commit: ceb67390ecbe843f184b5bde6428cb9e2f3dcd81 |
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
AuthorDate: Mon Sep 5 05:18:46 2016 +0000 |
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
CommitDate: Mon Sep 5 05:30:00 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceb67390 |
|
app-emulation/qemu: apply patch for CVE-2016-6836, bug #591242 |
|
Package-Manager: portage-2.2.28 |
|
.../qemu/files/qemu-2.7.0-CVE-2016-6836.patch | 27 ++++++++++++++++++++++ |
app-emulation/qemu/qemu-2.7.0.ebuild | 1 + |
2 files changed, 28 insertions(+) |
|
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch |
17 |
new file mode 100644 |
18 |
index 00000000..56f7435 |
19 |
--- /dev/null |
20 |
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch |
21 |
@@ -0,0 +1,27 @@ |
22 |
+From: Li Qiang <address@hidden> |
23 |
+ |
24 |
+In Vmxnet3 device emulator while processing transmit(tx) queue, |
25 |
+when it reaches end of packet, it calls vmxnet3_complete_packet. |
26 |
+In that local 'txcq_descr' object is not initialised, which could |
27 |
+leak host memory bytes a guest. |
28 |
+ |
29 |
+Reported-by: Li Qiang <address@hidden> |
30 |
+Signed-off-by: Prasad J Pandit <address@hidden> |
31 |
+--- |
32 |
+ hw/net/vmxnet3.c | 1 + |
33 |
+ 1 file changed, 1 insertion(+) |
34 |
+ |
35 |
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c |
36 |
+index 90f6943..92f6af9 100644 |
37 |
+--- a/hw/net/vmxnet3.c |
38 |
++++ b/hw/net/vmxnet3.c |
39 |
+@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) |
40 |
+ |
41 |
+ VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); |
42 |
+ |
43 |
++ memset(&txcq_descr, 0, sizeof(txcq_descr)); |
44 |
+ txcq_descr.txdIdx = tx_ridx; |
45 |
+ txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); |
46 |
+ |
47 |
+-- |
48 |
+2.5.5 |
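Review bot: The patch header at the top of the new file carries scrubbed addresses (`address@hidden` on the From, Reported-by and Signed-off-by lines) and neither a subject line nor a reference to the upstream QEMU commit, so a reader cannot verify this downstream copy against the commit that fixes CVE-2016-6836. Since this is a security fix being carried in the tree, I would add a provenance line at the top of the patch, e.g. `Upstream-commit: <upstream qemu.git commit id placeholder>`, and take the real author and sign-off addresses from that commit rather than from the mailing-list scrape. The change itself, zeroing `txcq_descr` with `memset` before `txdIdx` and `gen` are filled in, is consistent with the stated uninitialised-stack-leak fix; the enclosing `vmxnet3_complete_packet` body is only partly visible in the embedded hunk, so the descriptor's remaining fields cannot be checked from here.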
49 |
|
50 |
diff --git a/app-emulation/qemu/qemu-2.7.0.ebuild b/app-emulation/qemu/qemu-2.7.0.ebuild |
51 |
index 6f65fc9..a3aefc2 100644 |
52 |
--- a/app-emulation/qemu/qemu-2.7.0.ebuild |
53 |
+++ b/app-emulation/qemu/qemu-2.7.0.ebuild |
54 |
@@ -333,6 +333,7 @@ src_prepare() { |
55 |
|
56 |
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch |
57 |
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch |
58 |
+ epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch |
59 |
# Fix ld and objcopy being called directly |
60 |
tc-export AR LD OBJCOPY |