From: Leo Famulari <leo@famulari.name>
To: guix-devel@gnu.org
Subject: [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes].
Date: Tue, 28 Mar 2017 04:06:37 -0400 [thread overview]
Message-ID: <33cbe8c58db1c1dac061ca8d52cf79b326379f43.1490688315.git.leo@famulari.name> (raw)
In-Reply-To: <cover.1490688315.git.leo@famulari.name>
In-Reply-To: <cover.1490688315.git.leo@famulari.name>
Fixes CVE-2016-9602 and CVE-2017-{5857,5973,5987,6058,6505}.
* gnu/packages/qemu.scm (qemu): Update to 2.9.0-rc1.
[source]: Remove obsolete patches.
* gnu/packages/patches/qemu-CVE-2016-10155.patch,
gnu/packages/patches/qemu-CVE-2017-2615.patch,
gnu/packages/patches/qemu-CVE-2017-2620.patch,
gnu/packages/patches/qemu-CVE-2017-2630.patch,
gnu/packages/patches/qemu-CVE-2017-5525.patch,
gnu/packages/patches/qemu-CVE-2017-5526.patch,
gnu/packages/patches/qemu-CVE-2017-5552.patch,
gnu/packages/patches/qemu-CVE-2017-5578.patch,
gnu/packages/patches/qemu-CVE-2017-5579.patch,
gnu/packages/patches/qemu-CVE-2017-5667.patch,
gnu/packages/patches/qemu-CVE-2017-5856.patch,
gnu/packages/patches/qemu-CVE-2017-5898.patch,
gnu/packages/patches/qemu-CVE-2017-5931.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
gnu/local.mk | 13 ---
gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 ---------
gnu/packages/patches/qemu-CVE-2017-2615.patch | 52 ----------
gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 -------------------------
gnu/packages/patches/qemu-CVE-2017-2630.patch | 47 ---------
gnu/packages/patches/qemu-CVE-2017-5525.patch | 55 ----------
gnu/packages/patches/qemu-CVE-2017-5526.patch | 58 -----------
gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5578.patch | 39 -------
gnu/packages/patches/qemu-CVE-2017-5579.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5667.patch | 46 ---------
gnu/packages/patches/qemu-CVE-2017-5856.patch | 68 -------------
gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 ----------
gnu/packages/qemu.scm | 19 +---
15 files changed, 3 insertions(+), 764 deletions(-)
delete mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2615.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2620.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2630.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5525.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5526.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5578.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5579.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5667.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5856.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5898.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5931.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index cc187e2d2..b9ce02ac6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -877,19 +877,6 @@ dist_patch_DATA = \
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
- %D%/packages/patches/qemu-CVE-2016-10155.patch \
- %D%/packages/patches/qemu-CVE-2017-2615.patch \
- %D%/packages/patches/qemu-CVE-2017-2620.patch \
- %D%/packages/patches/qemu-CVE-2017-2630.patch \
- %D%/packages/patches/qemu-CVE-2017-5525.patch \
- %D%/packages/patches/qemu-CVE-2017-5526.patch \
- %D%/packages/patches/qemu-CVE-2017-5552.patch \
- %D%/packages/patches/qemu-CVE-2017-5578.patch \
- %D%/packages/patches/qemu-CVE-2017-5579.patch \
- %D%/packages/patches/qemu-CVE-2017-5667.patch \
- %D%/packages/patches/qemu-CVE-2017-5856.patch \
- %D%/packages/patches/qemu-CVE-2017-5898.patch \
- %D%/packages/patches/qemu-CVE-2017-5931.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch
deleted file mode 100644
index 825edaa81..000000000
--- a/gnu/packages/patches/qemu-CVE-2016-10155.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
-this patch is from qemu-git.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
- /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
-
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+ timer_del(d->timer);
-+ timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
- .wdt_name = "i6300esb",
- .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
- k->config_read = i6300esb_config_read;
- k->config_write = i6300esb_config_write;
- k->realize = i6300esb_realize;
-+ k->exit = i6300esb_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
- k->class_id = PCI_CLASS_SYSTEM_OTHER;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-2615.patch b/gnu/packages/patches/qemu-CVE-2017-2615.patch
deleted file mode 100644
index ede1f8c89..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-2615.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64
-this patch is from qemu-git.
-
-
-From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 1 Feb 2017 09:35:01 +0100
-Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
- address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409dc5..16f27e8ac5 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
- if (pitch < 0) {
- int64_t min = addr
-- + ((int64_t)s->cirrus_blt_height-1) * pitch;
-- int32_t max = addr
-- + s->cirrus_blt_width;
-- if (min < 0 || max > s->vga.vram_size) {
-+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+ - s->cirrus_blt_width;
-+ if (min < -1 || addr >= s->vga.vram_size) {
- return true;
- }
- } else {
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch
deleted file mode 100644
index d3111827b..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-2620.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-Fix CVE-2017-2620:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620
-https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html
-
-Both patches copied from upstream source repository:
-
-Fixes CVE-2017-2620:
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298
-
-The CVE-2017-2620 bug-fix depends on this earlier patch:
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061
-
-From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 8 Feb 2017 11:18:36 +0100
-Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
- (CVE-2017-2620)
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all. Oops. Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 1deb52070a..b9e7cb1df1 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
- int w;
-
-+ if (blit_is_unsafe(s, true)) {
-+ return 0;
-+ }
-+
- s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
- s->cirrus_srcptr = &s->cirrus_bltbuf[0];
- s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- }
- s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
- }
-+
-+ /* the blit_is_unsafe call above should catch this */
-+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
- s->cirrus_srcptr = s->cirrus_bltbuf;
- s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
- cirrus_update_memory_access(s);
---
-2.12.0
-
-From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 9 Jan 2017 13:35:20 -0700
-Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
- blit_is_unsafe
-
-Commit 4299b90 added a check which is too broad, given that the source
-pitch value is not required to be initialized for solid fill operations.
-This patch refines the blit_is_unsafe() check to ignore source pitch in
-that case. After applying the above commit as a security patch, we
-noticed the SLES 11 SP4 guest gui failed to initialize properly.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Message-id: 20170109203520.5619-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index bdb092ee9d..379910db2d 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- return false;
- }
-
--static bool blit_is_unsafe(struct CirrusVGAState *s)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
- /* should be the case, see cirrus_bitblt_start */
- assert(s->cirrus_blt_width > 0);
-@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
- return true;
- }
-+ if (dst_only) {
-+ return false;
-+ }
- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
- return true;
-@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
-
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
-
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- (*s->cirrus_rop) (s, dst, src,
-@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
- cirrus_fill_t rop_func;
-
-- if (blit_is_unsafe(s)) {
-+ if (blit_is_unsafe(s, true)) {
- return 0;
- }
- rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
---
-2.12.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch
deleted file mode 100644
index b154d171f..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-2630.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Fix CVE-2017-2630:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630
-https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85
-
-From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Date: Tue, 7 Mar 2017 09:16:27 -0600
-Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630]
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Comparison symbol is misused. It may lead to memory corruption.
-Introduced in commit 7d3123e.
-
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
-[eblake: add CVE details, update conditional]
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20170307151627.27212-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- nbd/client.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/nbd/client.c b/nbd/client.c
-index 5c9dee37fa..3dc2564cd0 100644
---- a/nbd/client.c
-+++ b/nbd/client.c
-@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
- char small[1024];
- char *buffer;
-
-- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
-+ buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size));
- while (size > 0) {
- ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
-
---
-2.12.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch
deleted file mode 100644
index d0c0c82a4..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5525.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:30:21 -0800
-Subject: [PATCH] audio: ac97: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
-this patch is from qemu-git
-
-Currently the ac97 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/ac97.c | 11 +++++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
-
-diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
---- a/hw/audio/ac97.c
-+++ b/hw/audio/ac97.c
-@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
- ac97_on_reset (&s->dev.qdev);
- }
-
-+static void ac97_exit(PCIDevice *dev)
-+{
-+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
-+
-+ AUD_close_in(&s->card, s->voice_pi);
-+ AUD_close_out(&s->card, s->voice_po);
-+ AUD_close_in(&s->card, s->voice_mc);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int ac97_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, "AC97");
-@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = ac97_realize;
-+ k->exit = ac97_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
- k->revision = 0x01;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch
deleted file mode 100644
index 5a6d79645..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5526.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:32:22 -0800
-Subject: [PATCH] audio: es1370: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
-this patch is from qemu-git.
-
-Currently the es1370 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/es1370.c | 14 ++++++++++++++
- 1 files changed, 14 insertions(+), 0 deletions(-)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
- es1370_reset (s);
- }
-
-+static void es1370_exit(PCIDevice *dev)
-+{
-+ ES1370State *s = ES1370(dev);
-+ int i;
-+
-+ for (i = 0; i < 2; ++i) {
-+ AUD_close_out(&s->card, s->dac_voice[i]);
-+ }
-+
-+ AUD_close_in(&s->card, s->adc_voice);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int es1370_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, TYPE_ES1370);
-@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = es1370_realize;
-+ k->exit = es1370_exit;
- k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
- k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
- k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch
deleted file mode 100644
index 50911f4f3..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5552.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 03:11:26 -0500
-Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-If the virgl_renderer_resource_attach_iov function fails the
-'res_iovs' will be leaked. Add check of the return value to
-free the 'res_iovs' when failing.
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
-this patch is from qemu-git.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu-3d.c | 7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index e29f099..b13ced3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-- virgl_renderer_resource_attach_iov(att_rb.resource_id,
-- res_iovs, att_rb.nr_entries);
-+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+ res_iovs, att_rb.nr_entries);
-+
-+ if (ret != 0)
-+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
- }
-
- static void virgl_resource_detach_backing(VirtIOGPU *g,
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5578.patch b/gnu/packages/patches/qemu-CVE-2017-5578.patch
deleted file mode 100644
index 05655bcd9..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5578.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=204f01b30975923c64006f8067f0937b91eea68b
-this patch is from qemu-git.
-
-
-From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 04:28:41 -0500
-Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
-
-In the resource attach backing function, everytime it will
-allocate 'res->iov' thus can leading a memory leak. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 6a26258cac..ca88cf478d 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-+ if (res->iov) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+ return;
-+ }
-+
- ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
- if (ret != 0) {
- cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5579.patch b/gnu/packages/patches/qemu-CVE-2017-5579.patch
deleted file mode 100644
index 7630012d5..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5579.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
-this patch is from qemu-git.
-
-
-From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 4 Jan 2017 00:43:16 -0800
-Subject: [PATCH] serial: fix memory leak in serial exit
-
-The serial_exit_core function doesn't free some resources.
-This can lead memory leak when hotplug and unplug. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/char/serial.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index ffbacd8227..67b18eda12 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
- void serial_exit_core(SerialState *s)
- {
- qemu_chr_fe_deinit(&s->chr);
-+
-+ timer_del(s->modem_status_poll);
-+ timer_free(s->modem_status_poll);
-+
-+ timer_del(s->fifo_timeout_timer);
-+ timer_free(s->fifo_timeout_timer);
-+
-+ fifo8_destroy(&s->recv_fifo);
-+ fifo8_destroy(&s->xmit_fifo);
-+
- qemu_unregister_reset(serial_reset, s);
- }
-
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5667.patch b/gnu/packages/patches/qemu-CVE-2017-5667.patch
deleted file mode 100644
index 5adea0d27..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5667.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
-
-http://seclists.org/oss-sec/2017/q1/243
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
-
-From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Feb 2017 18:29:59 +0000
-Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
-
-While doing multi block SDMA transfer in routine
-'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
-index 'begin' and data length 's->data_count' could end up to be same.
-This could lead to an OOB access issue. Correct transfer data length
-to avoid it.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20170130064736.9236-1-ppandit@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/sd/sdhci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 01fbf228be..5bd5ab6319 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- boundary_count -= block_size - begin;
- }
- dma_memory_read(&address_space_memory, s->sdmasysad,
-- &s->fifo_buffer[begin], s->data_count);
-+ &s->fifo_buffer[begin], s->data_count - begin);
- s->sdmasysad += s->data_count - begin;
- if (s->data_count == block_size) {
- for (n = 0; n < block_size; n++) {
---
-2.11.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5856.patch b/gnu/packages/patches/qemu-CVE-2017-5856.patch
deleted file mode 100644
index bee0824c0..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5856.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3
-this patch is from qemu-git.
-
-
-From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 2 Jan 2017 11:03:33 +0100
-Subject: [PATCH] megasas: fix guest-triggered memory leak
-
-If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
-will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
-Avoid this by returning only the status from map_dcmd, and loading
-cmd->iov_size in the caller.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 11 ++++++-----
- 1 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 67fc1e7..6233865 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
- trace_megasas_dcmd_invalid_sge(cmd->index,
- cmd->frame->header.sge_count);
- cmd->iov_size = 0;
-- return -1;
-+ return -EINVAL;
- }
- iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
- iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
- pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
- qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
- cmd->iov_size = iov_size;
-- return cmd->iov_size;
-+ return 0;
- }
-
- static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
-@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
-
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
-- int opcode, len;
-+ int opcode;
- int retval = 0;
-+ size_t len;
- const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
-
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
-- len = megasas_map_dcmd(s, cmd);
-- if (len < 0) {
-+ if (megasas_map_dcmd(s, cmd) < 0) {
- return MFI_STAT_MEMORY_NOT_AVAILABLE;
- }
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
- cmdptr++;
- }
-+ len = cmd->iov_size;
- if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
- retval = megasas_dcmd_dummy(s, cmd);
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch
deleted file mode 100644
index 5a94bb1ae..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5898.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
-
-http://seclists.org/oss-sec/2017/q1/328
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
-
-From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 3 Feb 2017 00:52:28 +0530
-Subject: [PATCH] usb: ccid: check ccid apdu length
-
-CCID device emulator uses Application Protocol Data Units(APDU)
-to exchange command and responses to and from the host.
-The length in these units couldn't be greater than 65536. Add
-check to ensure the same. It'd also avoid potential integer
-overflow in emulated_apdu_from_guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170202192228.10847-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-smartcard-reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index 89e11b68c4..1325ea1659 100644
---- a/hw/usb/dev-smartcard-reader.c
-+++ b/hw/usb/dev-smartcard-reader.c
-@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
- DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
- recv->hdr.bSeq, len);
- ccid_add_pending_answer(s, (CCID_Header *)recv);
-- if (s->card) {
-+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
- ccid_card_apdu_from_guest(s->card, recv->abData, len);
- } else {
- DPRINTF(s, D_WARN, "warning: discarded apdu\n");
---
-2.11.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch
deleted file mode 100644
index 08910e5fa..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5931.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
-
-http://seclists.org/oss-sec/2017/q1/337
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
-
-From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
-From: Gonglei <arei.gonglei@huawei.com>
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-
-Using uint_64 instead of size_t to avoid the integer overflow.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Tested-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e859..c23e1ad458 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- uint32_t hash_start_src_offset = 0, len_to_hash = 0;
- uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
-
-- size_t max_len, curr_size = 0;
-+ uint64_t max_len, curr_size = 0;
- size_t s;
-
- /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- return NULL;
- }
-
-- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
- if (unlikely(max_len > vcrypto->conf.max_size)) {
- virtio_error(vdev, "virtio-crypto too big length");
- return NULL;
---
-2.11.1
-
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 07ab871fa..758d1e988 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -69,27 +69,14 @@
(define-public qemu
(package
(name "qemu")
- (version "2.8.0")
+ (version "2.9.0-rc1")
(source (origin
(method url-fetch)
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
- version ".tar.bz2"))
+ version ".tar.xz"))
(sha256
(base32
- "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))
- (patches (search-patches "qemu-CVE-2016-10155.patch"
- "qemu-CVE-2017-2615.patch"
- "qemu-CVE-2017-2620.patch"
- "qemu-CVE-2017-2630.patch"
- "qemu-CVE-2017-5525.patch"
- "qemu-CVE-2017-5526.patch"
- "qemu-CVE-2017-5552.patch"
- "qemu-CVE-2017-5578.patch"
- "qemu-CVE-2017-5579.patch"
- "qemu-CVE-2017-5667.patch"
- "qemu-CVE-2017-5856.patch"
- "qemu-CVE-2017-5898.patch"
- "qemu-CVE-2017-5931.patch"))))
+ "07p0qk090a7444j31wf8fp02bg19mrai8a7awszp04y9jjd1ziwc"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like:
--
2.12.0
next prev parent reply other threads:[~2017-03-28 8:07 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-28 8:06 [PATCH 0/1] QEMU 2.9.0-rc1 Leo Famulari
2017-03-28 8:06 ` Leo Famulari [this message]
2017-04-07 13:12 ` [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes] Leo Famulari
2017-03-30 19:27 ` [PATCH 0/1] QEMU 2.9.0-rc1 Marius Bakke
2017-03-30 23:37 ` Leo Famulari
2017-03-31 8:03 ` Ludovic Courtès
2017-04-01 0:01 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=33cbe8c58db1c1dac061ca8d52cf79b326379f43.1490688315.git.leo@famulari.name \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).