Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=5d31396f484d298374752a4fa29fe8aa7d703ad3
commit 5d31396f484d298374752a4fa29fe8aa7d703ad3
Author: crazy <[email protected]>
Date: Tue Feb 2 12:31:18 2016 +0100
qemu-2.5.0-5-x86_64 * added sec fixes for : CVE-2015-8558 CVE-2015-8567 CVE-2015-8701 CVE-2015-8743 CVE-2016-1568
diff --git a/source/xapps-extra/qemu/FrugalBuild b/source/xapps-extra/qemu/FrugalBuild
index ac885e5..9080bf5 100644
--- a/source/xapps-extra/qemu/FrugalBuild
+++ b/source/xapps-extra/qemu/FrugalBuild
@@ -7,7 +7,7 @@ USE_DEVEL=${USE_DEVEL:-"n"}
 pkgname=qemu
 pkgver=2.5.0
 Fuse $USE_DEVEL && pkgver=svn6369
-pkgrel=4
+pkgrel=5
 Fuse $USE_DEVEL && pkgrel=1
 pkgdesc="QEMU is a FAST! processor emulator"
 url="http://www.nongnu.org/qemu/"
@@ -21,13 +21,22 @@ groups=('xapps-extra')
 archs=('i686' 'x86_64')
 up2date="Flasttar http://wiki.qemu.org/download"
 source=(http://wiki.qemu.org/download/${pkgname}-${pkgver//_/-}.tar.bz2 \
- qemu.conf 49-kvm.rules qemu-guest-agent.service 99-qemu-guest-agent.rules README.Frugalware)
+ qemu.conf 49-kvm.rules qemu-guest-agent.service \
+ 99-qemu-guest-agent.rules README.Frugalware \
+ qemu-2.5.0-CVE-2015-8558.patch qemu-2.5.0-CVE-2015-8567.patch \
+ qemu-2.5.0-CVE-2015-8701.patch qemu-2.5.0-CVE-2015-8743.patch \
+ qemu-2.5.0-CVE-2016-1568.patch)
 sha1sums=('ed6c02a267f9edf98058743f0f76a25743a0dfe7' \
 'b44a774fe5ebcf52275ee0fc33a9654c157204ca' \
 '9d9f293fb01d91c12e2f95ba6401a1f1570d70fb' \
 '435373031bc0a1fed8abadab912460ddf98bc1c2' \
 'c997e6afd997aeb87791664c2583a009704a6792' \
- '11fea2f36b44297e241d8cbbdbc4cd14f1150b72')
+ '11fea2f36b44297e241d8cbbdbc4cd14f1150b72' \
+ '52f9f89ddbedfc8ee23466f5f886b891aaa572a7' \
+ '424e3c16bc2b15388c12a83cec65845933d807f9' \
+ '9c88a156fbb1b1ec6d99477e905b96c4fd23d27c' \
+ '5c20f58262124cc3cdaf3d0e1375013662bf21f1' \
+ '4c5f70a0d0e77c68f872d14b0a98fcb6498286ba')
 if Fuse $USE_DEVEL; then
 source=(${source[1]} ${source[2]} ${source[3]} ${source[4]} ${source[5]})
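Review bot: The `if Fuse $USE_DEVEL; then source=(${source[1]} ... ${source[5]})` tail of the second hunk still slices only the five config files, so the new patch entries at indices 6–10 (and presumably their sha1sums, which are reset outside the hunk) are silently dropped when USE_DEVEL=y. If the svn build intentionally skips the CVE backports, a comment such as `# devel builds track upstream; the CVE patches are not applied` next to the slice would make that explicit, otherwise the slice should become `source=(${source[@]:1})` so the patches follow. Whether the patches are applied at all depends on build(), which is outside this diff; presumably the default Fbuild/Fpatchall handles the `*.patch` entries in source, but please confirm.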
diff --git a/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8558.patch b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8558.patch
new file mode 100644
index 0000000..fbc6a0a
--- /dev/null
+++ b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8558.patch
@@ -0,0 +1,50 @@
+https://bugs.gentoo.org/568246
+
+From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <[email protected]>
+Date: Mon, 14 Dec 2015 09:21:23 +0100
+Subject: [PATCH] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction. That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: [email protected]
+Reported-by: Qinghao Tang <[email protected]>
+Tested-by: P J P <[email protected]>
+Signed-off-by: Gerd Hoffmann <[email protected]>
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+ USBDevice *dev;
+ USBEndpoint *ep;
+- uint32_t i, len, pid, dir, devaddr, endp;
++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+ uint32_t pg, off, ptr1, ptr2, max, mult;
+
+ ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ ehci_raise_irq(ehci, USBSTS_INT);
+ }
+ itd->transact[i] &= ~ITD_XACT_ACTIVE;
++ xfers++;
+ }
+ }
+- return 0;
++ return xfers ? 0 : -1;
+ }
+
+
+--
+2.6.2
+
diff --git a/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8567.patch b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8567.patch
new file mode 100644
index 0000000..e196043
--- /dev/null
+++ b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8567.patch
@@ -0,0 +1,95 @@
+https://bugs.gentoo.org/567868
+
+From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001
+From: P J P <[email protected]>
+Date: Tue, 15 Dec 2015 12:27:54 +0530
+Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
+
+Vmxnet3 device emulator does not check if the device is active
+before activating it, also it did not free the transmit & receive
+buffers while deactivating the device, thus resulting in memory
+leakage on the host. This patch fixes both these issues to avoid
+host memory leakage.
+
+Reported-by: Qinghao Tang <[email protected]>
+Reviewed-by: Dmitry Fleytman <[email protected]>
+Signed-off-by: Prasad J Pandit <[email protected]>
+Cc: [email protected]
+Signed-off-by: Jason Wang <[email protected]>
+---
+ hw/net/vmxnet3.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index a5dd79a..9c1adfc 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
+
+ static void vmxnet3_deactivate_device(VMXNET3State *s)
+ {
+- VMW_CBPRN("Deactivating vmxnet3...");
+- s->device_active = false;
++ if (s->device_active) {
++ VMW_CBPRN("Deactivating vmxnet3...");
++ vmxnet_tx_pkt_reset(s->tx_pkt);
++ vmxnet_tx_pkt_uninit(s->tx_pkt);
++ vmxnet_rx_pkt_uninit(s->rx_pkt);
++ s->device_active = false;
++ }
+ }
+
+ static void vmxnet3_reset(VMXNET3State *s)
+@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
+
+ vmxnet3_deactivate_device(s);
+ vmxnet3_reset_interrupt_states(s);
+- vmxnet_tx_pkt_reset(s->tx_pkt);
+ s->drv_shmem = 0;
+ s->tx_sop = true;
+ s->skip_current_tx_pkt = false;
+@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ return;
+ }
+
++ /* Verify if device is active */
++ if (s->device_active) {
++ VMW_CFPRN("Vmxnet3 device is active");
++ return;
++ }
++
+ vmxnet3_adjust_by_guest_type(s);
+ vmxnet3_update_features(s);
+ vmxnet3_update_pm_state(s);
+@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
+ break;
+
+ case VMXNET3_CMD_QUIESCE_DEV:
+- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
++ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
+ vmxnet3_deactivate_device(s);
+ break;
+
+@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
+ * shared address only after we get the high part
+ */
+ if (val == 0) {
+- s->device_active = false;
++ vmxnet3_deactivate_device(s);
+ }
+ s->temp_shared_guest_driver_memory = val;
+ s->drv_shmem = 0;
+@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
+ static void vmxnet3_net_uninit(VMXNET3State *s)
+ {
+ g_free(s->mcast_list);
+- vmxnet_tx_pkt_reset(s->tx_pkt);
+- vmxnet_tx_pkt_uninit(s->tx_pkt);
+- vmxnet_rx_pkt_uninit(s->rx_pkt);
++ vmxnet3_deactivate_device(s);
+ qemu_del_nic(s->nic);
+ }
+
+--
+2.6.2
+
diff --git a/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8701.patch b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8701.patch
new file mode 100644
index 0000000..0dab1c3
--- /dev/null
+++ b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8701.patch
@@ -0,0 +1,49 @@
+https://bugs.gentoo.org/570110
+
+From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <[email protected]>
+Date: Mon, 28 Dec 2015 16:24:08 +0530
+Subject: [PATCH] net: rocker: fix an incorrect array bounds check
+
+While processing transmit(tx) descriptors in 'tx_consume' routine
+the switch emulator suffers from an off-by-one error, if a
+descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
+fragments. Fix an incorrect bounds check to avoid it.
+
+Reported-by: Qinghao Tang <[email protected]>
+Cc: [email protected]
+Signed-off-by: Prasad J Pandit <[email protected]>
+Signed-off-by: Jason Wang <[email protected]>
+---
+ hw/net/rocker/rocker.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index c57f1a6..2e77e50 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
+ frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
+ frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
+
++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
++ goto err_too_many_frags;
++ }
+ iov[iovcnt].iov_len = frag_len;
+ iov[iovcnt].iov_base = g_malloc(frag_len);
+ if (!iov[iovcnt].iov_base) {
+@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
+ err = -ROCKER_ENXIO;
+ goto err_bad_io;
+ }
+-
+- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
+- goto err_too_many_frags;
+- }
++ iovcnt++;
+ }
+
+ if (iovcnt) {
+--
+2.6.2
+
diff --git a/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8743.patch b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8743.patch
new file mode 100644
index 0000000..b2bca56
--- /dev/null
+++ b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2015-8743.patch
@@ -0,0 +1,50 @@
+https://bugs.gentoo.org/570988
+
+From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <[email protected]>
+Date: Thu, 31 Dec 2015 17:05:27 +0530
+Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
+
+While doing ioport r/w operations, ne2000 device emulation suffers
+from OOB r/w errors. Update respective array bounds check to avoid
+OOB access.
+
+Reported-by: Ling Liu <[email protected]>
+Cc: [email protected]
+Signed-off-by: Prasad J Pandit <[email protected]>
+Signed-off-by: Jason Wang <[email protected]>
+---
+ hw/net/ne2000.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 010f9ef..a3dffff 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
+ uint32_t val)
+ {
+ addr &= ~1; /* XXX: check exact behaviour if not even */
+- if (addr < 32 ||
+- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++ if (addr < 32
++ || (addr >= NE2000_PMEM_START
++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+ stl_le_p(s->mem + addr, val);
+ }
+ }
+@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
+ static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
+ {
+ addr &= ~1; /* XXX: check exact behaviour if not even */
+- if (addr < 32 ||
+- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++ if (addr < 32
++ || (addr >= NE2000_PMEM_START
++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+ return ldl_le_p(s->mem + addr);
+ } else {
+ return 0xffffffff;
+--
+2.6.2
+
diff --git a/source/xapps-extra/qemu/qemu-2.5.0-CVE-2016-1568.patch b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2016-1568.patch
new file mode 100644
index 0000000..4ce9a35
--- /dev/null
+++ b/source/xapps-extra/qemu/qemu-2.5.0-CVE-2016-1568.patch
@@ -0,0 +1,41 @@
+https://bugs.gentoo.org/571566
+
+From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <[email protected]>
+Date: Mon, 11 Jan 2016 14:10:42 -0500
+Subject: [PATCH] ide: ahci: reset ncq object to unused on error
+
+When processing NCQ commands, AHCI device emulation prepares a
+NCQ transfer object; To which an aio control block(aiocb) object
+is assigned in 'execute_ncq_command'. In case, when the NCQ
+command is invalid, the 'aiocb' object is not assigned, and NCQ
+transfer object is left as 'used'. This leads to a use after
+free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
+Reset NCQ transfer object to 'unused' to avoid it.
+
+[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
+
+Reported-by: Qinghao Tang <[email protected]>
+Signed-off-by: Prasad J Pandit <[email protected]>
+Reviewed-by: John Snow <[email protected]>
+Message-id: [email protected]
+Signed-off-by: John Snow <[email protected]>
+---
+ hw/ide/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index dd1912e..17f1cbd 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
+ ide_state->error = ABRT_ERR;
+ ide_state->status = READY_STAT | ERR_STAT;
+ ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
++ ncq_tfs->used = 0;
+ }
+
+ static void ncq_finish(NCQTransferState *ncq_tfs)
+--
+2.6.2
+
_______________________________________________ Frugalware-git mailing list [email protected] http://frugalware.org/mailman/listinfo/frugalware-git
