author | Matthias Maier <tamiko@gentoo.org> | 2017-03-26 22:18:22 -0500 |
---|---|---|
committer | Matthias Maier <tamiko@gentoo.org> | 2017-03-26 22:40:37 -0500 |
commit | b054426687f5eccea1873b53afed11100ca1eb8d (patch) | |
tree | 76c693bf54d71e28c124856a2c6e8bb889478a9e /app-emulation | |
parent | net-mail/courier-imap: remove unused version 4.16.0-r1. (diff) | |
app-emulation/qemu: security patches, bug #612220
CVE-2017-6505, bug #612220
Package-Manager: Portage-2.3.3, Repoman-2.3.2
Diffstat (limited to 'app-emulation')
-rw-r--r-- | app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch | 52 | ||||
-rw-r--r-- | app-emulation/qemu/qemu-2.8.0-r8.ebuild (renamed from app-emulation/qemu/qemu-2.8.0-r7.ebuild) | 1 |
2 files changed, 53 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
new file mode 100644
index 000000000000..a15aa96bd56f
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
@@ -0,0 +1,52 @@
+From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Tue, 7 Feb 2017 02:23:33 -0800
+Subject: [PATCH] usb: ohci: limit the number of link eds
+
+The guest may builds an infinite loop with link eds. This patch
+limit the number of linked ed to avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-ohci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 2cba3e3..21c93e0 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -42,6 +42,8 @@
+
+ #define OHCI_MAX_PORTS 15
+
++#define ED_LINK_LIMIT 4
++
+ static int64_t usb_frame_time;
+ static int64_t usb_bit_time;
+
+@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+ uint32_t next_ed;
+ uint32_t cur;
+ int active;
+-
++ uint32_t link_cnt = 0;
+ active = 0;
+
+ if (head == 0)
+@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
+
+ next_ed = ed.next & OHCI_DPTR_MASK;
+
++ if (++link_cnt > ED_LINK_LIMIT) {
++ ohci_die(ohci);
++ return 0;
++ }
++
+ if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
+ uint32_t addr;
+ /* Cancel pending packets for ED that have been paused. */
+--
+2.10.2
+
diff --git a/app-emulation/qemu/qemu-2.8.0-r7.ebuild b/app-emulation/qemu/qemu-2.8.0-r8.ebuild
index 2088438d8e58..8df1a91630a9 100644
--- a/app-emulation/qemu/qemu-2.8.0-r7.ebuild
+++ b/app-emulation/qemu/qemu-2.8.0-r8.ebuild
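Review bot: `ED_LINK_LIMIT` is defined as 4 with no comment, and the new check in `ohci_service_ed_list` calls `ohci_die(ohci)` as soon as a fifth ED is reached in one walk. A guest whose endpoint list is legitimately longer than four entries would therefore lose its controller; whether real guests build such lists is not visible in this patch and should be confirmed before relying on the value. The cap does bound the guest-built chain, so the host-side loop is closed, but the choice of 4 should be justified next to the define, e.g. `/* Max EDs followed in one list walk; bounds guest-built ED loops (CVE-2017-6505). */`. The function body starts and ends outside the hunks shown, so it cannot be checked here whether the early `return 0` skips work that normally runs after the loop.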
@@ -206,6 +206,7 @@ PATCHES=( "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398 "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch #609638 "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch #609206 + "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch #612220 ) STRIP_MASK="/usr/share/qemu/palcode-clipper" |