aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-06-03 18:32:57 -0400
committerLeo Famulari <leo@famulari.name>2017-06-03 20:50:10 -0400
commit8b5cb8d0542115b840b0086be1dbc00c116c7877 (patch)
treedeb9d816351268c2d53f85c2f521a86f3be828cb
parent34cfeca84e62b92e4f2b32c5bf33fe4982253f48 (diff)
downloadpatches-8b5cb8d0542115b840b0086be1dbc00c116c7877.tar
patches-8b5cb8d0542115b840b0086be1dbc00c116c7877.tar.gz
gnu: qemu: Fix CVE-2017-{8112,8309,8379,8380}.
* gnu/packages/patches/qemu-CVE-2017-8112.patch, gnu/packages/patches/qemu-CVE-2017-8309.patch, gnu/packages/patches/qemu-CVE-2017-8379.patch, gnu/packages/patches/qemu-CVE-2017-8380.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/qemu.scm (qemu)[source]: Use them.
-rw-r--r--gnu/local.mk4
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8112.patch41
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8309.patch46
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8379.patch98
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-8380.patch53
-rw-r--r--gnu/packages/qemu.scm6
6 files changed, 247 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index c94291f435..0449e8adc6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -954,6 +954,10 @@ dist_patch_DATA = \
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
%D%/packages/patches/qemu-CVE-2017-7493.patch \
+ %D%/packages/patches/qemu-CVE-2017-8112.patch \
+ %D%/packages/patches/qemu-CVE-2017-8309.patch \
+ %D%/packages/patches/qemu-CVE-2017-8379.patch \
+ %D%/packages/patches/qemu-CVE-2017-8380.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/qtscript-disable-tests.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch
new file mode 100644
index 0000000000..88b33aa2f0
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8112.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-8112:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e
+
+From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 25 Apr 2017 18:36:23 +0530
+Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
+
+A guest could set the message ring page count to zero, resulting in
+infinite loop. Add check to avoid it.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 75575461e2..4a106da856 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ uint32_t len_log2;
+ uint32_t ring_size;
+
+- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+ return -1;
+ }
+ ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+--
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch
new file mode 100644
index 0000000000..dc4b4006b7
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8309.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-8309:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a
+
+From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+
+Fixes: CVE-2017-8309
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel@redhat.com
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+ sw = sw1;
+ }
+ QLIST_REMOVE (cap, entries);
++ g_free (cap->hw.mix_buf);
++ g_free (cap->buf);
+ g_free (cap);
+ }
+ return;
+--
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch
new file mode 100644
index 0000000000..200b133d3e
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8379.patch
@@ -0,0 +1,98 @@
+Fix CVE-2017-8379:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
+
+From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 10:42:37 +0200
+Subject: [PATCH] input: limit kbd queue depth
+
+Apply a limit to the number of items we accept into the keyboard queue.
+
+Impact: Without this limit vnc clients can exhaust host memory by
+sending keyboard events faster than qemu feeds them to the guest.
+
+Fixes: CVE-2017-8379
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: jiangxin1@huawei.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170428084237.23960-1-kraxel@redhat.com
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+ QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+ QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+ break;
+ }
+ QTAILQ_REMOVE(queue, item, node);
++ queue_count--;
+ g_free(item);
+ }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+ item->delay_ms = delay_ms;
+ item->timer = timer;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+
+ if (start_timer) {
+ timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+ item->src = src;
+ item->evt = evt;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+ }
+
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+
+ item->type = QEMU_INPUT_QUEUE_SYNC;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+ }
+
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+ qemu_input_event_send(src, evt);
+ qemu_input_event_sync();
+ qapi_free_InputEvent(evt);
+- } else {
++ } else if (queue_count < queue_limit) {
+ qemu_input_queue_event(&kbd_queue, src, evt);
+ qemu_input_queue_sync(&kbd_queue);
+ }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+ kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+ &kbd_queue);
+ }
+- qemu_input_queue_delay(&kbd_queue, kbd_timer,
+- delay_ms ? delay_ms : kbd_default_delay_ms);
++ if (queue_count < queue_limit) {
++ qemu_input_queue_delay(&kbd_queue, kbd_timer,
++ delay_ms ? delay_ms : kbd_default_delay_ms);
++ }
+ }
+
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
+--
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch
new file mode 100644
index 0000000000..65e49fc885
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8380.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-8380:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
+
+From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 24 Apr 2017 17:36:34 +0530
+Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
+
+While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
+an off-by-one error could occur as 's->adp_reset' index is not
+reset after reading the last sequence.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf901..804122ab05 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
+ case MFI_SEQ:
+ trace_megasas_mmio_writel("MFI_SEQ", val);
+ /* Magic sequence to start ADP reset */
+- if (adp_reset_seq[s->adp_reset] == val) {
+- s->adp_reset++;
++ if (adp_reset_seq[s->adp_reset++] == val) {
++ if (s->adp_reset == 6) {
++ s->adp_reset = 0;
++ s->diag = MFI_DIAG_WRITE_ENABLE;
++ }
+ } else {
+ s->adp_reset = 0;
+ s->diag = 0;
+ }
+- if (s->adp_reset == 6) {
+- s->diag = MFI_DIAG_WRITE_ENABLE;
+- }
+ break;
+ case MFI_DIAG:
+ trace_megasas_mmio_writel("MFI_DIAG", val);
+--
+2.13.0
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 0734b6d0f7..31354b25d7 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -74,7 +74,11 @@
(method url-fetch)
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
version ".tar.xz"))
- (patches (search-patches "qemu-CVE-2017-7493.patch"))
+ (patches (search-patches "qemu-CVE-2017-7493.patch"
+ "qemu-CVE-2017-8112.patch"
+ "qemu-CVE-2017-8309.patch"
+ "qemu-CVE-2017-8379.patch"
+ "qemu-CVE-2017-8380.patch"))
(sha256
(base32
"08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))