commit:     ea97b0c7b7466e74a67ad714b07509c752f5870c
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Sat Apr 29 21:01:30 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Sat Apr 29 21:31:56 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ea97b0c7

app-emulation/qemu: Various security patches for 2.9.0

bug 616636, CVE-2017-8112
bug 616870 [1]
bug 616872 [2]
bug 616874 [1]

[1] minor change, queued upstream, no CVE assigned yet
[2] queued upstream, no CVE assigned yet

Package-Manager: Portage-2.3.3, Repoman-2.3.2

 .../qemu/files/qemu-2.9.0-CVE-2017-8112.patch      | 22 +++++++
 .../qemu/files/qemu-2.9.0-bug616870.patch          | 22 +++++++
 .../qemu/files/qemu-2.9.0-bug616872.patch          | 76 ++++++++++++++++++++++
 .../qemu/files/qemu-2.9.0-bug616874.patch          | 34 ++++++++++
 .../{qemu-2.9.0.ebuild => qemu-2.9.0-r1.ebuild}    |  4 ++
 5 files changed, 158 insertions(+)

diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch 
b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
new file mode 100644
index 00000000000..31fb69bf897
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
@@ -0,0 +1,22 @@
+CVE-2017-8112
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04494.html
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 7557546..4a106da 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, 
PVSCSICmdDescSetupMsgRing *ri)
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
+-    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++    if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+         return -1;
+     }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+-- 
+2.9.3
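Review bot: The added `!ri->numPages` test is the whole fix, but nothing in the hunk says why zero is dangerous: the last context line computes `ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE`, so a zero page count produces an empty ring, and the lines that derive the ring mask from ring_size sit outside the hunk. A comment above the check, `/* a zero-page ring has no usable size; reject it together with oversized requests */`, would record for the next reader that numPages is presumably guest-supplied and must be range-checked on both ends. The patch header carries only the CVE id and a list URL; once the fix lands upstream, adding its commit id (`<UPSTREAM-COMMIT-ID>` until known) makes the patch easy to drop on the next bump. pvscsi_ring_init_msg starts and ends outside the hunk.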

diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch 
b/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch
new file mode 100644
index 00000000000..4f7f870210c
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-bug616870.patch
@@ -0,0 +1,22 @@
+bug #616870
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void 
*cb_opaque)
+                     sw = sw1;
+                 }
+                 QLIST_REMOVE (cap, entries);
++                g_free (cap->hw.mix_buf);
++                g_free (cap->buf);
+                 g_free (cap);
+             }
+             return;
+-- 
+2.9.3
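Review bot: The two added `g_free` calls release `cap->hw.mix_buf` and `cap->buf` only on the removal branch shown; AUD_del_capture starts and ends outside the hunk, so it cannot be confirmed here whether any other exit path of the function, or the failure paths of the matching add routine, still leaks the same buffers — worth checking both. A one-line comment above the new frees, `/* release the per-capture buffers before the capture itself */`, would make the ordering relative to `g_free (cap)` explicit. As with the other patch files in this commit, the header has no upstream commit id; add it (`<UPSTREAM-COMMIT-ID>` placeholder until known) so the patch can be retired when it ships in a release.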

diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch 
b/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch
new file mode 100644
index 00000000000..0a34dae671c
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-bug616872.patch
@@ -0,0 +1,76 @@
+bug #616872
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, 
QemuInputEventQueue) kbd_queue =
+     QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+ 
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+                                                    QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+             break;
+         }
+         QTAILQ_REMOVE(queue, item, node);
++        queue_count--;
+         g_free(item);
+     }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct 
QemuInputEventQueueHead *queue,
+     item->delay_ms = delay_ms;
+     item->timer = timer;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ 
+     if (start_timer) {
+         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct 
QemuInputEventQueueHead *queue,
+     item->src = src;
+     item->evt = evt;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct 
QemuInputEventQueueHead *queue)
+ 
+     item->type = QEMU_INPUT_QUEUE_SYNC;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue 
*key, bool down)
+         qemu_input_event_send(src, evt);
+         qemu_input_event_sync();
+         qapi_free_InputEvent(evt);
+-    } else {
++    } else if (queue_count < queue_limit) {
+         qemu_input_queue_event(&kbd_queue, src, evt);
+         qemu_input_queue_sync(&kbd_queue);
+     }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+                                  &kbd_queue);
+     }
+-    qemu_input_queue_delay(&kbd_queue, kbd_timer,
+-                           delay_ms ? delay_ms : kbd_default_delay_ms);
++    if (queue_count < queue_limit) {
++        qemu_input_queue_delay(&kbd_queue, kbd_timer,
++                               delay_ms ? delay_ms : kbd_default_delay_ms);
++    }
+ }
+ 
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
+-- 
+2.9.3
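Review bot: In the new `} else if (queue_count < queue_limit) {` branch of qemu_input_event_send_key there is no path for `evt` when the queue is full: the first branch releases it with `qapi_free_InputEvent(evt)` and the second hands it to `qemu_input_queue_event`, but a full queue does neither, which looks like a leak of the event built earlier in the function (its allocation is outside the hunk, so confirm ownership there). Adding `} else { qapi_free_InputEvent(evt); }` after the new branch closes that path; the equivalent check in qemu_input_event_send_key_delay is fine because nothing is allocated before it. `static uint32_t queue_limit = 1024;` carries no explanation; `/* upper bound on queued kbd events so a stalled queue cannot grow without limit */` above it would state the purpose. Both functions start and end outside the hunk.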

diff --git a/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch 
b/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch
new file mode 100644
index 00000000000..08911dd0bfb
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.9.0-bug616874.patch
@@ -0,0 +1,34 @@
+bug #616874
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf..804122a 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr 
addr,
+     case MFI_SEQ:
+         trace_megasas_mmio_writel("MFI_SEQ", val);
+         /* Magic sequence to start ADP reset */
+-        if (adp_reset_seq[s->adp_reset] == val) {
+-            s->adp_reset++;
++        if (adp_reset_seq[s->adp_reset++] == val) {
++            if (s->adp_reset == 6) {
++                s->adp_reset = 0;
++                s->diag = MFI_DIAG_WRITE_ENABLE;
++            }
+         } else {
+             s->adp_reset = 0;
+             s->diag = 0;
+         }
+-        if (s->adp_reset == 6) {
+-            s->diag = MFI_DIAG_WRITE_ENABLE;
+-        }
+         break;
+     case MFI_DIAG:
+         trace_megasas_mmio_writel("MFI_DIAG", val);
+-- 
+2.9.3
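Review bot: The new condition `if (s->adp_reset == 6) {` hard-codes the length of `adp_reset_seq`, which is declared outside the hunk; `if (s->adp_reset == ARRAY_SIZE(adp_reset_seq)) {` ties the reset point to the table so the two cannot drift apart. The post-increment lookup `adp_reset_seq[s->adp_reset++]` is in bounds only as long as s->adp_reset enters this case below the table size; if that field can arrive with a larger value from outside this path (restored device state, for instance), a guard before the lookup is still needed — worth confirming how s->adp_reset is initialised and whether it is part of the migrated state. megasas_mmio_write starts and ends outside the hunk.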

diff --git a/app-emulation/qemu/qemu-2.9.0.ebuild 
b/app-emulation/qemu/qemu-2.9.0-r1.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.9.0.ebuild
rename to app-emulation/qemu/qemu-2.9.0-r1.ebuild
index 5ec3aac1a10..2d6bed861d6 100644
--- a/app-emulation/qemu/qemu-2.9.0.ebuild
+++ b/app-emulation/qemu/qemu-2.9.0-r1.ebuild
@@ -190,6 +190,10 @@ RDEPEND="${CDEPEND}
 PATCHES=(
        "${FILESDIR}"/${PN}-2.5.0-cflags.patch
        "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
+       "${FILESDIR}"/${PN}-2.9.0-bug616870.patch
+       "${FILESDIR}"/${PN}-2.9.0-bug616872.patch
+       "${FILESDIR}"/${PN}-2.9.0-bug616874.patch
+       "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"
