commit: b054426687f5eccea1873b53afed11100ca1eb8d |
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
AuthorDate: Mon Mar 27 03:18:22 2017 +0000 |
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
CommitDate: Mon Mar 27 03:40:37 2017 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0544266 |
|
app-emulation/qemu: security patches, bug #612220 |
|
CVE-2017-6505, bug #612220 |
|
Package-Manager: Portage-2.3.3, Repoman-2.3.2 |
|
.../qemu/files/qemu-2.8.0-CVE-2017-6505.patch | 52 ++++++++++++++++++++++ |
.../{qemu-2.8.0-r7.ebuild => qemu-2.8.0-r8.ebuild} | 1 + |
2 files changed, 53 insertions(+) |
|
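diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
new file mode 100644
index 00000000000..a15aa96bd56
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
@@ -0,0 +1,52 @@
+From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@×××.cn>
+Date: Tue, 7 Feb 2017 02:23:33 -0800
+Subject: [PATCH] usb: ohci: limit the number of link eds
+
+The guest may builds an infinite loop with link eds. This patch
+limit the number of linked ed to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@×××.cn>
+Message-id: 5899a02e.45ca240a.6c373.93c1@×××××××××.com
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
+---
+ hw/usb/hcd-ohci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 2cba3e3..21c93e0 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -42,6 +42,8 @@
+
+ #define OHCI_MAX_PORTS 15
+
++#define ED_LINK_LIMIT 4
++
+ static int64_t usb_frame_time;
+ static int64_t usb_bit_time;
+
+@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+ uint32_t next_ed;
+ uint32_t cur;
+ int active;
+-
++ uint32_t link_cnt = 0;
+ active = 0;
+
+ if (head == 0)
+@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+
+ next_ed = ed.next & OHCI_DPTR_MASK;
+
++ if (++link_cnt > ED_LINK_LIMIT) {
++ ohci_die(ohci);
++ return 0;
++ }
++
+ if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
+ uint32_t addr;
+ /* Cancel pending packets for ED that have been paused. */
+--
+2.10.2
+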
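Review bot: `ED_LINK_LIMIT` is set to 4 with no comment explaining the value, and the `++link_cnt > ED_LINK_LIMIT` check in `ohci_service_ed_list` sits before the `OHCI_ED_H` / `OHCI_ED_K` test, so paused and skipped EDs count toward the bound as well. A guest whose legitimate list holds more than four EDs would therefore reach `ohci_die(ohci)` and lose the controller; whether real guest drivers build lists that long is not visible from these hunks, so the value should be justified or raised before relying on it. At minimum the define deserves a comment such as `/* Max EDs walked per list; bounds guest-built cyclic ED chains (CVE-2017-6505) */`. The body of `ohci_service_ed_list` starts and ends outside the hunks shown.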
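diff --git a/app-emulation/qemu/qemu-2.8.0-r7.ebuild b/app-emulation/qemu/qemu-2.8.0-r8.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.8.0-r7.ebuild
rename to app-emulation/qemu/qemu-2.8.0-r8.ebuild
index 2088438d8e5..8df1a91630a 100644
--- a/app-emulation/qemu/qemu-2.8.0-r7.ebuild
+++ b/app-emulation/qemu/qemu-2.8.0-r8.ebuild
@@ -206,6 +206,7 @@ PATCHES=(
 "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398
 "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch #609638
 "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch #609206
+ "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch #612220
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"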