From: Kei Kebreau
Subject: Re: [PATCH] gnu: qemu: Patch CVE-2016-8910.
Date: Tue, 25 Oct 2016 13:44:09 -0400
Message-ID: <87r374728m.fsf@openmailbox.org>
In-Reply-To: <87vawg72l7.fsf@openmailbox.org> (Kei Kebreau's message of "Tue, 25 Oct 2016 13:36:36 -0400")
To: guix-devel@gnu.org

Kei Kebreau writes:

> Kei Kebreau writes:
>
>> One of the email addresses was hidden on the list I got this patch from.
>> I don't know whether that's a potential problem.
>> See:
>> http://www.openwall.com/lists/oss-security/2016/10/24/2 and
>> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg05495.html
>
> Also, I just noticed an issue with the patch I submitted. Any advice on
> getting valid patches from online mailing list archives?

BTW, I just fixed the issue. It appears that inline patches can get messed up in replies.
--=-=-= Content-Type: text/plain Content-Disposition: attachment; filename=0001-gnu-qemu-Patch-CVE-2016-8910.patch Content-Transfer-Encoding: quoted-printable From=20a99ba6e18e063c08b0069fd59d98023427cb96aa Mon Sep 17 00:00:00 2001 From: Kei Kebreau Date: Tue, 25 Oct 2016 13:42:23 -0400 Subject: [PATCH] gnu: qemu: Patch CVE-2016-8910. * gnu/packages/qemu.scm (qemu)[source]: Add patch. * gnu/packages/patches/qemu-CVE-2016-8910.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it. =2D-- gnu/local.mk | 1 + gnu/packages/patches/qemu-CVE-2016-8910.patch | 30 +++++++++++++++++++++++= ++++ gnu/packages/qemu.scm | 3 ++- 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/qemu-CVE-2016-8910.patch diff --git a/gnu/local.mk b/gnu/local.mk index ff2d976..5577b69 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -814,6 +814,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/qemu-CVE-2016-8576.patch \ %D%/packages/patches/qemu-CVE-2016-8577.patch \ %D%/packages/patches/qemu-CVE-2016-8578.patch \ + %D%/packages/patches/qemu-CVE-2016-8910.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2016-8910.patch b/gnu/packages/p= atches/qemu-CVE-2016-8910.patch new file mode 100644 index 0000000..7033c42 =2D-- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-8910.patch 
@@ -0,0 +1,30 @@ +From: Prasad J Pandit + +RTL8139 ethernet controller in C+ mode supports multiple +descriptor rings, each with maximum of 64 descriptors. While +processing transmit descriptor ring in 'rtl8139_cplus_transmit', +it does not limit the descriptor count and runs forever. Add +check to avoid it. + +Reported-by: Andrew Henderson +Signed-off-by: Prasad J Pandit +--- + hw/net/rtl8139.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c +index 3345bc6..f05e59c 100644 +--- a/hw/net/rtl8139.c ++++ b/hw/net/rtl8139.c +@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s) + { + int txcount =3D 0; +=20 +- while (rtl8139_cplus_transmit_one(s)) ++ while (txcount < 64 && rtl8139_cplus_transmit_one(s)) + { + ++txcount; + } +--=20 +2.7.4 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 9bf8c3a..a386426 100644 =2D-- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm 
@@ -79,7 +79,8 @@ "0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij")) (patches (search-patches "qemu-CVE-2016-8576.patch" "qemu-CVE-2016-8577.patch" =2D "qemu-CVE-2016-8578.patch")))) + "qemu-CVE-2016-8578.patch" + "qemu-CVE-2016-8910.patch")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, lik= e: =2D-=20 2.10.1
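Review bot: the new file gnu/packages/patches/qemu-CVE-2016-8910.patch has its From:, Reported-by: and Signed-off-by: lines stripped of email addresses and carries no Subject: line or upstream reference, so the file itself does not record what it fixes or where it came from; a short header naming CVE-2016-8910 and the qemu-devel message cited earlier in the thread (https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg05495.html) would let a later reviewer check it against upstream. The one-line fix, `while (txcount < 64 && rtl8139_cplus_transmit_one(s))`, bounds the loop at the 64-descriptor ring maximum the description states, which matches the described problem of the loop never terminating.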
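Review bot: the gnu/packages/qemu.scm hunk and the rest of the attachment are quoted-printable encoded (`=2D-`, `=3D`, `lik= e:`, `=20`), which is exactly the kind of mangling the thread complains about when a patch is pasted inline; applying the decoded attachment with `git am` rather than copying the archive rendering avoids the whitespace and `---` corruption, and the sorted position of "qemu-CVE-2016-8910.patch" after "qemu-CVE-2016-8578.patch" here is consistent with the gnu/local.mk hunk.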