From 564d025a2c03538779c0f01c6ac6e6e48de956ac Mon Sep 17 00:00:00 2001 From: Drew Risinger Date: Tue, 15 Dec 2020 13:25:55 -0500 Subject: [PATCH 1/9] qemu: 5.1.0 -> 5.2.0 Updates to latest version of QEMU. The build system has changed to ninja. There are several configuration flags that aren't enabled. I will defer to maintainers on those. Adds autoPatchelfHook for patching output dynamically linked binaries. qemu: use Nix's meson vs bundled qemu: remove custom directory locations It appears that these directories are no longer automatically prefixed with $out/, so they are now trying to write to the system /etc/, /var/ directories, which is not permitted in sandbox. The default directories seem to work OK, so using those. (cherry picked from commit 9e403b19a1444b373874b6e9efdd728613c6badc) --- .../virtualization/qemu/CVE-2020-27617.patch | 43 ------------------- .../virtualization/qemu/default.nix | 38 ++++++---------- .../virtualization/qemu/no-etc-install.patch | 12 ------ 3 files changed, 12 insertions(+), 81 deletions(-) delete mode 100644 pkgs/applications/virtualization/qemu/CVE-2020-27617.patch delete mode 100644 pkgs/applications/virtualization/qemu/no-etc-install.patch diff --git a/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch b/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch deleted file mode 100644 index fa708b29836515..00000000000000 --- a/pkgs/applications/virtualization/qemu/CVE-2020-27617.patch +++ /dev/null 
@@ -1,43 +0,0 @@
-From 6d19c0cc6c5a9bba308fc29d7c0edc2dc372c41b Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Wed, 21 Oct 2020 11:35:50 +0530
-Subject: [PATCH] net: remove an assert call in eth_get_gso_type
-
-eth_get_gso_type() routine returns segmentation offload type based on
-L3 protocol type. It calls g_assert_not_reached if L3 protocol is
-unknown, making the following return statement unreachable. Remove the
-g_assert call, it maybe triggered by a guest user.
-
-Reported-by: Gaoning Pan
-Signed-off-by: Prasad J Pandit
----
- net/eth.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/net/eth.c b/net/eth.c
-index 0c1d413ee2..eee77071f9 100644
---- a/net/eth.c
-+++ b/net/eth.c
-@@ -16,6 +16,7 @@
- */
-
- #include "qemu/osdep.h"
-+#include "qemu/log.h"
- #include "net/eth.h"
- #include "net/checksum.h"
- #include "net/tap.h"
-@@ -71,9 +72,8 @@ eth_get_gso_type(uint16_t l3_proto, uint8_t *l3_hdr, uint8_t l4proto)
- return VIRTIO_NET_HDR_GSO_TCPV6 | ecn_state;
- }
- }
--
-- /* Unsupported offload */
-- g_assert_not_reached();
-+ qemu_log_mask(LOG_GUEST_ERROR, "%s: probably not GSO frame, "
-+ "unknown L3 protocol: 0x%04"PRIx16"\n", __func__, l3_proto);
-
- return VIRTIO_NET_HDR_GSO_NONE | ecn_state;
- }
---
-2.28.0
-
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix
index d1a66c9981938d..fe334f0b5a0c14 100644
--- a/pkgs/applications/virtualization/qemu/default.nix
+++ b/pkgs/applications/virtualization/qemu/default.nix
@@ -1,13 +1,13 @@ { stdenv, fetchurl, fetchpatch, python, zlib, pkgconfig, glib , ncurses, perl, pixman, vde2, alsaLib, texinfo, flex -, bison, lzo, snappy, libaio, gnutls, nettle, curl -, makeWrapper +, bison, lzo, snappy, libaio, gnutls, nettle, curl, ninja, meson +, makeWrapper, autoPatchelfHook , attr, libcap, libcap_ng , CoreServices, Cocoa, Hypervisor, rez, setfile , numaSupport ? stdenv.isLinux && !stdenv.isAarch32, numactl , seccompSupport ? stdenv.isLinux, libseccomp , pulseSupport ? !stdenv.isDarwin, libpulseaudio -, sdlSupport ? !stdenv.isDarwin, SDL2 +, sdlSupport ? !stdenv.isDarwin, SDL2, SDL2_image , gtkSupport ? !stdenv.isDarwin && !xenSupport, gtk3, gettext, vte, wrapGAppsHook , vncSupport ? true, libjpeg, libpng , smartcardSupport ? true, libcacard @@ -36,7 +36,7 @@ let in stdenv.mkDerivation rec { - version = "5.1.0"; + version = "5.2.0"; pname = "qemu" + stdenv.lib.optionalString xenSupport "-xen" + stdenv.lib.optionalString hostCpuOnly "-host-cpu-only" @@ -44,10 +44,10 @@ stdenv.mkDerivation rec { src = fetchurl { url= "https://download.qemu.org/qemu-${version}.tar.xz"; - sha256 = "1rd41wwlvp0vpialjp2czs6i3lsc338xc72l3zkbb7ixjfslw5y9"; + sha256 = "1g0pvx4qbirpcn9mni704y03n3lvkmw2c0rbcwvydyr8ns4xh66b"; }; - nativeBuildInputs = [ python python.pkgs.sphinx pkgconfig flex bison ] + nativeBuildInputs = [ python python.pkgs.sphinx pkgconfig flex bison meson ninja autoPatchelfHook ] ++ optionals gtkSupport [ wrapGAppsHook ]; buildInputs = [ zlib glib ncurses perl pixman @@ -58,7 +58,7 @@ stdenv.mkDerivation rec { ++ optionals seccompSupport [ libseccomp ] ++ optionals numaSupport [ numactl ] ++ optionals pulseSupport [ libpulseaudio ] - ++ optionals sdlSupport [ SDL2 ] + ++ optionals sdlSupport [ SDL2 SDL2_image ] ++ optionals gtkSupport [ gtk3 gettext vte ] ++ optionals vncSupport [ libjpeg libpng ] ++ optionals smartcardSupport [ libcacard ] 
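Review bot: `autoPatchelfHook` is added to `nativeBuildInputs` in the `-44,10` hunk for every platform, with no comment saying which binary needs it. The hook rewrites the interpreter and RPATH of the ELF files it finds in the outputs; QEMU presumably also installs guest firmware images that are ELF files, so it is worth confirming those are left untouched. I would add a comment above the list such as `# autoPatchelfHook: <binary that fails to load without it>`. If only a few host binaries need it, setting `dontAutoPatchelf = true;` and calling `autoPatchelf` on those paths alone keeps the rewrite narrow.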
@@ -72,20 +72,13 @@ stdenv.mkDerivation rec { ++ optionals smbdSupport [ samba ]; enableParallelBuilding = true; + dontUseMesonConfigure = true; # meson's configurePhase isn't compatible with qemu build outputs = [ "out" "ga" ]; patches = [ - ./no-etc-install.patch ./fix-qemu-ga.patch ./9p-ignore-noatime.patch - ./CVE-2020-27617.patch - (fetchpatch { - # e1000e: infinite loop scenario in case of null packet descriptor, remove for QEMU >= 5.2.0-rc3 - name = "CVE-2020-28916.patch"; - url = "https://git.qemu.org/?p=qemu.git;a=patch;h=c2cb511634012344e3d0fe49a037a33b12d8a98a"; - sha256 = "1kvm6wl4vry0npiisxsn76h8nf1iv5fmqsyjvb46203f1yyg5pis"; - }) ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch ++ optionals stdenv.hostPlatform.isMusl [ (fetchpatch { @@ -103,27 +96,19 @@ stdenv.mkDerivation rec { }) ]; - # Remove CVE-2020-{29129,29130} for QEMU >5.1.0 - postPatch = '' - (cd slirp && patch -p1 < ${fetchpatch { - name = "CVE-2020-29129_CVE-2020-29130.patch"; - url = "https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f.patch"; - sha256 = "01vbjqgnc0kp881l5p6b31cyyirhwhavm6x36hlgkymswvl3wh9w"; - }}) - ''; - hardeningDisable = [ "stackprotector" ]; preConfigure = '' unset CPP # intereferes with dependency calculation + # this script isn't marked as executable b/c it's indirectly used by meson. Needed to patch its shebang + chmod +x ./scripts/shaderinclude.pl + patchShebangs . '' + optionalString stdenv.hostPlatform.isMusl '' NIX_CFLAGS_COMPILE+=" -D_LINUX_SYSINFO_H" ''; configureFlags = [ "--audio-drv-list=${audio}" - "--sysconfdir=/etc" - "--localstatedir=/var" "--enable-docs" "--enable-tools" "--enable-guest-agent" @@ -163,6 +148,7 @@ stdenv.mkDerivation rec { wrapGApp $f done ''; + preBuild = "cd build"; # Add a ‘qemu-kvm’ wrapper for compatibility/convenience. postInstall = '' 
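Review bot: `./CVE-2020-27617.patch` is dropped from `patches` in the `-72,20` hunk with nothing recording that the 5.2.0 tarball contains that fix. The two other removed entries (CVE-2020-28916 and the slirp CVE-2020-29129/29130 patch in `postPatch`) at least carried comments naming the release from which they could go. Please confirm the `eth_get_gso_type` change is in 5.2.0 and say so, for example with `# CVE-2020-27617, CVE-2020-28916, CVE-2020-29129, CVE-2020-29130: fixed upstream in 5.2.0` above `patches`. The `patches` list continues outside this hunk.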
diff --git a/pkgs/applications/virtualization/qemu/no-etc-install.patch b/pkgs/applications/virtualization/qemu/no-etc-install.patch deleted file mode 100644 index 5bab930d06a58a..00000000000000 --- a/pkgs/applications/virtualization/qemu/no-etc-install.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/Makefile b/Makefile ---- a/Makefile -+++ b/Makefile -@@ -867,7 +867,7 @@ install-includedir: - $(INSTALL_DIR) "$(DESTDIR)$(includedir)" - - install: all $(if $(BUILD_DOCS),install-doc) \ -- install-datadir install-localstatedir install-includedir \ -+ install-datadir install-includedir \ - $(if $(INSTALL_BLOBS),$(edk2-decompressed)) \ - recurse-install - ifneq ($(TOOLS),) From 9957e6df869168197fa7eb42a66f63cf39e19d44 Mon Sep 17 00:00:00 2001 From: Milan Date: Mon, 25 Jan 2021 19:24:32 +0100 Subject: [PATCH 2/9] qemu: fix build when desktop file does not exist (#110721) The qemu-user variants as used by binfmt emulation through `(lib.systems.elaborate lib.systems.examples.aarch64-multiplatform).emulator pkgs` does not install a .desktop file since qemu 5.2.0. This change allows the build to continue if deletion of the desktop file fails. (cherry picked from commit b7871c3f2da1a38bccd839401f6113f734f62e43) --- pkgs/applications/virtualization/qemu/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index fe334f0b5a0c14..3de4e866b468dd 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -137,7 +137,7 @@ stdenv.mkDerivation rec { postFixup = '' # the .desktop is both invalid and pointless - rm $out/share/applications/qemu.desktop + rm -f $out/share/applications/qemu.desktop # copy qemu-ga (guest agent) to separate output mkdir -p $ga/bin From 4d32d47751619954763c8b8d97cd948c5f3cd136 Mon Sep 17 00:00:00 2001 
From: TredwellGit Date: Sat, 13 Feb 2021 00:25:28 +0000 Subject: [PATCH 3/9] qemu: set sysconfdir Fixes https://github.com/NixOS/nixpkgs/issues/111675 and https://github.com/NixOS/nixpkgs/issues/110142. (cherry picked from commit dd441204f66039f0ee23cf134ece6423f749dd1e) --- pkgs/applications/virtualization/qemu/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 3de4e866b468dd..7cc009f99d8af4 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -112,6 +112,7 @@ stdenv.mkDerivation rec { "--enable-docs" "--enable-tools" "--enable-guest-agent" + "--sysconfdir=/etc" ] # disable sysctl check on darwin. ++ optional stdenv.isDarwin "--cpu=x86_64" From 76a29c2c79a078fd3debece84b6a72c7606211bd Mon Sep 17 00:00:00 2001 From: Ivan Babrou Date: Mon, 8 Feb 2021 13:42:49 -0800 Subject: [PATCH 4/9] qemu: only apply autoPatchelfHook on linux It fails on darwin due to missing `patchelf` and the missing ELFs: ``` /nix/store/...-auto-patchelf-hook/nix-support/setup-hook: line 220: -l: command not found ``` (cherry picked from commit 251add14cf97aa893e9934c225ee7412861bc655) --- pkgs/applications/virtualization/qemu/default.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 7cc009f99d8af4..df1d51d1cc4821 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix 
@@ -47,8 +47,9 @@ stdenv.mkDerivation rec { sha256 = "1g0pvx4qbirpcn9mni704y03n3lvkmw2c0rbcwvydyr8ns4xh66b"; }; - nativeBuildInputs = [ python python.pkgs.sphinx pkgconfig flex bison meson ninja autoPatchelfHook ] - ++ optionals gtkSupport [ wrapGAppsHook ]; + nativeBuildInputs = [ python python.pkgs.sphinx pkgconfig flex bison meson ninja ] + ++ optionals gtkSupport [ wrapGAppsHook ] + ++ optionals stdenv.isLinux [ autoPatchelfHook ]; buildInputs = [ zlib glib ncurses perl pixman vde2 texinfo makeWrapper lzo snappy From 52a2d75aa7ca7850cd8331d0429e0ec3e59d7169 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Tue, 2 Mar 2021 16:56:43 +0100 Subject: [PATCH 5/9] qemu: remove not require enableParallelBuild (cherry picked from commit 993fb95e7832e62e8de93735ffcd2006bc693fc5) --- pkgs/applications/virtualization/qemu/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index df1d51d1cc4821..897e521c2837b4 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -72,7 +72,6 @@ stdenv.mkDerivation rec { ++ optionals virglSupport [ virglrenderer ] ++ optionals smbdSupport [ samba ]; - enableParallelBuilding = true; dontUseMesonConfigure = true; # meson's configurePhase isn't compatible with qemu build outputs = [ "out" "ga" ]; From 2c36bd6eed5bde3ed62965c8e4e7c499fffa411b Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Tue, 9 Feb 2021 21:26:43 +0000 Subject: [PATCH 6/9] qemu: re-enable stack protection 5e259952953 ("qemu: 2.6.1 -> 2.7.0") added this, because the QEMU build failed without it. That's no longer the case, so we can bring back stack protection. (cherry picked from commit 8f0bd879da6142aed53c544b9354c090206e07be) --- pkgs/applications/virtualization/qemu/default.nix | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index 897e521c2837b4..b349251554cc58 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -96,8 +96,6 @@ stdenv.mkDerivation rec { }) ]; - hardeningDisable = [ "stackprotector" ]; - preConfigure = '' unset CPP # intereferes with dependency calculation # this script isn't marked as executable b/c it's indirectly used by meson. Needed to patch its shebang From d64d7b061e9c71a25cb486325ca36d3af3f4366e Mon Sep 17 00:00:00 2001 From: Alyssa Ross Date: Wed, 10 Feb 2021 20:48:54 +0000 Subject: [PATCH 7/9] qemu: set localstatedir Otherwise qemu-qa, qemu-pr-helper, and virtiofsd, try to write to $out/var at runtime. Fixes: https://github.com/NixOS/nixpkgs/issues/113909 Fixes: https://github.com/NixOS/nixpkgs/pull/112886 (cherry picked from commit 8e71416e5d4306c3800133ca6dc2ad4469480b90) --- pkgs/applications/virtualization/qemu/default.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index b349251554cc58..fcd7d39611e666 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix @@ -96,6 +96,12 @@ stdenv.mkDerivation rec { }) ]; + # Otherwise tries to ensure /var/run exists. + postPatch = '' + sed -i "/install_subdir('run', install_dir: get_option('localstatedir'))/d" \ + qga/meson.build + ''; + preConfigure = '' unset CPP # intereferes with dependency calculation # this script isn't marked as executable b/c it's indirectly used by meson. Needed to patch its shebang @@ -110,6 +116,7 @@ stdenv.mkDerivation rec { "--enable-docs" "--enable-tools" "--enable-guest-agent" + "--localstatedir=/var" "--sysconfdir=/etc" ] # disable sysctl check on darwin. From 47cb673e4571ff6435fe1910a891d66a3d20bad3 Mon Sep 17 00:00:00 2001 
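Review bot: The `sed` in the new `postPatch` (hunk `-96,6`) deletes a line only if it matches the quoted `install_subdir(...)` text exactly, so any reformatting of `qga/meson.build` upstream turns it into a silent no-op. A guard placed before it makes that drift visible at patch time: `grep -q "install_subdir('run'" qga/meson.build`. This assumes the phase aborts on a failing command, which should be confirmed for this stdenv.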
From: Robert Scott Date: Sun, 25 Apr 2021 01:09:01 +0100 Subject: [PATCH 8/9] qemu: add patches for many CVEs CVE-2020-27821 CVE-2020-20221 CVE-2020-20181 CVE-2020-35517 CVE-2021-20263 CVE-2021-3416 CVE-2021-3409 CVE-2021-3392 (cherry picked from commit 3f2857f78244798d354519a142b5e9a7fca26e49) --- .../virtualization/qemu/default.nix | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index fcd7d39611e666..d76533b7c206b5 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix 
@@ -79,6 +79,126 @@ stdenv.mkDerivation rec { patches = [ ./fix-qemu-ga.patch ./9p-ignore-noatime.patch + (fetchpatch { + name = "CVE-2020-27821.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/memory-clamp-cached-translation-if-points-to-MMIO-region-CVE-2020-27821.patch"; + sha256 = "0sj0kr0g6jalygr5mb9i17fgr491jzaxvk3dvala0268940s01x9"; + }) + (fetchpatch { + name = "CVE-2020-20221.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/arm_gic-fix-interrupt-ID-in-GICD_SGIR-CVE-2021-20221.patch"; + sha256 = "1iyvcw87hzlc57fg5l87vddqmch8iw2yghk0s125hk5shn1bygjq"; + }) + (fetchpatch { + name = "CVE-2020-20181.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch"; + sha256 = "149ifiazj6rn4d4mv2c7lcayq744fijsv5abxlb8bhbkj99wd64f"; + }) + (fetchpatch { + name = "CVE-2020-35517.part-1.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-extract-lo_do_open-from-lo_open.patch"; + sha256 = "0j4waaz6q54by4a7vd5m8s2n8y0an9hqf0ndycxsy03g4ksm669d"; + }) + (fetchpatch { + name = "CVE-2020-35517.part-2.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-optionally-return-inode-pointer-from-lo_do_lookup.patch"; + sha256 = "08bag890r6dx2rhnq58gyvsxvzwqgvn83pjlg95b5ic0z6gyjnsg"; + }) + (fetchpatch { + name = "CVE-2020-35517.part-3.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-prevent-opening-of-special-files-CVE-2020-35517.patch"; + sha256 = "0ziy6638zbkn037l29ywirvgymbqq66l5rngg8iwyky67acilv94"; + }) + (fetchpatch { + name = "CVE-2021-20263.part-1.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-save-error-code-early-at-the-failure-callsite.patch"; + sha256 = "15rwb15yjpclrqaxkhx76npr8zlfm9mj4jb19czg093is2cn4rys"; + }) 
+ (fetchpatch { + name = "CVE-2021-20263.part-2.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/virtiofsd-drop-remapped-security.capability-xattr-as-needed-CVE-2021-20263.patch"; + sha256 = "06ylz80ilg30wlskd4dsjx677fp5qr8cranwlakvjhr88b630xw0"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-1.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-introduce.patch"; + sha256 = "0hcpf00vqpg9rc0wl8cry905w04614843aqifybyv15wbv190gpz"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-2.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-cadence_gem.patch"; + sha256 = "12mjnrvs6p4g5frzqb08k4h86hphdqlka91fcma2a3m4ap98nrxy"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-3.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-dp8393x.patch"; + sha256 = "02z6q0578fj55phjlg2larrsx3psch2ixzy470yf57jl3jq1dy6k"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-4.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-e1000.patch"; + sha256 = "0zzbiz8i9js524mcdi739c7hrsmn82gnafrygi0xrd5sqf1hp08z"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-5.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-lan9118.patch"; + sha256 = "1f44v5znd9s7l7wgc71nbg8jw1bjqiga4wkz7d7cpnkv3l7b9kjj"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-6.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-msf2.patch"; + sha256 = "04n1rzn6gfxdalp34903ysdhlvxqkfndnqayjj3iv1k27i5pcidn"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-7.patch"; + url = 
"https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-pcnet.patch"; + sha256 = "1p9ls6f8r6hxprj8ha6278fydcxj3av29p1hvszxmabazml2g7l2"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-8.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-rtl8139.patch"; + sha256 = "0lms1zn49kpwblkp54widjjy7fwyhdh1x832l1jvds79l2nm6i04"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-9.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-sungem.patch"; + sha256 = "1mkzyrgsp9ml9yqzjxdfqnwjr7n0fd8vxby4yp4ksrskyni8y0p4"; + }) + (fetchpatch { + name = "CVE-2021-3416.part-10.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/net-qemu_receive_packet-for-loopback-tx_pkt-iov.patch"; + sha256 = "1pwqq8yw06y3p6hah3dgjhsqzk802wbn7zyajla1zwdfpic63jss"; + }) + (fetchpatch { + name = "CVE-2021-3409.part-1.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/dont-transfer-any-data-when-command-time-out.patch"; + sha256 = "0wf1yhb9mqpfgh9rv0hff0v1sw3zl2vsfgjrby4r8jvxdfjrxj8s"; + }) + (fetchpatch { + name = "CVE-2021-3409.part-2.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/dont-write-to-SDHC_SYSAD-register-when-transfer-is-in-progress.patch"; + sha256 = "1dd405dsdc7fbp68yf6f32js1azsv3n595c6nbxh28kfh9lspx4v"; + }) + (fetchpatch { + name = "CVE-2021-3409.part-3.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/correctly-set-the-controller-status-for-ADMA.patch"; + sha256 = "08jk51pfrbn1zfymahgllrzivajh2v2qx0868rv9zmgi0jldbky6"; + }) + (fetchpatch { + name = "CVE-2021-3409.part-4.patch"; + url = 
"https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/limit-block-size-only-when-SDHC_BLKSIZE-register-is-writable.patch"; + sha256 = "1valfhw3l83br1cny6n4kmrv0f416hl625mggayqfz4prsknyhh7"; + }) + (fetchpatch { + name = "CVE-2021-3409.part-5.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/sdhci/reset-the-data-pointer-of-s-fifo_buffer-when-a-different-block-size-is-programmed.patch"; + sha256 = "01p5qrr00rh3mlwrp3qq56h7yhqv0w7pw2cw035nxw3mnap03v31"; + }) + (fetchpatch { + name = "CVE-2021-3392.patch"; + url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/mptsas-remove-unused-MPTSASState.pending-CVE-2021-3392.patch"; + sha256 = "0n7dn2p102c21mf3ncqrnks0wl5kas6yspafbn8jd03ignjgc4hd"; + }) ] ++ optional nixosTestRunner ./force-uid0-on-9p.patch ++ optionals stdenv.hostPlatform.isMusl [ (fetchpatch { From 1e17a38a1ecfafd4a23597613b8f9f9e8487ccbf Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sun, 25 Apr 2021 19:09:36 +0100 Subject: [PATCH 9/9] qemu: patches: use correct CVE numbers for CVE-2021-20221 & CVE-2021-20181 (cherry picked from commit 5b0b678a31100332903324f434e1d4f053a5f404) --- pkgs/applications/virtualization/qemu/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/virtualization/qemu/default.nix b/pkgs/applications/virtualization/qemu/default.nix index d76533b7c206b5..a767171e2dd7ab 100644 --- a/pkgs/applications/virtualization/qemu/default.nix +++ b/pkgs/applications/virtualization/qemu/default.nix 
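Review bot: None of the `fetchpatch` entries added in this hunk say when they can be removed, whereas the entries dropped by the 5.2.0 update carried `remove for QEMU >= …` comments. All of them come from the Debian `1:5.2+dfsg-10` patch set. The multi-part ones (CVE-2020-35517, CVE-2021-20263, CVE-2021-3416, CVE-2021-3409) appear, judging by the file names, to depend on list order because the first part of each introduces what the later parts use. I would add one comment above the block, e.g. `# CVE backports from Debian 1:5.2+dfsg-10; keep multi-part entries in order, drop on the next version bump once fixed upstream`. The `patches` list starts before and continues after the hunk.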
@@ -85,12 +85,12 @@ stdenv.mkDerivation rec {
 sha256 = "0sj0kr0g6jalygr5mb9i17fgr491jzaxvk3dvala0268940s01x9";
 })
 (fetchpatch {
- name = "CVE-2020-20221.patch";
+ name = "CVE-2021-20221.patch";
 url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/arm_gic-fix-interrupt-ID-in-GICD_SGIR-CVE-2021-20221.patch";
 sha256 = "1iyvcw87hzlc57fg5l87vddqmch8iw2yghk0s125hk5shn1bygjq";
 })
 (fetchpatch {
- name = "CVE-2020-20181.patch";
+ name = "CVE-2021-20181.patch";
 url = "https://sources.debian.org/data/main/q/qemu/1:5.2+dfsg-10/debian/patches/9pfs-Fully-restart-unreclaim-loop-CVE-2021-20181.patch";
 sha256 = "149ifiazj6rn4d4mv2c7lcayq744fijsv5abxlb8bhbkj99wd64f";
 })