From e6c28113e6d74c713f8d77bd3d8a543e6871a413 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Thu, 6 Dec 2018 15:12:51 -0500
Subject: gnu: QEMU: Fix CVE-2018-16847 and CVE-2018-16867.

* gnu/packages/patches/qemu-CVE-2018-16847.patch,
gnu/packages/patches/qemu-CVE-2018-16867.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                   |   2 +
 gnu/packages/patches/qemu-CVE-2018-16847.patch | 158 +++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2018-16867.patch |  49 ++++++++
 gnu/packages/virtualization.scm                |   2 +
 4 files changed, 211 insertions(+)
 create mode 100644 gnu/packages/patches/qemu-CVE-2018-16847.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2018-16867.patch

(limited to 'gnu')

diff --git a/gnu/local.mk b/gnu/local.mk
index a400e6223e..a35e5ae7e3 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1111,6 +1111,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-unittest2-remove-argparse.patch	\
   %D%/packages/patches/python-waitress-fix-tests.patch		\
   %D%/packages/patches/qemu-glibc-2.27.patch 			\
+  %D%/packages/patches/qemu-CVE-2018-16847.patch 		\
+  %D%/packages/patches/qemu-CVE-2018-16867.patch 		\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtbase-use-TZDIR.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch
new file mode 100644
index 0000000000..c76bdf764a
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2018-16847.patch
@@ -0,0 +1,158 @@
+Fix CVE-2018-16847:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce
+
+From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 20 Nov 2018 19:41:48 +0100
+Subject: [PATCH] nvme: fix out-of-bounds access to the CMB
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Because the CMB BAR has a min_access_size of 2, if you read the last
+byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
+error.  This is CVE-2018-16847.
+
+Another way to fix this might be to register the CMB as a RAM memory
+region, which would also be more efficient.  However, that might be a
+change for big-endian machines; I didn't think this through and I don't
+know how real hardware works.  Add a basic testcase for the CMB in case
+somebody does this change later on.
+
+Cc: Keith Busch <keith.busch@intel.com>
+Cc: qemu-block@nongnu.org
+Reported-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Tested-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ hw/block/nvme.c        |  2 +-
+ tests/Makefile.include |  2 +-
+ tests/nvme-test.c      | 68 +++++++++++++++++++++++++++++++++++-------
+ 3 files changed, 60 insertions(+), 12 deletions(-)
+
+diff --git a/hw/block/nvme.c b/hw/block/nvme.c
+index 28d284346dd..8c35cab2b43 100644
+--- a/hw/block/nvme.c
++++ b/hw/block/nvme.c
+@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
+     .write = nvme_cmb_write,
+     .endianness = DEVICE_LITTLE_ENDIAN,
+     .impl = {
+-        .min_access_size = 2,
++        .min_access_size = 1,
+         .max_access_size = 8,
+     },
+ };
+diff --git a/tests/Makefile.include b/tests/Makefile.include
+index 613242bc6ef..fb0b449c02a 100644
+--- a/tests/Makefile.include
++++ b/tests/Makefile.include
+@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o
+ tests/machine-none-test$(EXESUF): tests/machine-none-test.o
+ tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y)
+ tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y)
+-tests/nvme-test$(EXESUF): tests/nvme-test.o
++tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y)
+ tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o
+ tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o
+ tests/ac97-test$(EXESUF): tests/ac97-test.o
+diff --git a/tests/nvme-test.c b/tests/nvme-test.c
+index 7674a446e4f..2700ba838aa 100644
+--- a/tests/nvme-test.c
++++ b/tests/nvme-test.c
+@@ -8,25 +8,73 @@
+  */
+ 
+ #include "qemu/osdep.h"
++#include "qemu/units.h"
+ #include "libqtest.h"
++#include "libqos/libqos-pc.h"
++
++static QOSState *qnvme_start(const char *extra_opts)
++{
++    QOSState *qs;
++    const char *arch = qtest_get_arch();
++    const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw "
++                      "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s";
++
++    if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
++        qs = qtest_pc_boot(cmd, extra_opts ? : "");
++        global_qtest = qs->qts;
++        return qs;
++    }
++
++    g_printerr("nvme tests are only available on x86\n");
++    exit(EXIT_FAILURE);
++}
++
++static void qnvme_stop(QOSState *qs)
++{
++    qtest_shutdown(qs);
++}
+ 
+-/* Tests only initialization so far. TODO: Replace with functional tests */
+ static void nop(void)
+ {
++    QOSState *qs;
++
++    qs = qnvme_start(NULL);
++    qnvme_stop(qs);
+ }
+ 
+-int main(int argc, char **argv)
++static void nvmetest_cmb_test(void)
+ {
+-    int ret;
++    const int cmb_bar_size = 2 * MiB;
++    QOSState *qs;
++    QPCIDevice *pdev;
++    QPCIBar bar;
+ 
+-    g_test_init(&argc, &argv, NULL);
+-    qtest_add_func("/nvme/nop", nop);
++    qs = qnvme_start("-global nvme.cmb_size_mb=2");
++    pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
++    g_assert(pdev != NULL);
++
++    qpci_device_enable(pdev);
++    bar = qpci_iomap(pdev, 2, NULL);
++
++    qpci_io_writel(pdev, bar, 0, 0xccbbaa99);
++    g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99);
++    g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99);
++
++    /* Test partially out-of-bounds accesses.  */
++    qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211);
++    g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11);
++    g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211);
++    g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211);
++    g_free(pdev);
+ 
+-    qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw "
+-                "-device nvme,drive=drv0,serial=foo");
+-    ret = g_test_run();
++    qnvme_stop(qs);
++}
+ 
+-    qtest_end();
++int main(int argc, char **argv)
++{
++    g_test_init(&argc, &argv, NULL);
++    qtest_add_func("/nvme/nop", nop);
++    qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test);
+ 
+-    return ret;
++    return g_test_run();
+ }
+-- 
+2.19.2
+
diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch
new file mode 100644
index 0000000000..1403d8e0f8
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2018-16867.patch
@@ -0,0 +1,49 @@
+Fix CVE-2018-16867:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
+https://seclists.org/oss-sec/2018/q4/202
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6
+
+From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 Dec 2018 11:10:45 +0100
+Subject: [PATCH] usb-mtp: outlaw slashes in filenames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Slash is unix directory separator, so they are not allowed in filenames.
+Note this also stops the classic escape via "../".
+
+Fixes: CVE-2018-16867
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20181203101045.27976-3-kraxel@redhat.com
+---
+ hw/usb/dev-mtp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 0f6a9702ef1..100b7171f4e 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
+ 
+     filename = utf16_to_str(dataset->length, dataset->filename);
+ 
++    if (strchr(filename, '/')) {
++        usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
++                             0, 0, 0, 0);
++        return;
++    }
++
+     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
+     if (o != NULL) {
+         next_handle = o->handle;
+-- 
+2.19.2
+
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 2f8e541d40..0502bb38c4 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -100,6 +100,8 @@
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-"
                                  version ".tar.xz"))
+             (patches (search-patches "qemu-CVE-2018-16847.patch"
+                                      "qemu-CVE-2018-16867.patch"))
              (sha256
               (base32
                "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
-- 
cgit v1.2.3