diff --git a/debian/patches/extra/0018-block-gluster-correctly-set-max_pdiscard-which-is-in.patch b/debian/patches/extra/0018-block-gluster-correctly-set-max_pdiscard-which-is-in.patch new file mode 100644 index 0000000..91676e4 --- /dev/null +++ b/debian/patches/extra/0018-block-gluster-correctly-set-max_pdiscard-which-is-in.patch @@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Fabian Ebner +Date: Fri, 6 May 2022 14:38:35 +0200 +Subject: [PATCH] block/gluster: correctly set max_pdiscard which is int64_t + +Previously, max_pdiscard would be zero in the following assertion: +qemu-system-x86_64: ../block/io.c:3166: bdrv_co_pdiscard: Assertion +`max_pdiscard >= bs->bl.request_alignment' failed. + +Fixes: 0c8022876f ("block: use int64_t instead of int in driver discard handlers") +Signed-off-by: Fabian Ebner +Signed-off-by: Thomas Lamprecht +--- + block/gluster.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/block/gluster.c b/block/gluster.c +index 398976bc66..592e71b22a 100644 +--- a/block/gluster.c ++++ b/block/gluster.c +@@ -891,7 +891,7 @@ out: + static void qemu_gluster_refresh_limits(BlockDriverState *bs, Error **errp) + { + bs->bl.max_transfer = GLUSTER_MAX_TRANSFER; +- bs->bl.max_pdiscard = SIZE_MAX; ++ bs->bl.max_pdiscard = INT64_MAX; + } + + static int qemu_gluster_reopen_prepare(BDRVReopenState *state, +@@ -1304,7 +1304,7 @@ static coroutine_fn int qemu_gluster_co_pdiscard(BlockDriverState *bs, + GlusterAIOCB acb; + BDRVGlusterState *s = bs->opaque; + +- assert(bytes <= SIZE_MAX); /* rely on max_pdiscard */ ++ assert(bytes <= INT64_MAX); /* rely on max_pdiscard */ + + acb.size = 0; + acb.ret = 0; diff --git a/debian/patches/extra/0019-ui-vnc.c-Fixed-a-deadlock-bug.patch b/debian/patches/extra/0019-ui-vnc.c-Fixed-a-deadlock-bug.patch new file mode 100644 index 0000000..722ab2c --- /dev/null +++ b/debian/patches/extra/0019-ui-vnc.c-Fixed-a-deadlock-bug.patch @@ -0,0 +1,72 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Rao Lei +Date: Fri, 6 May 2022 14:38:36 +0200 +Subject: [PATCH] ui/vnc.c: Fixed a deadlock bug. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The GDB statck is as follows: +(gdb) bt +0 __lll_lock_wait (futex=futex@entry=0x56211df20360, private=0) at lowlevellock.c:52 +1 0x00007f263caf20a3 in __GI___pthread_mutex_lock (mutex=0x56211df20360) at ../nptl/pthread_mutex_lock.c:80 +2 0x000056211a757364 in qemu_mutex_lock_impl (mutex=0x56211df20360, file=0x56211a804857 "../ui/vnc-jobs.h", line=60) + at ../util/qemu-thread-posix.c:80 +3 0x000056211a0ef8c7 in vnc_lock_output (vs=0x56211df14200) at ../ui/vnc-jobs.h:60 +4 0x000056211a0efcb7 in vnc_clipboard_send (vs=0x56211df14200, count=1, dwords=0x7ffdf1701338) at ../ui/vnc-clipboard.c:138 +5 0x000056211a0f0129 in vnc_clipboard_notify (notifier=0x56211df244c8, data=0x56211dd1bbf0) at ../ui/vnc-clipboard.c:209 +6 0x000056211a75dde8 in notifier_list_notify (list=0x56211afa17d0 , data=0x56211dd1bbf0) at ../util/notify.c:39 +7 0x000056211a0bf0e6 in qemu_clipboard_update (info=0x56211dd1bbf0) at ../ui/clipboard.c:50 +8 0x000056211a0bf05d in qemu_clipboard_peer_release (peer=0x56211df244c0, selection=QEMU_CLIPBOARD_SELECTION_CLIPBOARD) + at ../ui/clipboard.c:41 +9 0x000056211a0bef9b in qemu_clipboard_peer_unregister (peer=0x56211df244c0) at ../ui/clipboard.c:19 +10 0x000056211a0d45f3 in vnc_disconnect_finish (vs=0x56211df14200) at ../ui/vnc.c:1358 +11 0x000056211a0d4c9d in vnc_client_read (vs=0x56211df14200) at ../ui/vnc.c:1611 +12 0x000056211a0d4df8 in vnc_client_io (ioc=0x56211ce70690, condition=G_IO_IN, opaque=0x56211df14200) at ../ui/vnc.c:1649 +13 0x000056211a5b976c in qio_channel_fd_source_dispatch + (source=0x56211ce50a00, callback=0x56211a0d4d71 , user_data=0x56211df14200) at ../io/channel-watch.c:84 +14 0x00007f263ccede8e in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0 +15 0x000056211a77d4a1 in glib_pollfds_poll () at ../util/main-loop.c:232 +16 0x000056211a77d51f in os_host_main_loop_wait (timeout=958545) at ../util/main-loop.c:255 +17 0x000056211a77d630 in main_loop_wait (nonblocking=0) at ../util/main-loop.c:531 +18 0x000056211a45bc8e in qemu_main_loop () at ../softmmu/runstate.c:726 +19 0x000056211a0b45fa in main (argc=69, argv=0x7ffdf1701778, envp=0x7ffdf17019a8) at ../softmmu/main.c:50 + +From the call trace, we can see it is a deadlock bug. +vnc_disconnect_finish will acquire the output_mutex. +But, the output_mutex will be acquired again in vnc_clipboard_send. +Repeated locking will cause deadlock. So, I move +qemu_clipboard_peer_unregister() behind vnc_unlock_output(); + +Fixes: 0bf41cab93e ("ui/vnc: clipboard support") +Signed-off-by: Lei Rao +Reviewed-by: Marc-André Lureau +Message-Id: <20220105020808.597325-1-lei.rao@intel.com> +Signed-off-by: Gerd Hoffmann +(cherry-picked from commit 1dbbe6f172810026c51dc84ed927a3cc23017949) +[FE: trivial backport for 6.2] +Signed-off-by: Fabian Ebner +Signed-off-by: Thomas Lamprecht +--- + ui/vnc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ui/vnc.c b/ui/vnc.c +index af02522e84..b253e85c65 100644 +--- a/ui/vnc.c ++++ b/ui/vnc.c +@@ -1354,12 +1354,12 @@ void vnc_disconnect_finish(VncState *vs) + /* last client gone */ + vnc_update_server_surface(vs->vd); + } ++ vnc_unlock_output(vs); ++ + if (vs->cbpeer.update.notify) { + qemu_clipboard_peer_unregister(&vs->cbpeer); + } + +- vnc_unlock_output(vs); +- + qemu_mutex_destroy(&vs->output_mutex); + if (vs->bh != NULL) { + qemu_bh_delete(vs->bh); diff --git a/debian/patches/extra/0020-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch b/debian/patches/extra/0020-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch new file mode 100644 index 0000000..cac949b --- /dev/null +++ b/debian/patches/extra/0020-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch @@ -0,0 +1,37 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:11:06 +0200 +Subject: [PATCH] display/qxl-render: fix race condition in qxl_cursor + (CVE-2021-4207) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Avoid fetching 'width' and 'height' a second time to prevent possible +race condition. Refer to security advisory +https://starlabs.sg/advisories/22-4207/ for more information. + +Fixes: CVE-2021-4207 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081106.343235-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 9569f5cb5b4bffa9d3ebc8ba7da1e03830a9a895) +Signed-off-by: Thomas Lamprecht +--- + hw/display/qxl-render.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index d28849b121..237ed293ba 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -266,7 +266,7 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + } + break; + case SPICE_CURSOR_TYPE_ALPHA: +- size = sizeof(uint32_t) * cursor->header.width * cursor->header.height; ++ size = sizeof(uint32_t) * c->width * c->height; + qxl_unpack_chunks(c->data, size, qxl, &cursor->chunk, group_id); + if (qxl->debug > 2) { + cursor_print_ascii_art(c, "qxl/alpha"); diff --git a/debian/patches/extra/0021-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch b/debian/patches/extra/0021-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch new file mode 100644 index 0000000..7c295f9 --- /dev/null +++ b/debian/patches/extra/0021-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch @@ -0,0 +1,83 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella +Date: Thu, 7 Apr 2022 10:17:12 +0200 +Subject: [PATCH] ui/cursor: fix integer overflow in cursor_alloc + (CVE-2021-4206) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Prevent potential integer overflow by limiting 'width' and 'height' to +512x512. Also change 'datasize' type to size_t. Refer to security +advisory https://starlabs.sg/advisories/22-4206/ for more information. + +Fixes: CVE-2021-4206 +Signed-off-by: Mauro Matteo Cascella +Reviewed-by: Marc-André Lureau +Message-Id: <20220407081712.345609-1-mcascell@redhat.com> +Signed-off-by: Gerd Hoffmann +(cherry picked from commit fa892e9abb728e76afcf27323ab29c57fb0fe7aa) +Signed-off-by: Thomas Lamprecht +--- + hw/display/qxl-render.c | 7 +++++++ + hw/display/vmware_vga.c | 2 ++ + ui/cursor.c | 8 +++++++- + 3 files changed, 16 insertions(+), 1 deletion(-) + +diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c +index 237ed293ba..ca217004bf 100644 +--- a/hw/display/qxl-render.c ++++ b/hw/display/qxl-render.c +@@ -247,6 +247,13 @@ static QEMUCursor *qxl_cursor(PCIQXLDevice *qxl, QXLCursor *cursor, + size_t size; + + c = cursor_alloc(cursor->header.width, cursor->header.height); ++ ++ if (!c) { ++ qxl_set_guest_bug(qxl, "%s: cursor %ux%u alloc error", __func__, ++ cursor->header.width, cursor->header.height); ++ goto fail; ++ } ++ + c->hot_x = cursor->header.hot_spot_x; + c->hot_y = cursor->header.hot_spot_y; + switch (cursor->header.type) { +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e2969a6c81..2b81d6122f 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -509,6 +509,8 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s, + int i, pixels; + + qc = cursor_alloc(c->width, c->height); ++ assert(qc != NULL); ++ + qc->hot_x = c->hot_x; + qc->hot_y = c->hot_y; + switch (c->bpp) { +diff --git a/ui/cursor.c b/ui/cursor.c +index 1d62ddd4d0..835f0802f9 100644 +--- a/ui/cursor.c ++++ b/ui/cursor.c +@@ -46,6 +46,8 @@ static QEMUCursor *cursor_parse_xpm(const char *xpm[]) + + /* parse pixel data */ + c = cursor_alloc(width, height); ++ assert(c != NULL); ++ + for (pixel = 0, y = 0; y < height; y++, line++) { + for (x = 0; x < height; x++, pixel++) { + idx = xpm[line][x]; +@@ -91,7 +93,11 @@ QEMUCursor *cursor_builtin_left_ptr(void) + QEMUCursor *cursor_alloc(int width, int height) + { + QEMUCursor *c; +- int datasize = width * height * sizeof(uint32_t); ++ size_t datasize = width * height * sizeof(uint32_t); ++ ++ if (width > 512 || height > 512) { ++ return NULL; ++ } + + c = g_malloc0(sizeof(QEMUCursor) + datasize); + c->width = width; diff --git a/debian/patches/series b/debian/patches/series index 9a75f9b..769d997 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -15,6 +15,10 @@ extra/0014-vhost-vsock-detach-the-virqueue-element-in-case-of-e.patch extra/0015-vhost-user-remove-VirtQ-notifier-restore.patch extra/0016-vhost-user-fix-VirtQ-notifier-cleanup.patch extra/0017-virtio-fix-the-condition-for-iommu_platform-not-supp.patch +extra/0018-block-gluster-correctly-set-max_pdiscard-which-is-in.patch +extra/0019-ui-vnc.c-Fixed-a-deadlock-bug.patch +extra/0020-display-qxl-render-fix-race-condition-in-qxl_cursor-.patch +extra/0021-ui-cursor-fix-integer-overflow-in-cursor_alloc-CVE-2.patch bitmap-mirror/0001-drive-mirror-add-support-for-sync-bitmap-mode-never.patch bitmap-mirror/0002-drive-mirror-add-support-for-conditional-and-always-.patch bitmap-mirror/0003-mirror-add-check-for-bitmap-mode-without-bitmap.patch