Rebased to version 2.1.1

CVE-2014-5388: out of bounds memory access (bz #1132962, bz #1132956)
CVE-2014-3615 crash when guest sets high resolution (bz #1139121, bz #1139115)

0001-loader-Add-load_image_gzipped-function.patch

@@ -1,7 +1,7 @@
-From ddf2a3a69486376897ae654c8f1f0aa8cbae6c24 Mon Sep 17 00:00:00 2001
+From 031f135c71ab705914f378d19067d1f1f25e744f Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Mon, 4 Aug 2014 12:25:08 +0100
+Date: Tue, 19 Aug 2014 18:56:28 +0100
-Subject: [PATCH 1/2] loader: Add load_image_gzipped function.
+Subject: [PATCH] loader: Add load_image_gzipped function.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -11,13 +11,20 @@ gzipped.  It is uncompressed before storing it in guest memory.
 
 Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 1407831259-2115-2-git-send-email-rjones@redhat.com
+[PMM: removed stray space before ')']
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+(cherry picked from commit 235e74afcb85285a8e35e75f0cb6e6811267bb75)
 ---
  hw/core/loader.c    | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
  include/hw/loader.h |  1 +
  2 files changed, 49 insertions(+)
 
 diff --git a/hw/core/loader.c b/hw/core/loader.c
-index 2bf6b8f..83136e8 100644
+index 2bf6b8f..0fde699 100644
 --- a/hw/core/loader.c
 +++ b/hw/core/loader.c
 @@ -577,6 +577,54 @@ int load_ramdisk(const char *filename, hwaddr addr, uint64_t max_sz)
@@ -47,7 +54,7 @@ index 2bf6b8f..83136e8 100644
 +    /* Is it a gzip-compressed file? */
 +    if (len < 2 ||
 +        compressed_data[0] != 0x1f ||
-+        compressed_data[1] != 0x8b ) {
++        compressed_data[1] != 0x8b) {
 +        goto out;
 +    }
 +
@@ -87,6 +94,3 @@ index 796cbf9..00c9117 100644
  
  #define ELF_LOAD_FAILED       -1
  #define ELF_LOAD_NOT_ELF      -2
--- 
-2.0.4
-

0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch

@@ -1,7 +1,7 @@
-From fc77c3116f7e4b3400e576c51e73ade2edee350a Mon Sep 17 00:00:00 2001
+From 0f688b169496a2f85fe092eae3f385511946bf3f Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
-Date: Tue, 29 Jul 2014 23:32:31 +0100
+Date: Tue, 19 Aug 2014 18:56:28 +0100
-Subject: [PATCH 2/2] aarch64: Allow -kernel option to take a gzip-compressed
+Subject: [PATCH] aarch64: Allow -kernel option to take a gzip-compressed
  kernel.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -25,36 +25,25 @@ Currently this is only done when emulating aarch64.
 
 Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 1407831259-2115-3-git-send-email-rjones@redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 6f5d3cbe8892367026526a7deed0ceecc700a7ad)
 ---
- hw/arm/boot.c | 9 +++++++++
+ hw/arm/boot.c | 7 +++++++
- 1 file changed, 9 insertions(+)
+ 1 file changed, 7 insertions(+)
 
 diff --git a/hw/arm/boot.c b/hw/arm/boot.c
-index 1241761..c71c4d5 100644
+index 3d1f4a2..b7d60aa 100644
 --- a/hw/arm/boot.c
 +++ b/hw/arm/boot.c
-@@ -448,6 +448,7 @@ static void do_cpu_reset(void *opaque)
+@@ -510,6 +510,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
- void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
- {
-     CPUState *cs = CPU(cpu);
-+    int allow_compressed_kernels = 0;
-     int kernel_size;
-     int initrd_size;
-     int is_linux = 0;
-@@ -469,6 +470,7 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
-         primary_loader = bootloader_aarch64;
-         kernel_load_offset = KERNEL64_LOAD_ADDR;
-         elf_machine = EM_AARCH64;
-+        allow_compressed_kernels = 1;
-     } else {
-         primary_loader = bootloader;
-         kernel_load_offset = KERNEL_LOAD_ADDR;
-@@ -514,6 +516,13 @@ void arm_load_kernel(ARMCPU *cpu, struct arm_boot_info *info)
          kernel_size = load_uimage(info->kernel_filename, &entry, NULL,
                                    &is_linux);
      }
 +    /* On aarch64, it's the bootloader's job to uncompress the kernel. */
-+    if (allow_compressed_kernels && kernel_size < 0) {
++    if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64) && kernel_size < 0) {
 +        entry = info->loader_start + kernel_load_offset;
 +        kernel_size = load_image_gzipped(info->kernel_filename, entry,
 +                                         info->ram_size - kernel_load_offset);
@@ -63,6 +52,3 @@ index 1241761..c71c4d5 100644
      if (kernel_size < 0) {
          entry = info->loader_start + kernel_load_offset;
          kernel_size = load_image_targphys(info->kernel_filename, entry,
--- 
-2.0.4
-

0003-block.curl-adding-timeout-option.patch

@@ -1,4 +1,4 @@
-From 212aefaa53d142baa9a22f5aadd2e72eb916c0c0 Mon Sep 17 00:00:00 2001
+From 04ca8ab4dfca981ab0f1f6744286e8a84e0fccca Mon Sep 17 00:00:00 2001
 From: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
 Date: Wed, 13 Aug 2014 12:44:27 -0300
 Subject: [PATCH] block.curl: adding 'timeout' option
@@ -17,13 +17,14 @@ Signed-off-by: Daniel Henrique Barboza <danielhb@linux.vnet.ibm.com>
 Reviewed-by: Benoit Canet <benoit.canet@nodalink.com>
 Tested-by: Richard W.M. Jones <rjones@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit 212aefaa53d142baa9a22f5aadd2e72eb916c0c0)
 ---
  block/curl.c    | 13 ++++++++++++-
  qemu-options.hx | 10 ++++++++--
  2 files changed, 20 insertions(+), 3 deletions(-)
 
 diff --git a/block/curl.c b/block/curl.c
-index d4b85d2..2698ae3 100644
+index 79ff2f1..6f45547 100644
 --- a/block/curl.c
 +++ b/block/curl.c
 @@ -63,6 +63,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
@@ -82,7 +83,7 @@ index d4b85d2..2698ae3 100644
  
      file = qemu_opt_get(opts, CURL_BLOCK_OPT_URL);
 diff --git a/qemu-options.hx b/qemu-options.hx
-index c573dd8..52d56f4 100644
+index 1549625..dcb008b 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
 @@ -2351,6 +2351,11 @@ multiple of 512 bytes. It defaults to 256k.
@@ -110,6 +111,3 @@ index c573dd8..52d56f4 100644
  
  qemu-system-x86_64 -drive file=/tmp/test.qcow2
  @end example
--- 
-2.0.4
-

0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch

@@ -1,4 +1,4 @@
-From a94f83d94fdf907680f068f1be7ad13d1f697067 Mon Sep 17 00:00:00 2001
+From dde3e0ef0b9f2ffd68b6bd348ccb46d8fb35f84c Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Fri, 29 Aug 2014 16:03:12 +0100
 Subject: [PATCH] curl: Allow a cookie or cookies to be sent with http/https
@@ -24,13 +24,14 @@ disk size: unavailable
 
 Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit a94f83d94fdf907680f068f1be7ad13d1f697067)
 ---
  block/curl.c    | 16 ++++++++++++++++
  qemu-options.hx |  5 +++++
  2 files changed, 21 insertions(+)
 
 diff --git a/block/curl.c b/block/curl.c
-index 2698ae3..9051bc0 100644
+index 6f45547..537e257 100644
 --- a/block/curl.c
 +++ b/block/curl.c
 @@ -73,6 +73,7 @@ static CURLMcode __curl_multi_socket_action(CURLM *multi_handle,
@@ -97,7 +98,7 @@ index 2698ae3..9051bc0 100644
      g_free(s->url);
      qemu_opts_del(opts);
      return -EINVAL;
-@@ -695,6 +710,7 @@ static void curl_close(BlockDriverState *bs)
+@@ -689,6 +704,7 @@ static void curl_close(BlockDriverState *bs)
      DPRINTF("CURL: Close\n");
      curl_detach_aio_context(bs);
  
@@ -106,7 +107,7 @@ index 2698ae3..9051bc0 100644
  }
  
 diff --git a/qemu-options.hx b/qemu-options.hx
-index 52d56f4..5479cf5 100644
+index dcb008b..53b6171 100644
 --- a/qemu-options.hx
 +++ b/qemu-options.hx
 @@ -2352,6 +2352,11 @@ multiple of 512 bytes. It defaults to 256k.
@@ -121,6 +122,3 @@ index 52d56f4..5479cf5 100644
  @item timeout
  Set the timeout in seconds of the CURL connection. This timeout is the time
  that CURL waits for a response from the remote server to get the size of the
--- 
-2.0.4
-

0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch

@@ -1,4 +1,4 @@
-From a2f468e48f8b6559ec9123e94948bc373b788941 Mon Sep 17 00:00:00 2001
+From 1ea3e3a38b5bdb144a7206654c51f8f4768077f3 Mon Sep 17 00:00:00 2001
 From: "Richard W.M. Jones" <rjones@redhat.com>
 Date: Thu, 28 Aug 2014 09:04:21 +0100
 Subject: [PATCH] curl: Don't deref NULL pointer in call to aio_poll.
@@ -30,12 +30,13 @@ Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
 Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Benoît Canet <benoit.canet@nodalink.com>
 Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+(cherry picked from commit a2f468e48f8b6559ec9123e94948bc373b788941)
 ---
  block/curl.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/block/curl.c b/block/curl.c
-index 9051bc0..0258339 100644
+index 537e257..d28b701 100644
 --- a/block/curl.c
 +++ b/block/curl.c
 @@ -357,7 +357,7 @@ static void curl_multi_timeout_do(void *arg)
@@ -74,6 +75,3 @@ index 9051bc0..0258339 100644
      if (!state) {
          acb->common.cb(acb->common.opaque, -EIO);
          qemu_aio_release(acb);
--- 
-2.0.4
-

qemu.spec

@@ -151,8 +151,8 @@
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 2.1.0
+Version: 2.1.1
-Release: 6%{?dist}
+Release: 1%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -192,16 +192,13 @@ Source12: bridge.conf
 # qemu-kvm back compat wrapper
 Source13: qemu-kvm.sh
 
-# Upstream commit: 235e74afcb85285a8e35e75f0cb6e6811267bb75
+# Allow aarch64 to boot compressed kernel
-Patch1: 0001-loader-Add-load_image_gzipped-function.patch
+Patch0001: 0001-loader-Add-load_image_gzipped-function.patch
-# Upstream commit: 6f5d3cbe8892367026526a7deed0ceecc700a7ad
+Patch0002: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
-Patch2: 0002-aarch64-Allow-kernel-option-to-take-a-gzip-compresse.patch
+# Fix crash in curl driver
-# Upstream commit: 212aefaa53d142baa9a22f5aadd2e72eb916c0c0
+Patch0003: 0003-block.curl-adding-timeout-option.patch
-Patch3: 0001-block.curl-adding-timeout-option.patch
+Patch0004: 0004-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
-# Upstream commit: a94f83d94fdf907680f068f1be7ad13d1f697067
+Patch0005: 0005-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
-Patch4: 0001-curl-Allow-a-cookie-or-cookies-to-be-sent-with-http-.patch
-# Upstream commit: a2f468e48f8b6559ec9123e94948bc373b788941
-Patch5: 0001-curl-Don-t-deref-NULL-pointer-in-call-to-aio_poll.patch
 
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -727,11 +724,13 @@ CAC emulation development files.
 %prep
 %setup -q
 
-%patch1 -p1
+# Allow aarch64 to boot compressed kernel
-%patch2 -p1
+%patch0001 -p1
-%patch3 -p1
+%patch0002 -p1
-%patch4 -p1
+# Fix crash in curl driver
-%patch5 -p1
+%patch0003 -p1
+%patch0004 -p1
+%patch0005 -p1
 
 
 %build
@@ -1511,6 +1510,12 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Thu Sep 11 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.1-1
+- Rebased to version 2.1.1
+- CVE-2014-5388: out of bounds memory access (bz #1132962, bz #1132956)
+- CVE-2014-3615 crash when guest sets high resolution (bz #1139121, bz
+  #1139115)
+
 * Wed Sep  3 2014 Richard W.M. Jones <rjones@redhat.com> 2:2.1.0-6
 - Add upstream patches to:
   * Fix crash in curl driver.

sources

@@ -1 +1 @@
-6726977292b448cbc7f89998fac6983b  qemu-2.1.0.tar.bz2
+78b1b51bfa2eee424e1bfdf3b66daa64  qemu-2.1.1.tar.bz2