qemu: Upgrade 2.1.0 to 2.4.0 to address some CVEs

The upgrade addresses following CVEs: CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 CVE-2015-8504 CVE-2016-1568 CVE-2016-2197 CVE-2016-2198 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Nora Björklund <nora.bjorklund@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-04-27 11:48:16 +0200
committer: Nora Björklund <nora.bjorklund@enea.com> 2016-04-28 09:02:11 +0200
commit: d3d0c7af34b996b4518b26d4f3b4eff831a651af (patch)
tree: d8dc6be1d65668e4cbaf04f47011542ed35b2031 /meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
parent: c6477d7bc514c951746d6b717c033475fc45f3fc (diff)
download: poky-d3d0c7af34b996b4518b26d4f3b4eff831a651af.tar.gz
1 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
new file mode 100644
index 0000000000..018aed5f80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
@@ -0,0 +1,46 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+X-Google-Original-From: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
+ having a slot
+Date: Thu, 10 Sep 2015 21:23:57 -0700
+Return false from can_receive() when the FIFO doesn't have a free RX
+slot. This fixes a bug in the current code where the allocated buffer
+is freed before the fifo pop, triggering a premature flush of queued RX
+packets. It also will handle a corner case, where the guest manually
+frees the allocated buffer before popping the rx FIFO (hence it is not
+enough to just delay the flush_queued_packets()).
+Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+Upstream-Status: Submitted
+---
+ hw/net/smc91c111.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
+++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
+     if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
+         return 1;
+     }
+-    if (s->allocated == (1 << NUM_PACKETS) - 1) {
+    if (s->allocated == (1 << NUM_PACKETS) - 1 ||
+        s->rx_fifo_len == NUM_PACKETS) {
+         return 0;
+     }
+     return 1;
+@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
+     } else {
+         s->int_level &= ~INT_RCV;
+     }
+    smc91c111_flush_queued_packets(s);
+     smc91c111_update(s);
+ }
+
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-04-27 11:48:16 +0200
committer	Nora Björklund <nora.bjorklund@enea.com>	2016-04-28 09:02:11 +0200
commit	d3d0c7af34b996b4518b26d4f3b4eff831a651af (patch)
tree	d8dc6be1d65668e4cbaf04f47011542ed35b2031 /meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
parent	c6477d7bc514c951746d6b717c033475fc45f3fc (diff)
download	poky-d3d0c7af34b996b4518b26d4f3b4eff831a651af.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch new file mode 100644 index 0000000000..018aed5f80 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
@@ -0,0 +1,46 @@
	1	From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
	2	X-Google-Original-From: Peter Crosthwaite <crosthwaite.peter@gmail.com>
	3	To: qemu-devel@nongnu.org
	4	Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
	5	Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
	6	having a slot
	7	Date: Thu, 10 Sep 2015 21:23:57 -0700
	8
	9	Return false from can_receive() when the FIFO doesn't have a free RX
	10	slot. This fixes a bug in the current code where the allocated buffer
	11	is freed before the fifo pop, triggering a premature flush of queued RX
	12	packets. It also will handle a corner case, where the guest manually
	13	frees the allocated buffer before popping the rx FIFO (hence it is not
	14	enough to just delay the flush_queued_packets()).
	15
	16	Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
	17	Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
	18
	19	Upstream-Status: Submitted
	20	---
	21
	22	hw/net/smc91c111.c \| 4 +++-
	23	1 file changed, 3 insertions(+), 1 deletion(-)
	24
	25	Index: qemu-2.4.0/hw/net/smc91c111.c
	26	===================================================================
	27	--- qemu-2.4.0.orig/hw/net/smc91c111.c
	28	+++ qemu-2.4.0/hw/net/smc91c111.c
	29	@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
	30	if ((s->rcr & RCR_RXEN) == 0 \|\| (s->rcr & RCR_SOFT_RST)) {
	31	return 1;
	32	}
	33	- if (s->allocated == (1 << NUM_PACKETS) - 1) {
	34	+ if (s->allocated == (1 << NUM_PACKETS) - 1 \|\|
	35	+ s->rx_fifo_len == NUM_PACKETS) {
	36	return 0;
	37	}
	38	return 1;
	39	@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
	40	} else {
	41	s->int_level &= ~INT_RCV;
	42	}
	43	+ smc91c111_flush_queued_packets(s);
	44	smc91c111_update(s);
	45	}
	46