summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-15 15:57:03 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-16 08:29:59 +0100
commitd9aa32dbf9145d25565a17ac39b186e332ed9a12 (patch)
tree5d1c158c2e9c06265965641f638372a1e63c5135 /meta
parenta9e49336dcddf8b2a43116e7850c3e731786fb86 (diff)
downloadpoky-d9aa32dbf9145d25565a17ac39b186e332ed9a12.tar.gz
qemu: Upgrade 5.2.0 -> 6.0.0
Building without PIE support seems broken upstream, enable it by default to match the configuration others evidently use. Tweak git submodule option to match upstream. Drop backported/merged patches, refresh others. (From OE-Core rev: ede1b86e663f1cafccc8aa8c35fa13ebd3f55d11) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/conf/distro/include/tcmode-default.inc2
-rw-r--r--meta/recipes-devtools/qemu/qemu-native_6.0.0.bb (renamed from meta/recipes-devtools/qemu/qemu-native_5.2.0.bb)2
-rw-r--r--meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb (renamed from meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb)2
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc35
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch10
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch31
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch6
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch10
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch15
-rw-r--r--meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch12
-rw-r--r--meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch8
-rw-r--r--meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch32
-rw-r--r--meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch8
-rw-r--r--meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch12
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch143
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch107
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch153
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch117
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch303
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch81
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch73
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch70
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch55
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch214
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch89
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch56
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch92
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch109
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch75
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch56
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch99
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch177
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch42
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch43
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch45
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch44
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch46
-rw-r--r--meta/recipes-devtools/qemu/qemu/cross.patch12
-rw-r--r--meta/recipes-devtools/qemu/qemu/determinism.patch29
-rw-r--r--meta/recipes-devtools/qemu/qemu/mingwfix.patch21
-rw-r--r--meta/recipes-devtools/qemu/qemu/mmap.patch29
-rw-r--r--meta/recipes-devtools/qemu/qemu/mmap2.patch25
-rw-r--r--meta/recipes-devtools/qemu/qemu_6.0.0.bb (renamed from meta/recipes-devtools/qemu/qemu_5.2.0.bb)4
47 files changed, 99 insertions, 2670 deletions
diff --git a/meta/conf/distro/include/tcmode-default.inc b/meta/conf/distro/include/tcmode-default.inc
index a0c35eed09..c6e5ac61d7 100644
--- a/meta/conf/distro/include/tcmode-default.inc
+++ b/meta/conf/distro/include/tcmode-default.inc
@@ -22,7 +22,7 @@ BINUVERSION ?= "2.36%"
22GDBVERSION ?= "10.%" 22GDBVERSION ?= "10.%"
23GLIBCVERSION ?= "2.33" 23GLIBCVERSION ?= "2.33"
24LINUXLIBCVERSION ?= "5.10%" 24LINUXLIBCVERSION ?= "5.10%"
25QEMUVERSION ?= "5.2%" 25QEMUVERSION ?= "6.0%"
26GOVERSION ?= "1.16%" 26GOVERSION ?= "1.16%"
27# This can not use wildcards like 8.0.% since it is also used in mesa to denote 27# This can not use wildcards like 8.0.% since it is also used in mesa to denote
28# llvm version being used, so always bump it with llvm recipe version bump 28# llvm version being used, so always bump it with llvm recipe version bump
diff --git a/meta/recipes-devtools/qemu/qemu-native_5.2.0.bb b/meta/recipes-devtools/qemu/qemu-native_6.0.0.bb
index c8acff8e19..d23d7a8ada 100644
--- a/meta/recipes-devtools/qemu/qemu-native_5.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_6.0.0.bb
@@ -6,4 +6,4 @@ require qemu-native.inc
6 6
7EXTRA_OECONF_append = " --target-list=${@get_qemu_usermode_target_list(d)} --disable-tools --disable-blobs --disable-guest-agent" 7EXTRA_OECONF_append = " --target-list=${@get_qemu_usermode_target_list(d)} --disable-tools --disable-blobs --disable-guest-agent"
8 8
9PACKAGECONFIG ??= "" 9PACKAGECONFIG ??= "pie"
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb
index 390dadea48..9d7d0cdceb 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_5.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_6.0.0.bb
@@ -11,7 +11,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native"
11 11
12EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}" 12EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}"
13 13
14PACKAGECONFIG ??= "fdt alsa kvm \ 14PACKAGECONFIG ??= "fdt alsa kvm pie \
15 ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \ 15 ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
16" 16"
17 17
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 74c53c6309..0cbd66301e 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -25,43 +25,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
25 file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ 25 file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
26 file://0001-Add-enable-disable-udev.patch \ 26 file://0001-Add-enable-disable-udev.patch \
27 file://0001-qemu-Do-not-include-file-if-not-exists.patch \ 27 file://0001-qemu-Do-not-include-file-if-not-exists.patch \
28 file://mingwfix.patch \
29 file://mmap.patch \
30 file://mmap2.patch \ 28 file://mmap2.patch \
31 file://determinism.patch \ 29 file://determinism.patch \
32 file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \ 30 file://0001-tests-meson.build-use-relative-path-to-refer-to-file.patch \
33 file://CVE-2021-20203.patch \
34 file://CVE-2020-35517_1.patch \
35 file://CVE-2020-35517_2.patch \
36 file://CVE-2020-35517_3.patch \
37 file://CVE-2021-20181.patch \
38 file://CVE-2020-29443.patch \
39 file://CVE-2021-20221.patch \
40 file://CVE-2021-3409_1.patch \
41 file://CVE-2021-3409_2.patch \
42 file://CVE-2021-3409_3.patch \
43 file://CVE-2021-3409_4.patch \
44 file://CVE-2021-3409_5.patch \
45 file://CVE-2021-3409_6.patch \
46 file://CVE-2021-3416_1.patch \
47 file://CVE-2021-3416_2.patch \
48 file://CVE-2021-3416_3.patch \
49 file://CVE-2021-3416_4.patch \
50 file://CVE-2021-3416_5.patch \
51 file://CVE-2021-3416_6.patch \
52 file://CVE-2021-3416_7.patch \
53 file://CVE-2021-3416_8.patch \
54 file://CVE-2021-3416_9.patch \
55 file://CVE-2021-3416_10.patch \
56 file://CVE-2021-20257.patch \
57 file://CVE-2020-27821.patch \
58 file://CVE-2021-20263.patch \
59 file://CVE-2021-3392.patch \
60 file://0001-configure-fix-detection-of-gdbus-codegen.patch \ 31 file://0001-configure-fix-detection-of-gdbus-codegen.patch \
61 " 32 "
62UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" 33UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
63 34
64SRC_URI[sha256sum] = "cb18d889b628fbe637672b0326789d9b0e3b8027e0445b936537c78549df17bc" 35SRC_URI[sha256sum] = "87bc1a471ca24b97e7005711066007d443423d19aacda3d442558ae032fa30b9"
65 36
66SRC_URI_append_class-target = " file://cross.patch" 37SRC_URI_append_class-target = " file://cross.patch"
67SRC_URI_append_class-nativesdk = " file://cross.patch" 38SRC_URI_append_class-nativesdk = " file://cross.patch"
@@ -94,8 +65,6 @@ do_install_ptest() {
94 find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcodp]" | xargs -i rm -rf {} 65 find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcodp]" | xargs -i rm -rf {}
95 66
96 # Don't check the file genreated by configure 67 # Don't check the file genreated by configure
97 sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \
98 ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env
99 sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh 68 sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh
100 69
101 # Strip the paths from the QEMU variable, we can use PATH 70 # Strip the paths from the QEMU variable, we can use PATH
@@ -122,7 +91,7 @@ EXTRA_OECONF = " \
122 --extra-cflags='${CFLAGS}' \ 91 --extra-cflags='${CFLAGS}' \
123 --extra-ldflags='${LDFLAGS}' \ 92 --extra-ldflags='${LDFLAGS}' \
124 --with-git=/bin/false \ 93 --with-git=/bin/false \
125 --disable-git-update \ 94 --with-git-submodules=ignore \
126 --meson=meson \ 95 --meson=meson \
127 ${PACKAGECONFIG_CONFARGS} \ 96 ${PACKAGECONFIG_CONFARGS} \
128 " 97 "
diff --git a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
index c99adee8a9..4b37967e7a 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
@@ -12,13 +12,13 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
12 configure | 4 ++++ 12 configure | 4 ++++
13 1 file changed, 4 insertions(+) 13 1 file changed, 4 insertions(+)
14 14
15Index: qemu-5.2.0/configure 15Index: qemu-6.0.0/configure
16=================================================================== 16===================================================================
17--- qemu-5.2.0.orig/configure 17--- qemu-6.0.0.orig/configure
18+++ qemu-5.2.0/configure 18+++ qemu-6.0.0/configure
19@@ -1525,6 +1525,10 @@ for opt do 19@@ -1565,6 +1565,10 @@ for opt do
20 ;; 20 ;;
21 --disable-libdaxctl) libdaxctl=no 21 --disable-gio) gio=no
22 ;; 22 ;;
23+ --enable-libudev) libudev="yes" 23+ --enable-libudev) libudev="yes"
24+ ;; 24+ ;;
diff --git a/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch b/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch
index 1f20077883..8bffc31293 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-configure-fix-detection-of-gdbus-codegen.patch
@@ -26,20 +26,20 @@ Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
26 configure | 4 +++- 26 configure | 4 +++-
27 1 file changed, 3 insertions(+), 1 deletion(-) 27 1 file changed, 3 insertions(+), 1 deletion(-)
28 28
29diff --git a/configure b/configure 29Index: qemu-6.0.0/configure
30index 18c26e0389..4c36e221d3 100755 30===================================================================
31--- a/configure 31--- qemu-6.0.0.orig/configure
32+++ b/configure 32+++ qemu-6.0.0/configure
33@@ -3496,7 +3496,7 @@ if $pkg_config --atleast-version=$glib_req_ver gio-2.0; then 33@@ -3366,7 +3366,7 @@ if ! test "$gio" = "no"; then
34 gio_cflags=$($pkg_config --cflags gio-2.0) 34 gio_cflags=$($pkg_config --cflags gio-2.0)
35 gio_libs=$($pkg_config --libs gio-2.0) 35 gio_libs=$($pkg_config --libs gio-2.0)
36 gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0) 36 gdbus_codegen=$($pkg_config --variable=gdbus_codegen gio-2.0)
37- if [ ! -x "$gdbus_codegen" ]; then 37- if [ ! -x "$gdbus_codegen" ]; then
38+ if ! has "$gdbus_codegen"; then 38+ if ! has "$gdbus_codegen"; then
39 gdbus_codegen= 39 gdbus_codegen=
40 fi 40 fi
41 # Check that the libraries actually work -- Ubuntu 18.04 ships 41 # Check that the libraries actually work -- Ubuntu 18.04 ships
42@@ -6172,6 +6172,8 @@ if test "$gio" = "yes" ; then 42@@ -5704,6 +5704,8 @@ if test "$gio" = "yes" ; then
43 echo "CONFIG_GIO=y" >> $config_host_mak 43 echo "CONFIG_GIO=y" >> $config_host_mak
44 echo "GIO_CFLAGS=$gio_cflags" >> $config_host_mak 44 echo "GIO_CFLAGS=$gio_cflags" >> $config_host_mak
45 echo "GIO_LIBS=$gio_libs" >> $config_host_mak 45 echo "GIO_LIBS=$gio_libs" >> $config_host_mak
@@ -48,6 +48,3 @@ index 18c26e0389..4c36e221d3 100755
48 echo "GDBUS_CODEGEN=$gdbus_codegen" >> $config_host_mak 48 echo "GDBUS_CODEGEN=$gdbus_codegen" >> $config_host_mak
49 fi 49 fi
50 echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak 50 echo "CONFIG_TLS_PRIORITY=\"$tls_priority\"" >> $config_host_mak
51--
522.24.0
53
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
index 8ce12bdb43..2f2d19f536 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -20,10 +20,10 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
20 hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- 20 hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++-
21 1 file changed, 93 insertions(+), 1 deletion(-) 21 1 file changed, 93 insertions(+), 1 deletion(-)
22 22
23Index: qemu-5.2.0/hw/usb/dev-wacom.c 23Index: qemu-6.0.0/hw/usb/dev-wacom.c
24=================================================================== 24===================================================================
25--- qemu-5.2.0.orig/hw/usb/dev-wacom.c 25--- qemu-6.0.0.orig/hw/usb/dev-wacom.c
26+++ qemu-5.2.0/hw/usb/dev-wacom.c 26+++ qemu-6.0.0/hw/usb/dev-wacom.c
27@@ -69,6 +69,89 @@ static const USBDescStrings desc_strings 27@@ -69,6 +69,89 @@ static const USBDescStrings desc_strings
28 [STR_SERIALNUMBER] = "1", 28 [STR_SERIALNUMBER] = "1",
29 }; 29 };
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
index 3fe9aa6eb5..b8d288d3a2 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
@@ -15,11 +15,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
15 linux-user/syscall.c | 2 ++ 15 linux-user/syscall.c | 2 ++
16 1 file changed, 2 insertions(+) 16 1 file changed, 2 insertions(+)
17 17
18Index: qemu-5.2.0/linux-user/syscall.c 18Index: qemu-6.0.0/linux-user/syscall.c
19=================================================================== 19===================================================================
20--- qemu-5.2.0.orig/linux-user/syscall.c 20--- qemu-6.0.0.orig/linux-user/syscall.c
21+++ qemu-5.2.0/linux-user/syscall.c 21+++ qemu-6.0.0/linux-user/syscall.c
22@@ -109,7 +109,9 @@ 22@@ -113,7 +113,9 @@
23 #include <linux/blkpg.h> 23 #include <linux/blkpg.h>
24 #include <netpacket/packet.h> 24 #include <netpacket/packet.h>
25 #include <linux/netlink.h> 25 #include <linux/netlink.h>
@@ -28,4 +28,4 @@ Index: qemu-5.2.0/linux-user/syscall.c
28+#endif 28+#endif
29 #include <linux/rtc.h> 29 #include <linux/rtc.h>
30 #include <sound/asound.h> 30 #include <sound/asound.h>
31 #ifdef CONFIG_BTRFS 31 #ifdef HAVE_BTRFS_H
diff --git a/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch b/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch
index 5cb5757c37..d5e1ab4d51 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-tests-meson.build-use-relative-path-to-refer-to-file.patch
@@ -16,19 +16,16 @@ Signed-off-by: Changqing Li <changqing.li@windriver.com>
16 tests/meson.build | 2 +- 16 tests/meson.build | 2 +-
17 1 files changed, 1 insertions(+), 1 deletion(-) 17 1 files changed, 1 insertions(+), 1 deletion(-)
18 18
19diff --git a/tests/meson.build b/tests/meson.build 19Index: qemu-6.0.0/tests/unit/meson.build
20index afeb6be..54684b5 100644 20===================================================================
21--- a/tests/meson.build 21--- qemu-6.0.0.orig/tests/unit/meson.build
22+++ b/tests/meson.build 22+++ qemu-6.0.0/tests/unit/meson.build
23@@ -113,7 +113,7 @@ tests = { 23@@ -42,7 +42,7 @@ tests = {
24 'test-keyval': [testqapi], 24 'test-keyval': [testqapi],
25 'test-logging': [], 25 'test-logging': [],
26 'test-uuid': [], 26 'test-uuid': [],
27- 'ptimer-test': ['ptimer-test-stubs.c', meson.source_root() / 'hw/core/ptimer.c'], 27- 'ptimer-test': ['ptimer-test-stubs.c', meson.source_root() / 'hw/core/ptimer.c'],
28+ 'ptimer-test': ['ptimer-test-stubs.c', '../hw/core/ptimer.c'], 28+ 'ptimer-test': ['ptimer-test-stubs.c', '../../hw/core/ptimer.c'],
29 'test-qapi-util': [], 29 'test-qapi-util': [],
30 } 30 }
31 31
32--
332.29.2
34
diff --git a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
index fd54f96b03..733789be29 100644
--- a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
+++ b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -18,13 +18,13 @@ Signed-off-by: Roy Li <rongqing.li@windriver.com>
18 hw/mips/malta.c | 2 +- 18 hw/mips/malta.c | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-) 19 1 file changed, 1 insertion(+), 1 deletion(-)
20 20
21Index: qemu-5.2.0/hw/mips/malta.c 21Index: qemu-6.0.0/hw/mips/malta.c
22=================================================================== 22===================================================================
23--- qemu-5.2.0.orig/hw/mips/malta.c 23--- qemu-6.0.0.orig/hw/mips/malta.c
24+++ qemu-5.2.0/hw/mips/malta.c 24+++ qemu-6.0.0/hw/mips/malta.c
25@@ -62,7 +62,7 @@ 25@@ -65,7 +65,7 @@
26 26 #define ENVP_PADDR 0x2000
27 #define ENVP_ADDR 0x80002000l 27 #define ENVP_VADDR cpu_mips_phys_to_kseg0(NULL, ENVP_PADDR)
28 #define ENVP_NB_ENTRIES 16 28 #define ENVP_NB_ENTRIES 16
29-#define ENVP_ENTRY_SIZE 256 29-#define ENVP_ENTRY_SIZE 256
30+#define ENVP_ENTRY_SIZE 1024 30+#define ENVP_ENTRY_SIZE 1024
diff --git a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
index a0bd1c5ebc..330bcaef0a 100644
--- a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
+++ b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
@@ -12,11 +12,11 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
12 configure | 9 --------- 12 configure | 9 ---------
13 1 file changed, 9 deletions(-) 13 1 file changed, 9 deletions(-)
14 14
15Index: qemu-5.2.0/configure 15Index: qemu-6.0.0/configure
16=================================================================== 16===================================================================
17--- qemu-5.2.0.orig/configure 17--- qemu-6.0.0.orig/configure
18+++ qemu-5.2.0/configure 18+++ qemu-6.0.0/configure
19@@ -5001,15 +5001,6 @@ fi 19@@ -4648,15 +4648,6 @@ fi
20 # check if we have valgrind/valgrind.h 20 # check if we have valgrind/valgrind.h
21 21
22 valgrind_h=no 22 valgrind_h=no
diff --git a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
index 201125c1f4..05dc849dad 100644
--- a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
+++ b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
@@ -51,11 +51,11 @@ Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
51 qapi/char.json | 5 +++ 51 qapi/char.json | 5 +++
52 3 files changed, 109 insertions(+) 52 3 files changed, 109 insertions(+)
53 53
54Index: qemu-5.2.0/chardev/char-socket.c 54Index: qemu-6.0.0/chardev/char-socket.c
55=================================================================== 55===================================================================
56--- qemu-5.2.0.orig/chardev/char-socket.c 56--- qemu-6.0.0.orig/chardev/char-socket.c
57+++ qemu-5.2.0/chardev/char-socket.c 57+++ qemu-6.0.0/chardev/char-socket.c
58@@ -1308,6 +1308,67 @@ static bool qmp_chardev_validate_socket( 58@@ -1362,6 +1362,67 @@ static bool qmp_chardev_validate_socket(
59 return true; 59 return true;
60 } 60 }
61 61
@@ -123,7 +123,7 @@ Index: qemu-5.2.0/chardev/char-socket.c
123 123
124 static void qmp_chardev_open_socket(Chardev *chr, 124 static void qmp_chardev_open_socket(Chardev *chr,
125 ChardevBackend *backend, 125 ChardevBackend *backend,
126@@ -1316,6 +1377,9 @@ static void qmp_chardev_open_socket(Char 126@@ -1370,6 +1431,9 @@ static void qmp_chardev_open_socket(Char
127 { 127 {
128 SocketChardev *s = SOCKET_CHARDEV(chr); 128 SocketChardev *s = SOCKET_CHARDEV(chr);
129 ChardevSocket *sock = backend->u.socket.data; 129 ChardevSocket *sock = backend->u.socket.data;
@@ -133,7 +133,7 @@ Index: qemu-5.2.0/chardev/char-socket.c
133 bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; 133 bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
134 bool is_listen = sock->has_server ? sock->server : true; 134 bool is_listen = sock->has_server ? sock->server : true;
135 bool is_telnet = sock->has_telnet ? sock->telnet : false; 135 bool is_telnet = sock->has_telnet ? sock->telnet : false;
136@@ -1381,6 +1445,14 @@ static void qmp_chardev_open_socket(Char 136@@ -1446,6 +1510,14 @@ static void qmp_chardev_open_socket(Char
137 137
138 update_disconnected_filename(s); 138 update_disconnected_filename(s);
139 139
@@ -148,7 +148,7 @@ Index: qemu-5.2.0/chardev/char-socket.c
148 if (s->is_listen) { 148 if (s->is_listen) {
149 if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, 149 if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
150 is_waitconnect, errp) < 0) { 150 is_waitconnect, errp) < 0) {
151@@ -1400,6 +1472,9 @@ static void qemu_chr_parse_socket(QemuOp 151@@ -1465,6 +1537,9 @@ static void qemu_chr_parse_socket(QemuOp
152 const char *host = qemu_opt_get(opts, "host"); 152 const char *host = qemu_opt_get(opts, "host");
153 const char *port = qemu_opt_get(opts, "port"); 153 const char *port = qemu_opt_get(opts, "port");
154 const char *fd = qemu_opt_get(opts, "fd"); 154 const char *fd = qemu_opt_get(opts, "fd");
@@ -158,7 +158,7 @@ Index: qemu-5.2.0/chardev/char-socket.c
158 #ifdef CONFIG_LINUX 158 #ifdef CONFIG_LINUX
159 bool tight = qemu_opt_get_bool(opts, "tight", true); 159 bool tight = qemu_opt_get_bool(opts, "tight", true);
160 bool abstract = qemu_opt_get_bool(opts, "abstract", false); 160 bool abstract = qemu_opt_get_bool(opts, "abstract", false);
161@@ -1407,6 +1482,20 @@ static void qemu_chr_parse_socket(QemuOp 161@@ -1472,6 +1547,20 @@ static void qemu_chr_parse_socket(QemuOp
162 SocketAddressLegacy *addr; 162 SocketAddressLegacy *addr;
163 ChardevSocket *sock; 163 ChardevSocket *sock;
164 164
@@ -179,7 +179,7 @@ Index: qemu-5.2.0/chardev/char-socket.c
179 if ((!!path + !!fd + !!host) != 1) { 179 if ((!!path + !!fd + !!host) != 1) {
180 error_setg(errp, 180 error_setg(errp,
181 "Exactly one of 'path', 'fd' or 'host' required"); 181 "Exactly one of 'path', 'fd' or 'host' required");
182@@ -1448,13 +1537,24 @@ static void qemu_chr_parse_socket(QemuOp 182@@ -1522,13 +1611,24 @@ static void qemu_chr_parse_socket(QemuOp
183 sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds")); 183 sock->tls_creds = g_strdup(qemu_opt_get(opts, "tls-creds"));
184 sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); 184 sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
185 sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); 185 sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
@@ -204,11 +204,11 @@ Index: qemu-5.2.0/chardev/char-socket.c
204 #ifdef CONFIG_LINUX 204 #ifdef CONFIG_LINUX
205 q_unix->has_tight = true; 205 q_unix->has_tight = true;
206 q_unix->tight = tight; 206 q_unix->tight = tight;
207Index: qemu-5.2.0/chardev/char.c 207Index: qemu-6.0.0/chardev/char.c
208=================================================================== 208===================================================================
209--- qemu-5.2.0.orig/chardev/char.c 209--- qemu-6.0.0.orig/chardev/char.c
210+++ qemu-5.2.0/chardev/char.c 210+++ qemu-6.0.0/chardev/char.c
211@@ -839,6 +839,9 @@ QemuOptsList qemu_chardev_opts = { 211@@ -840,6 +840,9 @@ QemuOptsList qemu_chardev_opts = {
212 .name = "path", 212 .name = "path",
213 .type = QEMU_OPT_STRING, 213 .type = QEMU_OPT_STRING,
214 },{ 214 },{
@@ -218,10 +218,10 @@ Index: qemu-5.2.0/chardev/char.c
218 .name = "host", 218 .name = "host",
219 .type = QEMU_OPT_STRING, 219 .type = QEMU_OPT_STRING,
220 },{ 220 },{
221Index: qemu-5.2.0/qapi/char.json 221Index: qemu-6.0.0/qapi/char.json
222=================================================================== 222===================================================================
223--- qemu-5.2.0.orig/qapi/char.json 223--- qemu-6.0.0.orig/qapi/char.json
224+++ qemu-5.2.0/qapi/char.json 224+++ qemu-6.0.0/qapi/char.json
225@@ -250,6 +250,10 @@ 225@@ -250,6 +250,10 @@
226 # 226 #
227 # @addr: socket address to listen on (server=true) 227 # @addr: socket address to listen on (server=true)
diff --git a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
index 294cf5129f..3491fa8a53 100644
--- a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
+++ b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
@@ -29,11 +29,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
29 hw/intc/apic.c | 2 +- 29 hw/intc/apic.c | 2 +-
30 1 file changed, 1 insertion(+), 1 deletion(-) 30 1 file changed, 1 insertion(+), 1 deletion(-)
31 31
32Index: qemu-5.2.0/hw/intc/apic.c 32Index: qemu-6.0.0/hw/intc/apic.c
33=================================================================== 33===================================================================
34--- qemu-5.2.0.orig/hw/intc/apic.c 34--- qemu-6.0.0.orig/hw/intc/apic.c
35+++ qemu-5.2.0/hw/intc/apic.c 35+++ qemu-6.0.0/hw/intc/apic.c
36@@ -605,7 +605,7 @@ int apic_accept_pic_intr(DeviceState *de 36@@ -606,7 +606,7 @@ int apic_accept_pic_intr(DeviceState *de
37 APICCommonState *s = APIC(dev); 37 APICCommonState *s = APIC(dev);
38 uint32_t lvt0; 38 uint32_t lvt0;
39 39
diff --git a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
index c5d206b91b..cc6a5fe754 100644
--- a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
+++ b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -14,11 +14,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
14 configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- 14 configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
15 1 file changed, 40 insertions(+), 8 deletions(-) 15 1 file changed, 40 insertions(+), 8 deletions(-)
16 16
17Index: qemu-5.2.0/configure 17Index: qemu-6.0.0/configure
18=================================================================== 18===================================================================
19--- qemu-5.2.0.orig/configure 19--- qemu-6.0.0.orig/configure
20+++ qemu-5.2.0/configure 20+++ qemu-6.0.0/configure
21@@ -2956,6 +2956,30 @@ has_libgcrypt() { 21@@ -2847,6 +2847,30 @@ has_libgcrypt() {
22 return 0 22 return 0
23 } 23 }
24 24
@@ -49,7 +49,7 @@ Index: qemu-5.2.0/configure
49 49
50 if test "$nettle" != "no"; then 50 if test "$nettle" != "no"; then
51 pass="no" 51 pass="no"
52@@ -2994,7 +3018,14 @@ fi 52@@ -2885,7 +2909,14 @@ fi
53 53
54 if test "$gcrypt" != "no"; then 54 if test "$gcrypt" != "no"; then
55 pass="no" 55 pass="no"
@@ -65,7 +65,7 @@ Index: qemu-5.2.0/configure
65 gcrypt_cflags=$(libgcrypt-config --cflags) 65 gcrypt_cflags=$(libgcrypt-config --cflags)
66 gcrypt_libs=$(libgcrypt-config --libs) 66 gcrypt_libs=$(libgcrypt-config --libs)
67 # Debian has removed -lgpg-error from libgcrypt-config 67 # Debian has removed -lgpg-error from libgcrypt-config
68@@ -3004,12 +3035,12 @@ if test "$gcrypt" != "no"; then 68@@ -2895,12 +2926,12 @@ if test "$gcrypt" != "no"; then
69 then 69 then
70 gcrypt_libs="$gcrypt_libs -lgpg-error" 70 gcrypt_libs="$gcrypt_libs -lgpg-error"
71 fi 71 fi
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
deleted file mode 100644
index 58622f0487..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-27821.patch
+++ /dev/null
@@ -1,143 +0,0 @@
1From 279f90a9ab07304f0a49fc10e4bfd1243a8cddbe Mon Sep 17 00:00:00 2001
2From: Paolo Bonzini <pbonzini@redhat.com>
3Date: Tue, 1 Dec 2020 09:29:56 -0500
4Subject: [PATCH 1/2] memory: clamp cached translation in case it points to an
5 MMIO region
6
7In using the address_space_translate_internal API, address_space_cache_init
8forgot one piece of advice that can be found in the code for
9address_space_translate_internal:
10
11 /* MMIO registers can be expected to perform full-width accesses based only
12 * on their address, without considering adjacent registers that could
13 * decode to completely different MemoryRegions. When such registers
14 * exist (e.g. I/O ports 0xcf8 and 0xcf9 on most PC chipsets), MMIO
15 * regions overlap wildly. For this reason we cannot clamp the accesses
16 * here.
17 *
18 * If the length is small (as is the case for address_space_ldl/stl),
19 * everything works fine. If the incoming length is large, however,
20 * the caller really has to do the clamping through memory_access_size.
21 */
22
23address_space_cache_init is exactly one such case where "the incoming length
24is large", therefore we need to clamp the resulting length---not to
25memory_access_size though, since we are not doing an access yet, but to
26the size of the resulting section. This ensures that subsequent accesses
27to the cached MemoryRegionSection will be in range.
28
29With this patch, the enclosed testcase notices that the used ring does
30not fit into the MSI-X table and prints a "qemu-system-x86_64: Cannot map used"
31error.
32
33Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
34
35Upstream-Status: Backport [4bfb024bc76973d40a359476dc0291f46e435442]
36CVE: CVE-2020-27821
37
38Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
39---
40 softmmu/physmem.c | 10 ++++++++
41 tests/qtest/fuzz-test.c | 51 +++++++++++++++++++++++++++++++++++++++++
42 2 files changed, 61 insertions(+)
43
44diff --git a/softmmu/physmem.c b/softmmu/physmem.c
45index 3027747c0..2cd1de4a2 100644
46--- a/softmmu/physmem.c
47+++ b/softmmu/physmem.c
48@@ -3255,6 +3255,7 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
49 AddressSpaceDispatch *d;
50 hwaddr l;
51 MemoryRegion *mr;
52+ Int128 diff;
53
54 assert(len > 0);
55
56@@ -3263,6 +3264,15 @@ int64_t address_space_cache_init(MemoryRegionCache *cache,
57 d = flatview_to_dispatch(cache->fv);
58 cache->mrs = *address_space_translate_internal(d, addr, &cache->xlat, &l, true);
59
60+ /*
61+ * cache->xlat is now relative to cache->mrs.mr, not to the section itself.
62+ * Take that into account to compute how many bytes are there between
63+ * cache->xlat and the end of the section.
64+ */
65+ diff = int128_sub(cache->mrs.size,
66+ int128_make64(cache->xlat - cache->mrs.offset_within_region));
67+ l = int128_get64(int128_min(diff, int128_make64(l)));
68+
69 mr = cache->mrs.mr;
70 memory_region_ref(mr);
71 if (memory_access_is_direct(mr, is_write)) {
72diff --git a/tests/qtest/fuzz-test.c b/tests/qtest/fuzz-test.c
73index 9cb4c42bd..28739248e 100644
74--- a/tests/qtest/fuzz-test.c
75+++ b/tests/qtest/fuzz-test.c
76@@ -47,6 +47,55 @@ static void test_lp1878642_pci_bus_get_irq_level_assert(void)
77 qtest_outl(s, 0x5d02, 0xebed205d);
78 }
79
80+/*
81+ * Here a MemoryRegionCache pointed to an MMIO region but had a
82+ * larger size than the underlying region.
83+ */
84+static void test_mmio_oob_from_memory_region_cache(void)
85+{
86+ QTestState *s;
87+
88+ s = qtest_init("-M pc-q35-5.2 -display none -m 512M "
89+ "-device virtio-scsi,num_queues=8,addr=03.0 ");
90+
91+ qtest_outl(s, 0xcf8, 0x80001811);
92+ qtest_outb(s, 0xcfc, 0x6e);
93+ qtest_outl(s, 0xcf8, 0x80001824);
94+ qtest_outl(s, 0xcf8, 0x80001813);
95+ qtest_outl(s, 0xcfc, 0xa080000);
96+ qtest_outl(s, 0xcf8, 0x80001802);
97+ qtest_outl(s, 0xcfc, 0x5a175a63);
98+ qtest_outb(s, 0x6e08, 0x9e);
99+ qtest_writeb(s, 0x9f003, 0xff);
100+ qtest_writeb(s, 0x9f004, 0x01);
101+ qtest_writeb(s, 0x9e012, 0x0e);
102+ qtest_writeb(s, 0x9e01b, 0x0e);
103+ qtest_writeb(s, 0x9f006, 0x01);
104+ qtest_writeb(s, 0x9f008, 0x01);
105+ qtest_writeb(s, 0x9f00a, 0x01);
106+ qtest_writeb(s, 0x9f00c, 0x01);
107+ qtest_writeb(s, 0x9f00e, 0x01);
108+ qtest_writeb(s, 0x9f010, 0x01);
109+ qtest_writeb(s, 0x9f012, 0x01);
110+ qtest_writeb(s, 0x9f014, 0x01);
111+ qtest_writeb(s, 0x9f016, 0x01);
112+ qtest_writeb(s, 0x9f018, 0x01);
113+ qtest_writeb(s, 0x9f01a, 0x01);
114+ qtest_writeb(s, 0x9f01c, 0x01);
115+ qtest_writeb(s, 0x9f01e, 0x01);
116+ qtest_writeb(s, 0x9f020, 0x01);
117+ qtest_writeb(s, 0x9f022, 0x01);
118+ qtest_writeb(s, 0x9f024, 0x01);
119+ qtest_writeb(s, 0x9f026, 0x01);
120+ qtest_writeb(s, 0x9f028, 0x01);
121+ qtest_writeb(s, 0x9f02a, 0x01);
122+ qtest_writeb(s, 0x9f02c, 0x01);
123+ qtest_writeb(s, 0x9f02e, 0x01);
124+ qtest_writeb(s, 0x9f030, 0x01);
125+ qtest_outb(s, 0x6e10, 0x00);
126+ qtest_quit(s);
127+}
128+
129 int main(int argc, char **argv)
130 {
131 const char *arch = qtest_get_arch();
132@@ -58,6 +107,8 @@ int main(int argc, char **argv)
133 test_lp1878263_megasas_zero_iov_cnt);
134 qtest_add_func("fuzz/test_lp1878642_pci_bus_get_irq_level_assert",
135 test_lp1878642_pci_bus_get_irq_level_assert);
136+ qtest_add_func("fuzz/test_mmio_oob_from_memory_region_cache",
137+ test_mmio_oob_from_memory_region_cache);
138 }
139
140 return g_test_run();
141--
1422.29.2
143
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
deleted file mode 100644
index c72324fce6..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-29443.patch
+++ /dev/null
@@ -1,107 +0,0 @@
1From c9a71afe182be5b62bd2ccdaf861695e0ec0731a Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Mon, 18 Jan 2021 17:21:30 +0530
4Subject: [PATCH] ide: atapi: check logical block address and read size
5 (CVE-2020-29443)
6
7While processing ATAPI cmd_read/cmd_read_cd commands,
8Logical Block Address (LBA) maybe invalid OR closer to the last block,
9leading to an OOB access issues. Add range check to avoid it.
10
11Fixes: CVE-2020-29443
12Reported-by: Wenxiang Qian <leonwxqian@gmail.com>
13Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
14Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
15Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
16Message-Id: <20210118115130.457044-1-ppandit@redhat.com>
17Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
18
19Upstream-Status: Backport [b8d7f1bc59276fec85e4d09f1567613a3e14d31e]
20CVE: CVE-2020-29443
21
22Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
23---
24 hw/ide/atapi.c | 30 ++++++++++++++++++++++++------
25 1 file changed, 24 insertions(+), 6 deletions(-)
26
27diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
28index e79157863..b626199e3 100644
29--- a/hw/ide/atapi.c
30+++ b/hw/ide/atapi.c
31@@ -322,6 +322,8 @@ static void ide_atapi_cmd_reply(IDEState *s, int size, int max_size)
32 static void ide_atapi_cmd_read_pio(IDEState *s, int lba, int nb_sectors,
33 int sector_size)
34 {
35+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
36+
37 s->lba = lba;
38 s->packet_transfer_size = nb_sectors * sector_size;
39 s->elementary_transfer_size = 0;
40@@ -420,6 +422,8 @@ eot:
41 static void ide_atapi_cmd_read_dma(IDEState *s, int lba, int nb_sectors,
42 int sector_size)
43 {
44+ assert(0 <= lba && lba < (s->nb_sectors >> 2));
45+
46 s->lba = lba;
47 s->packet_transfer_size = nb_sectors * sector_size;
48 s->io_buffer_size = 0;
49@@ -973,35 +977,49 @@ static void cmd_prevent_allow_medium_removal(IDEState *s, uint8_t* buf)
50
51 static void cmd_read(IDEState *s, uint8_t* buf)
52 {
53- int nb_sectors, lba;
54+ unsigned int nb_sectors, lba;
55+
56+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
57+ uint64_t total_sectors = s->nb_sectors >> 2;
58
59 if (buf[0] == GPCMD_READ_10) {
60 nb_sectors = lduw_be_p(buf + 7);
61 } else {
62 nb_sectors = ldl_be_p(buf + 6);
63 }
64-
65- lba = ldl_be_p(buf + 2);
66 if (nb_sectors == 0) {
67 ide_atapi_cmd_ok(s);
68 return;
69 }
70
71+ lba = ldl_be_p(buf + 2);
72+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
73+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
74+ return;
75+ }
76+
77 ide_atapi_cmd_read(s, lba, nb_sectors, 2048);
78 }
79
80 static void cmd_read_cd(IDEState *s, uint8_t* buf)
81 {
82- int nb_sectors, lba, transfer_request;
83+ unsigned int nb_sectors, lba, transfer_request;
84
85- nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
86- lba = ldl_be_p(buf + 2);
87+ /* Total logical sectors of ATAPI_SECTOR_SIZE(=2048) bytes */
88+ uint64_t total_sectors = s->nb_sectors >> 2;
89
90+ nb_sectors = (buf[6] << 16) | (buf[7] << 8) | buf[8];
91 if (nb_sectors == 0) {
92 ide_atapi_cmd_ok(s);
93 return;
94 }
95
96+ lba = ldl_be_p(buf + 2);
97+ if (lba >= total_sectors || lba + nb_sectors - 1 >= total_sectors) {
98+ ide_atapi_cmd_error(s, ILLEGAL_REQUEST, ASC_LOGICAL_BLOCK_OOR);
99+ return;
100+ }
101+
102 transfer_request = buf[9] & 0xf8;
103 if (transfer_request == 0x00) {
104 /* nothing */
105--
1062.29.2
107
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
deleted file mode 100644
index 73a4cb2064..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_1.patch
+++ /dev/null
@@ -1,153 +0,0 @@
1From 8afaaee976965b7fb90ec225a51d60f35c5f173c Mon Sep 17 00:00:00 2001
2From: Stefan Hajnoczi <stefanha@redhat.com>
3Date: Thu, 4 Feb 2021 15:02:06 +0000
4Subject: [PATCH] virtiofsd: extract lo_do_open() from lo_open()
5
6Both lo_open() and lo_create() have similar code to open a file. Extract
7a common lo_do_open() function from lo_open() that will be used by
8lo_create() in a later commit.
9
10Since lo_do_open() does not otherwise need fuse_req_t req, convert
11lo_add_fd_mapping() to use struct lo_data *lo instead.
12
13Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
14Message-Id: <20210204150208.367837-2-stefanha@redhat.com>
15Reviewed-by: Greg Kurz <groug@kaod.org>
16Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
17
18Upstream-Status: Backport
19[https://github.com/qemu/qemu/commit/8afaaee976965b7fb90ec225a51d60f35c5f173c]
20
21CVE: CVE-2020-35517
22
23Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
24Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
25---
26 tools/virtiofsd/passthrough_ll.c | 73 +++++++++++++++++++++++++---------------
27 1 file changed, 46 insertions(+), 27 deletions(-)
28
29diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
30index 5fb36d9..f14fa51 100644
31--- a/tools/virtiofsd/passthrough_ll.c
32+++ b/tools/virtiofsd/passthrough_ll.c
33@@ -459,17 +459,17 @@ static void lo_map_remove(struct lo_map *map, size_t key)
34 }
35
36 /* Assumes lo->mutex is held */
37-static ssize_t lo_add_fd_mapping(fuse_req_t req, int fd)
38+static ssize_t lo_add_fd_mapping(struct lo_data *lo, int fd)
39 {
40 struct lo_map_elem *elem;
41
42- elem = lo_map_alloc_elem(&lo_data(req)->fd_map);
43+ elem = lo_map_alloc_elem(&lo->fd_map);
44 if (!elem) {
45 return -1;
46 }
47
48 elem->fd = fd;
49- return elem - lo_data(req)->fd_map.elems;
50+ return elem - lo->fd_map.elems;
51 }
52
53 /* Assumes lo->mutex is held */
54@@ -1651,6 +1651,38 @@ static void update_open_flags(int writeback, int allow_direct_io,
55 }
56 }
57
58+static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
59+ struct fuse_file_info *fi)
60+{
61+ char buf[64];
62+ ssize_t fh;
63+ int fd;
64+
65+ update_open_flags(lo->writeback, lo->allow_direct_io, fi);
66+
67+ sprintf(buf, "%i", inode->fd);
68+ fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
69+ if (fd == -1) {
70+ return errno;
71+ }
72+
73+ pthread_mutex_lock(&lo->mutex);
74+ fh = lo_add_fd_mapping(lo, fd);
75+ pthread_mutex_unlock(&lo->mutex);
76+ if (fh == -1) {
77+ close(fd);
78+ return ENOMEM;
79+ }
80+
81+ fi->fh = fh;
82+ if (lo->cache == CACHE_NONE) {
83+ fi->direct_io = 1;
84+ } else if (lo->cache == CACHE_ALWAYS) {
85+ fi->keep_cache = 1;
86+ }
87+ return 0;
88+}
89+
90 static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
91 mode_t mode, struct fuse_file_info *fi)
92 {
93@@ -1691,7 +1723,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
94 ssize_t fh;
95
96 pthread_mutex_lock(&lo->mutex);
97- fh = lo_add_fd_mapping(req, fd);
98+ fh = lo_add_fd_mapping(lo, fd);
99 pthread_mutex_unlock(&lo->mutex);
100 if (fh == -1) {
101 close(fd);
102@@ -1892,38 +1924,25 @@ static void lo_fsyncdir(fuse_req_t req, fuse_ino_t ino, int datasync,
103
104 static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
105 {
106- int fd;
107- ssize_t fh;
108- char buf[64];
109 struct lo_data *lo = lo_data(req);
110+ struct lo_inode *inode = lo_inode(req, ino);
111+ int err;
112
113 fuse_log(FUSE_LOG_DEBUG, "lo_open(ino=%" PRIu64 ", flags=%d)\n", ino,
114 fi->flags);
115
116- update_open_flags(lo->writeback, lo->allow_direct_io, fi);
117-
118- sprintf(buf, "%i", lo_fd(req, ino));
119- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
120- if (fd == -1) {
121- return (void)fuse_reply_err(req, errno);
122- }
123-
124- pthread_mutex_lock(&lo->mutex);
125- fh = lo_add_fd_mapping(req, fd);
126- pthread_mutex_unlock(&lo->mutex);
127- if (fh == -1) {
128- close(fd);
129- fuse_reply_err(req, ENOMEM);
130+ if (!inode) {
131+ fuse_reply_err(req, EBADF);
132 return;
133 }
134
135- fi->fh = fh;
136- if (lo->cache == CACHE_NONE) {
137- fi->direct_io = 1;
138- } else if (lo->cache == CACHE_ALWAYS) {
139- fi->keep_cache = 1;
140+ err = lo_do_open(lo, inode, fi);
141+ lo_inode_put(lo, &inode);
142+ if (err) {
143+ fuse_reply_err(req, err);
144+ } else {
145+ fuse_reply_open(req, fi);
146 }
147- fuse_reply_open(req, fi);
148 }
149
150 static void lo_release(fuse_req_t req, fuse_ino_t ino,
151--
1521.8.3.1
153
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
deleted file mode 100644
index bf11bdb6f8..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_2.patch
+++ /dev/null
@@ -1,117 +0,0 @@
1From 22d2ece71e533310da31f2857ebc4a00d91968b3 Mon Sep 17 00:00:00 2001
2From: Stefan Hajnoczi <stefanha@redhat.com>
3Date: Thu, 4 Feb 2021 15:02:07 +0000
4Subject: [PATCH] virtiofsd: optionally return inode pointer from
5 lo_do_lookup()
6
7lo_do_lookup() finds an existing inode or allocates a new one. It
8increments nlookup so that the inode stays alive until the client
9releases it.
10
11Existing callers don't need the struct lo_inode so the function doesn't
12return it. Extend the function to optionally return the inode. The next
13commit will need it.
14
15Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
16Reviewed-by: Greg Kurz <groug@kaod.org>
17Message-Id: <20210204150208.367837-3-stefanha@redhat.com>
18Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
19
20Upstream-Status: Backport
21[https://github.com/qemu/qemu/commit/22d2ece71e533310da31f2857ebc4a00d91968b3]
22
23CVE: CVE-2020-35517
24
25Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
26Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
27---
28 tools/virtiofsd/passthrough_ll.c | 29 +++++++++++++++++++++--------
29 1 file changed, 21 insertions(+), 8 deletions(-)
30
31diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
32index f14fa51..aa35fc6 100644
33--- a/tools/virtiofsd/passthrough_ll.c
34+++ b/tools/virtiofsd/passthrough_ll.c
35@@ -831,11 +831,13 @@ static int do_statx(struct lo_data *lo, int dirfd, const char *pathname,
36 }
37
38 /*
39- * Increments nlookup and caller must release refcount using
40- * lo_inode_put(&parent).
41+ * Increments nlookup on the inode on success. unref_inode_lolocked() must be
42+ * called eventually to decrement nlookup again. If inodep is non-NULL, the
43+ * inode pointer is stored and the caller must call lo_inode_put().
44 */
45 static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
46- struct fuse_entry_param *e)
47+ struct fuse_entry_param *e,
48+ struct lo_inode **inodep)
49 {
50 int newfd;
51 int res;
52@@ -845,6 +847,10 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
53 struct lo_inode *inode = NULL;
54 struct lo_inode *dir = lo_inode(req, parent);
55
56+ if (inodep) {
57+ *inodep = NULL;
58+ }
59+
60 /*
61 * name_to_handle_at() and open_by_handle_at() can reach here with fuse
62 * mount point in guest, but we don't have its inode info in the
63@@ -913,7 +919,14 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
64 pthread_mutex_unlock(&lo->mutex);
65 }
66 e->ino = inode->fuse_ino;
67- lo_inode_put(lo, &inode);
68+
69+ /* Transfer ownership of inode pointer to caller or drop it */
70+ if (inodep) {
71+ *inodep = inode;
72+ } else {
73+ lo_inode_put(lo, &inode);
74+ }
75+
76 lo_inode_put(lo, &dir);
77
78 fuse_log(FUSE_LOG_DEBUG, " %lli/%s -> %lli\n", (unsigned long long)parent,
79@@ -948,7 +961,7 @@ static void lo_lookup(fuse_req_t req, fuse_ino_t parent, const char *name)
80 return;
81 }
82
83- err = lo_do_lookup(req, parent, name, &e);
84+ err = lo_do_lookup(req, parent, name, &e, NULL);
85 if (err) {
86 fuse_reply_err(req, err);
87 } else {
88@@ -1056,7 +1069,7 @@ static void lo_mknod_symlink(fuse_req_t req, fuse_ino_t parent,
89 goto out;
90 }
91
92- saverr = lo_do_lookup(req, parent, name, &e);
93+ saverr = lo_do_lookup(req, parent, name, &e, NULL);
94 if (saverr) {
95 goto out;
96 }
97@@ -1534,7 +1547,7 @@ static void lo_do_readdir(fuse_req_t req, fuse_ino_t ino, size_t size,
98
99 if (plus) {
100 if (!is_dot_or_dotdot(name)) {
101- err = lo_do_lookup(req, ino, name, &e);
102+ err = lo_do_lookup(req, ino, name, &e, NULL);
103 if (err) {
104 goto error;
105 }
106@@ -1732,7 +1745,7 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
107 }
108
109 fi->fh = fh;
110- err = lo_do_lookup(req, parent, name, &e);
111+ err = lo_do_lookup(req, parent, name, &e, NULL);
112 }
113 if (lo->cache == CACHE_NONE) {
114 fi->direct_io = 1;
115--
1161.8.3.1
117
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
deleted file mode 100644
index f348f3f2bd..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-35517_3.patch
+++ /dev/null
@@ -1,303 +0,0 @@
1From a3fdbbc7f271bff7d53d0501b29d910ece0b3789 Mon Sep 17 00:00:00 2001
2From: Stefan Hajnoczi <stefanha@redhat.com>
3Date: Thu, 4 Feb 2021 15:02:08 +0000
4Subject: [PATCH] virtiofsd: prevent opening of special files (CVE-2020-35517)
5
6A well-behaved FUSE client does not attempt to open special files with
7FUSE_OPEN because they are handled on the client side (e.g. device nodes
8are handled by client-side device drivers).
9
10The check to prevent virtiofsd from opening special files is missing in
11a few cases, most notably FUSE_OPEN. A malicious client can cause
12virtiofsd to open a device node, potentially allowing the guest to
13escape. This can be exploited by a modified guest device driver. It is
14not exploitable from guest userspace since the guest kernel will handle
15special files inside the guest instead of sending FUSE requests.
16
17This patch fixes this issue by introducing the lo_inode_open() function
18to check the file type before opening it. This is a short-term solution
19because it does not prevent a compromised virtiofsd process from opening
20device nodes on the host.
21
22Restructure lo_create() to try O_CREAT | O_EXCL first. Note that O_CREAT
23| O_EXCL does not follow symlinks, so O_NOFOLLOW masking is not
24necessary here. If the file exists and the user did not specify O_EXCL,
25open it via lo_do_open().
26
27Reported-by: Alex Xu <alex@alxu.ca>
28Fixes: CVE-2020-35517
29Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
30Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
31Reviewed-by: Greg Kurz <groug@kaod.org>
32Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
33Message-Id: <20210204150208.367837-4-stefanha@redhat.com>
34Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
35
36Upstream-Status: Backport
37[https://github.com/qemu/qemu/commit/a3fdbbc7f271bff7d53d0501b29d910ece0b3789]
38
39CVE: CVE-2020-35517
40
41Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
42Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
43---
44 tools/virtiofsd/passthrough_ll.c | 144 ++++++++++++++++++++-----------
45 1 file changed, 92 insertions(+), 52 deletions(-)
46
47diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
48index aa35fc6ba5a5..147b59338a18 100644
49--- a/tools/virtiofsd/passthrough_ll.c
50+++ b/tools/virtiofsd/passthrough_ll.c
51@@ -555,6 +555,38 @@ static int lo_fd(fuse_req_t req, fuse_ino_t ino)
52 return fd;
53 }
54
55+/*
56+ * Open a file descriptor for an inode. Returns -EBADF if the inode is not a
57+ * regular file or a directory.
58+ *
59+ * Use this helper function instead of raw openat(2) to prevent security issues
60+ * when a malicious client opens special files such as block device nodes.
61+ * Symlink inodes are also rejected since symlinks must already have been
62+ * traversed on the client side.
63+ */
64+static int lo_inode_open(struct lo_data *lo, struct lo_inode *inode,
65+ int open_flags)
66+{
67+ g_autofree char *fd_str = g_strdup_printf("%d", inode->fd);
68+ int fd;
69+
70+ if (!S_ISREG(inode->filetype) && !S_ISDIR(inode->filetype)) {
71+ return -EBADF;
72+ }
73+
74+ /*
75+ * The file is a symlink so O_NOFOLLOW must be ignored. We checked earlier
76+ * that the inode is not a special file but if an external process races
77+ * with us then symlinks are traversed here. It is not possible to escape
78+ * the shared directory since it is mounted as "/" though.
79+ */
80+ fd = openat(lo->proc_self_fd, fd_str, open_flags & ~O_NOFOLLOW);
81+ if (fd < 0) {
82+ return -errno;
83+ }
84+ return fd;
85+}
86+
87 static void lo_init(void *userdata, struct fuse_conn_info *conn)
88 {
89 struct lo_data *lo = (struct lo_data *)userdata;
90@@ -684,9 +716,9 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
91 if (fi) {
92 truncfd = fd;
93 } else {
94- sprintf(procname, "%i", ifd);
95- truncfd = openat(lo->proc_self_fd, procname, O_RDWR);
96+ truncfd = lo_inode_open(lo, inode, O_RDWR);
97 if (truncfd < 0) {
98+ errno = -truncfd;
99 goto out_err;
100 }
101 }
102@@ -848,7 +880,7 @@ static int lo_do_lookup(fuse_req_t req, fuse_ino_t parent, const char *name,
103 struct lo_inode *dir = lo_inode(req, parent);
104
105 if (inodep) {
106- *inodep = NULL;
107+ *inodep = NULL; /* in case there is an error */
108 }
109
110 /*
111@@ -1664,19 +1696,26 @@ static void update_open_flags(int writeback, int allow_direct_io,
112 }
113 }
114
115+/*
116+ * Open a regular file, set up an fd mapping, and fill out the struct
117+ * fuse_file_info for it. If existing_fd is not negative, use that fd instead
118+ * opening a new one. Takes ownership of existing_fd.
119+ *
120+ * Returns 0 on success or a positive errno.
121+ */
122 static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
123- struct fuse_file_info *fi)
124+ int existing_fd, struct fuse_file_info *fi)
125 {
126- char buf[64];
127 ssize_t fh;
128- int fd;
129+ int fd = existing_fd;
130
131 update_open_flags(lo->writeback, lo->allow_direct_io, fi);
132
133- sprintf(buf, "%i", inode->fd);
134- fd = openat(lo->proc_self_fd, buf, fi->flags & ~O_NOFOLLOW);
135- if (fd == -1) {
136- return errno;
137+ if (fd < 0) {
138+ fd = lo_inode_open(lo, inode, fi->flags);
139+ if (fd < 0) {
140+ return -fd;
141+ }
142 }
143
144 pthread_mutex_lock(&lo->mutex);
145@@ -1699,9 +1738,10 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
146 static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
147 mode_t mode, struct fuse_file_info *fi)
148 {
149- int fd;
150+ int fd = -1;
151 struct lo_data *lo = lo_data(req);
152 struct lo_inode *parent_inode;
153+ struct lo_inode *inode = NULL;
154 struct fuse_entry_param e;
155 int err;
156 struct lo_cred old = {};
157@@ -1727,36 +1767,38 @@ static void lo_create(fuse_req_t req, fuse_ino_t parent, const char *name,
158
159 update_open_flags(lo->writeback, lo->allow_direct_io, fi);
160
161- fd = openat(parent_inode->fd, name, (fi->flags | O_CREAT) & ~O_NOFOLLOW,
162- mode);
163+ /* Try to create a new file but don't open existing files */
164+ fd = openat(parent_inode->fd, name, fi->flags | O_CREAT | O_EXCL, mode);
165 err = fd == -1 ? errno : 0;
166- lo_restore_cred(&old);
167
168- if (!err) {
169- ssize_t fh;
170+ lo_restore_cred(&old);
171
172- pthread_mutex_lock(&lo->mutex);
173- fh = lo_add_fd_mapping(lo, fd);
174- pthread_mutex_unlock(&lo->mutex);
175- if (fh == -1) {
176- close(fd);
177- err = ENOMEM;
178- goto out;
179- }
180+ /* Ignore the error if file exists and O_EXCL was not given */
181+ if (err && (err != EEXIST || (fi->flags & O_EXCL))) {
182+ goto out;
183+ }
184
185- fi->fh = fh;
186- err = lo_do_lookup(req, parent, name, &e, NULL);
187+ err = lo_do_lookup(req, parent, name, &e, &inode);
188+ if (err) {
189+ goto out;
190 }
191- if (lo->cache == CACHE_NONE) {
192- fi->direct_io = 1;
193- } else if (lo->cache == CACHE_ALWAYS) {
194- fi->keep_cache = 1;
195+
196+ err = lo_do_open(lo, inode, fd, fi);
197+ fd = -1; /* lo_do_open() takes ownership of fd */
198+ if (err) {
199+ /* Undo lo_do_lookup() nlookup ref */
200+ unref_inode_lolocked(lo, inode, 1);
201 }
202
203 out:
204+ lo_inode_put(lo, &inode);
205 lo_inode_put(lo, &parent_inode);
206
207 if (err) {
208+ if (fd >= 0) {
209+ close(fd);
210+ }
211+
212 fuse_reply_err(req, err);
213 } else {
214 fuse_reply_create(req, &e, fi);
215@@ -1770,7 +1812,6 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
216 pid_t pid, int *err)
217 {
218 struct lo_inode_plock *plock;
219- char procname[64];
220 int fd;
221
222 plock =
223@@ -1787,12 +1828,10 @@ static struct lo_inode_plock *lookup_create_plock_ctx(struct lo_data *lo,
224 }
225
226 /* Open another instance of file which can be used for ofd locks. */
227- sprintf(procname, "%i", inode->fd);
228-
229 /* TODO: What if file is not writable? */
230- fd = openat(lo->proc_self_fd, procname, O_RDWR);
231- if (fd == -1) {
232- *err = errno;
233+ fd = lo_inode_open(lo, inode, O_RDWR);
234+ if (fd < 0) {
235+ *err = -fd;
236 free(plock);
237 return NULL;
238 }
239@@ -1949,7 +1988,7 @@ static void lo_open(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
240 return;
241 }
242
243- err = lo_do_open(lo, inode, fi);
244+ err = lo_do_open(lo, inode, -1, fi);
245 lo_inode_put(lo, &inode);
246 if (err) {
247 fuse_reply_err(req, err);
248@@ -2014,39 +2053,40 @@ static void lo_flush(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi)
249 static void lo_fsync(fuse_req_t req, fuse_ino_t ino, int datasync,
250 struct fuse_file_info *fi)
251 {
252+ struct lo_inode *inode = lo_inode(req, ino);
253+ struct lo_data *lo = lo_data(req);
254 int res;
255 int fd;
256- char *buf;
257
258 fuse_log(FUSE_LOG_DEBUG, "lo_fsync(ino=%" PRIu64 ", fi=0x%p)\n", ino,
259 (void *)fi);
260
261- if (!fi) {
262- struct lo_data *lo = lo_data(req);
263-
264- res = asprintf(&buf, "%i", lo_fd(req, ino));
265- if (res == -1) {
266- return (void)fuse_reply_err(req, errno);
267- }
268+ if (!inode) {
269+ fuse_reply_err(req, EBADF);
270+ return;
271+ }
272
273- fd = openat(lo->proc_self_fd, buf, O_RDWR);
274- free(buf);
275- if (fd == -1) {
276- return (void)fuse_reply_err(req, errno);
277+ if (!fi) {
278+ fd = lo_inode_open(lo, inode, O_RDWR);
279+ if (fd < 0) {
280+ res = -fd;
281+ goto out;
282 }
283 } else {
284 fd = lo_fi_fd(req, fi);
285 }
286
287 if (datasync) {
288- res = fdatasync(fd);
289+ res = fdatasync(fd) == -1 ? errno : 0;
290 } else {
291- res = fsync(fd);
292+ res = fsync(fd) == -1 ? errno : 0;
293 }
294 if (!fi) {
295 close(fd);
296 }
297- fuse_reply_err(req, res == -1 ? errno : 0);
298+out:
299+ lo_inode_put(lo, &inode);
300+ fuse_reply_err(req, res);
301 }
302
303 static void lo_read(fuse_req_t req, fuse_ino_t ino, size_t size, off_t offset,
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
deleted file mode 100644
index 1b8c77f838..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20181.patch
+++ /dev/null
@@ -1,81 +0,0 @@
1From c2d2d14e8deece958bbc4fc649d22c3564bc4e7e Mon Sep 17 00:00:00 2001
2From: Greg Kurz <groug@kaod.org>
3Date: Thu, 14 Jan 2021 17:04:12 +0100
4Subject: [PATCH] 9pfs: Fully restart unreclaim loop (CVE-2021-20181)
5
6Depending on the client activity, the server can be asked to open a huge
7number of file descriptors and eventually hit RLIMIT_NOFILE. This is
8currently mitigated using a reclaim logic : the server closes the file
9descriptors of idle fids, based on the assumption that it will be able
10to re-open them later. This assumption doesn't hold of course if the
11client requests the file to be unlinked. In this case, we loop on the
12entire fid list and mark all related fids as unreclaimable (the reclaim
13logic will just ignore them) and, of course, we open or re-open their
14file descriptors if needed since we're about to unlink the file.
15
16This is the purpose of v9fs_mark_fids_unreclaim(). Since the actual
17opening of a file can cause the coroutine to yield, another client
18request could possibly add a new fid that we may want to mark as
19non-reclaimable as well. The loop is thus restarted if the re-open
20request was actually transmitted to the backend. This is achieved
21by keeping a reference on the first fid (head) before traversing
22the list.
23
24This is wrong in several ways:
25- a potential clunk request from the client could tear the first
26 fid down and cause the reference to be stale. This leads to a
27 use-after-free error that can be detected with ASAN, using a
28 custom 9p client
29- fids are added at the head of the list : restarting from the
30 previous head will always miss fids added by a some other
31 potential request
32
33All these problems could be avoided if fids were being added at the
34end of the list. This can be achieved with a QSIMPLEQ, but this is
35probably too much change for a bug fix. For now let's keep it
36simple and just restart the loop from the current head.
37
38Fixes: CVE-2021-20181
39Buglink: https://bugs.launchpad.net/qemu/+bug/1911666
40Reported-by: Zero Day Initiative <zdi-disclosures@trendmicro.com>
41Reviewed-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
42Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
43Message-Id: <161064025265.1838153.15185571283519390907.stgit@bahia.lan>
44Signed-off-by: Greg Kurz <groug@kaod.org>
45
46Upstream-Status: Backport [89fbea8737e8f7b954745a1ffc4238d377055305]
47CVE: CVE-2021-20181
48
49Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
50---
51 hw/9pfs/9p.c | 6 +++---
52 1 file changed, 3 insertions(+), 3 deletions(-)
53
54diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
55index 94df440fc..6026b51a1 100644
56--- a/hw/9pfs/9p.c
57+++ b/hw/9pfs/9p.c
58@@ -502,9 +502,9 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
59 {
60 int err;
61 V9fsState *s = pdu->s;
62- V9fsFidState *fidp, head_fid;
63+ V9fsFidState *fidp;
64
65- head_fid.next = s->fid_list;
66+again:
67 for (fidp = s->fid_list; fidp; fidp = fidp->next) {
68 if (fidp->path.size != path->size) {
69 continue;
70@@ -524,7 +524,7 @@ static int coroutine_fn v9fs_mark_fids_unreclaim(V9fsPDU *pdu, V9fsPath *path)
71 * switched to the worker thread
72 */
73 if (err == 0) {
74- fidp = &head_fid;
75+ goto again;
76 }
77 }
78 }
79--
802.29.2
81
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
deleted file mode 100644
index 269c6f1294..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20203.patch
+++ /dev/null
@@ -1,73 +0,0 @@
1From: Prasad J Pandit <pjp@fedoraproject.org>
2
3While activating device in vmxnet3_acticate_device(), it does not
4validate guest supplied configuration values against predefined
5minimum - maximum limits. This may lead to integer overflow or
6OOB access issues. Add checks to avoid it.
7
8Fixes: CVE-2021-20203
9Buglink: https://bugs.launchpad.net/qemu/+bug/1913873
10Reported-by: Gaoning Pan <pgn@zju.edu.cn>
11Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
12
13Upstream-Status: Acepted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html]
14CVE: CVE-2021-20203
15Signed-off-by: Minjae Kim <flowergom@gmail.com>
16---
17 hw/net/vmxnet3.c | 13 +++++++++++++
18 1 file changed, 13 insertions(+)
19
20diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
21index eff299f629..4a910ca971 100644
22--- a/hw/net/vmxnet3.c
23+++ b/hw/net/vmxnet3.c
24@@ -1420,6 +1420,7 @@ static void vmxnet3_activate_device(VMXNET3State *s)
25 vmxnet3_setup_rx_filtering(s);
26 /* Cache fields from shared memory */
27 s->mtu = VMXNET3_READ_DRV_SHARED32(d, s->drv_shmem, devRead.misc.mtu);
28+ assert(VMXNET3_MIN_MTU <= s->mtu && s->mtu < VMXNET3_MAX_MTU);
29 VMW_CFPRN("MTU is %u", s->mtu);
30
31 s->max_rx_frags =
32@@ -1473,6 +1474,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
33 /* Read rings memory locations for TX queues */
34 pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.txRingBasePA);
35 size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.txRingSize);
36+ if (size > VMXNET3_TX_RING_MAX_SIZE) {
37+ size = VMXNET3_TX_RING_MAX_SIZE;
38+ }
39
40 vmxnet3_ring_init(d, &s->txq_descr[i].tx_ring, pa, size,
41 sizeof(struct Vmxnet3_TxDesc), false);
42@@ -1483,6 +1487,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
43 /* TXC ring */
44 pa = VMXNET3_READ_TX_QUEUE_DESCR64(d, qdescr_pa, conf.compRingBasePA);
45 size = VMXNET3_READ_TX_QUEUE_DESCR32(d, qdescr_pa, conf.compRingSize);
46+ if (size > VMXNET3_TC_RING_MAX_SIZE) {
47+ size = VMXNET3_TC_RING_MAX_SIZE;
48+ }
49 vmxnet3_ring_init(d, &s->txq_descr[i].comp_ring, pa, size,
50 sizeof(struct Vmxnet3_TxCompDesc), true);
51 VMXNET3_RING_DUMP(VMW_CFPRN, "TXC", i, &s->txq_descr[i].comp_ring);
52@@ -1524,6 +1531,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
53 /* RX rings */
54 pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.rxRingBasePA[j]);
55 size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.rxRingSize[j]);
56+ if (size > VMXNET3_RX_RING_MAX_SIZE) {
57+ size = VMXNET3_RX_RING_MAX_SIZE;
58+ }
59 vmxnet3_ring_init(d, &s->rxq_descr[i].rx_ring[j], pa, size,
60 sizeof(struct Vmxnet3_RxDesc), false);
61 VMW_CFPRN("RX queue %d:%d: Base: %" PRIx64 ", Size: %d",
62@@ -1533,6 +1543,9 @@ static void vmxnet3_activate_device(VMXNET3State *s)
63 /* RXC ring */
64 pa = VMXNET3_READ_RX_QUEUE_DESCR64(d, qd_pa, conf.compRingBasePA);
65 size = VMXNET3_READ_RX_QUEUE_DESCR32(d, qd_pa, conf.compRingSize);
66+ if (size > VMXNET3_RC_RING_MAX_SIZE) {
67+ size = VMXNET3_RC_RING_MAX_SIZE;
68+ }
69 vmxnet3_ring_init(d, &s->rxq_descr[i].comp_ring, pa, size,
70 sizeof(struct Vmxnet3_RxCompDesc), true);
71 VMW_CFPRN("RXC queue %d: Base: %" PRIx64 ", Size: %d", i, pa, size);
72--
732.29.2
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
deleted file mode 100644
index d762a51d02..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20221.patch
+++ /dev/null
@@ -1,70 +0,0 @@
1From e428bcfb86fb46d9773ae11e69712052dcff3d45 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <f4bug@amsat.org>
3Date: Sun, 31 Jan 2021 11:34:01 +0100
4Subject: [PATCH] hw/intc/arm_gic: Fix interrupt ID in GICD_SGIR register
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Per the ARM Generic Interrupt Controller Architecture specification
10(document "ARM IHI 0048B.b (ID072613)"), the SGIINTID field is 4 bit,
11not 10:
12
13 - 4.3 Distributor register descriptions
14 - 4.3.15 Software Generated Interrupt Register, GICD_SG
15
16 - Table 4-21 GICD_SGIR bit assignments
17
18 The Interrupt ID of the SGI to forward to the specified CPU
19 interfaces. The value of this field is the Interrupt ID, in
20 the range 0-15, for example a value of 0b0011 specifies
21 Interrupt ID 3.
22
23Correct the irq mask to fix an undefined behavior (which eventually
24lead to a heap-buffer-overflow, see [Buglink]):
25
26 $ echo 'writel 0x8000f00 0xff4affb0' | qemu-system-aarch64 -M virt,accel=qtest -qtest stdio
27 [I 1612088147.116987] OPENED
28 [R +0.278293] writel 0x8000f00 0xff4affb0
29 ../hw/intc/arm_gic.c:1498:13: runtime error: index 944 out of bounds for type 'uint8_t [16][8]'
30 SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../hw/intc/arm_gic.c:1498:13
31
32This fixes a security issue when running with KVM on Arm with
33kernel-irqchip=off. (The default is kernel-irqchip=on, which is
34unaffected, and which is also the correct choice for performance.)
35
36Cc: qemu-stable@nongnu.org
37Fixes: CVE-2021-20221
38Fixes: 9ee6e8bb853 ("ARMv7 support.")
39Buglink: https://bugs.launchpad.net/qemu/+bug/1913916
40Buglink: https://bugs.launchpad.net/qemu/+bug/1913917
41Reported-by: Alexander Bulekov <alxndr@bu.edu>
42Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
43Message-id: 20210131103401.217160-1-f4bug@amsat.org
44Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
45Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
46
47Upstream-Status: Backport [edfe2eb4360cde4ed5d95bda7777edcb3510f76a]
48CVE: CVE-2021-20221
49
50Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
51---
52 hw/intc/arm_gic.c | 2 +-
53 1 file changed, 1 insertion(+), 1 deletion(-)
54
55diff --git a/hw/intc/arm_gic.c b/hw/intc/arm_gic.c
56index c60dc6b5e..fbde60de0 100644
57--- a/hw/intc/arm_gic.c
58+++ b/hw/intc/arm_gic.c
59@@ -1474,7 +1474,7 @@ static void gic_dist_writel(void *opaque, hwaddr offset,
60 int target_cpu;
61
62 cpu = gic_get_current_cpu(s);
63- irq = value & 0x3ff;
64+ irq = value & 0xf;
65 switch ((value >> 24) & 3) {
66 case 0:
67 mask = (value >> 16) & ALL_CPU_MASK;
68--
692.29.2
70
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
deleted file mode 100644
index 7175b24e99..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20257.patch
+++ /dev/null
@@ -1,55 +0,0 @@
1From affdf476543405045c281a7c67d1eaedbcea8135 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 13:45:28 +0800
4Subject: [PATCH] e1000: fail early for evil descriptor
5
6During procss_tx_desc(), driver can try to chain data descriptor with
7legacy descriptor, when will lead underflow for the following
8calculation in process_tx_desc() for bytes:
9
10 if (tp->size + bytes > msh)
11 bytes = msh - tp->size;
12
13This will lead a infinite loop. So check and fail early if tp->size if
14greater or equal to msh.
15
16Reported-by: Alexander Bulekov <alxndr@bu.edu>
17Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
18Reported-by: Ruhr-University Bochum <bugs-syssec@rub.de>
19Cc: Prasad J Pandit <ppandit@redhat.com>
20Cc: qemu-stable@nongnu.org
21Signed-off-by: Jason Wang <jasowang@redhat.com>
22
23Upstream-Status: Backport [3de46e6fc489c52c9431a8a832ad8170a7569bd8]
24CVE: CVE-2021-20257
25
26Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
27---
28 hw/net/e1000.c | 4 ++++
29 1 file changed, 4 insertions(+)
30
31diff --git a/hw/net/e1000.c b/hw/net/e1000.c
32index cf22c4f07..c3564c7ce 100644
33--- a/hw/net/e1000.c
34+++ b/hw/net/e1000.c
35@@ -670,6 +670,9 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
36 msh = tp->tso_props.hdr_len + tp->tso_props.mss;
37 do {
38 bytes = split_size;
39+ if (tp->size >= msh) {
40+ goto eop;
41+ }
42 if (tp->size + bytes > msh)
43 bytes = msh - tp->size;
44
45@@ -695,6 +698,7 @@ process_tx_desc(E1000State *s, struct e1000_tx_desc *dp)
46 tp->size += split_size;
47 }
48
49+eop:
50 if (!(txd_lower & E1000_TXD_CMD_EOP))
51 return;
52 if (!(tp->cptse && tp->size < tp->tso_props.hdr_len)) {
53--
542.29.2
55
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
deleted file mode 100644
index 4f9a91f0c6..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-20263.patch
+++ /dev/null
@@ -1,214 +0,0 @@
1From aaa5f8e00c2e85a893b972f1e243fb14c26b70dc Mon Sep 17 00:00:00 2001
2From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
3Date: Wed, 24 Feb 2021 19:56:25 +0000
4Subject: [PATCH 2/2] virtiofs: drop remapped security.capability xattr as
5 needed
6
7On Linux, the 'security.capability' xattr holds a set of
8capabilities that can change when an executable is run, giving
9a limited form of privilege escalation to those programs that
10the writer of the file deemed worthy.
11
12Any write causes the 'security.capability' xattr to be dropped,
13stopping anyone from gaining privilege by modifying a blessed
14file.
15
16Fuse relies on the daemon to do this dropping, and in turn the
17daemon relies on the host kernel to drop the xattr for it. However,
18with the addition of -o xattrmap, the xattr that the guest
19stores its capabilities in is now not the same as the one that
20the host kernel automatically clears.
21
22Where the mapping changes 'security.capability', explicitly clear
23the remapped name to preserve the same behaviour.
24
25This bug is assigned CVE-2021-20263.
26
27Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
28Reviewed-by: Vivek Goyal <vgoyal@redhat.com>
29
30Upstream-Status: Backport [e586edcb410543768ef009eaa22a2d9dd4a53846]
31CVE: CVE-2021-20263
32
33Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
34---
35 docs/tools/virtiofsd.rst | 4 ++
36 tools/virtiofsd/passthrough_ll.c | 77 +++++++++++++++++++++++++++++++-
37 2 files changed, 80 insertions(+), 1 deletion(-)
38
39diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
40index 866b7db3e..00554c75b 100644
41--- a/docs/tools/virtiofsd.rst
42+++ b/docs/tools/virtiofsd.rst
43@@ -228,6 +228,10 @@ The 'map' type adds a number of separate rules to add **prepend** as a prefix
44 to the matched **key** (or all attributes if **key** is empty).
45 There may be at most one 'map' rule and it must be the last rule in the set.
46
47+Note: When the 'security.capability' xattr is remapped, the daemon has to do
48+extra work to remove it during many operations, which the host kernel normally
49+does itself.
50+
51 xattr-mapping Examples
52 ----------------------
53
54diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c
55index 03c5e0d13..c9197da86 100644
56--- a/tools/virtiofsd/passthrough_ll.c
57+++ b/tools/virtiofsd/passthrough_ll.c
58@@ -160,6 +160,7 @@ struct lo_data {
59 int posix_lock;
60 int xattr;
61 char *xattrmap;
62+ char *xattr_security_capability;
63 char *source;
64 char *modcaps;
65 double timeout;
66@@ -226,6 +227,8 @@ static __thread bool cap_loaded = 0;
67
68 static struct lo_inode *lo_find(struct lo_data *lo, struct stat *st,
69 uint64_t mnt_id);
70+static int xattr_map_client(const struct lo_data *lo, const char *client_name,
71+ char **out_name);
72
73 static int is_dot_or_dotdot(const char *name)
74 {
75@@ -365,6 +368,37 @@ out:
76 return ret;
77 }
78
79+/*
80+ * The host kernel normally drops security.capability xattr's on
81+ * any write, however if we're remapping xattr names we need to drop
82+ * whatever the clients security.capability is actually stored as.
83+ */
84+static int drop_security_capability(const struct lo_data *lo, int fd)
85+{
86+ if (!lo->xattr_security_capability) {
87+ /* We didn't remap the name, let the host kernel do it */
88+ return 0;
89+ }
90+ if (!fremovexattr(fd, lo->xattr_security_capability)) {
91+ /* All good */
92+ return 0;
93+ }
94+
95+ switch (errno) {
96+ case ENODATA:
97+ /* Attribute didn't exist, that's fine */
98+ return 0;
99+
100+ case ENOTSUP:
101+ /* FS didn't support attribute anyway, also fine */
102+ return 0;
103+
104+ default:
105+ /* Hmm other error */
106+ return errno;
107+ }
108+}
109+
110 static void lo_map_init(struct lo_map *map)
111 {
112 map->elems = NULL;
113@@ -717,6 +751,11 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
114 uid_t uid = (valid & FUSE_SET_ATTR_UID) ? attr->st_uid : (uid_t)-1;
115 gid_t gid = (valid & FUSE_SET_ATTR_GID) ? attr->st_gid : (gid_t)-1;
116
117+ saverr = drop_security_capability(lo, ifd);
118+ if (saverr) {
119+ goto out_err;
120+ }
121+
122 res = fchownat(ifd, "", uid, gid, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW);
123 if (res == -1) {
124 goto out_err;
125@@ -735,6 +774,14 @@ static void lo_setattr(fuse_req_t req, fuse_ino_t ino, struct stat *attr,
126 }
127 }
128
129+ saverr = drop_security_capability(lo, truncfd);
130+ if (saverr) {
131+ if (!fi) {
132+ close(truncfd);
133+ }
134+ goto out_err;
135+ }
136+
137 res = ftruncate(truncfd, attr->st_size);
138 if (!fi) {
139 saverr = errno;
140@@ -1726,6 +1773,13 @@ static int lo_do_open(struct lo_data *lo, struct lo_inode *inode,
141 if (fd < 0) {
142 return -fd;
143 }
144+ if (fi->flags & (O_TRUNC)) {
145+ int err = drop_security_capability(lo, fd);
146+ if (err) {
147+ close(fd);
148+ return err;
149+ }
150+ }
151 }
152
153 pthread_mutex_lock(&lo->mutex);
154@@ -2114,6 +2168,12 @@ static void lo_write_buf(fuse_req_t req, fuse_ino_t ino,
155 "lo_write_buf(ino=%" PRIu64 ", size=%zd, off=%lu)\n", ino,
156 out_buf.buf[0].size, (unsigned long)off);
157
158+ res = drop_security_capability(lo_data(req), out_buf.buf[0].fd);
159+ if (res) {
160+ fuse_reply_err(req, res);
161+ return;
162+ }
163+
164 /*
165 * If kill_priv is set, drop CAP_FSETID which should lead to kernel
166 * clearing setuid/setgid on file.
167@@ -2353,6 +2413,7 @@ static void parse_xattrmap(struct lo_data *lo)
168 {
169 const char *map = lo->xattrmap;
170 const char *tmp;
171+ int ret;
172
173 lo->xattr_map_nentries = 0;
174 while (*map) {
175@@ -2383,7 +2444,7 @@ static void parse_xattrmap(struct lo_data *lo)
176 * the last entry.
177 */
178 parse_xattrmap_map(lo, map, sep);
179- return;
180+ break;
181 } else {
182 fuse_log(FUSE_LOG_ERR,
183 "%s: Unexpected type;"
184@@ -2452,6 +2513,19 @@ static void parse_xattrmap(struct lo_data *lo)
185 fuse_log(FUSE_LOG_ERR, "Empty xattr map\n");
186 exit(1);
187 }
188+
189+ ret = xattr_map_client(lo, "security.capability",
190+ &lo->xattr_security_capability);
191+ if (ret) {
192+ fuse_log(FUSE_LOG_ERR, "Failed to map security.capability: %s\n",
193+ strerror(ret));
194+ exit(1);
195+ }
196+ if (!strcmp(lo->xattr_security_capability, "security.capability")) {
197+ /* 1-1 mapping, don't need to do anything */
198+ free(lo->xattr_security_capability);
199+ lo->xattr_security_capability = NULL;
200+ }
201 }
202
203 /*
204@@ -3480,6 +3554,7 @@ static void fuse_lo_data_cleanup(struct lo_data *lo)
205
206 free(lo->xattrmap);
207 free_xattrmap(lo);
208+ free(lo->xattr_security_capability);
209 free(lo->source);
210 }
211
212--
2132.29.2
214
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
deleted file mode 100644
index af94cff7e8..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3392.patch
+++ /dev/null
@@ -1,89 +0,0 @@
1From 3791642c8d60029adf9b00bcb4e34d7d8a1aea4d Mon Sep 17 00:00:00 2001
2From: Michael Tokarev <mjt@tls.msk.ru>
3Date: Mon, 19 Apr 2021 15:42:47 +0200
4Subject: [PATCH] mptsas: Remove unused MPTSASState 'pending' field
5 (CVE-2021-3392)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10While processing SCSI i/o requests in mptsas_process_scsi_io_request(),
11the Megaraid emulator appends new MPTSASRequest object 'req' to
12the 's->pending' queue. In case of an error, this same object gets
13dequeued in mptsas_free_request() only if SCSIRequest object
14'req->sreq' is initialised. This may lead to a use-after-free issue.
15
16Since s->pending is actually not used, simply remove it from
17MPTSASState.
18
19Cc: qemu-stable@nongnu.org
20Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
21Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
22Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
23Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
24Message-id: 20210419134247.1467982-1-f4bug@amsat.org
25Message-Id: <20210416102243.1293871-1-mjt@msgid.tls.msk.ru>
26Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
27Reported-by: Cheolwoo Myung <cwmyung@snu.ac.kr>
28BugLink: https://bugs.launchpad.net/qemu/+bug/1914236 (CVE-2021-3392)
29Fixes: e351b826112 ("hw: Add support for LSI SAS1068 (mptsas) device")
30[PMD: Reworded description, added more tags]
31Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
32Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
33Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
34
35CVE: CVE-2021-3392
36Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d]
37Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
38---
39 hw/scsi/mptsas.c | 6 ------
40 hw/scsi/mptsas.h | 1 -
41 2 files changed, 7 deletions(-)
42
43diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
44index 7416e7870614..db3219e7d206 100644
45--- a/hw/scsi/mptsas.c
46+++ b/hw/scsi/mptsas.c
47@@ -251,13 +251,10 @@ static int mptsas_build_sgl(MPTSASState *s, MPTSASRequest *req, hwaddr addr)
48
49 static void mptsas_free_request(MPTSASRequest *req)
50 {
51- MPTSASState *s = req->dev;
52-
53 if (req->sreq != NULL) {
54 req->sreq->hba_private = NULL;
55 scsi_req_unref(req->sreq);
56 req->sreq = NULL;
57- QTAILQ_REMOVE(&s->pending, req, next);
58 }
59 qemu_sglist_destroy(&req->qsg);
60 g_free(req);
61@@ -303,7 +300,6 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
62 }
63
64 req = g_new0(MPTSASRequest, 1);
65- QTAILQ_INSERT_TAIL(&s->pending, req, next);
66 req->scsi_io = *scsi_io;
67 req->dev = s;
68
69@@ -1319,8 +1315,6 @@ static void mptsas_scsi_realize(PCIDevice *dev, Error **errp)
70
71 s->request_bh = qemu_bh_new(mptsas_fetch_requests, s);
72
73- QTAILQ_INIT(&s->pending);
74-
75 scsi_bus_new(&s->bus, sizeof(s->bus), &dev->qdev, &mptsas_scsi_info, NULL);
76 }
77
78diff --git a/hw/scsi/mptsas.h b/hw/scsi/mptsas.h
79index b85ac1a5fcc7..c046497db719 100644
80--- a/hw/scsi/mptsas.h
81+++ b/hw/scsi/mptsas.h
82@@ -79,7 +79,6 @@ struct MPTSASState {
83 uint16_t reply_frame_size;
84
85 SCSIBus bus;
86- QTAILQ_HEAD(, MPTSASRequest) pending;
87 };
88
89 void mptsas_fix_scsi_io_endianness(MPIMsgSCSIIORequest *req);
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
deleted file mode 100644
index f9395add43..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_1.patch
+++ /dev/null
@@ -1,56 +0,0 @@
1From c01ae9a35b3c6b4a8e1f1bfa0a0caafe394f8b5c Mon Sep 17 00:00:00 2001
2From: Bin Meng <bmeng.cn@gmail.com>
3Date: Tue, 16 Feb 2021 11:46:52 +0800
4Subject: [PATCH 1/6] hw/sd: sdhci: Simplify updating s->prnsts in
5 sdhci_sdma_transfer_multi_blocks()
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10s->prnsts is updated in both branches of the if () else () statement.
11Move the common bits outside so that it is cleaner.
12
13Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
14Tested-by: Alexander Bulekov <alxndr@bu.edu>
15Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
16Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
17Message-Id: <1613447214-81951-5-git-send-email-bmeng.cn@gmail.com>
18Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
19
20Upstream-Status: Backport [8bc1f1aa51d32c3184e7b19d5b94c35ecc06f056]
21CVE: CVE-2021-3409
22
23Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
24---
25 hw/sd/sdhci.c | 7 +++----
26 1 file changed, 3 insertions(+), 4 deletions(-)
27
28diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
29index 2f8b74a84..f83c5e295 100644
30--- a/hw/sd/sdhci.c
31+++ b/hw/sd/sdhci.c
32@@ -596,9 +596,9 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
33 page_aligned = true;
34 }
35
36+ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
37 if (s->trnmod & SDHC_TRNS_READ) {
38- s->prnsts |= SDHC_DOING_READ | SDHC_DATA_INHIBIT |
39- SDHC_DAT_LINE_ACTIVE;
40+ s->prnsts |= SDHC_DOING_READ;
41 while (s->blkcnt) {
42 if (s->data_count == 0) {
43 sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
44@@ -625,8 +625,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
45 }
46 }
47 } else {
48- s->prnsts |= SDHC_DOING_WRITE | SDHC_DATA_INHIBIT |
49- SDHC_DAT_LINE_ACTIVE;
50+ s->prnsts |= SDHC_DOING_WRITE;
51 while (s->blkcnt) {
52 begin = s->data_count;
53 if (((boundary_count + begin) < block_size) && page_aligned) {
54--
552.29.2
56
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
deleted file mode 100644
index f3d2bb1375..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_2.patch
+++ /dev/null
@@ -1,92 +0,0 @@
1From b9bb4700798bce98888c51d7b6dbc19ec49159d5 Mon Sep 17 00:00:00 2001
2From: Bin Meng <bmeng.cn@gmail.com>
3Date: Wed, 3 Mar 2021 20:26:35 +0800
4Subject: [PATCH 2/6] hw/sd: sdhci: Don't transfer any data when command time
5 out
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10At the end of sdhci_send_command(), it starts a data transfer if the
11command register indicates data is associated. But the data transfer
12should only be initiated when the command execution has succeeded.
13
14With this fix, the following reproducer:
15
16outl 0xcf8 0x80001810
17outl 0xcfc 0xe1068000
18outl 0xcf8 0x80001804
19outw 0xcfc 0x7
20write 0xe106802c 0x1 0x0f
21write 0xe1068004 0xc 0x2801d10101fffffbff28a384
22write 0xe106800c 0x1f 0x9dacbbcad9e8f7061524334251606f7e8d9cabbac9d8e7f60514233241505f
23write 0xe1068003 0x28 0x80d000251480d000252280d000253080d000253e80d000254c80d000255a80d000256880d0002576
24write 0xe1068003 0x1 0xfe
25
26cannot be reproduced with the following QEMU command line:
27
28$ qemu-system-x86_64 -nographic -M pc-q35-5.0 \
29 -device sdhci-pci,sd-spec-version=3 \
30 -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
31 -device sd-card,drive=mydrive \
32 -monitor none -serial none -qtest stdio
33
34Cc: qemu-stable@nongnu.org
35Fixes: CVE-2020-17380
36Fixes: CVE-2020-25085
37Fixes: CVE-2021-3409
38Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
39Reported-by: Alexander Bulekov <alxndr@bu.edu>
40Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
41Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
42Reported-by: Simon Wörner (Ruhr-Universität Bochum)
43Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
44Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
45Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
46Acked-by: Alistair Francis <alistair.francis@wdc.com>
47Tested-by: Alexander Bulekov <alxndr@bu.edu>
48Tested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
49Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
50Message-Id: <20210303122639.20004-2-bmeng.cn@gmail.com>
51Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
52
53Upstream-Status: Backport [b263d8f928001b5cfa2a993ea43b7a5b3a1811e8]
54CVE: CVE-2021-3409
55
56Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
57---
58 hw/sd/sdhci.c | 4 +++-
59 1 file changed, 3 insertions(+), 1 deletion(-)
60
61diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
62index f83c5e295..44f8a82ea 100644
63--- a/hw/sd/sdhci.c
64+++ b/hw/sd/sdhci.c
65@@ -326,6 +326,7 @@ static void sdhci_send_command(SDHCIState *s)
66 SDRequest request;
67 uint8_t response[16];
68 int rlen;
69+ bool timeout = false;
70
71 s->errintsts = 0;
72 s->acmd12errsts = 0;
73@@ -349,6 +350,7 @@ static void sdhci_send_command(SDHCIState *s)
74 trace_sdhci_response16(s->rspreg[3], s->rspreg[2],
75 s->rspreg[1], s->rspreg[0]);
76 } else {
77+ timeout = true;
78 trace_sdhci_error("timeout waiting for command response");
79 if (s->errintstsen & SDHC_EISEN_CMDTIMEOUT) {
80 s->errintsts |= SDHC_EIS_CMDTIMEOUT;
81@@ -369,7 +371,7 @@ static void sdhci_send_command(SDHCIState *s)
82
83 sdhci_update_irq(s);
84
85- if (s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
86+ if (!timeout && s->blksize && (s->cmdreg & SDHC_CMD_DATA_PRESENT)) {
87 s->data_count = 0;
88 sdhci_data_transfer(s);
89 }
90--
912.29.2
92
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
deleted file mode 100644
index c3b37ed616..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_3.patch
+++ /dev/null
@@ -1,109 +0,0 @@
1From 405ca416ccc8135544a4fe5732974497244128c9 Mon Sep 17 00:00:00 2001
2From: Bin Meng <bmeng.cn@gmail.com>
3Date: Wed, 3 Mar 2021 20:26:36 +0800
4Subject: [PATCH 3/6] hw/sd: sdhci: Don't write to SDHC_SYSAD register when
5 transfer is in progress
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10Per "SD Host Controller Standard Specification Version 7.00"
11chapter 2.2.1 SDMA System Address Register:
12
13This register can be accessed only if no transaction is executing
14(i.e., after a transaction has stopped).
15
16With this fix, the following reproducer:
17
18outl 0xcf8 0x80001010
19outl 0xcfc 0xfbefff00
20outl 0xcf8 0x80001001
21outl 0xcfc 0x06000000
22write 0xfbefff2c 0x1 0x05
23write 0xfbefff0f 0x1 0x37
24write 0xfbefff0a 0x1 0x01
25write 0xfbefff0f 0x1 0x29
26write 0xfbefff0f 0x1 0x02
27write 0xfbefff0f 0x1 0x03
28write 0xfbefff04 0x1 0x01
29write 0xfbefff05 0x1 0x01
30write 0xfbefff07 0x1 0x02
31write 0xfbefff0c 0x1 0x33
32write 0xfbefff0e 0x1 0x20
33write 0xfbefff0f 0x1 0x00
34write 0xfbefff2a 0x1 0x01
35write 0xfbefff0c 0x1 0x00
36write 0xfbefff03 0x1 0x00
37write 0xfbefff05 0x1 0x00
38write 0xfbefff2a 0x1 0x02
39write 0xfbefff0c 0x1 0x32
40write 0xfbefff01 0x1 0x01
41write 0xfbefff02 0x1 0x01
42write 0xfbefff03 0x1 0x01
43
44cannot be reproduced with the following QEMU command line:
45
46$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
47 -nodefaults -device sdhci-pci,sd-spec-version=3 \
48 -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
49 -device sd-card,drive=mydrive -qtest stdio
50
51Cc: qemu-stable@nongnu.org
52Fixes: CVE-2020-17380
53Fixes: CVE-2020-25085
54Fixes: CVE-2021-3409
55Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
56Reported-by: Alexander Bulekov <alxndr@bu.edu>
57Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
58Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
59Reported-by: Simon Wörner (Ruhr-Universität Bochum)
60Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
61Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
62Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
63Tested-by: Alexander Bulekov <alxndr@bu.edu>
64Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
65Message-Id: <20210303122639.20004-3-bmeng.cn@gmail.com>
66Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
67
68Upstream-Status: Backport [8be45cc947832b3c02144c9d52921f499f2d77fe]
69CVE: CVE-2021-3409
70
71Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
72---
73 hw/sd/sdhci.c | 20 +++++++++++---------
74 1 file changed, 11 insertions(+), 9 deletions(-)
75
76diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
77index 44f8a82ea..d8a46f307 100644
78--- a/hw/sd/sdhci.c
79+++ b/hw/sd/sdhci.c
80@@ -1121,15 +1121,17 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
81
82 switch (offset & ~0x3) {
83 case SDHC_SYSAD:
84- s->sdmasysad = (s->sdmasysad & mask) | value;
85- MASKED_WRITE(s->sdmasysad, mask, value);
86- /* Writing to last byte of sdmasysad might trigger transfer */
87- if (!(mask & 0xFF000000) && TRANSFERRING_DATA(s->prnsts) && s->blkcnt &&
88- s->blksize && SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
89- if (s->trnmod & SDHC_TRNS_MULTI) {
90- sdhci_sdma_transfer_multi_blocks(s);
91- } else {
92- sdhci_sdma_transfer_single_block(s);
93+ if (!TRANSFERRING_DATA(s->prnsts)) {
94+ s->sdmasysad = (s->sdmasysad & mask) | value;
95+ MASKED_WRITE(s->sdmasysad, mask, value);
96+ /* Writing to last byte of sdmasysad might trigger transfer */
97+ if (!(mask & 0xFF000000) && s->blkcnt && s->blksize &&
98+ SDHC_DMA_TYPE(s->hostctl1) == SDHC_CTRL_SDMA) {
99+ if (s->trnmod & SDHC_TRNS_MULTI) {
100+ sdhci_sdma_transfer_multi_blocks(s);
101+ } else {
102+ sdhci_sdma_transfer_single_block(s);
103+ }
104 }
105 }
106 break;
107--
1082.29.2
109
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
deleted file mode 100644
index d5be99759d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_4.patch
+++ /dev/null
@@ -1,75 +0,0 @@
1From b672bcaf5522294a4d8de3e88e0932d55585ee3b Mon Sep 17 00:00:00 2001
2From: Bin Meng <bmeng.cn@gmail.com>
3Date: Wed, 3 Mar 2021 20:26:37 +0800
4Subject: [PATCH 4/6] hw/sd: sdhci: Correctly set the controller status for
5 ADMA
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10When an ADMA transfer is started, the codes forget to set the
11controller status to indicate a transfer is in progress.
12
13With this fix, the following 2 reproducers:
14
15https://paste.debian.net/plain/1185136
16https://paste.debian.net/plain/1185141
17
18cannot be reproduced with the following QEMU command line:
19
20$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
21 -nodefaults -device sdhci-pci,sd-spec-version=3 \
22 -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
23 -device sd-card,drive=mydrive -qtest stdio
24
25Cc: qemu-stable@nongnu.org
26Fixes: CVE-2020-17380
27Fixes: CVE-2020-25085
28Fixes: CVE-2021-3409
29Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
30Reported-by: Alexander Bulekov <alxndr@bu.edu>
31Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
32Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
33Reported-by: Simon Wörner (Ruhr-Universität Bochum)
34Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
35Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
36Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
37Tested-by: Alexander Bulekov <alxndr@bu.edu>
38Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
39Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
40Message-Id: <20210303122639.20004-4-bmeng.cn@gmail.com>
41Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
42
43Upstream-Status: Backport [bc6f28995ff88f5d82c38afcfd65406f0ae375aa]
44CVE: CVE-2021-3409
45
46Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
47---
48 hw/sd/sdhci.c | 3 +++
49 1 file changed, 3 insertions(+)
50
51diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
52index d8a46f307..7de03c6dd 100644
53--- a/hw/sd/sdhci.c
54+++ b/hw/sd/sdhci.c
55@@ -768,7 +768,9 @@ static void sdhci_do_adma(SDHCIState *s)
56
57 switch (dscr.attr & SDHC_ADMA_ATTR_ACT_MASK) {
58 case SDHC_ADMA_ATTR_ACT_TRAN: /* data transfer */
59+ s->prnsts |= SDHC_DATA_INHIBIT | SDHC_DAT_LINE_ACTIVE;
60 if (s->trnmod & SDHC_TRNS_READ) {
61+ s->prnsts |= SDHC_DOING_READ;
62 while (length) {
63 if (s->data_count == 0) {
64 sdbus_read_data(&s->sdbus, s->fifo_buffer, block_size);
65@@ -796,6 +798,7 @@ static void sdhci_do_adma(SDHCIState *s)
66 }
67 }
68 } else {
69+ s->prnsts |= SDHC_DOING_WRITE;
70 while (length) {
71 begin = s->data_count;
72 if ((length + begin) < block_size) {
73--
742.29.2
75
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
deleted file mode 100644
index 7199056838..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_5.patch
+++ /dev/null
@@ -1,56 +0,0 @@
1From c2298884cf6bcf2b047b4bae5f78432b052b5729 Mon Sep 17 00:00:00 2001
2From: Bin Meng <bmeng.cn@gmail.com>
3Date: Wed, 3 Mar 2021 20:26:38 +0800
4Subject: [PATCH 5/6] hw/sd: sdhci: Limit block size only when SDHC_BLKSIZE
5 register is writable
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10The codes to limit the maximum block size is only necessary when
11SDHC_BLKSIZE register is writable.
12
13Tested-by: Alexander Bulekov <alxndr@bu.edu>
14Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
15Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
16Message-Id: <20210303122639.20004-5-bmeng.cn@gmail.com>
17Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
18
19Upstream-Status: Backport [5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd]
20CVE: CVE-2021-3409
21
22Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
23---
24 hw/sd/sdhci.c | 14 +++++++-------
25 1 file changed, 7 insertions(+), 7 deletions(-)
26
27diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
28index 7de03c6dd..6c780126e 100644
29--- a/hw/sd/sdhci.c
30+++ b/hw/sd/sdhci.c
31@@ -1142,15 +1142,15 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
32 if (!TRANSFERRING_DATA(s->prnsts)) {
33 MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
34 MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
35- }
36
37- /* Limit block size to the maximum buffer size */
38- if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
39- qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
40- "the maximum buffer 0x%x\n", __func__, s->blksize,
41- s->buf_maxsz);
42+ /* Limit block size to the maximum buffer size */
43+ if (extract32(s->blksize, 0, 12) > s->buf_maxsz) {
44+ qemu_log_mask(LOG_GUEST_ERROR, "%s: Size 0x%x is larger than "
45+ "the maximum buffer 0x%x\n", __func__, s->blksize,
46+ s->buf_maxsz);
47
48- s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
49+ s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
50+ }
51 }
52
53 break;
54--
552.29.2
56
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
deleted file mode 100644
index 624c1f6496..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3409_6.patch
+++ /dev/null
@@ -1,99 +0,0 @@
1From db916870a839346767b6d5ca7d0eed3128ba5fea Mon Sep 17 00:00:00 2001
2From: Bin Meng <bmeng.cn@gmail.com>
3Date: Wed, 3 Mar 2021 20:26:39 +0800
4Subject: [PATCH 6/6] hw/sd: sdhci: Reset the data pointer of s->fifo_buffer[]
5 when a different block size is programmed
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10If the block size is programmed to a different value from the
11previous one, reset the data pointer of s->fifo_buffer[] so that
12s->fifo_buffer[] can be filled in using the new block size in
13the next transfer.
14
15With this fix, the following reproducer:
16
17outl 0xcf8 0x80001010
18outl 0xcfc 0xe0000000
19outl 0xcf8 0x80001001
20outl 0xcfc 0x06000000
21write 0xe000002c 0x1 0x05
22write 0xe0000005 0x1 0x02
23write 0xe0000007 0x1 0x01
24write 0xe0000028 0x1 0x10
25write 0x0 0x1 0x23
26write 0x2 0x1 0x08
27write 0xe000000c 0x1 0x01
28write 0xe000000e 0x1 0x20
29write 0xe000000f 0x1 0x00
30write 0xe000000c 0x1 0x32
31write 0xe0000004 0x2 0x0200
32write 0xe0000028 0x1 0x00
33write 0xe0000003 0x1 0x40
34
35cannot be reproduced with the following QEMU command line:
36
37$ qemu-system-x86_64 -nographic -machine accel=qtest -m 512M \
38 -nodefaults -device sdhci-pci,sd-spec-version=3 \
39 -drive if=sd,index=0,file=null-co://,format=raw,id=mydrive \
40 -device sd-card,drive=mydrive -qtest stdio
41
42Cc: qemu-stable@nongnu.org
43Fixes: CVE-2020-17380
44Fixes: CVE-2020-25085
45Fixes: CVE-2021-3409
46Fixes: d7dfca0807a0 ("hw/sdhci: introduce standard SD host controller")
47Reported-by: Alexander Bulekov <alxndr@bu.edu>
48Reported-by: Cornelius Aschermann (Ruhr-Universität Bochum)
49Reported-by: Sergej Schumilo (Ruhr-Universität Bochum)
50Reported-by: Simon Wörner (Ruhr-Universität Bochum)
51Buglink: https://bugs.launchpad.net/qemu/+bug/1892960
52Buglink: https://bugs.launchpad.net/qemu/+bug/1909418
53Buglink: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
54Tested-by: Alexander Bulekov <alxndr@bu.edu>
55Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
56Message-Id: <20210303122639.20004-6-bmeng.cn@gmail.com>
57Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
58
59Upstream-Status: Backport [cffb446e8fd19a14e1634c7a3a8b07be3f01d5c9]
60CVE: CVE-2021-3409
61
62Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
63---
64 hw/sd/sdhci.c | 12 ++++++++++++
65 1 file changed, 12 insertions(+)
66
67diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
68index 6c780126e..216842420 100644
69--- a/hw/sd/sdhci.c
70+++ b/hw/sd/sdhci.c
71@@ -1140,6 +1140,8 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
72 break;
73 case SDHC_BLKSIZE:
74 if (!TRANSFERRING_DATA(s->prnsts)) {
75+ uint16_t blksize = s->blksize;
76+
77 MASKED_WRITE(s->blksize, mask, extract32(value, 0, 12));
78 MASKED_WRITE(s->blkcnt, mask >> 16, value >> 16);
79
80@@ -1151,6 +1153,16 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
81
82 s->blksize = deposit32(s->blksize, 0, 12, s->buf_maxsz);
83 }
84+
85+ /*
86+ * If the block size is programmed to a different value from
87+ * the previous one, reset the data pointer of s->fifo_buffer[]
88+ * so that s->fifo_buffer[] can be filled in using the new block
89+ * size in the next transfer.
90+ */
91+ if (blksize != s->blksize) {
92+ s->data_count = 0;
93+ }
94 }
95
96 break;
97--
982.29.2
99
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
deleted file mode 100644
index 5bacd67481..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_1.patch
+++ /dev/null
@@ -1,177 +0,0 @@
1From 4b1988a29d67277d6c8ce1df52975f5616592913 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 11:44:36 +0800
4Subject: [PATCH 01/10] net: introduce qemu_receive_packet()
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Some NIC supports loopback mode and this is done by calling
10nc->info->receive() directly which in fact suppresses the effort of
11reentrancy check that is done in qemu_net_queue_send().
12
13Unfortunately we can't use qemu_net_queue_send() here since for
14loopback there's no sender as peer, so this patch introduce a
15qemu_receive_packet() which is used for implementing loopback mode
16for a NIC with this check.
17
18NIC that supports loopback mode will be converted to this helper.
19
20This is intended to address CVE-2021-3416.
21
22Cc: Prasad J Pandit <ppandit@redhat.com>
23Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
24Cc: qemu-stable@nongnu.org
25Signed-off-by: Jason Wang <jasowang@redhat.com>
26
27Upstream-Status: Backport [705df5466c98f3efdd2b68d3b31dad86858acad7]
28CVE: CVE-2021-3416
29
30Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
31---
32 include/net/net.h | 5 +++++
33 include/net/queue.h | 8 ++++++++
34 net/net.c | 38 +++++++++++++++++++++++++++++++-------
35 net/queue.c | 22 ++++++++++++++++++++++
36 4 files changed, 66 insertions(+), 7 deletions(-)
37
38diff --git a/include/net/net.h b/include/net/net.h
39index 778fc787c..03f058ecb 100644
40--- a/include/net/net.h
41+++ b/include/net/net.h
42@@ -143,12 +143,17 @@ void *qemu_get_nic_opaque(NetClientState *nc);
43 void qemu_del_net_client(NetClientState *nc);
44 typedef void (*qemu_nic_foreach)(NICState *nic, void *opaque);
45 void qemu_foreach_nic(qemu_nic_foreach func, void *opaque);
46+int qemu_can_receive_packet(NetClientState *nc);
47 int qemu_can_send_packet(NetClientState *nc);
48 ssize_t qemu_sendv_packet(NetClientState *nc, const struct iovec *iov,
49 int iovcnt);
50 ssize_t qemu_sendv_packet_async(NetClientState *nc, const struct iovec *iov,
51 int iovcnt, NetPacketSent *sent_cb);
52 ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size);
53+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size);
54+ssize_t qemu_receive_packet_iov(NetClientState *nc,
55+ const struct iovec *iov,
56+ int iovcnt);
57 ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size);
58 ssize_t qemu_send_packet_async(NetClientState *nc, const uint8_t *buf,
59 int size, NetPacketSent *sent_cb);
60diff --git a/include/net/queue.h b/include/net/queue.h
61index c0269bb1d..9f2f289d7 100644
62--- a/include/net/queue.h
63+++ b/include/net/queue.h
64@@ -55,6 +55,14 @@ void qemu_net_queue_append_iov(NetQueue *queue,
65
66 void qemu_del_net_queue(NetQueue *queue);
67
68+ssize_t qemu_net_queue_receive(NetQueue *queue,
69+ const uint8_t *data,
70+ size_t size);
71+
72+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
73+ const struct iovec *iov,
74+ int iovcnt);
75+
76 ssize_t qemu_net_queue_send(NetQueue *queue,
77 NetClientState *sender,
78 unsigned flags,
79diff --git a/net/net.c b/net/net.c
80index 6a2c3d956..5e15e5d27 100644
81--- a/net/net.c
82+++ b/net/net.c
83@@ -528,6 +528,17 @@ int qemu_set_vnet_be(NetClientState *nc, bool is_be)
84 #endif
85 }
86
87+int qemu_can_receive_packet(NetClientState *nc)
88+{
89+ if (nc->receive_disabled) {
90+ return 0;
91+ } else if (nc->info->can_receive &&
92+ !nc->info->can_receive(nc)) {
93+ return 0;
94+ }
95+ return 1;
96+}
97+
98 int qemu_can_send_packet(NetClientState *sender)
99 {
100 int vm_running = runstate_is_running();
101@@ -540,13 +551,7 @@ int qemu_can_send_packet(NetClientState *sender)
102 return 1;
103 }
104
105- if (sender->peer->receive_disabled) {
106- return 0;
107- } else if (sender->peer->info->can_receive &&
108- !sender->peer->info->can_receive(sender->peer)) {
109- return 0;
110- }
111- return 1;
112+ return qemu_can_receive_packet(sender->peer);
113 }
114
115 static ssize_t filter_receive_iov(NetClientState *nc,
116@@ -679,6 +684,25 @@ ssize_t qemu_send_packet(NetClientState *nc, const uint8_t *buf, int size)
117 return qemu_send_packet_async(nc, buf, size, NULL);
118 }
119
120+ssize_t qemu_receive_packet(NetClientState *nc, const uint8_t *buf, int size)
121+{
122+ if (!qemu_can_receive_packet(nc)) {
123+ return 0;
124+ }
125+
126+ return qemu_net_queue_receive(nc->incoming_queue, buf, size);
127+}
128+
129+ssize_t qemu_receive_packet_iov(NetClientState *nc, const struct iovec *iov,
130+ int iovcnt)
131+{
132+ if (!qemu_can_receive_packet(nc)) {
133+ return 0;
134+ }
135+
136+ return qemu_net_queue_receive_iov(nc->incoming_queue, iov, iovcnt);
137+}
138+
139 ssize_t qemu_send_packet_raw(NetClientState *nc, const uint8_t *buf, int size)
140 {
141 return qemu_send_packet_async_with_flags(nc, QEMU_NET_PACKET_FLAG_RAW,
142diff --git a/net/queue.c b/net/queue.c
143index 19e32c80f..c872d51df 100644
144--- a/net/queue.c
145+++ b/net/queue.c
146@@ -182,6 +182,28 @@ static ssize_t qemu_net_queue_deliver_iov(NetQueue *queue,
147 return ret;
148 }
149
150+ssize_t qemu_net_queue_receive(NetQueue *queue,
151+ const uint8_t *data,
152+ size_t size)
153+{
154+ if (queue->delivering) {
155+ return 0;
156+ }
157+
158+ return qemu_net_queue_deliver(queue, NULL, 0, data, size);
159+}
160+
161+ssize_t qemu_net_queue_receive_iov(NetQueue *queue,
162+ const struct iovec *iov,
163+ int iovcnt)
164+{
165+ if (queue->delivering) {
166+ return 0;
167+ }
168+
169+ return qemu_net_queue_deliver_iov(queue, NULL, 0, iov, iovcnt);
170+}
171+
172 ssize_t qemu_net_queue_send(NetQueue *queue,
173 NetClientState *sender,
174 unsigned flags,
175--
1762.29.2
177
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
deleted file mode 100644
index 7deec1a347..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_10.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From 65b851efd3d0280425c202f4e5880c48f8334dae Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Mon, 1 Mar 2021 14:35:30 -0500
4Subject: [PATCH 10/10] lan9118: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
18Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Jason Wang <jasowang@redhat.com>
20
21Upstream-Status: Backport [37cee01784ff0df13e5209517e1b3594a5e792d1]
22CVE: CVE-2021-3416
23
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 hw/net/lan9118.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29diff --git a/hw/net/lan9118.c b/hw/net/lan9118.c
30index ab57c02c8..75f18ae2d 100644
31--- a/hw/net/lan9118.c
32+++ b/hw/net/lan9118.c
33@@ -669,7 +669,7 @@ static void do_tx_packet(lan9118_state *s)
34 /* FIXME: Honor TX disable, and allow queueing of packets. */
35 if (s->phy_control & 0x4000) {
36 /* This assumes the receive routine doesn't touch the VLANClient. */
37- lan9118_receive(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
38+ qemu_receive_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
39 } else {
40 qemu_send_packet(qemu_get_queue(s->nic), s->txp->data, s->txp->len);
41 }
42--
432.29.2
44
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
deleted file mode 100644
index 5e53e20bac..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_2.patch
+++ /dev/null
@@ -1,42 +0,0 @@
1From e2a48a3c7cc33dbbe89f896e0f07462cb04ff6b5 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 12:13:22 +0800
4Subject: [PATCH 02/10] e1000: switch to use qemu_receive_packet() for loopback
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9This patch switches to use qemu_receive_packet() which can detect
10reentrancy and return early.
11
12This is intended to address CVE-2021-3416.
13
14Cc: Prasad J Pandit <ppandit@redhat.com>
15Cc: qemu-stable@nongnu.org
16Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
17Signed-off-by: Jason Wang <jasowang@redhat.com>
18
19Upstream-Status: Backport [1caff0340f49c93d535c6558a5138d20d475315c]
20CVE: CVE-2021-3416
21
22Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
23---
24 hw/net/e1000.c | 2 +-
25 1 file changed, 1 insertion(+), 1 deletion(-)
26
27diff --git a/hw/net/e1000.c b/hw/net/e1000.c
28index d7d05ae30..cf22c4f07 100644
29--- a/hw/net/e1000.c
30+++ b/hw/net/e1000.c
31@@ -546,7 +546,7 @@ e1000_send_packet(E1000State *s, const uint8_t *buf, int size)
32
33 NetClientState *nc = qemu_get_queue(s->nic);
34 if (s->phy_reg[PHY_CTRL] & MII_CR_LOOPBACK) {
35- nc->info->receive(nc, buf, size);
36+ qemu_receive_packet(nc, buf, size);
37 } else {
38 qemu_send_packet(nc, buf, size);
39 }
40--
412.29.2
42
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
deleted file mode 100644
index 3fc469e3e3..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_3.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From c041a4da1ff119715e0ccf2d4a7af62568f17b93 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 12:57:40 +0800
4Subject: [PATCH 03/10] dp8393x: switch to use qemu_receive_packet() for
5 loopback packet
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
18Signed-off-by: Jason Wang <jasowang@redhat.com>
19
20Upstream-Status: Backport [331d2ac9ea307c990dc86e6493e8f0c48d14bb33]
21CVE: CVE-2021-3416
22
23Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
24---
25 hw/net/dp8393x.c | 2 +-
26 1 file changed, 1 insertion(+), 1 deletion(-)
27
28diff --git a/hw/net/dp8393x.c b/hw/net/dp8393x.c
29index 205c0decc..533a8304d 100644
30--- a/hw/net/dp8393x.c
31+++ b/hw/net/dp8393x.c
32@@ -506,7 +506,7 @@ static void dp8393x_do_transmit_packets(dp8393xState *s)
33 s->regs[SONIC_TCR] |= SONIC_TCR_CRSL;
34 if (nc->info->can_receive(nc)) {
35 s->loopback_packet = 1;
36- nc->info->receive(nc, s->tx_buffer, tx_len);
37+ qemu_receive_packet(nc, s->tx_buffer, tx_len);
38 }
39 } else {
40 /* Transmit packet */
41--
422.29.2
43
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
deleted file mode 100644
index e14f37735d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_4.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From 9ac5345344b75995bc96d171eaa5dc8d26bf0e21 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 13:00:01 +0800
4Subject: [PATCH 04/10] msf2-mac: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Signed-off-by: Jason Wang <jasowang@redhat.com>
19
20Upstream-Status: Backport [26194a58f4eb83c5bdf4061a1628508084450ba1]
21CVE: CVE-2021-3416
22
23Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
24---
25 hw/net/msf2-emac.c | 2 +-
26 1 file changed, 1 insertion(+), 1 deletion(-)
27
28diff --git a/hw/net/msf2-emac.c b/hw/net/msf2-emac.c
29index 32ba9e841..3e6206044 100644
30--- a/hw/net/msf2-emac.c
31+++ b/hw/net/msf2-emac.c
32@@ -158,7 +158,7 @@ static void msf2_dma_tx(MSF2EmacState *s)
33 * R_CFG1 bit 0 is set.
34 */
35 if (s->regs[R_CFG1] & R_CFG1_LB_EN_MASK) {
36- nc->info->receive(nc, buf, size);
37+ qemu_receive_packet(nc, buf, size);
38 } else {
39 qemu_send_packet(nc, buf, size);
40 }
41--
422.29.2
43
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
deleted file mode 100644
index c3f8f97592..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_5.patch
+++ /dev/null
@@ -1,45 +0,0 @@
1From d465dc79c9ee729d91ef086b993e956b1935be69 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 13:14:35 +0800
4Subject: [PATCH 05/10] sungem: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
18Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
19Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
20Signed-off-by: Jason Wang <jasowang@redhat.com>
21
22Upstream-Status: Backport [8c92060d3c0248bd4d515719a35922cd2391b9b4]
23CVE: CVE-2021-3416
24
25Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
26---
27 hw/net/sungem.c | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30diff --git a/hw/net/sungem.c b/hw/net/sungem.c
31index 33c3722df..3684a4d73 100644
32--- a/hw/net/sungem.c
33+++ b/hw/net/sungem.c
34@@ -306,7 +306,7 @@ static void sungem_send_packet(SunGEMState *s, const uint8_t *buf,
35 NetClientState *nc = qemu_get_queue(s->nic);
36
37 if (s->macregs[MAC_XIFCFG >> 2] & MAC_XIFCFG_LBCK) {
38- nc->info->receive(nc, buf, size);
39+ qemu_receive_packet(nc, buf, size);
40 } else {
41 qemu_send_packet(nc, buf, size);
42 }
43--
442.29.2
45
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
deleted file mode 100644
index 855c6970f4..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_6.patch
+++ /dev/null
@@ -1,43 +0,0 @@
1From c0010f9b2bafe866fe32e3c2688454bc24147136 Mon Sep 17 00:00:00 2001
2From: Jason Wang <jasowang@redhat.com>
3Date: Wed, 24 Feb 2021 13:27:52 +0800
4Subject: [PATCH 06/10] tx_pkt: switch to use qemu_receive_packet_iov() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_receive_iov() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Signed-off-by: Jason Wang <jasowang@redhat.com>
19
20Upstream-Status: Backport [8c552542b81e56ff532dd27ec6e5328954bdda73]
21CVE: CVE-2021-3416
22
23Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
24---
25 hw/net/net_tx_pkt.c | 2 +-
26 1 file changed, 1 insertion(+), 1 deletion(-)
27
28diff --git a/hw/net/net_tx_pkt.c b/hw/net/net_tx_pkt.c
29index da262edc3..1f9aa59ec 100644
30--- a/hw/net/net_tx_pkt.c
31+++ b/hw/net/net_tx_pkt.c
32@@ -553,7 +553,7 @@ static inline void net_tx_pkt_sendv(struct NetTxPkt *pkt,
33 NetClientState *nc, const struct iovec *iov, int iov_cnt)
34 {
35 if (pkt->is_loopback) {
36- nc->info->receive_iov(nc, iov, iov_cnt);
37+ qemu_receive_packet_iov(nc, iov, iov_cnt);
38 } else {
39 qemu_sendv_packet(nc, iov, iov_cnt);
40 }
41--
422.29.2
43
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
deleted file mode 100644
index 4e1115de02..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_7.patch
+++ /dev/null
@@ -1,45 +0,0 @@
1From 64b38675c728354e4015e4bec3d975cd4cb8a981 Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Fri, 26 Feb 2021 13:47:53 -0500
4Subject: [PATCH 07/10] rtl8139: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Buglink: https://bugs.launchpad.net/qemu/+bug/1910826
18Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
19Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
20Signed-off-by: Jason Wang <jasowang@redhat.com>
21
22Upstream-Status: Backport [5311fb805a4403bba024e83886fa0e7572265de4]
23CVE: CVE-2021-3416
24
25Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
26---
27 hw/net/rtl8139.c | 2 +-
28 1 file changed, 1 insertion(+), 1 deletion(-)
29
30diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
31index ba5ace1ab..d2dd03e6a 100644
32--- a/hw/net/rtl8139.c
33+++ b/hw/net/rtl8139.c
34@@ -1795,7 +1795,7 @@ static void rtl8139_transfer_frame(RTL8139State *s, uint8_t *buf, int size,
35 }
36
37 DPRINTF("+++ transmit loopback mode\n");
38- rtl8139_do_receive(qemu_get_queue(s->nic), buf, size, do_interrupt);
39+ qemu_receive_packet(qemu_get_queue(s->nic), buf, size);
40
41 if (iov) {
42 g_free(buf2);
43--
442.29.2
45
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
deleted file mode 100644
index ed716468dc..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_8.patch
+++ /dev/null
@@ -1,44 +0,0 @@
1From 023ce62f0a788ad3a8233c7a828554bceeafd031 Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Mon, 1 Mar 2021 10:33:34 -0500
4Subject: [PATCH 08/10] pcnet: switch to use qemu_receive_packet() for loopback
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9This patch switches to use qemu_receive_packet() which can detect
10reentrancy and return early.
11
12This is intended to address CVE-2021-3416.
13
14Cc: Prasad J Pandit <ppandit@redhat.com>
15Cc: qemu-stable@nongnu.org
16Buglink: https://bugs.launchpad.net/qemu/+bug/1917085
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com
18Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Jason Wang <jasowang@redhat.com>
20
21Upstream-Status: Backport [99ccfaa1edafd79f7a3a0ff7b58ae4da7c514928]
22CVE: CVE-2021-3416
23
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 hw/net/pcnet.c | 2 +-
27 1 file changed, 1 insertion(+), 1 deletion(-)
28
29diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
30index f3f18d859..dcd3fc494 100644
31--- a/hw/net/pcnet.c
32+++ b/hw/net/pcnet.c
33@@ -1250,7 +1250,7 @@ txagain:
34 if (BCR_SWSTYLE(s) == 1)
35 add_crc = !GET_FIELD(tmd.status, TMDS, NOFCS);
36 s->looptest = add_crc ? PCNET_LOOPTEST_CRC : PCNET_LOOPTEST_NOCRC;
37- pcnet_receive(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
38+ qemu_receive_packet(qemu_get_queue(s->nic), s->buffer, s->xmit_pos);
39 s->looptest = 0;
40 } else {
41 if (s->nic) {
42--
432.29.2
44
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch b/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
deleted file mode 100644
index 39d32b33a4..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2021-3416_9.patch
+++ /dev/null
@@ -1,46 +0,0 @@
1From ecf7e62bb2cb02c9bd40082504ae376f3e19ffd2 Mon Sep 17 00:00:00 2001
2From: Alexander Bulekov <alxndr@bu.edu>
3Date: Mon, 1 Mar 2021 14:33:43 -0500
4Subject: [PATCH 09/10] cadence_gem: switch to use qemu_receive_packet() for
5 loopback
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10This patch switches to use qemu_receive_packet() which can detect
11reentrancy and return early.
12
13This is intended to address CVE-2021-3416.
14
15Cc: Prasad J Pandit <ppandit@redhat.com>
16Cc: qemu-stable@nongnu.org
17Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
18Signed-off-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Jason Wang <jasowang@redhat.com>
20
21Upstream-Status: Backport [e73adfbeec9d4e008630c814759052ed945c3fed]
22CVE: CVE-2021-3416
23
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 hw/net/cadence_gem.c | 4 ++--
27 1 file changed, 2 insertions(+), 2 deletions(-)
28
29diff --git a/hw/net/cadence_gem.c b/hw/net/cadence_gem.c
30index 7a534691f..43b760e3f 100644
31--- a/hw/net/cadence_gem.c
32+++ b/hw/net/cadence_gem.c
33@@ -1275,8 +1275,8 @@ static void gem_transmit(CadenceGEMState *s)
34 /* Send the packet somewhere */
35 if (s->phy_loop || (s->regs[GEM_NWCTRL] &
36 GEM_NWCTRL_LOCALLOOP)) {
37- gem_receive(qemu_get_queue(s->nic), s->tx_packet,
38- total_bytes);
39+ qemu_receive_packet(qemu_get_queue(s->nic), s->tx_packet,
40+ total_bytes);
41 } else {
42 qemu_send_packet(qemu_get_queue(s->nic), s->tx_packet,
43 total_bytes);
44--
452.29.2
46
diff --git a/meta/recipes-devtools/qemu/qemu/cross.patch b/meta/recipes-devtools/qemu/qemu/cross.patch
index 438c1ad086..a0fc39e5e2 100644
--- a/meta/recipes-devtools/qemu/qemu/cross.patch
+++ b/meta/recipes-devtools/qemu/qemu/cross.patch
@@ -6,19 +6,19 @@ Upstream-Status: Inappropriate [may be rewritten in a way upstream may accept?]
6Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 6Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
7 7
8 8
9Index: qemu-5.2.0/configure 9Index: qemu-6.0.0/configure
10=================================================================== 10===================================================================
11--- qemu-5.2.0.orig/configure 11--- qemu-6.0.0.orig/configure
12+++ qemu-5.2.0/configure 12+++ qemu-6.0.0/configure
13@@ -6973,7 +6973,6 @@ if has $sdl2_config; then 13@@ -6371,7 +6371,6 @@ if has $sdl2_config; then
14 fi 14 fi
15 echo "strip = [$(meson_quote $strip)]" >> $cross 15 echo "strip = [$(meson_quote $strip)]" >> $cross
16 echo "windres = [$(meson_quote $windres)]" >> $cross 16 echo "windres = [$(meson_quote $windres)]" >> $cross
17-if test -n "$cross_prefix"; then 17-if test "$cross_compile" = "yes"; then
18 cross_arg="--cross-file config-meson.cross" 18 cross_arg="--cross-file config-meson.cross"
19 echo "[host_machine]" >> $cross 19 echo "[host_machine]" >> $cross
20 if test "$mingw32" = "yes" ; then 20 if test "$mingw32" = "yes" ; then
21@@ -6999,9 +6998,6 @@ if test -n "$cross_prefix"; then 21@@ -6403,9 +6402,6 @@ if test "$cross_compile" = "yes"; then
22 else 22 else
23 echo "endian = 'little'" >> $cross 23 echo "endian = 'little'" >> $cross
24 fi 24 fi
diff --git a/meta/recipes-devtools/qemu/qemu/determinism.patch b/meta/recipes-devtools/qemu/qemu/determinism.patch
index cb1c907777..330a31204d 100644
--- a/meta/recipes-devtools/qemu/qemu/determinism.patch
+++ b/meta/recipes-devtools/qemu/qemu/determinism.patch
@@ -4,38 +4,19 @@ qemu build are not reproducible due to either full buildpaths or timestamps.
4Replace the full paths with relative ones. I couldn't figure out how to get 4Replace the full paths with relative ones. I couldn't figure out how to get
5meson to pass relative paths but we can fix that in the script. 5meson to pass relative paths but we can fix that in the script.
6 6
7For the keymaps, omit the timestamps as they don't matter to us.
8
9Upstream-Status: Pending [some version of all/part of this may be accepted] 7Upstream-Status: Pending [some version of all/part of this may be accepted]
10RP 2021/3/1 8RP 2021/3/1
11 9
12Index: qemu-5.2.0/scripts/decodetree.py 10Index: qemu-6.0.0/scripts/decodetree.py
13=================================================================== 11===================================================================
14--- qemu-5.2.0.orig/scripts/decodetree.py 12--- qemu-6.0.0.orig/scripts/decodetree.py
15+++ qemu-5.2.0/scripts/decodetree.py 13+++ qemu-6.0.0/scripts/decodetree.py
16@@ -1303,8 +1303,8 @@ def main(): 14@@ -1304,7 +1304,7 @@ def main():
17 toppat = ExcMultiPattern(0) 15 toppat = ExcMultiPattern(0)
18 16
19 for filename in args: 17 for filename in args:
20- input_file = filename 18- input_file = filename
21- f = open(filename, 'r')
22+ input_file = os.path.relpath(filename) 19+ input_file = os.path.relpath(filename)
23+ f = open(input_file, 'r') 20 f = open(filename, 'rt', encoding='utf-8')
24 parse_file(f, toppat) 21 parse_file(f, toppat)
25 f.close() 22 f.close()
26
27Index: qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen
28===================================================================
29--- qemu-5.2.0.orig/ui/keycodemapdb/tools/keymap-gen
30+++ qemu-5.2.0/ui/keycodemapdb/tools/keymap-gen
31@@ -317,9 +317,8 @@ class LanguageGenerator(object):
32 raise NotImplementedError()
33
34 def generate_header(self, database, args):
35- today = time.strftime("%Y-%m-%d %H:%M")
36 self._boilerplate([
37- "This file is auto-generated from keymaps.csv on %s" % today,
38+ "This file is auto-generated from keymaps.csv",
39 "Database checksum sha256(%s)" % database.mapchecksum,
40 "To re-generate, run:",
41 " %s" % args,
diff --git a/meta/recipes-devtools/qemu/qemu/mingwfix.patch b/meta/recipes-devtools/qemu/qemu/mingwfix.patch
deleted file mode 100644
index 8d76cef638..0000000000
--- a/meta/recipes-devtools/qemu/qemu/mingwfix.patch
+++ /dev/null
@@ -1,21 +0,0 @@
1OE assumes that mingw files are in a unix like file layout. The
2'flattening' done by configure in qemu for mingw32 breaks things
3for us. We are discussing with upstream but for now, hack this to
4disable it and use the unix like layout everywhere.
5
6Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
7Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01073.html]
8
9Index: qemu-5.2.0/configure
10===================================================================
11--- qemu-5.2.0.orig/configure
12+++ qemu-5.2.0/configure
13@@ -1541,7 +1541,7 @@ libdir="${libdir:-$prefix/lib}"
14 libexecdir="${libexecdir:-$prefix/libexec}"
15 includedir="${includedir:-$prefix/include}"
16
17-if test "$mingw32" = "yes" ; then
18+if test "$mingw32" = "dontwantthis" ; then
19 mandir="$prefix"
20 datadir="$prefix"
21 docdir="$prefix"
diff --git a/meta/recipes-devtools/qemu/qemu/mmap.patch b/meta/recipes-devtools/qemu/qemu/mmap.patch
deleted file mode 100644
index edd9734f30..0000000000
--- a/meta/recipes-devtools/qemu/qemu/mmap.patch
+++ /dev/null
@@ -1,29 +0,0 @@
1If mremap() is called without the MREMAP_MAYMOVE flag with a start address
2just before the end of memory (reserved_va) where new_size would exceed
3GUEST_ADD_MAX, the assert(end - 1 <= GUEST_ADDR_MAX) in page_set_flags()
4would trigger.
5
6Add an extra guard to the guest_range_valid() checks to prevent this and
7avoid asserting binaries when reserved_va is set.
8
9This meant a test case now gives the same behaviour regardless of whether
10reserved_va is set or not.
11
12Upstream-Status: Backport [https://github.com/qemu/qemu/commit/ccc5ccc17f8cfbfd87d9aede5d12a2d47c56e712]
13Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
14
15Index: qemu-5.2.0/linux-user/mmap.c
16===================================================================
17--- qemu-5.2.0.orig/linux-user/mmap.c
18+++ qemu-5.2.0/linux-user/mmap.c
19@@ -727,7 +727,9 @@ abi_long target_mremap(abi_ulong old_add
20
21 if (!guest_range_valid(old_addr, old_size) ||
22 ((flags & MREMAP_FIXED) &&
23- !guest_range_valid(new_addr, new_size))) {
24+ !guest_range_valid(new_addr, new_size)) ||
25+ ((flags & MREMAP_MAYMOVE) == 0 &&
26+ !guest_range_valid(old_addr, new_size))) {
27 errno = ENOMEM;
28 return -1;
29 }
diff --git a/meta/recipes-devtools/qemu/qemu/mmap2.patch b/meta/recipes-devtools/qemu/qemu/mmap2.patch
index 1652131757..e115473b70 100644
--- a/meta/recipes-devtools/qemu/qemu/mmap2.patch
+++ b/meta/recipes-devtools/qemu/qemu/mmap2.patch
@@ -13,27 +13,26 @@ rather than ENOMEM so adjust the other part of the test to this.
13Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01355.html] 13Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg01355.html]
14Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org 14Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org
15 15
16Index: qemu-5.2.0/linux-user/mmap.c 16Index: qemu-6.0.0/linux-user/mmap.c
17=================================================================== 17===================================================================
18--- qemu-5.2.0.orig/linux-user/mmap.c 18--- qemu-6.0.0.orig/linux-user/mmap.c
19+++ qemu-5.2.0/linux-user/mmap.c 19+++ qemu-6.0.0/linux-user/mmap.c
20@@ -722,12 +722,14 @@ abi_long target_mremap(abi_ulong old_add 20@@ -733,12 +733,16 @@ abi_long target_mremap(abi_ulong old_add
21 int prot; 21 int prot;
22 void *host_addr; 22 void *host_addr;
23 23
24- if (!guest_range_valid(old_addr, old_size) || 24- if (!guest_range_valid_untagged(old_addr, old_size) ||
25- ((flags & MREMAP_FIXED) && 25- ((flags & MREMAP_FIXED) &&
26- !guest_range_valid(new_addr, new_size)) || 26+ if (!guest_range_valid_untagged(old_addr, old_size)) {
27- ((flags & MREMAP_MAYMOVE) == 0 &&
28- !guest_range_valid(old_addr, new_size))) {
29- errno = ENOMEM;
30+ if (!guest_range_valid(old_addr, old_size)) {
31+ errno = EFAULT; 27+ errno = EFAULT;
32+ return -1; 28+ return -1;
33+ } 29+ }
34+ 30+
35+ if (((flags & MREMAP_FIXED) && !guest_range_valid(new_addr, new_size)) || 31+ if (((flags & MREMAP_FIXED) &&
36+ ((flags & MREMAP_MAYMOVE) == 0 && !guest_range_valid(old_addr, new_size))) { 32 !guest_range_valid_untagged(new_addr, new_size)) ||
33 ((flags & MREMAP_MAYMOVE) == 0 &&
34 !guest_range_valid_untagged(old_addr, new_size))) {
35- errno = ENOMEM;
37+ errno = EINVAL; 36+ errno = EINVAL;
38 return -1; 37 return -1;
39 } 38 }
diff --git a/meta/recipes-devtools/qemu/qemu_5.2.0.bb b/meta/recipes-devtools/qemu/qemu_6.0.0.bb
index f265204b10..90b135a617 100644
--- a/meta/recipes-devtools/qemu/qemu_5.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_6.0.0.bb
@@ -19,11 +19,11 @@ do_install_append_class-nativesdk() {
19} 19}
20 20
21PACKAGECONFIG ??= " \ 21PACKAGECONFIG ??= " \
22 fdt sdl kvm \ 22 fdt sdl kvm pie \
23 ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \ 23 ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
24 ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \ 24 ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
25 ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \ 25 ${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
26" 26"
27PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm \ 27PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm pie \
28 ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \ 28 ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
29" 29"