From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: Re: [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes]. Date: Fri, 7 Apr 2017 09:12:31 -0400 Message-ID: <20170407131231.GA25582@jasmine> References: <33cbe8c58db1c1dac061ca8d52cf79b326379f43.1490688315.git.leo@famulari.name> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="V0207lvV8h4k8FAm" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:60624) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cwTgx-0008HF-0k for guix-devel@gnu.org; Fri, 07 Apr 2017 09:12:46 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cwTgs-00041H-Rb for guix-devel@gnu.org; Fri, 07 Apr 2017 09:12:42 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:45107) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cwTgs-000415-B5 for guix-devel@gnu.org; Fri, 07 Apr 2017 09:12:38 -0400 Received: from localhost (unknown [65.210.80.3]) by mail.messagingengine.com (Postfix) with ESMTPA id 054DE2469B for ; Fri, 7 Apr 2017 09:12:37 -0400 (EDT) Content-Disposition: inline In-Reply-To: <33cbe8c58db1c1dac061ca8d52cf79b326379f43.1490688315.git.leo@famulari.name> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --V0207lvV8h4k8FAm Content-Type: multipart/mixed; boundary="fUYQa+Pmc3FrFX/N" Content-Disposition: inline --fUYQa+Pmc3FrFX/N Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Mar 28, 2017 at 04:06:37AM -0400, Leo Famulari wrote: > Fixes CVE-2016-9602 and CVE-2017-{5857,5973,5987,6058,6505}. >=20 > * gnu/packages/qemu.scm (qemu): Update to 2.9.0-rc1. > [source]: Remove obsolete patches. > * gnu/packages/patches/qemu-CVE-2016-10155.patch, > gnu/packages/patches/qemu-CVE-2017-2615.patch, > gnu/packages/patches/qemu-CVE-2017-2620.patch, > gnu/packages/patches/qemu-CVE-2017-2630.patch, > gnu/packages/patches/qemu-CVE-2017-5525.patch, > gnu/packages/patches/qemu-CVE-2017-5526.patch, > gnu/packages/patches/qemu-CVE-2017-5552.patch, > gnu/packages/patches/qemu-CVE-2017-5578.patch, > gnu/packages/patches/qemu-CVE-2017-5579.patch, > gnu/packages/patches/qemu-CVE-2017-5667.patch, > gnu/packages/patches/qemu-CVE-2017-5856.patch, > gnu/packages/patches/qemu-CVE-2017-5898.patch, > gnu/packages/patches/qemu-CVE-2017-5931.patch: Delete files. > * gnu/local.mk (dist_patch_DATA): Remove them. Here's an updated version of this patchset, for your reference. --fUYQa+Pmc3FrFX/N Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; filename="0001-gnu-qemu-Update-to-2.9.0-rc3-fixes-CVE-2017-5857-597.patch" Content-Transfer-Encoding: quoted-printable =46rom 6c71528b64c15e4aa85e7d22957ff754165d6e30 Mon Sep 17 00:00:00 2001 =46rom: Leo Famulari Date: Fri, 7 Apr 2017 09:03:28 -0400 Subject: [PATCH] gnu: qemu: Update to 2.9.0-rc3 [fixes CVE-2017-{5857,5973,5987,6058,6505,7377}]. * gnu/packages/qemu.scm (qemu): Update to 2.9.0-rc3. [source]: Remove obsolete patches. * gnu/packages/patches/qemu-CVE-2016-10155.patch, gnu/packages/patches/qemu-CVE-2017-5525.patch, gnu/packages/patches/qemu-CVE-2017-5526.patch, gnu/packages/patches/qemu-CVE-2017-5552.patch, gnu/packages/patches/qemu-CVE-2017-5578.patch, gnu/packages/patches/qemu-CVE-2017-5579.patch, gnu/packages/patches/qemu-CVE-2017-5856.patch, gnu/packages/patches/qemu-CVE-2017-5898.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 8 --- gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 ------------------- gnu/packages/patches/qemu-CVE-2017-5525.patch | 55 --------------------- gnu/packages/patches/qemu-CVE-2017-5526.patch | 58 ---------------------- gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 ----------------- gnu/packages/patches/qemu-CVE-2017-5578.patch | 39 --------------- gnu/packages/patches/qemu-CVE-2017-5579.patch | 44 ----------------- gnu/packages/patches/qemu-CVE-2017-5856.patch | 68 ----------------------= ---- gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 ----------------- gnu/packages/qemu.scm | 13 +---- 10 files changed, 2 insertions(+), 420 deletions(-) delete mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5525.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5526.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5578.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5579.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5856.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5898.patch diff --git a/gnu/local.mk b/gnu/local.mk index 93bafa282..255f7610e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -889,14 +889,6 @@ dist_patch_DATA =3D \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch= \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ - %D%/packages/patches/qemu-CVE-2016-10155.patch \ - %D%/packages/patches/qemu-CVE-2017-5525.patch \ - %D%/packages/patches/qemu-CVE-2017-5526.patch \ - %D%/packages/patches/qemu-CVE-2017-5552.patch \ - %D%/packages/patches/qemu-CVE-2017-5578.patch \ - %D%/packages/patches/qemu-CVE-2017-5579.patch \ - %D%/packages/patches/qemu-CVE-2017-5856.patch \ - %D%/packages/patches/qemu-CVE-2017-5898.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/= patches/qemu-CVE-2016-10155.patch deleted file mode 100644 index 825edaa81..000000000 --- a/gnu/packages/patches/qemu-CVE-2016-10155.patch +++ /dev/null @@ -1,49 +0,0 @@ -From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Mon, 28 Nov 2016 17:49:04 -0800 -Subject: [PATCH] watchdog: 6300esb: add exit function - -When the Intel 6300ESB watchdog is hot unplug. The timer allocated -in realize isn't freed thus leaking memory leak. This patch avoid -this through adding the exit function. - -http://git.qemu.org/?p=3Dqemu.git;a=3Dpatch;h=3Deb7a20a3616085d46aa6b4b422= 4e15587ec67e6e -this patch is from qemu-git. - -Signed-off-by: Li Qiang -Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> -Signed-off-by: Paolo Bonzini ---- - hw/watchdog/wdt_i6300esb.c | 9 +++++++++ - 1 files changed, 9 insertions(+), 0 deletions(-) - -diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c -index a83d951..49b3cd1 100644 ---- a/hw/watchdog/wdt_i6300esb.c -+++ b/hw/watchdog/wdt_i6300esb.c -@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **= errp) - /* qemu_register_coalesced_mmio (addr, 0x10); ? */ - } -=20 -+static void i6300esb_exit(PCIDevice *dev) -+{ -+ I6300State *d =3D WATCHDOG_I6300ESB_DEVICE(dev); -+ -+ timer_del(d->timer); -+ timer_free(d->timer); -+} -+ - static WatchdogTimerModel model =3D { - .wdt_name =3D "i6300esb", - .wdt_description =3D "Intel 6300ESB", -@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, vo= id *data) - k->config_read =3D i6300esb_config_read; - k->config_write =3D i6300esb_config_write; - k->realize =3D i6300esb_realize; -+ k->exit =3D i6300esb_exit; - k->vendor_id =3D PCI_VENDOR_ID_INTEL; - k->device_id =3D PCI_DEVICE_ID_INTEL_ESB_9; - k->class_id =3D PCI_CLASS_SYSTEM_OTHER; ---=20 -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/p= atches/qemu-CVE-2017-5525.patch deleted file mode 100644 index d0c0c82a4..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5525.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 14 Dec 2016 18:30:21 -0800 -Subject: [PATCH] audio: ac97: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=3Dutf8 -Content-Transfer-Encoding: 8bit - -http://git.qemu.org/?p=3Dqemu.git;a=3Dpatch;h=3D12351a91da97b414eec8cdb09f= 1d9f41e535a401 -this patch is from qemu-git - -Currently the ac97 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-Andr=C3=A9 Lureau -Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com -Signed-off-by: Gerd Hoffmann ---- - hw/audio/ac97.c | 11 +++++++++++ - 1 files changed, 11 insertions(+), 0 deletions(-) - -diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c -index cbd959e..c306575 100644 ---- a/hw/audio/ac97.c -+++ b/hw/audio/ac97.c -@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **er= rp) - ac97_on_reset (&s->dev.qdev); - } -=20 -+static void ac97_exit(PCIDevice *dev) -+{ -+ AC97LinkState *s =3D DO_UPCAST(AC97LinkState, dev, dev); -+ -+ AUD_close_in(&s->card, s->voice_pi); -+ AUD_close_out(&s->card, s->voice_po); -+ AUD_close_in(&s->card, s->voice_mc); -+ AUD_remove_card(&s->card); -+} -+ - static int ac97_init (PCIBus *bus) - { - pci_create_simple (bus, -1, "AC97"); -@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, voi= d *data) - PCIDeviceClass *k =3D PCI_DEVICE_CLASS (klass); -=20 - k->realize =3D ac97_realize; -+ k->exit =3D ac97_exit; - k->vendor_id =3D PCI_VENDOR_ID_INTEL; - k->device_id =3D PCI_DEVICE_ID_INTEL_82801AA_5; - k->revision =3D 0x01; ---=20 -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/p= atches/qemu-CVE-2017-5526.patch deleted file mode 100644 index 5a6d79645..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5526.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 14 Dec 2016 18:32:22 -0800 -Subject: [PATCH] audio: es1370: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=3Dutf8 -Content-Transfer-Encoding: 8bit - -http://git.qemu.org/?p=3Dqemu.git;a=3Dpatch;h=3D069eb7b2b8fc47c7cb52e5a4af= 23ea98d939e3da -this patch is from qemu-git. - -Currently the es1370 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-Andr=C3=A9 Lureau -Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com -Signed-off-by: Gerd Hoffmann ---- - hw/audio/es1370.c | 14 ++++++++++++++ - 1 files changed, 14 insertions(+), 0 deletions(-) - -diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c -index 8449b5f..883ec69 100644 ---- a/hw/audio/es1370.c -+++ b/hw/audio/es1370.c -@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **= errp) - es1370_reset (s); - } -=20 -+static void es1370_exit(PCIDevice *dev) -+{ -+ ES1370State *s =3D ES1370(dev); -+ int i; -+ -+ for (i =3D 0; i < 2; ++i) { -+ AUD_close_out(&s->card, s->dac_voice[i]); -+ } -+ -+ AUD_close_in(&s->card, s->adc_voice); -+ AUD_remove_card(&s->card); -+} -+ - static int es1370_init (PCIBus *bus) - { - pci_create_simple (bus, -1, TYPE_ES1370); -@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, v= oid *data) - PCIDeviceClass *k =3D PCI_DEVICE_CLASS (klass); -=20 - k->realize =3D es1370_realize; -+ k->exit =3D es1370_exit; - k->vendor_id =3D PCI_VENDOR_ID_ENSONIQ; - k->device_id =3D PCI_DEVICE_ID_ENSONIQ_ES1370; - k->class_id =3D PCI_CLASS_MULTIMEDIA_AUDIO; ---=20 -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/p= atches/qemu-CVE-2017-5552.patch deleted file mode 100644 index 50911f4f3..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5552.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Thu, 29 Dec 2016 03:11:26 -0500 -Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing -MIME-Version: 1.0 -Content-Type: text/plain; charset=3Dutf8 -Content-Transfer-Encoding: 8bit - -If the virgl_renderer_resource_attach_iov function fails the -'res_iovs' will be leaked. Add check of the return value to -free the 'res_iovs' when failing. - -http://git.qemu.org/?p=3Dqemu.git;a=3Dpatch;h=3D33243031dad02d161225ba99d7= 82616da133f689 -this patch is from qemu-git. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-Andr=C3=A9 Lureau -Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/virtio-gpu-3d.c | 7 +++++-- - 1 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index e29f099..b13ced3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *= g, - return; - } -=20 -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -- res_iovs, att_rb.nr_entries); -+ ret =3D virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ res_iovs, att_rb.nr_entries); -+ -+ if (ret !=3D 0) -+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); - } -=20 - static void virgl_resource_detach_backing(VirtIOGPU *g, ---=20 -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5578.patch b/gnu/packages/p= atches/qemu-CVE-2017-5578.patch deleted file mode 100644 index 05655bcd9..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5578.patch +++ /dev/null @@ -1,39 +0,0 @@ -http://git.qemu.org/?p=3Dqemu.git;a=3Dpatch;h=3D204f01b30975923c64006f8067= f0937b91eea68b -this patch is from qemu-git. - - -From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Thu, 29 Dec 2016 04:28:41 -0500 -Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing - -In the resource attach backing function, everytime it will -allocate 'res->iov' thus can leading a memory leak. This -patch avoid this. - -Signed-off-by: Li Qiang -Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/virtio-gpu.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 6a26258cac..ca88cf478d 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, - return; - } -=20 -+ if (res->iov) { -+ cmd->error =3D VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret =3D virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->io= v); - if (ret !=3D 0) { - cmd->error =3D VIRTIO_GPU_RESP_ERR_UNSPEC; ---=20 -2.11.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5579.patch b/gnu/packages/p= atches/qemu-CVE-2017-5579.patch deleted file mode 100644 index 7630012d5..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5579.patch +++ /dev/null @@ -1,44 +0,0 @@ -http://git.qemu.org/?p=3Dqemu.git;a=3Dpatch;h=3D8409dc884a201bf74b30a9d232= b6bbdd00cb7e2b -this patch is from qemu-git. - - -From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 4 Jan 2017 00:43:16 -0800 -Subject: [PATCH] serial: fix memory leak in serial exit - -The serial_exit_core function doesn't free some resources. -This can lead memory leak when hotplug and unplug. This -patch avoid this. - -Signed-off-by: Li Qiang -Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> -Signed-off-by: Paolo Bonzini ---- - hw/char/serial.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index ffbacd8227..67b18eda12 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) - void serial_exit_core(SerialState *s) - { - qemu_chr_fe_deinit(&s->chr); -+ -+ timer_del(s->modem_status_poll); -+ timer_free(s->modem_status_poll); -+ -+ timer_del(s->fifo_timeout_timer); -+ timer_free(s->fifo_timeout_timer); -+ -+ fifo8_destroy(&s->recv_fifo); -+ fifo8_destroy(&s->xmit_fifo); -+ - qemu_unregister_reset(serial_reset, s); - } -=20 ---=20 -2.11.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5856.patch b/gnu/packages/p= atches/qemu-CVE-2017-5856.patch deleted file mode 100644 index bee0824c0..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5856.patch +++ /dev/null @@ -1,68 +0,0 @@ -http://git.qemu.org/?p=3Dqemu.git;a=3Dpatch;h=3D765a707000e838c30b18d712fe= 6cb3dd8e0435f3 -this patch is from qemu-git. - - -From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Mon, 2 Jan 2017 11:03:33 +0100 -Subject: [PATCH] megasas: fix guest-triggered memory leak - -If the guest sets the sglist size to a value >=3D2GB, megasas_handle_dcmd -will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. -Avoid this by returning only the status from map_dcmd, and loading -cmd->iov_size in the caller. - -Reported-by: Li Qiang -Signed-off-by: Paolo Bonzini ---- - hw/scsi/megasas.c | 11 ++++++----- - 1 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 67fc1e7..6233865 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, Megasas= Cmd *cmd) - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); - cmd->iov_size =3D 0; -- return -1; -+ return -EINVAL; - } - iov_pa =3D megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); - iov_size =3D megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); - pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); - qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); - cmd->iov_size =3D iov_size; -- return cmd->iov_size; -+ return 0; - } -=20 - static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) -@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { -=20 - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode, len; -+ int opcode; - int retval =3D 0; -+ size_t len; - const struct dcmd_cmd_tbl_t *cmdptr =3D dcmd_cmd_tbl; -=20 - opcode =3D le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); -- len =3D megasas_map_dcmd(s, cmd); -- if (len < 0) { -+ if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } - while (cmdptr->opcode !=3D -1 && cmdptr->opcode !=3D opcode) { - cmdptr++; - } -+ len =3D cmd->iov_size; - if (cmdptr->opcode =3D=3D -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); - retval =3D megasas_dcmd_dummy(s, cmd); ---=20 -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/p= atches/qemu-CVE-2017-5898.patch deleted file mode 100644 index 5a94bb1ae..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5898.patch +++ /dev/null @@ -1,44 +0,0 @@ -Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest): - -http://seclists.org/oss-sec/2017/q1/328 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2017-5898 - -Patch copied from upstream source repository: - -http://git.qemu-project.org/?p=3Dqemu.git;a=3Dcommitdiff;h=3Dc7dfbf322595d= ed4e70b626bf83158a9f3807c6a - -From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 3 Feb 2017 00:52:28 +0530 -Subject: [PATCH] usb: ccid: check ccid apdu length - -CCID device emulator uses Application Protocol Data Units(APDU) -to exchange command and responses to and from the host. -The length in these units couldn't be greater than 65536. Add -check to ensure the same. It'd also avoid potential integer -overflow in emulated_apdu_from_guest. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-id: 20170202192228.10847-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/dev-smartcard-reader.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c -index 89e11b68c4..1325ea1659 100644 ---- a/hw/usb/dev-smartcard-reader.c -+++ b/hw/usb/dev-smartcard-reader.c -@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, C= CID_XferBlock *recv) - DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, - recv->hdr.bSeq, len); - ccid_add_pending_answer(s, (CCID_Header *)recv); -- if (s->card) { -+ if (s->card && len <=3D BULK_OUT_DATA_SIZE) { - ccid_card_apdu_from_guest(s->card, recv->abData, len); - } else { - DPRINTF(s, D_WARN, "warning: discarded apdu\n"); ---=20 -2.11.1 - diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index e0b4695f3..6be23eb62 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -69,23 +69,14 @@ (define-public qemu (package (name "qemu") - (version "2.8.1") + (version "2.9.0-rc3") (source (origin (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qe= mu-" version ".tar.xz")) (sha256 (base32 - "0h342v4n44kh89yyfas4iazvhhsy5m5qk94vsjqpz5zpq1i2ykad")) - (patches (search-patches "qemu-CVE-2016-10155.patch" - "qemu-CVE-2017-5525.patch" - "qemu-CVE-2017-5526.patch" - "qemu-CVE-2017-5552.patch" - "qemu-CVE-2017-5578.patch" - "qemu-CVE-2017-5579.patch" - "qemu-CVE-2017-5856.patch" - "qemu-CVE-2017-5898.patch" - )))) + "00dzw3j2fykm98wvfpb79fyd4rjffnsxrwbs4fvr1v8kxbyqy3ab")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, lik= e: --=20 2.12.2 --fUYQa+Pmc3FrFX/N-- --V0207lvV8h4k8FAm Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAljnkDsACgkQJkb6MLrK fwjStRAA0Jp1PA8yiM+WF0QScbB3fAfW5uFerPd5cSW1wutxs1E7byhVTc5n5q+A t2KAhmcNMPAFJrzTrVXi72THPD+a8WPQ1fpXQmjMD3W7ogBc1J48WtsOl4TlC2pv +w8MtVl1eJRT3DGee3+9v8Uzg4Z/dhGSDDrEAsQx9ujwwvDkTN1t1krtIZMGWy9/ 3rqFmsKUrS0CJzcLXZhfDKYdepGXSAoWET6WzNg9JHs7pQdKa8G8Bj5iKvgugAny qyw2C2MTOiFcOwdrEwaPCRnQEk48Qf2sOM313A2veklF4ZJmxpDsbf9nMmkO/TQz WyLRmGl8iaVDzv0G9VUpAViVOjre3CbmnNHLAT/OymYIUQT93AVQcJNigwn12icx KNlehBnkrNseqHvetkS5gohmeDCyb0ACHqE2aMFD9ZwBKEQX6PkhvCarzTw01jYU tCJqBdTg4cot/CQ+IGCd3SKRqpAE1RMS3fbq5nhYA83eUmTA8XMD6DOh5wqch7fP HZj0668OjiBYqPHUVeZ4nlRE9IC5dzo5dwDlPZIsZs6zewWDGss84BxrNmgmw7Xz zQ6uB3JU2ggCMV85iS7ZC0D2kutkuQ5cua2u0v59s5QJ7Da+3ubR5ATeFskGGpH7 FkWiIeiouIiww/x8JNhpeGNO1v7P46ovUTLXAgKHdDFuGrVAGYQ= =RBTa -----END PGP SIGNATURE----- --V0207lvV8h4k8FAm--