qemu: update to 2.4.0.

2025-07-29 08:52:56 +02:00 · 2015-08-12 08:30:51 +02:00 · 2015-08-12 08:30:51 +02:00 · 945bb70576
commit 945bb70576
parent ef34de2ab2
4 changed files with 3 additions and 287 deletions
--- a/srcpkgs/qemu/patches/CVE-2015-3209-pcnet-tx-buffer-fix.patch
+++ b/srcpkgs/qemu/patches/CVE-2015-3209-pcnet-tx-buffer-fix.patch
@ -1,48 +0,0 @@
 From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
 From: Petr Matousek <pmatouse@redhat.com>
 Date: Sun, 24 May 2015 10:53:44 +0200
 Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
 4096 is the maximum length per TMD and it is also currently the size of
 the relay buffer pcnet driver uses for sending the packet data to QEMU
 for further processing. With packet spanning multiple TMDs it can
 happen that the overall packet size will be bigger than sizeof(buffer),
 which results in memory corruption.
 Fix this by only allowing to queue maximum sizeof(buffer) bytes.
 This is CVE-2015-3209.
 [Fixed 3-space indentation to QEMU's 4-space coding standard.
 --Stefan]
 Signed-off-by: Petr Matousek <pmatouse@redhat.com>
 Reported-by: Matt Tait <matttait@google.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
 ---
 hw/net/pcnet.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
 diff --git hw/net/pcnet.c hw/net/pcnet.c
 index bdfd38f..68b9981 100644
 --- hw/net/pcnet.c
 +++ hw/net/pcnet.c
@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
         }
         bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
 +
 +        /* if multi-tmd packet outsizes s->buffer then skip it silently.
 +           Note: this is not what real hw does */
 +        if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
 +            s->xmit_pos = -1;
 +            goto txdone;
 +        }
 +
         s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
                          s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
         s->xmit_pos += bcnt;
 --
 1.7.0.4
--- a/srcpkgs/qemu/patches/CVE-2015-5154.patch
+++ b/srcpkgs/qemu/patches/CVE-2015-5154.patch
@ -1,175 +0,0 @@
 From a9de14175548c04e0f8be7fae219246509ba46a9 Mon Sep 17 00:00:00 2001
 From: Kevin Wolf <kwolf@redhat.com>
 Date: Wed, 3 Jun 2015 14:13:31 +0200
 Subject: [PATCH 1/3] ide: Check array bounds before writing to io_buffer
 (CVE-2015-5154)
 If the end_transfer_func of a command is called because enough data has
 been read or written for the current PIO transfer, and it fails to
 correctly call the command completion functions, the DRQ bit in the
 status register and s->end_transfer_func may remain set. This allows the
 guest to access further bytes in s->io_buffer beyond s->data_end, and
 eventually overflowing the io_buffer.
 One case where this currently happens is emulation of the ATAPI command
 START STOP UNIT.
 This patch fixes the problem by adding explicit array bounds checks
 before accessing the buffer instead of relying on end_transfer_func to
 function correctly.
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
 ---
 hw/ide/core.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 diff --git a/hw/ide/core.c b/hw/ide/core.c
 index 122e955..44fcc23 100644
 --- hw/ide/core.c
 +++ hw/ide/core.c
@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
     }
     p = s->data_ptr;
 +    if (p + 2 > s->data_end) {
 +        return;
 +    }
 +
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
     }
     p = s->data_ptr;
 +    if (p + 2 > s->data_end) {
 +        return 0;
 +    }
 +
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
     }
     p = s->data_ptr;
 +    if (p + 4 > s->data_end) {
 +        return;
 +    }
 +
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
     }
     p = s->data_ptr;
 +    if (p + 4 > s->data_end) {
 +        return 0;
 +    }
 +
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
 -- 
 1.8.3.1
 From aa851d30acfbb9580098ac1dc82885530cb8b3c1 Mon Sep 17 00:00:00 2001
 From: Kevin Wolf <kwolf@redhat.com>
 Date: Wed, 3 Jun 2015 14:17:46 +0200
 Subject: [PATCH 2/3] ide/atapi: Fix START STOP UNIT command completion
 The command must be completed on all code paths. START STOP UNIT with
 pwrcnd set should succeed without doing anything.
 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
 ---
 hw/ide/atapi.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
 index 950e311..79dd167 100644
 --- hw/ide/atapi.c
 +++ hw/ide/atapi.c
@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
     if (pwrcnd) {
         /* eject/load only happens for power condition == 0 */
 +        ide_atapi_cmd_ok(s);
         return;
     }
 --
 1.8.3.1
 From 1d3c2268f8708126a34064c2e0c1000b40e6f3e5 Mon Sep 17 00:00:00 2001
 From: Kevin Wolf <kwolf@redhat.com>
 Date: Wed, 3 Jun 2015 14:41:27 +0200
 Subject: [PATCH 3/3] ide: Clear DRQ after handling all expected accesses
 This is additional hardening against an end_transfer_func that fails to
 clear the DRQ status bit. The bit must be unset as soon as the PIO
 transfer has completed, so it's better to do this in a central place
 instead of duplicating the code in all commands (and forgetting it in
 some).
 Signed-off-by: Kevin Wolf <kwolf@redhat.com>
 ---
 hw/ide/core.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
 diff --git a/hw/ide/core.c b/hw/ide/core.c
 index 44fcc23..50449ca 100644
 --- hw/ide/core.c
 +++ hw/ide/core.c
@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
     *(uint16_t *)p = le16_to_cpu(val);
     p += 2;
     s->data_ptr = p;
 -    if (p >= s->data_end)
 +    if (p >= s->data_end) {
 +        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
 +    }
 }
 uint32_t ide_data_readw(void *opaque, uint32_t addr)
@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
     ret = cpu_to_le16(*(uint16_t *)p);
     p += 2;
     s->data_ptr = p;
 -    if (p >= s->data_end)
 +    if (p >= s->data_end) {
 +        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
 +    }
     return ret;
 }
@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
     *(uint32_t *)p = le32_to_cpu(val);
     p += 4;
     s->data_ptr = p;
 -    if (p >= s->data_end)
 +    if (p >= s->data_end) {
 +        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
 +    }
 }
 uint32_t ide_data_readl(void *opaque, uint32_t addr)
@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
     ret = cpu_to_le32(*(uint32_t *)p);
     p += 4;
     s->data_ptr = p;
 -    if (p >= s->data_end)
 +    if (p >= s->data_end) {
 +        s->status &= ~DRQ_STAT;
         s->end_transfer_func(s);
 +    }
     return ret;
 }
 --
 1.8.3.1
--- a/srcpkgs/qemu/patches/qemu-2.3.0-security-fdc.patch
+++ b/srcpkgs/qemu/patches/qemu-2.3.0-security-fdc.patch
@ -1,61 +0,0 @@
 This is a security patch addressing the Venom security issue (CVE-2015-3456)
 Patch pulled from qemu's git repository:
 http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c
 --- hw/block/fdc.c
 +++ hw/block/fdc.c
@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
 {
     FDrive *cur_drv;
     uint32_t retval = 0;
 -    int pos;
 +    uint32_t pos;
     cur_drv = get_cur_drv(fdctrl);
     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
         return 0;
     }
     pos = fdctrl->data_pos;
 +    pos %= FD_SECTOR_LEN;
     if (fdctrl->msr & FD_MSR_NONDMA) {
 -        pos %= FD_SECTOR_LEN;
         if (pos == 0) {
             if (fdctrl->data_pos != 0)
                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
 static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
 {
     FDrive *cur_drv = get_cur_drv(fdctrl);
 +    uint32_t pos;
 -    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
 +    pos = fdctrl->data_pos - 1;
 +    pos %= FD_SECTOR_LEN;
 +    if (fdctrl->fifo[pos] & 0x80) {
         /* Command parameters done */
 -        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
 +        if (fdctrl->fifo[pos] & 0x40) {
             fdctrl->fifo[0] = fdctrl->fifo[1];
             fdctrl->fifo[2] = 0;
             fdctrl->fifo[3] = 0;
@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
 static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
 {
     FDrive *cur_drv;
 -    int pos;
 +    uint32_t pos;
     /* Reset mode */
     if (!(fdctrl->dor & FD_DOR_nRESET)) {
@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
     }
     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
 -    fdctrl->fifo[fdctrl->data_pos++] = value;
 +    pos = fdctrl->data_pos++;
 +    pos %= FD_SECTOR_LEN;
 +    fdctrl->fifo[pos] = value;
     if (fdctrl->data_pos == fdctrl->data_len) {
         /* We now have all parameters
          * and will be able to treat the command
--- a/srcpkgs/qemu/template
+++ b/srcpkgs/qemu/template
@ -1,13 +1,13 @@
 # Template file for 'qemu'
 pkgname=qemu
-version=2.3.0
+version=2.4.0
-revision=7
+revision=1
 short_desc="Open Source Processor Emulator"
 maintainer="Juan RP <xtraeme@voidlinux.eu>"
 homepage="http://qemu.org"
 license="GPL-2, LGPL-2.1"
 distfiles="http://wiki.qemu.org/download/qemu-${version}.tar.bz2"
-checksum=b6bab7f763d5be73e7cb5ee7d4c8365b7a8df2972c52fa5ded18893bd8281588
+checksum=72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620
 nostrip=yes
 hostmakedepends="pkg-config perl python automake libtool flex"