diff options
Diffstat (limited to 'gnu')
| -rw-r--r-- | gnu/local.mk | 3 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2016-8576.patch | 62 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2016-8577.patch | 36 | ||||
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2016-8578.patch | 27 | ||||
| -rw-r--r-- | gnu/packages/qemu.scm | 11 |
5 files changed, 5 insertions, 134 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index 3a56c840bc..f55d8e5e74 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -819,9 +819,6 @@ dist_patch_DATA = \ %D%/packages/patches/python-paste-remove-website-test.patch \ %D%/packages/patches/python-paste-remove-timing-test.patch \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ - %D%/packages/patches/qemu-CVE-2016-8576.patch \ - %D%/packages/patches/qemu-CVE-2016-8577.patch \ - %D%/packages/patches/qemu-CVE-2016-8578.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2016-8576.patch b/gnu/packages/patches/qemu-CVE-2016-8576.patch deleted file mode 100644 index 5031b59d81..0000000000 --- a/gnu/packages/patches/qemu-CVE-2016-8576.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Fri, 7 Oct 2016 10:15:29 +0200 -Subject: [PATCH] xhci: limit the number of link trbs we are willing to process - -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/usb/hcd-xhci.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 726435c..ee4fa48 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -54,6 +54,8 @@ - * to the specs when it gets them */ - #define ER_FULL_HACK - -+#define TRB_LINK_LIMIT 4 -+ - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) - #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) -@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - dma_addr_t *addr) - { - PCIDevice *pci_dev = PCI_DEVICE(xhci); -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - ring->dequeue += TRB_SIZE; - return type; - } else { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return 0; -+ } - ring->dequeue = xhci_mask64(trb->parameter); - if (trb->control & TRB_LK_TC) { - ring->ccs = !ring->ccs; -@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - bool ccs = ring->ccs; - /* hack to bundle together the two/three TDs that make a setup transfer */ - bool control_td_set = 0; -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - type = TRB_TYPE(trb); - - if (type == TR_LINK) { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return -length; -+ } - dequeue = xhci_mask64(trb.parameter); - if (trb.control & TRB_LK_TC) { - ccs = !ccs; --- -1.8.3.1 - diff --git a/gnu/packages/patches/qemu-CVE-2016-8577.patch b/gnu/packages/patches/qemu-CVE-2016-8577.patch deleted file mode 100644 index c4132d2fb1..0000000000 --- a/gnu/packages/patches/qemu-CVE-2016-8577.patch +++ /dev/null @@ -1,36 +0,0 @@ -Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read -From: Li Qiang <liq3ea@gmail.com> - -In 9pfs read dispatch function, it doesn't free two QEMUIOVector -object thus causing potential memory leak. This patch avoid this. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> ---- - hw/9pfs/9p.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 119ee58..543a791 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque) - if (len < 0) { - /* IO error return the error */ - err = len; -- goto out; -+ goto out_free_iovec; - } - } while (count < max_count && len > 0); - err = pdu_marshal(pdu, offset, "d", count); - if (err < 0) { -- goto out; -+ goto out_free_iovec; - } - err += offset + count; -+out_free_iovec: - qemu_iovec_destroy(&qiov); - qemu_iovec_destroy(&qiov_full); - } else if (fidp->fid_type == P9_FID_XATTR) { --- -1.8.3.1 - diff --git a/gnu/packages/patches/qemu-CVE-2016-8578.patch b/gnu/packages/patches/qemu-CVE-2016-8578.patch deleted file mode 100644 index 92ba365727..0000000000 --- a/gnu/packages/patches/qemu-CVE-2016-8578.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Li Qiang <liq3ea@gmail.com> - -In 9pfs function v9fs_iov_vunmarshal, it will not allocate space -for empty string. This will cause several NULL pointer dereference -issues. this patch fix this issue. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> ---- - fsdev/9p-iov-marshal.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c -index 663cad5..1d16f8d 100644 ---- a/fsdev/9p-iov-marshal.c -+++ b/fsdev/9p-iov-marshal.c -@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, - str->data = g_malloc(str->size + 1); - copied = v9fs_unpack(str->data, out_sg, out_num, offset, - str->size); -- if (copied > 0) { -+ if (copied >= 0) { - str->data[str->size] = 0; - } else { - v9fs_string_free(str); --- -1.8.3.1 - diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 805bb33b6b..4c47a09902 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -69,17 +69,14 @@ (define-public qemu (package (name "qemu") - (version "2.7.0") + (version "2.8.0") (source (origin (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qemu-" version ".tar.bz2")) (sha256 (base32 - "0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij")) - (patches (search-patches "qemu-CVE-2016-8576.patch" - "qemu-CVE-2016-8577.patch" - "qemu-CVE-2016-8578.patch")))) + "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: @@ -106,6 +103,8 @@ (apply system* `("./configure" ,(string-append "--cc=" (which "gcc")) + ;; Some architectures insist on using HOST_CC + ,(string-append "--host-cc=" (which "gcc")) "--disable-debug-info" ; save build space "--enable-virtfs" ; just to be sure ,(string-append "--prefix=" out) @@ -124,7 +123,7 @@ (add-before 'check 'make-gtester-verbose (lambda _ ;; Make GTester verbose to facilitate investigation upon failure. - (setenv "V" "1"))) + (setenv "V" "1") #t)) (add-before 'check 'disable-test-qga (lambda _ (substitute* "tests/Makefile.include" |