gnu: qemu: Patch CVE-2017-{2615, 5578, 5579, 5856}.
* gnu/packages/qemu.scm (qemu)[source]: Add patches. * gnu/packages/patches/qemu-CVE-2017-2615, gnu/packages/patches/qemu-CVE-2017-5578, gnu/packages/patches/qemu-CVE-2017-5579, gnu/packages/patches/qemu-CVE-2017-5856: New files. * gnu/local.mk (dist_patch_DATA): Register them.
This commit is contained in:
parent
3e9750c368
commit
b352b57655
|
@ -860,9 +860,13 @@ dist_patch_DATA = \
|
||||||
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
|
||||||
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
|
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
|
||||||
%D%/packages/patches/qemu-CVE-2016-10155.patch \
|
%D%/packages/patches/qemu-CVE-2016-10155.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-2615.patch \
|
||||||
%D%/packages/patches/qemu-CVE-2017-5525.patch \
|
%D%/packages/patches/qemu-CVE-2017-5525.patch \
|
||||||
%D%/packages/patches/qemu-CVE-2017-5526.patch \
|
%D%/packages/patches/qemu-CVE-2017-5526.patch \
|
||||||
%D%/packages/patches/qemu-CVE-2017-5552.patch \
|
%D%/packages/patches/qemu-CVE-2017-5552.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-5578.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-5579.patch \
|
||||||
|
%D%/packages/patches/qemu-CVE-2017-5856.patch \
|
||||||
%D%/packages/patches/qt4-ldflags.patch \
|
%D%/packages/patches/qt4-ldflags.patch \
|
||||||
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
|
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
|
||||||
%D%/packages/patches/rapicorn-isnan.patch \
|
%D%/packages/patches/rapicorn-isnan.patch \
|
||||||
|
|
|
@ -0,0 +1,52 @@
|
||||||
|
http://git.qemu.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64
|
||||||
|
this patch is from qemu-git.
|
||||||
|
|
||||||
|
|
||||||
|
From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Date: Wed, 1 Feb 2017 09:35:01 +0100
|
||||||
|
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
|
||||||
|
|
||||||
|
When doing bitblt copy in backward mode, we should minus the
|
||||||
|
blt width first just like the adding in the forward mode. This
|
||||||
|
can avoid the oob access of the front of vga's vram.
|
||||||
|
|
||||||
|
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
|
||||||
|
{ kraxel: with backward blits (negative pitch) addr is the topmost
|
||||||
|
address, so check it as-is against vram size ]
|
||||||
|
|
||||||
|
Cc: qemu-stable@nongnu.org
|
||||||
|
Cc: P J P <ppandit@redhat.com>
|
||||||
|
Cc: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
Cc: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||||
|
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
|
||||||
|
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||||
|
---
|
||||||
|
hw/display/cirrus_vga.c | 7 +++----
|
||||||
|
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||||
|
index 7db6409dc5..16f27e8ac5 100644
|
||||||
|
--- a/hw/display/cirrus_vga.c
|
||||||
|
+++ b/hw/display/cirrus_vga.c
|
||||||
|
@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||||
|
{
|
||||||
|
if (pitch < 0) {
|
||||||
|
int64_t min = addr
|
||||||
|
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||||
|
- int32_t max = addr
|
||||||
|
- + s->cirrus_blt_width;
|
||||||
|
- if (min < 0 || max > s->vga.vram_size) {
|
||||||
|
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
|
||||||
|
+ - s->cirrus_blt_width;
|
||||||
|
+ if (min < -1 || addr >= s->vga.vram_size) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
|
@ -0,0 +1,39 @@
|
||||||
|
http://git.qemu.org/?p=qemu.git;a=patch;h=204f01b30975923c64006f8067f0937b91eea68b
|
||||||
|
this patch is from qemu-git.
|
||||||
|
|
||||||
|
|
||||||
|
From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Li Qiang <liq3ea@gmail.com>
|
||||||
|
Date: Thu, 29 Dec 2016 04:28:41 -0500
|
||||||
|
Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
|
||||||
|
|
||||||
|
In the resource attach backing function, everytime it will
|
||||||
|
allocate 'res->iov' thus can leading a memory leak. This
|
||||||
|
patch avoid this.
|
||||||
|
|
||||||
|
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||||
|
Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
---
|
||||||
|
hw/display/virtio-gpu.c | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||||
|
index 6a26258cac..ca88cf478d 100644
|
||||||
|
--- a/hw/display/virtio-gpu.c
|
||||||
|
+++ b/hw/display/virtio-gpu.c
|
||||||
|
@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (res->iov) {
|
||||||
|
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
|
||||||
|
if (ret != 0) {
|
||||||
|
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
http://git.qemu.org/?p=qemu.git;a=patch;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
|
||||||
|
this patch is from qemu-git.
|
||||||
|
|
||||||
|
|
||||||
|
From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Date: Wed, 4 Jan 2017 00:43:16 -0800
|
||||||
|
Subject: [PATCH] serial: fix memory leak in serial exit
|
||||||
|
|
||||||
|
The serial_exit_core function doesn't free some resources.
|
||||||
|
This can lead memory leak when hotplug and unplug. This
|
||||||
|
patch avoid this.
|
||||||
|
|
||||||
|
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
---
|
||||||
|
hw/char/serial.c | 10 ++++++++++
|
||||||
|
1 file changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||||
|
index ffbacd8227..67b18eda12 100644
|
||||||
|
--- a/hw/char/serial.c
|
||||||
|
+++ b/hw/char/serial.c
|
||||||
|
@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
|
||||||
|
void serial_exit_core(SerialState *s)
|
||||||
|
{
|
||||||
|
qemu_chr_fe_deinit(&s->chr);
|
||||||
|
+
|
||||||
|
+ timer_del(s->modem_status_poll);
|
||||||
|
+ timer_free(s->modem_status_poll);
|
||||||
|
+
|
||||||
|
+ timer_del(s->fifo_timeout_timer);
|
||||||
|
+ timer_free(s->fifo_timeout_timer);
|
||||||
|
+
|
||||||
|
+ fifo8_destroy(&s->recv_fifo);
|
||||||
|
+ fifo8_destroy(&s->xmit_fifo);
|
||||||
|
+
|
||||||
|
qemu_unregister_reset(serial_reset, s);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.11.0
|
||||||
|
|
|
@ -0,0 +1,68 @@
|
||||||
|
http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3
|
||||||
|
this patch is from qemu-git.
|
||||||
|
|
||||||
|
|
||||||
|
From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Date: Mon, 2 Jan 2017 11:03:33 +0100
|
||||||
|
Subject: [PATCH] megasas: fix guest-triggered memory leak
|
||||||
|
|
||||||
|
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
|
||||||
|
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
|
||||||
|
Avoid this by returning only the status from map_dcmd, and loading
|
||||||
|
cmd->iov_size in the caller.
|
||||||
|
|
||||||
|
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
---
|
||||||
|
hw/scsi/megasas.c | 11 ++++++-----
|
||||||
|
1 files changed, 6 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||||
|
index 67fc1e7..6233865 100644
|
||||||
|
--- a/hw/scsi/megasas.c
|
||||||
|
+++ b/hw/scsi/megasas.c
|
||||||
|
@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||||
|
trace_megasas_dcmd_invalid_sge(cmd->index,
|
||||||
|
cmd->frame->header.sge_count);
|
||||||
|
cmd->iov_size = 0;
|
||||||
|
- return -1;
|
||||||
|
+ return -EINVAL;
|
||||||
|
}
|
||||||
|
iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
|
||||||
|
iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
|
||||||
|
pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
|
||||||
|
qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
|
||||||
|
cmd->iov_size = iov_size;
|
||||||
|
- return cmd->iov_size;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
|
||||||
|
@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
|
||||||
|
|
||||||
|
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||||
|
{
|
||||||
|
- int opcode, len;
|
||||||
|
+ int opcode;
|
||||||
|
int retval = 0;
|
||||||
|
+ size_t len;
|
||||||
|
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
||||||
|
|
||||||
|
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
||||||
|
trace_megasas_handle_dcmd(cmd->index, opcode);
|
||||||
|
- len = megasas_map_dcmd(s, cmd);
|
||||||
|
- if (len < 0) {
|
||||||
|
+ if (megasas_map_dcmd(s, cmd) < 0) {
|
||||||
|
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
||||||
|
}
|
||||||
|
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
|
||||||
|
cmdptr++;
|
||||||
|
}
|
||||||
|
+ len = cmd->iov_size;
|
||||||
|
if (cmdptr->opcode == -1) {
|
||||||
|
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
|
||||||
|
retval = megasas_dcmd_dummy(s, cmd);
|
||||||
|
--
|
||||||
|
1.7.0.4
|
||||||
|
|
|
@ -78,9 +78,13 @@
|
||||||
(base32
|
(base32
|
||||||
"0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))
|
"0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))
|
||||||
(patches (search-patches "qemu-CVE-2016-10155.patch"
|
(patches (search-patches "qemu-CVE-2016-10155.patch"
|
||||||
|
"qemu-CVE-2017-2615.patch"
|
||||||
"qemu-CVE-2017-5525.patch"
|
"qemu-CVE-2017-5525.patch"
|
||||||
"qemu-CVE-2017-5526.patch"
|
"qemu-CVE-2017-5526.patch"
|
||||||
"qemu-CVE-2017-5552.patch"))))
|
"qemu-CVE-2017-5552.patch"
|
||||||
|
"qemu-CVE-2017-5578.patch"
|
||||||
|
"qemu-CVE-2017-5579.patch"
|
||||||
|
"qemu-CVE-2017-5856.patch"))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(arguments
|
(arguments
|
||||||
'(;; Running tests in parallel can occasionally lead to failures, like:
|
'(;; Running tests in parallel can occasionally lead to failures, like:
|
||||||
|
|
Loading…
Reference in New Issue