diff --git a/gnu/local.mk b/gnu/local.mk index 526756f08e..0e705511e5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -809,6 +809,9 @@ dist_patch_DATA = \ %D%/packages/patches/python-paste-remove-website-test.patch \ %D%/packages/patches/python-paste-remove-timing-test.patch \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ + %D%/packages/patches/qemu-CVE-2016-8576.patch \ + %D%/packages/patches/qemu-CVE-2016-8577.patch \ + %D%/packages/patches/qemu-CVE-2016-8578.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2016-8576.patch b/gnu/packages/patches/qemu-CVE-2016-8576.patch new file mode 100644 index 0000000000..5031b59d81 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-8576.patch @@ -0,0 +1,62 @@ +From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Fri, 7 Oct 2016 10:15:29 +0200 +Subject: [PATCH] xhci: limit the number of link trbs we are willing to process + +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-xhci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 726435c..ee4fa48 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -54,6 +54,8 @@ + * to the specs when it gets them */ + #define ER_FULL_HACK + ++#define TRB_LINK_LIMIT 4 ++ + #define LEN_CAP 0x40 + #define LEN_OPER (0x400 + 0x10 * MAXPORTS) + #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) +@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + dma_addr_t *addr) + { + PCIDevice *pci_dev = PCI_DEVICE(xhci); ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + ring->dequeue += TRB_SIZE; + return type; + } else { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return 0; ++ } + ring->dequeue = xhci_mask64(trb->parameter); + if (trb->control & TRB_LK_TC) { + ring->ccs = !ring->ccs; +@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + bool ccs = ring->ccs; + /* hack to bundle together the two/three TDs that make a setup transfer */ + bool control_td_set = 0; ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + type = TRB_TYPE(trb); + + if (type == TR_LINK) { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return -length; ++ } + dequeue = xhci_mask64(trb.parameter); + if (trb.control & TRB_LK_TC) { + ccs = !ccs; +-- +1.8.3.1 + diff --git a/gnu/packages/patches/qemu-CVE-2016-8577.patch b/gnu/packages/patches/qemu-CVE-2016-8577.patch new file mode 100644 index 0000000000..c4132d2fb1 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-8577.patch @@ -0,0 +1,36 @@ +Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read +From: Li Qiang + +In 9pfs read dispatch function, it doesn't free two QEMUIOVector +object thus causing potential memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +--- + hw/9pfs/9p.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 119ee58..543a791 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque) + if (len < 0) { + /* IO error return the error */ + err = len; +- goto out; ++ goto out_free_iovec; + } + } while (count < max_count && len > 0); + err = pdu_marshal(pdu, offset, "d", count); + if (err < 0) { +- goto out; ++ goto out_free_iovec; + } + err += offset + count; ++out_free_iovec: + qemu_iovec_destroy(&qiov); + qemu_iovec_destroy(&qiov_full); + } else if (fidp->fid_type == P9_FID_XATTR) { +-- +1.8.3.1 + diff --git a/gnu/packages/patches/qemu-CVE-2016-8578.patch b/gnu/packages/patches/qemu-CVE-2016-8578.patch new file mode 100644 index 0000000000..92ba365727 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-8578.patch @@ -0,0 +1,27 @@ +From: Li Qiang + +In 9pfs function v9fs_iov_vunmarshal, it will not allocate space +for empty string. This will cause several NULL pointer dereference +issues. this patch fix this issue. + +Signed-off-by: Li Qiang +--- + fsdev/9p-iov-marshal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c +index 663cad5..1d16f8d 100644 +--- a/fsdev/9p-iov-marshal.c ++++ b/fsdev/9p-iov-marshal.c +@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, + str->data = g_malloc(str->size + 1); + copied = v9fs_unpack(str->data, out_sg, out_num, offset, + str->size); +- if (copied > 0) { ++ if (copied >= 0) { + str->data[str->size] = 0; + } else { + v9fs_string_free(str); +-- +1.8.3.1 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index aee6a75f0e..9bf8c3afbd 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -76,7 +76,10 @@ version ".tar.bz2")) (sha256 (base32 - "0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij")))) + "0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij")) + (patches (search-patches "qemu-CVE-2016-8576.patch" + "qemu-CVE-2016-8577.patch" + "qemu-CVE-2016-8578.patch")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: