authortron <tron@pkgsrc.org>2014-05-16 16:01:22 +0000
committertron <tron@pkgsrc.org>2014-05-16 16:01:22 +0000
commitb8a9a812fbc9ecfd48ffb46c19804b42c39c16c7 (patch)
treed2fd82b517cc4f72822a32d52fd32ee9a6d49447
parentb7fd95b4ba393c4a1f656990c87e9e65534bf269 (diff)
downloadpkgsrc-b8a9a812fbc9ecfd48ffb46c19804b42c39c16c7.tar.gz
Pullup ticket #4408 - requested by wiz
emulators/qemu: security update Revisions pulled up: - emulators/qemu/Makefile patch - emulators/qemu/PLIST patch - emulators/qemu/distinfo patch - emulators/qemu/patches/patch-hw_virtio_virtio.c patch - emulators/qemu/patches/patch-include_exec_softmmu__template.h patch --- Apply patch to update qemu package to version 2.0.0nb2 which fixes multiple security vulnerabilities.
-rw-r--r--emulators/qemu/Makefile9
-rw-r--r--emulators/qemu/PLIST5
-rw-r--r--emulators/qemu/distinfo10
-rw-r--r--emulators/qemu/patches/patch-hw_virtio_virtio.c69
-rw-r--r--emulators/qemu/patches/patch-include_exec_softmmu__template.h36
5 files changed, 83 insertions, 46 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index 7319507b96c..2ac07cbb87a 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.122 2014/01/25 10:30:07 wiz Exp $
+# $NetBSD: Makefile,v 1.122.2.1 2014/05/16 16:01:22 tron Exp $
-DISTNAME= qemu-1.7.0
+DISTNAME= qemu-2.0.0
+PKGREVISION= 2
CATEGORIES= emulators
MASTER_SITES= http://wiki.qemu.org/download/
EXTRACT_SUFX= .tar.bz2
@@ -11,10 +12,10 @@ COMMENT= CPU emulator using dynamic translation
LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2.1 AND mit AND modified-bsd
CONFLICTS+= qemu-bin-[0-9]*
-NOT_FOR_PLATFORM= NetBSD-1.[0-6]*-*
+NOT_FOR_PLATFORM+= NetBSD-1.[0-6]*-*
# qemu 1 does not work on NetBSD-5; see http://gnats.netbsd.org/46565.
# As a workaround, use emulators/qemu0.
-NOT_FOR_PLATFORM= NetBSD-5*-*
+NOT_FOR_PLATFORM+= NetBSD-5*-*
USE_TOOLS+= bison gmake makeinfo perl:build pkg-config
USE_NCURSES= yes # requires resize_term()
diff --git a/emulators/qemu/PLIST b/emulators/qemu/PLIST
index aafb70949a0..469837e8c27 100644
--- a/emulators/qemu/PLIST
+++ b/emulators/qemu/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.37 2014/01/15 18:26:20 wiz Exp $
+@comment $NetBSD: PLIST,v 1.37.2.1 2014/05/16 16:01:22 tron Exp $
${PLIST.alpha}bin/qemu-alpha
${PLIST.arm}bin/qemu-arm
${PLIST.armeb}bin/qemu-armeb
@@ -24,6 +24,7 @@ ${PLIST.sparc}bin/qemu-sparc
${PLIST.sparc32plus}bin/qemu-sparc32plus
${PLIST.sparc64}bin/qemu-sparc64
${PLIST.unicore32}bin/qemu-unicore32
+bin/qemu-system-aarch64
bin/qemu-system-alpha
bin/qemu-system-arm
bin/qemu-system-cris
@@ -59,9 +60,11 @@ share/doc/qemu/qemu-doc.html
share/doc/qemu/qemu-tech.html
share/doc/qemu/qmp-commands.txt
share/examples/qemu/target-x86_64.conf
+share/qemu/QEMU,cgthree.bin
share/qemu/QEMU,tcx.bin
share/qemu/acpi-dsdt.aml
share/qemu/bamboo.dtb
+share/qemu/bios-256k.bin
share/qemu/bios.bin
share/qemu/efi-e1000.rom
share/qemu/efi-eepro100.rom
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index 03dbd620c68..21c3efdba1f 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.92 2014/01/15 18:26:20 wiz Exp $
+$NetBSD: distinfo,v 1.92.2.1 2014/05/16 16:01:22 tron Exp $
-SHA1 (qemu-1.7.0.tar.bz2) = 4b5a21a614207e74a61659f7a6edecad6c31be95
-RMD160 (qemu-1.7.0.tar.bz2) = 0d16f3e59219ebd88177b827ba3d4874cbe9aff2
-Size (qemu-1.7.0.tar.bz2) = 12248954 bytes
+SHA1 (qemu-2.0.0.tar.bz2) = cc24a60a93ba697057a67b6a7224b95627eaf1a6
+RMD160 (qemu-2.0.0.tar.bz2) = ecd05e036431c14930ae2455a032495dd7ebaf85
+Size (qemu-2.0.0.tar.bz2) = 12839647 bytes
SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a
SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127
SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
@@ -10,7 +10,7 @@ SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
SHA1 (patch-hw_ppc_mac__newworld.c) = 9a0ec3ba0b6da2879fdaba6a7937fb16a02685f5
SHA1 (patch-hw_ppc_mac__oldworld.c) = 46322c77c87be6d517c43466325c344db99cd463
-SHA1 (patch-include_exec_softmmu__template.h) = 65f5ab7c3c66bb28323769974cb3d65170d0e70d
+SHA1 (patch-hw_virtio_virtio.c) = 9aa4553a4eda81fb014b116c2207ec4b59265fca
SHA1 (patch-memory.c) = 14df9c835ca318fc79a8d3a46bb94d2f229277cc
SHA1 (patch-slirp_tcp__subr.c) = cfc8289384fa987289e32b64532c13a83a890820
SHA1 (patch-user-exec.c) = eb83832c7c9e5f69313f8cad2c2f77b304072556
diff --git a/emulators/qemu/patches/patch-hw_virtio_virtio.c b/emulators/qemu/patches/patch-hw_virtio_virtio.c
new file mode 100644
index 00000000000..29b7eb2f8fd
--- /dev/null
+++ b/emulators/qemu/patches/patch-hw_virtio_virtio.c
@@ -0,0 +1,69 @@
+$NetBSD: patch-hw_virtio_virtio.c,v 1.1.2.2 2014/05/16 16:01:22 tron Exp $
+
+Fixes for
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4151
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4535
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4536
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6399
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0182
+from upstream git.
+
+--- hw/virtio/virtio.c.orig 2014-04-17 13:44:44.000000000 +0000
++++ hw/virtio/virtio.c
+@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg,
+ unsigned int i;
+ hwaddr len;
+
++ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
++ error_report("virtio: map attempt out of bounds: %zd > %d",
++ num_sg, VIRTQUEUE_MAX_SIZE);
++ exit(1);
++ }
++
+ for (i = 0; i < num_sg; i++) {
+ len = sg[i].iov_len;
+ sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
+@@ -891,7 +897,9 @@ int virtio_set_features(VirtIODevice *vd
+
+ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ {
+- int num, i, ret;
++ int i, ret;
++ int32_t config_len;
++ uint32_t num;
+ uint32_t features;
+ uint32_t supported_features;
+ BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
+@@ -906,6 +914,9 @@ int virtio_load(VirtIODevice *vdev, QEMU
+ qemu_get_8s(f, &vdev->status);
+ qemu_get_8s(f, &vdev->isr);
+ qemu_get_be16s(f, &vdev->queue_sel);
++ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
++ return -1;
++ }
+ qemu_get_be32s(f, &features);
+
+ if (virtio_set_features(vdev, features) < 0) {
+@@ -914,11 +925,21 @@ int virtio_load(VirtIODevice *vdev, QEMU
+ features, supported_features);
+ return -1;
+ }
+- vdev->config_len = qemu_get_be32(f);
++ config_len = qemu_get_be32(f);
++ if (config_len != vdev->config_len) {
++ error_report("Unexpected config length 0x%x. Expected 0x%zx",
++ config_len, vdev->config_len);
++ return -1;
++ }
+ qemu_get_buffer(f, vdev->config, vdev->config_len);
+
+ num = qemu_get_be32(f);
+
++ if (num > VIRTIO_PCI_QUEUE_MAX) {
++ error_report("Invalid number of PCI queues: 0x%x", num);
++ return -1;
++ }
++
+ for (i = 0; i < num; i++) {
+ vdev->vq[i].vring.num = qemu_get_be32(f);
+ if (k->has_variable_vring_alignment) {
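Review bot: In the embedded virtqueue_map_sg hunk the guard tests `num_sg >= VIRTQUEUE_MAX_SIZE` while its message prints `%zd > %d`, so a request of exactly VIRTQUEUE_MAX_SIZE entries terminates the process with a log line that reads as if the limit had not been exceeded. The loop below only touches `sg[0]` through `sg[num_sg - 1]`, so if the callers' arrays hold VIRTQUEUE_MAX_SIZE elements (not visible here) the check could be `if (num_sg > VIRTQUEUE_MAX_SIZE) {`, and otherwise the message should say `>=`; `num_sg` is also printed with `%zd`, and if it is a `size_t` (the signature is truncated in the hunk header) `%zu` is the matching specifier. In virtio_load the new `queue_sel` check returns -1 without an `error_report`, unlike the config-length and queue-count checks, which makes a rejected migration stream harder to diagnose; a line such as `error_report("Invalid queue_sel: 0x%x", vdev->queue_sel);` before the return would match the other two. The `for (i = 0; i < num; i++)` loop continues past the end of the hunk, so whether the `vring.num` value read from the stream is range-checked before use cannot be judged from here and is worth confirming in the full file.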
diff --git a/emulators/qemu/patches/patch-include_exec_softmmu__template.h b/emulators/qemu/patches/patch-include_exec_softmmu__template.h
index d054d2730b2..e69de29bb2d 100644
--- a/emulators/qemu/patches/patch-include_exec_softmmu__template.h
+++ b/emulators/qemu/patches/patch-include_exec_softmmu__template.h
@@ -1,36 +0,0 @@
-$NetBSD: patch-include_exec_softmmu__template.h,v 1.1 2014/01/15 18:26:20 wiz Exp $
-
-On NetBSD, uintNN_t types are defined as __uintNN_t
-so concatenations "u ## intNN_t" won't work as expected.
-
---- include/exec/softmmu_template.h.orig 2013-11-27 22:15:55.000000000 +0000
-+++ include/exec/softmmu_template.h
-@@ -30,24 +30,26 @@
- #define SUFFIX q
- #define LSUFFIX q
- #define SDATA_TYPE int64_t
-+#define DATA_TYPE uint64_t
- #elif DATA_SIZE == 4
- #define SUFFIX l
- #define LSUFFIX l
- #define SDATA_TYPE int32_t
-+#define DATA_TYPE uint32_t
- #elif DATA_SIZE == 2
- #define SUFFIX w
- #define LSUFFIX uw
- #define SDATA_TYPE int16_t
-+#define DATA_TYPE uint16_t
- #elif DATA_SIZE == 1
- #define SUFFIX b
- #define LSUFFIX ub
- #define SDATA_TYPE int8_t
-+#define DATA_TYPE uint8_t
- #else
- #error unsupported data size
- #endif
-
--#define DATA_TYPE glue(u, SDATA_TYPE)
--
- /* For the benefit of TCG generated code, we want to avoid the complication
- of ABI-specific return type promotion and always return a value extended
- to the register size of the host. This is tcg_target_long, except in the