* [PATCH 0/1] QEMU 2.9.0-rc1
@ 2017-03-28 8:06 Leo Famulari
2017-03-28 8:06 ` [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes] Leo Famulari
2017-03-30 19:27 ` [PATCH 0/1] QEMU 2.9.0-rc1 Marius Bakke
0 siblings, 2 replies; 7+ messages in thread
From: Leo Famulari @ 2017-03-28 8:06 UTC (permalink / raw)
To: guix-devel
This is just a release candidate, but it does boot the GuixSD release
image.
I'm sharing it so that people can get early access to the bug fixes it
includes.
Leo Famulari (1):
gnu: qemu: Update to 2.9.0-rc1 [security fixes].
gnu/local.mk | 13 ---
gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 ---------
gnu/packages/patches/qemu-CVE-2017-2615.patch | 52 ----------
gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 -------------------------
gnu/packages/patches/qemu-CVE-2017-2630.patch | 47 ---------
gnu/packages/patches/qemu-CVE-2017-5525.patch | 55 ----------
gnu/packages/patches/qemu-CVE-2017-5526.patch | 58 -----------
gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5578.patch | 39 -------
gnu/packages/patches/qemu-CVE-2017-5579.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5667.patch | 46 ---------
gnu/packages/patches/qemu-CVE-2017-5856.patch | 68 -------------
gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 ----------
gnu/packages/qemu.scm | 19 +---
15 files changed, 3 insertions(+), 764 deletions(-)
delete mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2615.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2620.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2630.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5525.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5526.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5578.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5579.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5667.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5856.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5898.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5931.patch
--
2.12.0
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes].
2017-03-28 8:06 [PATCH 0/1] QEMU 2.9.0-rc1 Leo Famulari
@ 2017-03-28 8:06 ` Leo Famulari
2017-04-07 13:12 ` Leo Famulari
2017-03-30 19:27 ` [PATCH 0/1] QEMU 2.9.0-rc1 Marius Bakke
1 sibling, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-03-28 8:06 UTC (permalink / raw)
To: guix-devel
Fixes CVE-2016-9602 and CVE-2017-{5857,5973,5987,6058,6505}.
* gnu/packages/qemu.scm (qemu): Update to 2.9.0-rc1.
[source]: Remove obsolete patches.
* gnu/packages/patches/qemu-CVE-2016-10155.patch,
gnu/packages/patches/qemu-CVE-2017-2615.patch,
gnu/packages/patches/qemu-CVE-2017-2620.patch,
gnu/packages/patches/qemu-CVE-2017-2630.patch,
gnu/packages/patches/qemu-CVE-2017-5525.patch,
gnu/packages/patches/qemu-CVE-2017-5526.patch,
gnu/packages/patches/qemu-CVE-2017-5552.patch,
gnu/packages/patches/qemu-CVE-2017-5578.patch,
gnu/packages/patches/qemu-CVE-2017-5579.patch,
gnu/packages/patches/qemu-CVE-2017-5667.patch,
gnu/packages/patches/qemu-CVE-2017-5856.patch,
gnu/packages/patches/qemu-CVE-2017-5898.patch,
gnu/packages/patches/qemu-CVE-2017-5931.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
gnu/local.mk | 13 ---
gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 ---------
gnu/packages/patches/qemu-CVE-2017-2615.patch | 52 ----------
gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 -------------------------
gnu/packages/patches/qemu-CVE-2017-2630.patch | 47 ---------
gnu/packages/patches/qemu-CVE-2017-5525.patch | 55 ----------
gnu/packages/patches/qemu-CVE-2017-5526.patch | 58 -----------
gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5578.patch | 39 -------
gnu/packages/patches/qemu-CVE-2017-5579.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5667.patch | 46 ---------
gnu/packages/patches/qemu-CVE-2017-5856.patch | 68 -------------
gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 --------
gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 ----------
gnu/packages/qemu.scm | 19 +---
15 files changed, 3 insertions(+), 764 deletions(-)
delete mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2615.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2620.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-2630.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5525.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5526.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5578.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5579.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5667.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5856.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5898.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5931.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index cc187e2d2..b9ce02ac6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -877,19 +877,6 @@ dist_patch_DATA = \
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
- %D%/packages/patches/qemu-CVE-2016-10155.patch \
- %D%/packages/patches/qemu-CVE-2017-2615.patch \
- %D%/packages/patches/qemu-CVE-2017-2620.patch \
- %D%/packages/patches/qemu-CVE-2017-2630.patch \
- %D%/packages/patches/qemu-CVE-2017-5525.patch \
- %D%/packages/patches/qemu-CVE-2017-5526.patch \
- %D%/packages/patches/qemu-CVE-2017-5552.patch \
- %D%/packages/patches/qemu-CVE-2017-5578.patch \
- %D%/packages/patches/qemu-CVE-2017-5579.patch \
- %D%/packages/patches/qemu-CVE-2017-5667.patch \
- %D%/packages/patches/qemu-CVE-2017-5856.patch \
- %D%/packages/patches/qemu-CVE-2017-5898.patch \
- %D%/packages/patches/qemu-CVE-2017-5931.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch
deleted file mode 100644
index 825edaa81..000000000
--- a/gnu/packages/patches/qemu-CVE-2016-10155.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
-this patch is from qemu-git.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
- /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
-
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+ timer_del(d->timer);
-+ timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
- .wdt_name = "i6300esb",
- .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
- k->config_read = i6300esb_config_read;
- k->config_write = i6300esb_config_write;
- k->realize = i6300esb_realize;
-+ k->exit = i6300esb_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
- k->class_id = PCI_CLASS_SYSTEM_OTHER;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-2615.patch b/gnu/packages/patches/qemu-CVE-2017-2615.patch
deleted file mode 100644
index ede1f8c89..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-2615.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64
-this patch is from qemu-git.
-
-
-From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 1 Feb 2017 09:35:01 +0100
-Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
- address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409dc5..16f27e8ac5 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
- if (pitch < 0) {
- int64_t min = addr
-- + ((int64_t)s->cirrus_blt_height-1) * pitch;
-- int32_t max = addr
-- + s->cirrus_blt_width;
-- if (min < 0 || max > s->vga.vram_size) {
-+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+ - s->cirrus_blt_width;
-+ if (min < -1 || addr >= s->vga.vram_size) {
- return true;
- }
- } else {
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch
deleted file mode 100644
index d3111827b..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-2620.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-Fix CVE-2017-2620:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620
-https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html
-
-Both patches copied from upstream source repository:
-
-Fixes CVE-2017-2620:
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298
-
-The CVE-2017-2620 bug-fix depends on this earlier patch:
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061
-
-From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 8 Feb 2017 11:18:36 +0100
-Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
- (CVE-2017-2620)
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all. Oops. Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 1deb52070a..b9e7cb1df1 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
- int w;
-
-+ if (blit_is_unsafe(s, true)) {
-+ return 0;
-+ }
-+
- s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
- s->cirrus_srcptr = &s->cirrus_bltbuf[0];
- s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- }
- s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
- }
-+
-+ /* the blit_is_unsafe call above should catch this */
-+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
- s->cirrus_srcptr = s->cirrus_bltbuf;
- s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
- cirrus_update_memory_access(s);
---
-2.12.0
-
-From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 9 Jan 2017 13:35:20 -0700
-Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
- blit_is_unsafe
-
-Commit 4299b90 added a check which is too broad, given that the source
-pitch value is not required to be initialized for solid fill operations.
-This patch refines the blit_is_unsafe() check to ignore source pitch in
-that case. After applying the above commit as a security patch, we
-noticed the SLES 11 SP4 guest gui failed to initialize properly.
-
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Message-id: 20170109203520.5619-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index bdb092ee9d..379910db2d 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- return false;
- }
-
--static bool blit_is_unsafe(struct CirrusVGAState *s)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
- /* should be the case, see cirrus_bitblt_start */
- assert(s->cirrus_blt_width > 0);
-@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
- return true;
- }
-+ if (dst_only) {
-+ return false;
-+ }
- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
- return true;
-@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
-
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
-
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- (*s->cirrus_rop) (s, dst, src,
-@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
- cirrus_fill_t rop_func;
-
-- if (blit_is_unsafe(s)) {
-+ if (blit_is_unsafe(s, true)) {
- return 0;
- }
- rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
-
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
-- if (blit_is_unsafe(s))
-+ if (blit_is_unsafe(s, false))
- return 0;
-
- return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
---
-2.12.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch
deleted file mode 100644
index b154d171f..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-2630.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Fix CVE-2017-2630:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630
-https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85
-
-From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001
-From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Date: Tue, 7 Mar 2017 09:16:27 -0600
-Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630]
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Comparison symbol is misused. It may lead to memory corruption.
-Introduced in commit 7d3123e.
-
-Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com>
-[eblake: add CVE details, update conditional]
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-Id: <20170307151627.27212-1-eblake@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- nbd/client.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/nbd/client.c b/nbd/client.c
-index 5c9dee37fa..3dc2564cd0 100644
---- a/nbd/client.c
-+++ b/nbd/client.c
-@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
- char small[1024];
- char *buffer;
-
-- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
-+ buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size));
- while (size > 0) {
- ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
-
---
-2.12.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch
deleted file mode 100644
index d0c0c82a4..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5525.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:30:21 -0800
-Subject: [PATCH] audio: ac97: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
-this patch is from qemu-git
-
-Currently the ac97 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/ac97.c | 11 +++++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
-
-diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
---- a/hw/audio/ac97.c
-+++ b/hw/audio/ac97.c
-@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
- ac97_on_reset (&s->dev.qdev);
- }
-
-+static void ac97_exit(PCIDevice *dev)
-+{
-+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
-+
-+ AUD_close_in(&s->card, s->voice_pi);
-+ AUD_close_out(&s->card, s->voice_po);
-+ AUD_close_in(&s->card, s->voice_mc);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int ac97_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, "AC97");
-@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = ac97_realize;
-+ k->exit = ac97_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
- k->revision = 0x01;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch
deleted file mode 100644
index 5a6d79645..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5526.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:32:22 -0800
-Subject: [PATCH] audio: es1370: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
-this patch is from qemu-git.
-
-Currently the es1370 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/es1370.c | 14 ++++++++++++++
- 1 files changed, 14 insertions(+), 0 deletions(-)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
- es1370_reset (s);
- }
-
-+static void es1370_exit(PCIDevice *dev)
-+{
-+ ES1370State *s = ES1370(dev);
-+ int i;
-+
-+ for (i = 0; i < 2; ++i) {
-+ AUD_close_out(&s->card, s->dac_voice[i]);
-+ }
-+
-+ AUD_close_in(&s->card, s->adc_voice);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int es1370_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, TYPE_ES1370);
-@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = es1370_realize;
-+ k->exit = es1370_exit;
- k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
- k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
- k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch
deleted file mode 100644
index 50911f4f3..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5552.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 03:11:26 -0500
-Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-If the virgl_renderer_resource_attach_iov function fails the
-'res_iovs' will be leaked. Add check of the return value to
-free the 'res_iovs' when failing.
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
-this patch is from qemu-git.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu-3d.c | 7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index e29f099..b13ced3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-- virgl_renderer_resource_attach_iov(att_rb.resource_id,
-- res_iovs, att_rb.nr_entries);
-+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+ res_iovs, att_rb.nr_entries);
-+
-+ if (ret != 0)
-+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
- }
-
- static void virgl_resource_detach_backing(VirtIOGPU *g,
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5578.patch b/gnu/packages/patches/qemu-CVE-2017-5578.patch
deleted file mode 100644
index 05655bcd9..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5578.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=204f01b30975923c64006f8067f0937b91eea68b
-this patch is from qemu-git.
-
-
-From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 04:28:41 -0500
-Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
-
-In the resource attach backing function, everytime it will
-allocate 'res->iov' thus can leading a memory leak. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 6a26258cac..ca88cf478d 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-+ if (res->iov) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+ return;
-+ }
-+
- ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
- if (ret != 0) {
- cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5579.patch b/gnu/packages/patches/qemu-CVE-2017-5579.patch
deleted file mode 100644
index 7630012d5..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5579.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
-this patch is from qemu-git.
-
-
-From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 4 Jan 2017 00:43:16 -0800
-Subject: [PATCH] serial: fix memory leak in serial exit
-
-The serial_exit_core function doesn't free some resources.
-This can lead memory leak when hotplug and unplug. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/char/serial.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index ffbacd8227..67b18eda12 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
- void serial_exit_core(SerialState *s)
- {
- qemu_chr_fe_deinit(&s->chr);
-+
-+ timer_del(s->modem_status_poll);
-+ timer_free(s->modem_status_poll);
-+
-+ timer_del(s->fifo_timeout_timer);
-+ timer_free(s->fifo_timeout_timer);
-+
-+ fifo8_destroy(&s->recv_fifo);
-+ fifo8_destroy(&s->xmit_fifo);
-+
- qemu_unregister_reset(serial_reset, s);
- }
-
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5667.patch b/gnu/packages/patches/qemu-CVE-2017-5667.patch
deleted file mode 100644
index 5adea0d27..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5667.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-Fix CVE-2017-5667 (sdhci OOB access during multi block SDMA transfer):
-
-http://seclists.org/oss-sec/2017/q1/243
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5667
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=42922105beb14c2fc58185ea022b9f72fb5465e9
-
-From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Feb 2017 18:29:59 +0000
-Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
-
-While doing multi block SDMA transfer in routine
-'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
-index 'begin' and data length 's->data_count' could end up to be same.
-This could lead to an OOB access issue. Correct transfer data length
-to avoid it.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20170130064736.9236-1-ppandit@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/sd/sdhci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 01fbf228be..5bd5ab6319 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- boundary_count -= block_size - begin;
- }
- dma_memory_read(&address_space_memory, s->sdmasysad,
-- &s->fifo_buffer[begin], s->data_count);
-+ &s->fifo_buffer[begin], s->data_count - begin);
- s->sdmasysad += s->data_count - begin;
- if (s->data_count == block_size) {
- for (n = 0; n < block_size; n++) {
---
-2.11.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5856.patch b/gnu/packages/patches/qemu-CVE-2017-5856.patch
deleted file mode 100644
index bee0824c0..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5856.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3
-this patch is from qemu-git.
-
-
-From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 2 Jan 2017 11:03:33 +0100
-Subject: [PATCH] megasas: fix guest-triggered memory leak
-
-If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
-will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
-Avoid this by returning only the status from map_dcmd, and loading
-cmd->iov_size in the caller.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 11 ++++++-----
- 1 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 67fc1e7..6233865 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
- trace_megasas_dcmd_invalid_sge(cmd->index,
- cmd->frame->header.sge_count);
- cmd->iov_size = 0;
-- return -1;
-+ return -EINVAL;
- }
- iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
- iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
- pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
- qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
- cmd->iov_size = iov_size;
-- return cmd->iov_size;
-+ return 0;
- }
-
- static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
-@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
-
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
-- int opcode, len;
-+ int opcode;
- int retval = 0;
-+ size_t len;
- const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
-
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
-- len = megasas_map_dcmd(s, cmd);
-- if (len < 0) {
-+ if (megasas_map_dcmd(s, cmd) < 0) {
- return MFI_STAT_MEMORY_NOT_AVAILABLE;
- }
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
- cmdptr++;
- }
-+ len = cmd->iov_size;
- if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
- retval = megasas_dcmd_dummy(s, cmd);
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch
deleted file mode 100644
index 5a94bb1ae..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5898.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
-
-http://seclists.org/oss-sec/2017/q1/328
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
-
-From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 3 Feb 2017 00:52:28 +0530
-Subject: [PATCH] usb: ccid: check ccid apdu length
-
-CCID device emulator uses Application Protocol Data Units(APDU)
-to exchange command and responses to and from the host.
-The length in these units couldn't be greater than 65536. Add
-check to ensure the same. It'd also avoid potential integer
-overflow in emulated_apdu_from_guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170202192228.10847-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-smartcard-reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index 89e11b68c4..1325ea1659 100644
---- a/hw/usb/dev-smartcard-reader.c
-+++ b/hw/usb/dev-smartcard-reader.c
-@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
- DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
- recv->hdr.bSeq, len);
- ccid_add_pending_answer(s, (CCID_Header *)recv);
-- if (s->card) {
-+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
- ccid_card_apdu_from_guest(s->card, recv->abData, len);
- } else {
- DPRINTF(s, D_WARN, "warning: discarded apdu\n");
---
-2.11.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch
deleted file mode 100644
index 08910e5fa..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5931.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
-
-http://seclists.org/oss-sec/2017/q1/337
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
-
-From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
-From: Gonglei <arei.gonglei@huawei.com>
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-
-Using uint_64 instead of size_t to avoid the integer overflow.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Tested-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e859..c23e1ad458 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- uint32_t hash_start_src_offset = 0, len_to_hash = 0;
- uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
-
-- size_t max_len, curr_size = 0;
-+ uint64_t max_len, curr_size = 0;
- size_t s;
-
- /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- return NULL;
- }
-
-- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
- if (unlikely(max_len > vcrypto->conf.max_size)) {
- virtio_error(vdev, "virtio-crypto too big length");
- return NULL;
---
-2.11.1
-
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 07ab871fa..758d1e988 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -69,27 +69,14 @@
(define-public qemu
(package
(name "qemu")
- (version "2.8.0")
+ (version "2.9.0-rc1")
(source (origin
(method url-fetch)
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
- version ".tar.bz2"))
+ version ".tar.xz"))
(sha256
(base32
- "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))
- (patches (search-patches "qemu-CVE-2016-10155.patch"
- "qemu-CVE-2017-2615.patch"
- "qemu-CVE-2017-2620.patch"
- "qemu-CVE-2017-2630.patch"
- "qemu-CVE-2017-5525.patch"
- "qemu-CVE-2017-5526.patch"
- "qemu-CVE-2017-5552.patch"
- "qemu-CVE-2017-5578.patch"
- "qemu-CVE-2017-5579.patch"
- "qemu-CVE-2017-5667.patch"
- "qemu-CVE-2017-5856.patch"
- "qemu-CVE-2017-5898.patch"
- "qemu-CVE-2017-5931.patch"))))
+ "07p0qk090a7444j31wf8fp02bg19mrai8a7awszp04y9jjd1ziwc"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like:
--
2.12.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] QEMU 2.9.0-rc1
2017-03-28 8:06 [PATCH 0/1] QEMU 2.9.0-rc1 Leo Famulari
2017-03-28 8:06 ` [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes] Leo Famulari
@ 2017-03-30 19:27 ` Marius Bakke
2017-03-30 23:37 ` Leo Famulari
1 sibling, 1 reply; 7+ messages in thread
From: Marius Bakke @ 2017-03-30 19:27 UTC (permalink / raw)
To: Leo Famulari, guix-devel
[-- Attachment #1: Type: text/plain, Size: 626 bytes --]
Leo Famulari <leo@famulari.name> writes:
> This is just a release candidate, but it does boot the GuixSD release
> image.
>
> I'm sharing it so that people can get early access to the bug fixes it
> includes.
>
> Leo Famulari (1):
> gnu: qemu: Update to 2.9.0-rc1 [security fixes].
I think it would be nice to have this in Guix proper (as a separate
variable), so users don't have to apply this patch and build it
manually. The downside is that it would land in users' profiles unless
they take steps to prevent it, but I'm not sure how much of a problem
that is given how easy it is to roll-back or exclude it. Thoughts?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] QEMU 2.9.0-rc1
2017-03-30 19:27 ` [PATCH 0/1] QEMU 2.9.0-rc1 Marius Bakke
@ 2017-03-30 23:37 ` Leo Famulari
2017-03-31 8:03 ` Ludovic Courtès
0 siblings, 1 reply; 7+ messages in thread
From: Leo Famulari @ 2017-03-30 23:37 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 737 bytes --]
On Thu, Mar 30, 2017 at 09:27:54PM +0200, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> > gnu: qemu: Update to 2.9.0-rc1 [security fixes].
>
> I think it would be nice to have this in Guix proper (as a separate
> variable), so users don't have to apply this patch and build it
> manually. The downside is that it would land in users' profiles unless
> they take steps to prevent it, but I'm not sure how much of a problem
> that is given how easy it is to roll-back or exclude it. Thoughts?
I'm unsure if we should add it. QEMU usually goes through 4 or 5 release
candidates.
Does anyone have experience using these heavily? Are they stable or can
we expect them to be buggier than a real release?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] QEMU 2.9.0-rc1
2017-03-30 23:37 ` Leo Famulari
@ 2017-03-31 8:03 ` Ludovic Courtès
2017-04-01 0:01 ` Leo Famulari
0 siblings, 1 reply; 7+ messages in thread
From: Ludovic Courtès @ 2017-03-31 8:03 UTC (permalink / raw)
To: Leo Famulari; +Cc: guix-devel
Leo Famulari <leo@famulari.name> skribis:
> On Thu, Mar 30, 2017 at 09:27:54PM +0200, Marius Bakke wrote:
>> Leo Famulari <leo@famulari.name> writes:
>> > gnu: qemu: Update to 2.9.0-rc1 [security fixes].
>>
>> I think it would be nice to have this in Guix proper (as a separate
>> variable), so users don't have to apply this patch and build it
>> manually. The downside is that it would land in users' profiles unless
>> they take steps to prevent it, but I'm not sure how much of a problem
>> that is given how easy it is to roll-back or exclude it. Thoughts?
>
> I'm unsure if we should add it. QEMU usually goes through 4 or 5 release
> candidates.
If the release candidates quickly turn into a release, as one would
expect, then perhaps we can just wait for a few more days?
Thoughts?
Ludo’.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 0/1] QEMU 2.9.0-rc1
2017-03-31 8:03 ` Ludovic Courtès
@ 2017-04-01 0:01 ` Leo Famulari
0 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2017-04-01 0:01 UTC (permalink / raw)
To: Ludovic Courtès; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 762 bytes --]
On Fri, Mar 31, 2017 at 10:03:11AM +0200, Ludovic Courtès wrote:
> Leo Famulari <leo@famulari.name> skribis:
> > I'm unsure if we should add it. QEMU usually goes through 4 or 5 release
> > candidates.
>
> If the release candidates quickly turn into a release, as one would
> expect, then perhaps we can just wait for a few more days?
It usually takes 1 or 2 months:
http://wiki.qemu-project.org/Main_Page#News
I didn't mean to add this release candidate to Guix, but I wanted to
make it available to whoever is interested — especially since I spent a
lot of time comparing my collection of bug reports against the 2.9.0-rc1
code to check what was and was not fixed :)
I think having it here in the mailing list archives is sufficient.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes].
2017-03-28 8:06 ` [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes] Leo Famulari
@ 2017-04-07 13:12 ` Leo Famulari
0 siblings, 0 replies; 7+ messages in thread
From: Leo Famulari @ 2017-04-07 13:12 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 1009 bytes --]
On Tue, Mar 28, 2017 at 04:06:37AM -0400, Leo Famulari wrote:
> Fixes CVE-2016-9602 and CVE-2017-{5857,5973,5987,6058,6505}.
>
> * gnu/packages/qemu.scm (qemu): Update to 2.9.0-rc1.
> [source]: Remove obsolete patches.
> * gnu/packages/patches/qemu-CVE-2016-10155.patch,
> gnu/packages/patches/qemu-CVE-2017-2615.patch,
> gnu/packages/patches/qemu-CVE-2017-2620.patch,
> gnu/packages/patches/qemu-CVE-2017-2630.patch,
> gnu/packages/patches/qemu-CVE-2017-5525.patch,
> gnu/packages/patches/qemu-CVE-2017-5526.patch,
> gnu/packages/patches/qemu-CVE-2017-5552.patch,
> gnu/packages/patches/qemu-CVE-2017-5578.patch,
> gnu/packages/patches/qemu-CVE-2017-5579.patch,
> gnu/packages/patches/qemu-CVE-2017-5667.patch,
> gnu/packages/patches/qemu-CVE-2017-5856.patch,
> gnu/packages/patches/qemu-CVE-2017-5898.patch,
> gnu/packages/patches/qemu-CVE-2017-5931.patch: Delete files.
> * gnu/local.mk (dist_patch_DATA): Remove them.
Here's an updated version of this patchset, for your reference.
[-- Attachment #1.2: 0001-gnu-qemu-Update-to-2.9.0-rc3-fixes-CVE-2017-5857-597.patch --]
[-- Type: text/plain, Size: 20637 bytes --]
From 6c71528b64c15e4aa85e7d22957ff754165d6e30 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Fri, 7 Apr 2017 09:03:28 -0400
Subject: [PATCH] gnu: qemu: Update to 2.9.0-rc3 [fixes
CVE-2017-{5857,5973,5987,6058,6505,7377}].
* gnu/packages/qemu.scm (qemu): Update to 2.9.0-rc3.
[source]: Remove obsolete patches.
* gnu/packages/patches/qemu-CVE-2016-10155.patch,
gnu/packages/patches/qemu-CVE-2017-5525.patch,
gnu/packages/patches/qemu-CVE-2017-5526.patch,
gnu/packages/patches/qemu-CVE-2017-5552.patch,
gnu/packages/patches/qemu-CVE-2017-5578.patch,
gnu/packages/patches/qemu-CVE-2017-5579.patch,
gnu/packages/patches/qemu-CVE-2017-5856.patch,
gnu/packages/patches/qemu-CVE-2017-5898.patch: Delete files.
* gnu/local.mk (dist_patch_DATA): Remove them.
---
gnu/local.mk | 8 ---
gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 -------------------
gnu/packages/patches/qemu-CVE-2017-5525.patch | 55 ---------------------
gnu/packages/patches/qemu-CVE-2017-5526.patch | 58 ----------------------
gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 -----------------
gnu/packages/patches/qemu-CVE-2017-5578.patch | 39 ---------------
gnu/packages/patches/qemu-CVE-2017-5579.patch | 44 -----------------
gnu/packages/patches/qemu-CVE-2017-5856.patch | 68 --------------------------
gnu/packages/patches/qemu-CVE-2017-5898.patch | 44 -----------------
gnu/packages/qemu.scm | 13 +----
10 files changed, 2 insertions(+), 420 deletions(-)
delete mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5525.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5526.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5578.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5579.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5856.patch
delete mode 100644 gnu/packages/patches/qemu-CVE-2017-5898.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 93bafa282..255f7610e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -889,14 +889,6 @@ dist_patch_DATA = \
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
%D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \
%D%/packages/patches/python2-subprocess32-disable-input-test.patch \
- %D%/packages/patches/qemu-CVE-2016-10155.patch \
- %D%/packages/patches/qemu-CVE-2017-5525.patch \
- %D%/packages/patches/qemu-CVE-2017-5526.patch \
- %D%/packages/patches/qemu-CVE-2017-5552.patch \
- %D%/packages/patches/qemu-CVE-2017-5578.patch \
- %D%/packages/patches/qemu-CVE-2017-5579.patch \
- %D%/packages/patches/qemu-CVE-2017-5856.patch \
- %D%/packages/patches/qemu-CVE-2017-5898.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \
diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch
deleted file mode 100644
index 825edaa81..000000000
--- a/gnu/packages/patches/qemu-CVE-2016-10155.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
-this patch is from qemu-git.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
- /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
-
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+ timer_del(d->timer);
-+ timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
- .wdt_name = "i6300esb",
- .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
- k->config_read = i6300esb_config_read;
- k->config_write = i6300esb_config_write;
- k->realize = i6300esb_realize;
-+ k->exit = i6300esb_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
- k->class_id = PCI_CLASS_SYSTEM_OTHER;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5525.patch b/gnu/packages/patches/qemu-CVE-2017-5525.patch
deleted file mode 100644
index d0c0c82a4..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5525.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:30:21 -0800
-Subject: [PATCH] audio: ac97: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=12351a91da97b414eec8cdb09f1d9f41e535a401
-this patch is from qemu-git
-
-Currently the ac97 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/ac97.c | 11 +++++++++++
- 1 files changed, 11 insertions(+), 0 deletions(-)
-
-diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
---- a/hw/audio/ac97.c
-+++ b/hw/audio/ac97.c
-@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
- ac97_on_reset (&s->dev.qdev);
- }
-
-+static void ac97_exit(PCIDevice *dev)
-+{
-+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
-+
-+ AUD_close_in(&s->card, s->voice_pi);
-+ AUD_close_out(&s->card, s->voice_po);
-+ AUD_close_in(&s->card, s->voice_mc);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int ac97_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, "AC97");
-@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = ac97_realize;
-+ k->exit = ac97_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
- k->revision = 0x01;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5526.patch b/gnu/packages/patches/qemu-CVE-2017-5526.patch
deleted file mode 100644
index 5a6d79645..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5526.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:32:22 -0800
-Subject: [PATCH] audio: es1370: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
-this patch is from qemu-git.
-
-Currently the es1370 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/es1370.c | 14 ++++++++++++++
- 1 files changed, 14 insertions(+), 0 deletions(-)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
- es1370_reset (s);
- }
-
-+static void es1370_exit(PCIDevice *dev)
-+{
-+ ES1370State *s = ES1370(dev);
-+ int i;
-+
-+ for (i = 0; i < 2; ++i) {
-+ AUD_close_out(&s->card, s->dac_voice[i]);
-+ }
-+
-+ AUD_close_in(&s->card, s->adc_voice);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int es1370_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, TYPE_ES1370);
-@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = es1370_realize;
-+ k->exit = es1370_exit;
- k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
- k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
- k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch
deleted file mode 100644
index 50911f4f3..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5552.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 03:11:26 -0500
-Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-If the virgl_renderer_resource_attach_iov function fails the
-'res_iovs' will be leaked. Add check of the return value to
-free the 'res_iovs' when failing.
-
-http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689
-this patch is from qemu-git.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu-3d.c | 7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index e29f099..b13ced3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-- virgl_renderer_resource_attach_iov(att_rb.resource_id,
-- res_iovs, att_rb.nr_entries);
-+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+ res_iovs, att_rb.nr_entries);
-+
-+ if (ret != 0)
-+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
- }
-
- static void virgl_resource_detach_backing(VirtIOGPU *g,
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5578.patch b/gnu/packages/patches/qemu-CVE-2017-5578.patch
deleted file mode 100644
index 05655bcd9..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5578.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=204f01b30975923c64006f8067f0937b91eea68b
-this patch is from qemu-git.
-
-
-From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 04:28:41 -0500
-Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
-
-In the resource attach backing function, everytime it will
-allocate 'res->iov' thus can leading a memory leak. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 6a26258cac..ca88cf478d 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-+ if (res->iov) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+ return;
-+ }
-+
- ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
- if (ret != 0) {
- cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5579.patch b/gnu/packages/patches/qemu-CVE-2017-5579.patch
deleted file mode 100644
index 7630012d5..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5579.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b
-this patch is from qemu-git.
-
-
-From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 4 Jan 2017 00:43:16 -0800
-Subject: [PATCH] serial: fix memory leak in serial exit
-
-The serial_exit_core function doesn't free some resources.
-This can lead memory leak when hotplug and unplug. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/char/serial.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index ffbacd8227..67b18eda12 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
- void serial_exit_core(SerialState *s)
- {
- qemu_chr_fe_deinit(&s->chr);
-+
-+ timer_del(s->modem_status_poll);
-+ timer_free(s->modem_status_poll);
-+
-+ timer_del(s->fifo_timeout_timer);
-+ timer_free(s->fifo_timeout_timer);
-+
-+ fifo8_destroy(&s->recv_fifo);
-+ fifo8_destroy(&s->xmit_fifo);
-+
- qemu_unregister_reset(serial_reset, s);
- }
-
---
-2.11.0
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5856.patch b/gnu/packages/patches/qemu-CVE-2017-5856.patch
deleted file mode 100644
index bee0824c0..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5856.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-http://git.qemu.org/?p=qemu.git;a=patch;h=765a707000e838c30b18d712fe6cb3dd8e0435f3
-this patch is from qemu-git.
-
-
-From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 2 Jan 2017 11:03:33 +0100
-Subject: [PATCH] megasas: fix guest-triggered memory leak
-
-If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
-will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
-Avoid this by returning only the status from map_dcmd, and loading
-cmd->iov_size in the caller.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 11 ++++++-----
- 1 files changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 67fc1e7..6233865 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
- trace_megasas_dcmd_invalid_sge(cmd->index,
- cmd->frame->header.sge_count);
- cmd->iov_size = 0;
-- return -1;
-+ return -EINVAL;
- }
- iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
- iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
- pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
- qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
- cmd->iov_size = iov_size;
-- return cmd->iov_size;
-+ return 0;
- }
-
- static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
-@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
-
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
-- int opcode, len;
-+ int opcode;
- int retval = 0;
-+ size_t len;
- const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
-
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
-- len = megasas_map_dcmd(s, cmd);
-- if (len < 0) {
-+ if (megasas_map_dcmd(s, cmd) < 0) {
- return MFI_STAT_MEMORY_NOT_AVAILABLE;
- }
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
- cmdptr++;
- }
-+ len = cmd->iov_size;
- if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
- retval = megasas_dcmd_dummy(s, cmd);
---
-1.7.0.4
-
diff --git a/gnu/packages/patches/qemu-CVE-2017-5898.patch b/gnu/packages/patches/qemu-CVE-2017-5898.patch
deleted file mode 100644
index 5a94bb1ae..000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5898.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-Fix CVE-2017-5898 (integer overflow in emulated_apdu_from_guest):
-
-http://seclists.org/oss-sec/2017/q1/328
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5898
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a
-
-From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 3 Feb 2017 00:52:28 +0530
-Subject: [PATCH] usb: ccid: check ccid apdu length
-
-CCID device emulator uses Application Protocol Data Units(APDU)
-to exchange command and responses to and from the host.
-The length in these units couldn't be greater than 65536. Add
-check to ensure the same. It'd also avoid potential integer
-overflow in emulated_apdu_from_guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170202192228.10847-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-smartcard-reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index 89e11b68c4..1325ea1659 100644
---- a/hw/usb/dev-smartcard-reader.c
-+++ b/hw/usb/dev-smartcard-reader.c
-@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
- DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
- recv->hdr.bSeq, len);
- ccid_add_pending_answer(s, (CCID_Header *)recv);
-- if (s->card) {
-+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
- ccid_card_apdu_from_guest(s->card, recv->abData, len);
- } else {
- DPRINTF(s, D_WARN, "warning: discarded apdu\n");
---
-2.11.1
-
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index e0b4695f3..6be23eb62 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -69,23 +69,14 @@
(define-public qemu
(package
(name "qemu")
- (version "2.8.1")
+ (version "2.9.0-rc3")
(source (origin
(method url-fetch)
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
version ".tar.xz"))
(sha256
(base32
- "0h342v4n44kh89yyfas4iazvhhsy5m5qk94vsjqpz5zpq1i2ykad"))
- (patches (search-patches "qemu-CVE-2016-10155.patch"
- "qemu-CVE-2017-5525.patch"
- "qemu-CVE-2017-5526.patch"
- "qemu-CVE-2017-5552.patch"
- "qemu-CVE-2017-5578.patch"
- "qemu-CVE-2017-5579.patch"
- "qemu-CVE-2017-5856.patch"
- "qemu-CVE-2017-5898.patch"
- ))))
+ "00dzw3j2fykm98wvfpb79fyd4rjffnsxrwbs4fvr1v8kxbyqy3ab"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like:
--
2.12.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-04-07 13:12 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-28 8:06 [PATCH 0/1] QEMU 2.9.0-rc1 Leo Famulari
2017-03-28 8:06 ` [PATCH 1/1] gnu: qemu: Update to 2.9.0-rc1 [security fixes] Leo Famulari
2017-04-07 13:12 ` Leo Famulari
2017-03-30 19:27 ` [PATCH 0/1] QEMU 2.9.0-rc1 Marius Bakke
2017-03-30 23:37 ` Leo Famulari
2017-03-31 8:03 ` Ludovic Courtès
2017-04-01 0:01 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).