diff options
| author |   Matthias Maier <tamiko@gentoo.org> | 2017-02-12 22:08:18 -0600 |
|---|---|---|
| committer | Matthias Maier <tamiko@gentoo.org> | 2017-02-12 22:08:18 -0600 |
| commit | cd0007ee8270ccd2773604782ddcc4b67fa3a103 (patch) | |
| tree | 6745cc5c138951f861fd66b4a9f9cdff82fa4892 /app-emulation/qemu/files | |
| parent | sys-apps/portage: make sync-depth message conditional (diff) | |
| download | gentoo-cd0007ee8270ccd2773604782ddcc4b67fa3a103.tar.gz gentoo-cd0007ee8270ccd2773604782ddcc4b67fa3a103.tar.bz2 gentoo-cd0007ee8270ccd2773604782ddcc4b67fa3a103.zip | |
app-emulation/qemu: drop old versions 2.7.0, 2.7.1
Package-Manager: Portage-2.3.3, Repoman-2.3.1
Diffstat (limited to 'app-emulation/qemu/files')
27 files changed, 0 insertions, 1042 deletions
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch deleted file mode 100644 index 56f7435df5b6..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Li Qiang <address@hidden> - -In Vmxnet3 device emulator while processing transmit(tx) queue, -when it reaches end of packet, it calls vmxnet3_complete_packet. -In that local 'txcq_descr' object is not initialised, which could -leak host memory bytes a guest. - -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/net/vmxnet3.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index 90f6943..92f6af9 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) - - VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); - -+ memset(&txcq_descr, 0, sizeof(txcq_descr)); - txcq_descr.txdIdx = tx_ridx; - txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); - --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch deleted file mode 100644 index 495faf2f1cbe..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch +++ /dev/null @@ -1,81 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -Vmware Paravirtual SCSI emulation uses command descriptors to -process SCSI commands. These descriptors come with their ring -buffers. A guest could set the page count for these rings to -an arbitrary value, leading to infinite loop or OOB access. -Add check to avoid it. - -Reported-by: Tom Victor <address@hidden> -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/scsi/vmw_pvscsi.c | 21 ++++++++++----------- - 1 file changed, 10 insertions(+), 11 deletions(-) - -Update per review - -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 5116f4a..4245c15 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input) - return log; - } - --static int -+static void - pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - { - int i; -@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - uint32_t req_ring_size, cmp_ring_size; - m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; - -- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) -- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { -- return -1; -- } - req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; - txr_len_log2 = pvscsi_log2(req_ring_size - 1); -@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - - /* Flush ring state page changes */ - smp_wmb(); -- -- return 0; - } - - static int -@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc) - - trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages); - for (i = 0; i < rc->cmpRingNumPages; i++) { -- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]); -+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]); - } - } - -@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) - - trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); - -+ if (!rc->reqRingNumPages -+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES -+ || !rc->cmpRingNumPages -+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) { -+ return PVSCSI_COMMAND_PROCESSING_FAILED; -+ } -+ - pvscsi_dbg_dump_tx_rings_config(rc); -- if (pvscsi_ring_init_data(&s->rings, rc) < 0) { -- return PVSCSI_COMMAND_PROCESSING_FAILED; -- } -+ pvscsi_ring_init_data(&s->rings, rc); - - s->rings_info_valid = TRUE; - return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch deleted file mode 100644 index 9c21a6759ad1..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch +++ /dev/null @@ -1,62 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very -long time or go into an infinite loop due to two different bugs: - -1) the request descriptor data length is defined to be 64 bit. While -building SG list from a request descriptor, it gets truncated to 32bit -in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop -situation for large 'dataLen' values, when data_length is cast to uint32_t -and chunk_size becomes always zero. Fix this by removing the incorrect -cast. - -2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the -element has a zero length. Get out of the loop early when this happens, -by introducing an upper limit on the number of SG list elements. - -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/scsi/vmw_pvscsi.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -Update as per: - -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 4245c15..babac5a 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -40,6 +40,8 @@ - #define PVSCSI_MAX_DEVS (64) - #define PVSCSI_MSIX_NUM_VECTORS (1) - -+#define PVSCSI_MAX_SG_ELEM 2048 -+ - #define PVSCSI_MAX_CMD_DATA_WORDS \ - (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) - -@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d, - static void - pvscsi_convert_sglist(PVSCSIRequest *r) - { -- int chunk_size; -+ uint32_t chunk_size, elmcnt = 0; - uint64_t data_length = r->req.dataLen; - PVSCSISGState sg = r->sg; -- while (data_length) { -- while (!sg.resid) { -+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { -+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { - pvscsi_get_next_sg_elem(&sg); - trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, - r->sg.resid); - } -- assert(data_length > 0); -- chunk_size = MIN((unsigned) data_length, sg.resid); -+ chunk_size = MIN(data_length, sg.resid); - if (chunk_size) { - qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); - } --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch deleted file mode 100644 index 480de308e0ac..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -When LSI SAS1068 Host Bus emulator builds configuration page -headers, the format string used in 'mptsas_config_manufacturing_1' -was wrong. It could lead to an invalid memory access. - -Reported-by: Tom Victor <address@hidden> -Fix-suggested-by: Paolo Bonzini <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/scsi/mptconfig.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c -index 7071854..1ec895b 100644 ---- a/hw/scsi/mptconfig.c -+++ b/hw/scsi/mptconfig.c -@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address - { - /* VPD - all zeros */ - return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00, -- "s256"); -+ "*s256"); - } - - static --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch deleted file mode 100644 index 5e796086ae08..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -When LSI SAS1068 Host Bus emulator builds configuration page -headers, mptsas_config_pack() asserts to check returned size -value is within limit of 256 bytes. Fix that assert expression. - -Suggested-by: Paolo Bonzini <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/scsi/mptconfig.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c -index 1ec895b..531947f 100644 ---- a/hw/scsi/mptconfig.c -+++ b/hw/scsi/mptconfig.c -@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...) - va_end(ap); - - if (data) { -- assert(ret < 256 && (ret % 4) == 0); -+ assert(ret / 4 < 256); - stb_p(*data + 1, ret / 4); - } - return ret; --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch deleted file mode 100644 index 7eb5f76dd133..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, -the computed BITMAP and PIXMAP size are checked against the -'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. -Correct these checks to avoid OOB memory access. - -Reported-by: Qinghao Tang <address@hidden> -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/display/vmware_vga.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c -index e51a05e..6599cf0 100644 ---- a/hw/display/vmware_vga.c -+++ b/hw/display/vmware_vga.c -@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) - cursor.bpp = vmsvga_fifo_read(s); - - args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); -- if (cursor.width > 256 || -- cursor.height > 256 || -- cursor.bpp > 32 || -- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || -- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { -+ if (cursor.width > 256 -+ || cursor.height > 256 -+ || cursor.bpp > 32 -+ || SVGA_BITMAP_SIZE(x, y) -+ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) -+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) -+ > sizeof(cursor.image) / sizeof(cursor.image[0])) { - goto badcmd; - } - --- -2.5.5 - diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch deleted file mode 100644 index b9f354537a76..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -Vmware Paravirtual SCSI emulator while processing IO requests -could run into an infinite loop if 'pvscsi_ring_pop_req_descr' -always returned positive value. Limit IO loop to the ring size. - -Cc: address@hidden -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> -Message-Id: <address@hidden> -Signed-off-by: Paolo Bonzini <address@hidden> ---- - hw/scsi/vmw_pvscsi.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index babac5a..a5ce7de 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -247,8 +247,11 @@ static hwaddr - pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) - { - uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); -+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING -+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - -- if (ready_ptr != mgr->consumed_ptr) { -+ if (ready_ptr != mgr->consumed_ptr -+ && ready_ptr - mgr->consumed_ptr < ring_size) { - uint32_t next_ready_ptr = - mgr->consumed_ptr++ & mgr->txr_len_mask; - uint32_t next_ready_page = --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch deleted file mode 100644 index cc605810868c..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 973e7170dddefb491a48df5cba33b2ae151013a0 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Mon, 19 Sep 2016 23:55:45 +0530 -Subject: [PATCH] virtio: add check for descriptor's mapped address - -virtio back end uses set of buffers to facilitate I/O operations. -If its size is too large, 'cpu_physical_memory_map' could return -a null address. This would result in a null dereference while -un-mapping descriptors. Add check to avoid it. - -Reported-by: Qinghao Tang <luodalongde@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Michael S. Tsirkin <mst@redhat.com> -Reviewed-by: Laszlo Ersek <lersek@redhat.com> ---- - hw/virtio/virtio.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index fcf3358d6c0d..bb656b1ccff0 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -495,6 +495,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove - } - - iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); -+ if (!iov[num_sg].iov_base) { -+ error_report("virtio: bogus descriptor or out of resources"); -+ exit(1); -+ } -+ - iov[num_sg].iov_len = len; - addr[num_sg] = pa; - --- -2.11.0 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch deleted file mode 100644 index fdd871b16205..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Li Qiang <address@hidden> - -When processing IO request in mptsas, it uses g_new to allocate -a 'req' object. If an error occurs before 'req->sreq' is -allocated, It could lead to an OOB write in mptsas_free_request -function. Use g_new0 to avoid it. - -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> -Message-Id: <address@hidden> -Cc: address@hidden -Signed-off-by: Paolo Bonzini <address@hidden> ---- - hw/scsi/mptsas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c -index 0e0a22f..eaae1bb 100644 ---- a/hw/scsi/mptsas.c -+++ b/hw/scsi/mptsas.c -@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, - goto bad; - } - -- req = g_new(MPTSASRequest, 1); -+ req = g_new0(MPTSASRequest, 1); - QTAILQ_INSERT_TAIL(&s->pending, req, next); - req->scsi_io = *scsi_io; - req->dev = s; --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch deleted file mode 100644 index d5028bb168c7..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Li Qiang <address@hidden> - -If the xhci uses msix, it doesn't free the corresponding -memory, thus leading a memory leak. This patch avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/usb/hcd-xhci.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 188f954..281a2a5 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev) - /* destroy msix memory region */ - if (dev->msix_table && dev->msix_pba - && dev->msix_entry_used) { -- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio); -- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio); -+ msix_uninit(dev, &xhci->mem, &xhci->mem); - } - - usb_bus_release(&xhci->bus); --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch deleted file mode 100644 index 34b095a51374..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -i.MX Fast Ethernet Controller uses buffer descriptors to manage -data flow to/fro receive & transmit queues. While transmitting -packets, it could continue to read buffer descriptors if a buffer -descriptor has length of zero and has crafted values in bd.flags. -Set an upper limit to number of buffer descriptors. - -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/net/imx_fec.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -Update per - -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html - -diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c -index 1c415ab..1d74827 100644 ---- a/hw/net/imx_fec.c -+++ b/hw/net/imx_fec.c -@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = { - #define PHY_INT_PARFAULT (1 << 2) - #define PHY_INT_AUTONEG_PAGE (1 << 1) - -+#define IMX_MAX_DESC 1024 -+ - static void imx_eth_update(IMXFECState *s); - - /* -@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s) - - static void imx_fec_do_tx(IMXFECState *s) - { -- int frame_size = 0; -+ int frame_size = 0, descnt = 0; - uint8_t frame[ENET_MAX_FRAME_SIZE]; - uint8_t *ptr = frame; - uint32_t addr = s->tx_descriptor; - -- while (1) { -+ while (descnt++ < IMX_MAX_DESC) { - IMXFECBufDesc bd; - int len; - diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch deleted file mode 100644 index 16d072fe7928..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Thu, 22 Sep 2016 16:02:37 +0530 -Subject: [PATCH] net: mcf: limit buffer descriptor count - -ColdFire Fast Ethernet Controller uses buffer descriptors to manage -data flow to/fro receive & transmit queues. While transmitting -packets, it could continue to read buffer descriptors if a buffer -descriptor has length of zero and has crafted values in bd.flags. -Set upper limit to number of buffer descriptors. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> -Signed-off-by: Jason Wang <jasowang@redhat.com> ---- - hw/net/mcf_fec.c | 5 +++-- - 1 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c -index 0ee8ad9..d31fea1 100644 ---- a/hw/net/mcf_fec.c -+++ b/hw/net/mcf_fec.c -@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) - #define DPRINTF(fmt, ...) do {} while(0) - #endif - -+#define FEC_MAX_DESC 1024 - #define FEC_MAX_FRAME_SIZE 2032 - - typedef struct { -@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) - uint32_t addr; - mcf_fec_bd bd; - int frame_size; -- int len; -+ int len, descnt = 0; - uint8_t frame[FEC_MAX_FRAME_SIZE]; - uint8_t *ptr; - -@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) - ptr = frame; - frame_size = 0; - addr = s->tx_descriptor; -- while (1) { -+ while (descnt++ < FEC_MAX_DESC) { - mcf_fec_read_bd(&bd, addr); - DPRINTF("tx_bd %x flags %04x len %d data %08x\n", - addr, bd.flags, bd.length, bd.data); --- -1.7.0.4 - diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch deleted file mode 100644 index 8e6ecff8926c..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -The AMD PC-Net II emulator has set of control and status(CSR) -registers. Of these, CSR76 and CSR78 hold receive and transmit -descriptor ring length respectively. This ring length could range -from 1 to 65535. Setting ring length to zero leads to an infinite -loop in pcnet_rdra_addr. Add check to avoid it. - -Reported-by: Li Qiang <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/net/pcnet.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index 198a01f..3078de8 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value) - case 47: /* POLLINT */ - case 72: - case 74: -+ break; - case 76: /* RCVRL */ - case 78: /* XMTRL */ -+ val = (val > 0) ? val : 512; -+ break; - case 112: - if (CSR_STOP(s) || CSR_SPND(s)) - break; --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch deleted file mode 100644 index 6fe77f367da5..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Li Qiang <address@hidden> - -In virtio gpu resource create dispatch, if the pixman format is zero -it doesn't free the resource object allocated previously. Thus leading -a host memory leak issue. This patch avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/display/virtio-gpu.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 7fe6ed8..5b6d17b 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, - qemu_log_mask(LOG_GUEST_ERROR, - "%s: host couldn't handle guest format %d\n", - __func__, c2d.format); -+ g_free(res); - cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; - return; - } --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch deleted file mode 100644 index dce1b2b2a326..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Li Qiang <address@hidden> - -While processing isochronous transfer descriptors(iTD), if the page -select(PG) field value is out of bands it will return. In this -situation the ehci's sg list doesn't be freed thus leading a memory -leak issue. This patch avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/usb/hcd-ehci.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index b093db7..f4ece9a 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, - if (off + len > 4096) { - /* transfer crosses page border */ - if (pg == 6) { -+ qemu_sglist_destroy(&ehci->isgl); - return -1; /* avoid page pg + 1 */ - } - ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch deleted file mode 100644 index 9617cd5dc880..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <address@hidden> -Date: Fri, 7 Oct 2016 10:15:29 +0200 -Subject: [PATCH] xhci: limit the number of link trbs we are willing to process - -Signed-off-by: Gerd Hoffmann <address@hidden> ---- - hw/usb/hcd-xhci.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 726435c..ee4fa48 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -54,6 +54,8 @@ - * to the specs when it gets them */ - #define ER_FULL_HACK - -+#define TRB_LINK_LIMIT 4 -+ - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) - #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) -@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - dma_addr_t *addr) - { - PCIDevice *pci_dev = PCI_DEVICE(xhci); -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - ring->dequeue += TRB_SIZE; - return type; - } else { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return 0; -+ } - ring->dequeue = xhci_mask64(trb->parameter); - if (trb->control & TRB_LK_TC) { - ring->ccs = !ring->ccs; -@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - bool ccs = ring->ccs; - /* hack to bundle together the two/three TDs that make a setup transfer */ - bool control_td_set = 0; -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - type = TRB_TYPE(trb); - - if (type == TR_LINK) { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return -length; -+ } - dequeue = xhci_mask64(trb.parameter); - if (trb.control & TRB_LK_TC) { - ccs = !ccs; --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch deleted file mode 100644 index 8c295802c8ae..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Li Qiang <address@hidden> - -In 9pfs read dispatch function, it doesn't free two QEMUIOVector -object thus causing potential memory leak. This patch avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/9pfs/9p.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 119ee58..543a791 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque) - if (len < 0) { - /* IO error return the error */ - err = len; -- goto out; -+ goto out_free_iovec; - } - } while (count < max_count && len > 0); - err = pdu_marshal(pdu, offset, "d", count); - if (err < 0) { -- goto out; -+ goto out_free_iovec; - } - err += offset + count; -+out_free_iovec: - qemu_iovec_destroy(&qiov); - qemu_iovec_destroy(&qiov_full); - } else if (fidp->fid_type == P9_FID_XATTR) { --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch deleted file mode 100644 index 74eee7e4d94d..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch +++ /dev/null @@ -1,58 +0,0 @@ -From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Mon, 17 Oct 2016 14:13:58 +0200 -Subject: [PATCH] 9pfs: allocate space for guest originated empty strings - -If a guest sends an empty string paramater to any 9P operation, the current -code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. - -This is unfortunate because it can cause NULL pointer dereference to happen -at various locations in the 9pfs code. And we don't want to check str->data -everywhere we pass it to strcmp() or any other function which expects a -dereferenceable pointer. - -This patch enforces the allocation of genuine C empty strings instead, so -callers don't have to bother. - -Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if -the returned string is empty. It now uses v9fs_string_size() since -name.data cannot be NULL anymore. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -[groug, rewritten title and changelog, - fix empty string check in v9fs_xattrwalk()] -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - fsdev/9p-iov-marshal.c | 2 +- - hw/9pfs/9p.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c -index 663cad5..1d16f8d 100644 ---- a/fsdev/9p-iov-marshal.c -+++ b/fsdev/9p-iov-marshal.c -@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, - str->data = g_malloc(str->size + 1); - copied = v9fs_unpack(str->data, out_sg, out_num, offset, - str->size); -- if (copied > 0) { -+ if (copied >= 0) { - str->data[str->size] = 0; - } else { - v9fs_string_free(str); -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 119ee58..39a7e1d 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque) - goto out; - } - v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); -- if (name.data == NULL) { -+ if (!v9fs_string_size(&name)) { - /* - * listxattr request. Get the size first - */ --- -2.7.3 - diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch deleted file mode 100644 index a27d3a6fb196..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -Rocker network switch emulator has test registers to help debug -DMA operations. While testing host DMA access, a buffer address -is written to register 'TEST_DMA_ADDR' and its size is written to -register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT -test, if DMA buffer size was greater than 'INT_MAX', it leads to -an invalid buffer access. Limit the DMA buffer size to avoid it. - -Reported-by: Huawei PSIRT <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/net/rocker/rocker.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c -index 30f2ce4..e9d215a 100644 ---- a/hw/net/rocker/rocker.c -+++ b/hw/net/rocker/rocker.c -@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val) - rocker_msix_irq(r, val); - break; - case ROCKER_TEST_DMA_SIZE: -- r->test_dma_size = val; -+ r->test_dma_size = val & 0xFFFF; - break; - case ROCKER_TEST_DMA_ADDR + 4: - r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch deleted file mode 100644 index 23393b7d590d..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -16550A UART device uses an oscillator to generate frequencies -(baud base), which decide communication speed. This speed could -be changed by dividing it by a divider. If the divider is -greater than the baud base, speed is set to zero, leading to a -divide by zero error. Add check to avoid it. - -Reported-by: Huawei PSIRT <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/char/serial.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -Update per - -> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index 3442f47..eec72b7 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s) - int speed, parity, data_bits, stop_bits, frame_size; - QEMUSerialSetParams ssp; - -- if (s->divider == 0) -+ if (s->divider == 0 || s->divider > s->baudbase) { - return; -+ } - - /* Start bit. */ - frame_size = 1; --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch deleted file mode 100644 index ed6613f89660..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -Intel HDA emulator uses stream of buffers during DMA data -transfers. Each entry has buffer length and buffer pointer -position, which are used to derive bytes to 'copy'. If this -length and buffer pointer were to be same, 'copy' could be -set to zero(0), leading to an infinite loop. Add check to -avoid it. - -Reported-by: Huawei PSIRT <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/audio/intel-hda.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c -index cd95340..537face 100644 ---- a/hw/audio/intel-hda.c -+++ b/hw/audio/intel-hda.c -@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, - } - - left = len; -- while (left > 0) { -+ s = st->bentries; -+ while (left > 0 && s-- > 0) { - copy = left; - if (copy > st->bsize - st->lpib) - copy = st->bsize - st->lpib; --- -2.7.4 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch deleted file mode 100644 index c93f79631fcb..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -RTL8139 ethernet controller in C+ mode supports multiple -descriptor rings, each with maximum of 64 descriptors. While -processing transmit descriptor ring in 'rtl8139_cplus_transmit', -it does not limit the descriptor count and runs forever. Add -check to avoid it. - -Reported-by: Andrew Henderson <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/net/rtl8139.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 3345bc6..f05e59c 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s) - { - int txcount = 0; - -- while (rtl8139_cplus_transmit_one(s)) -+ while (txcount < 64 && rtl8139_cplus_transmit_one(s)) - { - ++txcount; - } --- -2.7.4 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch deleted file mode 100644 index 963eca97f486..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch +++ /dev/null @@ -1,21 +0,0 @@ -From: Li Qiang <address@hidden> - -The 'fs.xattr.value' field in V9fsFidState object doesn't consider the -situation that this field has been allocated previously. Every time, it -will be allocated directly. This leads a host memory leak issue. This -patch fix this. - --- -1.8.3.1 -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 75ba5f1..a4c7109 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque) - xattr_fidp->fs.xattr.flags = flags; - v9fs_string_init(&xattr_fidp->fs.xattr.name); - v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); -+ g_free(xattr_fidp->fs.xattr.value); - xattr_fidp->fs.xattr.value = g_malloc(size); - err = offset; - put_fid(pdu, file_fidp); diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch deleted file mode 100644 index 7520863a7dd8..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch +++ /dev/null @@ -1,27 +0,0 @@ -Author: Li Qiang <liqiang6-s@360.cn> -Date: Mon Oct 17 14:13:58 2016 +0200 - - 9pfs: fix information leak in xattr read - - 9pfs uses g_malloc() to allocate the xattr memory space, if the guest - reads this memory before writing to it, this will leak host heap memory - to the guest. This patch avoid this. - - Signed-off-by: Li Qiang <liqiang6-s@360.cn> - Reviewed-by: Greg Kurz <groug@kaod.org> - Signed-off-by: Greg Kurz <groug@kaod.org> - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 26aa7d5..bf23b01 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) - xattr_fidp->fs.xattr.flags = flags; - v9fs_string_init(&xattr_fidp->fs.xattr.name); - v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); - g_free(xattr_fidp->fs.xattr.value); -- xattr_fidp->fs.xattr.value = g_malloc(size); -+ xattr_fidp->fs.xattr.value = g_malloc0(size); - err = offset; - put_fid(pdu, file_fidp); - out_nofid: diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch deleted file mode 100644 index f1aec55c228b..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Tue, 1 Nov 2016 12:00:40 +0100 -Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest -originated offset: they must ensure this offset does not go beyond -the size of the extended attribute that was set in v9fs_xattrcreate(). -Unfortunately, the current code implement these checks with unsafe -calculations on 32 and 64 bit values, which may allow a malicious -guest to cause OOB access anyway. - -Fix this by comparing the offset and the xattr size, which are -both uint64_t, before trying to compute the effective number of bytes -to read or write. - -Suggested-by: Greg Kurz <groug@kaod.org> -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Greg Kurz <groug@kaod.org> -Reviewed-By: Guido Günther <agx@sigxcpu.org> -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p.c | 32 ++++++++++++-------------------- - 1 file changed, 12 insertions(+), 20 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index ab18ef2..7705ead 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, - { - ssize_t err; - size_t offset = 7; -- int read_count; -- int64_t xattr_len; -+ uint64_t read_count; - V9fsVirtioState *v = container_of(s, V9fsVirtioState, state); - VirtQueueElement *elem = v->elems[pdu->idx]; - -- xattr_len = fidp->fs.xattr.len; -- read_count = xattr_len - off; -+ if (fidp->fs.xattr.len < off) { -+ read_count = 0; -+ } else { -+ read_count = fidp->fs.xattr.len - off; -+ } - if (read_count > max_count) { - read_count = max_count; -- } else if (read_count < 0) { -- /* -- * read beyond XATTR value -- */ -- read_count = 0; - } - err = pdu_marshal(pdu, offset, "d", read_count); - if (err < 0) { -@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, - { - int i, to_copy; - ssize_t err = 0; -- int write_count; -- int64_t xattr_len; -+ uint64_t write_count; - size_t offset = 7; - - -- xattr_len = fidp->fs.xattr.len; -- write_count = xattr_len - off; -- if (write_count > count) { -- write_count = count; -- } else if (write_count < 0) { -- /* -- * write beyond XATTR value len specified in -- * xattrcreate -- */ -+ if (fidp->fs.xattr.len < off) { - err = -ENOSPC; - goto out; - } -+ write_count = fidp->fs.xattr.len - off; -+ if (write_count > count) { -+ write_count = count; -+ } - err = pdu_marshal(pdu, offset, "d", write_count); - if (err < 0) { - return err; --- -2.7.3 - diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch deleted file mode 100644 index cddff97f7011..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Li Qiang <address@hidden> - -In v9fs_link dispatch function, it doesn't put the 'oldfidp' -fid object, this will make the 'oldfidp->ref' never reach to 0, -thus leading a memory leak issue. This patch fix this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/9pfs/9p.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 8b50bfb..29f8b7a 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -2413,6 +2413,7 @@ static void v9fs_link(void *opaque) - if (!err) { - err = offset; - } -+ put_fid(pdu, oldfidp); - out: - put_fid(pdu, dfidp); - out_nofid: --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch deleted file mode 100644 index 137272d6b821..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch +++ /dev/null @@ -1,27 +0,0 @@ -Author: Li Qiang <liqiang6-s@360.cn> -Date: Mon Oct 17 14:13:58 2016 +0200 - - 9pfs: fix memory leak in v9fs_write - - If an error occurs when marshalling the transfer length to the guest, the - v9fs_write() function doesn't free an IO vector, thus leading to a memory - leak. This patch fixes the issue. - - Signed-off-by: Li Qiang <liqiang6-s@360.cn> - Reviewed-by: Greg Kurz <groug@kaod.org> - [groug, rephrased the changelog] - Signed-off-by: Greg Kurz <groug@kaod.org> - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index d43a552..e88cf25 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque) - offset = 7; - err = pdu_marshal(pdu, offset, "d", total); - if (err < 0) { -- goto out; -+ goto out_qiov; - } - err += offset; - |