app-emulation/qemu: security fixes

CVE-2017-7471, bug #616484

CVE-2017-7718, bug #616482
  already applied on stable-2.8 as 3328c14e63f08fb07e8c6dec779c9d365e9e9864

CVE-2017-7980, bug #616462
  already applied on stable-2.8 as a290442234fa214fcb7f45fc91d802bcb8d05c4b
                                   031700e4527b9e05798f7040dccdf638da27aee2

CVE-2017-8086, bug #616460

Package-Manager: Portage-2.3.5, Repoman-2.3.2

3 files changed, 94 insertions, 0 deletions

diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
new file mode 100644
index 000000000000..c5366f5758e7
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
@@ -0,0 +1,64 @@
+From 9c6b899f7a46893ab3b671e341a2234e9c0c060e Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Mon, 17 Apr 2017 10:53:23 +0200
+Subject: [PATCH] 9pfs: local: set the path of the export root to "."
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The local backend was recently converted to using "at*()" syscalls in order
+to ensure all accesses happen below the shared directory. This requires that
+we only pass relative paths, otherwise the dirfd argument to the "at*()"
+syscalls is ignored and the path is treated as an absolute path in the host.
+This is actually the case for paths in all fids, with the notable exception
+of the root fid, whose path is "/". This causes the following backend ops to
+act on the "/" directory of the host instead of the virtfs shared directory
+when the export root is involved:
+- lstat
+- chmod
+- chown
+- utimensat
+
+ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
+host for example. This could cause security issues with a privileged QEMU.
+
+All "*at()" syscalls are being passed an open file descriptor. In the case
+of the export root, this file descriptor points to the path in the host that
+was passed to -fsdev.
+
+The fix is thus as simple as changing the path of the export root fid to be
+"." instead of "/".
+
+This is CVE-2017-7471.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Léo Gaspard <leo@gaspard.io>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/9pfs/9p-local.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
+index 45e9a1f..f3ebca4 100644
+--- a/hw/9pfs/9p-local.c
++++ b/hw/9pfs/9p-local.c
+@@ -1098,8 +1098,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
+ {
+     if (dir_path) {
+         v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
+-    } else {
++    } else if (strcmp(name, "/")) {
+         v9fs_path_sprintf(target, "%s", name);
++    } else {
++        /* We want the path of the export root to be relative, otherwise
++         * "*at()" syscalls would treat it as "/" in the host.
++         */
++        v9fs_path_sprintf(target, "%s", ".");
+     }
+     return 0;
+ }
+-- 
+2.10.2
+
diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
new file mode 100644
index 000000000000..eac72f3dcb59
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
@@ -0,0 +1,28 @@
+From 4ffcdef4277a91af15a3c09f7d16af072c29f3f2 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Fri, 7 Apr 2017 03:48:52 -0700
+Subject: [PATCH] 9pfs: xattr: fix memory leak in v9fs_list_xattr
+
+Free 'orig_value' in error path.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p-xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c
+index eec160b..d05c1a1 100644
+--- a/hw/9pfs/9p-xattr.c
++++ b/hw/9pfs/9p-xattr.c
+@@ -108,6 +108,7 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
+     g_free(name);
+     close_preserve_errno(dirfd);
+     if (xattr_len < 0) {
++        g_free(orig_value);
+         return -1;
+     }
+ 
+-- 
+2.10.2
+
diff --git a/app-emulation/qemu/qemu-2.8.1-r1.ebuild b/app-emulation/qemu/qemu-2.8.1-r2.ebuild
index 62dcf5761393..2e9ad1977aac 100644
--- a/app-emulation/qemu/qemu-2.8.1-r1.ebuild
+++ b/app-emulation/qemu/qemu-2.8.1-r2.ebuild
@@ -207,6 +207,8 @@ PATCHES=(
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch   #609398
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch   #612220
 	"${FILESDIR}"/${PN}-2.8.0-CVE-2017-7377.patch   #614744
+	"${FILESDIR}"/${PN}-2.8.1-CVE-2017-7471.patch   #616484
+	"${FILESDIR}"/${PN}-2.8.1-CVE-2017-8086.patch   #616460
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"