futurile/guix-play
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gnu: QEMU: Update to 5.0.0.

Browse Source 
* gnu/packages/patches/qemu-CVE-2020-1711.patch,
gnu/packages/patches/qemu-CVE-2020-7039.patch,
gnu/packages/patches/qemu-CVE-2020-7211.patch,
gnu/packages/patches/qemu-CVE-2020-8608.patch,
gnu/packages/patches/qemu-fix-documentation-build-failure.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Adjust accordingly.
* gnu/packages/virtualization.scm (qemu)[source](patches): Remove.
[arguments]: Add phase 'patch-/bin/sh-references'.  In the 'configure' phase,
add shebang substitutions.  Remove phase 'prevent-network-configuration'.
[inputs]: Change from LIBCAP to LIBCAP-NG.
This commit is contained in:
Marius Bakke 2020-05-08 21:43:04 +02:00
parent 4bdf4182fe
commit 35c43fcdbb
No known key found for this signature in database
GPG Key ID: A2A06DF2A33A54FA
7 changed files with 22 additions and 624 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
gnu/local.mk
View File

@ -1434,11 +1434,6 @@ dist_patch_DATA = \
%D%/packages/patches/python-unittest2-remove-argparse.patch \ %D%/packages/patches/python-unittest2-remove-argparse.patch \
%D%/packages/patches/python-waitress-fix-tests.patch \ %D%/packages/patches/python-waitress-fix-tests.patch \
%D%/packages/patches/qemu-glibc-2.27.patch \ %D%/packages/patches/qemu-glibc-2.27.patch \
%D%/packages/patches/qemu-CVE-2020-1711.patch \
%D%/packages/patches/qemu-CVE-2020-7039.patch \
%D%/packages/patches/qemu-CVE-2020-7211.patch \
%D%/packages/patches/qemu-CVE-2020-8608.patch \
%D%/packages/patches/qemu-fix-documentation-build-failure.patch \
%D%/packages/patches/qrcodegen-cpp-make-install.patch \ %D%/packages/patches/qrcodegen-cpp-make-install.patch \
%D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtbase-moc-ignore-gcc-macro.patch \ %D%/packages/patches/qtbase-moc-ignore-gcc-macro.patch \

69
gnu/packages/patches/qemu-CVE-2020-1711.patch
View File

@ -1,69 +0,0 @@
Fix CVE-2020-1711:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1711
Patch copied from upstream source repository:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc
From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
From: Felipe Franciosi <felipe@nutanix.com>
Date: Thu, 23 Jan 2020 12:44:59 +0000
Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
When querying an iSCSI server for the provisioning status of blocks (via
GET LBA STATUS), Qemu only validates that the response descriptor zero's
LBA matches the one requested. Given the SCSI spec allows servers to
respond with the status of blocks beyond the end of the LUN, Qemu may
have its heap corrupted by clearing/setting too many bits at the end of
its allocmap for the LUN.
A malicious guest in control of the iSCSI server could carefully program
Qemu's heap (by selectively setting the bitmap) and then smash it.
This limits the number of bits that iscsi_co_block_status() will try to
update in the allocmap so it can't overflow the bitmap.
Fixes: CVE-2020-1711
Cc: qemu-stable@nongnu.org
Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/iscsi.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/block/iscsi.c b/block/iscsi.c
index 2aea7e3f13..cbd57294ab 100644
--- a/block/iscsi.c
+++ b/block/iscsi.c
@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
struct scsi_get_lba_status *lbas = NULL;
struct scsi_lba_status_descriptor *lbasd = NULL;
struct IscsiTask iTask;
- uint64_t lba;
+ uint64_t lba, max_bytes;
int ret;
iscsi_co_init_iscsitask(iscsilun, &iTask);
@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
}
lba = offset / iscsilun->block_size;
+ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
qemu_mutex_lock(&iscsilun->mutex);
retry:
@@ -764,7 +765,7 @@ retry:
goto out_unlock;
}
- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
+ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
--
2.25.0

173
gnu/packages/patches/qemu-CVE-2020-7039.patch
View File

@ -1,173 +0,0 @@
Fix CVE-2020-7039:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039
Patches copied from upstream dependency repository:
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80
From 2655fffed7a9e765bcb4701dd876e9dab975f289 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Wed, 8 Jan 2020 00:58:48 +0100
Subject: [PATCH] tcp_emu: Fix oob access
The main loop only checks for one available byte, while we sometimes
need two bytes.
---
CHANGELOG.md | 1 +
src/tcp_subr.c | 7 +++++++
2 files changed, 8 insertions(+)
#diff --git a/CHANGELOG.md b/CHANGELOG.md
#index 00d0ce2..5cf94a8 100644
#--- a/CHANGELOG.md
#+++ b/CHANGELOG.md
#@@ -20,6 +20,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
# ### Fixed
#
# - ncsi: fix checksum OOB memory access
#+ - `tcp_emu()`: fix OOB accesses
#
# ## [4.1.0] - 2019-12-02
#
diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index 382aa38..9c1bdec 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -871,6 +871,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
break;
case 5:
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
+
/*
* The difference between versions 1.0 and
* 2.0 is here. For future versions of
@@ -886,6 +889,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
/* This is the field containing the port
* number that RA-player is listening to.
*/
+
+ if (bptr == m->m_data + m->m_len - 1)
+ return 1; /* We need two bytes */
+
lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
if (lport < 6970)
lport += 256; /* don't know why */
--
2.24.1
From ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:27 +0530
Subject: [PATCH] slirp: use correct size while emulating IRC commands
While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
'm->m_size' to write DCC commands via snprintf(3). This may
lead to OOB write access, because 'bptr' points somewhere in
the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
size to avoid OOB access.
Reported-by: Vishnu Dev TJ <vishnudevtj@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
---
src/tcp_subr.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index 9c1bdec..ee7a938 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -763,7 +763,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), 1);
} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
@@ -773,8 +774,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len +=
- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
@@ -784,8 +785,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len +=
- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
(unsigned long)ntohl(so->so_faddr.s_addr),
ntohs(so->so_fport), n1, 1);
}
--
2.24.1
From 82ebe9c370a0e2970fb5695aa19aa5214a6a1c80 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 9 Jan 2020 15:12:28 +0530
Subject: [PATCH] slirp: use correct size while emulating commands
While emulating services in tcp_emu(), it uses 'mbuf' size
'm->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
size to avoid possible OOB access.
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
---
src/tcp_subr.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index ee7a938..177dfd2 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -681,7 +681,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, m->m_size - m->m_len,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
n5, n6, x == 7 ? buff : "");
return 1;
@@ -716,8 +716,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len +=
- snprintf(bptr, m->m_size - m->m_len,
+ m->m_len += snprintf(bptr, M_FREEROOM(m),
"27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
@@ -743,8 +742,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len =
- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
+ m->m_len = snprintf(m->m_data, M_ROOM(m),
+ "%d", ntohs(so->so_fport)) + 1;
return 1;
case EMU_IRC:
--
2.24.1

49
gnu/packages/patches/qemu-CVE-2020-7211.patch
View File

@ -1,49 +0,0 @@
Fix CVE-2020-7211:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7211
Patch copied from upstream dependency repository:
https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4
From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 13 Jan 2020 17:44:31 +0530
Subject: [PATCH] slirp: tftp: restrict relative path access
tftp restricts relative or directory path access on Linux systems.
Apply same restrictions on Windows systems too. It helps to avoid
directory traversal issue.
Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
---
src/tftp.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/tftp.c b/src/tftp.c
index 093c2e0..e52e71b 100644
--- a/slirp/src/tftp.c
+++ b/slirp/src/tftp.c
@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
k += 6; /* skipping octet */
/* do sanity checks on the filename */
- if (!strncmp(req_fname, "../", 3) ||
- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
+ if (
+#ifdef G_OS_WIN32
+ strstr(req_fname, "..\\") ||
+ req_fname[strlen(req_fname) - 1] == '\\' ||
+#endif
+ strstr(req_fname, "../") ||
+ req_fname[strlen(req_fname) - 1] == '/') {
tftp_send_error(spt, 2, "Access violation", tp);
return;
}
--
2.24.1

269
gnu/packages/patches/qemu-CVE-2020-8608.patch
View File

@ -1,269 +0,0 @@
Fix CVE-2020-8608:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8608
https://www.openwall.com/lists/oss-security/2020/02/06/2
Patches copied from upstream dependency repository:
https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
https://gitlab.freedesktop.org/slirp/libslirp/commit/30648c03b27fb8d9611b723184216cd3174b6775
From 68ccb8021a838066f0951d4b2817eb6b6f10a843 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Mon, 27 Jan 2020 10:24:14 +0100
Subject: [PATCH] tcp_emu: fix unsafe snprintf() usages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Various calls to snprintf() assume that snprintf() returns "only" the
number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Before patch ce131029, if there isn't enough room in "m_data" for the
"DCC ..." message, we overflow "m_data".
After the patch, if there isn't enough room for the same, we don't
overflow "m_data", but we set "m_len" out-of-bounds. The next time an
access is bounded by "m_len", we'll have a buffer overflow then.
Use slirp_fmt*() to fix potential OOB memory access.
Reported-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-7-marcandre.lureau@redhat.com>
---
src/tcp_subr.c | 44 +++++++++++++++++++++-----------------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/src/tcp_subr.c b/src/tcp_subr.c
index a699117..a72c86b 100644
--- a/slirp/src/tcp_subr.c
+++ b/slirp/src/tcp_subr.c
@@ -643,8 +643,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
NTOHS(n1);
NTOHS(n2);
m_inc(m, snprintf(NULL, 0, "%d,%d\r\n", n1, n2) + 1);
- m->m_len = snprintf(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
- assert(m->m_len < M_ROOM(m));
+ m->m_len = slirp_fmt(m->m_data, M_ROOM(m), "%d,%d\r\n", n1, n2);
} else {
*eol = '\r';
}
@@ -684,9 +683,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
- n5, n6, x == 7 ? buff : "");
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
return 1;
} else if ((bptr = (char *)strstr(m->m_data, "27 Entering")) != NULL) {
/*
@@ -719,10 +718,9 @@ int tcp_emu(struct socket *so, struct mbuf *m)
n4 = (laddr & 0xff);
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
- n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
-
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
return 1;
}
@@ -745,8 +743,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
(so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
htons(lport), SS_FACCEPTONCE)) != NULL)
- m->m_len = snprintf(m->m_data, M_ROOM(m),
- "%d", ntohs(so->so_fport)) + 1;
+ m->m_len = slirp_fmt0(m->m_data, M_ROOM(m),
+ "%d", ntohs(so->so_fport));
return 1;
case EMU_IRC:
@@ -765,10 +763,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "DCC CHAT chat %lu %u%c\n",
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
} else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
&n1) == 4) {
if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
@@ -776,10 +774,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "DCC SEND %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
} else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
&n1) == 4) {
if ((so = tcp_listen(slirp, INADDR_ANY, 0, htonl(laddr),
@@ -787,10 +785,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
return 1;
}
m->m_len = bptr - m->m_data; /* Adjust length */
- m->m_len += snprintf(bptr, M_FREEROOM(m),
- "DCC MOVE %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
+ m->m_len += slirp_fmt(bptr, M_FREEROOM(m),
+ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
}
return 1;
--
2.25.1
From 30648c03b27fb8d9611b723184216cd3174b6775 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Date: Mon, 27 Jan 2020 10:24:09 +0100
Subject: [PATCH] util: add slirp_fmt() helpers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Various calls to snprintf() in libslirp assume that snprintf() returns
"only" the number of bytes written (excluding terminating NUL).
https://pubs.opengroup.org/onlinepubs/9699919799/functions/snprintf.html#tag_16_159_04
"Upon successful completion, the snprintf() function shall return the
number of bytes that would be written to s had n been sufficiently
large excluding the terminating null byte."
Introduce slirp_fmt() that handles several pathological cases the
way libslirp usually expect:
- treat error as fatal (instead of silently returning -1)
- fmt0() will always \0 end
- return the number of bytes actually written (instead of what would
have been written, which would usually result in OOB later), including
the ending \0 for fmt0()
- warn if truncation happened (instead of ignoring)
Other less common cases can still be handled with strcpy/snprintf() etc.
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Message-Id: <20200127092414.169796-2-marcandre.lureau@redhat.com>
---
src/util.c | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/util.h | 3 +++
2 files changed, 65 insertions(+)
diff --git a/src/util.c b/src/util.c
index e596087..e3b6257 100644
--- a/slirp/src/util.c
+++ b/slirp/src/util.c
@@ -364,3 +364,65 @@ void slirp_pstrcpy(char *buf, int buf_size, const char *str)
}
*q = '\0';
}
+
+static int slirp_vsnprintf(char *str, size_t size,
+ const char *format, va_list args)
+{
+ int rv = vsnprintf(str, size, format, args);
+
+ if (rv < 0) {
+ g_error("vsnprintf() failed: %s", g_strerror(errno));
+ }
+
+ return rv;
+}
+
+/*
+ * A snprintf()-like function that:
+ * - returns the number of bytes written (excluding optional \0-ending)
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv > size) {
+ g_critical("vsnprintf() truncation");
+ }
+
+ return MIN(rv, size);
+}
+
+/*
+ * A snprintf()-like function that:
+ * - always \0-end (unless size == 0)
+ * - returns the number of bytes actually written, including \0 ending
+ * - dies on error
+ * - warn on truncation
+ */
+int slirp_fmt0(char *str, size_t size, const char *format, ...)
+{
+ va_list args;
+ int rv;
+
+ va_start(args, format);
+ rv = slirp_vsnprintf(str, size, format, args);
+ va_end(args);
+
+ if (rv >= size) {
+ g_critical("vsnprintf() truncation");
+ if (size > 0)
+ str[size - 1] = '\0';
+ rv = size;
+ } else {
+ rv += 1; /* include \0 */
+ }
+
+ return rv;
+}
diff --git a/src/util.h b/src/util.h
index e9c3073..5530c46 100644
--- a/slirp/src/util.h
+++ b/slirp/src/util.h
@@ -181,4 +181,7 @@ static inline int slirp_socket_set_fast_reuse(int fd)
void slirp_pstrcpy(char *buf, int buf_size, const char *str);
+int slirp_fmt(char *str, size_t size, const char *format, ...);
+int slirp_fmt0(char *str, size_t size, const char *format, ...);
+
#endif
--
2.25.1

43
gnu/packages/patches/qemu-fix-documentation-build-failure.patch
View File

@ -1,43 +0,0 @@
Fix a build failure caused by a texinfo bug:
qemu-doc.texi:41: @menu reference to nonexistent node `QEMU Guest Agent'
Patch copied from upstream source repository:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=80bc935eaaf93e5b9a4efe97abd7c51d645f2612
From 80bc935eaaf93e5b9a4efe97abd7c51d645f2612 Mon Sep 17 00:00:00 2001
From: Thomas Huth <thuth@redhat.com>
Date: Mon, 16 Dec 2019 14:29:41 +0100
Subject: [PATCH] qemu-doc: Remove the unused "Guest Agent" node
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The node has been removed from the texi file some months ago, so we
should remove it from the menu section, too.
Fixes: 27a296fce982 ("qemu-ga: Convert invocation documentation to rST")
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20191216132941.25729-1-thuth@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
qemu-doc.texi | 1 -
1 file changed, 1 deletion(-)
diff --git a/qemu-doc.texi b/qemu-doc.texi
index eea91a2d1e..39f950471f 100644
--- a/qemu-doc.texi
+++ b/qemu-doc.texi
@@ -38,7 +38,6 @@
* Introduction::
* QEMU PC System emulator::
* QEMU System emulator for non PC targets::
-* QEMU Guest Agent::
* QEMU User space emulator::
* System requirements::
* Security::
--
2.24.1

38
gnu/packages/virtualization.scm
View File

@ -14,6 +14,7 @@
;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net> ;;; Copyright © 2020 Jakub Kądziołka <kuba@kadziolka.net>
;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re> ;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2020 Mathieu Othacehe <m.othacehe@gmail.com> ;;; Copyright © 2020 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2020 Marius Bakke <mbakke@fastmail.com>
;;; ;;;
;;; This file is part of GNU Guix. ;;; This file is part of GNU Guix.
;;; ;;;
@ -115,19 +116,14 @@
(define-public qemu (define-public qemu
(package (package
(name "qemu") (name "qemu")
(version "4.2.0") (version "5.0.0")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append "https://download.qemu.org/qemu-" (uri (string-append "https://download.qemu.org/qemu-"
version ".tar.xz")) version ".tar.xz"))
(patches (search-patches "qemu-CVE-2020-1711.patch"
"qemu-CVE-2020-7039.patch"
"qemu-CVE-2020-7211.patch"
"qemu-CVE-2020-8608.patch"
"qemu-fix-documentation-build-failure.patch"))
(sha256 (sha256
(base32 (base32
"1w38hzlw7xp05gcq1nhga7hxvndxy6dfcnzi7q2il8ff110isj6k")))) "1dlcwyshdp94fwd30pddxf9bn2q8dfw5jsvry2gvdj551wmaj4rg"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
`(;; Running tests in parallel can occasionally lead to failures, like: `(;; Running tests in parallel can occasionally lead to failures, like:
@ -169,6 +165,14 @@
'("include") '("include")
input-directories) input-directories)
#t))) #t)))
(add-after 'patch-source-shebangs 'patch-/bin/sh-references
(lambda _
;; Ensure the executables created by these source files reference
;; /bin/sh from the store so they work inside the build container.
(substitute* '("block/cloop.c" "migration/exec.c"
"net/tap.c" "tests/qtest/libqtest.c")
(("/bin/sh") (which "sh")))
#t))
(replace 'configure (replace 'configure
(lambda* (#:key inputs outputs (configure-flags '()) (lambda* (#:key inputs outputs (configure-flags '())
#:allow-other-keys) #:allow-other-keys)
@ -178,8 +182,16 @@
(setenv "SHELL" (which "bash")) (setenv "SHELL" (which "bash"))
;; While we're at it, patch for tests. ;; While we're at it, patch for tests.
(substitute* "tests/libqtest.c" (substitute* "tests/qemu-iotests/check"
(("/bin/sh") (which "sh"))) (("#!/usr/bin/env python3")
(string-append "#!" (which "python3"))))
;; Ensure config.status gets the correct shebang off the bat.
;; The build system gets confused if we change it later and
;; attempts to re-run the whole configury, and fails.
(substitute* "configure"
(("#!/bin/sh")
(string-append "#!" (which "sh"))))
;; The binaries need to be linked against -lrt. ;; The binaries need to be linked against -lrt.
(setenv "LDFLAGS" "-lrt") (setenv "LDFLAGS" "-lrt")
@ -218,12 +230,6 @@ exec smbd $@")))
(chmod "samba-wrapper" #o755) (chmod "samba-wrapper" #o755)
(install-file "samba-wrapper" libexec)) (install-file "samba-wrapper" libexec))
#t)) #t))
(add-before 'configure 'prevent-network-configuration
(lambda _
;; Prevent the build from trying to use git to fetch from the net.
(substitute* "Makefile"
(("@./config.status")
"")) #t))
(add-before 'check 'disable-unusable-tests (add-before 'check 'disable-unusable-tests
(lambda* (#:key inputs outputs #:allow-other-keys) (lambda* (#:key inputs outputs #:allow-other-keys)
(substitute* "tests/Makefile.include" (substitute* "tests/Makefile.include"
@ -245,7 +251,7 @@ exec smbd $@")))
("libaio" ,libaio) ("libaio" ,libaio)
("libattr" ,attr) ("libattr" ,attr)
("libcacard" ,libcacard) ; smartcard support ("libcacard" ,libcacard) ; smartcard support
("libcap" ,libcap) ; virtfs support requires libcap & libattr ("libcap-ng" ,libcap-ng) ; virtfs support requires libcap-ng & libattr
("libdrm" ,libdrm) ("libdrm" ,libdrm)
("libepoxy" ,libepoxy) ("libepoxy" ,libepoxy)
("libjpeg" ,libjpeg-turbo) ("libjpeg" ,libjpeg-turbo)