From: "Mike Frysinger" <vapier@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/, app-emulation/qemu/files/
Date: Thu, 29 Dec 2016 20:09:09 +0000 (UTC) [thread overview]
Message-ID: <1483041908.538fed1c866f2b1ef17d97295a06bd666e828d6f.vapier@gentoo> (raw)
commit: 538fed1c866f2b1ef17d97295a06bd666e828d6f
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Thu Dec 29 18:20:31 2016 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Thu Dec 29 20:05:08 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=538fed1c
app-emulation/qemu: version bump to 2.8.0
app-emulation/qemu/Manifest | 1 +
.../qemu/files/qemu-2.8.0-CVE-2016-10028.patch | 40 ++++++++++++++++++++++
.../qemu/files/qemu-2.8.0-CVE-2016-9908.patch | 35 +++++++++++++++++++
.../qemu/files/qemu-2.8.0-CVE-2016-9912.patch | 38 ++++++++++++++++++++
.../qemu/{qemu-9999.ebuild => qemu-2.8.0.ebuild} | 6 +++-
app-emulation/qemu/qemu-9999.ebuild | 2 +-
6 files changed, 120 insertions(+), 2 deletions(-)
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest
index 5d40bbd..46537bc 100644
--- a/app-emulation/qemu/Manifest
+++ b/app-emulation/qemu/Manifest
@@ -1,2 +1,3 @@
DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d
DIST qemu-2.7.1.tar.bz2 26868403 SHA256 68636788eb69bcb0b44ba220b32b50495d6bd5712a934c282217831c4822958f SHA512 16a83946e9064733254c82c961749bf9c56a0a2a8ee46145b4a78e1452ac0e2548d888963d18c80e28f65202890fd643b0011951b5b1c66ef16234767ed91898 WHIRLPOOL ae3d3c2b2a3700613733659847de6187755631cb09e8c3548ea30cd994357c9ff128646edce88dfe4dce53e6c1c0f37f8de3688ee7e22262033b40f3fc706efa
+DIST qemu-2.8.0.tar.bz2 28368517 SHA256 dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62 SHA512 50f2988d822388ba9fd1bf5dbe68359033ed7432d7f0f9790299f32f63faa6dc72979256b5632ba572d47ee3e74ed40e3e8e331dc6303ec1599f1b4367cb78c2 WHIRLPOOL 0ce4e0539657eb832e4039819e7360c792b6aa41c718f0e0d762f4933217f0d370af94b1d6d9776853575b4a6811d8c85db069bf09d21bd15399ac8b50440ff5
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
new file mode 100644
index 00000000..466c819
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
@@ -0,0 +1,40 @@
+https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html
+https://bugs.gentoo.org/603444
+
+From: P J P
+Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
+Date: Wed, 14 Dec 2016 12:31:56 +0530
+From: Prasad J Pandit <address@hidden>
+
+Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
+command, retrieves the maximum capabilities size to fill in the
+response object. It continues to fill in capabilities even if
+retrieved 'max_size' is zero(0), thus resulting in OOB access.
+Add check to avoid it.
+
+Reported-by: Zhenhao Hong <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/display/virtio-gpu-3d.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 758d33a..6ceeba3 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
++ if (!max_size) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++ return;
++ }
++
+ resp = g_malloc0(sizeof(*resp) + max_size);
+-
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+ gc.capset_version,
+--
+2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
new file mode 100644
index 00000000..841de65
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
@@ -0,0 +1,35 @@
+https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html
+https://bugs.gentoo.org/601826
+
+From: Li Qiang
+Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch
+Date: Tue, 1 Nov 2016 05:37:57 -0700
+From: Li Qiang <address@hidden>
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
+- resp = g_malloc(sizeof(*resp) + max_size);
++ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+--
+1.8.3.1
+
+
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
new file mode 100644
index 00000000..55963f7
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
@@ -0,0 +1,38 @@
+https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html
+https://bugs.gentoo.org/602630
+
+From: Li Qiang
+Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
+Date: Mon, 28 Nov 2016 21:29:25 -0500
+If the guest destroy the resource before detach banking, the 'iov'
+and 'addrs' field in resource is not freed thus leading memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+ hw/display/virtio-gpu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 60bce94..98dadf2 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -28,6 +28,8 @@
+ static struct virtio_gpu_simple_resource*
+ virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+
++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
++
+ #ifdef CONFIG_VIRGL
+ #include <virglrenderer.h>
+ #define VIRGL(_g, _virgl, _simple, ...) \
+@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
+ struct virtio_gpu_simple_resource *res)
+ {
+ pixman_image_unref(res->image);
++ virtio_gpu_cleanup_mapping(res);
+ QTAILQ_REMOVE(&g->reslist, res, next);
+ g_free(res);
+ }
+--
+1.8.3.1
diff --git a/app-emulation/qemu/qemu-9999.ebuild b/app-emulation/qemu/qemu-2.8.0.ebuild
similarity index 98%
copy from app-emulation/qemu/qemu-9999.ebuild
copy to app-emulation/qemu/qemu-2.8.0.ebuild
index 4859990..de01f6c 100644
--- a/app-emulation/qemu/qemu-9999.ebuild
+++ b/app-emulation/qemu/qemu-2.8.0.ebuild
@@ -142,7 +142,7 @@ USER_LIB_DEPEND="${COMMON_LIB_DEPEND}"
X86_FIRMWARE_DEPEND="
>=sys-firmware/ipxe-1.0.0_p20130624
pin-upstream-blobs? (
- ~sys-firmware/seabios-1.8.2
+ ~sys-firmware/seabios-1.10.1
~sys-firmware/sgabios-0.1_pre8
~sys-firmware/vgabios-0.7a
)
@@ -333,6 +333,10 @@ src_prepare() {
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
+ epatch "${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108
+ epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch #601826
+ epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch #602630
+ epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch #603444
# Fix ld and objcopy being called directly
tc-export AR LD OBJCOPY
diff --git a/app-emulation/qemu/qemu-9999.ebuild b/app-emulation/qemu/qemu-9999.ebuild
index 4859990..8b5b30c 100644
--- a/app-emulation/qemu/qemu-9999.ebuild
+++ b/app-emulation/qemu/qemu-9999.ebuild
@@ -142,7 +142,7 @@ USER_LIB_DEPEND="${COMMON_LIB_DEPEND}"
X86_FIRMWARE_DEPEND="
>=sys-firmware/ipxe-1.0.0_p20130624
pin-upstream-blobs? (
- ~sys-firmware/seabios-1.8.2
+ ~sys-firmware/seabios-1.10.1
~sys-firmware/sgabios-0.1_pre8
~sys-firmware/vgabios-0.7a
)
next reply other threads:[~2016-12-29 20:09 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-29 20:09 Mike Frysinger [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-02-03 9:19 [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/, app-emulation/qemu/files/ Sam James
2024-12-02 14:50 Sam James
2024-10-06 9:37 Sam James
2023-08-26 3:51 Sam James
2023-07-02 23:01 Sam James
2023-05-05 18:11 Matthias Maier
2023-03-12 0:38 Andreas K. Hüttel
2023-02-22 11:32 Sam James
2023-01-18 18:59 John Helmert III
2022-09-16 19:41 Georgy Yakovlev
2022-07-05 1:05 WANG Xuerui
2022-04-04 18:44 John Helmert III
2022-01-11 13:40 Matthias Maier
2021-12-20 6:42 Matthias Maier
2021-12-08 1:23 John Helmert III
2021-10-11 3:49 John Helmert III
2021-09-23 2:08 Matthias Maier
2021-05-26 6:54 Sergei Trofimovich
2021-05-12 6:55 Sergei Trofimovich
2021-04-12 19:39 Sergei Trofimovich
2021-02-01 18:01 Sergei Trofimovich
2021-01-31 14:29 Sergei Trofimovich
2021-01-31 9:38 Sergei Trofimovich
2020-12-14 8:46 Sergei Trofimovich
2020-12-10 9:02 Sergei Trofimovich
2020-11-24 8:38 Sergei Trofimovich
2020-09-20 8:23 Sergei Trofimovich
2020-09-19 7:33 Sergei Trofimovich
2020-09-05 7:08 Sergei Trofimovich
2020-08-13 22:36 Sergei Trofimovich
2020-07-09 22:55 Sergei Trofimovich
2020-04-30 23:47 Sergei Trofimovich
2020-04-18 22:06 Matthias Maier
2020-04-08 18:51 Matthias Maier
2020-02-06 15:52 Matthias Maier
2019-09-22 2:12 Matthias Maier
2019-07-28 18:21 Matthias Maier
2019-05-19 23:42 Matthias Maier
2019-04-29 6:48 Matthias Maier
2018-12-19 21:47 Matthias Maier
2018-08-19 17:49 Matthias Maier
2018-07-23 15:06 Jason Donenfeld
2018-06-15 17:47 Matthias Maier
2018-03-27 16:18 Matthias Maier
2018-02-12 22:48 Matthias Maier
2018-02-11 20:27 Matthias Maier
2017-09-01 1:32 Matthias Maier
2017-07-26 19:37 Matthias Maier
2017-07-26 18:57 Matthias Maier
2017-05-18 4:20 Matthias Maier
2017-04-29 21:32 Matthias Maier
2017-04-12 5:03 Matthias Maier
2017-02-21 12:03 Matthias Maier
2017-02-13 6:40 Matthias Maier
2017-02-13 4:58 Matthias Maier
2017-01-20 19:28 Mike Frysinger
2016-10-26 21:48 Matthias Maier
2016-09-18 4:33 Matthias Maier
2016-09-10 2:23 Matthias Maier
2016-03-28 22:03 Mike Frysinger
2016-02-15 15:27 Doug Goldstein
2016-01-18 4:59 Mike Frysinger
2015-12-17 15:12 Mike Frysinger
2015-10-15 20:24 Markos Chandras
2015-10-10 0:59 Mike Frysinger
2015-09-07 5:50 Mike Frysinger
2015-08-10 11:05 Mike Frysinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1483041908.538fed1c866f2b1ef17d97295a06bd666e828d6f.vapier@gentoo \
--to=vapier@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox