author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-04-27 11:48:16 +0200 |
---|---|---|
committer | Nora Björklund <nora.bjorklund@enea.com> | 2016-04-28 09:02:11 +0200 |
commit | d3d0c7af34b996b4518b26d4f3b4eff831a651af (patch) | |
tree | d8dc6be1d65668e4cbaf04f47011542ed35b2031 | |
parent | c6477d7bc514c951746d6b717c033475fc45f3fc (diff) | |
qemu: Upgrade 2.1.0 to 2.4.0 to address some CVEs
The upgrade addresses the following CVEs:
CVE-2015-7295
CVE-2015-7504
CVE-2015-7512
CVE-2015-8345
CVE-2015-8504
CVE-2016-1568
CVE-2016-2197
CVE-2016-2198
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
34 files changed, 1050 insertions, 391 deletions
diff --git a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch b/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch deleted file mode 100644 index ec541fa668..0000000000 --- a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch +++ /dev/null | |||
@@ -1,30 +0,0 @@ | |||
1 | Prevent out-of-bounds array access on | ||
2 | acpi_pcihp_pci_status. | ||
3 | |||
4 | Upstream-Status: Backport | ||
5 | |||
6 | Signed-off-by: Gonglei <arei.gonglei@huawei.com> | ||
7 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
8 | --- | ||
9 | v2: | ||
10 | - change commit message. | ||
11 | - add 'Reviewed-by' | ||
12 | --- | ||
13 | hw/acpi/pcihp.c | 2 +- | ||
14 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
15 | |||
16 | diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c | ||
17 | index fae663a..34dedf1 100644 | ||
18 | --- a/hw/acpi/pcihp.c | ||
19 | +++ b/hw/acpi/pcihp.c | ||
20 | @@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) | ||
21 | uint32_t val = 0; | ||
22 | int bsel = s->hotplug_select; | ||
23 | |||
24 | - if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) { | ||
25 | + if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) { | ||
26 | return 0; | ||
27 | } | ||
28 | |||
29 | -- | ||
30 | 1.7.12.4 | ||
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c9a5d328f9..abbace8704 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -3,24 +3,30 @@ HOMEPAGE = "http://qemu.org" | |||
3 | LICENSE = "GPLv2 & LGPLv2.1" | 3 | LICENSE = "GPLv2 & LGPLv2.1" |
4 | DEPENDS = "glib-2.0 zlib pixman" | 4 | DEPENDS = "glib-2.0 zlib pixman" |
5 | RDEPENDS_${PN}_class-target += "bash python" | 5 | RDEPENDS_${PN}_class-target += "bash python" |
6 | RDEPENDS_${PN}-ptest = "bash make" | ||
6 | 7 | ||
7 | require qemu-targets.inc | 8 | require qemu-targets.inc |
8 | inherit autotools-brokensep | 9 | inherit autotools ptest |
9 | BBCLASSEXTEND = "native nativesdk" | 10 | BBCLASSEXTEND = "native nativesdk" |
10 | 11 | ||
12 | PR = "r1" | ||
13 | |||
11 | # QEMU_TARGETS is overridable variable | 14 | # QEMU_TARGETS is overridable variable |
12 | QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc sh4 x86_64" | 15 | QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc sh4 x86_64" |
13 | 16 | ||
14 | SRC_URI = "\ | 17 | SRC_URI = "\ |
15 | file://powerpc_rom.bin \ | 18 | file://powerpc_rom.bin \ |
16 | file://larger_default_ram_size.patch \ | ||
17 | file://disable-grabs.patch \ | 19 | file://disable-grabs.patch \ |
18 | file://exclude-some-arm-EABI-obsolete-syscalls.patch \ | 20 | file://exclude-some-arm-EABI-obsolete-syscalls.patch \ |
19 | file://wacom.patch \ | 21 | file://wacom.patch \ |
22 | file://add-ptest-in-makefile.patch \ | ||
23 | file://run-ptest \ | ||
24 | file://cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch \ | ||
20 | " | 25 | " |
21 | 26 | ||
22 | SRC_URI_append_class-native = "\ | 27 | SRC_URI_append_class-native = "\ |
23 | file://fix-libcap-header-issue-on-some-distro.patch \ | 28 | file://fix-libcap-header-issue-on-some-distro.patch \ |
29 | file://cpus.c-qemu_cpu_kick_thread_debugging.patch \ | ||
24 | " | 30 | " |
25 | 31 | ||
26 | EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror --disable-bluez --disable-libiscsi --with-system-pixman --extra-cflags='${CFLAGS}'" | 32 | EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror --disable-bluez --disable-libiscsi --with-system-pixman --extra-cflags='${CFLAGS}'" |
@@ -35,16 +41,6 @@ do_configure_prepend_class-native() { | |||
35 | if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then | 41 | if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then |
36 | export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH | 42 | export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH |
37 | fi | 43 | fi |
38 | |||
39 | # Undo the -lX11 added by linker-flags.patch, don't assume that host has libX11 installed | ||
40 | sed -i 's/-lX11//g' Makefile.target | ||
41 | } | ||
42 | |||
43 | do_configure_prepend_class-nativesdk() { | ||
44 | if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "" ] ; then | ||
45 | # Undo the -lX11 added by linker-flags.patch | ||
46 | sed -i 's/-lX11//g' Makefile.target | ||
47 | fi | ||
48 | } | 44 | } |
49 | 45 | ||
50 | KVMENABLE = "--enable-kvm" | 46 | KVMENABLE = "--enable-kvm" |
@@ -63,6 +59,17 @@ do_configure() { | |||
63 | test ! -e ${S}/target-i386/beginend_funcs.sh || chmod a+x ${S}/target-i386/beginend_funcs.sh | 59 | test ! -e ${S}/target-i386/beginend_funcs.sh || chmod a+x ${S}/target-i386/beginend_funcs.sh |
64 | } | 60 | } |
65 | 61 | ||
62 | do_compile_ptest() { | ||
63 | make buildtest-TESTS | ||
64 | } | ||
65 | |||
66 | do_install_ptest() { | ||
67 | cp -rL ${B}/tests ${D}${PTEST_PATH} | ||
68 | find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {} | ||
69 | |||
70 | cp ${S}/tests/Makefile ${D}${PTEST_PATH}/tests | ||
71 | } | ||
72 | |||
66 | do_install () { | 73 | do_install () { |
67 | export STRIP="true" | 74 | export STRIP="true" |
68 | autotools_do_install | 75 | autotools_do_install |
@@ -84,8 +91,12 @@ do_install_append() { | |||
84 | } | 91 | } |
85 | # END of qemu-mips workaround | 92 | # END of qemu-mips workaround |
86 | 93 | ||
87 | PACKAGECONFIG ??= "fdt sdl alsa" | 94 | PACKAGECONFIG ??= " \ |
88 | PACKAGECONFIG_class-native ??= "fdt alsa" | 95 | fdt sdl \ |
96 | ${@bb.utils.contains('DISTRO_FEATURES', 'alsa', 'alsa', '', d)} \ | ||
97 | ${@bb.utils.contains('DISTRO_FEATURES', 'xen', 'xen', '', d)} \ | ||
98 | " | ||
99 | PACKAGECONFIG_class-native ??= "fdt alsa uuid" | ||
89 | PACKAGECONFIG_class-nativesdk ??= "fdt sdl" | 100 | PACKAGECONFIG_class-nativesdk ??= "fdt sdl" |
90 | NATIVEDEPS = "" | 101 | NATIVEDEPS = "" |
91 | NATIVEDEPS_class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'libxext-native', '',d)}" | 102 | NATIVEDEPS_class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'libxext-native', '',d)}" |
@@ -93,10 +104,8 @@ PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl ${NATIVEDEPS}," | |||
93 | PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr," | 104 | PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr," |
94 | PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio," | 105 | PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio," |
95 | PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs," | 106 | PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs," |
96 | PACKAGECONFIG[xen] = "--enable-xen, --disable-xen,," | 107 | PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen,xen-libxenstore xen-libxenctrl xen-libxenguest" |
97 | PACKAGECONFIG[quorum] = "--enable-quorum, --disable-quorum, gnutls," | ||
98 | PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-vnc-tls,--disable-vnc-tls, gnutls," | 108 | PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-vnc-tls,--disable-vnc-tls, gnutls," |
99 | PACKAGECONFIG[vnc-ws] = "--enable-vnc --enable-vnc-ws,--disable-vnc-ws, gnutls," | ||
100 | PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," | 109 | PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," |
101 | PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg," | 110 | PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg," |
102 | PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng," | 111 | PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng," |
@@ -110,15 +119,11 @@ PACKAGECONFIG[ssh2] = "--enable-libssh2,--disable-libssh2,libssh2," | |||
110 | PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1" | 119 | PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1" |
111 | PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc" | 120 | PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc" |
112 | PACKAGECONFIG[alsa] = ",,alsa-lib" | 121 | PACKAGECONFIG[alsa] = ",,alsa-lib" |
113 | PACKAGECONFIG[glx] = "--enable-glx,--disable-glx,mesa" | 122 | PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,mesa" |
114 | PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo" | 123 | PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo" |
115 | PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl" | 124 | PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl" |
125 | PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls" | ||
116 | 126 | ||
117 | EXTRA_OECONF += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', '--audio-drv-list=oss,alsa', '', d)}" | 127 | EXTRA_OECONF += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', '--audio-drv-list=oss,alsa', '', d)}" |
118 | 128 | ||
119 | # Qemu target will not build in world build for ARM or Mips | ||
120 | BROKEN_qemuarm = "1" | ||
121 | BROKEN_qemumips64 = "1" | ||
122 | BROKEN_qemumips = "1" | ||
123 | |||
124 | INSANE_SKIP_${PN} = "arch" | 129 | INSANE_SKIP_${PN} = "arch" |
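Review bot: The cleanup in the new do_install_ptest pipes find into `xargs -i rm -rf {}`, which relies on the deprecated GNU `-i` spelling, is not safe for paths containing whitespace, and applies `-r` to entries already restricted by `-type f`; `find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" -delete` does the same job in one process without those caveats. The whole function lies inside the hunk. Separately, the added `PR = "r1"` lands in the same commit that moves to a new upstream version; presumably a leftover, since a version bump normally drops the PR rather than setting it — confirm against the accompanying .bb file, which is not visible here.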
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch deleted file mode 100644 index 4f992bae14..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch +++ /dev/null | |||
@@ -1,57 +0,0 @@ | |||
1 | From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001 | ||
2 | From: "Michael S. Tsirkin" <mst@redhat.com> | ||
3 | Date: Wed, 12 Nov 2014 11:44:39 +0200 | ||
4 | Subject: [PATCH] migration: fix parameter validation on ram load | ||
5 | |||
6 | During migration, the values read from migration stream during ram load | ||
7 | are not validated. Especially offset in host_from_stream_offset() and | ||
8 | also the length of the writes in the callers of said function. | ||
9 | |||
10 | To fix this, we need to make sure that the [offset, offset + length] | ||
11 | range fits into one of the allocated memory regions. | ||
12 | |||
13 | Validating addr < len should be sufficient since data seems to always be | ||
14 | managed in TARGET_PAGE_SIZE chunks. | ||
15 | |||
16 | Fixes: CVE-2014-7840 | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | |||
20 | Note: follow-up patches add extra checks on each block->host access. | ||
21 | |||
22 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
23 | Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> | ||
24 | Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com> | ||
25 | Signed-off-by: Amit Shah <amit.shah@redhat.com> | ||
26 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
27 | --- | ||
28 | arch_init.c | 5 +++-- | ||
29 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
30 | |||
31 | diff --git a/arch_init.c b/arch_init.c | ||
32 | index 88a5ba0..593a990 100644 | ||
33 | --- a/arch_init.c | ||
34 | +++ b/arch_init.c | ||
35 | @@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f, | ||
36 | uint8_t len; | ||
37 | |||
38 | if (flags & RAM_SAVE_FLAG_CONTINUE) { | ||
39 | - if (!block) { | ||
40 | + if (!block || block->length <= offset) { | ||
41 | error_report("Ack, bad migration stream!"); | ||
42 | return NULL; | ||
43 | } | ||
44 | @@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f, | ||
45 | id[len] = 0; | ||
46 | |||
47 | QTAILQ_FOREACH(block, &ram_list.blocks, next) { | ||
48 | - if (!strncmp(id, block->idstr, sizeof(id))) | ||
49 | + if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) { | ||
50 | return memory_region_get_ram_ptr(block->mr) + offset; | ||
51 | + } | ||
52 | } | ||
53 | |||
54 | error_report("Can't find block %s!", id); | ||
55 | -- | ||
56 | 1.9.1 | ||
57 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch new file mode 100644 index 0000000000..d7ae8713ca --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch | |||
@@ -0,0 +1,63 @@ | |||
1 | From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Fri, 25 Sep 2015 13:21:28 +0800 | ||
4 | Subject: [PATCH] virtio: introduce virtqueue_unmap_sg() | ||
5 | |||
6 | Factor out sg unmapping logic. This will be reused by the patch that | ||
7 | can discard descriptor. | ||
8 | |||
9 | Cc: Michael S. Tsirkin <mst@redhat.com> | ||
10 | Cc: Andrew James <andrew.james@hpe.com> | ||
11 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
12 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
13 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | |||
17 | git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c | ||
18 | |||
19 | CVE: CVE-2015-7295 patch #1 | ||
20 | [Yocto # 9013] | ||
21 | |||
22 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
23 | |||
24 | --- | ||
25 | hw/virtio/virtio.c | 14 ++++++++++---- | ||
26 | 1 file changed, 10 insertions(+), 4 deletions(-) | ||
27 | |||
28 | Index: qemu-2.4.0/hw/virtio/virtio.c | ||
29 | =================================================================== | ||
30 | --- qemu-2.4.0.orig/hw/virtio/virtio.c | ||
31 | +++ qemu-2.4.0/hw/virtio/virtio.c | ||
32 | @@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq) | ||
33 | return vring_avail_idx(vq) == vq->last_avail_idx; | ||
34 | } | ||
35 | |||
36 | -void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, | ||
37 | - unsigned int len, unsigned int idx) | ||
38 | +static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, | ||
39 | + unsigned int len) | ||
40 | { | ||
41 | unsigned int offset; | ||
42 | int i; | ||
43 | |||
44 | - trace_virtqueue_fill(vq, elem, len, idx); | ||
45 | - | ||
46 | offset = 0; | ||
47 | for (i = 0; i < elem->in_num; i++) { | ||
48 | size_t size = MIN(len - offset, elem->in_sg[i].iov_len); | ||
49 | @@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const | ||
50 | cpu_physical_memory_unmap(elem->out_sg[i].iov_base, | ||
51 | elem->out_sg[i].iov_len, | ||
52 | 0, elem->out_sg[i].iov_len); | ||
53 | +} | ||
54 | + | ||
55 | +void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, | ||
56 | + unsigned int len, unsigned int idx) | ||
57 | +{ | ||
58 | + trace_virtqueue_fill(vq, elem, len, idx); | ||
59 | + | ||
60 | + virtqueue_unmap_sg(vq, elem, len); | ||
61 | |||
62 | idx = (idx + vring_used_idx(vq)) % vq->vring.num; | ||
63 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch new file mode 100644 index 0000000000..45dfab36ef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Fri, 25 Sep 2015 13:21:29 +0800 | ||
4 | Subject: [PATCH] virtio: introduce virtqueue_discard() | ||
5 | |||
6 | This patch introduces virtqueue_discard() to discard a descriptor and | ||
7 | unmap the sgs. This will be used by the patch that will discard | ||
8 | descriptor when packet is truncated. | ||
9 | |||
10 | Cc: Michael S. Tsirkin <mst@redhat.com> | ||
11 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
12 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
13 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
14 | Upstream-Status: Backport | ||
15 | |||
16 | git.qemu.org/?p=qemu.git;a=commit;h=29b9f5efd78ae0f9cc02dd169b6e80d2c404bade | ||
17 | |||
18 | CVE: CVE-2015-7295 patch #2 | ||
19 | [Yocto # 9013] | ||
20 | |||
21 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
22 | |||
23 | --- | ||
24 | hw/virtio/virtio.c | 7 +++++++ | ||
25 | include/hw/virtio/virtio.h | 2 ++ | ||
26 | 2 files changed, 9 insertions(+) | ||
27 | |||
28 | Index: qemu-2.4.0/hw/virtio/virtio.c | ||
29 | =================================================================== | ||
30 | --- qemu-2.4.0.orig/hw/virtio/virtio.c | ||
31 | +++ qemu-2.4.0/hw/virtio/virtio.c | ||
32 | @@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue | ||
33 | 0, elem->out_sg[i].iov_len); | ||
34 | } | ||
35 | |||
36 | +void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, | ||
37 | + unsigned int len) | ||
38 | +{ | ||
39 | + vq->last_avail_idx--; | ||
40 | + virtqueue_unmap_sg(vq, elem, len); | ||
41 | +} | ||
42 | + | ||
43 | void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, | ||
44 | unsigned int len, unsigned int idx) | ||
45 | { | ||
46 | Index: qemu-2.4.0/include/hw/virtio/virtio.h | ||
47 | =================================================================== | ||
48 | --- qemu-2.4.0.orig/include/hw/virtio/virtio.h | ||
49 | +++ qemu-2.4.0/include/hw/virtio/virtio.h | ||
50 | @@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev | ||
51 | void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem, | ||
52 | unsigned int len); | ||
53 | void virtqueue_flush(VirtQueue *vq, unsigned int count); | ||
54 | +void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, | ||
55 | + unsigned int len); | ||
56 | void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, | ||
57 | unsigned int len, unsigned int idx); | ||
58 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch new file mode 100644 index 0000000000..74442e32f5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From 0cf33fb6b49a19de32859e2cdc6021334f448fb3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Fri, 25 Sep 2015 13:21:30 +0800 | ||
4 | Subject: [PATCH] virtio-net: correctly drop truncated packets | ||
5 | |||
6 | When packet is truncated during receiving, we drop the packets but | ||
7 | neither discard the descriptor nor add and signal used | ||
8 | descriptor. This will lead several issues: | ||
9 | |||
10 | - sg mappings are leaked | ||
11 | - rx will be stalled if a lots of packets were truncated | ||
12 | |||
13 | In order to be consistent with vhost, fix by discarding the descriptor | ||
14 | in this case. | ||
15 | |||
16 | Cc: Michael S. Tsirkin <mst@redhat.com> | ||
17 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
18 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
19 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
20 | |||
21 | Upstream-Status: Backport | ||
22 | |||
23 | git.qemu.org/?p=qemu.git;a=commit;h=0cf33fb6b49a19de32859e2cdc6021334f448fb3 | ||
24 | |||
25 | CVE: CVE-2015-7295 patch #3 | ||
26 | [Yocto # 9013] | ||
27 | |||
28 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
29 | |||
30 | --- | ||
31 | hw/net/virtio-net.c | 8 +------- | ||
32 | 1 file changed, 1 insertion(+), 7 deletions(-) | ||
33 | |||
34 | Index: qemu-2.4.0/hw/net/virtio-net.c | ||
35 | =================================================================== | ||
36 | --- qemu-2.4.0.orig/hw/net/virtio-net.c | ||
37 | +++ qemu-2.4.0/hw/net/virtio-net.c | ||
38 | @@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetCli | ||
39 | * must have consumed the complete packet. | ||
40 | * Otherwise, drop it. */ | ||
41 | if (!n->mergeable_rx_bufs && offset < size) { | ||
42 | -#if 0 | ||
43 | - error_report("virtio-net truncated non-mergeable packet: " | ||
44 | - "i %zd mergeable %d offset %zd, size %zd, " | ||
45 | - "guest hdr len %zd, host hdr len %zd", | ||
46 | - i, n->mergeable_rx_bufs, | ||
47 | - offset, size, n->guest_hdr_len, n->host_hdr_len); | ||
48 | -#endif | ||
49 | + virtqueue_discard(q->rx_vq, &elem, total); | ||
50 | return size; | ||
51 | } | ||
52 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch new file mode 100644 index 0000000000..90a7947abb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch | |||
@@ -0,0 +1,56 @@ | |||
1 | From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Fri, 20 Nov 2015 11:50:31 +0530 | ||
4 | Subject: [PATCH] net: pcnet: add check to validate receive data | ||
5 | size(CVE-2015-7504) | ||
6 | |||
7 | In loopback mode, pcnet_receive routine appends CRC code to the | ||
8 | receive buffer. If the data size given is same as the buffer size, | ||
9 | the appended CRC code overwrites 4 bytes after s->buffer. Added a | ||
10 | check to avoid that. | ||
11 | |||
12 | Reported by: Qinghao Tang <luodalongde@gmail.com> | ||
13 | Cc: qemu-stable@nongnu.org | ||
14 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
15 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
16 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | |||
20 | http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7 | ||
21 | |||
22 | CVE: CVE-2015-7504 | ||
23 | [Yocto # 9013] | ||
24 | |||
25 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
26 | |||
27 | --- | ||
28 | hw/net/pcnet.c | 8 +++++--- | ||
29 | 1 file changed, 5 insertions(+), 3 deletions(-) | ||
30 | |||
31 | Index: qemu-2.4.0/hw/net/pcnet.c | ||
32 | =================================================================== | ||
33 | --- qemu-2.4.0.orig/hw/net/pcnet.c | ||
34 | +++ qemu-2.4.0/hw/net/pcnet.c | ||
35 | @@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc | ||
36 | uint32_t fcs = ~0; | ||
37 | uint8_t *p = src; | ||
38 | |||
39 | - while (p != &src[size-4]) | ||
40 | + while (p != &src[size]) | ||
41 | CRC(fcs, *p++); | ||
42 | crc_err = (*(uint32_t *)p != htonl(fcs)); | ||
43 | } | ||
44 | @@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s | ||
45 | bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); | ||
46 | |||
47 | /* if multi-tmd packet outsizes s->buffer then skip it silently. | ||
48 | - Note: this is not what real hw does */ | ||
49 | - if (s->xmit_pos + bcnt > sizeof(s->buffer)) { | ||
50 | + * Note: this is not what real hw does. | ||
51 | + * Last four bytes of s->buffer are used to store CRC FCS code. | ||
52 | + */ | ||
53 | + if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) { | ||
54 | s->xmit_pos = -1; | ||
55 | goto txdone; | ||
56 | } | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch new file mode 100644 index 0000000000..50b8a6cee8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jason Wang <jasowang@redhat.com> | ||
3 | Date: Mon, 30 Nov 2015 15:00:06 +0800 | ||
4 | Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512) | ||
5 | |||
6 | Backends could provide a packet whose length is greater than buffer | ||
7 | size. Check for this and truncate the packet to avoid rx buffer | ||
8 | overflow in this case. | ||
9 | |||
10 | Cc: Prasad J Pandit <pjp@fedoraproject.org> | ||
11 | Cc: qemu-stable@nongnu.org | ||
12 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
14 | |||
15 | Upsteam_Status: Backport | ||
16 | |||
17 | http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343 | ||
18 | |||
19 | CVE: CVE-2015-7512 | ||
20 | [Yocto # 9013] | ||
21 | |||
22 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
23 | |||
24 | --- | ||
25 | hw/net/pcnet.c | 6 ++++++ | ||
26 | 1 file changed, 6 insertions(+) | ||
27 | |||
28 | Index: qemu-2.4.0/hw/net/pcnet.c | ||
29 | =================================================================== | ||
30 | --- qemu-2.4.0.orig/hw/net/pcnet.c | ||
31 | +++ qemu-2.4.0/hw/net/pcnet.c | ||
32 | @@ -1065,6 +1065,12 @@ ssize_t pcnet_receive(NetClientState *nc | ||
33 | int pktcount = 0; | ||
34 | |||
35 | if (!s->looptest) { | ||
36 | + if (size > 4092) { | ||
37 | +#ifdef PCNET_DEBUG_RMD | ||
38 | + fprintf(stderr, "pcnet: truncates rx packet.\n"); | ||
39 | +#endif | ||
40 | + size = 4092; | ||
41 | + } | ||
42 | memcpy(src, buf, size); | ||
43 | /* no need to compute the CRC */ | ||
44 | src[size] = 0; | ||
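Review bot: The metadata header of the new CVE-2015-7512.patch reads `Upsteam_Status: Backport`, whereas every other patch added in this commit and the Yocto patch-metadata checks use the key `Upstream-Status:`, so this file will be flagged as lacking an upstream status. Change that line to `Upstream-Status: Backport`. The hunk body itself matches the referenced upstream commit; the hard-coded 4092 is presumably the receive buffer size minus the four CRC bytes that the sibling CVE-2015-7504 patch reserves, but s->buffer's declaration is not visible here, so confirm before relying on that reading.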
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch new file mode 100644 index 0000000000..310b458a0c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001 | ||
2 | From: Stefan Weil <sw@weilnetz.de> | ||
3 | Date: Fri, 20 Nov 2015 08:42:33 +0100 | ||
4 | Subject: [PATCH] eepro100: Prevent two endless loops | ||
5 | |||
6 | http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html | ||
7 | shows an example how an endless loop in function action_command can | ||
8 | be achieved. | ||
9 | |||
10 | During my code review, I noticed a 2nd case which can result in an | ||
11 | endless loop. | ||
12 | |||
13 | Reported-by: Qinghao Tang <luodalongde@gmail.com> | ||
14 | Signed-off-by: Stefan Weil <sw@weilnetz.de> | ||
15 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
16 | |||
17 | Upstream-Status: Backport | ||
18 | |||
19 | http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24 | ||
20 | |||
21 | CVE: CVE-2015-8345 | ||
22 | [Yocto # 9013] | ||
23 | |||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | --- | ||
27 | hw/net/eepro100.c | 16 ++++++++++++++++ | ||
28 | 1 file changed, 16 insertions(+) | ||
29 | |||
30 | diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c | ||
31 | index 60333b7..685a478 100644 | ||
32 | --- a/hw/net/eepro100.c | ||
33 | +++ b/hw/net/eepro100.c | ||
34 | @@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s) | ||
35 | #if 0 | ||
36 | uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); | ||
37 | #endif | ||
38 | + if (tx_buffer_size == 0) { | ||
39 | + /* Prevent an endless loop. */ | ||
40 | + logout("loop in %s:%u\n", __FILE__, __LINE__); | ||
41 | + break; | ||
42 | + } | ||
43 | tbd_address += 8; | ||
44 | TRACE(RXTX, logout | ||
45 | ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n", | ||
46 | @@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s) | ||
47 | |||
48 | static void action_command(EEPRO100State *s) | ||
49 | { | ||
50 | + /* The loop below won't stop if it gets special handcrafted data. | ||
51 | + Therefore we limit the number of iterations. */ | ||
52 | + unsigned max_loop_count = 16; | ||
53 | + | ||
54 | for (;;) { | ||
55 | bool bit_el; | ||
56 | bool bit_s; | ||
57 | @@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s) | ||
58 | #if 0 | ||
59 | bool bit_sf = ((s->tx.command & COMMAND_SF) != 0); | ||
60 | #endif | ||
61 | + | ||
62 | + if (max_loop_count-- == 0) { | ||
63 | + /* Prevent an endless loop. */ | ||
64 | + logout("loop in %s:%u\n", __FILE__, __LINE__); | ||
65 | + break; | ||
66 | + } | ||
67 | + | ||
68 | s->cu_offset = s->tx.link; | ||
69 | TRACE(OTHER, | ||
70 | logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n", | ||
71 | -- | ||
72 | 2.3.5 | ||
73 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch new file mode 100644 index 0000000000..9e660217ff --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch | |||
@@ -0,0 +1,51 @@ | |||
1 | From 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 3 Dec 2015 18:54:17 +0530 | ||
4 | Subject: [PATCH] ui: vnc: avoid floating point exception | ||
5 | |||
6 | While sending 'SetPixelFormat' messages to a VNC server, | ||
7 | the client could set the 'red-max', 'green-max' and 'blue-max' | ||
8 | values to be zero. This leads to a floating point exception in | ||
9 | write_png_palette while doing frame buffer updates. | ||
10 | |||
11 | Reported-by: Lian Yihan <lianyihan@360.cn> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Reviewed-by: Gerd Hoffmann <kraxel@redhat.com> | ||
14 | Signed-off-by: Peter Maydell <peter.maydell@linaro.org> | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | |||
18 | http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8 | ||
19 | |||
20 | CVE: CVE-2015-8504 | ||
21 | [Yocto # 9013] | ||
22 | |||
23 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
24 | |||
25 | --- | ||
26 | ui/vnc.c | 6 +++--- | ||
27 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
28 | |||
29 | Index: qemu-2.4.0/ui/vnc.c | ||
30 | =================================================================== | ||
31 | --- qemu-2.4.0.orig/ui/vnc.c | ||
32 | +++ qemu-2.4.0/ui/vnc.c | ||
33 | @@ -2189,15 +2189,15 @@ static void set_pixel_format(VncState *v | ||
34 | return; | ||
35 | } | ||
36 | |||
37 | - vs->client_pf.rmax = red_max; | ||
38 | + vs->client_pf.rmax = red_max ? red_max : 0xFF; | ||
39 | vs->client_pf.rbits = hweight_long(red_max); | ||
40 | vs->client_pf.rshift = red_shift; | ||
41 | vs->client_pf.rmask = red_max << red_shift; | ||
42 | - vs->client_pf.gmax = green_max; | ||
43 | + vs->client_pf.gmax = green_max ? green_max : 0xFF; | ||
44 | vs->client_pf.gbits = hweight_long(green_max); | ||
45 | vs->client_pf.gshift = green_shift; | ||
46 | vs->client_pf.gmask = green_max << green_shift; | ||
47 | - vs->client_pf.bmax = blue_max; | ||
48 | + vs->client_pf.bmax = blue_max ? blue_max : 0xFF; | ||
49 | vs->client_pf.bbits = hweight_long(blue_max); | ||
50 | vs->client_pf.bshift = blue_shift; | ||
51 | vs->client_pf.bmask = blue_max << blue_shift; | ||
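Review bot: The fallback in set_pixel_format substitutes 0xFF only into the `*max` fields, while the `*bits` and `*mask` assignments on the following lines still use the raw zero the client sent, so a zero red_max now produces rmax = 0xFF alongside rbits = 0 and rmask = 0 (assuming hweight_long is a popcount). That removes the division by zero described in the commit message but leaves the client pixel format internally inconsistent; substituting before the block, e.g. `red_max = red_max ? red_max : 0xFF;` (and likewise for green/blue), or rejecting the SetPixelFormat message when any max is zero would keep the three fields coherent. The enclosing function continues outside the hunk, and since this is upstream's fix as backported, any change here would be a deliberate divergence to record in the patch header.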
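--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
@@ -0,0 +1,46 @@
+From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 11 Jan 2016 14:10:42 -0500
+Subject: [PATCH] ide: ahci: reset ncq object to unused on error
+
+When processing NCQ commands, AHCI device emulation prepares a
+NCQ transfer object; To which an aio control block(aiocb) object
+is assigned in 'execute_ncq_command'. In case, when the NCQ
+command is invalid, the 'aiocb' object is not assigned, and NCQ
+transfer object is left as 'used'. This leads to a use after
+free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
+Reset NCQ transfer object to 'unused' to avoid it.
+
+[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab
+
+CVE: CVE-2016-1568
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/ide/ahci.c | 1 +
+1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.4.0.orig/hw/ide/ahci.c
++++ qemu-2.4.0/hw/ide/ahci.c
+@@ -898,6 +898,7 @@ static void ncq_err(NCQTransferState *nc
+ide_state->error = ABRT_ERR;
+ide_state->status = READY_STAT | ERR_STAT;
+ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
++ ncq_tfs->used = 0;
+}
+
+static void ncq_finish(NCQTransferState *ncq_tfs)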
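Review bot: The added `ncq_tfs->used = 0;` in ncq_err carries no explanation of why the slot is released on the error path, and the reason is not obvious from the three surrounding lines. A short comment would tell the next reader what the reset prevents: `/* Release the slot: no aiocb was assigned, so a later port reset must not try to cancel one. */`. Whether `ncq_tfs->aiocb` should also be cleared here cannot be told from the hunk; ncq_err begins before the hunk starts.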
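--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
@@ -0,0 +1,59 @@
+From: Prasad J Pandit <address@hidden>
+
+When IDE AHCI emulation uses Frame Information Structures(FIS)
+engine for data transfer, the mapped FIS buffer address is stored
+in a static 'bounce.buffer'. When a request is made to map another
+memory region, address_space_map() returns NULL because
+'bounce.buffer' is in_use. It leads to a null pointer dereference
+error while doing 'dma_memory_unmap'. Add a check to avoid it.
+
+Reported-by: Zuozhi fzz <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05740.html
+
+CVE: CVE-2016-2197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/ide/ahci.c | 16 ++++++++++------
+1 file changed, 10 insertions(+), 6 deletions(-)
+
+Update as per review
+-> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05715.html
+
+Index: qemu-2.5.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/ide/ahci.c
++++ qemu-2.5.0/hw/ide/ahci.c
+@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDev
+
+static void ahci_unmap_fis_address(AHCIDevice *ad)
+{
+- dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+- DMA_DIRECTION_FROM_DEVICE, 256);
+- ad->res_fis = NULL;
++ if (ad->res_fis) {
++ dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
++ DMA_DIRECTION_FROM_DEVICE, 256);
++ ad->res_fis = NULL;
++ }
+}
+
+static bool ahci_map_clb_address(AHCIDevice *ad)
+@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDev
+
+static void ahci_unmap_clb_address(AHCIDevice *ad)
+{
+- dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+- DMA_DIRECTION_FROM_DEVICE, 1024);
+- ad->lst = NULL;
++ if (ad->lst) {
++ dma_memory_unmap(ad->hba->as, ad->lst, 1024,
++ DMA_DIRECTION_FROM_DEVICE, 1024);
++ ad->lst = NULL;
++ }
+}
+
+static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)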
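Review bot: The patch headers `Index: qemu-2.5.0/hw/ide/ahci.c` and `--- qemu-2.5.0.orig/hw/ide/ahci.c` name qemu 2.5.0, while this commit upgrades the recipe to 2.4.0, so the hunk offsets (661 and 677) may not match the 2.4.0 source; confirm the patch applies there without fuzz. The same applies to CVE-2016-2198.patch, whose headers also name qemu-2.5.0. The two NULL guards themselves are correct as written, but the 256 and 1024 lengths are repeated between the map and unmap sides; a named constant shared with the map functions (which begin outside these hunks) would keep the two sides from drifting apart.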
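--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
@@ -0,0 +1,45 @@
+From: Prasad J Pandit <address@hidden>
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html
+
+CVE: CVE-2016-2198
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/hcd-ehci.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+Index: qemu-2.5.0/hw/usb/hcd-ehci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/usb/hcd-ehci.c
++++ qemu-2.5.0/hw/usb/hcd-ehci.c
+@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr
+return s->caps[addr];
+}
+
++static void ehci_caps_write(void *ptr, hwaddr addr,
++ uint64_t val, unsigned size)
++{
++}
++
+static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+unsigned size)
+{
+@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaqu
+
+static const MemoryRegionOps ehci_mmio_caps_ops = {
+.read = ehci_caps_read,
++ .write = ehci_caps_write,
+.valid.min_access_size = 1,
+.valid.max_access_size = 4,
+.impl.min_access_size = 1,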
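Review bot: The empty body of ehci_caps_write gives no hint that dropping the write is deliberate, and the unused parameters read like an unfinished stub. A one-line comment in the body would make the intent explicit: `/* Capability registers are read-only; guest writes are intentionally ignored. */`. Since a guest writing this region is a protocol violation rather than normal driver behaviour, reporting it with `qemu_log_mask(LOG_GUEST_ERROR, ...)` instead of silently discarding it would help diagnose misbehaving guests, if that facility is available in the 2.4.0 tree.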
diff --git a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch index 7f1c5a9058..1a6cf5119b 100644 --- a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch +++ b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch | |||
@@ -14,27 +14,33 @@ Signed-off-by: Jiang Lu <lu.jiang@windriver.com> | |||
14 | Updated it on 2014-01-15 for rebasing | 14 | Updated it on 2014-01-15 for rebasing |
15 | 15 | ||
16 | Signed-off-by: Robert Yang <liezhi.yang@windriver.com> | 16 | Signed-off-by: Robert Yang <liezhi.yang@windriver.com> |
17 | |||
18 | Update it when upgrade qemu to 2.2.0 | ||
19 | |||
20 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
21 | Signed-off-by: Cristian Iorga <cristian.iorga@intel.com> | ||
17 | --- | 22 | --- |
18 | hw/arm/versatilepb.c | 6 ++++++ | 23 | hw/arm/versatilepb.c | 7 +++++++ |
19 | 1 file changed, 6 insertions(+) | 24 | 1 file changed, 7 insertions(+) |
20 | 25 | ||
21 | diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c | 26 | diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c |
22 | index b48d84c..ad2cd5a 100644 | 27 | index 6c69f4e..9278d90 100644 |
23 | --- a/hw/arm/versatilepb.c | 28 | --- a/hw/arm/versatilepb.c |
24 | +++ b/hw/arm/versatilepb.c | 29 | +++ b/hw/arm/versatilepb.c |
25 | @@ -199,6 +199,12 @@ static void versatile_init(QEMUMachineInitArgs *args, int board_id) | 30 | @@ -204,6 +204,13 @@ static void versatile_init(MachineState *machine, int board_id) |
26 | fprintf(stderr, "Unable to find CPU definition\n"); | ||
27 | exit(1); | 31 | exit(1); |
28 | } | 32 | } |
29 | + if (ram_size > (256 << 20)) { | 33 | |
34 | + if (machine->ram_size > (256 << 20)) { | ||
30 | + fprintf(stderr, | 35 | + fprintf(stderr, |
31 | + "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n", | 36 | + "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n", |
32 | + ((unsigned int)ram_size / (1 << 20))); | 37 | + ((unsigned int)ram_size / (1 << 20))); |
33 | + exit(1); | 38 | + exit(1); |
34 | + } | 39 | + } |
35 | memory_region_init_ram(ram, NULL, "versatile.ram", machine->ram_size); | 40 | + |
36 | vmstate_register_ram_global(ram); | 41 | cpuobj = object_new(object_class_get_name(cpu_oc)); |
37 | /* ??? RAM should repeat to fill physical memory space. */ | 42 | |
43 | /* By default ARM1176 CPUs have EL3 enabled. This board does not | ||
38 | -- | 44 | -- |
39 | 1.7.10.4 | 45 | 2.1.0 |
40 | 46 | ||
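Review bot: The new check `+ if (machine->ram_size > (256 << 20)) {` compares machine->ram_size, but the diagnostic three lines later still prints the global `ram_size` (`((unsigned int)ram_size / (1 << 20))`), so the check and the message read different variables; use `machine->ram_size` in both. The `%d` conversion is also paired with an `unsigned int` argument, so `%u` is the matching specifier. Which of these lines are old and which new cannot be told with certainty from the side-by-side rendering, so this applies to whichever version of the patch is retained. versatile_init begins and ends outside the hunk.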
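--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Pending
+
+Add subpackage -ptest which runs all unit test cases for qemu.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+tests/Makefile | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/tests/Makefile b/tests/Makefile
+index 88f7105..3f40b4b 100644
+--- a/tests/Makefile
++++ b/tests/Makefile
+@@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+
+-include $(wildcard tests/*.d)
+-include $(wildcard tests/libqos/*.d)
++
++buildtest-TESTS: $(check-unit-y)
++
++runtest-TESTS:
++ for f in $(check-unit-y); do \
++ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
++ $$nf; \
++ done
++
+--
+1.7.9.5
+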
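Review bot: The `runtest-TESTS` loop runs each test as `$$nf; \` and discards its exit status, so a failing unit test neither fails the target nor produces a FAIL marker for the ptest harness to pick up. Recording the result inline keeps the rule small: `$$nf || echo "FAIL: $$nf"; \`. The rule starts at the hunk's `runtest-TESTS:` line and is complete within the hunk.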
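--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
@@ -0,0 +1,76 @@
+From 697a834c35d19447b7dcdb9e1d9434bc6ce17c21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
+Date: Wed, 12 Aug 2015 15:11:30 -0500
+Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add custom_debug.h with function for print backtrace information.
+When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
+current cpu information.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
+---
+cpus.c | 5 +++++
+custom_debug.h | 24 ++++++++++++++++++++++++
+2 files changed, 29 insertions(+)
+create mode 100644 custom_debug.h
+
+diff --git a/cpus.c b/cpus.c
+index a822ce3..7e4786e 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1080,6 +1080,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+return NULL;
+}
+
++#include "custom_debug.h"
++
+static void qemu_cpu_kick_thread(CPUState *cpu)
+{
+#ifndef _WIN32
+@@ -1088,6 +1090,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+err = pthread_kill(cpu->thread->thread, SIG_IPI);
+if (err) {
+fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
++ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
++ cpu_dump_state(cpu, stderr, fprintf, 0);
++ backtrace_print();
+exit(1);
+}
+#else /* _WIN32 */
+diff --git a/custom_debug.h b/custom_debug.h
+new file mode 100644
+index 0000000..f029e45
+--- /dev/null
++++ b/custom_debug.h
+@@ -0,0 +1,24 @@
++#include <execinfo.h>
++#include <stdio.h>
++#define BACKTRACE_MAX 128
++static void backtrace_print(void)
++{
++ int nfuncs = 0;
++ void *buf[BACKTRACE_MAX];
++ char **symbols;
++ int i;
++
++ nfuncs = backtrace(buf, BACKTRACE_MAX);
++
++ symbols = backtrace_symbols(buf, nfuncs);
++ if (symbols == NULL) {
++ fprintf(stderr, "backtrace_print failed to get symbols");
++ return;
++ }
++
++ fprintf(stderr, "Backtrace ...\n");
++ for (i = 0; i < nfuncs; i++)
++ fprintf(stderr, "%s\n", symbols[i]);
++
++ free(symbols);
++}
+--
+1.9.1
+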
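Review bot: The first added line `fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);` follows the existing `fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));`, which has no trailing newline, so the CPU header is appended to the end of the strerror text on the same output line; the same missing `\n` affects `"backtrace_print failed to get symbols"` in custom_debug.h. custom_debug.h also calls `free()` while including only `<execinfo.h>` and `<stdio.h>`, and has no include guard, so it presumably compiles only because cpus.c already has `<stdlib.h>` in scope at the point of the mid-file `#include`; adding `#include <stdlib.h>` and a guard would make the header self-contained. qemu_cpu_kick_thread continues outside the hunk.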
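--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Submitted
+
+From f354b9333408d411854af058cc44cceda60b4473 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
+Date: Thu, 3 Sep 2015 14:07:34 -0500
+Subject: [PATCH] cpus.c: qemu_mutex_lock_iothread fix race condition at cpu
+thread init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When QEMU starts the RCU thread executes qemu_mutex_lock_thread
+causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.
+
+This isn't occur frequently but in glibc the thread id can exist and
+this not guarantee that the thread is on active/running state. If is
+inserted a sleep(1) after newthread assignment [1] the issue appears.
+
+So not make assumption that thread exist if first_cpu->thread is set
+then change the validation of cpu to created that is set into cpu
+threads (kvm, tcg, dummy).
+
+[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621
+
+Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
+---
+cpus.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpus.c b/cpus.c
+index 7e4786e..05e5400 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1171,7 +1171,7 @@ void qemu_mutex_lock_iothread(void)
+* TCG code execution.
+*/
+if (!tcg_enabled() || qemu_in_vcpu_thread() ||
+- !first_cpu || !first_cpu->thread) {
++ !first_cpu || !first_cpu->created) {
+qemu_mutex_lock(&qemu_global_mutex);
+atomic_dec(&iothread_requesting_mutex);
+} else {
+--
+1.9.1
+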
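Review bot: The new condition `!first_cpu->created` reads a field that, per the description, is set from the vCPU threads, yet the hunk shows no lock or barrier around this read; if `created` is written under qemu_global_mutex and read here before that mutex is taken, the read is unordered with respect to the write. Whether the resulting stale value is harmless depends on how `created` is published elsewhere in cpus.c, which is outside the hunk, so confirm that and record the assumption in a comment such as `/* created is published by the vCPU thread; a stale read only changes which lock path is taken */` once verified. qemu_mutex_lock_iothread starts and ends outside the hunk.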
diff --git a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch index 171bda7e95..171bda7e95 100644 --- a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch +++ b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch | |||
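--- a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-This patch is taken from debian. 128M is too less sometimes if distro
-with lot of packages is booted so this patch raises the default to 384M
-
-It has not been applied to upstream qemu
-
-Khem Raj <raj.khem@gmail.com>
-
-Upstream-Status: Pending
-
-Index: qemu-0.14.0/vl.c
-===================================================================
---- qemu-0.14.0.orig/vl.c
-+++ qemu-0.14.0/vl.c
-@@ -168,7 +168,7 @@ int main(int argc, char **argv)
-//#define DEBUG_NET
-//#define DEBUG_SLIRP
-
--#define DEFAULT_RAM_SIZE 128
-+#define DEFAULT_RAM_SIZE 384
-
-#define MAX_VIRTIO_CONSOLES 1
-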
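--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
@@ -0,0 +1,19 @@
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/configure b/configure
+index b3c4f51..4d3929e 100755
+--- a/configure
++++ b/configure
+@@ -4193,9 +4192,0 @@ valgrind_h=no
+-cat > $TMPC << EOF
+-#include <valgrind/valgrind.h>
+-int main(void) {
+- return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+- valgrind_h=yes
+-fi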
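--- a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-qemu: CVE-2015-3456
-
-the patch comes from:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
-http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
-
-fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
-Signed-off-by: Li Wang <li.wang@windriver.com>
-
-Upstream-Status: Backport
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
-hw/block/fdc.c | 17 +++++++++++------
-1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index 490d127..045459e 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-{
-FDrive *cur_drv;
-uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-
-cur_drv = get_cur_drv(fdctrl);
-fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-return 0;
-}
-pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
-if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
-if (pos == 0) {
-if (fdctrl->data_pos != 0)
-if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
-static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
-{
-FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
-/* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
-fdctrl->fifo[0] = fdctrl->fifo[1];
-fdctrl->fifo[2] = 0;
-fdctrl->fifo[3] = 0;
-@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
-static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-{
-FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-
-/* Reset mode */
-if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-}
-
-FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
-if (fdctrl->data_pos == fdctrl->data_len) {
-/* We now have all parameters
-* and will be able to treat the command
---
-1.7.9.5
-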
diff --git a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch index c7425ab8d4..c7425ab8d4 100644 --- a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch +++ b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch | |||
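--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+ptestdir=$(pwd)
+cd tests
+
+export SRC_PATH=$ptestdir
+make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'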
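Review bot: `cd tests` on line 5 is unchecked, so if the directory is missing the `make` on line 8 runs from the wrong directory; `cd tests || exit 1` stops that. The pipeline on line 8 also exits with sed's status rather than make's, and only tags `: OK` lines as PASS, so a failing test is neither reported as FAIL nor reflected in the script's exit code; the ptest harness expects explicit `PASS:`/`FAIL:` lines for every test.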
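--- a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Thu, 18 Sep 2014 08:35:37 +0200
-Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
-uninitialized socket
-
-When guest sends udp packet with source port and source addr 0,
-uninitialized socket is picked up when looking for matching and already
-created udp sockets, and later passed to sosendto() where NULL pointer
-dereference is hit during so->slirp->vnetwork_mask.s_addr access.
-
-Fix this by checking that the socket is not just a socket stub.
-
-This is CVE-2014-3640.
-
-Upstream-Status: Backport
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
-Reported-by: Stephane Duverger <stephane.duverger@eads.net>
-Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-slirp/udp.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/slirp/udp.c b/slirp/udp.c
-index 8cc6cb6..f77e00f 100644
---- a/slirp/udp.c
-+++ b/slirp/udp.c
-@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
-* Locate pcb for datagram.
-*/
-so = slirp->udp_last_so;
-- if (so->so_lport != uh->uh_sport ||
-+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
-so->so_laddr.s_addr != ip->ip_src.s_addr) {
-struct socket *tmp;
-
---
-1.9.1
-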
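--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
@@ -0,0 +1,74 @@
+The smc91c111.c driver appears to have several issues. The can_receive()
+function can return that the driver is ready when rx_fifo has not been
+freed yet. There is also no sanity check of rx_fifo() in _receive() which
+can lead to corruption of the rx_fifo array.
+
+release_packet() can also call qemu_flush_queued_packets() before rx_fifo
+has been cleaned up, resulting in cases where packets are submitted
+for which there is not yet any space.
+
+This patch therefore:
+
+* fixes the logic in can_receive()
+* adds logic to receive() as a sanity check
+* moves the flush() calls to the correct places where data is ready
+to be received
+
+Upstream-Status: Pending [discussion in progress on mailing list]
+RP 2015/9/7
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -185,7 +185,6 @@ static void smc91c111_release_packet(smc
+s->allocated &= ~(1 << packet);
+if (s->tx_alloc == 0x80)
+smc91c111_tx_alloc(s);
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
+}
+
+/* Flush the TX FIFO. */
+@@ -237,9 +236,11 @@ static void smc91c111_do_tx(smc91c111_st
+}
+}
+#endif
+- if (s->ctr & CTR_AUTO_RELEASE)
++ if (s->ctr & CTR_AUTO_RELEASE) {
+/* Race? */
+smc91c111_release_packet(s, packetnum);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ }
+else if (s->tx_fifo_done_len < NUM_PACKETS)
+s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
+qemu_send_packet(qemu_get_queue(s->nic), p, len);
+@@ -379,9 +380,11 @@ static void smc91c111_writeb(void *opaqu
+smc91c111_release_packet(s, s->rx_fifo[0]);
+}
+smc91c111_pop_rx_fifo(s);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
+break;
+case 5: /* Release. */
+smc91c111_release_packet(s, s->packet_num);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
+break;
+case 6: /* Add to TX FIFO. */
+smc91c111_queue_tx(s, s->packet_num);
+@@ -642,7 +642,7 @@ static int smc91c111_can_receive(NetClie
+
+if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+return 1;
+- if (s->allocated == (1 << NUM_PACKETS) - 1)
++ if ((s->allocated == (1 << NUM_PACKETS) - 1) || (s->rx_fifo_len == NUM_PACKETS))
+return 0;
+return 1;
+}
+@@ -671,6 +671,8 @@ static ssize_t smc91c111_receive(NetClie
+/* TODO: Flag overrun and receive errors. */
+if (packetsize > 2048)
+return -1;
++ if (s->rx_fifo_len == NUM_PACKETS)
++ return -1;
+packetnum = smc91c111_allocate_packet(s);
+if (packetnum == 0x80)
+return -1;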
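Review bot: This patch removes the `qemu_flush_queued_packets(qemu_get_queue(s->nic));` line from smc91c111_release_packet (hunk `@@ -185,7 +185,6 @@`), but smc91c111_fix1.patch's hunk at `@@ -185,7 +203,7 @@` expects that exact line to still be present in order to replace it, and smc91c111_fix2.patch adds the same `rx_fifo_len == NUM_PACKETS` test to can_receive that this patch already adds; if the recipe applies all three, the later two cannot apply cleanly, so confirm which of the two series the recipe actually selects. In the do_tx hunk the closing `}` and the following `else if` sit on separate lines, which is not the `} else if (...)` form used elsewhere in QEMU, and the `else if` branch is still unbraced after braces were added to the `if`. smc91c111_do_tx continues outside the hunk.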
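--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
@@ -0,0 +1,85 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+Subject: [RFT PATCH v1 1/3] net: smc91c111: guard flush_queued_packets() on
+can_rx()
+Date: Thu, 10 Sep 2015 21:23:43 -0700
+
+Check that the core can once again receive packets before asking the
+net layer to do a flush. This will make it more convenient to flush
+packets when adding new conditions to can_receive.
+
+Add missing if braces while moving the can_receive() core code.
+
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+
+---
+
+hw/net/smc91c111.c | 30 ++++++++++++++++++++++--------
+1 file changed, 22 insertions(+), 8 deletions(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -124,6 +124,24 @@ static void smc91c111_update(smc91c111_s
+qemu_set_irq(s->irq, level);
+}
+
++static int smc91c111_can_receive(smc91c111_state *s)
++{
++ if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
++ return 1;
++ }
++ if (s->allocated == (1 << NUM_PACKETS) - 1) {
++ return 0;
++ }
++ return 1;
++}
++
++static inline void smc91c111_flush_queued_packets(smc91c111_state *s)
++{
++ if (smc91c111_can_receive(s)) {
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ }
++}
++
+/* Try to allocate a packet. Returns 0x80 on failure. */
+static int smc91c111_allocate_packet(smc91c111_state *s)
+{
+@@ -185,7 +203,7 @@ static void smc91c111_release_packet(smc
+s->allocated &= ~(1 << packet);
+if (s->tx_alloc == 0x80)
+smc91c111_tx_alloc(s);
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ smc91c111_flush_queued_packets(s);
+}
+
+/* Flush the TX FIFO. */
+@@ -636,15 +654,11 @@ static uint32_t smc91c111_readl(void *op
+return val;
+}
+
+-static int smc91c111_can_receive(NetClientState *nc)
++static int smc91c111_can_receive_nc(NetClientState *nc)
+{
+smc91c111_state *s = qemu_get_nic_opaque(nc);
+
+- if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+- return 1;
+- if (s->allocated == (1 << NUM_PACKETS) - 1)
+- return 0;
+- return 1;
++ return smc91c111_can_receive(s);
+}
+
+static ssize_t smc91c111_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+@@ -739,7 +753,7 @@ static const MemoryRegionOps smc91c111_m
+static NetClientInfo net_smc91c111_info = {
+.type = NET_CLIENT_OPTIONS_KIND_NIC,
+.size = sizeof(NICState),
+- .can_receive = smc91c111_can_receive,
++ .can_receive = smc91c111_can_receive_nc,
+.receive = smc91c111_receive,
+};
+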
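--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
@@ -0,0 +1,46 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+X-Google-Original-From: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
+having a slot
+Date: Thu, 10 Sep 2015 21:23:57 -0700
+
+Return false from can_receive() when the FIFO doesn't have a free RX
+slot. This fixes a bug in the current code where the allocated buffer
+is freed before the fifo pop, triggering a premature flush of queued RX
+packets. It also will handle a corner case, where the guest manually
+frees the allocated buffer before popping the rx FIFO (hence it is not
+enough to just delay the flush_queued_packets()).
+
+Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+---
+
+hw/net/smc91c111.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
+if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
+return 1;
+}
+- if (s->allocated == (1 << NUM_PACKETS) - 1) {
++ if (s->allocated == (1 << NUM_PACKETS) - 1 ||
++ s->rx_fifo_len == NUM_PACKETS) {
+return 0;
+}
+return 1;
+@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
+} else {
+s->int_level &= ~INT_RCV;
+}
++ smc91c111_flush_queued_packets(s);
+smc91c111_update(s);
+}
+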
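Review bot: `Upstream-Status: Submitted` on line 19 gives no pointer to where the series was sent, so whoever does the next qemu bump cannot tell whether this RFT series was merged, reworked or dropped; the OE convention is to cite the location, e.g. `Upstream-Status: Submitted [qemu-devel, RFT PATCH v1 2/3, 2015-09-10]`. The same gap exists in smc91c111_fix3.patch. The new `s->rx_fifo_len == NUM_PACKETS` test relies on rx_fifo_len being kept in step with the FIFO by code outside this hunk, and the flush added at line 43 deliberately runs before `smc91c111_update(s)`, so a short comment there such as `/* a FIFO slot was just freed: let the net layer retry queued frames */` would make the ordering intent explicit. Both enclosing functions, smc91c111_can_receive() and smc91c111_pop_rx_fifo(), start outside the hunks.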
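--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
@@ -0,0 +1,33 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 3/3] net: smc91c111: flush packets on RCR register
+changes
+Date: Thu, 10 Sep 2015 21:24:12 -0700
+
+The SOFT_RST or RXEN in the control register can be used as a condition
+to unblock the net layer via can_receive(). So check for possible
+flushes on RCR changes. This will drop all pending packets on soft
+reset or disable which is the functional intent of the can_receive()
+logic.
+
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+---
+
+hw/net/smc91c111.c | 1 +
+1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -331,6 +331,7 @@ static void smc91c111_writeb(void *opaqu
+if (s->rcr & RCR_SOFT_RST) {
+smc91c111_reset(DEVICE(s));
+}
++ smc91c111_flush_queued_packets(s);
+return;
+case 10: case 11: /* RPCR */
+/* Ignored */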
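Review bot: The flush added at line 30 appears to run on every write that reaches this RCR case, not only on writes that change RXEN or SOFT_RST, and the "drop all pending packets" behaviour described in the message depends on smc91c111_receive() discarding frames while RXEN is clear, which nothing in this patch shows. A comment at the call site would record that dependency for the next reader, e.g. `/* RXEN/SOFT_RST changes can unblock can_receive(); flush now so queued frames are delivered or dropped */`. The enclosing smc91c111_writeb() and its switch start outside the hunk.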
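--- a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Mon, 27 Oct 2014 12:41:44 +0100
-Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
-
-bits_per_pixel that are less than 8 could result in accessing
-non-initialized buffers later in the code due to the expectation
-that bytes_per_pixel value that is used to initialize these buffers is
-never zero.
-
-To fix this check that bits_per_pixel from the client is one of the
-values that the rfb protocol specification allows.
-
-This is CVE-2014-7815.
-
-Upstream-Status: Backport
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-
-[ kraxel: apply codestyle fix ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-ui/vnc.c | 10 ++++++++++
-1 file changed, 10 insertions(+)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index f8d9b7d..87e34ae 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
-return;
-}
-
-+ switch (bits_per_pixel) {
-+ case 8:
-+ case 16:
-+ case 32:
-+ break;
-+ default:
-+ vnc_client_error(vs);
-+ return;
-+ }
-+
-vs->client_pf.rmax = red_max;
-vs->client_pf.rbits = hweight_long(red_max);
-vs->client_pf.rshift = red_shift;
---
-1.9.1
-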
diff --git a/meta/recipes-devtools/qemu/qemu/wacom.patch b/meta/recipes-devtools/qemu/qemu/wacom.patch index fd1b4a6963..cd06aa4ac6 100644 --- a/meta/recipes-devtools/qemu/qemu/wacom.patch +++ b/meta/recipes-devtools/qemu/qemu/wacom.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | The USB wacom device is missing a HID descriptor which causes it | 1 | The USB wacom device is missing a HID descriptor which causes it |
2 | to fail to operate with recent kernels (e.g. 3.17). | 2 | to fail to operate with recent kernels (e.g. 3.17). |
3 | 3 | ||
4 | This patch adds a HID desriptor to the device, based upon one from | 4 | This patch adds a HID desriptor to the device, based upon one from |
5 | real wcom device. | 5 | real wcom device. |
6 | 6 | ||
7 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> | 7 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> |
@@ -16,12 +16,12 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
16 | @@ -68,6 +68,89 @@ | 16 | @@ -68,6 +68,89 @@ |
17 | [STR_SERIALNUMBER] = "1", | 17 | [STR_SERIALNUMBER] = "1", |
18 | }; | 18 | }; |
19 | 19 | ||
20 | +static const uint8_t qemu_tablet_hid_report_descriptor[] = { | 20 | +static const uint8_t qemu_tablet_hid_report_descriptor[] = { |
21 | + 0x05, 0x01, /* Usage Page (Generic Desktop) */ | 21 | + 0x05, 0x01, /* Usage Page (Generic Desktop) */ |
22 | + 0x09, 0x02, /* Usage (Mouse) */ | 22 | + 0x09, 0x02, /* Usage (Mouse) */ |
23 | + 0xa1, 0x01, /* Collection (Application) */ | 23 | + 0xa1, 0x01, /* Collection (Application) */ |
24 | + 0x85, 0x01, /* Report ID (1) */ | 24 | + 0x85, 0x01, /* Report ID (1) */ |
25 | + 0x09, 0x01, /* Usage (Pointer) */ | 25 | + 0x09, 0x01, /* Usage (Pointer) */ |
26 | + 0xa1, 0x00, /* Collection (Physical) */ | 26 | + 0xa1, 0x00, /* Collection (Physical) */ |
27 | + 0x05, 0x09, /* Usage Page (Button) */ | 27 | + 0x05, 0x09, /* Usage Page (Button) */ |
@@ -48,7 +48,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
48 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ | 48 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ |
49 | + 0x09, 0x01, /* Usage (Digitizer) */ | 49 | + 0x09, 0x01, /* Usage (Digitizer) */ |
50 | + 0xa1, 0x01, /* Collection (Application) */ | 50 | + 0xa1, 0x01, /* Collection (Application) */ |
51 | + 0x85, 0x02, /* Report ID (2) */ | 51 | + 0x85, 0x02, /* Report ID (2) */ |
52 | + 0xa1, 0x00, /* Collection (Physical) */ | 52 | + 0xa1, 0x00, /* Collection (Physical) */ |
53 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ | 53 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ |
54 | + 0x09, 0x01, /* Usage (Digitizer) */ | 54 | + 0x09, 0x01, /* Usage (Digitizer) */ |
@@ -59,14 +59,14 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
59 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ | 59 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ |
60 | + 0xc0, /* End Collection */ | 60 | + 0xc0, /* End Collection */ |
61 | + 0x09, 0x01, /* Usage (Digitizer) */ | 61 | + 0x09, 0x01, /* Usage (Digitizer) */ |
62 | + 0x85, 0x02, /* Report ID (2) */ | 62 | + 0x85, 0x02, /* Report ID (2) */ |
63 | + 0x95, 0x01, /* Report Count (1) */ | 63 | + 0x95, 0x01, /* Report Count (1) */ |
64 | + 0xb1, 0x02, /* FEATURE (2) */ | 64 | + 0xb1, 0x02, /* FEATURE (2) */ |
65 | + 0xc0, /* End Collection */ | 65 | + 0xc0, /* End Collection */ |
66 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ | 66 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ |
67 | + 0x09, 0x01, /* Usage (Digitizer) */ | 67 | + 0x09, 0x01, /* Usage (Digitizer) */ |
68 | + 0xa1, 0x01, /* Collection (Application) */ | 68 | + 0xa1, 0x01, /* Collection (Application) */ |
69 | + 0x85, 0x02, /* Report ID (2) */ | 69 | + 0x85, 0x02, /* Report ID (2) */ |
70 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ | 70 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ |
71 | + 0x09, 0x22, /* Usage (Finger) */ | 71 | + 0x09, 0x22, /* Usage (Finger) */ |
72 | + 0xa1, 0x00, /* Collection (Physical) */ | 72 | + 0xa1, 0x00, /* Collection (Physical) */ |
@@ -95,7 +95,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
95 | + 0x75, 0x08, /* Report Size (8) */ | 95 | + 0x75, 0x08, /* Report Size (8) */ |
96 | + 0x95, 0x0d, /* Report Count (13) */ | 96 | + 0x95, 0x0d, /* Report Count (13) */ |
97 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ | 97 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ |
98 | + 0xc0, /* End Collection */ | 98 | + 0xc0, /* End Collection */ |
99 | + 0xc0, /* End Collection */ | 99 | + 0xc0, /* End Collection */ |
100 | +}; | 100 | +}; |
101 | + | 101 | + |
@@ -114,7 +114,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
114 | }, | 114 | }, |
115 | @@ -265,6 +350,15 @@ | 115 | @@ -265,6 +350,15 @@ |
116 | } | 116 | } |
117 | 117 | ||
118 | switch (request) { | 118 | switch (request) { |
119 | + case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: | 119 | + case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: |
120 | + switch (value >> 8) { | 120 | + switch (value >> 8) { |
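--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-require qemu.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
-file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-
-SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
-file://qemu-enlarge-env-entry-size.patch \
-file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
-file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
-file://qemu-CVE-2015-3456.patch \
-file://CVE-2014-7840.patch \
-file://vnc-CVE-2014-7815.patch \
-file://slirp-CVE-2014-3640.patch \
-"
-SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
-SRC_URI[sha256sum] = "397e23184f4bf613589a8fe0c6542461dc2afdf17ed337e97e6fd2f31e8f8802"
-
-COMPATIBLE_HOST_class-target_mips64 = "null"
-
-do_sanitize_sources() {
-# These .git files point to a nonexistent path "../.git/modules" and will confuse git
-# if it tries to recurse into those directories.
-rm -f ${S}/dtc/.git ${S}/pixman/.git
-}
-
-addtask sanitize_sources after do_unpack before do_patch
-
-do_install_append() {
-# Prevent QA warnings about installed ${localstatedir}/run
-if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
-}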
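--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -0,0 +1,33 @@
+require qemu.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
+
+SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
+file://qemu-enlarge-env-entry-size.patch \
+file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+file://smc91c111_fix1.patch \
+file://smc91c111_fix2.patch \
+file://smc91c111_fix3.patch \
+file://no-valgrind.patch \
+file://CVE-2015-8504.patch \
+file://CVE-2015-7504.patch \
+file://CVE-2015-7512.patch \
+file://CVE-2015-8345.patch \
+file://CVE-2016-1568.patch \
+file://CVE-2015-7295_1.patch \
+file://CVE-2015-7295_2.patch \
+file://CVE-2015-7295_3.patch \
+file://CVE-2016-2197.patch \
+file://CVE-2016-2198.patch \
+"
+SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
+SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
+SRC_URI[sha256sum] = "72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620"
+
+COMPATIBLE_HOST_class-target_mips64 = "null"
+
+do_install_append() {
+# Prevent QA warnings about installed ${localstatedir}/run
+if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
+}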
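Review bot: The `do_sanitize_sources` task that the removed 2.1.0 recipe used to delete `${S}/dtc/.git` and `${S}/pixman/.git` is not carried over, and nothing in the new recipe says why; if the 2.4.0 tarball no longer ships those dangling .git files that is fine, but a one-line comment near line 24 such as `# 2.4.0 tarball ships no dtc/.git or pixman/.git, so no sanitize_sources task is needed` would spare the next maintainer from rediscovering it. The tarball is fetched over plain http on line 24, so the sha256sum on line 26 is the only integrity anchor for the source; the commit should state that it was checked against a value obtained independently of the download, not copied from the fetched file. The three smc91c111 patches are marked Submitted rather than Backport, so they need re-checking against upstream at the next version bump.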
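--- a/meta/recipes-devtools/qemu/qemu_git.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-require qemu.inc
-
-SRCREV = "04024dea2674861fcf13582a77b58130c67fccd8"
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
-file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-
-PV = "1.3.0+git${SRCPV}"
-
-SRC_URI_prepend = "git://git.qemu.org/qemu.git"
-S = "${WORKDIR}/git"
-
-DEFAULT_PREFERENCE = "-1"
-
-COMPATIBLE_HOST_class-target_mips64 = "null"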
diff --git a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb index d2981b5575..7f4c6d9349 100644 --- a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb +++ b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb | |||
@@ -2,6 +2,8 @@ SUMMARY = "QEMU wrapper script" | |||
2 | LICENSE = "MIT" | 2 | LICENSE = "MIT" |
3 | LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" | 3 | LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" |
4 | 4 | ||
5 | S = "${WORKDIR}" | ||
6 | |||
5 | inherit qemu | 7 | inherit qemu |
6 | 8 | ||
7 | do_install () { | 9 | do_install () { |
@@ -9,7 +11,7 @@ do_install () { | |||
9 | 11 | ||
10 | echo "#!/bin/sh" > ${D}${bindir_crossscripts}/qemuwrapper | 12 | echo "#!/bin/sh" > ${D}${bindir_crossscripts}/qemuwrapper |
11 | qemu_binary=${@qemu_target_binary(d)} | 13 | qemu_binary=${@qemu_target_binary(d)} |
12 | qemu_options='${@d.getVar("QEMU_OPTIONS_%s" % d.getVar('PACKAGE_ARCH', True), True) or d.getVar('QEMU_OPTIONS', True) or ""}' | 14 | qemu_options='${QEMU_OPTIONS}' |
13 | echo "$qemu_binary $qemu_options \"\$@\"" >> ${D}${bindir_crossscripts}/qemuwrapper | 15 | echo "$qemu_binary $qemu_options \"\$@\"" >> ${D}${bindir_crossscripts}/qemuwrapper |
14 | fallback_qemu_bin= | 16 | fallback_qemu_bin= |
15 | case $qemu_binary in | 17 | case $qemu_binary in |