summaryrefslogtreecommitdiff
path: root/emulators
diff options
context:
space:
mode:
authorspz <spz@pkgsrc.org>2016-10-30 14:48:00 +0000
committerspz <spz@pkgsrc.org>2016-10-30 14:48:00 +0000
commit7554d771c089b663ac6904fe70084f04df423b00 (patch)
tree7d1dfcf224846f2dd1927eefdd9dbc969dca198d /emulators
parent143864733c84055128734ff068c3937c60d11700 (diff)
downloadpkgsrc-7554d771c089b663ac6904fe70084f04df423b00.tar.gz
add patches for CVE-2016-7423 and CVE-2016-790[789] from upstream
Diffstat (limited to 'emulators')
-rw-r--r--emulators/qemu/Makefile3
-rw-r--r--emulators/qemu/distinfo6
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-742325
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-790741
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-790843
-rw-r--r--emulators/qemu/patches/patch-CVE-2016-790929
6 files changed, 145 insertions, 2 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index df8602c4b19..a3627ad7f57 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.155 2016/10/04 15:00:08 kamil Exp $
+# $NetBSD: Makefile,v 1.156 2016/10/30 14:48:00 spz Exp $
DISTNAME= qemu-2.7.0
CATEGORIES= emulators
MASTER_SITES= http://wiki.qemu.org/download/
EXTRACT_SUFX= .tar.bz2
+PKGREVISION= 1
MAINTAINER= pkgsrc-users@NetBSD.org
HOMEPAGE= http://www.qemu.org/
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index 7eca250bd5c..4f089d64744 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,9 +1,13 @@
-$NetBSD: distinfo,v 1.117 2016/09/04 09:21:04 ryoon Exp $
+$NetBSD: distinfo,v 1.118 2016/10/30 14:48:00 spz Exp $
SHA1 (qemu-2.7.0.tar.bz2) = 96737d31a2fb74553dacbd0ddaa93014858dc986
RMD160 (qemu-2.7.0.tar.bz2) = cc962261a4f7b05ace8c16027bda770a89322cd3
SHA512 (qemu-2.7.0.tar.bz2) = 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db
Size (qemu-2.7.0.tar.bz2) = 26867760 bytes
+SHA1 (patch-CVE-2016-7423) = 1e126226adb90bfc335fa4dfbdb0365271ca1db3
+SHA1 (patch-CVE-2016-7907) = 3645de0cc1685966261be1847bad14a354c75326
+SHA1 (patch-CVE-2016-7908) = 09c1a30af90a1b9cb2b381401b760a861ce10765
+SHA1 (patch-CVE-2016-7909) = 26ed8d3bbcb8463d4d2c7e28c76aa75518a8c528
SHA1 (patch-Makefile.objs) = f40deeed5482a24369e898411bb611be418dc3ca
SHA1 (patch-configure) = 9eb469dc5be1d7c6b4ee69e8ee61e6ab8d542112
SHA1 (patch-default-configs_pci.mak) = 2162550a68de514c8fe9e255df88f8a0a07ee6c7
diff --git a/emulators/qemu/patches/patch-CVE-2016-7423 b/emulators/qemu/patches/patch-CVE-2016-7423
new file mode 100644
index 00000000000..00e66581ec7
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7423
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2016-7423,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
+
+scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+
+--- hw/scsi/mptsas.c.orig 2016-09-02 15:34:20.000000000 +0000
++++ hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_reques
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
diff --git a/emulators/qemu/patches/patch-CVE-2016-7907 b/emulators/qemu/patches/patch-CVE-2016-7907
new file mode 100644
index 00000000000..cdffc685634
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7907
@@ -0,0 +1,41 @@
+$NetBSD: patch-CVE-2016-7907,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html
+
+From: Prasad J Pandit <address@hidden>
+
+i.MX Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set an upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/imx_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/imx_fec.c
+@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_
+ #define PHY_INT_PARFAULT (1 << 2)
+ #define PHY_INT_AUTONEG_PAGE (1 << 1)
+
++#define IMX_MAX_DESC 1024
++
+ static void imx_eth_update(IMXFECState *s);
+
+ /*
+@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *
+
+ static void imx_fec_do_tx(IMXFECState *s)
+ {
+- int frame_size = 0;
++ int frame_size = 0, descnt = 0;
+ uint8_t frame[ENET_MAX_FRAME_SIZE];
+ uint8_t *ptr = frame;
+ uint32_t addr = s->tx_descriptor;
+
+- while (1) {
++ while (descnt++ < IMX_MAX_DESC) {
+ IMXFECBufDesc bd;
+ int len;
+
diff --git a/emulators/qemu/patches/patch-CVE-2016-7908 b/emulators/qemu/patches/patch-CVE-2016-7908
new file mode 100644
index 00000000000..a0b0a47158b
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7908
@@ -0,0 +1,43 @@
+$NetBSD: patch-CVE-2016-7908,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=070c4b92b8cd5390889716677a0b92444d6e087a
+
+net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+
+--- hw/net/mcf_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_AR
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ uint32_t addr;
+ mcf_fec_bd bd;
+ int frame_size;
+- int len;
++ int len, descnt = 0;
+ uint8_t frame[FEC_MAX_FRAME_SIZE];
+ uint8_t *ptr;
+
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ ptr = frame;
+ frame_size = 0;
+ addr = s->tx_descriptor;
+- while (1) {
++ while (descnt++ < FEC_MAX_DESC) {
+ mcf_fec_read_bd(&bd, addr);
+ DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+ addr, bd.flags, bd.length, bd.data);
diff --git a/emulators/qemu/patches/patch-CVE-2016-7909 b/emulators/qemu/patches/patch-CVE-2016-7909
new file mode 100644
index 00000000000..65042aa0d05
--- /dev/null
+++ b/emulators/qemu/patches/patch-CVE-2016-7909
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2016-7909,v 1.1 2016/10/30 14:48:00 spz Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07942.html
+
+From: Prasad J Pandit <address@hidden>
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr. Add check to avoid it.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/pcnet.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState
+ case 47: /* POLLINT */
+ case 72:
+ case 74:
++ break;
+ case 76: /* RCVRL */
+ case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+ case 112:
+ if (CSR_STOP(s) || CSR_SPND(s))
+ break;