[app-emulation/qemu] bump to include cve fixes, remove vgabios stuff from it, pin seabios to in-overlay version so we don't clash with tree

app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch

@@ -0,0 +1,40 @@
+From 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 3 Apr 2014 19:52:25 +0300
+Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
+
+CVE-2013-4541
+
+s->setup_len and s->setup_index are fed into usb_packet_copy as
+size/offset into s->data_buf, it's possible for invalid state to exploit
+this to load arbitrary data.
+
+setup_len and setup_index should be checked to make sure
+they are not negative.
+
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+---
+ hw/usb/bus.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index fe70429..e48b19f 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
+     } else {
+         dev->attached = 1;
+     }
+-    if (dev->setup_index >= sizeof(dev->data_buf) ||
++    if (dev->setup_index < 0 ||
++        dev->setup_len < 0 ||
++        dev->setup_index >= sizeof(dev->data_buf) ||
+         dev->setup_len >= sizeof(dev->data_buf)) {
+         return -EINVAL;
+     }
+-- 
+1.9.3
+

app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch

@@ -0,0 +1,48 @@
+From 42eb58179b3b215bb507da3262b682b8a2ec10b5 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 15 May 2014 16:10:11 +0200
+Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222)
+
+Too large L2 table sizes cause unbounded allocations. Images actually
+created by qemu-img only have 512 byte or 4k L2 tables.
+
+To keep things consistent with cluster sizes, allow ranges between 512
+bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
+working, but L2 table sizes smaller than a cluster don't make a lot of
+sense).
+
+This also means that the number of bytes on the virtual disk that are
+described by the same L2 table is limited to at most 8k * 64k or 2^29,
+preventively avoiding any integer overflows.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+---
+ block/qcow.c               |  8 ++++++++
+ tests/qemu-iotests/092     | 15 +++++++++++++++
+ tests/qemu-iotests/092.out | 11 +++++++++++
+ 3 files changed, 34 insertions(+)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index e60df23..e8038e5 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+         goto fail;
+     }
+ 
++    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
++     * so bytes = num_entries << 3. */
++    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
++        error_setg(errp, "L2 table size must be between 512 and 64k");
++        ret = -EINVAL;
++        goto fail;
++    }
++
+     if (header.crypt_method > QCOW_CRYPT_AES) {
+         error_setg(errp, "invalid encryption method in qcow header");
+         ret = -EINVAL;
+-- 
+1.9.3
+

app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch

@@ -0,0 +1,57 @@
+From 46485de0cb357b57373e1ca895adedf1f3ed46ec Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Thu, 8 May 2014 13:08:20 +0200
+Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223)
+
+A huge image size could cause s->l1_size to overflow. Make sure that
+images never require a L1 table larger than what fits in s->l1_size.
+
+This cannot only cause unbounded allocations, but also the allocation of
+a too small L1 table, resulting in out-of-bounds array accesses (both
+reads and writes).
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/qcow.c               | 16 ++++++++++++++--
+ tests/qemu-iotests/092     |  9 +++++++++
+ tests/qemu-iotests/092.out |  7 +++++++
+ 3 files changed, 30 insertions(+), 2 deletions(-)
+
+diff --git a/block/qcow.c b/block/qcow.c
+index e8038e5..3566c05 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
+     int cluster_sectors;
+     int l2_bits;
+     int l2_size;
+-    int l1_size;
++    unsigned int l1_size;
+     uint64_t cluster_offset_mask;
+     uint64_t l1_table_offset;
+     uint64_t *l1_table;
+@@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+ 
+     /* read the level 1 table */
+     shift = s->cluster_bits + s->l2_bits;
+-    s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
++    if (header.size > UINT64_MAX - (1LL << shift)) {
++        error_setg(errp, "Image too large");
++        ret = -EINVAL;
++        goto fail;
++    } else {
++        uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
++        if (l1_size > INT_MAX / sizeof(uint64_t)) {
++            error_setg(errp, "Image too large");
++            ret = -EINVAL;
++            goto fail;
++        }
++        s->l1_size = l1_size;
++    }
+ 
+     s->l1_table_offset = header.l1_table_offset;
+     s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
+-- 
+1.9.3
+

app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch

@@ -0,0 +1,52 @@
+From 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Wed, 7 May 2014 17:30:30 +0200
+Subject: [PATCH] qcow1: Check maximum cluster size
+
+Huge values for header.cluster_bits cause unbounded allocations (e.g.
+for s->cluster_cache) and crash qemu this way. Less huge values may
+survive those allocations, but can cause integer overflows later on.
+
+The only cluster sizes that qemu can create are 4k (for standalone
+images) and 512 (for images with backing files), so we can limit it
+to 64k.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Reviewed-by: Benoit Canet <benoit@irqsave.net>
+---
+ block/qcow.c               | 10 ++++++--
+ tests/qemu-iotests/092     | 63 ++++++++++++++++++++++++++++++++++++++++++++++
+ tests/qemu-iotests/092.out | 13 ++++++++++
+ tests/qemu-iotests/group   |  1 +
+ 4 files changed, 85 insertions(+), 2 deletions(-)
+ create mode 100755 tests/qemu-iotests/092
+ create mode 100644 tests/qemu-iotests/092.out
+
+diff --git a/block/qcow.c b/block/qcow.c
+index 3684794..e60df23 100644
+--- a/block/qcow.c
++++ b/block/qcow.c
+@@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
+         goto fail;
+     }
+ 
+-    if (header.size <= 1 || header.cluster_bits < 9) {
+-        error_setg(errp, "invalid value in qcow header");
++    if (header.size <= 1) {
++        error_setg(errp, "Image size is too small (must be at least 2 bytes)");
+         ret = -EINVAL;
+         goto fail;
+     }
++    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
++        error_setg(errp, "Cluster size must be between 512 and 64k");
++        ret = -EINVAL;
++        goto fail;
++    }
++
+     if (header.crypt_method > QCOW_CRYPT_AES) {
+         error_setg(errp, "invalid encryption method in qcow header");
+         ret = -EINVAL;
+-- 
+1.9.3
+

app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch

@@ -0,0 +1,41 @@
+https://bugs.gentoo.org/510208
+
+From 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Tue, 13 May 2014 12:33:16 +0300
+Subject: [PATCH] usb: fix up post load checks
+
+Correct post load checks:
+1. dev->setup_len == sizeof(dev->data_buf)
+    seems fine, no need to fail migration
+2. When state is DATA, passing index > len
+   will cause memcpy with negative length,
+   resulting in heap overflow
+
+First of the issues was reported by dgilbert.
+
+Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Juan Quintela <quintela@redhat.com>
+---
+ hw/usb/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index 699aa10..927a47b 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
+     }
+     if (dev->setup_index < 0 ||
+         dev->setup_len < 0 ||
+-        dev->setup_index >= sizeof(dev->data_buf) ||
+-        dev->setup_len >= sizeof(dev->data_buf)) {
++        dev->setup_index > dev->setup_len ||
++        dev->setup_len > sizeof(dev->data_buf)) {
+         return -EINVAL;
+     }
+     return 0;
+-- 
+1.9.3
+

app-emulation/qemu/qemu-2.0.0-r1.ebuild

@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.0.0.ebuild,v 1.2 2014/04/20 02:04:18 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.0.0-r1.ebuild,v 1.2 2014/05/31 16:14:44 vapier Exp $
 
 EAPI=5
 
@@ -90,12 +90,12 @@ RDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} )
 	!static-user? ( ${USER_LIB_DEPEND//\[static-libs(+)]} )
 	qemu_softmmu_targets_i386? (
 		>=sys-firmware/ipxe-1.0.0_p20130624
-		~sys-firmware/seabios-1.7.4
+		=sys-firmware/seabios-1.7.4-r1
 		~sys-firmware/sgabios-0.1_pre8
 	)
 	qemu_softmmu_targets_x86_64? (
 		>=sys-firmware/ipxe-1.0.0_p20130624
-		~sys-firmware/seabios-1.7.4
+		=sys-firmware/seabios-1.7.4-r1
 		~sys-firmware/sgabios-0.1_pre8
 	)
 	accessibility? ( app-accessibility/brltty )
@@ -227,7 +227,12 @@ src_prepare() {
 		Makefile Makefile.target || die
 
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
-	epatch "${FILESDIR}"/qemu-9999-virtfs-proxy-helper-accept.patch
+	epatch "${FILESDIR}"/qemu-9999-virtfs-proxy-helper-accept.patch #486714
+	epatch "${FILESDIR}"/${P}-CVE-2013-4541.patch #510208
+	epatch "${FILESDIR}"/${P}-usb-post-load-checks.patch #510208
+	epatch "${FILESDIR}"/${P}-qcow-check-max-sizes.patch #510234
+	epatch "${FILESDIR}"/${P}-CVE-2014-0222.patch #510234
+	epatch "${FILESDIR}"/${P}-CVE-2014-0223.patch #510234
 	[[ -n ${BACKPORTS} ]] && \
 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
 			epatch
@@ -269,6 +274,7 @@ qemu_src_configure() {
 		--disable-werror
 		--python="${PYTHON}"
 		--cc="$(tc-getCC)"
+		--cxx="$(tc-getCXX)"
 		--host-cc="$(tc-getBUILD_CC)"
 		$(use_enable debug debug-info)
 		$(use_enable debug debug-tcg)
@@ -446,16 +452,6 @@ src_install() {
 			udev_dorules "${FILESDIR}"/65-kvm.rules
 		fi
 
-		if use qemu_softmmu_targets_x86_64 ; then
-			newbin "${FILESDIR}/qemu-kvm-1.4" qemu-kvm
-			ewarn "The deprecated '/usr/bin/kvm' symlink is no longer installed"
-			ewarn "You should use '/usr/bin/qemu-kvm', you may need to edit"
-			ewarn "your libvirt configs or other wrappers for ${PN}"
-		elif use x86 || use amd64; then
-			elog "You disabled QEMU_SOFTMMU_TARGETS=x86_64, this disables install"
-			elog "of the /usr/bin/qemu-kvm script."
-		fi
-
 		if use python; then
 			python_foreach_impl qemu_python_install
 		fi
@@ -536,6 +532,13 @@ pkg_postinst() {
 		ewarn "any saved states with a newer qemu."
 		ewarn
 		ewarn "qemu-kvm was the primary qemu provider in Gentoo through 1.2.x"
+
+		if use x86 || use amd64; then
+			ewarn
+			ewarn "The /usr/bin/kvm and /usr/bin/qemu-kvm wrappers are no longer"
+			ewarn "installed.  In order to use kvm acceleration, pass the flag"
+			ewarn "-enable-kvm when running your system target."
+		fi
 	fi
 
 	virtfs_caps+="cap_chown,cap_dac_override,cap_fowner,cap_fsetid,"