authorSona Sarmadi <sona.sarmadi@enea.com>2017-05-10 12:17:34 (GMT)
committerAdrian Dudau <adrian.dudau@enea.com>2017-05-11 13:28:59 (GMT)
commit17a9a734122e446bd2708a4273af1fe4eacb87ae (patch)
tree55c8bf72fe305f7024b684a1642deb61dac12082
parent5c021b4550f77ddc7d32664a08e46ba69d16c2c7 (diff)
qemu: upgrade to 2.7.0
This upgrade can fix a qemuppc + openssh bug: the ssh connection may be refused or closed randomly, and it's not easy to reproduce. RP pointed out that this upgrade can fix the problem, and it does work in my local testing. * Update add-ptest-in-makefile.patch Here is the Changelog: http://wiki.qemu.org/ChangeLog/2.7 (From OE-Core rev: 056ce17e168bf856ff95a6f659098403169cb889) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc3
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch78
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch105
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch67
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch75
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch60
-rw-r--r--meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch19
-rw-r--r--meta/recipes-devtools/qemu/qemu_2.7.0.bb (renamed from meta/recipes-devtools/qemu/qemu_2.6.0.bb)12
10 files changed, 13 insertions, 491 deletions
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 36d600f..509bc95 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -66,7 +66,8 @@ do_install_ptest() {
66 cp -rL ${B}/tests ${D}${PTEST_PATH} 66 cp -rL ${B}/tests ${D}${PTEST_PATH}
67 find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {} 67 find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {}
68 68
69 cp ${S}/tests/Makefile ${D}${PTEST_PATH}/tests 69 cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests
70
70} 71}
71 72
72do_install () { 73do_install () {
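Review bot: The blank line added at new line 70, between the `cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests` line and the closing brace of do_install_ptest(), is stray whitespace rather than a separation of logical steps and is the only addition in this hunk beyond the Makefile.include rename. Drop it so the function body ends directly at the `cp` line, as the 2.6.0 version did. do_install_ptest() starts before the hunk.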
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch
deleted file mode 100644
index 69c11e2..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch
+++ /dev/null
@@ -1,39 +0,0 @@
1From 7a2c32ec06533c54ddaf70136bfbd89eeaf6db16 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 7 Apr 2016 15:56:02 +0530
4Subject: [PATCH] net: mipsnet: check packet length against buffer
5
6When receiving packets over MIPSnet network device, it uses
7receive buffer of size 1514 bytes. In case the controller
8accepts large(MTU) packets, it could lead to memory corruption.
9Add check to avoid it.
10
11Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
12Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13Signed-off-by: Jason Wang <jasowang@redhat.com>
14
15(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
16Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
17
18Upstream-Status: Backport
19CVE: CVE-2016-4002
20Signed-off-by: Armin Kuster <akuster@mvista.com>
21
22---
23 hw/net/mipsnet.c | 3 +++
24 1 file changed, 3 insertions(+)
25
26Index: qemu-2.4.0/hw/net/mipsnet.c
27===================================================================
28--- qemu-2.4.0.orig/hw/net/mipsnet.c
29+++ qemu-2.4.0/hw/net/mipsnet.c
30@@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClient
31 if (!mipsnet_can_receive(nc))
32 return 0;
33
34+ if (size >= sizeof(s->rx_buffer)) {
35+ return 0;
36+ }
37 s->busy = 1;
38
39 /* Just accept everything. */
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch
deleted file mode 100644
index 5d3b9a9..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From 0a5e3685ea10c578f8063ca0dbb009af45693d85 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 19 May 2016 16:09:30 +0530
4Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
5
6The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
7FIFO buffer. It is used to handle command and data transfer. While
8writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
9was missing to validate input length. Add check to avoid OOB write
10access.
11
12Fixes CVE-2016-4439.
13
14Reported-by: Li Qiang <liqiang6-s@360.cn>
15Cc: qemu-stable@nongnu.org
16Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
17Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
18Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
19(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
20Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
21
22Upstream-Status: Backport
23CVE: CVE-2016-4439
24Signed-off-by: Armin Kuster <akuster@mvista.com>
25
26---
27 hw/scsi/esp.c | 6 +++++-
28 1 file changed, 5 insertions(+), 1 deletion(-)
29
30Index: qemu-2.4.0/hw/scsi/esp.c
31===================================================================
32--- qemu-2.4.0.orig/hw/scsi/esp.c
33+++ qemu-2.4.0/hw/scsi/esp.c
34@@ -446,7 +446,11 @@ void esp_reg_write(ESPState *s, uint32_t
35 break;
36 case ESP_FIFO:
37 if (s->do_cmd) {
38- s->cmdbuf[s->cmdlen++] = val & 0xff;
39+ if (s->cmdlen < TI_BUFSZ) {
40+ s->cmdbuf[s->cmdlen++] = val & 0xff;
41+ } else {
42+ trace_esp_error_fifo_overrun();
43+ }
44 } else if (s->ti_size == TI_BUFSZ - 1) {
45 trace_esp_error_fifo_overrun();
46 } else {
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
deleted file mode 100644
index 3cbe394..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
+++ /dev/null
@@ -1,78 +0,0 @@
1From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 19 May 2016 16:09:31 +0530
4Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
5
6The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
7FIFO buffer. It is used to handle command and data transfer.
8Routine get_cmd() uses DMA to read scsi commands into this buffer.
9Add check to validate DMA length against buffer size to avoid any
10overrun.
11
12Fixes CVE-2016-4441.
13
14Upstream-Status: Backport
15
16Reported-by: Li Qiang <liqiang6-s@360.cn>
17Cc: qemu-stable@nongnu.org
18Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
19Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
20Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
21Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
22---
23 hw/scsi/esp.c | 11 +++++++----
24 1 files changed, 7 insertions(+), 4 deletions(-)
25
26diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
27index 01497e6..591c817 100644
28--- a/hw/scsi/esp.c
29+++ b/hw/scsi/esp.c
30@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
31 }
32 }
33
34-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
35+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
36 {
37 uint32_t dmalen;
38 int target;
39@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
40 dmalen = s->rregs[ESP_TCLO];
41 dmalen |= s->rregs[ESP_TCMID] << 8;
42 dmalen |= s->rregs[ESP_TCHI] << 16;
43+ if (dmalen > buflen) {
44+ return 0;
45+ }
46 s->dma_memory_read(s->dma_opaque, buf, dmalen);
47 } else {
48 dmalen = s->ti_size;
49@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
50 s->dma_cb = handle_satn;
51 return;
52 }
53- len = get_cmd(s, buf);
54+ len = get_cmd(s, buf, sizeof(buf));
55 if (len)
56 do_cmd(s, buf);
57 }
58@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
59 s->dma_cb = handle_s_without_atn;
60 return;
61 }
62- len = get_cmd(s, buf);
63+ len = get_cmd(s, buf, sizeof(buf));
64 if (len) {
65 do_busid_cmd(s, buf, 0);
66 }
67@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
68 s->dma_cb = handle_satn_stop;
69 return;
70 }
71- s->cmdlen = get_cmd(s, s->cmdbuf);
72+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
73 if (s->cmdlen) {
74 trace_esp_handle_satn_stop(s->cmdlen);
75 s->do_cmd = 1;
76--
771.7.0.4
78
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
deleted file mode 100644
index 52d2a1e..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch
+++ /dev/null
@@ -1,105 +0,0 @@
1From 3e831b40e015ba34dfb55ff11f767001839425ff Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Mon, 23 May 2016 16:18:05 +0530
4Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952)
5
6Vmware Paravirtual SCSI emulation uses command descriptors to
7process SCSI commands. These descriptors come with their ring
8buffers. A guest could set the ring buffer size to an arbitrary
9value leading to OOB access issue. Add check to avoid it.
10
11Upstream-Status: Backported
12
13Reported-by: Li Qiang <liqiang6-s@360.cn>
14Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
15Cc: qemu-stable@nongnu.org
16Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
17Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
18Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
19Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
20Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
21---
22 hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
23 1 files changed, 20 insertions(+), 4 deletions(-)
24
25diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
26index f67b5bf..2d7528d 100644
27--- a/hw/scsi/vmw_pvscsi.c
28+++ b/hw/scsi/vmw_pvscsi.c
29@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
30 return log;
31 }
32
33-static void
34+static int
35 pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
36 {
37 int i;
38@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
39 uint32_t req_ring_size, cmp_ring_size;
40 m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
41
42+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
43+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
44+ return -1;
45+ }
46 req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
47 cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
48 txr_len_log2 = pvscsi_log2(req_ring_size - 1);
49@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
50
51 /* Flush ring state page changes */
52 smp_wmb();
53+
54+ return 0;
55 }
56
57-static void
58+static int
59 pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
60 {
61 int i;
62 uint32_t len_log2;
63 uint32_t ring_size;
64
65+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
66+ return -1;
67+ }
68 ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
69 len_log2 = pvscsi_log2(ring_size - 1);
70
71@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
72
73 /* Flush ring state page changes */
74 smp_wmb();
75+
76+ return 0;
77 }
78
79 static void
80@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
81 trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
82
83 pvscsi_dbg_dump_tx_rings_config(rc);
84- pvscsi_ring_init_data(&s->rings, rc);
85+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
86+ return PVSCSI_COMMAND_PROCESSING_FAILED;
87+ }
88+
89 s->rings_info_valid = TRUE;
90 return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
91 }
92@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
93 }
94
95 if (s->rings_info_valid) {
96- pvscsi_ring_init_msg(&s->rings, rc);
97+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
98+ return PVSCSI_COMMAND_PROCESSING_FAILED;
99+ }
100 s->msg_ring_info_valid = TRUE;
101 }
102 return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
103--
1041.7.0.4
105
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
deleted file mode 100644
index fe084f5..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch
+++ /dev/null
@@ -1,67 +0,0 @@
1From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001
2From: Stefan Hajnoczi <stefanha@redhat.com>
3Date: Tue, 19 Jul 2016 13:07:13 +0100
4Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
5
6A broken or malicious guest can submit more requests than the virtqueue
7size permits, causing unbounded memory allocation in QEMU.
8
9The guest can submit requests without bothering to wait for completion
10and is therefore not bound by virtqueue size. This requires reusing
11vring descriptors in more than one request, which is not allowed by the
12VIRTIO 1.0 specification.
13
14In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification
15says:
16
17 1. The driver places the buffer into free descriptor(s) in the
18 descriptor table, chaining as necessary
19
20and
21
22 Note that the above code does not take precautions against the
23 available ring buffer wrapping around: this is not possible since the
24 ring buffer is the same size as the descriptor table, so step (1) will
25 prevent such a condition.
26
27This implies that placing more buffers into the virtqueue than the
28descriptor table size is not allowed.
29
30QEMU is missing the check to prevent this case. Processing a request
31allocates a VirtQueueElement leading to unbounded memory allocation
32controlled by the guest.
33
34Exit with an error if the guest provides more requests than the
35virtqueue size permits. This bounds memory allocation and makes the
36buggy guest visible to the user.
37
38This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360
39Marvel Team, China.
40
41Reported-by: Zhenhao Hong <hongzhenhao@360.cn>
42Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
43
44Upstream-Status: Backport
45CVE: CVE-2106-5403
46Signed-off-by: Armin Kuster <akuster@mvista.com>
47
48---
49 hw/virtio/virtio.c | 5 +++++
50 1 file changed, 5 insertions(+)
51
52Index: qemu-2.4.0/hw/virtio/virtio.c
53===================================================================
54--- qemu-2.4.0.orig/hw/virtio/virtio.c
55+++ qemu-2.4.0/hw/virtio/virtio.c
56@@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
57
58 max = vq->vring.num;
59
60+ if (vq->inuse >= vq->vring.num) {
61+ error_report("Virtqueue size exceeded");
62+ exit(1);
63+ }
64+
65 i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
66 if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
67 vring_set_avail_event(vq, vq->last_avail_idx);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch
deleted file mode 100644
index 350ae2b..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch
+++ /dev/null
@@ -1,75 +0,0 @@
1From 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 16 Jun 2016 00:22:35 +0200
4Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
5
6While doing DMA read into ESP command buffer 's->cmdbuf', it could
7write past the 's->cmdbuf' area, if it was transferring more than 16
8bytes. Increase the command buffer size to 32, which is maximum when
9's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
10
11Reported-by: Li Qiang <liqiang6-s@360.cn>
12Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
13Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
14
15Upstream-Status: Backport
16CVE: CVE-2016-6351 patch1
17Signed-off-by: Armin Kuster <akuster@mvista.com>
18
19---
20 hw/scsi/esp.c | 6 ++++--
21 include/hw/scsi/esp.h | 3 ++-
22 2 files changed, 6 insertions(+), 3 deletions(-)
23
24Index: qemu-2.4.0/hw/scsi/esp.c
25===================================================================
26--- qemu-2.4.0.orig/hw/scsi/esp.c
27+++ qemu-2.4.0/hw/scsi/esp.c
28@@ -241,6 +241,8 @@ static void esp_do_dma(ESPState *s)
29 len = s->dma_left;
30 if (s->do_cmd) {
31 trace_esp_do_dma(s->cmdlen, len);
32+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
33+ len <= sizeof(s->cmdbuf) - s->cmdlen);
34 s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
35 s->ti_size = 0;
36 s->cmdlen = 0;
37@@ -340,7 +342,7 @@ static void handle_ti(ESPState *s)
38 s->dma_counter = dmalen;
39
40 if (s->do_cmd)
41- minlen = (dmalen < 32) ? dmalen : 32;
42+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
43 else if (s->ti_size < 0)
44 minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
45 else
46@@ -446,7 +448,7 @@ void esp_reg_write(ESPState *s, uint32_t
47 break;
48 case ESP_FIFO:
49 if (s->do_cmd) {
50- if (s->cmdlen < TI_BUFSZ) {
51+ if (s->cmdlen < ESP_CMDBUF_SZ) {
52 s->cmdbuf[s->cmdlen++] = val & 0xff;
53 } else {
54 trace_esp_error_fifo_overrun();
55Index: qemu-2.4.0/include/hw/scsi/esp.h
56===================================================================
57--- qemu-2.4.0.orig/include/hw/scsi/esp.h
58+++ qemu-2.4.0/include/hw/scsi/esp.h
59@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shi
60
61 #define ESP_REGS 16
62 #define TI_BUFSZ 16
63+#define ESP_CMDBUF_SZ 32
64
65 typedef struct ESPState ESPState;
66
67@@ -31,7 +32,7 @@ struct ESPState {
68 SCSIBus bus;
69 SCSIDevice *current_dev;
70 SCSIRequest *current_req;
71- uint8_t cmdbuf[TI_BUFSZ];
72+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
73 uint32_t cmdlen;
74 uint32_t do_cmd;
75
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
deleted file mode 100644
index c4ed354..0000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
+++ /dev/null
@@ -1,60 +0,0 @@
1From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001
2From: Paolo Bonzini <pbonzini@redhat.com>
3Date: Mon, 20 Jun 2016 16:32:39 +0200
4Subject: [PATCH] scsi: esp: fix migration
5
6Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
72016-06-16) changed the size of a migrated field. Split it in two
8parts, and only migrate the second part in a new vmstate version.
9
10Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
11
12Upstream-Status: Backport
13CVE: CVE-2016-6351 patch1
14Signed-off-by: Armin Kuster <akuster@mvista.com>
15
16---
17 hw/scsi/esp.c | 5 +++--
18 include/migration/vmstate.h | 5 ++++-
19 2 files changed, 7 insertions(+), 3 deletions(-)
20
21Index: qemu-2.4.0/hw/scsi/esp.c
22===================================================================
23--- qemu-2.4.0.orig/hw/scsi/esp.c
24+++ qemu-2.4.0/hw/scsi/esp.c
25@@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque
26
27 const VMStateDescription vmstate_esp = {
28 .name ="esp",
29- .version_id = 3,
30+ .version_id = 4,
31 .minimum_version_id = 3,
32 .fields = (VMStateField[]) {
33 VMSTATE_BUFFER(rregs, ESPState),
34@@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = {
35 VMSTATE_BUFFER(ti_buf, ESPState),
36 VMSTATE_UINT32(status, ESPState),
37 VMSTATE_UINT32(dma, ESPState),
38- VMSTATE_BUFFER(cmdbuf, ESPState),
39+ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
40+ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
41 VMSTATE_UINT32(cmdlen, ESPState),
42 VMSTATE_UINT32(do_cmd, ESPState),
43 VMSTATE_UINT32(dma_left, ESPState),
44Index: qemu-2.4.0/include/migration/vmstate.h
45===================================================================
46--- qemu-2.4.0.orig/include/migration/vmstate.h
47+++ qemu-2.4.0/include/migration/vmstate.h
48@@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi
49 #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
50 VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
51
52+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
53+ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
54+
55 #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
56- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
57+ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
58
59 #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
60 VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
diff --git a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
index a99f720..2ce3478 100644
--- a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
+++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
@@ -4,14 +4,14 @@ Add subpackage -ptest which runs all unit test cases for qemu.
4 4
5Signed-off-by: Kai Kang <kai.kang@windriver.com> 5Signed-off-by: Kai Kang <kai.kang@windriver.com>
6--- 6---
7 tests/Makefile | 10 ++++++++++ 7 tests/Makefile.include | 8 ++++++++
8 1 file changed, 10 insertions(+) 8 1 file changed, 8 insertions(+)
9 9
10diff --git a/tests/Makefile b/tests/Makefile 10diff --git a/tests/Makefile.include b/tests/Makefile.include
11index 88f7105..3f40b4b 100644 11index 14be491..0fce37a 100644
12--- a/tests/Makefile 12--- a/tests/Makefile.include
13+++ b/tests/Makefile 13+++ b/tests/Makefile.include
14@@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) 14@@ -776,3 +776,11 @@ all: $(QEMU_IOTESTS_HELPERS-y)
15 15
16 -include $(wildcard tests/*.d) 16 -include $(wildcard tests/*.d)
17 -include $(wildcard tests/libqos/*.d) 17 -include $(wildcard tests/libqos/*.d)
@@ -23,7 +23,6 @@ index 88f7105..3f40b4b 100644
23+ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \ 23+ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
24+ $$nf; \ 24+ $$nf; \
25+ done 25+ done
26+ 26--
27-- 272.9.0
281.7.9.5
29 28
diff --git a/meta/recipes-devtools/qemu/qemu_2.6.0.bb b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
index 837e6ae..5be9768 100644
--- a/meta/recipes-devtools/qemu/qemu_2.6.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -8,19 +8,11 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \ 8 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
9 file://no-valgrind.patch \ 9 file://no-valgrind.patch \
10 file://pathlimit.patch \ 10 file://pathlimit.patch \
11 file://CVE-2016-4439.patch \
12 file://CVE-2016-6351_p1.patch \
13 file://CVE-2016-6351_p2.patch \
14 file://CVE-2016-4002.patch \
15 file://CVE-2016-5403.patch \
16 file://CVE-2016-4441.patch \
17 file://CVE-2016-4952.patch \
18 " 11 "
19SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2" 12SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
20 13
21SRC_URI[md5sum] = "ca3f70b43f093e33e9e014f144067f13" 14SRC_URI[md5sum] = "08d4d06d1cb598efecd796137f4844ab"
22SRC_URI[sha256sum] = "c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec" 15SRC_URI[sha256sum] = "326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53"
23
24 16
25COMPATIBLE_HOST_class-target_mips64 = "null" 17COMPATIBLE_HOST_class-target_mips64 = "null"
26 18
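Review bot: Removing the seven `file://CVE-2016-*.patch` entries from SRC_URI (old lines 11–17) is only safe if the 2.7.0 tarball already carries those upstream fixes, and neither the commit message nor the recipe records that; presumably they are in 2.7.0 since the backports predate the release, but a line in the commit message, or a recipe comment such as `# CVE-2016-4002/4439/4441/4952/5403/6351 backports dropped: fixed upstream in 2.7.0`, would let the next reader verify it instead of re-deriving it. The new md5sum and sha256sum at new lines 14–15 are what pin the archive fetched from the plain-http SRC_URI_prepend, so those values should be confirmed against the upstream release announcement before merging. The SRC_URI block starts before the hunk.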