qemu: fixed multiple CVEs

CVE-2015-3456, fdc: out-of-bounds fifo buffer memory access
CVE-2014-5263, missing field list terminator in vmstate_xhci_event
CVE-2014-3689, vmware_vga: insufficient parameter validation in rectangle
functions
CVE-2014-7815, vnc: insufficient bits_per_pixel from the client sanitization

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3689
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7815

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>

1 files changed, 53 insertions, 0 deletions

diff --git a/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
new file mode 100644
index 0000000000..ef70c16423
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vmstate_xhci_event-CVE-2014-5263.patch
@@ -0,0 +1,53 @@
+From 2ad23e10869f1b54c5c92fc21af453896ebb5c92 Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Tue, 22 Jul 2014 17:26:41 +0200
+Subject: [PATCH] vmstate_xhci_event: fix unterminated field list
+
+"vmstate_xhci_event" was introduced in commit 37352df3 ("xhci: add live
+migration support"), and first released in v1.6.0. The field list in this
+VMSD is not terminated with the VMSTATE_END_OF_LIST() macro.
+
+During normal use (ie. migration), the issue is practically invisible,
+because the "vmstate_xhci_event" object (with the unterminated field list)
+is only ever referenced -- via "vmstate_xhci_intr" -- if xhci_er_full()
+returns true, for the "ev_buffer" test. Since that field_exists() check
+(apparently) almost always returns false, we almost never traverse
+"vmstate_xhci_event" during migration, which hides the bug.
+
+However, Amit's vmstate checker forces recursion into this VMSD as well,
+and the lack of VMSTATE_END_OF_LIST() breaks the field list terminator
+check (field->name != NULL) in dump_vmstate_vmsd(). The result is
+undefined behavior, which in my case translates to infinite recursion
+(because the loop happens to overflow into "vmstate_xhci_intr", which then
+links back to "vmstate_xhci_event").
+
+Add the missing terminator.
+
+Fixes CVE-2014-5263.
+Upstream-Status: Backport
+
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ hw/usb/hcd-xhci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 835f65e..745617e 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3571,6 +3571,7 @@ static const VMStateDescription vmstate_xhci_event = {
+         VMSTATE_UINT32(flags,  XHCIEvent),
+         VMSTATE_UINT8(slotid,  XHCIEvent),
+         VMSTATE_UINT8(epid,    XHCIEvent),
++        VMSTATE_END_OF_LIST()
+     }
+ };
+ 
+-- 
+1.9.1
+