author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-05-10 14:17:34 +0200 |
---|---|---|
committer | Adrian Dudau <adrian.dudau@enea.com> | 2017-05-11 15:28:59 +0200 |
commit | 17a9a734122e446bd2708a4273af1fe4eacb87ae (patch) | |
tree | 55c8bf72fe305f7024b684a1642deb61dac12082 /meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch | |
parent | 5c021b4550f77ddc7d32664a08e46ba69d16c2c7 (diff) | |
download | poky-17a9a734122e446bd2708a4273af1fe4eacb87ae.tar.gz |
qemu: upgrade to 2.7.0
This upgrade can fix a qemuppc + openssh bug: the ssh connection may be
refused or closed randomly, and it's not easy to reproduce. RP pointed
out that this upgrade can fix the problem, and it does work in my local
testing.
* Update add-ptest-in-makefile.patch
Here is the Changelog:
http://wiki.qemu.org/ChangeLog/2.7
(From OE-Core rev: 056ce17e168bf856ff95a6f659098403169cb889)
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch | 75 |
1 files changed, 0 insertions, 75 deletions
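--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 16 Jun 2016 00:22:35 +0200
-Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
-
-While doing DMA read into ESP command buffer 's->cmdbuf', it could
-write past the 's->cmdbuf' area, if it was transferring more than 16
-bytes. Increase the command buffer size to 32, which is maximum when
-'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-6351 patch1
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-hw/scsi/esp.c | 6 ++++--
-include/hw/scsi/esp.h | 3 ++-
-2 files changed, 6 insertions(+), 3 deletions(-)
-
-Index: qemu-2.4.0/hw/scsi/esp.c
-===================================================================
---- qemu-2.4.0.orig/hw/scsi/esp.c
-+++ qemu-2.4.0/hw/scsi/esp.c
-@@ -241,6 +241,8 @@ static void esp_do_dma(ESPState *s)
-len = s->dma_left;
-if (s->do_cmd) {
-trace_esp_do_dma(s->cmdlen, len);
-+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
-+ len <= sizeof(s->cmdbuf) - s->cmdlen);
-s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
-s->ti_size = 0;
-s->cmdlen = 0;
-@@ -340,7 +342,7 @@ static void handle_ti(ESPState *s)
-s->dma_counter = dmalen;
-
-if (s->do_cmd)
-- minlen = (dmalen < 32) ? dmalen : 32;
-+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
-else if (s->ti_size < 0)
-minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
-else
-@@ -446,7 +448,7 @@ void esp_reg_write(ESPState *s, uint32_t
-break;
-case ESP_FIFO:
-if (s->do_cmd) {
-- if (s->cmdlen < TI_BUFSZ) {
-+ if (s->cmdlen < ESP_CMDBUF_SZ) {
-s->cmdbuf[s->cmdlen++] = val & 0xff;
-} else {
-trace_esp_error_fifo_overrun();
-Index: qemu-2.4.0/include/hw/scsi/esp.h
-===================================================================
---- qemu-2.4.0.orig/include/hw/scsi/esp.h
-+++ qemu-2.4.0/include/hw/scsi/esp.h
-@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shi
-
-#define ESP_REGS 16
-#define TI_BUFSZ 16
-+#define ESP_CMDBUF_SZ 32
-
-typedef struct ESPState ESPState;
-
-@@ -31,7 +32,7 @@ struct ESPState {
-SCSIBus bus;
-SCSIDevice *current_dev;
-SCSIRequest *current_req;
-- uint8_t cmdbuf[TI_BUFSZ];
-+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
-uint32_t cmdlen;
-uint32_t do_cmd;
-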