bug#27221: [PATCH] gnu: qemu: Fix CVE-2017-{8112,8309,8379,8380}.

bug#27221: [PATCH] gnu: qemu: Fix CVE-2017-{8112,8309,8379,8380}.

[Leo Famulari]

* gnu/packages/patches/qemu-CVE-2017-8112.patch,
gnu/packages/patches/qemu-CVE-2017-8309.patch,
gnu/packages/patches/qemu-CVE-2017-8379.patch,
gnu/packages/patches/qemu-CVE-2017-8380.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/qemu.scm (qemu)[source]: Use them.
---
 gnu/local.mk                                  |  4 ++
 gnu/packages/patches/qemu-CVE-2017-8112.patch | 41 +++++++++++
 gnu/packages/patches/qemu-CVE-2017-8309.patch | 46 +++++++++++++
 gnu/packages/patches/qemu-CVE-2017-8379.patch | 98 +++++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-8380.patch | 53 +++++++++++++++
 gnu/packages/qemu.scm                         |  6 +-
 6 files changed, 247 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8112.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8309.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8379.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-8380.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e7d5ee2f4..85bcbd632 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -953,6 +953,10 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch	\
   %D%/packages/patches/python2-subprocess32-disable-input-test.patch	\
   %D%/packages/patches/qemu-CVE-2017-7493.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8112.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8309.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8379.patch			\
+  %D%/packages/patches/qemu-CVE-2017-8380.patch			\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
   %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch
new file mode 100644
index 000000000..88b33aa2f
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8112.patch
@@ -0,0 +1,41 @@
+Fix CVE-2017-8112:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e
+
+From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 25 Apr 2017 18:36:23 +0530
+Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
+
+A guest could set the message ring page count to zero, resulting in
+infinite loop. Add check to avoid it.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: P J P <ppandit@redhat.com>
+Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 75575461e2..4a106da856 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+     uint32_t len_log2;
+     uint32_t ring_size;
+ 
+-    if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++    if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+         return -1;
+     }
+     ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch
new file mode 100644
index 000000000..dc4b4006b
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8309.patch
@@ -0,0 +1,46 @@
+Fix CVE-2017-8309:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a
+
+From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+
+Fixes: CVE-2017-8309
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel@redhat.com
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+                     sw = sw1;
+                 }
+                 QLIST_REMOVE (cap, entries);
++                g_free (cap->hw.mix_buf);
++                g_free (cap->buf);
+                 g_free (cap);
+             }
+             return;
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch
new file mode 100644
index 000000000..200b133d3
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8379.patch
@@ -0,0 +1,98 @@
+Fix CVE-2017-8379:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
+
+From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 10:42:37 +0200
+Subject: [PATCH] input: limit kbd queue depth
+
+Apply a limit to the number of items we accept into the keyboard queue.
+
+Impact: Without this limit vnc clients can exhaust host memory by
+sending keyboard events faster than qemu feeds them to the guest.
+
+Fixes: CVE-2017-8379
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: jiangxin1@huawei.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Message-id: 20170428084237.23960-1-kraxel@redhat.com
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+     QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+ 
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+                                                    QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+             break;
+         }
+         QTAILQ_REMOVE(queue, item, node);
++        queue_count--;
+         g_free(item);
+     }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+     item->delay_ms = delay_ms;
+     item->timer = timer;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ 
+     if (start_timer) {
+         timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+     item->src = src;
+     item->evt = evt;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+ 
+     item->type = QEMU_INPUT_QUEUE_SYNC;
+     QTAILQ_INSERT_TAIL(queue, item, node);
++    queue_count++;
+ }
+ 
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+         qemu_input_event_send(src, evt);
+         qemu_input_event_sync();
+         qapi_free_InputEvent(evt);
+-    } else {
++    } else if (queue_count < queue_limit) {
+         qemu_input_queue_event(&kbd_queue, src, evt);
+         qemu_input_queue_sync(&kbd_queue);
+     }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+         kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+                                  &kbd_queue);
+     }
+-    qemu_input_queue_delay(&kbd_queue, kbd_timer,
+-                           delay_ms ? delay_ms : kbd_default_delay_ms);
++    if (queue_count < queue_limit) {
++        qemu_input_queue_delay(&kbd_queue, kbd_timer,
++                               delay_ms ? delay_ms : kbd_default_delay_ms);
++    }
+ }
+ 
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
+-- 
+2.13.0
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch
new file mode 100644
index 000000000..65e49fc88
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-8380.patch
@@ -0,0 +1,53 @@
+Fix CVE-2017-8380:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380
+
+Patch copied from upstream source repository:
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f
+
+From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 24 Apr 2017 17:36:34 +0530
+Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
+
+While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
+an off-by-one error could occur as 's->adp_reset' index is not
+reset after reading the last sequence.
+
+Reported-by: YY Z <bigbird475958471@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf901..804122ab05 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
+     case MFI_SEQ:
+         trace_megasas_mmio_writel("MFI_SEQ", val);
+         /* Magic sequence to start ADP reset */
+-        if (adp_reset_seq[s->adp_reset] == val) {
+-            s->adp_reset++;
++        if (adp_reset_seq[s->adp_reset++] == val) {
++            if (s->adp_reset == 6) {
++                s->adp_reset = 0;
++                s->diag = MFI_DIAG_WRITE_ENABLE;
++            }
+         } else {
+             s->adp_reset = 0;
+             s->diag = 0;
+         }
+-        if (s->adp_reset == 6) {
+-            s->diag = MFI_DIAG_WRITE_ENABLE;
+-        }
+         break;
+     case MFI_DIAG:
+         trace_megasas_mmio_writel("MFI_DIAG", val);
+-- 
+2.13.0
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 0734b6d0f..31354b25d 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -74,7 +74,11 @@
              (method url-fetch)
              (uri (string-append "http://wiki.qemu-project.org/download/qemu-"
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2017-7493.patch"))
+             (patches (search-patches "qemu-CVE-2017-7493.patch"
+                                      "qemu-CVE-2017-8112.patch"
+                                      "qemu-CVE-2017-8309.patch"
+                                      "qemu-CVE-2017-8379.patch"
+                                      "qemu-CVE-2017-8380.patch"))
              (sha256
               (base32
                "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h"))))
-- 
2.13.0

bug#27221: [PATCH] gnu: qemu: Fix CVE-2017-{8112, 8309, 8379, 8380}.

[Marius Bakke]

[-- Attachment #1: Type: text/plain, Size: 389 bytes --]

Leo Famulari <leo@famulari.name> writes:

> * gnu/packages/patches/qemu-CVE-2017-8112.patch,
> gnu/packages/patches/qemu-CVE-2017-8309.patch,
> gnu/packages/patches/qemu-CVE-2017-8379.patch,
> gnu/packages/patches/qemu-CVE-2017-8380.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/qemu.scm (qemu)[source]: Use them.

LGTM. Thanks for keeping up with this.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]

bug#27221: [PATCH] gnu: qemu: Fix CVE-2017-{8112, 8309, 8379, 8380}.

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 545 bytes --]

On Sun, Jun 04, 2017 at 01:51:00AM +0200, Marius Bakke wrote:
> Leo Famulari <leo@famulari.name> writes:
> 
> > * gnu/packages/patches/qemu-CVE-2017-8112.patch,
> > gnu/packages/patches/qemu-CVE-2017-8309.patch,
> > gnu/packages/patches/qemu-CVE-2017-8379.patch,
> > gnu/packages/patches/qemu-CVE-2017-8380.patch: New files.
> > * gnu/local.mk (dist_patch_DATA): Add them.
> > * gnu/packages/qemu.scm (qemu)[source]: Use them.
> 
> LGTM. Thanks for keeping up with this.

Thanks! Pushed as 8b5cb8d0542115b840b0086be1dbc00c116c7877.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]