<feed xmlns='http://www.w3.org/2005/Atom'>
<title>qemu/qemu.git, branch stable-3.0</title>
<subtitle>QEMU main repository</subtitle>
<id>https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/atom?h=stable-3.0</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/atom?h=stable-3.0'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/'/>
<updated>2019-04-12T03:27:39+00:00</updated>
<entry>
<title>Update version for 3.0.1 release</title>
<updated>2019-04-12T03:27:39+00:00</updated>
<author>
<name>Michael Roth</name>
<email>mdroth@linux.vnet.ibm.com</email>
</author>
<published>2019-04-12T03:27:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=1dfcf652e6ae5eb6b98d2c55a509e8eb054a2fab'/>
<id>urn:sha1:1dfcf652e6ae5eb6b98d2c55a509e8eb054a2fab</id>
<content type='text'>
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vhost-user: Fix userfaultfd leak</title>
<updated>2019-04-08T21:50:20+00:00</updated>
<author>
<name>Ilya Maximets</name>
<email>i.maximets@samsung.com</email>
</author>
<published>2018-10-08T16:05:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=a4a50214137f7f46c52fc90b6ba5f084e4f9c88e'/>
<id>urn:sha1:a4a50214137f7f46c52fc90b6ba5f084e4f9c88e</id>
<content type='text'>
'fd' received from the vhost side is never freed.
Also, everything (including 'postcopy_listen' state) should be
cleaned up on vhost cleanup.

Fixes: 46343570c06e ("vhost+postcopy: Wire up POSTCOPY_END notify")
Fixes: f82c11165ffa ("vhost+postcopy: Register shared ufd with postcopy")
Cc: qemu-stable@nongnu.org
Signed-off-by: Ilya Maximets &lt;i.maximets@samsung.com&gt;
Message-Id: &lt;20181008160536.6332-3-i.maximets@samsung.com&gt;
Reviewed-by: Dr. David Alan Gilbert &lt;dgilbert@redhat.com&gt;
Reviewed-by: Maxime Coquelin &lt;maxime.coquelin@redhat.com&gt;
Signed-off-by: Dr. David Alan Gilbert &lt;dgilbert@redhat.com&gt;
(cherry picked from commit c4f753859ae6da1aeb93cad19c586fea1925e269)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>vhost-user: Don't ask for reply on postcopy mem table set</title>
<updated>2019-04-08T21:47:37+00:00</updated>
<author>
<name>Ilya Maximets</name>
<email>i.maximets@samsung.com</email>
</author>
<published>2018-10-02T14:09:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=a0380bdae91be55e38af3d9e1ba30e82a5abecea'/>
<id>urn:sha1:a0380bdae91be55e38af3d9e1ba30e82a5abecea</id>
<content type='text'>
According to documentation, NEED_REPLY_MASK should not be set
for VHOST_USER_SET_MEM_TABLE request in postcopy mode.
This restriction was mistakenly applied to 'reply_supported'
variable, which is local and used only for non-postcopy case.

CC: Dr. David Alan Gilbert &lt;dgilbert@redhat.com&gt;
Fixes: 9bb38019942c ("vhost+postcopy: Send address back to qemu")
Signed-off-by: Ilya Maximets &lt;i.maximets@samsung.com&gt;
Message-Id: &lt;20181002140947.4107-1-i.maximets@samsung.com&gt;
Reviewed-by: Maxime Coquelin &lt;maxime.coquelin@redhat.com&gt;
Signed-off-by: Dr. David Alan Gilbert &lt;dgilbert@redhat.com&gt;
(cherry picked from commit 5ce43896e1679e706db1562d0e2d86ad428ed1e6)
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>ppc/pnv: check size before data buffer access</title>
<updated>2019-04-02T18:17:03+00:00</updated>
<author>
<name>Prasad J Pandit</name>
<email>pjp@fedoraproject.org</email>
</author>
<published>2018-10-26T12:33:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=8d2527617218cc65dfd978432b5e2159eb87ae5a'/>
<id>urn:sha1:8d2527617218cc65dfd978432b5e2159eb87ae5a</id>
<content type='text'>
While performing PowerNV memory r/w operations, the access length
'sz' could exceed the data[4] buffer size. Add check to avoid OOB
access.

Reported-by: Moguofang &lt;moguofang@huawei.com&gt;
Signed-off-by: Prasad J Pandit &lt;pjp@fedoraproject.org&gt;
Reviewed-by: Cédric Le Goater &lt;clg@kaod.org&gt;
Signed-off-by: David Gibson &lt;david@gibson.dropbear.id.au&gt;
(cherry picked from commit d07945e78eb6b593cd17a4640c1fc9eb35e3245d)
*CVE-2018-18954
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>slirp: check data length while emulating ident function</title>
<updated>2019-04-02T18:16:34+00:00</updated>
<author>
<name>Prasad J Pandit</name>
<email>pjp@fedoraproject.org</email>
</author>
<published>2019-01-13T17:59:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=345fab6ffe57b0bf6dccbc0844f45f77b91d9de0'/>
<id>urn:sha1:345fab6ffe57b0bf6dccbc0844f45f77b91d9de0</id>
<content type='text'>
While emulating identification protocol, tcp_emu() does not check
available space in the 'sc_rcv-&gt;sb_data' buffer. It could lead to
heap buffer overflow issue. Add check to avoid it.

Reported-by: Kira &lt;864786842@qq.com&gt;
Signed-off-by: Prasad J Pandit &lt;pjp@fedoraproject.org&gt;
Signed-off-by: Samuel Thibault &lt;samuel.thibault@ens-lyon.org&gt;
(cherry picked from commit a7104eda7dab99d0cdbd3595c211864cba415905)
*CVE-2019-6778
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>lsi53c895a: check message length value is valid</title>
<updated>2019-04-02T18:15:18+00:00</updated>
<author>
<name>Prasad J Pandit</name>
<email>pjp@fedoraproject.org</email>
</author>
<published>2018-10-26T19:43:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7'/>
<id>urn:sha1:bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7</id>
<content type='text'>
While writing a message in 'lsi_do_msgin', message length value
in 'msg_len' could be invalid due to an invalid migration stream.
Add an assertion to avoid an out of bounds access, and reject
the incoming migration data if it contains an invalid message
length.

Discovered by Deja vu Security. Reported by Oracle.

Signed-off-by: Prasad J Pandit &lt;pjp@fedoraproject.org&gt;
Message-Id: &lt;20181026194314.18663-1-ppandit@redhat.com&gt;
Signed-off-by: Paolo Bonzini &lt;pbonzini@redhat.com&gt;
(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
*CVE-2018-18849
*avoid context dep. on c921370b22c
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>seccomp: set the seccomp filter to all threads</title>
<updated>2019-04-02T18:11:49+00:00</updated>
<author>
<name>Marc-André Lureau</name>
<email>marcandre.lureau@redhat.com</email>
</author>
<published>2018-08-22T17:02:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=f43a6b314aa506afd70b56767ba704ddd5cbde2e'/>
<id>urn:sha1:f43a6b314aa506afd70b56767ba704ddd5cbde2e</id>
<content type='text'>
When using "-seccomp on", the seccomp policy is only applied to the
main thread, the vcpu worker thread and other worker threads created
after seccomp policy is applied; the seccomp policy is not applied to
e.g. the RCU thread because it is created before the seccomp policy is
applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.

This can be verified with
for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
Seccomp:	2
Seccomp:	0
Seccomp:	0
Seccomp:	2
Seccomp:	2
Seccomp:	2

Starting with libseccomp 2.2.0 and kernel &gt;= 3.17, we can use
seccomp_attr_set(ctx, &gt; SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
on all threads.

libseccomp requirement was bumped to 2.2.0 in previous patch.
libseccomp should fail to set the filter if it can't honour
SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
kernel &lt; 3.17.

Signed-off-by: Marc-André Lureau &lt;marcandre.lureau@redhat.com&gt;
Acked-by: Eduardo Otubo &lt;otubo@redhat.com&gt;
(cherry picked from commit 70dfabeaa79ba4d7a3b699abe1a047c8012db114)
*CVE-2018-15746
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>configure: require libseccomp 2.2.0</title>
<updated>2019-04-02T18:11:31+00:00</updated>
<author>
<name>Marc-André Lureau</name>
<email>marcandre.lureau@redhat.com</email>
</author>
<published>2018-08-22T17:02:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=9d01327689a786beba7aabab76816f689aa2565f'/>
<id>urn:sha1:9d01327689a786beba7aabab76816f689aa2565f</id>
<content type='text'>
The following patch is going to require TSYNC, which is only available
since libseccomp 2.2.0.

libseccomp 2.2.0 was released February 12, 2015.

According to repology, libseccomp version in different distros:

  RHEL-7: 2.3.1
  Debian (Stretch): 2.3.1
  OpenSUSE Leap 15: 2.3.2
  Ubuntu (Xenial):  2.3.1

This will drop support for -sandbox on:

  Debian (Jessie): 2.1.1 (but 2.2.3 in backports)

Signed-off-by: Marc-André Lureau &lt;marcandre.lureau@redhat.com&gt;
Acked-by: Eduardo Otubo &lt;otubo@redhat.com&gt;
(cherry picked from commit d0699bd37c48067cffbd80383172efc29da6d2f9)
*CVE-2018-15746
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>seccomp: prefer SCMP_ACT_KILL_PROCESS if available</title>
<updated>2019-04-02T18:11:03+00:00</updated>
<author>
<name>Marc-André Lureau</name>
<email>marcandre.lureau@redhat.com</email>
</author>
<published>2018-08-22T17:02:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=9ad3314fa32a555c880344b960702af85ad6a231'/>
<id>urn:sha1:9ad3314fa32a555c880344b960702af85ad6a231</id>
<content type='text'>
The upcoming libseccomp release should have SCMP_ACT_KILL_PROCESS
action (https://github.com/seccomp/libseccomp/issues/96).

SCMP_ACT_KILL_PROCESS is preferable to immediately terminate the
offending process, rather than having the SIGSYS handler running.

Use SECCOMP_GET_ACTION_AVAIL to check availability of kernel support,
as libseccomp will fallback on SCMP_ACT_KILL otherwise, and we still
prefer SCMP_ACT_TRAP.

Signed-off-by: Marc-André Lureau &lt;marcandre.lureau@redhat.com&gt;
Reviewed-by: Daniel P. Berrangé &lt;berrange@redhat.com&gt;
Acked-by: Eduardo Otubo &lt;otubo@redhat.com&gt;
(cherry picked from commit bda08a5764d470f101fa38635d30b41179a313e1)
*CVE-2018-15746
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
<entry>
<title>seccomp: use SIGSYS signal instead of killing the thread</title>
<updated>2019-04-02T18:10:37+00:00</updated>
<author>
<name>Marc-André Lureau</name>
<email>marcandre.lureau@redhat.com</email>
</author>
<published>2018-08-22T17:02:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/virt/qemu/qemu.git/commit/?id=8eba63e1d246b2a40a96519951d4079a806e1b27'/>
<id>urn:sha1:8eba63e1d246b2a40a96519951d4079a806e1b27</id>
<content type='text'>
The seccomp action SCMP_ACT_KILL results in immediate termination of
the thread that made the bad system call. However, qemu being
multi-threaded, it keeps running. There is no easy way for parent
process / management layer (libvirt) to know about that situation.

Instead, the default SIGSYS handler when invoked with SCMP_ACT_TRAP
will terminate the program and core dump.

This may not be the most secure solution, but probably better than
just killing the offending thread. SCMP_ACT_KILL_PROCESS has been
added in Linux 4.14 to improve the situation, which I propose to use
by default if available in the next patch.

Related to:
https://bugzilla.redhat.com/show_bug.cgi?id=1594456

Signed-off-by: Marc-André Lureau &lt;marcandre.lureau@redhat.com&gt;
Reviewed-by: Daniel P. Berrangé &lt;berrange@redhat.com&gt;
Acked-by: Eduardo Otubo &lt;otubo@redhat.com&gt;
(cherry picked from commit 6f2231e9b0931e1998d9ed0c509adf7aedc02db2)
*CVE-2018-15746
Signed-off-by: Michael Roth &lt;mdroth@linux.vnet.ibm.com&gt;
</content>
</entry>
</feed>
