Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Matthias Maier <tamiko@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
Date: Mon, 05 Sep 2016 05:30:19
Message-Id: 1473053400.6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9.tamiko@gentoo
1 commit: 6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9
2 Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
3 AuthorDate: Mon Sep 5 05:00:00 2016 +0000
4 Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 5 05:30:00 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ac7a9b9
7
8 app-emulation/qemu: drop obsolete patches
9
10 Package-Manager: portage-2.2.28
11
12 .../qemu/files/qemu-2.5.0-9pfs-segfault.patch | 34 ------
13 .../qemu/files/qemu-2.5.0-CVE-2015-8567.patch | 95 ----------------
14 .../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ------
15 .../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 ---------------------
16 .../qemu/files/qemu-2.5.0-CVE-2015-8701.patch | 49 ---------
17 .../qemu/files/qemu-2.5.0-CVE-2015-8743.patch | 50 ---------
18 .../qemu/files/qemu-2.5.0-CVE-2016-1568.patch | 41 -------
19 .../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 ----------
20 .../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 -----------
21 .../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 -----------------
22 .../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 --------
23 .../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ------
24 .../qemu/files/qemu-2.5.0-ne2000-reg-check.patch | 37 -------
25 .../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 ---------
26 .../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 ----------
27 .../qemu/files/qemu-2.6.0-crypto-static.patch | 60 ----------
28 .../qemu/files/qemu-2.6.0-glib-size_t.patch | 11 --
29 17 files changed, 943 deletions(-)
30
31 diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
32 deleted file mode 100644
33 index 0e27684..00000000
34 --- a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch
35 +++ /dev/null
36 @@ -1,34 +0,0 @@
37 -From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001
38 -From: Greg Kurz <gkurz@××××××××××××××.com>
39 -Date: Wed, 23 Dec 2015 10:56:58 +0100
40 -Subject: [PATCH] virtio-9p: use accessor to get thread_pool
41 -
42 -The aio_context_new() function does not allocate a thread pool. This is
43 -deferred to the first call to the aio_get_thread_pool() accessor. It is
44 -hence forbidden to access the thread_pool field directly, as it may be
45 -NULL. The accessor *must* be used always.
46 -
47 -Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
48 -Reviewed-by: Michael Tokarev <mjt@×××××××.ru>
49 -Tested-by: Michael Tokarev <mjt@×××××××.ru>
50 -Cc: qemu-stable@××××××.org
51 -Signed-off-by: Greg Kurz <gkurz@××××××××××××××.com>
52 ----
53 - hw/9pfs/virtio-9p-coth.c | 2 +-
54 - 1 file changed, 1 insertion(+), 1 deletion(-)
55 -
56 -diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
57 -index fb6e8f8..ab9425c 100644
58 ---- a/hw/9pfs/virtio-9p-coth.c
59 -+++ b/hw/9pfs/virtio-9p-coth.c
60 -@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
61 - void co_run_in_worker_bh(void *opaque)
62 - {
63 - Coroutine *co = opaque;
64 -- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
65 -+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
66 - coroutine_enter_func, co, coroutine_enter_cb, co);
67 - }
68 ---
69 -2.7.4
70 -
71
72 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
73 deleted file mode 100644
74 index e196043..00000000
75 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
76 +++ /dev/null
77 @@ -1,95 +0,0 @@
78 -https://bugs.gentoo.org/567868
79 -
80 -From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001
81 -From: P J P <ppandit@××××××.com>
82 -Date: Tue, 15 Dec 2015 12:27:54 +0530
83 -Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
84 -
85 -Vmxnet3 device emulator does not check if the device is active
86 -before activating it, also it did not free the transmit & receive
87 -buffers while deactivating the device, thus resulting in memory
88 -leakage on the host. This patch fixes both these issues to avoid
89 -host memory leakage.
90 -
91 -Reported-by: Qinghao Tang <luodalongde@×××××.com>
92 -Reviewed-by: Dmitry Fleytman <dmitry@××××××.com>
93 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
94 -Cc: qemu-stable@××××××.org
95 -Signed-off-by: Jason Wang <jasowang@××××××.com>
96 ----
97 - hw/net/vmxnet3.c | 24 ++++++++++++++++--------
98 - 1 file changed, 16 insertions(+), 8 deletions(-)
99 -
100 -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
101 -index a5dd79a..9c1adfc 100644
102 ---- a/hw/net/vmxnet3.c
103 -+++ b/hw/net/vmxnet3.c
104 -@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
105 -
106 - static void vmxnet3_deactivate_device(VMXNET3State *s)
107 - {
108 -- VMW_CBPRN("Deactivating vmxnet3...");
109 -- s->device_active = false;
110 -+ if (s->device_active) {
111 -+ VMW_CBPRN("Deactivating vmxnet3...");
112 -+ vmxnet_tx_pkt_reset(s->tx_pkt);
113 -+ vmxnet_tx_pkt_uninit(s->tx_pkt);
114 -+ vmxnet_rx_pkt_uninit(s->rx_pkt);
115 -+ s->device_active = false;
116 -+ }
117 - }
118 -
119 - static void vmxnet3_reset(VMXNET3State *s)
120 -@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
121 -
122 - vmxnet3_deactivate_device(s);
123 - vmxnet3_reset_interrupt_states(s);
124 -- vmxnet_tx_pkt_reset(s->tx_pkt);
125 - s->drv_shmem = 0;
126 - s->tx_sop = true;
127 - s->skip_current_tx_pkt = false;
128 -@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
129 - return;
130 - }
131 -
132 -+ /* Verify if device is active */
133 -+ if (s->device_active) {
134 -+ VMW_CFPRN("Vmxnet3 device is active");
135 -+ return;
136 -+ }
137 -+
138 - vmxnet3_adjust_by_guest_type(s);
139 - vmxnet3_update_features(s);
140 - vmxnet3_update_pm_state(s);
141 -@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
142 - break;
143 -
144 - case VMXNET3_CMD_QUIESCE_DEV:
145 -- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
146 -+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
147 - vmxnet3_deactivate_device(s);
148 - break;
149 -
150 -@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
151 - * shared address only after we get the high part
152 - */
153 - if (val == 0) {
154 -- s->device_active = false;
155 -+ vmxnet3_deactivate_device(s);
156 - }
157 - s->temp_shared_guest_driver_memory = val;
158 - s->drv_shmem = 0;
159 -@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
160 - static void vmxnet3_net_uninit(VMXNET3State *s)
161 - {
162 - g_free(s->mcast_list);
163 -- vmxnet_tx_pkt_reset(s->tx_pkt);
164 -- vmxnet_tx_pkt_uninit(s->tx_pkt);
165 -- vmxnet_rx_pkt_uninit(s->rx_pkt);
166 -+ vmxnet3_deactivate_device(s);
167 - qemu_del_nic(s->nic);
168 - }
169 -
170 ---
171 -2.6.2
172 -
173
174 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
175 deleted file mode 100644
176 index 61a52ee..00000000
177 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
178 +++ /dev/null
179 @@ -1,35 +0,0 @@
180 -From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
181 -From: P J P <ppandit@××××××.com>
182 -Date: Mon, 21 Dec 2015 15:13:13 +0530
183 -Subject: [PATCH] scsi: initialise info object with appropriate size
184 -
185 -While processing controller 'CTRL_GET_INFO' command, the routine
186 -'megasas_ctrl_get_info' overflows the '&info' object size. Use its
187 -appropriate size to null initialise it.
188 -
189 -Reported-by: Qinghao Tang <luodalongde@×××××.com>
190 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
191 -Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
192 -Cc: qemu-stable@××××××.org
193 -Signed-off-by: Paolo Bonzini <pbonzini@××××××.com>
194 -Signed-off-by: P J P <ppandit@××××××.com>
195 ----
196 - hw/scsi/megasas.c | 2 +-
197 - 1 file changed, 1 insertion(+), 1 deletion(-)
198 -
199 -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
200 -index d7dc667..576f56c 100644
201 ---- a/hw/scsi/megasas.c
202 -+++ b/hw/scsi/megasas.c
203 -@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
204 - BusChild *kid;
205 - int num_pd_disks = 0;
206 -
207 -- memset(&info, 0x0, cmd->iov_size);
208 -+ memset(&info, 0x0, dcmd_size);
209 - if (cmd->iov_size < dcmd_size) {
210 - trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
211 - dcmd_size);
212 ---
213 -2.7.4
214 -
215
216 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
217 deleted file mode 100644
218 index be67336..00000000
219 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
220 +++ /dev/null
221 @@ -1,121 +0,0 @@
222 -From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001
223 -From: Wolfgang Bumiller <w.bumiller@×××××××.com>
224 -Date: Wed, 13 Jan 2016 09:09:58 +0100
225 -Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
226 -
227 -When processing 'sendkey' command, hmp_sendkey routine null
228 -terminates the 'keyname_buf' array. This results in an OOB
229 -write issue, if 'keyname_len' was to fall outside of
230 -'keyname_buf' array.
231 -
232 -Since the keyname's length is known the keyname_buf can be
233 -removed altogether by adding a length parameter to
234 -index_from_key() and using it for the error output as well.
235 -
236 -Reported-by: Ling Liu <liuling-it@×××.cn>
237 -Signed-off-by: Wolfgang Bumiller <w.bumiller@×××××××.com>
238 -Message-Id: <20160113080958.GA18934@olga>
239 -[Comparison with "<" dumbed down, test for junk after strtoul()
240 -tweaked]
241 -Signed-off-by: Markus Armbruster <armbru@××××××.com>
242 ----
243 - hmp.c | 18 ++++++++----------
244 - include/ui/console.h | 2 +-
245 - ui/input-legacy.c | 5 +++--
246 - 3 files changed, 12 insertions(+), 13 deletions(-)
247 -
248 -diff --git a/hmp.c b/hmp.c
249 -index 54f2620..9c571f5 100644
250 ---- a/hmp.c
251 -+++ b/hmp.c
252 -@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
253 - int has_hold_time = qdict_haskey(qdict, "hold-time");
254 - int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
255 - Error *err = NULL;
256 -- char keyname_buf[16];
257 - char *separator;
258 - int keyname_len;
259 -
260 - while (1) {
261 - separator = strchr(keys, '-');
262 - keyname_len = separator ? separator - keys : strlen(keys);
263 -- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
264 -
265 - /* Be compatible with old interface, convert user inputted "<" */
266 -- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
267 -- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
268 -+ if (keys[0] == '<' && keyname_len == 1) {
269 -+ keys = "less";
270 - keyname_len = 4;
271 - }
272 -- keyname_buf[keyname_len] = 0;
273 -
274 - keylist = g_malloc0(sizeof(*keylist));
275 - keylist->value = g_malloc0(sizeof(*keylist->value));
276 -@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
277 - }
278 - tmp = keylist;
279 -
280 -- if (strstart(keyname_buf, "0x", NULL)) {
281 -+ if (strstart(keys, "0x", NULL)) {
282 - char *endp;
283 -- int value = strtoul(keyname_buf, &endp, 0);
284 -- if (*endp != '\0') {
285 -+ int value = strtoul(keys, &endp, 0);
286 -+ assert(endp <= keys + keyname_len);
287 -+ if (endp != keys + keyname_len) {
288 - goto err_out;
289 - }
290 - keylist->value->type = KEY_VALUE_KIND_NUMBER;
291 - keylist->value->u.number = value;
292 - } else {
293 -- int idx = index_from_key(keyname_buf);
294 -+ int idx = index_from_key(keys, keyname_len);
295 - if (idx == Q_KEY_CODE_MAX) {
296 - goto err_out;
297 - }
298 -@@ -1789,7 +1787,7 @@ out:
299 - return;
300 -
301 - err_out:
302 -- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
303 -+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
304 - goto out;
305 - }
306 -
307 -diff --git a/include/ui/console.h b/include/ui/console.h
308 -index adac36d..116bc2b 100644
309 ---- a/include/ui/console.h
310 -+++ b/include/ui/console.h
311 -@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
312 - void curses_display_init(DisplayState *ds, int full_screen);
313 -
314 - /* input.c */
315 --int index_from_key(const char *key);
316 -+int index_from_key(const char *key, size_t key_length);
317 -
318 - /* gtk.c */
319 - void early_gtk_display_init(int opengl);
320 -diff --git a/ui/input-legacy.c b/ui/input-legacy.c
321 -index 35dfc27..3454055 100644
322 ---- a/ui/input-legacy.c
323 -+++ b/ui/input-legacy.c
324 -@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
325 - static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
326 - QTAILQ_HEAD_INITIALIZER(led_handlers);
327 -
328 --int index_from_key(const char *key)
329 -+int index_from_key(const char *key, size_t key_length)
330 - {
331 - int i;
332 -
333 - for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
334 -- if (!strcmp(key, QKeyCode_lookup[i])) {
335 -+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
336 -+ !QKeyCode_lookup[i][key_length]) {
337 - break;
338 - }
339 - }
340 ---
341 -2.7.4
342 -
343
344 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
345 deleted file mode 100644
346 index 0dab1c3..00000000
347 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
348 +++ /dev/null
349 @@ -1,49 +0,0 @@
350 -https://bugs.gentoo.org/570110
351 -
352 -From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
353 -From: Prasad J Pandit <pjp@×××××××××××××.org>
354 -Date: Mon, 28 Dec 2015 16:24:08 +0530
355 -Subject: [PATCH] net: rocker: fix an incorrect array bounds check
356 -
357 -While processing transmit(tx) descriptors in 'tx_consume' routine
358 -the switch emulator suffers from an off-by-one error, if a
359 -descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
360 -fragments. Fix an incorrect bounds check to avoid it.
361 -
362 -Reported-by: Qinghao Tang <luodalongde@×××××.com>
363 -Cc: qemu-stable@××××××.org
364 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
365 -Signed-off-by: Jason Wang <jasowang@××××××.com>
366 ----
367 - hw/net/rocker/rocker.c | 8 ++++----
368 - 1 file changed, 4 insertions(+), 4 deletions(-)
369 -
370 -diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
371 -index c57f1a6..2e77e50 100644
372 ---- a/hw/net/rocker/rocker.c
373 -+++ b/hw/net/rocker/rocker.c
374 -@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
375 - frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
376 - frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
377 -
378 -+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
379 -+ goto err_too_many_frags;
380 -+ }
381 - iov[iovcnt].iov_len = frag_len;
382 - iov[iovcnt].iov_base = g_malloc(frag_len);
383 - if (!iov[iovcnt].iov_base) {
384 -@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
385 - err = -ROCKER_ENXIO;
386 - goto err_bad_io;
387 - }
388 --
389 -- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
390 -- goto err_too_many_frags;
391 -- }
392 -+ iovcnt++;
393 - }
394 -
395 - if (iovcnt) {
396 ---
397 -2.6.2
398 -
399
400 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
401 deleted file mode 100644
402 index b2bca56..00000000
403 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
404 +++ /dev/null
405 @@ -1,50 +0,0 @@
406 -https://bugs.gentoo.org/570988
407 -
408 -From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
409 -From: Prasad J Pandit <pjp@×××××××××××××.org>
410 -Date: Thu, 31 Dec 2015 17:05:27 +0530
411 -Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
412 -
413 -While doing ioport r/w operations, ne2000 device emulation suffers
414 -from OOB r/w errors. Update respective array bounds check to avoid
415 -OOB access.
416 -
417 -Reported-by: Ling Liu <liuling-it@×××.cn>
418 -Cc: qemu-stable@××××××.org
419 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
420 -Signed-off-by: Jason Wang <jasowang@××××××.com>
421 ----
422 - hw/net/ne2000.c | 10 ++++++----
423 - 1 file changed, 6 insertions(+), 4 deletions(-)
424 -
425 -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
426 -index 010f9ef..a3dffff 100644
427 ---- a/hw/net/ne2000.c
428 -+++ b/hw/net/ne2000.c
429 -@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
430 - uint32_t val)
431 - {
432 - addr &= ~1; /* XXX: check exact behaviour if not even */
433 -- if (addr < 32 ||
434 -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
435 -+ if (addr < 32
436 -+ || (addr >= NE2000_PMEM_START
437 -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
438 - stl_le_p(s->mem + addr, val);
439 - }
440 - }
441 -@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
442 - static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
443 - {
444 - addr &= ~1; /* XXX: check exact behaviour if not even */
445 -- if (addr < 32 ||
446 -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
447 -+ if (addr < 32
448 -+ || (addr >= NE2000_PMEM_START
449 -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
450 - return ldl_le_p(s->mem + addr);
451 - } else {
452 - return 0xffffffff;
453 ---
454 -2.6.2
455 -
456
457 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
458 deleted file mode 100644
459 index 4ce9a35..00000000
460 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
461 +++ /dev/null
462 @@ -1,41 +0,0 @@
463 -https://bugs.gentoo.org/571566
464 -
465 -From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
466 -From: Prasad J Pandit <pjp@×××××××××××××.org>
467 -Date: Mon, 11 Jan 2016 14:10:42 -0500
468 -Subject: [PATCH] ide: ahci: reset ncq object to unused on error
469 -
470 -When processing NCQ commands, AHCI device emulation prepares a
471 -NCQ transfer object; To which an aio control block(aiocb) object
472 -is assigned in 'execute_ncq_command'. In case, when the NCQ
473 -command is invalid, the 'aiocb' object is not assigned, and NCQ
474 -transfer object is left as 'used'. This leads to a use after
475 -free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
476 -Reset NCQ transfer object to 'unused' to avoid it.
477 -
478 -[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
479 -
480 -Reported-by: Qinghao Tang <luodalongde@×××××.com>
481 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
482 -Reviewed-by: John Snow <jsnow@××××××.com>
483 -Message-id: 1452282511-4116-1-git-send-email-ppandit@××××××.com
484 -Signed-off-by: John Snow <jsnow@××××××.com>
485 ----
486 - hw/ide/ahci.c | 1 +
487 - 1 file changed, 1 insertion(+)
488 -
489 -diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
490 -index dd1912e..17f1cbd 100644
491 ---- a/hw/ide/ahci.c
492 -+++ b/hw/ide/ahci.c
493 -@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
494 - ide_state->error = ABRT_ERR;
495 - ide_state->status = READY_STAT | ERR_STAT;
496 - ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
497 -+ ncq_tfs->used = 0;
498 - }
499 -
500 - static void ncq_finish(NCQTransferState *ncq_tfs)
501 ---
502 -2.6.2
503 -
504
505 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
506 deleted file mode 100644
507 index 917fa2f..00000000
508 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
509 +++ /dev/null
510 @@ -1,58 +0,0 @@
511 -From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
512 -From: "Gabriel L. Somlo" <somlo@×××.edu>
513 -Date: Thu, 5 Nov 2015 09:32:50 -0500
514 -Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
515 -MIME-Version: 1.0
516 -Content-Type: text/plain; charset=UTF-8
517 -Content-Transfer-Encoding: 8bit
518 -
519 -When calculating a pointer to the currently selected fw_cfg item, the
520 -following is used:
521 -
522 - FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
523 -
524 -When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
525 -a non-existent element in s->entries[arch][...], which is undefined.
526 -
527 -This patch ensures the resulting entry pointer is set to NULL whenever
528 -s->cur_entry is FW_CFG_INVALID.
529 -
530 -Reported-by: Laszlo Ersek <lersek@××××××.com>
531 -Reviewed-by: Laszlo Ersek <lersek@××××××.com>
532 -Signed-off-by: Gabriel Somlo <somlo@×××.edu>
533 -Message-id: 1446733972-1602-5-git-send-email-somlo@×××.edu
534 -Cc: Marc Marí <markmb@××××××.com>
535 -Signed-off-by: Gabriel Somlo <somlo@×××.edu>
536 -Reviewed-by: Laszlo Ersek <lersek@××××××.com>
537 -Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
538 ----
539 - hw/nvram/fw_cfg.c | 6 ++++--
540 - 1 file changed, 4 insertions(+), 2 deletions(-)
541 -
542 -diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
543 -index c2d3a0a..046fa74 100644
544 ---- a/hw/nvram/fw_cfg.c
545 -+++ b/hw/nvram/fw_cfg.c
546 -@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
547 - static uint8_t fw_cfg_read(FWCfgState *s)
548 - {
549 - int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
550 -- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
551 -+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
552 -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
553 - uint8_t ret;
554 -
555 - if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
556 -@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
557 - }
558 -
559 - arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
560 -- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
561 -+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
562 -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
563 -
564 - if (dma.control & FW_CFG_DMA_CTL_READ) {
565 - read = 1;
566 ---
567 -2.7.4
568 -
569
570 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
571 deleted file mode 100644
572 index 23c2341..00000000
573 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
574 +++ /dev/null
575 @@ -1,65 +0,0 @@
576 -From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001
577 -From: P J P <ppandit@××××××.com>
578 -Date: Fri, 18 Dec 2015 11:35:07 +0530
579 -Subject: [PATCH] i386: avoid null pointer dereference
580 -
581 - Hello,
582 -
583 -A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
584 -occurs while doing I/O port write operations via hmp interface. In that,
585 -'current_cpu' remains null as it is not called from cpu_exec loop, which
586 -results in the said issue.
587 -
588 -Below is a proposed (tested)patch to fix this issue; Does it look okay?
589 -
590 -===
591 -From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
592 -From: Prasad J Pandit <pjp@×××××××××××××.org>
593 -Date: Fri, 18 Dec 2015 11:16:07 +0530
594 -Subject: [PATCH] i386: avoid null pointer dereference
595 -
596 -When I/O port write operation is called from hmp interface,
597 -'current_cpu' remains null, as it is not called from cpu_exec()
598 -loop. This leads to a null pointer dereference in vapic_write
599 -routine. Add check to avoid it.
600 -
601 -Reported-by: Ling Liu <liuling-it@×××.cn>
602 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
603 -Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
604 -Signed-off-by: Paolo Bonzini <pbonzini@××××××.com>
605 -Signed-off-by: P J P <ppandit@××××××.com>
606 ----
607 - hw/i386/kvmvapic.c | 15 ++++++++++-----
608 - 1 file changed, 10 insertions(+), 5 deletions(-)
609 -
610 -diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
611 -index c6d34b2..f0922da 100644
612 ---- a/hw/i386/kvmvapic.c
613 -+++ b/hw/i386/kvmvapic.c
614 -@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
615 - static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
616 - unsigned int size)
617 - {
618 -- CPUState *cs = current_cpu;
619 -- X86CPU *cpu = X86_CPU(cs);
620 -- CPUX86State *env = &cpu->env;
621 -- hwaddr rom_paddr;
622 - VAPICROMState *s = opaque;
623 -+ X86CPU *cpu;
624 -+ CPUX86State *env;
625 -+ hwaddr rom_paddr;
626 -
627 -- cpu_synchronize_state(cs);
628 -+ if (!current_cpu) {
629 -+ return;
630 -+ }
631 -+
632 -+ cpu_synchronize_state(current_cpu);
633 -+ cpu = X86_CPU(current_cpu);
634 -+ env = &cpu->env;
635 -
636 - /*
637 - * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
638 ---
639 -2.7.4
640 -
641
642 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
643 deleted file mode 100644
644 index 2922193..00000000
645 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
646 +++ /dev/null
647 @@ -1,98 +0,0 @@
648 -From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001
649 -From: Laszlo Ersek <lersek@××××××.com>
650 -Date: Tue, 19 Jan 2016 14:17:20 +0100
651 -Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
652 - start
653 -
654 -The start_xmit() and e1000_receive_iov() functions implement DMA transfers
655 -iterating over a set of descriptors that the guest's e1000 driver
656 -prepares:
657 -
658 -- the TDLEN and RDLEN registers store the total size of the descriptor
659 - area,
660 -
661 -- while the TDH and RDH registers store the offset (in whole tx / rx
662 - descriptors) into the area where the transfer is supposed to start.
663 -
664 -Each time a descriptor is processed, the TDH and RDH register is bumped
665 -(as appropriate for the transfer direction).
666 -
667 -QEMU already contains logic to deal with bogus transfers submitted by the
668 -guest:
669 -
670 -- Normally, the transmit case wants to increase TDH from its initial value
671 - to TDT. (TDT is allowed to be numerically smaller than the initial TDH
672 - value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
673 - that QEMU currently has here is a check against reaching the original
674 - TDH value again -- a complete wraparound, which should never happen.
675 -
676 -- In the receive case RDH is increased from its initial value until
677 - "total_size" bytes have been received; preferably in a single step, or
678 - in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
679 - RX descriptors are skipped without receiving data, while RDH is
680 - incremented just the same. QEMU tries to prevent an infinite loop
681 - (processing only null RX descriptors) by detecting whether RDH assumes
682 - its original value during the loop. (Again, wrapping from RDLEN to 0 is
683 - normal.)
684 -
685 -What both directions miss is that the guest could program TDLEN and RDLEN
686 -so low, and the initial TDH and RDH so high, that these registers will
687 -immediately be truncated to zero, and then never reassume their initial
688 -values in the loop -- a full wraparound will never occur.
689 -
690 -The condition that expresses this is:
691 -
692 - xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
693 -
694 -i.e., TDH or RDH start out after the last whole rx or tx descriptor that
695 -fits into the TDLEN or RDLEN sized area.
696 -
697 -This condition could be checked before we enter the loops, but
698 -pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
699 -bogus DMA addresses, so we just extend the existing failsafes with the
700 -above condition.
701 -
702 -This is CVE-2016-1981.
703 -
704 -Cc: "Michael S. Tsirkin" <mst@××××××.com>
705 -Cc: Petr Matousek <pmatouse@××××××.com>
706 -Cc: Stefano Stabellini <stefano.stabellini@×××××××××.com>
707 -Cc: Prasad Pandit <ppandit@××××××.com>
708 -Cc: Michael Roth <mdroth@××××××××××××××.com>
709 -Cc: Jason Wang <jasowang@××××××.com>
710 -Cc: qemu-stable@××××××.org
711 -RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
712 -Signed-off-by: Laszlo Ersek <lersek@××××××.com>
713 -Reviewed-by: Jason Wang <jasowang@××××××.com>
714 -Signed-off-by: Jason Wang <jasowang@××××××.com>
715 ----
716 - hw/net/e1000.c | 6 ++++--
717 - 1 file changed, 4 insertions(+), 2 deletions(-)
718 -
719 -diff --git a/hw/net/e1000.c b/hw/net/e1000.c
720 -index 4eda7a3..0387fa0 100644
721 ---- a/hw/net/e1000.c
722 -+++ b/hw/net/e1000.c
723 -@@ -909,7 +909,8 @@ start_xmit(E1000State *s)
724 - * bogus values to TDT/TDLEN.
725 - * there's nothing too intelligent we could do about this.
726 - */
727 -- if (s->mac_reg[TDH] == tdh_start) {
728 -+ if (s->mac_reg[TDH] == tdh_start ||
729 -+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
730 - DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
731 - tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
732 - break;
733 -@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
734 - if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
735 - s->mac_reg[RDH] = 0;
736 - /* see comment in start_xmit; same here */
737 -- if (s->mac_reg[RDH] == rdh_start) {
738 -+ if (s->mac_reg[RDH] == rdh_start ||
739 -+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
740 - DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
741 - rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
742 - set_ics(s, 0, E1000_ICS_RXO);
743 ---
744 -2.7.4
745 -
746
747 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
748 deleted file mode 100644
749 index 0ab7b02..00000000
750 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
751 +++ /dev/null
752 @@ -1,43 +0,0 @@
753 -From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001
754 -From: John Snow <jsnow@××××××.com>
755 -Date: Wed, 10 Feb 2016 13:29:40 -0500
756 -Subject: [PATCH] ahci: Do not unmap NULL addresses
757 -
758 -Definitely don't try to unmap a garbage address.
759 -
760 -Reported-by: Zuozhi fzz <zuozhi.fzz@×××××××××××.com>
761 -Signed-off-by: John Snow <jsnow@××××××.com>
762 -Message-id: 1454103689-13042-2-git-send-email-jsnow@××××××.com
763 ----
764 - hw/ide/ahci.c | 8 ++++++++
765 - 1 file changed, 8 insertions(+)
766 -
767 -diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
768 -index 7e87b18..3a95dad 100644
769 ---- a/hw/ide/ahci.c
770 -+++ b/hw/ide/ahci.c
771 -@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
772 -
773 - static void ahci_unmap_fis_address(AHCIDevice *ad)
774 - {
775 -+ if (ad->res_fis == NULL) {
776 -+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
777 -+ return;
778 -+ }
779 - dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
780 - DMA_DIRECTION_FROM_DEVICE, 256);
781 - ad->res_fis = NULL;
782 -@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
783 -
784 - static void ahci_unmap_clb_address(AHCIDevice *ad)
785 - {
786 -+ if (ad->lst == NULL) {
787 -+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
788 -+ return;
789 -+ }
790 - dma_memory_unmap(ad->hba->as, ad->lst, 1024,
791 - DMA_DIRECTION_FROM_DEVICE, 1024);
792 - ad->lst = NULL;
793 ---
794 -2.7.4
795 -
796
797 diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
798 deleted file mode 100644
799 index e7aa5ca..00000000
800 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
801 +++ /dev/null
802 @@ -1,35 +0,0 @@
803 -From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001
804 -From: Prasad J Pandit <pjp@×××××××××××××.org>
805 -Date: Thu, 11 Feb 2016 16:31:20 +0530
806 -Subject: [PATCH] usb: check USB configuration descriptor object
807 -
808 -When processing remote NDIS control message packets, the USB Net
809 -device emulator checks to see if the USB configuration descriptor
810 -object is of RNDIS type(2). But it does not check if it is null,
811 -which leads to a null dereference error. Add check to avoid it.
812 -
813 -Reported-by: Qinghao Tang <luodalongde@×××××.com>
814 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
815 -Message-id: 1455188480-14688-1-git-send-email-ppandit@××××××.com
816 -Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
817 ----
818 - hw/usb/dev-network.c | 3 ++-
819 - 1 file changed, 2 insertions(+), 1 deletion(-)
820 -
821 -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
822 -index 985a629..5dc4538 100644
823 ---- a/hw/usb/dev-network.c
824 -+++ b/hw/usb/dev-network.c
825 -@@ -654,7 +654,8 @@ typedef struct USBNetState {
826 -
827 - static int is_rndis(USBNetState *s)
828 - {
829 -- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
830 -+ return s->dev.config ?
831 -+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
832 - }
833 -
834 - static int ndis_query(USBNetState *s, uint32_t oid,
835 ---
836 -2.7.4
837 -
838
839 diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
840 deleted file mode 100644
841 index 2874b75..00000000
842 --- a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch
843 +++ /dev/null
844 @@ -1,37 +0,0 @@
845 -From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001
846 -From: Prasad J Pandit <pjp@×××××××××××××.org>
847 -Date: Wed, 24 Feb 2016 11:41:33 +0530
848 -Subject: [PATCH] net: ne2000: check ring buffer control registers
849 -
850 -Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
851 -bytes to process network packets. Registers PSTART & PSTOP
852 -define ring buffer size & location. Setting these registers
853 -to invalid values could lead to infinite loop or OOB r/w
854 -access issues. Add check to avoid it.
855 -
856 -Reported-by: Yang Hongke <yanghongke@××××××.com>
857 -Tested-by: Yang Hongke <yanghongke@××××××.com>
858 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
859 -Signed-off-by: Jason Wang <jasowang@××××××.com>
860 ----
861 - hw/net/ne2000.c | 4 ++++
862 - 1 file changed, 4 insertions(+)
863 -
864 -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
865 -index e408083..f0feaf9 100644
866 ---- a/hw/net/ne2000.c
867 -+++ b/hw/net/ne2000.c
868 -@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s)
869 - {
870 - int avail, index, boundary;
871 -
872 -+ if (s->stop <= s->start) {
873 -+ return 1;
874 -+ }
875 -+
876 - index = s->curpag << 8;
877 - boundary = s->boundary << 8;
878 - if (index < boundary)
879 ---
880 -2.7.4
881 -
882
883 diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
884 deleted file mode 100644
885 index 2ddca3e..00000000
886 --- a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
887 +++ /dev/null
888 @@ -1,52 +0,0 @@
889 -From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001
890 -From: Prasad J Pandit <pjp@×××××××××××××.org>
891 -Date: Wed, 20 Jan 2016 01:26:46 +0530
892 -Subject: [PATCH] usb: check page select value while processing iTD
893 -
894 -While processing isochronous transfer descriptors(iTD), the page
895 -select(PG) field value could lead to an OOB read access. Add
896 -check to avoid it.
897 -
898 -Reported-by: Qinghao Tang <luodalongde@×××××.com>
899 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
900 -Message-id: 1453233406-12165-1-git-send-email-ppandit@××××××.com
901 -Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
902 ----
903 - hw/usb/hcd-ehci.c | 10 ++++++----
904 - 1 file changed, 6 insertions(+), 4 deletions(-)
905 -
906 -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
907 -index ab00268..93601d9 100644
908 ---- a/hw/usb/hcd-ehci.c
909 -+++ b/hw/usb/hcd-ehci.c
910 -@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci,
911 - if (itd->transact[i] & ITD_XACT_ACTIVE) {
912 - pg = get_field(itd->transact[i], ITD_XACT_PGSEL);
913 - off = itd->transact[i] & ITD_XACT_OFFSET_MASK;
914 -- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
915 -- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
916 - len = get_field(itd->transact[i], ITD_XACT_LENGTH);
917 -
918 - if (len > max * mult) {
919 - len = max * mult;
920 - }
921 --
922 -- if (len > BUFF_SIZE) {
923 -+ if (len > BUFF_SIZE || pg > 6) {
924 - return -1;
925 - }
926 -
927 -+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
928 - qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
929 - if (off + len > 4096) {
930 - /* transfer crosses page border */
931 -+ if (pg == 6) {
932 -+ return -1; /* avoid page pg + 1 */
933 -+ }
934 -+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
935 - uint32_t len2 = off + len - 4096;
936 - uint32_t len1 = len - len2;
937 - qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
938 ---
939 -2.7.4
940 -
941
942 diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
943 deleted file mode 100644
944 index da643fd..00000000
945 --- a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
946 +++ /dev/null
947 @@ -1,59 +0,0 @@
948 -From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001
949 -From: Prasad J Pandit <pjp@×××××××××××××.org>
950 -Date: Wed, 17 Feb 2016 00:23:41 +0530
951 -Subject: [PATCH] usb: check RNDIS buffer offsets & length
952 -
953 -When processing remote NDIS control message packets,
954 -the USB Net device emulator uses a fixed length(4096) data buffer.
955 -The incoming informationBufferOffset & Length combination could
956 -overflow and cross that range. Check control message buffer
957 -offsets and length to avoid it.
958 -
959 -Reported-by: Qinghao Tang <luodalongde@×××××.com>
960 -Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org>
961 -Message-id: 1455648821-17340-3-git-send-email-ppandit@××××××.com
962 -Signed-off-by: Gerd Hoffmann <kraxel@××××××.com>
963 ----
964 - hw/usb/dev-network.c | 9 ++++++---
965 - 1 file changed, 6 insertions(+), 3 deletions(-)
966 -
967 -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
968 -index 5dc4538..c6abd38 100644
969 ---- a/hw/usb/dev-network.c
970 -+++ b/hw/usb/dev-network.c
971 -@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s,
972 -
973 - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
974 - buflen = le32_to_cpu(buf->InformationBufferLength);
975 -- if (bufoffs + buflen > length)
976 -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
977 - return USB_RET_STALL;
978 -+ }
979 -
980 - infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
981 - bufoffs + (uint8_t *) buf, buflen, infobuf,
982 -@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s,
983 -
984 - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
985 - buflen = le32_to_cpu(buf->InformationBufferLength);
986 -- if (bufoffs + buflen > length)
987 -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
988 - return USB_RET_STALL;
989 -+ }
990 -
991 - ret = ndis_set(s, le32_to_cpu(buf->OID),
992 - bufoffs + (uint8_t *) buf, buflen);
993 -@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
994 - if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
995 - uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
996 - uint32_t size = le32_to_cpu(msg->DataLength);
997 -- if (offs + size <= len)
998 -+ if (offs < len && size < len && offs + size <= len) {
999 - qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
1000 -+ }
1001 - }
1002 - s->out_ptr -= len;
1003 - memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
1004 ---
1005 -2.7.4
1006 -
1007
1008 diff --git a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch b/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch
1009 deleted file mode 100644
1010 index 4856373..00000000
1011 --- a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch
1012 +++ /dev/null
1013 @@ -1,60 +0,0 @@
1014 -https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01611.html
1015 -
1016 -From 6a2909cf98e892783b2502df6f7f4de46d13e42b Mon Sep 17 00:00:00 2001
1017 -From: Mike Frysinger <vapier@××××××××.org>
1018 -Date: Mon, 6 Jun 2016 17:58:26 -0400
1019 -Subject: [PATCH] crypto: aes: always rename internal symbols
1020 -
1021 -OpenSSL's libcrypto always defines AES symbols with the same names as
1022 -qemu's local aes code. This is problematic when enabling at least curl
1023 -as that frequently also uses libcrypto. It might not be noticed when
1024 -running, but if you try to statically link, everything falls down.
1025 -
1026 -An example snippet:
1027 - LINK qemu-nbd
1028 -.../libcrypto.a(aes-x86_64.o): In function 'AES_encrypt':
1029 -(.text+0x460): multiple definition of 'AES_encrypt'
1030 -crypto/aes.o:aes.c:(.text+0x670): first defined here
1031 -.../libcrypto.a(aes-x86_64.o): In function 'AES_decrypt':
1032 -(.text+0x9f0): multiple definition of 'AES_decrypt'
1033 -crypto/aes.o:aes.c:(.text+0xb30): first defined here
1034 -.../libcrypto.a(aes-x86_64.o): In function 'AES_cbc_encrypt':
1035 -(.text+0xf90): multiple definition of 'AES_cbc_encrypt'
1036 -crypto/aes.o:aes.c:(.text+0xff0): first defined here
1037 -collect2: error: ld returned 1 exit status
1038 -.../qemu-2.6.0/rules.mak:105: recipe for target 'qemu-nbd' failed
1039 -make: *** [qemu-nbd] Error 1
1040 -
1041 -The aes.h header has redefines already for FreeBSD, but go ahead and
1042 -enable that for everyone since there's no real good reason to not use
1043 -a namespace all the time.
1044 -
1045 -Signed-off-by: Mike Frysinger <vapier@××××××××.org>
1046 ----
1047 - include/crypto/aes.h | 5 ++---
1048 - 1 file changed, 2 insertions(+), 3 deletions(-)
1049 -
1050 -diff --git a/include/crypto/aes.h b/include/crypto/aes.h
1051 -index a006da2224a9..12fb321b89de 100644
1052 ---- a/include/crypto/aes.h
1053 -+++ b/include/crypto/aes.h
1054 -@@ -10,14 +10,13 @@ struct aes_key_st {
1055 - };
1056 - typedef struct aes_key_st AES_KEY;
1057 -
1058 --/* FreeBSD has its own AES_set_decrypt_key in -lcrypto, avoid conflicts */
1059 --#ifdef __FreeBSD__
1060 -+/* FreeBSD/OpenSSL have their own AES functions with the same names in -lcrypto
1061 -+ * (which might be pulled in via curl), so redefine to avoid conflicts. */
1062 - #define AES_set_encrypt_key QEMU_AES_set_encrypt_key
1063 - #define AES_set_decrypt_key QEMU_AES_set_decrypt_key
1064 - #define AES_encrypt QEMU_AES_encrypt
1065 - #define AES_decrypt QEMU_AES_decrypt
1066 - #define AES_cbc_encrypt QEMU_AES_cbc_encrypt
1067 --#endif
1068 -
1069 - int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
1070 - AES_KEY *key);
1071 ---
1072 -2.8.2
1073 -
1074
1075 diff --git a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch b/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch
1076 deleted file mode 100644
1077 index 5fd678c..00000000
1078 --- a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch
1079 +++ /dev/null
1080 @@ -1,11 +0,0 @@
1081 ---- a/configure 2016-08-07 15:50:20.386687733 +0200
1082 -+++ b/configure 2016-08-07 15:53:55.489691690 +0200
1083 -@@ -2967,7 +2967,7 @@
1084 - }
1085 - EOF
1086 -
1087 --if ! compile_prog "-Werror $CFLAGS" "$LIBS" ; then
1088 -+if ! compile_prog "$CFLAGS" "$LIBS" ; then
1089 - error_exit "sizeof(size_t) doesn't match GLIB_SIZEOF_SIZE_T."\
1090 - "You probably need to set PKG_CONFIG_LIBDIR"\
1091 - "to point to the right pkg-config files for your"\
Report Message
Find on MARC Find on Google Groups