Sergei Lukin: 1 main/qemu: security fixes #6921 9 files changed, 386 insertions(+), 2 deletions(-)
Copy & paste the following snippet into your terminal to import this patchset into git:
curl -s https://lists.alpinelinux.org/~alpine/aports/patches/1903/mbox | git am -3Learn more about email & git
CVE-2016-7994: Qemu virtio-gpu: memory leak in virtio_gpu_resource_create_2d CVE-2016-7995: Qemu: usb: hcd-ehci: memory leak in ehci_process_itd CVE-2016-8576: Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch CVE-2016-8577: Qemu: 9pfs: host memory leakage in v9fs_read CVE-2016-8578: Qemu: 9pfs: potential NULL dereferencein 9pfs routines CVE-2016-8668: Qemu: net: OOB buffer access in rocker switch emulation CVE-2016-8909: Qemu: audio: intel-hda: infinite loop in processing dma buffer stream CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode CVE-2016-9101: Qemu: net: eepro100 memory leakage at device unplug CVE-2016-9102: Qemu: 9pfs: memory leakage when creating extended attribute CVE-2016-9103: Qemu: 9pfs: information leakage via xattribute CVE-2016-9104: Qemu: 9pfs: integer overflow leading to OOB access CVE-2016-9105: Qemu: memory leakage in v9fs_link CVE-2016-9106: Qemu: 9pfs: memory leakage in v9fs_write CVE-2017-5525: Qemu: audio: memory leakage in ac97 device CVE-2017-5552: Qemu: display: virtio-gpu-3d: memory leakage in virgl_resource_attach_backing CVE-2017-5578: Qemu: display: virtio-gpu: host memory leakage in virtio_gpu_resource_attach_backing CVE-2017-5579: Qemu: serial: host memory leakage in 16550A UART emulation CVE-2017-5667: Qemu: sd: sdhci OOB access during multi block SDMA transfer CVE-2017-5856: Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd CVE-2017-5857: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref CVE-2017-5898: Qemu: usb: integer overflow in emulated_apdu_from_guest CVE-2017-5931: virtio: integer overflow in handling virtio-crypto requests CVE-2017-2615: Qemu: display: cirrus: oob access while doing bitblt copy backward mode CVE-2017-2620: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list --- source code of qemu 2.8.1 already contained fixes for: CVE-2017-2615 CVE-2017-2620 CVE-2017-5667 CVE-2017-5931 CVE-2016-9101 CVE-2016-8910 CVE-2016-8909 CVE-2016-7994 CVE-2016-7995 CVE-2016-8576 CVE-2016-8577 CVE-2016-8578 CVE-2016-8668 CVE-2016-9103 CVE-2016-9104 CVE-2016-9105 CVE-2016-9106 (fix patches for these CVEs were not accepted) Patches that were accepted and applied: CVE-2016-9102.patch CVE-2017-5525.patch CVE-2017-5552.patch CVE-2017-5578.patch CVE-2017-5579.patch CVE-2017-5856.patch CVE-2017-5857.patch CVE-2017-5898.patch main/qemu/APKBUILD | 49 +++++++++++++++++++++++++++++++-- main/qemu/CVE-2016-9102.patch | 34 +++++++++++++++++++++++ main/qemu/CVE-2017-5525.patch | 52 +++++++++++++++++++++++++++++++++++ main/qemu/CVE-2017-5552.patch | 41 +++++++++++++++++++++++++++ main/qemu/CVE-2017-5578.patch | 35 +++++++++++++++++++++++ main/qemu/CVE-2017-5579.patch | 40 +++++++++++++++++++++++++++ main/qemu/CVE-2017-5856.patch | 64 +++++++++++++++++++++++++++++++++++++++++++ main/qemu/CVE-2017-5857.patch | 38 +++++++++++++++++++++++++ main/qemu/CVE-2017-5898.patch | 35 +++++++++++++++++++++++ 9 files changed, 386 insertions(+), 2 deletions(-) create mode 100755 main/qemu/CVE-2016-9102.patch create mode 100755 main/qemu/CVE-2017-5525.patch create mode 100755 main/qemu/CVE-2017-5552.patch create mode 100755 main/qemu/CVE-2017-5578.patch create mode 100755 main/qemu/CVE-2017-5579.patch create mode 100755 main/qemu/CVE-2017-5856.patch create mode 100755 main/qemu/CVE-2017-5857.patch create mode 100755 main/qemu/CVE-2017-5898.patch diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD index 0cdc70a917..5b343f66da 100644 --- a/main/qemu/APKBUILD +++ b/main/qemu/APKBUILD @@ -1,9 +1,10 @@ +# Contributor: Sergei Lukin <sergej.lukin@gmail.com> # Contributor: Valery Kartel <valery.kartel@gmail.com> # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=qemu pkgver=2.8.1 -pkgrel=0 +pkgrel=1 pkgdesc="QEMU is a generic machine emulator and virtualizer" url="http://qemu.org/" arch="all" @@ -131,8 +132,44 @@ source="http://wiki.qemu-project.org/download/$pkgname-$pkgver.tar.bz2 $pkgname-guest-agent.initd 80-kvm.rules bridge.conf + CVE-2016-9102.patch + CVE-2017-5525.patch + CVE-2017-5552.patch + CVE-2017-5578.patch + CVE-2017-5579.patch + CVE-2017-5856.patch + CVE-2017-5857.patch + CVE-2017-5898.patch " +# secfixes: +# 2.8.1-r1: +# - CVE-2016-7994 +# - CVE-2016-7995 +# - CVE-2016-8576 +# - CVE-2016-8577 +# - CVE-2016-8578 +# - CVE-2016-8668 +# - CVE-2016-8909 +# - CVE-2016-8910 +# - CVE-2016-9101 +# - CVE-2016-9102 +# - CVE-2016-9103 +# - CVE-2016-9104 +# - CVE-2016-9105 +# - CVE-2016-9106 +# - CVE-2017-2615 +# - CVE-2017-2620 +# - CVE-2017-5525 +# - CVE-2017-5552 +# - CVE-2017-5578 +# - CVE-2017-5579 +# - CVE-2017-5667 +# - CVE-2017-5856 +# - CVE-2017-5857 +# - CVE-2017-5898 +# - CVE-2017-5931 + builddir="$srcdir"/$pkgname-$pkgver prepare() { @@ -317,4 +354,12 @@ dd7a4616e22d9d6b04c6d81d95d17af0d638645c1aa306306fb0ed3a12b2de0fdd32d55c8142960c d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd 316b40d97587fea717821852859d81039cfdcb276a658bb6e6fb554e321d5856a833ebb3778149c4732cea625bac320b1008d374c88a9aae35c0fb67977c01b7 qemu-guest-agent.initd 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules -749efa2e764006555b4fd3a8e2f6d1118ad2ea4d45acf99104a41a93cfe66dc9685f72027c17d8211e5716246c2a52322c962cf4b73b27541b69393cd57f53bb bridge.conf" +749efa2e764006555b4fd3a8e2f6d1118ad2ea4d45acf99104a41a93cfe66dc9685f72027c17d8211e5716246c2a52322c962cf4b73b27541b69393cd57f53bb bridge.conf +c605c658f6a15467b9c21fb89995497a24ee8093f1c7eb68e17d89cc106dc7f3473195287ab349e822a5a287b08845f817ac9087bc4a8293707a2b9fa8264683 CVE-2016-9102.patch +a633ffdbd6eb58b1f091553db7944b72f6c5ea412b82f8162b4ece4b3c98aa550246bb8ab865b24468455f92bbb4908d842e03e84b9fb1fb0f1084a4e6097288 CVE-2017-5525.patch +1a17a4c9c5c2bb724735dade20c196bf90f5ab419b0dc5ca3ce771ac68d493d1f831722fe1aac8636f2c22ebecaa4560693aad98a87bd4e45c9fa529a1549546 CVE-2017-5552.patch +5f104e05e904a1392ca31203f02b7b546aeb91f1a438631c8a5f0fb5c6c051b19d8d0219b2c71aadd5d5404222d5dbc8e80127d2afaea6ed2bf918007d613a8a CVE-2017-5578.patch +74415ea5e6f6bfa787a2515da86c3ead87b0a9694d6adbdd390cbb3be43e1c88b4be4a8891f46bc6af520d3d5582c9ebe70572e2bb78d13c29d5ca12695d33ed CVE-2017-5579.patch +2b051f9d9265f9039e2cfed0bbdc93360f1660ea5b4129ec01f6faa3c1b6b135f5c949ddc26fe05a91a95a3ac558e8844ec292558c1dd66552868cbbc6aa8744 CVE-2017-5856.patch +d6d000b57f1fb194f9554165621109b364ebdb61416bc07e2283f2d493c33e770d1b63002d62565aae1ac19ed0ad9e572c207341aa1ad023581f349f62158d30 CVE-2017-5857.patch +80f89d75970345fbf6771cb16ed0d48c91c52b6b63ac967b3dbef56c16b654df432fa7ada0549c1b812d3d641f831fe20cb8b0eb52c46b8e73ade2801a563a8d CVE-2017-5898.patch" diff --git a/main/qemu/CVE-2016-9102.patch b/main/qemu/CVE-2016-9102.patch new file mode 100755 index 0000000000..b6cfa02efe --- /dev/null +++ b/main/qemu/CVE-2016-9102.patch @@ -0,0 +1,34 @@ +From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate + +The 'fs.xattr.value' field in V9fsFidState object doesn't consider the +situation that this field has been allocated previously. Every time, it +will be allocated directly. This leads to a host memory leak issue if +the client sends another Txattrcreate message with the same fid number +before the fid from the previous time got clunked. + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> +Reviewed-by: Greg Kurz <groug@kaod.org> +[groug, updated the changelog to indicate how the leak can occur] +Signed-off-by: Greg Kurz <groug@kaod.org> +--- + hw/9pfs/9p.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index bf23b01..66135cf 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) + xattr_fidp->fs.xattr.flags = flags; + v9fs_string_init(&xattr_fidp->fs.xattr.name); + v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); ++ g_free(xattr_fidp->fs.xattr.value); + xattr_fidp->fs.xattr.value = g_malloc0(size); + err = offset; + put_fid(pdu, file_fidp); +-- +1.8.3.1 + diff --git a/main/qemu/CVE-2017-5525.patch b/main/qemu/CVE-2017-5525.patch new file mode 100755 index 0000000000..00be7417a9 --- /dev/null +++ b/main/qemu/CVE-2017-5525.patch @@ -0,0 +1,52 @@ +From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Wed, 14 Dec 2016 18:30:21 -0800 +Subject: [PATCH] audio: ac97: add exit function +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +Currently the ac97 device emulation doesn't have a exit function, +hot unplug this device will leak some memory. Add a exit function to +avoid this. + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/audio/ac97.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c +index cbd959e..c306575 100644 +--- a/hw/audio/ac97.c ++++ b/hw/audio/ac97.c +@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) + ac97_on_reset (&s->dev.qdev); + } + ++static void ac97_exit(PCIDevice *dev) ++{ ++ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); ++ ++ AUD_close_in(&s->card, s->voice_pi); ++ AUD_close_out(&s->card, s->voice_po); ++ AUD_close_in(&s->card, s->voice_mc); ++ AUD_remove_card(&s->card); ++} ++ + static int ac97_init (PCIBus *bus) + { + pci_create_simple (bus, -1, "AC97"); +@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) + PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); + + k->realize = ac97_realize; ++ k->exit = ac97_exit; + k->vendor_id = PCI_VENDOR_ID_INTEL; + k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; + k->revision = 0x01; +-- +1.8.3.1 + diff --git a/main/qemu/CVE-2017-5552.patch b/main/qemu/CVE-2017-5552.patch new file mode 100755 index 0000000000..b6b12ec55d --- /dev/null +++ b/main/qemu/CVE-2017-5552.patch @@ -0,0 +1,41 @@ +From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@gmail.com> +Date: Thu, 29 Dec 2016 03:11:26 -0500 +Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +If the virgl_renderer_resource_attach_iov function fails the +'res_iovs' will be leaked. Add check of the return value to +free the 'res_iovs' when failing. + +Signed-off-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/virtio-gpu-3d.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index e29f099..b13ced3 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, +- res_iovs, att_rb.nr_entries); ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ res_iovs, att_rb.nr_entries); ++ ++ if (ret != 0) ++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); + } + + static void virgl_resource_detach_backing(VirtIOGPU *g, +-- +1.8.3.1 + diff --git a/main/qemu/CVE-2017-5578.patch b/main/qemu/CVE-2017-5578.patch new file mode 100755 index 0000000000..22e778e4ba --- /dev/null +++ b/main/qemu/CVE-2017-5578.patch @@ -0,0 +1,35 @@ +From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 +From: Li Qiang <liq3ea@gmail.com> +Date: Thu, 29 Dec 2016 04:28:41 -0500 +Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing + +In the resource attach backing function, everytime it will +allocate 'res->iov' thus can leading a memory leak. This +patch avoid this. + +Signed-off-by: Li Qiang <liq3ea@gmail.com> +Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/virtio-gpu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index 6a26258..ca88cf4 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; +-- +1.8.3.1 + diff --git a/main/qemu/CVE-2017-5579.patch b/main/qemu/CVE-2017-5579.patch new file mode 100755 index 0000000000..120e88d72c --- /dev/null +++ b/main/qemu/CVE-2017-5579.patch @@ -0,0 +1,40 @@ +From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 +From: Li Qiang <liqiang6-s@360.cn> +Date: Wed, 4 Jan 2017 00:43:16 -0800 +Subject: [PATCH] serial: fix memory leak in serial exit + +The serial_exit_core function doesn't free some resources. +This can lead memory leak when hotplug and unplug. This +patch avoid this. + +Signed-off-by: Li Qiang <liqiang6-s@360.cn> +Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + hw/char/serial.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/char/serial.c b/hw/char/serial.c +index ffbacd8..67b18ed 100644 +--- a/hw/char/serial.c ++++ b/hw/char/serial.c +@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) + void serial_exit_core(SerialState *s) + { + qemu_chr_fe_deinit(&s->chr); ++ ++ timer_del(s->modem_status_poll); ++ timer_free(s->modem_status_poll); ++ ++ timer_del(s->fifo_timeout_timer); ++ timer_free(s->fifo_timeout_timer); ++ ++ fifo8_destroy(&s->recv_fifo); ++ fifo8_destroy(&s->xmit_fifo); ++ + qemu_unregister_reset(serial_reset, s); + } + +-- +1.8.3.1 + diff --git a/main/qemu/CVE-2017-5856.patch b/main/qemu/CVE-2017-5856.patch new file mode 100755 index 0000000000..967ce7e088 --- /dev/null +++ b/main/qemu/CVE-2017-5856.patch @@ -0,0 +1,64 @@ +From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Mon, 2 Jan 2017 11:03:33 +0100 +Subject: [PATCH] megasas: fix guest-triggered memory leak + +If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd +will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. +Avoid this by returning only the status from map_dcmd, and loading +cmd->iov_size in the caller. + +Reported-by: Li Qiang <liqiang6-s@360.cn> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + hw/scsi/megasas.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 67fc1e7..6233865 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) + trace_megasas_dcmd_invalid_sge(cmd->index, + cmd->frame->header.sge_count); + cmd->iov_size = 0; +- return -1; ++ return -EINVAL; + } + iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); + iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); + pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); + qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); + cmd->iov_size = iov_size; +- return cmd->iov_size; ++ return 0; + } + + static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) +@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { + + static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) + { +- int opcode, len; ++ int opcode; + int retval = 0; ++ size_t len; + const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; + + opcode = le32_to_cpu(cmd->frame->dcmd.opcode); + trace_megasas_handle_dcmd(cmd->index, opcode); +- len = megasas_map_dcmd(s, cmd); +- if (len < 0) { ++ if (megasas_map_dcmd(s, cmd) < 0) { + return MFI_STAT_MEMORY_NOT_AVAILABLE; + } + while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { + cmdptr++; + } ++ len = cmd->iov_size; + if (cmdptr->opcode == -1) { + trace_megasas_dcmd_unhandled(cmd->index, opcode, len); + retval = megasas_dcmd_dummy(s, cmd); +-- +1.8.3.1 + diff --git a/main/qemu/CVE-2017-5857.patch b/main/qemu/CVE-2017-5857.patch new file mode 100755 index 0000000000..664a669ffa --- /dev/null +++ b/main/qemu/CVE-2017-5857.patch @@ -0,0 +1,38 @@ +When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the +backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) +we'll leak memory. + +This patch fixes it for 3d mode, simliar to the 2d mode fix in commit +"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy". + +Reported-by: 李强 <address@hidden> +Signed-off-by: Gerd Hoffmann <address@hidden> +--- + hw/display/virtio-gpu-3d.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index f96a0c2..ecb09d1 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VIRTIO_GPU_FILL_CMD(unref); + trace_virtio_gpu_cmd_res_unref(unref.resource_id); + ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ if (res_iovs != NULL && num_iovs != 0) { ++ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs); ++ } + virgl_renderer_resource_unref(unref.resource_id); + } + +-- +1.8.3.1 diff --git a/main/qemu/CVE-2017-5898.patch b/main/qemu/CVE-2017-5898.patch new file mode 100755 index 0000000000..67bd4d65b3 --- /dev/null +++ b/main/qemu/CVE-2017-5898.patch @@ -0,0 +1,35 @@ +From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Fri, 3 Feb 2017 00:52:28 +0530 +Subject: [PATCH] usb: ccid: check ccid apdu length + +CCID device emulator uses Application Protocol Data Units(APDU) +to exchange command and responses to and from the host. +The length in these units couldn't be greater than 65536. Add +check to ensure the same. It'd also avoid potential integer +overflow in emulated_apdu_from_guest. + +Reported-by: Li Qiang <liqiang6-s@360.cn> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-id: 20170202192228.10847-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/usb/dev-smartcard-reader.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index 89e11b6..1325ea1 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) + DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, + recv->hdr.bSeq, len); + ccid_add_pending_answer(s, (CCID_Header *)recv); +- if (s->card) { ++ if (s->card && len <= BULK_OUT_DATA_SIZE) { + ccid_card_apdu_from_guest(s->card, recv->abData, len); + } else { + DPRINTF(s, D_WARN, "warning: discarded apdu\n"); +-- +1.8.3.1 + -- 2.12.2 --- Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org Help: alpine-aports+help@lists.alpinelinux.org ---