From b8a9a812fbc9ecfd48ffb46c19804b42c39c16c7 Mon Sep 17 00:00:00 2001
From: tron
Date: Fri, 16 May 2014 16:01:22 +0000
Subject: Pullup ticket #4408 - requested by wiz
emulators/qemu: security update
Revisions pulled up:
- emulators/qemu/Makefile patch
- emulators/qemu/PLIST patch
- emulators/qemu/distinfo patch
- emulators/qemu/patches/patch-hw_virtio_virtio.c patch
- emulators/qemu/patches/patch-include_exec_softmmu__template.h patch
---
Apply patch to update qemu package to version 2.0.0nb2 which fixes multiple security vulnerabilities.
---
 emulators/qemu/Makefile | 9 +--
 emulators/qemu/PLIST | 5 +-
 emulators/qemu/distinfo | 10 ++--
 emulators/qemu/patches/patch-hw_virtio_virtio.c | 69 ++++++++++++++++++++++
 .../patches/patch-include_exec_softmmu__template.h | 36 -----------
 5 files changed, 83 insertions(+), 46 deletions(-)
 create mode 100644 emulators/qemu/patches/patch-hw_virtio_virtio.c
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index 7319507b96c..2ac07cbb87a 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.122 2014/01/25 10:30:07 wiz Exp $
+# $NetBSD: Makefile,v 1.122.2.1 2014/05/16 16:01:22 tron Exp $
-DISTNAME= qemu-1.7.0
+DISTNAME= qemu-2.0.0
+PKGREVISION= 2
 CATEGORIES= emulators
 MASTER_SITES= http://wiki.qemu.org/download/
 EXTRACT_SUFX= .tar.bz2
@@ -11,10 +12,10 @@ COMMENT= CPU emulator using dynamic translation
 LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2.1 AND mit AND modified-bsd
 CONFLICTS+= qemu-bin-[0-9]*
-NOT_FOR_PLATFORM= NetBSD-1.[0-6]*-*
+NOT_FOR_PLATFORM+= NetBSD-1.[0-6]*-*
 # qemu 1 does not work on NetBSD-5; see http://gnats.netbsd.org/46565.
 # As a workaround, use emulators/qemu0.
-NOT_FOR_PLATFORM= NetBSD-5*-*
+NOT_FOR_PLATFORM+= NetBSD-5*-*
 USE_TOOLS+= bison gmake makeinfo perl:build pkg-config
 USE_NCURSES= yes # requires resize_term()
diff --git a/emulators/qemu/PLIST b/emulators/qemu/PLIST
index aafb70949a0..469837e8c27 100644
--- a/emulators/qemu/PLIST
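Review bot: The context comment kept in the second Makefile hunk, `# qemu 1 does not work on NetBSD-5; see http://gnats.netbsd.org/46565.`, still talks about qemu 1 while the first hunk moves DISTNAME to qemu-2.0.0, so a reader cannot tell whether the NetBSD-5 exclusion was re-checked against 2.0.0 or just carried over. Changing both assignments to `NOT_FOR_PLATFORM+=` is correct, since with two plain `=` assignments the second silently replaced the first. It would help to state the status of PR 46565 for the new version, e.g. `# qemu 1.x and 2.0.0 do not work on NetBSD-5; see http://gnats.netbsd.org/46565.` if it was verified, or a note that 2.0.0 is untested there otherwise.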
+++ b/emulators/qemu/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.37 2014/01/15 18:26:20 wiz Exp $
+@comment $NetBSD: PLIST,v 1.37.2.1 2014/05/16 16:01:22 tron Exp $
 ${PLIST.alpha}bin/qemu-alpha
 ${PLIST.arm}bin/qemu-arm
 ${PLIST.armeb}bin/qemu-armeb
@@ -24,6 +24,7 @@ ${PLIST.sparc}bin/qemu-sparc
 ${PLIST.sparc32plus}bin/qemu-sparc32plus
 ${PLIST.sparc64}bin/qemu-sparc64
 ${PLIST.unicore32}bin/qemu-unicore32
+bin/qemu-system-aarch64
 bin/qemu-system-alpha
 bin/qemu-system-arm
 bin/qemu-system-cris
@@ -59,9 +60,11 @@ share/doc/qemu/qemu-doc.html
 share/doc/qemu/qemu-tech.html
 share/doc/qemu/qmp-commands.txt
 share/examples/qemu/target-x86_64.conf
+share/qemu/QEMU,cgthree.bin
 share/qemu/QEMU,tcx.bin
 share/qemu/acpi-dsdt.aml
 share/qemu/bamboo.dtb
+share/qemu/bios-256k.bin
 share/qemu/bios.bin
 share/qemu/efi-e1000.rom
 share/qemu/efi-eepro100.rom
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index 03dbd620c68..21c3efdba1f 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.92 2014/01/15 18:26:20 wiz Exp $
+$NetBSD: distinfo,v 1.92.2.1 2014/05/16 16:01:22 tron Exp $
-SHA1 (qemu-1.7.0.tar.bz2) = 4b5a21a614207e74a61659f7a6edecad6c31be95
-RMD160 (qemu-1.7.0.tar.bz2) = 0d16f3e59219ebd88177b827ba3d4874cbe9aff2
-Size (qemu-1.7.0.tar.bz2) = 12248954 bytes
+SHA1 (qemu-2.0.0.tar.bz2) = cc24a60a93ba697057a67b6a7224b95627eaf1a6
+RMD160 (qemu-2.0.0.tar.bz2) = ecd05e036431c14930ae2455a032495dd7ebaf85
+Size (qemu-2.0.0.tar.bz2) = 12839647 bytes
 SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a
 SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127
 SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
@@ -10,7 +10,7 @@ SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
 SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
 SHA1 (patch-hw_ppc_mac__newworld.c) = 9a0ec3ba0b6da2879fdaba6a7937fb16a02685f5
 SHA1 (patch-hw_ppc_mac__oldworld.c) = 46322c77c87be6d517c43466325c344db99cd463
-SHA1 (patch-include_exec_softmmu__template.h) = 65f5ab7c3c66bb28323769974cb3d65170d0e70d
+SHA1 (patch-hw_virtio_virtio.c) = 9aa4553a4eda81fb014b116c2207ec4b59265fca
 SHA1 (patch-memory.c) = 14df9c835ca318fc79a8d3a46bb94d2f229277cc
 SHA1 (patch-slirp_tcp__subr.c) = cfc8289384fa987289e32b64532c13a83a890820
 SHA1 (patch-user-exec.c) = eb83832c7c9e5f69313f8cad2c2f77b304072556
diff --git a/emulators/qemu/patches/patch-hw_virtio_virtio.c b/emulators/qemu/patches/patch-hw_virtio_virtio.c
new file mode 100644
index 00000000000..29b7eb2f8fd
--- /dev/null
+++ b/emulators/qemu/patches/patch-hw_virtio_virtio.c
@@ -0,0 +1,69 @@
+$NetBSD: patch-hw_virtio_virtio.c,v 1.1.2.2 2014/05/16 16:01:22 tron Exp $
+
+Fixes for
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4151
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4535
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4536
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6399
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0182
+from upstream git.
+
+--- hw/virtio/virtio.c.orig 2014-04-17 13:44:44.000000000 +0000
++++ hw/virtio/virtio.c
+@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg,
+ unsigned int i;
+ hwaddr len;
+
++ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
++ error_report("virtio: map attempt out of bounds: %zd > %d",
++ num_sg, VIRTQUEUE_MAX_SIZE);
++ exit(1);
++ }
++
+ for (i = 0; i < num_sg; i++) {
+ len = sg[i].iov_len;
+ sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);
+@@ -891,7 +897,9 @@ int virtio_set_features(VirtIODevice *vd
+
+ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
+ {
+- int num, i, ret;
++ int i, ret;
++ int32_t config_len;
++ uint32_t num;
+ uint32_t features;
+ uint32_t supported_features;
+ BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
+@@ -906,6 +914,9 @@ int virtio_load(VirtIODevice *vdev, QEMU
+ qemu_get_8s(f, &vdev->status);
+ qemu_get_8s(f, &vdev->isr);
+ qemu_get_be16s(f, &vdev->queue_sel);
++ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
++ return -1;
++ }
+ qemu_get_be32s(f, &features);
+
+ if (virtio_set_features(vdev, features) < 0) {
+@@ -914,11 +925,21 @@ int virtio_load(VirtIODevice *vdev, QEMU
+ features, supported_features);
+ return -1;
+ }
+- vdev->config_len = qemu_get_be32(f);
++ config_len = qemu_get_be32(f);
++ if (config_len != vdev->config_len) {
++ error_report("Unexpected config length 0x%x. 
Expected 0x%zx",
++ config_len, vdev->config_len);
++ return -1;
++ }
+ qemu_get_buffer(f, vdev->config, vdev->config_len);
+
+ num = qemu_get_be32(f);
+
++ if (num > VIRTIO_PCI_QUEUE_MAX) {
++ error_report("Invalid number of PCI queues: 0x%x", num);
++ return -1;
++ }
++
+ for (i = 0; i < num; i++) {
+ vdev->vq[i].vring.num = qemu_get_be32(f);
+ if (k->has_variable_vring_alignment) {
diff --git a/emulators/qemu/patches/patch-include_exec_softmmu__template.h b/emulators/qemu/patches/patch-include_exec_softmmu__template.h
index d054d2730b2..e69de29bb2d 100644
--- a/emulators/qemu/patches/patch-include_exec_softmmu__template.h
+++ b/emulators/qemu/patches/patch-include_exec_softmmu__template.h
@@ -1,36 +0,0 @@
-$NetBSD: patch-include_exec_softmmu__template.h,v 1.1 2014/01/15 18:26:20 wiz Exp $
-
-On NetBSD, uintNN_t types are defined as __uintNN_t
-so concatenations "u ## intNN_t" won't work as expected.
-
---- include/exec/softmmu_template.h.orig 2013-11-27 22:15:55.000000000 +0000
-+++ include/exec/softmmu_template.h
-@@ -30,24 +30,26 @@
- #define SUFFIX q
- #define LSUFFIX q
- #define SDATA_TYPE int64_t
-+#define DATA_TYPE uint64_t
- #elif DATA_SIZE == 4
- #define SUFFIX l
- #define LSUFFIX l
- #define SDATA_TYPE int32_t
-+#define DATA_TYPE uint32_t
- #elif DATA_SIZE == 2
- #define SUFFIX w
- #define LSUFFIX uw
- #define SDATA_TYPE int16_t
-+#define DATA_TYPE uint16_t
- #elif DATA_SIZE == 1
- #define SUFFIX b
- #define LSUFFIX ub
- #define SDATA_TYPE int8_t
-+#define DATA_TYPE uint8_t
- #else
- #error unsupported data size
- #endif
-
--#define DATA_TYPE glue(u, SDATA_TYPE)
--
- /* For the benefit of TCG generated code, we want to avoid the complication
- of ABI-specific return type promotion and always return a value extended
- to the register size of the host. This is tcg_target_long, except in the
-- cgit v1.2.3
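Review bot: The guard in the first embedded hunk, `if (num_sg >= VIRTQUEUE_MAX_SIZE)`, disagrees with its own message `"%zd > %d"` at the boundary: a call with exactly VIRTQUEUE_MAX_SIZE entries is rejected but reported as `>`. Which side is right depends on the capacity of the `sg`/`addr` arrays, which is not in the hunk; if they hold VIRTQUEUE_MAX_SIZE entries the condition should be `num_sg > VIRTQUEUE_MAX_SIZE`, otherwise the message should read `>=`. The virtqueue_map_sg signature is cut off at the inner hunk header, so the type of num_sg is not visible; `%zd` expects a signed size-type argument and should be `%zu` if num_sg is size_t. In virtio_load, `config_len` is declared `int32_t` but compared with `vdev->config_len`, which the `%zx` format implies is size_t, so the comparison is signed/unsigned (a negative value converts to a large size_t and is still rejected, so the check holds, but `uint32_t config_len;` would make that intent explicit and avoid a -Wsign-compare warning). Both virtqueue_map_sg and virtio_load start and end outside the embedded hunks.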