qemu: Upgrade 2.1.0 to 2.4.0 to address some CVEs

The upgrade addresses following CVEs: CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 CVE-2015-8504 CVE-2016-1568 CVE-2016-2197 CVE-2016-2198 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-04-27 11:48:16 +0200
committer: Nora Björklund <nora.bjorklund@enea.com> 2016-04-28 09:02:11 +0200
commit: d3d0c7af34b996b4518b26d4f3b4eff831a651af (patch)
tree: d8dc6be1d65668e4cbaf04f47011542ed35b2031 /meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
parent: c6477d7bc514c951746d6b717c033475fc45f3fc (diff)
download: poky-d3d0c7af34b996b4518b26d4f3b4eff831a651af.tar.gz
1 files changed, 0 insertions, 92 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
deleted file mode 100644
index f05441fce6..0000000000
--- a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-qemu: CVE-2015-3456
-the patch comes from:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
-http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
-fdc: force the fifo access to be in bounds of the allocated buffer
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-This is CVE-2015-3456.
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
-Signed-off-by: Li Wang <li.wang@windriver.com>
-Upstream-Status: Backport
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
---
- hw/block/fdc.c |   17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index 490d127..045459e 100644
--- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
-     FDrive *cur_drv;
-     uint32_t retval = 0;
-    int pos;
-+    uint32_t pos;
- 
-     cur_drv = get_cur_drv(fdctrl);
-     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-         return 0;
-     }
-     pos = fdctrl->data_pos;
-+    pos %= FD_SECTOR_LEN;
-     if (fdctrl->msr & FD_MSR_NONDMA) {
-        pos %= FD_SECTOR_LEN;
-         if (pos == 0) {
-             if (fdctrl->data_pos != 0)
-                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
-     FDrive *cur_drv = get_cur_drv(fdctrl);
-+    uint32_t pos;
- 
-    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+    pos = fdctrl->data_pos - 1;
-+    pos %= FD_SECTOR_LEN;
-+    if (fdctrl->fifo[pos] & 0x80) {
-         /* Command parameters done */
-        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+        if (fdctrl->fifo[pos] & 0x40) {
-             fdctrl->fifo[0] = fdctrl->fifo[1];
-             fdctrl->fifo[2] = 0;
-             fdctrl->fifo[3] = 0;
-@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
-     FDrive *cur_drv;
-    int pos;
-+    uint32_t pos;
- 
-     /* Reset mode */
-     if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-     }
- 
-     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-    fdctrl->fifo[fdctrl->data_pos++] = value;
-+    pos = fdctrl->data_pos++;
-+    pos %= FD_SECTOR_LEN;
-+    fdctrl->fifo[pos] = value;
-     if (fdctrl->data_pos == fdctrl->data_len) {
-         /* We now have all parameters
-          * and will be able to treat the command
-- 
-1.7.9.5
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-04-27 11:48:16 +0200
committer	Nora Björklund <nora.bjorklund@enea.com>	2016-04-28 09:02:11 +0200
commit	d3d0c7af34b996b4518b26d4f3b4eff831a651af (patch)
tree	d8dc6be1d65668e4cbaf04f47011542ed35b2031 /meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
parent	c6477d7bc514c951746d6b717c033475fc45f3fc (diff)
download	poky-d3d0c7af34b996b4518b26d4f3b4eff831a651af.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch deleted file mode 100644 index f05441fce6..0000000000 --- a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch +++ /dev/null
@@ -1,92 +0,0 @@
1	qemu: CVE-2015-3456
2
3	the patch comes from:
4	https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
5	http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
6
7	fdc: force the fifo access to be in bounds of the allocated buffer
8
9	During processing of certain commands such as FD_CMD_READ_ID and
10	FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
11	get out of bounds leading to memory corruption with values coming
12	from the guest.
13
14	Fix this by making sure that the index is always bounded by the
15	allocated memory.
16
17	This is CVE-2015-3456.
18
19	Signed-off-by: Petr Matousek <pmatouse@redhat.com>
20	Reviewed-by: John Snow <jsnow@redhat.com>
21	Signed-off-by: John Snow <jsnow@redhat.com>
22	Signed-off-by: Li Wang <li.wang@windriver.com>
23
24	Upstream-Status: Backport
25
26	Signed-off-by: Kai Kang <kai.kang@windriver.com>
27	---
28	hw/block/fdc.c \| 17 +++++++++++------
29	1 file changed, 11 insertions(+), 6 deletions(-)
30
31	diff --git a/hw/block/fdc.c b/hw/block/fdc.c
32	index 490d127..045459e 100644
33	--- a/hw/block/fdc.c
34	+++ b/hw/block/fdc.c
35	@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
36	{
37	FDrive *cur_drv;
38	uint32_t retval = 0;
39	- int pos;
40	+ uint32_t pos;
41
42	cur_drv = get_cur_drv(fdctrl);
43	fdctrl->dsr &= ~FD_DSR_PWRDOWN;
44	@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
45	return 0;
46	}
47	pos = fdctrl->data_pos;
48	+ pos %= FD_SECTOR_LEN;
49	if (fdctrl->msr & FD_MSR_NONDMA) {
50	- pos %= FD_SECTOR_LEN;
51	if (pos == 0) {
52	if (fdctrl->data_pos != 0)
53	if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
54	@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
55	static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
56	{
57	FDrive *cur_drv = get_cur_drv(fdctrl);
58	+ uint32_t pos;
59
60	- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
61	+ pos = fdctrl->data_pos - 1;
62	+ pos %= FD_SECTOR_LEN;
63	+ if (fdctrl->fifo[pos] & 0x80) {
64	/* Command parameters done */
65	- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
66	+ if (fdctrl->fifo[pos] & 0x40) {
67	fdctrl->fifo[0] = fdctrl->fifo[1];
68	fdctrl->fifo[2] = 0;
69	fdctrl->fifo[3] = 0;
70	@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
71	static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
72	{
73	FDrive *cur_drv;
74	- int pos;
75	+ uint32_t pos;
76
77	/* Reset mode */
78	if (!(fdctrl->dor & FD_DOR_nRESET)) {
79	@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
80	}
81
82	FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
83	- fdctrl->fifo[fdctrl->data_pos++] = value;
84	+ pos = fdctrl->data_pos++;
85	+ pos %= FD_SECTOR_LEN;
86	+ fdctrl->fifo[pos] = value;
87	if (fdctrl->data_pos == fdctrl->data_len) {
88	/* We now have all parameters
89	* and will be able to treat the command
90	--
91	1.7.9.5
92