5 files changed, 132 insertions(+), 1 deletions(-)

M gnu/local.mk
A gnu/packages/patches/qemu-CVE-2016-8576.patch
A gnu/packages/patches/qemu-CVE-2016-8577.patch
A gnu/packages/patches/qemu-CVE-2016-8578.patch
M gnu/packages/qemu.scm

@@ 809,6 809,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-paste-remove-website-test.patch	\
   %D%/packages/patches/python-paste-remove-timing-test.patch	\
   %D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
+  %D%/packages/patches/qemu-CVE-2016-8576.patch			\
+  %D%/packages/patches/qemu-CVE-2016-8577.patch			\
+  %D%/packages/patches/qemu-CVE-2016-8578.patch			\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/quickswitch-fix-dmenu-check.patch	\
   %D%/packages/patches/rapicorn-isnan.patch			\

@@ 0,0 1,62 @@
+From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 7 Oct 2016 10:15:29 +0200
+Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 726435c..ee4fa48 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+  * to the specs when it gets them */
+ #define ER_FULL_HACK
+ 
++#define TRB_LINK_LIMIT  4
++
+ #define LEN_CAP         0x40
+ #define LEN_OPER        (0x400 + 0x10 * MAXPORTS)
+ #define LEN_RUNTIME     ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+                                dma_addr_t *addr)
+ {
+     PCIDevice *pci_dev = PCI_DEVICE(xhci);
++    uint32_t link_cnt = 0;
+ 
+     while (1) {
+         TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+             ring->dequeue += TRB_SIZE;
+             return type;
+         } else {
++            if (++link_cnt > TRB_LINK_LIMIT) {
++                return 0;
++            }
+             ring->dequeue = xhci_mask64(trb->parameter);
+             if (trb->control & TRB_LK_TC) {
+                 ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+     bool ccs = ring->ccs;
+     /* hack to bundle together the two/three TDs that make a setup transfer */
+     bool control_td_set = 0;
++    uint32_t link_cnt = 0;
+ 
+     while (1) {
+         TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+         type = TRB_TYPE(trb);
+ 
+         if (type == TR_LINK) {
++            if (++link_cnt > TRB_LINK_LIMIT) {
++                return -length;
++            }
+             dequeue = xhci_mask64(trb.parameter);
+             if (trb.control & TRB_LK_TC) {
+                 ccs = !ccs;
+-- 
+1.8.3.1
+

@@ 0,0 1,36 @@
+Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read
+From: Li Qiang <liq3ea@gmail.com>
+
+In 9pfs read dispatch function, it doesn't free two QEMUIOVector
+object thus causing potential memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+---
+ hw/9pfs/9p.c | 5 +++--
+  1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 119ee58..543a791 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
+             if (len < 0) {
+                 /* IO error return the error */
+                 err = len;
+-                goto out;
++                goto out_free_iovec;
+             }
+         } while (count < max_count && len > 0);
+         err = pdu_marshal(pdu, offset, "d", count);
+         if (err < 0) {
+-            goto out;
++            goto out_free_iovec;
+         }
+         err += offset + count;
++out_free_iovec:
+         qemu_iovec_destroy(&qiov);
+         qemu_iovec_destroy(&qiov_full);
+     } else if (fidp->fid_type == P9_FID_XATTR) {
+-- 
+1.8.3.1
+

@@ 0,0 1,27 @@
+From: Li Qiang <liq3ea@gmail.com>
+
+In 9pfs function v9fs_iov_vunmarshal, it will not allocate space
+for empty string. This will cause several NULL pointer dereference
+issues. this patch fix this issue.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+---
+ fsdev/9p-iov-marshal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
+index 663cad5..1d16f8d 100644
+--- a/fsdev/9p-iov-marshal.c
++++ b/fsdev/9p-iov-marshal.c
+@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+                 str->data = g_malloc(str->size + 1);
+                 copied = v9fs_unpack(str->data, out_sg, out_num, offset,
+                                      str->size);
+-                if (copied > 0) {
++                if (copied >= 0) {
+                     str->data[str->size] = 0;
+                 } else {
+                     v9fs_string_free(str);
+-- 
+1.8.3.1
+

@@ 76,7 76,10 @@
                                  version ".tar.bz2"))
              (sha256
               (base32
-               "0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij"))))
+               "0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij"))
+             (patches (search-patches "qemu-CVE-2016-8576.patch"
+                                      "qemu-CVE-2016-8577.patch"
+                                      "qemu-CVE-2016-8578.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like: