aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSergei Lukin <sergej.lukin@gmail.com>2017-04-18 12:55:12 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2017-04-21 12:52:14 +0000
commit251f7b99aba7d81c9ef398c6f3ec41f06c2ba661 (patch)
tree980a1728084ee290a631b716d1697125994dfe48
parent6e43b8e910ddb974b60364e4a18c31ff9c22b9e8 (diff)
downloadaports-251f7b99aba7d81c9ef398c6f3ec41f06c2ba661.tar.bz2
main/qemu: security fixes #6921
CVE-2016-7994: Qemu virtio-gpu: memory leak in virtio_gpu_resource_create_2d CVE-2016-7995: Qemu: usb: hcd-ehci: memory leak in ehci_process_itd CVE-2016-8576: Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch CVE-2016-8577: Qemu: 9pfs: host memory leakage in v9fs_read CVE-2016-8578: Qemu: 9pfs: potential NULL dereferencein 9pfs routines CVE-2016-8668: Qemu: net: OOB buffer access in rocker switch emulation CVE-2016-8909: Qemu: audio: intel-hda: infinite loop in processing dma buffer stream CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode CVE-2016-9101: Qemu: net: eepro100 memory leakage at device unplug CVE-2016-9102: Qemu: 9pfs: memory leakage when creating extended attribute CVE-2016-9103: Qemu: 9pfs: information leakage via xattribute CVE-2016-9104: Qemu: 9pfs: integer overflow leading to OOB access CVE-2016-9105: Qemu: memory leakage in v9fs_link CVE-2016-9106: Qemu: 9pfs: memory leakage in v9fs_write CVE-2017-5525: Qemu: audio: memory leakage in ac97 device CVE-2017-5552: Qemu: display: virtio-gpu-3d: memory leakage in virgl_resource_attach_backing CVE-2017-5578: Qemu: display: virtio-gpu: host memory leakage in virtio_gpu_resource_attach_backing CVE-2017-5579: Qemu: serial: host memory leakage in 16550A UART emulation CVE-2017-5667: Qemu: sd: sdhci OOB access during multi block SDMA transfer CVE-2017-5856: Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd CVE-2017-5857: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref CVE-2017-5898: Qemu: usb: integer overflow in emulated_apdu_from_guest CVE-2017-5931: virtio: integer overflow in handling virtio-crypto requests CVE-2017-2615: Qemu: display: cirrus: oob access while doing bitblt copy backward mode CVE-2017-2620: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list
-rw-r--r--main/qemu/APKBUILD49
-rwxr-xr-xmain/qemu/CVE-2016-9102.patch34
-rwxr-xr-xmain/qemu/CVE-2017-5525.patch52
-rwxr-xr-xmain/qemu/CVE-2017-5552.patch41
-rwxr-xr-xmain/qemu/CVE-2017-5578.patch35
-rwxr-xr-xmain/qemu/CVE-2017-5579.patch40
-rwxr-xr-xmain/qemu/CVE-2017-5856.patch64
-rwxr-xr-xmain/qemu/CVE-2017-5857.patch38
-rwxr-xr-xmain/qemu/CVE-2017-5898.patch35
9 files changed, 386 insertions, 2 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD
index 0cdc70a..5b343f6 100644
--- a/main/qemu/APKBUILD
+++ b/main/qemu/APKBUILD
@@ -1,9 +1,10 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Contributor: Valery Kartel <valery.kartel@gmail.com>
# Contributor: Jakub Jirutka <jakub@jirutka.cz>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=qemu
pkgver=2.8.1
-pkgrel=0
+pkgrel=1
pkgdesc="QEMU is a generic machine emulator and virtualizer"
url="http://qemu.org/"
arch="all"
@@ -131,8 +132,44 @@ source="http://wiki.qemu-project.org/download/$pkgname-$pkgver.tar.bz2
$pkgname-guest-agent.initd
80-kvm.rules
bridge.conf
+ CVE-2016-9102.patch
+ CVE-2017-5525.patch
+ CVE-2017-5552.patch
+ CVE-2017-5578.patch
+ CVE-2017-5579.patch
+ CVE-2017-5856.patch
+ CVE-2017-5857.patch
+ CVE-2017-5898.patch
"
+# secfixes:
+# 2.8.1-r1:
+# - CVE-2016-7994
+# - CVE-2016-7995
+# - CVE-2016-8576
+# - CVE-2016-8577
+# - CVE-2016-8578
+# - CVE-2016-8668
+# - CVE-2016-8909
+# - CVE-2016-8910
+# - CVE-2016-9101
+# - CVE-2016-9102
+# - CVE-2016-9103
+# - CVE-2016-9104
+# - CVE-2016-9105
+# - CVE-2016-9106
+# - CVE-2017-2615
+# - CVE-2017-2620
+# - CVE-2017-5525
+# - CVE-2017-5552
+# - CVE-2017-5578
+# - CVE-2017-5579
+# - CVE-2017-5667
+# - CVE-2017-5856
+# - CVE-2017-5857
+# - CVE-2017-5898
+# - CVE-2017-5931
+
builddir="$srcdir"/$pkgname-$pkgver
prepare() {
@@ -317,4 +354,12 @@ dd7a4616e22d9d6b04c6d81d95d17af0d638645c1aa306306fb0ed3a12b2de0fdd32d55c8142960c
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
316b40d97587fea717821852859d81039cfdcb276a658bb6e6fb554e321d5856a833ebb3778149c4732cea625bac320b1008d374c88a9aae35c0fb67977c01b7 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules
-749efa2e764006555b4fd3a8e2f6d1118ad2ea4d45acf99104a41a93cfe66dc9685f72027c17d8211e5716246c2a52322c962cf4b73b27541b69393cd57f53bb bridge.conf"
+749efa2e764006555b4fd3a8e2f6d1118ad2ea4d45acf99104a41a93cfe66dc9685f72027c17d8211e5716246c2a52322c962cf4b73b27541b69393cd57f53bb bridge.conf
+c605c658f6a15467b9c21fb89995497a24ee8093f1c7eb68e17d89cc106dc7f3473195287ab349e822a5a287b08845f817ac9087bc4a8293707a2b9fa8264683 CVE-2016-9102.patch
+a633ffdbd6eb58b1f091553db7944b72f6c5ea412b82f8162b4ece4b3c98aa550246bb8ab865b24468455f92bbb4908d842e03e84b9fb1fb0f1084a4e6097288 CVE-2017-5525.patch
+1a17a4c9c5c2bb724735dade20c196bf90f5ab419b0dc5ca3ce771ac68d493d1f831722fe1aac8636f2c22ebecaa4560693aad98a87bd4e45c9fa529a1549546 CVE-2017-5552.patch
+5f104e05e904a1392ca31203f02b7b546aeb91f1a438631c8a5f0fb5c6c051b19d8d0219b2c71aadd5d5404222d5dbc8e80127d2afaea6ed2bf918007d613a8a CVE-2017-5578.patch
+74415ea5e6f6bfa787a2515da86c3ead87b0a9694d6adbdd390cbb3be43e1c88b4be4a8891f46bc6af520d3d5582c9ebe70572e2bb78d13c29d5ca12695d33ed CVE-2017-5579.patch
+2b051f9d9265f9039e2cfed0bbdc93360f1660ea5b4129ec01f6faa3c1b6b135f5c949ddc26fe05a91a95a3ac558e8844ec292558c1dd66552868cbbc6aa8744 CVE-2017-5856.patch
+d6d000b57f1fb194f9554165621109b364ebdb61416bc07e2283f2d493c33e770d1b63002d62565aae1ac19ed0ad9e572c207341aa1ad023581f349f62158d30 CVE-2017-5857.patch
+80f89d75970345fbf6771cb16ed0d48c91c52b6b63ac967b3dbef56c16b654df432fa7ada0549c1b812d3d641f831fe20cb8b0eb52c46b8e73ade2801a563a8d CVE-2017-5898.patch"
diff --git a/main/qemu/CVE-2016-9102.patch b/main/qemu/CVE-2016-9102.patch
new file mode 100755
index 0000000..b6cfa02
--- /dev/null
+++ b/main/qemu/CVE-2016-9102.patch
@@ -0,0 +1,34 @@
+From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index bf23b01..66135cf 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
+ xattr_fidp->fs.xattr.flags = flags;
+ v9fs_string_init(&xattr_fidp->fs.xattr.name);
+ v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++ g_free(xattr_fidp->fs.xattr.value);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = offset;
+ put_fid(pdu, file_fidp);
+--
+1.8.3.1
+
diff --git a/main/qemu/CVE-2017-5525.patch b/main/qemu/CVE-2017-5525.patch
new file mode 100755
index 0000000..00be741
--- /dev/null
+++ b/main/qemu/CVE-2017-5525.patch
@@ -0,0 +1,52 @@
+From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:30:21 -0800
+Subject: [PATCH] audio: ac97: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Currently the ac97 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/ac97.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
+index cbd959e..c306575 100644
+--- a/hw/audio/ac97.c
++++ b/hw/audio/ac97.c
+@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
+ ac97_on_reset (&s->dev.qdev);
+ }
+
++static void ac97_exit(PCIDevice *dev)
++{
++ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
++
++ AUD_close_in(&s->card, s->voice_pi);
++ AUD_close_out(&s->card, s->voice_po);
++ AUD_close_in(&s->card, s->voice_mc);
++ AUD_remove_card(&s->card);
++}
++
+ static int ac97_init (PCIBus *bus)
+ {
+ pci_create_simple (bus, -1, "AC97");
+@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
+ PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+
+ k->realize = ac97_realize;
++ k->exit = ac97_exit;
+ k->vendor_id = PCI_VENDOR_ID_INTEL;
+ k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
+ k->revision = 0x01;
+--
+1.8.3.1
+
diff --git a/main/qemu/CVE-2017-5552.patch b/main/qemu/CVE-2017-5552.patch
new file mode 100755
index 0000000..b6b12ec
--- /dev/null
+++ b/main/qemu/CVE-2017-5552.patch
@@ -0,0 +1,41 @@
+From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Thu, 29 Dec 2016 03:11:26 -0500
+Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+If the virgl_renderer_resource_attach_iov function fails the
+'res_iovs' will be leaked. Add check of the return value to
+free the 'res_iovs' when failing.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu-3d.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index e29f099..b13ced3 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
+ return;
+ }
+
+- virgl_renderer_resource_attach_iov(att_rb.resource_id,
+- res_iovs, att_rb.nr_entries);
++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
++ res_iovs, att_rb.nr_entries);
++
++ if (ret != 0)
++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
+ }
+
+ static void virgl_resource_detach_backing(VirtIOGPU *g,
+--
+1.8.3.1
+
diff --git a/main/qemu/CVE-2017-5578.patch b/main/qemu/CVE-2017-5578.patch
new file mode 100755
index 0000000..22e778e
--- /dev/null
+++ b/main/qemu/CVE-2017-5578.patch
@@ -0,0 +1,35 @@
+From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liq3ea@gmail.com>
+Date: Thu, 29 Dec 2016 04:28:41 -0500
+Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
+
+In the resource attach backing function, everytime it will
+allocate 'res->iov' thus can leading a memory leak. This
+patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/virtio-gpu.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 6a26258..ca88cf4 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
+ return;
+ }
+
++ if (res->iov) {
++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
++ return;
++ }
++
+ ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
+ if (ret != 0) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+--
+1.8.3.1
+
diff --git a/main/qemu/CVE-2017-5579.patch b/main/qemu/CVE-2017-5579.patch
new file mode 100755
index 0000000..120e88d
--- /dev/null
+++ b/main/qemu/CVE-2017-5579.patch
@@ -0,0 +1,40 @@
+From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 4 Jan 2017 00:43:16 -0800
+Subject: [PATCH] serial: fix memory leak in serial exit
+
+The serial_exit_core function doesn't free some resources.
+This can lead memory leak when hotplug and unplug. This
+patch avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/char/serial.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index ffbacd8..67b18ed 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
+ void serial_exit_core(SerialState *s)
+ {
+ qemu_chr_fe_deinit(&s->chr);
++
++ timer_del(s->modem_status_poll);
++ timer_free(s->modem_status_poll);
++
++ timer_del(s->fifo_timeout_timer);
++ timer_free(s->fifo_timeout_timer);
++
++ fifo8_destroy(&s->recv_fifo);
++ fifo8_destroy(&s->xmit_fifo);
++
+ qemu_unregister_reset(serial_reset, s);
+ }
+
+--
+1.8.3.1
+
diff --git a/main/qemu/CVE-2017-5856.patch b/main/qemu/CVE-2017-5856.patch
new file mode 100755
index 0000000..967ce7e
--- /dev/null
+++ b/main/qemu/CVE-2017-5856.patch
@@ -0,0 +1,64 @@
+From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 2 Jan 2017 11:03:33 +0100
+Subject: [PATCH] megasas: fix guest-triggered memory leak
+
+If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
+will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
+Avoid this by returning only the status from map_dcmd, and loading
+cmd->iov_size in the caller.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+ hw/scsi/megasas.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 67fc1e7..6233865 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
+ trace_megasas_dcmd_invalid_sge(cmd->index,
+ cmd->frame->header.sge_count);
+ cmd->iov_size = 0;
+- return -1;
++ return -EINVAL;
+ }
+ iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
+ iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
+ pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
+ qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
+ cmd->iov_size = iov_size;
+- return cmd->iov_size;
++ return 0;
+ }
+
+ static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
+@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
+
+ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
+ {
+- int opcode, len;
++ int opcode;
+ int retval = 0;
++ size_t len;
+ const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
+
+ opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
+ trace_megasas_handle_dcmd(cmd->index, opcode);
+- len = megasas_map_dcmd(s, cmd);
+- if (len < 0) {
++ if (megasas_map_dcmd(s, cmd) < 0) {
+ return MFI_STAT_MEMORY_NOT_AVAILABLE;
+ }
+ while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
+ cmdptr++;
+ }
++ len = cmd->iov_size;
+ if (cmdptr->opcode == -1) {
+ trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
+ retval = megasas_dcmd_dummy(s, cmd);
+--
+1.8.3.1
+
diff --git a/main/qemu/CVE-2017-5857.patch b/main/qemu/CVE-2017-5857.patch
new file mode 100755
index 0000000..664a669
--- /dev/null
+++ b/main/qemu/CVE-2017-5857.patch
@@ -0,0 +1,38 @@
+When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
+backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
+we'll leak memory.
+
+This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
+"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
+
+Reported-by: 李强 <address@hidden>
+Signed-off-by: Gerd Hoffmann <address@hidden>
+---
+ hw/display/virtio-gpu-3d.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index f96a0c2..ecb09d1 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
+ struct virtio_gpu_ctrl_command *cmd)
+ {
+ struct virtio_gpu_resource_unref unref;
++ struct iovec *res_iovs = NULL;
++ int num_iovs = 0;
+
+ VIRTIO_GPU_FILL_CMD(unref);
+ trace_virtio_gpu_cmd_res_unref(unref.resource_id);
+
++ virgl_renderer_resource_detach_iov(unref.resource_id,
++ &res_iovs,
++ &num_iovs);
++ if (res_iovs != NULL && num_iovs != 0) {
++ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
++ }
+ virgl_renderer_resource_unref(unref.resource_id);
+ }
+
+--
+1.8.3.1
diff --git a/main/qemu/CVE-2017-5898.patch b/main/qemu/CVE-2017-5898.patch
new file mode 100755
index 0000000..67bd4d6
--- /dev/null
+++ b/main/qemu/CVE-2017-5898.patch
@@ -0,0 +1,35 @@
+From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 3 Feb 2017 00:52:28 +0530
+Subject: [PATCH] usb: ccid: check ccid apdu length
+
+CCID device emulator uses Application Protocol Data Units(APDU)
+to exchange command and responses to and from the host.
+The length in these units couldn't be greater than 65536. Add
+check to ensure the same. It'd also avoid potential integer
+overflow in emulated_apdu_from_guest.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20170202192228.10847-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/dev-smartcard-reader.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
+index 89e11b6..1325ea1 100644
+--- a/hw/usb/dev-smartcard-reader.c
++++ b/hw/usb/dev-smartcard-reader.c
+@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
+ DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
+ recv->hdr.bSeq, len);
+ ccid_add_pending_answer(s, (CCID_Header *)recv);
+- if (s->card) {
++ if (s->card && len <= BULK_OUT_DATA_SIZE) {
+ ccid_card_apdu_from_guest(s->card, recv->abData, len);
+ } else {
+ DPRINTF(s, D_WARN, "warning: discarded apdu\n");
+--
+1.8.3.1
+