
From: Matthias Maier <tamiko@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/, app-emulation/qemu/files/
Date: Sat, 29 Apr 2017 21:32:34
Message-Id: 1493501516.ea97b0c7b7466e74a67ad714b07509c752f5870c.tamiko@gentoo
1 commit: ea97b0c7b7466e74a67ad714b07509c752f5870c
2 Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
3 AuthorDate: Sat Apr 29 21:01:30 2017 +0000
4 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
5 CommitDate: Sat Apr 29 21:31:56 2017 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea97b0c7
7
8 app-emulation/qemu: Various security patches for 2.9.0
9
10 bug 616636, CVE-2017-8112
11 bug 616870 [1]
12 bug 616872 [2]
13 bug 616874 [1]
14
15 [1] minor change, queued upstream, no CVE assigned yet
16 [2] queued upstream, no CVE assigned yet
17
18 Package-Manager: Portage-2.3.3, Repoman-2.3.2
19
20 .../qemu/files/qemu-2.9.0-CVE-2017-8112.patch | 22 +++++++
21 .../qemu/files/qemu-2.9.0-bug616870.patch | 22 +++++++
22 .../qemu/files/qemu-2.9.0-bug616872.patch | 76 ++++++++++++++++++++++
23 .../qemu/files/qemu-2.9.0-bug616874.patch | 34 ++++++++++
24 .../{qemu-2.9.0.ebuild => qemu-2.9.0-r1.ebuild} | 4 ++
25 5 files changed, 158 insertions(+)
26
27 diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
28 new file mode 100644
29 index 00000000000..31fb69bf897
30 --- /dev/null
31 +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
32 @@ -0,0 +1,22 @@
33 +CVE-2017-8112
34 +
35 +https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04494.html
36 +---
37 + hw/scsi/vmw_pvscsi.c | 2 +-
38 + 1 file changed, 1 insertion(+), 1 deletion(-)
39 +
40 +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
41 +index 7557546..4a106da 100644
42 +--- a/hw/scsi/vmw_pvscsi.c
43 ++++ b/hw/scsi/vmw_pvscsi.c
44 +@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
45 + uint32_t len_log2;
46 + uint32_t ring_size;
47 +
48 +- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
49 ++ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
50 + return -1;
51 + }
52 + ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
53 +--
54 +2.9.3
55
56 diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch b/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch
57 new file mode 100644
58 index 00000000000..4f7f870210c
59 --- /dev/null
60 +++ b/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch
61 @@ -0,0 +1,22 @@
62 +bug #616870
63 +
64 +https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
65 +---
66 + audio/audio.c | 2 ++
67 + 1 file changed, 2 insertions(+)
68 +
69 +diff --git a/audio/audio.c b/audio/audio.c
70 +index c8898d8422..beafed209b 100644
71 +--- a/audio/audio.c
72 ++++ b/audio/audio.c
73 +@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
74 + sw = sw1;
75 + }
76 + QLIST_REMOVE (cap, entries);
77 ++ g_free (cap->hw.mix_buf);
78 ++ g_free (cap->buf);
79 + g_free (cap);
80 + }
81 + return;
82 +--
83 +2.9.3
84
85 diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch b/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch
86 new file mode 100644
87 index 00000000000..0a34dae671c
88 --- /dev/null
89 +++ b/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch
90 @@ -0,0 +1,76 @@
91 +bug #616872
92 +
93 +https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
94 +---
95 + ui/input.c | 14 +++++++++++---
96 + 1 file changed, 11 insertions(+), 3 deletions(-)
97 +
98 +diff --git a/ui/input.c b/ui/input.c
99 +index ed88cda6d6..fb1f404095 100644
100 +--- a/ui/input.c
101 ++++ b/ui/input.c
102 +@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
103 + QTAILQ_HEAD_INITIALIZER(kbd_queue);
104 + static QEMUTimer *kbd_timer;
105 + static uint32_t kbd_default_delay_ms = 10;
106 ++static uint32_t queue_count;
107 ++static uint32_t queue_limit = 1024;
108 +
109 + QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
110 + QemuInputHandler *handler)
111 +@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
112 + break;
113 + }
114 + QTAILQ_REMOVE(queue, item, node);
115 ++ queue_count--;
116 + g_free(item);
117 + }
118 + }
119 +@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
120 + item->delay_ms = delay_ms;
121 + item->timer = timer;
122 + QTAILQ_INSERT_TAIL(queue, item, node);
123 ++ queue_count++;
124 +
125 + if (start_timer) {
126 + timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
127 +@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
128 + item->src = src;
129 + item->evt = evt;
130 + QTAILQ_INSERT_TAIL(queue, item, node);
131 ++ queue_count++;
132 + }
133 +
134 + static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
135 +@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
136 +
137 + item->type = QEMU_INPUT_QUEUE_SYNC;
138 + QTAILQ_INSERT_TAIL(queue, item, node);
139 ++ queue_count++;
140 + }
141 +
142 + void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
143 +@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
144 + qemu_input_event_send(src, evt);
145 + qemu_input_event_sync();
146 + qapi_free_InputEvent(evt);
147 +- } else {
148 ++ } else if (queue_count < queue_limit) {
149 + qemu_input_queue_event(&kbd_queue, src, evt);
150 + qemu_input_queue_sync(&kbd_queue);
151 + }
152 +@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
153 + kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
154 + &kbd_queue);
155 + }
156 +- qemu_input_queue_delay(&kbd_queue, kbd_timer,
157 +- delay_ms ? delay_ms : kbd_default_delay_ms);
158 ++ if (queue_count < queue_limit) {
159 ++ qemu_input_queue_delay(&kbd_queue, kbd_timer,
160 ++ delay_ms ? delay_ms : kbd_default_delay_ms);
161 ++ }
162 + }
163 +
164 + InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
165 +--
166 +2.9.3
167
168 diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch b/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch
169 new file mode 100644
170 index 00000000000..08911dd0bfb
171 --- /dev/null
172 +++ b/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch
173 @@ -0,0 +1,34 @@
174 +bug #616874
175 +
176 +https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
177 +---
178 + hw/scsi/megasas.c | 10 +++++-----
179 + 1 file changed, 5 insertions(+), 5 deletions(-)
180 +
181 +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
182 +index 84b8caf..804122a 100644
183 +--- a/hw/scsi/megasas.c
184 ++++ b/hw/scsi/megasas.c
185 +@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
186 + case MFI_SEQ:
187 + trace_megasas_mmio_writel("MFI_SEQ", val);
188 + /* Magic sequence to start ADP reset */
189 +- if (adp_reset_seq[s->adp_reset] == val) {
190 +- s->adp_reset++;
191 ++ if (adp_reset_seq[s->adp_reset++] == val) {
192 ++ if (s->adp_reset == 6) {
193 ++ s->adp_reset = 0;
194 ++ s->diag = MFI_DIAG_WRITE_ENABLE;
195 ++ }
196 + } else {
197 + s->adp_reset = 0;
198 + s->diag = 0;
199 + }
200 +- if (s->adp_reset == 6) {
201 +- s->diag = MFI_DIAG_WRITE_ENABLE;
202 +- }
203 + break;
204 + case MFI_DIAG:
205 + trace_megasas_mmio_writel("MFI_DIAG", val);
206 +--
207 +2.9.3
208
209 diff --git a/app-emulation/qemu/qemu-2.9.0.ebuild b/app-emulation/qemu/qemu-2.9.0-r1.ebuild
210 similarity index 99%
211 rename from app-emulation/qemu/qemu-2.9.0.ebuild
212 rename to app-emulation/qemu/qemu-2.9.0-r1.ebuild
213 index 5ec3aac1a10..2d6bed861d6 100644
214 --- a/app-emulation/qemu/qemu-2.9.0.ebuild
215 +++ b/app-emulation/qemu/qemu-2.9.0-r1.ebuild
216 @@ -190,6 +190,10 @@ RDEPEND="${CDEPEND}
217 PATCHES=(
218 "${FILESDIR}"/${PN}-2.5.0-cflags.patch
219 "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
220 + "${FILESDIR}"/${PN}-2.9.0-bug616870.patch
221 + "${FILESDIR}"/${PN}-2.9.0-bug616872.patch
222 + "${FILESDIR}"/${PN}-2.9.0-bug616874.patch
223 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch
224 )
225
226 STRIP_MASK="/usr/share/qemu/palcode-clipper"