commit: ea97b0c7b7466e74a67ad714b07509c752f5870c |
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
AuthorDate: Sat Apr 29 21:01:30 2017 +0000 |
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
CommitDate: Sat Apr 29 21:31:56 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea97b0c7 |
|
app-emulation/qemu: Various security patches for 2.9.0 |
|
bug 616636, CVE-2017-8112 |
bug 616870 [1] |
bug 616872 [2] |
bug 616874 [1] |
|
[1] minor change, queued upstream, no CVE assigned yet |
[2] queued upstream, no CVE assigned yet |
|
Package-Manager: Portage-2.3.3, Repoman-2.3.2 |
|
.../qemu/files/qemu-2.9.0-CVE-2017-8112.patch | 22 +++++++ |
.../qemu/files/qemu-2.9.0-bug616870.patch | 22 +++++++ |
.../qemu/files/qemu-2.9.0-bug616872.patch | 76 ++++++++++++++++++++++ |
.../qemu/files/qemu-2.9.0-bug616874.patch | 34 ++++++++++ |
.../{qemu-2.9.0.ebuild => qemu-2.9.0-r1.ebuild} | 4 ++ |
5 files changed, 158 insertions(+) |
|
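diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
new file mode 100644
index 00000000000..31fb69bf897
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
@@ -0,0 +1,22 @@
+CVE-2017-8112
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04494.html
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 7557546..4a106da 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ uint32_t len_log2;
+ uint32_t ring_size;
+
+- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+ return -1;
+ }
+ ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+--
+2.9.3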
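Review bot: The header of the new qemu-2.9.0-CVE-2017-8112.patch names only the CVE and the list thread, while the commit message ties this fix to bug 616636 and the other three patch files each open with their Gentoo bug number; the first line should read `bug #616636, CVE-2017-8112` so the file can be cross-referenced with the tracker and the ebuild without opening the commit. The code change itself, rejecting `ri->numPages == 0` next to the existing upper bound before `ring_size` is derived from it, matches the function's existing `return -1` convention for a guest-supplied size that is out of range, and I see nothing further to check within the quoted lines. pvscsi_ring_init_msg continues outside the hunk, so how `len_log2` is derived from `ring_size` is not visible here.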
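diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch b/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch
new file mode 100644
index 00000000000..4f7f870210c
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch
@@ -0,0 +1,22 @@
+bug #616870
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+ sw = sw1;
+ }
+ QLIST_REMOVE (cap, entries);
++ g_free (cap->hw.mix_buf);
++ g_free (cap->buf);
+ g_free (cap);
+ }
+ return;
+--
+2.9.3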
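Review bot: The new qemu-2.9.0-bug616870.patch carries no summary line, only the bug number and a list URL, so whoever rebases it at the next version bump has to open the thread to learn what it does; add a line such as `audio: free cap->hw.mix_buf and cap->buf when a capture voice is deleted` under the bug reference. The two `g_free` calls inserted ahead of `g_free (cap)` suggest those buffers were previously dropped together with the struct without being released, but whether anything else still holds a pointer to them cannot be confirmed from this hunk, and AUD_del_capture begins outside it.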
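diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch b/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch
new file mode 100644
index 00000000000..0a34dae671c
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch
@@ -0,0 +1,76 @@
+bug #616872
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+ QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+ QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+ break;
+ }
+ QTAILQ_REMOVE(queue, item, node);
++ queue_count--;
+ g_free(item);
+ }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+ item->delay_ms = delay_ms;
+ item->timer = timer;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+
+ if (start_timer) {
+ timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+ item->src = src;
+ item->evt = evt;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+ }
+
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+
+ item->type = QEMU_INPUT_QUEUE_SYNC;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+ }
+
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+ qemu_input_event_send(src, evt);
+ qemu_input_event_sync();
+ qapi_free_InputEvent(evt);
+- } else {
++ } else if (queue_count < queue_limit) {
+ qemu_input_queue_event(&kbd_queue, src, evt);
+ qemu_input_queue_sync(&kbd_queue);
+ }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+ kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+ &kbd_queue);
+ }
+- qemu_input_queue_delay(&kbd_queue, kbd_timer,
+- delay_ms ? delay_ms : kbd_default_delay_ms);
++ if (queue_count < queue_limit) {
++ qemu_input_queue_delay(&kbd_queue, kbd_timer,
++ delay_ms ? delay_ms : kbd_default_delay_ms);
++ }
+ }
+
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
+--
+2.9.3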
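Review bot: In the `qemu_input_event_send_key` hunk the new `} else if (queue_count < queue_limit) {` leaves `evt` neither queued nor released when the queue is full: the synchronous branch frees it with `qapi_free_InputEvent(evt)` and the queued branch hands it to the queue item via `item->evt = evt`, but an event rejected at the limit now takes neither path, so every key dropped while the cap is hit leaks one InputEvent (the allocation of `evt` lies in the part of the function outside the hunk, so this is inferred from the visible free). A final branch, `} else { qapi_free_InputEvent(evt); }`, closes that gap. The drop is also silent both here and in `qemu_input_event_send_key_delay`; a trace point, or at least a comment on `queue_limit` saying that the cap bounds the memory a guest or client can pin in the keyboard queue, would help whoever later tunes the constant. `queue_count` is decremented only in `qemu_input_queue_process`, so if any other code path removes items from `kbd_queue` the counter will drift upward until queuing stops for good — worth confirming against the rest of ui/input.c, which is not in this hunk.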
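diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch b/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch
new file mode 100644
index 00000000000..08911dd0bfb
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch
@@ -0,0 +1,34 @@
+bug #616874
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf..804122a 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
+ case MFI_SEQ:
+ trace_megasas_mmio_writel("MFI_SEQ", val);
+ /* Magic sequence to start ADP reset */
+- if (adp_reset_seq[s->adp_reset] == val) {
+- s->adp_reset++;
++ if (adp_reset_seq[s->adp_reset++] == val) {
++ if (s->adp_reset == 6) {
++ s->adp_reset = 0;
++ s->diag = MFI_DIAG_WRITE_ENABLE;
++ }
+ } else {
+ s->adp_reset = 0;
+ s->diag = 0;
+ }
+- if (s->adp_reset == 6) {
+- s->diag = MFI_DIAG_WRITE_ENABLE;
+- }
+ break;
+ case MFI_DIAG:
+ trace_megasas_mmio_writel("MFI_DIAG", val);
+--
+2.9.3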
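Review bot: The guard `if (s->adp_reset == 6)` that now follows the post-increment index keeps the bound correct only as long as that literal matches the length of `adp_reset_seq`, which is defined outside this hunk; writing it as `if (s->adp_reset == ARRAY_SIZE(adp_reset_seq)) {` ties the reset to the table and explains the magic number. The restructuring does fix the defect visible in the removed lines — the old code left `adp_reset` at 6 after a completed sequence, so the next MFI_SEQ write indexed one entry past the table — but the index is still taken before any range check, so if `s->adp_reset` can hold a value beyond the table by any path other than this handler (restored device state, for instance), the read is still out of range; that cannot be settled from the hunk and is worth checking in megasas.c. megasas_mmio_write begins and ends outside the quoted lines.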
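diff --git a/app-emulation/qemu/qemu-2.9.0.ebuild b/app-emulation/qemu/qemu-2.9.0-r1.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.9.0.ebuild
rename to app-emulation/qemu/qemu-2.9.0-r1.ebuild
index 5ec3aac1a10..2d6bed861d6 100644
--- a/app-emulation/qemu/qemu-2.9.0.ebuild
+++ b/app-emulation/qemu/qemu-2.9.0-r1.ebuild
@@ -190,6 +190,10 @@ RDEPEND="${CDEPEND}
 PATCHES=(
 "${FILESDIR}"/${PN}-2.5.0-cflags.patch
 "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
+ "${FILESDIR}"/${PN}-2.9.0-bug616870.patch
+ "${FILESDIR}"/${PN}-2.9.0-bug616872.patch
+ "${FILESDIR}"/${PN}-2.9.0-bug616874.patch
+ "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"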