
From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/musl:master commit in: app-emulation/qemu/, app-emulation/qemu/files/
Date: Fri, 15 Jul 2016 06:27:48
Message-Id: 1468564267.283a88cbb8cda315a05a039a3d56705660d250ba.blueness@gentoo
1 commit: 283a88cbb8cda315a05a039a3d56705660d250ba
2 Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
3 AuthorDate: Fri Jul 15 06:31:07 2016 +0000
4 Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org>
5 CommitDate: Fri Jul 15 06:31:07 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=283a88cb
7
8 app-emulation/qemu: update based on 2.5.0-r3
9
10 Package-Manager: portage-2.2.28
11 RepoMan-Options: --force
12
13 app-emulation/qemu/Manifest | 19 ++-
14 .../qemu/files/qemu-2.5.0-9pfs-segfault.patch | 34 ++++
15 .../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ++++
16 .../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 ++++++++++++++
17 .../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 +++++++
18 .../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 ++++++++
19 .../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 +++++++++++
20 .../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 +++++
21 .../qemu/files/qemu-2.5.0-CVE-2016-2198.patch | 46 ++++++
22 .../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ++++
23 .../qemu/files/qemu-2.5.0-ne2000-reg-check.patch | 37 +++++
24 .../files/qemu-2.5.0-rng-stack-corrupt-0.patch | 98 +++++++++++
25 .../files/qemu-2.5.0-rng-stack-corrupt-1.patch | 135 ++++++++++++++++
26 .../files/qemu-2.5.0-rng-stack-corrupt-2.patch | 155 ++++++++++++++++++
27 .../files/qemu-2.5.0-rng-stack-corrupt-3.patch | 179 +++++++++++++++++++++
28 .../qemu/files/qemu-2.5.0-sysmacros.patch | 15 ++
29 .../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 ++++++
30 .../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 +++++++
31 ...emu-2.5.0-r99.ebuild => qemu-2.5.0-r999.ebuild} | 62 +++++--
32 19 files changed, 1335 insertions(+), 11 deletions(-)
33
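diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest
index 3d07bf4..4e4858a 100644
--- a/app-emulation/qemu/Manifest
+++ b/app-emulation/qemu/Manifest
@@ -4,14 +4,31 @@ AUX qemu-1.7.0-cflags.patch 300 SHA256 8f35e55c4bae93e82f9580eabe2d6a2d4660bd053
 AUX qemu-2.0.0-F_SHLCK-and-F_EXLCK.patch 563 SHA256 99de67d610ad13a1dcf6c67a3c2b5b87fb909220173a956435737f9bea3c371b SHA512 a29e9a889388a6627ed492a79e66514ffb5e64f9479646982091811548fc2a9bf6682104a6c774d83e645e4b1db39e491afd4efce789fe164623442a7f3e5d00 WHIRLPOOL d3aab06099de263c22f4c71810a3b2cb8602d17731ec76674cd1415e539306555a7b96b789f0daad473600dfa04a83224ff603f7b9a9ac63a4902f74d0e9deb5
 AUX qemu-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 930 SHA256 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac SHA512 ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea WHIRLPOOL 06b9dd5251ac03405c97b1f5a623b4d86bda2f72fbcd52b90ae4d11a0cfb59cae62df2cb6189405fbe53ab05ff2b7ca8165fda239dbfe5f31ed70abb53b3b9f3
 AUX qemu-2.2.0-_sigev_un.patch 636 SHA256 f3b9a4d6162c553f3110ad22716305818e2130e2ff5d628faf044fc58a5e3cb5 SHA512 f72b879daede5184904f64cabb276de96299a37a93fce444d09e9068671009e95a5e5d6b815ec41a5db5b3807de14d470a56bba5806ffd4dfec577577b046ccb WHIRLPOOL 9453ad4966e10d504f3e867fd984642a3c1ee3ae847b5ca56196fd1f9e6c0f2d7b52ca07446212af72fef6d0ded1527a5eb306fa6cd915e8dd9ce11523362bac
+AUX qemu-2.5.0-9pfs-segfault.patch 1294 SHA256 707835ed8af1aa7e8fc9f0e06c6afa8e77fe7858b20ad4c2df2a1aec0627332d SHA512 2af7498939ba653c36808a7bccafe4a3d8c3d1cfa7199c5788f67fb001925dff17e4faba5e13c6b1517ca887209452f4ba7ed71f6b4464d55b5e942350406f90 WHIRLPOOL 591ba85bd9e5ab0665ed5835878886ec0d774a500ed966dd1b37e5478a4799a38d319a6bb88d214f202a83282db6a0434641b30c8b70ceef6bd2fb1e38f8faef
 AUX qemu-2.5.0-CVE-2015-8558.patch 1459 SHA256 d769e6eb6dc0bdb0b982ef5fe7d73cc6bad47233102f53d11c6ed6c9051602d8 SHA512 42961191890c500675610d5d33e6ff468b07428c6b428ac01bb5c0e3ea88ff611a3532f848d54317458475fef221a06e41761ef14ea61d1b741db73450c4f90d WHIRLPOOL 475679dc1a24bc75012995a9a2122847454701b65ff0b7f8192865b45de49ce08572f129a7cfdeb36521252ed2f80c95e9dddbd64cb8e39fdc5beacc25934798
 AUX qemu-2.5.0-CVE-2015-8567.patch 3108 SHA256 88b72df4e02407c3b9ca4835c38988b97fcd5aa9c68da6fa47207fe675d4e661 SHA512 2f0243ec9764d72fe5e7a005a8db40d3d5c4c2edae5c3451087ee3f5c841c96a3112875cf88a19061fa2ce0d04715d247e6eb1eb83e1e5b57ec0b9eb324b8ce6 WHIRLPOOL b432ff3e105da5c0bd20dd1d7da0374f4005b2ac5a9a8c824e96730aeafa89bb8fc125f8b2857fdaf72024082ddbc0c7a28c3e3ffb9114c3d370db1b638c4731
+AUX qemu-2.5.0-CVE-2015-8613.patch 1264 SHA256 c8df9bb4c0100ef6c8ae09acd73878e46b3ad4a9e04b9cfe30445922bc33299c SHA512 ea2bf909ec29bab0b2131bf9d3e8fc04f176393258c4ce578d3ac8d76f09a25b96f8a3b2aa450b47c0ba9bc9637e5b93e7cc53542362b48930de18ceebb07698 WHIRLPOOL f0d415b1df9f05cb0431801054535f8939d46e7dda6eaa5ce990eef82ddc458003eb9ae5dc06e3269ddb5ed8f8c903c1f3d058d41e63ea9a5192b6149283feb2
+AUX qemu-2.5.0-CVE-2015-8619.patch 4220 SHA256 325bb3df340a1f5115a345a145bed94e9b2d5721cf8cce1217138e8d5a8a0c1a SHA512 317e882da18332fe667c10c55b8f026d347d93c61f668e8ddb916f1b0f5e39a9e3104c14ab2306ce761024a02a78af3a4808627ad9f18c0d43d748fd30c21505 WHIRLPOOL feddd255cf3844cd270ca2662f6140cc7104f8328e51acb01dc2f6f1b4646061569f5faa629264ebeaa5a2b18e595c4a90b69a588aa05f1acf70d9570067c6c0
 AUX qemu-2.5.0-CVE-2015-8701.patch 1671 SHA256 f39e0c6301cffa1b14c3ef0ab72fce0e2acd42170759ef7954234d31602aeb99 SHA512 d39edf84e2d17e6080bbc4a270732cd73b41fa39d948ee7bc4456e1024c5a69ddfb5e848af3272615f5aa36a3b6410a12f5a73e00ccfa58e0d60d7289d034aa9 WHIRLPOOL 352148c367837ba2d6eb5eb39e00c128f0cff3faef159754a41318857bc11a6616be184c24df4767ec2c8c14910ad74fc3be48273f6312b1687910fbcaf7bec3
 AUX qemu-2.5.0-CVE-2015-8743.patch 1777 SHA256 22aac571c1aa6f6a283d200a7703fdfea0a5bcaf227a003a2cbf5741bbb8df85 SHA512 65d8632fd43959983ca02f9ab116ec78ea043e6d867e6d743014885c2a423bb3b87c2e56caa37e7f29e971a44f5ea695cb4ce1c3a9c1fc2d734b25ca0b2f4054 WHIRLPOOL 9128c812cfbfe3d4629cd6c7c2c6f50c9ef2fe2d5b62b24486559279296987f593f852f913eb67fbe956d650d50612fa7a658a60b3d80cf4fa9256e332d77330
 AUX qemu-2.5.0-CVE-2016-1568.patch 1476 SHA256 ba2a25142977eea531159d81ef8938e8519c92800aa1958e71da9e2780c8256a SHA512 643ef742e6cd1dbc8f420b38f684bc8639e4bd58ab38c254654d4b1a72b129202fecdddddfd308b48ed7813da193edff68d737080d5035c82daf9676ee17df22 WHIRLPOOL af9376400540f20d77ea06cb6a12ce415b72bb22cdde3365bba8b02deb8985aedfee303646e13e1d1263a2dcd17bf1518637183a81c66c2db7b438aa88ef7d95
+AUX qemu-2.5.0-CVE-2016-1714.patch 2168 SHA256 2a366b01f5c05a87324ca765cea90bc93eda819d264932ac4588e6303e0b7dee SHA512 25f5f67dbcb2175bac1b5d6d11bf6b27019526c0ee43ed8580a0de10bf82ac62e5a71ded4d18c0e561d8d3832da630c92f9f118277da349367f55b4939029216 WHIRLPOOL 600d0c90779aaf7c1840e106359c909d486c7cce483edc0e5ddc627a127c907f5dd9cbd5b8ce561e2675f6bfe8cd0502efa96557601ce26eda2311b1072ab48b
+AUX qemu-2.5.0-CVE-2016-1922.patch 2114 SHA256 a10d23d5ff3d021aa0962c79a397b69518cec6cd570ebea771f03513d4b7eb1a SHA512 af895fd14e876f808203279176c5f5c28d95d0137385c6d0e56e27f9ad70b76552b8ce75a3be368ceed94fbc62999e8d6c5e6dbcd35e99d59c57787afe6ac57d WHIRLPOOL 199ec0c9bc766968778e5733e1ca0773999a3cccfa779d8fdf68c2ed866a1427048b0db9730eb2a1521be5e174ea6388b69053c85d0d25144e73df25ec7829a9
+AUX qemu-2.5.0-CVE-2016-1981.patch 4160 SHA256 ad440f4964670e68846a3469e0cb0eca3ecf11cfc5c2e32b09581b64eef43ab7 SHA512 f133a311da42cc831116251550359949e0f23f1163a7b0e638fc5f43edf1dea17a5e5843a06142c3086ef367d94898b074eebf8c371ea83b7a3981cfd20c4e27 WHIRLPOOL ba6e563917773d4488f51c11864a6ce1a4331ba6fc7925f47768282ea75f1a26c51792063c946579d49b28e3ed7a854a191732c1ba7ec40628395e971cf67782
+AUX qemu-2.5.0-CVE-2016-2197.patch 1358 SHA256 caa5eb42b21a3fc656982fdc4e511c8350eeb0511857d9b8f371e4e926c2ac80 SHA512 ee6467ef00c5db1e6c5f6331ec411afd139e7e8c5d5e23e3ee33b3161f0e79028ddecfa661bf4bfb5bac0cfa91385f69d66b57c5337384817f0756b7575aa099 WHIRLPOOL 67bab11771159560fd080d157477aa227aa351bb8101671c0e778a38a15d607a2346ade7b10310914f93d5a1faeb993003590e7bf75cd5c9d06db0c687085b51
+AUX qemu-2.5.0-CVE-2016-2198.patch 1540 SHA256 0d6d81a27ffac1af7c478a050aa690eb007cf9735a1a0c4b398eabeb990d5ab4 SHA512 b0b3131bb2b9b2d3f2a3f3286eeb92b527f0d3366e657cf8bcbabc6426b57893936c5a8ef66697ad1014b4525c09fa4d067195600f96ab2b005fd52b6e77d9a4 WHIRLPOOL f5c56b87f934c573fc71169fcded579b9917285fbfff59fd9288011775f482ead2ac09e1399f325e826305fab2f7bc2cd21d333711c526c1658a069a5ee93491
+AUX qemu-2.5.0-CVE-2016-2392.patch 1265 SHA256 a81d906bcf18fb5cf76fa5fa686c848a33f43054bff03a7a2e0e391a34884be8 SHA512 cac6503176f1e37fa6e9bab1daa4bbec6fb6fb3be4ec2e30427356969f3310b8bb898356f9e7f786e75c3ba07b9bc7afb9f0ac7a99adc12847de49b55c0d7960 WHIRLPOOL 65456ade1b773ebfe629ab0fb0045613b4d2f0f5c2d9ec20409170cba5011de46800bf1dd42a78334fe5166a2c8201e6505f3db904474cd4c28d1e88df0f9daf
 AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154
+AUX qemu-2.5.0-ne2000-reg-check.patch 1141 SHA256 b64fd5bfbd9c7b37b9003271e9902db4ea28b71095a51e161c7698e2f690183b SHA512 7f94ef8cb023224750abc5c2c7d515ccc6ce7f8b655a1454673ecc291193551b9ae00c248c609368a0cf143888ba2c3a5a929a4f9477e5efd27f92c45abc8722 WHIRLPOOL 43fec025a08e0aa0c14ab5ac11cd9aa49b03e52e3fcaacb6785ecd25aa531edfd04a5f8913330e27acf046f8cad2c57887e1a353779ee73ab8bb2dad65c446a7
+AUX qemu-2.5.0-rng-stack-corrupt-0.patch 3125 SHA256 164b155db78a9291b9f8dea71a16b5779e1a9d382a8cb0f5ff380d1f2d811cef SHA512 7da544873dbefbbc7a2ed69bd7cca0053bfe71ef7f5c2faf12cb5dc6e07b8d9104e5bcf329b3355e886edc5805509623234c9fe8fb536544d6285b04ccc59919 WHIRLPOOL f076264ce4bae5be2f34e006e3e4dcc20042313cb6da4977b61529c3100e835952807738d53a86967f98abad68eba1c8dcbb6a04af162b048399e059b5eb9d6b
+AUX qemu-2.5.0-rng-stack-corrupt-1.patch 4110 SHA256 16966eb20072a5d16fec46e5959e32708342af9a7266fe4a90a0abaf68af3529 SHA512 530d6a5f9b6795013bbe197cf0a0d7eddfb06d18c0f8410bcf5bcc2d32c4b72c325b8b0ade2c517bd305fcbdab03124cc527d24d73ce767daf51de65d00920c8 WHIRLPOOL c0b653c67993c6c6ed282f0c86099c8c80a241f10e23ef3fd8e33c6d86fbb5553049550e83954cfc6d3576735c4ce28099f813917966c0a05c84bb46a6bee413
+AUX qemu-2.5.0-rng-stack-corrupt-2.patch 4601 SHA256 c2b4e1ee8ee4bb2f4d42012a847c1da83a9e2349238d37bba1a3b9c440957f7f SHA512 ba299d07c7382f39f177f8094594daf131727d3d28633b426064f7cc6bf75d19b1ae78db248fc70ddbdb43fd2a6b0c5ed7793e6f42aba2763cdb4c12d6816c54 WHIRLPOOL 62b6ab75c32574a4c53193d82c7f51efdaa4789154c2d2f9acee7ede240d2920d92e31dfead7edc17aa12f938919143ce049d2c9ef9733baccc27d382506437f
+AUX qemu-2.5.0-rng-stack-corrupt-3.patch 5519 SHA256 5a3c2ed59bc30f395aee5cd0b77cdb06d868386e5bbe1b392169f8d96ae9474a SHA512 f62713130d3b989b274476a4cc2eafb95dc41de4723fe475e454132817a159eb729bbbe5a29aee755715100095670107c5762271184252e9d0cd43c4b25bc5d1 WHIRLPOOL f8e4aa90b90b03dd6e4dd68734cb16ee5f59a9585697ef3c48e7e861968798cb3c66018ad5a788f99b99e9fddab2ae83d977ec4b1a8599596a5ce03286726e3e
+AUX qemu-2.5.0-sysmacros.patch 333 SHA256 a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 WHIRLPOOL 2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73
+AUX qemu-2.5.0-usb-ehci-oob.patch 2014 SHA256 e0593f8a645dfca3115ea56d1b74d701f07c60d80eadf0bf68133e7539de345a SHA512 c02e0881bb85ffbf7d401b4ee5801692262cddaef9245dfcbf323f0f4d310394e1fbbf639f7a3d2d39ae428c09513adcb9be7fdcf49b7accf133d911dc0b702c WHIRLPOOL 992b2c6d3464a53174054f0d2dc6ec70eeb1e17128ee65c7986d9f5ec80e037bca9bd5bfb65c66bb9bf85f0b56a1a6d008ab4dbe35602d7deea9489add2e7c4b
+AUX qemu-2.5.0-usb-ndis-int-overflow.patch 2404 SHA256 caa4ff5ab038e88b2b09f04f2a9528fc47d42d35fbd35bbd7907afd292ef66db SHA512 f87de0a9f161f14814fafc883bd557f8f007a53729dc3c36145dd19ea9c52eabb81f6ada4e4a7122a461c9bed6f524ea0b92f9182b77a4c7cf9c8ecfc217f8e0 WHIRLPOOL 6022a3e0b125beb85efa2b6c1edf5a94dce27bd299d247078d418cf6515c8fc0ca1d8032034ef427c3d4681cc3536900099391b623152b2609cab2f4f963d046
 AUX qemu-binfmt.initd-r1 6910 SHA256 2886c567589b958f450a87537cdb6c5bf95e8c1e4afbdf59139d16819e79d51d SHA512 09f399b6b559c6dd64d77843f600afad464909e72ae0924e97a5ef2eea55b3fb8abf6fbd57c380ec60e2f9d145ec365fd9a24c2e1b84cc6cef7070e4fb5bd72e WHIRLPOOL 983f6ae733c23c0049321184e1b6738ad5d27a70265945e6b47f3fb317ba3c84918b4929e728081549062fd0bf4a46c0a7e7184911355f3ac75963e1f8b70cd4
 AUX qemu-kvm-1.4 68 SHA256 8b1adf198129f001e75a2311fc420c168094d1084d2163cdf6a32b3b23c96137 SHA512 706fab4d155c410acc292e67fb354ce7dcd17f7e33f2ca8c9c44035ea128f8d36f89e27cf87ebe22721f5676be9e7f2ae5484fd000183c8ffd7854e02eb3d120 WHIRLPOOL ef795330b592cef8e3d92f52a77eb77a671e6aa1a47d07531917b5c1c09e72e5df1a44aea939b086e0a3c5ef2a5cea9223556a46ceae73e55300475c42f07067
 DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef
-EBUILD qemu-2.5.0-r99.ebuild 20028 SHA256 a8c89e0649ac5d54414b0ba7a4c86e2673fd3ec2e0d03cf23a559ad48a34fa4d SHA512 ccdc156b51f7e790eb0b4922c6a466658525c76e55818c9fa77cc56d542d6fe0607a9eb868c39b226376396282455d582e04921f6289a0cf35a9091aae239f86 WHIRLPOOL 0a9f4f35b22bdc85567f5f60729ba9e973db5b34cfcae571db66ab395010e27084c9fd58d1a65d237444099e893d829721f4984d8c6d47c4c55fea8eba7b7884
+EBUILD qemu-2.5.0-r999.ebuild 21699 SHA256 8ca42bbf30baa2271e0a1a7be920a06dba32f7c0b6c0ea50d3dd93d949d6522f SHA512 182ccb339259864276e7540b630dfb46e98058df978ffe7ad1a13df541f70f949a62ece46699cc2ba4c3311a24ccd609933733226bb660cc28c37a4f9608c755 WHIRLPOOL 462aa47e61ad570fc9d874145bbca1ab5b804b590f97a34c62f2640b774f380d105c7d2a61790c1c229b8613f8aa74e2d78f8e01dcdce336e202ce64b4172e2b
 MISC metadata.xml 3925 SHA256 d1c219b7da0cbf77919cd1e055acbb3f6788a574fd802c98a43c89a411697b36 SHA512 3ff45d1c8ede12b4eedc7d01f39777b76a1cbd0ba9364299dec99d4b4a05cade5784d6f6e50197d5b5ae1f1b8e831c49da195eb53263c49b7d16aec8ee28b6e6 WHIRLPOOL bc25783fac0f3f13318834cc535404af9af20de16c7aeec222e59dc2ed7740ac5e767b329a5bcd6356d0cbae2428e278515f1446aa8ecb87a873bf4dbe04bf41
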
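diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
new file mode 100644
index 0000000..0e27684
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
@@ -0,0 +1,34 @@
+From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <gkurz@××××××××××××××.com>
+Date: Wed, 23 Dec 2015 10:56:58 +0100
+Subject: [PATCH] virtio-9p: use accessor to get thread_pool
+
+The aio_context_new() function does not allocate a thread pool. This is
+deferred to the first call to the aio_get_thread_pool() accessor. It is
+hence forbidden to access the thread_pool field directly, as it may be
+NULL. The accessor *must* be used always.
+
+Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
+Reviewed-by: Michael Tokarev <mjt@×××××××.ru>
+Tested-by: Michael Tokarev <mjt@×××××××.ru>
+Cc: qemu-stable@××××××.org
+Signed-off-by: Greg Kurz <gkurz@××××××××××××××.com>
+---
+ hw/9pfs/virtio-9p-coth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
+index fb6e8f8..ab9425c 100644
+--- a/hw/9pfs/virtio-9p-coth.c
++++ b/hw/9pfs/virtio-9p-coth.c
+@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
+ void co_run_in_worker_bh(void *opaque)
+ {
+ Coroutine *co = opaque;
+- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
++ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
+ coroutine_enter_func, co, coroutine_enter_cb, co);
+ }
+--
+2.7.4
+
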
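diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
new file mode 100644
index 0000000..61a52ee
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
@@ -0,0 +1,35 @@
+From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@××××××.com>
+Date: Mon, 21 Dec 2015 15:13:13 +0530
+Subject: [PATCH] scsi: initialise info object with appropriate size
+
+While processing controller 'CTRL_GET_INFO' command, the routine
+'megasas_ctrl_get_info' overflows the '&info' object size. Use its
+appropriate size to null initialise it.
+
+Reported-by: Qinghao Tang <luodalongde@×××××.com>
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
+Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
+Cc: qemu-stable@××××××.org
+Signed-off-by: Paolo Bonzini <pbonzini@××××××.com>
+Signed-off-by: P J P <ppandit@××××××.com>
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index d7dc667..576f56c 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
+ BusChild *kid;
+ int num_pd_disks = 0;
+
+- memset(&info, 0x0, cmd->iov_size);
++ memset(&info, 0x0, dcmd_size);
+ if (cmd->iov_size < dcmd_size) {
+ trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
+ dcmd_size);
+--
+2.7.4
+
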
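diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
new file mode 100644
index 0000000..be67336
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
@@ -0,0 +1,121 @@
+From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@×××××××.com>
+Date: Wed, 13 Jan 2016 09:09:58 +0100
+Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
+
+When processing 'sendkey' command, hmp_sendkey routine null
+terminates the 'keyname_buf' array. This results in an OOB
+write issue, if 'keyname_len' was to fall outside of
+'keyname_buf' array.
+
+Since the keyname's length is known the keyname_buf can be
+removed altogether by adding a length parameter to
+index_from_key() and using it for the error output as well.
+
+Reported-by: Ling Liu <liuling-it@×××.cn>
+Signed-off-by: Wolfgang Bumiller <w.bumiller@×××××××.com>
+Message-Id: <20160113080958.GA18934@olga>
+[Comparison with "<" dumbed down, test for junk after strtoul()
+tweaked]
+Signed-off-by: Markus Armbruster <armbru@××××××.com>
+---
+ hmp.c | 18 ++++++++----------
+ include/ui/console.h | 2 +-
+ ui/input-legacy.c | 5 +++--
+ 3 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/hmp.c b/hmp.c
+index 54f2620..9c571f5 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+ int has_hold_time = qdict_haskey(qdict, "hold-time");
+ int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
+ Error *err = NULL;
+- char keyname_buf[16];
+ char *separator;
+ int keyname_len;
+
+ while (1) {
+ separator = strchr(keys, '-');
+ keyname_len = separator ? separator - keys : strlen(keys);
+- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
+
+ /* Be compatible with old interface, convert user inputted "<" */
+- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
+- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
++ if (keys[0] == '<' && keyname_len == 1) {
++ keys = "less";
+ keyname_len = 4;
+ }
+- keyname_buf[keyname_len] = 0;
+
+ keylist = g_malloc0(sizeof(*keylist));
+ keylist->value = g_malloc0(sizeof(*keylist->value));
+@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+ }
+ tmp = keylist;
+
+- if (strstart(keyname_buf, "0x", NULL)) {
++ if (strstart(keys, "0x", NULL)) {
+ char *endp;
+- int value = strtoul(keyname_buf, &endp, 0);
+- if (*endp != '\0') {
++ int value = strtoul(keys, &endp, 0);
++ assert(endp <= keys + keyname_len);
++ if (endp != keys + keyname_len) {
+ goto err_out;
+ }
+ keylist->value->type = KEY_VALUE_KIND_NUMBER;
+ keylist->value->u.number = value;
+ } else {
+- int idx = index_from_key(keyname_buf);
++ int idx = index_from_key(keys, keyname_len);
+ if (idx == Q_KEY_CODE_MAX) {
+ goto err_out;
+ }
+@@ -1789,7 +1787,7 @@ out:
+ return;
+
+ err_out:
+- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
++ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
+ goto out;
+ }
+
+diff --git a/include/ui/console.h b/include/ui/console.h
+index adac36d..116bc2b 100644
+--- a/include/ui/console.h
++++ b/include/ui/console.h
+@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
+ void curses_display_init(DisplayState *ds, int full_screen);
+
+ /* input.c */
+-int index_from_key(const char *key);
++int index_from_key(const char *key, size_t key_length);
+
+ /* gtk.c */
+ void early_gtk_display_init(int opengl);
+diff --git a/ui/input-legacy.c b/ui/input-legacy.c
+index 35dfc27..3454055 100644
+--- a/ui/input-legacy.c
++++ b/ui/input-legacy.c
+@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
+ static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
+ QTAILQ_HEAD_INITIALIZER(led_handlers);
+
+-int index_from_key(const char *key)
++int index_from_key(const char *key, size_t key_length)
+ {
+ int i;
+
+ for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
+- if (!strcmp(key, QKeyCode_lookup[i])) {
++ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
++ !QKeyCode_lookup[i][key_length]) {
+ break;
+ }
+ }
+--
+2.7.4
+
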
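diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
new file mode 100644
index 0000000..917fa2f
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
@@ -0,0 +1,58 @@
+From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
+From: "Gabriel L. Somlo" <somlo@×××.edu>
+Date: Thu, 5 Nov 2015 09:32:50 -0500
+Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When calculating a pointer to the currently selected fw_cfg item, the
+following is used:
+
+ FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
+a non-existent element in s->entries[arch][...], which is undefined.
+
+This patch ensures the resulting entry pointer is set to NULL whenever
+s->cur_entry is FW_CFG_INVALID.
+
+Reported-by: Laszlo Ersek <lersek@××××××.com>
+Reviewed-by: Laszlo Ersek <lersek@××××××.com>
+Signed-off-by: Gabriel Somlo <somlo@×××.edu>
+Message-id: 1446733972-1602-5-git-send-email-somlo@×××.edu
+Cc: Marc Marí <markmb@××××××.com>
+Signed-off-by: Gabriel Somlo <somlo@×××.edu>
+Reviewed-by: Laszlo Ersek <lersek@××××××.com>
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
+---
+ hw/nvram/fw_cfg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index c2d3a0a..046fa74 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
+ static uint8_t fw_cfg_read(FWCfgState *s)
+ {
+ int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ uint8_t ret;
+
+ if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
+@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+ }
+
+ arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+ if (dma.control & FW_CFG_DMA_CTL_READ) {
+ read = 1;
+--
+2.7.4
+
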
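diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
new file mode 100644
index 0000000..23c2341
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
@@ -0,0 +1,65 @@
+From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@××××××.com>
+Date: Fri, 18 Dec 2015 11:35:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+ Hello,
+
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
+occurs while doing I/O port write operations via hmp interface. In that,
+'current_cpu' remains null as it is not called from cpu_exec loop, which
+results in the said issue.
+
+Below is a proposed (tested)patch to fix this issue; Does it look okay?
+
+===
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@×××××××××××××.org>
+Date: Fri, 18 Dec 2015 11:16:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+When I/O port write operation is called from hmp interface,
+'current_cpu' remains null, as it is not called from cpu_exec()
+loop. This leads to a null pointer dereference in vapic_write
+routine. Add check to avoid it.
+
+Reported-by: Ling Liu <liuling-it@×××.cn>
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
+Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
+Signed-off-by: Paolo Bonzini <pbonzini@××××××.com>
+Signed-off-by: P J P <ppandit@××××××.com>
+---
+ hw/i386/kvmvapic.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index c6d34b2..f0922da 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned int size)
+ {
+- CPUState *cs = current_cpu;
+- X86CPU *cpu = X86_CPU(cs);
+- CPUX86State *env = &cpu->env;
+- hwaddr rom_paddr;
+ VAPICROMState *s = opaque;
++ X86CPU *cpu;
++ CPUX86State *env;
++ hwaddr rom_paddr;
+
+- cpu_synchronize_state(cs);
++ if (!current_cpu) {
++ return;
++ }
++
++ cpu_synchronize_state(current_cpu);
++ cpu = X86_CPU(current_cpu);
++ env = &cpu->env;
+
+ /*
+ * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
+--
+2.7.4
+
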
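Review bot: The new qemu-2.5.0-CVE-2016-1922.patch embeds a mailing-list reply around the actual fix — the ` Hello,` paragraph, the `Does it look okay?` question and the `===` separator are followed by a second `From ae88a4947fab…` / `Date:` / `Subject:` header block — so the file carries two author headers and two dates for one change, and an auditor tracing which upstream commit this backports has to guess whether `4c1396cb576c…` or `ae88a4947fab…` is the one that was merged. Patch tooling that applies by hunk will still find the single `diff --git a/hw/i386/kvmvapic.c` hunk, so this is a provenance and readability point, not an application failure. If the upstream commit message itself contains this wrapper, a one-line note at the top of the file naming the merged commit id would do; otherwise trim the file to the inner `From ae88a4947fab…` block onward and drop the outer reply text. The 9pfs, CVE-2015-8613, CVE-2015-8619, CVE-2016-1714 and CVE-2016-1981 patch files in this commit do not have this problem.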
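diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
new file mode 100644
index 0000000..2922193
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
@@ -0,0 +1,98 @@
+From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@××××××.com>
+Date: Tue, 19 Jan 2016 14:17:20 +0100
+Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
+ start
+
+The start_xmit() and e1000_receive_iov() functions implement DMA transfers
+iterating over a set of descriptors that the guest's e1000 driver
+prepares:
+
+- the TDLEN and RDLEN registers store the total size of the descriptor
+ area,
+
+- while the TDH and RDH registers store the offset (in whole tx / rx
+ descriptors) into the area where the transfer is supposed to start.
+
+Each time a descriptor is processed, the TDH and RDH register is bumped
+(as appropriate for the transfer direction).
+
+QEMU already contains logic to deal with bogus transfers submitted by the
+guest:
+
+- Normally, the transmit case wants to increase TDH from its initial value
+ to TDT. (TDT is allowed to be numerically smaller than the initial TDH
+ value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
+ that QEMU currently has here is a check against reaching the original
+ TDH value again -- a complete wraparound, which should never happen.
+
+- In the receive case RDH is increased from its initial value until
+ "total_size" bytes have been received; preferably in a single step, or
+ in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
+ RX descriptors are skipped without receiving data, while RDH is
+ incremented just the same. QEMU tries to prevent an infinite loop
+ (processing only null RX descriptors) by detecting whether RDH assumes
+ its original value during the loop. (Again, wrapping from RDLEN to 0 is
+ normal.)
+
+What both directions miss is that the guest could program TDLEN and RDLEN
+so low, and the initial TDH and RDH so high, that these registers will
+immediately be truncated to zero, and then never reassume their initial
+values in the loop -- a full wraparound will never occur.
+
+The condition that expresses this is:
+
+ xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
+
+i.e., TDH or RDH start out after the last whole rx or tx descriptor that
+fits into the TDLEN or RDLEN sized area.
+
+This condition could be checked before we enter the loops, but
+pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
+bogus DMA addresses, so we just extend the existing failsafes with the
+above condition.
+
+This is CVE-2016-1981.
+
+Cc: "Michael S. Tsirkin" <mst@××××××.com>
+Cc: Petr Matousek <pmatouse@××××××.com>
+Cc: Stefano Stabellini <stefano.stabellini@×××××××××.com>
+Cc: Prasad Pandit <ppandit@××××××.com>
+Cc: Michael Roth <mdroth@××××××××××××××.com>
+Cc: Jason Wang <jasowang@××××××.com>
+Cc: qemu-stable@××××××.org
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
+Signed-off-by: Laszlo Ersek <lersek@××××××.com>
+Reviewed-by: Jason Wang <jasowang@××××××.com>
+Signed-off-by: Jason Wang <jasowang@××××××.com>
+---
+ hw/net/e1000.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index 4eda7a3..0387fa0 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -909,7 +909,8 @@ start_xmit(E1000State *s)
+ * bogus values to TDT/TDLEN.
+ * there's nothing too intelligent we could do about this.
+ */
+- if (s->mac_reg[TDH] == tdh_start) {
++ if (s->mac_reg[TDH] == tdh_start ||
++ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
+ DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
+ tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
+ break;
+@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
+ if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
+ s->mac_reg[RDH] = 0;
+ /* see comment in start_xmit; same here */
+- if (s->mac_reg[RDH] == rdh_start) {
++ if (s->mac_reg[RDH] == rdh_start ||
++ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
+ DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
+ rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
+ set_ics(s, 0, E1000_ICS_RXO);
+--
+2.7.4
+
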
525 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
526 new file mode 100644
527 index 0000000..0ab7b02
528 --- /dev/null
529 +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
530 @@ -0,0 +1,43 @@
531 +From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001
532 +From: John Snow <jsnow@××××××.com>
533 +Date: Wed, 10 Feb 2016 13:29:40 -0500
534 +Subject: [PATCH] ahci: Do not unmap NULL addresses
535 +
536 +Definitely don't try to unmap a garbage address.
537 +
538 +Reported-by: Zuozhi fzz <zuozhi.fzz@×××××××××××.com>
539 +Signed-off-by: John Snow <jsnow@××××××.com>
540 +Message-id: 1454103689-13042-2-git-send-email-jsnow@××××××.com
541 +---
542 + hw/ide/ahci.c | 8 ++++++++
543 + 1 file changed, 8 insertions(+)
544 +
545 +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
546 +index 7e87b18..3a95dad 100644
547 +--- a/hw/ide/ahci.c
548 ++++ b/hw/ide/ahci.c
549 +@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
550 +
551 + static void ahci_unmap_fis_address(AHCIDevice *ad)
552 + {
553 ++ if (ad->res_fis == NULL) {
554 ++ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
555 ++ return;
556 ++ }
557 + dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
558 + DMA_DIRECTION_FROM_DEVICE, 256);
559 + ad->res_fis = NULL;
560 +@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
561 +
562 + static void ahci_unmap_clb_address(AHCIDevice *ad)
563 + {
564 ++ if (ad->lst == NULL) {
565 ++ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
566 ++ return;
567 ++ }
568 + dma_memory_unmap(ad->hba->as, ad->lst, 1024,
569 + DMA_DIRECTION_FROM_DEVICE, 1024);
570 + ad->lst = NULL;
571 +--
572 +2.7.4
573 +
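Review bot: The new NULL guards in ahci_unmap_fis_address and ahci_unmap_clb_address make a stray unmap harmless, but they record it only through DPRINTF, which is compiled out by default, so a production build keeps no trace of a guest reaching unmap without a matching successful map. Consider logging it as a guest error where the file has the facility in scope, e.g. `qemu_log_mask(LOG_GUEST_ERROR, "ahci: unmap of NULL FIS address\n");` (and the CLB equivalent), or a trace point, so fuzzing and detection pipelines can observe the condition. The guards themselves are correct; ahci_map_fis_address / ahci_map_clb_address, whose failure paths presumably leave res_fis / lst NULL, are visible only in the hunk headers.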
574
575 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
576 new file mode 100644
577 index 0000000..d179c33
578 --- /dev/null
579 +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
580 @@ -0,0 +1,46 @@
581 +From dff0367cf66f489aa772320fa2937a8cac1ca30d Mon Sep 17 00:00:00 2001
582 +From: Prasad J Pandit <pjp@×××××××××××××.org>
583 +Date: Fri, 29 Jan 2016 18:30:34 +0530
584 +Subject: [PATCH] usb: ehci: add capability mmio write function
585 +
586 +USB Ehci emulation supports host controller capability registers.
587 +But its mmio '.write' function was missing, which lead to a null
588 +pointer dereference issue. Add a do nothing 'ehci_caps_write'
589 +definition to avoid it; Do nothing because capability registers
590 +are Read Only(RO).
591 +
592 +Reported-by: Zuozhi Fzz <zuozhi.fzz@×××××××××××.com>
593 +Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
594 +Message-id: 1454072434-16045-1-git-send-email-ppandit@××××××.com
595 +Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
596 +---
597 + hw/usb/hcd-ehci.c | 6 ++++++
598 + 1 file changed, 6 insertions(+)
599 +
600 +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
601 +index 1b50601..0f95d0d 100644
602 +--- a/hw/usb/hcd-ehci.c
603 ++++ b/hw/usb/hcd-ehci.c
604 +@@ -895,6 +895,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
605 + return s->caps[addr];
606 + }
607 +
608 ++static void ehci_caps_write(void *ptr, hwaddr addr,
609 ++ uint64_t val, unsigned size)
610 ++{
611 ++}
612 ++
613 + static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
614 + unsigned size)
615 + {
616 +@@ -2315,6 +2320,7 @@ static void ehci_frame_timer(void *opaque)
617 +
618 + static const MemoryRegionOps ehci_mmio_caps_ops = {
619 + .read = ehci_caps_read,
620 ++ .write = ehci_caps_write,
621 + .valid.min_access_size = 1,
622 + .valid.max_access_size = 4,
623 + .impl.min_access_size = 1,
624 +--
625 +2.7.4
626 +
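Review bot: `ehci_caps_write` drops the access with no comment, so the only record that the capability registers are read-only is the commit message; add `/* EHCI capability registers are read-only; guest writes are ignored. */` above the function. A guest writing into a RO region is also a worthwhile guest-error signal, so if hw/usb/hcd-ehci.c has qemu/log.h in scope a `qemu_log_mask(LOG_GUEST_ERROR, "ehci: write to read-only caps register 0x%" HWADDR_PRIx "\n", addr);` in the otherwise empty body costs nothing on the hot path. Wiring `.write` into ehci_mmio_caps_ops is the right fix for the NULL-dispatch crash and needs no further change.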
627
628 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
629 new file mode 100644
630 index 0000000..e7aa5ca
631 --- /dev/null
632 +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
633 @@ -0,0 +1,35 @@
634 +From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001
635 +From: Prasad J Pandit <pjp@×××××××××××××.org>
636 +Date: Thu, 11 Feb 2016 16:31:20 +0530
637 +Subject: [PATCH] usb: check USB configuration descriptor object
638 +
639 +When processing remote NDIS control message packets, the USB Net
640 +device emulator checks to see if the USB configuration descriptor
641 +object is of RNDIS type(2). But it does not check if it is null,
642 +which leads to a null dereference error. Add check to avoid it.
643 +
644 +Reported-by: Qinghao Tang <luodalongde@×××××.com>
645 +Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
646 +Message-id: 1455188480-14688-1-git-send-email-ppandit@××××××.com
647 +Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
648 +---
649 + hw/usb/dev-network.c | 3 ++-
650 + 1 file changed, 2 insertions(+), 1 deletion(-)
651 +
652 +diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
653 +index 985a629..5dc4538 100644
654 +--- a/hw/usb/dev-network.c
655 ++++ b/hw/usb/dev-network.c
656 +@@ -654,7 +654,8 @@ typedef struct USBNetState {
657 +
658 + static int is_rndis(USBNetState *s)
659 + {
660 +- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
661 ++ return s->dev.config ?
662 ++ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
663 + }
664 +
665 + static int ndis_query(USBNetState *s, uint32_t oid,
666 +--
667 +2.7.4
668 +
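Review bot: The conditional expression reads more naturally, and with less risk of a misplaced `?`, as a plain boolean: `return s->dev.config && s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;`, which yields the same 0/1 result. One caveat worth a comment on the function: when `config` is NULL (device not yet configured) is_rndis() now reports "not RNDIS", so callers silently take their CDC/non-RNDIS branch; those branches are outside the hunk, and it should be confirmed they do not dereference `s->dev.config` themselves.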
669
670 diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
671 new file mode 100644
672 index 0000000..2874b75
673 --- /dev/null
674 +++ b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
675 @@ -0,0 +1,37 @@
676 +From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001
677 +From: Prasad J Pandit <pjp@×××××××××××××.org>
678 +Date: Wed, 24 Feb 2016 11:41:33 +0530
679 +Subject: [PATCH] net: ne2000: check ring buffer control registers
680 +
681 +Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
682 +bytes to process network packets. Registers PSTART & PSTOP
683 +define ring buffer size & location. Setting these registers
684 +to invalid values could lead to infinite loop or OOB r/w
685 +access issues. Add check to avoid it.
686 +
687 +Reported-by: Yang Hongke <yanghongke@××××××.com>
688 +Tested-by: Yang Hongke <yanghongke@××××××.com>
689 +Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
690 +Signed-off-by: Jason Wang <jasowang@××××××.com>
691 +---
692 + hw/net/ne2000.c | 4 ++++
693 + 1 file changed, 4 insertions(+)
694 +
695 +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
696 +index e408083..f0feaf9 100644
697 +--- a/hw/net/ne2000.c
698 ++++ b/hw/net/ne2000.c
699 +@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s)
700 + {
701 + int avail, index, boundary;
702 +
703 ++ if (s->stop <= s->start) {
704 ++ return 1;
705 ++ }
706 ++
707 + index = s->curpag << 8;
708 + boundary = s->boundary << 8;
709 + if (index < boundary)
710 +--
711 +2.7.4
712 +
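Review bot: The added guard only enforces `stop > start`; it does not bound either register against the 49152-byte ring (NE2000_MEM_SIZE) named in the commit message, so a PSTOP page past the end of `mem` still passes and any later `s->stop - index` arithmetic in the receive path (outside this hunk) would trust it. If the register write path does not clamp PSTART/PSTOP (not visible here), extend the check: `if (s->stop <= s->start || s->stop > NE2000_MEM_SIZE) { return 1; }`. Reporting an invalid ring as "full" drops packets silently, so a `qemu_log_mask(LOG_GUEST_ERROR, ...)` at this point would make the misconfiguration observable. ne2000_buffer_full's body continues past the hunk.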
713
714 diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
715 new file mode 100644
716 index 0000000..684f6ad
717 --- /dev/null
718 +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
719 @@ -0,0 +1,98 @@
720 +From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
721 +From: Ladi Prosek <lprosek@××××××.com>
722 +Date: Thu, 3 Mar 2016 09:37:15 +0100
723 +Subject: [PATCH] rng: remove the unused request cancellation code
724 +
725 +rng_backend_cancel_requests had no callers and none of the code
726 +deleted in this commit ever ran.
727 +
728 +Signed-off-by: Ladi Prosek <lprosek@××××××.com>
729 +Reviewed-by: Amit Shah <amit.shah@××××××.com>
730 +Message-Id: <1456994238-9585-2-git-send-email-lprosek@××××××.com>
731 +Signed-off-by: Amit Shah <amit.shah@××××××.com>
732 +---
733 + backends/rng-egd.c | 12 ------------
734 + backends/rng.c | 9 ---------
735 + include/sysemu/rng.h | 11 -----------
736 + 3 files changed, 32 deletions(-)
737 +
738 +diff --git a/backends/rng-egd.c b/backends/rng-egd.c
739 +index 2de5cd5..0b2976a 100644
740 +--- a/backends/rng-egd.c
741 ++++ b/backends/rng-egd.c
742 +@@ -125,17 +125,6 @@ static void rng_egd_free_requests(RngEgd *s)
743 + s->requests = NULL;
744 + }
745 +
746 +-static void rng_egd_cancel_requests(RngBackend *b)
747 +-{
748 +- RngEgd *s = RNG_EGD(b);
749 +-
750 +- /* We simply delete the list of pending requests. If there is data in the
751 +- * queue waiting to be read, this is okay, because there will always be
752 +- * more data than we requested originally
753 +- */
754 +- rng_egd_free_requests(s);
755 +-}
756 +-
757 + static void rng_egd_opened(RngBackend *b, Error **errp)
758 + {
759 + RngEgd *s = RNG_EGD(b);
760 +@@ -213,7 +202,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data)
761 + RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
762 +
763 + rbc->request_entropy = rng_egd_request_entropy;
764 +- rbc->cancel_requests = rng_egd_cancel_requests;
765 + rbc->opened = rng_egd_opened;
766 + }
767 +
768 +diff --git a/backends/rng.c b/backends/rng.c
769 +index b7820ef..2f2f3ee 100644
770 +--- a/backends/rng.c
771 ++++ b/backends/rng.c
772 +@@ -26,15 +26,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
773 + }
774 + }
775 +
776 +-void rng_backend_cancel_requests(RngBackend *s)
777 +-{
778 +- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
779 +-
780 +- if (k->cancel_requests) {
781 +- k->cancel_requests(s);
782 +- }
783 +-}
784 +-
785 + static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
786 + {
787 + RngBackend *s = RNG_BACKEND(obj);
788 +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
789 +index 858be8c..87b3ebe 100644
790 +--- a/include/sysemu/rng.h
791 ++++ b/include/sysemu/rng.h
792 +@@ -37,7 +37,6 @@ struct RngBackendClass
793 +
794 + void (*request_entropy)(RngBackend *s, size_t size,
795 + EntropyReceiveFunc *receive_entropy, void *opaque);
796 +- void (*cancel_requests)(RngBackend *s);
797 +
798 + void (*opened)(RngBackend *s, Error **errp);
799 + };
800 +@@ -68,14 +67,4 @@ struct RngBackend
801 + void rng_backend_request_entropy(RngBackend *s, size_t size,
802 + EntropyReceiveFunc *receive_entropy,
803 + void *opaque);
804 +-
805 +-/**
806 +- * rng_backend_cancel_requests:
807 +- * @s: the backend to cancel all pending requests in
808 +- *
809 +- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
810 +- * should be used by a device during reset or in preparation for live migration
811 +- * to stop tracking any request.
812 +- */
813 +-void rng_backend_cancel_requests(RngBackend *s);
814 + #endif
815 +--
816 +2.7.4
817 +
818
819 diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
820 new file mode 100644
821 index 0000000..44ba8a7
822 --- /dev/null
823 +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
824 @@ -0,0 +1,135 @@
825 +From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
826 +From: Ladi Prosek <lprosek@××××××.com>
827 +Date: Thu, 3 Mar 2016 09:37:16 +0100
828 +Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
829 +
830 +The 'requests' field now lives in the RngBackend parent class.
831 +There are no functional changes in this commit.
832 +
833 +Signed-off-by: Ladi Prosek <lprosek@××××××.com>
834 +Reviewed-by: Amit Shah <amit.shah@××××××.com>
835 +Message-Id: <1456994238-9585-3-git-send-email-lprosek@××××××.com>
836 +Signed-off-by: Amit Shah <amit.shah@××××××.com>
837 +---
838 + backends/rng-egd.c | 28 +++++++++-------------------
839 + include/sysemu/rng.h | 11 +++++++++++
840 + 2 files changed, 20 insertions(+), 19 deletions(-)
841 +
842 +diff --git a/backends/rng-egd.c b/backends/rng-egd.c
843 +index 0b2976a..b061362 100644
844 +--- a/backends/rng-egd.c
845 ++++ b/backends/rng-egd.c
846 +@@ -25,19 +25,8 @@ typedef struct RngEgd
847 +
848 + CharDriverState *chr;
849 + char *chr_name;
850 +-
851 +- GSList *requests;
852 + } RngEgd;
853 +
854 +-typedef struct RngRequest
855 +-{
856 +- EntropyReceiveFunc *receive_entropy;
857 +- uint8_t *data;
858 +- void *opaque;
859 +- size_t offset;
860 +- size_t size;
861 +-} RngRequest;
862 +-
863 + static void rng_egd_request_entropy(RngBackend *b, size_t size,
864 + EntropyReceiveFunc *receive_entropy,
865 + void *opaque)
866 +@@ -66,7 +55,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
867 + size -= len;
868 + }
869 +
870 +- s->requests = g_slist_append(s->requests, req);
871 ++ s->parent.requests = g_slist_append(s->parent.requests, req);
872 + }
873 +
874 + static void rng_egd_free_request(RngRequest *req)
875 +@@ -81,7 +70,7 @@ static int rng_egd_chr_can_read(void *opaque)
876 + GSList *i;
877 + int size = 0;
878 +
879 +- for (i = s->requests; i; i = i->next) {
880 ++ for (i = s->parent.requests; i; i = i->next) {
881 + RngRequest *req = i->data;
882 + size += req->size - req->offset;
883 + }
884 +@@ -94,8 +83,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
885 + RngEgd *s = RNG_EGD(opaque);
886 + size_t buf_offset = 0;
887 +
888 +- while (size > 0 && s->requests) {
889 +- RngRequest *req = s->requests->data;
890 ++ while (size > 0 && s->parent.requests) {
891 ++ RngRequest *req = s->parent.requests->data;
892 + int len = MIN(size, req->size - req->offset);
893 +
894 + memcpy(req->data + req->offset, buf + buf_offset, len);
895 +@@ -104,7 +93,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
896 + size -= len;
897 +
898 + if (req->offset == req->size) {
899 +- s->requests = g_slist_remove_link(s->requests, s->requests);
900 ++ s->parent.requests = g_slist_remove_link(s->parent.requests,
901 ++ s->parent.requests);
902 +
903 + req->receive_entropy(req->opaque, req->data, req->size);
904 +
905 +@@ -117,12 +107,12 @@ static void rng_egd_free_requests(RngEgd *s)
906 + {
907 + GSList *i;
908 +
909 +- for (i = s->requests; i; i = i->next) {
910 ++ for (i = s->parent.requests; i; i = i->next) {
911 + rng_egd_free_request(i->data);
912 + }
913 +
914 +- g_slist_free(s->requests);
915 +- s->requests = NULL;
916 ++ g_slist_free(s->parent.requests);
917 ++ s->parent.requests = NULL;
918 + }
919 +
920 + static void rng_egd_opened(RngBackend *b, Error **errp)
921 +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
922 +index 87b3ebe..c744d82 100644
923 +--- a/include/sysemu/rng.h
924 ++++ b/include/sysemu/rng.h
925 +@@ -24,6 +24,7 @@
926 + #define RNG_BACKEND_CLASS(klass) \
927 + OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
928 +
929 ++typedef struct RngRequest RngRequest;
930 + typedef struct RngBackendClass RngBackendClass;
931 + typedef struct RngBackend RngBackend;
932 +
933 +@@ -31,6 +32,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
934 + const void *data,
935 + size_t size);
936 +
937 ++struct RngRequest
938 ++{
939 ++ EntropyReceiveFunc *receive_entropy;
940 ++ uint8_t *data;
941 ++ void *opaque;
942 ++ size_t offset;
943 ++ size_t size;
944 ++};
945 ++
946 + struct RngBackendClass
947 + {
948 + ObjectClass parent_class;
949 +@@ -47,6 +57,7 @@ struct RngBackend
950 +
951 + /*< protected >*/
952 + bool opened;
953 ++ GSList *requests;
954 + };
955 +
956 + /**
957 +--
958 +2.7.4
959 +
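Review bot: The new `GSList *requests` field in RngBackend carries no comment although it now defines an ownership contract shared by the parent and the egd child (the child appends in rng_egd_request_entropy and unlinks/frees in rng_egd_chr_read); a line such as `/* Pending RngRequests in FIFO order; nodes are owned by the backend and freed once completed. */` belongs next to it under the `protected` marker. RngRequest moving into the public header likewise deserves one-line field notes, in particular that `offset` counts bytes already copied into `data`. On a changed line, rng_egd_chr_can_read accumulates `size_t` remainders into an `int size`; that is pre-existing and presumably bounded by the caller, but worth confirming now that the queue lives in the base class.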
960
961 diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
962 new file mode 100644
963 index 0000000..1cffcc5
964 --- /dev/null
965 +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
966 @@ -0,0 +1,155 @@
967 +From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
968 +From: Ladi Prosek <lprosek@××××××.com>
969 +Date: Thu, 3 Mar 2016 09:37:17 +0100
970 +Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
971 +
972 +RngBackend is now in charge of cleaning up the linked list on
973 +instance finalization. It also exposes a function to finalize
974 +individual RngRequest instances, called by its child classes.
975 +
976 +Signed-off-by: Ladi Prosek <lprosek@××××××.com>
977 +Reviewed-by: Amit Shah <amit.shah@××××××.com>
978 +Message-Id: <1456994238-9585-4-git-send-email-lprosek@××××××.com>
979 +Signed-off-by: Amit Shah <amit.shah@××××××.com>
980 +---
981 + backends/rng-egd.c | 25 +------------------------
982 + backends/rng.c | 32 ++++++++++++++++++++++++++++++++
983 + include/sysemu/rng.h | 12 ++++++++++++
984 + 3 files changed, 45 insertions(+), 24 deletions(-)
985 +
986 +diff --git a/backends/rng-egd.c b/backends/rng-egd.c
987 +index b061362..8f2bd16 100644
988 +--- a/backends/rng-egd.c
989 ++++ b/backends/rng-egd.c
990 +@@ -58,12 +58,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
991 + s->parent.requests = g_slist_append(s->parent.requests, req);
992 + }
993 +
994 +-static void rng_egd_free_request(RngRequest *req)
995 +-{
996 +- g_free(req->data);
997 +- g_free(req);
998 +-}
999 +-
1000 + static int rng_egd_chr_can_read(void *opaque)
1001 + {
1002 + RngEgd *s = RNG_EGD(opaque);
1003 +@@ -93,28 +87,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size)
1004 + size -= len;
1005 +
1006 + if (req->offset == req->size) {
1007 +- s->parent.requests = g_slist_remove_link(s->parent.requests,
1008 +- s->parent.requests);
1009 +-
1010 + req->receive_entropy(req->opaque, req->data, req->size);
1011 +
1012 +- rng_egd_free_request(req);
1013 ++ rng_backend_finalize_request(&s->parent, req);
1014 + }
1015 + }
1016 + }
1017 +
1018 +-static void rng_egd_free_requests(RngEgd *s)
1019 +-{
1020 +- GSList *i;
1021 +-
1022 +- for (i = s->parent.requests; i; i = i->next) {
1023 +- rng_egd_free_request(i->data);
1024 +- }
1025 +-
1026 +- g_slist_free(s->parent.requests);
1027 +- s->parent.requests = NULL;
1028 +-}
1029 +-
1030 + static void rng_egd_opened(RngBackend *b, Error **errp)
1031 + {
1032 + RngEgd *s = RNG_EGD(b);
1033 +@@ -183,8 +162,6 @@ static void rng_egd_finalize(Object *obj)
1034 + }
1035 +
1036 + g_free(s->chr_name);
1037 +-
1038 +- rng_egd_free_requests(s);
1039 + }
1040 +
1041 + static void rng_egd_class_init(ObjectClass *klass, void *data)
1042 +diff --git a/backends/rng.c b/backends/rng.c
1043 +index 2f2f3ee..014cb9d 100644
1044 +--- a/backends/rng.c
1045 ++++ b/backends/rng.c
1046 +@@ -64,6 +64,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp)
1047 + s->opened = true;
1048 + }
1049 +
1050 ++static void rng_backend_free_request(RngRequest *req)
1051 ++{
1052 ++ g_free(req->data);
1053 ++ g_free(req);
1054 ++}
1055 ++
1056 ++static void rng_backend_free_requests(RngBackend *s)
1057 ++{
1058 ++ GSList *i;
1059 ++
1060 ++ for (i = s->requests; i; i = i->next) {
1061 ++ rng_backend_free_request(i->data);
1062 ++ }
1063 ++
1064 ++ g_slist_free(s->requests);
1065 ++ s->requests = NULL;
1066 ++}
1067 ++
1068 ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
1069 ++{
1070 ++ s->requests = g_slist_remove(s->requests, req);
1071 ++ rng_backend_free_request(req);
1072 ++}
1073 ++
1074 + static void rng_backend_init(Object *obj)
1075 + {
1076 + object_property_add_bool(obj, "opened",
1077 +@@ -72,6 +96,13 @@ static void rng_backend_init(Object *obj)
1078 + NULL);
1079 + }
1080 +
1081 ++static void rng_backend_finalize(Object *obj)
1082 ++{
1083 ++ RngBackend *s = RNG_BACKEND(obj);
1084 ++
1085 ++ rng_backend_free_requests(s);
1086 ++}
1087 ++
1088 + static void rng_backend_class_init(ObjectClass *oc, void *data)
1089 + {
1090 + UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
1091 +@@ -84,6 +115,7 @@ static const TypeInfo rng_backend_info = {
1092 + .parent = TYPE_OBJECT,
1093 + .instance_size = sizeof(RngBackend),
1094 + .instance_init = rng_backend_init,
1095 ++ .instance_finalize = rng_backend_finalize,
1096 + .class_size = sizeof(RngBackendClass),
1097 + .class_init = rng_backend_class_init,
1098 + .abstract = true,
1099 +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
1100 +index c744d82..08a2eda 100644
1101 +--- a/include/sysemu/rng.h
1102 ++++ b/include/sysemu/rng.h
1103 +@@ -78,4 +79,15 @@ struct RngBackend
1104 + void rng_backend_request_entropy(RngBackend *s, size_t size,
1105 + EntropyReceiveFunc *receive_entropy,
1106 + void *opaque);
1107 ++
1108 ++/**
1109 ++ * rng_backend_free_request:
1110 ++ * @s: the backend that created the request
1111 ++ * @req: the request to finalize
1112 ++ *
1113 ++ * Used by child rng backend classes to finalize requests once they've been
1114 ++ * processed. The request is removed from the list of active requests and
1115 ++ * deleted.
1116 ++ */
1117 ++void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
1118 + #endif
1119 +--
1120 +2.7.4
1121 +
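Review bot: The new doc block in include/sysemu/rng.h is headed `rng_backend_free_request:` but documents `rng_backend_finalize_request`, the only prototype that follows it; rename the heading so the comment matches the declaration. In rng_egd_chr_read the order of operations also changes: the request now stays on the queue while `req->receive_entropy()` runs and is removed afterwards by `rng_backend_finalize_request`, which finds the node by pointer with `g_slist_remove`. That is safe provided the callback never finalizes or frees `req` itself; if a receive callback can re-enter the backend and queue new requests (not visible here), a comment at the call site noting that removal is by pointer rather than by head, and therefore tolerates re-entry, would protect the next reader.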
1122
1123 diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
1124 new file mode 100644
1125 index 0000000..ca9340a
1126 --- /dev/null
1127 +++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
1128 @@ -0,0 +1,179 @@
1129 +From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
1130 +From: Ladi Prosek <lprosek@××××××.com>
1131 +Date: Thu, 3 Mar 2016 09:37:18 +0100
1132 +Subject: [PATCH] rng: add request queue support to rng-random
1133 +
1134 +Requests are now created in the RngBackend parent class and the
1135 +code path is shared by both rng-egd and rng-random.
1136 +
1137 +This commit fixes the rng-random implementation which processed
1138 +only one request at a time and simply discarded all but the most
1139 +recent one. In the guest this manifested as delayed completion
1140 +of reads from virtio-rng, i.e. a read was completed only after
1141 +another read was issued.
1142 +
1143 +By switching rng-random to use the same request queue as rng-egd,
1144 +the unsafe stack-based allocation of the entropy buffer is
1145 +eliminated and replaced with g_malloc.
1146 +
1147 +Signed-off-by: Ladi Prosek <lprosek@××××××.com>
1148 +Reviewed-by: Amit Shah <amit.shah@××××××.com>
1149 +Message-Id: <1456994238-9585-5-git-send-email-lprosek@××××××.com>
1150 +Signed-off-by: Amit Shah <amit.shah@××××××.com>
1151 +---
1152 + backends/rng-egd.c | 16 ++--------------
1153 + backends/rng-random.c | 43 +++++++++++++++++++------------------------
1154 + backends/rng.c | 13 ++++++++++++-
1155 + include/sysemu/rng.h | 3 +--
1156 + 4 files changed, 34 insertions(+), 41 deletions(-)
1157 +
1158 +diff --git a/backends/rng-egd.c b/backends/rng-egd.c
1159 +index 8f2bd16..30332ed 100644
1160 +--- a/backends/rng-egd.c
1161 ++++ b/backends/rng-egd.c
1162 +@@ -27,20 +27,10 @@ typedef struct RngEgd
1163 + char *chr_name;
1164 + } RngEgd;
1165 +
1166 +-static void rng_egd_request_entropy(RngBackend *b, size_t size,
1167 +- EntropyReceiveFunc *receive_entropy,
1168 +- void *opaque)
1169 ++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
1170 + {
1171 + RngEgd *s = RNG_EGD(b);
1172 +- RngRequest *req;
1173 +-
1174 +- req = g_malloc(sizeof(*req));
1175 +-
1176 +- req->offset = 0;
1177 +- req->size = size;
1178 +- req->receive_entropy = receive_entropy;
1179 +- req->opaque = opaque;
1180 +- req->data = g_malloc(req->size);
1181 ++ size_t size = req->size;
1182 +
1183 + while (size > 0) {
1184 + uint8_t header[2];
1185 +@@ -54,8 +44,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size,
1186 +
1187 + size -= len;
1188 + }
1189 +-
1190 +- s->parent.requests = g_slist_append(s->parent.requests, req);
1191 + }
1192 +
1193 + static int rng_egd_chr_can_read(void *opaque)
1194 +diff --git a/backends/rng-random.c b/backends/rng-random.c
1195 +index 8cdad6a..a6cb385 100644
1196 +--- a/backends/rng-random.c
1197 ++++ b/backends/rng-random.c
1198 +@@ -22,10 +22,6 @@ struct RndRandom
1199 +
1200 + int fd;
1201 + char *filename;
1202 +-
1203 +- EntropyReceiveFunc *receive_func;
1204 +- void *opaque;
1205 +- size_t size;
1206 + };
1207 +
1208 + /**
1209 +@@ -38,36 +34,35 @@ struct RndRandom
1210 + static void entropy_available(void *opaque)
1211 + {
1212 + RndRandom *s = RNG_RANDOM(opaque);
1213 +- uint8_t buffer[s->size];
1214 +- ssize_t len;
1215 +
1216 +- len = read(s->fd, buffer, s->size);
1217 +- if (len < 0 && errno == EAGAIN) {
1218 +- return;
1219 +- }
1220 +- g_assert(len != -1);
1221 ++ while (s->parent.requests != NULL) {
1222 ++ RngRequest *req = s->parent.requests->data;
1223 ++ ssize_t len;
1224 ++
1225 ++ len = read(s->fd, req->data, req->size);
1226 ++ if (len < 0 && errno == EAGAIN) {
1227 ++ return;
1228 ++ }
1229 ++ g_assert(len != -1);
1230 +
1231 +- s->receive_func(s->opaque, buffer, len);
1232 +- s->receive_func = NULL;
1233 ++ req->receive_entropy(req->opaque, req->data, len);
1234 +
1235 ++ rng_backend_finalize_request(&s->parent, req);
1236 ++ }
1237 ++
1238 ++ /* We've drained all requests, the fd handler can be reset. */
1239 + qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
1240 + }
1241 +
1242 +-static void rng_random_request_entropy(RngBackend *b, size_t size,
1243 +- EntropyReceiveFunc *receive_entropy,
1244 +- void *opaque)
1245 ++static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
1246 + {
1247 + RndRandom *s = RNG_RANDOM(b);
1248 +
1249 +- if (s->receive_func) {
1250 +- s->receive_func(s->opaque, NULL, 0);
1251 ++ if (s->parent.requests == NULL) {
1252 ++ /* If there are no pending requests yet, we need to
1253 ++ * install our fd handler. */
1254 ++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
1255 + }
1256 +-
1257 +- s->receive_func = receive_entropy;
1258 +- s->opaque = opaque;
1259 +- s->size = size;
1260 +-
1261 +- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
1262 + }
1263 +
1264 + static void rng_random_opened(RngBackend *b, Error **errp)
1265 +diff --git a/backends/rng.c b/backends/rng.c
1266 +index 014cb9d..277a41b 100644
1267 +--- a/backends/rng.c
1268 ++++ b/backends/rng.c
1269 +@@ -20,9 +20,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
1270 + void *opaque)
1271 + {
1272 + RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
1273 ++ RngRequest *req;
1274 +
1275 + if (k->request_entropy) {
1276 +- k->request_entropy(s, size, receive_entropy, opaque);
1277 ++ req = g_malloc(sizeof(*req));
1278 ++
1279 ++ req->offset = 0;
1280 ++ req->size = size;
1281 ++ req->receive_entropy = receive_entropy;
1282 ++ req->opaque = opaque;
1283 ++ req->data = g_malloc(req->size);
1284 ++
1285 ++ k->request_entropy(s, req);
1286 ++
1287 ++ s->requests = g_slist_append(s->requests, req);
1288 + }
1289 + }
1290 +
1291 +diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
1292 +index 08a2eda..4fffd68 100644
1293 +--- a/include/sysemu/rng.h
1294 ++++ b/include/sysemu/rng.h
1295 +@@ -45,8 +45,7 @@ struct RngBackendClass
1296 + {
1297 + ObjectClass parent_class;
1298 +
1299 +- void (*request_entropy)(RngBackend *s, size_t size,
1300 +- EntropyReceiveFunc *receive_entropy, void *opaque);
1301 ++ void (*request_entropy)(RngBackend *s, RngRequest *req);
1302 +
1303 + void (*opened)(RngBackend *s, Error **errp);
1304 + };
1305 +--
1306 +2.7.4
1307 +
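Review bot: In the rewritten `entropy_available`, `g_assert(len != -1)` still turns any read() failure other than EAGAIN into an abort of the whole QEMU process, and it is now reached once per queued request; EINTR is a plausible transient on the non-blocking fd and should be retried rather than fatal: `if (len < 0 && (errno == EAGAIN || errno == EINTR)) { return; }` (the fd handler stays installed, so the loop resumes on the next readiness event). A `len == 0` result (EOF on a regular-file backend) delivers an empty buffer and finalizes the request; the callers appear to tolerate short reads, but that is inferred. In rng_backend_request_entropy the request is handed to `k->request_entropy()` before it is appended to `s->requests`, and rng_random_request_entropy relies on that order to decide whether to install the fd handler, so a comment on the call, `/* called before the append: backends may test s->requests for "first pending request" */`, would keep a future reordering from breaking it.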
1308
1309 diff --git a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
1310 new file mode 100644
1311 index 0000000..f2e766d
1312 --- /dev/null
1313 +++ b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
1314 @@ -0,0 +1,15 @@
1315 +Linux C libs are moving away from implicit header pollution with sys/types.h
1316 +
1317 +--- a/include/qemu/osdep.h
1318 ++++ b/include/qemu/osdep.h
1319 +@@ -78,6 +78,10 @@ extern int daemon(int, int);
1320 + #include <assert.h>
1321 + #include <signal.h>
1322 +
1323 ++#ifdef __linux__
1324 ++#include <sys/sysmacros.h>
1325 ++#endif
1326 ++
1327 + #ifdef __OpenBSD__
1328 + #include <sys/signal.h>
1329 + #endif
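Review bot: The one-line description above the hunk does not say which symbols the include restores, and for a local (non-upstream) patch that is what tells a maintainer when it can be dropped. Suggest expanding it to `Newer glibc and musl no longer provide major()/minor()/makedev() through sys/types.h; include sys/sysmacros.h explicitly on Linux.` — the symbol names are inferred from the description and should be confirmed against the build error that motivated the patch.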
1330
1331 diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
1332 new file mode 100644
1333 index 0000000..2ddca3e
1334 --- /dev/null
1335 +++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
1336 @@ -0,0 +1,52 @@
1337 +From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001
1338 +From: Prasad J Pandit <pjp@×××××××××××××.org>
1339 +Date: Wed, 20 Jan 2016 01:26:46 +0530
1340 +Subject: [PATCH] usb: check page select value while processing iTD
1341 +
1342 +While processing isochronous transfer descriptors(iTD), the page
1343 +select(PG) field value could lead to an OOB read access. Add
1344 +check to avoid it.
1345 +
1346 +Reported-by: Qinghao Tang <luodalongde@×××××.com>
1347 +Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
1348 +Message-id: 1453233406-12165-1-git-send-email-ppandit@××××××.com
1349 +Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
1350 +---
1351 + hw/usb/hcd-ehci.c | 10 ++++++----
1352 + 1 file changed, 6 insertions(+), 4 deletions(-)
1353 +
1354 +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
1355 +index ab00268..93601d9 100644
1356 +--- a/hw/usb/hcd-ehci.c
1357 ++++ b/hw/usb/hcd-ehci.c
1358 +@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci,
1359 + if (itd->transact[i] & ITD_XACT_ACTIVE) {
1360 + pg = get_field(itd->transact[i], ITD_XACT_PGSEL);
1361 + off = itd->transact[i] & ITD_XACT_OFFSET_MASK;
1362 +- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
1363 +- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
1364 + len = get_field(itd->transact[i], ITD_XACT_LENGTH);
1365 +
1366 + if (len > max * mult) {
1367 + len = max * mult;
1368 + }
1369 +-
1370 +- if (len > BUFF_SIZE) {
1371 ++ if (len > BUFF_SIZE || pg > 6) {
1372 + return -1;
1373 + }
1374 +
1375 ++ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
1376 + qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
1377 + if (off + len > 4096) {
1378 + /* transfer crosses page border */
1379 ++ if (pg == 6) {
1380 ++ return -1; /* avoid page pg + 1 */
1381 ++ }
1382 ++ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
1383 + uint32_t len2 = off + len - 4096;
1384 + uint32_t len1 = len - len2;
1385 + qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
1386 +--
1387 +2.7.4
1388 +
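Review bot: The two new bounds tests hard-code `6` as the last valid page-select index; if the iTD buffer-pointer array is sized by a constant (the EHCI iTD carries seven page pointers, but `bufptr`'s declaration is outside this hunk), express the checks against it so the relationship is visible: `if (len > BUFF_SIZE || pg >= ARRAY_SIZE(itd->bufptr)) {` and `if (pg + 1 >= ARRAY_SIZE(itd->bufptr)) {`. Both rejections return -1 silently, so a guest-supplied out-of-range PG is indistinguishable from any other iTD error; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` or trace point would help detection. The cross-page branch also deserves a why-comment, e.g. `/* off+len spills into the next page, so bufptr[pg+1] must exist */`. ehci_process_itd continues outside the hunk.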
1389
1390 diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
1391 new file mode 100644
1392 index 0000000..da643fd
1393 --- /dev/null
1394 +++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
1395 @@ -0,0 +1,59 @@
1396 +From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001
1397 +From: Prasad J Pandit <pjp@×××××××××××××.org>
1398 +Date: Wed, 17 Feb 2016 00:23:41 +0530
1399 +Subject: [PATCH] usb: check RNDIS buffer offsets & length
1400 +
1401 +When processing remote NDIS control message packets,
1402 +the USB Net device emulator uses a fixed length(4096) data buffer.
1403 +The incoming informationBufferOffset & Length combination could
1404 +overflow and cross that range. Check control message buffer
1405 +offsets and length to avoid it.
1406 +
1407 +Reported-by: Qinghao Tang <luodalongde@×××××.com>
1408 +Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
1409 +Message-id: 1455648821-17340-3-git-send-email-ppandit@××××××.com
1410 +Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
1411 +---
1412 + hw/usb/dev-network.c | 9 ++++++---
1413 + 1 file changed, 6 insertions(+), 3 deletions(-)
1414 +
1415 +diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
1416 +index 5dc4538..c6abd38 100644
1417 +--- a/hw/usb/dev-network.c
1418 ++++ b/hw/usb/dev-network.c
1419 +@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s,
1420 +
1421 + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
1422 + buflen = le32_to_cpu(buf->InformationBufferLength);
1423 +- if (bufoffs + buflen > length)
1424 ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
1425 + return USB_RET_STALL;
1426 ++ }
1427 +
1428 + infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
1429 + bufoffs + (uint8_t *) buf, buflen, infobuf,
1430 +@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s,
1431 +
1432 + bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
1433 + buflen = le32_to_cpu(buf->InformationBufferLength);
1434 +- if (bufoffs + buflen > length)
1435 ++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
1436 + return USB_RET_STALL;
1437 ++ }
1438 +
1439 + ret = ndis_set(s, le32_to_cpu(buf->OID),
1440 + bufoffs + (uint8_t *) buf, buflen);
1441 +@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
1442 + if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
1443 + uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
1444 + uint32_t size = le32_to_cpu(msg->DataLength);
1445 +- if (offs + size <= len)
1446 ++ if (offs < len && size < len && offs + size <= len) {
1447 + qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
1448 ++ }
1449 + }
1450 + s->out_ptr -= len;
1451 + memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
1452 +--
1453 +2.7.4
1454 +
1455
1456 diff --git a/app-emulation/qemu/qemu-2.5.0-r99.ebuild b/app-emulation/qemu/qemu-2.5.0-r999.ebuild
1457 similarity index 90%
1458 rename from app-emulation/qemu/qemu-2.5.0-r99.ebuild
1459 rename to app-emulation/qemu/qemu-2.5.0-r999.ebuild
1460 index c2bbcc1..876141b 100644
1461 --- a/app-emulation/qemu/qemu-2.5.0-r99.ebuild
1462 +++ b/app-emulation/qemu/qemu-2.5.0-r999.ebuild
1463 @@ -7,8 +7,10 @@ EAPI=5
1464 PYTHON_COMPAT=( python2_7 )
1465 PYTHON_REQ_USE="ncurses,readline"
1466
1467 +PLOCALES="de_DE fr_FR hu it tr zh_CN"
1468 +
1469 inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
1470 - user udev fcaps readme.gentoo pax-utils
1471 + user udev fcaps readme.gentoo pax-utils l10n
1472
1473 BACKPORTS=
1474
1475 @@ -95,9 +97,9 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
1476 vte? ( x11-libs/vte:2.90 )
1477 )
1478 )
1479 - infiniband? ( sys-infiniband/librdmacm:=[static-libs(+)] )
1480 + infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] )
1481 iscsi? ( net-libs/libiscsi )
1482 - jpeg? ( virtual/jpeg:=[static-libs(+)] )
1483 + jpeg? ( virtual/jpeg:0=[static-libs(+)] )
1484 lzo? ( dev-libs/lzo:2[static-libs(+)] )
1485 ncurses? ( sys-libs/ncurses:0=[static-libs(+)] )
1486 nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] )
1487 @@ -212,11 +214,14 @@ QA_WX_LOAD="usr/bin/qemu-i386
1488 DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure
1489 you have the kernel module loaded before running kvm. The easiest way to
1490 ensure that the kernel module is loaded is to load it on boot.\n
1491 -For AMD CPUs the module is called 'kvm-amd'\n
1492 -For Intel CPUs the module is called 'kvm-intel'\n
1493 -Please review /etc/conf.d/modules for how to load these\n\n
1494 +For AMD CPUs the module is called 'kvm-amd'.\n
1495 +For Intel CPUs the module is called 'kvm-intel'.\n
1496 +Please review /etc/conf.d/modules for how to load these.\n\n
1497 Make sure your user is in the 'kvm' group\n
1498 -Just run 'gpasswd -a <USER> kvm', then have <USER> re-login."
1499 +Just run 'gpasswd -a <USER> kvm', then have <USER> re-login.\n\n
1500 +For brand new installs, the default permissions on /dev/kvm might not let you
1501 +access it. You can tell udev to reset ownership/perms:\n
1502 +udevadm trigger -c add /dev/kvm"
1503
1504 qemu_support_kvm() {
1505 if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \
1506 @@ -295,6 +300,29 @@ check_targets() {
1507 popd >/dev/null
1508 }
1509
1510 +handle_locales() {
1511 + # Make sure locale list is kept up-to-date.
1512 + local detected sorted
1513 + detected=$(echo $(cd po && printf '%s\n' *.po | grep -v messages.po | sed 's:.po$::' | sort -u))
1514 + sorted=$(echo $(printf '%s\n' ${PLOCALES} | sort -u))
1515 + if [[ ${sorted} != "${detected}" ]] ; then
1516 + eerror "The ebuild needs to be kept in sync."
1517 + eerror "PLOCALES: ${sorted}"
1518 + eerror " po/*.po: ${detected}"
1519 + die "sync PLOCALES"
1520 + fi
1521 +
1522 + # Deal with selective install of locales.
1523 + if use nls ; then
1524 + # Delete locales the user does not want. #577814
1525 + rm_loc() { rm po/$1.po || die; }
1526 + l10n_for_each_disabled_locale_do rm_loc
1527 + else
1528 + # Cheap hack to disable gettext .mo generation.
1529 + rm -f po/*.po
1530 + fi
1531 +}
1532 +
1533 src_prepare() {
1534 check_targets IUSE_SOFTMMU_TARGETS softmmu
1535 check_targets IUSE_USER_TARGETS linux-user
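Review bot: `rm_loc() { rm po/$1.po || die; }` in handle_locales leaves `$1` unquoted and gives `die` no message, so a locale name containing whitespace or a glob character word-splits before `rm` sees it and a failure reports only a generic error; quote it and name the file: `rm_loc() { rm "po/${1}.po" || die "failed to remove po/${1}.po"; }`. Those names arrive via l10n_for_each_disabled_locale_do, which presumably derives them from the user's LINGUAS setting rather than from PLOCALES, so the ebuild does not control their form. The `grep -v messages.po` filter in the detected list is unanchored and treats the dot as a regex wildcard, so `grep -vx 'messages\.po'` would exclude only the template file it is meant to skip. The nested `rm_loc` definition also stays defined after handle_locales returns; a top-level definition beside handle_locales would make that lifetime explicit.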
1536 @@ -304,9 +332,6 @@ src_prepare() {
1537 -e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \
1538 Makefile Makefile.target || die
1539
1540 - # Cheap hack to disable gettext .mo generation.
1541 - use nls || rm -f po/*.po
1542 -
1543 # Patching for musl
1544 epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch
1545 epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
1546 @@ -322,6 +347,20 @@ src_prepare() {
1547 epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110
1548 epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988
1549 epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566
1550 + epatch "${FILESDIR}"/${P}-CVE-2015-8613.patch #569118
1551 + epatch "${FILESDIR}"/${P}-CVE-2015-8619.patch #569300
1552 + epatch "${FILESDIR}"/${P}-CVE-2016-1714.patch #571560
1553 + epatch "${FILESDIR}"/${P}-CVE-2016-1922.patch #572082
1554 + epatch "${FILESDIR}"/${P}-CVE-2016-1981.patch #572412
1555 + epatch "${FILESDIR}"/${P}-usb-ehci-oob.patch #572454
1556 + epatch "${FILESDIR}"/${P}-CVE-2016-2197.patch #573280
1557 + epatch "${FILESDIR}"/${P}-CVE-2016-2198.patch #573314
1558 + epatch "${FILESDIR}"/${P}-CVE-2016-2392.patch #574902
1559 + epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492
1560 + epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420
1561 + epatch "${FILESDIR}"/${P}-sysmacros.patch
1562 + epatch "${FILESDIR}"/${P}-ne2000-reg-check.patch #573816
1563 + epatch "${FILESDIR}"/${P}-9pfs-segfault.patch #578142
1564
1565 # Fix ld and objcopy being called directly
1566 tc-export AR LD OBJCOPY
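Review bot: `epatch "${FILESDIR}"/${P}-sysmacros.patch` is the only new line in this list without a trailing bug reference, so a reader cannot tell from the ebuild why it is applied or whether it is a security backport like the CVE entries around it; add the reference or a short reason, e.g. `epatch "${FILESDIR}"/${P}-sysmacros.patch #<BUG-ID or one-line reason>`, taken from the patch header. The same applies in a weaker form to the ne2000 and 9pfs lines, whose bug numbers are present but whose names do not say they are security fixes. src_prepare starts and ends outside this hunk.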
1567 @@ -330,6 +369,9 @@ src_prepare() {
1568 MAKEOPTS+=" V=1"
1569
1570 epatch_user
1571 +
1572 + # Run after we've applied all patches.
1573 + handle_locales
1574 }
1575
1576 ##