main/qemu: security fixes #6921

CVE-2016-7994: Qemu virtio-gpu: memory leak in virtio_gpu_resource_create_2d
CVE-2016-7995: Qemu: usb: hcd-ehci: memory leak in ehci_process_itd
CVE-2016-8576: Qemu: usb: xHCI: infinite loop vulnerability in xhci_ring_fetch
CVE-2016-8577: Qemu: 9pfs: host memory leakage in v9fs_read
CVE-2016-8578: Qemu: 9pfs: potential NULL dereferencein 9pfs routines
CVE-2016-8668: Qemu: net: OOB buffer access in rocker switch emulation
CVE-2016-8909: Qemu: audio: intel-hda: infinite loop in processing dma buffer stream
CVE-2016-8910: Qemu: net: rtl8139: infinite loop while transmit in C+ mode
CVE-2016-9101: Qemu: net: eepro100 memory leakage at device unplug
CVE-2016-9102: Qemu: 9pfs: memory leakage when creating extended attribute
CVE-2016-9103: Qemu: 9pfs: information leakage via xattribute
CVE-2016-9104: Qemu: 9pfs: integer overflow leading to OOB access
CVE-2016-9105: Qemu: memory leakage in v9fs_link
CVE-2016-9106: Qemu: 9pfs: memory leakage in v9fs_write
CVE-2017-5525: Qemu: audio: memory leakage in ac97 device
CVE-2017-5552: Qemu: display: virtio-gpu-3d: memory leakage in virgl_resource_attach_backing
CVE-2017-5578: Qemu: display: virtio-gpu: host memory leakage in virtio_gpu_resource_attach_backing
CVE-2017-5579: Qemu: serial: host memory leakage in 16550A UART emulation
CVE-2017-5667: Qemu: sd: sdhci OOB access during multi block SDMA transfer
CVE-2017-5856: Qemu: scsi: megasas: host memory leakage in megasas_handle_dcmd
CVE-2017-5857: display: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref
CVE-2017-5898: Qemu: usb: integer overflow in emulated_apdu_from_guest
CVE-2017-5931: virtio: integer overflow in handling virtio-crypto requests
CVE-2017-2615: Qemu: display: cirrus: oob access while doing bitblt copy backward mode
CVE-2017-2620: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo
CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list

1 files changed, 34 insertions, 0 deletions

diff --git a/main/qemu/CVE-2016-9102.patch b/main/qemu/CVE-2016-9102.patch
new file mode 100755
index 0000000000..b6cfa02efe
--- /dev/null
+++ b/main/qemu/CVE-2016-9102.patch
@@ -0,0 +1,34 @@
+From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
+
+The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
+situation that this field has been allocated previously. Every time, it
+will be allocated directly. This leads to a host memory leak issue if
+the client sends another Txattrcreate message with the same fid number
+before the fid from the previous time got clunked.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Greg Kurz <groug@kaod.org>
+[groug, updated the changelog to indicate how the leak can occur]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+ hw/9pfs/9p.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index bf23b01..66135cf 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
+     xattr_fidp->fs.xattr.flags = flags;
+     v9fs_string_init(&xattr_fidp->fs.xattr.name);
+     v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
++    g_free(xattr_fidp->fs.xattr.value);
+     xattr_fidp->fs.xattr.value = g_malloc0(size);
+     err = offset;
+     put_fid(pdu, file_fidp);
+-- 
+1.8.3.1
+