Bug #1897854 “groovy qemu-arm-static: /build/qemu-W3R0Rj/qemu-5....” : Bugs : qemu package : Ubuntu

Ryutaroh Matsumoto (emojifreak) on 2020-09-30

summary:

- qemu-arm-static: /build/qemu-W3R0Rj/qemu-5.0/linux-user/elfload.c:2317:
- pgb_reserved_va: Assertion `guest_base != 0' failed.
+ groovy qemu-arm-static: /build/qemu-W3R0Rj/qemu-5.0/linux-
+ user/elfload.c:2317: pgb_reserved_va: Assertion `guest_base != 0'
+ failed.

Revision history for this message

Paride Legovini (paride) wrote on 2020-10-01:

#1

Hello Ryutaroh,

I tried to reproduce the problem by running the command you provided basically as-it on an up-to-date Groovy amd64 system, but I couldn't:

$ dpkg-query -W | grep qemu-user-static
qemu-user-static 1:5.0-5ubuntu9

$ mmdebstrap --architectures=armhf,arm64 --variant=apt --components="main contrib non-free" --include=linux-image-arm64,udev,kmod,e2fsprogs,btrfs-progs,systemd-sysv,libpam-systemd,libnss-systemd,dbus-user-session,locales,tzdata,openssh-server,bash,apt-utils,whiptail,vim-tiny,less,man-db,wpasupplicant,crda,raspi-firmware,firmware-brcm80211,firmware-linux-free,firmware-misc-nonfree,keyboard-configuration,console-setup bullseye /home/paride/delme/
I: automatically chosen mode: unshare
I: armhf cannot be executed, falling back to qemu-user
I: running apt-get update...
done
I: downloading packages with apt...
done
I: extracting archives...
done
I: installing packages...
done
I: installing remaining packages inside the chroot...
done
I: cleaning package lists and apt cache...
done
done

Could you please confirm the problem is reproducible, and provide any other bit of information about your setup that may be relevant?

Also: in the bug description you wrote "Host is Ubuntu Focal". Did you mean Groovy?

For the moment I'm setting the status of this report to Incomplete, please change it back to New after commenting back and we'll look at it again. Thanks!

Changed in qemu (Ubuntu):
status:	New → Incomplete

Revision history for this message

Paolo Pisati (p-pisati) wrote on 2020-10-29:

#2

I'm experiencing the same issue:

$ sudo qemu-debootstrap --arch armhf groovy armhf-chroot
...
I: Running command: chroot armhf-chroot /debootstrap/debootstrap --second-stage
qemu-arm-static: /build/qemu-W3R0Rj/qemu-5.0/linux-user/elfload.c:2317: pgb_reserved_va: Assertion `guest_base != 0' failed.
Aborted (core dumped)

this on a recent Groovy amd64 installation.

flag@harukaze:~/canonical$ dpkg -l | grep debootstrap
ii debootstrap 1.0.123ubuntu1 all Bootstrap a basic Debian system

Revision history for this message

Doug Torrance (profzoom) wrote on 2020-11-03:

#3

I'm also running into this trying to set up a pbuilder environment:

$ pbuilder-dist sid armhf create
...
I: Running command: chroot /var/cache/pbuilder/build/430992 /debootstrap/debootstrap --second-stage
qemu-arm-static: /build/qemu-W3R0Rj/qemu-5.0/linux-user/elfload.c:2317: pgb_reserved_va: Assertion `guest_base != 0' failed.
Aborted (core dumped)

This appears to have been fixed upstream [1, 2] in qemu 5.1, which has been in Debian unstable since August [3], but hasn't been merged into Ubuntu yet.

[1] https://bugs.launchpad.net/qemu/+bug/1888728
[2] https://github.com/qemu/qemu/commit/c9f8066
[3] https://tracker.debian.org/news/1169793/accepted-qemu-151dfsg-1-source-into-unstable/

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-11-04:

#4

Thanks Doug,
I'm working on 5.1 already.
Once done we can evaluate and consider SRUing this ...

Changed in qemu (Ubuntu):
status:	Incomplete → Triaged
tags:	added: qemu-21.04

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-11-19:

#5

Download full text (17.9 KiB)

This bug was fixed in the package qemu - 1:5.1+dfsg-4ubuntu1

---------------
qemu (1:5.1+dfsg-4ubuntu1) hirsute; urgency=medium

  * Merge with Debian testing, remaining changes:
    Fixes qemu-arm-static Assertion `guest_base != 0' failed (LP: #1897854)
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type (LP: 1304107 1621042)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types
      - d/qemu-system-x86.NEWS Info on fixed machine type definitions
        for host-phys-bits=true (LP: 1776189)
      - add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - provide pseries-bionic-2.11-sxxm type as convenience with all
        meltdown/spectre workarounds enabled by default. (LP: 1761372).
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - improved dependencies
      - Make qemu-system-common depend on qemu-block-extra
      - Make qemu-utils depend on qemu-block-extra
      - let qemu-utils recommend sharutils
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/control-in: Disable capstone disassembler library support (universe)
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - d/control*, d/rules: disable xen by default, but provide universe
      package qemu-system-x86-xen as alternative
      [includes compat links changes of 5.0-5ubuntu4]
    - allow qemu to load old modules post upgrade (LP 1847361)
      - d/qemu-block-extra.*.in, d/qemu-system-gui.*.in: save shared objects on
        upgrade
      - d/rules: generate maintainer scripts matching package version on build
      - d/rules: enable --enable-module-upgrades where --enable-modules is set
    - d/control: regenerate debian/control out of control-in
  * Dropped changes [in Debian or no more needed]
    - d/control-in: disable pmem on ppc64 as it is currently considered
      experimental on that architecture (pmdk v1.8-1)
    - d/rules: makefile definitions can't be recursive - sys_systems for s390x
    - d/rules: report config log from the correct subdir
    - d/control-in: disable rbd support unavailable on riscv (LP: 1872931)
    - Pick further changes for groovy from debian/master since 5.0-5
      - ati-vga-check-mm_index-before-recursive-call-CVE-2...

This bug was fixed in the package qemu - 1:5.1+dfsg-4ubuntu1

---------------
qemu (1:5.1+dfsg-4ubuntu1) hirsute; urgency=medium

* Merge with Debian testing, remaining changes:
    Fixes qemu-arm-static Assertion `guest_base != 0' failed (LP: #1897854)
    - qemu-kvm to systemd unit
      - d/qemu-kvm-init: script for QEMU KVM preparation modules, ksm,
        hugepages and architecture specifics
      - d/qemu-system-common.qemu-kvm.service: systemd unit to call
        qemu-kvm-init
      - d/qemu-system-common.install: install helper script
      - d/qemu-system-common.qemu-kvm.default: defaults for
        /etc/default/qemu-kvm
      - d/rules: call dh_installinit and dh_installsystemd for qemu-kvm
    - Distribution specific machine type (LP: 1304107 1621042)
      - d/p/ubuntu/define-ubuntu-machine-types.patch: define distro machine
        types
      - d/qemu-system-x86.NEWS Info on fixed machine type definitions
        for host-phys-bits=true (LP: 1776189)
      - add an info about -hpb machine type in debian/qemu-system-x86.NEWS
      - provide pseries-bionic-2.11-sxxm type as convenience with all
        meltdown/spectre workarounds enabled by default. (LP: 1761372).
      - ubuntu-q35 alias added to auto-select the most recent q35 ubuntu type
    - Enable nesting by default
      - d/p/ubuntu/enable-svm-by-default.patch: Enable nested svm by default
        in qemu64 on amd
        [ No more strictly needed, but required for backward compatibility ]
    - improved dependencies
      - Make qemu-system-common depend on qemu-block-extra
      - Make qemu-utils depend on qemu-block-extra
      - let qemu-utils recommend sharutils
    - tolerate ipxe size change on migrations to >=18.04 (LP: 1713490)
      - d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: old machine types
        reference 256k path
      - d/control-in: depend on ipxe-qemu-256k-compat-efi-roms to be able to
        handle incoming migrations from former releases.
    - d/control-in: Disable capstone disassembler library support (universe)
    - d/qemu-system-x86.README.Debian: add info about updated nesting changes
    - d/control*, d/rules: disable xen by default, but provide universe
      package qemu-system-x86-xen as alternative
      [includes compat links changes of 5.0-5ubuntu4]
    - allow qemu to load old modules post upgrade (LP 1847361)
      - d/qemu-block-extra.*.in, d/qemu-system-gui.*.in: save shared objects on
        upgrade
      - d/rules: generate maintainer scripts matching package version on build
      - d/rules: enable --enable-module-upgrades where --enable-modules is set
    - d/control: regenerate debian/control out of control-in
  * Dropped changes [in Debian or no more needed]
    - d/control-in: disable pmem on ppc64 as it is currently considered
      experimental on that architecture (pmdk v1.8-1)
    - d/rules: makefile definitions can't be recursive - sys_systems for s390x
    - d/rules: report config log from the correct subdir
    - d/control-in: disable rbd support unavailable on riscv (LP: 1872931)
    - Pick further changes for groovy from debian/master since 5.0-5
      - ati-vga-check-mm_index-before-recursive-call-CVE-2020-13800.patch
      - revert-memory-accept-mismatching-sizes-in-memory_region_access_...patch
      - exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
      - megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
      - megasas-use-unsigned-type-for-positive-numeric-fields.patch
      - megasas-fix-possible-out-of-bounds-array-access.patch
      - nbd-server-avoid-long-error-message-assertions-CVE-2020-10761.patch
      - es1370-check-total-frame-count-against-current-...-CVE-2020-13361.patch
      - a few patches from the stable series:
        - fix-tulip-breakage.patch
        - 9p-lock-directory-streams-with-a-CoMutex.patch
          Prevent deadlocks in 9pfs readdir code
        - net-do-not-include-a-newline-in-the-id-of-nic-device.patch
          Fix newline accidentally sneaked into id string of a nic
        - qemu-nbd-close-inherited-stderr.patch
        - virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
        - virtio-balloon-fix-free-page-hinting-without-an-iothread.patch
        - virtio-balloon-unref-the-iothread-when-unrealizing.patch
      - acpi-tmr-allow-2-byte-reads.patch
      - reapply CVE-2020-13253 fixes from upstream
      - linux-user-refactor-ipc-syscall-and-support-of-semtimedop.patch
      - linux-user-add-netlink-RTM_SETLINK-command.patch
      - d/control: since qemu-system-data now contains module(s),
        it can't be multi-arch. Ditto for qemu-block-extra.
      - qemu-system-foo: depend on exact version of qemu-system-data,
        due to the latter having modules
      - acpi-allow-accessing-acpi-cnt-register-by-byte.patch'
        This is another incarnation of the recent bugfix which actually enabled
        memory access constraints, like #964247
      - acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
        this replace acpi-allow-accessing-acpi-cnt-register-by-byte.patch
        and acpi-tmr-allow-2-byte-reads.patch, a more complete fix
      - xhci-fix-valid.max_access_size-to-access-address-registers.patch
        fix one more incarnation of the breakage after the CVE-2020-13754 fix
      - do not install outdated (0.12 and before) Changelog
      - xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
        ARM-only XGMAC NIC, possible buffer overflow during packet transmission
        Closes: CVE-2020-15863
      - sm501 OOB read/write due to integer overflow in sm501_2d_operation()
      - riscv-allow-64-bit-access-to-SiFive-CLINT.patch
        another fix for revert-memory-accept-.. CVE-2020-13754
      - seabios-hppa-fno-ipa-sra.patch fix ftbfs with gcc-10
    - d/control-in: build-dep libcap is no more needed
    - arch aware kvm wrappers
      [upstream now automatically enables KVM if available and called with
       kvm* name, provides KVM as before but with auto-fallback to tcg.
       Former behavior of KVM-or-die can be achieved via -machine accel=kvm ]
  * Dropped changes [upstream now]
    - d/p/u/usb-fix-setup_len-init-CVE-2020-14364.patch: sanity check usb
      setup_len
    - d/p/u/lp-1887930-*: Enable Channel Path Handling for vfio-ccw (LP 1887930)
    - d/p/u/lp-1894942-*: fix virtio-ccw host/guest notification (LP 1894942)
    - d/p/ubuntu/lp-1887935-vfio-ccw-allow-non-prefetch-ORBs.patch: fix boot
      from vfio-ccw (LP 1887935)
    - fix qemu-user-static initialization to allow executing systemd (LP 1890881)
    - fix assertion failue in net_tx_pkt_add_raw_fragment (LP 1891187)
    - d/p/ubuntu/lp-1883984-target-s390x-Fix-SQXBR.patch: avoid crash on
      SQXBR (LP 1883984)
    - d/p/lp-1890154-*: fix -no-reboot on s390x secure boot (LP 1890154)
    - d/p/ubuntu/lp-1887763-*: fix TCG sizing that OOMed many small CI
      environments (LP 1887763)
    - d/p/ubuntu/lp-1835546-*: backport the s390x protvirt feature (LP 1835546)
    - debian/patches/ubuntu/lp-1878973-*: fix assert in qemu-guest-agent that
      crashes it on shutdown (LP 1878973)
    - update d/p/ubuntu/lp-1835546-* to the final versions
    - d/p/ubuntu/virtio-net-fix-rsc_ext-compat-handling.patch: fix
      FTBFS in groovy
  * Added Changes:
    - update ubuntu machine types for hirsute@5.1
    - d/control: regenerated from d/control-in
    - d/control, d/rules: build with gcc-9 on armhf as workaround until
      resolved in gcc-10 (LP: 1890435)

qemu (1:5.1+dfsg-4) unstable; urgency=high

* mention closing of CVE-2020-16092 by 5.1
  * usb-fix-setup_len-init-CVE-2020-14364.patch
    Closes: #968947, CVE-2020-14364
    (OOB r/w access in USB emulation)

qemu (1:5.1+dfsg-3) unstable; urgency=medium

* fix one more issue in last upload. This is what happens when
    you do "obvious" stuff in a hurry without proper testing..

qemu (1:5.1+dfsg-2) unstable; urgency=medium

* fix brown-paper bag bug in last upload

qemu (1:5.1+dfsg-1) unstable; urgency=medium

* hw-display-qxl.so depends on spice so install it
    only if it is built just like ui-spice-app
  * note #931046 for libfdt

qemu (1:5.1+dfsg-0exp1) experimental; urgency=medium

* new upstream release 5.1.0. Make source DFSG-clean again
    Closes: #968088
    Closes: CVE-2020-16092 (net_tx_pkt_add_raw_fragment in e1000e & vmxnet3)
  * remove all patches which are applied upstream
  * do not install non-existing doc/qemu/*-ref.*
  * qemu-pr-helper is now in /usr/lib/qemu not /usr/bin
  * virtfs-proxy-helper is in /usr/lib/qemu now, not /usr/bin
  * new architecture: qemu-system-avr
  * refresh d/get-orig-source.sh
  * d/get-orig-source.sh: report already removed files in dfsg-clean
  * install common modules in qemu-system-common
  * lintian tag renamed: shared-lib-without-dependency-information to
    shared-library-lacks-prerequisites

qemu (1:5.0-14) unstable; urgency=high

* this is a bugfix release before breaking toys with the new upstream
  * riscv-allow-64-bit-access-to-SiFive-CLINT.patch
    (another fix for revert-memory-accept-..-CVE-2020-13754)
  * install /usr/lib/*/qemu/ui-curses.so in qemu-system-common
    Closes: #966517

qemu (1:5.0-13) unstable; urgency=medium

* seabios-hppa-fno-ipa-sra.patch
    fix ftbfs with gcc-10

qemu (1:5.0-12) unstable; urgency=medium

* acpi-accept-byte-and-word-access-to-core-ACPI-registers.patch
    this replace cpi-allow-accessing-acpi-cnt-register-by-byte.patch
    and acpi-tmr-allow-2-byte-reads.patch, a more complete fix
  * xhci-fix-valid.max_access_size-to-access-address-registers.patch
    fix one more incarnation of the breakage after the CVE-2020-13754 fix
  * do not install outdated (0.12 and before) Changelog (Closes: #965381)
  * xgmac-fix-buffer-overflow-in-xgmac_enet_send-CVE-2020-15863.patch
    ARM-only XGMAC NIC, possible buffer overflow during packet transmission
    Closes: CVE-2020-15863
  * sm501 OOB read/write due to integer overflow in sm501_2d_operation()
    List of patches:
     sm501-convert-printf-abort-to-qemu_log_mask.patch
     sm501-shorten-long-variable-names-in-sm501_2d_operation.patch
     sm501-use-BIT-macro-to-shorten-constant.patch
     sm501-clean-up-local-variables-in-sm501_2d_operation.patch
     sm501-replace-hand-written-implementation-with-pixman-CVE-2020-12829.patch
    Closes: #961451, CVE-2020-12829

qemu (1:5.0-11) unstable; urgency=high

* d/control-in: only enable opengl (libdrm&Co) on linux
  * d/control-in: spice: drop versioned deps (even jessie version is enough),
    drop libspice-protocol-dev (automatically pulled by libspice-server-dev),
    and build on more architectures
  * change from debhelper versioned dependency to debhelper-compat (=12)
  * acpi-allow-accessing-acpi-cnt-register-by-byte.patch' (Closes: #964793)
    This is another incarnation of the recent bugfix which actually enabled
    memory access constraints, like #964247
    Urgency = high due to this issue.

qemu (1:5.0-10) unstable; urgency=medium

* fix the wrong $(if) construct for s390x kvm link (FTBFS on s390x)
  * use the same $(if) construct to simplify #ifdeffery

qemu (1:5.0-9) unstable; urgency=medium

* move kvm executable/script from qemu-kvm to qemu-system-foo,
    make it multi-arch, and remove qemu-kvm package
  * remove libcacard leftovers from d/.gitignore
  * linux-user-refactor-ipc-syscall-and-support-of-semtimedop.patch
    (Closes: #965109)
  * linux-user-add-netlink-RTM_SETLINK-command.patch (Closes: #964289)
  * libudev is linux-specific, do not build-depend on it
    on kfreebsd and others
  * install virtiofsd in d/rules (!sparc64) instead of
    d/qemu-system-common.install (fixes FTBFS on sparc64)
  * confirm -static-pie not working today still
  * d/control: since qemu-system-data now contains module(s),
    it can't be multi-arch. Ditto for qemu-block-extra.
  * qemu-system-foo: depend on exact version of qemu-system-data,
    due to the latter having modules
  * build all modules since there are modules anyway,
    no need to hack them in d/rules
  * fix spelling in a patch name/subject inlast upload
  * d/rules: do not use dh_install and dh_movefiles for individual
    pkgs, open-code mkdir+cp/mv, b/c dh_install acts on all files
    listed in d/foo.install too, in addition to given on command-line
  * remove trailing whitespace from d/changelog

qemu (1:5.0-8) unstable; urgency=medium

* d/control: rdma is linux-only, do not enable it on kfreebsd & hurd
  * add comment about virtiofsd conditional to d/qemu-system-common.install
    Now qemu FTBFS on sparc64 since virtiofsd is not built due to missing
    seccomp onn that platform, we should either make virtiofsd conditional
    (!sparc64) or fix seccomp on sparc64 and build-depend on it
  * openbios-use-source_date_epoch-in-makefile.patch (Closes: #963466)
  * seabios-hppa-use-consistant-date-and-remove-hostname.patch (Closes: #963467)
  * slof-remove-user-and-host-from-release-version.patch (Closes: #963472)
  * slof-ensure-ld-is-called-with-C-locale.patch (Closes: #963470)
  * update previous changelog, mention #945997
  * reapply CVE-2020-13253 fixed from upstream:
    sdcard-simplify-realize-a-bit.patch (preparation for the next patch)
    sdcard-dont-allow-invalid-SD-card-sizes.patch (half part of CVE-2020-13253)
    sdcard-update-coding-style-to-make-checkpatch-happy.patch (preparational)
    sdcard-dont-switch-to-ReceivingData-if-address-is-in..-CVE-2020-13253.patch
    Closes: #961297, CVE-2020-13253

qemu (1:5.0-7) unstable; urgency=medium

* Revert "d/rules: report config log from the correct subdir - base build"
  * Revert "d/rules: report config log from the correct subdir - microvm build"
  * acpi-tmr-allow-2-byte-reads.patch (Closes: #964247)
  * remove sdcard-dont-switch-to-ReceivingData-if-add...-CVE-2020-13253.patch -
    upstream decided to fix it differently (Reopens: #961297, CVE-2020-13253)
  * explicitly specify --enable-tools on hppa and do the same trick
    with --enable-tcg-interpreter --enable-tools on a few other unsupported
    arches (Closes: #964372, #945997)

qemu (1:5.0-6) unstable; urgency=medium

[ Christian Ehrhardt ]
  * d/control-in: disable pmem on ppc64 as it is currently considered
    experimental on that architecture
  * d/rules: makefile definitions can't be recursive - sys_systems for s390x
  * d/rules: report config log from the correct subdir - base build
  * d/rules: report config log from the correct subdir - microvm build
  * d/control-in: disable rbd support unavailable on riscv
  * fix assert in qemu guest agent that crashes on shutdown (LP: #1878973)
  * d/control-in: build-dep libcap is no more needed
  * d/rules: update -spice compat (Ubuntu only)

[ Michael Tokarev ]
  * save block modules on upgrades (LP: #1847361)
    After upgrade a still running qemu of a former version can't load the
    new modules e.g. for extended storage support. Qemu 5.0 has the code to
    allow defining a path that it will load these modules from.
  * ati-vga-check-mm_index-before-recursive-call-CVE-2020-13800.patch
    Closes: CVE-2020-13800, ati-vga allows guest OS users to trigger
    infinite recursion via a crafted mm_index value during
    ati_mm_read or ati_mm_write call.
  * revert-memory-accept-mismatching-sizes-in-memory_region_access_valid...patch
    Closes: CVE-2020-13754, possible OOB memory accesses in a bunch of qemu
    devices which uses min_access_size and max_access_size Memory API fields.
    Also closes: CVE-2020-13791
  * exec-set-map-length-to-zero-when-returning-NULL-CVE-2020-13659.patch
    CVE-2020-13659: address_space_map in exec.c can trigger
    a NULL pointer dereference related to BounceBuffer
  * megasas-use-unsigned-type-for-reply_queue_head-and-check-index...patch
    Closes: #961887, CVE-2020-13362, megasas_lookup_frame in hw/scsi/megasas.c
    has an OOB read via a crafted reply_queue_head field from a guest OS user
  * megasas-use-unsigned-type-for-positive-numeric-fields.patch
    fix other possible cases like in CVE-2020-13362 (#961887)
  * megasas-fix-possible-out-of-bounds-array-access.patch
    Some tracepoints use a guest-controlled value as an index into the
    mfi_frame_desc[] array. Thus a malicious guest could cause a very low
    impact OOB errors here
  * nbd-server-avoid-long-error-message-assertions-CVE-2020-10761.patch
    Closes: CVE-2020-10761, An assertion failure issue in the QEMU NBD Server.
    This flaw occurs when an nbd-client sends a spec-compliant request that is
    near the boundary of maximum permitted request length. A remote nbd-client
    could use this flaw to crash the qemu-nbd server resulting in a DoS.
  * es1370-check-total-frame-count-against-current-frame-CVE-2020-13361.patch
    Closes: CVE-2020-13361, es1370_transfer_audio in hw/audio/es1370.c does not
    properly validate the frame count, which allows guest OS users to trigger
    an out-of-bounds access during an es1370_write() operation
  * sdcard-dont-switch-to-ReceivingData-if-address-is-in...-CVE-2020-13253.patch
    CVE-2020-13253: sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated
    address, which leads to an out-of-bounds read during sdhci_write()
    operations.  A guest OS user can crash the QEMU process.
    And a preparational patch,
    sdcard-update-coding-style-to-make-checkpatch-happy.patch
  * a few patches from the stable series:
    - fix-tulip-breakage.patch
      The tulip network driver in a qemu-system-hppa emulation is broken in
      the sense that bigger network packages aren't received any longer and
      thus even running e.g. "apt update" inside the VM fails. Fix this.
    - 9p-lock-directory-streams-with-a-CoMutex.patch
      Prevent deadlocks in 9pfs readdir code
    - net-do-not-include-a-newline-in-the-id-of-nic-device.patch
      Fix newline accidentally sneaked into id string of a nic
    - qemu-nbd-close-inherited-stderr.patch
    - virtio-balloon-fix-free-page-hinting-check-on-unreal.patch
    - virtio-balloon-fix-free-page-hinting-without-an-iothread.patch
    - virtio-balloon-unref-the-iothread-when-unrealizing.patch

[ Aurelien Jarno ]
  * Remove myself from maintainers

-- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 29 Oct 2020 12:37:31 +0100

Changed in qemu (Ubuntu):
status:	Triaged → Fix Released

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2020-11-30:

#6

We've bundled this fix for Groovy (Thanks Mark) with another upcoming upload.
This should soon be resolved in groovy as well.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-11-30:

#7

This bug was fixed in the package qemu - 1:5.0-5ubuntu9.2

---------------
qemu (1:5.0-5ubuntu9.2) groovy-security; urgency=medium

  * SECURITY UPDATE: heap buffer overflow in sdhci_sdma_transfer_multi_blocks()
    - debian/patches/ubuntu/CVE-2020-17380.patch: fix DMA Transfer Block
      Size field in hw/sd/sdhci.c.
    - CVE-2020-17380
    - CVE-2020-25085
  * SECURITY UPDATE: use-after-free via unchecked return value
    - debian/patches/ubuntu/CVE-2020-25084.patch: check return value of
      'usb_packet_map' in hw/usb/hcd-xhci.c.
    - CVE-2020-25084
  * SECURITY UPDATE: out-of-bound access issue
    - debian/patches/ubuntu/CVE-2020-25624.patch: check len and
      frame_number variables in hw/usb/hcd-ohci.c.
    - CVE-2020-25624
  * SECURITY UPDATE: infinite loop when a TD list has a loop
    - debian/patches/ubuntu/CVE-2020-25625.patch: check for processed TD
      before retire in hw/usb/hcd-ohci.c.
    - CVE-2020-25625
  * SECURITY UPDATE: assertion failure through usb_packet_unmap()
    - debian/patches/ubuntu/CVE-2020-25723.patch: check return value of
      'usb_packet_map' in hw/usb/hcd-ehci.c.
    - CVE-2020-25723
  * SECURITY UPDATE: bounds issue in ati_2d_blt
    - debian/patches/ubuntu/CVE-2020-27616.patch: check x y display
      parameter values in hw/display/ati_2d.c.
    - CVE-2020-27616
  * SECURITY UPDATE: assertion failure
    - debian/patches/ubuntu/CVE-2020-27617.patch: remove an assert call in
      eth_get_gso_type in net/eth.c.
    - CVE-2020-27617
  * Assertion failure via zero mmap_min_addr (LP: #1897854)
    - debian/patches/ubuntu/lp1897854-Ensure-mmap_min_addr-is-non-zero.patch:
      ensure mmap_min_addr is non-zero in linux-user/main.c.

-- Marc Deslauriers <email address hidden> Fri, 20 Nov 2020 08:02:13 -0500

Changed in qemu (Ubuntu Groovy):
status:	New → Fix Released

Affects		Status	Importance	Assigned to	Milestone
	qemu (Ubuntu)	Fix Released	Undecided	Unassigned
	Groovy	Fix Released	Undecided	Unassigned

Ubuntu
qemu package

groovy qemu-arm-static: /build/qemu-W3R0Rj/qemu-5.0/linux-user/elfload.c:2317: pgb_reserved_va: Assertion `guest_base != 0' failed.

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntuqemu package

groovy qemu-arm-static: /build/qemu-W3R0Rj/qemu-5.0/linux-user/elfload.c:2317: pgb_reserved_va: Assertion `guest_base != 0' failed.

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
qemu package