ebasov
/
qemu-kvm
forked from rpms/qemu-kvm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import qemu-kvm-6.2.0-33.module+el8.8.0+19768+98f68f21

Browse Source
i8-stream-rhel changed/i8c-stream-rhel/qemu-kvm-6.2.0-33.module+el8.8.0+19768+98f68f21
MSVSphere Packaging Team 1 year ago
parent 4cdca8a6b6
commit 78b369ac76
8 changed files with 118 additions and 1 deletions
Show Stats Download Patch File Download Diff File

4
.gitignore vendored
Unescape View File

@ -1 +1,5 @@
SOURCES/qemu-6.2.0.tar.xz SOURCES/qemu-6.2.0.tar.xz
SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
SOURCES/tests_data_acpi_q35_FACP.slic
SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
SOURCES/tests_data_acpi_virt_SSDT.memhp

4
.qemu-kvm.metadata
Unescape View File

@ -1 +1,5 @@
68cd61a466170115b88817e2d52db2cd7a92f43a SOURCES/qemu-6.2.0.tar.xz 68cd61a466170115b88817e2d52db2cd7a92f43a SOURCES/qemu-6.2.0.tar.xz
c4b34092bc5af1ba7febfca1477320fb024e8acd SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
19349e3517143bd1af56a5444e927ba37a111f72 SOURCES/tests_data_acpi_q35_FACP.slic
4632d10ae8cedad4d5d760ed211f83f0dc81005d SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
ef12eed43cc357fb134db6fa3c7ffc83e222a97d SOURCES/tests_data_acpi_virt_SSDT.memhp

102
SOURCES/kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
Unescape View File

@ -0,0 +1,102 @@
From 5282809c2c0c57228c4ce870dae413e84b09ebf6 Mon Sep 17 00:00:00 2001
From: Jon Maloy <jmaloy@redhat.com>
Date: Tue, 15 Aug 2023 00:08:55 +0000
Subject: [PATCH] io: remove io watch if TLS channel is closed during handshake
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Jon Maloy <jmaloy@redhat.com>
RH-MergeRequest: 303: io: remove io watch if TLS channel is closed during handshake
RH-Bugzilla: 2216510
RH-Acked-by: Peter Xu <peterx@redhat.com>
RH-Acked-by: Stefan Hajnoczi <stefanha@redhat.com>
RH-Commit: [1/1] 40526f8952e752656662e11e935b1fc63a0c1061 (redhat/rhel/src/qemu-kvm/jons-qemu-kvm-2)
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2216510
CVE: CVE-2023-3354
Upstream: Merged
commit 10be627d2b5ec2d6b3dce045144aa739eef678b4
Author: Daniel P. Berrangé <berrange@redhat.com>
Date: Tue Jun 20 09:45:34 2023 +0100
io: remove io watch if TLS channel is closed during handshake
The TLS handshake make take some time to complete, during which time an
I/O watch might be registered with the main loop. If the owner of the
I/O channel invokes qio_channel_close() while the handshake is waiting
to continue the I/O watch must be removed. Failing to remove it will
later trigger the completion callback which the owner is not expecting
to receive. In the case of the VNC server, this results in a SEGV as
vnc_disconnect_start() tries to shutdown a client connection that is
already gone / NULL.
CVE-2023-3354
Reported-by: jiangyegen <jiangyegen@huawei.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Jon Maloy <jmaloy@redhat.com>
---
include/io/channel-tls.h | 1 +
io/channel-tls.c | 18 ++++++++++++------
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/include/io/channel-tls.h b/include/io/channel-tls.h
index 5672479e9e..26c67f17e2 100644
--- a/include/io/channel-tls.h
+++ b/include/io/channel-tls.h
@@ -48,6 +48,7 @@ struct QIOChannelTLS {
QIOChannel *master;
QCryptoTLSSession *session;
QIOChannelShutdown shutdown;
+ guint hs_ioc_tag;
};
/**
diff --git a/io/channel-tls.c b/io/channel-tls.c
index c730cb8ec5..bd79e78837 100644
--- a/io/channel-tls.c
+++ b/io/channel-tls.c
@@ -195,12 +195,13 @@ static void qio_channel_tls_handshake_task(QIOChannelTLS *ioc,
}
trace_qio_channel_tls_handshake_pending(ioc, status);
- qio_channel_add_watch_full(ioc->master,
- condition,
- qio_channel_tls_handshake_io,
- data,
- NULL,
- context);
+ ioc->hs_ioc_tag =
+ qio_channel_add_watch_full(ioc->master,
+ condition,
+ qio_channel_tls_handshake_io,
+ data,
+ NULL,
+ context);
}
}
@@ -215,6 +216,7 @@ static gboolean qio_channel_tls_handshake_io(QIOChannel *ioc,
QIOChannelTLS *tioc = QIO_CHANNEL_TLS(
qio_task_get_source(task));
+ tioc->hs_ioc_tag = 0;
g_free(data);
qio_channel_tls_handshake_task(tioc, task, context);
@@ -375,6 +377,10 @@ static int qio_channel_tls_close(QIOChannel *ioc,
{
QIOChannelTLS *tioc = QIO_CHANNEL_TLS(ioc);
+ if (tioc->hs_ioc_tag) {
+ g_clear_handle_id(&tioc->hs_ioc_tag, g_source_remove);
+ }
+
return qio_channel_close(tioc->master, errp);
}
--
2.37.3

BIN
SOURCES/tests_data_acpi_pc_SSDT.dimmpxm
View File

Binary file not shown.

BIN
SOURCES/tests_data_acpi_q35_FACP.slic
View File

Binary file not shown.

BIN
SOURCES/tests_data_acpi_q35_SSDT.dimmpxm
View File

Binary file not shown.

BIN
SOURCES/tests_data_acpi_virt_SSDT.memhp
View File

Binary file not shown.

9
SPECS/qemu-kvm.spec
Unescape View File

@ -83,7 +83,7 @@ Obsoletes: %1-rhev <= %{epoch}:%{version}-%{release}
Summary: QEMU is a machine emulator and virtualizer Summary: QEMU is a machine emulator and virtualizer
Name: qemu-kvm Name: qemu-kvm
Version: 6.2.0 Version: 6.2.0
Release: 32%{?rcrel}%{?dist} Release: 33%{?rcrel}%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 15 Epoch: 15
License: GPLv2 and GPLv2+ and CC-BY License: GPLv2 and GPLv2+ and CC-BY
@ -652,6 +652,8 @@ Patch255: kvm-scsi-protect-req-aiocb-with-AioContext-lock.patch
Patch256: kvm-dma-helpers-prevent-dma_blk_cb-vs-dma_aio_cancel-rac.patch Patch256: kvm-dma-helpers-prevent-dma_blk_cb-vs-dma_aio_cancel-rac.patch
# For bz#2090990 - qemu crash with error scsi_req_unref(SCSIRequest *): Assertion `req->refcount > 0' failed or scsi_dma_complete(void *, int): Assertion `r->req.aiocb != NULL' failed [8.7.0] # For bz#2090990 - qemu crash with error scsi_req_unref(SCSIRequest *): Assertion `req->refcount > 0' failed or scsi_dma_complete(void *, int): Assertion `r->req.aiocb != NULL' failed [8.7.0]
Patch257: kvm-virtio-scsi-reset-SCSI-devices-from-main-loop-thread.patch Patch257: kvm-virtio-scsi-reset-SCSI-devices-from-main-loop-thread.patch
# For bz#2216510 - CVE-2023-3354 virt:rhel/qemu-kvm: QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service [rhel-8.8.0.z]
Patch258: kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch
BuildRequires: wget BuildRequires: wget
BuildRequires: rpm-build BuildRequires: rpm-build
@ -1824,6 +1826,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
* Tue Dec 12 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 15:6.2.0-32 * Tue Dec 12 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 15:6.2.0-32
- Rebuilt for MSVSphere 8.8 - Rebuilt for MSVSphere 8.8
* Fri Aug 25 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-33.el8_8
- kvm-io-remove-io-watch-if-TLS-channel-is-closed-during-h.patch [bz#2216510]
- Resolves: bz#2216510
(CVE-2023-3354 virt:rhel/qemu-kvm: QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service [rhel-8.8.0.z])
* Mon Mar 13 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-32.el8_8 * Mon Mar 13 2023 Jon Maloy <jmaloy@redhat.com> - 6.2.0-32.el8_8
- kvm-aio_wait_kick-add-missing-memory-barrier.patch [bz#2168472] - kvm-aio_wait_kick-add-missing-memory-barrier.patch [bz#2168472]
- kvm-qatomic-add-smp_mb__before-after_rmw.patch [bz#2168472] - kvm-qatomic-add-smp_mb__before-after_rmw.patch [bz#2168472]

Write Preview
Loading…
Cancel
Save