
[app-emulation/qemu] sync with tree

master
Robert Förster 6 years ago
parent
commit
e4e0ab828b
  1. 34
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch
  2. 38
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch
  3. 31
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch
  4. 26
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch
  5. 45
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch
  6. 52
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch
  7. 32
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch
  8. 25
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch
  9. 26
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch
  10. 61
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch
  11. 34
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch
  12. 58
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch
  13. 30
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch
  14. 29
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
  15. 34
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch
  16. 31
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch
  17. 29
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch
  18. 4
      app-emulation/qemu/files/qemu-binfmt.initd-r1
  19. 24
      app-emulation/qemu/qemu-2.7.0-r5.ebuild

34
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch

@ -0,0 +1,34 @@
From: Prasad J Pandit <address@hidden>
Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.
Cc: address@hidden
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/vmw_pvscsi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index babac5a..a5ce7de 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -247,8 +247,11 @@ static hwaddr
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
{
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- if (ready_ptr != mgr->consumed_ptr) {
+ if (ready_ptr != mgr->consumed_ptr
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
uint32_t next_ready_ptr =
mgr->consumed_ptr++ & mgr->txr_len_mask;
uint32_t next_ready_page =
--
1.8.3.1
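Review bot: The new bound `ring_size` is the compile-time maximum (`PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE`), not the ring the guest actually configured, which the context line `mgr->consumed_ptr++ & mgr->txr_len_mask` suggests is `txr_len_mask + 1`; the loop is therefore bounded, but a guest can still drive it for up to ring_size iterations rather than the configured length. The termination also relies on unsigned arithmetic: once consumed_ptr passes ready_ptr the difference wraps past ring_size (assuming consumed_ptr is a uint32_t like ready_ptr, which the hunk does not show). That deserves a comment on the new condition, e.g. `/* unsigned subtraction: once consumed_ptr overtakes ready_ptr the difference wraps past ring_size and the loop ends */`. pvscsi_ring_pop_req_descr continues beyond the hunk.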

38
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch

@ -0,0 +1,38 @@
From: Prasad J Pandit <address@hidden>
virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference
while un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/virtio/virtio.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 15ee3a7..0a4c5b6 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
}
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
- iov[num_sg].iov_len = len;
- addr[num_sg] = pa;
+ if (iov[num_sg].iov_base) {
+ iov[num_sg].iov_len = len;
+ addr[num_sg] = pa;
+ pa += len;
+ num_sg++;
+ }
sz -= len;
- pa += len;
- num_sg++;
}
*p_num_sg = num_sg;
}
--
2.5.5
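Review bot: A NULL return from cpu_physical_memory_map() is now skipped, but the context line `sz -= len;` still executes with whatever the failed call left in `len`: if that is 0 the enclosing loop, whose condition lies outside the hunk, makes no forward progress, and if it is non-zero the descriptor's bytes are dropped without any diagnostic and `*p_num_sg` silently reports a shorter list than the guest asked for. Ending the walk on the first unmappable descriptor is clearer than skipping it, e.g. `} else {` / `qemu_log_mask(LOG_GUEST_ERROR, "%s: cannot map descriptor\n", __func__);` / `break; }`, provided the caller is confirmed to cope with a partial sg list. Whether cpu_physical_memory_map() zeroes `len` on failure is not visible here and should be checked before relying on either branch.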

31
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch

@ -0,0 +1,31 @@
From: Li Qiang <address@hidden>
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/mptsas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;
--
1.8.3.1

26
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch

@ -0,0 +1,26 @@
From: Li Qiang <address@hidden>
If the xhci uses msix, it doesn't free the corresponding
memory, thus leading a memory leak. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/usb/hcd-xhci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 188f954..281a2a5 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
/* destroy msix memory region */
if (dev->msix_table && dev->msix_pba
&& dev->msix_entry_used) {
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
}
usb_bus_release(&xhci->bus);
--
1.8.3.1

45
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch

@ -0,0 +1,45 @@
From: Prasad J Pandit <address@hidden>
i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/imx_fec.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Update per
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 1c415ab..1d74827 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
#define PHY_INT_PARFAULT (1 << 2)
#define PHY_INT_AUTONEG_PAGE (1 << 1)
+#define IMX_MAX_DESC 1024
+
static void imx_eth_update(IMXFECState *s);
/*
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
static void imx_fec_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXFECBufDesc bd;
int len;

52
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch

@ -0,0 +1,52 @@
From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH] net: mcf: limit buffer descriptor count
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/mcf_fec.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
#define DPRINTF(fmt, ...) do {} while(0)
#endif
+#define FEC_MAX_DESC 1024
#define FEC_MAX_FRAME_SIZE 2032
typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
uint32_t addr;
mcf_fec_bd bd;
int frame_size;
- int len;
+ int len, descnt = 0;
uint8_t frame[FEC_MAX_FRAME_SIZE];
uint8_t *ptr;
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
ptr = frame;
frame_size = 0;
addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < FEC_MAX_DESC) {
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);
--
1.7.0.4

32
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch

@ -0,0 +1,32 @@
From: Prasad J Pandit <address@hidden>
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr. Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;
--
2.5.5
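Review bot: The `break;` added after `case 74:` and the one after the new clamp take CSR 47/72/74/76/78 out of the `if (CSR_STOP(s) || CSR_SPND(s)) break;` gate they previously shared with case 112, so these registers apparently become writable while the controller is running; the lines following that gate are outside the hunk, so this is inferred, but the patch description only mentions the zero-length check. If the relaxation is intended it should be documented, e.g. `/* ring lengths are accepted in any state; a zero length would loop forever in pcnet_rdra_addr, so fall back to 512 */`; otherwise the clamp should be placed so the STOP/SPND check is still reached. The fallback value 512 is also unexplained and deserves the same comment.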

25
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch

@ -0,0 +1,25 @@
From: Li Qiang <address@hidden>
In virtio gpu resource create dispatch, if the pixman format is zero
it doesn't free the resource object allocated previously. Thus leading
a host memory leak issue. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/display/virtio-gpu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7fe6ed8..5b6d17b 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
qemu_log_mask(LOG_GUEST_ERROR,
"%s: host couldn't handle guest format %d\n",
__func__, c2d.format);
+ g_free(res);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
return;
}
--
1.8.3.1

26
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch

@ -0,0 +1,26 @@
From: Li Qiang <address@hidden>
While processing isochronous transfer descriptors(iTD), if the page
select(PG) field value is out of bands it will return. In this
situation the ehci's sg list doesn't be freed thus leading a memory
leak issue. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/usb/hcd-ehci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
if (off + len > 4096) {
/* transfer crosses page border */
if (pg == 6) {
+ qemu_sglist_destroy(&ehci->isgl);
return -1; /* avoid page pg + 1 */
}
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
--
1.8.3.1

61
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch

@ -0,0 +1,61 @@
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Fri, 7 Oct 2016 10:15:29 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-xhci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 726435c..ee4fa48 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
* to the specs when it gets them */
#define ER_FULL_HACK
+#define TRB_LINK_LIMIT 4
+
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
dma_addr_t *addr)
{
PCIDevice *pci_dev = PCI_DEVICE(xhci);
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
ring->dequeue += TRB_SIZE;
return type;
} else {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return 0;
+ }
ring->dequeue = xhci_mask64(trb->parameter);
if (trb->control & TRB_LK_TC) {
ring->ccs = !ring->ccs;
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool ccs = ring->ccs;
/* hack to bundle together the two/three TDs that make a setup transfer */
bool control_td_set = 0;
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
type = TRB_TYPE(trb);
if (type == TR_LINK) {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return -length;
+ }
dequeue = xhci_mask64(trb.parameter);
if (trb.control & TRB_LK_TC) {
ccs = !ccs;
--
1.8.3.1

34
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch

@ -0,0 +1,34 @@
From: Li Qiang <address@hidden>
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
object thus causing potential memory leak. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/9pfs/9p.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee58..543a791 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
if (len < 0) {
/* IO error return the error */
err = len;
- goto out;
+ goto out_free_iovec;
}
} while (count < max_count && len > 0);
err = pdu_marshal(pdu, offset, "d", count);
if (err < 0) {
- goto out;
+ goto out_free_iovec;
}
err += offset + count;
+out_free_iovec:
qemu_iovec_destroy(&qiov);
qemu_iovec_destroy(&qiov_full);
} else if (fidp->fid_type == P9_FID_XATTR) {
--
1.8.3.1

58
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch

@ -0,0 +1,58 @@
From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
If a guest sends an empty string paramater to any 9P operation, the current
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
This is unfortunate because it can cause NULL pointer dereference to happen
at various locations in the 9pfs code. And we don't want to check str->data
everywhere we pass it to strcmp() or any other function which expects a
dereferenceable pointer.
This patch enforces the allocation of genuine C empty strings instead, so
callers don't have to bother.
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
the returned string is empty. It now uses v9fs_string_size() since
name.data cannot be NULL anymore.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
[groug, rewritten title and changelog,
fix empty string check in v9fs_xattrwalk()]
Signed-off-by: Greg Kurz <groug@kaod.org>
---
fsdev/9p-iov-marshal.c | 2 +-
hw/9pfs/9p.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
str->data = g_malloc(str->size + 1);
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
str->size);
- if (copied > 0) {
+ if (copied >= 0) {
str->data[str->size] = 0;
} else {
v9fs_string_free(str);
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee58..39a7e1d 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
goto out;
}
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
/*
* listxattr request. Get the size first
*/
--
2.7.3

30
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch

@ -0,0 +1,30 @@
From: Prasad J Pandit <address@hidden>
Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
test, if DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/rocker/rocker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 30f2ce4..e9d215a 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
rocker_msix_irq(r, val);
break;
case ROCKER_TEST_DMA_SIZE:
- r->test_dma_size = val;
+ r->test_dma_size = val & 0xFFFF;
break;
case ROCKER_TEST_DMA_ADDR + 4:
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
--
2.5.5

29
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch

@ -0,0 +1,29 @@
From: Prasad J Pandit <address@hidden>
The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/dma/rc4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
break;
/* Interval timer reload */
case 0x0228:
- s->itr = val;
+ s->itr = val & 0x01FF;
qemu_irq_lower(s->timer_irq);
set_next_tick(s);
break;
--
2.5.5

34
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch

@ -0,0 +1,34 @@
From: Prasad J Pandit <address@hidden>
16550A UART device uses an oscillator to generate frequencies
(baud base), which decide communication speed. This speed could
be changed by dividing it by a divider. If the divider is
greater than the baud base, speed is set to zero, leading to a
divide by zero error. Add check to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/char/serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Update per
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3442f47..eec72b7 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
int speed, parity, data_bits, stop_bits, frame_size;
QEMUSerialSetParams ssp;
- if (s->divider == 0)
+ if (s->divider == 0 || s->divider > s->baudbase) {
return;
+ }
/* Start bit. */
frame_size = 1;
--
2.5.5

31
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch

@ -0,0 +1,31 @@
From: Prasad J Pandit <address@hidden>
Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/audio/intel-hda.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
}
left = len;
- while (left > 0) {
+ s = st->bentries;
+ while (left > 0 && s-- > 0) {
copy = left;
if (copy > st->bsize - st->lpib)
copy = st->bsize - st->lpib;
--
2.7.4

29
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch

@ -0,0 +1,29 @@
From: Prasad J Pandit <address@hidden>
RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.
Reported-by: Andrew Henderson <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 3345bc6..f05e59c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
{
int txcount = 0;
- while (rtl8139_cplus_transmit_one(s))
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
{
++txcount;
}
--
2.7.4
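Review bot: The bound on the new `while` line is the bare literal `64`; the patch description states that each C+ ring holds at most 64 descriptors, so the limit reads better and is easier to audit as a named constant, e.g. `#define RTL8139_CPLUS_TX_MAX_DESC 64` (name constructed here) with `while (txcount < RTL8139_CPLUS_TX_MAX_DESC && rtl8139_cplus_transmit_one(s))`. rtl8139_cplus_transmit continues beyond the hunk.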

4
app-emulation/qemu/files/qemu-binfmt.initd-r1

@ -1,5 +1,5 @@
#!/sbin/openrc-run
# Copyright 1999-2014 Gentoo Foundation
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
@ -75,7 +75,7 @@ start() {
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
#echo 'Please check cpu value and header information for m68k!'

24
app-emulation/qemu/qemu-2.7.0-r2.ebuild → app-emulation/qemu/qemu-2.7.0-r5.ebuild

@ -12,7 +12,7 @@ PYTHON_REQ_USE="ncurses,readline"
PLOCALES="bg de_DE fr_FR hu it tr zh_CN"
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
user udev fcaps readme.gentoo pax-utils l10n
user udev fcaps readme.gentoo-r1 pax-utils l10n
if [[ ${PV} = *9999* ]]; then
EGIT_REPO_URI="git://git.qemu.org/qemu.git"
@ -111,7 +111,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
virtual/opengl
media-libs/libepoxy[static-libs(+)]
media-libs/mesa[static-libs(+)]
media-libs/mesa[egl,gles2]
media-libs/mesa[egl,gles2,gbm]
)
png? ( media-libs/libpng:0=[static-libs(+)] )
pulseaudio? ( media-sound/pulseaudio )
@ -282,8 +282,6 @@ pkg_setup() {
enewgroup kvm 78
}
#S="${WORKDIR}/${MY_P}"
# Sanity check to make sure target lists are kept up-to-date.
check_targets() {
local var=$1 mak=$2
@ -338,12 +336,30 @@ src_prepare() {
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242
epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034
epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036
epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038
epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038
epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284
epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950
epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956
epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368
epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520
epatch "${FILESDIR}"/${P}-CVE-2016-7907.patch # bug 596048
epatch "${FILESDIR}"/${P}-CVE-2016-7908.patch # bug 596049
epatch "${FILESDIR}"/${P}-CVE-2016-7909.patch # bug 596048
epatch "${FILESDIR}"/${P}-CVE-2016-7994-1.patch # bug 596738
epatch "${FILESDIR}"/${P}-CVE-2016-7994-2.patch # bug 596738
epatch "${FILESDIR}"/${P}-CVE-2016-8576.patch # bug 596752
epatch "${FILESDIR}"/${P}-CVE-2016-8577.patch # bug 596776
epatch "${FILESDIR}"/${P}-CVE-2016-8578.patch # bug 596774
epatch "${FILESDIR}"/${P}-CVE-2016-8668.patch # bug 597110
epatch "${FILESDIR}"/${P}-CVE-2016-8669-1.patch # bug 597108
epatch "${FILESDIR}"/${P}-CVE-2016-8669-2.patch # bug 597108
epatch "${FILESDIR}"/${P}-CVE-2016-8909.patch # bug 598044
epatch "${FILESDIR}"/${P}-CVE-2016-8910.patch # bug 598046
# Fix ld and objcopy being called directly
tc-export AR LD OBJCOPY
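Review bot: The bug reference on the CVE-2016-7909 line repeats `# bug 596048` from the CVE-2016-7907 line, while CVE-2016-7908 cites 596049; if the 7909 reference is a copy-paste slip it should point at the bug that actually tracks that CVE, and if the two CVEs genuinely share a bug a short note on the line would save the next reader the same question. src_prepare continues outside the hunk.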