authorNatanael Copa <ncopa@alpinelinux.org>2015-01-29 12:28:52 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2015-01-29 12:47:54 +0000
commite104153e187201293f6ad37eed30529a7002f66b (patch)
treeffd3fd8ad318729db10f84bd707e5a0b02a4304d
parenta1e7bc74cdeac8520b201eb810464e43ed7fcd91 (diff)
downloadaports-e104153e187201293f6ad37eed30529a7002f66b.tar.bz2
aports-e104153e187201293f6ad37eed30529a7002f66b.tar.xz
main/qemu: security fix for CVE-2014-8106
fixes #3778 (cherry picked from commit 637ed149e5b0f0c9b01d9dfcd233c981233ee4dd)
-rw-r--r--main/qemu/APKBUILD8
-rw-r--r--main/qemu/CVE-2014-8106.patch105
2 files changed, 111 insertions, 2 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD
index a1cc9cdf4..fb145745b 100644
--- a/main/qemu/APKBUILD
+++ b/main/qemu/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=qemu
pkgver=2.1.2
-pkgrel=1
+pkgrel=2
pkgdesc="QEMU is a generic machine emulator and virtualizer"
url="http://qemu.org/"
arch="all"
@@ -9,7 +9,7 @@ license="GPL-2 LGPL-2"
makedepends="zlib-dev alsa-lib-dev gnutls-dev ncurses-dev glib-dev
libjpeg-turbo-dev libpng-dev vde2-dev spice-dev paxctl curl-dev
libcap-dev libcap-ng-dev libaio-dev usbredir-dev util-linux-dev
- libusb-dev flex bison"
+ libusb-dev flex bison linux-headers"
depends=
install="qemu.pre-install"
subpackages="
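Review bot: The `linux-headers` entry added to `makedepends` in this hunk is not explained by the commit message, which describes only the CVE-2014-8106 fix. If the build needs it, a one-line comment above `makedepends=` would record why, for example `# linux-headers: <reason, to be filled in by the maintainer>`. If it is unrelated to the fix, it would be cleaner as its own commit so that the security backport stays minimal and easy to audit.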
@@ -77,6 +77,7 @@ source="http://wiki.qemu-project.org/download/qemu-$pkgver.tar.bz2
0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
musl-F_SHLCK-and-F_EXLCK.patch
+ CVE-2014-8106.patch
qemu-guest-agent.confd
qemu-guest-agent.initd
@@ -255,6 +256,7 @@ md5sums="0ff197c4ed4b695620bc4734e77c888f qemu-2.1.2.tar.bz2
672727bb1d8c8ab7b5def65dd1793c33 0001-elfload-load-PIE-executables-to-right-address.patch
d364208c4847ad2baeb237900befecd1 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
bc5f2e41ed3b6d6d30b672adab82e3e1 musl-F_SHLCK-and-F_EXLCK.patch
+39bd2ae6aa6a45519fc5f76138ec8a8b CVE-2014-8106.patch
1663bc6977f6886a58394155b1bf3676 qemu-guest-agent.confd
2035cd781ea810e94bda250c609d8d90 qemu-guest-agent.initd
66660f143235201249dc0648b39b86ee 80-kvm.rules"
@@ -262,6 +264,7 @@ sha256sums="fd10f5e45cf5a736fa5a3e1c279ae9821534e700beb7d1aab88a07648a394885 qe
af35304b165622a53f7557b59ffd8da5030f5fd444e669c862f9410131f3b987 0001-elfload-load-PIE-executables-to-right-address.patch
6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
eefd597197223899d3b12d8274af493153e270fd06ea8622e33d6eaeae063d40 musl-F_SHLCK-and-F_EXLCK.patch
+de64781b2ef71e53c94f3f411bc26ad39e2b6cb581217dbb2739c251e253996f CVE-2014-8106.patch
d84e53a94584f37f3bd1b21f44077b5de0d07094c6729f26ae20ab1f7b9cc298 qemu-guest-agent.confd
982fa8ba67c728405305e4cf5a36a41a780b3d1f388ebd6377e7964c271a1c92 qemu-guest-agent.initd
37f666f1cdb7d8a62171de69b531681dcb0fba74236729dac8b6c019232eba84 80-kvm.rules"
@@ -269,6 +272,7 @@ sha512sums="73ef758c82b23eec649c807bee8937d7fbf267278f7777adbdb22b738672543b826d
405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd 0001-elfload-load-PIE-executables-to-right-address.patch
ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
5de10f7e8abae16d1d7521e5ca1bfb62a8f295b324bea84f122f882b7b9354c21e5a00b20a1c5484c1b737b937e53c4ca6979e55705522f0779a5669725369f5 musl-F_SHLCK-and-F_EXLCK.patch
+afa6643a1a474a609f2c7446c3cf13cd89ecc3a6a0192ba967503a569512ad043f6e6fbaef1e5cc6b235b439612de55986a9d83b0a6fb689dfa726369cfbda64 CVE-2014-8106.patch
d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd
761b4e2397569dae45ae3bb9e46e28746275297f629af9e9065525497fd26a48b65d8abcf4282727afd35309e338967acf6a1b14c3169577bdc16c1f42e618b3 qemu-guest-agent.initd
9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules"
diff --git a/main/qemu/CVE-2014-8106.patch b/main/qemu/CVE-2014-8106.patch
new file mode 100644
index 000000000..1bf83fd38
--- /dev/null
+++ b/main/qemu/CVE-2014-8106.patch
@@ -0,0 +1,105 @@
+http://bugs.alpinelinux.org/issues/3774
+
+--- ./hw/display/cirrus_vga.c.orig
++++ ./hw/display/cirrus_vga.c
+@@ -172,20 +172,6 @@
+
+ #define CIRRUS_PNPMMIO_SIZE 0x1000
+
+-#define BLTUNSAFE(s) \
+- ( \
+- ( /* check dst is within bounds */ \
+- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_dstpitch) \
+- + ((s)->cirrus_blt_dstaddr & (s)->cirrus_addr_mask) > \
+- (s)->vga.vram_size \
+- ) || \
+- ( /* check src is within bounds */ \
+- (s)->cirrus_blt_height * ABS((s)->cirrus_blt_srcpitch) \
+- + ((s)->cirrus_blt_srcaddr & (s)->cirrus_addr_mask) > \
+- (s)->vga.vram_size \
+- ) \
+- )
+-
+ struct CirrusVGAState;
+ typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
+ uint8_t * dst, const uint8_t * src,
+@@ -278,6 +264,50 @@
+ *
+ ***************************************/
+
++static bool blit_region_is_unsafe(struct CirrusVGAState *s,
++ int32_t pitch, int32_t addr)
++{
++ if (pitch < 0) {
++ int64_t min = addr
++ + ((int64_t)s->cirrus_blt_height-1) * pitch;
++ int32_t max = addr
++ + s->cirrus_blt_width;
++ if (min < 0 || max >= s->vga.vram_size) {
++ return true;
++ }
++ } else {
++ int64_t max = addr
++ + ((int64_t)s->cirrus_blt_height-1) * pitch
++ + s->cirrus_blt_width;
++ if (max >= s->vga.vram_size) {
++ return true;
++ }
++ }
++ return false;
++}
++
++static bool blit_is_unsafe(struct CirrusVGAState *s)
++{
++ /* should be the case, see cirrus_bitblt_start */
++ assert(s->cirrus_blt_width > 0);
++ assert(s->cirrus_blt_height > 0);
++
++ if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
++ return true;
++ }
++
++ if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
++ s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
++ return true;
++ }
++ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
++ s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
++ return true;
++ }
++
++ return false;
++}
++
+ static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
+ uint8_t *dst,const uint8_t *src,
+ int dstpitch,int srcpitch,
+@@ -635,7 +665,7 @@
+
+ dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
+
+- if (BLTUNSAFE(s))
++ if (blit_is_unsafe(s))
+ return 0;
+
+ (*s->cirrus_rop) (s, dst, src,
+@@ -653,8 +683,9 @@
+ {
+ cirrus_fill_t rop_func;
+
+- if (BLTUNSAFE(s))
++ if (blit_is_unsafe(s)) {
+ return 0;
++ }
+ rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
+ rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
+ s->cirrus_blt_dstpitch,
+@@ -751,7 +782,7 @@
+
+ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
+ {
+- if (BLTUNSAFE(s))
++ if (blit_is_unsafe(s))
+ return 0;
+
+ cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
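Review bot: In `blit_region_is_unsafe`, the `pitch < 0` branch derives `min` from the start of the last row only and never subtracts `s->cirrus_blt_width`, while its upper bound adds the width to `addr`. If the backward raster ops walk each row downward from `addr` (their code is outside this hunk, so this is an inference), the lowest byte touched lies up to one row width below `min`, and the `min < 0` test would accept a region that begins before the start of VRAM. In that case the lower bound should read `int64_t min = addr + ((int64_t)s->cirrus_blt_height-1) * pitch - s->cirrus_blt_width;`, and `max` could then be just `addr`. Separately, the two `assert` calls in `blit_is_unsafe` guard values that appear to come from device state; returning `true` there instead would keep the check active in NDEBUG builds and avoid aborting the emulator process if the invariant is ever broken.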