| 1 |
commit: b054426687f5eccea1873b53afed11100ca1eb8d |
| 2 |
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Mon Mar 27 03:18:22 2017 +0000 |
| 4 |
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Mar 27 03:40:37 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0544266 |
| 7 |
|
| 8 |
app-emulation/qemu: security patches, bug #612220 |
| 9 |
|
| 10 |
CVE-2017-6505, bug #612220 |
| 11 |
|
| 12 |
Package-Manager: Portage-2.3.3, Repoman-2.3.2 |
| 13 |
|
| 14 |
.../qemu/files/qemu-2.8.0-CVE-2017-6505.patch | 52 ++++++++++++++++++++++ |
| 15 |
.../{qemu-2.8.0-r7.ebuild => qemu-2.8.0-r8.ebuild} | 1 + |
| 16 |
2 files changed, 53 insertions(+) |
| 17 |
|
| 18 |
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch |
| 19 |
new file mode 100644 |
| 20 |
index 00000000000..a15aa96bd56 |
| 21 |
--- /dev/null |
| 22 |
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch |
| 23 |
@@ -0,0 +1,52 @@ |
| 24 |
+From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001 |
| 25 |
+From: Li Qiang <liqiang6-s@×××.cn> |
| 26 |
+Date: Tue, 7 Feb 2017 02:23:33 -0800 |
| 27 |
+Subject: [PATCH] usb: ohci: limit the number of link eds |
| 28 |
+ |
| 29 |
+The guest may builds an infinite loop with link eds. This patch |
| 30 |
+limit the number of linked ed to avoid this. |
| 31 |
+ |
| 32 |
+Signed-off-by: Li Qiang <liqiang6-s@×××.cn> |
| 33 |
+Message-id: 5899a02e.45ca240a.6c373.93c1@×××××××××.com |
| 34 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
| 35 |
+--- |
| 36 |
+ hw/usb/hcd-ohci.c | 9 ++++++++- |
| 37 |
+ 1 file changed, 8 insertions(+), 1 deletion(-) |
| 38 |
+ |
| 39 |
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c |
| 40 |
+index 2cba3e3..21c93e0 100644 |
| 41 |
+--- a/hw/usb/hcd-ohci.c |
| 42 |
++++ b/hw/usb/hcd-ohci.c |
| 43 |
+@@ -42,6 +42,8 @@ |
| 44 |
+ |
| 45 |
+ #define OHCI_MAX_PORTS 15 |
| 46 |
+ |
| 47 |
++#define ED_LINK_LIMIT 4 |
| 48 |
++ |
| 49 |
+ static int64_t usb_frame_time; |
| 50 |
+ static int64_t usb_bit_time; |
| 51 |
+ |
| 52 |
+@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) |
| 53 |
+ uint32_t next_ed; |
| 54 |
+ uint32_t cur; |
| 55 |
+ int active; |
| 56 |
+- |
| 57 |
++ uint32_t link_cnt = 0; |
| 58 |
+ active = 0; |
| 59 |
+ |
| 60 |
+ if (head == 0) |
| 61 |
+@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) |
| 62 |
+ |
| 63 |
+ next_ed = ed.next & OHCI_DPTR_MASK; |
| 64 |
+ |
| 65 |
++ if (++link_cnt > ED_LINK_LIMIT) { |
| 66 |
++ ohci_die(ohci); |
| 67 |
++ return 0; |
| 68 |
++ } |
| 69 |
++ |
| 70 |
+ if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) { |
| 71 |
+ uint32_t addr; |
| 72 |
+ /* Cancel pending packets for ED that have been paused. */ |
| 73 |
+-- |
| 74 |
+2.10.2 |
| 75 |
+ |
| 76 |
|
| 77 |
diff --git a/app-emulation/qemu/qemu-2.8.0-r7.ebuild b/app-emulation/qemu/qemu-2.8.0-r8.ebuild |
| 78 |
similarity index 99% |
| 79 |
rename from app-emulation/qemu/qemu-2.8.0-r7.ebuild |
| 80 |
rename to app-emulation/qemu/qemu-2.8.0-r8.ebuild |
| 81 |
index 2088438d8e5..8df1a91630a 100644 |
| 82 |
--- a/app-emulation/qemu/qemu-2.8.0-r7.ebuild |
| 83 |
+++ b/app-emulation/qemu/qemu-2.8.0-r8.ebuild |
| 84 |
@@ -206,6 +206,7 @@ PATCHES=( |
| 85 |
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398 |
| 86 |
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch #609638 |
| 87 |
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch #609206 |
| 88 |
+ "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch #612220 |
| 89 |
) |
| 90 |
|
| 91 |
STRIP_MASK="/usr/share/qemu/palcode-clipper" |
Archives