Git-Url: 
http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-0.9.git;a=commitdiff;h=942f3f0913589b53951c095842dca7351de4c48b

commit 942f3f0913589b53951c095842dca7351de4c48b
Author: Miklos Vajna <[email protected]>
Date:   Tue Mar 10 11:47:32 2009 +0100

qemu-0.9.1-5solaria1-i686

- add CVE-2008-4539.diff
- closes #3414

diff --git a/source/xapps-extra/qemu/CVE-2008-4539.diff 
b/source/xapps-extra/qemu/CVE-2008-4539.diff
new file mode 100644
index 0000000..27c64b4
--- /dev/null
+++ b/source/xapps-extra/qemu/CVE-2008-4539.diff
@@ -0,0 +1,331 @@
+Index: qemu-0.9.1/block.c
+===================================================================
+--- qemu-0.9.1.orig/block.c    2008-04-14 11:26:13.000000000 +0200
++++ qemu-0.9.1/block.c 2008-04-14 11:26:14.000000000 +0200
+@@ -549,13 +549,21 @@
+         return -ENOMEDIUM;
+     if (bs->read_only)
+         return -EACCES;
++    if (sector_num < 0)
++        return -EINVAL;
+     if (sector_num == 0 && bs->boot_sector_enabled && nb_sectors > 0) {
+         memcpy(bs->boot_sector_data, buf, 512);
+     }
+     if (drv->bdrv_pwrite) {
+         int ret, len;
++        int64_t ns;
++
+         len = nb_sectors * 512;
+-        ret = drv->bdrv_pwrite(bs, sector_num * 512, buf, len);
++        ns = sector_num * 512;
++        if (ns < 0)
++            return -EINVAL;
++
++        ret = drv->bdrv_pwrite(bs, ns, buf, len);
+         if (ret < 0)
+             return ret;
+         else if (ret != len)
+Index: qemu-0.9.1/hw/cirrus_vga.c
+===================================================================
+--- qemu-0.9.1.orig/hw/cirrus_vga.c    2008-04-14 11:26:14.000000000 +0200
++++ qemu-0.9.1/hw/cirrus_vga.c 2008-04-14 11:26:15.000000000 +0200
+@@ -220,6 +220,20 @@
+ #define CIRRUS_HOOK_NOT_HANDLED 0
+ #define CIRRUS_HOOK_HANDLED 1
+
++#define BLTUNSAFE(s) \
++    ( \
++        ( /* check dst is within bounds */ \
++            (s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch \
++                + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
++                    (s)->vram_size \
++        ) || \
++        ( /* check src is within bounds */ \
++            (s)->cirrus_blt_height * (s)->cirrus_blt_srcpitch \
++                + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
++                    (s)->vram_size \
++        ) \
++    )
++
+ struct CirrusVGAState;
+ typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
+                                      uint8_t * dst, const uint8_t * src,
+@@ -639,7 +653,7 @@
+
+     for (y = 0; y < lines; y++) {
+       off_cur = off_begin;
+-      off_cur_end = off_cur + bytesperline;
++      off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
+       off_cur &= TARGET_PAGE_MASK;
+       while (off_cur < off_cur_end) {
+           cpu_physical_memory_set_dirty(s->vram_offset + off_cur);
+@@ -654,7 +668,11 @@
+ {
+     uint8_t *dst;
+
+-    dst = s->vram_ptr + s->cirrus_blt_dstaddr;
++    dst = s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
++
++    if (BLTUNSAFE(s))
++        return 0;
++
+     (*s->cirrus_rop) (s, dst, src,
+                       s->cirrus_blt_dstpitch, 0,
+                       s->cirrus_blt_width, s->cirrus_blt_height);
+@@ -670,8 +688,10 @@
+ {
+     cirrus_fill_t rop_func;
+
++    if (BLTUNSAFE(s))
++        return 0;
+     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 
1];
+-    rop_func(s, s->vram_ptr + s->cirrus_blt_dstaddr,
++    rop_func(s, s->vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+              s->cirrus_blt_dstpitch,
+              s->cirrus_blt_width, s->cirrus_blt_height);
+     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
+@@ -690,8 +710,8 @@
+ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
+ {
+     return cirrus_bitblt_common_patterncopy(s,
+-                                          s->vram_ptr +
+-                                            (s->cirrus_blt_srcaddr & ~7));
++                                          s->vram_ptr + 
((s->cirrus_blt_srcaddr & ~7) &
++                                            s->cirrus_addr_mask));
+ }
+
+ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
+@@ -741,8 +761,10 @@
+     if (notify)
+       vga_hw_update();
+
+-    (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
+-                    s->vram_ptr + s->cirrus_blt_srcaddr,
++    (*s->cirrus_rop) (s, s->vram_ptr +
++                        (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++                        s->vram_ptr +
++                        (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
+                     s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
+                     s->cirrus_blt_width, s->cirrus_blt_height);
+
+@@ -768,8 +790,14 @@
+                      s->cirrus_blt_srcaddr - s->start_addr,
+                      s->cirrus_blt_width, s->cirrus_blt_height);
+     } else {
+-      (*s->cirrus_rop) (s, s->vram_ptr + s->cirrus_blt_dstaddr,
+-                        s->vram_ptr + s->cirrus_blt_srcaddr,
++
++    if (BLTUNSAFE(s))
++        return 0;
++
++      (*s->cirrus_rop) (s, s->vram_ptr +
++                (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++                        s->vram_ptr +
++                (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
+                         s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
+                         s->cirrus_blt_width, s->cirrus_blt_height);
+
+@@ -801,8 +829,9 @@
+         } else {
+             /* at least one scan line */
+             do {
+-                (*s->cirrus_rop)(s, s->vram_ptr + s->cirrus_blt_dstaddr,
+-                                 s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 
1);
++                (*s->cirrus_rop)(s, s->vram_ptr +
++                    (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
++                        s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
+                                          s->cirrus_blt_width, 1);
+                 s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
+@@ -1920,7 +1949,7 @@
+     unsigned val = mem_value;
+     uint8_t *dst;
+
+-    dst = s->vram_ptr + offset;
++    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
+       if (val & 0x80) {
+           *dst = s->cirrus_shadow_gr1;
+@@ -1943,7 +1972,7 @@
+     unsigned val = mem_value;
+     uint8_t *dst;
+
+-    dst = s->vram_ptr + offset;
++    dst = s->vram_ptr + (offset &= s->cirrus_addr_mask);
+     for (x = 0; x < 8; x++) {
+       if (val & 0x80) {
+           *dst = s->cirrus_shadow_gr1;
+Index: qemu-0.9.1/hw/cirrus_vga_rop.h
+===================================================================
+--- qemu-0.9.1.orig/hw/cirrus_vga_rop.h        2008-01-06 20:38:42.000000000 
+0100
++++ qemu-0.9.1/hw/cirrus_vga_rop.h     2008-04-14 11:26:15.000000000 +0200
+@@ -31,6 +31,12 @@
+     int x,y;
+     dstpitch -= bltwidth;
+     srcpitch -= bltwidth;
++
++    if (dstpitch < 0 || srcpitch < 0) {
++        /* is 0 valid? srcpitch == 0 could be useful */
++        return;
++    }
++
+     for (y = 0; y < bltheight; y++) {
+         for (x = 0; x < bltwidth; x++) {
+             ROP_OP(*dst, *src);
+Index: qemu-0.9.1/hw/dma.c
+===================================================================
+--- qemu-0.9.1.orig/hw/dma.c   2008-01-06 20:38:42.000000000 +0100
++++ qemu-0.9.1/hw/dma.c        2008-04-14 11:26:15.000000000 +0200
+@@ -341,9 +341,11 @@
+ #endif
+
+     r = dma_controllers[ncont].regs + ichan;
+-    n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
+-                             r->now[COUNT], (r->base[COUNT] + 1) << ncont);
+-    r->now[COUNT] = n;
++    if (r->transfer_handler) {
++        n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
++                                 r->now[COUNT], (r->base[COUNT] + 1) << 
ncont);
++        r->now[COUNT] = n;
++    }
+     ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
+ }
+
+Index: qemu-0.9.1/hw/fdc.c
+===================================================================
+--- qemu-0.9.1.orig/hw/fdc.c   2008-01-06 20:38:42.000000000 +0100
++++ qemu-0.9.1/hw/fdc.c        2008-04-14 11:26:15.000000000 +0200
+@@ -1247,7 +1247,13 @@
+             len = fdctrl->data_len - fdctrl->data_pos;
+             if (len > FD_SECTOR_LEN)
+                 len = FD_SECTOR_LEN;
+-            bdrv_read(cur_drv->bs, fd_sector(cur_drv), fdctrl->fifo, 1);
++            if (cur_drv->bs) {
++                bdrv_read(cur_drv->bs, fd_sector(cur_drv),
++                          fdctrl->fifo, 1);
++            } else {
++                FLOPPY_ERROR("can't read data from drive\n");
++                return 0;
++            }
+         }
+     }
+     retval = fdctrl->fifo[pos];
+Index: qemu-0.9.1/hw/pc.c
+===================================================================
+--- qemu-0.9.1.orig/hw/pc.c    2008-04-14 11:26:14.000000000 +0200
++++ qemu-0.9.1/hw/pc.c 2008-04-14 11:26:15.000000000 +0200
+@@ -329,7 +329,8 @@
+     case 0x400:
+     case 0x401:
+         fprintf(stderr, "BIOS panic at rombios.c, line %d\n", val);
+-        exit(1);
++        /* according to documentation, these can be safely ignored */
++        break;
+     case 0x402:
+     case 0x403:
+ #ifdef DEBUG_BIOS
+@@ -352,8 +353,9 @@
+         /* LGPL'ed VGA BIOS messages */
+     case 0x501:
+     case 0x502:
++        /* according to documentation, these can be safely ignored */
+         fprintf(stderr, "VGA BIOS panic, line %d\n", val);
+-        exit(1);
++        break;
+     case 0x500:
+     case 0x503:
+ #ifdef DEBUG_BIOS
+Index: qemu-0.9.1/hw/sb16.c
+===================================================================
+--- qemu-0.9.1.orig/hw/sb16.c  2008-01-06 20:38:42.000000000 +0100
++++ qemu-0.9.1/hw/sb16.c       2008-04-14 11:26:15.000000000 +0200
+@@ -1240,8 +1240,10 @@
+             s->block_size);
+ #endif
+
+-    while (s->left_till_irq <= 0) {
+-        s->left_till_irq = s->block_size + s->left_till_irq;
++    if (s->block_size) {
++        while (s->left_till_irq <= 0) {
++            s->left_till_irq = s->block_size + s->left_till_irq;
++        }
+     }
+
+     return dma_pos;
+Index: qemu-0.9.1/slirp/slirp.c
+===================================================================
+--- qemu-0.9.1.orig/slirp/slirp.c      2008-01-06 20:38:44.000000000 +0100
++++ qemu-0.9.1/slirp/slirp.c   2008-04-14 11:26:15.000000000 +0200
+@@ -620,6 +620,10 @@
+         if (!m)
+             return;
+         /* Note: we add to align the IP header */
++        /* taviso: large values in ne2k TCNT register may exceed msize on 
transmit */
++        if (M_FREEROOM(m) < pkt_len + 2) {
++            m_inc(m, pkt_len + 2);
++        }
+         m->m_len = pkt_len + 2;
+         memcpy(m->m_data + 2, pkt, pkt_len);
+
+Index: qemu-0.9.1/target-i386/translate.c
+===================================================================
+--- qemu-0.9.1.orig/target-i386/translate.c    2008-01-06 20:38:45.000000000 
+0100
++++ qemu-0.9.1/target-i386/translate.c 2008-04-14 11:26:15.000000000 +0200
+@@ -5510,6 +5510,7 @@
+         gen_jmp_im(pc_start - s->cs_base);
+         gen_op_into(s->pc - pc_start);
+         break;
++#ifdef WANT_ICEBP
+     case 0xf1: /* icebp (undocumented, exits to external debugger) */
+         if (gen_svm_check_intercept(s, pc_start, SVM_EXIT_ICEBP))
+             break;
+@@ -5521,6 +5522,7 @@
+         cpu_set_log(CPU_LOG_INT | CPU_LOG_TB_IN_ASM);
+ #endif
+         break;
++#endif /* icebp */
+     case 0xfa: /* cli */
+         if (!s->vm86) {
+             if (s->cpl <= s->iopl) {
+Index: qemu-0.9.1/vl.c
+===================================================================
+--- qemu-0.9.1.orig/vl.c       2008-04-14 11:26:14.000000000 +0200
++++ qemu-0.9.1/vl.c    2008-04-14 11:26:54.000000000 +0200
+@@ -4198,8 +4198,8 @@
+     VLANClientState *vc;
+     int fd;
+     int state; /* 0 = getting length, 1 = getting data */
+-    int index;
+-    int packet_len;
++    unsigned int index;
++    unsigned int packet_len;
+     uint8_t buf[4096];
+     struct sockaddr_in dgram_dst; /* contains inet host and port destination 
iff connectionless (SOCK_DGRAM) */
+ } NetSocketState;
+@@ -4230,7 +4230,8 @@
+ static void net_socket_send(void *opaque)
+ {
+     NetSocketState *s = opaque;
+-    int l, size, err;
++    int size, err;
++    unsigned l;
+     uint8_t buf1[4096];
+     const uint8_t *buf;
+
+@@ -4269,7 +4270,15 @@
+             l = s->packet_len - s->index;
+             if (l > size)
+                 l = size;
+-            memcpy(s->buf + s->index, buf, l);
++            if (s->index + l <= sizeof(s->buf)) {
++                memcpy(s->buf + s->index, buf, l);
++            } else {
++                fprintf(stderr, "serious error: oversized packet received,"
++                    "connection terminated.\n");
++                s->state = 0;
++                goto eoc;
++            }
++
+             s->index += l;
+             buf += l;
+             size -= l;
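Review bot: The BLTUNSAFE macro added in the cirrus_vga.c part of this patch bounds the blit with `height * pitch + (addr & mask) > vram_size` and never consults `cirrus_blt_width`, so a guest-chosen width larger than the pitch can still carry the last row past `vram_size`, and a negative pitch or an overflowing product makes the left-hand side small enough to pass; a conservative form is `(s)->cirrus_blt_height * (s)->cirrus_blt_dstpitch + (s)->cirrus_blt_width + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > (s)->vram_size` (and the same for the src half), together with a comment stating that the macro is only meaningful for non-negative pitches. The `if (dstpitch < 0 || srcpitch < 0) return;` guard in cirrus_vga_rop.h rejects width > pitch only for rop functions generated from that header, so it presumably does not cover the fill and pattern-copy paths that also use BLTUNSAFE — worth confirming against the unpatched callers. In the dma.c hunk, when `r->transfer_handler` is NULL the new branch skips the assignment to `n`, yet the following `ldebug ("dma_pos %d size %d\n", n, ...)` still reads it; `n` is declared outside the hunk, so if it has no initializer this is an uninitialized read whenever ldebug is compiled in (`int n = 0;` or moving the ldebug inside the branch avoids it). The `/* is 0 valid? srcpitch == 0 could be useful */` comment in cirrus_vga_rop.h ships an open question; it should either be resolved or rewritten as a definite statement of why only negative pitches are rejected. Every enclosing function in these hunks starts or ends outside the hunk.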
diff --git a/source/xapps-extra/qemu/FrugalBuild 
b/source/xapps-extra/qemu/FrugalBuild
index 6f30d1b..3de096b 100644
--- a/source/xapps-extra/qemu/FrugalBuild
+++ b/source/xapps-extra/qemu/FrugalBuild
@@ -3,7 +3,7 @@

pkgname=qemu
pkgver=0.9.1
-pkgrel=4
+pkgrel=5solaria1
pkgdesc="QEMU is a FAST! processor emulator"
url="http://bellard.org/qemu/";
depends=('sdl' 'zlib' 'alsa-lib')
@@ -13,6 +13,7 @@ archs=('i686' 'x86_64')
up2date="lynx -dump $url/download.html|grep Source|sed 's/.*-\(.*\)\.t.*/\1/'"
source=($url/$pkgname-$pkgver.tar.gz rc.qemu rc.qemu-hu.po \
rc.qemu-system qemu-system CVE-2008-2004.diff \
+       CVE-2008-4539.diff \
README.Frugalware)
sha1sums=('630ea20b5989f0df00128de7f7be661c573ed041' \
'44a6af4642d5f258a7c66e46e3baf7d04bdca9de' \
@@ -20,6 +21,7 @@ sha1sums=('630ea20b5989f0df00128de7f7be661c573ed041' \
'2ba7e84a4bc38907202340ba1323a224dbd5f597' \
'b1c2b53ef74d1461bbd4f83b8a4f1180187f6a30' \
'b7d868669c5324c3afd8d0e0d75f7406150e9839' \
+          'e34542dc1003d9d6c839ae58a781701d9a93c237' \
'17454e4d54872d32071d478774f96cbab8bb0902')

build()