From 7da6ebdca2d6b30dd6240db73b0c7605c310a4f1 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Tue, 29 Aug 2017 10:29:30 +0200
Subject: qemu: CVE-2017-8309

Qemu built with the Audio subsystem support is vulnerable to
a host memory leakage issue. It could occur if a guest user
was to repeatedly start and stop audio capture.

A privileged user inside guest could use this flaw to exhaust host memory,
resulting in DoS.

Reference:
==========
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8309
Upstream patch:
https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
 recipes-devtools/qemu/qemu/CVE-2017-8309.patch | 42 ++++++++++++++++++++++++++
 recipes-devtools/qemu/qemu_%.bbappend          |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 recipes-devtools/qemu/qemu/CVE-2017-8309.patch

diff --git a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
new file mode 100644
index 0000000..812e64b
--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
@@ -0,0 +1,42 @@
+From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 28 Apr 2017 09:56:12 +0200
+Subject: [PATCH] audio: release capture buffers
+
+AUD_add_capture() allocates two buffers which are never released.
+Add the missing calls to AUD_del_capture().
+
+Impact: Allows vnc clients to exhaust host memory by repeatedly
+starting and stopping audio capture.
+
+Fixes: CVE-2017-8309
+
+CVE-2017-8309
+Upstream-Status: Backport [backport from master, v2.10.0-rc0~214^2~27]
+
+Cc: P J P <ppandit@redhat.com>
+Cc: Huawei PSIRT <PSIRT@huawei.com>
+Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170428075612.9997-1-kraxel@redhat.com
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8..beafed2 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+                     sw = sw1;
+                 }
+                 QLIST_REMOVE (cap, entries);
++                g_free (cap->hw.mix_buf);
++                g_free (cap->buf);
+                 g_free (cap);
+             }
+             return;
+--
+1.9.1
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend
index 8db32c5..3ebff2d 100644
--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ b/recipes-devtools/qemu/qemu_%.bbappend
@@ -5,4 +5,5 @@ SRC_URI += "file://0001-CVE-2017-2620.patch \
             file://0002-CVE-2017-2620.patch \
             file://CVE-2017-7471.patch \
             file://CVE-2017-6505.patch \
+            file://CVE-2017-8309.patch \
            "
-- 
cgit v1.2.3-54-g00ecf