diff options
Diffstat (limited to 'main/qemu')
-rw-r--r-- | main/qemu/APKBUILD | 22 | ||||
-rw-r--r-- | main/qemu/xsa155-qemu-qdisk-double-access.patch | 43 | ||||
-rw-r--r-- | main/qemu/xsa155-qemu-xenfb.patch | 41 |
3 files changed, 101 insertions, 5 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD index 63e3585490..761e868a5b 100644 --- a/main/qemu/APKBUILD +++ b/main/qemu/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=qemu pkgver=2.5.0 -pkgrel=0 +pkgrel=1 pkgdesc="QEMU is a generic machine emulator and virtualizer" url="http://qemu.org/" arch="all" @@ -120,7 +120,11 @@ source="http://wiki.qemu-project.org/download/$pkgname-$pkgver.tar.bz2 fix-sigevent-and-sigval_t.patch $pkgname-guest-agent.confd $pkgname-guest-agent.initd - 80-kvm.rules" + 80-kvm.rules + + xsa155-qemu-qdisk-double-access.patch + xsa155-qemu-xenfb.patch + " _builddir="$srcdir"/$pkgname-$pkgver @@ -213,6 +217,8 @@ package() { install -Dm644 "$srcdir"/80-kvm.rules \ "$pkgdir"/lib/udev/rules.d/80-kvm.rules || return 1 paxmark -m "$pkgdir"/usr/bin/qemu-system-* || return 1 + gzip "$pkgdir"/usr/share/man/man1/* + gzip "$pkgdir"/usr/share/man/man8/* [ -z "$_arch" ] && return 0 @@ -324,7 +330,9 @@ bc5f2e41ed3b6d6d30b672adab82e3e1 musl-F_SHLCK-and-F_EXLCK.patch 9afbd6c9586229ce64275f012d665e2a fix-sigevent-and-sigval_t.patch 1663bc6977f6886a58394155b1bf3676 qemu-guest-agent.confd ea972f2fc5505488f68320bf386106bb qemu-guest-agent.initd -66660f143235201249dc0648b39b86ee 80-kvm.rules" +66660f143235201249dc0648b39b86ee 80-kvm.rules +6240b501f6f8a2b98e993ea471aa3e96 xsa155-qemu-qdisk-double-access.patch +fad7b109e196f888be9d8a8aaf38452f xsa155-qemu-xenfb.patch" sha256sums="3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 qemu-2.5.0.tar.bz2 af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987 0001-elfload-load-PIE-executables-to-right-address.patch 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch @@ -332,7 +340,9 @@ eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40 musl-F_SHLCK-a 9abdf3410dea742cac3552363950c8a7fbcec8dd2bfd68e3c417a284f4e702f5 fix-sigevent-and-sigval_t.patch d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298 qemu-guest-agent.confd 5bef90ccab2e743868fd562eee9a3ded35c8d3e01fa387367ed55a0da95570d5 qemu-guest-agent.initd -37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules" +37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules +044ff74fa048df820d528f64f2791ec9cb3940bd313c1179020bd49a6cde2ca3 xsa155-qemu-qdisk-double-access.patch +e53b4ac298648cde79344192d5a58ca8d8724344f5105bec7c09eef095c668f6 xsa155-qemu-xenfb.patch" sha512sums="12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 qemu-2.5.0.tar.bz2 405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd 0001-elfload-load-PIE-executables-to-right-address.patch ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch @@ -340,4 +350,6 @@ ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606 e3f006c28318669356cd5b778f26774f06b0a40a4ac852573379df63efcc8276869958faec16797a38bf96c6061dfc040309e462d8559984f67eaf4af701ca1a fix-sigevent-and-sigval_t.patch d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd 316b40d97587fea717821852859d81039cfdcb276a658bb6e6fb554e321d5856a833ebb3778149c4732cea625bac320b1008d374c88a9aae35c0fb67977c01b7 qemu-guest-agent.initd -9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules" +9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules +7434d7c770c4fb0e3d5fd73798bb60dd07bfc985453696f7167a043cd353ada1bb5471766821401fc20be5978ccb449bbcef40649ffb19041e907e2f49481b2b xsa155-qemu-qdisk-double-access.patch +206bd4bbdb2c55afd2272221892da4ea9fb44cdd005a47a1904d061222bcf51f12c8946b9fb11a28d5e589d41a5f739d4ca07c05c1784a70a5465edf44777775 xsa155-qemu-xenfb.patch" diff --git a/main/qemu/xsa155-qemu-qdisk-double-access.patch b/main/qemu/xsa155-qemu-qdisk-double-access.patch new file mode 100644 index 0000000000..0549216dcf --- /dev/null +++ b/main/qemu/xsa155-qemu-qdisk-double-access.patch @@ -0,0 +1,43 @@ +xen/blkif: Avoid double access to src->nr_segments + +src is stored in shared memory and src->nr_segments is dereferenced +twice at the end of the function. If a compiler decides to compile this +into two separate memory accesses then the size limitation could be +bypassed. + +Fix it by removing the double access to src->nr_segments. + +This is part of XSA-155. + +Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> + +diff --git a/hw/block/xen_blkif.h b/hw/block/xen_blkif.h +index 711b692..9e71e00 100644 +--- a/hw/block/xen_blkif.h ++++ b/hw/block/xen_blkif.h +@@ -85,8 +85,10 @@ static inline void blkif_get_x86_32_req(blkif_request_t *dst, blkif_x86_32_reque + d->nr_sectors = s->nr_sectors; + return; + } +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ barrier(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } +@@ -106,8 +108,10 @@ static inline void blkif_get_x86_64_req(blkif_request_t *dst, blkif_x86_64_reque + d->nr_sectors = s->nr_sectors; + return; + } +- if (n > src->nr_segments) +- n = src->nr_segments; ++ /* prevent the compiler from optimizing the code and using src->nr_segments instead */ ++ barrier(); ++ if (n > dst->nr_segments) ++ n = dst->nr_segments; + for (i = 0; i < n; i++) + dst->seg[i] = src->seg[i]; + } diff --git a/main/qemu/xsa155-qemu-xenfb.patch b/main/qemu/xsa155-qemu-xenfb.patch new file mode 100644 index 0000000000..dfc871375b --- /dev/null +++ b/main/qemu/xsa155-qemu-xenfb.patch @@ -0,0 +1,41 @@ +xenfb: avoid reading twice the same fields from the shared page + +Reading twice the same field could give the guest an attack of +opportunity. In the case of event->type, gcc could compile the switch +statement into a jump table, effectively ending up reading the type +field multiple times. + +This is part of XSA-155. + +Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com> + + +diff --git a/hw/display/xenfb.c b/hw/display/xenfb.c +index 5e324ef..4e2a27a 100644 +--- a/hw/display/xenfb.c ++++ b/hw/display/xenfb.c +@@ -784,18 +784,20 @@ static void xenfb_invalidate(void *opaque) + + static void xenfb_handle_events(struct XenFB *xenfb) + { +- uint32_t prod, cons; ++ uint32_t prod, cons, out_cons; + struct xenfb_page *page = xenfb->c.page; + + prod = page->out_prod; +- if (prod == page->out_cons) ++ out_cons = page->out_cons; ++ if (prod == out_cons) + return; + xen_rmb(); /* ensure we see ring contents up to prod */ +- for (cons = page->out_cons; cons != prod; cons++) { ++ for (cons = out_cons; cons != prod; cons++) { + union xenfb_out_event *event = &XENFB_OUT_RING_REF(page, cons); ++ uint8_t type = event->type; + int x, y, w, h; + +- switch (event->type) { ++ switch (type) { + case XENFB_TYPE_UPDATE: + if (xenfb->up_count == UP_QUEUE) + xenfb->up_fullscreen = 1; |