From 8d82f31c8b4c7249b82314d4354e5973cb04c2c2 Mon Sep 17 00:00:00 2001
From: Rutger Helling <address@hidden>
Date: Wed, 12 Dec 2018 11:57:36 +0100
Subject: [PATCH] gnu: qemu: Update to 3.1.0.

* gnu/local.mk: Remove qemu-CVE-2018-16847.patch and
qemu-CVE-2018-16867.patch.
* gnu/packages/patches/qemu-CVE-2018-16847.patch: Remove file.
* gnu/packages/patches/qemu-CVE-2018-16867.patch: Remove file.
* gnu/packages/virtualization.scm (qemu): Update to 3.1.0.
[source]: Remove removed patches.
---
 gnu/local.mk                                  |   2 -
 .../patches/qemu-CVE-2018-16847.patch         | 158 ------------------
 .../patches/qemu-CVE-2018-16867.patch         |  49 ------
 gnu/packages/virtualization.scm               |   6 +-
 4 files changed, 2 insertions(+), 213 deletions(-)
 delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16847.patch
 delete mode 100644 gnu/packages/patches/qemu-CVE-2018-16867.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e566c221f..47217a8c1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1110,8 +1110,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/python-unittest2-remove-argparse.patch	\
   %D%/packages/patches/python-waitress-fix-tests.patch		\
   %D%/packages/patches/qemu-glibc-2.27.patch 			\
-  %D%/packages/patches/qemu-CVE-2018-16847.patch 		\
-  %D%/packages/patches/qemu-CVE-2018-16867.patch 		\
   %D%/packages/patches/qt4-ldflags.patch			\
   %D%/packages/patches/qtbase-use-TZDIR.patch			\
   %D%/packages/patches/qtscript-disable-tests.patch		\
diff --git a/gnu/packages/patches/qemu-CVE-2018-16847.patch b/gnu/packages/patches/qemu-CVE-2018-16847.patch
deleted file mode 100644
index c76bdf764..000000000
--- a/gnu/packages/patches/qemu-CVE-2018-16847.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-Fix CVE-2018-16847:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16847
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=87ad860c622cc8f8916b5232bd8728c08f938fce
-
-From 87ad860c622cc8f8916b5232bd8728c08f938fce Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <address@hidden>
-Date: Tue, 20 Nov 2018 19:41:48 +0100
-Subject: [PATCH] nvme: fix out-of-bounds access to the CMB
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Because the CMB BAR has a min_access_size of 2, if you read the last
-byte it will try to memcpy *2* bytes from n->cmbuf, causing an off-by-one
-error.  This is CVE-2018-16847.
-
-Another way to fix this might be to register the CMB as a RAM memory
-region, which would also be more efficient.  However, that might be a
-change for big-endian machines; I didn't think this through and I don't
-know how real hardware works.  Add a basic testcase for the CMB in case
-somebody does this change later on.
-
-Cc: Keith Busch <address@hidden>
-Cc: address@hidden
-Reported-by: Li Qiang <address@hidden>
-Reviewed-by: Li Qiang <address@hidden>
-Tested-by: Li Qiang <address@hidden>
-Signed-off-by: Paolo Bonzini <address@hidden>
-Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
-Tested-by: Philippe Mathieu-Daudé <address@hidden>
-Signed-off-by: Kevin Wolf <address@hidden>
----
- hw/block/nvme.c        |  2 +-
- tests/Makefile.include |  2 +-
- tests/nvme-test.c      | 68 +++++++++++++++++++++++++++++++++++-------
- 3 files changed, 60 insertions(+), 12 deletions(-)
-
-diff --git a/hw/block/nvme.c b/hw/block/nvme.c
-index 28d284346dd..8c35cab2b43 100644
---- a/hw/block/nvme.c
-+++ b/hw/block/nvme.c
-@@ -1201,7 +1201,7 @@ static const MemoryRegionOps nvme_cmb_ops = {
-     .write = nvme_cmb_write,
-     .endianness = DEVICE_LITTLE_ENDIAN,
-     .impl = {
--        .min_access_size = 2,
-+        .min_access_size = 1,
-         .max_access_size = 8,
-     },
- };
-diff --git a/tests/Makefile.include b/tests/Makefile.include
-index 613242bc6ef..fb0b449c02a 100644
---- a/tests/Makefile.include
-+++ b/tests/Makefile.include
-@@ -730,7 +730,7 @@ tests/test-hmp$(EXESUF): tests/test-hmp.o
- tests/machine-none-test$(EXESUF): tests/machine-none-test.o
- tests/drive_del-test$(EXESUF): tests/drive_del-test.o $(libqos-virtio-obj-y)
- tests/qdev-monitor-test$(EXESUF): tests/qdev-monitor-test.o $(libqos-pc-obj-y)
--tests/nvme-test$(EXESUF): tests/nvme-test.o
-+tests/nvme-test$(EXESUF): tests/nvme-test.o $(libqos-pc-obj-y)
- tests/pvpanic-test$(EXESUF): tests/pvpanic-test.o
- tests/i82801b11-test$(EXESUF): tests/i82801b11-test.o
- tests/ac97-test$(EXESUF): tests/ac97-test.o
-diff --git a/tests/nvme-test.c b/tests/nvme-test.c
-index 7674a446e4f..2700ba838aa 100644
---- a/tests/nvme-test.c
-+++ b/tests/nvme-test.c
-@@ -8,25 +8,73 @@
-  */
- 
- #include "qemu/osdep.h"
-+#include "qemu/units.h"
- #include "libqtest.h"
-+#include "libqos/libqos-pc.h"
-+
-+static QOSState *qnvme_start(const char *extra_opts)
-+{
-+    QOSState *qs;
-+    const char *arch = qtest_get_arch();
-+    const char *cmd = "-drive id=drv0,if=none,file=null-co://,format=raw "
-+                      "-device nvme,addr=0x4.0,serial=foo,drive=drv0 %s";
-+
-+    if (strcmp(arch, "i386") == 0 || strcmp(arch, "x86_64") == 0) {
-+        qs = qtest_pc_boot(cmd, extra_opts ? : "");
-+        global_qtest = qs->qts;
-+        return qs;
-+    }
-+
-+    g_printerr("nvme tests are only available on x86\n");
-+    exit(EXIT_FAILURE);
-+}
-+
-+static void qnvme_stop(QOSState *qs)
-+{
-+    qtest_shutdown(qs);
-+}
- 
--/* Tests only initialization so far. TODO: Replace with functional tests */
- static void nop(void)
- {
-+    QOSState *qs;
-+
-+    qs = qnvme_start(NULL);
-+    qnvme_stop(qs);
- }
- 
--int main(int argc, char **argv)
-+static void nvmetest_cmb_test(void)
- {
--    int ret;
-+    const int cmb_bar_size = 2 * MiB;
-+    QOSState *qs;
-+    QPCIDevice *pdev;
-+    QPCIBar bar;
- 
--    g_test_init(&argc, &argv, NULL);
--    qtest_add_func("/nvme/nop", nop);
-+    qs = qnvme_start("-global nvme.cmb_size_mb=2");
-+    pdev = qpci_device_find(qs->pcibus, QPCI_DEVFN(4,0));
-+    g_assert(pdev != NULL);
-+
-+    qpci_device_enable(pdev);
-+    bar = qpci_iomap(pdev, 2, NULL);
-+
-+    qpci_io_writel(pdev, bar, 0, 0xccbbaa99);
-+    g_assert_cmpint(qpci_io_readb(pdev, bar, 0), ==, 0x99);
-+    g_assert_cmpint(qpci_io_readw(pdev, bar, 0), ==, 0xaa99);
-+
-+    /* Test partially out-of-bounds accesses.  */
-+    qpci_io_writel(pdev, bar, cmb_bar_size - 1, 0x44332211);
-+    g_assert_cmpint(qpci_io_readb(pdev, bar, cmb_bar_size - 1), ==, 0x11);
-+    g_assert_cmpint(qpci_io_readw(pdev, bar, cmb_bar_size - 1), !=, 0x2211);
-+    g_assert_cmpint(qpci_io_readl(pdev, bar, cmb_bar_size - 1), !=, 0x44332211);
-+    g_free(pdev);
- 
--    qtest_start("-drive id=drv0,if=none,file=null-co://,format=raw "
--                "-device nvme,drive=drv0,serial=foo");
--    ret = g_test_run();
-+    qnvme_stop(qs);
-+}
- 
--    qtest_end();
-+int main(int argc, char **argv)
-+{
-+    g_test_init(&argc, &argv, NULL);
-+    qtest_add_func("/nvme/nop", nop);
-+    qtest_add_func("/nvme/cmb_test", nvmetest_cmb_test);
- 
--    return ret;
-+    return g_test_run();
- }
--- 
-2.19.2
-
diff --git a/gnu/packages/patches/qemu-CVE-2018-16867.patch b/gnu/packages/patches/qemu-CVE-2018-16867.patch
deleted file mode 100644
index 1403d8e0f..000000000
--- a/gnu/packages/patches/qemu-CVE-2018-16867.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-Fix CVE-2018-16867:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
-https://seclists.org/oss-sec/2018/q4/202
-
-Patch copied from upstream source repository:
-
-https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c52d46e041b42bb1ee6f692e00a0abe37a9659f6
-
-From c52d46e041b42bb1ee6f692e00a0abe37a9659f6 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <address@hidden>
-Date: Mon, 3 Dec 2018 11:10:45 +0100
-Subject: [PATCH] usb-mtp: outlaw slashes in filenames
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Slash is unix directory separator, so they are not allowed in filenames.
-Note this also stops the classic escape via "../".
-
-Fixes: CVE-2018-16867
-Reported-by: Michael Hanselmann <address@hidden>
-Signed-off-by: Gerd Hoffmann <address@hidden>
-Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
-Message-id: address@hidden
----
- hw/usb/dev-mtp.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
-index 0f6a9702ef1..100b7171f4e 100644
---- a/hw/usb/dev-mtp.c
-+++ b/hw/usb/dev-mtp.c
-@@ -1719,6 +1719,12 @@ static void usb_mtp_write_metadata(MTPState *s)
- 
-     filename = utf16_to_str(dataset->length, dataset->filename);
- 
-+    if (strchr(filename, '/')) {
-+        usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
-+                             0, 0, 0, 0);
-+        return;
-+    }
-+
-     o = usb_mtp_object_lookup_name(p, filename, dataset->length);
-     if (o != NULL) {
-         next_handle = o->handle;
--- 
-2.19.2
-
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index 0502bb38c..8e361558b 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -95,16 +95,14 @@
 (define-public qemu
   (package
     (name "qemu")
-    (version "3.0.0")
+    (version "3.1.0")
     (source (origin
              (method url-fetch)
              (uri (string-append "https://download.qemu.org/qemu-"
                                  version ".tar.xz"))
-             (patches (search-patches "qemu-CVE-2018-16847.patch"
-                                      "qemu-CVE-2018-16867.patch"))
              (sha256
               (base32
-               "04sp3f1gp4bdb913jf7fw761njaqp2l32wgipp1sapmxx17zcyld"))))
+               "1z5bd5nfyjvhfi1s95labc82y4hjdjjkdabw931362ls0zghh1ba"))))
     (build-system gnu-build-system)
     (arguments
      '(;; Running tests in parallel can occasionally lead to failures, like:
-- 
2.20.0