-rw-r--r-- | meta/recipes-devtools/qemu/qemu.inc | 3 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch | 39 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch | 46 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch | 78 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch | 105 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch | 67 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch | 75 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch | 60 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch | 19 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.7.0.bb (renamed from meta/recipes-devtools/qemu/qemu_2.6.0.bb) | 12 |
10 files changed, 13 insertions, 491 deletions
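--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -66,7 +66,8 @@ do_install_ptest() {
 cp -rL ${B}/tests ${D}${PTEST_PATH}
 find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {}
 
-cp ${S}/tests/Makefile ${D}${PTEST_PATH}/tests
+cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests
+
 }
 
 do_install () {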
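Review bot: The blank line inserted before the closing `}` (new line 70) is stray whitespace and should be dropped so do_install_ptest ends on the new `cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests` line. Because the copied path now tracks upstream's move of tests/Makefile to tests/Makefile.include (the same rename the refreshed add-ptest-in-makefile.patch in this commit follows), a short why-comment would spare the next version bump a silent ptest breakage, e.g. `# qemu >= 2.7 ships tests/Makefile.include instead of tests/Makefile; the ptest run target is patched into it by add-ptest-in-makefile.patch`. The body of do_install_ptest begins before this hunk.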
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch deleted file mode 100644 index 69c11e27d9..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4002.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From 7a2c32ec06533c54ddaf70136bfbd89eeaf6db16 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 7 Apr 2016 15:56:02 +0530 | ||
4 | Subject: [PATCH] net: mipsnet: check packet length against buffer | ||
5 | |||
6 | When receiving packets over MIPSnet network device, it uses | ||
7 | receive buffer of size 1514 bytes. In case the controller | ||
8 | accepts large(MTU) packets, it could lead to memory corruption. | ||
9 | Add check to avoid it. | ||
10 | |||
11 | Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Signed-off-by: Jason Wang <jasowang@redhat.com> | ||
14 | |||
15 | (cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f) | ||
16 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2016-4002 | ||
20 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
21 | |||
22 | --- | ||
23 | hw/net/mipsnet.c | 3 +++ | ||
24 | 1 file changed, 3 insertions(+) | ||
25 | |||
26 | Index: qemu-2.4.0/hw/net/mipsnet.c | ||
27 | =================================================================== | ||
28 | --- qemu-2.4.0.orig/hw/net/mipsnet.c | ||
29 | +++ qemu-2.4.0/hw/net/mipsnet.c | ||
30 | @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClient | ||
31 | if (!mipsnet_can_receive(nc)) | ||
32 | return 0; | ||
33 | |||
34 | + if (size >= sizeof(s->rx_buffer)) { | ||
35 | + return 0; | ||
36 | + } | ||
37 | s->busy = 1; | ||
38 | |||
39 | /* Just accept everything. */ | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch deleted file mode 100644 index 5d3b9a92d5..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4439.patch +++ /dev/null | |||
@@ -1,46 +0,0 @@ | |||
1 | From 0a5e3685ea10c578f8063ca0dbb009af45693d85 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 19 May 2016 16:09:30 +0530 | ||
4 | Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439) | ||
5 | |||
6 | The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte | ||
7 | FIFO buffer. It is used to handle command and data transfer. While | ||
8 | writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check | ||
9 | was missing to validate input length. Add check to avoid OOB write | ||
10 | access. | ||
11 | |||
12 | Fixes CVE-2016-4439. | ||
13 | |||
14 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
15 | Cc: qemu-stable@nongnu.org | ||
16 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
17 | Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com> | ||
18 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
19 | (cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef) | ||
20 | Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> | ||
21 | |||
22 | Upstream-Status: Backport | ||
23 | CVE: CVE-2016-4439 | ||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | --- | ||
27 | hw/scsi/esp.c | 6 +++++- | ||
28 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
29 | |||
30 | Index: qemu-2.4.0/hw/scsi/esp.c | ||
31 | =================================================================== | ||
32 | --- qemu-2.4.0.orig/hw/scsi/esp.c | ||
33 | +++ qemu-2.4.0/hw/scsi/esp.c | ||
34 | @@ -446,7 +446,11 @@ void esp_reg_write(ESPState *s, uint32_t | ||
35 | break; | ||
36 | case ESP_FIFO: | ||
37 | if (s->do_cmd) { | ||
38 | - s->cmdbuf[s->cmdlen++] = val & 0xff; | ||
39 | + if (s->cmdlen < TI_BUFSZ) { | ||
40 | + s->cmdbuf[s->cmdlen++] = val & 0xff; | ||
41 | + } else { | ||
42 | + trace_esp_error_fifo_overrun(); | ||
43 | + } | ||
44 | } else if (s->ti_size == TI_BUFSZ - 1) { | ||
45 | trace_esp_error_fifo_overrun(); | ||
46 | } else { | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch deleted file mode 100644 index 3cbe394bfd..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch +++ /dev/null | |||
@@ -1,78 +0,0 @@ | |||
1 | From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 19 May 2016 16:09:31 +0530 | ||
4 | Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441) | ||
5 | |||
6 | The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte | ||
7 | FIFO buffer. It is used to handle command and data transfer. | ||
8 | Routine get_cmd() uses DMA to read scsi commands into this buffer. | ||
9 | Add check to validate DMA length against buffer size to avoid any | ||
10 | overrun. | ||
11 | |||
12 | Fixes CVE-2016-4441. | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | |||
16 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
17 | Cc: qemu-stable@nongnu.org | ||
18 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
19 | Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com> | ||
20 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
21 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
22 | --- | ||
23 | hw/scsi/esp.c | 11 +++++++---- | ||
24 | 1 files changed, 7 insertions(+), 4 deletions(-) | ||
25 | |||
26 | diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c | ||
27 | index 01497e6..591c817 100644 | ||
28 | --- a/hw/scsi/esp.c | ||
29 | +++ b/hw/scsi/esp.c | ||
30 | @@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req) | ||
31 | } | ||
32 | } | ||
33 | |||
34 | -static uint32_t get_cmd(ESPState *s, uint8_t *buf) | ||
35 | +static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen) | ||
36 | { | ||
37 | uint32_t dmalen; | ||
38 | int target; | ||
39 | @@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf) | ||
40 | dmalen = s->rregs[ESP_TCLO]; | ||
41 | dmalen |= s->rregs[ESP_TCMID] << 8; | ||
42 | dmalen |= s->rregs[ESP_TCHI] << 16; | ||
43 | + if (dmalen > buflen) { | ||
44 | + return 0; | ||
45 | + } | ||
46 | s->dma_memory_read(s->dma_opaque, buf, dmalen); | ||
47 | } else { | ||
48 | dmalen = s->ti_size; | ||
49 | @@ -166,7 +169,7 @@ static void handle_satn(ESPState *s) | ||
50 | s->dma_cb = handle_satn; | ||
51 | return; | ||
52 | } | ||
53 | - len = get_cmd(s, buf); | ||
54 | + len = get_cmd(s, buf, sizeof(buf)); | ||
55 | if (len) | ||
56 | do_cmd(s, buf); | ||
57 | } | ||
58 | @@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s) | ||
59 | s->dma_cb = handle_s_without_atn; | ||
60 | return; | ||
61 | } | ||
62 | - len = get_cmd(s, buf); | ||
63 | + len = get_cmd(s, buf, sizeof(buf)); | ||
64 | if (len) { | ||
65 | do_busid_cmd(s, buf, 0); | ||
66 | } | ||
67 | @@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s) | ||
68 | s->dma_cb = handle_satn_stop; | ||
69 | return; | ||
70 | } | ||
71 | - s->cmdlen = get_cmd(s, s->cmdbuf); | ||
72 | + s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf)); | ||
73 | if (s->cmdlen) { | ||
74 | trace_esp_handle_satn_stop(s->cmdlen); | ||
75 | s->do_cmd = 1; | ||
76 | -- | ||
77 | 1.7.0.4 | ||
78 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch deleted file mode 100644 index 52d2a1e3d0..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4952.patch +++ /dev/null | |||
@@ -1,105 +0,0 @@ | |||
1 | From 3e831b40e015ba34dfb55ff11f767001839425ff Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Mon, 23 May 2016 16:18:05 +0530 | ||
4 | Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size (CVE-2016-4952) | ||
5 | |||
6 | Vmware Paravirtual SCSI emulation uses command descriptors to | ||
7 | process SCSI commands. These descriptors come with their ring | ||
8 | buffers. A guest could set the ring buffer size to an arbitrary | ||
9 | value leading to OOB access issue. Add check to avoid it. | ||
10 | |||
11 | Upstream-Status: Backported | ||
12 | |||
13 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
14 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
15 | Cc: qemu-stable@nongnu.org | ||
16 | Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com> | ||
17 | Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com> | ||
18 | Reviewed-by: Dmitry Fleytman <dmitry@daynix.com> | ||
19 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
20 | Signed-off-by: Adrian Dudau <adrian.dudau@enea.com> | ||
21 | --- | ||
22 | hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++---- | ||
23 | 1 files changed, 20 insertions(+), 4 deletions(-) | ||
24 | |||
25 | diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c | ||
26 | index f67b5bf..2d7528d 100644 | ||
27 | --- a/hw/scsi/vmw_pvscsi.c | ||
28 | +++ b/hw/scsi/vmw_pvscsi.c | ||
29 | @@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input) | ||
30 | return log; | ||
31 | } | ||
32 | |||
33 | -static void | ||
34 | +static int | ||
35 | pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) | ||
36 | { | ||
37 | int i; | ||
38 | @@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) | ||
39 | uint32_t req_ring_size, cmp_ring_size; | ||
40 | m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; | ||
41 | |||
42 | + if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) | ||
43 | + || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { | ||
44 | + return -1; | ||
45 | + } | ||
46 | req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; | ||
47 | cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; | ||
48 | txr_len_log2 = pvscsi_log2(req_ring_size - 1); | ||
49 | @@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) | ||
50 | |||
51 | /* Flush ring state page changes */ | ||
52 | smp_wmb(); | ||
53 | + | ||
54 | + return 0; | ||
55 | } | ||
56 | |||
57 | -static void | ||
58 | +static int | ||
59 | pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) | ||
60 | { | ||
61 | int i; | ||
62 | uint32_t len_log2; | ||
63 | uint32_t ring_size; | ||
64 | |||
65 | + if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) { | ||
66 | + return -1; | ||
67 | + } | ||
68 | ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE; | ||
69 | len_log2 = pvscsi_log2(ring_size - 1); | ||
70 | |||
71 | @@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri) | ||
72 | |||
73 | /* Flush ring state page changes */ | ||
74 | smp_wmb(); | ||
75 | + | ||
76 | + return 0; | ||
77 | } | ||
78 | |||
79 | static void | ||
80 | @@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) | ||
81 | trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); | ||
82 | |||
83 | pvscsi_dbg_dump_tx_rings_config(rc); | ||
84 | - pvscsi_ring_init_data(&s->rings, rc); | ||
85 | + if (pvscsi_ring_init_data(&s->rings, rc) < 0) { | ||
86 | + return PVSCSI_COMMAND_PROCESSING_FAILED; | ||
87 | + } | ||
88 | + | ||
89 | s->rings_info_valid = TRUE; | ||
90 | return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; | ||
91 | } | ||
92 | @@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s) | ||
93 | } | ||
94 | |||
95 | if (s->rings_info_valid) { | ||
96 | - pvscsi_ring_init_msg(&s->rings, rc); | ||
97 | + if (pvscsi_ring_init_msg(&s->rings, rc) < 0) { | ||
98 | + return PVSCSI_COMMAND_PROCESSING_FAILED; | ||
99 | + } | ||
100 | s->msg_ring_info_valid = TRUE; | ||
101 | } | ||
102 | return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t); | ||
103 | -- | ||
104 | 1.7.0.4 | ||
105 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch deleted file mode 100644 index fe084f5b08..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-5403.patch +++ /dev/null | |||
@@ -1,67 +0,0 @@ | |||
1 | From afd9096eb1882f23929f5b5c177898ed231bac66 Mon Sep 17 00:00:00 2001 | ||
2 | From: Stefan Hajnoczi <stefanha@redhat.com> | ||
3 | Date: Tue, 19 Jul 2016 13:07:13 +0100 | ||
4 | Subject: [PATCH] virtio: error out if guest exceeds virtqueue size | ||
5 | |||
6 | A broken or malicious guest can submit more requests than the virtqueue | ||
7 | size permits, causing unbounded memory allocation in QEMU. | ||
8 | |||
9 | The guest can submit requests without bothering to wait for completion | ||
10 | and is therefore not bound by virtqueue size. This requires reusing | ||
11 | vring descriptors in more than one request, which is not allowed by the | ||
12 | VIRTIO 1.0 specification. | ||
13 | |||
14 | In "3.2.1 Supplying Buffers to The Device", the VIRTIO 1.0 specification | ||
15 | says: | ||
16 | |||
17 | 1. The driver places the buffer into free descriptor(s) in the | ||
18 | descriptor table, chaining as necessary | ||
19 | |||
20 | and | ||
21 | |||
22 | Note that the above code does not take precautions against the | ||
23 | available ring buffer wrapping around: this is not possible since the | ||
24 | ring buffer is the same size as the descriptor table, so step (1) will | ||
25 | prevent such a condition. | ||
26 | |||
27 | This implies that placing more buffers into the virtqueue than the | ||
28 | descriptor table size is not allowed. | ||
29 | |||
30 | QEMU is missing the check to prevent this case. Processing a request | ||
31 | allocates a VirtQueueElement leading to unbounded memory allocation | ||
32 | controlled by the guest. | ||
33 | |||
34 | Exit with an error if the guest provides more requests than the | ||
35 | virtqueue size permits. This bounds memory allocation and makes the | ||
36 | buggy guest visible to the user. | ||
37 | |||
38 | This patch fixes CVE-2016-5403 and was reported by Zhenhao Hong from 360 | ||
39 | Marvel Team, China. | ||
40 | |||
41 | Reported-by: Zhenhao Hong <hongzhenhao@360.cn> | ||
42 | Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> | ||
43 | |||
44 | Upstream-Status: Backport | ||
45 | CVE: CVE-2106-5403 | ||
46 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
47 | |||
48 | --- | ||
49 | hw/virtio/virtio.c | 5 +++++ | ||
50 | 1 file changed, 5 insertions(+) | ||
51 | |||
52 | Index: qemu-2.4.0/hw/virtio/virtio.c | ||
53 | =================================================================== | ||
54 | --- qemu-2.4.0.orig/hw/virtio/virtio.c | ||
55 | +++ qemu-2.4.0/hw/virtio/virtio.c | ||
56 | @@ -483,6 +483,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue | ||
57 | |||
58 | max = vq->vring.num; | ||
59 | |||
60 | + if (vq->inuse >= vq->vring.num) { | ||
61 | + error_report("Virtqueue size exceeded"); | ||
62 | + exit(1); | ||
63 | + } | ||
64 | + | ||
65 | i = head = virtqueue_get_head(vq, vq->last_avail_idx++); | ||
66 | if (virtio_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { | ||
67 | vring_set_avail_event(vq, vq->last_avail_idx); | ||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch deleted file mode 100644 index 350ae2becc..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p1.patch +++ /dev/null | |||
@@ -1,75 +0,0 @@ | |||
1 | From 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11 Mon Sep 17 00:00:00 2001 | ||
2 | From: Prasad J Pandit <pjp@fedoraproject.org> | ||
3 | Date: Thu, 16 Jun 2016 00:22:35 +0200 | ||
4 | Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size | ||
5 | |||
6 | While doing DMA read into ESP command buffer 's->cmdbuf', it could | ||
7 | write past the 's->cmdbuf' area, if it was transferring more than 16 | ||
8 | bytes. Increase the command buffer size to 32, which is maximum when | ||
9 | 's->do_cmd' is set, and add a check on 'len' to avoid OOB access. | ||
10 | |||
11 | Reported-by: Li Qiang <liqiang6-s@360.cn> | ||
12 | Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> | ||
13 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | CVE: CVE-2016-6351 patch1 | ||
17 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
18 | |||
19 | --- | ||
20 | hw/scsi/esp.c | 6 ++++-- | ||
21 | include/hw/scsi/esp.h | 3 ++- | ||
22 | 2 files changed, 6 insertions(+), 3 deletions(-) | ||
23 | |||
24 | Index: qemu-2.4.0/hw/scsi/esp.c | ||
25 | =================================================================== | ||
26 | --- qemu-2.4.0.orig/hw/scsi/esp.c | ||
27 | +++ qemu-2.4.0/hw/scsi/esp.c | ||
28 | @@ -241,6 +241,8 @@ static void esp_do_dma(ESPState *s) | ||
29 | len = s->dma_left; | ||
30 | if (s->do_cmd) { | ||
31 | trace_esp_do_dma(s->cmdlen, len); | ||
32 | + assert (s->cmdlen <= sizeof(s->cmdbuf) && | ||
33 | + len <= sizeof(s->cmdbuf) - s->cmdlen); | ||
34 | s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len); | ||
35 | s->ti_size = 0; | ||
36 | s->cmdlen = 0; | ||
37 | @@ -340,7 +342,7 @@ static void handle_ti(ESPState *s) | ||
38 | s->dma_counter = dmalen; | ||
39 | |||
40 | if (s->do_cmd) | ||
41 | - minlen = (dmalen < 32) ? dmalen : 32; | ||
42 | + minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ; | ||
43 | else if (s->ti_size < 0) | ||
44 | minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size; | ||
45 | else | ||
46 | @@ -446,7 +448,7 @@ void esp_reg_write(ESPState *s, uint32_t | ||
47 | break; | ||
48 | case ESP_FIFO: | ||
49 | if (s->do_cmd) { | ||
50 | - if (s->cmdlen < TI_BUFSZ) { | ||
51 | + if (s->cmdlen < ESP_CMDBUF_SZ) { | ||
52 | s->cmdbuf[s->cmdlen++] = val & 0xff; | ||
53 | } else { | ||
54 | trace_esp_error_fifo_overrun(); | ||
55 | Index: qemu-2.4.0/include/hw/scsi/esp.h | ||
56 | =================================================================== | ||
57 | --- qemu-2.4.0.orig/include/hw/scsi/esp.h | ||
58 | +++ qemu-2.4.0/include/hw/scsi/esp.h | ||
59 | @@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shi | ||
60 | |||
61 | #define ESP_REGS 16 | ||
62 | #define TI_BUFSZ 16 | ||
63 | +#define ESP_CMDBUF_SZ 32 | ||
64 | |||
65 | typedef struct ESPState ESPState; | ||
66 | |||
67 | @@ -31,7 +32,7 @@ struct ESPState { | ||
68 | SCSIBus bus; | ||
69 | SCSIDevice *current_dev; | ||
70 | SCSIRequest *current_req; | ||
71 | - uint8_t cmdbuf[TI_BUFSZ]; | ||
72 | + uint8_t cmdbuf[ESP_CMDBUF_SZ]; | ||
73 | uint32_t cmdlen; | ||
74 | uint32_t do_cmd; | ||
75 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch deleted file mode 100644 index c4ed354e8e..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch +++ /dev/null | |||
@@ -1,60 +0,0 @@ | |||
1 | From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Paolo Bonzini <pbonzini@redhat.com> | ||
3 | Date: Mon, 20 Jun 2016 16:32:39 +0200 | ||
4 | Subject: [PATCH] scsi: esp: fix migration | ||
5 | |||
6 | Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size", | ||
7 | 2016-06-16) changed the size of a migrated field. Split it in two | ||
8 | parts, and only migrate the second part in a new vmstate version. | ||
9 | |||
10 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | ||
11 | |||
12 | Upstream-Status: Backport | ||
13 | CVE: CVE-2016-6351 patch1 | ||
14 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
15 | |||
16 | --- | ||
17 | hw/scsi/esp.c | 5 +++-- | ||
18 | include/migration/vmstate.h | 5 ++++- | ||
19 | 2 files changed, 7 insertions(+), 3 deletions(-) | ||
20 | |||
21 | Index: qemu-2.4.0/hw/scsi/esp.c | ||
22 | =================================================================== | ||
23 | --- qemu-2.4.0.orig/hw/scsi/esp.c | ||
24 | +++ qemu-2.4.0/hw/scsi/esp.c | ||
25 | @@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque | ||
26 | |||
27 | const VMStateDescription vmstate_esp = { | ||
28 | .name ="esp", | ||
29 | - .version_id = 3, | ||
30 | + .version_id = 4, | ||
31 | .minimum_version_id = 3, | ||
32 | .fields = (VMStateField[]) { | ||
33 | VMSTATE_BUFFER(rregs, ESPState), | ||
34 | @@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = { | ||
35 | VMSTATE_BUFFER(ti_buf, ESPState), | ||
36 | VMSTATE_UINT32(status, ESPState), | ||
37 | VMSTATE_UINT32(dma, ESPState), | ||
38 | - VMSTATE_BUFFER(cmdbuf, ESPState), | ||
39 | + VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16), | ||
40 | + VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4), | ||
41 | VMSTATE_UINT32(cmdlen, ESPState), | ||
42 | VMSTATE_UINT32(do_cmd, ESPState), | ||
43 | VMSTATE_UINT32(dma_left, ESPState), | ||
44 | Index: qemu-2.4.0/include/migration/vmstate.h | ||
45 | =================================================================== | ||
46 | --- qemu-2.4.0.orig/include/migration/vmstate.h | ||
47 | +++ qemu-2.4.0/include/migration/vmstate.h | ||
48 | @@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi | ||
49 | #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \ | ||
50 | VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size) | ||
51 | |||
52 | +#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \ | ||
53 | + VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f))) | ||
54 | + | ||
55 | #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \ | ||
56 | - VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f))) | ||
57 | + VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0) | ||
58 | |||
59 | #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \ | ||
60 | VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size) | ||
diff --git a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch index a99f72098c..2ce3478e4a 100644 --- a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch +++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch | |||
@@ -4,14 +4,14 @@ Add subpackage -ptest which runs all unit test cases for qemu. | |||
4 | 4 | ||
5 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | 5 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
6 | --- | 6 | --- |
7 | tests/Makefile | 10 ++++++++++ | 7 | tests/Makefile.include | 8 ++++++++ |
8 | 1 file changed, 10 insertions(+) | 8 | 1 file changed, 8 insertions(+) |
9 | 9 | ||
10 | diff --git a/tests/Makefile b/tests/Makefile | 10 | diff --git a/tests/Makefile.include b/tests/Makefile.include |
11 | index 88f7105..3f40b4b 100644 | 11 | index 14be491..0fce37a 100644 |
12 | --- a/tests/Makefile | 12 | --- a/tests/Makefile.include |
13 | +++ b/tests/Makefile | 13 | +++ b/tests/Makefile.include |
14 | @@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) | 14 | @@ -776,3 +776,11 @@ all: $(QEMU_IOTESTS_HELPERS-y) |
15 | 15 | ||
16 | -include $(wildcard tests/*.d) | 16 | -include $(wildcard tests/*.d) |
17 | -include $(wildcard tests/libqos/*.d) | 17 | -include $(wildcard tests/libqos/*.d) |
@@ -23,7 +23,6 @@ index 88f7105..3f40b4b 100644 | |||
23 | + nf=$$(echo $$f | sed 's/tests\//\.\//g'); \ | 23 | + nf=$$(echo $$f | sed 's/tests\//\.\//g'); \ |
24 | + $$nf; \ | 24 | + $$nf; \ |
25 | + done | 25 | + done |
26 | + | 26 | -- |
27 | -- | 27 | 2.9.0 |
28 | 1.7.9.5 | ||
29 | 28 | ||
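--- a/meta/recipes-devtools/qemu/qemu_2.6.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.7.0.bb
@@ -8,19 +8,11 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
 file://no-valgrind.patch \
 file://pathlimit.patch \
-file://CVE-2016-4439.patch \
-file://CVE-2016-6351_p1.patch \
-file://CVE-2016-6351_p2.patch \
-file://CVE-2016-4002.patch \
-file://CVE-2016-5403.patch \
-file://CVE-2016-4441.patch \
-file://CVE-2016-4952.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 
-SRC_URI[md5sum] = "ca3f70b43f093e33e9e014f144067f13"
-SRC_URI[sha256sum] = "c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec"
-
+SRC_URI[md5sum] = "08d4d06d1cb598efecd796137f4844ab"
+SRC_URI[sha256sum] = "326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53"
 
 COMPATIBLE_HOST_class-target_mips64 = "null"
 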
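Review bot: Dropping the seven CVE patches from SRC_URI is only safe if the upstream commits they cherry-picked (for example 3af9187fc6ca for CVE-2016-4002 and c98c6c105f66 for CVE-2016-4439, both cited in the deleted patch headers) are reachable from the v2.7.0 tag, and nothing in this hunk records that; I would confirm each with `git merge-base --is-ancestor <sha> v2.7.0` and note the result in the commit message so the CVE-tracking trail is not lost. The tarball is still fetched over plain `http://wiki.qemu-project.org/download/${BP}.tar.bz2`, so its integrity rests entirely on the pinned `SRC_URI[sha256sum]`; that value must come from a trusted out-of-band source such as the signed release announcement, not from the downloaded file, and the `md5sum` line adds no protection beyond it. The SRC_URI assignment this hunk edits starts before the hunk.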