gentoo/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch

From: Prasad J Pandit <address@hidden>

The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.

Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
 hw/dma/rc4030.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
         break;
     /* Interval timer reload */
     case 0x0228:
-        s->itr = val;
+        s->itr = val & 0x01FF;
         qemu_irq_lower(s->timer_irq);
         set_next_tick(s);
         break;
-- 
2.5.5
[app-emulation/qemu] sync with tree 2016-10-27 17:01:55 +02:00			`From: Prasad J Pandit <address@hidden>`

			`The JAZZ RC4030 chipset emulator has a periodic timer and`
			`associated interval reload register. The reload value is used`
			`as divider when computing timer's next tick value. If reload`
			`value is large, it could lead to divide by zero error. Limit`
			`the interval reload value to avoid it.`

			`Reported-by: Huawei PSIRT <address@hidden>`
			`Signed-off-by: Prasad J Pandit <address@hidden>`
			`---`
			`hw/dma/rc4030.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c`
			`index 2f2576f..c1b4997 100644`
			`--- a/hw/dma/rc4030.c`
			`+++ b/hw/dma/rc4030.c`
			`@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,`
			`break;`
			`/* Interval timer reload */`
			`case 0x0228:`
			`- s->itr = val;`
			`+ s->itr = val & 0x01FF;`
			`qemu_irq_lower(s->timer_irq);`
			`set_next_tick(s);`
			`break;`
			`--`
			`2.5.5`