commit:     ceb67390ecbe843f184b5bde6428cb9e2f3dcd81
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Mon Sep  5 05:18:46 2016 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Mon Sep  5 05:30:00 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ceb67390

app-emulation/qemu: apply patch for CVE-2016-6836, bug #591242

Package-Manager: portage-2.2.28

 .../qemu/files/qemu-2.7.0-CVE-2016-6836.patch      | 27 ++++++++++++++++++++++
 app-emulation/qemu/qemu-2.7.0.ebuild               |  1 +
 2 files changed, 28 insertions(+)

diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch 
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
new file mode 100644
index 00000000..56f7435
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
@@ -0,0 +1,27 @@
+From: Li Qiang <address@hidden>
+
+In Vmxnet3 device emulator while processing transmit(tx) queue,
+when it reaches end of packet, it calls vmxnet3_complete_packet.
+In that local 'txcq_descr' object is not initialised, which could
+leak host memory bytes a guest.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/net/vmxnet3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 90f6943..92f6af9 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int 
qidx, uint32_t tx_ridx)
+ 
+     VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
+ 
++    memset(&txcq_descr, 0, sizeof(txcq_descr));
+     txcq_descr.txdIdx = tx_ridx;
+     txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
+ 
+-- 
+2.5.5
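Review bot: The added `memset(&txcq_descr, 0, sizeof(txcq_descr));` in vmxnet3_complete_packet has no comment saying why the whole object is cleared, so a later cleanup could swap it for per-field assignment or a `= {0}` initializer, which is not guaranteed to clear padding. I would put a comment directly above it, for example `/* Zero the whole descriptor, padding included: it is copied to the guest, so no host stack bytes may remain. */`. The declaration of `txcq_descr` and the code that hands it to the guest lie outside the hunk, so that wording rests on the patch description rather than on visible lines. It would also be worth confirming that other on-stack descriptors in hw/net/vmxnet3.c that are written back to guest memory are cleared the same way.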

diff --git a/app-emulation/qemu/qemu-2.7.0.ebuild 
b/app-emulation/qemu/qemu-2.7.0.ebuild
index 6f65fc9..a3aefc2 100644
--- a/app-emulation/qemu/qemu-2.7.0.ebuild
+++ b/app-emulation/qemu/qemu-2.7.0.ebuild
@@ -333,6 +333,7 @@ src_prepare() {
 
        epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
        epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
+       epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch
        # Fix ld and objcopy being called directly
        tc-export AR LD OBJCOPY
 
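Review bot: The CVE patch is wired into qemu-2.7.0.ebuild in place, and the diffstat lists no new ebuild revision, so a host that has already built qemu-2.7.0 gets no rebuild prompt and can keep running the unpatched vmxnet3 emulation. If 2.7.0 had already reached users when this landed (not visible on this page), the `epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch` line should ship in a `-r1` revision of the ebuild rather than as an edit to the existing one. With a revision bump, `${P}` still expands to the same patch file name, so the epatch line itself needs no change. src_prepare starts and ends outside the hunk.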
