qemu: upgrade to 2.7.0

This upgrade can fix a qemuppc + openssh bug, the ssh connection maybe refused or closed randomly, and it's not easy to reproduce. RP pointed that this upgrade can fix the problem, and it does work in my local testing. * Update add-ptest-in-makefile.patch Here is the Changlog: http://wiki.qemu.org/ChangeLog/2.7 (From OE-Core rev: 056ce17e168bf856ff95a6f659098403169cb889) Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-05-10 14:17:34 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-05-11 15:28:59 +0200
commit: 17a9a734122e446bd2708a4273af1fe4eacb87ae (patch)
tree: 55c8bf72fe305f7024b684a1642deb61dac12082 /meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
parent: 5c021b4550f77ddc7d32664a08e46ba69d16c2c7 (diff)
download: poky-17a9a734122e446bd2708a4273af1fe4eacb87ae.tar.gz
1 files changed, 0 insertions, 78 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
deleted file mode 100644
index 3cbe394bfd..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 19 May 2016 16:09:31 +0530
-Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() uses DMA to read scsi commands into this buffer.
-Add check to validate DMA length against buffer size to avoid any
-overrun.
-Fixes CVE-2016-4441.
-Upstream-Status: Backport
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- hw/scsi/esp.c |   11 +++++++----
- 1 files changed, 7 insertions(+), 4 deletions(-)
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 01497e6..591c817 100644
--- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
-     }
- }
- 
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- {
-     uint32_t dmalen;
-     int target;
-@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-         dmalen = s->rregs[ESP_TCLO];
-         dmalen |= s->rregs[ESP_TCMID] << 8;
-         dmalen |= s->rregs[ESP_TCHI] << 16;
-+        if (dmalen > buflen) {
-+            return 0;
-+        }
-         s->dma_memory_read(s->dma_opaque, buf, dmalen);
-     } else {
-         dmalen = s->ti_size;
-@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
-         s->dma_cb = handle_satn;
-         return;
-     }
-    len = get_cmd(s, buf);
-+    len = get_cmd(s, buf, sizeof(buf));
-     if (len)
-         do_cmd(s, buf);
- }
-@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
-         s->dma_cb = handle_s_without_atn;
-         return;
-     }
-    len = get_cmd(s, buf);
-+    len = get_cmd(s, buf, sizeof(buf));
-     if (len) {
-         do_busid_cmd(s, buf, 0);
-     }
-@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
-         s->dma_cb = handle_satn_stop;
-         return;
-     }
-    s->cmdlen = get_cmd(s, s->cmdbuf);
-+    s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
-     if (s->cmdlen) {
-         trace_esp_handle_satn_stop(s->cmdlen);
-         s->do_cmd = 1;
-- 
-1.7.0.4
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-05-10 14:17:34 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-05-11 15:28:59 +0200
commit	17a9a734122e446bd2708a4273af1fe4eacb87ae (patch)
tree	55c8bf72fe305f7024b684a1642deb61dac12082 /meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
parent	5c021b4550f77ddc7d32664a08e46ba69d16c2c7 (diff)
download	poky-17a9a734122e446bd2708a4273af1fe4eacb87ae.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch deleted file mode 100644 index 3cbe394bfd..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch +++ /dev/null
@@ -1,78 +0,0 @@
1	From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
2	From: Prasad J Pandit <pjp@fedoraproject.org>
3	Date: Thu, 19 May 2016 16:09:31 +0530
4	Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
5
6	The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
7	FIFO buffer. It is used to handle command and data transfer.
8	Routine get_cmd() uses DMA to read scsi commands into this buffer.
9	Add check to validate DMA length against buffer size to avoid any
10	overrun.
11
12	Fixes CVE-2016-4441.
13
14	Upstream-Status: Backport
15
16	Reported-by: Li Qiang <liqiang6-s@360.cn>
17	Cc: qemu-stable@nongnu.org
18	Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
19	Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
20	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
21	Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
22	---
23	hw/scsi/esp.c \| 11 +++++++----
24	1 files changed, 7 insertions(+), 4 deletions(-)
25
26	diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
27	index 01497e6..591c817 100644
28	--- a/hw/scsi/esp.c
29	+++ b/hw/scsi/esp.c
30	@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
31	}
32	}
33
34	-static uint32_t get_cmd(ESPState s, uint8_t buf)
35	+static uint32_t get_cmd(ESPState s, uint8_t buf, uint8_t buflen)
36	{
37	uint32_t dmalen;
38	int target;
39	@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState s, uint8_t buf)
40	dmalen = s->rregs[ESP_TCLO];
41	dmalen \|= s->rregs[ESP_TCMID] << 8;
42	dmalen \|= s->rregs[ESP_TCHI] << 16;
43	+ if (dmalen > buflen) {
44	+ return 0;
45	+ }
46	s->dma_memory_read(s->dma_opaque, buf, dmalen);
47	} else {
48	dmalen = s->ti_size;
49	@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
50	s->dma_cb = handle_satn;
51	return;
52	}
53	- len = get_cmd(s, buf);
54	+ len = get_cmd(s, buf, sizeof(buf));
55	if (len)
56	do_cmd(s, buf);
57	}
58	@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
59	s->dma_cb = handle_s_without_atn;
60	return;
61	}
62	- len = get_cmd(s, buf);
63	+ len = get_cmd(s, buf, sizeof(buf));
64	if (len) {
65	do_busid_cmd(s, buf, 0);
66	}
67	@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
68	s->dma_cb = handle_satn_stop;
69	return;
70	}
71	- s->cmdlen = get_cmd(s, s->cmdbuf);
72	+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
73	if (s->cmdlen) {
74	trace_esp_handle_satn_stop(s->cmdlen);
75	s->do_cmd = 1;
76	--
77	1.7.0.4
78