gnu: qemu: Patch CVE-2016-857{6,7,8}.

* gnu/packages/qemu.scm (qemu)[source]: Add patches.
* gnu/packages/patches/qemu-CVE-2016-8576.patch,
gnu/packages/patches/qemu-CVE-2016-8577.patch,
gnu/packages/patches/qemu-CVE-2016-8578.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
This commit is contained in:
Efraim Flashner 2016-10-10 22:29:43 +03:00
parent 8f941dd24f
commit bde70caa06
No known key found for this signature in database
GPG key ID: F4C1D3917EACEE93
5 changed files with 132 additions and 1 deletions

View file

@ -809,6 +809,9 @@ dist_patch_DATA = \
%D%/packages/patches/python-paste-remove-website-test.patch \
%D%/packages/patches/python-paste-remove-timing-test.patch \
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
%D%/packages/patches/qemu-CVE-2016-8576.patch \
%D%/packages/patches/qemu-CVE-2016-8577.patch \
%D%/packages/patches/qemu-CVE-2016-8578.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \

View file

@ -0,0 +1,62 @@
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 7 Oct 2016 10:15:29 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/usb/hcd-xhci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 726435c..ee4fa48 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
* to the specs when it gets them */
#define ER_FULL_HACK
+#define TRB_LINK_LIMIT 4
+
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
dma_addr_t *addr)
{
PCIDevice *pci_dev = PCI_DEVICE(xhci);
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
ring->dequeue += TRB_SIZE;
return type;
} else {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return 0;
+ }
ring->dequeue = xhci_mask64(trb->parameter);
if (trb->control & TRB_LK_TC) {
ring->ccs = !ring->ccs;
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool ccs = ring->ccs;
/* hack to bundle together the two/three TDs that make a setup transfer */
bool control_td_set = 0;
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
type = TRB_TYPE(trb);
if (type == TR_LINK) {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return -length;
+ }
dequeue = xhci_mask64(trb.parameter);
if (trb.control & TRB_LK_TC) {
ccs = !ccs;
--
1.8.3.1

View file

@ -0,0 +1,36 @@
Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read
From: Li Qiang <liq3ea@gmail.com>
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
object thus causing potential memory leak. This patch avoid this.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
---
hw/9pfs/9p.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee58..543a791 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
if (len < 0) {
/* IO error return the error */
err = len;
- goto out;
+ goto out_free_iovec;
}
} while (count < max_count && len > 0);
err = pdu_marshal(pdu, offset, "d", count);
if (err < 0) {
- goto out;
+ goto out_free_iovec;
}
err += offset + count;
+out_free_iovec:
qemu_iovec_destroy(&qiov);
qemu_iovec_destroy(&qiov_full);
} else if (fidp->fid_type == P9_FID_XATTR) {
--
1.8.3.1

View file

@ -0,0 +1,27 @@
From: Li Qiang <liq3ea@gmail.com>
In 9pfs function v9fs_iov_vunmarshal, it will not allocate space
for empty string. This will cause several NULL pointer dereference
issues. this patch fix this issue.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
---
fsdev/9p-iov-marshal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
str->data = g_malloc(str->size + 1);
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
str->size);
- if (copied > 0) {
+ if (copied >= 0) {
str->data[str->size] = 0;
} else {
v9fs_string_free(str);
--
1.8.3.1

View file

@ -76,7 +76,10 @@ (define-public qemu
version ".tar.bz2"))
(sha256
(base32
"0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij"))))
"0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij"))
(patches (search-patches "qemu-CVE-2016-8576.patch"
"qemu-CVE-2016-8577.patch"
"qemu-CVE-2016-8578.patch"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like: