From a71ba5142cd82c4d9390b726773ef75d92ef672a Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Tue, 16 May 2017 13:05:35 +0200
Subject: qemu: display: CVE-2016-9908 virtio-gpu: information leakage in virgl_cmd_get_capset
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9908
(From OE-Core rev: f5f4a08baeb4864984fcb9a837a3a8c51274df2b)
Signed-off-by: Sona Sarmadi
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
 .../recipes-devtools/qemu/qemu/CVE-2016-9908.patch | 44 ++++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.8.0.bb | 1 +
 2 files changed, 45 insertions(+)
 create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
new file mode 100644
index 0000000000..e0f7a1a3fd
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-9908.patch
@@ -0,0 +1,44 @@
+From 7139ccbc907441337b4b59cde2c5b5a54cb5b2cc Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi
+
+virtio-gpu: fix information leak in capset get dispatch
+
+In virgl_cmd_get_capset function, it uses g_malloc to allocate
+a response struct to the guest. As the 'resp'struct hasn't been full
+initialized it will lead the 'resp->padding' field to the guest.
+Use g_malloc0 to avoid this.
+
+Signed-off-by: Li Qiang
+Reviewed-by: Marc-André Lureau
+Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
+
+[Sona: backported from master to v2.8.0 and resolved conflict]
+
+Reference to upstream patch:
+http://git.qemu-project.org/?p=qemu.git;a=commit;h=85d9d044471f93c48c5c396f7e217b4ef12f69f8
+
+CVE: CVE-2016-9908
+Upstream-Status: Backport
+
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Sona Sarmadi
+---
+ hw/display/virtio-gpu-3d.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index 23f39de..d98b140 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+
+ virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+ &max_size);
+- resp = g_malloc(sizeof(*resp) + max_size);
++ resp = g_malloc0(sizeof(*resp) + max_size);
+
+ resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+ virgl_renderer_fill_caps(gc.capset_id,
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu_2.8.0.bb b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
index e0527a8fd9..69d4f28b14 100644
--- a/meta/recipes-devtools/qemu/qemu_2.8.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.8.0.bb
@@ -9,6 +9,7 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://pathlimit.patch \
 file://qemu-2.5.0-cflags.patch \
 file://target-ppc-fix-user-mode.patch \
+ file://CVE-2016-9908.patch \
 "
 
 SRC_URI =+ "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-- 
cgit v1.2.3-54-g00ecf
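Review bot: The `From:` header of the embedded patch names the backporter rather than the upstream author, while the body's own `Signed-off-by: Li Qiang` trailer and the referenced upstream commit 85d9d044 show who wrote the fix, so applying this file with `git am` will misattribute it; the header line should read `From: Li Qiang <upstream address from commit 85d9d044>` with the backporter kept in the `[Sona: backported ...]` note. The one-line code change is the right fix for the leak: `g_malloc0` clears the header padding that the commit message describes and also the `max_size` tail of the buffer, so any bytes that `virgl_renderer_fill_caps` might leave unwritten no longer carry stale heap contents to the guest. The remainder of `virgl_cmd_get_capset`, including the length that is eventually copied back to the guest, lies outside the embedded hunk and cannot be checked from here, so the backport note would benefit from stating that the surrounding 2.8.0 code was compared with master and only this line differed.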