commit: 6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9 |
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
AuthorDate: Mon Sep 5 05:00:00 2016 +0000 |
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org> |
CommitDate: Mon Sep 5 05:30:00 2016 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ac7a9b9 |
|
app-emulation/qemu: drop obsolete patches |
|
Package-Manager: portage-2.2.28 |
|
.../qemu/files/qemu-2.5.0-9pfs-segfault.patch | 34 ------ |
.../qemu/files/qemu-2.5.0-CVE-2015-8567.patch | 95 ---------------- |
.../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ------ |
.../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 --------------------- |
.../qemu/files/qemu-2.5.0-CVE-2015-8701.patch | 49 --------- |
.../qemu/files/qemu-2.5.0-CVE-2015-8743.patch | 50 --------- |
.../qemu/files/qemu-2.5.0-CVE-2016-1568.patch | 41 ------- |
.../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 ---------- |
.../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 ----------- |
.../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 ----------------- |
.../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 -------- |
.../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ------ |
.../qemu/files/qemu-2.5.0-ne2000-reg-check.patch | 37 ------- |
.../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 --------- |
.../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 ---------- |
.../qemu/files/qemu-2.6.0-crypto-static.patch | 60 ---------- |
.../qemu/files/qemu-2.6.0-glib-size_t.patch | 11 -- |
17 files changed, 943 deletions(-) |
|
diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch |
32 |
deleted file mode 100644 |
33 |
index 0e27684..00000000 |
34 |
--- a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch |
35 |
+++ /dev/null |
36 |
@@ -1,34 +0,0 @@ |
37 |
-From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001 |
38 |
-From: Greg Kurz <gkurz@××××××××××××××.com> |
39 |
-Date: Wed, 23 Dec 2015 10:56:58 +0100 |
40 |
-Subject: [PATCH] virtio-9p: use accessor to get thread_pool |
41 |
- |
42 |
-The aio_context_new() function does not allocate a thread pool. This is |
43 |
-deferred to the first call to the aio_get_thread_pool() accessor. It is |
44 |
-hence forbidden to access the thread_pool field directly, as it may be |
45 |
-NULL. The accessor *must* be used always. |
46 |
- |
47 |
-Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e |
48 |
-Reviewed-by: Michael Tokarev <mjt@×××××××.ru> |
49 |
-Tested-by: Michael Tokarev <mjt@×××××××.ru> |
50 |
-Cc: qemu-stable@××××××.org |
51 |
-Signed-off-by: Greg Kurz <gkurz@××××××××××××××.com> |
52 |
---- |
53 |
- hw/9pfs/virtio-9p-coth.c | 2 +- |
54 |
- 1 file changed, 1 insertion(+), 1 deletion(-) |
55 |
- |
56 |
-diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c |
57 |
-index fb6e8f8..ab9425c 100644 |
58 |
---- a/hw/9pfs/virtio-9p-coth.c |
59 |
-+++ b/hw/9pfs/virtio-9p-coth.c |
60 |
-@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg) |
61 |
- void co_run_in_worker_bh(void *opaque) |
62 |
- { |
63 |
- Coroutine *co = opaque; |
64 |
-- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool, |
65 |
-+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()), |
66 |
- coroutine_enter_func, co, coroutine_enter_cb, co); |
67 |
- } |
68 |
--- |
69 |
-2.7.4 |
70 |
- |
71 |
|
72 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch |
73 |
deleted file mode 100644 |
74 |
index e196043..00000000 |
75 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch |
76 |
+++ /dev/null |
77 |
@@ -1,95 +0,0 @@ |
78 |
-https://bugs.gentoo.org/567868 |
79 |
- |
80 |
-From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001 |
81 |
-From: P J P <ppandit@××××××.com> |
82 |
-Date: Tue, 15 Dec 2015 12:27:54 +0530 |
83 |
-Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device |
84 |
- |
85 |
-Vmxnet3 device emulator does not check if the device is active |
86 |
-before activating it, also it did not free the transmit & receive |
87 |
-buffers while deactivating the device, thus resulting in memory |
88 |
-leakage on the host. This patch fixes both these issues to avoid |
89 |
-host memory leakage. |
90 |
- |
91 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
92 |
-Reviewed-by: Dmitry Fleytman <dmitry@××××××.com> |
93 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
94 |
-Cc: qemu-stable@××××××.org |
95 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
96 |
---- |
97 |
- hw/net/vmxnet3.c | 24 ++++++++++++++++-------- |
98 |
- 1 file changed, 16 insertions(+), 8 deletions(-) |
99 |
- |
100 |
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c |
101 |
-index a5dd79a..9c1adfc 100644 |
102 |
---- a/hw/net/vmxnet3.c |
103 |
-+++ b/hw/net/vmxnet3.c |
104 |
-@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) |
105 |
- |
106 |
- static void vmxnet3_deactivate_device(VMXNET3State *s) |
107 |
- { |
108 |
-- VMW_CBPRN("Deactivating vmxnet3..."); |
109 |
-- s->device_active = false; |
110 |
-+ if (s->device_active) { |
111 |
-+ VMW_CBPRN("Deactivating vmxnet3..."); |
112 |
-+ vmxnet_tx_pkt_reset(s->tx_pkt); |
113 |
-+ vmxnet_tx_pkt_uninit(s->tx_pkt); |
114 |
-+ vmxnet_rx_pkt_uninit(s->rx_pkt); |
115 |
-+ s->device_active = false; |
116 |
-+ } |
117 |
- } |
118 |
- |
119 |
- static void vmxnet3_reset(VMXNET3State *s) |
120 |
-@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) |
121 |
- |
122 |
- vmxnet3_deactivate_device(s); |
123 |
- vmxnet3_reset_interrupt_states(s); |
124 |
-- vmxnet_tx_pkt_reset(s->tx_pkt); |
125 |
- s->drv_shmem = 0; |
126 |
- s->tx_sop = true; |
127 |
- s->skip_current_tx_pkt = false; |
128 |
-@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) |
129 |
- return; |
130 |
- } |
131 |
- |
132 |
-+ /* Verify if device is active */ |
133 |
-+ if (s->device_active) { |
134 |
-+ VMW_CFPRN("Vmxnet3 device is active"); |
135 |
-+ return; |
136 |
-+ } |
137 |
-+ |
138 |
- vmxnet3_adjust_by_guest_type(s); |
139 |
- vmxnet3_update_features(s); |
140 |
- vmxnet3_update_pm_state(s); |
141 |
-@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) |
142 |
- break; |
143 |
- |
144 |
- case VMXNET3_CMD_QUIESCE_DEV: |
145 |
-- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); |
146 |
-+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); |
147 |
- vmxnet3_deactivate_device(s); |
148 |
- break; |
149 |
- |
150 |
-@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, |
151 |
- * shared address only after we get the high part |
152 |
- */ |
153 |
- if (val == 0) { |
154 |
-- s->device_active = false; |
155 |
-+ vmxnet3_deactivate_device(s); |
156 |
- } |
157 |
- s->temp_shared_guest_driver_memory = val; |
158 |
- s->drv_shmem = 0; |
159 |
-@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) |
160 |
- static void vmxnet3_net_uninit(VMXNET3State *s) |
161 |
- { |
162 |
- g_free(s->mcast_list); |
163 |
-- vmxnet_tx_pkt_reset(s->tx_pkt); |
164 |
-- vmxnet_tx_pkt_uninit(s->tx_pkt); |
165 |
-- vmxnet_rx_pkt_uninit(s->rx_pkt); |
166 |
-+ vmxnet3_deactivate_device(s); |
167 |
- qemu_del_nic(s->nic); |
168 |
- } |
169 |
- |
170 |
--- |
171 |
-2.6.2 |
172 |
- |
173 |
|
174 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch |
175 |
deleted file mode 100644 |
176 |
index 61a52ee..00000000 |
177 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch |
178 |
+++ /dev/null |
179 |
@@ -1,35 +0,0 @@ |
180 |
-From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001 |
181 |
-From: P J P <ppandit@××××××.com> |
182 |
-Date: Mon, 21 Dec 2015 15:13:13 +0530 |
183 |
-Subject: [PATCH] scsi: initialise info object with appropriate size |
184 |
- |
185 |
-While processing controller 'CTRL_GET_INFO' command, the routine |
186 |
-'megasas_ctrl_get_info' overflows the '&info' object size. Use its |
187 |
-appropriate size to null initialise it. |
188 |
- |
189 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
190 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
191 |
-Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> |
192 |
-Cc: qemu-stable@××××××.org |
193 |
-Signed-off-by: Paolo Bonzini <pbonzini@××××××.com> |
194 |
-Signed-off-by: P J P <ppandit@××××××.com> |
195 |
---- |
196 |
- hw/scsi/megasas.c | 2 +- |
197 |
- 1 file changed, 1 insertion(+), 1 deletion(-) |
198 |
- |
199 |
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c |
200 |
-index d7dc667..576f56c 100644 |
201 |
---- a/hw/scsi/megasas.c |
202 |
-+++ b/hw/scsi/megasas.c |
203 |
-@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) |
204 |
- BusChild *kid; |
205 |
- int num_pd_disks = 0; |
206 |
- |
207 |
-- memset(&info, 0x0, cmd->iov_size); |
208 |
-+ memset(&info, 0x0, dcmd_size); |
209 |
- if (cmd->iov_size < dcmd_size) { |
210 |
- trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, |
211 |
- dcmd_size); |
212 |
--- |
213 |
-2.7.4 |
214 |
- |
215 |
|
216 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch |
217 |
deleted file mode 100644 |
218 |
index be67336..00000000 |
219 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch |
220 |
+++ /dev/null |
221 |
@@ -1,121 +0,0 @@ |
222 |
-From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001 |
223 |
-From: Wolfgang Bumiller <w.bumiller@×××××××.com> |
224 |
-Date: Wed, 13 Jan 2016 09:09:58 +0100 |
225 |
-Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) |
226 |
- |
227 |
-When processing 'sendkey' command, hmp_sendkey routine null |
228 |
-terminates the 'keyname_buf' array. This results in an OOB |
229 |
-write issue, if 'keyname_len' was to fall outside of |
230 |
-'keyname_buf' array. |
231 |
- |
232 |
-Since the keyname's length is known the keyname_buf can be |
233 |
-removed altogether by adding a length parameter to |
234 |
-index_from_key() and using it for the error output as well. |
235 |
- |
236 |
-Reported-by: Ling Liu <liuling-it@×××.cn> |
237 |
-Signed-off-by: Wolfgang Bumiller <w.bumiller@×××××××.com> |
238 |
-Message-Id: <20160113080958.GA18934@olga> |
239 |
-[Comparison with "<" dumbed down, test for junk after strtoul() |
240 |
-tweaked] |
241 |
-Signed-off-by: Markus Armbruster <armbru@××××××.com> |
242 |
---- |
243 |
- hmp.c | 18 ++++++++---------- |
244 |
- include/ui/console.h | 2 +- |
245 |
- ui/input-legacy.c | 5 +++-- |
246 |
- 3 files changed, 12 insertions(+), 13 deletions(-) |
247 |
- |
248 |
-diff --git a/hmp.c b/hmp.c |
249 |
-index 54f2620..9c571f5 100644 |
250 |
---- a/hmp.c |
251 |
-+++ b/hmp.c |
252 |
-@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) |
253 |
- int has_hold_time = qdict_haskey(qdict, "hold-time"); |
254 |
- int hold_time = qdict_get_try_int(qdict, "hold-time", -1); |
255 |
- Error *err = NULL; |
256 |
-- char keyname_buf[16]; |
257 |
- char *separator; |
258 |
- int keyname_len; |
259 |
- |
260 |
- while (1) { |
261 |
- separator = strchr(keys, '-'); |
262 |
- keyname_len = separator ? separator - keys : strlen(keys); |
263 |
-- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); |
264 |
- |
265 |
- /* Be compatible with old interface, convert user inputted "<" */ |
266 |
-- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { |
267 |
-- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); |
268 |
-+ if (keys[0] == '<' && keyname_len == 1) { |
269 |
-+ keys = "less"; |
270 |
- keyname_len = 4; |
271 |
- } |
272 |
-- keyname_buf[keyname_len] = 0; |
273 |
- |
274 |
- keylist = g_malloc0(sizeof(*keylist)); |
275 |
- keylist->value = g_malloc0(sizeof(*keylist->value)); |
276 |
-@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) |
277 |
- } |
278 |
- tmp = keylist; |
279 |
- |
280 |
-- if (strstart(keyname_buf, "0x", NULL)) { |
281 |
-+ if (strstart(keys, "0x", NULL)) { |
282 |
- char *endp; |
283 |
-- int value = strtoul(keyname_buf, &endp, 0); |
284 |
-- if (*endp != '\0') { |
285 |
-+ int value = strtoul(keys, &endp, 0); |
286 |
-+ assert(endp <= keys + keyname_len); |
287 |
-+ if (endp != keys + keyname_len) { |
288 |
- goto err_out; |
289 |
- } |
290 |
- keylist->value->type = KEY_VALUE_KIND_NUMBER; |
291 |
- keylist->value->u.number = value; |
292 |
- } else { |
293 |
-- int idx = index_from_key(keyname_buf); |
294 |
-+ int idx = index_from_key(keys, keyname_len); |
295 |
- if (idx == Q_KEY_CODE_MAX) { |
296 |
- goto err_out; |
297 |
- } |
298 |
-@@ -1789,7 +1787,7 @@ out: |
299 |
- return; |
300 |
- |
301 |
- err_out: |
302 |
-- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); |
303 |
-+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); |
304 |
- goto out; |
305 |
- } |
306 |
- |
307 |
-diff --git a/include/ui/console.h b/include/ui/console.h |
308 |
-index adac36d..116bc2b 100644 |
309 |
---- a/include/ui/console.h |
310 |
-+++ b/include/ui/console.h |
311 |
-@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires) |
312 |
- void curses_display_init(DisplayState *ds, int full_screen); |
313 |
- |
314 |
- /* input.c */ |
315 |
--int index_from_key(const char *key); |
316 |
-+int index_from_key(const char *key, size_t key_length); |
317 |
- |
318 |
- /* gtk.c */ |
319 |
- void early_gtk_display_init(int opengl); |
320 |
-diff --git a/ui/input-legacy.c b/ui/input-legacy.c |
321 |
-index 35dfc27..3454055 100644 |
322 |
---- a/ui/input-legacy.c |
323 |
-+++ b/ui/input-legacy.c |
324 |
-@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { |
325 |
- static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = |
326 |
- QTAILQ_HEAD_INITIALIZER(led_handlers); |
327 |
- |
328 |
--int index_from_key(const char *key) |
329 |
-+int index_from_key(const char *key, size_t key_length) |
330 |
- { |
331 |
- int i; |
332 |
- |
333 |
- for (i = 0; QKeyCode_lookup[i] != NULL; i++) { |
334 |
-- if (!strcmp(key, QKeyCode_lookup[i])) { |
335 |
-+ if (!strncmp(key, QKeyCode_lookup[i], key_length) && |
336 |
-+ !QKeyCode_lookup[i][key_length]) { |
337 |
- break; |
338 |
- } |
339 |
- } |
340 |
--- |
341 |
-2.7.4 |
342 |
- |
343 |
|
344 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch |
345 |
deleted file mode 100644 |
346 |
index 0dab1c3..00000000 |
347 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch |
348 |
+++ /dev/null |
349 |
@@ -1,49 +0,0 @@ |
350 |
-https://bugs.gentoo.org/570110 |
351 |
- |
352 |
-From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001 |
353 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
354 |
-Date: Mon, 28 Dec 2015 16:24:08 +0530 |
355 |
-Subject: [PATCH] net: rocker: fix an incorrect array bounds check |
356 |
- |
357 |
-While processing transmit(tx) descriptors in 'tx_consume' routine |
358 |
-the switch emulator suffers from an off-by-one error, if a |
359 |
-descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) |
360 |
-fragments. Fix an incorrect bounds check to avoid it. |
361 |
- |
362 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
363 |
-Cc: qemu-stable@××××××.org |
364 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
365 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
366 |
---- |
367 |
- hw/net/rocker/rocker.c | 8 ++++---- |
368 |
- 1 file changed, 4 insertions(+), 4 deletions(-) |
369 |
- |
370 |
-diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c |
371 |
-index c57f1a6..2e77e50 100644 |
372 |
---- a/hw/net/rocker/rocker.c |
373 |
-+++ b/hw/net/rocker/rocker.c |
374 |
-@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) |
375 |
- frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); |
376 |
- frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); |
377 |
- |
378 |
-+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { |
379 |
-+ goto err_too_many_frags; |
380 |
-+ } |
381 |
- iov[iovcnt].iov_len = frag_len; |
382 |
- iov[iovcnt].iov_base = g_malloc(frag_len); |
383 |
- if (!iov[iovcnt].iov_base) { |
384 |
-@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) |
385 |
- err = -ROCKER_ENXIO; |
386 |
- goto err_bad_io; |
387 |
- } |
388 |
-- |
389 |
-- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { |
390 |
-- goto err_too_many_frags; |
391 |
-- } |
392 |
-+ iovcnt++; |
393 |
- } |
394 |
- |
395 |
- if (iovcnt) { |
396 |
--- |
397 |
-2.6.2 |
398 |
- |
399 |
|
400 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch |
401 |
deleted file mode 100644 |
402 |
index b2bca56..00000000 |
403 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch |
404 |
+++ /dev/null |
405 |
@@ -1,50 +0,0 @@ |
406 |
-https://bugs.gentoo.org/570988 |
407 |
- |
408 |
-From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001 |
409 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
410 |
-Date: Thu, 31 Dec 2015 17:05:27 +0530 |
411 |
-Subject: [PATCH] net: ne2000: fix bounds check in ioport operations |
412 |
- |
413 |
-While doing ioport r/w operations, ne2000 device emulation suffers |
414 |
-from OOB r/w errors. Update respective array bounds check to avoid |
415 |
-OOB access. |
416 |
- |
417 |
-Reported-by: Ling Liu <liuling-it@×××.cn> |
418 |
-Cc: qemu-stable@××××××.org |
419 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
420 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
421 |
---- |
422 |
- hw/net/ne2000.c | 10 ++++++---- |
423 |
- 1 file changed, 6 insertions(+), 4 deletions(-) |
424 |
- |
425 |
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c |
426 |
-index 010f9ef..a3dffff 100644 |
427 |
---- a/hw/net/ne2000.c |
428 |
-+++ b/hw/net/ne2000.c |
429 |
-@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, |
430 |
- uint32_t val) |
431 |
- { |
432 |
- addr &= ~1; /* XXX: check exact behaviour if not even */ |
433 |
-- if (addr < 32 || |
434 |
-- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { |
435 |
-+ if (addr < 32 |
436 |
-+ || (addr >= NE2000_PMEM_START |
437 |
-+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { |
438 |
- stl_le_p(s->mem + addr, val); |
439 |
- } |
440 |
- } |
441 |
-@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) |
442 |
- static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) |
443 |
- { |
444 |
- addr &= ~1; /* XXX: check exact behaviour if not even */ |
445 |
-- if (addr < 32 || |
446 |
-- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { |
447 |
-+ if (addr < 32 |
448 |
-+ || (addr >= NE2000_PMEM_START |
449 |
-+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { |
450 |
- return ldl_le_p(s->mem + addr); |
451 |
- } else { |
452 |
- return 0xffffffff; |
453 |
--- |
454 |
-2.6.2 |
455 |
- |
456 |
|
457 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch |
458 |
deleted file mode 100644 |
459 |
index 4ce9a35..00000000 |
460 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch |
461 |
+++ /dev/null |
462 |
@@ -1,41 +0,0 @@ |
463 |
-https://bugs.gentoo.org/571566 |
464 |
- |
465 |
-From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 |
466 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
467 |
-Date: Mon, 11 Jan 2016 14:10:42 -0500 |
468 |
-Subject: [PATCH] ide: ahci: reset ncq object to unused on error |
469 |
- |
470 |
-When processing NCQ commands, AHCI device emulation prepares a |
471 |
-NCQ transfer object; To which an aio control block(aiocb) object |
472 |
-is assigned in 'execute_ncq_command'. In case, when the NCQ |
473 |
-command is invalid, the 'aiocb' object is not assigned, and NCQ |
474 |
-transfer object is left as 'used'. This leads to a use after |
475 |
-free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. |
476 |
-Reset NCQ transfer object to 'unused' to avoid it. |
477 |
- |
478 |
-[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] |
479 |
- |
480 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
481 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
482 |
-Reviewed-by: John Snow <jsnow@××××××.com> |
483 |
-Message-id: 1452282511-4116-1-git-send-email-ppandit@××××××.com |
484 |
-Signed-off-by: John Snow <jsnow@××××××.com> |
485 |
---- |
486 |
- hw/ide/ahci.c | 1 + |
487 |
- 1 file changed, 1 insertion(+) |
488 |
- |
489 |
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c |
490 |
-index dd1912e..17f1cbd 100644 |
491 |
---- a/hw/ide/ahci.c |
492 |
-+++ b/hw/ide/ahci.c |
493 |
-@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) |
494 |
- ide_state->error = ABRT_ERR; |
495 |
- ide_state->status = READY_STAT | ERR_STAT; |
496 |
- ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); |
497 |
-+ ncq_tfs->used = 0; |
498 |
- } |
499 |
- |
500 |
- static void ncq_finish(NCQTransferState *ncq_tfs) |
501 |
--- |
502 |
-2.6.2 |
503 |
- |
504 |
|
505 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch |
506 |
deleted file mode 100644 |
507 |
index 917fa2f..00000000 |
508 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch |
509 |
+++ /dev/null |
510 |
@@ -1,58 +0,0 @@ |
511 |
-From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 |
512 |
-From: "Gabriel L. Somlo" <somlo@×××.edu> |
513 |
-Date: Thu, 5 Nov 2015 09:32:50 -0500 |
514 |
-Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer |
515 |
-MIME-Version: 1.0 |
516 |
-Content-Type: text/plain; charset=UTF-8 |
517 |
-Content-Transfer-Encoding: 8bit |
518 |
- |
519 |
-When calculating a pointer to the currently selected fw_cfg item, the |
520 |
-following is used: |
521 |
- |
522 |
- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
523 |
- |
524 |
-When s->cur_entry is FW_CFG_INVALID, we are calculating the address of |
525 |
-a non-existent element in s->entries[arch][...], which is undefined. |
526 |
- |
527 |
-This patch ensures the resulting entry pointer is set to NULL whenever |
528 |
-s->cur_entry is FW_CFG_INVALID. |
529 |
- |
530 |
-Reported-by: Laszlo Ersek <lersek@××××××.com> |
531 |
-Reviewed-by: Laszlo Ersek <lersek@××××××.com> |
532 |
-Signed-off-by: Gabriel Somlo <somlo@×××.edu> |
533 |
-Message-id: 1446733972-1602-5-git-send-email-somlo@×××.edu |
534 |
-Cc: Marc Marí <markmb@××××××.com> |
535 |
-Signed-off-by: Gabriel Somlo <somlo@×××.edu> |
536 |
-Reviewed-by: Laszlo Ersek <lersek@××××××.com> |
537 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
538 |
---- |
539 |
- hw/nvram/fw_cfg.c | 6 ++++-- |
540 |
- 1 file changed, 4 insertions(+), 2 deletions(-) |
541 |
- |
542 |
-diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c |
543 |
-index c2d3a0a..046fa74 100644 |
544 |
---- a/hw/nvram/fw_cfg.c |
545 |
-+++ b/hw/nvram/fw_cfg.c |
546 |
-@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) |
547 |
- static uint8_t fw_cfg_read(FWCfgState *s) |
548 |
- { |
549 |
- int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); |
550 |
-- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
551 |
-+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : |
552 |
-+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
553 |
- uint8_t ret; |
554 |
- |
555 |
- if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) |
556 |
-@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) |
557 |
- } |
558 |
- |
559 |
- arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); |
560 |
-- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
561 |
-+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : |
562 |
-+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
563 |
- |
564 |
- if (dma.control & FW_CFG_DMA_CTL_READ) { |
565 |
- read = 1; |
566 |
--- |
567 |
-2.7.4 |
568 |
- |
569 |
|
570 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch |
571 |
deleted file mode 100644 |
572 |
index 23c2341..00000000 |
573 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch |
574 |
+++ /dev/null |
575 |
@@ -1,65 +0,0 @@ |
576 |
-From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001 |
577 |
-From: P J P <ppandit@××××××.com> |
578 |
-Date: Fri, 18 Dec 2015 11:35:07 +0530 |
579 |
-Subject: [PATCH] i386: avoid null pointer dereference |
580 |
- |
581 |
- Hello, |
582 |
- |
583 |
-A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It |
584 |
-occurs while doing I/O port write operations via hmp interface. In that, |
585 |
-'current_cpu' remains null as it is not called from cpu_exec loop, which |
586 |
-results in the said issue. |
587 |
- |
588 |
-Below is a proposed (tested)patch to fix this issue; Does it look okay? |
589 |
- |
590 |
-=== |
591 |
-From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 |
592 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
593 |
-Date: Fri, 18 Dec 2015 11:16:07 +0530 |
594 |
-Subject: [PATCH] i386: avoid null pointer dereference |
595 |
- |
596 |
-When I/O port write operation is called from hmp interface, |
597 |
-'current_cpu' remains null, as it is not called from cpu_exec() |
598 |
-loop. This leads to a null pointer dereference in vapic_write |
599 |
-routine. Add check to avoid it. |
600 |
- |
601 |
-Reported-by: Ling Liu <liuling-it@×××.cn> |
602 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
603 |
-Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva> |
604 |
-Signed-off-by: Paolo Bonzini <pbonzini@××××××.com> |
605 |
-Signed-off-by: P J P <ppandit@××××××.com> |
606 |
---- |
607 |
- hw/i386/kvmvapic.c | 15 ++++++++++----- |
608 |
- 1 file changed, 10 insertions(+), 5 deletions(-) |
609 |
- |
610 |
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c |
611 |
-index c6d34b2..f0922da 100644 |
612 |
---- a/hw/i386/kvmvapic.c |
613 |
-+++ b/hw/i386/kvmvapic.c |
614 |
-@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) |
615 |
- static void vapic_write(void *opaque, hwaddr addr, uint64_t data, |
616 |
- unsigned int size) |
617 |
- { |
618 |
-- CPUState *cs = current_cpu; |
619 |
-- X86CPU *cpu = X86_CPU(cs); |
620 |
-- CPUX86State *env = &cpu->env; |
621 |
-- hwaddr rom_paddr; |
622 |
- VAPICROMState *s = opaque; |
623 |
-+ X86CPU *cpu; |
624 |
-+ CPUX86State *env; |
625 |
-+ hwaddr rom_paddr; |
626 |
- |
627 |
-- cpu_synchronize_state(cs); |
628 |
-+ if (!current_cpu) { |
629 |
-+ return; |
630 |
-+ } |
631 |
-+ |
632 |
-+ cpu_synchronize_state(current_cpu); |
633 |
-+ cpu = X86_CPU(current_cpu); |
634 |
-+ env = &cpu->env; |
635 |
- |
636 |
- /* |
637 |
- * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. |
638 |
--- |
639 |
-2.7.4 |
640 |
- |
641 |
|
642 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch |
643 |
deleted file mode 100644 |
644 |
index 2922193..00000000 |
645 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch |
646 |
+++ /dev/null |
647 |
@@ -1,98 +0,0 @@ |
648 |
-From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001 |
649 |
-From: Laszlo Ersek <lersek@××××××.com> |
650 |
-Date: Tue, 19 Jan 2016 14:17:20 +0100 |
651 |
-Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer |
652 |
- start |
653 |
- |
654 |
-The start_xmit() and e1000_receive_iov() functions implement DMA transfers |
655 |
-iterating over a set of descriptors that the guest's e1000 driver |
656 |
-prepares: |
657 |
- |
658 |
-- the TDLEN and RDLEN registers store the total size of the descriptor |
659 |
- area, |
660 |
- |
661 |
-- while the TDH and RDH registers store the offset (in whole tx / rx |
662 |
- descriptors) into the area where the transfer is supposed to start. |
663 |
- |
664 |
-Each time a descriptor is processed, the TDH and RDH register is bumped |
665 |
-(as appropriate for the transfer direction). |
666 |
- |
667 |
-QEMU already contains logic to deal with bogus transfers submitted by the |
668 |
-guest: |
669 |
- |
670 |
-- Normally, the transmit case wants to increase TDH from its initial value |
671 |
- to TDT. (TDT is allowed to be numerically smaller than the initial TDH |
672 |
- value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe |
673 |
- that QEMU currently has here is a check against reaching the original |
674 |
- TDH value again -- a complete wraparound, which should never happen. |
675 |
- |
676 |
-- In the receive case RDH is increased from its initial value until |
677 |
- "total_size" bytes have been received; preferably in a single step, or |
678 |
- in "s->rxbuf_size" byte steps, if the latter is smaller. However, null |
679 |
- RX descriptors are skipped without receiving data, while RDH is |
680 |
- incremented just the same. QEMU tries to prevent an infinite loop |
681 |
- (processing only null RX descriptors) by detecting whether RDH assumes |
682 |
- its original value during the loop. (Again, wrapping from RDLEN to 0 is |
683 |
- normal.) |
684 |
- |
685 |
-What both directions miss is that the guest could program TDLEN and RDLEN |
686 |
-so low, and the initial TDH and RDH so high, that these registers will |
687 |
-immediately be truncated to zero, and then never reassume their initial |
688 |
-values in the loop -- a full wraparound will never occur. |
689 |
- |
690 |
-The condition that expresses this is: |
691 |
- |
692 |
- xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) |
693 |
- |
694 |
-i.e., TDH or RDH start out after the last whole rx or tx descriptor that |
695 |
-fits into the TDLEN or RDLEN sized area. |
696 |
- |
697 |
-This condition could be checked before we enter the loops, but |
698 |
-pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for |
699 |
-bogus DMA addresses, so we just extend the existing failsafes with the |
700 |
-above condition. |
701 |
- |
702 |
-This is CVE-2016-1981. |
703 |
- |
704 |
-Cc: "Michael S. Tsirkin" <mst@××××××.com> |
705 |
-Cc: Petr Matousek <pmatouse@××××××.com> |
706 |
-Cc: Stefano Stabellini <stefano.stabellini@×××××××××.com> |
707 |
-Cc: Prasad Pandit <ppandit@××××××.com> |
708 |
-Cc: Michael Roth <mdroth@××××××××××××××.com> |
709 |
-Cc: Jason Wang <jasowang@××××××.com> |
710 |
-Cc: qemu-stable@××××××.org |
711 |
-RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 |
712 |
-Signed-off-by: Laszlo Ersek <lersek@××××××.com> |
713 |
-Reviewed-by: Jason Wang <jasowang@××××××.com> |
714 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
715 |
---- |
716 |
- hw/net/e1000.c | 6 ++++-- |
717 |
- 1 file changed, 4 insertions(+), 2 deletions(-) |
718 |
- |
719 |
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c |
720 |
-index 4eda7a3..0387fa0 100644 |
721 |
---- a/hw/net/e1000.c |
722 |
-+++ b/hw/net/e1000.c |
723 |
-@@ -909,7 +909,8 @@ start_xmit(E1000State *s) |
724 |
- * bogus values to TDT/TDLEN. |
725 |
- * there's nothing too intelligent we could do about this. |
726 |
- */ |
727 |
-- if (s->mac_reg[TDH] == tdh_start) { |
728 |
-+ if (s->mac_reg[TDH] == tdh_start || |
729 |
-+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { |
730 |
- DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", |
731 |
- tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); |
732 |
- break; |
733 |
-@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) |
734 |
- if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) |
735 |
- s->mac_reg[RDH] = 0; |
736 |
- /* see comment in start_xmit; same here */ |
737 |
-- if (s->mac_reg[RDH] == rdh_start) { |
738 |
-+ if (s->mac_reg[RDH] == rdh_start || |
739 |
-+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { |
740 |
- DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", |
741 |
- rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); |
742 |
- set_ics(s, 0, E1000_ICS_RXO); |
743 |
--- |
744 |
-2.7.4 |
745 |
- |
746 |
|
747 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch |
748 |
deleted file mode 100644 |
749 |
index 0ab7b02..00000000 |
750 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch |
751 |
+++ /dev/null |
752 |
@@ -1,43 +0,0 @@ |
753 |
-From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001 |
754 |
-From: John Snow <jsnow@××××××.com> |
755 |
-Date: Wed, 10 Feb 2016 13:29:40 -0500 |
756 |
-Subject: [PATCH] ahci: Do not unmap NULL addresses |
757 |
- |
758 |
-Definitely don't try to unmap a garbage address. |
759 |
- |
760 |
-Reported-by: Zuozhi fzz <zuozhi.fzz@×××××××××××.com> |
761 |
-Signed-off-by: John Snow <jsnow@××××××.com> |
762 |
-Message-id: 1454103689-13042-2-git-send-email-jsnow@××××××.com |
763 |
---- |
764 |
- hw/ide/ahci.c | 8 ++++++++ |
765 |
- 1 file changed, 8 insertions(+) |
766 |
- |
767 |
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c |
768 |
-index 7e87b18..3a95dad 100644 |
769 |
---- a/hw/ide/ahci.c |
770 |
-+++ b/hw/ide/ahci.c |
771 |
-@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad) |
772 |
- |
773 |
- static void ahci_unmap_fis_address(AHCIDevice *ad) |
774 |
- { |
775 |
-+ if (ad->res_fis == NULL) { |
776 |
-+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n"); |
777 |
-+ return; |
778 |
-+ } |
779 |
- dma_memory_unmap(ad->hba->as, ad->res_fis, 256, |
780 |
- DMA_DIRECTION_FROM_DEVICE, 256); |
781 |
- ad->res_fis = NULL; |
782 |
-@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad) |
783 |
- |
784 |
- static void ahci_unmap_clb_address(AHCIDevice *ad) |
785 |
- { |
786 |
-+ if (ad->lst == NULL) { |
787 |
-+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n"); |
788 |
-+ return; |
789 |
-+ } |
790 |
- dma_memory_unmap(ad->hba->as, ad->lst, 1024, |
791 |
- DMA_DIRECTION_FROM_DEVICE, 1024); |
792 |
- ad->lst = NULL; |
793 |
--- |
794 |
-2.7.4 |
795 |
- |
796 |
|
797 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch |
798 |
deleted file mode 100644 |
799 |
index e7aa5ca..00000000 |
800 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch |
801 |
+++ /dev/null |
802 |
@@ -1,35 +0,0 @@ |
803 |
-From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 |
804 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
805 |
-Date: Thu, 11 Feb 2016 16:31:20 +0530 |
806 |
-Subject: [PATCH] usb: check USB configuration descriptor object |
807 |
- |
808 |
-When processing remote NDIS control message packets, the USB Net |
809 |
-device emulator checks to see if the USB configuration descriptor |
810 |
-object is of RNDIS type(2). But it does not check if it is null, |
811 |
-which leads to a null dereference error. Add check to avoid it. |
812 |
- |
813 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
814 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
815 |
-Message-id: 1455188480-14688-1-git-send-email-ppandit@××××××.com |
816 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
817 |
---- |
818 |
- hw/usb/dev-network.c | 3 ++- |
819 |
- 1 file changed, 2 insertions(+), 1 deletion(-) |
820 |
- |
821 |
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c |
822 |
-index 985a629..5dc4538 100644 |
823 |
---- a/hw/usb/dev-network.c |
824 |
-+++ b/hw/usb/dev-network.c |
825 |
-@@ -654,7 +654,8 @@ typedef struct USBNetState { |
826 |
- |
827 |
- static int is_rndis(USBNetState *s) |
828 |
- { |
829 |
-- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; |
830 |
-+ return s->dev.config ? |
831 |
-+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; |
832 |
- } |
833 |
- |
834 |
- static int ndis_query(USBNetState *s, uint32_t oid, |
835 |
--- |
836 |
-2.7.4 |
837 |
- |
838 |
|
839 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch |
840 |
deleted file mode 100644 |
841 |
index 2874b75..00000000 |
842 |
--- a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch |
843 |
+++ /dev/null |
844 |
@@ -1,37 +0,0 @@ |
845 |
-From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001 |
846 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
847 |
-Date: Wed, 24 Feb 2016 11:41:33 +0530 |
848 |
-Subject: [PATCH] net: ne2000: check ring buffer control registers |
849 |
- |
850 |
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) |
851 |
-bytes to process network packets. Registers PSTART & PSTOP |
852 |
-define ring buffer size & location. Setting these registers |
853 |
-to invalid values could lead to infinite loop or OOB r/w |
854 |
-access issues. Add check to avoid it. |
855 |
- |
856 |
-Reported-by: Yang Hongke <yanghongke@××××××.com> |
857 |
-Tested-by: Yang Hongke <yanghongke@××××××.com> |
858 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
859 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
860 |
---- |
861 |
- hw/net/ne2000.c | 4 ++++ |
862 |
- 1 file changed, 4 insertions(+) |
863 |
- |
864 |
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c |
865 |
-index e408083..f0feaf9 100644 |
866 |
---- a/hw/net/ne2000.c |
867 |
-+++ b/hw/net/ne2000.c |
868 |
-@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s) |
869 |
- { |
870 |
- int avail, index, boundary; |
871 |
- |
872 |
-+ if (s->stop <= s->start) { |
873 |
-+ return 1; |
874 |
-+ } |
875 |
-+ |
876 |
- index = s->curpag << 8; |
877 |
- boundary = s->boundary << 8; |
878 |
- if (index < boundary) |
879 |
--- |
880 |
-2.7.4 |
881 |
- |
882 |
|
883 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch |
884 |
deleted file mode 100644 |
885 |
index 2ddca3e..00000000 |
886 |
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch |
887 |
+++ /dev/null |
888 |
@@ -1,52 +0,0 @@ |
889 |
-From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001 |
890 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
891 |
-Date: Wed, 20 Jan 2016 01:26:46 +0530 |
892 |
-Subject: [PATCH] usb: check page select value while processing iTD |
893 |
- |
894 |
-While processing isochronous transfer descriptors(iTD), the page |
895 |
-select(PG) field value could lead to an OOB read access. Add |
896 |
-check to avoid it. |
897 |
- |
898 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
899 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
900 |
-Message-id: 1453233406-12165-1-git-send-email-ppandit@××××××.com |
901 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
902 |
---- |
903 |
- hw/usb/hcd-ehci.c | 10 ++++++---- |
904 |
- 1 file changed, 6 insertions(+), 4 deletions(-) |
905 |
- |
906 |
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c |
907 |
-index ab00268..93601d9 100644 |
908 |
---- a/hw/usb/hcd-ehci.c |
909 |
-+++ b/hw/usb/hcd-ehci.c |
910 |
-@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci, |
911 |
- if (itd->transact[i] & ITD_XACT_ACTIVE) { |
912 |
- pg = get_field(itd->transact[i], ITD_XACT_PGSEL); |
913 |
- off = itd->transact[i] & ITD_XACT_OFFSET_MASK; |
914 |
-- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); |
915 |
-- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK); |
916 |
- len = get_field(itd->transact[i], ITD_XACT_LENGTH); |
917 |
- |
918 |
- if (len > max * mult) { |
919 |
- len = max * mult; |
920 |
- } |
921 |
-- |
922 |
-- if (len > BUFF_SIZE) { |
923 |
-+ if (len > BUFF_SIZE || pg > 6) { |
924 |
- return -1; |
925 |
- } |
926 |
- |
927 |
-+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); |
928 |
- qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); |
929 |
- if (off + len > 4096) { |
930 |
- /* transfer crosses page border */ |
931 |
-+ if (pg == 6) { |
932 |
-+ return -1; /* avoid page pg + 1 */ |
933 |
-+ } |
934 |
-+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); |
935 |
- uint32_t len2 = off + len - 4096; |
936 |
- uint32_t len1 = len - len2; |
937 |
- qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); |
938 |
--- |
939 |
-2.7.4 |
940 |
- |
941 |
|
942 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch |
943 |
deleted file mode 100644 |
944 |
index da643fd..00000000 |
945 |
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch |
946 |
+++ /dev/null |
947 |
@@ -1,59 +0,0 @@ |
948 |
-From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 |
949 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
950 |
-Date: Wed, 17 Feb 2016 00:23:41 +0530 |
951 |
-Subject: [PATCH] usb: check RNDIS buffer offsets & length |
952 |
- |
953 |
-When processing remote NDIS control message packets, |
954 |
-the USB Net device emulator uses a fixed length(4096) data buffer. |
955 |
-The incoming informationBufferOffset & Length combination could |
956 |
-overflow and cross that range. Check control message buffer |
957 |
-offsets and length to avoid it. |
958 |
- |
959 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
960 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
961 |
-Message-id: 1455648821-17340-3-git-send-email-ppandit@××××××.com |
962 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
963 |
---- |
964 |
- hw/usb/dev-network.c | 9 ++++++--- |
965 |
- 1 file changed, 6 insertions(+), 3 deletions(-) |
966 |
- |
967 |
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c |
968 |
-index 5dc4538..c6abd38 100644 |
969 |
---- a/hw/usb/dev-network.c |
970 |
-+++ b/hw/usb/dev-network.c |
971 |
-@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s, |
972 |
- |
973 |
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; |
974 |
- buflen = le32_to_cpu(buf->InformationBufferLength); |
975 |
-- if (bufoffs + buflen > length) |
976 |
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { |
977 |
- return USB_RET_STALL; |
978 |
-+ } |
979 |
- |
980 |
- infobuflen = ndis_query(s, le32_to_cpu(buf->OID), |
981 |
- bufoffs + (uint8_t *) buf, buflen, infobuf, |
982 |
-@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s, |
983 |
- |
984 |
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; |
985 |
- buflen = le32_to_cpu(buf->InformationBufferLength); |
986 |
-- if (bufoffs + buflen > length) |
987 |
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { |
988 |
- return USB_RET_STALL; |
989 |
-+ } |
990 |
- |
991 |
- ret = ndis_set(s, le32_to_cpu(buf->OID), |
992 |
- bufoffs + (uint8_t *) buf, buflen); |
993 |
-@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p) |
994 |
- if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { |
995 |
- uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); |
996 |
- uint32_t size = le32_to_cpu(msg->DataLength); |
997 |
-- if (offs + size <= len) |
998 |
-+ if (offs < len && size < len && offs + size <= len) { |
999 |
- qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); |
1000 |
-+ } |
1001 |
- } |
1002 |
- s->out_ptr -= len; |
1003 |
- memmove(s->out_buf, &s->out_buf[len], s->out_ptr); |
1004 |
--- |
1005 |
-2.7.4 |
1006 |
- |
1007 |
|
1008 |
diff --git a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch b/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch |
1009 |
deleted file mode 100644 |
1010 |
index 4856373..00000000 |
1011 |
--- a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch |
1012 |
+++ /dev/null |
1013 |
@@ -1,60 +0,0 @@ |
1014 |
-https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01611.html |
1015 |
- |
1016 |
-From 6a2909cf98e892783b2502df6f7f4de46d13e42b Mon Sep 17 00:00:00 2001 |
1017 |
-From: Mike Frysinger <vapier@××××××××.org> |
1018 |
-Date: Mon, 6 Jun 2016 17:58:26 -0400 |
1019 |
-Subject: [PATCH] crypto: aes: always rename internal symbols |
1020 |
- |
1021 |
-OpenSSL's libcrypto always defines AES symbols with the same names as |
1022 |
-qemu's local aes code. This is problematic when enabling at least curl |
1023 |
-as that frequently also uses libcrypto. It might not be noticed when |
1024 |
-running, but if you try to statically link, everything falls down. |
1025 |
- |
1026 |
-An example snippet: |
1027 |
- LINK qemu-nbd |
1028 |
-.../libcrypto.a(aes-x86_64.o): In function 'AES_encrypt': |
1029 |
-(.text+0x460): multiple definition of 'AES_encrypt' |
1030 |
-crypto/aes.o:aes.c:(.text+0x670): first defined here |
1031 |
-.../libcrypto.a(aes-x86_64.o): In function 'AES_decrypt': |
1032 |
-(.text+0x9f0): multiple definition of 'AES_decrypt' |
1033 |
-crypto/aes.o:aes.c:(.text+0xb30): first defined here |
1034 |
-.../libcrypto.a(aes-x86_64.o): In function 'AES_cbc_encrypt': |
1035 |
-(.text+0xf90): multiple definition of 'AES_cbc_encrypt' |
1036 |
-crypto/aes.o:aes.c:(.text+0xff0): first defined here |
1037 |
-collect2: error: ld returned 1 exit status |
1038 |
-.../qemu-2.6.0/rules.mak:105: recipe for target 'qemu-nbd' failed |
1039 |
-make: *** [qemu-nbd] Error 1 |
1040 |
- |
1041 |
-The aes.h header has redefines already for FreeBSD, but go ahead and |
1042 |
-enable that for everyone since there's no real good reason to not use |
1043 |
-a namespace all the time. |
1044 |
- |
1045 |
-Signed-off-by: Mike Frysinger <vapier@××××××××.org> |
1046 |
---- |
1047 |
- include/crypto/aes.h | 5 ++--- |
1048 |
- 1 file changed, 2 insertions(+), 3 deletions(-) |
1049 |
- |
1050 |
-diff --git a/include/crypto/aes.h b/include/crypto/aes.h |
1051 |
-index a006da2224a9..12fb321b89de 100644 |
1052 |
---- a/include/crypto/aes.h |
1053 |
-+++ b/include/crypto/aes.h |
1054 |
-@@ -10,14 +10,13 @@ struct aes_key_st { |
1055 |
- }; |
1056 |
- typedef struct aes_key_st AES_KEY; |
1057 |
- |
1058 |
--/* FreeBSD has its own AES_set_decrypt_key in -lcrypto, avoid conflicts */ |
1059 |
--#ifdef __FreeBSD__ |
1060 |
-+/* FreeBSD/OpenSSL have their own AES functions with the same names in -lcrypto |
1061 |
-+ * (which might be pulled in via curl), so redefine to avoid conflicts. */ |
1062 |
- #define AES_set_encrypt_key QEMU_AES_set_encrypt_key |
1063 |
- #define AES_set_decrypt_key QEMU_AES_set_decrypt_key |
1064 |
- #define AES_encrypt QEMU_AES_encrypt |
1065 |
- #define AES_decrypt QEMU_AES_decrypt |
1066 |
- #define AES_cbc_encrypt QEMU_AES_cbc_encrypt |
1067 |
--#endif |
1068 |
- |
1069 |
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits, |
1070 |
- AES_KEY *key); |
1071 |
--- |
1072 |
-2.8.2 |
1073 |
- |
1074 |
|
1075 |
diff --git a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch b/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch |
1076 |
deleted file mode 100644 |
1077 |
index 5fd678c..00000000 |
1078 |
--- a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch |
1079 |
+++ /dev/null |
1080 |
@@ -1,11 +0,0 @@ |
1081 |
---- a/configure 2016-08-07 15:50:20.386687733 +0200 |
1082 |
-+++ b/configure 2016-08-07 15:53:55.489691690 +0200 |
1083 |
-@@ -2967,7 +2967,7 @@ |
1084 |
- } |
1085 |
- EOF |
1086 |
- |
1087 |
--if ! compile_prog "-Werror $CFLAGS" "$LIBS" ; then |
1088 |
-+if ! compile_prog "$CFLAGS" "$LIBS" ; then |
1089 |
- error_exit "sizeof(size_t) doesn't match GLIB_SIZEOF_SIZE_T."\ |
1090 |
- "You probably need to set PKG_CONFIG_LIBDIR"\ |
1091 |
- "to point to the right pkg-config files for your"\ |