
Bug#698221: marked as done (unblock: qemu/1.1.2+dfsg-5 qemu-kvm/1.1.2+dfsg-5)



Your message dated Sat, 19 Jan 2013 12:23:00 +0100
with message-id <20130119112300.GQ5676@radis.cristau.org>
and subject line Re: Bug#698221: unblock: qemu/1.1.2+dfsg-5 qemu-kvm/1.1.2+dfsg-5
has caused the Debian Bug report #698221,
regarding unblock: qemu/1.1.2+dfsg-5 qemu-kvm/1.1.2+dfsg-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
698221: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698221
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package qemu

The updated release includes 3 bugfixes.  Changelog with comments:

  * e1000-discard-oversized-packets-based-on-SBP_LPE.patch: the second
    half of the fix for CVE-2012-6075. (Finally Closes: #696051)

This is a security fix for CVE-2012-6075.  As it turned out, there are
2 sides of this issue, and 2 halves for the fix.  While we thought the
change in the previous release (1.1.2+dfsg-3) was enough, it actually is not,
since the bug can be triggered using other conditions too.  The complete
fix consists of 2 changes (which touch the same area):

 e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch
  (which was included in 1.1.2+dfsg-3 release) and
 e1000-discard-oversized-packets-based-on-SBP_LPE.patch
  (being included now).

These patches are used in a recent qemu & qemu-kvm security update in
squeeze (stable-security) too.  Both patches are from upstream.

I tried my usual pile of guests here trying to verify there are no
visible regressions due to that; all guests seem to continue working
fine.  The changes only affect e1000 device emulation, and have no
impact on other parts of qemu.


  * linux-user-fix-mips-32-on-64-prealloc-case.patch (Closes: #668658)

This is a simple patch which unbreaks MIPS 32bit emulation on a 64bit host.
Before this patch, mips32 was completely unusable/unworking on any 64bit
host, including the most commonly used amd64 one.  It is also a low-risk change,
since it is specific to this architecture (and only for the 32-on-64 case),
and makes previously completely non-working stuff working.

It is a fix for a bug of priority "Important", but I think it really is
important to fix this for wheezy and not let wheezy be released without
it, since emulation of mips is important enough.


  * fix USB regression introduced in 1.1 (Closes: #683983)
    uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch
    Big thanks to Peter Schaefer (https://bugs.launchpad.net/bugs/1033727)
    for the help identifying the fix.

This is another fix for an "Important" bug.  As it turned out, many real USB
devices which worked in previous versions of qemu[-kvm] (in wheezy/testing,
before version 1.1) were broken since version 1.1.  I've got many reports
about various devices not working anymore.  It turned out that only a certain
sequence of events triggers this issue, and not all guests and not all devices
trigger it, but the general result of this bug is quite bad.  Supporting USB in
a more or less reliable way is important because qemu is often used to run
proprietary windows-only programs to flash a phone over USB or things like
that, where there's no other good choice available (short of purchasing a
separate PC just for that).

I'm requesting to unblock both qemu and qemu-kvm at once, since the two are
kept in the same state, and since the fixes are applicable to both at the same
time.  However, the mips-related fix is not needed for qemu-kvm, since this
one is x86-only.  So the qemu-kvm change does not include the mips-related fix.
Other than that, the changes are exactly the same, including version numbers.

Debdiff between qemu/1.1.2+dfsg-3 (currently in testing) and qemu/1.1.2+dfsg-5:

------
diff -Nru qemu-1.1.2+dfsg/debian/changelog qemu-1.1.2+dfsg/debian/changelog
--- qemu-1.1.2+dfsg/debian/changelog	2012-12-16 23:24:01.000000000 +0400
+++ qemu-1.1.2+dfsg/debian/changelog	2013-01-14 12:20:29.000000000 +0400
@@ -1,3 +1,20 @@
+qemu (1.1.2+dfsg-5) unstable; urgency=low
+
+  * fix USB regression introduced in 1.1 (Closes: #683983)
+    uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch
+    Big thanks to Peter Schaefer (https://bugs.launchpad.net/bugs/1033727)
+    for the help identifying the fix.
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Mon, 14 Jan 2013 12:20:29 +0400
+
+qemu (1.1.2+dfsg-4) unstable; urgency=medium
+
+  * linux-user-fix-mips-32-on-64-prealloc-case.patch (Closes: #668658)
+  * e1000-discard-oversized-packets-based-on-SBP_LPE.patch: the second
+    half of the fix for CVE-2012-6075. (Finally Closes: #696051)
+
+ -- Michael Tokarev <mjt@tls.msk.ru>  Wed, 09 Jan 2013 23:05:17 +0400
+
 qemu (1.1.2+dfsg-3) unstable; urgency=low
 
   * add build-dependency on libcap-dev [linux-any] to enable virtfs support
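Review bot: the 1.1.2+dfsg-5 changelog entry names the USB patch file but not the upstream commit it cherry-picks (72a04d0c178f01908d74539230d9de64ffc6da19, per the patch header further down in this debdiff), and the 1.1.2+dfsg-4 entry likewise omits the upstream id of the CVE-2012-6075 second half (2c0331f4f7d241995452b99afaf0aab00493334a). Adding those ids to the changelog makes the security fix traceable without opening the patch files.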
diff -Nru qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch
--- qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch	2013-01-14 12:13:18.000000000 +0400
@@ -0,0 +1,39 @@
+commit 2c0331f4f7d241995452b99afaf0aab00493334a
+Author: Michael Contreras <michael@inetric.com>
+Date:   Wed Dec 5 13:31:30 2012 -0500
+Bug-Debian: http://bugs.debian.org/696051
+Comment: second half of the fix for CVE-2012-6075
+Comment: see also e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch
+
+    e1000: Discard oversized packets based on SBP|LPE
+    
+    Discard packets longer than 16384 when !SBP to match the hardware behavior.
+    
+    Signed-off-by: Michael Contreras <michael@inetric.com>
+    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+
+diff --git a/hw/e1000.c b/hw/e1000.c
+index 92fb00a..8fd1654 100644
+--- a/hw/e1000.c
++++ b/hw/e1000.c
+@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL);
+ 
+ /* this is the size past which hardware will drop packets when setting LPE=0 */
+ #define MAXIMUM_ETHERNET_VLAN_SIZE 1522
++/* this is the size past which hardware will drop packets when setting LPE=1 */
++#define MAXIMUM_ETHERNET_LPE_SIZE 16384
+ 
+ /*
+  * HW models:
+@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+     }
+ 
+     /* Discard oversized packets if !LPE and !SBP. */
+-    if (size > MAXIMUM_ETHERNET_VLAN_SIZE
+-        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)
++    if ((size > MAXIMUM_ETHERNET_LPE_SIZE ||
++        (size > MAXIMUM_ETHERNET_VLAN_SIZE
++        && !(s->mac_reg[RCTL] & E1000_RCTL_LPE)))
+         && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) {
+         return size;
+     }
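Review bot: the context comment `/* Discard oversized packets if !LPE and !SBP. */` above the changed condition is now stale, since after this change a frame above MAXIMUM_ETHERNET_LPE_SIZE is discarded even with LPE set and only SBP bypasses the check. Suggest updating it to something like `/* Discard oversized packets unless SBP; the limit is 16384 with LPE, 1522 without. */`. The new condition itself is bracketed correctly (the `||` group is fully parenthesised before `&& !SBP`), so only the comment needs attention.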
diff -Nru qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch
--- qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch	2012-12-16 19:47:51.000000000 +0400
+++ qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch	2013-01-14 12:13:18.000000000 +0400
@@ -3,6 +3,8 @@
 Date: Sun, 2 Dec 2012 20:11:22 -0800
 Subject: e1000: Discard packets that are too long if !SBP and !LPE
 Bug-Debian: http://bugs.debian.org/696051
+Comment: first half of the fix for CVE-2012-6075
+Comment: see also e1000-discard-oversized-packets-based-on-SBP_LPE.patch
 Comment: http://patchwork.ozlabs.org/patch/203291/
 Comment: Michael Contreras:
 Comment: Tested with linux guest. This error can potentially be exploited. At the very
diff -Nru qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch
--- qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch	2013-01-14 12:13:18.000000000 +0400
@@ -0,0 +1,38 @@
+From 314992b1a48a5a2a0f2b14195f959ad2c3f5b3ff Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@suse.de>
+Date: Thu, 3 Jan 2013 14:17:18 +0100
+Subject: linux-user: fix mips 32-on-64 prealloc case
+Bug-Debian: http://bugs.debian.org/668658
+
+MIPS only supports 31 bits of virtual address space for user space, so let's
+make sure we stay within that limit with our preallocated memory block.
+
+This fixes the MIPS user space targets when executed without command line
+option.
+
+Signed-off-by: Alexander Graf <agraf@suse.de>
+Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
+---
+ linux-user/main.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/linux-user/main.c b/linux-user/main.c
+index f6c4c8d..9ade1bf 100644
+--- a/linux-user/main.c
++++ b/linux-user/main.c
+@@ -57,7 +57,12 @@ int have_guest_base;
+  * This way we will never overlap with our own libraries or binaries or stack
+  * or anything else that QEMU maps.
+  */
++# ifdef TARGET_MIPS
++/* MIPS only supports 31 bits of virtual address space for user space */
++unsigned long reserved_va = 0x77000000;
++# else
+ unsigned long reserved_va = 0xf7000000;
++# endif
+ #else
+ unsigned long reserved_va;
+ #endif
+-- 
+1.7.10.4
+
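Review bot: `unsigned long reserved_va = 0x77000000;` is a bare magic number; the comment says MIPS user space has 31 bits of virtual address space but does not say how 0x77000000 relates to that ceiling (it mirrors the existing 0xf7000000 sitting below the 32-bit one). A comment stating that relationship, or an expression derived from the limit, would make the value checkable at a glance. The description "when executed without command line option" should also name the option it refers to.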
diff -Nru qemu-1.1.2+dfsg/debian/patches/series qemu-1.1.2+dfsg/debian/patches/series
--- qemu-1.1.2+dfsg/debian/patches/series	2012-12-16 19:47:52.000000000 +0400
+++ qemu-1.1.2+dfsg/debian/patches/series	2013-01-14 12:15:03.000000000 +0400
@@ -3,6 +3,7 @@
 configure-nss-usbredir.patch
 do-not-include-libutil.h.patch
 tcg_s390-fix-ld_st-with-CONFIG_TCG_PASS_AREG0.patch
+linux-user-fix-mips-32-on-64-prealloc-case.patch
 net-add--netdev-options-to-man-page.patch
 revert-serial-fix-retry-logic.patch
 intel_hda-do-not-call-msi_reset-when-only-device-state-needs-resetting.patch
@@ -11,9 +12,11 @@
 net-notify-iothread-after-flushing-queue.patch
 e1000-flush-queue-whenever-can_receive-can-go-from-false-to-true.patch
 e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch
+e1000-discard-oversized-packets-based-on-SBP_LPE.patch
 eepro100-fix-network-hang-when-rx-buffers-run-out.patch
 fixes-related-to-processing-of-qemu-s-numa-option.patch
 qcow2-fix-avail_sectors-in-cluster-allocation-code.patch
 qcow2-fix-refcount-table-size-calculation.patch
 tap-reset-vnet-header-size-on-open.patch
 vmdk-fix-data-corruption-bug-in-WRITE-and-READ-handling.patch
+uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch
diff -Nru qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch
--- qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch	1970-01-01 03:00:00.000000000 +0300
+++ qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch	2013-01-14 12:19:32.000000000 +0400
@@ -0,0 +1,50 @@
+From 5d19515502b3d4e4d0d538c6f84a2e93f0d57928 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Wed, 12 Sep 2012 15:08:40 +0200
+Subject: uhci: Don't queue up packets after one with the SPD flag set
+Bug-Debian: http://bugs.debian.org/683983
+Bug: https://bugs.launchpad.net/bugs/1033727
+X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=72a04d0c178f01908d74539230d9de64ffc6da19
+Comment: unlike the original patch comment says, it fixes several USB devices
+
+Don't queue up packets after a packet with the SPD (short packet detect)
+flag set. Since we won't know if the packet will actually be short until it
+has completed, and if it is short we should stop the queue.
+
+This fixes a miniature photoframe emulating a USB cdrom with the windows
+software for it not working.
+
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit 72a04d0c178f01908d74539230d9de64ffc6da19)
+Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
+---
+ hw/usb/hcd-uhci.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c
+index a8bb164..766e7ad 100644
+--- a/hw/usb/hcd-uhci.c
++++ b/hw/usb/hcd-uhci.c
+@@ -986,6 +986,9 @@ static void uhci_fill_queue(UHCIState *s, UHCI_TD *td)
+         }
+         assert(ret == TD_RESULT_ASYNC_START);
+         assert(int_mask == 0);
++        if (ptd.ctrl & TD_CTRL_SPD) {
++            break;
++        }
+         plink = ptd.link;
+     }
+ }
+@@ -1083,7 +1086,7 @@ static void uhci_process_frame(UHCIState *s)
+ 
+         case TD_RESULT_ASYNC_START:
+             trace_usb_uhci_td_async(curr_qh & ~0xf, link & ~0xf);
+-            if (is_valid(td.link)) {
++            if (is_valid(td.link) && !(td.ctrl & TD_CTRL_SPD)) {
+                 uhci_fill_queue(s, &td);
+             }
+             link = curr_qh ? qh.link : td.link;
+-- 
+1.7.10.4
+
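Review bot: the header carries two commit ids, 5d19515502b3d4e4d0d538c6f84a2e93f0d57928 on the From line and 72a04d0c178f01908d74539230d9de64ffc6da19 in the X-Git-Url and "cherry picked from" lines; say which is the upstream commit and which the stable backport so the Debian header is unambiguous. The Debian `Comment:` line "unlike the original patch comment says, it fixes several USB devices" also reads awkwardly; "the upstream message mentions only a photoframe, but this fixes several USB devices (#683983)" says the same thing. The code change itself is consistent across the two hunks: uhci_fill_queue stops after queuing the TD that has SPD set, and uhci_process_frame no longer starts a queue when the first TD already has SPD.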
------

unblock qemu/1.1.2+dfsg-5
unblock qemu-kvm/1.1.2+dfsg-5

Thank you!

/mjt

--- End Message ---
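As an added illustration of the two-halved fix described in the request above (this is example code written here, not code from the page or from QEMU): a model of the e1000 receive size check as it stood after the first half (1.1.2+dfsg-3) next to the complete check (1.1.2+dfsg-5), with a helper that finds the first frame size where the two disagree. The size limits are the ones named in the debdiff; the RCTL bit values are assumed from the e1000 register layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Size limits as named in the debdiff; RCTL bit values assumed from the
 * e1000 register layout (not taken from this page). */
#define MAXIMUM_ETHERNET_VLAN_SIZE 1522   /* hardware drop threshold, LPE=0 */
#define MAXIMUM_ETHERNET_LPE_SIZE  16384  /* hardware drop threshold, LPE=1 */
#define E1000_RCTL_SBP 0x00000004         /* store bad packets */
#define E1000_RCTL_LPE 0x00000020         /* long packet enable */

/* First half only (1.1.2+dfsg-3): with LPE set, any length is accepted. */
static bool e1000_drops_first_half(uint32_t rctl, size_t size)
{
    return size > MAXIMUM_ETHERNET_VLAN_SIZE
        && !(rctl & E1000_RCTL_LPE)
        && !(rctl & E1000_RCTL_SBP);
}

/* Both halves (1.1.2+dfsg-5): above 16384 bytes is dropped even with LPE;
 * only SBP lets such a frame through, matching the hardware. */
static bool e1000_drops_complete(uint32_t rctl, size_t size)
{
    return (size > MAXIMUM_ETHERNET_LPE_SIZE
            || (size > MAXIMUM_ETHERNET_VLAN_SIZE && !(rctl & E1000_RCTL_LPE)))
        && !(rctl & E1000_RCTL_SBP);
}

/* Smallest frame size at which the two checks disagree for a given RCTL,
 * or 0 if they agree for every size up to one byte past the LPE limit. */
static size_t e1000_first_divergence(uint32_t rctl)
{
    for (size_t size = 1; size <= MAXIMUM_ETHERNET_LPE_SIZE + 1; size++) {
        if (e1000_drops_first_half(rctl, size) != e1000_drops_complete(rctl, size)) {
            return size;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed RCTL settings; LPE=1 alone is the case the first half missed. */
    printf("LPE=0 SBP=0: %zu\n", e1000_first_divergence(0));
    printf("LPE=1 SBP=0: %zu\n", e1000_first_divergence(E1000_RCTL_LPE));
    printf("LPE=1 SBP=1: %zu\n", e1000_first_divergence(E1000_RCTL_LPE | E1000_RCTL_SBP));
    return 0;
}
```

A non-zero result for LPE=1 SBP=0 is exactly the gap the second patch closes: a guest that sets LPE but not SBP could previously get a frame longer than 16384 bytes past the check.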
--- Begin Message ---
On Tue, Jan 15, 2013 at 17:38:55 +0400, Michael Tokarev wrote:

> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package qemu
> 
qemu{,-kvm} unblocked.

Cheers,
Julien


--- End Message ---
