diff options
author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-13 14:44:42 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-17 08:45:35 +0100 |
commit | 7e25a6b4d52a16e812dfd444d65283d2c75d2d77 (patch) | |
tree | 1f61c98c9d24ed35b685af62bcdb1d83a36b80f9 /meta/recipes-devtools | |
parent | 1bff01bda9741ad3a9b9e1937d73859636575c7c (diff) | |
download | poky-7e25a6b4d52a16e812dfd444d65283d2c75d2d77.tar.gz |
qemu: Upgrade 5.0.0 -> 5.1.0
* Drop backported CVE fixes
* Drop cpu backtrace patch from 2015 for debugging an issue which we no longer see
(patch throws rejects, files have moved)
* Update mips patch to account for file renames
* Update chardev patch to match upstream code changes
* Update webkitgtk patch, qemumips build works ok but qemux86 musl webkitgtk still
fails. Need to figure out the correct fix and upstream it for this, current
revert patch is not maintainable.
Release notes for 5.1.0 mention slight qemumips performance improvements
which would be valuable to us. My tests show no improvement in qemumips
testimage execution time for core-image-sato-sdk.
Fix a ptest issue for a file looking for /usr/bin/bash when we have
/bin/bash.
(From OE-Core rev: 686b770af67fdd2251f4ddab5b0eefc8fb0870ef)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools')
26 files changed, 129 insertions, 732 deletions
diff --git a/meta/recipes-devtools/qemu/qemu-native.inc b/meta/recipes-devtools/qemu/qemu-native.inc index dcf140ea1b..aa5c9b9a72 100644 --- a/meta/recipes-devtools/qemu/qemu-native.inc +++ b/meta/recipes-devtools/qemu/qemu-native.inc | |||
@@ -2,10 +2,6 @@ inherit native | |||
2 | 2 | ||
3 | require qemu.inc | 3 | require qemu.inc |
4 | 4 | ||
5 | SRC_URI_append = " \ | ||
6 | file://0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \ | ||
7 | " | ||
8 | |||
9 | EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'" | 5 | EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'" |
10 | 6 | ||
11 | LDFLAGS_append = " -fuse-ld=bfd" | 7 | LDFLAGS_append = " -fuse-ld=bfd" |
diff --git a/meta/recipes-devtools/qemu/qemu-native_5.0.0.bb b/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb index c8acff8e19..c8acff8e19 100644 --- a/meta/recipes-devtools/qemu/qemu-native_5.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb | |||
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_5.0.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb index 7394385d30..7394385d30 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_5.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb | |||
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 5d38ff1fa4..5599382a92 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc | |||
@@ -29,19 +29,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ | |||
29 | file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ | 29 | file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ |
30 | file://0001-Add-enable-disable-udev.patch \ | 30 | file://0001-Add-enable-disable-udev.patch \ |
31 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ | 31 | file://0001-qemu-Do-not-include-file-if-not-exists.patch \ |
32 | file://CVE-2020-13361.patch \ | ||
33 | file://find_datadir.patch \ | 32 | file://find_datadir.patch \ |
34 | file://CVE-2020-10761.patch \ | ||
35 | file://CVE-2020-13362.patch \ | ||
36 | file://CVE-2020-13659.patch \ | ||
37 | file://CVE-2020-13800.patch \ | ||
38 | file://CVE-2020-13791.patch \ | ||
39 | file://CVE-2020-15863.patch \ | ||
40 | " | 33 | " |
41 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" | 34 | UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" |
42 | 35 | ||
43 | SRC_URI[md5sum] = "ede6005d7143fe994dd089d31dc2cf6c" | 36 | SRC_URI[sha256sum] = "c9174eb5933d9eb5e61f541cd6d1184cd3118dfe4c5c4955bc1bdc4d390fa4e5" |
44 | SRC_URI[sha256sum] = "2f13a92a0fa5c8b69ff0796b59b86b080bbb92ebad5d301a7724dd06b5e78cb6" | ||
45 | 37 | ||
46 | COMPATIBLE_HOST_mipsarchn32 = "null" | 38 | COMPATIBLE_HOST_mipsarchn32 = "null" |
47 | COMPATIBLE_HOST_mipsarchn64 = "null" | 39 | COMPATIBLE_HOST_mipsarchn64 = "null" |
@@ -65,6 +57,7 @@ do_install_ptest() { | |||
65 | -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include | 57 | -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include |
66 | sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \ | 58 | sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \ |
67 | ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env | 59 | ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env |
60 | sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh | ||
68 | } | 61 | } |
69 | 62 | ||
70 | # QEMU_TARGETS is overridable variable | 63 | # QEMU_TARGETS is overridable variable |
diff --git a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch index 40d83fcfa3..1304ee3bfd 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch | |||
@@ -12,13 +12,13 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
12 | configure | 4 ++++ | 12 | configure | 4 ++++ |
13 | 1 file changed, 4 insertions(+) | 13 | 1 file changed, 4 insertions(+) |
14 | 14 | ||
15 | diff --git a/configure b/configure | 15 | Index: qemu-5.1.0/configure |
16 | index 36646e7b..48912a94 100755 | 16 | =================================================================== |
17 | --- a/configure | 17 | --- qemu-5.1.0.orig/configure |
18 | +++ b/configure | 18 | +++ qemu-5.1.0/configure |
19 | @@ -1601,6 +1601,10 @@ for opt do | 19 | @@ -1640,6 +1640,10 @@ for opt do |
20 | ;; | 20 | ;; |
21 | --gdb=*) gdb_bin="$optarg" | 21 | --disable-libdaxctl) libdaxctl=no |
22 | ;; | 22 | ;; |
23 | + --enable-libudev) libudev="yes" | 23 | + --enable-libudev) libudev="yes" |
24 | + ;; | 24 | + ;; |
@@ -27,6 +27,3 @@ index 36646e7b..48912a94 100755 | |||
27 | *) | 27 | *) |
28 | echo "ERROR: unknown option $opt" | 28 | echo "ERROR: unknown option $opt" |
29 | echo "Try '$0 --help' for more information" | 29 | echo "Try '$0 --help' for more information" |
30 | -- | ||
31 | 2.24.0 | ||
32 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch index ae89ae09dd..46c9da08a5 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch | |||
@@ -20,11 +20,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
20 | hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- | 20 | hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- |
21 | 1 file changed, 93 insertions(+), 1 deletion(-) | 21 | 1 file changed, 93 insertions(+), 1 deletion(-) |
22 | 22 | ||
23 | diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c | 23 | Index: qemu-5.1.0/hw/usb/dev-wacom.c |
24 | index 8ed57b3b..1502928b 100644 | 24 | =================================================================== |
25 | --- a/hw/usb/dev-wacom.c | 25 | --- qemu-5.1.0.orig/hw/usb/dev-wacom.c |
26 | +++ b/hw/usb/dev-wacom.c | 26 | +++ qemu-5.1.0/hw/usb/dev-wacom.c |
27 | @@ -74,6 +74,89 @@ static const USBDescStrings desc_strings = { | 27 | @@ -74,6 +74,89 @@ static const USBDescStrings desc_strings |
28 | [STR_SERIALNUMBER] = "1", | 28 | [STR_SERIALNUMBER] = "1", |
29 | }; | 29 | }; |
30 | 30 | ||
@@ -114,7 +114,7 @@ index 8ed57b3b..1502928b 100644 | |||
114 | static const USBDescIface desc_iface_wacom = { | 114 | static const USBDescIface desc_iface_wacom = { |
115 | .bInterfaceNumber = 0, | 115 | .bInterfaceNumber = 0, |
116 | .bNumEndpoints = 1, | 116 | .bNumEndpoints = 1, |
117 | @@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wacom = { | 117 | @@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wac |
118 | 0x00, /* u8 country_code */ | 118 | 0x00, /* u8 country_code */ |
119 | 0x01, /* u8 num_descriptors */ | 119 | 0x01, /* u8 num_descriptors */ |
120 | 0x22, /* u8 type: Report */ | 120 | 0x22, /* u8 type: Report */ |
@@ -123,7 +123,7 @@ index 8ed57b3b..1502928b 100644 | |||
123 | }, | 123 | }, |
124 | }, | 124 | }, |
125 | }, | 125 | }, |
126 | @@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, | 126 | @@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USB |
127 | } | 127 | } |
128 | 128 | ||
129 | switch (request) { | 129 | switch (request) { |
@@ -139,6 +139,3 @@ index 8ed57b3b..1502928b 100644 | |||
139 | case WACOM_SET_REPORT: | 139 | case WACOM_SET_REPORT: |
140 | if (s->mouse_grabbed) { | 140 | if (s->mouse_grabbed) { |
141 | qemu_remove_mouse_event_handler(s->eh_entry); | 141 | qemu_remove_mouse_event_handler(s->eh_entry); |
142 | -- | ||
143 | 2.24.0 | ||
144 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch index 6e38d814cd..678e059463 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch | |||
@@ -15,10 +15,10 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
15 | linux-user/syscall.c | 2 ++ | 15 | linux-user/syscall.c | 2 ++ |
16 | 1 file changed, 2 insertions(+) | 16 | 1 file changed, 2 insertions(+) |
17 | 17 | ||
18 | diff --git a/linux-user/syscall.c b/linux-user/syscall.c | 18 | Index: qemu-5.1.0/linux-user/syscall.c |
19 | index d6f8cc97..a61420e7 100644 | 19 | =================================================================== |
20 | --- a/linux-user/syscall.c | 20 | --- qemu-5.1.0.orig/linux-user/syscall.c |
21 | +++ b/linux-user/syscall.c | 21 | +++ qemu-5.1.0/linux-user/syscall.c |
22 | @@ -109,7 +109,9 @@ | 22 | @@ -109,7 +109,9 @@ |
23 | #include <linux/blkpg.h> | 23 | #include <linux/blkpg.h> |
24 | #include <netpacket/packet.h> | 24 | #include <netpacket/packet.h> |
@@ -28,7 +28,4 @@ index d6f8cc97..a61420e7 100644 | |||
28 | +#endif | 28 | +#endif |
29 | #include <linux/rtc.h> | 29 | #include <linux/rtc.h> |
30 | #include <sound/asound.h> | 30 | #include <sound/asound.h> |
31 | #include "linux_loop.h" | 31 | #ifdef HAVE_DRM_H |
32 | -- | ||
33 | 2.24.0 | ||
34 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch index 3d268870fc..f379948f14 100644 --- a/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch +++ b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch | |||
@@ -16,11 +16,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
16 | tests/Makefile.include | 8 ++++++++ | 16 | tests/Makefile.include | 8 ++++++++ |
17 | 1 file changed, 8 insertions(+) | 17 | 1 file changed, 8 insertions(+) |
18 | 18 | ||
19 | diff --git a/tests/Makefile.include b/tests/Makefile.include | 19 | Index: qemu-5.1.0/tests/Makefile.include |
20 | index 51de6762..1ea4d322 100644 | 20 | =================================================================== |
21 | --- a/tests/Makefile.include | 21 | --- qemu-5.1.0.orig/tests/Makefile.include |
22 | +++ b/tests/Makefile.include | 22 | +++ qemu-5.1.0/tests/Makefile.include |
23 | @@ -941,4 +941,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) | 23 | @@ -982,4 +982,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) |
24 | -include $(wildcard tests/qtest/*.d) | 24 | -include $(wildcard tests/qtest/*.d) |
25 | -include $(wildcard tests/qtest/libqos/*.d) | 25 | -include $(wildcard tests/qtest/libqos/*.d) |
26 | 26 | ||
@@ -33,6 +33,3 @@ index 51de6762..1ea4d322 100644 | |||
33 | + done | 33 | + done |
34 | + | 34 | + |
35 | endif | 35 | endif |
36 | -- | ||
37 | 2.24.0 | ||
38 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch index 012d60d8f0..33cef42217 100644 --- a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch +++ b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch | |||
@@ -15,13 +15,13 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com> | |||
15 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 15 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
16 | 16 | ||
17 | --- | 17 | --- |
18 | hw/mips/mips_malta.c | 2 +- | 18 | hw/mips/malta.c | 2 +- |
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | 19 | 1 file changed, 1 insertion(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c | 21 | Index: qemu-5.1.0/hw/mips/malta.c |
22 | index 92e9ca5b..3a7f3954 100644 | 22 | =================================================================== |
23 | --- a/hw/mips/mips_malta.c | 23 | --- qemu-5.1.0.orig/hw/mips/malta.c |
24 | +++ b/hw/mips/mips_malta.c | 24 | +++ qemu-5.1.0/hw/mips/malta.c |
25 | @@ -59,7 +59,7 @@ | 25 | @@ -59,7 +59,7 @@ |
26 | 26 | ||
27 | #define ENVP_ADDR 0x80002000l | 27 | #define ENVP_ADDR 0x80002000l |
diff --git a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch index bc30397e8c..71f537f9b0 100644 --- a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch +++ b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch | |||
@@ -12,11 +12,11 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> | |||
12 | configure | 9 --------- | 12 | configure | 9 --------- |
13 | 1 file changed, 9 deletions(-) | 13 | 1 file changed, 9 deletions(-) |
14 | 14 | ||
15 | diff --git a/configure b/configure | 15 | Index: qemu-5.1.0/configure |
16 | index 6099be1d..a766017b 100755 | 16 | =================================================================== |
17 | --- a/configure | 17 | --- qemu-5.1.0.orig/configure |
18 | +++ b/configure | 18 | +++ qemu-5.1.0/configure |
19 | @@ -5390,15 +5390,6 @@ fi | 19 | @@ -5751,15 +5751,6 @@ fi |
20 | # check if we have valgrind/valgrind.h | 20 | # check if we have valgrind/valgrind.h |
21 | 21 | ||
22 | valgrind_h=no | 22 | valgrind_h=no |
diff --git a/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch index 2c5b241e41..02ebbee1a0 100644 --- a/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch +++ b/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch | |||
@@ -11,11 +11,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
11 | configure | 4 ---- | 11 | configure | 4 ---- |
12 | 1 file changed, 4 deletions(-) | 12 | 1 file changed, 4 deletions(-) |
13 | 13 | ||
14 | diff --git a/configure b/configure | 14 | Index: qemu-5.1.0/configure |
15 | index 83c65439..6bdf488c 100755 | 15 | =================================================================== |
16 | --- a/configure | 16 | --- qemu-5.1.0.orig/configure |
17 | +++ b/configure | 17 | +++ qemu-5.1.0/configure |
18 | @@ -6251,10 +6251,6 @@ write_c_skeleton | 18 | @@ -6515,10 +6515,6 @@ write_c_skeleton |
19 | if test "$gcov" = "yes" ; then | 19 | if test "$gcov" = "yes" ; then |
20 | QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS" | 20 | QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS" |
21 | QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS" | 21 | QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS" |
@@ -26,6 +26,3 @@ index 83c65439..6bdf488c 100755 | |||
26 | fi | 26 | fi |
27 | 27 | ||
28 | if test "$have_asan" = "yes"; then | 28 | if test "$have_asan" = "yes"; then |
29 | -- | ||
30 | 2.24.0 | ||
31 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch index 0810ae84c0..98fd5e9133 100644 --- a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch +++ b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch | |||
@@ -51,11 +51,11 @@ Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> | |||
51 | qapi/char.json | 5 +++ | 51 | qapi/char.json | 5 +++ |
52 | 3 files changed, 109 insertions(+) | 52 | 3 files changed, 109 insertions(+) |
53 | 53 | ||
54 | diff --git a/chardev/char-socket.c b/chardev/char-socket.c | 54 | Index: qemu-5.1.0/chardev/char-socket.c |
55 | index 185fe38d..54fa4234 100644 | 55 | =================================================================== |
56 | --- a/chardev/char-socket.c | 56 | --- qemu-5.1.0.orig/chardev/char-socket.c |
57 | +++ b/chardev/char-socket.c | 57 | +++ qemu-5.1.0/chardev/char-socket.c |
58 | @@ -1288,6 +1288,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock, | 58 | @@ -1292,6 +1292,67 @@ static bool qmp_chardev_validate_socket( |
59 | return true; | 59 | return true; |
60 | } | 60 | } |
61 | 61 | ||
@@ -123,7 +123,7 @@ index 185fe38d..54fa4234 100644 | |||
123 | 123 | ||
124 | static void qmp_chardev_open_socket(Chardev *chr, | 124 | static void qmp_chardev_open_socket(Chardev *chr, |
125 | ChardevBackend *backend, | 125 | ChardevBackend *backend, |
126 | @@ -1296,6 +1357,9 @@ static void qmp_chardev_open_socket(Chardev *chr, | 126 | @@ -1300,6 +1361,9 @@ static void qmp_chardev_open_socket(Char |
127 | { | 127 | { |
128 | SocketChardev *s = SOCKET_CHARDEV(chr); | 128 | SocketChardev *s = SOCKET_CHARDEV(chr); |
129 | ChardevSocket *sock = backend->u.socket.data; | 129 | ChardevSocket *sock = backend->u.socket.data; |
@@ -133,7 +133,7 @@ index 185fe38d..54fa4234 100644 | |||
133 | bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; | 133 | bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; |
134 | bool is_listen = sock->has_server ? sock->server : true; | 134 | bool is_listen = sock->has_server ? sock->server : true; |
135 | bool is_telnet = sock->has_telnet ? sock->telnet : false; | 135 | bool is_telnet = sock->has_telnet ? sock->telnet : false; |
136 | @@ -1361,6 +1425,14 @@ static void qmp_chardev_open_socket(Chardev *chr, | 136 | @@ -1365,6 +1429,14 @@ static void qmp_chardev_open_socket(Char |
137 | 137 | ||
138 | update_disconnected_filename(s); | 138 | update_disconnected_filename(s); |
139 | 139 | ||
@@ -148,13 +148,15 @@ index 185fe38d..54fa4234 100644 | |||
148 | if (s->is_listen) { | 148 | if (s->is_listen) { |
149 | if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, | 149 | if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, |
150 | is_waitconnect, errp) < 0) { | 150 | is_waitconnect, errp) < 0) { |
151 | @@ -1380,9 +1452,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, | 151 | @@ -1384,11 +1456,27 @@ static void qemu_chr_parse_socket(QemuOp |
152 | const char *host = qemu_opt_get(opts, "host"); | 152 | const char *host = qemu_opt_get(opts, "host"); |
153 | const char *port = qemu_opt_get(opts, "port"); | 153 | const char *port = qemu_opt_get(opts, "port"); |
154 | const char *fd = qemu_opt_get(opts, "fd"); | 154 | const char *fd = qemu_opt_get(opts, "fd"); |
155 | +#ifndef _WIN32 | 155 | +#ifndef _WIN32 |
156 | + const char *cmd = qemu_opt_get(opts, "cmd"); | 156 | + const char *cmd = qemu_opt_get(opts, "cmd"); |
157 | +#endif | 157 | +#endif |
158 | bool tight = qemu_opt_get_bool(opts, "tight", true); | ||
159 | bool abstract = qemu_opt_get_bool(opts, "abstract", false); | ||
158 | SocketAddressLegacy *addr; | 160 | SocketAddressLegacy *addr; |
159 | ChardevSocket *sock; | 161 | ChardevSocket *sock; |
160 | 162 | ||
@@ -171,19 +173,19 @@ index 185fe38d..54fa4234 100644 | |||
171 | + } | 173 | + } |
172 | + } else | 174 | + } else |
173 | +#endif | 175 | +#endif |
174 | + | ||
175 | if ((!!path + !!fd + !!host) != 1) { | 176 | if ((!!path + !!fd + !!host) != 1) { |
176 | error_setg(errp, | 177 | error_setg(errp, |
177 | "Exactly one of 'path', 'fd' or 'host' required"); | 178 | "Exactly one of 'path', 'fd' or 'host' required"); |
178 | @@ -1425,12 +1514,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, | 179 | @@ -1431,12 +1519,24 @@ static void qemu_chr_parse_socket(QemuOp |
179 | sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); | 180 | sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); |
180 | sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); | 181 | sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); |
181 | 182 | ||
183 | - addr = g_new0(SocketAddressLegacy, 1); | ||
182 | +#ifndef _WIN32 | 184 | +#ifndef _WIN32 |
183 | + sock->cmd = g_strdup(cmd); | 185 | + sock->cmd = g_strdup(cmd); |
184 | +#endif | 186 | +#endif |
185 | + | 187 | + |
186 | addr = g_new0(SocketAddressLegacy, 1); | 188 | + addr = g_new0(SocketAddressLegacy, 1); |
187 | +#ifndef _WIN32 | 189 | +#ifndef _WIN32 |
188 | + if (path || cmd) { | 190 | + if (path || cmd) { |
189 | +#else | 191 | +#else |
@@ -197,28 +199,28 @@ index 185fe38d..54fa4234 100644 | |||
197 | +#else | 199 | +#else |
198 | q_unix->path = g_strdup(path); | 200 | q_unix->path = g_strdup(path); |
199 | +#endif | 201 | +#endif |
202 | q_unix->tight = tight; | ||
203 | q_unix->abstract = abstract; | ||
200 | } else if (host) { | 204 | } else if (host) { |
201 | addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET; | 205 | Index: qemu-5.1.0/chardev/char.c |
202 | addr->u.inet.data = g_new(InetSocketAddress, 1); | 206 | =================================================================== |
203 | diff --git a/chardev/char.c b/chardev/char.c | 207 | --- qemu-5.1.0.orig/chardev/char.c |
204 | index 7b6b2cb1..0c2ca64b 100644 | 208 | +++ qemu-5.1.0/chardev/char.c |
205 | --- a/chardev/char.c | 209 | @@ -826,6 +826,9 @@ QemuOptsList qemu_chardev_opts = { |
206 | +++ b/chardev/char.c | ||
207 | @@ -837,6 +837,9 @@ QemuOptsList qemu_chardev_opts = { | ||
208 | },{ | ||
209 | .name = "path", | 210 | .name = "path", |
210 | .type = QEMU_OPT_STRING, | 211 | .type = QEMU_OPT_STRING, |
211 | + },{ | 212 | },{ |
212 | + .name = "cmd", | 213 | + .name = "cmd", |
213 | + .type = QEMU_OPT_STRING, | 214 | + .type = QEMU_OPT_STRING, |
214 | },{ | 215 | + },{ |
215 | .name = "host", | 216 | .name = "host", |
216 | .type = QEMU_OPT_STRING, | 217 | .type = QEMU_OPT_STRING, |
217 | diff --git a/qapi/char.json b/qapi/char.json | 218 | },{ |
218 | index a6e81ac7..517962c6 100644 | 219 | Index: qemu-5.1.0/qapi/char.json |
219 | --- a/qapi/char.json | 220 | =================================================================== |
220 | +++ b/qapi/char.json | 221 | --- qemu-5.1.0.orig/qapi/char.json |
221 | @@ -247,6 +247,10 @@ | 222 | +++ qemu-5.1.0/qapi/char.json |
223 | @@ -250,6 +250,10 @@ | ||
222 | # | 224 | # |
223 | # @addr: socket address to listen on (server=true) | 225 | # @addr: socket address to listen on (server=true) |
224 | # or connect to (server=false) | 226 | # or connect to (server=false) |
@@ -229,7 +231,7 @@ index a6e81ac7..517962c6 100644 | |||
229 | # @tls-creds: the ID of the TLS credentials object (since 2.6) | 231 | # @tls-creds: the ID of the TLS credentials object (since 2.6) |
230 | # @tls-authz: the ID of the QAuthZ authorization object against which | 232 | # @tls-authz: the ID of the QAuthZ authorization object against which |
231 | # the client's x509 distinguished name will be validated. This | 233 | # the client's x509 distinguished name will be validated. This |
232 | @@ -272,6 +276,7 @@ | 234 | @@ -276,6 +280,7 @@ |
233 | ## | 235 | ## |
234 | { 'struct': 'ChardevSocket', | 236 | { 'struct': 'ChardevSocket', |
235 | 'data': { 'addr': 'SocketAddressLegacy', | 237 | 'data': { 'addr': 'SocketAddressLegacy', |
diff --git a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch index 89baad9b7f..034ac57821 100644 --- a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch +++ b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch | |||
@@ -29,11 +29,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com> | |||
29 | hw/intc/apic.c | 2 +- | 29 | hw/intc/apic.c | 2 +- |
30 | 1 file changed, 1 insertion(+), 1 deletion(-) | 30 | 1 file changed, 1 insertion(+), 1 deletion(-) |
31 | 31 | ||
32 | diff --git a/hw/intc/apic.c b/hw/intc/apic.c | 32 | Index: qemu-5.1.0/hw/intc/apic.c |
33 | index 2a74f7b4..4d5da365 100644 | 33 | =================================================================== |
34 | --- a/hw/intc/apic.c | 34 | --- qemu-5.1.0.orig/hw/intc/apic.c |
35 | +++ b/hw/intc/apic.c | 35 | +++ qemu-5.1.0/hw/intc/apic.c |
36 | @@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev) | 36 | @@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *de |
37 | APICCommonState *s = APIC(dev); | 37 | APICCommonState *s = APIC(dev); |
38 | uint32_t lvt0; | 38 | uint32_t lvt0; |
39 | 39 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch index 30bb4ddf26..d20f04ee59 100644 --- a/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch +++ b/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch | |||
@@ -18,11 +18,11 @@ Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> | |||
18 | linux-user/main.c | 2 +- | 18 | linux-user/main.c | 2 +- |
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | 19 | 1 file changed, 1 insertion(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/linux-user/main.c b/linux-user/main.c | 21 | Index: qemu-5.1.0/linux-user/main.c |
22 | index 6ff7851e..ebff0485 100644 | 22 | =================================================================== |
23 | --- a/linux-user/main.c | 23 | --- qemu-5.1.0.orig/linux-user/main.c |
24 | +++ b/linux-user/main.c | 24 | +++ qemu-5.1.0/linux-user/main.c |
25 | @@ -78,7 +78,7 @@ int have_guest_base; | 25 | @@ -92,7 +92,7 @@ static int last_log_mask; |
26 | (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32)) | 26 | (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32)) |
27 | /* There are a number of places where we assign reserved_va to a variable | 27 | /* There are a number of places where we assign reserved_va to a variable |
28 | of type abi_ulong and expect it to fit. Avoid the last page. */ | 28 | of type abi_ulong and expect it to fit. Avoid the last page. */ |
diff --git a/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch index eef3f3f97f..f2a44986b7 100644 --- a/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch +++ b/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch | |||
@@ -28,29 +28,29 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
28 | linux-user/syscall.c | 5 +---- | 28 | linux-user/syscall.c | 5 +---- |
29 | 4 files changed, 10 insertions(+), 23 deletions(-) | 29 | 4 files changed, 10 insertions(+), 23 deletions(-) |
30 | 30 | ||
31 | diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h | 31 | Index: qemu-5.1.0/include/exec/cpu-all.h |
32 | index 49384bb6..93b12519 100644 | 32 | =================================================================== |
33 | --- a/include/exec/cpu-all.h | 33 | --- qemu-5.1.0.orig/include/exec/cpu-all.h |
34 | +++ b/include/exec/cpu-all.h | 34 | +++ qemu-5.1.0/include/exec/cpu-all.h |
35 | @@ -162,12 +162,8 @@ extern unsigned long guest_base; | 35 | @@ -176,11 +176,8 @@ extern unsigned long reserved_va; |
36 | extern int have_guest_base; | 36 | * avoid setting bits at the top of guest addresses that might need |
37 | extern unsigned long reserved_va; | 37 | * to be used for tags. |
38 | 38 | */ | |
39 | -#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS | 39 | -#define GUEST_ADDR_MAX_ \ |
40 | -#define GUEST_ADDR_MAX (~0ul) | 40 | - ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ? \ |
41 | -#else | 41 | - UINT32_MAX : ~0ul) |
42 | -#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : \ | 42 | -#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_) |
43 | - | ||
43 | +#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \ | 44 | +#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \ |
44 | (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1) | 45 | + (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1) |
45 | -#endif | ||
46 | #else | 46 | #else |
47 | 47 | ||
48 | #include "exec/hwaddr.h" | 48 | #include "exec/hwaddr.h" |
49 | diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h | 49 | Index: qemu-5.1.0/include/exec/cpu_ldst.h |
50 | index 53de1975..cf19ed2e 100644 | 50 | =================================================================== |
51 | --- a/include/exec/cpu_ldst.h | 51 | --- qemu-5.1.0.orig/include/exec/cpu_ldst.h |
52 | +++ b/include/exec/cpu_ldst.h | 52 | +++ qemu-5.1.0/include/exec/cpu_ldst.h |
53 | @@ -70,7 +70,10 @@ typedef uint64_t abi_ptr; | 53 | @@ -75,7 +75,10 @@ typedef uint64_t abi_ptr; |
54 | #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS | 54 | #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS |
55 | #define guest_addr_valid(x) (1) | 55 | #define guest_addr_valid(x) (1) |
56 | #else | 56 | #else |
@@ -62,11 +62,11 @@ index 53de1975..cf19ed2e 100644 | |||
62 | #endif | 62 | #endif |
63 | #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) | 63 | #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) |
64 | 64 | ||
65 | diff --git a/linux-user/mmap.c b/linux-user/mmap.c | 65 | Index: qemu-5.1.0/linux-user/mmap.c |
66 | index e3780337..1d4aba95 100644 | 66 | =================================================================== |
67 | --- a/linux-user/mmap.c | 67 | --- qemu-5.1.0.orig/linux-user/mmap.c |
68 | +++ b/linux-user/mmap.c | 68 | +++ qemu-5.1.0/linux-user/mmap.c |
69 | @@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot) | 69 | @@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi |
70 | return -TARGET_EINVAL; | 70 | return -TARGET_EINVAL; |
71 | len = TARGET_PAGE_ALIGN(len); | 71 | len = TARGET_PAGE_ALIGN(len); |
72 | end = start + len; | 72 | end = start + len; |
@@ -75,18 +75,18 @@ index e3780337..1d4aba95 100644 | |||
75 | return -TARGET_ENOMEM; | 75 | return -TARGET_ENOMEM; |
76 | } | 76 | } |
77 | prot &= PROT_READ | PROT_WRITE | PROT_EXEC; | 77 | prot &= PROT_READ | PROT_WRITE | PROT_EXEC; |
78 | @@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, | 78 | @@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, ab |
79 | * It can fail only on 64-bit host with 32-bit target. | 79 | * It can fail only on 64-bit host with 32-bit target. |
80 | * On any other target/host host mmap() handles this error correctly. | 80 | * On any other target/host host mmap() handles this error correctly. |
81 | */ | 81 | */ |
82 | - if (!guest_range_valid(start, len)) { | 82 | - if (end < start || !guest_range_valid(start, len)) { |
83 | - errno = ENOMEM; | 83 | - errno = ENOMEM; |
84 | + if ((unsigned long)start + len - 1 > (abi_ulong) -1) { | 84 | + if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1)) { |
85 | + errno = EINVAL; | 85 | + errno = EINVAL; |
86 | goto fail; | 86 | goto fail; |
87 | } | 87 | } |
88 | 88 | ||
89 | @@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_ulong len) | 89 | @@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_u |
90 | if (start & ~TARGET_PAGE_MASK) | 90 | if (start & ~TARGET_PAGE_MASK) |
91 | return -TARGET_EINVAL; | 91 | return -TARGET_EINVAL; |
92 | len = TARGET_PAGE_ALIGN(len); | 92 | len = TARGET_PAGE_ALIGN(len); |
@@ -98,7 +98,7 @@ index e3780337..1d4aba95 100644 | |||
98 | mmap_lock(); | 98 | mmap_lock(); |
99 | end = start + len; | 99 | end = start + len; |
100 | real_start = start & qemu_host_page_mask; | 100 | real_start = start & qemu_host_page_mask; |
101 | @@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size, | 101 | @@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_add |
102 | int prot; | 102 | int prot; |
103 | void *host_addr; | 103 | void *host_addr; |
104 | 104 | ||
@@ -112,11 +112,11 @@ index e3780337..1d4aba95 100644 | |||
112 | mmap_lock(); | 112 | mmap_lock(); |
113 | 113 | ||
114 | if (flags & MREMAP_FIXED) { | 114 | if (flags & MREMAP_FIXED) { |
115 | diff --git a/linux-user/syscall.c b/linux-user/syscall.c | 115 | Index: qemu-5.1.0/linux-user/syscall.c |
116 | index 05f03919..d6f8cc97 100644 | 116 | =================================================================== |
117 | --- a/linux-user/syscall.c | 117 | --- qemu-5.1.0.orig/linux-user/syscall.c |
118 | +++ b/linux-user/syscall.c | 118 | +++ qemu-5.1.0/linux-user/syscall.c |
119 | @@ -4287,9 +4287,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env, | 119 | @@ -4336,9 +4336,6 @@ static inline abi_ulong do_shmat(CPUArch |
120 | return -TARGET_EINVAL; | 120 | return -TARGET_EINVAL; |
121 | } | 121 | } |
122 | } | 122 | } |
@@ -126,7 +126,7 @@ index 05f03919..d6f8cc97 100644 | |||
126 | 126 | ||
127 | mmap_lock(); | 127 | mmap_lock(); |
128 | 128 | ||
129 | @@ -7247,7 +7244,7 @@ static int open_self_maps(void *cpu_env, int fd) | 129 | @@ -7376,7 +7373,7 @@ static int open_self_maps(void *cpu_env, |
130 | const char *path; | 130 | const char *path; |
131 | 131 | ||
132 | max = h2g_valid(max - 1) ? | 132 | max = h2g_valid(max - 1) ? |
@@ -135,6 +135,3 @@ index 05f03919..d6f8cc97 100644 | |||
135 | 135 | ||
136 | if (page_check_range(h2g(min), max - min, flags) == -1) { | 136 | if (page_check_range(h2g(min), max - min, flags) == -1) { |
137 | continue; | 137 | continue; |
138 | -- | ||
139 | 2.24.0 | ||
140 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch index 34df78b7fe..d7e3fffdd0 100644 --- a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch +++ b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch | |||
@@ -14,11 +14,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com> | |||
14 | configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- | 14 | configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- |
15 | 1 file changed, 40 insertions(+), 8 deletions(-) | 15 | 1 file changed, 40 insertions(+), 8 deletions(-) |
16 | 16 | ||
17 | diff --git a/configure b/configure | 17 | Index: qemu-5.1.0/configure |
18 | index 72f11aca..cac271ce 100755 | 18 | =================================================================== |
19 | --- a/configure | 19 | --- qemu-5.1.0.orig/configure |
20 | +++ b/configure | 20 | +++ qemu-5.1.0/configure |
21 | @@ -2875,6 +2875,30 @@ has_libgcrypt() { | 21 | @@ -3084,6 +3084,30 @@ has_libgcrypt() { |
22 | return 0 | 22 | return 0 |
23 | } | 23 | } |
24 | 24 | ||
@@ -49,7 +49,7 @@ index 72f11aca..cac271ce 100755 | |||
49 | 49 | ||
50 | if test "$nettle" != "no"; then | 50 | if test "$nettle" != "no"; then |
51 | pass="no" | 51 | pass="no" |
52 | @@ -2915,7 +2939,14 @@ fi | 52 | @@ -3124,7 +3148,14 @@ fi |
53 | 53 | ||
54 | if test "$gcrypt" != "no"; then | 54 | if test "$gcrypt" != "no"; then |
55 | pass="no" | 55 | pass="no" |
@@ -65,7 +65,7 @@ index 72f11aca..cac271ce 100755 | |||
65 | gcrypt_cflags=$(libgcrypt-config --cflags) | 65 | gcrypt_cflags=$(libgcrypt-config --cflags) |
66 | gcrypt_libs=$(libgcrypt-config --libs) | 66 | gcrypt_libs=$(libgcrypt-config --libs) |
67 | # Debian has removed -lgpg-error from libgcrypt-config | 67 | # Debian has removed -lgpg-error from libgcrypt-config |
68 | @@ -2925,15 +2956,16 @@ if test "$gcrypt" != "no"; then | 68 | @@ -3134,15 +3165,16 @@ if test "$gcrypt" != "no"; then |
69 | then | 69 | then |
70 | gcrypt_libs="$gcrypt_libs -lgpg-error" | 70 | gcrypt_libs="$gcrypt_libs -lgpg-error" |
71 | fi | 71 | fi |
diff --git a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch deleted file mode 100644 index e5ebfc1267..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch +++ /dev/null | |||
@@ -1,74 +0,0 @@ | |||
1 | From 0a53e906510cce1f32bc04a11e81ea40f834dac4 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com> | ||
3 | Date: Wed, 12 Aug 2015 15:11:30 -0500 | ||
4 | Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails. | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Add custom_debug.h with function for print backtrace information. | ||
10 | When pthread_kill fails in qemu_cpu_kick_thread display backtrace and | ||
11 | current cpu information. | ||
12 | |||
13 | Upstream-Status: Inappropriate | ||
14 | Signed-off-by: AnÃbal Limón <anibal.limon@linux.intel.com> | ||
15 | |||
16 | --- | ||
17 | cpus.c | 5 +++++ | ||
18 | custom_debug.h | 24 ++++++++++++++++++++++++ | ||
19 | 2 files changed, 29 insertions(+) | ||
20 | create mode 100644 custom_debug.h | ||
21 | |||
22 | diff --git a/cpus.c b/cpus.c | ||
23 | index e83f72b4..e6e2576e 100644 | ||
24 | --- a/cpus.c | ||
25 | +++ b/cpus.c | ||
26 | @@ -1769,6 +1769,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg) | ||
27 | return NULL; | ||
28 | } | ||
29 | |||
30 | +#include "custom_debug.h" | ||
31 | + | ||
32 | static void qemu_cpu_kick_thread(CPUState *cpu) | ||
33 | { | ||
34 | #ifndef _WIN32 | ||
35 | @@ -1781,6 +1783,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu) | ||
36 | err = pthread_kill(cpu->thread->thread, SIG_IPI); | ||
37 | if (err && err != ESRCH) { | ||
38 | fprintf(stderr, "qemu:%s: %s", __func__, strerror(err)); | ||
39 | + fprintf(stderr, "CPU #%d:\n", cpu->cpu_index); | ||
40 | + cpu_dump_state(cpu, stderr, 0); | ||
41 | + backtrace_print(); | ||
42 | exit(1); | ||
43 | } | ||
44 | #else /* _WIN32 */ | ||
45 | diff --git a/custom_debug.h b/custom_debug.h | ||
46 | new file mode 100644 | ||
47 | index 00000000..f029e455 | ||
48 | --- /dev/null | ||
49 | +++ b/custom_debug.h | ||
50 | @@ -0,0 +1,24 @@ | ||
51 | +#include <execinfo.h> | ||
52 | +#include <stdio.h> | ||
53 | +#define BACKTRACE_MAX 128 | ||
54 | +static void backtrace_print(void) | ||
55 | +{ | ||
56 | + int nfuncs = 0; | ||
57 | + void *buf[BACKTRACE_MAX]; | ||
58 | + char **symbols; | ||
59 | + int i; | ||
60 | + | ||
61 | + nfuncs = backtrace(buf, BACKTRACE_MAX); | ||
62 | + | ||
63 | + symbols = backtrace_symbols(buf, nfuncs); | ||
64 | + if (symbols == NULL) { | ||
65 | + fprintf(stderr, "backtrace_print failed to get symbols"); | ||
66 | + return; | ||
67 | + } | ||
68 | + | ||
69 | + fprintf(stderr, "Backtrace ...\n"); | ||
70 | + for (i = 0; i < nfuncs; i++) | ||
71 | + fprintf(stderr, "%s\n", symbols[i]); | ||
72 | + | ||
73 | + free(symbols); | ||
74 | +} | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch deleted file mode 100644 index 19f26ae5b0..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch +++ /dev/null | |||
@@ -1,151 +0,0 @@ | |||
1 | From 5c4fe018c025740fef4a0a4421e8162db0c3eefd Mon Sep 17 00:00:00 2001 | ||
2 | From: Eric Blake <eblake@redhat.com> | ||
3 | Date: Mon, 8 Jun 2020 13:26:37 -0500 | ||
4 | Subject: [PATCH] nbd/server: Avoid long error message assertions | ||
5 | CVE-2020-10761 | ||
6 | |||
7 | Ever since commit 36683283 (v2.8), the server code asserts that error | ||
8 | strings sent to the client are well-formed per the protocol by not | ||
9 | exceeding the maximum string length of 4096. At the time the server | ||
10 | first started sending error messages, the assertion could not be | ||
11 | triggered, because messages were completely under our control. | ||
12 | However, over the years, we have added latent scenarios where a client | ||
13 | could trigger the server to attempt an error message that would | ||
14 | include the client's information if it passed other checks first: | ||
15 | |||
16 | - requesting NBD_OPT_INFO/GO on an export name that is not present | ||
17 | (commit 0cfae925 in v2.12 echoes the name) | ||
18 | |||
19 | - requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is | ||
20 | not present (commit e7b1948d in v2.12 echoes the name) | ||
21 | |||
22 | At the time, those were still safe because we flagged names larger | ||
23 | than 256 bytes with a different message; but that changed in commit | ||
24 | 93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD | ||
25 | string limit. (That commit also failed to change the magic number | ||
26 | 4096 in nbd_negotiate_send_rep_err to the just-introduced named | ||
27 | constant.) So with that commit, long client names appended to server | ||
28 | text can now trigger the assertion, and thus be used as a denial of | ||
29 | service attack against a server. As a mitigating factor, if the | ||
30 | server requires TLS, the client cannot trigger the problematic paths | ||
31 | unless it first supplies TLS credentials, and such trusted clients are | ||
32 | less likely to try to intentionally crash the server. | ||
33 | |||
34 | We may later want to further sanitize the user-supplied strings we | ||
35 | place into our error messages, such as scrubbing out control | ||
36 | characters, but that is less important to the CVE fix, so it can be a | ||
37 | later patch to the new nbd_sanitize_name. | ||
38 | |||
39 | Consideration was given to changing the assertion in | ||
40 | nbd_negotiate_send_rep_verr to instead merely log a server error and | ||
41 | truncate the message, to avoid leaving a latent path that could | ||
42 | trigger a future CVE DoS on any new error message. However, this | ||
43 | merely complicates the code for something that is already (correctly) | ||
44 | flagging coding errors, and now that we are aware of the long message | ||
45 | pitfall, we are less likely to introduce such errors in the future, | ||
46 | which would make such error handling dead code. | ||
47 | |||
48 | Reported-by: Xueqiang Wei <xuwei@redhat.com> | ||
49 | CC: qemu-stable@nongnu.org | ||
50 | Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761 | ||
51 | Fixes: 93676c88d7 | ||
52 | Signed-off-by: Eric Blake <eblake@redhat.com> | ||
53 | Message-Id: <20200610163741.3745251-2-eblake@redhat.com> | ||
54 | Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> | ||
55 | |||
56 | Upstream-Status: Backport [https://github.com/qemu/qemu/commit/5c4fe018c025740fef4a0a4421e8162db0c3eefd] | ||
57 | CVE: CVE-2020-10761 | ||
58 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
59 | |||
60 | --- | ||
61 | nbd/server.c | 23 ++++++++++++++++++++--- | ||
62 | tests/qemu-iotests/143 | 4 ++++ | ||
63 | tests/qemu-iotests/143.out | 2 ++ | ||
64 | 3 files changed, 26 insertions(+), 3 deletions(-) | ||
65 | |||
66 | diff --git a/nbd/server.c b/nbd/server.c | ||
67 | index 02b1ed08014..20754e9ebc3 100644 | ||
68 | --- a/nbd/server.c | ||
69 | +++ b/nbd/server.c | ||
70 | @@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, | ||
71 | |||
72 | msg = g_strdup_vprintf(fmt, va); | ||
73 | len = strlen(msg); | ||
74 | - assert(len < 4096); | ||
75 | + assert(len < NBD_MAX_STRING_SIZE); | ||
76 | trace_nbd_negotiate_send_rep_err(msg); | ||
77 | ret = nbd_negotiate_send_rep_len(client, type, len, errp); | ||
78 | if (ret < 0) { | ||
79 | @@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, | ||
80 | return 0; | ||
81 | } | ||
82 | |||
83 | +/* | ||
84 | + * Return a malloc'd copy of @name suitable for use in an error reply. | ||
85 | + */ | ||
86 | +static char * | ||
87 | +nbd_sanitize_name(const char *name) | ||
88 | +{ | ||
89 | + if (strnlen(name, 80) < 80) { | ||
90 | + return g_strdup(name); | ||
91 | + } | ||
92 | + /* XXX Should we also try to sanitize any control characters? */ | ||
93 | + return g_strdup_printf("%.80s...", name); | ||
94 | +} | ||
95 | + | ||
96 | /* Send an error reply. | ||
97 | * Return -errno on error, 0 on success. */ | ||
98 | static int GCC_FMT_ATTR(4, 5) | ||
99 | @@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp) | ||
100 | |||
101 | exp = nbd_export_find(name); | ||
102 | if (!exp) { | ||
103 | + g_autofree char *sane_name = nbd_sanitize_name(name); | ||
104 | + | ||
105 | return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN, | ||
106 | errp, "export '%s' not present", | ||
107 | - name); | ||
108 | + sane_name); | ||
109 | } | ||
110 | |||
111 | /* Don't bother sending NBD_INFO_NAME unless client requested it */ | ||
112 | @@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client, | ||
113 | |||
114 | meta->exp = nbd_export_find(export_name); | ||
115 | if (meta->exp == NULL) { | ||
116 | + g_autofree char *sane_name = nbd_sanitize_name(export_name); | ||
117 | + | ||
118 | return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp, | ||
119 | - "export '%s' not present", export_name); | ||
120 | + "export '%s' not present", sane_name); | ||
121 | } | ||
122 | |||
123 | ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp); | ||
124 | diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143 | ||
125 | index f649b361950..d2349903b1b 100755 | ||
126 | --- a/tests/qemu-iotests/143 | ||
127 | +++ b/tests/qemu-iotests/143 | ||
128 | @@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \ | ||
129 | $QEMU_IO_PROG -f raw -c quit \ | ||
130 | "nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \ | ||
131 | | _filter_qemu_io | _filter_nbd | ||
132 | +# Likewise, with longest possible name permitted in NBD protocol | ||
133 | +$QEMU_IO_PROG -f raw -c quit \ | ||
134 | + "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \ | ||
135 | + | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/' | ||
136 | |||
137 | _send_qemu_cmd $QEMU_HANDLE \ | ||
138 | "{ 'execute': 'quit' }" \ | ||
139 | diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out | ||
140 | index 1f4001c6013..fc9c0a761fa 100644 | ||
141 | --- a/tests/qemu-iotests/143.out | ||
142 | +++ b/tests/qemu-iotests/143.out | ||
143 | @@ -5,6 +5,8 @@ QA output created by 143 | ||
144 | {"return": {}} | ||
145 | qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available | ||
146 | server reported: export 'no_such_export' not present | ||
147 | +qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available | ||
148 | +server reported: export 'aa--aa...' not present | ||
149 | { 'execute': 'quit' } | ||
150 | {"return": {}} | ||
151 | {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch deleted file mode 100644 index e0acc70f3c..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch +++ /dev/null | |||
@@ -1,61 +0,0 @@ | |||
1 | From 369ff955a8497988d079c4e3fa1e93c2570c1c69 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Fri, 15 May 2020 01:36:08 +0530 | ||
4 | Subject: [PATCH] es1370: check total frame count against current frame | ||
5 | |||
6 | A guest user may set channel frame count via es1370_write() | ||
7 | such that, in es1370_transfer_audio(), total frame count | ||
8 | 'size' is lesser than the number of frames that are processed | ||
9 | 'cnt'. | ||
10 | |||
11 | int cnt = d->frame_cnt >> 16; | ||
12 | int size = d->frame_cnt & 0xffff; | ||
13 | |||
14 | if (size < cnt), it results in incorrect calculations leading | ||
15 | to OOB access issue(s). Add check to avoid it. | ||
16 | |||
17 | Reported-by: Ren Ding <rding@gatech.edu> | ||
18 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> | ||
19 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
20 | Message-id: 20200514200608.1744203-1-ppandit@redhat.com | ||
21 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
22 | |||
23 | Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html] | ||
24 | CVE: CVE-2020-13361 | ||
25 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
26 | --- | ||
27 | hw/audio/es1370.c | 7 +++++-- | ||
28 | 1 file changed, 5 insertions(+), 2 deletions(-) | ||
29 | |||
30 | diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c | ||
31 | index 89c4dabcd44..5f8a83ff562 100644 | ||
32 | --- a/hw/audio/es1370.c | ||
33 | +++ b/hw/audio/es1370.c | ||
34 | @@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, | ||
35 | int csc_bytes = (csc + 1) << d->shift; | ||
36 | int cnt = d->frame_cnt >> 16; | ||
37 | int size = d->frame_cnt & 0xffff; | ||
38 | + if (size < cnt) { | ||
39 | + return; | ||
40 | + } | ||
41 | int left = ((size - cnt + 1) << 2) + d->leftover; | ||
42 | int transferred = 0; | ||
43 | int temp = MIN (max, MIN (left, csc_bytes)); | ||
44 | @@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, | ||
45 | addr += (cnt << 2) + d->leftover; | ||
46 | |||
47 | if (index == ADC_CHANNEL) { | ||
48 | - while (temp) { | ||
49 | + while (temp > 0) { | ||
50 | int acquired, to_copy; | ||
51 | |||
52 | to_copy = MIN ((size_t) temp, sizeof (tmpbuf)); | ||
53 | @@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel, | ||
54 | else { | ||
55 | SWVoiceOut *voice = s->dac_voice[index]; | ||
56 | |||
57 | - while (temp) { | ||
58 | + while (temp > 0) { | ||
59 | int copied, to_copy; | ||
60 | |||
61 | to_copy = MIN ((size_t) temp, sizeof (tmpbuf)); | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch deleted file mode 100644 index af8d4ba8f4..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch +++ /dev/null | |||
@@ -1,55 +0,0 @@ | |||
1 | From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 14 May 2020 00:55:38 +0530 | ||
4 | Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check | ||
5 | index | ||
6 | |||
7 | A guest user may set 'reply_queue_head' field of MegasasState to | ||
8 | a negative value. Later in 'megasas_lookup_frame' it is used to | ||
9 | index into s->frames[] array. Use unsigned type to avoid OOB | ||
10 | access issue. | ||
11 | |||
12 | Also check that 'index' value stays within s->frames[] bounds | ||
13 | through the while() loop in 'megasas_lookup_frame' to avoid OOB | ||
14 | access. | ||
15 | |||
16 | Reported-by: Ren Ding <rding@gatech.edu> | ||
17 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> | ||
18 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
19 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
20 | Acked-by: Alexander Bulekov <alxndr@bu.edu> | ||
21 | Message-Id: <20200513192540.1583887-2-ppandit@redhat.com> | ||
22 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
23 | |||
24 | Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661] | ||
25 | CVE: CVE-2020-13362 | ||
26 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
27 | --- | ||
28 | hw/scsi/megasas.c | 4 ++-- | ||
29 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
30 | |||
31 | diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c | ||
32 | index af18c88b65..6ce598cd69 100644 | ||
33 | --- a/hw/scsi/megasas.c | ||
34 | +++ b/hw/scsi/megasas.c | ||
35 | @@ -112,7 +112,7 @@ typedef struct MegasasState { | ||
36 | uint64_t reply_queue_pa; | ||
37 | void *reply_queue; | ||
38 | int reply_queue_len; | ||
39 | - int reply_queue_head; | ||
40 | + uint16_t reply_queue_head; | ||
41 | int reply_queue_tail; | ||
42 | uint64_t consumer_pa; | ||
43 | uint64_t producer_pa; | ||
44 | @@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s, | ||
45 | |||
46 | index = s->reply_queue_head; | ||
47 | |||
48 | - while (num < s->fw_cmds) { | ||
49 | + while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) { | ||
50 | if (s->frames[index].pa && s->frames[index].pa == frame) { | ||
51 | cmd = &s->frames[index]; | ||
52 | break; | ||
53 | -- | ||
54 | 2.20.1 | ||
55 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch deleted file mode 100644 index 4d12ae8f16..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch +++ /dev/null | |||
@@ -1,58 +0,0 @@ | |||
1 | From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Tue, 26 May 2020 16:47:43 +0530 | ||
4 | Subject: [PATCH] exec: set map length to zero when returning NULL | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | When mapping physical memory into host's virtual address space, | ||
10 | 'address_space_map' may return NULL if BounceBuffer is in_use. | ||
11 | Set and return '*plen = 0' to avoid later NULL pointer dereference. | ||
12 | |||
13 | Reported-by: Alexander Bulekov <alxndr@bu.edu> | ||
14 | Fixes: https://bugs.launchpad.net/qemu/+bug/1878259 | ||
15 | Suggested-by: Paolo Bonzini <pbonzini@redhat.com> | ||
16 | Suggested-by: Peter Maydell <peter.maydell@linaro.org> | ||
17 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
18 | Message-Id: <20200526111743.428367-1-ppandit@redhat.com> | ||
19 | Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
20 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
21 | |||
22 | Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82] | ||
23 | CVE: CVE-2020-13659 | ||
24 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
25 | --- | ||
26 | exec.c | 1 + | ||
27 | include/exec/memory.h | 3 ++- | ||
28 | 2 files changed, 3 insertions(+), 1 deletion(-) | ||
29 | |||
30 | diff --git a/exec.c b/exec.c | ||
31 | index 9cbde85d8c..778263f1c6 100644 | ||
32 | --- a/exec.c | ||
33 | +++ b/exec.c | ||
34 | @@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as, | ||
35 | |||
36 | if (!memory_access_is_direct(mr, is_write)) { | ||
37 | if (atomic_xchg(&bounce.in_use, true)) { | ||
38 | + *plen = 0; | ||
39 | return NULL; | ||
40 | } | ||
41 | /* Avoid unbounded allocations */ | ||
42 | diff --git a/include/exec/memory.h b/include/exec/memory.h | ||
43 | index bd7fdd6081..af8ca7824e 100644 | ||
44 | --- a/include/exec/memory.h | ||
45 | +++ b/include/exec/memory.h | ||
46 | @@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, | ||
47 | /* address_space_map: map a physical memory region into a host virtual address | ||
48 | * | ||
49 | * May map a subset of the requested range, given by and returned in @plen. | ||
50 | - * May return %NULL if resources needed to perform the mapping are exhausted. | ||
51 | + * May return %NULL and set *@plen to zero(0), if resources needed to perform | ||
52 | + * the mapping are exhausted. | ||
53 | * Use only for reads OR writes - not for read-modify-write operations. | ||
54 | * Use cpu_register_map_client() to know when retrying the map operation is | ||
55 | * likely to succeed. | ||
56 | -- | ||
57 | 2.20.1 | ||
58 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch deleted file mode 100644 index 049dab914d..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch +++ /dev/null | |||
@@ -1,53 +0,0 @@ | |||
1 | From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 4 Jun 2020 17:05:25 +0530 | ||
4 | Subject: [PATCH] pci: assert configuration access is within bounds | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | While accessing PCI configuration bytes, assert that | ||
10 | 'address + len' is within PCI configuration space. | ||
11 | |||
12 | Generally it is within bounds. This is more of a defensive | ||
13 | assert, in case a buggy device was to send 'address' which | ||
14 | may go out of bounds. | ||
15 | |||
16 | Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
17 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
18 | Message-Id: <20200604113525.58898-1-ppandit@redhat.com> | ||
19 | Reviewed-by: Michael S. Tsirkin <mst@redhat.com> | ||
20 | Signed-off-by: Michael S. Tsirkin <mst@redhat.com> | ||
21 | |||
22 | Upstream-Status: Backport [f7d6a635fa3b7797f9d072e280f065bf3cfcd24d] | ||
23 | CVE: CVE-2020-13791 | ||
24 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
25 | --- | ||
26 | hw/pci/pci.c | 4 ++++ | ||
27 | 1 file changed, 4 insertions(+) | ||
28 | |||
29 | diff --git a/hw/pci/pci.c b/hw/pci/pci.c | ||
30 | index 70c66965f5..7bf2ae6d92 100644 | ||
31 | --- a/hw/pci/pci.c | ||
32 | +++ b/hw/pci/pci.c | ||
33 | @@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d, | ||
34 | { | ||
35 | uint32_t val = 0; | ||
36 | |||
37 | + assert(address + len <= pci_config_size(d)); | ||
38 | + | ||
39 | if (pci_is_express_downstream_port(d) && | ||
40 | ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { | ||
41 | pcie_sync_bridge_lnk(d); | ||
42 | @@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int | ||
43 | int i, was_irq_disabled = pci_irq_disabled(d); | ||
44 | uint32_t val = val_in; | ||
45 | |||
46 | + assert(addr + l <= pci_config_size(d)); | ||
47 | + | ||
48 | for (i = 0; i < l; val >>= 8, ++i) { | ||
49 | uint8_t wmask = d->wmask[addr + i]; | ||
50 | uint8_t w1cmask = d->w1cmask[addr + i]; | ||
51 | -- | ||
52 | 2.20.1 | ||
53 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch deleted file mode 100644 index 52bfafbbae..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 4 Jun 2020 14:38:30 +0530 | ||
4 | Subject: [PATCH] ati-vga: check mm_index before recursive call | ||
5 | (CVE-2020-13800) | ||
6 | MIME-Version: 1.0 | ||
7 | Content-Type: text/plain; charset=UTF-8 | ||
8 | Content-Transfer-Encoding: 8bit | ||
9 | |||
10 | While accessing VGA registers via ati_mm_read/write routines, | ||
11 | a guest may set 's->regs.mm_index' such that it leads to infinite | ||
12 | recursion. Check mm_index value to avoid such recursion. Log an | ||
13 | error message for wrong values. | ||
14 | |||
15 | Reported-by: Ren Ding <rding@gatech.edu> | ||
16 | Reported-by: Hanqing Zhao <hanqing@gatech.edu> | ||
17 | Reported-by: Yi Ren <c4tren@gmail.com> | ||
18 | Message-id: 20200604090830.33885-1-ppandit@redhat.com | ||
19 | Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> | ||
20 | Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> | ||
21 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
22 | Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> | ||
23 | |||
24 | Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455] | ||
25 | CVE: CVE-2020-13800 | ||
26 | Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | ||
27 | --- | ||
28 | hw/display/ati.c | 10 ++++++++-- | ||
29 | 1 file changed, 8 insertions(+), 2 deletions(-) | ||
30 | |||
31 | diff --git a/hw/display/ati.c b/hw/display/ati.c | ||
32 | index 065f197678..67604e68de 100644 | ||
33 | --- a/hw/display/ati.c | ||
34 | +++ b/hw/display/ati.c | ||
35 | @@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) | ||
36 | if (idx <= s->vga.vram_size - size) { | ||
37 | val = ldn_le_p(s->vga.vram_ptr + idx, size); | ||
38 | } | ||
39 | - } else { | ||
40 | + } else if (s->regs.mm_index > MM_DATA + 3) { | ||
41 | val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); | ||
42 | + } else { | ||
43 | + qemu_log_mask(LOG_GUEST_ERROR, | ||
44 | + "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); | ||
45 | } | ||
46 | break; | ||
47 | case BIOS_0_SCRATCH ... BUS_CNTL - 1: | ||
48 | @@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, | ||
49 | if (idx <= s->vga.vram_size - size) { | ||
50 | stn_le_p(s->vga.vram_ptr + idx, size, data); | ||
51 | } | ||
52 | - } else { | ||
53 | + } else if (s->regs.mm_index > MM_DATA + 3) { | ||
54 | ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); | ||
55 | + } else { | ||
56 | + qemu_log_mask(LOG_GUEST_ERROR, | ||
57 | + "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); | ||
58 | } | ||
59 | break; | ||
60 | case BIOS_0_SCRATCH ... BUS_CNTL - 1: | ||
61 | -- | ||
62 | 2.20.1 | ||
63 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch deleted file mode 100644 index 1505c7eed0..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch +++ /dev/null | |||
@@ -1,63 +0,0 @@ | |||
1 | From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mauro Matteo Cascella <mcascell@redhat.com> | ||
3 | Date: Fri, 10 Jul 2020 11:19:41 +0200 | ||
4 | Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() | ||
5 | |||
6 | A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It | ||
7 | occurs while sending an Ethernet frame due to missing break statements | ||
8 | and improper checking of the buffer size. | ||
9 | |||
10 | Reported-by: Ziming Zhang <ezrakiez@gmail.com> | ||
11 | Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
12 | Reviewed-by: Peter Maydell <peter.maydell@linaro.org> | ||
13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
14 | |||
15 | Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555] | ||
16 | CVE: CVE-2020-15863 | ||
17 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
18 | |||
19 | --- | ||
20 | hw/net/xgmac.c | 14 ++++++++++++-- | ||
21 | 1 file changed, 12 insertions(+), 2 deletions(-) | ||
22 | |||
23 | diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c | ||
24 | index 574dd47..5bf1b61 100644 | ||
25 | --- a/hw/net/xgmac.c | ||
26 | +++ b/hw/net/xgmac.c | ||
27 | @@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s) | ||
28 | } | ||
29 | len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); | ||
30 | |||
31 | + /* | ||
32 | + * FIXME: these cases of malformed tx descriptors (bad sizes) | ||
33 | + * should probably be reported back to the guest somehow | ||
34 | + * rather than simply silently stopping processing, but we | ||
35 | + * don't know what the hardware does in this situation. | ||
36 | + * This will only happen for buggy guests anyway. | ||
37 | + */ | ||
38 | if ((bd.buffer1_size & 0xfff) > 2048) { | ||
39 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
40 | "xgmac buffer 1 len on send > 2048 (0x%x)\n", | ||
41 | __func__, bd.buffer1_size & 0xfff); | ||
42 | + break; | ||
43 | } | ||
44 | if ((bd.buffer2_size & 0xfff) != 0) { | ||
45 | DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " | ||
46 | "xgmac buffer 2 len on send != 0 (0x%x)\n", | ||
47 | __func__, bd.buffer2_size & 0xfff); | ||
48 | + break; | ||
49 | } | ||
50 | - if (len >= sizeof(frame)) { | ||
51 | + if (frame_size + len >= sizeof(frame)) { | ||
52 | DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " | ||
53 | - "buffer\n" , __func__, len, sizeof(frame)); | ||
54 | + "buffer\n" , __func__, frame_size + len, sizeof(frame)); | ||
55 | DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n", | ||
56 | __func__, bd.buffer1_size, bd.buffer2_size); | ||
57 | + break; | ||
58 | } | ||
59 | |||
60 | cpu_physical_memory_read(bd.buffer1_addr, ptr, len); | ||
61 | -- | ||
62 | 1.8.3.1 | ||
63 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/find_datadir.patch b/meta/recipes-devtools/qemu/qemu/find_datadir.patch index 74e9ba56ce..9a4c11267a 100644 --- a/meta/recipes-devtools/qemu/qemu/find_datadir.patch +++ b/meta/recipes-devtools/qemu/qemu/find_datadir.patch | |||
@@ -9,8 +9,10 @@ Upstream-Status: Submitted [qemu-devel@nongnu.org] | |||
9 | Signed-off-by: Joe Slater <joe.slater@windriver.com> | 9 | Signed-off-by: Joe Slater <joe.slater@windriver.com> |
10 | 10 | ||
11 | 11 | ||
12 | --- a/os-posix.c | 12 | Index: qemu-5.1.0/os-posix.c |
13 | +++ b/os-posix.c | 13 | =================================================================== |
14 | --- qemu-5.1.0.orig/os-posix.c | ||
15 | +++ qemu-5.1.0/os-posix.c | ||
14 | @@ -82,8 +82,9 @@ void os_setup_signal_handling(void) | 16 | @@ -82,8 +82,9 @@ void os_setup_signal_handling(void) |
15 | 17 | ||
16 | /* | 18 | /* |
@@ -19,10 +21,10 @@ Signed-off-by: Joe Slater <joe.slater@windriver.com> | |||
19 | * When running from the build tree this will be "$bindir/../pc-bios". | 21 | * When running from the build tree this will be "$bindir/../pc-bios". |
20 | - * Otherwise, this is CONFIG_QEMU_DATADIR. | 22 | - * Otherwise, this is CONFIG_QEMU_DATADIR. |
21 | + * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure. | 23 | + * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure. |
22 | */ | 24 | * |
23 | char *os_find_datadir(void) | 25 | * The caller must use g_free() to free the returned data when it is |
24 | { | 26 | * no longer required. |
25 | @@ -93,6 +94,12 @@ char *os_find_datadir(void) | 27 | @@ -96,6 +97,12 @@ char *os_find_datadir(void) |
26 | exec_dir = qemu_get_exec_dir(); | 28 | exec_dir = qemu_get_exec_dir(); |
27 | g_return_val_if_fail(exec_dir != NULL, NULL); | 29 | g_return_val_if_fail(exec_dir != NULL, NULL); |
28 | 30 | ||
diff --git a/meta/recipes-devtools/qemu/qemu_5.0.0.bb b/meta/recipes-devtools/qemu/qemu_5.1.0.bb index 9b09490269..9b09490269 100644 --- a/meta/recipes-devtools/qemu/qemu_5.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_5.1.0.bb | |||