| 1 |
commit: 538fed1c866f2b1ef17d97295a06bd666e828d6f |
| 2 |
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu Dec 29 18:20:31 2016 +0000 |
| 4 |
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Dec 29 20:05:08 2016 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=538fed1c |
| 7 |
|
| 8 |
app-emulation/qemu: version bump to 2.8.0 |
| 9 |
|
| 10 |
app-emulation/qemu/Manifest | 1 + |
| 11 |
.../qemu/files/qemu-2.8.0-CVE-2016-10028.patch | 40 ++++++++++++++++++++++ |
| 12 |
.../qemu/files/qemu-2.8.0-CVE-2016-9908.patch | 35 +++++++++++++++++++ |
| 13 |
.../qemu/files/qemu-2.8.0-CVE-2016-9912.patch | 38 ++++++++++++++++++++ |
| 14 |
.../qemu/{qemu-9999.ebuild => qemu-2.8.0.ebuild} | 6 +++- |
| 15 |
app-emulation/qemu/qemu-9999.ebuild | 2 +- |
| 16 |
6 files changed, 120 insertions(+), 2 deletions(-) |
| 17 |
|
| 18 |
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest |
| 19 |
index 5d40bbd..46537bc 100644 |
| 20 |
--- a/app-emulation/qemu/Manifest |
| 21 |
+++ b/app-emulation/qemu/Manifest |
| 22 |
@@ -1,2 +1,3 @@ |
| 23 |
DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d |
| 24 |
DIST qemu-2.7.1.tar.bz2 26868403 SHA256 68636788eb69bcb0b44ba220b32b50495d6bd5712a934c282217831c4822958f SHA512 16a83946e9064733254c82c961749bf9c56a0a2a8ee46145b4a78e1452ac0e2548d888963d18c80e28f65202890fd643b0011951b5b1c66ef16234767ed91898 WHIRLPOOL ae3d3c2b2a3700613733659847de6187755631cb09e8c3548ea30cd994357c9ff128646edce88dfe4dce53e6c1c0f37f8de3688ee7e22262033b40f3fc706efa |
| 25 |
+DIST qemu-2.8.0.tar.bz2 28368517 SHA256 dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62 SHA512 50f2988d822388ba9fd1bf5dbe68359033ed7432d7f0f9790299f32f63faa6dc72979256b5632ba572d47ee3e74ed40e3e8e331dc6303ec1599f1b4367cb78c2 WHIRLPOOL 0ce4e0539657eb832e4039819e7360c792b6aa41c718f0e0d762f4933217f0d370af94b1d6d9776853575b4a6811d8c85db069bf09d21bd15399ac8b50440ff5 |
| 26 |
|
| 27 |
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch |
| 28 |
new file mode 100644 |
| 29 |
index 00000000..466c819 |
| 30 |
--- /dev/null |
| 31 |
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch |
| 32 |
@@ -0,0 +1,40 @@ |
| 33 |
+https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html |
| 34 |
+https://bugs.gentoo.org/603444 |
| 35 |
+ |
| 36 |
+From: P J P |
| 37 |
+Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size |
| 38 |
+Date: Wed, 14 Dec 2016 12:31:56 +0530 |
| 39 |
+From: Prasad J Pandit <address@hidden> |
| 40 |
+ |
| 41 |
+Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET' |
| 42 |
+command, retrieves the maximum capabilities size to fill in the |
| 43 |
+response object. It continues to fill in capabilities even if |
| 44 |
+retrieved 'max_size' is zero(0), thus resulting in OOB access. |
| 45 |
+Add check to avoid it. |
| 46 |
+ |
| 47 |
+Reported-by: Zhenhao Hong <address@hidden> |
| 48 |
+Signed-off-by: Prasad J Pandit <address@hidden> |
| 49 |
+--- |
| 50 |
+ hw/display/virtio-gpu-3d.c | 6 +++++- |
| 51 |
+ 1 file changed, 5 insertions(+), 1 deletion(-) |
| 52 |
+ |
| 53 |
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c |
| 54 |
+index 758d33a..6ceeba3 100644 |
| 55 |
+--- a/hw/display/virtio-gpu-3d.c |
| 56 |
++++ b/hw/display/virtio-gpu-3d.c |
| 57 |
+@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, |
| 58 |
+ |
| 59 |
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver, |
| 60 |
+ &max_size); |
| 61 |
++ if (!max_size) { |
| 62 |
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; |
| 63 |
++ return; |
| 64 |
++ } |
| 65 |
++ |
| 66 |
+ resp = g_malloc0(sizeof(*resp) + max_size); |
| 67 |
+- |
| 68 |
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; |
| 69 |
+ virgl_renderer_fill_caps(gc.capset_id, |
| 70 |
+ gc.capset_version, |
| 71 |
+-- |
| 72 |
+2.9.3 |
| 73 |
|
| 74 |
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch |
| 75 |
new file mode 100644 |
| 76 |
index 00000000..841de65 |
| 77 |
--- /dev/null |
| 78 |
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch |
| 79 |
@@ -0,0 +1,35 @@ |
| 80 |
+https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html |
| 81 |
+https://bugs.gentoo.org/601826 |
| 82 |
+ |
| 83 |
+From: Li Qiang |
| 84 |
+Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch |
| 85 |
+Date: Tue, 1 Nov 2016 05:37:57 -0700 |
| 86 |
+From: Li Qiang <address@hidden> |
| 87 |
+ |
| 88 |
+In virgl_cmd_get_capset function, it uses g_malloc to allocate |
| 89 |
+a response struct to the guest. As the 'resp'struct hasn't been full |
| 90 |
+initialized it will lead the 'resp->padding' field to the guest. |
| 91 |
+Use g_malloc0 to avoid this. |
| 92 |
+ |
| 93 |
+Signed-off-by: Li Qiang <address@hidden> |
| 94 |
+--- |
| 95 |
+ hw/display/virtio-gpu-3d.c | 2 +- |
| 96 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
| 97 |
+ |
| 98 |
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c |
| 99 |
+index 23f39de..d98b140 100644 |
| 100 |
+--- a/hw/display/virtio-gpu-3d.c |
| 101 |
++++ b/hw/display/virtio-gpu-3d.c |
| 102 |
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, |
| 103 |
+ |
| 104 |
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver, |
| 105 |
+ &max_size); |
| 106 |
+- resp = g_malloc(sizeof(*resp) + max_size); |
| 107 |
++ resp = g_malloc0(sizeof(*resp) + max_size); |
| 108 |
+ |
| 109 |
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; |
| 110 |
+ virgl_renderer_fill_caps(gc.capset_id, |
| 111 |
+-- |
| 112 |
+1.8.3.1 |
| 113 |
+ |
| 114 |
+ |
| 115 |
|
| 116 |
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch |
| 117 |
new file mode 100644 |
| 118 |
index 00000000..55963f7 |
| 119 |
--- /dev/null |
| 120 |
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch |
| 121 |
@@ -0,0 +1,38 @@ |
| 122 |
+https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html |
| 123 |
+https://bugs.gentoo.org/602630 |
| 124 |
+ |
| 125 |
+From: Li Qiang |
| 126 |
+Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy |
| 127 |
+Date: Mon, 28 Nov 2016 21:29:25 -0500 |
| 128 |
+If the guest destroy the resource before detach banking, the 'iov' |
| 129 |
+and 'addrs' field in resource is not freed thus leading memory |
| 130 |
+leak issue. This patch avoid this. |
| 131 |
+ |
| 132 |
+Signed-off-by: Li Qiang <address@hidden> |
| 133 |
+--- |
| 134 |
+ hw/display/virtio-gpu.c | 3 +++ |
| 135 |
+ 1 file changed, 3 insertions(+) |
| 136 |
+ |
| 137 |
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c |
| 138 |
+index 60bce94..98dadf2 100644 |
| 139 |
+--- a/hw/display/virtio-gpu.c |
| 140 |
++++ b/hw/display/virtio-gpu.c |
| 141 |
+@@ -28,6 +28,8 @@ |
| 142 |
+ static struct virtio_gpu_simple_resource* |
| 143 |
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id); |
| 144 |
+ |
| 145 |
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res); |
| 146 |
++ |
| 147 |
+ #ifdef CONFIG_VIRGL |
| 148 |
+ #include <virglrenderer.h> |
| 149 |
+ #define VIRGL(_g, _virgl, _simple, ...) \ |
| 150 |
+@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g, |
| 151 |
+ struct virtio_gpu_simple_resource *res) |
| 152 |
+ { |
| 153 |
+ pixman_image_unref(res->image); |
| 154 |
++ virtio_gpu_cleanup_mapping(res); |
| 155 |
+ QTAILQ_REMOVE(&g->reslist, res, next); |
| 156 |
+ g_free(res); |
| 157 |
+ } |
| 158 |
+-- |
| 159 |
+1.8.3.1 |
| 160 |
|
| 161 |
diff --git a/app-emulation/qemu/qemu-9999.ebuild b/app-emulation/qemu/qemu-2.8.0.ebuild |
| 162 |
similarity index 98% |
| 163 |
copy from app-emulation/qemu/qemu-9999.ebuild |
| 164 |
copy to app-emulation/qemu/qemu-2.8.0.ebuild |
| 165 |
index 4859990..de01f6c 100644 |
| 166 |
--- a/app-emulation/qemu/qemu-9999.ebuild |
| 167 |
+++ b/app-emulation/qemu/qemu-2.8.0.ebuild |
| 168 |
@@ -142,7 +142,7 @@ USER_LIB_DEPEND="${COMMON_LIB_DEPEND}" |
| 169 |
X86_FIRMWARE_DEPEND=" |
| 170 |
>=sys-firmware/ipxe-1.0.0_p20130624 |
| 171 |
pin-upstream-blobs? ( |
| 172 |
- ~sys-firmware/seabios-1.8.2 |
| 173 |
+ ~sys-firmware/seabios-1.10.1 |
| 174 |
~sys-firmware/sgabios-0.1_pre8 |
| 175 |
~sys-firmware/vgabios-0.7a |
| 176 |
) |
| 177 |
@@ -333,6 +333,10 @@ src_prepare() { |
| 178 |
|
| 179 |
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch |
| 180 |
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch |
| 181 |
+ epatch "${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108 |
| 182 |
+ epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch #601826 |
| 183 |
+ epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch #602630 |
| 184 |
+ epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch #603444 |
| 185 |
|
| 186 |
# Fix ld and objcopy being called directly |
| 187 |
tc-export AR LD OBJCOPY |
| 188 |
|
| 189 |
diff --git a/app-emulation/qemu/qemu-9999.ebuild b/app-emulation/qemu/qemu-9999.ebuild |
| 190 |
index 4859990..8b5b30c 100644 |
| 191 |
--- a/app-emulation/qemu/qemu-9999.ebuild |
| 192 |
+++ b/app-emulation/qemu/qemu-9999.ebuild |
| 193 |
@@ -142,7 +142,7 @@ USER_LIB_DEPEND="${COMMON_LIB_DEPEND}" |
| 194 |
X86_FIRMWARE_DEPEND=" |
| 195 |
>=sys-firmware/ipxe-1.0.0_p20130624 |
| 196 |
pin-upstream-blobs? ( |
| 197 |
- ~sys-firmware/seabios-1.8.2 |
| 198 |
+ ~sys-firmware/seabios-1.10.1 |
| 199 |
~sys-firmware/sgabios-0.1_pre8 |
| 200 |
~sys-firmware/vgabios-0.7a |
| 201 |
) |
Archives