From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-dev:musl commit in: app-emulation/qemu/, app-emulation/qemu/files/
Date: Sat, 1 Nov 2014 16:14:57 +0000 (UTC) [thread overview]
Message-ID: <1414858520.cb62f9fd061fbf7feed13831bd12d19e8636b0af.blueness@gentoo> (raw)
commit: cb62f9fd061fbf7feed13831bd12d19e8636b0af
Author: Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Thu Oct 30 21:02:28 2014 +0000
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Sat Nov 1 16:15:20 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=commit;h=cb62f9fd
app-emulation/qemu: bump to 2.1.1
Signed-off-by: Anthony G. Basile <blueness <AT> gentoo.org>
---
.../qemu/files/qemu-2.1.1-readlink-self.patch | 81 ++++++++++++++++++++++
...qemu-2.1.0-r99.ebuild => qemu-2.1.1-r99.ebuild} | 8 +--
2 files changed, 85 insertions(+), 4 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.1.1-readlink-self.patch b/app-emulation/qemu/files/qemu-2.1.1-readlink-self.patch
new file mode 100644
index 0000000..451a968
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.1.1-readlink-self.patch
@@ -0,0 +1,81 @@
+fix already in upstream
+
+From f17f4989fa193fa8279474c5462289a3cfe69aea Mon Sep 17 00:00:00 2001
+From: Mike Frysinger <vapier@chromium.org>
+Date: Fri, 8 Aug 2014 09:40:25 +0900
+Subject: [PATCH] linux-user: fix readlink handling with magic exe symlink
+
+The current code always returns the length of the path when it should
+be returning the number of bytes it wrote to the output string.
+
+Further, readlink is not supposed to append a NUL byte, but the current
+snprintf logic will always do just that.
+
+Even further, if you pass in a length of 0, you're suppoesd to get back
+an error (EINVAL), but the current logic just returns 0.
+
+Further still, if there was an error reading the symlink, we should not
+go ahead and try to read the target buffer as it is garbage.
+
+Simple test for the first two issues:
+$ cat test.c
+int main() {
+ char buf[50];
+ size_t len;
+ for (len = 0; len < 10; ++len) {
+ memset(buf, '!', sizeof(buf));
+ ssize_t ret = readlink("/proc/self/exe", buf, len);
+ buf[20] = '\0';
+ printf("readlink(/proc/self/exe, {%s}, %zu) = %zi\n", buf, len, ret);
+ }
+ return 0;
+}
+
+Now compare the output of the native:
+$ gcc test.c -o /tmp/x
+$ /tmp/x
+$ strace /tmp/x
+
+With what qemu does:
+$ armv7a-cros-linux-gnueabi-gcc test.c -o /tmp/x -static
+$ qemu-arm /tmp/x
+$ qemu-arm -strace /tmp/x
+
+Signed-off-by: Mike Frysinger <vapier@chromium.org>
+Signed-off-by: Riku Voipio <riku.voipio@linaro.org>
+---
+ linux-user/syscall.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index fccf9f0..7c108ab 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -6636,11 +6636,22 @@ abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
+ p2 = lock_user(VERIFY_WRITE, arg2, arg3, 0);
+ if (!p || !p2) {
+ ret = -TARGET_EFAULT;
++ } else if (!arg3) {
++ /* Short circuit this for the magic exe check. */
++ ret = -TARGET_EINVAL;
+ } else if (is_proc_myself((const char *)p, "exe")) {
+ char real[PATH_MAX], *temp;
+ temp = realpath(exec_path, real);
+- ret = temp == NULL ? get_errno(-1) : strlen(real) ;
+- snprintf((char *)p2, arg3, "%s", real);
++ /* Return value is # of bytes that we wrote to the buffer. */
++ if (temp == NULL) {
++ ret = get_errno(-1);
++ } else {
++ /* Don't worry about sign mismatch as earlier mapping
++ * logic would have thrown a bad address error. */
++ ret = MIN(strlen(real), arg3);
++ /* We cannot NUL terminate the string. */
++ memcpy(p2, real, ret);
++ }
+ } else {
+ ret = get_errno(readlink(path(p), p2, arg3));
+ }
+--
+2.0.0
+
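Review bot: The one-line header `fix already in upstream` at the top of the new patch file does not say which release carries the fix, so a future bump cannot tell whether the backport can be dropped. Since the embedded commit id and subject are already in the file, the header could read `Backport of upstream commit f17f4989 (linux-user: fix readlink handling with magic exe symlink); not in the 2.1.1 release, drop once a release includes it.` The embedded syscall.c change is upstream code and should stay byte-identical so it keeps applying with epatch; its hunk shows only a fragment of do_syscall, whose body starts and ends outside the patch.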
diff --git a/app-emulation/qemu/qemu-2.1.0-r99.ebuild b/app-emulation/qemu/qemu-2.1.1-r99.ebuild
similarity index 98%
rename from app-emulation/qemu/qemu-2.1.0-r99.ebuild
rename to app-emulation/qemu/qemu-2.1.1-r99.ebuild
index d885d11..8509734 100644
--- a/app-emulation/qemu/qemu-2.1.0-r99.ebuild
+++ b/app-emulation/qemu/qemu-2.1.1-r99.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.1.0-r1.ebuild,v 1.6 2014/09/13 17:07:04 ago Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.1.1.ebuild,v 1.4 2014/10/23 14:53:45 ago Exp $
EAPI=5
@@ -52,7 +52,7 @@ IUSE+=" ${use_targets}"
# Require at least one softmmu or user target.
# Block USE flag configurations known to not work.
REQUIRED_USE="|| ( ${use_targets} )
- python? ( ${PYTHON_REQUIRED_USE} )
+ ${PYTHON_REQUIRED_USE}
qemu_softmmu_targets_arm? ( fdt )
qemu_softmmu_targets_microblaze? ( fdt )
qemu_softmmu_targets_ppc? ( fdt )
@@ -255,9 +255,9 @@ src_prepare() {
use nls || rm -f po/*.po
epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
- epatch "${FILESDIR}"/${P}-CVE-2014-5388.patch #520688
+ epatch "${FILESDIR}"/${PN}-2.1.1-readlink-self.patch
epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch #for musl
- epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch #for musl
+ epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch #for musl
[[ -n ${BACKPORTS} ]] && \
EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
epatch
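Review bot: The `epatch "${FILESDIR}"/${P}-CVE-2014-5388.patch #520688` line is removed without the commit message or the ebuild saying why; presumably the CVE-2014-5388 fix is part of the 2.1.1 release, but as written a reader of the diff cannot distinguish that from an accidentally dropped security patch. Suggest recording it where the line was, for example `# CVE-2014-5388 (#520688) is fixed in 2.1.1 itself; readlink-self is a backport from upstream git`, so the next bump knows which patch was intentionally dropped and which one is still pending upstream. The src_prepare body continues outside the hunk.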