authorRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-13 14:44:42 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2020-08-17 08:45:35 +0100
commit7e25a6b4d52a16e812dfd444d65283d2c75d2d77 (patch)
tree1f61c98c9d24ed35b685af62bcdb1d83a36b80f9 /meta
parent1bff01bda9741ad3a9b9e1937d73859636575c7c (diff)
qemu: Upgrade 5.0.0 -> 5.1.0
* Drop backported CVE fixes * Drop cpu backtrace patch from 2015 for debugging an issue which we no longer see (patch throws rejects, files have moved) * Update mips patch to account for file renames * Update chardev patch to match upstream code changes * Update webkitgtk patch, qemumips build works ok but qemux86 musl webkitgtk still fails. Need to figure out the correct fix and upstream it for this, current revert patch is not maintainable. Release notes for 5.1.0 mention slight qemumips performance improvements which would be valuable to us. My tests show no improvement in qemumips testimage execution time for core-image-sato-sdk. Fix a ptest issue for a file looking for /usr/bin/bash when we have /bin/bash. (From OE-Core rev: 686b770af67fdd2251f4ddab5b0eefc8fb0870ef) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/conf/distro/include/tcmode-default.inc2
-rw-r--r--meta/recipes-devtools/qemu/qemu-native.inc4
-rw-r--r--meta/recipes-devtools/qemu/qemu-native_5.1.0.bb (renamed from meta/recipes-devtools/qemu/qemu-native_5.0.0.bb)0
-rw-r--r--meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb (renamed from meta/recipes-devtools/qemu/qemu-system-native_5.0.0.bb)0
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc11
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch15
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch17
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch13
-rw-r--r--meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch13
-rw-r--r--meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch10
-rw-r--r--meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch10
-rw-r--r--meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch13
-rw-r--r--meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch56
-rw-r--r--meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch10
-rw-r--r--meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch10
-rw-r--r--meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch73
-rw-r--r--meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch14
-rw-r--r--meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch74
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch151
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch61
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch55
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch58
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch53
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch63
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch63
-rw-r--r--meta/recipes-devtools/qemu/qemu/find_datadir.patch14
-rw-r--r--meta/recipes-devtools/qemu/qemu_5.1.0.bb (renamed from meta/recipes-devtools/qemu/qemu_5.0.0.bb)0
27 files changed, 130 insertions, 733 deletions
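--- a/meta/conf/distro/include/tcmode-default.inc
+++ b/meta/conf/distro/include/tcmode-default.inc
@@ -22,7 +22,7 @@ BINUVERSION ?= "2.35%"
 GDBVERSION ?= "9.%"
 GLIBCVERSION ?= "2.32"
 LINUXLIBCVERSION ?= "5.4%"
-QEMUVERSION ?= "5.0%"
+QEMUVERSION ?= "5.1%"
 GOVERSION ?= "1.14%"
 # This can not use wildcards like 8.0.% since it is also used in mesa to denote
 # llvm version being used, so always bump it with llvm recipe version bump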
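--- a/meta/recipes-devtools/qemu/qemu-native.inc
+++ b/meta/recipes-devtools/qemu/qemu-native.inc
@@ -2,10 +2,6 @@ inherit native
 
 require qemu.inc
 
-SRC_URI_append = " \
- file://0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
- "
-
 EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'"
 
 LDFLAGS_append = " -fuse-ld=bfd"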
diff --git a/meta/recipes-devtools/qemu/qemu-native_5.0.0.bb b/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb
index c8acff8e19..c8acff8e19 100644
--- a/meta/recipes-devtools/qemu/qemu-native_5.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_5.0.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb
index 7394385d30..7394385d30 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_5.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb
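--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,19 +29,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
  file://0001-Add-enable-disable-udev.patch \
  file://0001-qemu-Do-not-include-file-if-not-exists.patch \
- file://CVE-2020-13361.patch \
  file://find_datadir.patch \
- file://CVE-2020-10761.patch \
- file://CVE-2020-13362.patch \
- file://CVE-2020-13659.patch \
- file://CVE-2020-13800.patch \
- file://CVE-2020-13791.patch \
- file://CVE-2020-15863.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[md5sum] = "ede6005d7143fe994dd089d31dc2cf6c"
-SRC_URI[sha256sum] = "2f13a92a0fa5c8b69ff0796b59b86b080bbb92ebad5d301a7724dd06b5e78cb6"
+SRC_URI[sha256sum] = "c9174eb5933d9eb5e61f541cd6d1184cd3118dfe4c5c4955bc1bdc4d390fa4e5"
 
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
@@ -65,6 +57,7 @@ do_install_ptest() {
  -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include
  sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \
  ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env
+ sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh
 }
 
 # QEMU_TARGETS is overridable variable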
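Review bot: The SRC_URI hunk drops seven CVE-2020-* backports without recording anywhere that each fix is present in the 5.1.0 tarball, which is the only justification for removing them; once they are gone the CVE checker stops tracking them as patched, so a later reader cannot tell whether they were fixed upstream or simply lost in the upgrade. I would either name the covering upstream release in the commit message or leave a one-line marker next to the SRC_URI block, e.g. `# CVE-2020-10761/13361/13362/13659/13791/13800/15863 are fixed upstream in 5.1.0`, so the trail survives the patch deletion. Keeping only the sha256sum after removing the md5sum is fine, since md5 adds nothing to fetch integrity. The new `sed -i -e "1s,#!/usr/bin/bash,..."` line will fail the task if that script disappears from a future tarball, which is acceptable here because it makes the drift visible rather than silent.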
diff --git a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
index 40d83fcfa3..1304ee3bfd 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
@@ -12,13 +12,13 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
12 configure | 4 ++++ 12 configure | 4 ++++
13 1 file changed, 4 insertions(+) 13 1 file changed, 4 insertions(+)
14 14
15diff --git a/configure b/configure 15Index: qemu-5.1.0/configure
16index 36646e7b..48912a94 100755 16===================================================================
17--- a/configure 17--- qemu-5.1.0.orig/configure
18+++ b/configure 18+++ qemu-5.1.0/configure
19@@ -1601,6 +1601,10 @@ for opt do 19@@ -1640,6 +1640,10 @@ for opt do
20 ;; 20 ;;
21 --gdb=*) gdb_bin="$optarg" 21 --disable-libdaxctl) libdaxctl=no
22 ;; 22 ;;
23+ --enable-libudev) libudev="yes" 23+ --enable-libudev) libudev="yes"
24+ ;; 24+ ;;
@@ -27,6 +27,3 @@ index 36646e7b..48912a94 100755
27 *) 27 *)
28 echo "ERROR: unknown option $opt" 28 echo "ERROR: unknown option $opt"
29 echo "Try '$0 --help' for more information" 29 echo "Try '$0 --help' for more information"
30--
312.24.0
32
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
index ae89ae09dd..46c9da08a5 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -20,11 +20,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
20 hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- 20 hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++-
21 1 file changed, 93 insertions(+), 1 deletion(-) 21 1 file changed, 93 insertions(+), 1 deletion(-)
22 22
23diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c 23Index: qemu-5.1.0/hw/usb/dev-wacom.c
24index 8ed57b3b..1502928b 100644 24===================================================================
25--- a/hw/usb/dev-wacom.c 25--- qemu-5.1.0.orig/hw/usb/dev-wacom.c
26+++ b/hw/usb/dev-wacom.c 26+++ qemu-5.1.0/hw/usb/dev-wacom.c
27@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings = { 27@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings
28 [STR_SERIALNUMBER] = "1", 28 [STR_SERIALNUMBER] = "1",
29 }; 29 };
30 30
@@ -114,7 +114,7 @@ index 8ed57b3b..1502928b 100644
114 static const USBDescIface desc_iface_wacom = { 114 static const USBDescIface desc_iface_wacom = {
115 .bInterfaceNumber = 0, 115 .bInterfaceNumber = 0,
116 .bNumEndpoints = 1, 116 .bNumEndpoints = 1,
117@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wacom = { 117@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wac
118 0x00, /* u8 country_code */ 118 0x00, /* u8 country_code */
119 0x01, /* u8 num_descriptors */ 119 0x01, /* u8 num_descriptors */
120 0x22, /* u8 type: Report */ 120 0x22, /* u8 type: Report */
@@ -123,7 +123,7 @@ index 8ed57b3b..1502928b 100644
123 }, 123 },
124 }, 124 },
125 }, 125 },
126@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, 126@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USB
127 } 127 }
128 128
129 switch (request) { 129 switch (request) {
@@ -139,6 +139,3 @@ index 8ed57b3b..1502928b 100644
139 case WACOM_SET_REPORT: 139 case WACOM_SET_REPORT:
140 if (s->mouse_grabbed) { 140 if (s->mouse_grabbed) {
141 qemu_remove_mouse_event_handler(s->eh_entry); 141 qemu_remove_mouse_event_handler(s->eh_entry);
142--
1432.24.0
144
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
index 6e38d814cd..678e059463 100644
--- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
+++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
@@ -15,10 +15,10 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
15 linux-user/syscall.c | 2 ++ 15 linux-user/syscall.c | 2 ++
16 1 file changed, 2 insertions(+) 16 1 file changed, 2 insertions(+)
17 17
18diff --git a/linux-user/syscall.c b/linux-user/syscall.c 18Index: qemu-5.1.0/linux-user/syscall.c
19index d6f8cc97..a61420e7 100644 19===================================================================
20--- a/linux-user/syscall.c 20--- qemu-5.1.0.orig/linux-user/syscall.c
21+++ b/linux-user/syscall.c 21+++ qemu-5.1.0/linux-user/syscall.c
22@@ -109,7 +109,9 @@ 22@@ -109,7 +109,9 @@
23 #include <linux/blkpg.h> 23 #include <linux/blkpg.h>
24 #include <netpacket/packet.h> 24 #include <netpacket/packet.h>
@@ -28,7 +28,4 @@ index d6f8cc97..a61420e7 100644
28+#endif 28+#endif
29 #include <linux/rtc.h> 29 #include <linux/rtc.h>
30 #include <sound/asound.h> 30 #include <sound/asound.h>
31 #include "linux_loop.h" 31 #ifdef HAVE_DRM_H
32--
332.24.0
34
diff --git a/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
index 3d268870fc..f379948f14 100644
--- a/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
+++ b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -16,11 +16,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
16 tests/Makefile.include | 8 ++++++++ 16 tests/Makefile.include | 8 ++++++++
17 1 file changed, 8 insertions(+) 17 1 file changed, 8 insertions(+)
18 18
19diff --git a/tests/Makefile.include b/tests/Makefile.include 19Index: qemu-5.1.0/tests/Makefile.include
20index 51de6762..1ea4d322 100644 20===================================================================
21--- a/tests/Makefile.include 21--- qemu-5.1.0.orig/tests/Makefile.include
22+++ b/tests/Makefile.include 22+++ qemu-5.1.0/tests/Makefile.include
23@@ -941,4 +941,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) 23@@ -982,4 +982,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
24 -include $(wildcard tests/qtest/*.d) 24 -include $(wildcard tests/qtest/*.d)
25 -include $(wildcard tests/qtest/libqos/*.d) 25 -include $(wildcard tests/qtest/libqos/*.d)
26 26
@@ -33,6 +33,3 @@ index 51de6762..1ea4d322 100644
33+ done 33+ done
34+ 34+
35 endif 35 endif
36--
372.24.0
38
diff --git a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
index 012d60d8f0..33cef42217 100644
--- a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
+++ b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -15,13 +15,13 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
15Signed-off-by: Roy Li <rongqing.li@windriver.com> 15Signed-off-by: Roy Li <rongqing.li@windriver.com>
16 16
17--- 17---
18 hw/mips/mips_malta.c | 2 +- 18 hw/mips/malta.c | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-) 19 1 file changed, 1 insertion(+), 1 deletion(-)
20 20
21diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c 21Index: qemu-5.1.0/hw/mips/malta.c
22index 92e9ca5b..3a7f3954 100644 22===================================================================
23--- a/hw/mips/mips_malta.c 23--- qemu-5.1.0.orig/hw/mips/malta.c
24+++ b/hw/mips/mips_malta.c 24+++ qemu-5.1.0/hw/mips/malta.c
25@@ -59,7 +59,7 @@ 25@@ -59,7 +59,7 @@
26 26
27 #define ENVP_ADDR 0x80002000l 27 #define ENVP_ADDR 0x80002000l
diff --git a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
index bc30397e8c..71f537f9b0 100644
--- a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
+++ b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
@@ -12,11 +12,11 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
12 configure | 9 --------- 12 configure | 9 ---------
13 1 file changed, 9 deletions(-) 13 1 file changed, 9 deletions(-)
14 14
15diff --git a/configure b/configure 15Index: qemu-5.1.0/configure
16index 6099be1d..a766017b 100755 16===================================================================
17--- a/configure 17--- qemu-5.1.0.orig/configure
18+++ b/configure 18+++ qemu-5.1.0/configure
19@@ -5390,15 +5390,6 @@ fi 19@@ -5751,15 +5751,6 @@ fi
20 # check if we have valgrind/valgrind.h 20 # check if we have valgrind/valgrind.h
21 21
22 valgrind_h=no 22 valgrind_h=no
diff --git a/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
index 2c5b241e41..02ebbee1a0 100644
--- a/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
+++ b/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -11,11 +11,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
11 configure | 4 ---- 11 configure | 4 ----
12 1 file changed, 4 deletions(-) 12 1 file changed, 4 deletions(-)
13 13
14diff --git a/configure b/configure 14Index: qemu-5.1.0/configure
15index 83c65439..6bdf488c 100755 15===================================================================
16--- a/configure 16--- qemu-5.1.0.orig/configure
17+++ b/configure 17+++ qemu-5.1.0/configure
18@@ -6251,10 +6251,6 @@ write_c_skeleton 18@@ -6515,10 +6515,6 @@ write_c_skeleton
19 if test "$gcov" = "yes" ; then 19 if test "$gcov" = "yes" ; then
20 QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS" 20 QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS"
21 QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS" 21 QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS"
@@ -26,6 +26,3 @@ index 83c65439..6bdf488c 100755
26 fi 26 fi
27 27
28 if test "$have_asan" = "yes"; then 28 if test "$have_asan" = "yes"; then
29--
302.24.0
31
diff --git a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
index 0810ae84c0..98fd5e9133 100644
--- a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
+++ b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
@@ -51,11 +51,11 @@ Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
51 qapi/char.json | 5 +++ 51 qapi/char.json | 5 +++
52 3 files changed, 109 insertions(+) 52 3 files changed, 109 insertions(+)
53 53
54diff --git a/chardev/char-socket.c b/chardev/char-socket.c 54Index: qemu-5.1.0/chardev/char-socket.c
55index 185fe38d..54fa4234 100644 55===================================================================
56--- a/chardev/char-socket.c 56--- qemu-5.1.0.orig/chardev/char-socket.c
57+++ b/chardev/char-socket.c 57+++ qemu-5.1.0/chardev/char-socket.c
58@@ -1288,6 +1288,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock, 58@@ -1292,6 +1292,67 @@ static bool qmp_chardev_validate_socket(
59 return true; 59 return true;
60 } 60 }
61 61
@@ -123,7 +123,7 @@ index 185fe38d..54fa4234 100644
123 123
124 static void qmp_chardev_open_socket(Chardev *chr, 124 static void qmp_chardev_open_socket(Chardev *chr,
125 ChardevBackend *backend, 125 ChardevBackend *backend,
126@@ -1296,6 +1357,9 @@ static void qmp_chardev_open_socket(Chardev *chr, 126@@ -1300,6 +1361,9 @@ static void qmp_chardev_open_socket(Char
127 { 127 {
128 SocketChardev *s = SOCKET_CHARDEV(chr); 128 SocketChardev *s = SOCKET_CHARDEV(chr);
129 ChardevSocket *sock = backend->u.socket.data; 129 ChardevSocket *sock = backend->u.socket.data;
@@ -133,7 +133,7 @@ index 185fe38d..54fa4234 100644
133 bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; 133 bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
134 bool is_listen = sock->has_server ? sock->server : true; 134 bool is_listen = sock->has_server ? sock->server : true;
135 bool is_telnet = sock->has_telnet ? sock->telnet : false; 135 bool is_telnet = sock->has_telnet ? sock->telnet : false;
136@@ -1361,6 +1425,14 @@ static void qmp_chardev_open_socket(Chardev *chr, 136@@ -1365,6 +1429,14 @@ static void qmp_chardev_open_socket(Char
137 137
138 update_disconnected_filename(s); 138 update_disconnected_filename(s);
139 139
@@ -148,13 +148,15 @@ index 185fe38d..54fa4234 100644
148 if (s->is_listen) { 148 if (s->is_listen) {
149 if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, 149 if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
150 is_waitconnect, errp) < 0) { 150 is_waitconnect, errp) < 0) {
151@@ -1380,9 +1452,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, 151@@ -1384,11 +1456,27 @@ static void qemu_chr_parse_socket(QemuOp
152 const char *host = qemu_opt_get(opts, "host"); 152 const char *host = qemu_opt_get(opts, "host");
153 const char *port = qemu_opt_get(opts, "port"); 153 const char *port = qemu_opt_get(opts, "port");
154 const char *fd = qemu_opt_get(opts, "fd"); 154 const char *fd = qemu_opt_get(opts, "fd");
155+#ifndef _WIN32 155+#ifndef _WIN32
156+ const char *cmd = qemu_opt_get(opts, "cmd"); 156+ const char *cmd = qemu_opt_get(opts, "cmd");
157+#endif 157+#endif
158 bool tight = qemu_opt_get_bool(opts, "tight", true);
159 bool abstract = qemu_opt_get_bool(opts, "abstract", false);
158 SocketAddressLegacy *addr; 160 SocketAddressLegacy *addr;
159 ChardevSocket *sock; 161 ChardevSocket *sock;
160 162
@@ -171,19 +173,19 @@ index 185fe38d..54fa4234 100644
171+ } 173+ }
172+ } else 174+ } else
173+#endif 175+#endif
174+
175 if ((!!path + !!fd + !!host) != 1) { 176 if ((!!path + !!fd + !!host) != 1) {
176 error_setg(errp, 177 error_setg(errp,
177 "Exactly one of 'path', 'fd' or 'host' required"); 178 "Exactly one of 'path', 'fd' or 'host' required");
178@@ -1425,12 +1514,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, 179@@ -1431,12 +1519,24 @@ static void qemu_chr_parse_socket(QemuOp
179 sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); 180 sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
180 sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); 181 sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
181 182
183- addr = g_new0(SocketAddressLegacy, 1);
182+#ifndef _WIN32 184+#ifndef _WIN32
183+ sock->cmd = g_strdup(cmd); 185+ sock->cmd = g_strdup(cmd);
184+#endif 186+#endif
185+ 187+
186 addr = g_new0(SocketAddressLegacy, 1); 188+ addr = g_new0(SocketAddressLegacy, 1);
187+#ifndef _WIN32 189+#ifndef _WIN32
188+ if (path || cmd) { 190+ if (path || cmd) {
189+#else 191+#else
@@ -197,28 +199,28 @@ index 185fe38d..54fa4234 100644
197+#else 199+#else
198 q_unix->path = g_strdup(path); 200 q_unix->path = g_strdup(path);
199+#endif 201+#endif
202 q_unix->tight = tight;
203 q_unix->abstract = abstract;
200 } else if (host) { 204 } else if (host) {
201 addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET; 205Index: qemu-5.1.0/chardev/char.c
202 addr->u.inet.data = g_new(InetSocketAddress, 1); 206===================================================================
203diff --git a/chardev/char.c b/chardev/char.c 207--- qemu-5.1.0.orig/chardev/char.c
204index 7b6b2cb1..0c2ca64b 100644 208+++ qemu-5.1.0/chardev/char.c
205--- a/chardev/char.c 209@@ -826,6 +826,9 @@ QemuOptsList qemu_chardev_opts = {
206+++ b/chardev/char.c
207@@ -837,6 +837,9 @@ QemuOptsList qemu_chardev_opts = {
208 },{
209 .name = "path", 210 .name = "path",
210 .type = QEMU_OPT_STRING, 211 .type = QEMU_OPT_STRING,
211+ },{ 212 },{
212+ .name = "cmd", 213+ .name = "cmd",
213+ .type = QEMU_OPT_STRING, 214+ .type = QEMU_OPT_STRING,
214 },{ 215+ },{
215 .name = "host", 216 .name = "host",
216 .type = QEMU_OPT_STRING, 217 .type = QEMU_OPT_STRING,
217diff --git a/qapi/char.json b/qapi/char.json 218 },{
218index a6e81ac7..517962c6 100644 219Index: qemu-5.1.0/qapi/char.json
219--- a/qapi/char.json 220===================================================================
220+++ b/qapi/char.json 221--- qemu-5.1.0.orig/qapi/char.json
221@@ -247,6 +247,10 @@ 222+++ qemu-5.1.0/qapi/char.json
223@@ -250,6 +250,10 @@
222 # 224 #
223 # @addr: socket address to listen on (server=true) 225 # @addr: socket address to listen on (server=true)
224 # or connect to (server=false) 226 # or connect to (server=false)
@@ -229,7 +231,7 @@ index a6e81ac7..517962c6 100644
229 # @tls-creds: the ID of the TLS credentials object (since 2.6) 231 # @tls-creds: the ID of the TLS credentials object (since 2.6)
230 # @tls-authz: the ID of the QAuthZ authorization object against which 232 # @tls-authz: the ID of the QAuthZ authorization object against which
231 # the client's x509 distinguished name will be validated. This 233 # the client's x509 distinguished name will be validated. This
232@@ -272,6 +276,7 @@ 234@@ -276,6 +280,7 @@
233 ## 235 ##
234 { 'struct': 'ChardevSocket', 236 { 'struct': 'ChardevSocket',
235 'data': { 'addr': 'SocketAddressLegacy', 237 'data': { 'addr': 'SocketAddressLegacy',
diff --git a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
index 89baad9b7f..034ac57821 100644
--- a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
+++ b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
@@ -29,11 +29,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
29 hw/intc/apic.c | 2 +- 29 hw/intc/apic.c | 2 +-
30 1 file changed, 1 insertion(+), 1 deletion(-) 30 1 file changed, 1 insertion(+), 1 deletion(-)
31 31
32diff --git a/hw/intc/apic.c b/hw/intc/apic.c 32Index: qemu-5.1.0/hw/intc/apic.c
33index 2a74f7b4..4d5da365 100644 33===================================================================
34--- a/hw/intc/apic.c 34--- qemu-5.1.0.orig/hw/intc/apic.c
35+++ b/hw/intc/apic.c 35+++ qemu-5.1.0/hw/intc/apic.c
36@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev) 36@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *de
37 APICCommonState *s = APIC(dev); 37 APICCommonState *s = APIC(dev);
38 uint32_t lvt0; 38 uint32_t lvt0;
39 39
diff --git a/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
index 30bb4ddf26..d20f04ee59 100644
--- a/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
+++ b/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -18,11 +18,11 @@ Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
18 linux-user/main.c | 2 +- 18 linux-user/main.c | 2 +-
19 1 file changed, 1 insertion(+), 1 deletion(-) 19 1 file changed, 1 insertion(+), 1 deletion(-)
20 20
21diff --git a/linux-user/main.c b/linux-user/main.c 21Index: qemu-5.1.0/linux-user/main.c
22index 6ff7851e..ebff0485 100644 22===================================================================
23--- a/linux-user/main.c 23--- qemu-5.1.0.orig/linux-user/main.c
24+++ b/linux-user/main.c 24+++ qemu-5.1.0/linux-user/main.c
25@@ -78,7 +78,7 @@ int have_guest_base; 25@@ -92,7 +92,7 @@ static int last_log_mask;
26 (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32)) 26 (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
27 /* There are a number of places where we assign reserved_va to a variable 27 /* There are a number of places where we assign reserved_va to a variable
28 of type abi_ulong and expect it to fit. Avoid the last page. */ 28 of type abi_ulong and expect it to fit. Avoid the last page. */
diff --git a/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
index eef3f3f97f..f2a44986b7 100644
--- a/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
+++ b/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
@@ -28,29 +28,29 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
28 linux-user/syscall.c | 5 +---- 28 linux-user/syscall.c | 5 +----
29 4 files changed, 10 insertions(+), 23 deletions(-) 29 4 files changed, 10 insertions(+), 23 deletions(-)
30 30
31diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h 31Index: qemu-5.1.0/include/exec/cpu-all.h
32index 49384bb6..93b12519 100644 32===================================================================
33--- a/include/exec/cpu-all.h 33--- qemu-5.1.0.orig/include/exec/cpu-all.h
34+++ b/include/exec/cpu-all.h 34+++ qemu-5.1.0/include/exec/cpu-all.h
35@@ -162,12 +162,8 @@ extern unsigned long guest_base; 35@@ -176,11 +176,8 @@ extern unsigned long reserved_va;
36 extern int have_guest_base; 36 * avoid setting bits at the top of guest addresses that might need
37 extern unsigned long reserved_va; 37 * to be used for tags.
38 38 */
39-#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS 39-#define GUEST_ADDR_MAX_ \
40-#define GUEST_ADDR_MAX (~0ul) 40- ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ? \
41-#else 41- UINT32_MAX : ~0ul)
42-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : \ 42-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)
43-
43+#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \ 44+#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \
44 (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1) 45+ (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
45-#endif
46 #else 46 #else
47 47
48 #include "exec/hwaddr.h" 48 #include "exec/hwaddr.h"
49diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h 49Index: qemu-5.1.0/include/exec/cpu_ldst.h
50index 53de1975..cf19ed2e 100644 50===================================================================
51--- a/include/exec/cpu_ldst.h 51--- qemu-5.1.0.orig/include/exec/cpu_ldst.h
52+++ b/include/exec/cpu_ldst.h 52+++ qemu-5.1.0/include/exec/cpu_ldst.h
53@@ -70,7 +70,10 @@ typedef uint64_t abi_ptr; 53@@ -75,7 +75,10 @@ typedef uint64_t abi_ptr;
54 #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS 54 #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
55 #define guest_addr_valid(x) (1) 55 #define guest_addr_valid(x) (1)
56 #else 56 #else
@@ -62,11 +62,11 @@ index 53de1975..cf19ed2e 100644
62 #endif 62 #endif
63 #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) 63 #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
64 64
65diff --git a/linux-user/mmap.c b/linux-user/mmap.c 65Index: qemu-5.1.0/linux-user/mmap.c
66index e3780337..1d4aba95 100644 66===================================================================
67--- a/linux-user/mmap.c 67--- qemu-5.1.0.orig/linux-user/mmap.c
68+++ b/linux-user/mmap.c 68+++ qemu-5.1.0/linux-user/mmap.c
69@@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot) 69@@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi
70 return -TARGET_EINVAL; 70 return -TARGET_EINVAL;
71 len = TARGET_PAGE_ALIGN(len); 71 len = TARGET_PAGE_ALIGN(len);
72 end = start + len; 72 end = start + len;
@@ -75,18 +75,18 @@ index e3780337..1d4aba95 100644
75 return -TARGET_ENOMEM; 75 return -TARGET_ENOMEM;
76 } 76 }
77 prot &= PROT_READ | PROT_WRITE | PROT_EXEC; 77 prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
78@@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, 78@@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, ab
79 * It can fail only on 64-bit host with 32-bit target. 79 * It can fail only on 64-bit host with 32-bit target.
80 * On any other target/host host mmap() handles this error correctly. 80 * On any other target/host host mmap() handles this error correctly.
81 */ 81 */
82- if (!guest_range_valid(start, len)) { 82- if (end < start || !guest_range_valid(start, len)) {
83- errno = ENOMEM; 83- errno = ENOMEM;
84+ if ((unsigned long)start + len - 1 > (abi_ulong) -1) { 84+ if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1)) {
85+ errno = EINVAL; 85+ errno = EINVAL;
86 goto fail; 86 goto fail;
87 } 87 }
88 88
89@@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_ulong len) 89@@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_u
90 if (start & ~TARGET_PAGE_MASK) 90 if (start & ~TARGET_PAGE_MASK)
91 return -TARGET_EINVAL; 91 return -TARGET_EINVAL;
92 len = TARGET_PAGE_ALIGN(len); 92 len = TARGET_PAGE_ALIGN(len);
@@ -98,7 +98,7 @@ index e3780337..1d4aba95 100644
98 mmap_lock(); 98 mmap_lock();
99 end = start + len; 99 end = start + len;
100 real_start = start & qemu_host_page_mask; 100 real_start = start & qemu_host_page_mask;
101@@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size, 101@@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_add
102 int prot; 102 int prot;
103 void *host_addr; 103 void *host_addr;
104 104
@@ -112,11 +112,11 @@ index e3780337..1d4aba95 100644
112 mmap_lock(); 112 mmap_lock();
113 113
114 if (flags & MREMAP_FIXED) { 114 if (flags & MREMAP_FIXED) {
115diff --git a/linux-user/syscall.c b/linux-user/syscall.c 115Index: qemu-5.1.0/linux-user/syscall.c
116index 05f03919..d6f8cc97 100644 116===================================================================
117--- a/linux-user/syscall.c 117--- qemu-5.1.0.orig/linux-user/syscall.c
118+++ b/linux-user/syscall.c 118+++ qemu-5.1.0/linux-user/syscall.c
119@@ -4287,9 +4287,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env, 119@@ -4336,9 +4336,6 @@ static inline abi_ulong do_shmat(CPUArch
120 return -TARGET_EINVAL; 120 return -TARGET_EINVAL;
121 } 121 }
122 } 122 }
@@ -126,7 +126,7 @@ index 05f03919..d6f8cc97 100644
126 126
127 mmap_lock(); 127 mmap_lock();
128 128
129@@ -7247,7 +7244,7 @@ static int open_self_maps(void *cpu_env, int fd) 129@@ -7376,7 +7373,7 @@ static int open_self_maps(void *cpu_env,
130 const char *path; 130 const char *path;
131 131
132 max = h2g_valid(max - 1) ? 132 max = h2g_valid(max - 1) ?
@@ -135,6 +135,3 @@ index 05f03919..d6f8cc97 100644
135 135
136 if (page_check_range(h2g(min), max - min, flags) == -1) { 136 if (page_check_range(h2g(min), max - min, flags) == -1) {
137 continue; 137 continue;
138--
1392.24.0
140
diff --git a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
index 34df78b7fe..d7e3fffdd0 100644
--- a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
+++ b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -14,11 +14,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
14 configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- 14 configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
15 1 file changed, 40 insertions(+), 8 deletions(-) 15 1 file changed, 40 insertions(+), 8 deletions(-)
16 16
17diff --git a/configure b/configure 17Index: qemu-5.1.0/configure
18index 72f11aca..cac271ce 100755 18===================================================================
19--- a/configure 19--- qemu-5.1.0.orig/configure
20+++ b/configure 20+++ qemu-5.1.0/configure
21@@ -2875,6 +2875,30 @@ has_libgcrypt() { 21@@ -3084,6 +3084,30 @@ has_libgcrypt() {
22 return 0 22 return 0
23 } 23 }
24 24
@@ -49,7 +49,7 @@ index 72f11aca..cac271ce 100755
49 49
50 if test "$nettle" != "no"; then 50 if test "$nettle" != "no"; then
51 pass="no" 51 pass="no"
52@@ -2915,7 +2939,14 @@ fi 52@@ -3124,7 +3148,14 @@ fi
53 53
54 if test "$gcrypt" != "no"; then 54 if test "$gcrypt" != "no"; then
55 pass="no" 55 pass="no"
@@ -65,7 +65,7 @@ index 72f11aca..cac271ce 100755
65 gcrypt_cflags=$(libgcrypt-config --cflags) 65 gcrypt_cflags=$(libgcrypt-config --cflags)
66 gcrypt_libs=$(libgcrypt-config --libs) 66 gcrypt_libs=$(libgcrypt-config --libs)
67 # Debian has removed -lgpg-error from libgcrypt-config 67 # Debian has removed -lgpg-error from libgcrypt-config
68@@ -2925,15 +2956,16 @@ if test "$gcrypt" != "no"; then 68@@ -3134,15 +3165,16 @@ if test "$gcrypt" != "no"; then
69 then 69 then
70 gcrypt_libs="$gcrypt_libs -lgpg-error" 70 gcrypt_libs="$gcrypt_libs -lgpg-error"
71 fi 71 fi
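Review bot: The refreshed patch replaces its git-style file header (`diff --git a/configure b/configure` / `--- a/configure`) with quilt-style `Index: qemu-5.1.0/configure` / `--- qemu-5.1.0.orig/configure` lines, which hard-codes the 5.1.0 source directory name into the patch and differs from the git-format headers used by the other patches visible in this commit; find_datadir.patch gets the same treatment. Both forms apply with `-p1`, but the quilt form has to be re-edited on every version bump, while a `--- a/configure` / `+++ b/configure` header survives rebases unchanged. Consider regenerating the refresh so the header stays in git format, keeping only the hunk-offset updates, which themselves look correct.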
diff --git a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
deleted file mode 100644
index e5ebfc1267..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
1From 0a53e906510cce1f32bc04a11e81ea40f834dac4 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
3Date: Wed, 12 Aug 2015 15:11:30 -0500
4Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9Add custom_debug.h with function for print backtrace information.
10When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
11current cpu information.
12
13Upstream-Status: Inappropriate
14Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
15
16---
17 cpus.c | 5 +++++
18 custom_debug.h | 24 ++++++++++++++++++++++++
19 2 files changed, 29 insertions(+)
20 create mode 100644 custom_debug.h
21
22diff --git a/cpus.c b/cpus.c
23index e83f72b4..e6e2576e 100644
24--- a/cpus.c
25+++ b/cpus.c
26@@ -1769,6 +1769,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
27 return NULL;
28 }
29
30+#include "custom_debug.h"
31+
32 static void qemu_cpu_kick_thread(CPUState *cpu)
33 {
34 #ifndef _WIN32
35@@ -1781,6 +1783,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
36 err = pthread_kill(cpu->thread->thread, SIG_IPI);
37 if (err && err != ESRCH) {
38 fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
39+ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
40+ cpu_dump_state(cpu, stderr, 0);
41+ backtrace_print();
42 exit(1);
43 }
44 #else /* _WIN32 */
45diff --git a/custom_debug.h b/custom_debug.h
46new file mode 100644
47index 00000000..f029e455
48--- /dev/null
49+++ b/custom_debug.h
50@@ -0,0 +1,24 @@
51+#include <execinfo.h>
52+#include <stdio.h>
53+#define BACKTRACE_MAX 128
54+static void backtrace_print(void)
55+{
56+ int nfuncs = 0;
57+ void *buf[BACKTRACE_MAX];
58+ char **symbols;
59+ int i;
60+
61+ nfuncs = backtrace(buf, BACKTRACE_MAX);
62+
63+ symbols = backtrace_symbols(buf, nfuncs);
64+ if (symbols == NULL) {
65+ fprintf(stderr, "backtrace_print failed to get symbols");
66+ return;
67+ }
68+
69+ fprintf(stderr, "Backtrace ...\n");
70+ for (i = 0; i < nfuncs; i++)
71+ fprintf(stderr, "%s\n", symbols[i]);
72+
73+ free(symbols);
74+}
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch
deleted file mode 100644
index 19f26ae5b0..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch
+++ /dev/null
@@ -1,151 +0,0 @@
1From 5c4fe018c025740fef4a0a4421e8162db0c3eefd Mon Sep 17 00:00:00 2001
2From: Eric Blake <eblake@redhat.com>
3Date: Mon, 8 Jun 2020 13:26:37 -0500
4Subject: [PATCH] nbd/server: Avoid long error message assertions
5 CVE-2020-10761
6
7Ever since commit 36683283 (v2.8), the server code asserts that error
8strings sent to the client are well-formed per the protocol by not
9exceeding the maximum string length of 4096. At the time the server
10first started sending error messages, the assertion could not be
11triggered, because messages were completely under our control.
12However, over the years, we have added latent scenarios where a client
13could trigger the server to attempt an error message that would
14include the client's information if it passed other checks first:
15
16- requesting NBD_OPT_INFO/GO on an export name that is not present
17 (commit 0cfae925 in v2.12 echoes the name)
18
19- requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is
20 not present (commit e7b1948d in v2.12 echoes the name)
21
22At the time, those were still safe because we flagged names larger
23than 256 bytes with a different message; but that changed in commit
2493676c88 (v4.2) when we raised the name limit to 4096 to match the NBD
25string limit. (That commit also failed to change the magic number
264096 in nbd_negotiate_send_rep_err to the just-introduced named
27constant.) So with that commit, long client names appended to server
28text can now trigger the assertion, and thus be used as a denial of
29service attack against a server. As a mitigating factor, if the
30server requires TLS, the client cannot trigger the problematic paths
31unless it first supplies TLS credentials, and such trusted clients are
32less likely to try to intentionally crash the server.
33
34We may later want to further sanitize the user-supplied strings we
35place into our error messages, such as scrubbing out control
36characters, but that is less important to the CVE fix, so it can be a
37later patch to the new nbd_sanitize_name.
38
39Consideration was given to changing the assertion in
40nbd_negotiate_send_rep_verr to instead merely log a server error and
41truncate the message, to avoid leaving a latent path that could
42trigger a future CVE DoS on any new error message. However, this
43merely complicates the code for something that is already (correctly)
44flagging coding errors, and now that we are aware of the long message
45pitfall, we are less likely to introduce such errors in the future,
46which would make such error handling dead code.
47
48Reported-by: Xueqiang Wei <xuwei@redhat.com>
49CC: qemu-stable@nongnu.org
50Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761
51Fixes: 93676c88d7
52Signed-off-by: Eric Blake <eblake@redhat.com>
53Message-Id: <20200610163741.3745251-2-eblake@redhat.com>
54Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
55
56Upstream-Status: Backport [https://github.com/qemu/qemu/commit/5c4fe018c025740fef4a0a4421e8162db0c3eefd]
57CVE: CVE-2020-10761
58Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
59
60---
61 nbd/server.c | 23 ++++++++++++++++++++---
62 tests/qemu-iotests/143 | 4 ++++
63 tests/qemu-iotests/143.out | 2 ++
64 3 files changed, 26 insertions(+), 3 deletions(-)
65
66diff --git a/nbd/server.c b/nbd/server.c
67index 02b1ed08014..20754e9ebc3 100644
68--- a/nbd/server.c
69+++ b/nbd/server.c
70@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
71
72 msg = g_strdup_vprintf(fmt, va);
73 len = strlen(msg);
74- assert(len < 4096);
75+ assert(len < NBD_MAX_STRING_SIZE);
76 trace_nbd_negotiate_send_rep_err(msg);
77 ret = nbd_negotiate_send_rep_len(client, type, len, errp);
78 if (ret < 0) {
79@@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
80 return 0;
81 }
82
83+/*
84+ * Return a malloc'd copy of @name suitable for use in an error reply.
85+ */
86+static char *
87+nbd_sanitize_name(const char *name)
88+{
89+ if (strnlen(name, 80) < 80) {
90+ return g_strdup(name);
91+ }
92+ /* XXX Should we also try to sanitize any control characters? */
93+ return g_strdup_printf("%.80s...", name);
94+}
95+
96 /* Send an error reply.
97 * Return -errno on error, 0 on success. */
98 static int GCC_FMT_ATTR(4, 5)
99@@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
100
101 exp = nbd_export_find(name);
102 if (!exp) {
103+ g_autofree char *sane_name = nbd_sanitize_name(name);
104+
105 return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN,
106 errp, "export '%s' not present",
107- name);
108+ sane_name);
109 }
110
111 /* Don't bother sending NBD_INFO_NAME unless client requested it */
112@@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
113
114 meta->exp = nbd_export_find(export_name);
115 if (meta->exp == NULL) {
116+ g_autofree char *sane_name = nbd_sanitize_name(export_name);
117+
118 return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp,
119- "export '%s' not present", export_name);
120+ "export '%s' not present", sane_name);
121 }
122
123 ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
124diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143
125index f649b361950..d2349903b1b 100755
126--- a/tests/qemu-iotests/143
127+++ b/tests/qemu-iotests/143
128@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \
129 $QEMU_IO_PROG -f raw -c quit \
130 "nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \
131 | _filter_qemu_io | _filter_nbd
132+# Likewise, with longest possible name permitted in NBD protocol
133+$QEMU_IO_PROG -f raw -c quit \
134+ "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \
135+ | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/'
136
137 _send_qemu_cmd $QEMU_HANDLE \
138 "{ 'execute': 'quit' }" \
139diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out
140index 1f4001c6013..fc9c0a761fa 100644
141--- a/tests/qemu-iotests/143.out
142+++ b/tests/qemu-iotests/143.out
143@@ -5,6 +5,8 @@ QA output created by 143
144 {"return": {}}
145 qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available
146 server reported: export 'no_such_export' not present
147+qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available
148+server reported: export 'aa--aa...' not present
149 { 'execute': 'quit' }
150 {"return": {}}
151 {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch
deleted file mode 100644
index e0acc70f3c..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch
+++ /dev/null
@@ -1,61 +0,0 @@
1From 369ff955a8497988d079c4e3fa1e93c2570c1c69 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Fri, 15 May 2020 01:36:08 +0530
4Subject: [PATCH] es1370: check total frame count against current frame
5
6A guest user may set channel frame count via es1370_write()
7such that, in es1370_transfer_audio(), total frame count
8'size' is lesser than the number of frames that are processed
9'cnt'.
10
11 int cnt = d->frame_cnt >> 16;
12 int size = d->frame_cnt & 0xffff;
13
14if (size < cnt), it results in incorrect calculations leading
15to OOB access issue(s). Add check to avoid it.
16
17Reported-by: Ren Ding <rding@gatech.edu>
18Reported-by: Hanqing Zhao <hanqing@gatech.edu>
19Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
20Message-id: 20200514200608.1744203-1-ppandit@redhat.com
21Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
22
23Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html]
24CVE: CVE-2020-13361
25Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
26---
27 hw/audio/es1370.c | 7 +++++--
28 1 file changed, 5 insertions(+), 2 deletions(-)
29
30diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
31index 89c4dabcd44..5f8a83ff562 100644
32--- a/hw/audio/es1370.c
33+++ b/hw/audio/es1370.c
34@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
35 int csc_bytes = (csc + 1) << d->shift;
36 int cnt = d->frame_cnt >> 16;
37 int size = d->frame_cnt & 0xffff;
38+ if (size < cnt) {
39+ return;
40+ }
41 int left = ((size - cnt + 1) << 2) + d->leftover;
42 int transferred = 0;
43 int temp = MIN (max, MIN (left, csc_bytes));
44@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
45 addr += (cnt << 2) + d->leftover;
46
47 if (index == ADC_CHANNEL) {
48- while (temp) {
49+ while (temp > 0) {
50 int acquired, to_copy;
51
52 to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
53@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
54 else {
55 SWVoiceOut *voice = s->dac_voice[index];
56
57- while (temp) {
58+ while (temp > 0) {
59 int copied, to_copy;
60
61 to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
deleted file mode 100644
index af8d4ba8f4..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
+++ /dev/null
@@ -1,55 +0,0 @@
1From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 14 May 2020 00:55:38 +0530
4Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check
5 index
6
7A guest user may set 'reply_queue_head' field of MegasasState to
8a negative value. Later in 'megasas_lookup_frame' it is used to
9index into s->frames[] array. Use unsigned type to avoid OOB
10access issue.
11
12Also check that 'index' value stays within s->frames[] bounds
13through the while() loop in 'megasas_lookup_frame' to avoid OOB
14access.
15
16Reported-by: Ren Ding <rding@gatech.edu>
17Reported-by: Hanqing Zhao <hanqing@gatech.edu>
18Reported-by: Alexander Bulekov <alxndr@bu.edu>
19Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
20Acked-by: Alexander Bulekov <alxndr@bu.edu>
21Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
22Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
23
24Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661]
25CVE: CVE-2020-13362
26Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
27---
28 hw/scsi/megasas.c | 4 ++--
29 1 file changed, 2 insertions(+), 2 deletions(-)
30
31diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
32index af18c88b65..6ce598cd69 100644
33--- a/hw/scsi/megasas.c
34+++ b/hw/scsi/megasas.c
35@@ -112,7 +112,7 @@ typedef struct MegasasState {
36 uint64_t reply_queue_pa;
37 void *reply_queue;
38 int reply_queue_len;
39- int reply_queue_head;
40+ uint16_t reply_queue_head;
41 int reply_queue_tail;
42 uint64_t consumer_pa;
43 uint64_t producer_pa;
44@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
45
46 index = s->reply_queue_head;
47
48- while (num < s->fw_cmds) {
49+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
50 if (s->frames[index].pa && s->frames[index].pa == frame) {
51 cmd = &s->frames[index];
52 break;
53--
542.20.1
55
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
deleted file mode 100644
index 4d12ae8f16..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
+++ /dev/null
@@ -1,58 +0,0 @@
1From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Tue, 26 May 2020 16:47:43 +0530
4Subject: [PATCH] exec: set map length to zero when returning NULL
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9When mapping physical memory into host's virtual address space,
10'address_space_map' may return NULL if BounceBuffer is in_use.
11Set and return '*plen = 0' to avoid later NULL pointer dereference.
12
13Reported-by: Alexander Bulekov <alxndr@bu.edu>
14Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
15Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
16Suggested-by: Peter Maydell <peter.maydell@linaro.org>
17Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
18Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
19Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
20Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
21
22Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
23CVE: CVE-2020-13659
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 exec.c | 1 +
27 include/exec/memory.h | 3 ++-
28 2 files changed, 3 insertions(+), 1 deletion(-)
29
30diff --git a/exec.c b/exec.c
31index 9cbde85d8c..778263f1c6 100644
32--- a/exec.c
33+++ b/exec.c
34@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
35
36 if (!memory_access_is_direct(mr, is_write)) {
37 if (atomic_xchg(&bounce.in_use, true)) {
38+ *plen = 0;
39 return NULL;
40 }
41 /* Avoid unbounded allocations */
42diff --git a/include/exec/memory.h b/include/exec/memory.h
43index bd7fdd6081..af8ca7824e 100644
44--- a/include/exec/memory.h
45+++ b/include/exec/memory.h
46@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
47 /* address_space_map: map a physical memory region into a host virtual address
48 *
49 * May map a subset of the requested range, given by and returned in @plen.
50- * May return %NULL if resources needed to perform the mapping are exhausted.
51+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
52+ * the mapping are exhausted.
53 * Use only for reads OR writes - not for read-modify-write operations.
54 * Use cpu_register_map_client() to know when retrying the map operation is
55 * likely to succeed.
56--
572.20.1
58
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
deleted file mode 100644
index 049dab914d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
+++ /dev/null
@@ -1,53 +0,0 @@
1From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 4 Jun 2020 17:05:25 +0530
4Subject: [PATCH] pci: assert configuration access is within bounds
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9While accessing PCI configuration bytes, assert that
10'address + len' is within PCI configuration space.
11
12Generally it is within bounds. This is more of a defensive
13assert, in case a buggy device was to send 'address' which
14may go out of bounds.
15
16Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
17Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
18Message-Id: <20200604113525.58898-1-ppandit@redhat.com>
19Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
20Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
21
22Upstream-Status: Backport [f7d6a635fa3b7797f9d072e280f065bf3cfcd24d]
23CVE: CVE-2020-13791
24Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
25---
26 hw/pci/pci.c | 4 ++++
27 1 file changed, 4 insertions(+)
28
29diff --git a/hw/pci/pci.c b/hw/pci/pci.c
30index 70c66965f5..7bf2ae6d92 100644
31--- a/hw/pci/pci.c
32+++ b/hw/pci/pci.c
33@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
34 {
35 uint32_t val = 0;
36
37+ assert(address + len <= pci_config_size(d));
38+
39 if (pci_is_express_downstream_port(d) &&
40 ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
41 pcie_sync_bridge_lnk(d);
42@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int
43 int i, was_irq_disabled = pci_irq_disabled(d);
44 uint32_t val = val_in;
45
46+ assert(addr + l <= pci_config_size(d));
47+
48 for (i = 0; i < l; val >>= 8, ++i) {
49 uint8_t wmask = d->wmask[addr + i];
50 uint8_t w1cmask = d->w1cmask[addr + i];
51--
522.20.1
53
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
deleted file mode 100644
index 52bfafbbae..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
+++ /dev/null
@@ -1,63 +0,0 @@
1From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Thu, 4 Jun 2020 14:38:30 +0530
4Subject: [PATCH] ati-vga: check mm_index before recursive call
5 (CVE-2020-13800)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10While accessing VGA registers via ati_mm_read/write routines,
11a guest may set 's->regs.mm_index' such that it leads to infinite
12recursion. Check mm_index value to avoid such recursion. Log an
13error message for wrong values.
14
15Reported-by: Ren Ding <rding@gatech.edu>
16Reported-by: Hanqing Zhao <hanqing@gatech.edu>
17Reported-by: Yi Ren <c4tren@gmail.com>
18Message-id: 20200604090830.33885-1-ppandit@redhat.com
19Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
20Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
21Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
22Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
23
24Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
25CVE: CVE-2020-13800
26Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
27---
28 hw/display/ati.c | 10 ++++++++--
29 1 file changed, 8 insertions(+), 2 deletions(-)
30
31diff --git a/hw/display/ati.c b/hw/display/ati.c
32index 065f197678..67604e68de 100644
33--- a/hw/display/ati.c
34+++ b/hw/display/ati.c
35@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
36 if (idx <= s->vga.vram_size - size) {
37 val = ldn_le_p(s->vga.vram_ptr + idx, size);
38 }
39- } else {
40+ } else if (s->regs.mm_index > MM_DATA + 3) {
41 val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
42+ } else {
43+ qemu_log_mask(LOG_GUEST_ERROR,
44+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
45 }
46 break;
47 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
48@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
49 if (idx <= s->vga.vram_size - size) {
50 stn_le_p(s->vga.vram_ptr + idx, size, data);
51 }
52- } else {
53+ } else if (s->regs.mm_index > MM_DATA + 3) {
54 ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
55+ } else {
56+ qemu_log_mask(LOG_GUEST_ERROR,
57+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
58 }
59 break;
60 case BIOS_0_SCRATCH ... BUS_CNTL - 1:
61--
622.20.1
63
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
deleted file mode 100644
index 1505c7eed0..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
+++ /dev/null
@@ -1,63 +0,0 @@
1From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
2From: Mauro Matteo Cascella <mcascell@redhat.com>
3Date: Fri, 10 Jul 2020 11:19:41 +0200
4Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
5
6A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
7occurs while sending an Ethernet frame due to missing break statements
8and improper checking of the buffer size.
9
10Reported-by: Ziming Zhang <ezrakiez@gmail.com>
11Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
12Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
13Signed-off-by: Jason Wang <jasowang@redhat.com>
14
15Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555]
16CVE: CVE-2020-15863
17Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
18
19---
20 hw/net/xgmac.c | 14 ++++++++++++--
21 1 file changed, 12 insertions(+), 2 deletions(-)
22
23diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
24index 574dd47..5bf1b61 100644
25--- a/hw/net/xgmac.c
26+++ b/hw/net/xgmac.c
27@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
28 }
29 len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
30
31+ /*
32+ * FIXME: these cases of malformed tx descriptors (bad sizes)
33+ * should probably be reported back to the guest somehow
34+ * rather than simply silently stopping processing, but we
35+ * don't know what the hardware does in this situation.
36+ * This will only happen for buggy guests anyway.
37+ */
38 if ((bd.buffer1_size & 0xfff) > 2048) {
39 DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
40 "xgmac buffer 1 len on send > 2048 (0x%x)\n",
41 __func__, bd.buffer1_size & 0xfff);
42+ break;
43 }
44 if ((bd.buffer2_size & 0xfff) != 0) {
45 DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
46 "xgmac buffer 2 len on send != 0 (0x%x)\n",
47 __func__, bd.buffer2_size & 0xfff);
48+ break;
49 }
50- if (len >= sizeof(frame)) {
51+ if (frame_size + len >= sizeof(frame)) {
52 DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
53- "buffer\n" , __func__, len, sizeof(frame));
54+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
55 DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
56 __func__, bd.buffer1_size, bd.buffer2_size);
57+ break;
58 }
59
60 cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
61--
621.8.3.1
63
diff --git a/meta/recipes-devtools/qemu/qemu/find_datadir.patch b/meta/recipes-devtools/qemu/qemu/find_datadir.patch
index 74e9ba56ce..9a4c11267a 100644
--- a/meta/recipes-devtools/qemu/qemu/find_datadir.patch
+++ b/meta/recipes-devtools/qemu/qemu/find_datadir.patch
@@ -9,8 +9,10 @@ Upstream-Status: Submitted [qemu-devel@nongnu.org]
9Signed-off-by: Joe Slater <joe.slater@windriver.com> 9Signed-off-by: Joe Slater <joe.slater@windriver.com>
10 10
11 11
12--- a/os-posix.c 12Index: qemu-5.1.0/os-posix.c
13+++ b/os-posix.c 13===================================================================
14--- qemu-5.1.0.orig/os-posix.c
15+++ qemu-5.1.0/os-posix.c
14@@ -82,8 +82,9 @@ void os_setup_signal_handling(void) 16@@ -82,8 +82,9 @@ void os_setup_signal_handling(void)
15 17
16 /* 18 /*
@@ -19,10 +21,10 @@ Signed-off-by: Joe Slater <joe.slater@windriver.com>
19 * When running from the build tree this will be "$bindir/../pc-bios". 21 * When running from the build tree this will be "$bindir/../pc-bios".
20- * Otherwise, this is CONFIG_QEMU_DATADIR. 22- * Otherwise, this is CONFIG_QEMU_DATADIR.
21+ * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure. 23+ * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure.
22 */ 24 *
23 char *os_find_datadir(void) 25 * The caller must use g_free() to free the returned data when it is
24 { 26 * no longer required.
25@@ -93,6 +94,12 @@ char *os_find_datadir(void) 27@@ -96,6 +97,12 @@ char *os_find_datadir(void)
26 exec_dir = qemu_get_exec_dir(); 28 exec_dir = qemu_get_exec_dir();
27 g_return_val_if_fail(exec_dir != NULL, NULL); 29 g_return_val_if_fail(exec_dir != NULL, NULL);
28 30
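Review bot: The refresh rebases this patch onto 5.1.0 (`Index: qemu-5.1.0/os-posix.c`) but leaves `Upstream-Status: Submitted [qemu-devel@nongnu.org]` unchanged, so a reader cannot tell whether the submission was rejected, is still waiting, or was simply never merged before 5.1.0 shipped. Since the patch is still being carried after a full release cycle, the bracket should cite the list thread or message-id so the next upgrade can check its fate instead of refreshing it again blindly. The added context lines about the caller freeing the result with `g_free()` are upstream's own comment and look fine as context.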
diff --git a/meta/recipes-devtools/qemu/qemu_5.0.0.bb b/meta/recipes-devtools/qemu/qemu_5.1.0.bb
index 9b09490269..9b09490269 100644
--- a/meta/recipes-devtools/qemu/qemu_5.0.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_5.1.0.bb