author | 2016-12-29 13:20:31 -0500 | |
---|---|---|
committer | 2016-12-29 15:05:08 -0500 | |
commit | 538fed1c866f2b1ef17d97295a06bd666e828d6f (patch) | |
tree | 9a6e013d6357b6138a942a9fce1d48f769186816 /app-emulation/qemu/files | |
parent | sys-firmware/seabios: version bump to 1.10.1 #599084 (diff) | |
download | gentoo-538fed1c866f2b1ef17d97295a06bd666e828d6f.tar.gz gentoo-538fed1c866f2b1ef17d97295a06bd666e828d6f.tar.bz2 gentoo-538fed1c866f2b1ef17d97295a06bd666e828d6f.zip |
app-emulation/qemu: version bump to 2.8.0
Diffstat (limited to 'app-emulation/qemu/files')
3 files changed, 113 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
new file mode 100644
index 000000000000..466c819e78a7
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
@@ -0,0 +1,40 @@
+https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html
+https://bugs.gentoo.org/603444
+
+From: P J P
+Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
+Date: Wed, 14 Dec 2016 12:31:56 +0530
+From: Prasad J Pandit <address@hidden>
+
+Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
+command, retrieves the maximum capabilities size to fill in the
+response object. It continues to fill in capabilities even if
+retrieved 'max_size' is zero(0), thus resulting in OOB access.
+Add check to avoid it.
+
+Reported-by: Zhenhao Hong <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/display/virtio-gpu-3d.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 758d33a..6ceeba3 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
++
+ resp = g_malloc0(sizeof(*resp) + max_size);
+-
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+ gc.capset_version,
+--
+2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
new file mode 100644
index 000000000000..841de65d48c0
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
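Review bot: The context of the CVE-2016-10028 hunk already reads `resp = g_malloc0(sizeof(*resp) + max_size);`, which is the state produced by the CVE-2016-9908 patch (second file of this commit) that changes that same line from `g_malloc` to `g_malloc0`, so this patch only applies cleanly after 9908 has been applied; the changed line sits in the middle of the hunk, where fuzz will not rescue it. Alphabetically "CVE-2016-10028" sorts before "CVE-2016-9908", so the ebuild's patch list, which is outside this diffstat, should be confirmed to apply 9908 first. The `if (!max_size)` guard itself looks right for the zero-size case the commit message describes; the rest of virgl_cmd_get_capset is outside the hunk.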
@@ -0,0 +1,35 @@
+https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html
+https://bugs.gentoo.org/601826
+
+From: Li Qiang
+Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch
+Date: Tue, 1 Nov 2016 05:37:57 -0700
+From: Li Qiang <address@hidden>
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
+- resp = g_malloc(sizeof(*resp) + max_size);
++ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+--
+1.8.3.1
+
+
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
new file mode 100644
index 000000000000..55963f70b98b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
@@ -0,0 +1,38 @@
+https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html
+https://bugs.gentoo.org/602630
+
+From: Li Qiang
+Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
+Date: Mon, 28 Nov 2016 21:29:25 -0500
+If the guest destroy the resource before detach banking, the 'iov'
+and 'addrs' field in resource is not freed thus leading memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+ hw/display/virtio-gpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 60bce94..98dadf2 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -28,6 +28,8 @@
+ static struct virtio_gpu_simple_resource*
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
++
+ #ifdef CONFIG_VIRGL
+ #include <virglrenderer.h>
+ #define VIRGL(_g, _virgl, _simple, ...) \
+@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
+ struct virtio_gpu_simple_resource *res)
+ {
+ pixman_image_unref(res->image);
++ virtio_gpu_cleanup_mapping(res);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
+ }
+--
+1.8.3.1 |
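Review bot: The added `virtio_gpu_cleanup_mapping(res);` in virtio_gpu_resource_destroy now also runs for resources whose backing the guest already detached, so it is only safe if virtio_gpu_cleanup_mapping resets `res->iov` and `res->addrs` (and their counts) after freeing them; its body is outside this hunk, so that should be confirmed, since otherwise a detach followed by a destroy of the same resource becomes a double free instead of the leak this patch closes. A one-line comment above the call, such as `/* release iov/addrs if the guest never detached the backing; relies on cleanup_mapping being idempotent */`, would record that assumption for whoever rebases this backport. The forward declaration added in the first hunk is consistent with the call site being earlier in the file than the definition.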