Sun Oct 30 14:48:01 2016 UTC ()
add patches for CVE-2016-7423 and CVE-2016-790[789] from upstream
(spz)
diff -r1.155 -r1.156 pkgsrc/emulators/qemu/Makefile
diff -r1.117 -r1.118 pkgsrc/emulators/qemu/distinfo
diff -r0 -r1.1 pkgsrc/emulators/qemu/patches/patch-CVE-2016-7423
diff -r0 -r1.1 pkgsrc/emulators/qemu/patches/patch-CVE-2016-7907
diff -r0 -r1.1 pkgsrc/emulators/qemu/patches/patch-CVE-2016-7908
diff -r0 -r1.1 pkgsrc/emulators/qemu/patches/patch-CVE-2016-7909
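--- a/pkgsrc/emulators/qemu/Makefile
+++ b/pkgsrc/emulators/qemu/Makefile
@@ -1,19 +1,20 @@
-# $NetBSD: Makefile,v 1.155 2016/10/04 15:00:08 kamil Exp $
+# $NetBSD: Makefile,v 1.156 2016/10/30 14:48:00 spz Exp $
 
 DISTNAME= qemu-2.7.0
 CATEGORIES= emulators
 MASTER_SITES= http://wiki.qemu.org/download/
 EXTRACT_SUFX= .tar.bz2
+PKGREVISION= 1
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.qemu.org/
 COMMENT= CPU emulator using dynamic translation
 LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2.1 AND mit AND modified-bsd
 
 CONFLICTS+= qemu-bin-[0-9]*
 NOT_FOR_PLATFORM+= NetBSD-1.[0-6]*-*
 # qemu 1 does not work on NetBSD-5; see http://gnats.netbsd.org/46565.
 NOT_FOR_PLATFORM+= NetBSD-5*-*
 
 USE_TOOLS+= bison gmake makeinfo perl:build pkg-config
 USE_NCURSES= yes # requires resize_term()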
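--- a/pkgsrc/emulators/qemu/distinfo
+++ b/pkgsrc/emulators/qemu/distinfo
@@ -1,19 +1,23 @@
-$NetBSD: distinfo,v 1.117 2016/09/04 09:21:04 ryoon Exp $
+$NetBSD: distinfo,v 1.118 2016/10/30 14:48:00 spz Exp $
 
 SHA1 (qemu-2.7.0.tar.bz2) = 96737d31a2fb74553dacbd0ddaa93014858dc986
 RMD160 (qemu-2.7.0.tar.bz2) = cc962261a4f7b05ace8c16027bda770a89322cd3
 SHA512 (qemu-2.7.0.tar.bz2) = 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db
 Size (qemu-2.7.0.tar.bz2) = 26867760 bytes
+SHA1 (patch-CVE-2016-7423) = 1e126226adb90bfc335fa4dfbdb0365271ca1db3
+SHA1 (patch-CVE-2016-7907) = 3645de0cc1685966261be1847bad14a354c75326
+SHA1 (patch-CVE-2016-7908) = 09c1a30af90a1b9cb2b381401b760a861ce10765
+SHA1 (patch-CVE-2016-7909) = 26ed8d3bbcb8463d4d2c7e28c76aa75518a8c528
 SHA1 (patch-Makefile.objs) = f40deeed5482a24369e898411bb611be418dc3ca
 SHA1 (patch-configure) = 9eb469dc5be1d7c6b4ee69e8ee61e6ab8d542112
 SHA1 (patch-default-configs_pci.mak) = 2162550a68de514c8fe9e255df88f8a0a07ee6c7
 SHA1 (patch-ef) = 98a1de2fd48638886b5d16f6a61dc72910e98b41
 SHA1 (patch-et) = e9b850ac5985cbe934b541acbfdb330cce421d50
 SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
 SHA1 (patch-hw_misc_ivshmem.c) = c1fdc8111286f2c760512189db4a854bfc6129d0
 SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
 SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
 SHA1 (patch-hw_ppc_mac__newworld.c) = 5131bb6edf8b0acf6e7ed3b6bc7be962dc71eca6
 SHA1 (patch-hw_ppc_mac__oldworld.c) = b71667ab281dc23c9d971dc8754eeefc879bd1d7
 SHA1 (patch-memory.c) = 9f94de7799ef80931fb1de572e5603894f3fb328
 SHA1 (patch-scripts_qemu-binfmt-conf.sh) = a59c227e5891efe201eb2b8af15fb0832a1b20d0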
$NetBSD: patch-CVE-2016-7423,v 1.1 2016/10/30 14:48:00 spz Exp $
from:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=670e56d3ed2918b3861d9216f2c0540d9e9ae0d5
scsi: mptsas: use g_new0 to allocate MPTSASRequest object
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
--- hw/scsi/mptsas.c.orig 2016-09-02 15:34:20.000000000 +0000
+++ hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_reques
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;
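Review bot: The zero-fill only makes the early error exit safe if mptsas_free_request() treats a NULL req->sreq (and every other field it releases) as "nothing to do"; that function is outside this hunk, so please confirm it checks before unreferencing, otherwise the out-of-bounds write described in the patch header simply becomes a NULL dereference. Nothing on the allocation line says why g_new0 rather than g_new is required, so a later cleanup could revert it; a one-line comment would pin it: `/* zero-filled: the error path can free req before sreq is set up (CVE-2016-7423) */`. Note also that req is linked into s->pending on the very next line, before any of its fields are assigned, so any observer of that list (outside this hunk) sees a zeroed entry rather than garbage, which is fine but worth knowing. mptsas_process_scsi_io_request starts and ends outside the hunk.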
$NetBSD: patch-CVE-2016-7907,v 1.1 2016/10/30 14:48:00 spz Exp $
from:
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05556.html
From: Prasad J Pandit <address@hidden>
i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.
Reported-by: Li Qiang <address@hidden>
--- hw/net/imx_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
+++ hw/net/imx_fec.c
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_
#define PHY_INT_PARFAULT (1 << 2)
#define PHY_INT_AUTONEG_PAGE (1 << 1)
+#define IMX_MAX_DESC 1024
+
static void imx_eth_update(IMXFECState *s);
/*
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *
static void imx_fec_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXFECBufDesc bd;
int len;
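Review bot: Exhausting IMX_MAX_DESC ends the loop exactly like a normal last-descriptor exit, so a guest that builds a zero-length descriptor ring gets no diagnostic, and the partially assembled frame and s->tx_descriptor are left to whatever follows the loop, which is outside this hunk — please confirm that tail neither transmits the fragment as a complete frame nor leaves the descriptor pointer mid-ring. After the loop, `if (descnt > IMX_MAX_DESC) qemu_log_mask(LOG_GUEST_ERROR, "imx_fec: tx descriptor chain exceeds %d entries\n", IMX_MAX_DESC);` would make the abuse visible (the `descnt++` in the condition means the cap exit is the only way descnt can exceed the limit; qemu/log.h is needed if the file does not already include it). The define added in the first hunk is a bare number with no rationale; `/* per-call cap on descriptors walked by imx_fec_do_tx(); stops a crafted zero-length BD ring from looping forever (CVE-2016-7907) */` would record why it exists. imx_fec_do_tx continues past the end of this hunk.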
$NetBSD: patch-CVE-2016-7908,v 1.1 2016/10/30 14:48:00 spz Exp $
from:
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=070c4b92b8cd5390889716677a0b92444d6e087a
net: mcf: limit buffer descriptor count
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
--- hw/net/mcf_fec.c.orig 2016-09-02 15:34:19.000000000 +0000
+++ hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_AR
#define DPRINTF(fmt, ...) do {} while(0)
#endif
+#define FEC_MAX_DESC 1024
#define FEC_MAX_FRAME_SIZE 2032
typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state
uint32_t addr;
mcf_fec_bd bd;
int frame_size;
- int len;
+ int len, descnt = 0;
uint8_t frame[FEC_MAX_FRAME_SIZE];
uint8_t *ptr;
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state
ptr = frame;
frame_size = 0;
addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < FEC_MAX_DESC) {
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);
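Review bot: When FEC_MAX_DESC is exhausted the loop falls out with no indication that the guest supplied a runaway descriptor chain, and what happens to the partially built frame and s->tx_descriptor is decided by code after the loop that is outside this hunk — please check that tail does not emit the fragment as if the chain had ended cleanly. A `qemu_log_mask(LOG_GUEST_ERROR, "mcf_fec: tx descriptor chain exceeds %d entries\n", FEC_MAX_DESC)` guarded by `descnt > FEC_MAX_DESC` after the loop would surface the abuse at the device level rather than only through the DPRINTF that is compiled out by default (include qemu/log.h if this file does not already). FEC_MAX_DESC in the first hunk sits directly above FEC_MAX_FRAME_SIZE with no explanation of the 1024; `/* per-call cap on descriptors walked by mcf_fec_do_tx(); stops a crafted zero-length BD ring from looping forever (CVE-2016-7908) */` would record the intent. mcf_fec_do_tx continues past the end of this hunk.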
$NetBSD: patch-CVE-2016-7909,v 1.1 2016/10/30 14:48:00 spz Exp $
from:
https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg07942.html
From: Prasad J Pandit <address@hidden>
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr. Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
--- hw/net/pcnet.c.orig 2016-09-02 15:34:19.000000000 +0000
+++ hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;
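Review bot: The two added `break;` lines change more than the zero-length guard: CSR47/72/74 and, after clamping, CSR76/78 now leave the switch before the `CSR_STOP(s) || CSR_SPND(s)` gate that `case 112` still applies, so writes to those registers from a running device reach whatever follows the switch — presumably the register store, outside this hunk — instead of being ignored as before. That is what the upstream patch does, but a reader will see the gate immediately below and assume it still covers these cases, so a comment above the clamp is warranted: `/* CSR76/78 (ring lengths): 0 would make pcnet_rdra_addr() spin forever; substitute 512 */`. If the receive and transmit ring lengths can also be loaded from the initialization block (pcnet_init, not shown here), that path needs the same lower bound or the loop is still reachable. pcnet_csr_writew begins and ends outside the hunk.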