5 files changed, 5 insertions(+), 134 deletions(-)
M gnu/local.mk
D gnu/packages/patches/qemu-CVE-2016-8576.patch
D gnu/packages/patches/qemu-CVE-2016-8577.patch
D gnu/packages/patches/qemu-CVE-2016-8578.patch
M gnu/packages/qemu.scm
M gnu/local.mk => gnu/local.mk +0 -3
@@ 819,9 819,6 @@ dist_patch_DATA = \
%D%/packages/patches/python-paste-remove-website-test.patch \
%D%/packages/patches/python-paste-remove-timing-test.patch \
%D%/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \
- %D%/packages/patches/qemu-CVE-2016-8576.patch \
- %D%/packages/patches/qemu-CVE-2016-8577.patch \
- %D%/packages/patches/qemu-CVE-2016-8578.patch \
%D%/packages/patches/qt4-ldflags.patch \
%D%/packages/patches/quickswitch-fix-dmenu-check.patch \
%D%/packages/patches/rapicorn-isnan.patch \
D gnu/packages/patches/qemu-CVE-2016-8576.patch => gnu/packages/patches/qemu-CVE-2016-8576.patch +0 -62
@@ 1,62 0,0 @@
-From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Fri, 7 Oct 2016 10:15:29 +0200
-Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-xhci.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index 726435c..ee4fa48 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -54,6 +54,8 @@
- * to the specs when it gets them */
- #define ER_FULL_HACK
-
-+#define TRB_LINK_LIMIT 4
-+
- #define LEN_CAP 0x40
- #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
- #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
-@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
- dma_addr_t *addr)
- {
- PCIDevice *pci_dev = PCI_DEVICE(xhci);
-+ uint32_t link_cnt = 0;
-
- while (1) {
- TRBType type;
-@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
- ring->dequeue += TRB_SIZE;
- return type;
- } else {
-+ if (++link_cnt > TRB_LINK_LIMIT) {
-+ return 0;
-+ }
- ring->dequeue = xhci_mask64(trb->parameter);
- if (trb->control & TRB_LK_TC) {
- ring->ccs = !ring->ccs;
-@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
- bool ccs = ring->ccs;
- /* hack to bundle together the two/three TDs that make a setup transfer */
- bool control_td_set = 0;
-+ uint32_t link_cnt = 0;
-
- while (1) {
- TRBType type;
-@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
- type = TRB_TYPE(trb);
-
- if (type == TR_LINK) {
-+ if (++link_cnt > TRB_LINK_LIMIT) {
-+ return -length;
-+ }
- dequeue = xhci_mask64(trb.parameter);
- if (trb.control & TRB_LK_TC) {
- ccs = !ccs;
---
-1.8.3.1
-
D gnu/packages/patches/qemu-CVE-2016-8577.patch => gnu/packages/patches/qemu-CVE-2016-8577.patch +0 -36
@@ 1,36 0,0 @@
-Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read
-From: Li Qiang <liq3ea@gmail.com>
-
-In 9pfs read dispatch function, it doesn't free two QEMUIOVector
-object thus causing potential memory leak. This patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
----
- hw/9pfs/9p.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index 119ee58..543a791 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
- if (len < 0) {
- /* IO error return the error */
- err = len;
-- goto out;
-+ goto out_free_iovec;
- }
- } while (count < max_count && len > 0);
- err = pdu_marshal(pdu, offset, "d", count);
- if (err < 0) {
-- goto out;
-+ goto out_free_iovec;
- }
- err += offset + count;
-+out_free_iovec:
- qemu_iovec_destroy(&qiov);
- qemu_iovec_destroy(&qiov_full);
- } else if (fidp->fid_type == P9_FID_XATTR) {
---
-1.8.3.1
-
D gnu/packages/patches/qemu-CVE-2016-8578.patch => gnu/packages/patches/qemu-CVE-2016-8578.patch +0 -27
@@ 1,27 0,0 @@
-From: Li Qiang <liq3ea@gmail.com>
-
-In 9pfs function v9fs_iov_vunmarshal, it will not allocate space
-for empty string. This will cause several NULL pointer dereference
-issues. this patch fix this issue.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
----
- fsdev/9p-iov-marshal.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
-index 663cad5..1d16f8d 100644
---- a/fsdev/9p-iov-marshal.c
-+++ b/fsdev/9p-iov-marshal.c
-@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
- str->data = g_malloc(str->size + 1);
- copied = v9fs_unpack(str->data, out_sg, out_num, offset,
- str->size);
-- if (copied > 0) {
-+ if (copied >= 0) {
- str->data[str->size] = 0;
- } else {
- v9fs_string_free(str);
---
-1.8.3.1
-
M gnu/packages/qemu.scm => gnu/packages/qemu.scm +5 -6
@@ 69,17 69,14 @@
(define-public qemu
(package
(name "qemu")
- (version "2.7.0")
+ (version "2.8.0")
(source (origin
(method url-fetch)
(uri (string-append "http://wiki.qemu-project.org/download/qemu-"
version ".tar.bz2"))
(sha256
(base32
- "0lqyz01z90nvxpc3nx4djbci7hx62cwvs5zwd6phssds0sap6vij"))
- (patches (search-patches "qemu-CVE-2016-8576.patch"
- "qemu-CVE-2016-8577.patch"
- "qemu-CVE-2016-8578.patch"))))
+ "0qjy3rcrn89n42y5iz60kgr0rrl29hpnj8mq2yvbc1wrcizmvzfs"))))
(build-system gnu-build-system)
(arguments
'(;; Running tests in parallel can occasionally lead to failures, like:
@@ 106,6 103,8 @@
(apply system*
`("./configure"
,(string-append "--cc=" (which "gcc"))
+ ;; Some architectures insist on using HOST_CC
+ ,(string-append "--host-cc=" (which "gcc"))
"--disable-debug-info" ; save build space
"--enable-virtfs" ; just to be sure
,(string-append "--prefix=" out)
@@ 124,7 123,7 @@
(add-before 'check 'make-gtester-verbose
(lambda _
;; Make GTester verbose to facilitate investigation upon failure.
- (setenv "V" "1")))
+ (setenv "V" "1") #t))
(add-before 'check 'disable-test-qga
(lambda _
(substitute* "tests/Makefile.include"