author | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-05-16 04:10:38 +0000 |
committer | Nicolás Reynolds <fauno@endefensadelsl.org> | 2014-05-16 04:10:38 +0000 |
commit | 4f73192c45f7b9615f06144dcb71f8450d39b7fb (patch) | |
tree | cf3d6e41a808634a6b55e09464f37bea02cf4e7f /extra/qemu | |
parent | 85be6f08e6368a31e9f971c043b11e8c12ce6545 (diff) |
Fri May 16 04:04:53 UTC 2014
Diffstat (limited to 'extra/qemu')
-rw-r--r-- | extra/qemu/2.0.0-usb-stack.patch | 36 | ||||
-rw-r--r-- | extra/qemu/PKGBUILD | 17 |
2 files changed, 49 insertions, 4 deletions
diff --git a/extra/qemu/2.0.0-usb-stack.patch b/extra/qemu/2.0.0-usb-stack.patch
new file mode 100644
index 000000000..8829df92c
--- /dev/null
+++ b/extra/qemu/2.0.0-usb-stack.patch
@@ -0,0 +1,36 @@
+Correct post load checks:
+1. dev->setup_len == sizeof(dev->data_buf)
+ seems fine, no need to fail migration
+2. When state is DATA, passing index > len
+ will cause memcpy with negative length,
+ resulting in heap overflow
+
+First of the issues was reported by dgilbert.
+
+Reported-by: "Dr. David Alan Gilbert" <dgilbert <at> redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst <at> redhat.com>
+---
+
+changes from v1:
+- drop state check
+- lightly tested
+
+ hw/usb/bus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/bus.c b/hw/usb/bus.c
+index e48b19f..ff1dfe6 100644
+--- a/hw/usb/bus.c
++++ b/hw/usb/bus.c
+ <at> <at> -51,8 +51,8 <at> <at> static int usb_device_post_load(void *opaque, int version_id)
+ }
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+- dev->setup_index >= sizeof(dev->data_buf) ||
+- dev->setup_len >= sizeof(dev->data_buf)) {
++ dev->setup_index > dev->setup_len ||
++ dev->setup_len > sizeof(dev->data_buf)) {
+ return -EINVAL;
+ }
+ return 0;
+
diff --git a/extra/qemu/PKGBUILD b/extra/qemu/PKGBUILD
index 21cbd7e1d..ab5b8a8ab 100644
--- a/extra/qemu/PKGBUILD
+++ b/extra/qemu/PKGBUILD
@@ -1,8 +1,8 @@
-# $Id: PKGBUILD 212224 2014-05-11 08:54:01Z tpowa $
+# $Id: PKGBUILD 212784 2014-05-15 06:48:51Z tpowa $
 # Maintainer: Tobias Powalowski <tpowa@archlinux.org>
 pkgname=('qemu' 'libcacard')
 pkgver=2.0.0
-pkgrel=2
+pkgrel=3
 arch=('i686' 'x86_64')
 license=('GPL2' 'LGPL2.1')
 url="http://wiki.qemu.org/Index.html"
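Review bot: The hunk header of the embedded bus.c diff is stored as `+ <at> <at> -51,8 +51,8 <at> <at> static int usb_device_post_load(...)`, and the Reported-by/Signed-off-by addresses carry the same `<at>` token, which suggests the patch was copied from a mail-archive rendering rather than from the raw message. If the committed file literally contains `<at>` in place of `@@`, `patch -Np1` in prepare() has no parseable unified hunk and the new `setup_index > setup_len` / `setup_len > sizeof(data_buf)` check never lands in the built qemu; patch should exit non-zero so the build stops rather than silently skipping it, but that is worth confirming against the build log. Correcting the header also changes the file's md5 pinned in PKGBUILD ('f98a479ec4e656403f5f05b1914f7f1f'), so the two must be updated together. The added checks themselves only follow the existing `< 0` tests visible here; the rest of usb_device_post_load lies outside the hunk.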
@@ -14,7 +14,14 @@ makedepends=('pixman' 'libjpeg' 'libpng' 'sdl' 'alsa-lib' 'nss' 'glib2' replaces=('qemu-kvm') options=(!strip) source=(http://wiki.qemu.org/download/${pkgname}-${pkgver}.tar.bz2 - 65-kvm.rules) + 65-kvm.rules + 2.0.0-usb-stack.patch) + +prepare () +{ + cd "${srcdir}/${pkgname}-${pkgver}" + patch -Np1 -i "${srcdir}/2.0.0-usb-stack.patch" +} build () { @@ -22,6 +29,7 @@ build () # qemu vs. make 4 == bad export ARFLAGS="rv" # http://permalink.gmane.org/gmane.comp.emulators.qemu/238740 + # gtk gui breaks keymappings at the moment ./configure --prefix=/usr --sysconfdir=/etc --audio-drv-list='pa alsa sdl' \ --python=/usr/bin/python2 --smbd=/usr/bin/smbd \ @@ -82,4 +90,5 @@ package_libcacard() { cp -a ${srcdir}/qemu-${pkgver}/.libs/vscclient ${pkgdir}/usr/bin/ } md5sums=('2790f44fd76da5de5024b4aafeb594c2' - '33ab286a20242dda7743a900f369d68a') + '33ab286a20242dda7743a900f369d68a' + 'f98a479ec4e656403f5f05b1914f7f1f') |
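Review bot: The new checksum line in the last hunk extends an `md5sums=` array that is the only integrity check on the qemu tarball, which `source=` fetches over plain http; MD5 is collision-prone, so the new entry would be better placed in a `sha256sums=(...)` array (makepkg accepts it and `makepkg -g` regenerates the values, e.g. `'<sha256 of 2.0.0-usb-stack.patch>'`). In the first hunk, `prepare()` builds its path from `${pkgname}` although pkgname is an array in this file and the expansion silently yields only its first element; the `qemu-${pkgver}` form already used by package_libcacard's `cp -a` line is clearer, i.e. `cd "${srcdir}/qemu-${pkgver}"`. The `# gtk gui breaks keymappings at the moment` comment in the second hunk is not tied to any option visible in the hunk, so naming the configure option it explains would help the next maintainer.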