-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch | 63 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch | 58 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch | 52 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.2.0.bb | 3 |
4 files changed, 176 insertions, 0 deletions
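--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch
@@ -0,0 +1,63 @@
+From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:28 +0800
+Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
+
+Factor out sg unmapping logic. This will be reused by the patch that
+can discard descriptor.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Andrew James <andrew.james@hpe.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c
+
+CVE: CVE-2015-7295 patch #1
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/virtio/virtio.c | 14 ++++++++++----
+1 file changed, 10 insertions(+), 4 deletions(-)
+
+Index: qemu-2.2.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.2.0.orig/hw/virtio/virtio.c
++++ qemu-2.2.0/hw/virtio/virtio.c
+@@ -240,14 +240,12 @@ int virtio_queue_empty(VirtQueue *vq)
+return vring_avail_idx(vq) == vq->last_avail_idx;
+}
+
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+- unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
+{
+unsigned int offset;
+int i;
+
+- trace_virtqueue_fill(vq, elem, len, idx);
+-
+offset = 0;
+for (i = 0; i < elem->in_num; i++) {
+size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
+@@ -263,6 +261,14 @@ void virtqueue_fill(VirtQueue *vq, const
+cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
+elem->out_sg[i].iov_len,
+0, elem->out_sg[i].iov_len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len, unsigned int idx)
++{
++ trace_virtqueue_fill(vq, elem, len, idx);
++
++ virtqueue_unmap_sg(vq, elem, len);
+
+idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+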
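Review bot: The new static helper `virtqueue_unmap_sg()` carries no comment on what `len` bounds, and none of the lines visible in this hunk read its `vq` parameter. `len` is clamped per entry with `MIN(len - offset, elem->in_sg[i].iov_len)`, so it appears to be the number of bytes written into the in_sg buffers. A one-line comment such as `/* Unmap elem's in/out sg entries; len = bytes written to in_sg (TODO confirm). */` would help the callers added later in this series, which pass a partial count. Part of the function body lies between the two inner hunks and is not shown, so the unused-parameter remark should be checked against the full file.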
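--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch
@@ -0,0 +1,58 @@
+From 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:29 +0800
+Subject: [PATCH] virtio: introduce virtqueue_discard()
+
+This patch introduces virtqueue_discard() to discard a descriptor and
+unmap the sgs. This will be used by the patch that will discard
+descriptor when packet is truncated.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=29b9f5efd78ae0f9cc02dd169b6e80d2c404bade
+
+CVE: CVE-2015-7295 patch #2
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/virtio/virtio.c | 7 +++++++
+include/hw/virtio/virtio.h | 2 ++
+2 files changed, 9 insertions(+)
+
+Index: qemu-2.2.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.2.0.orig/hw/virtio/virtio.c
++++ qemu-2.2.0/hw/virtio/virtio.c
+@@ -263,6 +263,13 @@ static void virtqueue_unmap_sg(VirtQueue
+0, elem->out_sg[i].iov_len);
+}
+
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
++{
++ vq->last_avail_idx--;
++ virtqueue_unmap_sg(vq, elem, len);
++}
++
+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len, unsigned int idx)
+{
+Index: qemu-2.2.0/include/hw/virtio/virtio.h
+===================================================================
+--- qemu-2.2.0.orig/include/hw/virtio/virtio.h
++++ qemu-2.2.0/include/hw/virtio/virtio.h
+@@ -180,6 +180,8 @@ void virtio_del_queue(VirtIODevice *vdev
+void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len);
+void virtqueue_flush(VirtQueue *vq, unsigned int count);
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len);
+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len, unsigned int idx);
+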
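Review bot: `virtqueue_discard()` steps `vq->last_avail_idx--` unconditionally, so it is only correct when `elem` is the most recently popped element and has not already been filled or discarded. Neither the definition nor the new prototype in virtio.h states or checks that. A second call for the same element, or a call after a further pop, would rewind the index over a descriptor the device still holds. I would put the contract above the definition, e.g. `/* Undo the last virtqueue_pop(): elem must be the most recently popped element and must not have been filled. */`. If the pop path in this tree also keeps a per-queue in-flight count (not visible in the hunk), that count needs the matching decrement here as well.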
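--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch
@@ -0,0 +1,52 @@
+From 0cf33fb6b49a19de32859e2cdc6021334f448fb3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:30 +0800
+Subject: [PATCH] virtio-net: correctly drop truncated packets
+
+When packet is truncated during receiving, we drop the packets but
+neither discard the descriptor nor add and signal used
+descriptor. This will lead several issues:
+
+- sg mappings are leaked
+- rx will be stalled if a lots of packets were truncated
+
+In order to be consistent with vhost, fix by discarding the descriptor
+in this case.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=0cf33fb6b49a19de32859e2cdc6021334f448fb3
+
+CVE: CVE-2015-7295 patch #3
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/net/virtio-net.c | 8 +-------
+1 file changed, 1 insertion(+), 7 deletions(-)
+
+Index: qemu-2.2.0/hw/net/virtio-net.c
+===================================================================
+--- qemu-2.2.0.orig/hw/net/virtio-net.c
++++ qemu-2.2.0/hw/net/virtio-net.c
+@@ -1070,13 +1070,7 @@ static ssize_t virtio_net_receive(NetCli
+* must have consumed the complete packet.
+* Otherwise, drop it. */
+if (!n->mergeable_rx_bufs && offset < size) {
+-#if 0
+- error_report("virtio-net truncated non-mergeable packet: "
+- "i %zd mergeable %d offset %zd, size %zd, "
+- "guest hdr len %zd, host hdr len %zd",
+- i, n->mergeable_rx_bufs,
+- offset, size, n->guest_hdr_len, n->host_hdr_len);
+-#endif
++ virtqueue_discard(q->rx_vq, &elem, total);
+return size;
+}
+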
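Review bot: After this change a truncated non-mergeable packet is dropped with no diagnostic of any kind. The disabled `error_report()` is deleted rather than replaced, and `return size` reports the packet as consumed, so a guest that keeps posting undersized rx buffers produces silent loss that an operator cannot observe. A drop counter or trace point next to `virtqueue_discard(q->rx_vq, &elem, total);` would keep the condition visible without the log flooding an unconditional error message would allow. At minimum add a comment such as `/* Guest buffer too small for a non-mergeable packet: return the descriptor and drop. */`. It is also worth confirming in the full function that exactly one element has been popped when this branch runs, since `virtqueue_discard()` moves `last_avail_idx` back by one only; `virtio_net_receive()` starts and ends outside the hunk.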
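--- a/meta/recipes-devtools/qemu/qemu_2.2.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.2.0.bb
@@ -25,6 +25,9 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://CVE-2015-7512.patch \
 file://CVE-2015-8345.patch \
 file://CVE-2016-1568.patch \
+file://CVE-2015-7295_1.patch \
+file://CVE-2015-7295_2.patch \
+file://CVE-2015-7295_3.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f7a5e2da22d057eb838a91da7aff43c8"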