* [gentoo-commits] proj/hardened-dev:musl commit in: app-emulation/qemu/files/, app-emulation/qemu/
@ 2014-10-10 18:20 Anthony G. Basile
From: Anthony G. Basile @ 2014-10-10 18:20 UTC (permalink / raw
  To: gentoo-commits

commit:     d69ceecaa2909f2a48f5144c514fd0d44a04eb79
Author:     Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Fri Sep 19 21:49:30 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Fri Oct 10 18:20:17 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=d69ceeca

app-emulation/qemu: bump to 2.1.0

---
 .../qemu/files/qemu-2.0.0-CVE-2013-4541.patch      |  40 ----
 .../qemu/files/qemu-2.0.0-CVE-2014-0222.patch      |  48 -----
 .../qemu/files/qemu-2.0.0-CVE-2014-0223.patch      |  57 -----
 .../files/qemu-2.0.0-qcow-check-max-sizes.patch    |  52 -----
 app-emulation/qemu/files/qemu-2.0.0-sigset.patch   |  63 ------
 .../files/qemu-2.0.0-usb-post-load-checks.patch    |  41 ----
 .../qemu/files/qemu-2.1.0-CVE-2014-5388.patch      |  36 ++++
 ...qemu-2.0.0-r99.ebuild => qemu-2.1.0-r99.ebuild} | 231 +++++++++++----------
 8 files changed, 161 insertions(+), 407 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch b/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch
deleted file mode 100644
index c4e0d81..0000000
--- a/app-emulation/qemu/files/qemu-2.0.0-CVE-2013-4541.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Thu, 3 Apr 2014 19:52:25 +0300
-Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
-
-CVE-2013-4541
-
-s->setup_len and s->setup_index are fed into usb_packet_copy as
-size/offset into s->data_buf, it's possible for invalid state to exploit
-this to load arbitrary data.
-
-setup_len and setup_index should be checked to make sure
-they are not negative.
-
-Cc: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
----
- hw/usb/bus.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/bus.c b/hw/usb/bus.c
-index fe70429..e48b19f 100644
---- a/hw/usb/bus.c
-+++ b/hw/usb/bus.c
-@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
-     } else {
-         dev->attached = 1;
-     }
--    if (dev->setup_index >= sizeof(dev->data_buf) ||
-+    if (dev->setup_index < 0 ||
-+        dev->setup_len < 0 ||
-+        dev->setup_index >= sizeof(dev->data_buf) ||
-         dev->setup_len >= sizeof(dev->data_buf)) {
-         return -EINVAL;
-     }
--- 
-1.9.3
-

diff --git a/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch b/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch
deleted file mode 100644
index 754ad48..0000000
--- a/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0222.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 42eb58179b3b215bb507da3262b682b8a2ec10b5 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Thu, 15 May 2014 16:10:11 +0200
-Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222)
-
-Too large L2 table sizes cause unbounded allocations. Images actually
-created by qemu-img only have 512 byte or 4k L2 tables.
-
-To keep things consistent with cluster sizes, allow ranges between 512
-bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
-working, but L2 table sizes smaller than a cluster don't make a lot of
-sense).
-
-This also means that the number of bytes on the virtual disk that are
-described by the same L2 table is limited to at most 8k * 64k or 2^29,
-preventively avoiding any integer overflows.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Benoit Canet <benoit@irqsave.net>
----
- block/qcow.c               |  8 ++++++++
- tests/qemu-iotests/092     | 15 +++++++++++++++
- tests/qemu-iotests/092.out | 11 +++++++++++
- 3 files changed, 34 insertions(+)
-
-diff --git a/block/qcow.c b/block/qcow.c
-index e60df23..e8038e5 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -139,6 +139,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
-         goto fail;
-     }
- 
-+    /* l2_bits specifies number of entries; storing a uint64_t in each entry,
-+     * so bytes = num_entries << 3. */
-+    if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
-+        error_setg(errp, "L2 table size must be between 512 and 64k");
-+        ret = -EINVAL;
-+        goto fail;
-+    }
-+
-     if (header.crypt_method > QCOW_CRYPT_AES) {
-         error_setg(errp, "invalid encryption method in qcow header");
-         ret = -EINVAL;
--- 
-1.9.3
-

diff --git a/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch b/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch
deleted file mode 100644
index a5b20a4..0000000
--- a/app-emulation/qemu/files/qemu-2.0.0-CVE-2014-0223.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 46485de0cb357b57373e1ca895adedf1f3ed46ec Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Thu, 8 May 2014 13:08:20 +0200
-Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223)
-
-A huge image size could cause s->l1_size to overflow. Make sure that
-images never require a L1 table larger than what fits in s->l1_size.
-
-This cannot only cause unbounded allocations, but also the allocation of
-a too small L1 table, resulting in out-of-bounds array accesses (both
-reads and writes).
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
----
- block/qcow.c               | 16 ++++++++++++++--
- tests/qemu-iotests/092     |  9 +++++++++
- tests/qemu-iotests/092.out |  7 +++++++
- 3 files changed, 30 insertions(+), 2 deletions(-)
-
-diff --git a/block/qcow.c b/block/qcow.c
-index e8038e5..3566c05 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
-     int cluster_sectors;
-     int l2_bits;
-     int l2_size;
--    int l1_size;
-+    unsigned int l1_size;
-     uint64_t cluster_offset_mask;
-     uint64_t l1_table_offset;
-     uint64_t *l1_table;
-@@ -166,7 +166,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
- 
-     /* read the level 1 table */
-     shift = s->cluster_bits + s->l2_bits;
--    s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
-+    if (header.size > UINT64_MAX - (1LL << shift)) {
-+        error_setg(errp, "Image too large");
-+        ret = -EINVAL;
-+        goto fail;
-+    } else {
-+        uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
-+        if (l1_size > INT_MAX / sizeof(uint64_t)) {
-+            error_setg(errp, "Image too large");
-+            ret = -EINVAL;
-+            goto fail;
-+        }
-+        s->l1_size = l1_size;
-+    }
- 
-     s->l1_table_offset = header.l1_table_offset;
-     s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));
--- 
-1.9.3
-

diff --git a/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch b/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch
deleted file mode 100644
index 54fdd79..0000000
--- a/app-emulation/qemu/files/qemu-2.0.0-qcow-check-max-sizes.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Wed, 7 May 2014 17:30:30 +0200
-Subject: [PATCH] qcow1: Check maximum cluster size
-
-Huge values for header.cluster_bits cause unbounded allocations (e.g.
-for s->cluster_cache) and crash qemu this way. Less huge values may
-survive those allocations, but can cause integer overflows later on.
-
-The only cluster sizes that qemu can create are 4k (for standalone
-images) and 512 (for images with backing files), so we can limit it
-to 64k.
-
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: Benoit Canet <benoit@irqsave.net>
----
- block/qcow.c               | 10 ++++++--
- tests/qemu-iotests/092     | 63 ++++++++++++++++++++++++++++++++++++++++++++++
- tests/qemu-iotests/092.out | 13 ++++++++++
- tests/qemu-iotests/group   |  1 +
- 4 files changed, 85 insertions(+), 2 deletions(-)
- create mode 100755 tests/qemu-iotests/092
- create mode 100644 tests/qemu-iotests/092.out
-
-diff --git a/block/qcow.c b/block/qcow.c
-index 3684794..e60df23 100644
---- a/block/qcow.c
-+++ b/block/qcow.c
-@@ -128,11 +128,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
-         goto fail;
-     }
- 
--    if (header.size <= 1 || header.cluster_bits < 9) {
--        error_setg(errp, "invalid value in qcow header");
-+    if (header.size <= 1) {
-+        error_setg(errp, "Image size is too small (must be at least 2 bytes)");
-         ret = -EINVAL;
-         goto fail;
-     }
-+    if (header.cluster_bits < 9 || header.cluster_bits > 16) {
-+        error_setg(errp, "Cluster size must be between 512 and 64k");
-+        ret = -EINVAL;
-+        goto fail;
-+    }
-+
-     if (header.crypt_method > QCOW_CRYPT_AES) {
-         error_setg(errp, "invalid encryption method in qcow header");
-         ret = -EINVAL;
--- 
-1.9.3
-

diff --git a/app-emulation/qemu/files/qemu-2.0.0-sigset.patch b/app-emulation/qemu/files/qemu-2.0.0-sigset.patch
deleted file mode 100644
index e335b67..0000000
--- a/app-emulation/qemu/files/qemu-2.0.0-sigset.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-commit 34d6086236baeb59f4b46e2380f2b271acd6f6cf
-Author: Natanael Copa <ncopa@alpinelinux.org>
-Date:   Tue Apr 29 13:11:20 2014 +0200
-
-    linux-user: avoid using glibc internals in _syscall5 and in definition of target_sigevent struct
-    
-    Use the public sigset_t instead of the glibc specific internal
-    __sigset_t in _syscall.
-    
-    Calculate the sigevent pad size is calculated in similar way as kernel
-    does it instead of using glibc internal field _pad.
-    
-    This is needed for building with musl libc.
-    
-    Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
-    Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
-    Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 15de6f8..af0bb35 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -411,7 +411,7 @@ static int sys_inotify_init1(int flags)
- #endif
- #define __NR_sys_ppoll __NR_ppoll
- _syscall5(int, sys_ppoll, struct pollfd *, fds, nfds_t, nfds,
--          struct timespec *, timeout, const __sigset_t *, sigmask,
-+          struct timespec *, timeout, const sigset_t *, sigmask,
-           size_t, sigsetsize)
- #endif
- 
-diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h
-index fdf9a47..69c3982 100644
---- a/linux-user/syscall_defs.h
-+++ b/linux-user/syscall_defs.h
-@@ -2552,12 +2552,26 @@ struct target_timer_t {
-     abi_ulong ptr;
- };
- 
-+#define TARGET_SIGEV_MAX_SIZE 64
-+
-+/* This is architecture-specific but most architectures use the default */
-+#ifdef TARGET_MIPS
-+#define TARGET_SIGEV_PREAMBLE_SIZE (sizeof(int32_t) * 2 + sizeof(abi_long))
-+#else
-+#define TARGET_SIGEV_PREAMBLE_SIZE (sizeof(int32_t) * 2 \
-+                                    + sizeof(target_sigval_t))
-+#endif
-+
-+#define TARGET_SIGEV_PAD_SIZE ((TARGET_SIGEV_MAX_SIZE \
-+                                - TARGET_SIGEV_PREAMBLE_SIZE) \
-+                               / sizeof(int32_t))
-+
- struct target_sigevent {
-     target_sigval_t sigev_value;
-     int32_t sigev_signo;
-     int32_t sigev_notify;
-     union {
--        int32_t _pad[ARRAY_SIZE(((struct sigevent *)0)->_sigev_un._pad)];
-+        int32_t _pad[TARGET_SIGEV_PAD_SIZE];
-         int32_t _tid;
- 
-         struct {

diff --git a/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch b/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch
deleted file mode 100644
index 4e85c59..0000000
--- a/app-emulation/qemu/files/qemu-2.0.0-usb-post-load-checks.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-https://bugs.gentoo.org/510208
-
-From 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Tue, 13 May 2014 12:33:16 +0300
-Subject: [PATCH] usb: fix up post load checks
-
-Correct post load checks:
-1. dev->setup_len == sizeof(dev->data_buf)
-    seems fine, no need to fail migration
-2. When state is DATA, passing index > len
-   will cause memcpy with negative length,
-   resulting in heap overflow
-
-First of the issues was reported by dgilbert.
-
-Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Juan Quintela <quintela@redhat.com>
----
- hw/usb/bus.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/usb/bus.c b/hw/usb/bus.c
-index 699aa10..927a47b 100644
---- a/hw/usb/bus.c
-+++ b/hw/usb/bus.c
-@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
-     }
-     if (dev->setup_index < 0 ||
-         dev->setup_len < 0 ||
--        dev->setup_index >= sizeof(dev->data_buf) ||
--        dev->setup_len >= sizeof(dev->data_buf)) {
-+        dev->setup_index > dev->setup_len ||
-+        dev->setup_len > sizeof(dev->data_buf)) {
-         return -EINVAL;
-     }
-     return 0;
--- 
-1.9.3
-

diff --git a/app-emulation/qemu/files/qemu-2.1.0-CVE-2014-5388.patch b/app-emulation/qemu/files/qemu-2.1.0-CVE-2014-5388.patch
new file mode 100644
index 0000000..26a012b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.1.0-CVE-2014-5388.patch
@@ -0,0 +1,36 @@
+https://bugs.gentoo.org/520688
+
+From fa365d7cd11185237471823a5a33d36765454e16 Mon Sep 17 00:00:00 2001
+From: Gonglei <arei.gonglei@huawei.com>
+Date: Wed, 20 Aug 2014 13:52:30 +0800
+Subject: [PATCH] pcihp: fix possible array out of bounds
+
+Prevent out-of-bounds array access on
+acpi_pcihp_pci_status.
+
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Marcel Apfelbaum <marcel@redhat.com>
+---
+ hw/acpi/pcihp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
+index fae663a..34dedf1 100644
+--- a/hw/acpi/pcihp.c
++++ b/hw/acpi/pcihp.c
+@@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size)
+     uint32_t val = 0;
+     int bsel = s->hotplug_select;
+ 
+-    if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) {
++    if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) {
+         return 0;
+     }
+ 
+-- 
+2.0.0
+

diff --git a/app-emulation/qemu/qemu-2.0.0-r99.ebuild b/app-emulation/qemu/qemu-2.1.0-r99.ebuild
similarity index 74%
rename from app-emulation/qemu/qemu-2.0.0-r99.ebuild
rename to app-emulation/qemu/qemu-2.1.0-r99.ebuild
index efbdd23..d885d11 100644
--- a/app-emulation/qemu/qemu-2.0.0-r99.ebuild
+++ b/app-emulation/qemu/qemu-2.1.0-r99.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.0.0-r1.ebuild,v 1.5 2014/06/06 01:42:41 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.1.0-r1.ebuild,v 1.6 2014/09/13 17:07:04 ago Exp $
 
 EAPI=5
 
@@ -30,9 +30,10 @@ HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org"
 LICENSE="GPL-2 LGPL-2 BSD-2"
 SLOT="0"
 IUSE="accessibility +aio alsa bluetooth +caps +curl debug +fdt glusterfs \
-gtk iscsi +jpeg \
-kernel_linux kernel_FreeBSD ncurses opengl +png pulseaudio python \
-rbd sasl +seccomp sdl selinux smartcard spice ssh static static-softmmu \
+gtk infiniband iscsi +jpeg \
+kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs
++png pulseaudio python \
+rbd sasl +seccomp sdl selinux smartcard snappy spice ssh static static-softmmu \
 static-user systemtap tci test +threads tls usb usbredir +uuid vde +vhost-net \
 virtfs +vnc xattr xen xfs"
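Review bot: The IUSE continuation `kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs` is the only line of the quoted list without a trailing backslash, so the following `+png pulseaudio python \` begins after a literal newline inside the string. Bash keeps that newline as whitespace inside double quotes, so the flag set is unchanged, but the odd line reads like a dropped character and its leading `+png` is easy to misread as a diff marker. For consistency with the surrounding lines end it with `+pin-upstream-blobs \`.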
 
@@ -61,8 +62,13 @@ REQUIRED_USE="|| ( ${use_targets} )
 	virtfs? ( xattr )"
 
 # Yep, you need both libcap and libcap-ng since virtfs only uses libcap.
+#
+# The attr lib isn't always linked in (although the USE flag is always
+# respected).  This is because qemu supports using the C library's API
+# when available rather than always using the extranl library.
 COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)]
-	sys-libs/zlib[static-libs(+)]"
+	sys-libs/zlib[static-libs(+)]
+	xattr? ( sys-apps/attr[static-libs(+)] )"
 SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 	>=x11-libs/pixman-0.28.0[static-libs(+)]
 	aio? ( dev-libs/libaio[static-libs(+)] )
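Review bot: The new comment above COMMON_LIB_DEPEND has a typo, `extranl library`; the line should read `# when available rather than always using the external library.` The comment is otherwise the useful kind of why-note, since it explains why `xattr? ( sys-apps/attr[static-libs(+)] )` moves into the shared list, so it is worth fixing before it is copied into the next bump.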
@@ -70,36 +76,42 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 	curl? ( >=net-misc/curl-7.15.4[static-libs(+)] )
 	fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
 	glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] )
+	infiniband? ( sys-infiniband/librdmacm[static-libs(+)] )
 	jpeg? ( virtual/jpeg[static-libs(+)] )
+	lzo? ( dev-libs/lzo:2[static-libs(+)] )
 	ncurses? ( sys-libs/ncurses[static-libs(+)] )
+	nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] )
+	numa? ( sys-process/numactl[static-libs(+)] )
 	png? ( media-libs/libpng[static-libs(+)] )
 	rbd? ( sys-cluster/ceph[static-libs(+)] )
 	sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
 	sdl? ( >=media-libs/libsdl-1.2.11[static-libs(+)] )
 	seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] )
+	snappy? ( app-arch/snappy[static-libs(+)] )
 	spice? ( >=app-emulation/spice-0.12.0[static-libs(+)] )
 	ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] )
 	tls? ( net-libs/gnutls[static-libs(+)] )
 	usb? ( >=dev-libs/libusb-1.0.18[static-libs(+)] )
 	uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] )
 	vde? ( net-misc/vde[static-libs(+)] )
-	xattr? ( sys-apps/attr[static-libs(+)] )
 	xfs? ( sys-fs/xfsprogs[static-libs(+)] )"
 USER_LIB_DEPEND="${COMMON_LIB_DEPEND}"
-RDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} )
-	!static-user? ( ${USER_LIB_DEPEND//\[static-libs(+)]} )
-	qemu_softmmu_targets_i386? (
-		>=sys-firmware/ipxe-1.0.0_p20130624
-		~sys-firmware/seabios-1.7.4
-		~sys-firmware/sgabios-0.1_pre8
-		~sys-firmware/vgabios-0.7a
-	)
-	qemu_softmmu_targets_x86_64? (
-		>=sys-firmware/ipxe-1.0.0_p20130624
-		~sys-firmware/seabios-1.7.4
+X86_FIRMWARE_DEPEND="
+	>=sys-firmware/ipxe-1.0.0_p20130624
+	pin-upstream-blobs? (
+		~sys-firmware/seabios-1.7.5
 		~sys-firmware/sgabios-0.1_pre8
 		~sys-firmware/vgabios-0.7a
 	)
+	!pin-upstream-blobs? (
+		sys-firmware/seabios
+		sys-firmware/sgabios
+		sys-firmware/vgabios
+	)"
+RDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} )
+	!static-user? ( ${USER_LIB_DEPEND//\[static-libs(+)]} )
+	qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} )
+	qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )
 	accessibility? ( app-accessibility/brltty )
 	alsa? ( >=media-libs/alsa-lib-1.0.13 )
 	bluetooth? ( net-wireless/bluez )
@@ -125,6 +137,7 @@ DEPEND="${RDEPEND}
 	sys-apps/texinfo
 	virtual/pkgconfig
 	kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 )
+	gtk? ( nls? ( sys-devel/gettext ) )
 	static-softmmu? ( ${SOFTMMU_LIB_DEPEND} )
 	static-user? ( ${USER_LIB_DEPEND} )
 	test? (
@@ -139,7 +152,9 @@ QA_PREBUILT="
 	usr/share/qemu/openbios-sparc64
 	usr/share/qemu/openbios-sparc32
 	usr/share/qemu/palcode-clipper
-	usr/share/qemu/s390-ccw.img"
+	usr/share/qemu/s390-ccw.img
+	usr/share/qemu/u-boot.e500
+"
 
 QA_WX_LOAD="usr/bin/qemu-i386
 	usr/bin/qemu-x86_64
@@ -236,17 +251,13 @@ src_prepare() {
 		-e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \
 		Makefile Makefile.target || die
 
+	# Cheap hack to disable gettext .mo generation.
+	use nls || rm -f po/*.po
+
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
-	epatch "${FILESDIR}"/qemu-9999-virtfs-proxy-helper-accept.patch #486714
-	epatch "${FILESDIR}"/${P}-CVE-2013-4541.patch #510208
-	epatch "${FILESDIR}"/${P}-usb-post-load-checks.patch #510208
-	epatch "${FILESDIR}"/${P}-qcow-check-max-sizes.patch #510234
-	epatch "${FILESDIR}"/${P}-CVE-2014-0222.patch #510234
-	epatch "${FILESDIR}"/${P}-CVE-2014-0223.patch #510234
-	epatch "${FILESDIR}"/${PN}-1.5.3-openpty.patch #musl
-	epatch "${FILESDIR}"/${P}-sigset.patch #musl
-	epatch "${FILESDIR}"/${P}-F_SHLCK-and-F_EXLCK.patch #musl
-	epatch "${FILESDIR}"/${P}-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch #musl
+	epatch "${FILESDIR}"/${P}-CVE-2014-5388.patch #520688
+	epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch #for musl
+	epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch #for musl
 	[[ -n ${BACKPORTS} ]] && \
 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
 			epatch
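Review bot: The commit message is only "bump to 2.1.0", yet this hunk silently drops ten `epatch` lines from src_prepare: the 2.0.0 CVE backports, the usb and qcow hardening patches, `qemu-9999-virtfs-proxy-helper-accept.patch`, `qemu-1.5.3-openpty.patch` and `${P}-sigset.patch`. Some of these are presumably in 2.1.0 already — the deleted sigset patch quotes upstream commit 34d6086236 and the CVE fixes are dated months before the release — but nothing on the page shows that for the openpty or virtfs-proxy-helper-accept fixes, which were carried for musl and bug 486714 respectively. A sentence in the description listing which patches are upstream in 2.1.0 and which were dropped for another reason would let the next reviewer confirm that no musl-specific fix was lost. The rest of src_prepare lies outside this hunk.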
@@ -294,6 +305,58 @@ qemu_src_configure() {
 		$(use_enable debug debug-tcg)
 		--enable-docs
 		$(use_enable tci tcg-interpreter)
+		$(use_enable xattr attr)
+	)
+
+	# Disable options not used by user targets as the default configure
+	# options will autoprobe and try to link in a bunch of unused junk.
+	conf_softmmu() {
+		if [[ ${buildtype} == "user" ]] ; then
+			echo "--disable-${2:-$1}"
+		else
+			use_enable "$@"
+		fi
+	}
+	conf_opts+=(
+		$(conf_softmmu accessibility brlapi)
+		$(conf_softmmu aio linux-aio)
+		$(conf_softmmu bluetooth bluez)
+		$(conf_softmmu caps cap-ng)
+		$(conf_softmmu curl)
+		$(conf_softmmu fdt)
+		$(conf_softmmu glusterfs)
+		$(conf_softmmu gtk)
+		$(conf_softmmu infiniband rdma)
+		$(conf_softmmu iscsi libiscsi)
+		$(conf_softmmu jpeg vnc-jpeg)
+		$(conf_softmmu kernel_linux kvm)
+		$(conf_softmmu lzo)
+		$(conf_softmmu ncurses curses)
+		$(conf_softmmu nfs libnfs)
+		$(conf_softmmu numa)
+		$(conf_softmmu opengl glx)
+		$(conf_softmmu png vnc-png)
+		$(conf_softmmu rbd)
+		$(conf_softmmu sasl vnc-sasl)
+		$(conf_softmmu sdl)
+		$(conf_softmmu seccomp)
+		$(conf_softmmu smartcard smartcard-nss)
+		$(conf_softmmu snappy)
+		$(conf_softmmu spice)
+		$(conf_softmmu ssh libssh2)
+		$(conf_softmmu tls quorum)
+		$(conf_softmmu tls vnc-tls)
+		$(conf_softmmu tls vnc-ws)
+		$(conf_softmmu usb libusb)
+		$(conf_softmmu usbredir usb-redir)
+		$(conf_softmmu uuid)
+		$(conf_softmmu vde)
+		$(conf_softmmu vhost-net)
+		$(conf_softmmu virtfs)
+		$(conf_softmmu vnc)
+		$(conf_softmmu xen)
+		$(conf_softmmu xen xen-pci-passthrough)
+		$(conf_softmmu xfs xfsctl)
 	)
 
 	case ${buildtype} in
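Review bot: `conf_softmmu` is defined inside `qemu_src_configure` and reads `${buildtype}` from the enclosing scope; bash makes such a function global once the outer function has run, so it outlives configure and depends on a variable that is not one of its parameters. Passing the build type explicitly removes the hidden dependency, e.g. `conf_softmmu() { if [[ $1 == user ]]; then echo "--disable-${3:-$2}"; else use_enable "${@:2}"; fi; }` called as `$(conf_softmmu "${buildtype}" tls quorum)`. Either way, `$(conf_softmmu tls quorum)` deserves a one-line comment, because neither name suggests why the quorum block driver is keyed to the tls flag (presumably a shared library dependency — confirm). qemu_src_configure's body starts and ends outside this hunk.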
@@ -303,60 +366,15 @@ qemu_src_configure() {
 			--disable-system
 			--target-list="${user_targets}"
 			--disable-blobs
-			--disable-bluez
-			--disable-curses
-			--disable-kvm
-			--disable-libiscsi
-			--disable-glusterfs
-			--disable-seccomp
-			--disable-sdl
-			--disable-smartcard-nss
 			--disable-tools
-			--disable-vde
-			--disable-libssh2
-			--disable-libusb
 		)
 		;;
 	softmmu)
 		conf_opts+=(
 			--disable-linux-user
 			--enable-system
-			--with-system-pixman
 			--target-list="${softmmu_targets}"
-			$(use_enable bluetooth bluez)
-			$(use_enable gtk)
-			$(use_enable sdl)
-			$(use_enable aio linux-aio)
-			$(use_enable accessibility brlapi)
-			$(use_enable caps cap-ng)
-			$(use_enable curl)
-			$(use_enable fdt)
-			$(use_enable glusterfs)
-			$(use_enable iscsi libiscsi)
-			$(use_enable jpeg vnc-jpeg)
-			$(use_enable kernel_linux kvm)
-			$(use_enable ncurses curses)
-			$(use_enable opengl glx)
-			$(use_enable png vnc-png)
-			$(use_enable rbd)
-			$(use_enable sasl vnc-sasl)
-			$(use_enable seccomp)
-			$(use_enable smartcard smartcard-nss)
-			$(use_enable spice)
-			$(use_enable ssh libssh2)
-			$(use_enable tls vnc-tls)
-			$(use_enable tls vnc-ws)
-			$(use_enable usb libusb)
-			$(use_enable usbredir usb-redir)
-			$(use_enable uuid)
-			$(use_enable vde)
-			$(use_enable vhost-net)
-			$(use_enable virtfs)
-			$(use_enable vnc)
-			$(use_enable xattr attr)
-			$(use_enable xen)
-			$(use_enable xen xen-pci-passthrough)
-			$(use_enable xfs xfsctl)
+			--with-system-pixman
 			--audio-drv-list="${audio_opts}"
 		)
 		use gtk && conf_opts+=( --with-gtkabi=3.0 )
@@ -439,6 +457,7 @@ src_compile() {
 src_test() {
 	if [[ -n ${softmmu_targets} ]]; then
 		cd "${S}/softmmu-build"
+		pax-mark m */qemu-system-* #515550
 		emake -j1 check
 		emake -j1 check-report.html
 	fi
@@ -502,42 +521,42 @@ src_install() {
 	fi
 
 	# Remove vgabios since we're using the vgabios packaged one
-	rm "${ED}/usr/share/qemu/vgabios.bin"
-	rm "${ED}/usr/share/qemu/vgabios-cirrus.bin"
-	rm "${ED}/usr/share/qemu/vgabios-qxl.bin"
-	rm "${ED}/usr/share/qemu/vgabios-stdvga.bin"
-	rm "${ED}/usr/share/qemu/vgabios-vmware.bin"
-	if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
-		dosym ../vgabios/vgabios.bin /usr/share/qemu/vgabios.bin
-		dosym ../vgabios/vgabios-cirrus.bin /usr/share/qemu/vgabios-cirrus.bin
-		dosym ../vgabios/vgabios-qxl.bin /usr/share/qemu/vgabios-qxl.bin
-		dosym ../vgabios/vgabios-stdvga.bin /usr/share/qemu/vgabios-stdvga.bin
-		dosym ../vgabios/vgabios-vmware.bin /usr/share/qemu/vgabios-vmware.bin
-	fi
+	if [[ -n ${softmmu_targets} ]]; then
+		rm "${ED}/usr/share/qemu/vgabios.bin"
+		rm "${ED}/usr/share/qemu/vgabios-cirrus.bin"
+		rm "${ED}/usr/share/qemu/vgabios-qxl.bin"
+		rm "${ED}/usr/share/qemu/vgabios-stdvga.bin"
+		rm "${ED}/usr/share/qemu/vgabios-vmware.bin"
+		if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
+			dosym ../vgabios/vgabios.bin /usr/share/qemu/vgabios.bin
+			dosym ../vgabios/vgabios-cirrus.bin /usr/share/qemu/vgabios-cirrus.bin
+			dosym ../vgabios/vgabios-qxl.bin /usr/share/qemu/vgabios-qxl.bin
+			dosym ../vgabios/vgabios-stdvga.bin /usr/share/qemu/vgabios-stdvga.bin
+			dosym ../vgabios/vgabios-vmware.bin /usr/share/qemu/vgabios-vmware.bin
+		fi
 
-	# Remove sgabios since we're using the sgabios packaged one
-	rm "${ED}/usr/share/qemu/sgabios.bin"
-	if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
-		dosym ../sgabios/sgabios.bin /usr/share/qemu/sgabios.bin
-	fi
+		# Remove sgabios since we're using the sgabios packaged one
+		rm "${ED}/usr/share/qemu/sgabios.bin"
+		if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
+			dosym ../sgabios/sgabios.bin /usr/share/qemu/sgabios.bin
+		fi
 
-	# Remove iPXE since we're using the iPXE packaged one
-	rm "${ED}"/usr/share/qemu/pxe-*.rom
-	if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
-		dosym ../ipxe/8086100e.rom /usr/share/qemu/pxe-e1000.rom
-		dosym ../ipxe/80861209.rom /usr/share/qemu/pxe-eepro100.rom
-		dosym ../ipxe/10500940.rom /usr/share/qemu/pxe-ne2k_pci.rom
-		dosym ../ipxe/10222000.rom /usr/share/qemu/pxe-pcnet.rom
-		dosym ../ipxe/10ec8139.rom /usr/share/qemu/pxe-rtl8139.rom
-		dosym ../ipxe/1af41000.rom /usr/share/qemu/pxe-virtio.rom
+		# Remove iPXE since we're using the iPXE packaged one
+		rm "${ED}"/usr/share/qemu/pxe-*.rom
+		if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
+			dosym ../ipxe/8086100e.rom /usr/share/qemu/pxe-e1000.rom
+			dosym ../ipxe/80861209.rom /usr/share/qemu/pxe-eepro100.rom
+			dosym ../ipxe/10500940.rom /usr/share/qemu/pxe-ne2k_pci.rom
+			dosym ../ipxe/10222000.rom /usr/share/qemu/pxe-pcnet.rom
+			dosym ../ipxe/10ec8139.rom /usr/share/qemu/pxe-rtl8139.rom
+			dosym ../ipxe/1af41000.rom /usr/share/qemu/pxe-virtio.rom
+		fi
 	fi
 
 	qemu_support_kvm && readme.gentoo_create_doc
 }
 
 pkg_postinst() {
-	local virtfs_caps=
-
 	if qemu_support_kvm; then
 		readme.gentoo_print_elog
 		ewarn "Migration from qemu-kvm instances and loading qemu-kvm created"
@@ -557,11 +576,11 @@ pkg_postinst() {
 		fi
 	fi
 
-	virtfs_caps+="cap_chown,cap_dac_override,cap_fowner,cap_fsetid,"
-	virtfs_caps+="cap_setgid,cap_mknod,cap_setuid"
-
 	fcaps cap_net_admin /usr/libexec/qemu-bridge-helper
-	use virtfs && fcaps ${virtfs_caps} /usr/bin/virtfs-proxy-helper
+	if use virtfs && [ -n "${softmmu_targets}" ]; then
+		local virtfs_caps="cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_setgid,cap_mknod,cap_setuid"
+		fcaps ${virtfs_caps} /usr/bin/virtfs-proxy-helper
+	fi
 }
 
 pkg_info() {
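Review bot: The new guard `if use virtfs && [ -n "${softmmu_targets}" ]; then` uses the POSIX `[` test while the same condition elsewhere in the ebuild is written `[[ -n ${softmmu_targets} ]]` (src_test and src_install); use the `[[` form here as well. It also relies on `softmmu_targets`, which is populated during the build phases, still being set when pkg_postinst runs — presumably via the saved ebuild environment, but a short comment would help, because if it were empty the helper would be installed without its file capabilities and the omission would not be noticed at build time. The capability list `cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_setgid,cap_mknod,cap_setuid` is broad, so a comment on why virtfs-proxy-helper needs each of them would make later audits easier.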



* [gentoo-commits] proj/hardened-dev:musl commit in: app-emulation/qemu/files/, app-emulation/qemu/
@ 2014-11-18 21:57 Anthony G. Basile
From: Anthony G. Basile @ 2014-11-18 21:57 UTC (permalink / raw
  To: gentoo-commits

commit:     df65719acd9be2df4ca8599231667aaab051f0a1
Author:     Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Sun Nov  9 20:20:34 2014 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Nov 18 21:59:05 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=df65719a

app-emulation/qemu: bump to 2.1.2

Signed-off-by: Anthony G. Basile <blueness <AT> gentoo.org>

---
 .../qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch  | 50 ++++++++++++++++++++++
 ...qemu-2.1.1-r99.ebuild => qemu-2.1.2-r99.ebuild} | 15 ++++---
 2 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch b/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch
new file mode 100644
index 0000000..34f136f
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.1.2-vnc-sanitize-bits.patch
@@ -0,0 +1,50 @@
+https://bugs.gentoo.org/527088
+
+From e6908bfe8e07f2b452e78e677da1b45b1c0f6829 Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index 0fe6eff..8bca597 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+         return;
+     }
+ 
++    switch (bits_per_pixel) {
++    case 8:
++    case 16:
++    case 32:
++        break;
++    default:
++        vnc_client_error(vs);
++        return;
++    }
++
+     vs->client_pf.rmax = red_max;
+     vs->client_pf.rbits = hweight_long(red_max);
+     vs->client_pf.rshift = red_shift;
+-- 
+2.1.2
+

diff --git a/app-emulation/qemu/qemu-2.1.1-r99.ebuild b/app-emulation/qemu/qemu-2.1.2-r99.ebuild
similarity index 98%
rename from app-emulation/qemu/qemu-2.1.1-r99.ebuild
rename to app-emulation/qemu/qemu-2.1.2-r99.ebuild
index 8509734..4a1c813 100644
--- a/app-emulation/qemu/qemu-2.1.1-r99.ebuild
+++ b/app-emulation/qemu/qemu-2.1.2-r99.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.1.1.ebuild,v 1.4 2014/10/23 14:53:45 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.1.2-r1.ebuild,v 1.4 2014/11/08 18:09:33 ago Exp $
 
 EAPI=5
 
@@ -21,7 +21,7 @@ else
 	SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2
 	${BACKPORTS:+
 		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
-	KEYWORDS="amd64 x86"
+	KEYWORDS="amd64 ~ppc ~ppc64 x86 ~x86-fbsd"
 fi
 
 DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
@@ -108,7 +108,7 @@ X86_FIRMWARE_DEPEND="
 		sys-firmware/sgabios
 		sys-firmware/vgabios
 	)"
-RDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} )
+CDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} )
 	!static-user? ( ${USER_LIB_DEPEND//\[static-libs(+)]} )
 	qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} )
 	qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )
@@ -124,14 +124,13 @@ RDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} )
 	pulseaudio? ( media-sound/pulseaudio )
 	python? ( ${PYTHON_DEPS} )
 	sdl? ( media-libs/libsdl[X] )
-	selinux? ( sec-policy/selinux-qemu )
 	smartcard? ( dev-libs/nss !app-emulation/libcacard )
 	spice? ( >=app-emulation/spice-protocol-0.12.3 )
 	systemtap? ( dev-util/systemtap )
 	usbredir? ( >=sys-apps/usbredir-0.6 )
 	virtfs? ( sys-libs/libcap )
 	xen? ( app-emulation/xen-tools )"
-DEPEND="${RDEPEND}
+DEPEND="${CDEPEND}
 	dev-lang/perl
 	=dev-lang/python-2*
 	sys-apps/texinfo
@@ -144,6 +143,9 @@ DEPEND="${RDEPEND}
 		dev-libs/glib[utils]
 		sys-devel/bc
 	)"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-qemu )
+"
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"
 
@@ -256,8 +258,9 @@ src_prepare() {
 
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
 	epatch "${FILESDIR}"/${PN}-2.1.1-readlink-self.patch
+	epatch "${FILESDIR}"/${PN}-2.1.2-vnc-sanitize-bits.patch #527088
 	epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch #for musl
-	epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch #for musl                                                                                                       
+	epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch #for musl
 	[[ -n ${BACKPORTS} ]] && \
 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
 			epatch



* [gentoo-commits] proj/hardened-dev:musl commit in: app-emulation/qemu/files/, app-emulation/qemu/
@ 2015-06-08 12:26 Anthony G. Basile
From: Anthony G. Basile @ 2015-06-08 12:26 UTC (permalink / raw
  To: gentoo-commits

commit:     dd8f541bb891cc198527837f2eedb81594efb1f3
Author:     Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Sun Jun  7 19:17:51 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Mon Jun  8 12:27:39 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-dev.git/commit/?id=dd8f541b

app-emulation/qemu: Bump to 2.2.0

 .../qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch    | 241 +++++++++++++++++++++
 .../qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch    |  58 +++++
 .../qemu/files/qemu-2.3.0-CVE-2015-3456.patch      |  86 ++++++++
 ...qemu-2.2.0-r99.ebuild => qemu-2.2.1-r99.ebuild} |  21 +-
 4 files changed, 397 insertions(+), 9 deletions(-)

diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch
new file mode 100644
index 0000000..35ef8fd
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch
@@ -0,0 +1,241 @@
+From a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 23 Mar 2015 22:58:21 +0000
+Subject: [PATCH] CVE-2015-1779: incrementally decode websocket frames
+
+The logic for decoding websocket frames wants to fully
+decode the frame header and payload, before allowing the
+VNC server to see any of the payload data. There is no
+size limit on websocket payloads, so this allows a
+malicious network client to consume 2^64 bytes in memory
+in QEMU. It can trigger this denial of service before
+the VNC server even performs any authentication.
+
+The fix is to decode the header, and then incrementally
+decode the payload data as it is needed. With this fix
+the websocket decoder will allow at most 4k of data to
+be buffered before decoding and processing payload.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+
+[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]
+
+  @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,
+  -        *payload_size = input->offset;
+  +        *payload_size = *payload_remain;
+
+[ kraxel: fix 32bit build ]
+
+  @@ -306,7 +306,7 @@ struct VncState
+  -    uint64_t ws_payload_remain;
+  +    size_t ws_payload_remain;
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc-ws.c | 105 ++++++++++++++++++++++++++++++++++++++++--------------------
+ ui/vnc-ws.h |   9 ++++--
+ ui/vnc.h    |   2 ++
+ 3 files changed, 80 insertions(+), 36 deletions(-)
+
+diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
+index 85dbb7e..0b7de4e 100644
+--- a/ui/vnc-ws.c
++++ b/ui/vnc-ws.c
+@@ -107,7 +107,7 @@ long vnc_client_read_ws(VncState *vs)
+ {
+     int ret, err;
+     uint8_t *payload;
+-    size_t payload_size, frame_size;
++    size_t payload_size, header_size;
+     VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer,
+             vs->ws_input.capacity, vs->ws_input.offset);
+     buffer_reserve(&vs->ws_input, 4096);
+@@ -117,18 +117,39 @@ long vnc_client_read_ws(VncState *vs)
+     }
+     vs->ws_input.offset += ret;
+ 
+-    /* make sure that nothing is left in the ws_input buffer */
++    ret = 0;
++    /* consume as much of ws_input buffer as possible */
+     do {
+-        err = vncws_decode_frame(&vs->ws_input, &payload,
+-                              &payload_size, &frame_size);
+-        if (err <= 0) {
+-            return err;
++        if (vs->ws_payload_remain == 0) {
++            err = vncws_decode_frame_header(&vs->ws_input,
++                                            &header_size,
++                                            &vs->ws_payload_remain,
++                                            &vs->ws_payload_mask);
++            if (err <= 0) {
++                return err;
++            }
++
++            buffer_advance(&vs->ws_input, header_size);
+         }
++        if (vs->ws_payload_remain != 0) {
++            err = vncws_decode_frame_payload(&vs->ws_input,
++                                             &vs->ws_payload_remain,
++                                             &vs->ws_payload_mask,
++                                             &payload,
++                                             &payload_size);
++            if (err < 0) {
++                return err;
++            }
++            if (err == 0) {
++                return ret;
++            }
++            ret += err;
+ 
+-        buffer_reserve(&vs->input, payload_size);
+-        buffer_append(&vs->input, payload, payload_size);
++            buffer_reserve(&vs->input, payload_size);
++            buffer_append(&vs->input, payload, payload_size);
+ 
+-        buffer_advance(&vs->ws_input, frame_size);
++            buffer_advance(&vs->ws_input, payload_size);
++        }
+     } while (vs->ws_input.offset > 0);
+ 
+     return ret;
+@@ -265,15 +286,14 @@ void vncws_encode_frame(Buffer *output, const void *payload,
+     buffer_append(output, payload, payload_size);
+ }
+ 
+-int vncws_decode_frame(Buffer *input, uint8_t **payload,
+-                           size_t *payload_size, size_t *frame_size)
++int vncws_decode_frame_header(Buffer *input,
++                              size_t *header_size,
++                              size_t *payload_remain,
++                              WsMask *payload_mask)
+ {
+     unsigned char opcode = 0, fin = 0, has_mask = 0;
+-    size_t header_size = 0;
+-    uint32_t *payload32;
++    size_t payload_len;
+     WsHeader *header = (WsHeader *)input->buffer;
+-    WsMask mask;
+-    int i;
+ 
+     if (input->offset < WS_HEAD_MIN_LEN + 4) {
+         /* header not complete */
+@@ -283,7 +303,7 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload,
+     fin = (header->b0 & 0x80) >> 7;
+     opcode = header->b0 & 0x0f;
+     has_mask = (header->b1 & 0x80) >> 7;
+-    *payload_size = header->b1 & 0x7f;
++    payload_len = header->b1 & 0x7f;
+ 
+     if (opcode == WS_OPCODE_CLOSE) {
+         /* disconnect */
+@@ -300,40 +320,57 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload,
+         return -2;
+     }
+ 
+-    if (*payload_size < 126) {
+-        header_size = 6;
+-        mask = header->u.m;
+-    } else if (*payload_size == 126 && input->offset >= 8) {
+-        *payload_size = be16_to_cpu(header->u.s16.l16);
+-        header_size = 8;
+-        mask = header->u.s16.m16;
+-    } else if (*payload_size == 127 && input->offset >= 14) {
+-        *payload_size = be64_to_cpu(header->u.s64.l64);
+-        header_size = 14;
+-        mask = header->u.s64.m64;
++    if (payload_len < 126) {
++        *payload_remain = payload_len;
++        *header_size = 6;
++        *payload_mask = header->u.m;
++    } else if (payload_len == 126 && input->offset >= 8) {
++        *payload_remain = be16_to_cpu(header->u.s16.l16);
++        *header_size = 8;
++        *payload_mask = header->u.s16.m16;
++    } else if (payload_len == 127 && input->offset >= 14) {
++        *payload_remain = be64_to_cpu(header->u.s64.l64);
++        *header_size = 14;
++        *payload_mask = header->u.s64.m64;
+     } else {
+         /* header not complete */
+         return 0;
+     }
+ 
+-    *frame_size = header_size + *payload_size;
++    return 1;
++}
++
++int vncws_decode_frame_payload(Buffer *input,
++                               size_t *payload_remain, WsMask *payload_mask,
++                               uint8_t **payload, size_t *payload_size)
++{
++    size_t i;
++    uint32_t *payload32;
+ 
+-    if (input->offset < *frame_size) {
+-        /* frame not complete */
++    *payload = input->buffer;
++    /* If we aren't at the end of the payload, then drop
++     * off the last bytes, so we're always multiple of 4
++     * for purpose of unmasking, except at end of payload
++     */
++    if (input->offset < *payload_remain) {
++        *payload_size = input->offset - (input->offset % 4);
++    } else {
++        *payload_size = *payload_remain;
++    }
++    if (*payload_size == 0) {
+         return 0;
+     }
+-
+-    *payload = input->buffer + header_size;
++    *payload_remain -= *payload_size;
+ 
+     /* unmask frame */
+     /* process 1 frame (32 bit op) */
+     payload32 = (uint32_t *)(*payload);
+     for (i = 0; i < *payload_size / 4; i++) {
+-        payload32[i] ^= mask.u;
++        payload32[i] ^= payload_mask->u;
+     }
+     /* process the remaining bytes (if any) */
+     for (i *= 4; i < *payload_size; i++) {
+-        (*payload)[i] ^= mask.c[i % 4];
++        (*payload)[i] ^= payload_mask->c[i % 4];
+     }
+ 
+     return 1;
+diff --git a/ui/vnc-ws.h b/ui/vnc-ws.h
+index ef229b7..14d4230 100644
+--- a/ui/vnc-ws.h
++++ b/ui/vnc-ws.h
+@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs);
+ void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size);
+ void vncws_encode_frame(Buffer *output, const void *payload,
+             const size_t payload_size);
+-int vncws_decode_frame(Buffer *input, uint8_t **payload,
+-                               size_t *payload_size, size_t *frame_size);
++int vncws_decode_frame_header(Buffer *input,
++                              size_t *header_size,
++                              size_t *payload_remain,
++                              WsMask *payload_mask);
++int vncws_decode_frame_payload(Buffer *input,
++                               size_t *payload_remain, WsMask *payload_mask,
++                               uint8_t **payload, size_t *payload_size);
+ 
+ #endif /* __QEMU_UI_VNC_WS_H */
+diff --git a/ui/vnc.h b/ui/vnc.h
+index e19ac39..3f7c6a9 100644
+--- a/ui/vnc.h
++++ b/ui/vnc.h
+@@ -306,6 +306,8 @@ struct VncState
+ #ifdef CONFIG_VNC_WS
+     Buffer ws_input;
+     Buffer ws_output;
++    size_t ws_payload_remain;
++    WsMask ws_payload_mask;
+ #endif
+     /* current output mode information */
+     VncWritePixels *write_pixels;
+-- 
+2.3.5
+
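Review bot: The 64-bit length branch `*payload_remain = be64_to_cpu(header->u.s64.l64);` stores a client-supplied frame length into a `size_t`, which the "[ kraxel: fix 32bit build ]" trailer made 32-bit on those hosts, so a length above 4 GiB is silently truncated and the decoder then desynchronises, reading payload bytes as the next frame header; this header is parsed before any authentication, so the decoder should refuse such lengths rather than wrap. A minimal change is `uint64_t len = be64_to_cpu(header->u.s64.l64); if (len > SIZE_MAX) { return -2; } *payload_remain = len;`, using whichever code the decoder already returns for a malformed frame (the `return -2;` just above the length parsing looks like it, but its meaning is not visible in this hunk). Separately, `payload32 = (uint32_t *)(*payload);` still unmasks through a `uint32_t` view of a byte buffer; after `buffer_advance` the payload presumably starts at the allocation base so alignment is likely fine, but a `memcpy`-based XOR would be the portable form and would not depend on that.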

diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch
new file mode 100644
index 0000000..c7a8c8b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch
@@ -0,0 +1,58 @@
+From 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41 Mon Sep 17 00:00:00 2001
+From: "Daniel P. Berrange" <berrange@redhat.com>
+Date: Mon, 23 Mar 2015 22:58:22 +0000
+Subject: [PATCH] CVE-2015-1779: limit size of HTTP headers from websockets
+ clients
+
+The VNC server websockets decoder will read and buffer data from
+websockets clients until it sees the end of the HTTP headers,
+as indicated by \r\n\r\n. In theory this allows a malicious to
+trick QEMU into consuming an arbitrary amount of RAM. In practice,
+because QEMU runs g_strstr_len() across the buffered header data,
+it will spend increasingly long burning CPU time searching for
+the substring match and less & less time reading data. So while
+this does cause arbitrary memory growth, the bigger problem is
+that QEMU will be burning 100% of available CPU time.
+
+A novnc websockets client typically sends headers of around
+512 bytes in length. As such it is reasonable to place a 4096
+byte limit on the amount of data buffered while searching for
+the end of HTTP headers.
+
+Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ ui/vnc-ws.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
+index 0b7de4e..62eb97f 100644
+--- a/ui/vnc-ws.c
++++ b/ui/vnc-ws.c
+@@ -81,8 +81,11 @@ void vncws_handshake_read(void *opaque)
+     VncState *vs = opaque;
+     uint8_t *handshake_end;
+     long ret;
+-    buffer_reserve(&vs->ws_input, 4096);
+-    ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096);
++    /* Typical HTTP headers from novnc are 512 bytes, so limiting
++     * total header size to 4096 is easily enough. */
++    size_t want = 4096 - vs->ws_input.offset;
++    buffer_reserve(&vs->ws_input, want);
++    ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want);
+ 
+     if (!ret) {
+         if (vs->csock == -1) {
+@@ -99,6 +102,9 @@ void vncws_handshake_read(void *opaque)
+         vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset);
+         buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer +
+                 strlen(WS_HANDSHAKE_END));
++    } else if (vs->ws_input.offset >= 4096) {
++        VNC_DEBUG("End of headers not found in first 4096 bytes\n");
++        vnc_client_error(vs);
+     }
+ }
+ 
+-- 
+2.3.5
+
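Review bot: `size_t want = 4096 - vs->ws_input.offset;` underflows to a huge request if `ws_input.offset` is ever 4096 or more on entry, and nothing in the hunk states the invariant that keeps it below that; the `else if (vs->ws_input.offset >= 4096)` branch calls `vnc_client_error(vs)`, which presumably stops further reads, but the guard is implicit. The limit is also spelled out three times as the literal 4096 (the `want` computation, the `else if`, and the debug message), so the three can drift apart. I would introduce one constant and state the invariant next to it, e.g. `/* WS_HANDSHAKE_MAX_LEN bounds ws_input while searching for the end of the HTTP headers; offset stays below it because each read requests at most the remainder */`, then `size_t want = WS_HANDSHAKE_MAX_LEN - vs->ws_input.offset;` and the `else if` comparing against the same name. `vncws_handshake_read` begins on the hunk header line, so its opening is outside the hunk.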

diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch
new file mode 100644
index 0000000..87697d0
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch
@@ -0,0 +1,86 @@
+https://bugs.gentoo.org/549404
+
+From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Wed, 6 May 2015 09:48:59 +0200
+Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/block/fdc.c |   17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index f72a392..d8a8edd 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+ {
+     FDrive *cur_drv;
+     uint32_t retval = 0;
+-    int pos;
++    uint32_t pos;
+ 
+     cur_drv = get_cur_drv(fdctrl);
+     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+         return 0;
+     }
+     pos = fdctrl->data_pos;
++    pos %= FD_SECTOR_LEN;
+     if (fdctrl->msr & FD_MSR_NONDMA) {
+-        pos %= FD_SECTOR_LEN;
+         if (pos == 0) {
+             if (fdctrl->data_pos != 0)
+                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+ static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+ {
+     FDrive *cur_drv = get_cur_drv(fdctrl);
++    uint32_t pos;
+ 
+-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++    pos = fdctrl->data_pos - 1;
++    pos %= FD_SECTOR_LEN;
++    if (fdctrl->fifo[pos] & 0x80) {
+         /* Command parameters done */
+-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++        if (fdctrl->fifo[pos] & 0x40) {
+             fdctrl->fifo[0] = fdctrl->fifo[1];
+             fdctrl->fifo[2] = 0;
+             fdctrl->fifo[3] = 0;
+@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
+ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+ {
+     FDrive *cur_drv;
+-    int pos;
++    uint32_t pos;
+ 
+     /* Reset mode */
+     if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+     }
+ 
+     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+-    fdctrl->fifo[fdctrl->data_pos++] = value;
++    pos = fdctrl->data_pos++;
++    pos %= FD_SECTOR_LEN;
++    fdctrl->fifo[pos] = value;
+     if (fdctrl->data_pos == fdctrl->data_len) {
+         /* We now have all parameters
+          * and will be able to treat the command
+-- 
+1.7.0.4
+
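Review bot: The three new `pos %= FD_SECTOR_LEN;` lines clamp a guest-controlled index by wrapping rather than rejecting it, and none of them says why, so a later reader may "fix" one back into a bounds check that resets the controller, or drop the one in `fdctrl_read_data` that now sits outside the `FD_MSR_NONDMA` branch. In `fdctrl_handle_drive_specification_command`, `pos = fdctrl->data_pos - 1;` additionally relies on unsigned wrap when `data_pos` is 0: the result is `UINT32_MAX`, which the modulo folds back into a valid index, so the behaviour is defined but worth stating. I would add at the first site `/* data_pos is guest-controlled; wrap into the fifo rather than trust it (CVE-2015-3456) */` and before the subtraction `/* data_pos may be 0 here; the unsigned wrap is absorbed by the modulo below */`. That `fifo` is exactly `FD_SECTOR_LEN` bytes is asserted only by the commit message, not by anything visible in the hunk.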

diff --git a/app-emulation/qemu/qemu-2.2.0-r99.ebuild b/app-emulation/qemu/qemu-2.2.1-r99.ebuild
similarity index 97%
rename from app-emulation/qemu/qemu-2.2.0-r99.ebuild
rename to app-emulation/qemu/qemu-2.2.1-r99.ebuild
index 8bdbc95..5b8baf1 100644
--- a/app-emulation/qemu/qemu-2.2.0-r99.ebuild
+++ b/app-emulation/qemu/qemu-2.2.1-r99.ebuild
@@ -1,10 +1,10 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.2.0.ebuild,v 1.3 2015/03/12 10:06:51 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.2.1-r2.ebuild,v 1.3 2015/05/14 07:09:58 ago Exp $
 
 EAPI=5
 
-PYTHON_COMPAT=( python{2_6,2_7} )
+PYTHON_COMPAT=( python2_7 )
 PYTHON_REQ_USE="ncurses,readline"
 
 inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
@@ -20,9 +20,8 @@ if [[ ${PV} = *9999* ]]; then
 else
 	SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2
 	${BACKPORTS:+
-		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz
-		http://dev.gentoo.org/~tamiko/distfiles/${P}-${BACKPORTS}.tar.xz}"
-	KEYWORDS="amd64 ~ppc ~x86"
+		http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
+	KEYWORDS="amd64 ~ppc ~ppc64 x86 ~x86-fbsd"
 fi
 
 DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
@@ -77,13 +76,13 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 	curl? ( >=net-misc/curl-7.15.4[static-libs(+)] )
 	fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
 	glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] )
-	infiniband? ( sys-infiniband/librdmacm[static-libs(+)] )
-	jpeg? ( virtual/jpeg[static-libs(+)] )
+	infiniband? ( sys-infiniband/librdmacm:=[static-libs(+)] )
+	jpeg? ( virtual/jpeg:=[static-libs(+)] )
 	lzo? ( dev-libs/lzo:2[static-libs(+)] )
 	ncurses? ( sys-libs/ncurses[static-libs(+)] )
 	nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] )
 	numa? ( sys-process/numactl[static-libs(+)] )
-	png? ( media-libs/libpng[static-libs(+)] )
+	png? ( media-libs/libpng:0=[static-libs(+)] )
 	rbd? ( sys-cluster/ceph[static-libs(+)] )
 	sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
 	sdl? ( >=media-libs/libsdl-1.2.11[static-libs(+)] )
@@ -246,6 +245,7 @@ pkg_pretend() {
 
 pkg_setup() {
 	enewgroup kvm 78
+	python_setup
 }
 
 src_prepare() {
@@ -258,6 +258,9 @@ src_prepare() {
 	use nls || rm -f po/*.po
 
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
+	epatch "${FILESDIR}"/${P}-CVE-2015-1779-1.patch #544328
+	epatch "${FILESDIR}"/${P}-CVE-2015-1779-2.patch #544328
+	epatch "${FILESDIR}"/${PN}-2.3.0-CVE-2015-3456.patch #549404
 
 	# Patching for musl
 	epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch
@@ -399,7 +402,7 @@ qemu_src_configure() {
 		gcc-specs-pie && conf_opts+=( --enable-pie )
 	fi
 
-	einfo "./configure ${conf_opts[*]}"
+	einfo "../configure ${conf_opts[*]}"
 	cd "${builddir}"
 	../configure "${conf_opts[@]}" || die "configure failed"
 

