diff options
| author | Efraim Flashner <efraim@flashner.co.il> | 2017-02-03 21:53:14 +0200 |
|---|---|---|
| committer | Efraim Flashner <efraim@flashner.co.il> | 2017-02-03 21:56:35 +0200 |
| commit | b352b57655197d335e4dddcbc837e44a38b646b8 (patch) | |
| tree | f96323950b361f68ed0b44162e91ce55d9afbf9d /gnu/packages/patches/qemu-CVE-2017-2615.patch | |
| parent | 3e9750c368cb2d0b02e3546083273f29b3cdb948 (diff) | |
| download | guix-b352b57655197d335e4dddcbc837e44a38b646b8.tar.gz | |
gnu: qemu: Patch CVE-2017-{2615, 5578, 5579, 5856}.
* gnu/packages/qemu.scm (qemu)[source]: Add patches. * gnu/packages/patches/qemu-CVE-2017-2615, gnu/packages/patches/qemu-CVE-2017-5578, gnu/packages/patches/qemu-CVE-2017-5579, gnu/packages/patches/qemu-CVE-2017-5856: New files. * gnu/local.mk (dist_patch_DATA): Register them.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-2615.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-2615.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-2615.patch b/gnu/packages/patches/qemu-CVE-2017-2615.patch new file mode 100644 index 0000000000..ede1f8c89d --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-2615.patch @@ -0,0 +1,52 @@ +http://git.qemu.org/?p=qemu.git;a=patch;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64 +this patch is from qemu-git. + + +From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Wed, 1 Feb 2017 09:35:01 +0100 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +Cc: qemu-stable@nongnu.org +Cc: P J P <ppandit@redhat.com> +Cc: Laszlo Ersek <lersek@redhat.com> +Cc: Paolo Bonzini <pbonzini@redhat.com> +Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek <lersek@redhat.com> +--- + hw/display/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 7db6409dc5..16f27e8ac5 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + { + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max > s->vga.vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vga.vram_size) { + return true; + } + } else { +-- +2.11.0 + |