diff options
author | Leo Famulari <leo@famulari.name> | 2017-06-03 18:32:57 -0400 |
---|---|---|
committer | Leo Famulari <leo@famulari.name> | 2017-06-03 20:50:10 -0400 |
commit | 8b5cb8d0542115b840b0086be1dbc00c116c7877 (patch) | |
tree | deb9d816351268c2d53f85c2f521a86f3be828cb | |
parent | 34cfeca84e62b92e4f2b32c5bf33fe4982253f48 (diff) | |
download | guix-8b5cb8d0542115b840b0086be1dbc00c116c7877.tar.gz guix-8b5cb8d0542115b840b0086be1dbc00c116c7877.zip |
gnu: qemu: Fix CVE-2017-{8112,8309,8379,8380}.
* gnu/packages/patches/qemu-CVE-2017-8112.patch,
gnu/packages/patches/qemu-CVE-2017-8309.patch,
gnu/packages/patches/qemu-CVE-2017-8379.patch,
gnu/packages/patches/qemu-CVE-2017-8380.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/qemu.scm (qemu)[source]: Use them.
-rw-r--r-- | gnu/local.mk | 4 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8112.patch | 41 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8309.patch | 46 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8379.patch | 98 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-8380.patch | 53 | ||||
-rw-r--r-- | gnu/packages/qemu.scm | 6 |
6 files changed, 247 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index c94291f435..0449e8adc6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -954,6 +954,10 @@ dist_patch_DATA = \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ %D%/packages/patches/python2-subprocess32-disable-input-test.patch \ %D%/packages/patches/qemu-CVE-2017-7493.patch \ + %D%/packages/patches/qemu-CVE-2017-8112.patch \ + %D%/packages/patches/qemu-CVE-2017-8309.patch \ + %D%/packages/patches/qemu-CVE-2017-8379.patch \ + %D%/packages/patches/qemu-CVE-2017-8380.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/qtscript-disable-tests.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2017-8112.patch b/gnu/packages/patches/qemu-CVE-2017-8112.patch new file mode 100644 index 0000000000..88b33aa2f0 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-8112.patch @@ -0,0 +1,41 @@ +Fix CVE-2017-8112: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8112 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f68826989cd4d1217797251339579c57b3c0934e + +From f68826989cd4d1217797251339579c57b3c0934e Mon Sep 17 00:00:00 2001 +From: P J P <ppandit@redhat.com> +Date: Tue, 25 Apr 2017 18:36:23 +0530 +Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation + +A guest could set the message ring page count to zero, resulting in +infinite loop. Add check to avoid it. + +Reported-by: YY Z <bigbird475958471@gmail.com> +Signed-off-by: P J P <ppandit@redhat.com> +Message-Id: <20170425130623.3649-1-ppandit@redhat.com> +Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + hw/scsi/vmw_pvscsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 75575461e2..4a106da856 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) + uint32_t len_log2; + uint32_t ring_size; + +- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { ++ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { + return -1; + } + ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; +-- +2.13.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-8309.patch b/gnu/packages/patches/qemu-CVE-2017-8309.patch new file mode 100644 index 0000000000..dc4b4006b7 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-8309.patch @@ -0,0 +1,46 @@ +Fix CVE-2017-8309: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8309 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=3268a845f41253fb55852a8429c32b50f36f349a + +From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Fri, 28 Apr 2017 09:56:12 +0200 +Subject: [PATCH] audio: release capture buffers + +AUD_add_capture() allocates two buffers which are never released. +Add the missing calls to AUD_del_capture(). + +Impact: Allows vnc clients to exhaust host memory by repeatedly +starting and stopping audio capture. + +Fixes: CVE-2017-8309 +Cc: P J P <ppandit@redhat.com> +Cc: Huawei PSIRT <PSIRT@huawei.com> +Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-id: 20170428075612.9997-1-kraxel@redhat.com +--- + audio/audio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/audio/audio.c b/audio/audio.c +index c8898d8422..beafed209b 100644 +--- a/audio/audio.c ++++ b/audio/audio.c +@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque) + sw = sw1; + } + QLIST_REMOVE (cap, entries); ++ g_free (cap->hw.mix_buf); ++ g_free (cap->buf); + g_free (cap); + } + return; +-- +2.13.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-8379.patch b/gnu/packages/patches/qemu-CVE-2017-8379.patch new file mode 100644 index 0000000000..200b133d3e --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-8379.patch @@ -0,0 +1,98 @@ +Fix CVE-2017-8379: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8379 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=fa18f36a461984eae50ab957e47ec78dae3c14fc + +From fa18f36a461984eae50ab957e47ec78dae3c14fc Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Fri, 28 Apr 2017 10:42:37 +0200 +Subject: [PATCH] input: limit kbd queue depth + +Apply a limit to the number of items we accept into the keyboard queue. + +Impact: Without this limit vnc clients can exhaust host memory by +sending keyboard events faster than qemu feeds them to the guest. + +Fixes: CVE-2017-8379 +Cc: P J P <ppandit@redhat.com> +Cc: Huawei PSIRT <PSIRT@huawei.com> +Reported-by: jiangxin1@huawei.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-id: 20170428084237.23960-1-kraxel@redhat.com +--- + ui/input.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ui/input.c b/ui/input.c +index ed88cda6d6..fb1f404095 100644 +--- a/ui/input.c ++++ b/ui/input.c +@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue = + QTAILQ_HEAD_INITIALIZER(kbd_queue); + static QEMUTimer *kbd_timer; + static uint32_t kbd_default_delay_ms = 10; ++static uint32_t queue_count; ++static uint32_t queue_limit = 1024; + + QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev, + QemuInputHandler *handler) +@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque) + break; + } + QTAILQ_REMOVE(queue, item, node); ++ queue_count--; + g_free(item); + } + } +@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue, + item->delay_ms = delay_ms; + item->timer = timer; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + + if (start_timer) { + timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL) +@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue, + item->src = src; + item->evt = evt; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + } + + static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) +@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue) + + item->type = QEMU_INPUT_QUEUE_SYNC; + QTAILQ_INSERT_TAIL(queue, item, node); ++ queue_count++; + } + + void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt) +@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down) + qemu_input_event_send(src, evt); + qemu_input_event_sync(); + qapi_free_InputEvent(evt); +- } else { ++ } else if (queue_count < queue_limit) { + qemu_input_queue_event(&kbd_queue, src, evt); + qemu_input_queue_sync(&kbd_queue); + } +@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms) + kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process, + &kbd_queue); + } +- qemu_input_queue_delay(&kbd_queue, kbd_timer, +- delay_ms ? delay_ms : kbd_default_delay_ms); ++ if (queue_count < queue_limit) { ++ qemu_input_queue_delay(&kbd_queue, kbd_timer, ++ delay_ms ? delay_ms : kbd_default_delay_ms); ++ } + } + + InputEvent *qemu_input_event_new_btn(InputButton btn, bool down) +-- +2.13.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-8380.patch b/gnu/packages/patches/qemu-CVE-2017-8380.patch new file mode 100644 index 0000000000..65e49fc885 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-8380.patch @@ -0,0 +1,53 @@ +Fix CVE-2017-8380: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8380 + +Patch copied from upstream source repository: + +http://git.qemu.org/?p=qemu.git;a=commitdiff;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f + +From 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Mon, 24 Apr 2017 17:36:34 +0530 +Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write + +While reading magic sequence(MFI_SEQ) in megasas_mmio_write, +an off-by-one error could occur as 's->adp_reset' index is not +reset after reading the last sequence. + +Reported-by: YY Z <bigbird475958471@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20170424120634.12268-1-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + hw/scsi/megasas.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 84b8caf901..804122ab05 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr, + case MFI_SEQ: + trace_megasas_mmio_writel("MFI_SEQ", val); + /* Magic sequence to start ADP reset */ +- if (adp_reset_seq[s->adp_reset] == val) { +- s->adp_reset++; ++ if (adp_reset_seq[s->adp_reset++] == val) { ++ if (s->adp_reset == 6) { ++ s->adp_reset = 0; ++ s->diag = MFI_DIAG_WRITE_ENABLE; ++ } + } else { + s->adp_reset = 0; + s->diag = 0; + } +- if (s->adp_reset == 6) { +- s->diag = MFI_DIAG_WRITE_ENABLE; +- } + break; + case MFI_DIAG: + trace_megasas_mmio_writel("MFI_DIAG", val); +-- +2.13.0 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 0734b6d0f7..31354b25d7 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -74,7 +74,11 @@ (method url-fetch) (uri (string-append "http://wiki.qemu-project.org/download/qemu-" version ".tar.xz")) - (patches (search-patches "qemu-CVE-2017-7493.patch")) + (patches (search-patches "qemu-CVE-2017-7493.patch" + "qemu-CVE-2017-8112.patch" + "qemu-CVE-2017-8309.patch" + "qemu-CVE-2017-8379.patch" + "qemu-CVE-2017-8380.patch")) (sha256 (base32 "08mhfs0ndbkyqgw7fjaa9vjxf4dinrly656f6hjzvmaz7hzc677h")))) |