aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu-system.am6
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-3456.patch85
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch76
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch28
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch71
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5158.patch45
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5745.patch32
-rw-r--r--gnu/packages/qemu.scm10
8 files changed, 36 insertions, 317 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 9f46f7b7e4..147abfc0d6 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -607,7 +607,6 @@ dist_patch_DATA = \
gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \
gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
gnu/packages/patches/qemu-CVE-2015-3209.patch \
- gnu/packages/patches/qemu-CVE-2015-3456.patch \
gnu/packages/patches/qemu-CVE-2015-4037.patch \
gnu/packages/patches/qemu-CVE-2015-4103.patch \
gnu/packages/patches/qemu-CVE-2015-4104.patch \
@@ -620,10 +619,7 @@ dist_patch_DATA = \
gnu/packages/patches/qemu-CVE-2015-4106-pt6.patch \
gnu/packages/patches/qemu-CVE-2015-4106-pt7.patch \
gnu/packages/patches/qemu-CVE-2015-4106-pt8.patch \
- gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch \
- gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch \
- gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch \
- gnu/packages/patches/qemu-CVE-2015-5158.patch \
+ gnu/packages/patches/qemu-CVE-2015-5745.patch \
gnu/packages/patches/qt4-ldflags.patch \
gnu/packages/patches/qt4-tests.patch \
gnu/packages/patches/qt5-runpath.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2015-3456.patch b/gnu/packages/patches/qemu-CVE-2015-3456.patch
deleted file mode 100644
index 9514f7c3e5..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
- buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
----
- hw/block/fdc.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
- FDrive *cur_drv;
- uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-
- cur_drv = get_cur_drv(fdctrl);
- fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- return 0;
- }
- pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
- if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
- if (pos == 0) {
- if (fdctrl->data_pos != 0)
- if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
- FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
- /* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
- fdctrl->fifo[0] = fdctrl->fifo[1];
- fdctrl->fifo[2] = 0;
- fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
- FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-
- /* Reset mode */
- if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- }
-
- FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
- if (fdctrl->data_pos == fdctrl->data_len) {
- /* We now have all parameters
- * and will be able to treat the command
---
-2.2.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch
deleted file mode 100644
index 8a41848ddf..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:13:31 +0200
-Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
- (CVE-2015-5154)
-
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 122e955..44fcc23 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- }
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return;
-+ }
-+
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
- }
-
- p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- }
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return;
-+ }
-+
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
- }
-
- p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return 0;
-+ }
-+
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
---
-1.8.3.1
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch
deleted file mode 100644
index f860cfa3db..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:17:46 +0200
-Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
-
-The command must be completed on all code paths. START STOP UNIT with
-pwrcnd set should succeed without doing anything.
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/atapi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 950e311..79dd167 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
-
- if (pwrcnd) {
- /* eject/load only happens for power condition == 0 */
-+ ide_atapi_cmd_ok(s);
- return;
- }
-
---
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch
deleted file mode 100644
index 3ade9b1600..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:41:27 +0200
-Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
-
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 44fcc23..50449ca 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
- *(uint16_t *)p = le16_to_cpu(val);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
- ret = cpu_to_le16(*(uint16_t *)p);
- p += 2;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
-@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
- *(uint32_t *)p = le32_to_cpu(val);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- }
-
- uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
- ret = cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
- s->end_transfer_func(s);
-+ }
- return ret;
- }
-
---
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5158.patch b/gnu/packages/patches/qemu-CVE-2015-5158.patch
deleted file mode 100644
index bedbfc8fa4..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5158.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-c170aad8b057223b1139d72e5ce7acceafab4fa9
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue Jul 21 08:59:39 2015 +0200
-
- scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
-
- This is a guest-triggerable buffer overflow present in QEMU 2.2.0
- and newer. scsi_cdb_length returns -1 as an error value, but the
- caller does not check it.
-
- Luckily, the massive overflow means that QEMU will just SIGSEGV,
- making the impact much smaller.
-
- Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
- Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
- Reviewed-by: Fam Zheng <famz@redhat.com>
- Cc: qemu-stable@nongnu.org
- Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-1 file changed, 6 insertions(+), 1 deletion(-)
- hw/scsi/scsi-bus.c | 7 ++++++-
-
- Modified hw/scsi/scsi-bus.c
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index f50b2f0..f0ae462 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
- int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
- {
- int rc;
-+ int len;
-
- cmd->lba = -1;
-- cmd->len = scsi_cdb_length(buf);
-+ len = scsi_cdb_length(buf);
-+ if (len < 0) {
-+ return -1;
-+ }
-
-+ cmd->len = len;
- switch (dev->type) {
- case TYPE_TAPE:
- rc = scsi_req_stream_xfer(cmd, dev, buf);
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5745.patch b/gnu/packages/patches/qemu-CVE-2015-5745.patch
new file mode 100644
index 0000000000..2326279026
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2015-5745.patch
@@ -0,0 +1,32 @@
+From 7882080388be5088e72c425b02223c02e6cb4295 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 23 Jul 2015 17:52:02 +0300
+Subject: [PATCH] virtio-serial: fix ANY_LAYOUT
+
+Don't assume a specific layout for control messages.
+Required by virtio 1.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/char/virtio-serial-bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
+index 78c73e5..929e49c 100644
+--- a/hw/char/virtio-serial-bus.c
++++ b/hw/char/virtio-serial-bus.c
+@@ -195,7 +195,8 @@ static size_t send_control_msg(VirtIOSerial *vser, void *buf, size_t len)
+ return 0;
+ }
+
+- memcpy(elem.in_sg[0].iov_base, buf, len);
++ /* TODO: detect a buffer that's too short, set NEEDS_RESET */
++ iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len);
+
+ virtqueue_push(vq, &elem, len);
+ virtio_notify(VIRTIO_DEVICE(vser), vq);
+--
+2.4.3
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 6979655122..b2ef95d03b 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -44,16 +44,15 @@
;; This is QEMU without GUI support.
(package
(name "qemu-headless")
- (version "2.3.0")
+ (version "2.3.1")
(source (origin
(method url-fetch)
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
version ".tar.bz2"))
(sha256
(base32
- "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
+ "0px1vhkglxzjdxkkqln98znv832n1sn79g5inh3aw72216c047b6"))
(patches (map search-patch '("qemu-CVE-2015-3209.patch"
- "qemu-CVE-2015-3456.patch"
"qemu-CVE-2015-4037.patch"
"qemu-CVE-2015-4103.patch"
"qemu-CVE-2015-4104.patch"
@@ -66,10 +65,7 @@
"qemu-CVE-2015-4106-pt6.patch"
"qemu-CVE-2015-4106-pt7.patch"
"qemu-CVE-2015-4106-pt8.patch"
- "qemu-CVE-2015-5154-pt1.patch"
- "qemu-CVE-2015-5154-pt2.patch"
- "qemu-CVE-2015-5154-pt3.patch"
- "qemu-CVE-2015-5158.patch")))))
+ "qemu-CVE-2015-5745.patch")))))
(build-system gnu-build-system)
(arguments
'(#:phases (alist-replace