main/qemu: security fixes #6921

CVE-2016-7994: Qemu virtio-gpu: memory leak in virtio_gpu_resource_create_2d
CVE-2016-7995: Qemu: usb: hcd-ehci: memory leak in ehci_process_itd
CVE-2016-8576: Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch
CVE-2016-8577: Qemu: 9pfs: host memory leakage in v9fs_read
CVE-2016-8578: Qemu: 9pfs: potential NULL dereferencein 9pfs routines
CVE-2016-8668: Qemu: net: OOB buffer access in rocker switch emulation
CVE-2016-8909: Qemu: audio: intel-hda: infinite loop in processing dma buffer stream
CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode
CVE-2016-9101: Qemu: net: eepro100 memory leakage at device unplug
CVE-2016-9102: Qemu: 9pfs: memory leakage when creating extended attribute
CVE-2016-9103: Qemu: 9pfs: information leakage via xattribute
CVE-2016-9104: Qemu: 9pfs: integer overflow leading to OOB access
CVE-2016-9105: Qemu: memory leakage in v9fs_link
CVE-2016-9106: Qemu: 9pfs: memory leakage in v9fs_write
CVE-2017-5525: Qemu: audio: memory leakage in ac97 device
CVE-2017-5552: Qemu: display: virtio-gpu-3d: memory leakage in virgl_resource_attach_backing
CVE-2017-5578: Qemu: display: virtio-gpu: host memory leakage in virtio_gpu_resource_attach_backing
CVE-2017-5579: Qemu: serial: host memory leakage in 16550A UART emulation
CVE-2017-5667: Qemu: sd: sdhci OOB access during multi block SDMA transfer
CVE-2017-5856: Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd
CVE-2017-5857: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref
CVE-2017-5898: Qemu: usb: integer overflow in emulated_apdu_from_guest
CVE-2017-5931: virtio: integer overflow in handling virtio-crypto requests
CVE-2017-2615: Qemu: display: cirrus: oob access while doing bitblt copy backward mode
CVE-2017-2620: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo
CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list

1 files changed, 52 insertions, 0 deletions

diff --git a/main/qemu/CVE-2017-5525.patch b/main/qemu/CVE-2017-5525.patch
new file mode 100755
index 0000000000..00be7417a9
--- /dev/null
+++ b/main/qemu/CVE-2017-5525.patch
@@ -0,0 +1,52 @@
+From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Wed, 14 Dec 2016 18:30:21 -0800
+Subject: [PATCH] audio: ac97: add exit function
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Currently the ac97 device emulation doesn't have a exit function,
+hot unplug this device will leak some memory. Add a exit function to
+avoid this.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/audio/ac97.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
+index cbd959e..c306575 100644
+--- a/hw/audio/ac97.c
++++ b/hw/audio/ac97.c
+@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
+     ac97_on_reset (&s->dev.qdev);
+ }
+ 
++static void ac97_exit(PCIDevice *dev)
++{
++    AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
++
++    AUD_close_in(&s->card, s->voice_pi);
++    AUD_close_out(&s->card, s->voice_po);
++    AUD_close_in(&s->card, s->voice_mc);
++    AUD_remove_card(&s->card);
++}
++
+ static int ac97_init (PCIBus *bus)
+ {
+     pci_create_simple (bus, -1, "AC97");
+@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
+     PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
+ 
+     k->realize = ac97_realize;
++    k->exit = ac97_exit;
+     k->vendor_id = PCI_VENDOR_ID_INTEL;
+     k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
+     k->revision = 0x01;
+-- 
+1.8.3.1
+