Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package qemu

The updated release includes 3 bugfixes. Changelog with comments:

* e1000-discard-oversized-packets-based-on-SBP_LPE.patch: the second half of the fix for CVE-2012-6075. (Finally Closes: #696051)

  This is a security fix for CVE-2012-6075. As it turned out, there are 2 sides to this issue, and 2 halves to the fix. While we thought the change in the previous release (1.1.2+dfsg-3) was enough, it actually is not, since the bug can be triggered under other conditions too. The complete fix consists of 2 changes (which touch the same area): e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch (which was included in the 1.1.2+dfsg-3 release) and e1000-discard-oversized-packets-based-on-SBP_LPE.patch (being included now). These patches are used in a recent qemu & qemu-kvm security update in squeeze (stable-security) too. Both patches are from upstream.

  I tried my usual pile of guests here trying to verify there are no visible regressions due to that; all guests seem to continue working fine. The changes only affect e1000 device emulation, and have no impact on other parts of qemu.

* linux-user-fix-mips-32-on-64-prealloc-case.patch (Closes: #668658)

  This is a simple patch which unbreaks MIPS 32bit emulation on a 64bit host. Before this patch, mips32 was completely unusable/non-working on any 64bit host, including the most commonly used amd64 one. Also a low-risk change, since it is specific to this architecture (and only for the 32-on-64 case), and makes previously completely non-working stuff work. It is a fix for a bug of priority "Important", but I think it really is important to fix this for wheezy and not let wheezy be released without it, since emulation of mips is important enough.

* fix USB regression introduced in 1.1 (Closes: #683983)
  uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch
  Big thanks to Peter Schaefer (https://bugs.launchpad.net/bugs/1033727) for the help identifying the fix.

  This is another fix for an "Important" bug. As it turned out, many real USB devices which worked in previous versions of qemu[-kvm] (in wheezy/testing, before version 1.1) have been broken since version 1.1. I've got many reports about various devices not working anymore. It turned out that only a certain sequence of events triggers this issue, and not all guests and not all devices trigger it, but the general result of this bug is quite bad. Supporting USB in a more or less reliable way is important because qemu is often used to run proprietary windows-only programs to flash a phone over USB or things like that, where there's no other good choice available (short of purchasing a separate PC just for that).

I'm requesting to unblock both qemu and qemu-kvm at once, since the two are kept in the same state, and since the fixes are applicable to both at the same time. However, the mips-related fix is not needed for qemu-kvm, since this one is x86-only. So the qemu-kvm change does not include the mips-related fix. Other than that, the changes are exactly the same, including version numbers.

Debdiff between qemu/1.1.2+dfsg-3 (currently in testing) and qemu/1.1.2+dfsg-5:
------ diff -Nru qemu-1.1.2+dfsg/debian/changelog qemu-1.1.2+dfsg/debian/changelog --- qemu-1.1.2+dfsg/debian/changelog 2012-12-16 23:24:01.000000000 +0400 +++ qemu-1.1.2+dfsg/debian/changelog 2013-01-14 12:20:29.000000000 +0400
@@ -1,3 +1,20 @@ +qemu (1.1.2+dfsg-5) unstable; urgency=low + + * fix USB regression introduced in 1.1 (Closes: #683983) + uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch + Big thanks to Peter Schaefer (https://bugs.launchpad.net/bugs/1033727) + for the help identifying the fix. + + -- Michael Tokarev <m...@tls.msk.ru> Mon, 14 Jan 2013 12:20:29 +0400 + +qemu (1.1.2+dfsg-4) unstable; urgency=medium + + * linux-user-fix-mips-32-on-64-prealloc-case.patch (Closes: #668658) + * e1000-discard-oversized-packets-based-on-SBP_LPE.patch: the second + half of the fix for CVE-2012-6075. (Finally Closes: #696051) + + -- Michael Tokarev <m...@tls.msk.ru> Wed, 09 Jan 2013 23:05:17 +0400 + qemu (1.1.2+dfsg-3) unstable; urgency=low * add build-dependency on libcap-dev [linux-any] to enable virtfs support diff -Nru qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch --- qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-1.1.2+dfsg/debian/patches/e1000-discard-oversized-packets-based-on-SBP_LPE.patch 2013-01-14 12:13:18.000000000 +0400 @@ -0,0 +1,39 @@ +commit 2c0331f4f7d241995452b99afaf0aab00493334a +Author: Michael Contreras <mich...@inetric.com> +Date: Wed Dec 5 13:31:30 2012 -0500 +Bug-Debian: http://bugs.debian.org/696051 +Comment: second half of the fix for CVE-2012-6075 +Comment: see also e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch + + e1000: Discard oversized packets based on SBP|LPE + + Discard packets longer than 16384 when !SBP to match the hardware behavior. + + Signed-off-by: Michael Contreras <mich...@inetric.com> + 
Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com> + +diff --git a/hw/e1000.c b/hw/e1000.c +index 92fb00a..8fd1654 100644 +--- a/hw/e1000.c ++++ b/hw/e1000.c +@@ -61,6 +61,8 @@ static int debugflags = DBGBIT(TXERR) | DBGBIT(GENERAL); + + /* this is the size past which hardware will drop packets when setting LPE=0 */ + #define MAXIMUM_ETHERNET_VLAN_SIZE 1522 ++/* this is the size past which hardware will drop packets when setting LPE=1 */ ++#define MAXIMUM_ETHERNET_LPE_SIZE 16384 + + /* + * HW models: +@@ -809,8 +811,9 @@ e1000_receive(NetClientState *nc, const uint8_t *buf, size_t size) + } + + /* Discard oversized packets if !LPE and !SBP. */ +- if (size > MAXIMUM_ETHERNET_VLAN_SIZE +- && !(s->mac_reg[RCTL] & E1000_RCTL_LPE) ++ if ((size > MAXIMUM_ETHERNET_LPE_SIZE || ++ (size > MAXIMUM_ETHERNET_VLAN_SIZE ++ && !(s->mac_reg[RCTL] & E1000_RCTL_LPE))) + && !(s->mac_reg[RCTL] & E1000_RCTL_SBP)) { + return size; + } diff -Nru qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch --- qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch 2012-12-16 19:47:51.000000000 +0400 +++ qemu-1.1.2+dfsg/debian/patches/e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch 2013-01-14 12:13:18.000000000 +0400 
@@ -3,6 +3,8 @@ Date: Sun, 2 Dec 2012 20:11:22 -0800 Subject: e1000: Discard packets that are too long if !SBP and !LPE Bug-Debian: http://bugs.debian.org/696051 +Comment: first half of the fix for CVE-2012-6075 +Comment: see also e1000-discard-oversized-packets-based-on-SBP_LPE.patch Comment: http://patchwork.ozlabs.org/patch/203291/ Comment: Michael Contreras: Comment: Tested with linux guest. This error can potentially be exploited. At the very diff -Nru qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch --- qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-1.1.2+dfsg/debian/patches/linux-user-fix-mips-32-on-64-prealloc-case.patch 2013-01-14 12:13:18.000000000 +0400 
@@ -0,0 +1,38 @@ +From 314992b1a48a5a2a0f2b14195f959ad2c3f5b3ff Mon Sep 17 00:00:00 2001 +From: Alexander Graf <ag...@suse.de> +Date: Thu, 3 Jan 2013 14:17:18 +0100 +Subject: linux-user: fix mips 32-on-64 prealloc case +Bug-Debian: http://bugs.debian.org/668658 + +MIPS only supports 31 bits of virtual address space for user space, so let's +make sure we stay within that limit with our preallocated memory block. + +This fixes the MIPS user space targets when executed without command line +option. + +Signed-off-by: Alexander Graf <ag...@suse.de> +Signed-off-by: Aurelien Jarno <aurel...@aurel32.net> +--- + linux-user/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/linux-user/main.c b/linux-user/main.c +index f6c4c8d..9ade1bf 100644 +--- a/linux-user/main.c ++++ b/linux-user/main.c +@@ -57,7 +57,12 @@ int have_guest_base; + * This way we will never overlap with our own libraries or binaries or stack + * or anything else that QEMU maps. + */ ++# ifdef TARGET_MIPS ++/* MIPS only supports 31 bits of virtual address space for user space */ ++unsigned long reserved_va = 0x77000000; ++# else + unsigned long reserved_va = 0xf7000000; ++# endif + #else + unsigned long reserved_va; + #endif +-- +1.7.10.4 + diff -Nru qemu-1.1.2+dfsg/debian/patches/series qemu-1.1.2+dfsg/debian/patches/series --- qemu-1.1.2+dfsg/debian/patches/series 2012-12-16 19:47:52.000000000 +0400 +++ qemu-1.1.2+dfsg/debian/patches/series 2013-01-14 12:15:03.000000000 +0400 @@ -3,6 +3,7 @@ configure-nss-usbredir.patch do-not-include-libutil.h.patch tcg_s390-fix-ld_st-with-CONFIG_TCG_PASS_AREG0.patch +linux-user-fix-mips-32-on-64-prealloc-case.patch net-add--netdev-options-to-man-page.patch revert-serial-fix-retry-logic.patch intel_hda-do-not-call-msi_reset-when-only-device-state-needs-resetting.patch 
@@ -11,9 +12,11 @@ net-notify-iothread-after-flushing-queue.patch e1000-flush-queue-whenever-can_receive-can-go-from-false-to-true.patch e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch +e1000-discard-oversized-packets-based-on-SBP_LPE.patch eepro100-fix-network-hang-when-rx-buffers-run-out.patch fixes-related-to-processing-of-qemu-s-numa-option.patch qcow2-fix-avail_sectors-in-cluster-allocation-code.patch qcow2-fix-refcount-table-size-calculation.patch tap-reset-vnet-header-size-on-open.patch vmdk-fix-data-corruption-bug-in-WRITE-and-READ-handling.patch +uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch diff -Nru qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch --- qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch 1970-01-01 03:00:00.000000000 +0300 +++ qemu-1.1.2+dfsg/debian/patches/uhci-don-t-queue-up-packets-after-one-with-the-SPD-flag-set.patch 2013-01-14 12:19:32.000000000 +0400 
@@ -0,0 +1,50 @@ +From 5d19515502b3d4e4d0d538c6f84a2e93f0d57928 Mon Sep 17 00:00:00 2001 +From: Hans de Goede <hdego...@redhat.com> +Date: Wed, 12 Sep 2012 15:08:40 +0200 +Subject: uhci: Don't queue up packets after one with the SPD flag set +Bug-Debian: http://bugs.debian.org/683983 +Bug: https://bugs.launchpad.net/bugs/1033727 +X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=72a04d0c178f01908d74539230d9de64ffc6da19 +Comment: unlike the original patch comment says, it fixes several USB devices + +Don't queue up packets after a packet with the SPD (short packet detect) +flag set. Since we won't know if the packet will actually be short until it +has completed, and if it is short we should stop the queue. + +This fixes a miniature photoframe emulating a USB cdrom with the windows +software for it not working. + +Signed-off-by: Hans de Goede <hdego...@redhat.com> +Signed-off-by: Gerd Hoffmann <kra...@redhat.com> +(cherry picked from commit 72a04d0c178f01908d74539230d9de64ffc6da19) +Signed-off-by: Michael Tokarev <m...@tls.msk.ru> +--- + hw/usb/hcd-uhci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/hcd-uhci.c b/hw/usb/hcd-uhci.c +index a8bb164..766e7ad 100644 +--- a/hw/usb/hcd-uhci.c ++++ b/hw/usb/hcd-uhci.c +@@ -986,6 +986,9 @@ static void uhci_fill_queue(UHCIState *s, UHCI_TD *td) + } + assert(ret == TD_RESULT_ASYNC_START); + assert(int_mask == 0); ++ if (ptd.ctrl & TD_CTRL_SPD) { ++ break; ++ } + plink = ptd.link; + } + } +@@ -1083,7 +1086,7 @@ static void uhci_process_frame(UHCIState *s) + + case TD_RESULT_ASYNC_START: + trace_usb_uhci_td_async(curr_qh & ~0xf, link & ~0xf); +- if (is_valid(td.link)) { ++ if (is_valid(td.link) && !(td.ctrl & TD_CTRL_SPD)) { + uhci_fill_queue(s, &td); + } + link = curr_qh ? qh.link : td.link; +-- +1.7.10.4 + ------ unblock qemu/1.1.2+dfsg-5 unblock qemu-kvm/1.1.2+dfsg-5 Thank you! 
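Review bot: in the hw/e1000.c hunk at `e1000_receive`, the unchanged comment `/* Discard oversized packets if !LPE and !SBP. */` is now inaccurate, since the new predicate also discards frames above MAXIMUM_ETHERNET_LPE_SIZE when LPE is set; suggest rewording it to something like `/* Discard oversized packets: >1522 if !LPE, >16384 even if LPE, unless SBP. */` so the next reader does not take the old two-condition rule at face value. SBP still disables every size check, which matches the commit message's "when !SBP" wording but deserves a word in that comment as well.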
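Review bot: in the debian/patches/series hunks, placing e1000-discard-oversized-packets-based-on-SBP_LPE.patch directly after e1000-discard-packets-that-are-too-long-if-not-SBP-and-not-LPE.patch is required rather than merely tidy, because the lines the second patch removes (`if (size > MAXIMUM_ETHERNET_VLAN_SIZE` and `&& !(s->mac_reg[RCTL] & E1000_RCTL_LPE)`) only exist once the first patch is applied; the `Comment: see also ...` header in the new patch reads as informational, so a sentence stating that ordering dependency there would help whoever next reorders series.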
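Review bot: in the linux-user/main.c hunk, `reserved_va = 0x77000000` under `# ifdef TARGET_MIPS` is a bare constant with no explanation of how it was chosen; the accompanying comment only says user space has 31 bits of address space. A short note that 0x77000000 leaves the same 0x09000000 (144 MiB) of headroom below 2 GiB (0x80000000) that the existing 0xf7000000 leaves below 4 GiB would make the value reviewable without redoing the arithmetic, and would make it obvious that the two defaults are intended to match.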
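Review bot: in the hw/usb/hcd-uhci.c hunks, the two new `TD_CTRL_SPD` checks are consistent with each other (`uhci_process_frame` no longer starts filling the queue from a TD that already has SPD set, and `uhci_fill_queue` stops after queuing one that has it), but neither site says why; suggest a one-line comment at the new `break`, e.g. `/* short packet detect: if this packet turns out short the queue must stop here */`, since the rationale currently lives only in the commit message.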
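As an added example (not code from this unblock request or from qemu), the following C puts the two halves of the CVE-2012-6075 e1000 receive check described above side by side and probes each for the frame size at which it starts discarding; the RCTL bit values are assumptions, and only the predicate logic is taken from the two patches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Size limits from hw/e1000.c as patched in 1.1.2+dfsg-3 and -4. */
#define MAXIMUM_ETHERNET_VLAN_SIZE 1522   /* hardware drops above this when LPE=0 */
#define MAXIMUM_ETHERNET_LPE_SIZE  16384  /* hardware drops above this when LPE=1 */
/* RCTL bits: assumed values for this stand-alone example; QEMU uses its own
 * E1000_RCTL_LPE / E1000_RCTL_SBP definitions. Only the logic matters here. */
#define RCTL_LPE 0x20u  /* long packet enable */
#define RCTL_SBP 0x04u  /* store bad packets: hardware accepts everything */

/* First half only (1.1.2+dfsg-3): once LPE is set, no size limit applies. */
static bool discard_first_half(size_t size, uint32_t rctl)
{
    return size > MAXIMUM_ETHERNET_VLAN_SIZE
        && !(rctl & RCTL_LPE) && !(rctl & RCTL_SBP);
}

/* Complete fix (1.1.2+dfsg-4 and later): frames above the LPE limit are
 * dropped even with LPE set; only SBP bypasses both checks. */
static bool discard_complete(size_t size, uint32_t rctl)
{
    return (size > MAXIMUM_ETHERNET_LPE_SIZE
            || (size > MAXIMUM_ETHERNET_VLAN_SIZE && !(rctl & RCTL_LPE)))
        && !(rctl & RCTL_SBP);
}

/* Probe a filter: smallest frame size in [1, probe_max] that it discards,
 * or 0 if every size up to probe_max is accepted (no bound enforced). */
static size_t first_discarded_size(uint32_t rctl, bool complete_fix, size_t probe_max)
{
    for (size_t n = 1; n <= probe_max; n++) {
        if (complete_fix ? discard_complete(n, rctl) : discard_first_half(n, rctl)) {
            return n;
        }
    }
    return 0;
}

int main(void)
{
    const uint32_t modes[] = { 0, RCTL_LPE, RCTL_SBP, RCTL_LPE | RCTL_SBP };
    for (int i = 0; i < 4; i++) {
        printf("RCTL=0x%02x: first half drops from %zu, complete fix drops from %zu (0 = never)\n",
               modes[i], first_discarded_size(modes[i], false, 20000),
               first_discarded_size(modes[i], true, 20000));
    }
    return 0;
}
```

With LPE=1 and SBP=0 the first half alone never discards anything, which is the "other conditions" the request refers to; the complete fix caps accepted frames at 16384 bytes in that mode.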
/mjt

Archive: http://lists.debian.org/20130115133855.22329.19416.reportbug@gandalf.local