commit: 283a88cbb8cda315a05a039a3d56705660d250ba |
Author: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
AuthorDate: Fri Jul 15 06:31:07 2016 +0000 |
Commit: Anthony G. Basile <blueness <AT> gentoo <DOT> org> |
CommitDate: Fri Jul 15 06:31:07 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=283a88cb |
|
app-emulation/qemu: update based on 2.5.0-r3 |
|
Package-Manager: portage-2.2.28 |
RepoMan-Options: --force |
|
app-emulation/qemu/Manifest | 19 ++- |
.../qemu/files/qemu-2.5.0-9pfs-segfault.patch | 34 ++++ |
.../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ++++ |
.../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 ++++++++++++++ |
.../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 +++++++ |
.../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 ++++++++ |
.../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 +++++++++++ |
.../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 +++++ |
.../qemu/files/qemu-2.5.0-CVE-2016-2198.patch | 46 ++++++ |
.../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ++++ |
.../qemu/files/qemu-2.5.0-ne2000-reg-check.patch | 37 +++++ |
.../files/qemu-2.5.0-rng-stack-corrupt-0.patch | 98 +++++++++++ |
.../files/qemu-2.5.0-rng-stack-corrupt-1.patch | 135 ++++++++++++++++ |
.../files/qemu-2.5.0-rng-stack-corrupt-2.patch | 155 ++++++++++++++++++ |
.../files/qemu-2.5.0-rng-stack-corrupt-3.patch | 179 +++++++++++++++++++++ |
.../qemu/files/qemu-2.5.0-sysmacros.patch | 15 ++ |
.../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 ++++++ |
.../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 +++++++ |
...emu-2.5.0-r99.ebuild => qemu-2.5.0-r999.ebuild} | 62 +++++-- |
19 files changed, 1335 insertions(+), 11 deletions(-) |
|
34 |
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest |
35 |
index 3d07bf4..4e4858a 100644 |
36 |
--- a/app-emulation/qemu/Manifest |
37 |
+++ b/app-emulation/qemu/Manifest |
38 |
@@ -4,14 +4,31 @@ AUX qemu-1.7.0-cflags.patch 300 SHA256 8f35e55c4bae93e82f9580eabe2d6a2d4660bd053 |
39 |
AUX qemu-2.0.0-F_SHLCK-and-F_EXLCK.patch 563 SHA256 99de67d610ad13a1dcf6c67a3c2b5b87fb909220173a956435737f9bea3c371b SHA512 a29e9a889388a6627ed492a79e66514ffb5e64f9479646982091811548fc2a9bf6682104a6c774d83e645e4b1db39e491afd4efce789fe164623442a7f3e5d00 WHIRLPOOL d3aab06099de263c22f4c71810a3b2cb8602d17731ec76674cd1415e539306555a7b96b789f0daad473600dfa04a83224ff603f7b9a9ac63a4902f74d0e9deb5 |
40 |
AUX qemu-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 930 SHA256 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac SHA512 ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea WHIRLPOOL 06b9dd5251ac03405c97b1f5a623b4d86bda2f72fbcd52b90ae4d11a0cfb59cae62df2cb6189405fbe53ab05ff2b7ca8165fda239dbfe5f31ed70abb53b3b9f3 |
41 |
AUX qemu-2.2.0-_sigev_un.patch 636 SHA256 f3b9a4d6162c553f3110ad22716305818e2130e2ff5d628faf044fc58a5e3cb5 SHA512 f72b879daede5184904f64cabb276de96299a37a93fce444d09e9068671009e95a5e5d6b815ec41a5db5b3807de14d470a56bba5806ffd4dfec577577b046ccb WHIRLPOOL 9453ad4966e10d504f3e867fd984642a3c1ee3ae847b5ca56196fd1f9e6c0f2d7b52ca07446212af72fef6d0ded1527a5eb306fa6cd915e8dd9ce11523362bac |
42 |
+AUX qemu-2.5.0-9pfs-segfault.patch 1294 SHA256 707835ed8af1aa7e8fc9f0e06c6afa8e77fe7858b20ad4c2df2a1aec0627332d SHA512 2af7498939ba653c36808a7bccafe4a3d8c3d1cfa7199c5788f67fb001925dff17e4faba5e13c6b1517ca887209452f4ba7ed71f6b4464d55b5e942350406f90 WHIRLPOOL 591ba85bd9e5ab0665ed5835878886ec0d774a500ed966dd1b37e5478a4799a38d319a6bb88d214f202a83282db6a0434641b30c8b70ceef6bd2fb1e38f8faef |
43 |
AUX qemu-2.5.0-CVE-2015-8558.patch 1459 SHA256 d769e6eb6dc0bdb0b982ef5fe7d73cc6bad47233102f53d11c6ed6c9051602d8 SHA512 42961191890c500675610d5d33e6ff468b07428c6b428ac01bb5c0e3ea88ff611a3532f848d54317458475fef221a06e41761ef14ea61d1b741db73450c4f90d WHIRLPOOL 475679dc1a24bc75012995a9a2122847454701b65ff0b7f8192865b45de49ce08572f129a7cfdeb36521252ed2f80c95e9dddbd64cb8e39fdc5beacc25934798 |
44 |
AUX qemu-2.5.0-CVE-2015-8567.patch 3108 SHA256 88b72df4e02407c3b9ca4835c38988b97fcd5aa9c68da6fa47207fe675d4e661 SHA512 2f0243ec9764d72fe5e7a005a8db40d3d5c4c2edae5c3451087ee3f5c841c96a3112875cf88a19061fa2ce0d04715d247e6eb1eb83e1e5b57ec0b9eb324b8ce6 WHIRLPOOL b432ff3e105da5c0bd20dd1d7da0374f4005b2ac5a9a8c824e96730aeafa89bb8fc125f8b2857fdaf72024082ddbc0c7a28c3e3ffb9114c3d370db1b638c4731 |
45 |
+AUX qemu-2.5.0-CVE-2015-8613.patch 1264 SHA256 c8df9bb4c0100ef6c8ae09acd73878e46b3ad4a9e04b9cfe30445922bc33299c SHA512 ea2bf909ec29bab0b2131bf9d3e8fc04f176393258c4ce578d3ac8d76f09a25b96f8a3b2aa450b47c0ba9bc9637e5b93e7cc53542362b48930de18ceebb07698 WHIRLPOOL f0d415b1df9f05cb0431801054535f8939d46e7dda6eaa5ce990eef82ddc458003eb9ae5dc06e3269ddb5ed8f8c903c1f3d058d41e63ea9a5192b6149283feb2 |
46 |
+AUX qemu-2.5.0-CVE-2015-8619.patch 4220 SHA256 325bb3df340a1f5115a345a145bed94e9b2d5721cf8cce1217138e8d5a8a0c1a SHA512 317e882da18332fe667c10c55b8f026d347d93c61f668e8ddb916f1b0f5e39a9e3104c14ab2306ce761024a02a78af3a4808627ad9f18c0d43d748fd30c21505 WHIRLPOOL feddd255cf3844cd270ca2662f6140cc7104f8328e51acb01dc2f6f1b4646061569f5faa629264ebeaa5a2b18e595c4a90b69a588aa05f1acf70d9570067c6c0 |
47 |
AUX qemu-2.5.0-CVE-2015-8701.patch 1671 SHA256 f39e0c6301cffa1b14c3ef0ab72fce0e2acd42170759ef7954234d31602aeb99 SHA512 d39edf84e2d17e6080bbc4a270732cd73b41fa39d948ee7bc4456e1024c5a69ddfb5e848af3272615f5aa36a3b6410a12f5a73e00ccfa58e0d60d7289d034aa9 WHIRLPOOL 352148c367837ba2d6eb5eb39e00c128f0cff3faef159754a41318857bc11a6616be184c24df4767ec2c8c14910ad74fc3be48273f6312b1687910fbcaf7bec3 |
48 |
AUX qemu-2.5.0-CVE-2015-8743.patch 1777 SHA256 22aac571c1aa6f6a283d200a7703fdfea0a5bcaf227a003a2cbf5741bbb8df85 SHA512 65d8632fd43959983ca02f9ab116ec78ea043e6d867e6d743014885c2a423bb3b87c2e56caa37e7f29e971a44f5ea695cb4ce1c3a9c1fc2d734b25ca0b2f4054 WHIRLPOOL 9128c812cfbfe3d4629cd6c7c2c6f50c9ef2fe2d5b62b24486559279296987f593f852f913eb67fbe956d650d50612fa7a658a60b3d80cf4fa9256e332d77330 |
49 |
AUX qemu-2.5.0-CVE-2016-1568.patch 1476 SHA256 ba2a25142977eea531159d81ef8938e8519c92800aa1958e71da9e2780c8256a SHA512 643ef742e6cd1dbc8f420b38f684bc8639e4bd58ab38c254654d4b1a72b129202fecdddddfd308b48ed7813da193edff68d737080d5035c82daf9676ee17df22 WHIRLPOOL af9376400540f20d77ea06cb6a12ce415b72bb22cdde3365bba8b02deb8985aedfee303646e13e1d1263a2dcd17bf1518637183a81c66c2db7b438aa88ef7d95 |
50 |
+AUX qemu-2.5.0-CVE-2016-1714.patch 2168 SHA256 2a366b01f5c05a87324ca765cea90bc93eda819d264932ac4588e6303e0b7dee SHA512 25f5f67dbcb2175bac1b5d6d11bf6b27019526c0ee43ed8580a0de10bf82ac62e5a71ded4d18c0e561d8d3832da630c92f9f118277da349367f55b4939029216 WHIRLPOOL 600d0c90779aaf7c1840e106359c909d486c7cce483edc0e5ddc627a127c907f5dd9cbd5b8ce561e2675f6bfe8cd0502efa96557601ce26eda2311b1072ab48b |
51 |
+AUX qemu-2.5.0-CVE-2016-1922.patch 2114 SHA256 a10d23d5ff3d021aa0962c79a397b69518cec6cd570ebea771f03513d4b7eb1a SHA512 af895fd14e876f808203279176c5f5c28d95d0137385c6d0e56e27f9ad70b76552b8ce75a3be368ceed94fbc62999e8d6c5e6dbcd35e99d59c57787afe6ac57d WHIRLPOOL 199ec0c9bc766968778e5733e1ca0773999a3cccfa779d8fdf68c2ed866a1427048b0db9730eb2a1521be5e174ea6388b69053c85d0d25144e73df25ec7829a9 |
52 |
+AUX qemu-2.5.0-CVE-2016-1981.patch 4160 SHA256 ad440f4964670e68846a3469e0cb0eca3ecf11cfc5c2e32b09581b64eef43ab7 SHA512 f133a311da42cc831116251550359949e0f23f1163a7b0e638fc5f43edf1dea17a5e5843a06142c3086ef367d94898b074eebf8c371ea83b7a3981cfd20c4e27 WHIRLPOOL ba6e563917773d4488f51c11864a6ce1a4331ba6fc7925f47768282ea75f1a26c51792063c946579d49b28e3ed7a854a191732c1ba7ec40628395e971cf67782 |
53 |
+AUX qemu-2.5.0-CVE-2016-2197.patch 1358 SHA256 caa5eb42b21a3fc656982fdc4e511c8350eeb0511857d9b8f371e4e926c2ac80 SHA512 ee6467ef00c5db1e6c5f6331ec411afd139e7e8c5d5e23e3ee33b3161f0e79028ddecfa661bf4bfb5bac0cfa91385f69d66b57c5337384817f0756b7575aa099 WHIRLPOOL 67bab11771159560fd080d157477aa227aa351bb8101671c0e778a38a15d607a2346ade7b10310914f93d5a1faeb993003590e7bf75cd5c9d06db0c687085b51 |
54 |
+AUX qemu-2.5.0-CVE-2016-2198.patch 1540 SHA256 0d6d81a27ffac1af7c478a050aa690eb007cf9735a1a0c4b398eabeb990d5ab4 SHA512 b0b3131bb2b9b2d3f2a3f3286eeb92b527f0d3366e657cf8bcbabc6426b57893936c5a8ef66697ad1014b4525c09fa4d067195600f96ab2b005fd52b6e77d9a4 WHIRLPOOL f5c56b87f934c573fc71169fcded579b9917285fbfff59fd9288011775f482ead2ac09e1399f325e826305fab2f7bc2cd21d333711c526c1658a069a5ee93491 |
55 |
+AUX qemu-2.5.0-CVE-2016-2392.patch 1265 SHA256 a81d906bcf18fb5cf76fa5fa686c848a33f43054bff03a7a2e0e391a34884be8 SHA512 cac6503176f1e37fa6e9bab1daa4bbec6fb6fb3be4ec2e30427356969f3310b8bb898356f9e7f786e75c3ba07b9bc7afb9f0ac7a99adc12847de49b55c0d7960 WHIRLPOOL 65456ade1b773ebfe629ab0fb0045613b4d2f0f5c2d9ec20409170cba5011de46800bf1dd42a78334fe5166a2c8201e6505f3db904474cd4c28d1e88df0f9daf |
56 |
AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154 |
57 |
+AUX qemu-2.5.0-ne2000-reg-check.patch 1141 SHA256 b64fd5bfbd9c7b37b9003271e9902db4ea28b71095a51e161c7698e2f690183b SHA512 7f94ef8cb023224750abc5c2c7d515ccc6ce7f8b655a1454673ecc291193551b9ae00c248c609368a0cf143888ba2c3a5a929a4f9477e5efd27f92c45abc8722 WHIRLPOOL 43fec025a08e0aa0c14ab5ac11cd9aa49b03e52e3fcaacb6785ecd25aa531edfd04a5f8913330e27acf046f8cad2c57887e1a353779ee73ab8bb2dad65c446a7 |
58 |
+AUX qemu-2.5.0-rng-stack-corrupt-0.patch 3125 SHA256 164b155db78a9291b9f8dea71a16b5779e1a9d382a8cb0f5ff380d1f2d811cef SHA512 7da544873dbefbbc7a2ed69bd7cca0053bfe71ef7f5c2faf12cb5dc6e07b8d9104e5bcf329b3355e886edc5805509623234c9fe8fb536544d6285b04ccc59919 WHIRLPOOL f076264ce4bae5be2f34e006e3e4dcc20042313cb6da4977b61529c3100e835952807738d53a86967f98abad68eba1c8dcbb6a04af162b048399e059b5eb9d6b |
59 |
+AUX qemu-2.5.0-rng-stack-corrupt-1.patch 4110 SHA256 16966eb20072a5d16fec46e5959e32708342af9a7266fe4a90a0abaf68af3529 SHA512 530d6a5f9b6795013bbe197cf0a0d7eddfb06d18c0f8410bcf5bcc2d32c4b72c325b8b0ade2c517bd305fcbdab03124cc527d24d73ce767daf51de65d00920c8 WHIRLPOOL c0b653c67993c6c6ed282f0c86099c8c80a241f10e23ef3fd8e33c6d86fbb5553049550e83954cfc6d3576735c4ce28099f813917966c0a05c84bb46a6bee413 |
60 |
+AUX qemu-2.5.0-rng-stack-corrupt-2.patch 4601 SHA256 c2b4e1ee8ee4bb2f4d42012a847c1da83a9e2349238d37bba1a3b9c440957f7f SHA512 ba299d07c7382f39f177f8094594daf131727d3d28633b426064f7cc6bf75d19b1ae78db248fc70ddbdb43fd2a6b0c5ed7793e6f42aba2763cdb4c12d6816c54 WHIRLPOOL 62b6ab75c32574a4c53193d82c7f51efdaa4789154c2d2f9acee7ede240d2920d92e31dfead7edc17aa12f938919143ce049d2c9ef9733baccc27d382506437f |
61 |
+AUX qemu-2.5.0-rng-stack-corrupt-3.patch 5519 SHA256 5a3c2ed59bc30f395aee5cd0b77cdb06d868386e5bbe1b392169f8d96ae9474a SHA512 f62713130d3b989b274476a4cc2eafb95dc41de4723fe475e454132817a159eb729bbbe5a29aee755715100095670107c5762271184252e9d0cd43c4b25bc5d1 WHIRLPOOL f8e4aa90b90b03dd6e4dd68734cb16ee5f59a9585697ef3c48e7e861968798cb3c66018ad5a788f99b99e9fddab2ae83d977ec4b1a8599596a5ce03286726e3e |
62 |
+AUX qemu-2.5.0-sysmacros.patch 333 SHA256 a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 WHIRLPOOL 2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73 |
63 |
+AUX qemu-2.5.0-usb-ehci-oob.patch 2014 SHA256 e0593f8a645dfca3115ea56d1b74d701f07c60d80eadf0bf68133e7539de345a SHA512 c02e0881bb85ffbf7d401b4ee5801692262cddaef9245dfcbf323f0f4d310394e1fbbf639f7a3d2d39ae428c09513adcb9be7fdcf49b7accf133d911dc0b702c WHIRLPOOL 992b2c6d3464a53174054f0d2dc6ec70eeb1e17128ee65c7986d9f5ec80e037bca9bd5bfb65c66bb9bf85f0b56a1a6d008ab4dbe35602d7deea9489add2e7c4b |
64 |
+AUX qemu-2.5.0-usb-ndis-int-overflow.patch 2404 SHA256 caa4ff5ab038e88b2b09f04f2a9528fc47d42d35fbd35bbd7907afd292ef66db SHA512 f87de0a9f161f14814fafc883bd557f8f007a53729dc3c36145dd19ea9c52eabb81f6ada4e4a7122a461c9bed6f524ea0b92f9182b77a4c7cf9c8ecfc217f8e0 WHIRLPOOL 6022a3e0b125beb85efa2b6c1edf5a94dce27bd299d247078d418cf6515c8fc0ca1d8032034ef427c3d4681cc3536900099391b623152b2609cab2f4f963d046 |
65 |
AUX qemu-binfmt.initd-r1 6910 SHA256 2886c567589b958f450a87537cdb6c5bf95e8c1e4afbdf59139d16819e79d51d SHA512 09f399b6b559c6dd64d77843f600afad464909e72ae0924e97a5ef2eea55b3fb8abf6fbd57c380ec60e2f9d145ec365fd9a24c2e1b84cc6cef7070e4fb5bd72e WHIRLPOOL 983f6ae733c23c0049321184e1b6738ad5d27a70265945e6b47f3fb317ba3c84918b4929e728081549062fd0bf4a46c0a7e7184911355f3ac75963e1f8b70cd4 |
66 |
AUX qemu-kvm-1.4 68 SHA256 8b1adf198129f001e75a2311fc420c168094d1084d2163cdf6a32b3b23c96137 SHA512 706fab4d155c410acc292e67fb354ce7dcd17f7e33f2ca8c9c44035ea128f8d36f89e27cf87ebe22721f5676be9e7f2ae5484fd000183c8ffd7854e02eb3d120 WHIRLPOOL ef795330b592cef8e3d92f52a77eb77a671e6aa1a47d07531917b5c1c09e72e5df1a44aea939b086e0a3c5ef2a5cea9223556a46ceae73e55300475c42f07067 |
67 |
DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef |
68 |
-EBUILD qemu-2.5.0-r99.ebuild 20028 SHA256 a8c89e0649ac5d54414b0ba7a4c86e2673fd3ec2e0d03cf23a559ad48a34fa4d SHA512 ccdc156b51f7e790eb0b4922c6a466658525c76e55818c9fa77cc56d542d6fe0607a9eb868c39b226376396282455d582e04921f6289a0cf35a9091aae239f86 WHIRLPOOL 0a9f4f35b22bdc85567f5f60729ba9e973db5b34cfcae571db66ab395010e27084c9fd58d1a65d237444099e893d829721f4984d8c6d47c4c55fea8eba7b7884 |
69 |
+EBUILD qemu-2.5.0-r999.ebuild 21699 SHA256 8ca42bbf30baa2271e0a1a7be920a06dba32f7c0b6c0ea50d3dd93d949d6522f SHA512 182ccb339259864276e7540b630dfb46e98058df978ffe7ad1a13df541f70f949a62ece46699cc2ba4c3311a24ccd609933733226bb660cc28c37a4f9608c755 WHIRLPOOL 462aa47e61ad570fc9d874145bbca1ab5b804b590f97a34c62f2640b774f380d105c7d2a61790c1c229b8613f8aa74e2d78f8e01dcdce336e202ce64b4172e2b |
70 |
MISC metadata.xml 3925 SHA256 d1c219b7da0cbf77919cd1e055acbb3f6788a574fd802c98a43c89a411697b36 SHA512 3ff45d1c8ede12b4eedc7d01f39777b76a1cbd0ba9364299dec99d4b4a05cade5784d6f6e50197d5b5ae1f1b8e831c49da195eb53263c49b7d16aec8ee28b6e6 WHIRLPOOL bc25783fac0f3f13318834cc535404af9af20de16c7aeec222e59dc2ed7740ac5e767b329a5bcd6356d0cbae2428e278515f1446aa8ecb87a873bf4dbe04bf41 |
71 |
|
72 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch |
73 |
new file mode 100644 |
74 |
index 0000000..0e27684 |
75 |
--- /dev/null |
76 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch |
77 |
@@ -0,0 +1,34 @@ |
78 |
+From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001 |
79 |
+From: Greg Kurz <gkurz@××××××××××××××.com> |
80 |
+Date: Wed, 23 Dec 2015 10:56:58 +0100 |
81 |
+Subject: [PATCH] virtio-9p: use accessor to get thread_pool |
82 |
+ |
83 |
+The aio_context_new() function does not allocate a thread pool. This is |
84 |
+deferred to the first call to the aio_get_thread_pool() accessor. It is |
85 |
+hence forbidden to access the thread_pool field directly, as it may be |
86 |
+NULL. The accessor *must* be used always. |
87 |
+ |
88 |
+Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e |
89 |
+Reviewed-by: Michael Tokarev <mjt@×××××××.ru> |
90 |
+Tested-by: Michael Tokarev <mjt@×××××××.ru> |
91 |
+Cc: qemu-stable@××××××.org |
92 |
+Signed-off-by: Greg Kurz <gkurz@××××××××××××××.com> |
93 |
+--- |
94 |
+ hw/9pfs/virtio-9p-coth.c | 2 +- |
95 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
96 |
+ |
97 |
+diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c |
98 |
+index fb6e8f8..ab9425c 100644 |
99 |
+--- a/hw/9pfs/virtio-9p-coth.c |
100 |
++++ b/hw/9pfs/virtio-9p-coth.c |
101 |
+@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg) |
102 |
+ void co_run_in_worker_bh(void *opaque) |
103 |
+ { |
104 |
+ Coroutine *co = opaque; |
105 |
+- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool, |
106 |
++ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()), |
107 |
+ coroutine_enter_func, co, coroutine_enter_cb, co); |
108 |
+ } |
109 |
+-- |
110 |
+2.7.4 |
111 |
+ |
112 |
|
113 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch |
114 |
new file mode 100644 |
115 |
index 0000000..61a52ee |
116 |
--- /dev/null |
117 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch |
118 |
@@ -0,0 +1,35 @@ |
119 |
+From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001 |
120 |
+From: P J P <ppandit@××××××.com> |
121 |
+Date: Mon, 21 Dec 2015 15:13:13 +0530 |
122 |
+Subject: [PATCH] scsi: initialise info object with appropriate size |
123 |
+ |
124 |
+While processing controller 'CTRL_GET_INFO' command, the routine |
125 |
+'megasas_ctrl_get_info' overflows the '&info' object size. Use its |
126 |
+appropriate size to null initialise it. |
127 |
+ |
128 |
+Reported-by: Qinghao Tang <luodalongde@×××××.com> |
129 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
130 |
+Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> |
131 |
+Cc: qemu-stable@××××××.org |
132 |
+Signed-off-by: Paolo Bonzini <pbonzini@××××××.com> |
133 |
+Signed-off-by: P J P <ppandit@××××××.com> |
134 |
+--- |
135 |
+ hw/scsi/megasas.c | 2 +- |
136 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
137 |
+ |
138 |
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c |
139 |
+index d7dc667..576f56c 100644 |
140 |
+--- a/hw/scsi/megasas.c |
141 |
++++ b/hw/scsi/megasas.c |
142 |
+@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) |
143 |
+ BusChild *kid; |
144 |
+ int num_pd_disks = 0; |
145 |
+ |
146 |
+- memset(&info, 0x0, cmd->iov_size); |
147 |
++ memset(&info, 0x0, dcmd_size); |
148 |
+ if (cmd->iov_size < dcmd_size) { |
149 |
+ trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, |
150 |
+ dcmd_size); |
151 |
+-- |
152 |
+2.7.4 |
153 |
+ |
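Review bot: The new `memset(&info, 0x0, dcmd_size);` bounds the zeroing by `dcmd_size`, but that variable is defined above the hunk and the only thing visible here is it being compared against the guest-supplied `cmd->iov_size`; if it is ever derived from anything other than `sizeof(info)`, the stack overflow this backport closes (CVE-2015-8613) is narrowed rather than removed. `memset(&info, 0x0, sizeof(info));` would make the bound self-evident and independent of how `dcmd_size` is computed, which is presumably `sizeof(info)` already. The enclosing `megasas_ctrl_get_info` starts and ends outside the hunk, so the handling of the `iov_size < dcmd_size` branch could not be checked from here.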
154 |
|
155 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch |
156 |
new file mode 100644 |
157 |
index 0000000..be67336 |
158 |
--- /dev/null |
159 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch |
160 |
@@ -0,0 +1,121 @@ |
161 |
+From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001 |
162 |
+From: Wolfgang Bumiller <w.bumiller@×××××××.com> |
163 |
+Date: Wed, 13 Jan 2016 09:09:58 +0100 |
164 |
+Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) |
165 |
+ |
166 |
+When processing 'sendkey' command, hmp_sendkey routine null |
167 |
+terminates the 'keyname_buf' array. This results in an OOB |
168 |
+write issue, if 'keyname_len' was to fall outside of |
169 |
+'keyname_buf' array. |
170 |
+ |
171 |
+Since the keyname's length is known the keyname_buf can be |
172 |
+removed altogether by adding a length parameter to |
173 |
+index_from_key() and using it for the error output as well. |
174 |
+ |
175 |
+Reported-by: Ling Liu <liuling-it@×××.cn> |
176 |
+Signed-off-by: Wolfgang Bumiller <w.bumiller@×××××××.com> |
177 |
+Message-Id: <20160113080958.GA18934@olga> |
178 |
+[Comparison with "<" dumbed down, test for junk after strtoul() |
179 |
+tweaked] |
180 |
+Signed-off-by: Markus Armbruster <armbru@××××××.com> |
181 |
+--- |
182 |
+ hmp.c | 18 ++++++++---------- |
183 |
+ include/ui/console.h | 2 +- |
184 |
+ ui/input-legacy.c | 5 +++-- |
185 |
+ 3 files changed, 12 insertions(+), 13 deletions(-) |
186 |
+ |
187 |
+diff --git a/hmp.c b/hmp.c |
188 |
+index 54f2620..9c571f5 100644 |
189 |
+--- a/hmp.c |
190 |
++++ b/hmp.c |
191 |
+@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) |
192 |
+ int has_hold_time = qdict_haskey(qdict, "hold-time"); |
193 |
+ int hold_time = qdict_get_try_int(qdict, "hold-time", -1); |
194 |
+ Error *err = NULL; |
195 |
+- char keyname_buf[16]; |
196 |
+ char *separator; |
197 |
+ int keyname_len; |
198 |
+ |
199 |
+ while (1) { |
200 |
+ separator = strchr(keys, '-'); |
201 |
+ keyname_len = separator ? separator - keys : strlen(keys); |
202 |
+- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); |
203 |
+ |
204 |
+ /* Be compatible with old interface, convert user inputted "<" */ |
205 |
+- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { |
206 |
+- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); |
207 |
++ if (keys[0] == '<' && keyname_len == 1) { |
208 |
++ keys = "less"; |
209 |
+ keyname_len = 4; |
210 |
+ } |
211 |
+- keyname_buf[keyname_len] = 0; |
212 |
+ |
213 |
+ keylist = g_malloc0(sizeof(*keylist)); |
214 |
+ keylist->value = g_malloc0(sizeof(*keylist->value)); |
215 |
+@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) |
216 |
+ } |
217 |
+ tmp = keylist; |
218 |
+ |
219 |
+- if (strstart(keyname_buf, "0x", NULL)) { |
220 |
++ if (strstart(keys, "0x", NULL)) { |
221 |
+ char *endp; |
222 |
+- int value = strtoul(keyname_buf, &endp, 0); |
223 |
+- if (*endp != '\0') { |
224 |
++ int value = strtoul(keys, &endp, 0); |
225 |
++ assert(endp <= keys + keyname_len); |
226 |
++ if (endp != keys + keyname_len) { |
227 |
+ goto err_out; |
228 |
+ } |
229 |
+ keylist->value->type = KEY_VALUE_KIND_NUMBER; |
230 |
+ keylist->value->u.number = value; |
231 |
+ } else { |
232 |
+- int idx = index_from_key(keyname_buf); |
233 |
++ int idx = index_from_key(keys, keyname_len); |
234 |
+ if (idx == Q_KEY_CODE_MAX) { |
235 |
+ goto err_out; |
236 |
+ } |
237 |
+@@ -1789,7 +1787,7 @@ out: |
238 |
+ return; |
239 |
+ |
240 |
+ err_out: |
241 |
+- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); |
242 |
++ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); |
243 |
+ goto out; |
244 |
+ } |
245 |
+ |
246 |
+diff --git a/include/ui/console.h b/include/ui/console.h |
247 |
+index adac36d..116bc2b 100644 |
248 |
+--- a/include/ui/console.h |
249 |
++++ b/include/ui/console.h |
250 |
+@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires) |
251 |
+ void curses_display_init(DisplayState *ds, int full_screen); |
252 |
+ |
253 |
+ /* input.c */ |
254 |
+-int index_from_key(const char *key); |
255 |
++int index_from_key(const char *key, size_t key_length); |
256 |
+ |
257 |
+ /* gtk.c */ |
258 |
+ void early_gtk_display_init(int opengl); |
259 |
+diff --git a/ui/input-legacy.c b/ui/input-legacy.c |
260 |
+index 35dfc27..3454055 100644 |
261 |
+--- a/ui/input-legacy.c |
262 |
++++ b/ui/input-legacy.c |
263 |
+@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { |
264 |
+ static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = |
265 |
+ QTAILQ_HEAD_INITIALIZER(led_handlers); |
266 |
+ |
267 |
+-int index_from_key(const char *key) |
268 |
++int index_from_key(const char *key, size_t key_length) |
269 |
+ { |
270 |
+ int i; |
271 |
+ |
272 |
+ for (i = 0; QKeyCode_lookup[i] != NULL; i++) { |
273 |
+- if (!strcmp(key, QKeyCode_lookup[i])) { |
274 |
++ if (!strncmp(key, QKeyCode_lookup[i], key_length) && |
275 |
++ !QKeyCode_lookup[i][key_length]) { |
276 |
+ break; |
277 |
+ } |
278 |
+ } |
279 |
+-- |
280 |
+2.7.4 |
281 |
+ |
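Review bot: `index_from_key` acquires a non-obvious contract in this patch — `key` is no longer required to be NUL-terminated, only the first `key_length` bytes are compared, and the extra `!QKeyCode_lookup[i][key_length]` test is what rejects a lookup name that merely starts with the key — yet neither the prototype in include/ui/console.h nor the definition in ui/input-legacy.c says so. A comment on the prototype such as `/* Look up a QKeyCode by name. key need not be NUL-terminated; only key_length bytes are examined. Returns Q_KEY_CODE_MAX when nothing matches. */` would stop a future caller from passing a NUL-terminated string with the wrong length. Note also that hmp_sendkey passes an `int keyname_len` into the `size_t key_length` parameter; harmless for monitor input, but worth keeping the types aligned. The function's return statement lies just below the hunk, so the Q_KEY_CODE_MAX return value is inferred from the hmp.c check rather than seen.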
282 |
|
283 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch |
284 |
new file mode 100644 |
285 |
index 0000000..917fa2f |
286 |
--- /dev/null |
287 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch |
288 |
@@ -0,0 +1,58 @@ |
289 |
+From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 |
290 |
+From: "Gabriel L. Somlo" <somlo@×××.edu> |
291 |
+Date: Thu, 5 Nov 2015 09:32:50 -0500 |
292 |
+Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer |
293 |
+MIME-Version: 1.0 |
294 |
+Content-Type: text/plain; charset=UTF-8 |
295 |
+Content-Transfer-Encoding: 8bit |
296 |
+ |
297 |
+When calculating a pointer to the currently selected fw_cfg item, the |
298 |
+following is used: |
299 |
+ |
300 |
+ FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
301 |
+ |
302 |
+When s->cur_entry is FW_CFG_INVALID, we are calculating the address of |
303 |
+a non-existent element in s->entries[arch][...], which is undefined. |
304 |
+ |
305 |
+This patch ensures the resulting entry pointer is set to NULL whenever |
306 |
+s->cur_entry is FW_CFG_INVALID. |
307 |
+ |
308 |
+Reported-by: Laszlo Ersek <lersek@××××××.com> |
309 |
+Reviewed-by: Laszlo Ersek <lersek@××××××.com> |
310 |
+Signed-off-by: Gabriel Somlo <somlo@×××.edu> |
311 |
+Message-id: 1446733972-1602-5-git-send-email-somlo@×××.edu |
312 |
+Cc: Marc Marí <markmb@××××××.com> |
313 |
+Signed-off-by: Gabriel Somlo <somlo@×××.edu> |
314 |
+Reviewed-by: Laszlo Ersek <lersek@××××××.com> |
315 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
316 |
+--- |
317 |
+ hw/nvram/fw_cfg.c | 6 ++++-- |
318 |
+ 1 file changed, 4 insertions(+), 2 deletions(-) |
319 |
+ |
320 |
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c |
321 |
+index c2d3a0a..046fa74 100644 |
322 |
+--- a/hw/nvram/fw_cfg.c |
323 |
++++ b/hw/nvram/fw_cfg.c |
324 |
+@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) |
325 |
+ static uint8_t fw_cfg_read(FWCfgState *s) |
326 |
+ { |
327 |
+ int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); |
328 |
+- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
329 |
++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : |
330 |
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
331 |
+ uint8_t ret; |
332 |
+ |
333 |
+ if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) |
334 |
+@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) |
335 |
+ } |
336 |
+ |
337 |
+ arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); |
338 |
+- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
339 |
++ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : |
340 |
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
341 |
+ |
342 |
+ if (dma.control & FW_CFG_DMA_CTL_READ) { |
343 |
+ read = 1; |
344 |
+-- |
345 |
+2.7.4 |
346 |
+ |
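Review bot: In `fw_cfg_dma_transfer` the new code leaves `e` NULL when `s->cur_entry == FW_CFG_INVALID`, but unlike `fw_cfg_read` — whose `if (s->cur_entry == FW_CFG_INVALID || !e->data || ...)` short-circuits before touching `e` — nothing visible in this hunk guards the later uses of `e` on the DMA path; that guard, if present, sits below the hunk. Since the selector is presumably guest-written (the hunk header shows `fw_cfg_select(FWCfgState *s, uint16_t key)`), a missing guard would turn the undefined pointer arithmetic this patch removes into a guest-triggerable NULL dereference. I would add `/* NULL when no entry is selected: every use of e below must sit behind a cur_entry == FW_CFG_INVALID test */` at the assignment and confirm that the first `e->data` or `e->len` access in the function is guarded. Both enclosing functions continue outside the hunk.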
347 |
|
348 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch |
349 |
new file mode 100644 |
350 |
index 0000000..23c2341 |
351 |
--- /dev/null |
352 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch |
353 |
@@ -0,0 +1,65 @@ |
354 |
+From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001 |
355 |
+From: P J P <ppandit@××××××.com> |
356 |
+Date: Fri, 18 Dec 2015 11:35:07 +0530 |
357 |
+Subject: [PATCH] i386: avoid null pointer dereference |
358 |
+ |
359 |
+ Hello, |
360 |
+ |
361 |
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It |
362 |
+occurs while doing I/O port write operations via hmp interface. In that, |
363 |
+'current_cpu' remains null as it is not called from cpu_exec loop, which |
364 |
+results in the said issue. |
365 |
+ |
366 |
+Below is a proposed (tested)patch to fix this issue; Does it look okay? |
367 |
+ |
368 |
+=== |
369 |
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 |
370 |
+From: Prasad J Pandit <pjp@×××××××××××××.org> |
371 |
+Date: Fri, 18 Dec 2015 11:16:07 +0530 |
372 |
+Subject: [PATCH] i386: avoid null pointer dereference |
373 |
+ |
374 |
+When I/O port write operation is called from hmp interface, |
375 |
+'current_cpu' remains null, as it is not called from cpu_exec() |
376 |
+loop. This leads to a null pointer dereference in vapic_write |
377 |
+routine. Add check to avoid it. |
378 |
+ |
379 |
+Reported-by: Ling Liu <liuling-it@×××.cn> |
380 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
381 |
+Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva> |
382 |
+Signed-off-by: Paolo Bonzini <pbonzini@××××××.com> |
383 |
+Signed-off-by: P J P <ppandit@××××××.com> |
384 |
+--- |
385 |
+ hw/i386/kvmvapic.c | 15 ++++++++++----- |
386 |
+ 1 file changed, 10 insertions(+), 5 deletions(-) |
387 |
+ |
388 |
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c |
389 |
+index c6d34b2..f0922da 100644 |
390 |
+--- a/hw/i386/kvmvapic.c |
391 |
++++ b/hw/i386/kvmvapic.c |
392 |
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) |
393 |
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data, |
394 |
+ unsigned int size) |
395 |
+ { |
396 |
+- CPUState *cs = current_cpu; |
397 |
+- X86CPU *cpu = X86_CPU(cs); |
398 |
+- CPUX86State *env = &cpu->env; |
399 |
+- hwaddr rom_paddr; |
400 |
+ VAPICROMState *s = opaque; |
401 |
++ X86CPU *cpu; |
402 |
++ CPUX86State *env; |
403 |
++ hwaddr rom_paddr; |
404 |
+ |
405 |
+- cpu_synchronize_state(cs); |
406 |
++ if (!current_cpu) { |
407 |
++ return; |
408 |
++ } |
409 |
++ |
410 |
++ cpu_synchronize_state(current_cpu); |
411 |
++ cpu = X86_CPU(current_cpu); |
412 |
++ env = &cpu->env; |
413 |
+ |
414 |
+ /* |
415 |
+ * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. |
416 |
+-- |
417 |
+2.7.4 |
418 |
+ |
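Review bot: The new `if (!current_cpu) { return; }` makes `vapic_write` silently discard the access with no in-code explanation of when that happens; the reason lives only in the commit message (an I/O port write issued through the HMP monitor rather than from the `cpu_exec()` loop, where `current_cpu` is unset). A comment on the guard, e.g. `/* Not in vCPU context (e.g. an I/O port write from the HMP monitor): there is no CPU state to act on, so ignore the access. */`, keeps the next reader from treating the early return as a bug, and a trace point there would make the dropped write visible to whoever issued it. The rest of `vapic_write`, including the hypercall dispatch that now relies on `cpu` and `env` being set, continues below the hunk.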
419 |
|
420 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch |
421 |
new file mode 100644 |
422 |
index 0000000..2922193 |
423 |
--- /dev/null |
424 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch |
425 |
@@ -0,0 +1,98 @@ |
426 |
+From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001 |
427 |
+From: Laszlo Ersek <lersek@××××××.com> |
428 |
+Date: Tue, 19 Jan 2016 14:17:20 +0100 |
429 |
+Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer |
430 |
+ start |
431 |
+ |
432 |
+The start_xmit() and e1000_receive_iov() functions implement DMA transfers |
433 |
+iterating over a set of descriptors that the guest's e1000 driver |
434 |
+prepares: |
435 |
+ |
436 |
+- the TDLEN and RDLEN registers store the total size of the descriptor |
437 |
+ area, |
438 |
+ |
439 |
+- while the TDH and RDH registers store the offset (in whole tx / rx |
440 |
+ descriptors) into the area where the transfer is supposed to start. |
441 |
+ |
442 |
+Each time a descriptor is processed, the TDH and RDH register is bumped |
443 |
+(as appropriate for the transfer direction). |
444 |
+ |
445 |
+QEMU already contains logic to deal with bogus transfers submitted by the |
446 |
+guest: |
447 |
+ |
448 |
+- Normally, the transmit case wants to increase TDH from its initial value |
449 |
+ to TDT. (TDT is allowed to be numerically smaller than the initial TDH |
450 |
+ value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe |
451 |
+ that QEMU currently has here is a check against reaching the original |
452 |
+ TDH value again -- a complete wraparound, which should never happen. |
453 |
+ |
454 |
+- In the receive case RDH is increased from its initial value until |
455 |
+ "total_size" bytes have been received; preferably in a single step, or |
456 |
+ in "s->rxbuf_size" byte steps, if the latter is smaller. However, null |
457 |
+ RX descriptors are skipped without receiving data, while RDH is |
458 |
+ incremented just the same. QEMU tries to prevent an infinite loop |
459 |
+ (processing only null RX descriptors) by detecting whether RDH assumes |
460 |
+ its original value during the loop. (Again, wrapping from RDLEN to 0 is |
461 |
+ normal.) |
462 |
+ |
463 |
+What both directions miss is that the guest could program TDLEN and RDLEN |
464 |
+so low, and the initial TDH and RDH so high, that these registers will |
465 |
+immediately be truncated to zero, and then never reassume their initial |
466 |
+values in the loop -- a full wraparound will never occur. |
467 |
+ |
468 |
+The condition that expresses this is: |
469 |
+ |
470 |
+ xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) |
471 |
+ |
472 |
+i.e., TDH or RDH start out after the last whole rx or tx descriptor that |
473 |
+fits into the TDLEN or RDLEN sized area. |
474 |
+ |
475 |
+This condition could be checked before we enter the loops, but |
476 |
+pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for |
477 |
+bogus DMA addresses, so we just extend the existing failsafes with the |
478 |
+above condition. |
479 |
+ |
480 |
+This is CVE-2016-1981. |
481 |
+ |
482 |
+Cc: "Michael S. Tsirkin" <mst@××××××.com> |
483 |
+Cc: Petr Matousek <pmatouse@××××××.com> |
484 |
+Cc: Stefano Stabellini <stefano.stabellini@×××××××××.com> |
485 |
+Cc: Prasad Pandit <ppandit@××××××.com> |
486 |
+Cc: Michael Roth <mdroth@××××××××××××××.com> |
487 |
+Cc: Jason Wang <jasowang@××××××.com> |
488 |
+Cc: qemu-stable@××××××.org |
489 |
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 |
490 |
+Signed-off-by: Laszlo Ersek <lersek@××××××.com> |
491 |
+Reviewed-by: Jason Wang <jasowang@××××××.com> |
492 |
+Signed-off-by: Jason Wang <jasowang@××××××.com> |
493 |
+--- |
494 |
+ hw/net/e1000.c | 6 ++++-- |
495 |
+ 1 file changed, 4 insertions(+), 2 deletions(-) |
496 |
+ |
497 |
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c |
498 |
+index 4eda7a3..0387fa0 100644 |
499 |
+--- a/hw/net/e1000.c |
500 |
++++ b/hw/net/e1000.c |
501 |
+@@ -909,7 +909,8 @@ start_xmit(E1000State *s) |
502 |
+ * bogus values to TDT/TDLEN. |
503 |
+ * there's nothing too intelligent we could do about this. |
504 |
+ */ |
505 |
+- if (s->mac_reg[TDH] == tdh_start) { |
506 |
++ if (s->mac_reg[TDH] == tdh_start || |
507 |
++ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { |
508 |
+ DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", |
509 |
+ tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); |
510 |
+ break; |
511 |
+@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) |
512 |
+ if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) |
513 |
+ s->mac_reg[RDH] = 0; |
514 |
+ /* see comment in start_xmit; same here */ |
515 |
+- if (s->mac_reg[RDH] == rdh_start) { |
516 |
++ if (s->mac_reg[RDH] == rdh_start || |
517 |
++ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { |
518 |
+ DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", |
519 |
+ rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); |
520 |
+ set_ics(s, 0, E1000_ICS_RXO); |
521 |
+-- |
522 |
+2.7.4 |
523 |
+ |
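Review bot: The new `tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)` guard is loop-invariant yet sits inside the per-descriptor loop, so one descriptor at the out-of-range offset is still fetched before it fires, and the reused DBGOUT text ("TDH wraparound") describes a condition that is not a wraparound. The commit message justifies the placement by pci_dma_read() tolerating bogus addresses, but the in-code comment (`bogus values to TDT/TDLEN`) does not, so a later reader could hoist or "simplify" it away. Suggest extending the comment above the check with `/* also bail if TDH started past the last whole descriptor in TDLEN (CVE-2016-1981): a full wraparound is then never observed; checked after the DMA read because pci_dma_read() tolerates bogus addresses */`, and mirroring it in e1000_receive_iov. When TDLEN is smaller than one descriptor the division yields 0 and the guard trips on the first iteration, which appears to be the intended outcome. Both start_xmit and e1000_receive_iov begin and end outside the hunk.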
524 |
|
525 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch |
526 |
new file mode 100644 |
527 |
index 0000000..0ab7b02 |
528 |
--- /dev/null |
529 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch |
530 |
@@ -0,0 +1,43 @@ |
531 |
+From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001 |
532 |
+From: John Snow <jsnow@××××××.com> |
533 |
+Date: Wed, 10 Feb 2016 13:29:40 -0500 |
534 |
+Subject: [PATCH] ahci: Do not unmap NULL addresses |
535 |
+ |
536 |
+Definitely don't try to unmap a garbage address. |
537 |
+ |
538 |
+Reported-by: Zuozhi fzz <zuozhi.fzz@×××××××××××.com> |
539 |
+Signed-off-by: John Snow <jsnow@××××××.com> |
540 |
+Message-id: 1454103689-13042-2-git-send-email-jsnow@××××××.com |
541 |
+--- |
542 |
+ hw/ide/ahci.c | 8 ++++++++ |
543 |
+ 1 file changed, 8 insertions(+) |
544 |
+ |
545 |
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c |
546 |
+index 7e87b18..3a95dad 100644 |
547 |
+--- a/hw/ide/ahci.c |
548 |
++++ b/hw/ide/ahci.c |
549 |
+@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad) |
550 |
+ |
551 |
+ static void ahci_unmap_fis_address(AHCIDevice *ad) |
552 |
+ { |
553 |
++ if (ad->res_fis == NULL) { |
554 |
++ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n"); |
555 |
++ return; |
556 |
++ } |
557 |
+ dma_memory_unmap(ad->hba->as, ad->res_fis, 256, |
558 |
+ DMA_DIRECTION_FROM_DEVICE, 256); |
559 |
+ ad->res_fis = NULL; |
560 |
+@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad) |
561 |
+ |
562 |
+ static void ahci_unmap_clb_address(AHCIDevice *ad) |
563 |
+ { |
564 |
++ if (ad->lst == NULL) { |
565 |
++ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n"); |
566 |
++ return; |
567 |
++ } |
568 |
+ dma_memory_unmap(ad->hba->as, ad->lst, 1024, |
569 |
+ DMA_DIRECTION_FROM_DEVICE, 1024); |
570 |
+ ad->lst = NULL; |
571 |
+-- |
572 |
+2.7.4 |
573 |
+ |
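Review bot: The two new NULL guards report the unexpected state only via DPRINTF, which in hw/ide/ahci.c is gated on a compile-time debug define that is off in ordinary builds, so a guest that drives the port into an unmap-without-map sequence leaves no trace in production. Since a NULL `res_fis`/`lst` here means the guest reached an unexpected state-machine path, consider `qemu_log_mask(LOG_GUEST_ERROR, "ahci: port %d: unmap of NULL FIS address\n", ad->port_no);` (and the CLB equivalent; needs qemu/log.h if not already included) so operators can correlate the now-harmless event with a misbehaving guest. The guard itself is correct: returning before dma_memory_unmap() avoids handing NULL to the address-space layer, and the pointers are already NULL so no state is left stale. The matching ahci_map_fis_address()/ahci_map_clb_address() that set these pointers lie outside the hunk.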
574 |
|
575 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch |
576 |
new file mode 100644 |
577 |
index 0000000..d179c33 |
578 |
--- /dev/null |
579 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch |
580 |
@@ -0,0 +1,46 @@ |
581 |
+From dff0367cf66f489aa772320fa2937a8cac1ca30d Mon Sep 17 00:00:00 2001 |
582 |
+From: Prasad J Pandit <pjp@×××××××××××××.org> |
583 |
+Date: Fri, 29 Jan 2016 18:30:34 +0530 |
584 |
+Subject: [PATCH] usb: ehci: add capability mmio write function |
585 |
+ |
586 |
+USB Ehci emulation supports host controller capability registers. |
587 |
+But its mmio '.write' function was missing, which lead to a null |
588 |
+pointer dereference issue. Add a do nothing 'ehci_caps_write' |
589 |
+definition to avoid it; Do nothing because capability registers |
590 |
+are Read Only(RO). |
591 |
+ |
592 |
+Reported-by: Zuozhi Fzz <zuozhi.fzz@×××××××××××.com> |
593 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
594 |
+Message-id: 1454072434-16045-1-git-send-email-ppandit@××××××.com |
595 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
596 |
+--- |
597 |
+ hw/usb/hcd-ehci.c | 6 ++++++ |
598 |
+ 1 file changed, 6 insertions(+) |
599 |
+ |
600 |
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c |
601 |
+index 1b50601..0f95d0d 100644 |
602 |
+--- a/hw/usb/hcd-ehci.c |
603 |
++++ b/hw/usb/hcd-ehci.c |
604 |
+@@ -895,6 +895,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr, |
605 |
+ return s->caps[addr]; |
606 |
+ } |
607 |
+ |
608 |
++static void ehci_caps_write(void *ptr, hwaddr addr, |
609 |
++ uint64_t val, unsigned size) |
610 |
++{ |
611 |
++} |
612 |
++ |
613 |
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr, |
614 |
+ unsigned size) |
615 |
+ { |
616 |
+@@ -2315,6 +2320,7 @@ static void ehci_frame_timer(void *opaque) |
617 |
+ |
618 |
+ static const MemoryRegionOps ehci_mmio_caps_ops = { |
619 |
+ .read = ehci_caps_read, |
620 |
++ .write = ehci_caps_write, |
621 |
+ .valid.min_access_size = 1, |
622 |
+ .valid.max_access_size = 4, |
623 |
+ .impl.min_access_size = 1, |
624 |
+-- |
625 |
+2.7.4 |
626 |
+ |
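Review bot: `ehci_caps_write` has an empty body with no comment, so a later reader may mistake it for an unimplemented stub rather than a deliberate no-op for read-only registers; add `/* EHCI capability registers are read-only; writes are dropped. Without a .write callback the memory core dereferenced NULL (CVE-2016-2198). */` inside the body. If this device already uses qemu_log_mask(LOG_GUEST_ERROR) elsewhere, a one-line log of the offending `addr` and `val` would make a guest poking RO registers visible without changing behaviour. With `.write` now set in ehci_mmio_caps_ops the caps window no longer exposes a NULL callback, which is the whole of the fix.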
627 |
|
628 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch |
629 |
new file mode 100644 |
630 |
index 0000000..e7aa5ca |
631 |
--- /dev/null |
632 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch |
633 |
@@ -0,0 +1,35 @@ |
634 |
+From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 |
635 |
+From: Prasad J Pandit <pjp@×××××××××××××.org> |
636 |
+Date: Thu, 11 Feb 2016 16:31:20 +0530 |
637 |
+Subject: [PATCH] usb: check USB configuration descriptor object |
638 |
+ |
639 |
+When processing remote NDIS control message packets, the USB Net |
640 |
+device emulator checks to see if the USB configuration descriptor |
641 |
+object is of RNDIS type(2). But it does not check if it is null, |
642 |
+which leads to a null dereference error. Add check to avoid it. |
643 |
+ |
644 |
+Reported-by: Qinghao Tang <luodalongde@×××××.com> |
645 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
646 |
+Message-id: 1455188480-14688-1-git-send-email-ppandit@××××××.com |
647 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
648 |
+--- |
649 |
+ hw/usb/dev-network.c | 3 ++- |
650 |
+ 1 file changed, 2 insertions(+), 1 deletion(-) |
651 |
+ |
652 |
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c |
653 |
+index 985a629..5dc4538 100644 |
654 |
+--- a/hw/usb/dev-network.c |
655 |
++++ b/hw/usb/dev-network.c |
656 |
+@@ -654,7 +654,8 @@ typedef struct USBNetState { |
657 |
+ |
658 |
+ static int is_rndis(USBNetState *s) |
659 |
+ { |
660 |
+- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; |
661 |
++ return s->dev.config ? |
662 |
++ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; |
663 |
+ } |
664 |
+ |
665 |
+ static int ndis_query(USBNetState *s, uint32_t oid, |
666 |
+-- |
667 |
+2.7.4 |
668 |
+ |
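Review bot: The ternary `s->dev.config ? ... : 0` reads less directly than the boolean it computes; `return s->dev.config && s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;` is equivalent (yields 0/1) and avoids the dangling `: 0` continuation line. More importantly, returning 0 for an unconfigured device presumably sends the request down the non-RNDIS branch in the callers rather than rejecting it, and whether those callers are themselves safe with `s->dev.config == NULL` cannot be judged from this hunk, so the call sites of is_rndis() deserve a look. A short comment would also help: `/* config is NULL until the guest selects a configuration; treat that as not-RNDIS. */`.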
669 |
|
670 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch |
671 |
new file mode 100644 |
672 |
index 0000000..2874b75 |
673 |
--- /dev/null |
674 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch |
675 |
@@ -0,0 +1,37 @@ |
676 |
+From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001 |
677 |
+From: Prasad J Pandit <pjp@×××××××××××××.org> |
678 |
+Date: Wed, 24 Feb 2016 11:41:33 +0530 |
679 |
+Subject: [PATCH] net: ne2000: check ring buffer control registers |
680 |
+ |
681 |
+Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) |
682 |
+bytes to process network packets. Registers PSTART & PSTOP |
683 |
+define ring buffer size & location. Setting these registers |
684 |
+to invalid values could lead to infinite loop or OOB r/w |
685 |
+access issues. Add check to avoid it. |
686 |
+ |
687 |
+Reported-by: Yang Hongke <yanghongke@××××××.com> |
688 |
+Tested-by: Yang Hongke <yanghongke@××××××.com> |
689 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
690 |
+Signed-off-by: Jason Wang <jasowang@××××××.com> |
691 |
+--- |
692 |
+ hw/net/ne2000.c | 4 ++++ |
693 |
+ 1 file changed, 4 insertions(+) |
694 |
+ |
695 |
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c |
696 |
+index e408083..f0feaf9 100644 |
697 |
+--- a/hw/net/ne2000.c |
698 |
++++ b/hw/net/ne2000.c |
699 |
+@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s) |
700 |
+ { |
701 |
+ int avail, index, boundary; |
702 |
+ |
703 |
++ if (s->stop <= s->start) { |
704 |
++ return 1; |
705 |
++ } |
706 |
++ |
707 |
+ index = s->curpag << 8; |
708 |
+ boundary = s->boundary << 8; |
709 |
+ if (index < boundary) |
710 |
+-- |
711 |
+2.7.4 |
712 |
+ |
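Review bot: The new guard only enforces `s->start < s->stop`; it does not bound either value against NE2000_MEM_SIZE, which the commit message names as the OOB concern, so the actual range check must live in the register write path or in ne2000_receive (both outside this hunk) and is worth confirming rather than assumed. Returning 1 ("buffer full") for a bogus ring silently drops every incoming packet, which is a safe failure mode but surprising to debug; add `/* PSTART >= PSTOP: guest programmed a bogus ring, refuse to receive into it. */` above the check. The remainder of ne2000_buffer_full (the `index`/`boundary` arithmetic) is cut off at the hunk edge.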
713 |
|
714 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch |
715 |
new file mode 100644 |
716 |
index 0000000..684f6ad |
717 |
--- /dev/null |
718 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch |
719 |
@@ -0,0 +1,98 @@ |
720 |
+From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001 |
721 |
+From: Ladi Prosek <lprosek@××××××.com> |
722 |
+Date: Thu, 3 Mar 2016 09:37:15 +0100 |
723 |
+Subject: [PATCH] rng: remove the unused request cancellation code |
724 |
+ |
725 |
+rng_backend_cancel_requests had no callers and none of the code |
726 |
+deleted in this commit ever ran. |
727 |
+ |
728 |
+Signed-off-by: Ladi Prosek <lprosek@××××××.com> |
729 |
+Reviewed-by: Amit Shah <amit.shah@××××××.com> |
730 |
+Message-Id: <1456994238-9585-2-git-send-email-lprosek@××××××.com> |
731 |
+Signed-off-by: Amit Shah <amit.shah@××××××.com> |
732 |
+--- |
733 |
+ backends/rng-egd.c | 12 ------------ |
734 |
+ backends/rng.c | 9 --------- |
735 |
+ include/sysemu/rng.h | 11 ----------- |
736 |
+ 3 files changed, 32 deletions(-) |
737 |
+ |
738 |
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c |
739 |
+index 2de5cd5..0b2976a 100644 |
740 |
+--- a/backends/rng-egd.c |
741 |
++++ b/backends/rng-egd.c |
742 |
+@@ -125,17 +125,6 @@ static void rng_egd_free_requests(RngEgd *s) |
743 |
+ s->requests = NULL; |
744 |
+ } |
745 |
+ |
746 |
+-static void rng_egd_cancel_requests(RngBackend *b) |
747 |
+-{ |
748 |
+- RngEgd *s = RNG_EGD(b); |
749 |
+- |
750 |
+- /* We simply delete the list of pending requests. If there is data in the |
751 |
+- * queue waiting to be read, this is okay, because there will always be |
752 |
+- * more data than we requested originally |
753 |
+- */ |
754 |
+- rng_egd_free_requests(s); |
755 |
+-} |
756 |
+- |
757 |
+ static void rng_egd_opened(RngBackend *b, Error **errp) |
758 |
+ { |
759 |
+ RngEgd *s = RNG_EGD(b); |
760 |
+@@ -213,7 +202,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data) |
761 |
+ RngBackendClass *rbc = RNG_BACKEND_CLASS(klass); |
762 |
+ |
763 |
+ rbc->request_entropy = rng_egd_request_entropy; |
764 |
+- rbc->cancel_requests = rng_egd_cancel_requests; |
765 |
+ rbc->opened = rng_egd_opened; |
766 |
+ } |
767 |
+ |
768 |
+diff --git a/backends/rng.c b/backends/rng.c |
769 |
+index b7820ef..2f2f3ee 100644 |
770 |
+--- a/backends/rng.c |
771 |
++++ b/backends/rng.c |
772 |
+@@ -26,15 +26,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, |
773 |
+ } |
774 |
+ } |
775 |
+ |
776 |
+-void rng_backend_cancel_requests(RngBackend *s) |
777 |
+-{ |
778 |
+- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); |
779 |
+- |
780 |
+- if (k->cancel_requests) { |
781 |
+- k->cancel_requests(s); |
782 |
+- } |
783 |
+-} |
784 |
+- |
785 |
+ static bool rng_backend_prop_get_opened(Object *obj, Error **errp) |
786 |
+ { |
787 |
+ RngBackend *s = RNG_BACKEND(obj); |
788 |
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h |
789 |
+index 858be8c..87b3ebe 100644 |
790 |
+--- a/include/sysemu/rng.h |
791 |
++++ b/include/sysemu/rng.h |
792 |
+@@ -37,7 +37,6 @@ struct RngBackendClass |
793 |
+ |
794 |
+ void (*request_entropy)(RngBackend *s, size_t size, |
795 |
+ EntropyReceiveFunc *receive_entropy, void *opaque); |
796 |
+- void (*cancel_requests)(RngBackend *s); |
797 |
+ |
798 |
+ void (*opened)(RngBackend *s, Error **errp); |
799 |
+ }; |
800 |
+@@ -68,14 +67,4 @@ struct RngBackend |
801 |
+ void rng_backend_request_entropy(RngBackend *s, size_t size, |
802 |
+ EntropyReceiveFunc *receive_entropy, |
803 |
+ void *opaque); |
804 |
+- |
805 |
+-/** |
806 |
+- * rng_backend_cancel_requests: |
807 |
+- * @s: the backend to cancel all pending requests in |
808 |
+- * |
809 |
+- * Cancels all pending requests submitted by @rng_backend_request_entropy. This |
810 |
+- * should be used by a device during reset or in preparation for live migration |
811 |
+- * to stop tracking any request. |
812 |
+- */ |
813 |
+-void rng_backend_cancel_requests(RngBackend *s); |
814 |
+ #endif |
815 |
+-- |
816 |
+2.7.4 |
817 |
+ |
818 |
|
819 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch |
820 |
new file mode 100644 |
821 |
index 0000000..44ba8a7 |
822 |
--- /dev/null |
823 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch |
824 |
@@ -0,0 +1,135 @@ |
825 |
+From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001 |
826 |
+From: Ladi Prosek <lprosek@××××××.com> |
827 |
+Date: Thu, 3 Mar 2016 09:37:16 +0100 |
828 |
+Subject: [PATCH] rng: move request queue from RngEgd to RngBackend |
829 |
+ |
830 |
+The 'requests' field now lives in the RngBackend parent class. |
831 |
+There are no functional changes in this commit. |
832 |
+ |
833 |
+Signed-off-by: Ladi Prosek <lprosek@××××××.com> |
834 |
+Reviewed-by: Amit Shah <amit.shah@××××××.com> |
835 |
+Message-Id: <1456994238-9585-3-git-send-email-lprosek@××××××.com> |
836 |
+Signed-off-by: Amit Shah <amit.shah@××××××.com> |
837 |
+--- |
838 |
+ backends/rng-egd.c | 28 +++++++++------------------- |
839 |
+ include/sysemu/rng.h | 11 +++++++++++ |
840 |
+ 2 files changed, 20 insertions(+), 19 deletions(-) |
841 |
+ |
842 |
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c |
843 |
+index 0b2976a..b061362 100644 |
844 |
+--- a/backends/rng-egd.c |
845 |
++++ b/backends/rng-egd.c |
846 |
+@@ -25,19 +25,8 @@ typedef struct RngEgd |
847 |
+ |
848 |
+ CharDriverState *chr; |
849 |
+ char *chr_name; |
850 |
+- |
851 |
+- GSList *requests; |
852 |
+ } RngEgd; |
853 |
+ |
854 |
+-typedef struct RngRequest |
855 |
+-{ |
856 |
+- EntropyReceiveFunc *receive_entropy; |
857 |
+- uint8_t *data; |
858 |
+- void *opaque; |
859 |
+- size_t offset; |
860 |
+- size_t size; |
861 |
+-} RngRequest; |
862 |
+- |
863 |
+ static void rng_egd_request_entropy(RngBackend *b, size_t size, |
864 |
+ EntropyReceiveFunc *receive_entropy, |
865 |
+ void *opaque) |
866 |
+@@ -66,7 +55,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, |
867 |
+ size -= len; |
868 |
+ } |
869 |
+ |
870 |
+- s->requests = g_slist_append(s->requests, req); |
871 |
++ s->parent.requests = g_slist_append(s->parent.requests, req); |
872 |
+ } |
873 |
+ |
874 |
+ static void rng_egd_free_request(RngRequest *req) |
875 |
+@@ -81,7 +70,7 @@ static int rng_egd_chr_can_read(void *opaque) |
876 |
+ GSList *i; |
877 |
+ int size = 0; |
878 |
+ |
879 |
+- for (i = s->requests; i; i = i->next) { |
880 |
++ for (i = s->parent.requests; i; i = i->next) { |
881 |
+ RngRequest *req = i->data; |
882 |
+ size += req->size - req->offset; |
883 |
+ } |
884 |
+@@ -94,8 +83,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) |
885 |
+ RngEgd *s = RNG_EGD(opaque); |
886 |
+ size_t buf_offset = 0; |
887 |
+ |
888 |
+- while (size > 0 && s->requests) { |
889 |
+- RngRequest *req = s->requests->data; |
890 |
++ while (size > 0 && s->parent.requests) { |
891 |
++ RngRequest *req = s->parent.requests->data; |
892 |
+ int len = MIN(size, req->size - req->offset); |
893 |
+ |
894 |
+ memcpy(req->data + req->offset, buf + buf_offset, len); |
895 |
+@@ -104,7 +93,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) |
896 |
+ size -= len; |
897 |
+ |
898 |
+ if (req->offset == req->size) { |
899 |
+- s->requests = g_slist_remove_link(s->requests, s->requests); |
900 |
++ s->parent.requests = g_slist_remove_link(s->parent.requests, |
901 |
++ s->parent.requests); |
902 |
+ |
903 |
+ req->receive_entropy(req->opaque, req->data, req->size); |
904 |
+ |
905 |
+@@ -117,12 +107,12 @@ static void rng_egd_free_requests(RngEgd *s) |
906 |
+ { |
907 |
+ GSList *i; |
908 |
+ |
909 |
+- for (i = s->requests; i; i = i->next) { |
910 |
++ for (i = s->parent.requests; i; i = i->next) { |
911 |
+ rng_egd_free_request(i->data); |
912 |
+ } |
913 |
+ |
914 |
+- g_slist_free(s->requests); |
915 |
+- s->requests = NULL; |
916 |
++ g_slist_free(s->parent.requests); |
917 |
++ s->parent.requests = NULL; |
918 |
+ } |
919 |
+ |
920 |
+ static void rng_egd_opened(RngBackend *b, Error **errp) |
921 |
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h |
922 |
+index 87b3ebe..c744d82 100644 |
923 |
+--- a/include/sysemu/rng.h |
924 |
++++ b/include/sysemu/rng.h |
925 |
+@@ -24,6 +24,7 @@ |
926 |
+ #define RNG_BACKEND_CLASS(klass) \ |
927 |
+ OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND) |
928 |
+ |
929 |
++typedef struct RngRequest RngRequest; |
930 |
+ typedef struct RngBackendClass RngBackendClass; |
931 |
+ typedef struct RngBackend RngBackend; |
932 |
+ |
933 |
+@@ -31,6 +32,15 @@ typedef void (EntropyReceiveFunc)(void *opaque, |
934 |
+ const void *data, |
935 |
+ size_t size); |
936 |
+ |
937 |
++struct RngRequest |
938 |
++{ |
939 |
++ EntropyReceiveFunc *receive_entropy; |
940 |
++ uint8_t *data; |
941 |
++ void *opaque; |
942 |
++ size_t offset; |
943 |
++ size_t size; |
944 |
++}; |
945 |
++ |
946 |
+ struct RngBackendClass |
947 |
+ { |
948 |
+ ObjectClass parent_class; |
949 |
+@@ -47,6 +57,7 @@ struct RngBackend |
950 |
+ |
951 |
+ /*< protected >*/ |
952 |
+ bool opened; |
953 |
++ GSList *requests; |
954 |
+ }; |
955 |
+ |
956 |
+ /** |
957 |
+-- |
958 |
+2.7.4 |
959 |
+ |
960 |
|
961 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch |
962 |
new file mode 100644 |
963 |
index 0000000..1cffcc5 |
964 |
--- /dev/null |
965 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch |
966 |
@@ -0,0 +1,155 @@ |
967 |
+From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001 |
968 |
+From: Ladi Prosek <lprosek@××××××.com> |
969 |
+Date: Thu, 3 Mar 2016 09:37:17 +0100 |
970 |
+Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend |
971 |
+ |
972 |
+RngBackend is now in charge of cleaning up the linked list on |
973 |
+instance finalization. It also exposes a function to finalize |
974 |
+individual RngRequest instances, called by its child classes. |
975 |
+ |
976 |
+Signed-off-by: Ladi Prosek <lprosek@××××××.com> |
977 |
+Reviewed-by: Amit Shah <amit.shah@××××××.com> |
978 |
+Message-Id: <1456994238-9585-4-git-send-email-lprosek@××××××.com> |
979 |
+Signed-off-by: Amit Shah <amit.shah@××××××.com> |
980 |
+--- |
981 |
+ backends/rng-egd.c | 25 +------------------------ |
982 |
+ backends/rng.c | 32 ++++++++++++++++++++++++++++++++ |
983 |
+ include/sysemu/rng.h | 12 ++++++++++++ |
984 |
+ 3 files changed, 45 insertions(+), 24 deletions(-) |
985 |
+ |
986 |
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c |
987 |
+index b061362..8f2bd16 100644 |
988 |
+--- a/backends/rng-egd.c |
989 |
++++ b/backends/rng-egd.c |
990 |
+@@ -58,12 +58,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, |
991 |
+ s->parent.requests = g_slist_append(s->parent.requests, req); |
992 |
+ } |
993 |
+ |
994 |
+-static void rng_egd_free_request(RngRequest *req) |
995 |
+-{ |
996 |
+- g_free(req->data); |
997 |
+- g_free(req); |
998 |
+-} |
999 |
+- |
1000 |
+ static int rng_egd_chr_can_read(void *opaque) |
1001 |
+ { |
1002 |
+ RngEgd *s = RNG_EGD(opaque); |
1003 |
+@@ -93,28 +87,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) |
1004 |
+ size -= len; |
1005 |
+ |
1006 |
+ if (req->offset == req->size) { |
1007 |
+- s->parent.requests = g_slist_remove_link(s->parent.requests, |
1008 |
+- s->parent.requests); |
1009 |
+- |
1010 |
+ req->receive_entropy(req->opaque, req->data, req->size); |
1011 |
+ |
1012 |
+- rng_egd_free_request(req); |
1013 |
++ rng_backend_finalize_request(&s->parent, req); |
1014 |
+ } |
1015 |
+ } |
1016 |
+ } |
1017 |
+ |
1018 |
+-static void rng_egd_free_requests(RngEgd *s) |
1019 |
+-{ |
1020 |
+- GSList *i; |
1021 |
+- |
1022 |
+- for (i = s->parent.requests; i; i = i->next) { |
1023 |
+- rng_egd_free_request(i->data); |
1024 |
+- } |
1025 |
+- |
1026 |
+- g_slist_free(s->parent.requests); |
1027 |
+- s->parent.requests = NULL; |
1028 |
+-} |
1029 |
+- |
1030 |
+ static void rng_egd_opened(RngBackend *b, Error **errp) |
1031 |
+ { |
1032 |
+ RngEgd *s = RNG_EGD(b); |
1033 |
+@@ -183,8 +162,6 @@ static void rng_egd_finalize(Object *obj) |
1034 |
+ } |
1035 |
+ |
1036 |
+ g_free(s->chr_name); |
1037 |
+- |
1038 |
+- rng_egd_free_requests(s); |
1039 |
+ } |
1040 |
+ |
1041 |
+ static void rng_egd_class_init(ObjectClass *klass, void *data) |
1042 |
+diff --git a/backends/rng.c b/backends/rng.c |
1043 |
+index 2f2f3ee..014cb9d 100644 |
1044 |
+--- a/backends/rng.c |
1045 |
++++ b/backends/rng.c |
1046 |
+@@ -64,6 +64,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp) |
1047 |
+ s->opened = true; |
1048 |
+ } |
1049 |
+ |
1050 |
++static void rng_backend_free_request(RngRequest *req) |
1051 |
++{ |
1052 |
++ g_free(req->data); |
1053 |
++ g_free(req); |
1054 |
++} |
1055 |
++ |
1056 |
++static void rng_backend_free_requests(RngBackend *s) |
1057 |
++{ |
1058 |
++ GSList *i; |
1059 |
++ |
1060 |
++ for (i = s->requests; i; i = i->next) { |
1061 |
++ rng_backend_free_request(i->data); |
1062 |
++ } |
1063 |
++ |
1064 |
++ g_slist_free(s->requests); |
1065 |
++ s->requests = NULL; |
1066 |
++} |
1067 |
++ |
1068 |
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req) |
1069 |
++{ |
1070 |
++ s->requests = g_slist_remove(s->requests, req); |
1071 |
++ rng_backend_free_request(req); |
1072 |
++} |
1073 |
++ |
1074 |
+ static void rng_backend_init(Object *obj) |
1075 |
+ { |
1076 |
+ object_property_add_bool(obj, "opened", |
1077 |
+@@ -72,6 +96,13 @@ static void rng_backend_init(Object *obj) |
1078 |
+ NULL); |
1079 |
+ } |
1080 |
+ |
1081 |
++static void rng_backend_finalize(Object *obj) |
1082 |
++{ |
1083 |
++ RngBackend *s = RNG_BACKEND(obj); |
1084 |
++ |
1085 |
++ rng_backend_free_requests(s); |
1086 |
++} |
1087 |
++ |
1088 |
+ static void rng_backend_class_init(ObjectClass *oc, void *data) |
1089 |
+ { |
1090 |
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); |
1091 |
+@@ -84,6 +115,7 @@ static const TypeInfo rng_backend_info = { |
1092 |
+ .parent = TYPE_OBJECT, |
1093 |
+ .instance_size = sizeof(RngBackend), |
1094 |
+ .instance_init = rng_backend_init, |
1095 |
++ .instance_finalize = rng_backend_finalize, |
1096 |
+ .class_size = sizeof(RngBackendClass), |
1097 |
+ .class_init = rng_backend_class_init, |
1098 |
+ .abstract = true, |
1099 |
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h |
1100 |
+index c744d82..08a2eda 100644 |
1101 |
+--- a/include/sysemu/rng.h |
1102 |
++++ b/include/sysemu/rng.h |
1103 |
+@@ -78,4 +79,15 @@ struct RngBackend |
1104 |
+ void rng_backend_request_entropy(RngBackend *s, size_t size, |
1105 |
+ EntropyReceiveFunc *receive_entropy, |
1106 |
+ void *opaque); |
1107 |
++ |
1108 |
++/** |
1109 |
++ * rng_backend_free_request: |
1110 |
++ * @s: the backend that created the request |
1111 |
++ * @req: the request to finalize |
1112 |
++ * |
1113 |
++ * Used by child rng backend classes to finalize requests once they've been |
1114 |
++ * processed. The request is removed from the list of active requests and |
1115 |
++ * deleted. |
1116 |
++ */ |
1117 |
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req); |
1118 |
+ #endif |
1119 |
+-- |
1120 |
+2.7.4 |
1121 |
+ |
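Review bot: The new header comment in include/sysemu/rng.h is titled `rng_backend_free_request:` but documents the exported `rng_backend_finalize_request()`; the static `rng_backend_free_request` in backends/rng.c is a different, private function, so change the title line to ` * rng_backend_finalize_request:`. A behavioural nuance is also hidden in rng_egd_chr_read: previously the completed request was unlinked before `req->receive_entropy()` ran, now it is removed afterwards, so a callback that re-enters the backend (issuing a new request, or triggering rng_egd_chr_can_read) sees the already-satisfied request still queued. That is harmless today because its `req->size - req->offset` is 0 and g_slist_remove() removes by data pointer regardless of what the callback appended, but it deserves a one-line comment at the call site, e.g. `/* req stays queued during the callback; removed and freed below */`.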
1122 |
|
1123 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch |
1124 |
new file mode 100644 |
1125 |
index 0000000..ca9340a |
1126 |
--- /dev/null |
1127 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch |
1128 |
@@ -0,0 +1,179 @@ |
1129 |
+From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001 |
1130 |
+From: Ladi Prosek <lprosek@××××××.com> |
1131 |
+Date: Thu, 3 Mar 2016 09:37:18 +0100 |
1132 |
+Subject: [PATCH] rng: add request queue support to rng-random |
1133 |
+ |
1134 |
+Requests are now created in the RngBackend parent class and the |
1135 |
+code path is shared by both rng-egd and rng-random. |
1136 |
+ |
1137 |
+This commit fixes the rng-random implementation which processed |
1138 |
+only one request at a time and simply discarded all but the most |
1139 |
+recent one. In the guest this manifested as delayed completion |
1140 |
+of reads from virtio-rng, i.e. a read was completed only after |
1141 |
+another read was issued. |
1142 |
+ |
1143 |
+By switching rng-random to use the same request queue as rng-egd, |
1144 |
+the unsafe stack-based allocation of the entropy buffer is |
1145 |
+eliminated and replaced with g_malloc. |
1146 |
+ |
1147 |
+Signed-off-by: Ladi Prosek <lprosek@××××××.com> |
1148 |
+Reviewed-by: Amit Shah <amit.shah@××××××.com> |
1149 |
+Message-Id: <1456994238-9585-5-git-send-email-lprosek@××××××.com> |
1150 |
+Signed-off-by: Amit Shah <amit.shah@××××××.com> |
1151 |
+--- |
1152 |
+ backends/rng-egd.c | 16 ++-------------- |
1153 |
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------ |
1154 |
+ backends/rng.c | 13 ++++++++++++- |
1155 |
+ include/sysemu/rng.h | 3 +-- |
1156 |
+ 4 files changed, 34 insertions(+), 41 deletions(-) |
1157 |
+ |
1158 |
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c |
1159 |
+index 8f2bd16..30332ed 100644 |
1160 |
+--- a/backends/rng-egd.c |
1161 |
++++ b/backends/rng-egd.c |
1162 |
+@@ -27,20 +27,10 @@ typedef struct RngEgd |
1163 |
+ char *chr_name; |
1164 |
+ } RngEgd; |
1165 |
+ |
1166 |
+-static void rng_egd_request_entropy(RngBackend *b, size_t size, |
1167 |
+- EntropyReceiveFunc *receive_entropy, |
1168 |
+- void *opaque) |
1169 |
++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req) |
1170 |
+ { |
1171 |
+ RngEgd *s = RNG_EGD(b); |
1172 |
+- RngRequest *req; |
1173 |
+- |
1174 |
+- req = g_malloc(sizeof(*req)); |
1175 |
+- |
1176 |
+- req->offset = 0; |
1177 |
+- req->size = size; |
1178 |
+- req->receive_entropy = receive_entropy; |
1179 |
+- req->opaque = opaque; |
1180 |
+- req->data = g_malloc(req->size); |
1181 |
++ size_t size = req->size; |
1182 |
+ |
1183 |
+ while (size > 0) { |
1184 |
+ uint8_t header[2]; |
1185 |
+@@ -54,8 +44,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, |
1186 |
+ |
1187 |
+ size -= len; |
1188 |
+ } |
1189 |
+- |
1190 |
+- s->parent.requests = g_slist_append(s->parent.requests, req); |
1191 |
+ } |
1192 |
+ |
1193 |
+ static int rng_egd_chr_can_read(void *opaque) |
1194 |
+diff --git a/backends/rng-random.c b/backends/rng-random.c |
1195 |
+index 8cdad6a..a6cb385 100644 |
1196 |
+--- a/backends/rng-random.c |
1197 |
++++ b/backends/rng-random.c |
1198 |
+@@ -22,10 +22,6 @@ struct RndRandom |
1199 |
+ |
1200 |
+ int fd; |
1201 |
+ char *filename; |
1202 |
+- |
1203 |
+- EntropyReceiveFunc *receive_func; |
1204 |
+- void *opaque; |
1205 |
+- size_t size; |
1206 |
+ }; |
1207 |
+ |
1208 |
+ /** |
1209 |
+@@ -38,36 +34,35 @@ struct RndRandom |
1210 |
+ static void entropy_available(void *opaque) |
1211 |
+ { |
1212 |
+ RndRandom *s = RNG_RANDOM(opaque); |
1213 |
+- uint8_t buffer[s->size]; |
1214 |
+- ssize_t len; |
1215 |
+ |
1216 |
+- len = read(s->fd, buffer, s->size); |
1217 |
+- if (len < 0 && errno == EAGAIN) { |
1218 |
+- return; |
1219 |
+- } |
1220 |
+- g_assert(len != -1); |
1221 |
++ while (s->parent.requests != NULL) { |
1222 |
++ RngRequest *req = s->parent.requests->data; |
1223 |
++ ssize_t len; |
1224 |
++ |
1225 |
++ len = read(s->fd, req->data, req->size); |
1226 |
++ if (len < 0 && errno == EAGAIN) { |
1227 |
++ return; |
1228 |
++ } |
1229 |
++ g_assert(len != -1); |
1230 |
+ |
1231 |
+- s->receive_func(s->opaque, buffer, len); |
1232 |
+- s->receive_func = NULL; |
1233 |
++ req->receive_entropy(req->opaque, req->data, len); |
1234 |
+ |
1235 |
++ rng_backend_finalize_request(&s->parent, req); |
1236 |
++ } |
1237 |
++ |
1238 |
++ /* We've drained all requests, the fd handler can be reset. */ |
1239 |
+ qemu_set_fd_handler(s->fd, NULL, NULL, NULL); |
1240 |
+ } |
1241 |
+ |
1242 |
+-static void rng_random_request_entropy(RngBackend *b, size_t size, |
1243 |
+- EntropyReceiveFunc *receive_entropy, |
1244 |
+- void *opaque) |
1245 |
++static void rng_random_request_entropy(RngBackend *b, RngRequest *req) |
1246 |
+ { |
1247 |
+ RndRandom *s = RNG_RANDOM(b); |
1248 |
+ |
1249 |
+- if (s->receive_func) { |
1250 |
+- s->receive_func(s->opaque, NULL, 0); |
1251 |
++ if (s->parent.requests == NULL) { |
1252 |
++ /* If there are no pending requests yet, we need to |
1253 |
++ * install our fd handler. */ |
1254 |
++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s); |
1255 |
+ } |
1256 |
+- |
1257 |
+- s->receive_func = receive_entropy; |
1258 |
+- s->opaque = opaque; |
1259 |
+- s->size = size; |
1260 |
+- |
1261 |
+- qemu_set_fd_handler(s->fd, entropy_available, NULL, s); |
1262 |
+ } |
1263 |
+ |
1264 |
+ static void rng_random_opened(RngBackend *b, Error **errp) |
1265 |
+diff --git a/backends/rng.c b/backends/rng.c |
1266 |
+index 014cb9d..277a41b 100644 |
1267 |
+--- a/backends/rng.c |
1268 |
++++ b/backends/rng.c |
1269 |
+@@ -20,9 +20,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, |
1270 |
+ void *opaque) |
1271 |
+ { |
1272 |
+ RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); |
1273 |
++ RngRequest *req; |
1274 |
+ |
1275 |
+ if (k->request_entropy) { |
1276 |
+- k->request_entropy(s, size, receive_entropy, opaque); |
1277 |
++ req = g_malloc(sizeof(*req)); |
1278 |
++ |
1279 |
++ req->offset = 0; |
1280 |
++ req->size = size; |
1281 |
++ req->receive_entropy = receive_entropy; |
1282 |
++ req->opaque = opaque; |
1283 |
++ req->data = g_malloc(req->size); |
1284 |
++ |
1285 |
++ k->request_entropy(s, req); |
1286 |
++ |
1287 |
++ s->requests = g_slist_append(s->requests, req); |
1288 |
+ } |
1289 |
+ } |
1290 |
+ |
1291 |
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h |
1292 |
+index 08a2eda..4fffd68 100644 |
1293 |
+--- a/include/sysemu/rng.h |
1294 |
++++ b/include/sysemu/rng.h |
1295 |
+@@ -45,8 +45,7 @@ struct RngBackendClass |
1296 |
+ { |
1297 |
+ ObjectClass parent_class; |
1298 |
+ |
1299 |
+- void (*request_entropy)(RngBackend *s, size_t size, |
1300 |
+- EntropyReceiveFunc *receive_entropy, void *opaque); |
1301 |
++ void (*request_entropy)(RngBackend *s, RngRequest *req); |
1302 |
+ |
1303 |
+ void (*opened)(RngBackend *s, Error **errp); |
1304 |
+ }; |
1305 |
+-- |
1306 |
+2.7.4 |
1307 |
+ |
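Review bot: rng_backend_request_entropy in backends/rng.c calls the backend's request_entropy hook before appending `req` to `s->requests`, and rng_random_request_entropy silently depends on that: it tests `s->parent.requests == NULL` to decide whether to install the fd handler, which would never be true if the append were moved ahead of the call. That ordering is a contract between the base class and its backends but is not written down; I would put `/* Hook runs before req is queued: rng-random keys its fd-handler install off an empty list, and a backend must not finalize req synchronously here. */` above the `k->request_entropy(s, req);` line. The second half matters because rng_backend_finalize_request removes-then-frees, so a backend that completed the request inside the hook would free `req` just before rng.c appends it to the list; neither backend visible here does that today, but nothing prevents it. Separately, entropy_available in rng-random.c completes a request with however many bytes `read()` returns (`len` may be less than `req->size`), which deserves a one-line comment since receivers must cope with a short delivery.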
1308 |
|
1309 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch |
1310 |
new file mode 100644 |
1311 |
index 0000000..f2e766d |
1312 |
--- /dev/null |
1313 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch |
1314 |
@@ -0,0 +1,15 @@ |
1315 |
+Linux C libs are moving away from implicit header pollution with sys/types.h |
1316 |
+ |
1317 |
+--- a/include/qemu/osdep.h |
1318 |
++++ b/include/qemu/osdep.h |
1319 |
+@@ -78,6 +78,10 @@ extern int daemon(int, int); |
1320 |
+ #include <assert.h> |
1321 |
+ #include <signal.h> |
1322 |
+ |
1323 |
++#ifdef __linux__ |
1324 |
++#include <sys/sysmacros.h> |
1325 |
++#endif |
1326 |
++ |
1327 |
+ #ifdef __OpenBSD__ |
1328 |
+ #include <sys/signal.h> |
1329 |
+ #endif |
1330 |
|
1331 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch |
1332 |
new file mode 100644 |
1333 |
index 0000000..2ddca3e |
1334 |
--- /dev/null |
1335 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch |
1336 |
@@ -0,0 +1,52 @@ |
1337 |
+From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001 |
1338 |
+From: Prasad J Pandit <pjp@×××××××××××××.org> |
1339 |
+Date: Wed, 20 Jan 2016 01:26:46 +0530 |
1340 |
+Subject: [PATCH] usb: check page select value while processing iTD |
1341 |
+ |
1342 |
+While processing isochronous transfer descriptors(iTD), the page |
1343 |
+select(PG) field value could lead to an OOB read access. Add |
1344 |
+check to avoid it. |
1345 |
+ |
1346 |
+Reported-by: Qinghao Tang <luodalongde@×××××.com> |
1347 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
1348 |
+Message-id: 1453233406-12165-1-git-send-email-ppandit@××××××.com |
1349 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
1350 |
+--- |
1351 |
+ hw/usb/hcd-ehci.c | 10 ++++++---- |
1352 |
+ 1 file changed, 6 insertions(+), 4 deletions(-) |
1353 |
+ |
1354 |
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c |
1355 |
+index ab00268..93601d9 100644 |
1356 |
+--- a/hw/usb/hcd-ehci.c |
1357 |
++++ b/hw/usb/hcd-ehci.c |
1358 |
+@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci, |
1359 |
+ if (itd->transact[i] & ITD_XACT_ACTIVE) { |
1360 |
+ pg = get_field(itd->transact[i], ITD_XACT_PGSEL); |
1361 |
+ off = itd->transact[i] & ITD_XACT_OFFSET_MASK; |
1362 |
+- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); |
1363 |
+- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK); |
1364 |
+ len = get_field(itd->transact[i], ITD_XACT_LENGTH); |
1365 |
+ |
1366 |
+ if (len > max * mult) { |
1367 |
+ len = max * mult; |
1368 |
+ } |
1369 |
+- |
1370 |
+- if (len > BUFF_SIZE) { |
1371 |
++ if (len > BUFF_SIZE || pg > 6) { |
1372 |
+ return -1; |
1373 |
+ } |
1374 |
+ |
1375 |
++ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); |
1376 |
+ qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); |
1377 |
+ if (off + len > 4096) { |
1378 |
+ /* transfer crosses page border */ |
1379 |
++ if (pg == 6) { |
1380 |
++ return -1; /* avoid page pg + 1 */ |
1381 |
++ } |
1382 |
++ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); |
1383 |
+ uint32_t len2 = off + len - 4096; |
1384 |
+ uint32_t len1 = len - len2; |
1385 |
+ qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); |
1386 |
+-- |
1387 |
+2.7.4 |
1388 |
+ |
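Review bot: The new bound in ehci_process_itd is a bare `6` written twice (`pg > 6` and `pg == 6`) with nothing tying it to the size of `itd->bufptr`, which is what the check actually protects, so the two literals can drift independently if the array is ever resized. I would express both against the array, `if (len > BUFF_SIZE || pg >= ARRAY_SIZE(itd->bufptr))` and `if (pg + 1 >= ARRAY_SIZE(itd->bufptr))`, assuming bufptr has the seven entries the current literals imply (its declaration is not in this hunk). Moving the `ptr2` assignment into the page-crossing branch looks right, but it is only safe if no use of `ptr2` outside that branch survives; the rest of ehci_process_itd is outside the hunk, so that should be confirmed. A comment on the `pg == 6` return, e.g. `/* bufptr[pg + 1] would be past the end of the iTD */`, would also help, since the existing `avoid page pg + 1` wording says what but not why.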
1389 |
|
1390 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch |
1391 |
new file mode 100644 |
1392 |
index 0000000..da643fd |
1393 |
--- /dev/null |
1394 |
+++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch |
1395 |
@@ -0,0 +1,59 @@ |
1396 |
+From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 |
1397 |
+From: Prasad J Pandit <pjp@×××××××××××××.org> |
1398 |
+Date: Wed, 17 Feb 2016 00:23:41 +0530 |
1399 |
+Subject: [PATCH] usb: check RNDIS buffer offsets & length |
1400 |
+ |
1401 |
+When processing remote NDIS control message packets, |
1402 |
+the USB Net device emulator uses a fixed length(4096) data buffer. |
1403 |
+The incoming informationBufferOffset & Length combination could |
1404 |
+overflow and cross that range. Check control message buffer |
1405 |
+offsets and length to avoid it. |
1406 |
+ |
1407 |
+Reported-by: Qinghao Tang <luodalongde@×××××.com> |
1408 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
1409 |
+Message-id: 1455648821-17340-3-git-send-email-ppandit@××××××.com |
1410 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
1411 |
+--- |
1412 |
+ hw/usb/dev-network.c | 9 ++++++--- |
1413 |
+ 1 file changed, 6 insertions(+), 3 deletions(-) |
1414 |
+ |
1415 |
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c |
1416 |
+index 5dc4538..c6abd38 100644 |
1417 |
+--- a/hw/usb/dev-network.c |
1418 |
++++ b/hw/usb/dev-network.c |
1419 |
+@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s, |
1420 |
+ |
1421 |
+ bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; |
1422 |
+ buflen = le32_to_cpu(buf->InformationBufferLength); |
1423 |
+- if (bufoffs + buflen > length) |
1424 |
++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { |
1425 |
+ return USB_RET_STALL; |
1426 |
++ } |
1427 |
+ |
1428 |
+ infobuflen = ndis_query(s, le32_to_cpu(buf->OID), |
1429 |
+ bufoffs + (uint8_t *) buf, buflen, infobuf, |
1430 |
+@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s, |
1431 |
+ |
1432 |
+ bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; |
1433 |
+ buflen = le32_to_cpu(buf->InformationBufferLength); |
1434 |
+- if (bufoffs + buflen > length) |
1435 |
++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { |
1436 |
+ return USB_RET_STALL; |
1437 |
++ } |
1438 |
+ |
1439 |
+ ret = ndis_set(s, le32_to_cpu(buf->OID), |
1440 |
+ bufoffs + (uint8_t *) buf, buflen); |
1441 |
+@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p) |
1442 |
+ if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { |
1443 |
+ uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); |
1444 |
+ uint32_t size = le32_to_cpu(msg->DataLength); |
1445 |
+- if (offs + size <= len) |
1446 |
++ if (offs < len && size < len && offs + size <= len) { |
1447 |
+ qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); |
1448 |
++ } |
1449 |
+ } |
1450 |
+ s->out_ptr -= len; |
1451 |
+ memmove(s->out_buf, &s->out_buf[len], s->out_ptr); |
1452 |
+-- |
1453 |
+2.7.4 |
1454 |
+ |
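Review bot: The three new range checks in dev-network.c each spell the same predicate differently — `bufoffs >= length` in the two rndis_*_response sites versus `offs < len` in usb_net_handle_dataout, plus an extra strict `size < len` there that is redundant once `offs + size <= len` holds with `offs` at least 8 — so a reader has to prove each one separately. The wrap-free form `bufoffs < length && buflen <= length - bufoffs` (and `offs < len && size <= len - offs` on the data path) says exactly what is meant and needs no third clause, whereas `bufoffs + buflen` is only safe from wrapping if `length` is bounded well below the type's maximum, which the declarations (not visible here) decide. Note also that `bufoffs` is `le32_to_cpu(...) + 8`, so if it is a 32-bit type a guest value near 0xFFFFFFF8 wraps it to a small number that still passes; that still lands inside the message rather than outside it, but it deserves a comment such as `/* bufoffs may have wrapped; a small value is still inside buf */`. Whether `bufoffs`, `buflen` and `length` are 32-bit or wider should be checked against their declarations before relying on this reasoning.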
1455 |
|
1456 |
diff --git a/app-emulation/qemu/qemu-2.5.0-r99.ebuild b/app-emulation/qemu/qemu-2.5.0-r999.ebuild |
1457 |
similarity index 90% |
1458 |
rename from app-emulation/qemu/qemu-2.5.0-r99.ebuild |
1459 |
rename to app-emulation/qemu/qemu-2.5.0-r999.ebuild |
1460 |
index c2bbcc1..876141b 100644 |
1461 |
--- a/app-emulation/qemu/qemu-2.5.0-r99.ebuild |
1462 |
+++ b/app-emulation/qemu/qemu-2.5.0-r999.ebuild |
1463 |
@@ -7,8 +7,10 @@ EAPI=5 |
1464 |
PYTHON_COMPAT=( python2_7 ) |
1465 |
PYTHON_REQ_USE="ncurses,readline" |
1466 |
|
1467 |
+PLOCALES="de_DE fr_FR hu it tr zh_CN" |
1468 |
+ |
1469 |
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ |
1470 |
- user udev fcaps readme.gentoo pax-utils |
1471 |
+ user udev fcaps readme.gentoo pax-utils l10n |
1472 |
|
1473 |
BACKPORTS= |
1474 |
|
1475 |
@@ -95,9 +97,9 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} |
1476 |
vte? ( x11-libs/vte:2.90 ) |
1477 |
) |
1478 |
) |
1479 |
- infiniband? ( sys-infiniband/librdmacm:=[static-libs(+)] ) |
1480 |
+ infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] ) |
1481 |
iscsi? ( net-libs/libiscsi ) |
1482 |
- jpeg? ( virtual/jpeg:=[static-libs(+)] ) |
1483 |
+ jpeg? ( virtual/jpeg:0=[static-libs(+)] ) |
1484 |
lzo? ( dev-libs/lzo:2[static-libs(+)] ) |
1485 |
ncurses? ( sys-libs/ncurses:0=[static-libs(+)] ) |
1486 |
nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] ) |
1487 |
@@ -212,11 +214,14 @@ QA_WX_LOAD="usr/bin/qemu-i386 |
1488 |
DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure |
1489 |
you have the kernel module loaded before running kvm. The easiest way to |
1490 |
ensure that the kernel module is loaded is to load it on boot.\n |
1491 |
-For AMD CPUs the module is called 'kvm-amd'\n |
1492 |
-For Intel CPUs the module is called 'kvm-intel'\n |
1493 |
-Please review /etc/conf.d/modules for how to load these\n\n |
1494 |
+For AMD CPUs the module is called 'kvm-amd'.\n |
1495 |
+For Intel CPUs the module is called 'kvm-intel'.\n |
1496 |
+Please review /etc/conf.d/modules for how to load these.\n\n |
1497 |
Make sure your user is in the 'kvm' group\n |
1498 |
-Just run 'gpasswd -a <USER> kvm', then have <USER> re-login." |
1499 |
+Just run 'gpasswd -a <USER> kvm', then have <USER> re-login.\n\n |
1500 |
+For brand new installs, the default permissions on /dev/kvm might not let you |
1501 |
+access it. You can tell udev to reset ownership/perms:\n |
1502 |
+udevadm trigger -c add /dev/kvm" |
1503 |
|
1504 |
qemu_support_kvm() { |
1505 |
if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \ |
1506 |
@@ -295,6 +300,29 @@ check_targets() { |
1507 |
popd >/dev/null |
1508 |
} |
1509 |
|
1510 |
+handle_locales() { |
1511 |
+ # Make sure locale list is kept up-to-date. |
1512 |
+ local detected sorted |
1513 |
+ detected=$(echo $(cd po && printf '%s\n' *.po | grep -v messages.po | sed 's:.po$::' | sort -u)) |
1514 |
+ sorted=$(echo $(printf '%s\n' ${PLOCALES} | sort -u)) |
1515 |
+ if [[ ${sorted} != "${detected}" ]] ; then |
1516 |
+ eerror "The ebuild needs to be kept in sync." |
1517 |
+ eerror "PLOCALES: ${sorted}" |
1518 |
+ eerror " po/*.po: ${detected}" |
1519 |
+ die "sync PLOCALES" |
1520 |
+ fi |
1521 |
+ |
1522 |
+ # Deal with selective install of locales. |
1523 |
+ if use nls ; then |
1524 |
+ # Delete locales the user does not want. #577814 |
1525 |
+ rm_loc() { rm po/$1.po || die; } |
1526 |
+ l10n_for_each_disabled_locale_do rm_loc |
1527 |
+ else |
1528 |
+ # Cheap hack to disable gettext .mo generation. |
1529 |
+ rm -f po/*.po |
1530 |
+ fi |
1531 |
+} |
1532 |
+ |
1533 |
src_prepare() { |
1534 |
check_targets IUSE_SOFTMMU_TARGETS softmmu |
1535 |
check_targets IUSE_USER_TARGETS linux-user |
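Review bot: `rm_loc() { rm po/$1.po || die; }` in handle_locales leaves `$1` unquoted and dies without saying which locale failed; locale names come from PLOCALES and contain no whitespace today, but quoting is free and the message is useful: `rm_loc() { rm "po/$1.po" || die "rm po/$1.po"; }`. The `detected`/`sorted` comparison relies on the unquoted `$(echo $(...))` to collapse newlines into single spaces, which is deliberate but looks like a quoting bug to a shell linter; a comment such as `# word-split on purpose: normalise both lists to one space-separated line` would stop someone from "fixing" it. The `use nls` else-branch `rm -f po/*.po` is the hack moved from src_prepare and behaves as before.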
1536 |
@@ -304,9 +332,6 @@ src_prepare() { |
1537 |
-e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \ |
1538 |
Makefile Makefile.target || die |
1539 |
|
1540 |
- # Cheap hack to disable gettext .mo generation. |
1541 |
- use nls || rm -f po/*.po |
1542 |
- |
1543 |
# Patching for musl |
1544 |
epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch |
1545 |
epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch |
1546 |
@@ -322,6 +347,20 @@ src_prepare() { |
1547 |
epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110 |
1548 |
epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988 |
1549 |
epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566 |
1550 |
+ epatch "${FILESDIR}"/${P}-CVE-2015-8613.patch #569118 |
1551 |
+ epatch "${FILESDIR}"/${P}-CVE-2015-8619.patch #569300 |
1552 |
+ epatch "${FILESDIR}"/${P}-CVE-2016-1714.patch #571560 |
1553 |
+ epatch "${FILESDIR}"/${P}-CVE-2016-1922.patch #572082 |
1554 |
+ epatch "${FILESDIR}"/${P}-CVE-2016-1981.patch #572412 |
1555 |
+ epatch "${FILESDIR}"/${P}-usb-ehci-oob.patch #572454 |
1556 |
+ epatch "${FILESDIR}"/${P}-CVE-2016-2197.patch #573280 |
1557 |
+ epatch "${FILESDIR}"/${P}-CVE-2016-2198.patch #573314 |
1558 |
+ epatch "${FILESDIR}"/${P}-CVE-2016-2392.patch #574902 |
1559 |
+ epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492 |
1560 |
+ epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420 |
1561 |
+ epatch "${FILESDIR}"/${P}-sysmacros.patch |
1562 |
+ epatch "${FILESDIR}"/${P}-ne2000-reg-check.patch #573816 |
1563 |
+ epatch "${FILESDIR}"/${P}-9pfs-segfault.patch #578142 |
1564 |
|
1565 |
# Fix ld and objcopy being called directly |
1566 |
tc-export AR LD OBJCOPY |
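Review bot: Two of the security backports in this hunk, `${P}-usb-ehci-oob.patch` and `${P}-usb-ndis-int-overflow.patch`, are named by symptom while their neighbours are named by CVE identifier, and `${P}-sysmacros.patch` is the only line without a `#bug` reference; if identifiers were assigned for those fixes (none is stated on this page), naming the files after them would make a later audit of which CVEs this revision covers a simple grep of src_prepare. The list is also unordered — the 2015 CVEs follow CVE-2016-1568 from the previous block and the ne2000/9pfs lines come after the rng series — so either sorting by CVE or a one-line comment per group, e.g. `# security backports, see bug numbers`, would help. Nothing functional changes either way: epatch applies the files in the order written and the brace expansion for the four rng patches is fine.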
1567 |
@@ -330,6 +369,9 @@ src_prepare() { |
1568 |
MAKEOPTS+=" V=1" |
1569 |
|
1570 |
epatch_user |
1571 |
+ |
1572 |
+ # Run after we've applied all patches. |
1573 |
+ handle_locales |
1574 |
} |
1575 |
|
1576 |
## |