Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Matthias Maier <tamiko@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/, app-emulation/qemu/
Date: Mon, 05 Sep 2016 05:30:19
Message-Id: 1473053400.ceb67390ecbe843f184b5bde6428cb9e2f3dcd81.tamiko@gentoo
1 commit: ceb67390ecbe843f184b5bde6428cb9e2f3dcd81
2 Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
3 AuthorDate: Mon Sep 5 05:18:46 2016 +0000
4 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 5 05:30:00 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceb67390
7
8 app-emulation/qemu: apply patch for CVE-2016-6836, bug #591242
9
10 Package-Manager: portage-2.2.28
11
12 .../qemu/files/qemu-2.7.0-CVE-2016-6836.patch | 27 ++++++++++++++++++++++
13 app-emulation/qemu/qemu-2.7.0.ebuild | 1 +
14 2 files changed, 28 insertions(+)
15
16 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
17 new file mode 100644
18 index 00000000..56f7435
19 --- /dev/null
20 +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
21 @@ -0,0 +1,27 @@
22 +From: Li Qiang <address@hidden>
23 +
24 +In Vmxnet3 device emulator while processing transmit(tx) queue,
25 +when it reaches end of packet, it calls vmxnet3_complete_packet.
26 +In that local 'txcq_descr' object is not initialised, which could
27 +leak host memory bytes a guest.
28 +
29 +Reported-by: Li Qiang <address@hidden>
30 +Signed-off-by: Prasad J Pandit <address@hidden>
31 +---
32 + hw/net/vmxnet3.c | 1 +
33 + 1 file changed, 1 insertion(+)
34 +
35 +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
36 +index 90f6943..92f6af9 100644
37 +--- a/hw/net/vmxnet3.c
38 ++++ b/hw/net/vmxnet3.c
39 +@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
40 +
41 + VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
42 +
43 ++ memset(&txcq_descr, 0, sizeof(txcq_descr));
44 + txcq_descr.txdIdx = tx_ridx;
45 + txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
46 +
47 +--
48 +2.5.5
49
50 diff --git a/app-emulation/qemu/qemu-2.7.0.ebuild b/app-emulation/qemu/qemu-2.7.0.ebuild
51 index 6f65fc9..a3aefc2 100644
52 --- a/app-emulation/qemu/qemu-2.7.0.ebuild
53 +++ b/app-emulation/qemu/qemu-2.7.0.ebuild
54 @@ -333,6 +333,7 @@ src_prepare() {
55
56 epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
57 epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
58 + epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch
59 # Fix ld and objcopy being called directly
60 tc-export AR LD OBJCOPY
Report Message
Find on MARC Find on Google Groups