| field | value | date |
|---|---|---|
| author | Sakib Sajal <sakib.sajal@windriver.com> | 2020-06-19 14:12:59 -0400 |
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-06-23 12:31:03 +0100 |
| commit | a3102471e4e789d77040f5ed0da1b8e438328b5f (patch) | |
| tree | 083c7ac42e426047f32ba8de41d0a9b24615593f /meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch | |
| parent | f5bbb3ba2d65ba7911b7ede5fb32b54b5b904a07 (diff) | |
| download | poky-a3102471e4e789d77040f5ed0da1b8e438328b5f.tar.gz | |
qemu: uprev v4.2.0 -> v5.0.0
Major update after v4.2.
Changes:
- os_find_datadir() was changed after the v4.2 release
causing v5.0 to not find the bios and not boot the
image. Fix is sent to upstream qemu.
See: qemu/find_datadir.patch
- v5.0 binary had host contamination for dynamically linked
libraries, "--extra-ldflags='${LDFLAGS}'" in EXTRA_OECONF
resolved the issue
- bluetooth code was removed: qemu.git$ git show 1d4ffe8dc7
hence removed PACKAGECONFIG[bluez]
- -show-cursor qemu option is now deprecated, updated
scripts/runqemu to use updated option instead
- added PACKAGECONFIG definitions
- added qemu-ptest to conf/distro/include/ptest-packagelists.inc
- increased support for ARM architecture, cpu and board
- removed patches merged upstream and refreshed
existing ones
Testing:
Build core-image-minimal against the machines in
openembedded-core/meta/conf/machine and successfully
booted with qemu v5.0
Ran qemu-ptest on x86-64 and arm64 with identical results:
PASS: 1166
SKIP: 0
FAIL: 0
(From OE-Core rev: ee9ec9e344541c1ccd9b9b8e3b8c1e00d008ad85)
Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Joe Slater <joe.slater@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch | 64 |
1 files changed, 0 insertions, 64 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch deleted file mode 100644 index aa7bc82329..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch +++ /dev/null | |||
@@ -1,64 +0,0 @@ | |||
1 | From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001 | ||
2 | From: Felipe Franciosi <felipe@nutanix.com> | ||
3 | Date: Thu, 23 Jan 2020 12:44:59 +0000 | ||
4 | Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) | ||
5 | |||
6 | When querying an iSCSI server for the provisioning status of blocks (via | ||
7 | GET LBA STATUS), Qemu only validates that the response descriptor zero's | ||
8 | LBA matches the one requested. Given the SCSI spec allows servers to | ||
9 | respond with the status of blocks beyond the end of the LUN, Qemu may | ||
10 | have its heap corrupted by clearing/setting too many bits at the end of | ||
11 | its allocmap for the LUN. | ||
12 | |||
13 | A malicious guest in control of the iSCSI server could carefully program | ||
14 | Qemu's heap (by selectively setting the bitmap) and then smash it. | ||
15 | |||
16 | This limits the number of bits that iscsi_co_block_status() will try to | ||
17 | update in the allocmap so it can't overflow the bitmap. | ||
18 | |||
19 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc] | ||
20 | CVE: CVE-2020-1711 | ||
21 | |||
22 | Fixes: CVE-2020-1711 | ||
23 | Cc: qemu-stable@nongnu.org | ||
24 | Signed-off-by: Felipe Franciosi <felipe@nutanix.com> | ||
25 | Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com> | ||
26 | Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com> | ||
27 | Signed-off-by: Kevin Wolf <kwolf@redhat.com> | ||
28 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
29 | --- | ||
30 | block/iscsi.c | 5 +++-- | ||
31 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
32 | |||
33 | diff --git a/block/iscsi.c b/block/iscsi.c | ||
34 | index 2aea7e3..cbd5729 100644 | ||
35 | --- a/block/iscsi.c | ||
36 | +++ b/block/iscsi.c | ||
37 | @@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, | ||
38 | struct scsi_get_lba_status *lbas = NULL; | ||
39 | struct scsi_lba_status_descriptor *lbasd = NULL; | ||
40 | struct IscsiTask iTask; | ||
41 | - uint64_t lba; | ||
42 | + uint64_t lba, max_bytes; | ||
43 | int ret; | ||
44 | |||
45 | iscsi_co_init_iscsitask(iscsilun, &iTask); | ||
46 | @@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, | ||
47 | } | ||
48 | |||
49 | lba = offset / iscsilun->block_size; | ||
50 | + max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size; | ||
51 | |||
52 | qemu_mutex_lock(&iscsilun->mutex); | ||
53 | retry: | ||
54 | @@ -764,7 +765,7 @@ retry: | ||
55 | goto out_unlock; | ||
56 | } | ||
57 | |||
58 | - *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; | ||
59 | + *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes); | ||
60 | |||
61 | if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || | ||
62 | lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) { | ||
63 | -- | ||
64 | 1.8.3.1 | ||
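Review bot: this hunk drops the entire CVE-2020-1711 backport, and the only justification anywhere in the commit is the blanket "removed patches merged upstream" line, so the commit message should state explicitly that upstream commit `693fd2acdf14dd86c0bf852610f1c2cca80a74dc` ("iscsi: Cap block count from GET LBA STATUS"), named in the deleted file's `Upstream-Status: Backport` header, is contained in the v5.0.0 tag being uprevved to; otherwise CVE-check tooling and anyone auditing the recipe has to rediscover why the `CVE: CVE-2020-1711` marker disappeared. The deleted change is the only guard that clamps `*pnum` to `max_bytes` when a target returns a `num_blocks` past the end of the LUN, so losing it silently would reopen the allocmap heap corruption the patch description covers. Two things to verify before merging: that `git merge-base --is-ancestor 693fd2acdf14dd86c0bf852610f1c2cca80a74dc v5.0.0` succeeds in qemu.git, and that the recipe's `SRC_URI` reference to `CVE-2020-1711.patch` is removed in the same commit, since this diffstat is limited to the patch file and does not show the recipe side.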