author | nox <nox@FreeBSD.org> | 2007-12-13 09:10:53 +0800 |
committer | nox <nox@FreeBSD.org> | 2007-12-13 09:10:53 +0800 |
commit | d4dc1cde0eba6deb8a9d737a6bce0b8007a5ef2f (patch) | |
tree | b30cd86b507a6a5cefae5de1d3260cff236319e6 /emulators/qemu | |
parent | 7342eeee4d470754c6536503d1c109acd49d5d65 (diff) | |
Fix a local denial-of-service vulnerability in translation block (TB) code generation
Obtained from: qemu cvs
Security: http://www.freebsd.org/ports/portaudit/30f5ca1d-a90b-11dc-bf13-0211060005df.html
Diffstat (limited to 'emulators/qemu')
-rw-r--r-- | emulators/qemu/Makefile | 2 | ||||
-rw-r--r-- | emulators/qemu/files/patch-tlb-vuln | 92 |
2 files changed, 93 insertions, 1 deletions
diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index 5578ef2b306..8cadd3d041e 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -7,7 +7,7 @@ PORTNAME= qemu
 PORTVERSION= 0.9.0
-PORTREVISION= 3
+PORTREVISION= 4
 CATEGORIES= emulators
 MASTER_SITES= http://fabrice.bellard.free.fr/qemu/:release \
 http://qemu.org/:release \
diff --git a/emulators/qemu/files/patch-tlb-vuln b/emulators/qemu/files/patch-tlb-vuln
new file mode 100644
index 00000000000..491d88f86ca
--- /dev/null
+++ b/emulators/qemu/files/patch-tlb-vuln
@@ -0,0 +1,92 @@
+Index: qemu/cpu-exec.c
+diff -u qemu/cpu-exec.c:1.128 qemu/cpu-exec.c:1.129
+--- qemu/cpu-exec.c:1.128 Sun Dec 2 06:18:23 2007
++++ qemu/cpu-exec.c Tue Dec 11 19:35:45 2007
+@@ -133,7 +133,7 @@
+ tb->tc_ptr = tc_ptr;
+ tb->cs_base = cs_base;
+ tb->flags = flags;
+- cpu_gen_code(env, tb, CODE_GEN_MAX_SIZE, &code_gen_size);
++ cpu_gen_code(env, tb, &code_gen_size);
+ code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
+ 
+ /* check next page if needed */
+Index: qemu/exec-all.h
+diff -u qemu/exec-all.h:1.72 qemu/exec-all.h:1.73
+--- qemu/exec-all.h:1.72 Mon Nov 19 00:38:33 2007
++++ qemu/exec-all.h Tue Dec 11 19:35:45 2007
+@@ -64,8 +64,9 @@
+ int gen_intermediate_code(CPUState *env, struct TranslationBlock *tb);
+ int gen_intermediate_code_pc(CPUState *env, struct TranslationBlock *tb);
+ void dump_ops(const uint16_t *opc_buf, const uint32_t *opparam_buf);
++unsigned long code_gen_max_block_size(void);
+ int cpu_gen_code(CPUState *env, struct TranslationBlock *tb,
+- int max_code_size, int *gen_code_size_ptr);
++ int *gen_code_size_ptr);
+ int cpu_restore_state(struct TranslationBlock *tb,
+ CPUState *env, unsigned long searched_pc,
+ void *puc);
+@@ -94,7 +95,6 @@
+ return tlb_set_page_exec(env, vaddr, paddr, prot, mmu_idx, is_softmmu);
+ }
+ 
+-#define CODE_GEN_MAX_SIZE 65536
+ #define CODE_GEN_ALIGN 16 /* must be >= of the size of a icache line */
+ 
+ #define CODE_GEN_PHYS_HASH_BITS 15
+Index: qemu/exec.c
+diff -u qemu/exec.c:1.117 qemu/exec.c:1.118
+--- qemu/exec.c:1.117 Sun Dec 9 02:22:56 2007
++++ qemu/exec.c Tue Dec 11 19:35:45 2007
+@@ -56,7 +56,7 @@
+ #endif
+ 
+ /* threshold to flush the translated code buffer */
+-#define CODE_GEN_BUFFER_MAX_SIZE (CODE_GEN_BUFFER_SIZE - CODE_GEN_MAX_SIZE)
++#define CODE_GEN_BUFFER_MAX_SIZE (CODE_GEN_BUFFER_SIZE - code_gen_max_block_size())
+ 
+ #define SMC_BITMAP_USE_THRESHOLD 10
+ 
+@@ -622,7 +622,7 @@
+ tb->cs_base = cs_base;
+ tb->flags = flags;
+ tb->cflags = cflags;
+- cpu_gen_code(env, tb, CODE_GEN_MAX_SIZE, &code_gen_size);
++ cpu_gen_code(env, tb, &code_gen_size);
+ code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
+ 
+ /* check next page if needed */
+Index: qemu/translate-all.c
+diff -u qemu/translate-all.c:1.23 qemu/translate-all.c:1.24
+--- qemu/translate-all.c:1.23 Sun Dec 2 06:10:02 2007
++++ qemu/translate-all.c Tue Dec 11 19:35:45 2007
+@@ -132,14 +132,27 @@
+ }
+ }
+ 
++unsigned long code_gen_max_block_size(void)
++{
++ static unsigned long max;
++
++ if (max == 0) {
++#define DEF(s, n, copy_size) max = copy_size > max? copy_size : max;
++#include "opc.h"
++#undef DEF
++ max *= OPC_MAX_SIZE;
++ }
++
++ return max;
++}
++
+ /* return non zero if the very first instruction is invalid so that
+ the virtual CPU can trigger an exception.
+ 
+ '*gen_code_size_ptr' contains the size of the generated code (host
+ code).
+ */
+-int cpu_gen_code(CPUState *env, TranslationBlock *tb,
+- int max_code_size, int *gen_code_size_ptr)
++int cpu_gen_code(CPUState *env, TranslationBlock *tb, int *gen_code_size_ptr)
+ {
+ uint8_t *gen_code_buf;
+ int gen_code_size; |
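Review bot: The new code_gen_max_block_size() in translate-all.c computes its bound once and caches it in a function-local static, using `max == 0` as the not-yet-computed sentinel, and neither the lazy initialisation nor what the number means is documented; a header comment such as `/* Worst-case host code size of one TB: OPC_MAX_SIZE ops, each at the largest copy_size listed in opc.h. Computed on first call and cached; assumes a single translating thread. */` would make that contract explicit. The DEF expansion should also parenthesise its argument, `max = (copy_size) > max ? (copy_size) : max;`, in case an opc.h entry's copy_size is ever an expression rather than a literal. Since the max_code_size parameter is gone from cpu_gen_code, the comparison of the generated size against this new bound must now live in its body, which continues past the end of the hunk and is not visible here; it is worth confirming that the check exists and that CODE_GEN_BUFFER_MAX_SIZE in exec.c, which now expands to a function call at every flush test, is consistent with it.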