From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes]. Date: Tue, 28 Mar 2017 04:06:37 -0400 Message-ID: <33cbe8c58db1c1dac061ca8d52cf79b326379f43.1490688315.git.leo@famulari.name> References: Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:53401) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1csm9b-0000H2-8o for guix-devel@gnu.org; Tue, 28 Mar 2017 04:07:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1csm9W-00079Q-Ow for guix-devel@gnu.org; Tue, 28 Mar 2017 04:06:59 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:49283) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1csm9M-00077f-CA for guix-devel@gnu.org; Tue, 28 Mar 2017 04:06:54 -0400 Received: from localhost.localdomain (c-73-188-17-148.hsd1.pa.comcast.net [73.188.17.148]) by mail.messagingengine.com (Postfix) with ESMTPA id D629B7E6B8 for ; Tue, 28 Mar 2017 04:06:43 -0400 (EDT) In-Reply-To: In-Reply-To: References: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org Fixes CVE-2016-9602 and CVE-2017-{5857,5973,5987,6058,6505}. * gnu/packages/qemu.scm (qemu): Update to 2.9.0-rc1. [source]: Remove obsolete patches. * gnu/packages/patches/qemu-CVE-2016-10155.patch, gnu/packages/patches/qemu-CVE-2017-2615.patch, gnu/packages/patches/qemu-CVE-2017-2620.patch, gnu/packages/patches/qemu-CVE-2017-2630.patch, gnu/packages/patches/qemu-CVE-2017-5525.patch, gnu/packages/patches/qemu-CVE-2017-5526.patch, gnu/packages/patches/qemu-CVE-2017-5552.patch, gnu/packages/patches/qemu-CVE-2017-5578.patch, gnu/packages/patches/qemu-CVE-2017-5579.patch, gnu/packages/patches/qemu-CVE-2017-5667.patch, gnu/packages/patches/qemu-CVE-2017-5856.patch, gnu/packages/patches/qemu-CVE-2017-5898.patch, gnu/packages/patches/qemu-CVE-2017-5931.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Remove them. --- gnu/local.mk | 13 --- gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 --------- gnu/packages/patches/qemu-CVE-2017-2615.patch | 52 ---------- gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 ------------------------- gnu/packages/patches/qemu-CVE-2017-2630.patch | 47 --------- gnu/packages/patches/qemu-CVE-2017-5525.patch | 55 ---------- gnu/packages/patches/qemu-CVE-2017-5526.patch | 58 ----------- gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 -------- gnu/packages/patches/qemu-CVE-2017-5578.patch | 39 ------- gnu/packages/patches/qemu-CVE-2017-5579.patch | 44 -------- gnu/packages/patches/qemu-CVE-2017-5667.patch | 46 --------- gnu/packages/patches/qemu-CVE-2017-5856.patch | 68 ------------- gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 -------- gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 ---------- gnu/packages/qemu.scm | 19 +--- 15 files changed, 3 insertions(+), 764 deletions(-) delete mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2615.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2620.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2630.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5525.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5526.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5578.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5579.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5667.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5856.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5898.patch delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5931.patch diff --git a/gnu/local.mk b/gnu/local.mk index cc187e2d2..b9ce02ac6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -877,19 +877,6 @@ dist_patch_DATA = \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ - %D%/packages/patches/qemu-CVE-2016-10155.patch \ - %D%/packages/patches/qemu-CVE-2017-2615.patch \ - %D%/packages/patches/qemu-CVE-2017-2620.patch \ - %D%/packages/patches/qemu-CVE-2017-2630.patch \ - %D%/packages/patches/qemu-CVE-2017-5525.patch \ - %D%/packages/patches/qemu-CVE-2017-5526.patch \ - %D%/packages/patches/qemu-CVE-2017-5552.patch \ - %D%/packages/patches/qemu-CVE-2017-5578.patch \ - %D%/packages/patches/qemu-CVE-2017-5579.patch \ - %D%/packages/patches/qemu-CVE-2017-5667.patch \ - %D%/packages/patches/qemu-CVE-2017-5856.patch \ - %D%/packages/patches/qemu-CVE-2017-5898.patch \ - %D%/packages/patches/qemu-CVE-2017-5931.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch deleted file mode 100644 index 825edaa81..000000000 --- a/gnu/packages/patches/qemu-CVE-2016-10155.patch +++ /dev/null @@ -1,49 +0,0 @@ -From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Mon, 28 Nov 2016 17:49:04 -0800 -Subject: [PATCH] watchdog: 6300esb: add exit function - -When the Intel 6300ESB watchdog is hot unplug. The timer allocated -in realize isn't freed thus leaking memory leak. This patch avoid -this through adding the exit function. - -http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e -this patch is from qemu-git. - -Signed-off-by: Li Qiang -Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> -Signed-off-by: Paolo Bonzini ---- - hw/watchdog/wdt_i6300esb.c | 9 +++++++++ - 1 files changed, 9 insertions(+), 0 deletions(-) - -diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c -index a83d951..49b3cd1 100644 ---- a/hw/watchdog/wdt_i6300esb.c -+++ b/hw/watchdog/wdt_i6300esb.c -@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp) - /* qemu_register_coalesced_mmio (addr, 0x10); ? */ - } - -+static void i6300esb_exit(PCIDevice *dev) -+{ -+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev); -+ -+ timer_del(d->timer); -+ timer_free(d->timer); -+} -+ - static WatchdogTimerModel model = { - .wdt_name = "i6300esb", - .wdt_description = "Intel 6300ESB", -@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data) - k->config_read = i6300esb_config_read; - k->config_write = i6300esb_config_write; - k->realize = i6300esb_realize; -+ k->exit = i6300esb_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_ESB_9; - k->class_id = PCI_CLASS_SYSTEM_OTHER; --- -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-2615.patch b/gnu/packages/patches/qemu-CVE-2017-2615.patch deleted file mode 100644 index ede1f8c89..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-2615.patch +++ /dev/null @@ -1,52 +0,0 @@ -http://git.qemu.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64 -this patch is from qemu-git. - - -From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 1 Feb 2017 09:35:01 +0100 -Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) - -When doing bitblt copy in backward mode, we should minus the -blt width first just like the adding in the forward mode. This -can avoid the oob access of the front of vga's vram. - -Signed-off-by: Li Qiang - -{ kraxel: with backward blits (negative pitch) addr is the topmost - address, so check it as-is against vram size ] - -Cc: qemu-stable@nongnu.org -Cc: P J P -Cc: Laszlo Ersek -Cc: Paolo Bonzini -Cc: Wolfgang Bumiller -Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann -Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com -Reviewed-by: Laszlo Ersek ---- - hw/display/cirrus_vga.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 7db6409dc5..16f27e8ac5 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - { - if (pitch < 0) { - int64_t min = addr -- + ((int64_t)s->cirrus_blt_height-1) * pitch; -- int32_t max = addr -- + s->cirrus_blt_width; -- if (min < 0 || max > s->vga.vram_size) { -+ + ((int64_t)s->cirrus_blt_height - 1) * pitch -+ - s->cirrus_blt_width; -+ if (min < -1 || addr >= s->vga.vram_size) { - return true; - } - } else { --- -2.11.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch deleted file mode 100644 index d3111827b..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-2620.patch +++ /dev/null @@ -1,134 +0,0 @@ -Fix CVE-2017-2620: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620 -https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html - -Both patches copied from upstream source repository: - -Fixes CVE-2017-2620: -http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298 - -The CVE-2017-2620 bug-fix depends on this earlier patch: -http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061 - -From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Wed, 8 Feb 2017 11:18:36 +0100 -Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo - (CVE-2017-2620) - -CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination -and blit width, at all. Oops. Fix it. - -Security impact: high. - -The missing blit destination check allows to write to host memory. -Basically same as CVE-2014-8106 for the other blit variants. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 1deb52070a..b9e7cb1df1 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - { - int w; - -+ if (blit_is_unsafe(s, true)) { -+ return 0; -+ } -+ - s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; - s->cirrus_srcptr = &s->cirrus_bltbuf[0]; - s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; -@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - } - s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; - } -+ -+ /* the blit_is_unsafe call above should catch this */ -+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); -+ - s->cirrus_srcptr = s->cirrus_bltbuf; - s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; - cirrus_update_memory_access(s); --- -2.12.0 - -From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001 -From: Bruce Rogers -Date: Mon, 9 Jan 2017 13:35:20 -0700 -Subject: [PATCH] display: cirrus: ignore source pitch value as needed in - blit_is_unsafe - -Commit 4299b90 added a check which is too broad, given that the source -pitch value is not required to be initialized for solid fill operations. -This patch refines the blit_is_unsafe() check to ignore source pitch in -that case. After applying the above commit as a security patch, we -noticed the SLES 11 SP4 guest gui failed to initialize properly. - -Signed-off-by: Bruce Rogers -Message-id: 20170109203520.5619-1-brogers@suse.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index bdb092ee9d..379910db2d 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - return false; - } - --static bool blit_is_unsafe(struct CirrusVGAState *s) -+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) - { - /* should be the case, see cirrus_bitblt_start */ - assert(s->cirrus_blt_width > 0); -@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) - s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { - return true; - } -+ if (dst_only) { -+ return false; -+ } - if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, - s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { - return true; -@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, - - dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); - -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - (*s->cirrus_rop) (s, dst, src, -@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) - { - cirrus_fill_t rop_func; - -- if (blit_is_unsafe(s)) { -+ if (blit_is_unsafe(s, true)) { - return 0; - } - rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; -@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) - - static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) - { -- if (blit_is_unsafe(s)) -+ if (blit_is_unsafe(s, false)) - return 0; - - return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, --- -2.12.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch deleted file mode 100644 index b154d171f..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-2630.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix CVE-2017-2630: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630 -https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html - -Patch copied from upstream source repository: - -http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85 - -From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001 -From: Vladimir Sementsov-Ogievskiy -Date: Tue, 7 Mar 2017 09:16:27 -0600 -Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630] -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Comparison symbol is misused. It may lead to memory corruption. -Introduced in commit 7d3123e. - -Signed-off-by: Vladimir Sementsov-Ogievskiy -Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com> -[eblake: add CVE details, update conditional] -Signed-off-by: Eric Blake -Reviewed-by: Marc-André Lureau -Message-Id: <20170307151627.27212-1-eblake@redhat.com> -Signed-off-by: Paolo Bonzini ---- - nbd/client.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nbd/client.c b/nbd/client.c -index 5c9dee37fa..3dc2564cd0 100644 ---- a/nbd/client.c -+++ b/nbd/client.c -@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) - char small[1024]; - char *buffer; - -- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); -+ buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size)); - while (size > 0) { - ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); - --- -2.12.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch deleted file mode 100644 index d0c0c82a4..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5525.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 14 Dec 2016 18:30:21 -0800 -Subject: [PATCH] audio: ac97: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401 -this patch is from qemu-git - -Currently the ac97 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com -Signed-off-by: Gerd Hoffmann ---- - hw/audio/ac97.c | 11 +++++++++++ - 1 files changed, 11 insertions(+), 0 deletions(-) - -diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c -index cbd959e..c306575 100644 ---- a/hw/audio/ac97.c -+++ b/hw/audio/ac97.c -@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) - ac97_on_reset (&s->dev.qdev); - } - -+static void ac97_exit(PCIDevice *dev) -+{ -+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); -+ -+ AUD_close_in(&s->card, s->voice_pi); -+ AUD_close_out(&s->card, s->voice_po); -+ AUD_close_in(&s->card, s->voice_mc); -+ AUD_remove_card(&s->card); -+} -+ - static int ac97_init (PCIBus *bus) - { - pci_create_simple (bus, -1, "AC97"); -@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = ac97_realize; -+ k->exit = ac97_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; - k->revision = 0x01; --- -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch deleted file mode 100644 index 5a6d79645..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5526.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 14 Dec 2016 18:32:22 -0800 -Subject: [PATCH] audio: es1370: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da -this patch is from qemu-git. - -Currently the es1370 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com -Signed-off-by: Gerd Hoffmann ---- - hw/audio/es1370.c | 14 ++++++++++++++ - 1 files changed, 14 insertions(+), 0 deletions(-) - -diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c -index 8449b5f..883ec69 100644 ---- a/hw/audio/es1370.c -+++ b/hw/audio/es1370.c -@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp) - es1370_reset (s); - } - -+static void es1370_exit(PCIDevice *dev) -+{ -+ ES1370State *s = ES1370(dev); -+ int i; -+ -+ for (i = 0; i < 2; ++i) { -+ AUD_close_out(&s->card, s->dac_voice[i]); -+ } -+ -+ AUD_close_in(&s->card, s->adc_voice); -+ AUD_remove_card(&s->card); -+} -+ - static int es1370_init (PCIBus *bus) - { - pci_create_simple (bus, -1, TYPE_ES1370); -@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = es1370_realize; -+ k->exit = es1370_exit; - k->vendor_id = PCI_VENDOR_ID_ENSONIQ; - k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370; - k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO; --- -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch deleted file mode 100644 index 50911f4f3..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5552.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Thu, 29 Dec 2016 03:11:26 -0500 -Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -If the virgl_renderer_resource_attach_iov function fails the -'res_iovs' will be leaked. Add check of the return value to -free the 'res_iovs' when failing. - -http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689 -this patch is from qemu-git. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/virtio-gpu-3d.c | 7 +++++-- - 1 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index e29f099..b13ced3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, - return; - } - -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -- res_iovs, att_rb.nr_entries); -+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ res_iovs, att_rb.nr_entries); -+ -+ if (ret != 0) -+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); - } - - static void virgl_resource_detach_backing(VirtIOGPU *g, --- -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5578.patch b/gnu/packages/patches/qemu-CVE-2017-5578.patch deleted file mode 100644 index 05655bcd9..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5578.patch +++ /dev/null @@ -1,39 +0,0 @@ -http://git.qemu.org/?p=qemu.git;a=patch;h=204f01b30975923c64006f8067f0937b91eea68b -this patch is from qemu-git. - - -From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Thu, 29 Dec 2016 04:28:41 -0500 -Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing - -In the resource attach backing function, everytime it will -allocate 'res->iov' thus can leading a memory leak. This -patch avoid this. - -Signed-off-by: Li Qiang -Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/virtio-gpu.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 6a26258cac..ca88cf478d 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, - return; - } - -+ if (res->iov) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov); - if (ret != 0) { - cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; --- -2.11.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5579.patch b/gnu/packages/patches/qemu-CVE-2017-5579.patch deleted file mode 100644 index 7630012d5..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5579.patch +++ /dev/null @@ -1,44 +0,0 @@ -http://git.qemu.org/?p=qemu.git;a=patch;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b -this patch is from qemu-git. - - -From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 4 Jan 2017 00:43:16 -0800 -Subject: [PATCH] serial: fix memory leak in serial exit - -The serial_exit_core function doesn't free some resources. -This can lead memory leak when hotplug and unplug. This -patch avoid this. - -Signed-off-by: Li Qiang -Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> -Signed-off-by: Paolo Bonzini ---- - hw/char/serial.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index ffbacd8227..67b18eda12 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) - void serial_exit_core(SerialState *s) - { - qemu_chr_fe_deinit(&s->chr); -+ -+ timer_del(s->modem_status_poll); -+ timer_free(s->modem_status_poll); -+ -+ timer_del(s->fifo_timeout_timer); -+ timer_free(s->fifo_timeout_timer); -+ -+ fifo8_destroy(&s->recv_fifo); -+ fifo8_destroy(&s->xmit_fifo); -+ - qemu_unregister_reset(serial_reset, s); - } - --- -2.11.0 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5667.patch b/gnu/packages/patches/qemu-CVE-2017-5667.patch deleted file mode 100644 index 5adea0d27..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5667.patch +++ /dev/null @@ -1,46 +0,0 @@ -Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer): - -http://seclists.org/oss-sec/2017/q1/243 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667 - -Patch copied from upstream source repository: - -http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9 - -From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 7 Feb 2017 18:29:59 +0000 -Subject: [PATCH] sd: sdhci: check data length during dma_memory_read - -While doing multi block SDMA transfer in routine -'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting -index 'begin' and data length 's->data_count' could end up to be same. -This could lead to an OOB access issue. Correct transfer data length -to avoid it. - -Cc: qemu-stable@nongnu.org -Reported-by: Jiang Xin -Signed-off-by: Prasad J Pandit -Reviewed-by: Peter Maydell -Message-id: 20170130064736.9236-1-ppandit@redhat.com -Signed-off-by: Peter Maydell ---- - hw/sd/sdhci.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 01fbf228be..5bd5ab6319 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - boundary_count -= block_size - begin; - } - dma_memory_read(&address_space_memory, s->sdmasysad, -- &s->fifo_buffer[begin], s->data_count); -+ &s->fifo_buffer[begin], s->data_count - begin); - s->sdmasysad += s->data_count - begin; - if (s->data_count == block_size) { - for (n = 0; n < block_size; n++) { --- -2.11.1 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5856.patch b/gnu/packages/patches/qemu-CVE-2017-5856.patch deleted file mode 100644 index bee0824c0..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5856.patch +++ /dev/null @@ -1,68 +0,0 @@ -http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3 -this patch is from qemu-git. - - -From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Mon, 2 Jan 2017 11:03:33 +0100 -Subject: [PATCH] megasas: fix guest-triggered memory leak - -If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd -will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. -Avoid this by returning only the status from map_dcmd, and loading -cmd->iov_size in the caller. - -Reported-by: Li Qiang -Signed-off-by: Paolo Bonzini ---- - hw/scsi/megasas.c | 11 ++++++----- - 1 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 67fc1e7..6233865 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); - cmd->iov_size = 0; -- return -1; -+ return -EINVAL; - } - iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); - iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); - pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); - qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); - cmd->iov_size = iov_size; -- return cmd->iov_size; -+ return 0; - } - - static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) -@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { - - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode, len; -+ int opcode; - int retval = 0; -+ size_t len; - const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); -- len = megasas_map_dcmd(s, cmd); -- if (len < 0) { -+ if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } - while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { - cmdptr++; - } -+ len = cmd->iov_size; - if (cmdptr->opcode == -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); - retval = megasas_dcmd_dummy(s, cmd); --- -1.7.0.4 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch deleted file mode 100644 index 5a94bb1ae..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5898.patch +++ /dev/null @@ -1,44 +0,0 @@ -Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest): - -http://seclists.org/oss-sec/2017/q1/328 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898 - -Patch copied from upstream source repository: - -http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a - -From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 3 Feb 2017 00:52:28 +0530 -Subject: [PATCH] usb: ccid: check ccid apdu length - -CCID device emulator uses Application Protocol Data Units(APDU) -to exchange command and responses to and from the host. -The length in these units couldn't be greater than 65536. Add -check to ensure the same. It'd also avoid potential integer -overflow in emulated_apdu_from_guest. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-id: 20170202192228.10847-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/dev-smartcard-reader.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c -index 89e11b68c4..1325ea1659 100644 ---- a/hw/usb/dev-smartcard-reader.c -+++ b/hw/usb/dev-smartcard-reader.c -@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) - DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, - recv->hdr.bSeq, len); - ccid_add_pending_answer(s, (CCID_Header *)recv); -- if (s->card) { -+ if (s->card && len <= BULK_OUT_DATA_SIZE) { - ccid_card_apdu_from_guest(s->card, recv->abData, len); - } else { - DPRINTF(s, D_WARN, "warning: discarded apdu\n"); --- -2.11.1 - diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch deleted file mode 100644 index 08910e5fa..000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5931.patch +++ /dev/null @@ -1,55 +0,0 @@ -Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests): - -http://seclists.org/oss-sec/2017/q1/337 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931 - -Patch copied from upstream source repository: - -http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4 - -From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 -From: Gonglei -Date: Tue, 3 Jan 2017 14:50:03 +0800 -Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow - -Because the 'size_t' type is 4 bytes in 32-bit platform, which -is the same with 'int'. It's easy to make 'max_len' to zero when -integer overflow and then cause heap overflow if 'max_len' is zero. - -Using uint_64 instead of size_t to avoid the integer overflow. - -Cc: qemu-stable@nongnu.org -Reported-by: Li Qiang -Signed-off-by: Gonglei -Tested-by: Li Qiang -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin ---- - hw/virtio/virtio-crypto.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c -index 2f2467e859..c23e1ad458 100644 ---- a/hw/virtio/virtio-crypto.c -+++ b/hw/virtio/virtio-crypto.c -@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - uint32_t hash_start_src_offset = 0, len_to_hash = 0; - uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; - -- size_t max_len, curr_size = 0; -+ uint64_t max_len, curr_size = 0; - size_t s; - - /* Plain cipher */ -@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - return NULL; - } - -- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; -+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; - if (unlikely(max_len > vcrypto->conf.max_size)) { - virtio_error(vdev, "virtio-crypto too big length"); - return NULL; --- -2.11.1 - diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 07ab871fa..758d1e988 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -69,27 +69,14 @@ (define-public qemu (package (name "qemu") - (version "2.8.0") + (version "2.9.0-rc1") (source (origin (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qemu-" - version ".tar.bz2")) + version ".tar.xz")) (sha256 (base32 - "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs")) - (patches (search-patches "qemu-CVE-2016-10155.patch" - "qemu-CVE-2017-2615.patch" - "qemu-CVE-2017-2620.patch" - "qemu-CVE-2017-2630.patch" - "qemu-CVE-2017-5525.patch" - "qemu-CVE-2017-5526.patch" - "qemu-CVE-2017-5552.patch" - "qemu-CVE-2017-5578.patch" - "qemu-CVE-2017-5579.patch" - "qemu-CVE-2017-5667.patch" - "qemu-CVE-2017-5856.patch" - "qemu-CVE-2017-5898.patch" - "qemu-CVE-2017-5931.patch")))) + "07p0qk090a7444j31wf8fp02bg19mrai8a7awszp04y9jjd1ziwc")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: -- 2.12.0