1 |
--- |
2 |
app-emulation/qemu/Manifest | 25 +---- |
3 |
app-emulation/qemu/files/qemu-1.7.0-cflags.patch | 11 -- |
4 |
.../qemu/files/qemu-2.5.0-9pfs-segfault.patch | 34 ------ |
5 |
.../qemu/files/qemu-2.5.0-CVE-2015-8558.patch | 50 --------- |
6 |
.../qemu/files/qemu-2.5.0-CVE-2015-8567.patch | 95 ---------------- |
7 |
.../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ------ |
8 |
.../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 --------------------- |
9 |
.../qemu/files/qemu-2.5.0-CVE-2015-8701.patch | 49 --------- |
10 |
.../qemu/files/qemu-2.5.0-CVE-2015-8743.patch | 50 --------- |
11 |
.../qemu/files/qemu-2.5.0-CVE-2016-1568.patch | 41 ------- |
12 |
.../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 ---------- |
13 |
.../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 ----------- |
14 |
.../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 ----------------- |
15 |
.../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 -------- |
16 |
.../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ------ |
17 |
.../qemu/files/qemu-2.5.0-ne2000-reg-check.patch | 37 ------- |
18 |
.../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 --------- |
19 |
.../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 ---------- |
20 |
.../qemu/files/qemu-2.5.1-CVE-2015-8558.patch | 107 ++++++++++++++++++ |
21 |
.../qemu/files/qemu-2.5.1-CVE-2016-4020.patch | 16 +++ |
22 |
.../files/qemu-2.5.1-stellaris_enet-overflow.patch | 47 ++++++++ |
23 |
.../qemu/files/qemu-2.5.1-xfs-linux-headers.patch | 82 ++++++++++++++ |
24 |
...emu-2.5.0-r999.ebuild => qemu-2.5.1-r99.ebuild} | 30 ++--- |
25 |
23 files changed, 267 insertions(+), 973 deletions(-) |
26 |
delete mode 100644 app-emulation/qemu/files/qemu-1.7.0-cflags.patch |
27 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch |
28 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch |
29 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch |
30 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch |
31 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch |
32 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch |
33 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch |
34 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch |
35 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch |
36 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch |
37 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch |
38 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch |
39 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch |
40 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch |
41 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch |
42 |
delete mode 100644 app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch |
43 |
create mode 100644 app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch |
44 |
create mode 100644 app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch |
45 |
create mode 100644 app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch |
46 |
create mode 100644 app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch |
47 |
rename app-emulation/qemu/{qemu-2.5.0-r999.ebuild => qemu-2.5.1-r99.ebuild} (94%) |
48 |
|
49 |
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest |
50 |
index 4e4858a..5d10f94 100644 |
51 |
--- a/app-emulation/qemu/Manifest |
52 |
+++ b/app-emulation/qemu/Manifest |
53 |
@@ -1,34 +1,21 @@ |
54 |
AUX 65-kvm.rules 40 SHA256 c16a8dc7855880b2651f1a3ff488ecc54d4ac1036c71fffd5007021d8d18a7c5 SHA512 98aad2a2f212a7ac0ee5b60a9c92744fa462bce5f26594845c7a31d692aaaca2d52cb57bdbede7dfc60b9862c2a6510665dbb03215d5cf76e62516a283decdd6 WHIRLPOOL 937de93a23930f6b8533f0c3e0dd249c99ddf7d54446dea857607266ac0a4b435c5b4a52b2986b138bace9c0a7ade66f94116b38e2bc4767ead54bd11baf0920 |
55 |
AUX bridge.conf 454 SHA256 a51850dd39923f3482e4c575b48ad9fef9c9ebb2f2176225da399b79ce48c69d SHA512 a907ee86b81a1b61033bb7621ded65112504131ef7b698c53e4014b958ee6fc79e66f63069015a01e41362cb70a7d0ed26dd9a03033cf776f4846f0e1f8f1533 WHIRLPOOL 8fcbd4abf9b8f7ca3d16fe0eaf17196ebf708dfecf85ce0f020e0de22b64905114f7b310f361826c81bb961c6b1bbbf984bff1e595bb949993b8966ccb222c35 |
56 |
-AUX qemu-1.7.0-cflags.patch 300 SHA256 8f35e55c4bae93e82f9580eabe2d6a2d4660bd05343e1f4e6c33815deeede91e SHA512 54446cb555b623b2306f8a323713e4dfb1b8b7bbf3af3771d5b62e164e0672cc21cbe44f08ca8b58052523e8d629e16355a44ebb544a999a44d11ac3af671f1c WHIRLPOOL b903b4abefeeb09a2ab2d1ee224de5d3694f99f50aacfe33882fce0c1c87c23dae4d57b001d1c35cc96fffa93d43fac4a8ab30a3e45fe1f380580162c0332e78 |
57 |
AUX qemu-2.0.0-F_SHLCK-and-F_EXLCK.patch 563 SHA256 99de67d610ad13a1dcf6c67a3c2b5b87fb909220173a956435737f9bea3c371b SHA512 a29e9a889388a6627ed492a79e66514ffb5e64f9479646982091811548fc2a9bf6682104a6c774d83e645e4b1db39e491afd4efce789fe164623442a7f3e5d00 WHIRLPOOL d3aab06099de263c22f4c71810a3b2cb8602d17731ec76674cd1415e539306555a7b96b789f0daad473600dfa04a83224ff603f7b9a9ac63a4902f74d0e9deb5 |
58 |
AUX qemu-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 930 SHA256 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac SHA512 ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea WHIRLPOOL 06b9dd5251ac03405c97b1f5a623b4d86bda2f72fbcd52b90ae4d11a0cfb59cae62df2cb6189405fbe53ab05ff2b7ca8165fda239dbfe5f31ed70abb53b3b9f3 |
59 |
AUX qemu-2.2.0-_sigev_un.patch 636 SHA256 f3b9a4d6162c553f3110ad22716305818e2130e2ff5d628faf044fc58a5e3cb5 SHA512 f72b879daede5184904f64cabb276de96299a37a93fce444d09e9068671009e95a5e5d6b815ec41a5db5b3807de14d470a56bba5806ffd4dfec577577b046ccb WHIRLPOOL 9453ad4966e10d504f3e867fd984642a3c1ee3ae847b5ca56196fd1f9e6c0f2d7b52ca07446212af72fef6d0ded1527a5eb306fa6cd915e8dd9ce11523362bac |
60 |
-AUX qemu-2.5.0-9pfs-segfault.patch 1294 SHA256 707835ed8af1aa7e8fc9f0e06c6afa8e77fe7858b20ad4c2df2a1aec0627332d SHA512 2af7498939ba653c36808a7bccafe4a3d8c3d1cfa7199c5788f67fb001925dff17e4faba5e13c6b1517ca887209452f4ba7ed71f6b4464d55b5e942350406f90 WHIRLPOOL 591ba85bd9e5ab0665ed5835878886ec0d774a500ed966dd1b37e5478a4799a38d319a6bb88d214f202a83282db6a0434641b30c8b70ceef6bd2fb1e38f8faef |
61 |
-AUX qemu-2.5.0-CVE-2015-8558.patch 1459 SHA256 d769e6eb6dc0bdb0b982ef5fe7d73cc6bad47233102f53d11c6ed6c9051602d8 SHA512 42961191890c500675610d5d33e6ff468b07428c6b428ac01bb5c0e3ea88ff611a3532f848d54317458475fef221a06e41761ef14ea61d1b741db73450c4f90d WHIRLPOOL 475679dc1a24bc75012995a9a2122847454701b65ff0b7f8192865b45de49ce08572f129a7cfdeb36521252ed2f80c95e9dddbd64cb8e39fdc5beacc25934798 |
62 |
-AUX qemu-2.5.0-CVE-2015-8567.patch 3108 SHA256 88b72df4e02407c3b9ca4835c38988b97fcd5aa9c68da6fa47207fe675d4e661 SHA512 2f0243ec9764d72fe5e7a005a8db40d3d5c4c2edae5c3451087ee3f5c841c96a3112875cf88a19061fa2ce0d04715d247e6eb1eb83e1e5b57ec0b9eb324b8ce6 WHIRLPOOL b432ff3e105da5c0bd20dd1d7da0374f4005b2ac5a9a8c824e96730aeafa89bb8fc125f8b2857fdaf72024082ddbc0c7a28c3e3ffb9114c3d370db1b638c4731 |
63 |
-AUX qemu-2.5.0-CVE-2015-8613.patch 1264 SHA256 c8df9bb4c0100ef6c8ae09acd73878e46b3ad4a9e04b9cfe30445922bc33299c SHA512 ea2bf909ec29bab0b2131bf9d3e8fc04f176393258c4ce578d3ac8d76f09a25b96f8a3b2aa450b47c0ba9bc9637e5b93e7cc53542362b48930de18ceebb07698 WHIRLPOOL f0d415b1df9f05cb0431801054535f8939d46e7dda6eaa5ce990eef82ddc458003eb9ae5dc06e3269ddb5ed8f8c903c1f3d058d41e63ea9a5192b6149283feb2 |
64 |
-AUX qemu-2.5.0-CVE-2015-8619.patch 4220 SHA256 325bb3df340a1f5115a345a145bed94e9b2d5721cf8cce1217138e8d5a8a0c1a SHA512 317e882da18332fe667c10c55b8f026d347d93c61f668e8ddb916f1b0f5e39a9e3104c14ab2306ce761024a02a78af3a4808627ad9f18c0d43d748fd30c21505 WHIRLPOOL feddd255cf3844cd270ca2662f6140cc7104f8328e51acb01dc2f6f1b4646061569f5faa629264ebeaa5a2b18e595c4a90b69a588aa05f1acf70d9570067c6c0 |
65 |
-AUX qemu-2.5.0-CVE-2015-8701.patch 1671 SHA256 f39e0c6301cffa1b14c3ef0ab72fce0e2acd42170759ef7954234d31602aeb99 SHA512 d39edf84e2d17e6080bbc4a270732cd73b41fa39d948ee7bc4456e1024c5a69ddfb5e848af3272615f5aa36a3b6410a12f5a73e00ccfa58e0d60d7289d034aa9 WHIRLPOOL 352148c367837ba2d6eb5eb39e00c128f0cff3faef159754a41318857bc11a6616be184c24df4767ec2c8c14910ad74fc3be48273f6312b1687910fbcaf7bec3 |
66 |
-AUX qemu-2.5.0-CVE-2015-8743.patch 1777 SHA256 22aac571c1aa6f6a283d200a7703fdfea0a5bcaf227a003a2cbf5741bbb8df85 SHA512 65d8632fd43959983ca02f9ab116ec78ea043e6d867e6d743014885c2a423bb3b87c2e56caa37e7f29e971a44f5ea695cb4ce1c3a9c1fc2d734b25ca0b2f4054 WHIRLPOOL 9128c812cfbfe3d4629cd6c7c2c6f50c9ef2fe2d5b62b24486559279296987f593f852f913eb67fbe956d650d50612fa7a658a60b3d80cf4fa9256e332d77330 |
67 |
-AUX qemu-2.5.0-CVE-2016-1568.patch 1476 SHA256 ba2a25142977eea531159d81ef8938e8519c92800aa1958e71da9e2780c8256a SHA512 643ef742e6cd1dbc8f420b38f684bc8639e4bd58ab38c254654d4b1a72b129202fecdddddfd308b48ed7813da193edff68d737080d5035c82daf9676ee17df22 WHIRLPOOL af9376400540f20d77ea06cb6a12ce415b72bb22cdde3365bba8b02deb8985aedfee303646e13e1d1263a2dcd17bf1518637183a81c66c2db7b438aa88ef7d95 |
68 |
-AUX qemu-2.5.0-CVE-2016-1714.patch 2168 SHA256 2a366b01f5c05a87324ca765cea90bc93eda819d264932ac4588e6303e0b7dee SHA512 25f5f67dbcb2175bac1b5d6d11bf6b27019526c0ee43ed8580a0de10bf82ac62e5a71ded4d18c0e561d8d3832da630c92f9f118277da349367f55b4939029216 WHIRLPOOL 600d0c90779aaf7c1840e106359c909d486c7cce483edc0e5ddc627a127c907f5dd9cbd5b8ce561e2675f6bfe8cd0502efa96557601ce26eda2311b1072ab48b |
69 |
-AUX qemu-2.5.0-CVE-2016-1922.patch 2114 SHA256 a10d23d5ff3d021aa0962c79a397b69518cec6cd570ebea771f03513d4b7eb1a SHA512 af895fd14e876f808203279176c5f5c28d95d0137385c6d0e56e27f9ad70b76552b8ce75a3be368ceed94fbc62999e8d6c5e6dbcd35e99d59c57787afe6ac57d WHIRLPOOL 199ec0c9bc766968778e5733e1ca0773999a3cccfa779d8fdf68c2ed866a1427048b0db9730eb2a1521be5e174ea6388b69053c85d0d25144e73df25ec7829a9 |
70 |
-AUX qemu-2.5.0-CVE-2016-1981.patch 4160 SHA256 ad440f4964670e68846a3469e0cb0eca3ecf11cfc5c2e32b09581b64eef43ab7 SHA512 f133a311da42cc831116251550359949e0f23f1163a7b0e638fc5f43edf1dea17a5e5843a06142c3086ef367d94898b074eebf8c371ea83b7a3981cfd20c4e27 WHIRLPOOL ba6e563917773d4488f51c11864a6ce1a4331ba6fc7925f47768282ea75f1a26c51792063c946579d49b28e3ed7a854a191732c1ba7ec40628395e971cf67782 |
71 |
-AUX qemu-2.5.0-CVE-2016-2197.patch 1358 SHA256 caa5eb42b21a3fc656982fdc4e511c8350eeb0511857d9b8f371e4e926c2ac80 SHA512 ee6467ef00c5db1e6c5f6331ec411afd139e7e8c5d5e23e3ee33b3161f0e79028ddecfa661bf4bfb5bac0cfa91385f69d66b57c5337384817f0756b7575aa099 WHIRLPOOL 67bab11771159560fd080d157477aa227aa351bb8101671c0e778a38a15d607a2346ade7b10310914f93d5a1faeb993003590e7bf75cd5c9d06db0c687085b51 |
72 |
AUX qemu-2.5.0-CVE-2016-2198.patch 1540 SHA256 0d6d81a27ffac1af7c478a050aa690eb007cf9735a1a0c4b398eabeb990d5ab4 SHA512 b0b3131bb2b9b2d3f2a3f3286eeb92b527f0d3366e657cf8bcbabc6426b57893936c5a8ef66697ad1014b4525c09fa4d067195600f96ab2b005fd52b6e77d9a4 WHIRLPOOL f5c56b87f934c573fc71169fcded579b9917285fbfff59fd9288011775f482ead2ac09e1399f325e826305fab2f7bc2cd21d333711c526c1658a069a5ee93491 |
73 |
-AUX qemu-2.5.0-CVE-2016-2392.patch 1265 SHA256 a81d906bcf18fb5cf76fa5fa686c848a33f43054bff03a7a2e0e391a34884be8 SHA512 cac6503176f1e37fa6e9bab1daa4bbec6fb6fb3be4ec2e30427356969f3310b8bb898356f9e7f786e75c3ba07b9bc7afb9f0ac7a99adc12847de49b55c0d7960 WHIRLPOOL 65456ade1b773ebfe629ab0fb0045613b4d2f0f5c2d9ec20409170cba5011de46800bf1dd42a78334fe5166a2c8201e6505f3db904474cd4c28d1e88df0f9daf |
74 |
AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154 |
75 |
-AUX qemu-2.5.0-ne2000-reg-check.patch 1141 SHA256 b64fd5bfbd9c7b37b9003271e9902db4ea28b71095a51e161c7698e2f690183b SHA512 7f94ef8cb023224750abc5c2c7d515ccc6ce7f8b655a1454673ecc291193551b9ae00c248c609368a0cf143888ba2c3a5a929a4f9477e5efd27f92c45abc8722 WHIRLPOOL 43fec025a08e0aa0c14ab5ac11cd9aa49b03e52e3fcaacb6785ecd25aa531edfd04a5f8913330e27acf046f8cad2c57887e1a353779ee73ab8bb2dad65c446a7 |
76 |
AUX qemu-2.5.0-rng-stack-corrupt-0.patch 3125 SHA256 164b155db78a9291b9f8dea71a16b5779e1a9d382a8cb0f5ff380d1f2d811cef SHA512 7da544873dbefbbc7a2ed69bd7cca0053bfe71ef7f5c2faf12cb5dc6e07b8d9104e5bcf329b3355e886edc5805509623234c9fe8fb536544d6285b04ccc59919 WHIRLPOOL f076264ce4bae5be2f34e006e3e4dcc20042313cb6da4977b61529c3100e835952807738d53a86967f98abad68eba1c8dcbb6a04af162b048399e059b5eb9d6b |
77 |
AUX qemu-2.5.0-rng-stack-corrupt-1.patch 4110 SHA256 16966eb20072a5d16fec46e5959e32708342af9a7266fe4a90a0abaf68af3529 SHA512 530d6a5f9b6795013bbe197cf0a0d7eddfb06d18c0f8410bcf5bcc2d32c4b72c325b8b0ade2c517bd305fcbdab03124cc527d24d73ce767daf51de65d00920c8 WHIRLPOOL c0b653c67993c6c6ed282f0c86099c8c80a241f10e23ef3fd8e33c6d86fbb5553049550e83954cfc6d3576735c4ce28099f813917966c0a05c84bb46a6bee413 |
78 |
AUX qemu-2.5.0-rng-stack-corrupt-2.patch 4601 SHA256 c2b4e1ee8ee4bb2f4d42012a847c1da83a9e2349238d37bba1a3b9c440957f7f SHA512 ba299d07c7382f39f177f8094594daf131727d3d28633b426064f7cc6bf75d19b1ae78db248fc70ddbdb43fd2a6b0c5ed7793e6f42aba2763cdb4c12d6816c54 WHIRLPOOL 62b6ab75c32574a4c53193d82c7f51efdaa4789154c2d2f9acee7ede240d2920d92e31dfead7edc17aa12f938919143ce049d2c9ef9733baccc27d382506437f |
79 |
AUX qemu-2.5.0-rng-stack-corrupt-3.patch 5519 SHA256 5a3c2ed59bc30f395aee5cd0b77cdb06d868386e5bbe1b392169f8d96ae9474a SHA512 f62713130d3b989b274476a4cc2eafb95dc41de4723fe475e454132817a159eb729bbbe5a29aee755715100095670107c5762271184252e9d0cd43c4b25bc5d1 WHIRLPOOL f8e4aa90b90b03dd6e4dd68734cb16ee5f59a9585697ef3c48e7e861968798cb3c66018ad5a788f99b99e9fddab2ae83d977ec4b1a8599596a5ce03286726e3e |
80 |
AUX qemu-2.5.0-sysmacros.patch 333 SHA256 a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 WHIRLPOOL 2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73 |
81 |
-AUX qemu-2.5.0-usb-ehci-oob.patch 2014 SHA256 e0593f8a645dfca3115ea56d1b74d701f07c60d80eadf0bf68133e7539de345a SHA512 c02e0881bb85ffbf7d401b4ee5801692262cddaef9245dfcbf323f0f4d310394e1fbbf639f7a3d2d39ae428c09513adcb9be7fdcf49b7accf133d911dc0b702c WHIRLPOOL 992b2c6d3464a53174054f0d2dc6ec70eeb1e17128ee65c7986d9f5ec80e037bca9bd5bfb65c66bb9bf85f0b56a1a6d008ab4dbe35602d7deea9489add2e7c4b |
82 |
-AUX qemu-2.5.0-usb-ndis-int-overflow.patch 2404 SHA256 caa4ff5ab038e88b2b09f04f2a9528fc47d42d35fbd35bbd7907afd292ef66db SHA512 f87de0a9f161f14814fafc883bd557f8f007a53729dc3c36145dd19ea9c52eabb81f6ada4e4a7122a461c9bed6f524ea0b92f9182b77a4c7cf9c8ecfc217f8e0 WHIRLPOOL 6022a3e0b125beb85efa2b6c1edf5a94dce27bd299d247078d418cf6515c8fc0ca1d8032034ef427c3d4681cc3536900099391b623152b2609cab2f4f963d046 |
83 |
+AUX qemu-2.5.1-CVE-2015-8558.patch 3237 SHA256 3320c5624a33076b36f39566a4c3bbe5f95adae44207512d791175bcfc3959ff SHA512 c6ea0ca7d0ea221e9704001d26dae143861463ec45c7a543f041520874dd6e3a2d4bdb6d1eca25097f265aa2a1600858c9908b59cdd640007ab057cf7b86083f WHIRLPOOL 0c3c683a79f68ab3073a3b5e6afe2b6184d66254bd8278e131d5aa199ff51d52e5b186521ff8799345b1f1977afc112550e1a7d4b684b2a3267e9caddd0f1576 |
84 |
+AUX qemu-2.5.1-CVE-2016-4020.patch 567 SHA256 6c8e933593cfbedc98de81bf01e394d1ca1d016109fcc81e91f6472d2092b1a0 SHA512 90ac43329cbbcc0451470e010a1a1bd32ef8891c1f2d7d7e54e870e740c77ea8dfdec30989d586aaea250de6ca294504bf7e88818bf35e3269cf528ea3e50ce5 WHIRLPOOL 7ea7c7af1f2a3f11bc5bfe7b708021bbcb03c00d354a733c0fad14193110559cd1561939bd5bb6597a84bc01e74a914ef9dc51f28c522473b424919edc17cdb3 |
85 |
+AUX qemu-2.5.1-stellaris_enet-overflow.patch 1569 SHA256 5d20aef8139068eeb63c167856c8f0004e8761227d9bb1fd67240c4b922f704a SHA512 92c015af82eb92bf5f6f4d6fd86b402636a61f0ac9572cc2f002d4c795ce133f7858a38336fd5f4a25c7157dea969d288bb73f00d9a8b3b8f517ba2aea6e4ba8 WHIRLPOOL 94c49f8f78864ac3da247b569d2afc2ee0d801482a00117a7898fb396440118ef3bc54e1b61023496184f37404c893a1ef7725ce6ca9a27ca596cdf38e747603 |
86 |
+AUX qemu-2.5.1-xfs-linux-headers.patch 2634 SHA256 ca1eb8d4593d794541f375cb1425861e145aa036d440b9d29c4cb7b5102d018b SHA512 88b8a6178893e3354d90ad1a7cfc370fc05ffd2e3ea7c9cc8aeda9e129ea93d45838b5816afb46c0594886fbb129e3665a738f4c195183b843caedc0302530c0 WHIRLPOOL 193f1b89710ecbbb5b645a59ac6f3b7bad8191cc3228bad0427cb80c54e1b55d11d25abe1f59173b9669452f57a52f830d074bb106bdc3c05b6659826a4d561d |
87 |
AUX qemu-binfmt.initd-r1 6910 SHA256 2886c567589b958f450a87537cdb6c5bf95e8c1e4afbdf59139d16819e79d51d SHA512 09f399b6b559c6dd64d77843f600afad464909e72ae0924e97a5ef2eea55b3fb8abf6fbd57c380ec60e2f9d145ec365fd9a24c2e1b84cc6cef7070e4fb5bd72e WHIRLPOOL 983f6ae733c23c0049321184e1b6738ad5d27a70265945e6b47f3fb317ba3c84918b4929e728081549062fd0bf4a46c0a7e7184911355f3ac75963e1f8b70cd4 |
88 |
AUX qemu-kvm-1.4 68 SHA256 8b1adf198129f001e75a2311fc420c168094d1084d2163cdf6a32b3b23c96137 SHA512 706fab4d155c410acc292e67fb354ce7dcd17f7e33f2ca8c9c44035ea128f8d36f89e27cf87ebe22721f5676be9e7f2ae5484fd000183c8ffd7854e02eb3d120 WHIRLPOOL ef795330b592cef8e3d92f52a77eb77a671e6aa1a47d07531917b5c1c09e72e5df1a44aea939b086e0a3c5ef2a5cea9223556a46ceae73e55300475c42f07067 |
89 |
-DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef |
90 |
-EBUILD qemu-2.5.0-r999.ebuild 21699 SHA256 8ca42bbf30baa2271e0a1a7be920a06dba32f7c0b6c0ea50d3dd93d949d6522f SHA512 182ccb339259864276e7540b630dfb46e98058df978ffe7ad1a13df541f70f949a62ece46699cc2ba4c3311a24ccd609933733226bb660cc28c37a4f9608c755 WHIRLPOOL 462aa47e61ad570fc9d874145bbca1ab5b804b590f97a34c62f2640b774f380d105c7d2a61790c1c229b8613f8aa74e2d78f8e01dcdce336e202ce64b4172e2b |
91 |
+DIST qemu-2.5.1.tar.bz2 25464539 SHA256 028752c33bb786abbfe496ba57315dc5a7d0a33b5a7a767f6d7a29020c525d2c SHA512 66959ad6a2a89f23c5daba245c76f71ddc03a33a1167bca639a042ebbf7329b2e698cd2c0e65c22a9874563a34256a48386aa9df6475b06d38db74187e3e3b3f WHIRLPOOL 32525271574692d56b7794dc63606659f46e6ae19a56dee31b3cec33dab9c4eb74147a65db4940229492d8680f38c2d05bc2a8fbcb4b6887b0c1cbe5fbbe44cf |
92 |
+EBUILD qemu-2.5.1-r99.ebuild 21104 SHA256 92637c4d36984ff78616a2ca9a1952d453f035608357b2f212cddc4b98bed5de SHA512 0dd1b5d37448371604efb213894bfde17ab08d234affc675dc2474ba395e4b854071711304c30be4a405ed98d6cb2be7f107958487080cd8dbeb15fada2da9f8 WHIRLPOOL cc8ed2d2140b669da67d8a5f15b93651638848f77b853d11b7e235ba37b75d945076266798fff1ccf8d74ba16113cbead260b10e9c8aaed03c07fb5d9d1f1ce3 |
93 |
MISC metadata.xml 3925 SHA256 d1c219b7da0cbf77919cd1e055acbb3f6788a574fd802c98a43c89a411697b36 SHA512 3ff45d1c8ede12b4eedc7d01f39777b76a1cbd0ba9364299dec99d4b4a05cade5784d6f6e50197d5b5ae1f1b8e831c49da195eb53263c49b7d16aec8ee28b6e6 WHIRLPOOL bc25783fac0f3f13318834cc535404af9af20de16c7aeec222e59dc2ed7740ac5e767b329a5bcd6356d0cbae2428e278515f1446aa8ecb87a873bf4dbe04bf41 |
94 |
diff --git a/app-emulation/qemu/files/qemu-1.7.0-cflags.patch b/app-emulation/qemu/files/qemu-1.7.0-cflags.patch |
95 |
deleted file mode 100644 |
96 |
index cd003f6..0000000 |
97 |
--- a/app-emulation/qemu/files/qemu-1.7.0-cflags.patch |
98 |
+++ /dev/null |
99 |
@@ -1,11 +0,0 @@ |
100 |
---- a/configure |
101 |
-+++ b/configure |
102 |
-@@ -3131,8 +3131,6 @@ fi |
103 |
- if test "$gcov" = "yes" ; then |
104 |
- CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS" |
105 |
- LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS" |
106 |
--elif test "$debug" = "no" ; then |
107 |
-- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS" |
108 |
- fi |
109 |
- |
110 |
- |
111 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch |
112 |
deleted file mode 100644 |
113 |
index 0e27684..0000000 |
114 |
--- a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch |
115 |
+++ /dev/null |
116 |
@@ -1,34 +0,0 @@ |
117 |
-From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001 |
118 |
-From: Greg Kurz <gkurz@××××××××××××××.com> |
119 |
-Date: Wed, 23 Dec 2015 10:56:58 +0100 |
120 |
-Subject: [PATCH] virtio-9p: use accessor to get thread_pool |
121 |
- |
122 |
-The aio_context_new() function does not allocate a thread pool. This is |
123 |
-deferred to the first call to the aio_get_thread_pool() accessor. It is |
124 |
-hence forbidden to access the thread_pool field directly, as it may be |
125 |
-NULL. The accessor *must* be used always. |
126 |
- |
127 |
-Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e |
128 |
-Reviewed-by: Michael Tokarev <mjt@×××××××.ru> |
129 |
-Tested-by: Michael Tokarev <mjt@×××××××.ru> |
130 |
-Cc: qemu-stable@××××××.org |
131 |
-Signed-off-by: Greg Kurz <gkurz@××××××××××××××.com> |
132 |
---- |
133 |
- hw/9pfs/virtio-9p-coth.c | 2 +- |
134 |
- 1 file changed, 1 insertion(+), 1 deletion(-) |
135 |
- |
136 |
-diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c |
137 |
-index fb6e8f8..ab9425c 100644 |
138 |
---- a/hw/9pfs/virtio-9p-coth.c |
139 |
-+++ b/hw/9pfs/virtio-9p-coth.c |
140 |
-@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg) |
141 |
- void co_run_in_worker_bh(void *opaque) |
142 |
- { |
143 |
- Coroutine *co = opaque; |
144 |
-- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool, |
145 |
-+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()), |
146 |
- coroutine_enter_func, co, coroutine_enter_cb, co); |
147 |
- } |
148 |
--- |
149 |
-2.7.4 |
150 |
- |
151 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch |
152 |
deleted file mode 100644 |
153 |
index fbc6a0a..0000000 |
154 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch |
155 |
+++ /dev/null |
156 |
@@ -1,50 +0,0 @@ |
157 |
-https://bugs.gentoo.org/568246 |
158 |
- |
159 |
-From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001 |
160 |
-From: Gerd Hoffmann <kraxel@××××××.com> |
161 |
-Date: Mon, 14 Dec 2015 09:21:23 +0100 |
162 |
-Subject: [PATCH] ehci: make idt processing more robust |
163 |
- |
164 |
-Make ehci_process_itd return an error in case we didn't do any actual |
165 |
-iso transfer because we've found no active transaction. That'll avoid |
166 |
-ehci happily run in circles forever if the guest builds a loop out of |
167 |
-idts. |
168 |
- |
169 |
-This is CVE-2015-8558. |
170 |
- |
171 |
-Cc: qemu-stable@××××××.org |
172 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
173 |
-Tested-by: P J P <ppandit@××××××.com> |
174 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
175 |
---- |
176 |
- hw/usb/hcd-ehci.c | 5 +++-- |
177 |
- 1 file changed, 3 insertions(+), 2 deletions(-) |
178 |
- |
179 |
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c |
180 |
-index 4e2161b..d07f228 100644 |
181 |
---- a/hw/usb/hcd-ehci.c |
182 |
-+++ b/hw/usb/hcd-ehci.c |
183 |
-@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, |
184 |
- { |
185 |
- USBDevice *dev; |
186 |
- USBEndpoint *ep; |
187 |
-- uint32_t i, len, pid, dir, devaddr, endp; |
188 |
-+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; |
189 |
- uint32_t pg, off, ptr1, ptr2, max, mult; |
190 |
- |
191 |
- ehci->periodic_sched_active = PERIODIC_ACTIVE; |
192 |
-@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, |
193 |
- ehci_raise_irq(ehci, USBSTS_INT); |
194 |
- } |
195 |
- itd->transact[i] &= ~ITD_XACT_ACTIVE; |
196 |
-+ xfers++; |
197 |
- } |
198 |
- } |
199 |
-- return 0; |
200 |
-+ return xfers ? 0 : -1; |
201 |
- } |
202 |
- |
203 |
- |
204 |
--- |
205 |
-2.6.2 |
206 |
- |
207 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch |
208 |
deleted file mode 100644 |
209 |
index e196043..0000000 |
210 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch |
211 |
+++ /dev/null |
212 |
@@ -1,95 +0,0 @@ |
213 |
-https://bugs.gentoo.org/567868 |
214 |
- |
215 |
-From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001 |
216 |
-From: P J P <ppandit@××××××.com> |
217 |
-Date: Tue, 15 Dec 2015 12:27:54 +0530 |
218 |
-Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device |
219 |
- |
220 |
-Vmxnet3 device emulator does not check if the device is active |
221 |
-before activating it, also it did not free the transmit & receive |
222 |
-buffers while deactivating the device, thus resulting in memory |
223 |
-leakage on the host. This patch fixes both these issues to avoid |
224 |
-host memory leakage. |
225 |
- |
226 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
227 |
-Reviewed-by: Dmitry Fleytman <dmitry@××××××.com> |
228 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
229 |
-Cc: qemu-stable@××××××.org |
230 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
231 |
---- |
232 |
- hw/net/vmxnet3.c | 24 ++++++++++++++++-------- |
233 |
- 1 file changed, 16 insertions(+), 8 deletions(-) |
234 |
- |
235 |
-diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c |
236 |
-index a5dd79a..9c1adfc 100644 |
237 |
---- a/hw/net/vmxnet3.c |
238 |
-+++ b/hw/net/vmxnet3.c |
239 |
-@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) |
240 |
- |
241 |
- static void vmxnet3_deactivate_device(VMXNET3State *s) |
242 |
- { |
243 |
-- VMW_CBPRN("Deactivating vmxnet3..."); |
244 |
-- s->device_active = false; |
245 |
-+ if (s->device_active) { |
246 |
-+ VMW_CBPRN("Deactivating vmxnet3..."); |
247 |
-+ vmxnet_tx_pkt_reset(s->tx_pkt); |
248 |
-+ vmxnet_tx_pkt_uninit(s->tx_pkt); |
249 |
-+ vmxnet_rx_pkt_uninit(s->rx_pkt); |
250 |
-+ s->device_active = false; |
251 |
-+ } |
252 |
- } |
253 |
- |
254 |
- static void vmxnet3_reset(VMXNET3State *s) |
255 |
-@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) |
256 |
- |
257 |
- vmxnet3_deactivate_device(s); |
258 |
- vmxnet3_reset_interrupt_states(s); |
259 |
-- vmxnet_tx_pkt_reset(s->tx_pkt); |
260 |
- s->drv_shmem = 0; |
261 |
- s->tx_sop = true; |
262 |
- s->skip_current_tx_pkt = false; |
263 |
-@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) |
264 |
- return; |
265 |
- } |
266 |
- |
267 |
-+ /* Verify if device is active */ |
268 |
-+ if (s->device_active) { |
269 |
-+ VMW_CFPRN("Vmxnet3 device is active"); |
270 |
-+ return; |
271 |
-+ } |
272 |
-+ |
273 |
- vmxnet3_adjust_by_guest_type(s); |
274 |
- vmxnet3_update_features(s); |
275 |
- vmxnet3_update_pm_state(s); |
276 |
-@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) |
277 |
- break; |
278 |
- |
279 |
- case VMXNET3_CMD_QUIESCE_DEV: |
280 |
-- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); |
281 |
-+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); |
282 |
- vmxnet3_deactivate_device(s); |
283 |
- break; |
284 |
- |
285 |
-@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, |
286 |
- * shared address only after we get the high part |
287 |
- */ |
288 |
- if (val == 0) { |
289 |
-- s->device_active = false; |
290 |
-+ vmxnet3_deactivate_device(s); |
291 |
- } |
292 |
- s->temp_shared_guest_driver_memory = val; |
293 |
- s->drv_shmem = 0; |
294 |
-@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) |
295 |
- static void vmxnet3_net_uninit(VMXNET3State *s) |
296 |
- { |
297 |
- g_free(s->mcast_list); |
298 |
-- vmxnet_tx_pkt_reset(s->tx_pkt); |
299 |
-- vmxnet_tx_pkt_uninit(s->tx_pkt); |
300 |
-- vmxnet_rx_pkt_uninit(s->rx_pkt); |
301 |
-+ vmxnet3_deactivate_device(s); |
302 |
- qemu_del_nic(s->nic); |
303 |
- } |
304 |
- |
305 |
--- |
306 |
-2.6.2 |
307 |
- |
308 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch |
309 |
deleted file mode 100644 |
310 |
index 61a52ee..0000000 |
311 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch |
312 |
+++ /dev/null |
313 |
@@ -1,35 +0,0 @@ |
314 |
-From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001 |
315 |
-From: P J P <ppandit@××××××.com> |
316 |
-Date: Mon, 21 Dec 2015 15:13:13 +0530 |
317 |
-Subject: [PATCH] scsi: initialise info object with appropriate size |
318 |
- |
319 |
-While processing controller 'CTRL_GET_INFO' command, the routine |
320 |
-'megasas_ctrl_get_info' overflows the '&info' object size. Use its |
321 |
-appropriate size to null initialise it. |
322 |
- |
323 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
324 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
325 |
-Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva> |
326 |
-Cc: qemu-stable@××××××.org |
327 |
-Signed-off-by: Paolo Bonzini <pbonzini@××××××.com> |
328 |
-Signed-off-by: P J P <ppandit@××××××.com> |
329 |
---- |
330 |
- hw/scsi/megasas.c | 2 +- |
331 |
- 1 file changed, 1 insertion(+), 1 deletion(-) |
332 |
- |
333 |
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c |
334 |
-index d7dc667..576f56c 100644 |
335 |
---- a/hw/scsi/megasas.c |
336 |
-+++ b/hw/scsi/megasas.c |
337 |
-@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) |
338 |
- BusChild *kid; |
339 |
- int num_pd_disks = 0; |
340 |
- |
341 |
-- memset(&info, 0x0, cmd->iov_size); |
342 |
-+ memset(&info, 0x0, dcmd_size); |
343 |
- if (cmd->iov_size < dcmd_size) { |
344 |
- trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, |
345 |
- dcmd_size); |
346 |
--- |
347 |
-2.7.4 |
348 |
- |
349 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch |
350 |
deleted file mode 100644 |
351 |
index be67336..0000000 |
352 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch |
353 |
+++ /dev/null |
354 |
@@ -1,121 +0,0 @@ |
355 |
-From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001 |
356 |
-From: Wolfgang Bumiller <w.bumiller@×××××××.com> |
357 |
-Date: Wed, 13 Jan 2016 09:09:58 +0100 |
358 |
-Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) |
359 |
- |
360 |
-When processing 'sendkey' command, hmp_sendkey routine null |
361 |
-terminates the 'keyname_buf' array. This results in an OOB |
362 |
-write issue, if 'keyname_len' was to fall outside of |
363 |
-'keyname_buf' array. |
364 |
- |
365 |
-Since the keyname's length is known the keyname_buf can be |
366 |
-removed altogether by adding a length parameter to |
367 |
-index_from_key() and using it for the error output as well. |
368 |
- |
369 |
-Reported-by: Ling Liu <liuling-it@×××.cn> |
370 |
-Signed-off-by: Wolfgang Bumiller <w.bumiller@×××××××.com> |
371 |
-Message-Id: <20160113080958.GA18934@olga> |
372 |
-[Comparison with "<" dumbed down, test for junk after strtoul() |
373 |
-tweaked] |
374 |
-Signed-off-by: Markus Armbruster <armbru@××××××.com> |
375 |
---- |
376 |
- hmp.c | 18 ++++++++---------- |
377 |
- include/ui/console.h | 2 +- |
378 |
- ui/input-legacy.c | 5 +++-- |
379 |
- 3 files changed, 12 insertions(+), 13 deletions(-) |
380 |
- |
381 |
-diff --git a/hmp.c b/hmp.c |
382 |
-index 54f2620..9c571f5 100644 |
383 |
---- a/hmp.c |
384 |
-+++ b/hmp.c |
385 |
-@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) |
386 |
- int has_hold_time = qdict_haskey(qdict, "hold-time"); |
387 |
- int hold_time = qdict_get_try_int(qdict, "hold-time", -1); |
388 |
- Error *err = NULL; |
389 |
-- char keyname_buf[16]; |
390 |
- char *separator; |
391 |
- int keyname_len; |
392 |
- |
393 |
- while (1) { |
394 |
- separator = strchr(keys, '-'); |
395 |
- keyname_len = separator ? separator - keys : strlen(keys); |
396 |
-- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); |
397 |
- |
398 |
- /* Be compatible with old interface, convert user inputted "<" */ |
399 |
-- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { |
400 |
-- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); |
401 |
-+ if (keys[0] == '<' && keyname_len == 1) { |
402 |
-+ keys = "less"; |
403 |
- keyname_len = 4; |
404 |
- } |
405 |
-- keyname_buf[keyname_len] = 0; |
406 |
- |
407 |
- keylist = g_malloc0(sizeof(*keylist)); |
408 |
- keylist->value = g_malloc0(sizeof(*keylist->value)); |
409 |
-@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) |
410 |
- } |
411 |
- tmp = keylist; |
412 |
- |
413 |
-- if (strstart(keyname_buf, "0x", NULL)) { |
414 |
-+ if (strstart(keys, "0x", NULL)) { |
415 |
- char *endp; |
416 |
-- int value = strtoul(keyname_buf, &endp, 0); |
417 |
-- if (*endp != '\0') { |
418 |
-+ int value = strtoul(keys, &endp, 0); |
419 |
-+ assert(endp <= keys + keyname_len); |
420 |
-+ if (endp != keys + keyname_len) { |
421 |
- goto err_out; |
422 |
- } |
423 |
- keylist->value->type = KEY_VALUE_KIND_NUMBER; |
424 |
- keylist->value->u.number = value; |
425 |
- } else { |
426 |
-- int idx = index_from_key(keyname_buf); |
427 |
-+ int idx = index_from_key(keys, keyname_len); |
428 |
- if (idx == Q_KEY_CODE_MAX) { |
429 |
- goto err_out; |
430 |
- } |
431 |
-@@ -1789,7 +1787,7 @@ out: |
432 |
- return; |
433 |
- |
434 |
- err_out: |
435 |
-- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); |
436 |
-+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); |
437 |
- goto out; |
438 |
- } |
439 |
- |
440 |
-diff --git a/include/ui/console.h b/include/ui/console.h |
441 |
-index adac36d..116bc2b 100644 |
442 |
---- a/include/ui/console.h |
443 |
-+++ b/include/ui/console.h |
444 |
-@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires) |
445 |
- void curses_display_init(DisplayState *ds, int full_screen); |
446 |
- |
447 |
- /* input.c */ |
448 |
--int index_from_key(const char *key); |
449 |
-+int index_from_key(const char *key, size_t key_length); |
450 |
- |
451 |
- /* gtk.c */ |
452 |
- void early_gtk_display_init(int opengl); |
453 |
-diff --git a/ui/input-legacy.c b/ui/input-legacy.c |
454 |
-index 35dfc27..3454055 100644 |
455 |
---- a/ui/input-legacy.c |
456 |
-+++ b/ui/input-legacy.c |
457 |
-@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { |
458 |
- static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = |
459 |
- QTAILQ_HEAD_INITIALIZER(led_handlers); |
460 |
- |
461 |
--int index_from_key(const char *key) |
462 |
-+int index_from_key(const char *key, size_t key_length) |
463 |
- { |
464 |
- int i; |
465 |
- |
466 |
- for (i = 0; QKeyCode_lookup[i] != NULL; i++) { |
467 |
-- if (!strcmp(key, QKeyCode_lookup[i])) { |
468 |
-+ if (!strncmp(key, QKeyCode_lookup[i], key_length) && |
469 |
-+ !QKeyCode_lookup[i][key_length]) { |
470 |
- break; |
471 |
- } |
472 |
- } |
473 |
--- |
474 |
-2.7.4 |
475 |
- |
476 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch |
477 |
deleted file mode 100644 |
478 |
index 0dab1c3..0000000 |
479 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch |
480 |
+++ /dev/null |
481 |
@@ -1,49 +0,0 @@ |
482 |
-https://bugs.gentoo.org/570110 |
483 |
- |
484 |
-From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001 |
485 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
486 |
-Date: Mon, 28 Dec 2015 16:24:08 +0530 |
487 |
-Subject: [PATCH] net: rocker: fix an incorrect array bounds check |
488 |
- |
489 |
-While processing transmit(tx) descriptors in 'tx_consume' routine |
490 |
-the switch emulator suffers from an off-by-one error, if a |
491 |
-descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) |
492 |
-fragments. Fix an incorrect bounds check to avoid it. |
493 |
- |
494 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
495 |
-Cc: qemu-stable@××××××.org |
496 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
497 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
498 |
---- |
499 |
- hw/net/rocker/rocker.c | 8 ++++---- |
500 |
- 1 file changed, 4 insertions(+), 4 deletions(-) |
501 |
- |
502 |
-diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c |
503 |
-index c57f1a6..2e77e50 100644 |
504 |
---- a/hw/net/rocker/rocker.c |
505 |
-+++ b/hw/net/rocker/rocker.c |
506 |
-@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) |
507 |
- frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); |
508 |
- frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); |
509 |
- |
510 |
-+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { |
511 |
-+ goto err_too_many_frags; |
512 |
-+ } |
513 |
- iov[iovcnt].iov_len = frag_len; |
514 |
- iov[iovcnt].iov_base = g_malloc(frag_len); |
515 |
- if (!iov[iovcnt].iov_base) { |
516 |
-@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) |
517 |
- err = -ROCKER_ENXIO; |
518 |
- goto err_bad_io; |
519 |
- } |
520 |
-- |
521 |
-- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { |
522 |
-- goto err_too_many_frags; |
523 |
-- } |
524 |
-+ iovcnt++; |
525 |
- } |
526 |
- |
527 |
- if (iovcnt) { |
528 |
--- |
529 |
-2.6.2 |
530 |
- |
531 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch |
532 |
deleted file mode 100644 |
533 |
index b2bca56..0000000 |
534 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch |
535 |
+++ /dev/null |
536 |
@@ -1,50 +0,0 @@ |
537 |
-https://bugs.gentoo.org/570988 |
538 |
- |
539 |
-From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001 |
540 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
541 |
-Date: Thu, 31 Dec 2015 17:05:27 +0530 |
542 |
-Subject: [PATCH] net: ne2000: fix bounds check in ioport operations |
543 |
- |
544 |
-While doing ioport r/w operations, ne2000 device emulation suffers |
545 |
-from OOB r/w errors. Update respective array bounds check to avoid |
546 |
-OOB access. |
547 |
- |
548 |
-Reported-by: Ling Liu <liuling-it@×××.cn> |
549 |
-Cc: qemu-stable@××××××.org |
550 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
551 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
552 |
---- |
553 |
- hw/net/ne2000.c | 10 ++++++---- |
554 |
- 1 file changed, 6 insertions(+), 4 deletions(-) |
555 |
- |
556 |
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c |
557 |
-index 010f9ef..a3dffff 100644 |
558 |
---- a/hw/net/ne2000.c |
559 |
-+++ b/hw/net/ne2000.c |
560 |
-@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, |
561 |
- uint32_t val) |
562 |
- { |
563 |
- addr &= ~1; /* XXX: check exact behaviour if not even */ |
564 |
-- if (addr < 32 || |
565 |
-- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { |
566 |
-+ if (addr < 32 |
567 |
-+ || (addr >= NE2000_PMEM_START |
568 |
-+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { |
569 |
- stl_le_p(s->mem + addr, val); |
570 |
- } |
571 |
- } |
572 |
-@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) |
573 |
- static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) |
574 |
- { |
575 |
- addr &= ~1; /* XXX: check exact behaviour if not even */ |
576 |
-- if (addr < 32 || |
577 |
-- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { |
578 |
-+ if (addr < 32 |
579 |
-+ || (addr >= NE2000_PMEM_START |
580 |
-+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { |
581 |
- return ldl_le_p(s->mem + addr); |
582 |
- } else { |
583 |
- return 0xffffffff; |
584 |
--- |
585 |
-2.6.2 |
586 |
- |
587 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch |
588 |
deleted file mode 100644 |
589 |
index 4ce9a35..0000000 |
590 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch |
591 |
+++ /dev/null |
592 |
@@ -1,41 +0,0 @@ |
593 |
-https://bugs.gentoo.org/571566 |
594 |
- |
595 |
-From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 |
596 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
597 |
-Date: Mon, 11 Jan 2016 14:10:42 -0500 |
598 |
-Subject: [PATCH] ide: ahci: reset ncq object to unused on error |
599 |
- |
600 |
-When processing NCQ commands, AHCI device emulation prepares a |
601 |
-NCQ transfer object; To which an aio control block(aiocb) object |
602 |
-is assigned in 'execute_ncq_command'. In case, when the NCQ |
603 |
-command is invalid, the 'aiocb' object is not assigned, and NCQ |
604 |
-transfer object is left as 'used'. This leads to a use after |
605 |
-free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. |
606 |
-Reset NCQ transfer object to 'unused' to avoid it. |
607 |
- |
608 |
-[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] |
609 |
- |
610 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
611 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
612 |
-Reviewed-by: John Snow <jsnow@××××××.com> |
613 |
-Message-id: 1452282511-4116-1-git-send-email-ppandit@××××××.com |
614 |
-Signed-off-by: John Snow <jsnow@××××××.com> |
615 |
---- |
616 |
- hw/ide/ahci.c | 1 + |
617 |
- 1 file changed, 1 insertion(+) |
618 |
- |
619 |
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c |
620 |
-index dd1912e..17f1cbd 100644 |
621 |
---- a/hw/ide/ahci.c |
622 |
-+++ b/hw/ide/ahci.c |
623 |
-@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) |
624 |
- ide_state->error = ABRT_ERR; |
625 |
- ide_state->status = READY_STAT | ERR_STAT; |
626 |
- ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); |
627 |
-+ ncq_tfs->used = 0; |
628 |
- } |
629 |
- |
630 |
- static void ncq_finish(NCQTransferState *ncq_tfs) |
631 |
--- |
632 |
-2.6.2 |
633 |
- |
634 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch |
635 |
deleted file mode 100644 |
636 |
index 917fa2f..0000000 |
637 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch |
638 |
+++ /dev/null |
639 |
@@ -1,58 +0,0 @@ |
640 |
-From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 |
641 |
-From: "Gabriel L. Somlo" <somlo@×××.edu> |
642 |
-Date: Thu, 5 Nov 2015 09:32:50 -0500 |
643 |
-Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer |
644 |
-MIME-Version: 1.0 |
645 |
-Content-Type: text/plain; charset=UTF-8 |
646 |
-Content-Transfer-Encoding: 8bit |
647 |
- |
648 |
-When calculating a pointer to the currently selected fw_cfg item, the |
649 |
-following is used: |
650 |
- |
651 |
- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
652 |
- |
653 |
-When s->cur_entry is FW_CFG_INVALID, we are calculating the address of |
654 |
-a non-existent element in s->entries[arch][...], which is undefined. |
655 |
- |
656 |
-This patch ensures the resulting entry pointer is set to NULL whenever |
657 |
-s->cur_entry is FW_CFG_INVALID. |
658 |
- |
659 |
-Reported-by: Laszlo Ersek <lersek@××××××.com> |
660 |
-Reviewed-by: Laszlo Ersek <lersek@××××××.com> |
661 |
-Signed-off-by: Gabriel Somlo <somlo@×××.edu> |
662 |
-Message-id: 1446733972-1602-5-git-send-email-somlo@×××.edu |
663 |
-Cc: Marc Marí <markmb@××××××.com> |
664 |
-Signed-off-by: Gabriel Somlo <somlo@×××.edu> |
665 |
-Reviewed-by: Laszlo Ersek <lersek@××××××.com> |
666 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
667 |
---- |
668 |
- hw/nvram/fw_cfg.c | 6 ++++-- |
669 |
- 1 file changed, 4 insertions(+), 2 deletions(-) |
670 |
- |
671 |
-diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c |
672 |
-index c2d3a0a..046fa74 100644 |
673 |
---- a/hw/nvram/fw_cfg.c |
674 |
-+++ b/hw/nvram/fw_cfg.c |
675 |
-@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) |
676 |
- static uint8_t fw_cfg_read(FWCfgState *s) |
677 |
- { |
678 |
- int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); |
679 |
-- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
680 |
-+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : |
681 |
-+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
682 |
- uint8_t ret; |
683 |
- |
684 |
- if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) |
685 |
-@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) |
686 |
- } |
687 |
- |
688 |
- arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); |
689 |
-- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
690 |
-+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : |
691 |
-+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; |
692 |
- |
693 |
- if (dma.control & FW_CFG_DMA_CTL_READ) { |
694 |
- read = 1; |
695 |
--- |
696 |
-2.7.4 |
697 |
- |
698 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch |
699 |
deleted file mode 100644 |
700 |
index 23c2341..0000000 |
701 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch |
702 |
+++ /dev/null |
703 |
@@ -1,65 +0,0 @@ |
704 |
-From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001 |
705 |
-From: P J P <ppandit@××××××.com> |
706 |
-Date: Fri, 18 Dec 2015 11:35:07 +0530 |
707 |
-Subject: [PATCH] i386: avoid null pointer dereference |
708 |
- |
709 |
- Hello, |
710 |
- |
711 |
-A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It |
712 |
-occurs while doing I/O port write operations via hmp interface. In that, |
713 |
-'current_cpu' remains null as it is not called from cpu_exec loop, which |
714 |
-results in the said issue. |
715 |
- |
716 |
-Below is a proposed (tested)patch to fix this issue; Does it look okay? |
717 |
- |
718 |
-=== |
719 |
-From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 |
720 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
721 |
-Date: Fri, 18 Dec 2015 11:16:07 +0530 |
722 |
-Subject: [PATCH] i386: avoid null pointer dereference |
723 |
- |
724 |
-When I/O port write operation is called from hmp interface, |
725 |
-'current_cpu' remains null, as it is not called from cpu_exec() |
726 |
-loop. This leads to a null pointer dereference in vapic_write |
727 |
-routine. Add check to avoid it. |
728 |
- |
729 |
-Reported-by: Ling Liu <liuling-it@×××.cn> |
730 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
731 |
-Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva> |
732 |
-Signed-off-by: Paolo Bonzini <pbonzini@××××××.com> |
733 |
-Signed-off-by: P J P <ppandit@××××××.com> |
734 |
---- |
735 |
- hw/i386/kvmvapic.c | 15 ++++++++++----- |
736 |
- 1 file changed, 10 insertions(+), 5 deletions(-) |
737 |
- |
738 |
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c |
739 |
-index c6d34b2..f0922da 100644 |
740 |
---- a/hw/i386/kvmvapic.c |
741 |
-+++ b/hw/i386/kvmvapic.c |
742 |
-@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) |
743 |
- static void vapic_write(void *opaque, hwaddr addr, uint64_t data, |
744 |
- unsigned int size) |
745 |
- { |
746 |
-- CPUState *cs = current_cpu; |
747 |
-- X86CPU *cpu = X86_CPU(cs); |
748 |
-- CPUX86State *env = &cpu->env; |
749 |
-- hwaddr rom_paddr; |
750 |
- VAPICROMState *s = opaque; |
751 |
-+ X86CPU *cpu; |
752 |
-+ CPUX86State *env; |
753 |
-+ hwaddr rom_paddr; |
754 |
- |
755 |
-- cpu_synchronize_state(cs); |
756 |
-+ if (!current_cpu) { |
757 |
-+ return; |
758 |
-+ } |
759 |
-+ |
760 |
-+ cpu_synchronize_state(current_cpu); |
761 |
-+ cpu = X86_CPU(current_cpu); |
762 |
-+ env = &cpu->env; |
763 |
- |
764 |
- /* |
765 |
- * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. |
766 |
--- |
767 |
-2.7.4 |
768 |
- |
769 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch |
770 |
deleted file mode 100644 |
771 |
index 2922193..0000000 |
772 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch |
773 |
+++ /dev/null |
774 |
@@ -1,98 +0,0 @@ |
775 |
-From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001 |
776 |
-From: Laszlo Ersek <lersek@××××××.com> |
777 |
-Date: Tue, 19 Jan 2016 14:17:20 +0100 |
778 |
-Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer |
779 |
- start |
780 |
- |
781 |
-The start_xmit() and e1000_receive_iov() functions implement DMA transfers |
782 |
-iterating over a set of descriptors that the guest's e1000 driver |
783 |
-prepares: |
784 |
- |
785 |
-- the TDLEN and RDLEN registers store the total size of the descriptor |
786 |
- area, |
787 |
- |
788 |
-- while the TDH and RDH registers store the offset (in whole tx / rx |
789 |
- descriptors) into the area where the transfer is supposed to start. |
790 |
- |
791 |
-Each time a descriptor is processed, the TDH and RDH register is bumped |
792 |
-(as appropriate for the transfer direction). |
793 |
- |
794 |
-QEMU already contains logic to deal with bogus transfers submitted by the |
795 |
-guest: |
796 |
- |
797 |
-- Normally, the transmit case wants to increase TDH from its initial value |
798 |
- to TDT. (TDT is allowed to be numerically smaller than the initial TDH |
799 |
- value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe |
800 |
- that QEMU currently has here is a check against reaching the original |
801 |
- TDH value again -- a complete wraparound, which should never happen. |
802 |
- |
803 |
-- In the receive case RDH is increased from its initial value until |
804 |
- "total_size" bytes have been received; preferably in a single step, or |
805 |
- in "s->rxbuf_size" byte steps, if the latter is smaller. However, null |
806 |
- RX descriptors are skipped without receiving data, while RDH is |
807 |
- incremented just the same. QEMU tries to prevent an infinite loop |
808 |
- (processing only null RX descriptors) by detecting whether RDH assumes |
809 |
- its original value during the loop. (Again, wrapping from RDLEN to 0 is |
810 |
- normal.) |
811 |
- |
812 |
-What both directions miss is that the guest could program TDLEN and RDLEN |
813 |
-so low, and the initial TDH and RDH so high, that these registers will |
814 |
-immediately be truncated to zero, and then never reassume their initial |
815 |
-values in the loop -- a full wraparound will never occur. |
816 |
- |
817 |
-The condition that expresses this is: |
818 |
- |
819 |
- xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) |
820 |
- |
821 |
-i.e., TDH or RDH start out after the last whole rx or tx descriptor that |
822 |
-fits into the TDLEN or RDLEN sized area. |
823 |
- |
824 |
-This condition could be checked before we enter the loops, but |
825 |
-pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for |
826 |
-bogus DMA addresses, so we just extend the existing failsafes with the |
827 |
-above condition. |
828 |
- |
829 |
-This is CVE-2016-1981. |
830 |
- |
831 |
-Cc: "Michael S. Tsirkin" <mst@××××××.com> |
832 |
-Cc: Petr Matousek <pmatouse@××××××.com> |
833 |
-Cc: Stefano Stabellini <stefano.stabellini@×××××××××.com> |
834 |
-Cc: Prasad Pandit <ppandit@××××××.com> |
835 |
-Cc: Michael Roth <mdroth@××××××××××××××.com> |
836 |
-Cc: Jason Wang <jasowang@××××××.com> |
837 |
-Cc: qemu-stable@××××××.org |
838 |
-RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 |
839 |
-Signed-off-by: Laszlo Ersek <lersek@××××××.com> |
840 |
-Reviewed-by: Jason Wang <jasowang@××××××.com> |
841 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
842 |
---- |
843 |
- hw/net/e1000.c | 6 ++++-- |
844 |
- 1 file changed, 4 insertions(+), 2 deletions(-) |
845 |
- |
846 |
-diff --git a/hw/net/e1000.c b/hw/net/e1000.c |
847 |
-index 4eda7a3..0387fa0 100644 |
848 |
---- a/hw/net/e1000.c |
849 |
-+++ b/hw/net/e1000.c |
850 |
-@@ -909,7 +909,8 @@ start_xmit(E1000State *s) |
851 |
- * bogus values to TDT/TDLEN. |
852 |
- * there's nothing too intelligent we could do about this. |
853 |
- */ |
854 |
-- if (s->mac_reg[TDH] == tdh_start) { |
855 |
-+ if (s->mac_reg[TDH] == tdh_start || |
856 |
-+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { |
857 |
- DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", |
858 |
- tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); |
859 |
- break; |
860 |
-@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) |
861 |
- if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) |
862 |
- s->mac_reg[RDH] = 0; |
863 |
- /* see comment in start_xmit; same here */ |
864 |
-- if (s->mac_reg[RDH] == rdh_start) { |
865 |
-+ if (s->mac_reg[RDH] == rdh_start || |
866 |
-+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { |
867 |
- DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", |
868 |
- rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); |
869 |
- set_ics(s, 0, E1000_ICS_RXO); |
870 |
--- |
871 |
-2.7.4 |
872 |
- |
873 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch |
874 |
deleted file mode 100644 |
875 |
index 0ab7b02..0000000 |
876 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch |
877 |
+++ /dev/null |
878 |
@@ -1,43 +0,0 @@ |
879 |
-From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001 |
880 |
-From: John Snow <jsnow@××××××.com> |
881 |
-Date: Wed, 10 Feb 2016 13:29:40 -0500 |
882 |
-Subject: [PATCH] ahci: Do not unmap NULL addresses |
883 |
- |
884 |
-Definitely don't try to unmap a garbage address. |
885 |
- |
886 |
-Reported-by: Zuozhi fzz <zuozhi.fzz@×××××××××××.com> |
887 |
-Signed-off-by: John Snow <jsnow@××××××.com> |
888 |
-Message-id: 1454103689-13042-2-git-send-email-jsnow@××××××.com |
889 |
---- |
890 |
- hw/ide/ahci.c | 8 ++++++++ |
891 |
- 1 file changed, 8 insertions(+) |
892 |
- |
893 |
-diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c |
894 |
-index 7e87b18..3a95dad 100644 |
895 |
---- a/hw/ide/ahci.c |
896 |
-+++ b/hw/ide/ahci.c |
897 |
-@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad) |
898 |
- |
899 |
- static void ahci_unmap_fis_address(AHCIDevice *ad) |
900 |
- { |
901 |
-+ if (ad->res_fis == NULL) { |
902 |
-+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n"); |
903 |
-+ return; |
904 |
-+ } |
905 |
- dma_memory_unmap(ad->hba->as, ad->res_fis, 256, |
906 |
- DMA_DIRECTION_FROM_DEVICE, 256); |
907 |
- ad->res_fis = NULL; |
908 |
-@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad) |
909 |
- |
910 |
- static void ahci_unmap_clb_address(AHCIDevice *ad) |
911 |
- { |
912 |
-+ if (ad->lst == NULL) { |
913 |
-+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n"); |
914 |
-+ return; |
915 |
-+ } |
916 |
- dma_memory_unmap(ad->hba->as, ad->lst, 1024, |
917 |
- DMA_DIRECTION_FROM_DEVICE, 1024); |
918 |
- ad->lst = NULL; |
919 |
--- |
920 |
-2.7.4 |
921 |
- |
922 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch |
923 |
deleted file mode 100644 |
924 |
index e7aa5ca..0000000 |
925 |
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch |
926 |
+++ /dev/null |
927 |
@@ -1,35 +0,0 @@ |
928 |
-From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 |
929 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
930 |
-Date: Thu, 11 Feb 2016 16:31:20 +0530 |
931 |
-Subject: [PATCH] usb: check USB configuration descriptor object |
932 |
- |
933 |
-When processing remote NDIS control message packets, the USB Net |
934 |
-device emulator checks to see if the USB configuration descriptor |
935 |
-object is of RNDIS type(2). But it does not check if it is null, |
936 |
-which leads to a null dereference error. Add check to avoid it. |
937 |
- |
938 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
939 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
940 |
-Message-id: 1455188480-14688-1-git-send-email-ppandit@××××××.com |
941 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
942 |
---- |
943 |
- hw/usb/dev-network.c | 3 ++- |
944 |
- 1 file changed, 2 insertions(+), 1 deletion(-) |
945 |
- |
946 |
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c |
947 |
-index 985a629..5dc4538 100644 |
948 |
---- a/hw/usb/dev-network.c |
949 |
-+++ b/hw/usb/dev-network.c |
950 |
-@@ -654,7 +654,8 @@ typedef struct USBNetState { |
951 |
- |
952 |
- static int is_rndis(USBNetState *s) |
953 |
- { |
954 |
-- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; |
955 |
-+ return s->dev.config ? |
956 |
-+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; |
957 |
- } |
958 |
- |
959 |
- static int ndis_query(USBNetState *s, uint32_t oid, |
960 |
--- |
961 |
-2.7.4 |
962 |
- |
963 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch |
964 |
deleted file mode 100644 |
965 |
index 2874b75..0000000 |
966 |
--- a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch |
967 |
+++ /dev/null |
968 |
@@ -1,37 +0,0 @@ |
969 |
-From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001 |
970 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
971 |
-Date: Wed, 24 Feb 2016 11:41:33 +0530 |
972 |
-Subject: [PATCH] net: ne2000: check ring buffer control registers |
973 |
- |
974 |
-Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) |
975 |
-bytes to process network packets. Registers PSTART & PSTOP |
976 |
-define ring buffer size & location. Setting these registers |
977 |
-to invalid values could lead to infinite loop or OOB r/w |
978 |
-access issues. Add check to avoid it. |
979 |
- |
980 |
-Reported-by: Yang Hongke <yanghongke@××××××.com> |
981 |
-Tested-by: Yang Hongke <yanghongke@××××××.com> |
982 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
983 |
-Signed-off-by: Jason Wang <jasowang@××××××.com> |
984 |
---- |
985 |
- hw/net/ne2000.c | 4 ++++ |
986 |
- 1 file changed, 4 insertions(+) |
987 |
- |
988 |
-diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c |
989 |
-index e408083..f0feaf9 100644 |
990 |
---- a/hw/net/ne2000.c |
991 |
-+++ b/hw/net/ne2000.c |
992 |
-@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s) |
993 |
- { |
994 |
- int avail, index, boundary; |
995 |
- |
996 |
-+ if (s->stop <= s->start) { |
997 |
-+ return 1; |
998 |
-+ } |
999 |
-+ |
1000 |
- index = s->curpag << 8; |
1001 |
- boundary = s->boundary << 8; |
1002 |
- if (index < boundary) |
1003 |
--- |
1004 |
-2.7.4 |
1005 |
- |
1006 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch |
1007 |
deleted file mode 100644 |
1008 |
index 2ddca3e..0000000 |
1009 |
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch |
1010 |
+++ /dev/null |
1011 |
@@ -1,52 +0,0 @@ |
1012 |
-From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001 |
1013 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
1014 |
-Date: Wed, 20 Jan 2016 01:26:46 +0530 |
1015 |
-Subject: [PATCH] usb: check page select value while processing iTD |
1016 |
- |
1017 |
-While processing isochronous transfer descriptors(iTD), the page |
1018 |
-select(PG) field value could lead to an OOB read access. Add |
1019 |
-check to avoid it. |
1020 |
- |
1021 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
1022 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
1023 |
-Message-id: 1453233406-12165-1-git-send-email-ppandit@××××××.com |
1024 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
1025 |
---- |
1026 |
- hw/usb/hcd-ehci.c | 10 ++++++---- |
1027 |
- 1 file changed, 6 insertions(+), 4 deletions(-) |
1028 |
- |
1029 |
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c |
1030 |
-index ab00268..93601d9 100644 |
1031 |
---- a/hw/usb/hcd-ehci.c |
1032 |
-+++ b/hw/usb/hcd-ehci.c |
1033 |
-@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci, |
1034 |
- if (itd->transact[i] & ITD_XACT_ACTIVE) { |
1035 |
- pg = get_field(itd->transact[i], ITD_XACT_PGSEL); |
1036 |
- off = itd->transact[i] & ITD_XACT_OFFSET_MASK; |
1037 |
-- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); |
1038 |
-- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK); |
1039 |
- len = get_field(itd->transact[i], ITD_XACT_LENGTH); |
1040 |
- |
1041 |
- if (len > max * mult) { |
1042 |
- len = max * mult; |
1043 |
- } |
1044 |
-- |
1045 |
-- if (len > BUFF_SIZE) { |
1046 |
-+ if (len > BUFF_SIZE || pg > 6) { |
1047 |
- return -1; |
1048 |
- } |
1049 |
- |
1050 |
-+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); |
1051 |
- qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); |
1052 |
- if (off + len > 4096) { |
1053 |
- /* transfer crosses page border */ |
1054 |
-+ if (pg == 6) { |
1055 |
-+ return -1; /* avoid page pg + 1 */ |
1056 |
-+ } |
1057 |
-+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); |
1058 |
- uint32_t len2 = off + len - 4096; |
1059 |
- uint32_t len1 = len - len2; |
1060 |
- qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); |
1061 |
--- |
1062 |
-2.7.4 |
1063 |
- |
1064 |
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch |
1065 |
deleted file mode 100644 |
1066 |
index da643fd..0000000 |
1067 |
--- a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch |
1068 |
+++ /dev/null |
1069 |
@@ -1,59 +0,0 @@ |
1070 |
-From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 |
1071 |
-From: Prasad J Pandit <pjp@×××××××××××××.org> |
1072 |
-Date: Wed, 17 Feb 2016 00:23:41 +0530 |
1073 |
-Subject: [PATCH] usb: check RNDIS buffer offsets & length |
1074 |
- |
1075 |
-When processing remote NDIS control message packets, |
1076 |
-the USB Net device emulator uses a fixed length(4096) data buffer. |
1077 |
-The incoming informationBufferOffset & Length combination could |
1078 |
-overflow and cross that range. Check control message buffer |
1079 |
-offsets and length to avoid it. |
1080 |
- |
1081 |
-Reported-by: Qinghao Tang <luodalongde@×××××.com> |
1082 |
-Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
1083 |
-Message-id: 1455648821-17340-3-git-send-email-ppandit@××××××.com |
1084 |
-Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
1085 |
---- |
1086 |
- hw/usb/dev-network.c | 9 ++++++--- |
1087 |
- 1 file changed, 6 insertions(+), 3 deletions(-) |
1088 |
- |
1089 |
-diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c |
1090 |
-index 5dc4538..c6abd38 100644 |
1091 |
---- a/hw/usb/dev-network.c |
1092 |
-+++ b/hw/usb/dev-network.c |
1093 |
-@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s, |
1094 |
- |
1095 |
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; |
1096 |
- buflen = le32_to_cpu(buf->InformationBufferLength); |
1097 |
-- if (bufoffs + buflen > length) |
1098 |
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { |
1099 |
- return USB_RET_STALL; |
1100 |
-+ } |
1101 |
- |
1102 |
- infobuflen = ndis_query(s, le32_to_cpu(buf->OID), |
1103 |
- bufoffs + (uint8_t *) buf, buflen, infobuf, |
1104 |
-@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s, |
1105 |
- |
1106 |
- bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; |
1107 |
- buflen = le32_to_cpu(buf->InformationBufferLength); |
1108 |
-- if (bufoffs + buflen > length) |
1109 |
-+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { |
1110 |
- return USB_RET_STALL; |
1111 |
-+ } |
1112 |
- |
1113 |
- ret = ndis_set(s, le32_to_cpu(buf->OID), |
1114 |
- bufoffs + (uint8_t *) buf, buflen); |
1115 |
-@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p) |
1116 |
- if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { |
1117 |
- uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); |
1118 |
- uint32_t size = le32_to_cpu(msg->DataLength); |
1119 |
-- if (offs + size <= len) |
1120 |
-+ if (offs < len && size < len && offs + size <= len) { |
1121 |
- qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); |
1122 |
-+ } |
1123 |
- } |
1124 |
- s->out_ptr -= len; |
1125 |
- memmove(s->out_buf, &s->out_buf[len], s->out_ptr); |
1126 |
--- |
1127 |
-2.7.4 |
1128 |
- |
1129 |
diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch |
1130 |
new file mode 100644 |
1131 |
index 0000000..cf1a4c3 |
1132 |
--- /dev/null |
1133 |
+++ b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch |
1134 |
@@ -0,0 +1,107 @@ |
1135 |
+https://bugs.gentoo.org/580426 |
1136 |
+https://bugs.gentoo.org/568246 |
1137 |
+ |
1138 |
+From a49923d2837d20510d645d3758f1ad87c32d0730 Mon Sep 17 00:00:00 2001 |
1139 |
+From: Gerd Hoffmann <kraxel@××××××.com> |
1140 |
+Date: Mon, 18 Apr 2016 09:20:54 +0200 |
1141 |
+Subject: [PATCH] Revert "ehci: make idt processing more robust" |
1142 |
+ |
1143 |
+This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254. |
1144 |
+ |
1145 |
+Breaks FreeBSD. |
1146 |
+ |
1147 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
1148 |
+--- |
1149 |
+ hw/usb/hcd-ehci.c | 5 ++--- |
1150 |
+ 1 file changed, 2 insertions(+), 3 deletions(-) |
1151 |
+ |
1152 |
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c |
1153 |
+index d5c0e1c..43a8f7a 100644 |
1154 |
+--- a/hw/usb/hcd-ehci.c |
1155 |
++++ b/hw/usb/hcd-ehci.c |
1156 |
+@@ -1397,7 +1397,7 @@ static int ehci_process_itd(EHCIState *ehci, |
1157 |
+ { |
1158 |
+ USBDevice *dev; |
1159 |
+ USBEndpoint *ep; |
1160 |
+- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; |
1161 |
++ uint32_t i, len, pid, dir, devaddr, endp; |
1162 |
+ uint32_t pg, off, ptr1, ptr2, max, mult; |
1163 |
+ |
1164 |
+ ehci->periodic_sched_active = PERIODIC_ACTIVE; |
1165 |
+@@ -1489,10 +1489,9 @@ static int ehci_process_itd(EHCIState *ehci, |
1166 |
+ ehci_raise_irq(ehci, USBSTS_INT); |
1167 |
+ } |
1168 |
+ itd->transact[i] &= ~ITD_XACT_ACTIVE; |
1169 |
+- xfers++; |
1170 |
+ } |
1171 |
+ } |
1172 |
+- return xfers ? 0 : -1; |
1173 |
++ return 0; |
1174 |
+ } |
1175 |
+ |
1176 |
+ |
1177 |
+-- |
1178 |
+2.7.4 |
1179 |
+ |
1180 |
+From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001 |
1181 |
+From: Gerd Hoffmann <kraxel@××××××.com> |
1182 |
+Date: Mon, 18 Apr 2016 09:11:38 +0200 |
1183 |
+Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors |
1184 |
+MIME-Version: 1.0 |
1185 |
+Content-Type: text/plain; charset=UTF-8 |
1186 |
+Content-Transfer-Encoding: 8bit |
1187 |
+ |
1188 |
+Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a |
1189 |
+DoS by the guest (create a circular iTD queue and let qemu ehci |
1190 |
+emulation run in circles forever). Unfortunately this has two problems: |
1191 |
+First it misses the case of siTDs, and second it reportedly breaks |
1192 |
+FreeBSD. |
1193 |
+ |
1194 |
+So lets go for a different approach: just count the number of iTDs and |
1195 |
+siTDs we have seen per frame and apply a limit. That should really |
1196 |
+catch all cases now. |
1197 |
+ |
1198 |
+Reported-by: 杜少博 <dushaobo@×××.cn> |
1199 |
+Signed-off-by: Gerd Hoffmann <kraxel@××××××.com> |
1200 |
+--- |
1201 |
+ hw/usb/hcd-ehci.c | 6 +++++- |
1202 |
+ 1 file changed, 5 insertions(+), 1 deletion(-) |
1203 |
+ |
1204 |
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c |
1205 |
+index 159f58d..d5c0e1c 100644 |
1206 |
+--- a/hw/usb/hcd-ehci.c |
1207 |
++++ b/hw/usb/hcd-ehci.c |
1208 |
+@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q) |
1209 |
+ static void ehci_advance_state(EHCIState *ehci, int async) |
1210 |
+ { |
1211 |
+ EHCIQueue *q = NULL; |
1212 |
++ int itd_count = 0; |
1213 |
+ int again; |
1214 |
+ |
1215 |
+ do { |
1216 |
+@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async) |
1217 |
+ |
1218 |
+ case EST_FETCHITD: |
1219 |
+ again = ehci_state_fetchitd(ehci, async); |
1220 |
++ itd_count++; |
1221 |
+ break; |
1222 |
+ |
1223 |
+ case EST_FETCHSITD: |
1224 |
+ again = ehci_state_fetchsitd(ehci, async); |
1225 |
++ itd_count++; |
1226 |
+ break; |
1227 |
+ |
1228 |
+ case EST_ADVANCEQUEUE: |
1229 |
+@@ -2087,7 +2090,8 @@ static void ehci_advance_state(EHCIState *ehci, int async) |
1230 |
+ break; |
1231 |
+ } |
1232 |
+ |
1233 |
+- if (again < 0) { |
1234 |
++ if (again < 0 || itd_count > 16) { |
1235 |
++ /* TODO: notify guest (raise HSE irq?) */ |
1236 |
+ fprintf(stderr, "processing error - resetting ehci HC\n"); |
1237 |
+ ehci_reset(ehci); |
1238 |
+ again = 0; |
1239 |
+-- |
1240 |
+2.7.4 |
1241 |
+ |
1242 |
diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch |
1243 |
new file mode 100644 |
1244 |
index 0000000..e3115c1 |
1245 |
--- /dev/null |
1246 |
+++ b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch |
1247 |
@@ -0,0 +1,16 @@ |
1248 |
+https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html |
1249 |
+https://bugs.gentoo.org/580040 |
1250 |
+ |
1251 |
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c |
1252 |
+index c69f374..ff1e31a 100644 |
1253 |
+--- a/hw/i386/kvmvapic.c |
1254 |
++++ b/hw/i386/kvmvapic.c |
1255 |
+@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip) |
1256 |
+ CPUX86State *env = &cpu->env; |
1257 |
+ VAPICHandlers *handlers; |
1258 |
+ uint8_t opcode[2]; |
1259 |
+- uint32_t imm32; |
1260 |
++ uint32_t imm32 = 0; |
1261 |
+ target_ulong current_pc = 0; |
1262 |
+ target_ulong current_cs_base = 0; |
1263 |
+ int current_flags = 0; |
1264 |
diff --git a/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch |
1265 |
new file mode 100644 |
1266 |
index 0000000..ab7d3f3 |
1267 |
--- /dev/null |
1268 |
+++ b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch |
1269 |
@@ -0,0 +1,47 @@ |
1270 |
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001 |
1271 |
+From: Prasad J Pandit <pjp@×××××××××××××.org> |
1272 |
+Date: Fri, 8 Apr 2016 11:33:48 +0530 |
1273 |
+Subject: [PATCH] net: stellaris_enet: check packet length against receive |
1274 |
+ buffer |
1275 |
+ |
1276 |
+When receiving packets over Stellaris ethernet controller, it |
1277 |
+uses receive buffer of size 2048 bytes. In case the controller |
1278 |
+accepts large(MTU) packets, it could lead to memory corruption. |
1279 |
+Add check to avoid it. |
1280 |
+ |
1281 |
+Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@×××××.com> |
1282 |
+Signed-off-by: Prasad J Pandit <pjp@×××××××××××××.org> |
1283 |
+Message-id: 1460095428-22698-1-git-send-email-ppandit@××××××.com |
1284 |
+Reviewed-by: Peter Maydell <peter.maydell@××××××.org> |
1285 |
+Signed-off-by: Peter Maydell <peter.maydell@××××××.org> |
1286 |
+--- |
1287 |
+ hw/net/stellaris_enet.c | 12 +++++++++++- |
1288 |
+ 1 file changed, 11 insertions(+), 1 deletion(-) |
1289 |
+ |
1290 |
+diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c |
1291 |
+index 84cf60b..6880894 100644 |
1292 |
+--- a/hw/net/stellaris_enet.c |
1293 |
++++ b/hw/net/stellaris_enet.c |
1294 |
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si |
1295 |
+ n = s->next_packet + s->np; |
1296 |
+ if (n >= 31) |
1297 |
+ n -= 31; |
1298 |
+- s->np++; |
1299 |
+ |
1300 |
++ if (size >= sizeof(s->rx[n].data) - 6) { |
1301 |
++ /* If the packet won't fit into the |
1302 |
++ * emulated 2K RAM, this is reported |
1303 |
++ * as a FIFO overrun error. |
1304 |
++ */ |
1305 |
++ s->ris |= SE_INT_FOV; |
1306 |
++ stellaris_enet_update(s); |
1307 |
++ return -1; |
1308 |
++ } |
1309 |
++ |
1310 |
++ s->np++; |
1311 |
+ s->rx[n].len = size + 6; |
1312 |
+ p = s->rx[n].data; |
1313 |
+ *(p++) = (size + 6); |
1314 |
+-- |
1315 |
+2.7.4 |
1316 |
+ |
1317 |
diff --git a/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch b/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch |
1318 |
new file mode 100644 |
1319 |
index 0000000..743171b |
1320 |
--- /dev/null |
1321 |
+++ b/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch |
1322 |
@@ -0,0 +1,82 @@ |
1323 |
+https://bugs.gentoo.org/577810 |
1324 |
+ |
1325 |
+From 277abf15a60f7653bfb05ffb513ed74ffdaea1b7 Mon Sep 17 00:00:00 2001 |
1326 |
+From: Jan Vesely <jano.vesely@×××××.com> |
1327 |
+Date: Fri, 29 Apr 2016 13:15:23 -0400 |
1328 |
+Subject: [PATCH] configure: Check if struct fsxattr is available from linux |
1329 |
+ header |
1330 |
+MIME-Version: 1.0 |
1331 |
+Content-Type: text/plain; charset=UTF-8 |
1332 |
+Content-Transfer-Encoding: 8bit |
1333 |
+ |
1334 |
+Fixes build failure with --enable-xfsctl and |
1335 |
+new linux headers (>=4.5) and older xfsprogs(<4.5): |
1336 |
+In file included from /usr/include/xfs/xfs.h:38:0, |
1337 |
+ from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:97: |
1338 |
+/usr/include/xfs/xfs_fs.h:42:8: error: redefinition of ‘struct fsxattr’ |
1339 |
+ struct fsxattr { |
1340 |
+ ^ |
1341 |
+In file included from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:60:0: |
1342 |
+/usr/include/linux/fs.h:155:8: note: originally defined here |
1343 |
+ struct fsxattr { |
1344 |
+ |
1345 |
+This is really a bug in the system headers, but we can work around it |
1346 |
+by defining HAVE_FSXATTR in the QEMU headers if linux/fs.h provides |
1347 |
+the struct, so that xfs_fs.h doesn't try to define it as well. |
1348 |
+ |
1349 |
+CC: qemu-trivial@××××××.org |
1350 |
+CC: Markus Armbruster <armbru@××××××.com> |
1351 |
+CC: Peter Maydell <peter.maydell@××××××.org> |
1352 |
+CC: Stefan Weil <sw@××××××××.de> |
1353 |
+Tested-by: Stefan Weil <sw@××××××××.de> |
1354 |
+Signed-off-by: Jan Vesely <jano.vesely@×××××.com> |
1355 |
+[PMM: adjusted commit message, comments] |
1356 |
+Signed-off-by: Peter Maydell <peter.maydell@××××××.org> |
1357 |
+--- |
1358 |
+ configure | 23 +++++++++++++++++++++++ |
1359 |
+ 1 file changed, 23 insertions(+) |
1360 |
+ |
1361 |
+diff --git a/configure b/configure |
1362 |
+index ab54f3c..c37fc5f 100755 |
1363 |
+--- a/configure |
1364 |
++++ b/configure |
1365 |
+@@ -4494,6 +4494,21 @@ if test "$fortify_source" != "no"; then |
1366 |
+ fi |
1367 |
+ |
1368 |
+ ########################################## |
1369 |
++# check if struct fsxattr is available via linux/fs.h |
1370 |
++ |
1371 |
++have_fsxattr=no |
1372 |
++cat > $TMPC << EOF |
1373 |
++#include <linux/fs.h> |
1374 |
++struct fsxattr foo; |
1375 |
++int main(void) { |
1376 |
++ return 0; |
1377 |
++} |
1378 |
++EOF |
1379 |
++if compile_prog "" "" ; then |
1380 |
++ have_fsxattr=yes |
1381 |
++fi |
1382 |
++ |
1383 |
++########################################## |
1384 |
+ # End of CC checks |
1385 |
+ # After here, no more $cc or $ld runs |
1386 |
+ |
1387 |
+@@ -5160,6 +5175,14 @@ fi |
1388 |
+ if test "$have_ifaddrs_h" = "yes" ; then |
1389 |
+ echo "HAVE_IFADDRS_H=y" >> $config_host_mak |
1390 |
+ fi |
1391 |
++ |
1392 |
++# Work around a system header bug with some kernel/XFS header |
1393 |
++# versions where they both try to define 'struct fsxattr': |
1394 |
++# xfs headers will not try to redefine structs from linux headers |
1395 |
++# if this macro is set. |
1396 |
++if test "$have_fsxattr" = "yes" ; then |
1397 |
++ echo "HAVE_FSXATTR=y" >> $config_host_mak |
1398 |
++fi |
1399 |
+ if test "$vte" = "yes" ; then |
1400 |
+ echo "CONFIG_VTE=y" >> $config_host_mak |
1401 |
+ echo "VTE_CFLAGS=$vte_cflags" >> $config_host_mak |
1402 |
+-- |
1403 |
+2.8.2 |
1404 |
+ |
1405 |
diff --git a/app-emulation/qemu/qemu-2.5.0-r999.ebuild b/app-emulation/qemu/qemu-2.5.1-r99.ebuild |
1406 |
similarity index 94% |
1407 |
rename from app-emulation/qemu/qemu-2.5.0-r999.ebuild |
1408 |
rename to app-emulation/qemu/qemu-2.5.1-r99.ebuild |
1409 |
index 876141b..1d169e8 100644 |
1410 |
--- a/app-emulation/qemu/qemu-2.5.0-r999.ebuild |
1411 |
+++ b/app-emulation/qemu/qemu-2.5.1-r99.ebuild |
1412 |
@@ -84,8 +84,8 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} |
1413 |
fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] ) |
1414 |
glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] ) |
1415 |
gnutls? ( |
1416 |
- dev-libs/nettle[static-libs(+)] |
1417 |
- >=net-libs/gnutls-3.0[static-libs(+)] |
1418 |
+ dev-libs/nettle:=[static-libs(+)] |
1419 |
+ >=net-libs/gnutls-3.0:=[static-libs(+)] |
1420 |
) |
1421 |
gtk? ( |
1422 |
gtk2? ( |
1423 |
@@ -342,25 +342,13 @@ src_prepare() { |
1424 |
EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ |
1425 |
epatch |
1426 |
|
1427 |
- epatch "${FILESDIR}"/${P}-CVE-2015-8567.patch #567868 |
1428 |
- epatch "${FILESDIR}"/${P}-CVE-2015-8558.patch #568246 |
1429 |
- epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110 |
1430 |
- epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988 |
1431 |
- epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566 |
1432 |
- epatch "${FILESDIR}"/${P}-CVE-2015-8613.patch #569118 |
1433 |
- epatch "${FILESDIR}"/${P}-CVE-2015-8619.patch #569300 |
1434 |
- epatch "${FILESDIR}"/${P}-CVE-2016-1714.patch #571560 |
1435 |
- epatch "${FILESDIR}"/${P}-CVE-2016-1922.patch #572082 |
1436 |
- epatch "${FILESDIR}"/${P}-CVE-2016-1981.patch #572412 |
1437 |
- epatch "${FILESDIR}"/${P}-usb-ehci-oob.patch #572454 |
1438 |
- epatch "${FILESDIR}"/${P}-CVE-2016-2197.patch #573280 |
1439 |
- epatch "${FILESDIR}"/${P}-CVE-2016-2198.patch #573314 |
1440 |
- epatch "${FILESDIR}"/${P}-CVE-2016-2392.patch #574902 |
1441 |
- epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492 |
1442 |
- epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420 |
1443 |
- epatch "${FILESDIR}"/${P}-sysmacros.patch |
1444 |
- epatch "${FILESDIR}"/${P}-ne2000-reg-check.patch #573816 |
1445 |
- epatch "${FILESDIR}"/${P}-9pfs-segfault.patch #578142 |
1446 |
+ epatch "${FILESDIR}"/${PN}-2.5.0-CVE-2016-2198.patch #573314 |
1447 |
+ epatch "${FILESDIR}"/${PN}-2.5.0-rng-stack-corrupt-{0,1,2,3}.patch #576420 |
1448 |
+ epatch "${FILESDIR}"/${PN}-2.5.1-stellaris_enet-overflow.patch #579614 |
1449 |
+ epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2016-4020.patch #580040 |
1450 |
+ epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2015-8558.patch #568246 #580426 |
1451 |
+ epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch |
1452 |
+ epatch "${FILESDIR}"/${PN}-2.5.1-xfs-linux-headers.patch #577810 |
1453 |
|
1454 |
# Fix ld and objcopy being called directly |
1455 |
tc-export AR LD OBJCOPY |
1456 |
-- |
1457 |
2.7.3 |