main/qemu: security fix (CVE-2015-8550, xsa-155). Fixes #5159

3 files changed, 101 insertions, 5 deletions

diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD
index 63e35854902..761e868a5b2 100644
--- a/main/qemu/APKBUILD
+++ b/main/qemu/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=qemu
 pkgver=2.5.0
-pkgrel=0
+pkgrel=1
 pkgdesc="QEMU is a generic machine emulator and virtualizer"
 url="http://qemu.org/"
 arch="all"
@@ -120,7 +120,11 @@ source="http://wiki.qemu-project.org/download/$pkgname-$pkgver.tar.bz2
 	fix-sigevent-and-sigval_t.patch
 	$pkgname-guest-agent.confd
 	$pkgname-guest-agent.initd
-	80-kvm.rules"
+	80-kvm.rules
+
+	xsa155-qemu-qdisk-double-access.patch
+	xsa155-qemu-xenfb.patch
+	"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 
@@ -213,6 +217,8 @@ package() {
 	install -Dm644 "$srcdir"/80-kvm.rules \
 		"$pkgdir"/lib/udev/rules.d/80-kvm.rules || return 1
 	paxmark -m "$pkgdir"/usr/bin/qemu-system-* || return 1
+	gzip "$pkgdir"/usr/share/man/man1/*
+	gzip "$pkgdir"/usr/share/man/man8/*
 
 	[ -z "$_arch" ] && return 0
 
@@ -324,7 +330,9 @@ bc5f2e41ed3b6d6d30b672adab82e3e1  musl-F_SHLCK-and-F_EXLCK.patch
 9afbd6c9586229ce64275f012d665e2a  fix-sigevent-and-sigval_t.patch
 1663bc6977f6886a58394155b1bf3676  qemu-guest-agent.confd
 ea972f2fc5505488f68320bf386106bb  qemu-guest-agent.initd
-66660f143235201249dc0648b39b86ee  80-kvm.rules"
+66660f143235201249dc0648b39b86ee  80-kvm.rules
+6240b501f6f8a2b98e993ea471aa3e96  xsa155-qemu-qdisk-double-access.patch
+fad7b109e196f888be9d8a8aaf38452f  xsa155-qemu-xenfb.patch"
 sha256sums="3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4  qemu-2.5.0.tar.bz2
 af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987  0001-elfload-load-PIE-executables-to-right-address.patch
 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac  0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
@@ -332,7 +340,9 @@ eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40  musl-F_SHLCK-a
 9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5  fix-sigevent-and-sigval_t.patch
 d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298  qemu-guest-agent.confd
 5bef90ccab2e743868fd562eee9a3ded35c8d3e01fa387367ed55a0da95570d5  qemu-guest-agent.initd
-37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84  80-kvm.rules"
+37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84  80-kvm.rules
+044ff74fa048df820d528f64f2791ec9cb3940bd313c1179020bd49a6cde2ca3  xsa155-qemu-qdisk-double-access.patch
+e53b4ac298648cde79344192d5a58ca8d8724344f5105bec7c09eef095c668f6  xsa155-qemu-xenfb.patch"
 sha512sums="12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3  qemu-2.5.0.tar.bz2
 405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd  0001-elfload-load-PIE-executables-to-right-address.patch
 ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea  0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
@@ -340,4 +350,6 @@ ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606
 e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a  fix-sigevent-and-sigval_t.patch
 d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f  qemu-guest-agent.confd
 316b40d97587fea717821852859d81039cfdcb276a658bb6e6fb554e321d5856a833ebb3778149c4732cea625bac320b1008d374c88a9aae35c0fb67977c01b7  qemu-guest-agent.initd
-9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2  80-kvm.rules"
+9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2  80-kvm.rules
+7434d7c770c4fb0e3d5fd73798bb60dd07bfc985453696f7167a043cd353ada1bb5471766821401fc20be5978ccb449bbcef40649ffb19041e907e2f49481b2b  xsa155-qemu-qdisk-double-access.patch
+206bd4bbdb2c55afd2272221892da4ea9fb44cdd005a47a1904d061222bcf51f12c8946b9fb11a28d5e589d41a5f739d4ca07c05c1784a70a5465edf44777775  xsa155-qemu-xenfb.patch"
diff --git a/main/qemu/xsa155-qemu-qdisk-double-access.patch b/main/qemu/xsa155-qemu-qdisk-double-access.patch
new file mode 100644
index 00000000000..0549216dcf2
--- /dev/null
+++ b/main/qemu/xsa155-qemu-qdisk-double-access.patch
@@ -0,0 +1,43 @@
+xen/blkif: Avoid double access to src->nr_segments
+
+src is stored in shared memory and src->nr_segments is dereferenced
+twice at the end of the function.  If a compiler decides to compile this
+into two separate memory accesses then the size limitation could be
+bypassed.
+
+Fix it by removing the double access to src->nr_segments.
+
+This is part of XSA-155.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h
+index 711b692..9e71e00 100644
+--- a/hw/block/xen_blkif.h
++++ b/hw/block/xen_blkif.h
+@@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque
+ 		d->nr_sectors = s->nr_sectors;
+ 		return;
+ 	}
+-	if (n > src->nr_segments)
+-		n = src->nr_segments;
++	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
++	barrier();
++	if (n > dst->nr_segments)
++		n = dst->nr_segments;
+ 	for (i = 0; i < n; i++)
+ 		dst->seg[i] = src->seg[i];
+ }
+@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque
+ 		d->nr_sectors = s->nr_sectors;
+ 		return;
+ 	}
+-	if (n > src->nr_segments)
+-		n = src->nr_segments;
++	/* prevent the compiler from optimizing the code and using src->nr_segments instead */
++	barrier();
++	if (n > dst->nr_segments)
++		n = dst->nr_segments;
+ 	for (i = 0; i < n; i++)
+ 		dst->seg[i] = src->seg[i];
+ }
diff --git a/main/qemu/xsa155-qemu-xenfb.patch b/main/qemu/xsa155-qemu-xenfb.patch
new file mode 100644
index 00000000000..dfc871375b6
--- /dev/null
+++ b/main/qemu/xsa155-qemu-xenfb.patch
@@ -0,0 +1,41 @@
+xenfb: avoid reading twice the same fields from the shared page
+
+Reading twice the same field could give the guest an attack of
+opportunity. In the case of event->type, gcc could compile the switch
+statement into a jump table, effectively ending up reading the type
+field multiple times.
+
+This is part of XSA-155.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+
+diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
+index 5e324ef..4e2a27a 100644
+--- a/hw/display/xenfb.c
++++ b/hw/display/xenfb.c
+@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque)
+ 
+ static void xenfb_handle_events(struct XenFB *xenfb)
+ {
+-    uint32_t prod, cons;
++    uint32_t prod, cons, out_cons;
+     struct xenfb_page *page = xenfb->c.page;
+ 
+     prod = page->out_prod;
+-    if (prod == page->out_cons)
++    out_cons = page->out_cons;
++    if (prod == out_cons)
+ 	return;
+     xen_rmb();		/* ensure we see ring contents up to prod */
+-    for (cons = page->out_cons; cons != prod; cons++) {
++    for (cons = out_cons; cons != prod; cons++) {
+ 	union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
++        uint8_t type = event->type;
+ 	int x, y, w, h;
+ 
+-	switch (event->type) {
++	switch (type) {
+ 	case XENFB_TYPE_UPDATE:
+ 	    if (xenfb->up_count == UP_QUEUE)
+ 		xenfb->up_fullscreen = 1;