commit:     b054426687f5eccea1873b53afed11100ca1eb8d
Author:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 27 03:18:22 2017 +0000
Commit:     Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Mon Mar 27 03:40:37 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0544266

app-emulation/qemu: security patches, bug #612220

  CVE-2017-6505, bug #612220

Package-Manager: Portage-2.3.3, Repoman-2.3.2

 .../qemu/files/qemu-2.8.0-CVE-2017-6505.patch      | 52 ++++++++++++++++++++++
 .../{qemu-2.8.0-r7.ebuild => qemu-2.8.0-r8.ebuild} |  1 +
 2 files changed, 53 insertions(+)

diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch 
b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
new file mode 100644
index 00000000000..a15aa96bd56
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
@@ -0,0 +1,52 @@
+From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
+From: Li Qiang <[email protected]>
+Date: Tue, 7 Feb 2017 02:23:33 -0800
+Subject: [PATCH] usb: ohci: limit the number of link eds
+
+The guest may builds an infinite loop with link eds. This patch
+limit the number of linked ed to avoid this.
+
+Signed-off-by: Li Qiang <[email protected]>
+Message-id: [email protected]
+Signed-off-by: Gerd Hoffmann <[email protected]>
+---
+ hw/usb/hcd-ohci.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
+index 2cba3e3..21c93e0 100644
+--- a/hw/usb/hcd-ohci.c
++++ b/hw/usb/hcd-ohci.c
+@@ -42,6 +42,8 @@
+ 
+ #define OHCI_MAX_PORTS 15
+ 
++#define ED_LINK_LIMIT 4
++
+ static int64_t usb_frame_time;
+ static int64_t usb_bit_time;
+ 
+@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, 
uint32_t head, int completion)
+     uint32_t next_ed;
+     uint32_t cur;
+     int active;
+-
++    uint32_t link_cnt = 0;
+     active = 0;
+ 
+     if (head == 0)
+@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, 
uint32_t head, int completion)
+ 
+         next_ed = ed.next & OHCI_DPTR_MASK;
+ 
++        if (++link_cnt > ED_LINK_LIMIT) {
++            ohci_die(ohci);
++            return 0;
++        }
++
+         if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
+             uint32_t addr;
+             /* Cancel pending packets for ED that have been paused.  */
+-- 
+2.10.2
+
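Review bot: ED_LINK_LIMIT is set to 4 near the top of hcd-ohci.c, and the check added in ohci_service_ed_list calls ohci_die() on the fifth ED of a single list, so a well-behaved guest with more than four endpoints on its control or bulk list (the lists are one ED per endpoint) would plausibly trip it and lose the controller rather than just the malicious-loop case the commit message describes. The bound only has to be finite to defeat the infinite loop, not tight, so a larger constant with a comment explaining its purpose is the safer choice; if I remember correctly upstream later raised this value to 32, which I would mirror: `/* Max EDs walked per list per frame; longer chains are treated as a malicious loop (CVE-2017-6505) */` above `#define ED_LINK_LIMIT 32`. Since ohci_die() appears to be a fatal path for the controller, a false positive here is a guest-visible failure, not a recoverable error, which is worth stating next to the check. ohci_service_ed_list starts and ends outside the hunk.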

diff --git a/app-emulation/qemu/qemu-2.8.0-r7.ebuild 
b/app-emulation/qemu/qemu-2.8.0-r8.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.8.0-r7.ebuild
rename to app-emulation/qemu/qemu-2.8.0-r8.ebuild
index 2088438d8e5..8df1a91630a 100644
--- a/app-emulation/qemu/qemu-2.8.0-r7.ebuild
+++ b/app-emulation/qemu/qemu-2.8.0-r8.ebuild
@@ -206,6 +206,7 @@ PATCHES=(
        "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch   #609398
        "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch   #609638
        "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch   #609206
+       "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch   #612220
 )
 
 STRIP_MASK="/usr/share/qemu/palcode-clipper"
