commit: eaeffb27d67769a089170dcc45ea3e8a4efb645b
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Sat Sep 10 02:23:22 2016 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Sat Sep 10 02:23:22 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eaeffb27
app-emulation/qemu: apply fix for CVE-2016-7170, bug #593284
Package-Manager: portage-2.2.28
.../qemu/files/qemu-2.7.0-CVE-2016-7170.patch | 40 ++++++++++++++++++++++
.../{qemu-2.7.0-r1.ebuild => qemu-2.7.0-r2.ebuild} | 1 +
2 files changed, 41 insertions(+)
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch
new file mode 100644
index 00000000..7eb5f76
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch
@@ -0,0 +1,40 @@
+From: Prasad J Pandit <address@hidden>
+
+When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
+the computed BITMAP and PIXMAP size are checked against the
+'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
+Correct these checks to avoid OOB memory access.
+
+Reported-by: Qinghao Tang <address@hidden>
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/display/vmware_vga.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e51a05e..6599cf0 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ cursor.bpp = vmsvga_fifo_read(s);
+
+ args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y,
cursor.bpp);
+- if (cursor.width > 256 ||
+- cursor.height > 256 ||
+- cursor.bpp > 32 ||
+- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
++ if (cursor.width > 256
++ || cursor.height > 256
++ || cursor.bpp > 32
++ || SVGA_BITMAP_SIZE(x, y)
++ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
++ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
+ goto badcmd;
+ }
+
+--
+2.5.5
+
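Review bot: The patch file header names neither the upstream QEMU commit this hunk was taken from nor the Gentoo bug it addresses, and the author/reporter addresses are scrubbed to `address@hidden`, so a later maintainer cannot readily confirm the backport matches what was merged upstream or retire it at the right version bump. Adding `Upstream: <upstream qemu commit id>` and `Bug: https://bugs.gentoo.org/593284` above the `From:` line would make the backport traceable (the bug number is already given in the commit message). On the code itself, the element-count expression `sizeof(cursor.mask) / sizeof(cursor.mask[0])` is spelled out twice; QEMU's `ARRAY_SIZE()` macro would state the intent more directly if it is in scope for vmware_vga.c, which this hunk does not show. The `args` total computed two lines earlier is not bounded by the corrected check, and vmsvga_fifo_run continues outside the hunk, so whether it is validated before use cannot be judged from here.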
diff --git a/app-emulation/qemu/qemu-2.7.0-r1.ebuild
b/app-emulation/qemu/qemu-2.7.0-r2.ebuild
similarity index 99%
rename from app-emulation/qemu/qemu-2.7.0-r1.ebuild
rename to app-emulation/qemu/qemu-2.7.0-r2.ebuild
index c75b7b6..42a669e 100644
--- a/app-emulation/qemu/qemu-2.7.0-r1.ebuild
+++ b/app-emulation/qemu/qemu-2.7.0-r2.ebuild
@@ -340,6 +340,7 @@ src_prepare() {
epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036
epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038
epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038
+ epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284
# Fix ld and objcopy being called directly
tc-export AR LD OBJCOPY