diff options
Diffstat (limited to 'pkgs/applications/virtualization/qemu/default.nix')
| -rw-r--r-- | pkgs/applications/virtualization/qemu/default.nix | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 7fd01a8ffa9..4df14e030ae 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -86,6 +86,16 @@ stdenv.mkDerivation rec { patches = [ ./fix-qemu-ga.patch ./9p-ignore-noatime.patch + (fetchpatch { + name = "CVE-2021-3545.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/121841b25d72d13f8cad554363138c360f1250ea.patch"; + sha256 = "13dgfd8dmxcalh2nvb68iv0kyv4xxrvpdqdxf1h3bjr4451glag1"; + }) + (fetchpatch { + name = "CVE-2021-3546.patch"; + url = "https://gitlab.com/qemu-project/qemu/-/commit/9f22893adcb02580aee5968f32baa2cd109b3ec2.patch"; + sha256 = "1vkhm9vl671y4cra60b6704339qk1h5dyyb3dfvmvpsvfyh2pm7n"; + }) ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch ++ optionals stdenv.hostPlatform.isMusl [ (fetchpatch { @@ -114,6 +124,18 @@ stdenv.mkDerivation rec { # This means `-accel hvf` is broken for now, on aarch64-darwin only. substituteInPlace meson.build \ --replace 'if exe_sign' 'if false' + + # glibc 2.33 compat fix: if `has_statx = true` is set, `tools/virtiofsd/passthrough_ll.c` will + # rely on `stx_mnt_id`[1] which is not part of glibc's `statx`-struct definition. + # + # `has_statx` will be set to `true` if a simple C program which uses a few `statx` + # consts & struct fields successfully compiles. It seems as this only builds on glibc-2.33 + # since most likely[2] and because of that, the problematic code-path will be used. + # + # [1] https://github.com/torvalds/linux/commit/fa2fcf4f1df1559a0a4ee0f46915b496cc2ebf60#diff-64bab5a0a3fcb55e1a6ad77b1dfab89d2c9c71a770a07ecf44e6b82aae76a03a + # [2] https://sourceware.org/git/?p=glibc.git;a=blobdiff;f=io/bits/statx-generic.h;h=c34697e3c1fd79cddd60db294302e461ed8db6e2;hp=7a09e94be2abb92d2df612090c132e686a24d764;hb=88a2cf6c4bab6e94a65e9c0db8813709372e9180;hpb=c4e4b2e149705559d28b16a9b47ba2f6142d6a6c + substituteInPlace meson.build \ + --replace 'has_statx = cc.links(statx_test)' 'has_statx = false' ''; preConfigure = '' |