@de.ibm.com>
472+Date: Tue, 22 Jun 2021 22:19:23 +0200
473+Subject: [PATCH] s390x/cpumodel: add 3931 and 3932
474+
475+This defines 5 new facilities and the new 3931 and 3932 machines.
476+As before the name is not yet known and we do use gen16a and gen16b.
477+The new features are part of the full model.
478+
479+The default model is still empty (same as z15) and will be added
480+in a separate patch at a later point in time.
481+
482+Also add the dependencies of new facilities and as a fix for z15 add
483+a dependency from S390_FEAT_VECTOR_PACKED_DECIMAL_ENH to
484+S390_VECTOR_PACKED_DECIMAL.
485+
486+[merged <20210701084348.26556-1-borntraeger@de.ibm.com>]
487+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
488+Message-Id: <20210622201923.150205-2-borntraeger@de.ibm.com>
489+Reviewed-by: David Hildenbrand <david@redhat.com>
490+Signed-off-by: Cornelia Huck <cohuck@redhat.com>
491+
492+Origin: backport, https://git.qemu.org/?p=qemu.git;a=commit;h=fb4a081216
493+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1932175
494+Last-Update: 2021-08-16
495+
496+---
497+ target/s390x/cpu_features_def.h.inc | 5 +++++
498+ target/s390x/cpu_models.c | 6 ++++++
499+ target/s390x/gen-features.c | 14 ++++++++++++++
500+ 3 files changed, 25 insertions(+)
501+
502+--- a/target/s390x/cpu_features_def.h.inc
503++++ b/target/s390x/cpu_features_def.h.inc
504+@@ -109,6 +109,11 @@ DEF_FEAT(VECTOR_PACKED_DECIMAL_ENH, "vxp
505+ DEF_FEAT(MSA_EXT_9, "msa9-base", STFL, 155, "Message-security-assist-extension-9 facility (excluding subfunctions)")
506+ DEF_FEAT(ETOKEN, "etoken", STFL, 156, "Etoken facility")
507+ DEF_FEAT(UNPACK, "unpack", STFL, 161, "Unpack facility")
508++DEF_FEAT(NNPA, "nnpa", STFL, 165, "NNPA facility")
509++DEF_FEAT(VECTOR_PACKED_DECIMAL_ENH2, "vxpdeh2", STFL, 192, "Vector-Packed-Decimal-Enhancement facility 2")
510++DEF_FEAT(BEAR_ENH, "beareh", STFL, 193, "BEAR-enhancement facility")
511++DEF_FEAT(RDP, "rdp", STFL, 194, "Reset-DAT-protection facility")
512++DEF_FEAT(PAI, "pai", STFL, 196, "Processor-Activity-Instrumentation facility")
513+
514+ /* Features exposed via SCLP SCCB Byte 80 - 98 (bit numbers relative to byte-80) */
515+ DEF_FEAT(SIE_GSLS, "gsls", SCLP_CONF_CHAR, 40, "SIE: Guest-storage-limit-suppression facility")
516+--- a/target/s390x/cpu_models.c
517++++ b/target/s390x/cpu_models.c
518+@@ -88,6 +88,8 @@ static S390CPUDef s390_cpu_defs[] = {
519+ CPUDEF_INIT(0x3907, 14, 1, 47, 0x08000000U, "z14ZR1", "IBM z14 Model ZR1 GA1"),
520+ CPUDEF_INIT(0x8561, 15, 1, 47, 0x08000000U, "gen15a", "IBM z15 T01 GA1"),
521+ CPUDEF_INIT(0x8562, 15, 1, 47, 0x08000000U, "gen15b", "IBM z15 T02 GA1"),
522++ CPUDEF_INIT(0x3931, 16, 1, 47, 0x08000000U, "gen16a", "IBM 3931 GA1"),
523++ CPUDEF_INIT(0x3932, 16, 1, 47, 0x08000000U, "gen16b", "IBM 3932 GA1"),
524+ };
525+
526+ #define QEMU_MAX_CPU_TYPE 0x2964
527+@@ -812,6 +814,8 @@ static void check_consistency(const S390
528+ { S390_FEAT_MSA_EXT_9, S390_FEAT_MSA_EXT_4 },
529+ { S390_FEAT_MULTIPLE_EPOCH, S390_FEAT_TOD_CLOCK_STEERING },
530+ { S390_FEAT_VECTOR_PACKED_DECIMAL, S390_FEAT_VECTOR },
531++ { S390_FEAT_VECTOR_PACKED_DECIMAL_ENH, S390_FEAT_VECTOR_PACKED_DECIMAL },
532++ { S390_FEAT_VECTOR_PACKED_DECIMAL_ENH2, S390_FEAT_VECTOR_PACKED_DECIMAL_ENH },
533+ { S390_FEAT_VECTOR_ENH, S390_FEAT_VECTOR },
534+ { S390_FEAT_INSTRUCTION_EXEC_PROT, S390_FEAT_SIDE_EFFECT_ACCESS_ESOP2 },
535+ { S390_FEAT_SIDE_EFFECT_ACCESS_ESOP2, S390_FEAT_ESOP },
536+@@ -843,6 +847,8 @@ static void check_consistency(const S390
537+ { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH },
538+ { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP },
539+ { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB },
540++ { S390_FEAT_NNPA, S390_FEAT_VECTOR },
541++ { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING },
542+ };
543+ int i;
544+
545+--- a/target/s390x/gen-features.c
546++++ b/target/s390x/gen-features.c
547+@@ -424,6 +424,8 @@ static uint16_t base_GEN15_GA1[] = {
548+ S390_FEAT_MISC_INSTRUCTION_EXT3,
549+ };
550+
551++#define base_GEN16_GA1 EmptyFeat
552++
553+ /* Full features (in order of release)
554+ * Automatically includes corresponding base features.
555+ * Full features are all features this hardware supports even if kvm/QEMU do not
556+@@ -567,6 +569,15 @@ static uint16_t full_GEN15_GA1[] = {
557+ S390_FEAT_UNPACK,
558+ };
559+
560++static uint16_t full_GEN16_GA1[] = {
561++ S390_FEAT_NNPA,
562++ S390_FEAT_VECTOR_PACKED_DECIMAL_ENH2,
563++ S390_FEAT_BEAR_ENH,
564++ S390_FEAT_RDP,
565++ S390_FEAT_PAI,
566++};
567++
568++
569+ /* Default features (in order of release)
570+ * Automatically includes corresponding base features.
571+ * Default features are all features this version of QEMU supports for this
572+@@ -652,6 +663,8 @@ static uint16_t default_GEN15_GA1[] = {
573+ S390_FEAT_ETOKEN,
574+ };
575+
576++#define default_GEN16_GA1 EmptyFeat
577++
578+ /* QEMU (CPU model) features */
579+
580+ static uint16_t qemu_V2_11[] = {
581+@@ -782,6 +795,7 @@ static CpuFeatDefSpec CpuFeatDef[] = {
582+ CPU_FEAT_INITIALIZER(GEN14_GA1),
583+ CPU_FEAT_INITIALIZER(GEN14_GA2),
584+ CPU_FEAT_INITIALIZER(GEN15_GA1),
585++ CPU_FEAT_INITIALIZER(GEN16_GA1),
586+ };
587+
588+ #define FEAT_GROUP_INITIALIZER(_name) \
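Review bot: besides the gen16a/gen16b models, the `check_consistency` hunk adds `{ S390_FEAT_VECTOR_PACKED_DECIMAL_ENH, S390_FEAT_VECTOR_PACKED_DECIMAL }`, which the commit message calls a fix for z15 and therefore affects the consistency check for existing z15 models too; that deserves a mention in the changelog entry rather than being hidden under "add new 3931 and 3932 machines". `default_GEN16_GA1` being `EmptyFeat` means `-cpu gen16a` exposes none of the five new facilities unless a user enables them explicitly, as the description says, so no behaviour change for existing guests is expected.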
589diff --git a/debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch b/debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
590new file mode 100644
591index 0000000..9212ada
592--- /dev/null
593+++ b/debian/patches/usb-limit-combined-packets-to-1-MiB-CVE-2021-3527.patch
594@@ -0,0 +1,37 @@
595+Commit-Id: 05a40b172e4d691371534828078be47e7fff524c
596+From: Gerd Hoffmann <kraxel@redhat.com>
597+Date: Mon, 3 May 2021 15:29:15 +0200
598+Subject: usb: limit combined packets to 1 MiB (CVE-2021-3527)
599+Bug-Debian: https://bugs.debian.org/988157
600+
601+usb-host and usb-redirect try to batch bulk transfers by combining many
602+small usb packets into a single, large transfer request, to reduce the
603+overhead and improve performance.
604+
605+This patch adds a size limit of 1 MiB for those combined packets to
606+restrict the host resources the guest can bind that way.
607+
608+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
609+Message-Id: <20210503132915.2335822-6-kraxel@redhat.com>
610+---
611+ hw/usb/combined-packet.c | 4 +++-
612+ 1 file changed, 3 insertions(+), 1 deletion(-)
613+
614+diff --git a/hw/usb/combined-packet.c b/hw/usb/combined-packet.c
615+index 5d57e883dc..e56802f89a 100644
616+--- a/hw/usb/combined-packet.c
617++++ b/hw/usb/combined-packet.c
618+@@ -171,7 +171,9 @@ void usb_ep_combine_input_packets(USBEndpoint *ep)
619+ if ((p->iov.size % ep->max_packet_size) != 0 || !p->short_not_ok ||
620+ next == NULL ||
621+ /* Work around for Linux usbfs bulk splitting + migration */
622+- (totalsize == (16 * KiB - 36) && p->int_req)) {
623++ (totalsize == (16 * KiB - 36) && p->int_req) ||
624++ /* Next package may grow combined package over 1MiB */
625++ totalsize > 1 * MiB - ep->max_packet_size) {
626+ usb_device_handle_data(ep->dev, first);
627+ assert(first->status == USB_RET_ASYNC);
628+ if (first->combined) {
629+--
630+2.30.2
631+
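Review bot: the new clause `totalsize > 1 * MiB - ep->max_packet_size` flushes the combined transfer before the next packet could push it past 1 MiB, so the bound holds without a separate check after the append; `MiB` comes from the same header as the `KiB` already used in the existing context line, so no include change is needed.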
632diff --git a/debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch b/debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
633new file mode 100644
634index 0000000..4725d63
635--- /dev/null
636+++ b/debian/patches/usb-redir-avoid-dynamic-stack-allocation-CVE-2021-3527.patch
637@@ -0,0 +1,54 @@
638+Commit-Id: 7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
639+From: Gerd Hoffmann <kraxel@redhat.com>
640+Date: Mon, 3 May 2021 15:29:12 +0200
641+Subject: usb/redir: avoid dynamic stack allocation (CVE-2021-3527)
642+MIME-Version: 1.0
643+Content-Type: text/plain; charset=UTF-8
644+Content-Transfer-Encoding: 8bit
645+Bug-Debian: https://bugs.debian.org/988157
646+
647+Use autofree heap allocation instead.
648+
649+Fixes: 4f4321c11ff ("usb: use iovecs in USBPacket")
650+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
651+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
652+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
653+Message-Id: <20210503132915.2335822-3-kraxel@redhat.com>
654+---
655+ hw/usb/redirect.c | 6 +++---
656+ 1 file changed, 3 insertions(+), 3 deletions(-)
657+
658+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
659+index 17f06f3417..6a75b0dc4a 100644
660+--- a/hw/usb/redirect.c
661++++ b/hw/usb/redirect.c
662+@@ -620,7 +620,7 @@ static void usbredir_handle_iso_data(USBRedirDevice *dev, USBPacket *p,
663+ .endpoint = ep,
664+ .length = p->iov.size
665+ };
666+- uint8_t buf[p->iov.size];
667++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
668+ /* No id, we look at the ep when receiving a status back */
669+ usb_packet_copy(p, buf, p->iov.size);
670+ usbredirparser_send_iso_packet(dev->parser, 0, &iso_packet,
671+@@ -818,7 +818,7 @@ static void usbredir_handle_bulk_data(USBRedirDevice *dev, USBPacket *p,
672+ usbredirparser_send_bulk_packet(dev->parser, p->id,
673+ &bulk_packet, NULL, 0);
674+ } else {
675+- uint8_t buf[size];
676++ g_autofree uint8_t *buf = g_malloc(size);
677+ usb_packet_copy(p, buf, size);
678+ usbredir_log_data(dev, "bulk data out:", buf, size);
679+ usbredirparser_send_bulk_packet(dev->parser, p->id,
680+@@ -923,7 +923,7 @@ static void usbredir_handle_interrupt_out_data(USBRedirDevice *dev,
681+ USBPacket *p, uint8_t ep)
682+ {
683+ struct usb_redir_interrupt_packet_header interrupt_packet;
684+- uint8_t buf[p->iov.size];
685++ g_autofree uint8_t *buf = g_malloc(p->iov.size);
686+
687+ DPRINTF("interrupt-out ep %02X len %zd id %"PRIu64"\n", ep,
688+ p->iov.size, p->id);
689+--
690+2.30.2
691+
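Review bot: the three hunks in hw/usb/redirect.c replace VLAs sized from the guest-controlled `p->iov.size` / `size` with `g_autofree` heap buffers, which removes the stack overflow but not the guest's control over the size; `g_malloc()` aborts the process instead of returning NULL on allocation failure, so this patch relies on the combined-packet 1 MiB cap for the upper bound. It would be worth stating that dependency in the patch header next to the `Bug-Debian:` line, and adding the LP bug reference if one exists, so a later rebase does not pick up one patch without the other.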
692diff --git a/debian/rules b/debian/rules
693index ab302ed..7b8f6cb 100755
694--- a/debian/rules
695+++ b/debian/rules
696@@ -128,8 +128,9 @@ ifneq ($(filter $(DEB_HOST_ARCH),amd64),)
697 # microvm system
698 rm -rf b/qemu-microvm; mkdir -p b/qemu-microvm
699 cd b/qemu-microvm && \
700- ../../configure ${common_configure_opts} --disable-user \
701- --enable-system --enable-kvm \
702+ ../../configure ${common_configure_opts} \
703+ --extra-cflags="$(CFLAGS) $(CPPFLAGS) -DCONFIG_MICROVM_DEFAULT=1" \
704+ --disable-user --enable-system --enable-kvm \
705 --disable-linux-user --disable-modules --disable-docs \
706 --disable-libssh --disable-tcmalloc --disable-glusterfs \
707 --disable-seccomp --disable-bzip2 --disable-slirp --disable-vde \
708@@ -155,7 +156,30 @@ ifneq ($(filter $(DEB_HOST_ARCH),amd64),)
709 --without-default-devices \
710 $(QEMU_CONFIGURE_OPTIONS) || \
711 { echo ===== CONFIGURE FAILED ===; tail -n 50 config.log; exit 1; }
712- echo "#define CONFIG_MICROVM_DEFAULT 1" >> b/qemu-microvm/x86_64-softmmu/config-target.h
713+endif
714+
715+ifeq ($(VENDOR),UBUNTU)
716+ifneq ($(filter $(DEB_HOST_ARCH),amd64 i386),)
717+# like above but with:
718+# --enable-xen
719+# --disable-linux-user (not needed for this binary)
720+# reduced --target-list as needed for xen
721+# xen can only be configured on x86, so skip other build architectures
722+ # system build for qemu-system-x86-xen
723+ rm -rf b/qemu-xen; mkdir -p b/qemu-xen
724+ cd b/qemu-xen && \
725+ ../../configure ${common_configure_opts} --disable-user \
726+ --${enable_system}-system \
727+ --disable-linux-user \
728+ --enable-xen \
729+ --target-list="aarch64-softmmu arm-softmmu i386-softmmu x86_64-softmmu"
730+ --enable-modules \
731+ --enable-module-upgrades \
732+ $(shell sh debian/extract-config-opts \
733+ $(DEB_HOST_ARCH_OS)-$(DEB_HOST_ARCH) debian/control) \
734+ $(QEMU_CONFIGURE_OPTIONS) || \
735+ { echo ===== CONFIGURE FAILED ===; tail -n 50 config.log; exit 1; }
736+endif
737 endif
738
739 ifeq ($(VENDOR),UBUNTU)
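Review bot: the line `--target-list="aarch64-softmmu arm-softmmu i386-softmmu x86_64-softmmu"` has no trailing `\`, so the configure command ends there: `--enable-modules`, `--enable-module-upgrades`, the `debian/extract-config-opts` output and `$(QEMU_CONFIGURE_OPTIONS)` are never passed, and the next recipe line tries to execute `--enable-modules` as a shell command, whose failure then triggers the `CONFIGURE FAILED` branch against the wrong config.log. Add the continuation backslash. Two smaller points: the comment `xen can only be configured on x86, so skip other build architectures` does not match the aarch64/arm targets in the list (and the `amd64 i386` arch filter), and the new `ifeq ($(VENDOR),UBUNTU)` block ends immediately before an existing `ifeq ($(VENDOR),UBUNTU)` (the last context line of this hunk), so the two could be folded into one block.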
740@@ -402,7 +426,7 @@ endif # enable_linux_user
741 dh_install -a
742 dh_missing --list-missing
743 dh_installdocs -a -Nqemu-user-binfmt
744- dh_installchangelogs -a -Nqemu-user-binfmt -XChangelog
745+ dh_installchangelogs -a -Nqemu-user-binfmt
746 dh_installdocs -a -pqemu-user-binfmt --link-doc=qemu-user
747 dh_installman -a
748 dh_installudev -a
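Review bot: dropping `-XChangelog` from `dh_installchangelogs -a -Nqemu-user-binfmt` changes which upstream changelog files dh installs into the binary packages; if that is intentional it should be called out in debian/changelog so the next merge does not silently revert it, and if it is a leftover from resolving the surrounding conflict it should be restored.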
749@@ -417,7 +441,11 @@ endif
750 dh_installsystemd -a -pqemu-system-common --no-restart-on-upgrade --name=qemu-kvm
751 dh_installinit -a -pqemu-guest-agent
752 dh_installsystemd -a -pqemu-guest-agent --no-start --no-enable
753+<<<<<<< debian/rules
754 dh_installsystemd -a -pqemu-block-extra --no-restart-on-upgrade --name=run-qemu.mount
755+=======
756+ dh_installsystemd -a -pqemu-block-extra --no-start --no-enable --no-restart-on-upgrade --name=run-qemu.mount
757+>>>>>>> debian/rules
758 dh_link -a
759 dh_lintian -a
760 dh_strip -a
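Review bot: this hunk still carries unresolved conflict markers (`<<<<<<< debian/rules`, `=======`, `>>>>>>> debian/rules`), which make cannot parse, so the package will not build as proposed. The two sides differ only in whether the `run-qemu.mount` unit for qemu-block-extra is installed with `--no-start --no-enable`; resolve to a single `dh_installsystemd -a -pqemu-block-extra ...` line and decide explicitly which behaviour is wanted, since the `--no-start --no-enable` form matches how `qemu-guest-agent` is handled two lines above while the other side lets the mount unit be started and enabled on install.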
