gnu: qemu: Update to 2.9.0 [security fixes].

Fixes CVE-2017-{5857,5973,5987,6058,6505,7377,7471,7718}. * gnu/packages/qemu.scm (qemu): Update to 2.9.0. [source]: Remove obsolete patches. * gnu/packages/patches/qemu-CVE-2016-10155.patch, gnu/packages/patches/qemu-CVE-2017-5525.patch, gnu/packages/patches/qemu-CVE-2017-5526.patch, gnu/packages/patches/qemu-CVE-2017-5552.patch, gnu/packages/patches/qemu-CVE-2017-5578.patch, gnu/packages/patches/qemu-CVE-2017-5579.patch, gnu/packages/patches/qemu-CVE-2017-5856.patch, gnu/packages/patches/qemu-CVE-2017-5898.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them.
2017-04-07 09:03:28 -04:00 · 2017-04-07 09:03:28 -04:00 · dfa663c963
parent 7252964244
commit dfa663c963
10 changed files with 2 additions and 420 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -898,14 +898,6 @@ dist_patch_DATA =						\
  %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
  %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch	\
  %D%/packages/patches/python2-subprocess32-disable-input-test.patch	\
  %D%/packages/patches/qemu-CVE-2016-10155.patch			\
  %D%/packages/patches/qemu-CVE-2017-5525.patch			\
  %D%/packages/patches/qemu-CVE-2017-5526.patch			\
  %D%/packages/patches/qemu-CVE-2017-5552.patch			\
  %D%/packages/patches/qemu-CVE-2017-5578.patch			\
  %D%/packages/patches/qemu-CVE-2017-5579.patch			\
  %D%/packages/patches/qemu-CVE-2017-5856.patch			\
  %D%/packages/patches/qemu-CVE-2017-5898.patch			\
  %D%/packages/patches/qt4-ldflags.patch			\
  %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
  %D%/packages/patches/rapicorn-isnan.patch			\
--- a/gnu/packages/patches/qemu-CVE-2016-10155.patch
+++ b/gnu/packages/patches/qemu-CVE-2016-10155.patch
@ -1,49 +0,0 @@
 From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
 From: Li Qiang <liqiang6-s@360.cn>
 Date: Mon, 28 Nov 2016 17:49:04 -0800
 Subject: [PATCH] watchdog: 6300esb: add exit function
 When the Intel 6300ESB watchdog is hot unplug. The timer allocated
 in realize isn't freed thus leaking memory leak. This patch avoid
 this through adding the exit function.
 http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
 this patch is from qemu-git.
 Signed-off-by: Li Qiang <liqiang6-s@360.cn>
 Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 ---
 hw/watchdog/wdt_i6300esb.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)
 diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
 index a83d951..49b3cd1 100644
 --- a/hw/watchdog/wdt_i6300esb.c
 +++ b/hw/watchdog/wdt_i6300esb.c
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
 }
 +static void i6300esb_exit(PCIDevice *dev)
 +{
 +    I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
 +
 +    timer_del(d->timer);
 +    timer_free(d->timer);
 +}
 +
 static WatchdogTimerModel model = {
     .wdt_name = "i6300esb",
     .wdt_description = "Intel 6300ESB",
@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
     k->config_read = i6300esb_config_read;
     k->config_write = i6300esb_config_write;
     k->realize = i6300esb_realize;
 +    k->exit = i6300esb_exit;
     k->vendor_id = PCI_VENDOR_ID_INTEL;
     k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
     k->class_id = PCI_CLASS_SYSTEM_OTHER;
 -- 
 1.7.0.4
--- a/gnu/packages/patches/qemu-CVE-2017-5525.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-5525.patch
@ -1,55 +0,0 @@
 From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
 From: Li Qiang <liqiang6-s@360.cn>
 Date: Wed, 14 Dec 2016 18:30:21 -0800
 Subject: [PATCH] audio: ac97: add exit function
 MIME-Version: 1.0
 Content-Type: text/plain; charset=utf8
 Content-Transfer-Encoding: 8bit
 http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
 this patch is from qemu-git
 Currently the ac97 device emulation doesn't have a exit function,
 hot unplug this device will leak some memory. Add a exit function to
 avoid this.
 Signed-off-by: Li Qiang <liqiang6-s@360.cn>
 Reviewed-by: Marc-AndrÃ© Lureau <marcandre.lureau@redhat.com>
 Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 ---
 hw/audio/ac97.c |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)
 diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
 index cbd959e..c306575 100644
 --- a/hw/audio/ac97.c
 +++ b/hw/audio/ac97.c
@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
     ac97_on_reset (&s->dev.qdev);
 }
 +static void ac97_exit(PCIDevice *dev)
 +{
 +    AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
 +
 +    AUD_close_in(&s->card, s->voice_pi);
 +    AUD_close_out(&s->card, s->voice_po);
 +    AUD_close_in(&s->card, s->voice_mc);
 +    AUD_remove_card(&s->card);
 +}
 +
 static int ac97_init (PCIBus *bus)
 {
     pci_create_simple (bus, -1, "AC97");
@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
     k->realize = ac97_realize;
 +    k->exit = ac97_exit;
     k->vendor_id = PCI_VENDOR_ID_INTEL;
     k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
     k->revision = 0x01;
 -- 
 1.7.0.4
--- a/gnu/packages/patches/qemu-CVE-2017-5526.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-5526.patch
@ -1,58 +0,0 @@
 From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
 From: Li Qiang <liqiang6-s@360.cn>
 Date: Wed, 14 Dec 2016 18:32:22 -0800
 Subject: [PATCH] audio: es1370: add exit function
 MIME-Version: 1.0
 Content-Type: text/plain; charset=utf8
 Content-Transfer-Encoding: 8bit
 http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
 this patch is from qemu-git.
 Currently the es1370 device emulation doesn't have a exit function,
 hot unplug this device will leak some memory. Add a exit function to
 avoid this.
 Signed-off-by: Li Qiang <liqiang6-s@360.cn>
 Reviewed-by: Marc-AndrÃ© Lureau <marcandre.lureau@redhat.com>
 Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 ---
 hw/audio/es1370.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)
 diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
 index 8449b5f..883ec69 100644
 --- a/hw/audio/es1370.c
 +++ b/hw/audio/es1370.c
@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
     es1370_reset (s);
 }
 +static void es1370_exit(PCIDevice *dev)
 +{
 +    ES1370State *s = ES1370(dev);
 +    int i;
 +
 +    for (i = 0; i < 2; ++i) {
 +        AUD_close_out(&s->card, s->dac_voice[i]);
 +    }
 +
 +    AUD_close_in(&s->card, s->adc_voice);
 +    AUD_remove_card(&s->card);
 +}
 +
 static int es1370_init (PCIBus *bus)
 {
     pci_create_simple (bus, -1, TYPE_ES1370);
@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
     k->realize = es1370_realize;
 +    k->exit = es1370_exit;
     k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
     k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
     k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
 -- 
 1.7.0.4
--- a/gnu/packages/patches/qemu-CVE-2017-5552.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-5552.patch
@ -1,44 +0,0 @@
 From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
 From: Li Qiang <liq3ea@gmail.com>
 Date: Thu, 29 Dec 2016 03:11:26 -0500
 Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
 MIME-Version: 1.0
 Content-Type: text/plain; charset=utf8
 Content-Transfer-Encoding: 8bit
 If the virgl_renderer_resource_attach_iov function fails the
 'res_iovs' will be leaked. Add check of the return value to
 free the 'res_iovs' when failing.
 http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
 this patch is from qemu-git.
 Signed-off-by: Li Qiang <liq3ea@gmail.com>
 Reviewed-by: Marc-AndrÃ© Lureau <marcandre.lureau@redhat.com>
 Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 ---
 hw/display/virtio-gpu-3d.c |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)
 diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
 index e29f099..b13ced3 100644
 --- a/hw/display/virtio-gpu-3d.c
 +++ b/hw/display/virtio-gpu-3d.c
@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
         return;
     }
 -    virgl_renderer_resource_attach_iov(att_rb.resource_id,
 -                                       res_iovs, att_rb.nr_entries);
 +    ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
 +                                             res_iovs, att_rb.nr_entries);
 +
 +    if (ret != 0)
 +        virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
 }
 static void virgl_resource_detach_backing(VirtIOGPU *g,
 -- 
 1.7.0.4
--- a/gnu/packages/patches/qemu-CVE-2017-5578.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-5578.patch
@ -1,39 +0,0 @@
 http://git.qemu.org/?p=qemu.git;a=patch;h=204f01b30975923c64006f8067f0937b91eea68b
 this patch is from qemu-git.
 From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
 From: Li Qiang <liq3ea@gmail.com>
 Date: Thu, 29 Dec 2016 04:28:41 -0500
 Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
 In the resource attach backing function, everytime it will
 allocate 'res->iov' thus can leading a memory leak. This
 patch avoid this.
 Signed-off-by: Li Qiang <liq3ea@gmail.com>
 Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 ---
 hw/display/virtio-gpu.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
 index 6a26258cac..ca88cf478d 100644
 --- a/hw/display/virtio-gpu.c
 +++ b/hw/display/virtio-gpu.c
@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
         return;
     }
 +    if (res->iov) {
 +        cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
 +        return;
 +    }
 +
     ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
     if (ret != 0) {
         cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
 -- 
 2.11.0
--- a/gnu/packages/patches/qemu-CVE-2017-5579.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-5579.patch
@ -1,44 +0,0 @@
 http://git.qemu.org/?p=qemu.git;a=patch;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
 this patch is from qemu-git.
 From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
 From: Li Qiang <liqiang6-s@360.cn>
 Date: Wed, 4 Jan 2017 00:43:16 -0800
 Subject: [PATCH] serial: fix memory leak in serial exit
 The serial_exit_core function doesn't free some resources.
 This can lead memory leak when hotplug and unplug. This
 patch avoid this.
 Signed-off-by: Li Qiang <liqiang6-s@360.cn>
 Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 ---
 hw/char/serial.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
 diff --git a/hw/char/serial.c b/hw/char/serial.c
 index ffbacd8227..67b18eda12 100644
 --- a/hw/char/serial.c
 +++ b/hw/char/serial.c
@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
 void serial_exit_core(SerialState *s)
 {
     qemu_chr_fe_deinit(&s->chr);
 +
 +    timer_del(s->modem_status_poll);
 +    timer_free(s->modem_status_poll);
 +
 +    timer_del(s->fifo_timeout_timer);
 +    timer_free(s->fifo_timeout_timer);
 +
 +    fifo8_destroy(&s->recv_fifo);
 +    fifo8_destroy(&s->xmit_fifo);
 +
     qemu_unregister_reset(serial_reset, s);
 }
 -- 
 2.11.0
--- a/gnu/packages/patches/qemu-CVE-2017-5856.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-5856.patch
@ -1,68 +0,0 @@
 http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3
 this patch is from qemu-git.
 From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Mon, 2 Jan 2017 11:03:33 +0100
 Subject: [PATCH] megasas: fix guest-triggered memory leak
 If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
 will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
 Avoid this by returning only the status from map_dcmd, and loading
 cmd->iov_size in the caller.
 Reported-by: Li Qiang <liqiang6-s@360.cn>
 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
 ---
 hw/scsi/megasas.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)
 diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
 index 67fc1e7..6233865 100644
 --- a/hw/scsi/megasas.c
 +++ b/hw/scsi/megasas.c
@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
         trace_megasas_dcmd_invalid_sge(cmd->index,
                                        cmd->frame->header.sge_count);
         cmd->iov_size = 0;
 -        return -1;
 +        return -EINVAL;
     }
     iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
     iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
     pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
     qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
     cmd->iov_size = iov_size;
 -    return cmd->iov_size;
 +    return 0;
 }
 static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
 static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
 {
 -    int opcode, len;
 +    int opcode;
     int retval = 0;
 +    size_t len;
     const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
     opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
     trace_megasas_handle_dcmd(cmd->index, opcode);
 -    len = megasas_map_dcmd(s, cmd);
 -    if (len < 0) {
 +    if (megasas_map_dcmd(s, cmd) < 0) {
         return MFI_STAT_MEMORY_NOT_AVAILABLE;
     }
     while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
         cmdptr++;
     }
 +    len = cmd->iov_size;
     if (cmdptr->opcode == -1) {
         trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
         retval = megasas_dcmd_dummy(s, cmd);
 -- 
 1.7.0.4
--- a/gnu/packages/patches/qemu-CVE-2017-5898.patch
+++ b/gnu/packages/patches/qemu-CVE-2017-5898.patch
@ -1,44 +0,0 @@
 Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
 http://seclists.org/oss-sec/2017/q1/328
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
 Patch copied from upstream source repository:
 http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
 From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
 From: Prasad J Pandit <pjp@fedoraproject.org>
 Date: Fri, 3 Feb 2017 00:52:28 +0530
 Subject: [PATCH] usb: ccid: check ccid apdu length
 CCID device emulator uses Application Protocol Data Units(APDU)
 to exchange command and responses to and from the host.
 The length in these units couldn't be greater than 65536. Add
 check to ensure the same. It'd also avoid potential integer
 overflow in emulated_apdu_from_guest.
 Reported-by: Li Qiang <liqiang6-s@360.cn>
 Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
 Message-id: 20170202192228.10847-1-ppandit@redhat.com
 Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
 ---
 hw/usb/dev-smartcard-reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
 index 89e11b68c4..1325ea1659 100644
 --- a/hw/usb/dev-smartcard-reader.c
 +++ b/hw/usb/dev-smartcard-reader.c
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
     DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
                 recv->hdr.bSeq, len);
     ccid_add_pending_answer(s, (CCID_Header *)recv);
 -    if (s->card) {
 +    if (s->card && len <= BULK_OUT_DATA_SIZE) {
         ccid_card_apdu_from_guest(s->card, recv->abData, len);
     } else {
         DPRINTF(s, D_WARN, "warning: discarded apdu\n");
 -- 
 2.11.1
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@ -69,23 +69,14 @@
 (define-public qemu
  (package
    (name "qemu")
-    (version "2.8.1")
+    (version "2.9.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://wiki.qemu-project.org/download/qemu-"
                                 version ".tar.xz"))
             (sha256
              (base32
-               "0h342v4n44kh89yyfas4iazvhhsy5m5qk94vsjqpz5zpq1i2ykad"))
+               "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
             (patches (search-patches "qemu-CVE-2016-10155.patch"
                                      "qemu-CVE-2017-5525.patch"
                                      "qemu-CVE-2017-5526.patch"
                                      "qemu-CVE-2017-5552.patch"
                                      "qemu-CVE-2017-5578.patch"
                                      "qemu-CVE-2017-5579.patch"
                                      "qemu-CVE-2017-5856.patch"
                                      "qemu-CVE-2017-5898.patch"
                                      ))))
    (build-system gnu-build-system)
    (arguments
     '(;; Running tests in parallel can occasionally lead to failures, like: