summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--gnu-system.am6
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-3456.patch85
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch76
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch28
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch71
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5158.patch45
-rw-r--r--gnu/packages/patches/qemu-CVE-2015-5745.patch32
-rw-r--r--gnu/packages/qemu.scm10
8 files changed, 36 insertions, 317 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 9f46f7b7e4..147abfc0d6 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -607,7 +607,6 @@ dist_patch_DATA =						\
   gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch	\
   gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
   gnu/packages/patches/qemu-CVE-2015-3209.patch			\
-  gnu/packages/patches/qemu-CVE-2015-3456.patch			\
   gnu/packages/patches/qemu-CVE-2015-4037.patch			\
   gnu/packages/patches/qemu-CVE-2015-4103.patch			\
   gnu/packages/patches/qemu-CVE-2015-4104.patch			\
@@ -620,10 +619,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/qemu-CVE-2015-4106-pt6.patch		\
   gnu/packages/patches/qemu-CVE-2015-4106-pt7.patch		\
   gnu/packages/patches/qemu-CVE-2015-4106-pt8.patch		\
-  gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch		\
-  gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch		\
-  gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch		\
-  gnu/packages/patches/qemu-CVE-2015-5158.patch			\
+  gnu/packages/patches/qemu-CVE-2015-5745.patch			\
   gnu/packages/patches/qt4-ldflags.patch			\
   gnu/packages/patches/qt4-tests.patch				\
   gnu/packages/patches/qt5-runpath.patch			\
diff --git a/gnu/packages/patches/qemu-CVE-2015-3456.patch b/gnu/packages/patches/qemu-CVE-2015-3456.patch
deleted file mode 100644
index 9514f7c3e5..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated
- buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
----
- hw/block/fdc.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
-     FDrive *cur_drv;
-     uint32_t retval = 0;
--    int pos;
-+    uint32_t pos;
- 
-     cur_drv = get_cur_drv(fdctrl);
-     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-         return 0;
-     }
-     pos = fdctrl->data_pos;
-+    pos %= FD_SECTOR_LEN;
-     if (fdctrl->msr & FD_MSR_NONDMA) {
--        pos %= FD_SECTOR_LEN;
-         if (pos == 0) {
-             if (fdctrl->data_pos != 0)
-                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
-     FDrive *cur_drv = get_cur_drv(fdctrl);
-+    uint32_t pos;
- 
--    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+    pos = fdctrl->data_pos - 1;
-+    pos %= FD_SECTOR_LEN;
-+    if (fdctrl->fifo[pos] & 0x80) {
-         /* Command parameters done */
--        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+        if (fdctrl->fifo[pos] & 0x40) {
-             fdctrl->fifo[0] = fdctrl->fifo[1];
-             fdctrl->fifo[2] = 0;
-             fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
-     FDrive *cur_drv;
--    int pos;
-+    uint32_t pos;
- 
-     /* Reset mode */
-     if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-     }
- 
-     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
--    fdctrl->fifo[fdctrl->data_pos++] = value;
-+    pos = fdctrl->data_pos++;
-+    pos %= FD_SECTOR_LEN;
-+    fdctrl->fifo[pos] = value;
-     if (fdctrl->data_pos == fdctrl->data_len) {
-         /* We now have all parameters
-          * and will be able to treat the command
--- 
-2.2.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch
deleted file mode 100644
index 8a41848ddf..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt1.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:13:31 +0200
-Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
- (CVE-2015-5154)
-
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 122e955..44fcc23 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 2 > s->data_end) {
-+        return;
-+    }
-+
-     *(uint16_t *)p = le16_to_cpu(val);
-     p += 2;
-     s->data_ptr = p;
-@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 2 > s->data_end) {
-+        return 0;
-+    }
-+
-     ret = cpu_to_le16(*(uint16_t *)p);
-     p += 2;
-     s->data_ptr = p;
-@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 4 > s->data_end) {
-+        return;
-+    }
-+
-     *(uint32_t *)p = le32_to_cpu(val);
-     p += 4;
-     s->data_ptr = p;
-@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
-     }
- 
-     p = s->data_ptr;
-+    if (p + 4 > s->data_end) {
-+        return 0;
-+    }
-+
-     ret = cpu_to_le32(*(uint32_t *)p);
-     p += 4;
-     s->data_ptr = p;
--- 
-1.8.3.1
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch
deleted file mode 100644
index f860cfa3db..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt2.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:17:46 +0200
-Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
-
-The command must be completed on all code paths. START STOP UNIT with
-pwrcnd set should succeed without doing anything.
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/atapi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 950e311..79dd167 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
-
-     if (pwrcnd) {
-         /* eject/load only happens for power condition == 0 */
-+        ide_atapi_cmd_ok(s);
-         return;
-     }
-
---
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch b/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch
deleted file mode 100644
index 3ade9b1600..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5154-pt3.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 3 Jun 2015 14:41:27 +0200
-Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
-
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- hw/ide/core.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 44fcc23..50449ca 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
-     *(uint16_t *)p = le16_to_cpu(val);
-     p += 2;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
- }
-
- uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
-     ret = cpu_to_le16(*(uint16_t *)p);
-     p += 2;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
-     return ret;
- }
-
-@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
-     *(uint32_t *)p = le32_to_cpu(val);
-     p += 4;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
- }
-
- uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
-     ret = cpu_to_le32(*(uint32_t *)p);
-     p += 4;
-     s->data_ptr = p;
--    if (p >= s->data_end)
-+    if (p >= s->data_end) {
-+        s->status &= ~DRQ_STAT;
-         s->end_transfer_func(s);
-+    }
-     return ret;
- }
-
---
-1.8.3.1
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5158.patch b/gnu/packages/patches/qemu-CVE-2015-5158.patch
deleted file mode 100644
index bedbfc8fa4..0000000000
--- a/gnu/packages/patches/qemu-CVE-2015-5158.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-c170aad8b057223b1139d72e5ce7acceafab4fa9
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date:   Tue Jul 21 08:59:39 2015 +0200
-
-    scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
-    
-    This is a guest-triggerable buffer overflow present in QEMU 2.2.0
-    and newer.  scsi_cdb_length returns -1 as an error value, but the
-    caller does not check it.
-    
-    Luckily, the massive overflow means that QEMU will just SIGSEGV,
-    making the impact much smaller.
-    
-    Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
-    Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
-    Reviewed-by: Fam Zheng <famz@redhat.com>
-    Cc: qemu-stable@nongnu.org
-    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-1 file changed, 6 insertions(+), 1 deletion(-)
- hw/scsi/scsi-bus.c | 7 ++++++-
-
-	Modified   hw/scsi/scsi-bus.c
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index f50b2f0..f0ae462 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
- int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
- {
-     int rc;
-+    int len;
- 
-     cmd->lba = -1;
--    cmd->len = scsi_cdb_length(buf);
-+    len = scsi_cdb_length(buf);
-+    if (len < 0) {
-+        return -1;
-+    }
- 
-+    cmd->len = len;
-     switch (dev->type) {
-     case TYPE_TAPE:
-         rc = scsi_req_stream_xfer(cmd, dev, buf);
-
diff --git a/gnu/packages/patches/qemu-CVE-2015-5745.patch b/gnu/packages/patches/qemu-CVE-2015-5745.patch
new file mode 100644
index 0000000000..2326279026
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2015-5745.patch
@@ -0,0 +1,32 @@
+From 7882080388be5088e72c425b02223c02e6cb4295 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Thu, 23 Jul 2015 17:52:02 +0300
+Subject: [PATCH] virtio-serial: fix ANY_LAYOUT
+
+Don't assume a specific layout for control messages.
+Required by virtio 1.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Reviewed-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/char/virtio-serial-bus.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/char/virtio-serial-bus.c b/hw/char/virtio-serial-bus.c
+index 78c73e5..929e49c 100644
+--- a/hw/char/virtio-serial-bus.c
++++ b/hw/char/virtio-serial-bus.c
+@@ -195,7 +195,8 @@ static size_t send_control_msg(VirtIOSerial *vser, void *buf, size_t len)
+         return 0;
+     }
+ 
+-    memcpy(elem.in_sg[0].iov_base, buf, len);
++    /* TODO: detect a buffer that's too short, set NEEDS_RESET */
++    iov_from_buf(elem.in_sg, elem.in_num, 0, buf, len);
+ 
+     virtqueue_push(vq, &elem, len);
+     virtio_notify(VIRTIO_DEVICE(vser), vq);
+-- 
+2.4.3
+
diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm
index 6979655122..b2ef95d03b 100644
--- a/gnu/packages/qemu.scm
+++ b/gnu/packages/qemu.scm
@@ -44,16 +44,15 @@
   ;; This is QEMU without GUI support.
   (package
     (name "qemu-headless")
-    (version "2.3.0")
+    (version "2.3.1")
     (source (origin
              (method url-fetch)
              (uri (string-append "http://wiki.qemu-project.org/download/qemu-"
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "120m53c3p28qxmfzllicjzr8syjv6v4d9rsyrgkp7gnmcgvvgfmn"))
+               "0px1vhkglxzjdxkkqln98znv832n1sn79g5inh3aw72216c047b6"))
              (patches (map search-patch '("qemu-CVE-2015-3209.patch"
-                                          "qemu-CVE-2015-3456.patch"
                                           "qemu-CVE-2015-4037.patch"
                                           "qemu-CVE-2015-4103.patch"
                                           "qemu-CVE-2015-4104.patch"
@@ -66,10 +65,7 @@
                                           "qemu-CVE-2015-4106-pt6.patch"
                                           "qemu-CVE-2015-4106-pt7.patch"
                                           "qemu-CVE-2015-4106-pt8.patch"
-                                          "qemu-CVE-2015-5154-pt1.patch"
-                                          "qemu-CVE-2015-5154-pt2.patch"
-                                          "qemu-CVE-2015-5154-pt3.patch"
-                                          "qemu-CVE-2015-5158.patch")))))
+                                          "qemu-CVE-2015-5745.patch")))))
     (build-system gnu-build-system)
     (arguments
      '(#:phases (alist-replace