From f152208b0da26ab9d3f85baaf74e1356699f8aea Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Sun, 13 Aug 2017 19:42:59 +0800
Subject: gnu: qemu: Fix CVE-2017-{10664,10806,10911,11434}.

* gnu/packages/patches/qemu-CVE-2017-10664.patch,
gnu/packages/patches/qemu-CVE-2017-10806.patch,
gnu/packages/patches/qemu-CVE-2017-10911.patch,
gnu/packages/patches/qemu-CVE-2017-11434.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/virtualization.scm (qemu)[source]: Use them.

Signed-off-by: Marius Bakke <mbakke@fastmail.com>
---
 gnu/packages/patches/qemu-CVE-2017-10664.patch |  27 +++++++
 gnu/packages/patches/qemu-CVE-2017-10806.patch |  38 +++++++++
 gnu/packages/patches/qemu-CVE-2017-10911.patch | 106 +++++++++++++++++++++++++
 gnu/packages/patches/qemu-CVE-2017-11434.patch |  25 ++++++
 4 files changed, 196 insertions(+)
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10664.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10806.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-10911.patch
 create mode 100644 gnu/packages/patches/qemu-CVE-2017-11434.patch

(limited to 'gnu/packages/patches')

diff --git a/gnu/packages/patches/qemu-CVE-2017-10664.patch b/gnu/packages/patches/qemu-CVE-2017-10664.patch
new file mode 100644
index 0000000000..2b60de3dca
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10664.patch
@@ -0,0 +1,27 @@
+Fix CVE-2017-10664:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1466190
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10664
+https://security-tracker.debian.org/tracker/CVE-2017-10664
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
+
+diff --git a/qemu-nbd.c b/qemu-nbd.c
+index 9464a0461c..4dd3fd4732 100644
+--- a/qemu-nbd.c
++++ b/qemu-nbd.c
+@@ -581,6 +581,10 @@ int main(int argc, char **argv)
+     sa_sigterm.sa_handler = termsig_handler;
+     sigaction(SIGTERM, &sa_sigterm, NULL);
+ 
++#ifdef CONFIG_POSIX
++    signal(SIGPIPE, SIG_IGN);
++#endif
++
+     module_call_init(MODULE_INIT_TRACE);
+     qcrypto_init(&error_fatal);
+ 
+
diff --git a/gnu/packages/patches/qemu-CVE-2017-10806.patch b/gnu/packages/patches/qemu-CVE-2017-10806.patch
new file mode 100644
index 0000000000..ebf782fe7b
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10806.patch
@@ -0,0 +1,38 @@
+Fix CVE-2017-10806:
+
+https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1468496
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10806
+https://security-tracker.debian.org/tracker/CVE-2017-10806
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=bd4a683505b27adc1ac809f71e918e58573d851d
+
+diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
+index b001a27f05..ad5ef783a6 100644
+--- a/hw/usb/redirect.c
++++ b/hw/usb/redirect.c
+@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
+ static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
+     const uint8_t *data, int len)
+ {
+-    int i, j, n;
+-
+     if (dev->debug < usbredirparser_debug_data) {
+         return;
+     }
+-
+-    for (i = 0; i < len; i += j) {
+-        char buf[128];
+-
+-        n = sprintf(buf, "%s", desc);
+-        for (j = 0; j < 8 && i + j < len; j++) {
+-            n += sprintf(buf + n, " %02X", data[i + j]);
+-        }
+-        error_report("%s", buf);
+-    }
++    qemu_hexdump((char *)data, stderr, desc, len);
+ }
+ 
+ /*
diff --git a/gnu/packages/patches/qemu-CVE-2017-10911.patch b/gnu/packages/patches/qemu-CVE-2017-10911.patch
new file mode 100644
index 0000000000..1dcb860a2d
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-10911.patch
@@ -0,0 +1,106 @@
+Fix CVE-2017-10911:
+
+https://xenbits.xen.org/xsa/advisory-216.html
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10911
+https://security-tracker.debian.org/tracker/CVE-2017-10911
+
+Patch copied from Xen Security Advisory:
+
+https://xenbits.xen.org/xsa/xsa216-qemuu.patch
+
+--- a/hw/block/xen_blkif.h
++++ b/hw/block/xen_blkif.h
+@@ -14,9 +14,6 @@
+ struct blkif_common_request {
+     char dummy;
+ };
+-struct blkif_common_response {
+-    char dummy;
+-};
+ 
+ /* i386 protocol version */
+ #pragma pack(push, 4)
+@@ -36,13 +33,7 @@ struct blkif_x86_32_request_discard {
+     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  */
+     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   */
+ };
+-struct blkif_x86_32_response {
+-    uint64_t        id;              /* copied from request */
+-    uint8_t         operation;       /* copied from request */
+-    int16_t         status;          /* BLKIF_RSP_???       */
+-};
+ typedef struct blkif_x86_32_request blkif_x86_32_request_t;
+-typedef struct blkif_x86_32_response blkif_x86_32_response_t;
+ #pragma pack(pop)
+ 
+ /* x86_64 protocol version */
+@@ -62,20 +53,14 @@ struct blkif_x86_64_request_discard {
+     blkif_sector_t sector_number;    /* start sector idx on disk (r/w only)  */
+     uint64_t       nr_sectors;       /* # of contiguous sectors to discard   */
+ };
+-struct blkif_x86_64_response {
+-    uint64_t       __attribute__((__aligned__(8))) id;
+-    uint8_t         operation;       /* copied from request */
+-    int16_t         status;          /* BLKIF_RSP_???       */
+-};
+ typedef struct blkif_x86_64_request blkif_x86_64_request_t;
+-typedef struct blkif_x86_64_response blkif_x86_64_response_t;
+ 
+ DEFINE_RING_TYPES(blkif_common, struct blkif_common_request,
+-                  struct blkif_common_response);
++                  struct blkif_response);
+ DEFINE_RING_TYPES(blkif_x86_32, struct blkif_x86_32_request,
+-                  struct blkif_x86_32_response);
++                  struct blkif_response QEMU_PACKED);
+ DEFINE_RING_TYPES(blkif_x86_64, struct blkif_x86_64_request,
+-                  struct blkif_x86_64_response);
++                  struct blkif_response);
+ 
+ union blkif_back_rings {
+     blkif_back_ring_t        native;
+--- a/hw/block/xen_disk.c
++++ b/hw/block/xen_disk.c
+@@ -769,31 +769,30 @@ static int blk_send_response_one(struct
+     struct XenBlkDev  *blkdev = ioreq->blkdev;
+     int               send_notify   = 0;
+     int               have_requests = 0;
+-    blkif_response_t  resp;
+-    void              *dst;
+-
+-    resp.id        = ioreq->req.id;
+-    resp.operation = ioreq->req.operation;
+-    resp.status    = ioreq->status;
++    blkif_response_t  *resp;
+ 
+     /* Place on the response ring for the relevant domain. */
+     switch (blkdev->protocol) {
+     case BLKIF_PROTOCOL_NATIVE:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.native, blkdev->rings.native.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.native,
++                                 blkdev->rings.native.rsp_prod_pvt);
+         break;
+     case BLKIF_PROTOCOL_X86_32:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
+-                                blkdev->rings.x86_32_part.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.x86_32_part,
++                                 blkdev->rings.x86_32_part.rsp_prod_pvt);
+         break;
+     case BLKIF_PROTOCOL_X86_64:
+-        dst = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
+-                                blkdev->rings.x86_64_part.rsp_prod_pvt);
++        resp = RING_GET_RESPONSE(&blkdev->rings.x86_64_part,
++                                 blkdev->rings.x86_64_part.rsp_prod_pvt);
+         break;
+     default:
+-        dst = NULL;
+         return 0;
+     }
+-    memcpy(dst, &resp, sizeof(resp));
++
++    resp->id        = ioreq->req.id;
++    resp->operation = ioreq->req.operation;
++    resp->status    = ioreq->status;
++
+     blkdev->rings.common.rsp_prod_pvt++;
+ 
+     RING_PUSH_RESPONSES_AND_CHECK_NOTIFY(&blkdev->rings.common, send_notify);
diff --git a/gnu/packages/patches/qemu-CVE-2017-11434.patch b/gnu/packages/patches/qemu-CVE-2017-11434.patch
new file mode 100644
index 0000000000..4da701a73d
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2017-11434.patch
@@ -0,0 +1,25 @@
+Fix CVE-2017-11434:
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html
+https://bugzilla.redhat.com/show_bug.cgi?id=1472611
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11434
+https://security-tracker.debian.org/tracker/CVE-2017-11434
+
+Patch copied from upstream source repository:
+
+https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=413d463f43fbc4dd3a601e80a5724aa384a265a0
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c182..5dd1a415b5 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+             if (p >= p_end)
+                 break;
+             len = *p++;
++            if (p + len > p_end) {
++                break;
++            }
+             DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+ 
+             switch(tag) {
-- 
cgit v1.2.3