authorbsiegert <bsiegert>2016-11-07 19:11:35 +0000
committerbsiegert <bsiegert>2016-11-07 19:11:35 +0000
commit79156f2bc1e8759cf4ab07836c8c6319db929803 (patch)
treeec328cdcc1e199485566616d584abe25fede3095
parent0ff671f3b0b6788dca6a919945851c3b14c8f4c5 (diff)
downloadpkgsrc-79156f2bc1e8759cf4ab07836c8c6319db929803.tar.gz
Pullup ticket #5146 - requested by spz
emulators/qemu: security fix Revisions pulled up: - emulators/qemu/Makefile 1.156 - emulators/qemu/distinfo 1.118 - emulators/qemu/patches/patch-CVE-2016-7423 1.1 - emulators/qemu/patches/patch-CVE-2016-7907 1.1 - emulators/qemu/patches/patch-CVE-2016-7908 1.1 - emulators/qemu/patches/patch-CVE-2016-7909 1.1 --- Module Name: pkgsrc Committed By: spz Date: Sun Oct 30 14:48:01 UTC 2016 Modified Files: pkgsrc/emulators/qemu: Makefile distinfo Added Files: pkgsrc/emulators/qemu/patches: patch-CVE-2016-7423 patch-CVE-2016-7907 patch-CVE-2016-7908 patch-CVE-2016-7909 Log Message: add patches for CVE-2016-7423 and CVE-2016-790[789] from upstream
-rw-r--r--emulators/qemu/Makefile3
-rw-r--r--emulators/qemu/distinfo6
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-742325
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-790741
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-790843
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-790929
6 files changed, 145 insertions, 2 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index e0c2c4a4cf8..0367fddf4b9 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.154 2016/09/04 09:21:04 ryoon Exp $
+# $NetBSD: Makefile,v 1.154.2.1 2016/11/07 19:11:35 bsiegert Exp $
DISTNAME= qemu-2.7.0
CATEGORIES= emulators
MASTER_SITES= http://wiki.qemu.org/download/
EXTRACT_SUFX= .tar.bz2
+PKGREVISION= 1
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.qemu.org/
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index 7eca250bd5c..cceb52de252 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,9 +1,13 @@
-$NetBSD: distinfo,v 1.117 2016/09/04 09:21:04 ryoon Exp $
+$NetBSD: distinfo,v 1.117.2.1 2016/11/07 19:11:35 bsiegert Exp $
SHA1 (qemu-2.7.0.tar.bz2) = 96737d31a2fb74553dacbd0ddaa93014858dc986
RMD160 (qemu-2.7.0.tar.bz2) = cc962261a4f7b05ace8c16027bda770a89322cd3
SHA512 (qemu-2.7.0.tar.bz2) = 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db
Size (qemu-2.7.0.tar.bz2) = 26867760 bytes
+SHA1 (patch-CVE-2016-7423) = 1e126226adb90bfc335fa4dfbdb0365271ca1db3
+SHA1 (patch-CVE-2016-7907) = 3645de0cc1685966261be1847bad14a354c75326
+SHA1 (patch-CVE-2016-7908) = 09c1a30af90a1b9cb2b381401b760a861ce10765
+SHA1 (patch-CVE-2016-7909) = 26ed8d3bbcb8463d4d2c7e28c76aa75518a8c528
SHA1 (patch-Makefile.objs) = f40deeed5482a24369e898411bb611be418dc3ca
SHA1 (patch-configure) = 9eb469dc5be1d7c6b4ee69e8ee61e6ab8d542112
SHA1 (patch-default-configs_pci.mak) = 2162550a68de514c8fe9e255df88f8a0a07ee6c7
diff --git a/emulators/qemu/patches/patch-CVE-2016-7423 b/emulators/qemu/patches/patch-CVE-2016-7423
new file mode 100644
index 00000000000..c4d42627700
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7423
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2016-7423,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
+
+scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+
+--- hw/scsi/mptsas.c.orig 2016-09-02 15:34:20.000000000 +0000
++++ hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_reques
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
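Review bot: The switch to `g_new0` in the inner hunk makes `req->sreq` NULL rather than uninitialized on the `goto bad` paths that run before it is assigned, but the hunk carries no comment, so a later change back to `g_new` would silently reintroduce the fault; a comment such as `/* zeroed: mptsas_free_request reads req->sreq on error paths that run before it is set */` at the allocation would record the dependency. Whether `mptsas_free_request` tolerates a NULL `sreq` cannot be confirmed here, since both that function and the remainder of `mptsas_process_scsi_io_request` lie outside the hunk. The only evidence on the page is the patch header's description, so the comment should be checked against the called function before it is worded as a guarantee.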
diff --git a/emulators/qemu/patches/patch-CVE-2016-7907 b/emulators/qemu/patches/patch-CVE-2016-7907
new file mode 100644
index 00000000000..578385948a5
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7907
@@ -0,0 +1,41 @@
+$NetBSD: patch-CVE-2016-7907,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html
+
+From: Prasad J Pandit <address@hidden>
+
+i.MX Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set an upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/imx_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/imx_fec.c
+@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_
+ #define PHY_INT_PARFAULT (1 << 2)
+ #define PHY_INT_AUTONEG_PAGE (1 << 1)
+
++#define IMX_MAX_DESC 1024
++
+ static void imx_eth_update(IMXFECState *s);
+
+ /*
+@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *
+
+ static void imx_fec_do_tx(IMXFECState *s)
+ {
+- int frame_size = 0;
++ int frame_size = 0, descnt = 0;
+ uint8_t frame[ENET_MAX_FRAME_SIZE];
+ uint8_t *ptr = frame;
+ uint32_t addr = s->tx_descriptor;
+
+- while (1) {
++ while (descnt++ < IMX_MAX_DESC) {
+ IMXFECBufDesc bd;
+ int len;
+
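Review bot: `#define IMX_MAX_DESC 1024` in the first inner hunk is an undocumented bound; a comment such as `/* upper bound on descriptors walked per transmit; stops a crafted zero-length descriptor chain from looping forever */` would record why it exists and why 1024 was chosen. When the bound is reached, `imx_fec_do_tx` leaves the `while (descnt++ < IMX_MAX_DESC)` loop with a partially assembled frame and emits no diagnostic, so a guest exercising this path is indistinguishable from normal traffic in the host's logs; the rest of the function is outside the hunk, so whether the abandoned frame is handled is not visible here. The same pattern and the same missing comment appear in patch-CVE-2016-7908 (`FEC_MAX_DESC` in `mcf_fec_do_tx`). This patch cites a mailing-list posting rather than a merged commit, so the form eventually merged upstream may differ from what is applied here and should be compared on the next update.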
diff --git a/emulators/qemu/patches/patch-CVE-2016-7908 b/emulators/qemu/patches/patch-CVE-2016-7908
new file mode 100644
index 00000000000..c88d5c33712
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7908
@@ -0,0 +1,43 @@
+$NetBSD: patch-CVE-2016-7908,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=070c4b92b8cd5390889716677a0b92444d6e087a
+
+net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+
+--- hw/net/mcf_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_AR
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ uint32_t addr;
+ mcf_fec_bd bd;
+ int frame_size;
+- int len;
++ int len, descnt = 0;
+ uint8_t frame[FEC_MAX_FRAME_SIZE];
+ uint8_t *ptr;
+
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ ptr = frame;
+ frame_size = 0;
+ addr = s->tx_descriptor;
+- while (1) {
++ while (descnt++ < FEC_MAX_DESC) {
+ mcf_fec_read_bd(&bd, addr);
+ DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+ addr, bd.flags, bd.length, bd.data);
diff --git a/emulators/qemu/patches/patch-CVE-2016-7909 b/emulators/qemu/patches/patch-CVE-2016-7909
new file mode 100644
index 00000000000..8a645fdf8b8
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7909
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2016-7909,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07942.html
+
+From: Prasad J Pandit <address@hidden>
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr. Add check to avoid it.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/pcnet.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState
+ case 47: /* POLLINT */
+ case 72:
+ case 74:
++ break;
+ case 76: /* RCVRL */
+ case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+ case 112:
+ if (CSR_STOP(s) || CSR_SPND(s))
+ break;
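Review bot: The two added `break;` statements in the inner hunk change more than the description states: before the patch, writes to CSR47/72/74/76/78 fell through into the `CSR_STOP(s) || CSR_SPND(s)` gate under `case 112`, and after it they are accepted unconditionally, so the device's running/stopped state no longer restricts updates to these registers. If that is intended, a comment such as `/* ring lengths may be rewritten while running; 0 is invalid and is replaced by the 512 default */` above `case 76:` would record both the relaxed gating and the meaning of the `512` constant. The description says the ring length ranges from 1 to 65535, but the hunk only rejects zero; whether `val` is narrowed to 16 bits before it reaches `pcnet_rdra_addr` is outside the hunk, as is the rest of `pcnet_csr_writew`. As with patch-CVE-2016-7907, the header cites a mailing-list posting rather than a merged commit, so the final upstream form should be compared on the next update.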