author | spz <spz@pkgsrc.org> | 2016-10-30 14:48:00 +0000 |
---|---|---|
committer | spz <spz@pkgsrc.org> | 2016-10-30 14:48:00 +0000 |
commit | 7554d771c089b663ac6904fe70084f04df423b00 (patch) | |
tree | 7d1dfcf224846f2dd1927eefdd9dbc969dca198d /emulators/qemu | |
parent | 143864733c84055128734ff068c3937c60d11700 (diff) | |
add patches for CVE-2016-7423 and CVE-2016-790[789] from upstream
Diffstat (limited to 'emulators/qemu')
-rw-r--r-- | emulators/qemu/Makefile | 3 | ||||
-rw-r--r-- | emulators/qemu/distinfo | 6 | ||||
-rw-r--r-- | emulators/qemu/patches/patch-CVE-2016-7423 | 25 | ||||
-rw-r--r-- | emulators/qemu/patches/patch-CVE-2016-7907 | 41 | ||||
-rw-r--r-- | emulators/qemu/patches/patch-CVE-2016-7908 | 43 | ||||
-rw-r--r-- | emulators/qemu/patches/patch-CVE-2016-7909 | 29 |
6 files changed, 145 insertions, 2 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index df8602c4b19..a3627ad7f57 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.155 2016/10/04 15:00:08 kamil Exp $
+# $NetBSD: Makefile,v 1.156 2016/10/30 14:48:00 spz Exp $
 DISTNAME= qemu-2.7.0
 CATEGORIES= emulators
 MASTER_SITES= http://wiki.qemu.org/download/
 EXTRACT_SUFX= .tar.bz2
+PKGREVISION= 1
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.qemu.org/
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index 7eca250bd5c..4f089d64744 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,9 +1,13 @@
-$NetBSD: distinfo,v 1.117 2016/09/04 09:21:04 ryoon Exp $
+$NetBSD: distinfo,v 1.118 2016/10/30 14:48:00 spz Exp $
 SHA1 (qemu-2.7.0.tar.bz2) = 96737d31a2fb74553dacbd0ddaa93014858dc986
 RMD160 (qemu-2.7.0.tar.bz2) = cc962261a4f7b05ace8c16027bda770a89322cd3
 SHA512 (qemu-2.7.0.tar.bz2) = 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db
 Size (qemu-2.7.0.tar.bz2) = 26867760 bytes
+SHA1 (patch-CVE-2016-7423) = 1e126226adb90bfc335fa4dfbdb0365271ca1db3
+SHA1 (patch-CVE-2016-7907) = 3645de0cc1685966261be1847bad14a354c75326
+SHA1 (patch-CVE-2016-7908) = 09c1a30af90a1b9cb2b381401b760a861ce10765
+SHA1 (patch-CVE-2016-7909) = 26ed8d3bbcb8463d4d2c7e28c76aa75518a8c528
 SHA1 (patch-Makefile.objs) = f40deeed5482a24369e898411bb611be418dc3ca
 SHA1 (patch-configure) = 9eb469dc5be1d7c6b4ee69e8ee61e6ab8d542112
 SHA1 (patch-default-configs_pci.mak) = 2162550a68de514c8fe9e255df88f8a0a07ee6c7
diff --git a/emulators/qemu/patches/patch-CVE-2016-7423 b/emulators/qemu/patches/patch-CVE-2016-7423
new file mode 100644
index 00000000000..00e66581ec7
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7423
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2016-7423,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
+
+scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+
+--- hw/scsi/mptsas.c.orig 2016-09-02 15:34:20.000000000 +0000
++++ hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_reques
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
diff --git a/emulators/qemu/patches/patch-CVE-2016-7907 b/emulators/qemu/patches/patch-CVE-2016-7907
new file mode 100644
index 00000000000..cdffc685634
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7907
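Review bot: The switch to `g_new0` in mptsas_process_scsi_io_request is load-bearing for the error path, but nothing at the allocation says so. Per the patch description, mptsas_free_request can run before `req->sreq` is set, so the zero-fill is what keeps that field NULL; a later change back to `g_new` or `g_malloc` would silently reintroduce the out-of-bounds write. I would add `/* g_new0: mptsas_free_request() may run before sreq is set and must see NULL */` above the allocation. The function body continues outside the hunk, so the exact error paths are not visible here.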
@@ -0,0 +1,41 @@
+$NetBSD: patch-CVE-2016-7907,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html
+
+From: Prasad J Pandit <address@hidden>
+
+i.MX Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set an upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/imx_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/imx_fec.c
+@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_
+ #define PHY_INT_PARFAULT (1 << 2)
+ #define PHY_INT_AUTONEG_PAGE (1 << 1)
+
++#define IMX_MAX_DESC 1024
++
+ static void imx_eth_update(IMXFECState *s);
+
+ /*
+@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *
+
+ static void imx_fec_do_tx(IMXFECState *s)
+ {
+- int frame_size = 0;
++ int frame_size = 0, descnt = 0;
+ uint8_t frame[ENET_MAX_FRAME_SIZE];
+ uint8_t *ptr = frame;
+ uint32_t addr = s->tx_descriptor;
+
+- while (1) {
++ while (descnt++ < IMX_MAX_DESC) {
+ IMXFECBufDesc bd;
+ int len;
+
diff --git a/emulators/qemu/patches/patch-CVE-2016-7908 b/emulators/qemu/patches/patch-CVE-2016-7908
new file mode 100644
index 00000000000..a0b0a47158b
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7908
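Review bot: Hitting the new cap in `while (descnt++ < IMX_MAX_DESC)` is indistinguishable from a normal end of the ring: the loop simply stops, leaving no trace that the guest supplied a descriptor ring that never terminated. The same applies to `while (descnt++ < FEC_MAX_DESC)` in the mcf_fec.c patch. Since the cap should only trigger on a malformed or hostile ring, a guest-error log after the loop when the counter exceeds the limit (for example via `qemu_log_mask(LOG_GUEST_ERROR, ...)`, if that header is available in these files) would make the condition visible to operators. The bare `1024` also deserves a comment such as `/* upper bound on TX descriptors walked per call; stops endless walks over zero-length descriptors */`. Both loop bodies continue outside the hunks, so what runs after the loop is not visible here.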
@@ -0,0 +1,43 @@
+$NetBSD: patch-CVE-2016-7908,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=070c4b92b8cd5390889716677a0b92444d6e087a
+
+net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+
+--- hw/net/mcf_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_AR
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ uint32_t addr;
+ mcf_fec_bd bd;
+ int frame_size;
+- int len;
++ int len, descnt = 0;
+ uint8_t frame[FEC_MAX_FRAME_SIZE];
+ uint8_t *ptr;
+
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ ptr = frame;
+ frame_size = 0;
+ addr = s->tx_descriptor;
+- while (1) {
++ while (descnt++ < FEC_MAX_DESC) {
+ mcf_fec_read_bd(&bd, addr);
+ DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+ addr, bd.flags, bd.length, bd.data);
diff --git a/emulators/qemu/patches/patch-CVE-2016-7909 b/emulators/qemu/patches/patch-CVE-2016-7909
new file mode 100644
index 00000000000..65042aa0d05
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7909
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2016-7909,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07942.html
+
+From: Prasad J Pandit <address@hidden>
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr. Add check to avoid it.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/pcnet.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState
+ case 47: /* POLLINT */
+ case 72:
+ case 74:
++ break;
+ case 76: /* RCVRL */
+ case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+ case 112:
+ if (CSR_STOP(s) || CSR_SPND(s))
+ break; |
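Review bot: The two added `break;` statements in pcnet_csr_writew change more than the zero-length case: CSR 47, 72, 74, 76 and 78 used to fall through into `case 112`, whose first visible statement is `if (CSR_STOP(s) || CSR_SPND(s)) break;`, and they now leave the switch before reaching it. If that check gates register writes on the device being stopped or suspended (the rest of case 112 is outside the hunk, so this is inferred), the ring lengths can now be rewritten while the device is running. Should the gate be meant to stay, keep the clamp and the fall-through with `val = (val > 0) ? val : 512; /* fall through */` and drop the `break;` after `case 74:`. The substitute value `512` would also benefit from a short comment saying why a zero ring length maps to it.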