From a55c1556cf2df4145f2821c1b9eb6836dc853f26adaaeb7d3209345eb70c3b5a Mon Sep 17 00:00:00 2001
From: Bruce Rogers <brogers@suse.com>
Date: Thu, 5 Apr 2018 22:27:33 +0000
Subject: [PATCH] Accepting request 593874 from
 home:bfrogers:branches:Virtualization

- Be more specific about python version used in building package.
  Other minor spec file tweaks.
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
* Patches added:
  0080-vga-fix-region-calculation.patch
- Fix OOB access in VGA emulation (CVE-2018-7858 bsc#1084604)
  0080-vga-fix-region-calculation.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
- Fix OOB access in VGA emulation (CVE-2018-7858 bsc#1084604)
  0080-vga-fix-region-calculation.patch
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11

OBS-URL: https://build.opensuse.org/request/show/593874
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=403
---
 0080-vga-fix-region-calculation.patch | 37 +++++++++++++++++++++++++++
 qemu-linux-user.changes               |  9 +++++++
 qemu-linux-user.spec                  | 15 ++++++-----
 qemu-linux-user.spec.in               | 13 +++++-----
 qemu-testsuite.changes                |  7 +++++
 qemu-testsuite.spec                   |  2 ++
 qemu.changes                          |  7 +++++
 qemu.spec                             |  2 ++
 8 files changed, 80 insertions(+), 12 deletions(-)
 create mode 100644 0080-vga-fix-region-calculation.patch

diff --git a/0080-vga-fix-region-calculation.patch b/0080-vga-fix-region-calculation.patch
new file mode 100644
index 00000000..08610f8a
--- /dev/null
+++ b/0080-vga-fix-region-calculation.patch
@@ -0,0 +1,37 @@
+From e5bdf248c24feab41fc7b8245e37277f1ae60e3e Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 9 Mar 2018 15:37:04 +0100
+Subject: [PATCH] vga: fix region calculation
+
+Typically the scanline length and the line offset are identical.  But
+in case they are not our calculation for region_end is incorrect.  Using
+line_offset is fine for all scanlines, except the last one where we have
+to use the actual scanline length.
+
+Fixes: CVE-2018-7858
+Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Tested-by: Ross Lagerwall <ross.lagerwall@citrix.com>
+Message-id: 20180309143704.13420-1-kraxel@redhat.com
+(cherry picked from commit 7cdc61becd095b64a786b2625f321624e7111f3d)
+[BR: BSC#1084604 CVE-2018-7858 (NOTE: Above CVE reference was modified
+by me, because it was incorrect)]
+Signed-off-by: Bruce Rogers <brogers@suse.com>
+---
+ hw/display/vga.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index d150a3a3eb..1fa66d597d 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -1489,6 +1489,8 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ 
+     region_start = (s->start_addr * 4);
+     region_end = region_start + (ram_addr_t)s->line_offset * height;
++    region_end += width * s->get_bpp(s) / 8; /* scanline length */
++    region_end -= s->line_offset;
+     if (region_end > s->vbe_size) {
+         /* wraps around (can happen with cirrus vbe modes) */
+         region_start = 0;
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes
index c6cb324a..609831e7 100644
--- a/qemu-linux-user.changes
+++ b/qemu-linux-user.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Apr  5 21:33:40 UTC 2018 - brogers@suse.com
+
+- Be more specific about python version used in building package.
+  Other minor spec file tweaks.
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
+* Patches added:
+  0080-vga-fix-region-calculation.patch
+
 -------------------------------------------------------------------
 Thu Apr  5 18:18:59 UTC 2018 - lyan@suse.com
 
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec
index 69a28f89..93842170 100644
--- a/qemu-linux-user.spec
+++ b/qemu-linux-user.spec
@@ -105,6 +105,7 @@ Patch0076:      0076-smbios-support-setting-OEM-strings-.patch
 Patch0077:      0077-smbios-Add-1-terminator-if-any-stri.patch
 Patch0078:      0078-Remove-problematic-evdev-86-key-fro.patch
 Patch0079:      0079-tpm-lookup-cancel-path-under-tpm-de.patch
+Patch0080:      0080-vga-fix-region-calculation.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 Source400:      update_git.sh
@@ -119,7 +120,11 @@ BuildRequires:  glibc-devel-static
 BuildRequires:  libattr-devel-static
 BuildRequires:  makeinfo
 BuildRequires:  pcre-devel-static
-BuildRequires:  python
+%if 0%{?suse_version} > 1320
+BuildRequires:  python3-base
+%else
+BuildRequires:  python-base
+%endif
 BuildRequires:  zlib-devel-static
 # we must not install the qemu-linux-user package when under QEMU build
 %if 0%{?qemu_user_space_build:1}
@@ -213,6 +218,7 @@ syscall layer occurs on the native hardware and operating system.
 %patch0077 -p1
 %patch0078 -p1
 %patch0079 -p1
+%patch0080 -p1
 
 %build
 ./configure \
@@ -222,9 +228,9 @@ syscall layer occurs on the native hardware and operating system.
 	--libexecdir=%_libexecdir \
 	--localstatedir=%_localstatedir \
 %if 0%{?suse_version} > 1320
-        --python=%_bindir/python3 \
+	--python=%_bindir/python3 \
 %else
-        --python=%_bindir/python \
+	--python=%_bindir/python2 \
 %endif
 	--extra-cflags="%{optflags}" \
 	--disable-stack-protector \
@@ -328,9 +334,6 @@ install -d -m 755 %{buildroot}%_sbindir
 install -m 755 scripts/qemu-binfmt-conf.sh %{buildroot}%_sbindir
 %fdupes -s %{buildroot}
 
-%clean
-rm -rf %{buildroot}
-
 %files
 %defattr(-, root, root)
 %doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE
diff --git a/qemu-linux-user.spec.in b/qemu-linux-user.spec.in
index 25406d74..a27bb380 100644
--- a/qemu-linux-user.spec.in
+++ b/qemu-linux-user.spec.in
@@ -41,7 +41,11 @@ BuildRequires:  glibc-devel-static
 BuildRequires:  libattr-devel-static
 BuildRequires:  makeinfo
 BuildRequires:  pcre-devel-static
-BuildRequires:  python
+%if 0%{?suse_version} > 1320
+BuildRequires:  python3-base
+%else
+BuildRequires:  python-base
+%endif
 BuildRequires:  zlib-devel-static
 # we must not install the qemu-linux-user package when under QEMU build
 %if 0%{?qemu_user_space_build:1}
@@ -66,9 +70,9 @@ PATCH_EXEC
 	--libexecdir=%_libexecdir \
 	--localstatedir=%_localstatedir \
 %if 0%{?suse_version} > 1320
-        --python=%_bindir/python3 \
+	--python=%_bindir/python3 \
 %else
-        --python=%_bindir/python \
+	--python=%_bindir/python2 \
 %endif
 	--extra-cflags="%{optflags}" \
 	--disable-stack-protector \
@@ -172,9 +176,6 @@ install -d -m 755 %{buildroot}%_sbindir
 install -m 755 scripts/qemu-binfmt-conf.sh %{buildroot}%_sbindir
 %fdupes -s %{buildroot}
 
-%clean
-rm -rf %{buildroot}
-
 %files
 %defattr(-, root, root)
 %doc COPYING COPYING.LIB COPYING.PYTHON Changelog README VERSION LICENSE
diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes
index 179b7d09..63da1321 100644
--- a/qemu-testsuite.changes
+++ b/qemu-testsuite.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr  5 21:33:37 UTC 2018 - brogers@suse.com
+
+- Fix OOB access in VGA emulation (CVE-2018-7858 bsc#1084604)
+  0080-vga-fix-region-calculation.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
+
 -------------------------------------------------------------------
 Thu Apr  5 18:18:57 UTC 2018 - lyan@suse.com
 
diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec
index 1263a0c4..f8a5d2d6 100644
--- a/qemu-testsuite.spec
+++ b/qemu-testsuite.spec
@@ -209,6 +209,7 @@ Patch0076:      0076-smbios-support-setting-OEM-strings-.patch
 Patch0077:      0077-smbios-Add-1-terminator-if-any-stri.patch
 Patch0078:      0078-Remove-problematic-evdev-86-key-fro.patch
 Patch0079:      0079-tpm-lookup-cancel-path-under-tpm-de.patch
+Patch0080:      0080-vga-fix-region-calculation.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -887,6 +888,7 @@ This package provides a service file for starting and stopping KSM.
 %patch0077 -p1
 %patch0078 -p1
 %patch0079 -p1
+%patch0080 -p1
 
 %if 0%{?suse_version} > 1320
 %patch1000 -p1
diff --git a/qemu.changes b/qemu.changes
index 179b7d09..63da1321 100644
--- a/qemu.changes
+++ b/qemu.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Apr  5 21:33:37 UTC 2018 - brogers@suse.com
+
+- Fix OOB access in VGA emulation (CVE-2018-7858 bsc#1084604)
+  0080-vga-fix-region-calculation.patch
+- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
+
 -------------------------------------------------------------------
 Thu Apr  5 18:18:57 UTC 2018 - lyan@suse.com
 
diff --git a/qemu.spec b/qemu.spec
index ce8e6d5b..b29d0974 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -209,6 +209,7 @@ Patch0076:      0076-smbios-support-setting-OEM-strings-.patch
 Patch0077:      0077-smbios-Add-1-terminator-if-any-stri.patch
 Patch0078:      0078-Remove-problematic-evdev-86-key-fro.patch
 Patch0079:      0079-tpm-lookup-cancel-path-under-tpm-de.patch
+Patch0080:      0080-vga-fix-region-calculation.patch
 # Please do not add QEMU patches manually here.
 # Run update_git.sh to regenerate this queue.
 
@@ -887,6 +888,7 @@ This package provides a service file for starting and stopping KSM.
 %patch0077 -p1
 %patch0078 -p1
 %patch0079 -p1
+%patch0080 -p1
 
 %if 0%{?suse_version} > 1320
 %patch1000 -p1