authorLeonardo Arena <rnalrd@alpinelinux.org>2016-02-24 09:25:07 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2016-02-24 10:12:35 +0000
commit7e224e4ae1720e18573440dfbecc06d0b2fdee56 (patch)
tree0a8295283bf45214a6d0f49ab28575902ac0caa0
parent88cebe5b4fb6780c496cfce923046c833b0237ff (diff)
main/qemu: security fix (CVE-2015-8550, xsa-155). Fixes #5160
(cherry picked from commit 561bee69490ba198a8875f13eeba68964043ad1d)
-rw-r--r--main/qemu/APKBUILD13
-rw-r--r--main/qemu/xsa155-qemu-qdisk-double-access.patch43
-rw-r--r--main/qemu/xsa155-qemu-xenfb.patch41
3 files changed, 95 insertions, 2 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD
index e3263e663b..01a0fccef9 100644
--- a/main/qemu/APKBUILD
+++ b/main/qemu/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=qemu
pkgver=2.4.1
-pkgrel=3
+pkgrel=4
pkgdesc="QEMU is a generic machine emulator and virtualizer"
url="http://qemu.org/"
arch="all"
@@ -118,10 +118,13 @@ source="http://wiki.qemu-project.org/download/qemu-$pkgver.tar.bz2
musl-F_SHLCK-and-F_EXLCK.patch
fix-sigevent-and-sigval_t.patch
+ xsa155-qemu-qdisk-double-access.patch
+ xsa155-qemu-xenfb.patch
qemu-guest-agent.confd
qemu-guest-agent.initd
- 80-kvm.rules"
+ 80-kvm.rules
+ "
prepare() {
cd "$srcdir"/$pkgname-$pkgver
@@ -325,6 +328,8 @@ md5sums="a895e93ec1dafc34bc64ed676f0d55a6 qemu-2.4.1.tar.bz2
d364208c4847ad2baeb237900befecd1 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
bc5f2e41ed3b6d6d30b672adab82e3e1 musl-F_SHLCK-and-F_EXLCK.patch
9afbd6c9586229ce64275f012d665e2a fix-sigevent-and-sigval_t.patch
+6240b501f6f8a2b98e993ea471aa3e96 xsa155-qemu-qdisk-double-access.patch
+fad7b109e196f888be9d8a8aaf38452f xsa155-qemu-xenfb.patch
1663bc6977f6886a58394155b1bf3676 qemu-guest-agent.confd
4cb15a1c3de2691dd65842f2325dfe22 qemu-guest-agent.initd
66660f143235201249dc0648b39b86ee 80-kvm.rules"
@@ -333,6 +338,8 @@ af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987 0001-elfload-l
6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40 musl-F_SHLCK-and-F_EXLCK.patch
9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5 fix-sigevent-and-sigval_t.patch
+044ff74fa048df820d528f64f2791ec9cb3940bd313c1179020bd49a6cde2ca3 xsa155-qemu-qdisk-double-access.patch
+e53b4ac298648cde79344192d5a58ca8d8724344f5105bec7c09eef095c668f6 xsa155-qemu-xenfb.patch
d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298 qemu-guest-agent.confd
91f5ba66b56bb9a3e0d134de3ea756794d5f09fe8a14a4b0d3d95f69a9245c60 qemu-guest-agent.initd
37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules"
@@ -341,6 +348,8 @@ sha512sums="fde32b71a50d888c1055e61f4e6dfc45bb97e8e9ebee490c545965fbdcbd5ffd859f
ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
5de10f7e8abae16d1d7521e5ca1bfb62a8f295b324bea84f122f882b7b9354c21e5a00b20a1c5484c1b737b937e53c4ca6979e55705522f0779a5669725369f5 musl-F_SHLCK-and-F_EXLCK.patch
e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a fix-sigevent-and-sigval_t.patch
+7434d7c770c4fb0e3d5fd73798bb60dd07bfc985453696f7167a043cd353ada1bb5471766821401fc20be5978ccb449bbcef40649ffb19041e907e2f49481b2b xsa155-qemu-qdisk-double-access.patch
+206bd4bbdb2c55afd2272221892da4ea9fb44cdd005a47a1904d061222bcf51f12c8946b9fb11a28d5e589d41a5f739d4ca07c05c1784a70a5465edf44777775 xsa155-qemu-xenfb.patch
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
69457d757909b990f4fdfaef621696e5a5d287b42bc58e553cb52d85191788a269e91c0475bfb7223d3a9120c19cdf4d749b4d54013a644f33d0551517cdf094 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules"
diff --git a/main/qemu/xsa155-qemu-qdisk-double-access.patch b/main/qemu/xsa155-qemu-qdisk-double-access.patch
new file mode 100644
index 0000000000..0549216dcf
--- /dev/null
+++ b/main/qemu/xsa155-qemu-qdisk-double-access.patch
@@ -0,0 +1,43 @@
+xen/blkif: Avoid double access to src->nr_segments
+
+src is stored in shared memory and src->nr_segments is dereferenced
+twice at the end of the function. If a compiler decides to compile this
+into two separate memory accesses then the size limitation could be
+bypassed.
+
+Fix it by removing the double access to src->nr_segments.
+
+This is part of XSA-155.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h
+index 711b692..9e71e00 100644
+--- a/hw/block/xen_blkif.h
++++ b/hw/block/xen_blkif.h
+@@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque
+ d->nr_sectors = s->nr_sectors;
+ return;
+ }
+- if (n > src->nr_segments)
+- n = src->nr_segments;
++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
++ barrier();
++ if (n > dst->nr_segments)
++ n = dst->nr_segments;
+ for (i = 0; i < n; i++)
+ dst->seg[i] = src->seg[i];
+ }
+@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque
+ d->nr_sectors = s->nr_sectors;
+ return;
+ }
+- if (n > src->nr_segments)
+- n = src->nr_segments;
++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */
++ barrier();
++ if (n > dst->nr_segments)
++ n = dst->nr_segments;
+ for (i = 0; i < n; i++)
+ dst->seg[i] = src->seg[i];
+ }
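Review bot: The new clamp `if (n > dst->nr_segments)` is only a safe bound if `dst->nr_segments` was already copied out of the shared `src` before the `barrier()` and if `n` enters the function at the per-request segment maximum; both the copy and the initialisation of `n` lie outside this hunk (blkif_get_x86_32_req and blkif_get_x86_64_req both begin before it), so the patched code should say so. I would replace the identical comment in both hunks with `/* n and dst are private; re-reading src->nr_segments here would let the guest change it after the check (XSA-155) */`, which also explains why `barrier()` — a compiler-only barrier, which is all this needs — is placed before the comparison rather than after. The copy loop `dst->seg[i] = src->seg[i]` still reads each segment from shared memory, which is fine as long as every later consumer uses `dst->seg[]` and never goes back to `src`; worth confirming in the callers, which are not visible here.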
diff --git a/main/qemu/xsa155-qemu-xenfb.patch b/main/qemu/xsa155-qemu-xenfb.patch
new file mode 100644
index 0000000000..dfc871375b
--- /dev/null
+++ b/main/qemu/xsa155-qemu-xenfb.patch
@@ -0,0 +1,41 @@
+xenfb: avoid reading twice the same fields from the shared page
+
+Reading twice the same field could give the guest an attack of
+opportunity. In the case of event->type, gcc could compile the switch
+statement into a jump table, effectively ending up reading the type
+field multiple times.
+
+This is part of XSA-155.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+
+diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c
+index 5e324ef..4e2a27a 100644
+--- a/hw/display/xenfb.c
++++ b/hw/display/xenfb.c
+@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque)
+
+ static void xenfb_handle_events(struct XenFB *xenfb)
+ {
+- uint32_t prod, cons;
++ uint32_t prod, cons, out_cons;
+ struct xenfb_page *page = xenfb->c.page;
+
+ prod = page->out_prod;
+- if (prod == page->out_cons)
++ out_cons = page->out_cons;
++ if (prod == out_cons)
+ return;
+ xen_rmb(); /* ensure we see ring contents up to prod */
+- for (cons = page->out_cons; cons != prod; cons++) {
++ for (cons = out_cons; cons != prod; cons++) {
+ union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons);
++ uint8_t type = event->type;
+ int x, y, w, h;
+
+- switch (event->type) {
++ switch (type) {
+ case XENFB_TYPE_UPDATE:
+ if (xenfb->up_count == UP_QUEUE)
+ xenfb->up_fullscreen = 1;
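Review bot: The loop `for (cons = out_cons; cons != prod; cons++)` still iterates `prod - out_cons` times with `prod` taken from the guest-writable page, so if XENFB_OUT_RING_REF only masks the index modulo the ring length (not visible here) a guest can make the device model spin through up to 2^32 events before `cons` catches up; a sanity check such as `if (prod - out_cons > XENFB_OUT_RING_LEN) return;` after the `xen_rmb()` would bound that, assuming that macro exists in this file. Snapshotting `type` once is the right fix for the switch, but the `x, y, w, h` locals declared in the hunk are presumably filled from `event->update` further down, past the end of this hunk (xenfb_handle_events continues beyond it), and each of those fields must likewise be read exactly once before it is range-checked. I would annotate the new line as `uint8_t type = event->type; /* read once: the guest can rewrite the shared page under us (XSA-155) */` so the next edit to this switch does not reintroduce a second read.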