mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-24 05:18:07 -05:00
gnu: qemu: Update to 2.5.0; add fixes for security flaws.
* gnu/packages/patches/qemu-CVE-2015-6855.patch: Delete file. * gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch, gnu/packages/patches/qemu-CVE-2015-8558.patch, gnu/packages/patches/qemu-CVE-2015-8567.patch, gnu/packages/patches/qemu-CVE-2015-8613.patch, gnu/packages/patches/qemu-CVE-2015-8701.patch, gnu/packages/patches/qemu-CVE-2015-8743.patch, gnu/packages/patches/qemu-CVE-2016-1568.patch, gnu/packages/patches/qemu-CVE-2016-1922.patch: New files. * gnu-system.am (dist_patch_DATA): Remove 'qemu-CVE-2015-6855.patch'; add the new patches. * gnu/packages/qemu.scm (qemu): Update to 2.5.0. [source]: Remove old patches and add new ones. [arguments]: Add 'disable-test-qga' phase. (%glib-memory-vtable-patch, %glib-duplicate-test-patch): Remove variables.
This commit is contained in:
parent
80cc3a0a4a
commit
fd9a5b0fc3
11 changed files with 440 additions and 167 deletions
|
@ -682,7 +682,14 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
|
||||
gnu/packages/patches/python-configobj-setuptools.patch \
|
||||
gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-6855.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-8558.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-8567.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-8613.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-8701.patch \
|
||||
gnu/packages/patches/qemu-CVE-2015-8743.patch \
|
||||
gnu/packages/patches/qemu-CVE-2016-1568.patch \
|
||||
gnu/packages/patches/qemu-CVE-2016-1922.patch \
|
||||
gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch \
|
||||
gnu/packages/patches/qt4-ldflags.patch \
|
||||
gnu/packages/patches/ratpoison-shell.patch \
|
||||
gnu/packages/patches/readline-link-ncurses.patch \
|
||||
|
|
|
@ -1,144 +0,0 @@
|
|||
From d9033e1d3aa666c5071580617a57bd853c5d794a Mon Sep 17 00:00:00 2001
|
||||
From: John Snow <jsnow@redhat.com>
|
||||
Date: Thu, 17 Sep 2015 14:17:05 -0400
|
||||
Subject: [PATCH] ide: fix ATAPI command permissions
|
||||
|
||||
We're a little too lenient with what we'll let an ATAPI drive handle.
|
||||
Clamp down on the IDE command execution table to remove CD_OK permissions
|
||||
from commands that are not and have never been ATAPI commands.
|
||||
|
||||
For ATAPI command validity, please see:
|
||||
- ATA4 Section 6.5 ("PACKET Command feature set")
|
||||
- ATA8/ACS Section 4.3 ("The PACKET feature set")
|
||||
- ACS3 Section 4.3 ("The PACKET feature set")
|
||||
|
||||
ACS3 has a historical command validity table in Table B.4
|
||||
("Historical Command Assignments") that can be referenced to find when
|
||||
a command was introduced, deprecated, obsoleted, etc.
|
||||
|
||||
The only reference for ATAPI command validity is by checking that
|
||||
version's PACKET feature set section.
|
||||
|
||||
ATAPI was introduced by T13 into ATA4, all commands retired prior to ATA4
|
||||
therefore are assumed to have never been ATAPI commands.
|
||||
|
||||
Mandatory commands, as listed in ATA8-ACS3, are:
|
||||
|
||||
- DEVICE RESET
|
||||
- EXECUTE DEVICE DIAGNOSTIC
|
||||
- IDENTIFY DEVICE
|
||||
- IDENTIFY PACKET DEVICE
|
||||
- NOP
|
||||
- PACKET
|
||||
- READ SECTOR(S)
|
||||
- SET FEATURES
|
||||
|
||||
Optional commands as listed in ATA8-ACS3, are:
|
||||
|
||||
- FLUSH CACHE
|
||||
- READ LOG DMA EXT
|
||||
- READ LOG EXT
|
||||
- WRITE LOG DMA EXT
|
||||
- WRITE LOG EXT
|
||||
|
||||
All other commands are illegal to send to an ATAPI device and should
|
||||
be rejected by the device.
|
||||
|
||||
CD_OK removal justifications:
|
||||
|
||||
0x06 WIN_DSM Defined in ACS2. Not valid for ATAPI.
|
||||
0x21 WIN_READ_ONCE Retired in ATA5. Not ATAPI in ATA4.
|
||||
0x94 WIN_STANDBYNOW2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x95 WIN_IDLEIMMEDIATE2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x96 WIN_STANDBY2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x97 WIN_SETIDLE2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x98 WIN_CHECKPOWERMODE2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0x99 WIN_SLEEPNOW2 Retired in ATA4. Did not coexist with ATAPI.
|
||||
0xE0 WIN_STANDBYNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE1 WIN_IDLEIMMDIATE Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE2 WIN_STANDBY Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE3 WIN_SETIDLE1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE4 WIN_CHECKPOWERMODE1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xE5 WIN_SLEEPNOW1 Not part of ATAPI in ATA4, ACS or ACS3.
|
||||
0xF8 WIN_READ_NATIVE_MAX Obsoleted in ACS3. Not ATAPI in ATA4 or ACS.
|
||||
|
||||
This patch fixes a divide by zero fault that can be caused by sending
|
||||
the WIN_READ_NATIVE_MAX command to an ATAPI drive, which causes it to
|
||||
attempt to use zeroed CHS values to perform sector arithmetic.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
Reviewed-by: Markus Armbruster <armbru@redhat.com>
|
||||
Message-id: 1441816082-21031-1-git-send-email-jsnow@redhat.com
|
||||
CC: qemu-stable@nongnu.org
|
||||
---
|
||||
hw/ide/core.c | 30 +++++++++++++++---------------
|
||||
1 file changed, 15 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/hw/ide/core.c b/hw/ide/core.c
|
||||
index 8ba04df..1cc6945 100644
|
||||
--- a/hw/ide/core.c
|
||||
+++ b/hw/ide/core.c
|
||||
@@ -1746,11 +1746,11 @@ static const struct {
|
||||
} ide_cmd_table[0x100] = {
|
||||
/* NOP not implemented, mandatory for CD */
|
||||
[CFA_REQ_EXT_ERROR_CODE] = { cmd_cfa_req_ext_error_code, CFA_OK },
|
||||
- [WIN_DSM] = { cmd_data_set_management, ALL_OK },
|
||||
+ [WIN_DSM] = { cmd_data_set_management, HD_CFA_OK },
|
||||
[WIN_DEVICE_RESET] = { cmd_device_reset, CD_OK },
|
||||
[WIN_RECAL] = { cmd_nop, HD_CFA_OK | SET_DSC},
|
||||
[WIN_READ] = { cmd_read_pio, ALL_OK },
|
||||
- [WIN_READ_ONCE] = { cmd_read_pio, ALL_OK },
|
||||
+ [WIN_READ_ONCE] = { cmd_read_pio, HD_CFA_OK },
|
||||
[WIN_READ_EXT] = { cmd_read_pio, HD_CFA_OK },
|
||||
[WIN_READDMA_EXT] = { cmd_read_dma, HD_CFA_OK },
|
||||
[WIN_READ_NATIVE_MAX_EXT] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
|
||||
@@ -1769,12 +1769,12 @@ static const struct {
|
||||
[CFA_TRANSLATE_SECTOR] = { cmd_cfa_translate_sector, CFA_OK },
|
||||
[WIN_DIAGNOSE] = { cmd_exec_dev_diagnostic, ALL_OK },
|
||||
[WIN_SPECIFY] = { cmd_nop, HD_CFA_OK | SET_DSC },
|
||||
- [WIN_STANDBYNOW2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_IDLEIMMEDIATE2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_STANDBY2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_SETIDLE2] = { cmd_nop, ALL_OK },
|
||||
- [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, ALL_OK | SET_DSC },
|
||||
- [WIN_SLEEPNOW2] = { cmd_nop, ALL_OK },
|
||||
+ [WIN_STANDBYNOW2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_IDLEIMMEDIATE2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_STANDBY2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_SETIDLE2] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_CHECKPOWERMODE2] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
|
||||
+ [WIN_SLEEPNOW2] = { cmd_nop, HD_CFA_OK },
|
||||
[WIN_PACKETCMD] = { cmd_packet, CD_OK },
|
||||
[WIN_PIDENTIFY] = { cmd_identify_packet, CD_OK },
|
||||
[WIN_SMART] = { cmd_smart, HD_CFA_OK | SET_DSC },
|
||||
@@ -1788,19 +1788,19 @@ static const struct {
|
||||
[WIN_WRITEDMA] = { cmd_write_dma, HD_CFA_OK },
|
||||
[WIN_WRITEDMA_ONCE] = { cmd_write_dma, HD_CFA_OK },
|
||||
[CFA_WRITE_MULTI_WO_ERASE] = { cmd_write_multiple, CFA_OK },
|
||||
- [WIN_STANDBYNOW1] = { cmd_nop, ALL_OK },
|
||||
- [WIN_IDLEIMMEDIATE] = { cmd_nop, ALL_OK },
|
||||
- [WIN_STANDBY] = { cmd_nop, ALL_OK },
|
||||
- [WIN_SETIDLE1] = { cmd_nop, ALL_OK },
|
||||
- [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, ALL_OK | SET_DSC },
|
||||
- [WIN_SLEEPNOW1] = { cmd_nop, ALL_OK },
|
||||
+ [WIN_STANDBYNOW1] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_IDLEIMMEDIATE] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_STANDBY] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_SETIDLE1] = { cmd_nop, HD_CFA_OK },
|
||||
+ [WIN_CHECKPOWERMODE1] = { cmd_check_power_mode, HD_CFA_OK | SET_DSC },
|
||||
+ [WIN_SLEEPNOW1] = { cmd_nop, HD_CFA_OK },
|
||||
[WIN_FLUSH_CACHE] = { cmd_flush_cache, ALL_OK },
|
||||
[WIN_FLUSH_CACHE_EXT] = { cmd_flush_cache, HD_CFA_OK },
|
||||
[WIN_IDENTIFY] = { cmd_identify, ALL_OK },
|
||||
[WIN_SETFEATURES] = { cmd_set_features, ALL_OK | SET_DSC },
|
||||
[IBM_SENSE_CONDITION] = { cmd_ibm_sense_condition, CFA_OK | SET_DSC },
|
||||
[CFA_WEAR_LEVEL] = { cmd_cfa_erase_sectors, HD_CFA_OK | SET_DSC },
|
||||
- [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, ALL_OK | SET_DSC },
|
||||
+ [WIN_READ_NATIVE_MAX] = { cmd_read_native_max, HD_CFA_OK | SET_DSC },
|
||||
};
|
||||
|
||||
static bool ide_cmd_permitted(IDEState *s, uint32_t cmd)
|
||||
--
|
||||
2.4.3
|
||||
|
48
gnu/packages/patches/qemu-CVE-2015-8558.patch
Normal file
48
gnu/packages/patches/qemu-CVE-2015-8558.patch
Normal file
|
@ -0,0 +1,48 @@
|
|||
From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 14 Dec 2015 09:21:23 +0100
|
||||
Subject: [PATCH] ehci: make idt processing more robust
|
||||
|
||||
Make ehci_process_itd return an error in case we didn't do any actual
|
||||
iso transfer because we've found no active transaction. That'll avoid
|
||||
ehci happily run in circles forever if the guest builds a loop out of
|
||||
idts.
|
||||
|
||||
This is CVE-2015-8558.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Tested-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index 4e2161b..d07f228 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
{
|
||||
USBDevice *dev;
|
||||
USBEndpoint *ep;
|
||||
- uint32_t i, len, pid, dir, devaddr, endp;
|
||||
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
|
||||
uint32_t pg, off, ptr1, ptr2, max, mult;
|
||||
|
||||
ehci->periodic_sched_active = PERIODIC_ACTIVE;
|
||||
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
ehci_raise_irq(ehci, USBSTS_INT);
|
||||
}
|
||||
itd->transact[i] &= ~ITD_XACT_ACTIVE;
|
||||
+ xfers++;
|
||||
}
|
||||
}
|
||||
- return 0;
|
||||
+ return xfers ? 0 : -1;
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
2.6.3
|
||||
|
93
gnu/packages/patches/qemu-CVE-2015-8567.patch
Normal file
93
gnu/packages/patches/qemu-CVE-2015-8567.patch
Normal file
|
@ -0,0 +1,93 @@
|
|||
From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Tue, 15 Dec 2015 12:27:54 +0530
|
||||
Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
|
||||
|
||||
Vmxnet3 device emulator does not check if the device is active
|
||||
before activating it, also it did not free the transmit & receive
|
||||
buffers while deactivating the device, thus resulting in memory
|
||||
leakage on the host. This patch fixes both these issues to avoid
|
||||
host memory leakage.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
hw/net/vmxnet3.c | 24 ++++++++++++++++--------
|
||||
1 file changed, 16 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index a5dd79a..9c1adfc 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
|
||||
|
||||
static void vmxnet3_deactivate_device(VMXNET3State *s)
|
||||
{
|
||||
- VMW_CBPRN("Deactivating vmxnet3...");
|
||||
- s->device_active = false;
|
||||
+ if (s->device_active) {
|
||||
+ VMW_CBPRN("Deactivating vmxnet3...");
|
||||
+ vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
+ vmxnet_tx_pkt_uninit(s->tx_pkt);
|
||||
+ vmxnet_rx_pkt_uninit(s->rx_pkt);
|
||||
+ s->device_active = false;
|
||||
+ }
|
||||
}
|
||||
|
||||
static void vmxnet3_reset(VMXNET3State *s)
|
||||
@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
|
||||
|
||||
vmxnet3_deactivate_device(s);
|
||||
vmxnet3_reset_interrupt_states(s);
|
||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
s->drv_shmem = 0;
|
||||
s->tx_sop = true;
|
||||
s->skip_current_tx_pkt = false;
|
||||
@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
|
||||
return;
|
||||
}
|
||||
|
||||
+ /* Verify if device is active */
|
||||
+ if (s->device_active) {
|
||||
+ VMW_CFPRN("Vmxnet3 device is active");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
vmxnet3_adjust_by_guest_type(s);
|
||||
vmxnet3_update_features(s);
|
||||
vmxnet3_update_pm_state(s);
|
||||
@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
|
||||
break;
|
||||
|
||||
case VMXNET3_CMD_QUIESCE_DEV:
|
||||
- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
|
||||
+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
|
||||
vmxnet3_deactivate_device(s);
|
||||
break;
|
||||
|
||||
@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
|
||||
* shared address only after we get the high part
|
||||
*/
|
||||
if (val == 0) {
|
||||
- s->device_active = false;
|
||||
+ vmxnet3_deactivate_device(s);
|
||||
}
|
||||
s->temp_shared_guest_driver_memory = val;
|
||||
s->drv_shmem = 0;
|
||||
@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
|
||||
static void vmxnet3_net_uninit(VMXNET3State *s)
|
||||
{
|
||||
g_free(s->mcast_list);
|
||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
||||
- vmxnet_tx_pkt_uninit(s->tx_pkt);
|
||||
- vmxnet_rx_pkt_uninit(s->rx_pkt);
|
||||
+ vmxnet3_deactivate_device(s);
|
||||
qemu_del_nic(s->nic);
|
||||
}
|
||||
|
||||
--
|
||||
2.6.3
|
||||
|
35
gnu/packages/patches/qemu-CVE-2015-8613.patch
Normal file
35
gnu/packages/patches/qemu-CVE-2015-8613.patch
Normal file
|
@ -0,0 +1,35 @@
|
|||
From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Mon, 21 Dec 2015 15:13:13 +0530
|
||||
Subject: [PATCH] scsi: initialise info object with appropriate size
|
||||
|
||||
While processing controller 'CTRL_GET_INFO' command, the routine
|
||||
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
|
||||
appropriate size to null initialise it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index d7dc667..576f56c 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
BusChild *kid;
|
||||
int num_pd_disks = 0;
|
||||
|
||||
- memset(&info, 0x0, cmd->iov_size);
|
||||
+ memset(&info, 0x0, dcmd_size);
|
||||
if (cmd->iov_size < dcmd_size) {
|
||||
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
|
||||
dcmd_size);
|
||||
--
|
||||
2.6.3
|
||||
|
47
gnu/packages/patches/qemu-CVE-2015-8701.patch
Normal file
47
gnu/packages/patches/qemu-CVE-2015-8701.patch
Normal file
|
@ -0,0 +1,47 @@
|
|||
From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 28 Dec 2015 16:24:08 +0530
|
||||
Subject: [PATCH] net: rocker: fix an incorrect array bounds check
|
||||
|
||||
While processing transmit(tx) descriptors in 'tx_consume' routine
|
||||
the switch emulator suffers from an off-by-one error, if a
|
||||
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
|
||||
fragments. Fix an incorrect bounds check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
hw/net/rocker/rocker.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index c57f1a6..2e77e50 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
||||
frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
|
||||
frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
|
||||
|
||||
+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
|
||||
+ goto err_too_many_frags;
|
||||
+ }
|
||||
iov[iovcnt].iov_len = frag_len;
|
||||
iov[iovcnt].iov_base = g_malloc(frag_len);
|
||||
if (!iov[iovcnt].iov_base) {
|
||||
@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
||||
err = -ROCKER_ENXIO;
|
||||
goto err_bad_io;
|
||||
}
|
||||
-
|
||||
- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
|
||||
- goto err_too_many_frags;
|
||||
- }
|
||||
+ iovcnt++;
|
||||
}
|
||||
|
||||
if (iovcnt) {
|
||||
--
|
||||
2.6.3
|
||||
|
48
gnu/packages/patches/qemu-CVE-2015-8743.patch
Normal file
48
gnu/packages/patches/qemu-CVE-2015-8743.patch
Normal file
|
@ -0,0 +1,48 @@
|
|||
From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 31 Dec 2015 17:05:27 +0530
|
||||
Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
|
||||
|
||||
While doing ioport r/w operations, ne2000 device emulation suffers
|
||||
from OOB r/w errors. Update respective array bounds check to avoid
|
||||
OOB access.
|
||||
|
||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
hw/net/ne2000.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
||||
index 010f9ef..a3dffff 100644
|
||||
--- a/hw/net/ne2000.c
|
||||
+++ b/hw/net/ne2000.c
|
||||
@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
|
||||
uint32_t val)
|
||||
{
|
||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
||||
- if (addr < 32 ||
|
||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
||||
+ if (addr < 32
|
||||
+ || (addr >= NE2000_PMEM_START
|
||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
||||
stl_le_p(s->mem + addr, val);
|
||||
}
|
||||
}
|
||||
@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
|
||||
static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
|
||||
{
|
||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
||||
- if (addr < 32 ||
|
||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
||||
+ if (addr < 32
|
||||
+ || (addr >= NE2000_PMEM_START
|
||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
||||
return ldl_le_p(s->mem + addr);
|
||||
} else {
|
||||
return 0xffffffff;
|
||||
--
|
||||
2.6.3
|
||||
|
39
gnu/packages/patches/qemu-CVE-2016-1568.patch
Normal file
39
gnu/packages/patches/qemu-CVE-2016-1568.patch
Normal file
|
@ -0,0 +1,39 @@
|
|||
From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 11 Jan 2016 14:10:42 -0500
|
||||
Subject: [PATCH] ide: ahci: reset ncq object to unused on error
|
||||
|
||||
When processing NCQ commands, AHCI device emulation prepares a
|
||||
NCQ transfer object; To which an aio control block(aiocb) object
|
||||
is assigned in 'execute_ncq_command'. In case, when the NCQ
|
||||
command is invalid, the 'aiocb' object is not assigned, and NCQ
|
||||
transfer object is left as 'used'. This leads to a use after
|
||||
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
|
||||
Reset NCQ transfer object to 'unused' to avoid it.
|
||||
|
||||
[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
||||
Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
||||
---
|
||||
hw/ide/ahci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
||||
index dd1912e..17f1cbd 100644
|
||||
--- a/hw/ide/ahci.c
|
||||
+++ b/hw/ide/ahci.c
|
||||
@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
|
||||
ide_state->error = ABRT_ERR;
|
||||
ide_state->status = READY_STAT | ERR_STAT;
|
||||
ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
|
||||
+ ncq_tfs->used = 0;
|
||||
}
|
||||
|
||||
static void ncq_finish(NCQTransferState *ncq_tfs)
|
||||
--
|
||||
2.6.3
|
||||
|
65
gnu/packages/patches/qemu-CVE-2016-1922.patch
Normal file
65
gnu/packages/patches/qemu-CVE-2016-1922.patch
Normal file
|
@ -0,0 +1,65 @@
|
|||
From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Fri, 18 Dec 2015 11:35:07 +0530
|
||||
Subject: [PATCH] i386: avoid null pointer dereference
|
||||
|
||||
Hello,
|
||||
|
||||
A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
|
||||
occurs while doing I/O port write operations via hmp interface. In that,
|
||||
'current_cpu' remains null as it is not called from cpu_exec loop, which
|
||||
results in the said issue.
|
||||
|
||||
Below is a proposed (tested)patch to fix this issue; Does it look okay?
|
||||
|
||||
===
|
||||
From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 18 Dec 2015 11:16:07 +0530
|
||||
Subject: [PATCH] i386: avoid null pointer dereference
|
||||
|
||||
When I/O port write operation is called from hmp interface,
|
||||
'current_cpu' remains null, as it is not called from cpu_exec()
|
||||
loop. This leads to a null pointer dereference in vapic_write
|
||||
routine. Add check to avoid it.
|
||||
|
||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: P J P <ppandit@redhat.com>
|
||||
---
|
||||
hw/i386/kvmvapic.c | 15 ++++++++++-----
|
||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
||||
index c6d34b2..f0922da 100644
|
||||
--- a/hw/i386/kvmvapic.c
|
||||
+++ b/hw/i386/kvmvapic.c
|
||||
@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
|
||||
static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
|
||||
unsigned int size)
|
||||
{
|
||||
- CPUState *cs = current_cpu;
|
||||
- X86CPU *cpu = X86_CPU(cs);
|
||||
- CPUX86State *env = &cpu->env;
|
||||
- hwaddr rom_paddr;
|
||||
VAPICROMState *s = opaque;
|
||||
+ X86CPU *cpu;
|
||||
+ CPUX86State *env;
|
||||
+ hwaddr rom_paddr;
|
||||
|
||||
- cpu_synchronize_state(cs);
|
||||
+ if (!current_cpu) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ cpu_synchronize_state(current_cpu);
|
||||
+ cpu = X86_CPU(current_cpu);
|
||||
+ env = &cpu->env;
|
||||
|
||||
/*
|
||||
* The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001
|
||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
Date: Wed, 23 Dec 2015 10:56:58 +0100
|
||||
Subject: [PATCH] virtio-9p: use accessor to get thread_pool
|
||||
|
||||
The aio_context_new() function does not allocate a thread pool. This is
|
||||
deferred to the first call to the aio_get_thread_pool() accessor. It is
|
||||
hence forbidden to access the thread_pool field directly, as it may be
|
||||
NULL. The accessor *must* be used always.
|
||||
|
||||
Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
|
||||
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
||||
---
|
||||
hw/9pfs/virtio-9p-coth.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
|
||||
index fb6e8f8..ab9425c 100644
|
||||
--- a/hw/9pfs/virtio-9p-coth.c
|
||||
+++ b/hw/9pfs/virtio-9p-coth.c
|
||||
@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
|
||||
void co_run_in_worker_bh(void *opaque)
|
||||
{
|
||||
Coroutine *co = opaque;
|
||||
- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
|
||||
+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
|
||||
coroutine_enter_func, co, coroutine_enter_cb, co);
|
||||
}
|
||||
--
|
||||
2.6.3
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
;;; GNU Guix --- Functional package management for GNU
|
||||
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
|
||||
;;; Copyright © 2015 Mark H Weaver <mhw@netris.org>
|
||||
;;; Copyright © 2015, 2016 Mark H Weaver <mhw@netris.org>
|
||||
;;;
|
||||
;;; This file is part of GNU Guix.
|
||||
;;;
|
||||
|
@ -51,35 +51,27 @@ (define (qemu-patch commit file-name sha256)
|
|||
(sha256 sha256)
|
||||
(file-name file-name)))
|
||||
|
||||
(define %glib-memory-vtable-patch
|
||||
(qemu-patch "deb847bf"
|
||||
"qemu-glib-memory-vtable.patch"
|
||||
(base32
|
||||
"0afb7rvxy14104jxmhr7m02w5baiz0c7vhq3h642h09jgxrcmzzi")))
|
||||
|
||||
(define %glib-duplicate-test-patch
|
||||
(qemu-patch "98cf48f6"
|
||||
"qemu-glib-duplicate-test.patch"
|
||||
(base32
|
||||
"1aicbplzdj5s5y13jmqyvfajay05x9dnkzd197waz8v6kha7d9d5")))
|
||||
|
||||
(define-public qemu
|
||||
(package
|
||||
(name "qemu")
|
||||
(version "2.4.0.1")
|
||||
(version "2.5.0")
|
||||
(source (origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
|
||||
version ".tar.bz2"))
|
||||
(sha256
|
||||
(base32
|
||||
"1nqv5p94zpnhcaqkifnn83ap7dd0qrb0qiicswbyhhby0f48pzpc"))
|
||||
(patches (list (search-patch "qemu-CVE-2015-6855.patch")
|
||||
|
||||
;; These two patches allow QEMU's tests to run
|
||||
;; correctly with 'gtester' from the latest GLib.
|
||||
%glib-memory-vtable-patch
|
||||
%glib-duplicate-test-patch))))
|
||||
"1m3j6xl7msrniidkvr5pw9d44yba5m7hm42xz8xy77v105s8hhrl"))
|
||||
(patches
|
||||
(map search-patch
|
||||
'("qemu-virtio-9p-use-accessor-to-get-thread-pool.patch"
|
||||
"qemu-CVE-2015-8558.patch"
|
||||
"qemu-CVE-2015-8567.patch"
|
||||
"qemu-CVE-2016-1922.patch"
|
||||
"qemu-CVE-2015-8613.patch"
|
||||
"qemu-CVE-2015-8701.patch"
|
||||
"qemu-CVE-2015-8743.patch"
|
||||
"qemu-CVE-2016-1568.patch")))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
'(#:phases (alist-replace
|
||||
|
@ -120,7 +112,16 @@ (define-public qemu
|
|||
(string-append infodir "/" info)))
|
||||
(find-files "." "\\.info$"))
|
||||
#t)))))
|
||||
%standard-phases))))
|
||||
(alist-cons-before
|
||||
'check 'disable-test-qga
|
||||
(lambda _
|
||||
(substitute* "tests/Makefile"
|
||||
;; Comment out the test-qga test, which needs /sys and
|
||||
;; fails within the build environment.
|
||||
(("check-unit-.* tests/test-qga" all)
|
||||
(string-append "# " all)))
|
||||
#t)
|
||||
%standard-phases)))))
|
||||
|
||||
(inputs ; TODO: Add optional inputs.
|
||||
`(("sdl" ,sdl)
|
||||
|
|
Loading…
Reference in a new issue