qemu: Drop CVE patches

The CVEs have been fixed in upstream poky/rocko. Signed-off-by: Martin Borg <martin.borg@enea.com>
author: Martin Borg <martin.borg@enea.com> 2018-03-01 10:34:33 +0100
committer: Martin Borg <martin.borg@enea.com> 2018-03-01 10:38:09 +0100
commit: 2c0b43b3032f9a55edd395ae37f45fffce44fa9d (patch)
tree: 55c40c584ea4872482dd26290d57f4ac6320e2b6 /recipes-devtools
parent: 4a27c73bb707b3e3952e399286f83968b5d3c093 (diff)
download: meta-el-common-2c0b43b3032f9a55edd395ae37f45fffce44fa9d.tar.gz
7 files changed, 0 insertions, 362 deletions
diff --git a/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch
deleted file mode 100644
index 5684062..0000000
--- a/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 2ab8276a1cb2bcd0d14d4e05c193252f370b8251 Mon Sep 17 00:00:00 2001
-From: Bruce Rogers <brogers@suse.com>
-Date: Mon, 9 Jan 2017 13:35:20 -0700
-Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
- blit_is_unsafe
-Commit 4299b90 added a check which is too broad, given that the source
-pitch value is not required to be initialized for solid fill operations.
-This patch refines the blit_is_unsafe() check to ignore source pitch in
-that case. After applying the above commit as a security patch, we
-noticed the SLES 11 SP4 guest gui failed to initialize properly.
-Upstream-Status: Backport [this patch is needed for CVE-2017-2620]
-Signed-off-by: Bruce Rogers <brogers@suse.com>
-Message-id: 20170109203520.5619-1-brogers@suse.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- hw/display/cirrus_vga.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index bdb092e..379910d 100644
--- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
-     return false;
- }
- 
-static bool blit_is_unsafe(struct CirrusVGAState *s)
-+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
- {
-     /* should be the case, see cirrus_bitblt_start */
-     assert(s->cirrus_blt_width > 0);
-@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
-                               s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
-         return true;
-     }
-+    if (dst_only) {
-+        return false;
-+    }
-     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
-                               s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
-         return true;
-@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
- 
-     dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
- 
-    if (blit_is_unsafe(s))
-+    if (blit_is_unsafe(s, false))
-         return 0;
- 
-     (*s->cirrus_rop) (s, dst, src,
-@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
- {
-     cirrus_fill_t rop_func;
- 
-    if (blit_is_unsafe(s)) {
-+    if (blit_is_unsafe(s, true)) {
-         return 0;
-     }
-     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
-@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
- 
- static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
- {
-    if (blit_is_unsafe(s))
-+    if (blit_is_unsafe(s, false))
-         return 0;
- 
-     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
-- 
-1.9.1
diff --git a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch
deleted file mode 100644
index 3910fb9..0000000
--- a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From fc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Wed, 8 Feb 2017 11:18:36 +0100
-Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
- (CVE-2017-2620)
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all.  Oops.  Fix it.
-Security impact: high.
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-CVE: CVE-2017-2620
-Upstream-Status: Backport
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 629a5c8..6766349 100644
--- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -873,6 +873,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
-     int w;
- 
-+    if (blit_is_unsafe(s, true)) {
-+        return 0;
-+    }
-+
-     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
-     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
-     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -898,6 +902,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
-        }
-         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
-     }
-+
-+    /* the blit_is_unsafe call above should catch this */
-+    assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
-     s->cirrus_srcptr = s->cirrus_bltbuf;
-     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
-     cirrus_update_memory_access(s);
-- 
-1.9.1
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch b/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
deleted file mode 100644
index 4c35c26..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From d6f119475d3c9c913f9140771895036be66d5c33 Mon Sep 17 00:00:00 2001
-From: Gonglei <arei.gonglei@huawei.com>
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-Using uint_64 instead of size_t to avoid the integer overflow.
-CVE: CVE-2017-5931
-Upstream-Status: Backport [backport from 2.8.1.1 releases: https://git.qemu.org/?p=qemu.git;a=commit;h=d6f119475d3c9c913f9140771895036be66d5c33]
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Tested-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-(cherry picked from commit a08aaff811fb194950f79711d2afe5a892ae03a4)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e..c23e1ad 100644
--- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
-     uint32_t hash_start_src_offset = 0, len_to_hash = 0;
-     uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
- 
-    size_t max_len, curr_size = 0;
-+    uint64_t max_len, curr_size = 0;
-     size_t s;
- 
-     /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
-         return NULL;
-     }
- 
-    max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+    max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
-     if (unlikely(max_len > vcrypto->conf.max_size)) {
-         virtio_error(vdev, "virtio-crypto too big length");
-         return NULL;
-- 
-1.9.1
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch b/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
deleted file mode 100644
index a939e85..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 7 Feb 2017 02:23:33 -0800
-Subject: [PATCH] usb: ohci: limit the number of link eds
-The guest may builds an infinite loop with link eds. This patch
-limit the number of linked ed to avoid this.
-CVE: CVE-2017-6505
-Upstream-Status: Backport [backport from v2.9.0-rc0~85^2~8]
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- hw/usb/hcd-ohci.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 2cba3e3..21c93e0 100644
--- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -42,6 +42,8 @@
- 
- #define OHCI_MAX_PORTS 15
- 
-+#define ED_LINK_LIMIT 4
-+
- static int64_t usb_frame_time;
- static int64_t usb_bit_time;
- 
-@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
-     uint32_t next_ed;
-     uint32_t cur;
-     int active;
-
-+    uint32_t link_cnt = 0;
-     active = 0;
- 
-     if (head == 0)
-@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
- 
-         next_ed = ed.next & OHCI_DPTR_MASK;
- 
-+        if (++link_cnt > ED_LINK_LIMIT) {
-+            ohci_die(ohci);
-+            return 0;
-+        }
-+
-         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
-             uint32_t addr;
-             /* Cancel pending packets for ED that have been paused.  */
-- 
-1.9.1
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-7471.patch b/recipes-devtools/qemu/qemu/CVE-2017-7471.patch
deleted file mode 100644
index af233d3..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-7471.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 96bae145e27d4df62671b4eebd6c735f412016cf Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Mon, 17 Apr 2017 10:53:23 +0200
-Subject: [PATCH] 9pfs: local: set the path of the export root to "."
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-The local backend was recently converted to using "at*()" syscalls in order
-to ensure all accesses happen below the shared directory. This requires that
-we only pass relative paths, otherwise the dirfd argument to the "at*()"
-syscalls is ignored and the path is treated as an absolute path in the host.
-This is actually the case for paths in all fids, with the notable exception
-of the root fid, whose path is "/". This causes the following backend ops to
-act on the "/" directory of the host instead of the virtfs shared directory
-when the export root is involved:
- lstat
- chmod
- chown
- utimensat
-ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
-host for example. This could cause security issues with a privileged QEMU.
-All "*at()" syscalls are being passed an open file descriptor. In the case
-of the export root, this file descriptor points to the path in the host that
-was passed to -fsdev.
-The fix is thus as simple as changing the path of the export root fid to be
-"." instead of "/".
-This is CVE-2017-7471.
-CVE: CVE-2017-7471
-Upstream-Status: Backport
-Cc: qemu-stable@nongnu.org
-Reported-by: Léo Gaspard <leo@gaspard.io>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 9c6b899f7a46893ab3b671e341a2234e9c0c060e)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- hw/9pfs/9p-local.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index 227de61..293e0dc 100644
--- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -1099,8 +1099,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
- {
-     if (dir_path) {
-         v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
-    } else {
-+    } else if (strcmp(name, "/")) {
-         v9fs_path_sprintf(target, "%s", name);
-+    } else {
-+        /* We want the path of the export root to be relative, otherwise
-+         * "*at()" syscalls would treat it as "/" in the host.
-+         */
-+        v9fs_path_sprintf(target, "%s", ".");
-     }
-     return 0;
- }
-- 
-1.9.1
diff --git a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
deleted file mode 100644
index 812e64b..0000000
--- a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel@redhat.com>
-Date: Fri, 28 Apr 2017 09:56:12 +0200
-Subject: [PATCH] audio: release capture buffers
-AUD_add_capture() allocates two buffers which are never released.
-Add the missing calls to AUD_del_capture().
-Impact: Allows vnc clients to exhaust host memory by repeatedly
-starting and stopping audio capture.
-Fixes: CVE-2017-8309
-CVE-2017-8309
-Upstream-Status: Backport [backport from master, v2.10.0-rc0~214^2~27]
-Cc: P J P <ppandit@redhat.com>
-Cc: Huawei PSIRT <PSIRT@huawei.com>
-Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170428075612.9997-1-kraxel@redhat.com
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- audio/audio.c | 2 ++
- 1 file changed, 2 insertions(+)
-diff --git a/audio/audio.c b/audio/audio.c
-index c8898d8..beafed2 100644
--- a/audio/audio.c
-+++ b/audio/audio.c
-@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
-                     sw = sw1;
-                 }
-                 QLIST_REMOVE (cap, entries);
-+                g_free (cap->hw.mix_buf);
-+                g_free (cap->buf);
-                 g_free (cap);
-             }
-             return;
--
-1.9.1
diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend
deleted file mode 100644
index e27553c..0000000
--- a/recipes-devtools/qemu/qemu_%.bbappend
+++ /dev/null
@@ -1,10 +0,0 @@
-# look for files in the layer first
-FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://0001-CVE-2017-2620.patch \
-            file://0002-CVE-2017-2620.patch \
-            file://CVE-2017-7471.patch \
-            file://CVE-2017-6505.patch \
-            file://CVE-2017-8309.patch \
-            file://CVE-2017-5931.patch \
-           "
author	Martin Borg <martin.borg@enea.com>	2018-03-01 10:34:33 +0100
committer	Martin Borg <martin.borg@enea.com>	2018-03-01 10:38:09 +0100
commit	2c0b43b3032f9a55edd395ae37f45fffce44fa9d (patch)
tree	55c40c584ea4872482dd26290d57f4ac6320e2b6 /recipes-devtools
parent	4a27c73bb707b3e3952e399286f83968b5d3c093 (diff)
download	meta-el-common-2c0b43b3032f9a55edd395ae37f45fffce44fa9d.tar.gz

diff --git a/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch deleted file mode 100644 index 5684062..0000000 --- a/recipes-devtools/qemu/qemu/0001-CVE-2017-2620.patch +++ /dev/null
@@ -1,77 +0,0 @@
1	From 2ab8276a1cb2bcd0d14d4e05c193252f370b8251 Mon Sep 17 00:00:00 2001
2	From: Bruce Rogers <brogers@suse.com>
3	Date: Mon, 9 Jan 2017 13:35:20 -0700
4	Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
5	blit_is_unsafe
6
7	Commit 4299b90 added a check which is too broad, given that the source
8	pitch value is not required to be initialized for solid fill operations.
9	This patch refines the blit_is_unsafe() check to ignore source pitch in
10	that case. After applying the above commit as a security patch, we
11	noticed the SLES 11 SP4 guest gui failed to initialize properly.
12
13	Upstream-Status: Backport [this patch is needed for CVE-2017-2620]
14
15	Signed-off-by: Bruce Rogers <brogers@suse.com>
16	Message-id: 20170109203520.5619-1-brogers@suse.com
17	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
18	(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
19	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
21	---
22	hw/display/cirrus_vga.c \| 11 +++++++----
23	1 file changed, 7 insertions(+), 4 deletions(-)
24
25	diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
26	index bdb092e..379910d 100644
27	--- a/hw/display/cirrus_vga.c
28	+++ b/hw/display/cirrus_vga.c
29	@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
30	return false;
31	}
32
33	-static bool blit_is_unsafe(struct CirrusVGAState *s)
34	+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
35	{
36	/* should be the case, see cirrus_bitblt_start */
37	assert(s->cirrus_blt_width > 0);
38	@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
39	s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
40	return true;
41	}
42	+ if (dst_only) {
43	+ return false;
44	+ }
45	if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
46	s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
47	return true;
48	@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
49
50	dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
51
52	- if (blit_is_unsafe(s))
53	+ if (blit_is_unsafe(s, false))
54	return 0;
55
56	(*s->cirrus_rop) (s, dst, src,
57	@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
58	{
59	cirrus_fill_t rop_func;
60
61	- if (blit_is_unsafe(s)) {
62	+ if (blit_is_unsafe(s, true)) {
63	return 0;
64	}
65	rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
66	@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
67
68	static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
69	{
70	- if (blit_is_unsafe(s))
71	+ if (blit_is_unsafe(s, false))
72	return 0;
73
74	return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
75	--
76	1.9.1
77


diff --git a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch b/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch deleted file mode 100644 index 3910fb9..0000000 --- a/recipes-devtools/qemu/qemu/0002-CVE-2017-2620.patch +++ /dev/null
@@ -1,55 +0,0 @@
1	From fc8e94c3e5e74437c4e73a5582f17cfd4cae5ccf Mon Sep 17 00:00:00 2001
2	From: Gerd Hoffmann <kraxel@redhat.com>
3	Date: Wed, 8 Feb 2017 11:18:36 +0100
4	Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
5	(CVE-2017-2620)
6
7	CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
8	and blit width, at all. Oops. Fix it.
9
10	Security impact: high.
11
12	The missing blit destination check allows to write to host memory.
13	Basically same as CVE-2014-8106 for the other blit variants.
14
15	CVE: CVE-2017-2620
16	Upstream-Status: Backport
17
18	Cc: qemu-stable@nongnu.org
19	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
20	(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
21	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23	---
24	hw/display/cirrus_vga.c \| 8 ++++++++
25	1 file changed, 8 insertions(+)
26
27	diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
28	index 629a5c8..6766349 100644
29	--- a/hw/display/cirrus_vga.c
30	+++ b/hw/display/cirrus_vga.c
31	@@ -873,6 +873,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
32	{
33	int w;
34
35	+ if (blit_is_unsafe(s, true)) {
36	+ return 0;
37	+ }
38	+
39	s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
40	s->cirrus_srcptr = &s->cirrus_bltbuf[0];
41	s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
42	@@ -898,6 +902,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
43	}
44	s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
45	}
46	+
47	+ /* the blit_is_unsafe call above should catch this */
48	+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
49	+
50	s->cirrus_srcptr = s->cirrus_bltbuf;
51	s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
52	cirrus_update_memory_access(s);
53	--
54	1.9.1
55


diff --git a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch b/recipes-devtools/qemu/qemu/CVE-2017-5931.patch deleted file mode 100644 index 4c35c26..0000000 --- a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch +++ /dev/null
@@ -1,52 +0,0 @@
1	From d6f119475d3c9c913f9140771895036be66d5c33 Mon Sep 17 00:00:00 2001
2	From: Gonglei <arei.gonglei@huawei.com>
3	Date: Tue, 3 Jan 2017 14:50:03 +0800
4	Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
5
6	Because the 'size_t' type is 4 bytes in 32-bit platform, which
7	is the same with 'int'. It's easy to make 'max_len' to zero when
8	integer overflow and then cause heap overflow if 'max_len' is zero.
9
10	Using uint_64 instead of size_t to avoid the integer overflow.
11
12	CVE: CVE-2017-5931
13	Upstream-Status: Backport [backport from 2.8.1.1 releases: https://git.qemu.org/?p=qemu.git;a=commit;h=d6f119475d3c9c913f9140771895036be66d5c33]
14
15	Cc: qemu-stable@nongnu.org
16	Reported-by: Li Qiang <liqiang6-s@360.cn>
17	Signed-off-by: Gonglei <arei.gonglei@huawei.com>
18	Tested-by: Li Qiang <liqiang6-s@360.cn>
19	Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
20	Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
21	(cherry picked from commit a08aaff811fb194950f79711d2afe5a892ae03a4)
22	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
23	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
24	---
25	hw/virtio/virtio-crypto.c \| 4 ++--
26	1 file changed, 2 insertions(+), 2 deletions(-)
27
28	diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
29	index 2f2467e..c23e1ad 100644
30	--- a/hw/virtio/virtio-crypto.c
31	+++ b/hw/virtio/virtio-crypto.c
32	@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
33	uint32_t hash_start_src_offset = 0, len_to_hash = 0;
34	uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
35
36	- size_t max_len, curr_size = 0;
37	+ uint64_t max_len, curr_size = 0;
38	size_t s;
39
40	/* Plain cipher */
41	@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
42	return NULL;
43	}
44
45	- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
46	+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
47	if (unlikely(max_len > vcrypto->conf.max_size)) {
48	virtio_error(vdev, "virtio-crypto too big length");
49	return NULL;
50	--
51	1.9.1
52


diff --git a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch b/recipes-devtools/qemu/qemu/CVE-2017-6505.patch deleted file mode 100644 index a939e85..0000000 --- a/recipes-devtools/qemu/qemu/CVE-2017-6505.patch +++ /dev/null
@@ -1,56 +0,0 @@
1	From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
2	From: Li Qiang <liqiang6-s@360.cn>
3	Date: Tue, 7 Feb 2017 02:23:33 -0800
4	Subject: [PATCH] usb: ohci: limit the number of link eds
5
6	The guest may builds an infinite loop with link eds. This patch
7	limit the number of linked ed to avoid this.
8
9	CVE: CVE-2017-6505
10	Upstream-Status: Backport [backport from v2.9.0-rc0~85^2~8]
11
12	Signed-off-by: Li Qiang <liqiang6-s@360.cn>
13	Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
14	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
15	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
16	---
17	hw/usb/hcd-ohci.c \| 9 ++++++++-
18	1 file changed, 8 insertions(+), 1 deletion(-)
19
20	diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
21	index 2cba3e3..21c93e0 100644
22	--- a/hw/usb/hcd-ohci.c
23	+++ b/hw/usb/hcd-ohci.c
24	@@ -42,6 +42,8 @@
25
26	#define OHCI_MAX_PORTS 15
27
28	+#define ED_LINK_LIMIT 4
29	+
30	static int64_t usb_frame_time;
31	static int64_t usb_bit_time;
32
33	@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
34	uint32_t next_ed;
35	uint32_t cur;
36	int active;
37	-
38	+ uint32_t link_cnt = 0;
39	active = 0;
40
41	if (head == 0)
42	@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
43
44	next_ed = ed.next & OHCI_DPTR_MASK;
45
46	+ if (++link_cnt > ED_LINK_LIMIT) {
47	+ ohci_die(ohci);
48	+ return 0;
49	+ }
50	+
51	if ((ed.head & OHCI_ED_H) \|\| (ed.flags & OHCI_ED_K)) {
52	uint32_t addr;
53	/* Cancel pending packets for ED that have been paused. */
54	--
55	1.9.1
56


diff --git a/recipes-devtools/qemu/qemu/CVE-2017-7471.patch b/recipes-devtools/qemu/qemu/CVE-2017-7471.patch deleted file mode 100644 index af233d3..0000000 --- a/recipes-devtools/qemu/qemu/CVE-2017-7471.patch +++ /dev/null
@@ -1,70 +0,0 @@
1	From 96bae145e27d4df62671b4eebd6c735f412016cf Mon Sep 17 00:00:00 2001
2	From: Greg Kurz <groug@kaod.org>
3	Date: Mon, 17 Apr 2017 10:53:23 +0200
4	Subject: [PATCH] 9pfs: local: set the path of the export root to "."
5	MIME-Version: 1.0
6	Content-Type: text/plain; charset=UTF-8
7	Content-Transfer-Encoding: 8bit
8
9	The local backend was recently converted to using "at*()" syscalls in order
10	to ensure all accesses happen below the shared directory. This requires that
11	we only pass relative paths, otherwise the dirfd argument to the "at*()"
12	syscalls is ignored and the path is treated as an absolute path in the host.
13	This is actually the case for paths in all fids, with the notable exception
14	of the root fid, whose path is "/". This causes the following backend ops to
15	act on the "/" directory of the host instead of the virtfs shared directory
16	when the export root is involved:
17	- lstat
18	- chmod
19	- chown
20	- utimensat
21
22	ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
23	host for example. This could cause security issues with a privileged QEMU.
24
25	All "*at()" syscalls are being passed an open file descriptor. In the case
26	of the export root, this file descriptor points to the path in the host that
27	was passed to -fsdev.
28
29	The fix is thus as simple as changing the path of the export root fid to be
30	"." instead of "/".
31
32	This is CVE-2017-7471.
33
34	CVE: CVE-2017-7471
35	Upstream-Status: Backport
36
37	Cc: qemu-stable@nongnu.org
38	Reported-by: Léo Gaspard <leo@gaspard.io>
39	Signed-off-by: Greg Kurz <groug@kaod.org>
40	Reviewed-by: Eric Blake <eblake@redhat.com>
41	Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
42	(cherry picked from commit 9c6b899f7a46893ab3b671e341a2234e9c0c060e)
43	Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
44	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
45	---
46	hw/9pfs/9p-local.c \| 7 ++++++-
47	1 file changed, 6 insertions(+), 1 deletion(-)
48
49	diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
50	index 227de61..293e0dc 100644
51	--- a/hw/9pfs/9p-local.c
52	+++ b/hw/9pfs/9p-local.c
53	@@ -1099,8 +1099,13 @@ static int local_name_to_path(FsContext ctx, V9fsPath dir_path,
54	{
55	if (dir_path) {
56	v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
57	- } else {
58	+ } else if (strcmp(name, "/")) {
59	v9fs_path_sprintf(target, "%s", name);
60	+ } else {
61	+ /* We want the path of the export root to be relative, otherwise
62	+ * "*at()" syscalls would treat it as "/" in the host.
63	+ */
64	+ v9fs_path_sprintf(target, "%s", ".");
65	}
66	return 0;
67	}
68	--
69	1.9.1
70


diff --git a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch b/recipes-devtools/qemu/qemu/CVE-2017-8309.patch deleted file mode 100644 index 812e64b..0000000 --- a/recipes-devtools/qemu/qemu/CVE-2017-8309.patch +++ /dev/null
@@ -1,42 +0,0 @@
1	From 3268a845f41253fb55852a8429c32b50f36f349a Mon Sep 17 00:00:00 2001
2	From: Gerd Hoffmann <kraxel@redhat.com>
3	Date: Fri, 28 Apr 2017 09:56:12 +0200
4	Subject: [PATCH] audio: release capture buffers
5
6	AUD_add_capture() allocates two buffers which are never released.
7	Add the missing calls to AUD_del_capture().
8
9	Impact: Allows vnc clients to exhaust host memory by repeatedly
10	starting and stopping audio capture.
11
12	Fixes: CVE-2017-8309
13
14	CVE-2017-8309
15	Upstream-Status: Backport [backport from master, v2.10.0-rc0~214^2~27]
16
17	Cc: P J P <ppandit@redhat.com>
18	Cc: Huawei PSIRT <PSIRT@huawei.com>
19	Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
20	Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
21	Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
22	Message-id: 20170428075612.9997-1-kraxel@redhat.com
23	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
24	---
25	audio/audio.c \| 2 ++
26	1 file changed, 2 insertions(+)
27
28	diff --git a/audio/audio.c b/audio/audio.c
29	index c8898d8..beafed2 100644
30	--- a/audio/audio.c
31	+++ b/audio/audio.c
32	@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut cap, void cb_opaque)
33	sw = sw1;
34	}
35	QLIST_REMOVE (cap, entries);
36	+ g_free (cap->hw.mix_buf);
37	+ g_free (cap->buf);
38	g_free (cap);
39	}
40	return;
41	--
42	1.9.1


diff --git a/recipes-devtools/qemu/qemu_%.bbappend b/recipes-devtools/qemu/qemu_%.bbappend deleted file mode 100644 index e27553c..0000000 --- a/recipes-devtools/qemu/qemu_%.bbappend +++ /dev/null
@@ -1,10 +0,0 @@
1	# look for files in the layer first
2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4	SRC_URI += "file://0001-CVE-2017-2620.patch \
5	file://0002-CVE-2017-2620.patch \
6	file://CVE-2017-7471.patch \
7	file://CVE-2017-6505.patch \
8	file://CVE-2017-8309.patch \
9	file://CVE-2017-5931.patch \
10	"