From 8ba237a280cf4a16e6ae41e9ba5d42cab852f1b4 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Sun, 22 Jan 2017 13:40:44 +0200 Subject: gnu: qemu: Patch CVE-2016-10155, CVE-2017-5552. * gnu/packages/qemu.scm (qemu)[source]: Add patches. * gnu/packages/patches/qemu-CVE-2016-10155.patch, gnu/packages/patches/qemu-CVE-2017-5552.patch: New files. * gnu/local.mk (dist_patch_DATA): Register them. --- gnu/local.mk | 2 ++ gnu/packages/patches/qemu-CVE-2016-10155.patch | 49 ++++++++++++++++++++++++++ gnu/packages/patches/qemu-CVE-2017-5552.patch | 44 +++++++++++++++++++++++ gnu/packages/qemu.scm | 6 ++-- 4 files changed, 99 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/qemu-CVE-2016-10155.patch create mode 100644 gnu/packages/patches/qemu-CVE-2017-5552.patch diff --git a/gnu/local.mk b/gnu/local.mk index c2e7d49fb9..d321824ece 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -853,8 +853,10 @@ dist_patch_DATA = \ %D%/packages/patches/python-pycrypto-CVE-2013-7459.patch \ %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ %D%/packages/patches/python-pygpgme-fix-pinentry-tests.patch \ + %D%/packages/patches/qemu-CVE-2016-10155.patch \ %D%/packages/patches/qemu-CVE-2017-5525.patch \ %D%/packages/patches/qemu-CVE-2017-5526.patch \ + %D%/packages/patches/qemu-CVE-2017-5552.patch \ %D%/packages/patches/qt4-ldflags.patch \ %D%/packages/patches/quickswitch-fix-dmenu-check.patch \ %D%/packages/patches/rapicorn-isnan.patch \ diff --git a/gnu/packages/patches/qemu-CVE-2016-10155.patch b/gnu/packages/patches/qemu-CVE-2016-10155.patch new file mode 100644 index 0000000000..825edaa815 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2016-10155.patch @@ -0,0 +1,49 @@ +From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 28 Nov 2016 17:49:04 -0800 +Subject: [PATCH] watchdog: 6300esb: add exit function + +When the Intel 6300ESB watchdog is hot unplug. The timer allocated +in realize isn't freed thus leaking memory leak. This patch avoid +this through adding the exit function. + +http://git.qemu.org/?p=qemu.git;a=patch;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e +this patch is from qemu-git. + +Signed-off-by: Li Qiang +Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> +Signed-off-by: Paolo Bonzini +--- + hw/watchdog/wdt_i6300esb.c | 9 +++++++++ + 1 files changed, 9 insertions(+), 0 deletions(-) + +diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c +index a83d951..49b3cd1 100644 +--- a/hw/watchdog/wdt_i6300esb.c ++++ b/hw/watchdog/wdt_i6300esb.c +@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp) + /* qemu_register_coalesced_mmio (addr, 0x10); ? */ + } + ++static void i6300esb_exit(PCIDevice *dev) ++{ ++ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev); ++ ++ timer_del(d->timer); ++ timer_free(d->timer); ++} ++ + static WatchdogTimerModel model = { + .wdt_name = "i6300esb", + .wdt_description = "Intel 6300ESB", +@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data) + k->config_read = i6300esb_config_read; + k->config_write = i6300esb_config_write; + k->realize = i6300esb_realize; ++ k->exit = i6300esb_exit; + k->vendor_id = PCI_VENDOR_ID_INTEL; + k->device_id = PCI_DEVICE_ID_INTEL_ESB_9; + k->class_id = PCI_CLASS_SYSTEM_OTHER; +-- +1.7.0.4 + diff --git a/gnu/packages/patches/qemu-CVE-2017-5552.patch b/gnu/packages/patches/qemu-CVE-2017-5552.patch new file mode 100644 index 0000000000..50911f4f36 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-5552.patch @@ -0,0 +1,44 @@ +From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Thu, 29 Dec 2016 03:11:26 -0500 +Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If the virgl_renderer_resource_attach_iov function fails the +'res_iovs' will be leaked. Add check of the return value to +free the 'res_iovs' when failing. + +http://git.qemu.org/?p=qemu.git;a=patch;h=33243031dad02d161225ba99d782616da133f689 +this patch is from qemu-git. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/virtio-gpu-3d.c | 7 +++++-- + 1 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index e29f099..b13ced3 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, +- res_iovs, att_rb.nr_entries); ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ res_iovs, att_rb.nr_entries); ++ ++ if (ret != 0) ++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); + } + + static void virgl_resource_detach_backing(VirtIOGPU *g, +-- +1.7.0.4 + diff --git a/gnu/packages/qemu.scm b/gnu/packages/qemu.scm index 693864f7d8..1c10ab9aee 100644 --- a/gnu/packages/qemu.scm +++ b/gnu/packages/qemu.scm @@ -77,8 +77,10 @@ (sha256 (base32 "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs")) - (patches (search-patches "qemu-CVE-2017-5525.patch" - "qemu-CVE-2017-5526.patch")))) + (patches (search-patches "qemu-CVE-2016-10155.patch" + "qemu-CVE-2017-5525.patch" + "qemu-CVE-2017-5526.patch" + "qemu-CVE-2017-5552.patch")))) (build-system gnu-build-system) (arguments '(;; Running tests in parallel can occasionally lead to failures, like: -- cgit 1.4.1