From 39faed1f2f1b0bbb767785d916712790e78fcb5b Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 28 Apr 2014 14:37:46 +0200
Subject: [PATCH] qemu: Apply patch for CVE-2014-0150, CVE-2014-2894
---
.../virtualization/qemu/cve-2014-0150.patch | 14 ++++++++++++++
.../virtualization/qemu/cve-2014-2894.patch | 14 ++++++++++++++
pkgs/applications/virtualization/qemu/default.nix | 2 ++
3 files changed, 30 insertions(+)
create mode 100644 pkgs/applications/virtualization/qemu/cve-2014-0150.patch
create mode 100644 pkgs/applications/virtualization/qemu/cve-2014-2894.patch
diff --git a/pkgs/applications/virtualization/qemu/cve-2014-0150.patch b/pkgs/applications/virtualization/qemu/cve-2014-0150.patch
new file mode 100644
index 00000000000..a086b369321
--- /dev/null
+++ b/pkgs/applications/virtualization/qemu/cve-2014-0150.patch
@@ -0,0 +1,14 @@
+
+diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
+index 439477b..33bd233 100644
+--- a/hw/net/virtio-net.c
++++ b/hw/net/virtio-net.c
+ -677,7 +677,7 static int virtio_net_handle_mac(VirtIONet *n, uint8_t cmd,
+ goto error;
+ }
+
+- if (in_use + mac_data.entries <= MAC_TABLE_ENTRIES) {
++ if (mac_data.entries <= MAC_TABLE_ENTRIES - in_use) {
+ s = iov_to_buf(iov, iov_cnt, 0, &macs[in_use * ETH_ALEN],
+ mac_data.entries * ETH_ALEN);
+ if (s != mac_data.entries * ETH_ALEN) {
diff --git a/pkgs/applications/virtualization/qemu/cve-2014-2894.patch b/pkgs/applications/virtualization/qemu/cve-2014-2894.patch
new file mode 100644
index 00000000000..4f4bcfc06ad
--- /dev/null
+++ b/pkgs/applications/virtualization/qemu/cve-2014-2894.patch
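Review bot: The rewritten guard `mac_data.entries <= MAC_TABLE_ENTRIES - in_use` in the embedded virtio-net.c hunk is only sound while `in_use` cannot exceed `MAC_TABLE_ENTRIES` at this line; if it could, the subtraction itself would go out of range and the guest-supplied `mac_data.entries` would be compared against a meaningless bound. That invariant has to come from earlier in `virtio_net_handle_mac`, which starts and ends outside the hunk, and the declared types of `in_use` and `mac_data.entries` are not visible either, so both should be confirmed against the full file. I would record the assumption next to the check, e.g. `/* in_use <= MAC_TABLE_ENTRIES here; compare against the remaining space so the guest-supplied count cannot wrap the sum */`.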
@@ -0,0 +1,14 @@
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index e1dfe54..c943a4d 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1602,7 +1602,7 @@ static bool cmd_smart(IDEState *s, uint8_t cmd)
+ case 2: /* extended self test */
+ s->smart_selftest_count++;
+ if (s->smart_selftest_count > 21) {
+- s->smart_selftest_count = 0;
++ s->smart_selftest_count = 1;
+ }
+ n = 2 + (s->smart_selftest_count - 1) * 24;
+ s->smart_selftest_data[n] = s->sector;
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index b6e28d44411..ac9b3448a14 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -17,6 +17,8 @@ stdenv.mkDerivation rec { sha256 = "1x5y06zhp0gc97g1sb98vf7dkawg63xywv0mbnpfnbi20jh452fn"; }; + patches = [ ./cve-2014-0150.patch ./cve-2014-2894.patch ]; + buildInputs = [ python zlib pkgconfig glib ncurses perl pixman attr libcap vde2 alsaLib texinfo libuuid flex bison makeWrapper
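Review bot: The index `n = 2 + (s->smart_selftest_count - 1) * 24` in the embedded ide/core.c hunk still trusts the counter to be in 1..21, and the change repairs only the wrap-around path. With the old reset to 0 the expression evaluated to 2 - 24, so the store to `s->smart_selftest_data[n]` landed before the array; any other way the counter could hold 0 or a value above 21 at this line (not visible here, to be checked in the rest of the file) would have the same effect. A short comment above the reset would record why 1 is the right value, e.g. `/* 1-based log slot, valid range 1..21; 0 would make n negative */`. `cmd_smart` starts and ends outside the hunk.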
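Review bot: The new `patches` line in default.nix vendors two local files without saying where they came from or when they can be removed. Neither .patch file carries an upstream commit reference, so a later maintainer cannot compare them with the upstream fixes or tell on a version bump whether the release already contains them. A comment above the attribute would cover both, e.g. `# Upstream fixes for CVE-2014-0150 and CVE-2014-2894 (<upstream commit URLs>); drop once src is bumped to a release that includes them.` The `mkDerivation` body continues outside the hunk.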