pkgsrc-Changes-HG archive
[pkgsrc/pkgsrc-2016Q3]: pkgsrc/emulators/qemu Pullup ticket #5146 - requested...
details: https://anonhg.NetBSD.org/pkgsrc/rev/367fe8c50ed1
branches: pkgsrc-2016Q3
changeset: 408812:367fe8c50ed1
user: bsiegert <bsiegert%pkgsrc.org@localhost>
date: Mon Nov 07 19:11:35 2016 +0000
description:
Pullup ticket #5146 - requested by spz
emulators/qemu: security fix
Revisions pulled up:
- emulators/qemu/Makefile 1.156
- emulators/qemu/distinfo 1.118
- emulators/qemu/patches/patch-CVE-2016-7423 1.1
- emulators/qemu/patches/patch-CVE-2016-7907 1.1
- emulators/qemu/patches/patch-CVE-2016-7908 1.1
- emulators/qemu/patches/patch-CVE-2016-7909 1.1
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Oct 30 14:48:01 UTC 2016
Modified Files:
pkgsrc/emulators/qemu: Makefile distinfo
Added Files:
pkgsrc/emulators/qemu/patches: patch-CVE-2016-7423 patch-CVE-2016-7907
patch-CVE-2016-7908 patch-CVE-2016-7909
Log Message:
add patches for CVE-2016-7423 and CVE-2016-790[789] from upstream
diffstat:
emulators/qemu/Makefile | 3 +-
emulators/qemu/distinfo | 6 +++-
emulators/qemu/patches/patch-CVE-2016-7423 | 25 +++++++++++++++++
emulators/qemu/patches/patch-CVE-2016-7907 | 41 ++++++++++++++++++++++++++++
emulators/qemu/patches/patch-CVE-2016-7908 | 43 ++++++++++++++++++++++++++++++
emulators/qemu/patches/patch-CVE-2016-7909 | 29 ++++++++++++++++++++
6 files changed, 145 insertions(+), 2 deletions(-)
diffs (187 lines):
diff -r 1fde57cdd24f -r 367fe8c50ed1 emulators/qemu/Makefile
--- a/emulators/qemu/Makefile Sat Nov 05 10:25:09 2016 +0000
+++ b/emulators/qemu/Makefile Mon Nov 07 19:11:35 2016 +0000
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.154 2016/09/04 09:21:04 ryoon Exp $
+# $NetBSD: Makefile,v 1.154.2.1 2016/11/07 19:11:35 bsiegert Exp $
DISTNAME= qemu-2.7.0
CATEGORIES= emulators
MASTER_SITES= http://wiki.qemu.org/download/
EXTRACT_SUFX= .tar.bz2
+PKGREVISION= 1
MAINTAINER= pkgsrc-users%NetBSD.org@localhost
HOMEPAGE= http://www.qemu.org/
diff -r 1fde57cdd24f -r 367fe8c50ed1 emulators/qemu/distinfo
--- a/emulators/qemu/distinfo Sat Nov 05 10:25:09 2016 +0000
+++ b/emulators/qemu/distinfo Mon Nov 07 19:11:35 2016 +0000
@@ -1,9 +1,13 @@
-$NetBSD: distinfo,v 1.117 2016/09/04 09:21:04 ryoon Exp $
+$NetBSD: distinfo,v 1.117.2.1 2016/11/07 19:11:35 bsiegert Exp $
SHA1 (qemu-2.7.0.tar.bz2) = 96737d31a2fb74553dacbd0ddaa93014858dc986
RMD160 (qemu-2.7.0.tar.bz2) = cc962261a4f7b05ace8c16027bda770a89322cd3
SHA512 (qemu-2.7.0.tar.bz2) = 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db
Size (qemu-2.7.0.tar.bz2) = 26867760 bytes
+SHA1 (patch-CVE-2016-7423) = 1e126226adb90bfc335fa4dfbdb0365271ca1db3
+SHA1 (patch-CVE-2016-7907) = 3645de0cc1685966261be1847bad14a354c75326
+SHA1 (patch-CVE-2016-7908) = 09c1a30af90a1b9cb2b381401b760a861ce10765
+SHA1 (patch-CVE-2016-7909) = 26ed8d3bbcb8463d4d2c7e28c76aa75518a8c528
SHA1 (patch-Makefile.objs) = f40deeed5482a24369e898411bb611be418dc3ca
SHA1 (patch-configure) = 9eb469dc5be1d7c6b4ee69e8ee61e6ab8d542112
SHA1 (patch-default-configs_pci.mak) = 2162550a68de514c8fe9e255df88f8a0a07ee6c7
diff -r 1fde57cdd24f -r 367fe8c50ed1 emulators/qemu/patches/patch-CVE-2016-7423
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/emulators/qemu/patches/patch-CVE-2016-7423 Mon Nov 07 19:11:35 2016 +0000
@@ -0,0 +1,25 @@
+$NetBSD: patch-CVE-2016-7423,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
+
+scsi: mptsas: use g_new0 to allocate MPTSASRequest object
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <liqiang6-s%360.cn@localhost>
+
+--- hw/scsi/mptsas.c.orig 2016-09-02 15:34:20.000000000 +0000
++++ hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_reques
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
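Review bot: The switch to `req = g_new0(MPTSASRequest, 1);` only closes the hole if the cleanup path treats a zeroed `req->sreq` as "not allocated". mptsas_free_request is not part of this hunk, so confirm that it tests `req->sreq` for NULL before using it. The context also shows `QTAILQ_INSERT_TAIL(&s->pending, req, next);` running before the fields are filled in, so check that every early error path unlinks `req` from `s->pending` before freeing it. A one-line comment at the allocation saying the zeroing is required by the error path would keep a later cleanup from turning it back into g_new.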
diff -r 1fde57cdd24f -r 367fe8c50ed1 emulators/qemu/patches/patch-CVE-2016-7907
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/emulators/qemu/patches/patch-CVE-2016-7907 Mon Nov 07 19:11:35 2016 +0000
@@ -0,0 +1,41 @@
+$NetBSD: patch-CVE-2016-7907,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html
+
+From: Prasad J Pandit <address@hidden>
+
+i.MX Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set an upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/imx_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/imx_fec.c
+@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_
+ #define PHY_INT_PARFAULT (1 << 2)
+ #define PHY_INT_AUTONEG_PAGE (1 << 1)
+
++#define IMX_MAX_DESC 1024
++
+ static void imx_eth_update(IMXFECState *s);
+
+ /*
+@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *
+
+ static void imx_fec_do_tx(IMXFECState *s)
+ {
+- int frame_size = 0;
++ int frame_size = 0, descnt = 0;
+ uint8_t frame[ENET_MAX_FRAME_SIZE];
+ uint8_t *ptr = frame;
+ uint32_t addr = s->tx_descriptor;
+
+- while (1) {
++ while (descnt++ < IMX_MAX_DESC) {
+ IMXFECBufDesc bd;
+ int len;
+
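Review bot: In imx_fec_do_tx, `while (descnt++ < IMX_MAX_DESC)` ends the descriptor walk silently after 1024 reads. The hunk stops before the code that follows the loop, so it cannot be seen from here what happens to a partially assembled `frame` or to `s->tx_descriptor` when the cap is what ended the loop. That path needs a look. `#define IMX_MAX_DESC 1024` should carry a comment saying where the number comes from. The "from:" reference is a qemu-devel list posting rather than a commit id, unlike patch-CVE-2016-7423. Once an upstream commit exists it should replace the list URL, so the patch can be matched and dropped at the next version update.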
diff -r 1fde57cdd24f -r 367fe8c50ed1 emulators/qemu/patches/patch-CVE-2016-7908
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/emulators/qemu/patches/patch-CVE-2016-7908 Mon Nov 07 19:11:35 2016 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-CVE-2016-7908,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=070c4b92b8cd5390889716677a0b92444d6e087a
+
+net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s%360.cn@localhost>
+
+--- hw/net/mcf_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_AR
+ #define DPRINTF(fmt, ...) do {} while(0)
+ #endif
+
++#define FEC_MAX_DESC 1024
+ #define FEC_MAX_FRAME_SIZE 2032
+
+ typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ uint32_t addr;
+ mcf_fec_bd bd;
+ int frame_size;
+- int len;
++ int len, descnt = 0;
+ uint8_t frame[FEC_MAX_FRAME_SIZE];
+ uint8_t *ptr;
+
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state
+ ptr = frame;
+ frame_size = 0;
+ addr = s->tx_descriptor;
+- while (1) {
++ while (descnt++ < FEC_MAX_DESC) {
+ mcf_fec_read_bd(&bd, addr);
+ DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+ addr, bd.flags, bd.length, bd.data);
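Review bot: In mcf_fec_do_tx, reaching the cap in `while (descnt++ < FEC_MAX_DESC)` looks the same to the rest of the function as a normal end of the descriptor chain, so a guest that hits it leaves no trace. The file already defines DPRINTF. Assuming nothing in the loop body touches `descnt`, it is greater than FEC_MAX_DESC only on the cap exit, because of the post-increment in the condition. A debug message after the loop under that test would make the cap visible when debugging. A short comment on `#define FEC_MAX_DESC 1024` explaining the choice of limit would help as well.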
diff -r 1fde57cdd24f -r 367fe8c50ed1 emulators/qemu/patches/patch-CVE-2016-7909
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/emulators/qemu/patches/patch-CVE-2016-7909 Mon Nov 07 19:11:35 2016 +0000
@@ -0,0 +1,29 @@
+$NetBSD: patch-CVE-2016-7909,v 1.1.2.2 2016/11/07 19:11:35 bsiegert Exp $
+
+from:
+https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07942.html
+
+From: Prasad J Pandit <address@hidden>
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr. Add check to avoid it.
+
+Reported-by: Li Qiang <address@hidden>
+
+--- hw/net/pcnet.c.orig 2016-09-02 15:34:19.000000000 +0000
++++ hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState
+ case 47: /* POLLINT */
+ case 72:
+ case 74:
++ break;
+ case 76: /* RCVRL */
+ case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+ case 112:
+ if (CSR_STOP(s) || CSR_SPND(s))
+ break;
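Review bot: The two added `break;` lines in pcnet_csr_writew change more than the zero-length case. Before the patch, cases 47, 72, 74, 76 and 78 fell through to `case 112:` and its `if (CSR_STOP(s) || CSR_SPND(s))` test. With the patch all five leave the switch unconditionally, so that gate no longer applies to writes to them. If the intent is only to keep a zero ring length out of CSR76/CSR78, place the `case 76:` / `case 78:` labels with `val = (val > 0) ? val : 512;` ahead of the labels that share the case 112 check, end that arm with a fall-through comment instead of `break;`, and drop the `break;` after `case 74:`. The substitute value 512 also needs a comment. The description gives the valid range as 1 to 65535 but does not say why zero maps to 512.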