diff options
| author | Mark H Weaver <mhw@netris.org> | 2016-02-02 21:57:43 -0500 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2016-02-03 00:05:22 -0500 |
| commit | fd9a5b0fc3594cf3c62099f01502a150a54823fc (patch) | |
| tree | bd8566f193f9a8921750a49a203395fa75f946bf /gnu/packages/patches/qemu-CVE-2015-8558.patch | |
| parent | 80cc3a0a4a4e3b7deca4d1e3e4533eb400e3fde9 (diff) | |
gnu: qemu: Update to 2.5.0; add fixes for security flaws.
* gnu/packages/patches/qemu-CVE-2015-6855.patch: Delete file.
* gnu/packages/patches/qemu-virtio-9p-use-accessor-to-get-thread-pool.patch,
gnu/packages/patches/qemu-CVE-2015-8558.patch,
gnu/packages/patches/qemu-CVE-2015-8567.patch,
gnu/packages/patches/qemu-CVE-2015-8613.patch,
gnu/packages/patches/qemu-CVE-2015-8701.patch,
gnu/packages/patches/qemu-CVE-2015-8743.patch,
gnu/packages/patches/qemu-CVE-2016-1568.patch,
gnu/packages/patches/qemu-CVE-2016-1922.patch: New files.
* gnu-system.am (dist_patch_DATA): Remove 'qemu-CVE-2015-6855.patch'; add the
new patches.
* gnu/packages/qemu.scm (qemu): Update to 2.5.0.
[source]: Remove old patches and add new ones.
[arguments]: Add 'disable-test-qga' phase.
(%glib-memory-vtable-patch, %glib-duplicate-test-patch): Remove variables.
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2015-8558.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2015-8558.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2015-8558.patch b/gnu/packages/patches/qemu-CVE-2015-8558.patch new file mode 100644 index 0000000000..f755d735cb --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2015-8558.patch @@ -0,0 +1,48 @@ +From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Mon, 14 Dec 2015 09:21:23 +0100 +Subject: [PATCH] ehci: make idt processing more robust + +Make ehci_process_itd return an error in case we didn't do any actual +iso transfer because we've found no active transaction. That'll avoid +ehci happily run in circles forever if the guest builds a loop out of +idts. + +This is CVE-2015-8558. + +Cc: qemu-stable@nongnu.org +Reported-by: Qinghao Tang <luodalongde@gmail.com> +Tested-by: P J P <ppandit@redhat.com> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/usb/hcd-ehci.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 4e2161b..d07f228 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, + { + USBDevice *dev; + USBEndpoint *ep; +- uint32_t i, len, pid, dir, devaddr, endp; ++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; + uint32_t pg, off, ptr1, ptr2, max, mult; + + ehci->periodic_sched_active = PERIODIC_ACTIVE; +@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, + ehci_raise_irq(ehci, USBSTS_INT); + } + itd->transact[i] &= ~ITD_XACT_ACTIVE; ++ xfers++; + } + } +- return 0; ++ return xfers ? 0 : -1; + } + + +-- +2.6.3 + |