-rw-r--r--meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb (renamed from meta/recipes-devtools/qemu/qemu-native_3.1.0.bb)0
-rw-r--r--meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb (renamed from meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb)0
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc14
-rw-r--r--meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch50
-rw-r--r--meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch60
-rw-r--r--meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch54
-rw-r--r--meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch113
-rw-r--r--meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch47
-rw-r--r--meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch85
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch38
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch39
-rw-r--r--meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch215
-rw-r--r--meta/recipes-devtools/qemu/qemu_3.1.1.1.bb (renamed from meta/recipes-devtools/qemu/qemu_3.1.0.bb)0
14 files changed, 2 insertions, 798 deletions
diff --git a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb
index c8acff8e19..c8acff8e19 100644
--- a/meta/recipes-devtools/qemu/qemu-native_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-native_3.1.1.1.bb
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb
index 5bf528bec1..5bf528bec1 100644
--- a/meta/recipes-devtools/qemu/qemu-system-native_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu-system-native_3.1.1.1.bb
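diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 40c3174903..202134b3d8 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -22,24 +22,14 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
  file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
  file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
  file://0001-Add-a-missing-X11-include.patch \
- file://0001-egl-headless-add-egl_create_context.patch \
- file://0014-fix-CVE-2018-16872.patch \
- file://0015-fix-CVE-2018-20124.patch \
- file://0016-fix-CVE-2018-20125.patch \
- file://0017-fix-CVE-2018-20126.patch \
- file://0018-fix-CVE-2018-20191.patch \
- file://0019-fix-CVE-2018-20216.patch \
- file://CVE-2019-3812.patch \
  file://0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch \
- file://CVE-2018-20815.patch \
- file://CVE-2019-8934.patch \
  file://0001-linux-user-assume-__NR_gettid-always-exists.patch \
  file://0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch \
  "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[md5sum] = "fb687ce0b02d3bf4327e36d3b99427a8"
-SRC_URI[sha256sum] = "6a0508df079a0a33c2487ca936a56c12122f105b8a96a44374704bef6c69abfc"
+SRC_URI[md5sum] = "aafb005c252eb3a667c2468868348c0a"
+SRC_URI[sha256sum] = "b148fc3c7382c5addd915db433383160ca7b840bc6ea90bb0d35c6b253526d56"
 
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"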
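Review bot: This hunk drops nine CVE backports (CVE-2018-16872, CVE-2018-20124, CVE-2018-20125, CVE-2018-20126, CVE-2018-20191, CVE-2018-20216, CVE-2018-20815, CVE-2019-3812, CVE-2019-8934) plus the egl-headless fix on the strength of the version bump alone, and nothing in the diff records that the 3.1.1.1 tarball actually carries each of them; the `Upstream-Status: Backport` links in the removed patches point at master commits, not at the stable-3.1 branch. Before merging I would verify each fix against the stable-3.1 history (or the 3.1.1 changelog) and list the CVE IDs in the commit message, because once the `CVE:` tags in these patch files are gone the cve-check class has only NVD version ranges to go on, and any fix that turns out not to be in the stable tarball must keep its patch rather than lose it. The new `SRC_URI[sha256sum]` is the only meaningful integrity anchor for the fetched tarball (md5 is kept for tooling, not for security), so it should be cross-checked against the upstream release announcement rather than computed from a locally downloaded file. I would also note in the commit message that the 3.1 machine-class defaults introduced by the dropped CVE-2019-8934 backport (host-model/host-serial set to passthrough via compat props) are now whatever upstream 3.1.1.1 ships, so that anyone relying on the previous behaviour can confirm it is unchanged.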
diff --git a/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch b/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch
deleted file mode 100644
index d9326c017a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0001-egl-headless-add-egl_create_context.patch
+++ /dev/null
@@ -1,50 +0,0 @@
1From 952e5d584f5aabe41298c278065fe628f3f7aa7a Mon Sep 17 00:00:00 2001
2From: Gerd Hoffmann <kraxel@redhat.com>
3Date: Thu, 29 Nov 2018 13:35:02 +0100
4Subject: [PATCH] egl-headless: add egl_create_context
5
6We must set the correct context (via eglMakeCurrent) before
7calling qemu_egl_create_context, so we need a thin wrapper and can't
8hook qemu_egl_create_context directly as ->dpy_gl_ctx_create callback.
9
10Reported-by: Frederik Carlier <frederik.carlier@quamotion.mobi>
11Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
12Message-id: 20181129123502.30129-1-kraxel@redhat.com
13
14Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=952e5d584f5aabe41298c278065fe628f3f7aa7a]
15Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
16---
17 ui/egl-headless.c | 10 +++++++++-
18 1 file changed, 9 insertions(+), 1 deletion(-)
19
20diff --git a/ui/egl-headless.c b/ui/egl-headless.c
21index 4cf3bbc0e4..519e7bad32 100644
22--- a/ui/egl-headless.c
23+++ b/ui/egl-headless.c
24@@ -38,6 +38,14 @@ static void egl_gfx_switch(DisplayChangeListener *dcl,
25 edpy->ds = new_surface;
26 }
27
28+static QEMUGLContext egl_create_context(DisplayChangeListener *dcl,
29+ QEMUGLParams *params)
30+{
31+ eglMakeCurrent(qemu_egl_display, EGL_NO_SURFACE, EGL_NO_SURFACE,
32+ qemu_egl_rn_ctx);
33+ return qemu_egl_create_context(dcl, params);
34+}
35+
36 static void egl_scanout_disable(DisplayChangeListener *dcl)
37 {
38 egl_dpy *edpy = container_of(dcl, egl_dpy, dcl);
39@@ -150,7 +158,7 @@ static const DisplayChangeListenerOps egl_ops = {
40 .dpy_gfx_update = egl_gfx_update,
41 .dpy_gfx_switch = egl_gfx_switch,
42
43- .dpy_gl_ctx_create = qemu_egl_create_context,
44+ .dpy_gl_ctx_create = egl_create_context,
45 .dpy_gl_ctx_destroy = qemu_egl_destroy_context,
46 .dpy_gl_ctx_make_current = qemu_egl_make_context_current,
47 .dpy_gl_ctx_get_current = qemu_egl_get_current_context,
48--
492.17.1
50
diff --git a/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch b/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch
deleted file mode 100644
index 412aa16046..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0014-fix-CVE-2018-16872.patch
+++ /dev/null
@@ -1,85 +0,0 @@
1CVE: CVE-2018-16872
2Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=bab9df35]
3
4Signed-off-by: Kai Kang <kai.kang@windriver.com>
5
6From bab9df35ce73d1c8e19a37e2737717ea1c984dc1 Mon Sep 17 00:00:00 2001
7From: Gerd Hoffmann <kraxel@redhat.com>
8Date: Thu, 13 Dec 2018 13:25:11 +0100
9Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
10
11Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
12While being at it also add O_CLOEXEC.
13
14usb-mtp only handles regular files and directories and ignores
15everything else, so users should not see a difference.
16
17Because qemu ignores symlinks, carrying out a successful symlink attack
18requires swapping an existing file or directory below rootdir for a
19symlink and winning the race against the inotify notification to qemu.
20
21Fixes: CVE-2018-16872
22Cc: Prasad J Pandit <ppandit@redhat.com>
23Cc: Bandan Das <bsd@redhat.com>
24Reported-by: Michael Hanselmann <public@hansmi.ch>
25Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
26Reviewed-by: Michael Hanselmann <public@hansmi.ch>
27Message-id: 20181213122511.13853-1-kraxel@redhat.com
28---
29 hw/usb/dev-mtp.c | 13 +++++++++----
30 1 file changed, 9 insertions(+), 4 deletions(-)
31
32diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
33index 100b7171f4..36c43b8c20 100644
34--- a/hw/usb/dev-mtp.c
35+++ b/hw/usb/dev-mtp.c
36@@ -653,13 +653,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
37 {
38 struct dirent *entry;
39 DIR *dir;
40+ int fd;
41
42 if (o->have_children) {
43 return;
44 }
45 o->have_children = true;
46
47- dir = opendir(o->path);
48+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
49+ if (fd < 0) {
50+ return;
51+ }
52+ dir = fdopendir(fd);
53 if (!dir) {
54 return;
55 }
56@@ -1007,7 +1012,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
57
58 trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
59
60- d->fd = open(o->path, O_RDONLY);
61+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
62 if (d->fd == -1) {
63 usb_mtp_data_free(d);
64 return NULL;
65@@ -1031,7 +1036,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
66 c->argv[1], c->argv[2]);
67
68 d = usb_mtp_data_alloc(c);
69- d->fd = open(o->path, O_RDONLY);
70+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
71 if (d->fd == -1) {
72 usb_mtp_data_free(d);
73 return NULL;
74@@ -1658,7 +1663,7 @@ static void usb_mtp_write_data(MTPState *s)
75 0, 0, 0, 0);
76 goto done;
77 }
78- d->fd = open(path, O_CREAT | O_WRONLY, mask);
79+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
80 if (d->fd == -1) {
81 usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
82 0, 0, 0, 0);
83--
842.20.1
85
diff --git a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch b/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
deleted file mode 100644
index 985b819409..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0015-fix-CVE-2018-20124.patch
+++ /dev/null
@@ -1,60 +0,0 @@
1CVE: CVE-2018-20124
2Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=0e68373]
3
4Backport patch to fix CVE-2018-20124. Update context and stay with current
5function comp_handler() which has been replaced with complete_work() in latest
6git repo.
7
8Signed-off-by: Kai Kang <kai.kang@windriver.com>
9
10From 0e68373cc2b3a063ce067bc0cc3edaf370752890 Mon Sep 17 00:00:00 2001
11From: Prasad J Pandit <pjp@fedoraproject.org>
12Date: Thu, 13 Dec 2018 01:00:34 +0530
13Subject: [PATCH] rdma: check num_sge does not exceed MAX_SGE
14
15rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set
16to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element
17with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue.
18Add check to avoid it.
19
20Reported-by: Saar Amar <saaramar5@gmail.com>
21Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
22Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
23Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
24---
25 hw/rdma/rdma_backend.c | 12 ++++++------
26 1 file changed, 6 insertions(+), 6 deletions(-)
27
28diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c
29index d7a4bbd9..7f8028f8 100644
30--- a/hw/rdma/rdma_backend.c
31+++ b/hw/rdma/rdma_backend.c
32@@ -311,9 +311,9 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev,
33 }
34
35 pr_dbg("num_sge=%d\n", num_sge);
36- if (!num_sge) {
37- pr_dbg("num_sge=0\n");
38- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
39+ if (!num_sge || num_sge > MAX_SGE) {
40+ pr_dbg("invalid num_sge=%d\n", num_sge);
41+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
42 return;
43 }
44
45@@ -390,9 +390,9 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev,
46 }
47
48 pr_dbg("num_sge=%d\n", num_sge);
49- if (!num_sge) {
50- pr_dbg("num_sge=0\n");
51- comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
52+ if (!num_sge || num_sge > MAX_SGE) {
53+ pr_dbg("invalid num_sge=%d\n", num_sge);
54+ comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx);
55 return;
56 }
57
58--
592.20.1
60
diff --git a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch b/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
deleted file mode 100644
index 56559c8388..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0016-fix-CVE-2018-20125.patch
+++ /dev/null
@@ -1,54 +0,0 @@
1CVE: CVE-2018-20125
2Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2c858ce]
3
4Signed-off-by: Kai Kang <kai.kang@windriver.com>
5
6From 2c858ce5da8ae6689c75182b73bc455a291cad41 Mon Sep 17 00:00:00 2001
7From: Prasad J Pandit <pjp@fedoraproject.org>
8Date: Thu, 13 Dec 2018 01:00:36 +0530
9Subject: [PATCH] pvrdma: check number of pages when creating rings
10
11When creating CQ/QP rings, an object can have up to
12PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
13to avoid excessive memory allocation or a null dereference.
14
15Reported-by: Li Qiang <liq3ea@163.com>
16Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
17Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
18Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
19---
20 hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
21 1 file changed, 11 insertions(+)
22
23diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
24index 3b94545761..f236ac4795 100644
25--- a/hw/rdma/vmw/pvrdma_cmd.c
26+++ b/hw/rdma/vmw/pvrdma_cmd.c
27@@ -259,6 +259,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
28 int rc = -EINVAL;
29 char ring_name[MAX_RING_NAME_SZ];
30
31+ if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
32+ pr_dbg("invalid nchunks: %d\n", nchunks);
33+ return rc;
34+ }
35+
36 pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
37 dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
38 if (!dir) {
39@@ -372,6 +377,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
40 char ring_name[MAX_RING_NAME_SZ];
41 uint32_t wqe_sz;
42
43+ if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
44+ || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
45+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);
46+ return rc;
47+ }
48+
49 pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
50 dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
51 if (!dir) {
52--
532.20.1
54
diff --git a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch b/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
deleted file mode 100644
index 8329f2cfd0..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0017-fix-CVE-2018-20126.patch
+++ /dev/null
@@ -1,113 +0,0 @@
1CVE: CVE-2018-20126
2Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=509f57c]
3
4Backport and rebase patch to fix CVE-2018-20126.
5
6Signed-off-by: Kai Kang <kai.kang@windriver.com>
7
8From 509f57c98e7536905bb4902363d0cba66ce7e089 Mon Sep 17 00:00:00 2001
9From: Prasad J Pandit <pjp@fedoraproject.org>
10Date: Thu, 13 Dec 2018 01:00:37 +0530
11Subject: [PATCH] pvrdma: release ring object in case of an error
12
13create_cq and create_qp routines allocate ring object, but it's
14not released in case of an error, leading to memory leakage.
15
16Reported-by: Li Qiang <liq3ea@163.com>
17Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
18Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
19Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
20---
21 hw/rdma/vmw/pvrdma_cmd.c | 41 ++++++++++++++++++++++++++++++-----------
22 1 file changed, 30 insertions(+), 11 deletions(-)
23
24diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
25index 4faeb21..9b6796f 100644
26--- a/hw/rdma/vmw/pvrdma_cmd.c
27+++ b/hw/rdma/vmw/pvrdma_cmd.c
28@@ -310,6 +310,14 @@ out:
29 return rc;
30 }
31
32+static void destroy_cq_ring(PvrdmaRing *ring)
33+{
34+ pvrdma_ring_free(ring);
35+ /* ring_state was in slot 1, not 0 so need to jump back */
36+ rdma_pci_dma_unmap(ring->dev, --ring->ring_state, TARGET_PAGE_SIZE);
37+ g_free(ring);
38+}
39+
40 static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
41 union pvrdma_cmd_resp *rsp)
42 {
43@@ -333,6 +341,10 @@ static int create_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
44
45 resp->hdr.err = rdma_rm_alloc_cq(&dev->rdma_dev_res, &dev->backend_dev,
46 cmd->cqe, &resp->cq_handle, ring);
47+ if (resp->hdr.err) {
48+ destroy_cq_ring(ring);
49+ }
50+
51 resp->cqe = cmd->cqe;
52
53 out:
54@@ -356,10 +368,7 @@ static int destroy_cq(PVRDMADev *dev, union pvrdma_cmd_req *req,
55 }
56
57 ring = (PvrdmaRing *)cq->opaque;
58- pvrdma_ring_free(ring);
59- /* ring_state was in slot 1, not 0 so need to jump back */
60- rdma_pci_dma_unmap(PCI_DEVICE(dev), --ring->ring_state, TARGET_PAGE_SIZE);
61- g_free(ring);
62+ destroy_cq_ring(ring);
63
64 rdma_rm_dealloc_cq(&dev->rdma_dev_res, cmd->cq_handle);
65
66@@ -451,6 +460,17 @@ out:
67 return rc;
68 }
69
70+static void destroy_qp_rings(PvrdmaRing *ring)
71+{
72+ pr_dbg("sring=%p\n", &ring[0]);
73+ pvrdma_ring_free(&ring[0]);
74+ pr_dbg("rring=%p\n", &ring[1]);
75+ pvrdma_ring_free(&ring[1]);
76+
77+ rdma_pci_dma_unmap(ring->dev, ring->ring_state, TARGET_PAGE_SIZE);
78+ g_free(ring);
79+}
80+
81 static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
82 union pvrdma_cmd_resp *rsp)
83 {
84@@ -482,6 +502,11 @@ static int create_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
85 cmd->max_recv_wr, cmd->max_recv_sge,
86 cmd->recv_cq_handle, rings, &resp->qpn);
87
88+ if (resp->hdr.err) {
89+ destroy_qp_rings(rings);
90+ return resp->hdr.err;
91+ }
92+
93 resp->max_send_wr = cmd->max_send_wr;
94 resp->max_recv_wr = cmd->max_recv_wr;
95 resp->max_send_sge = cmd->max_send_sge;
96@@ -555,13 +580,7 @@ static int destroy_qp(PVRDMADev *dev, union pvrdma_cmd_req *req,
97 rdma_rm_dealloc_qp(&dev->rdma_dev_res, cmd->qp_handle);
98
99 ring = (PvrdmaRing *)qp->opaque;
100- pr_dbg("sring=%p\n", &ring[0]);
101- pvrdma_ring_free(&ring[0]);
102- pr_dbg("rring=%p\n", &ring[1]);
103- pvrdma_ring_free(&ring[1]);
104-
105- rdma_pci_dma_unmap(PCI_DEVICE(dev), ring->ring_state, TARGET_PAGE_SIZE);
106- g_free(ring);
107+ destroy_qp_rings(ring);
108
109 return 0;
110 }
111--
1122.20.1
113
diff --git a/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch b/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch
deleted file mode 100644
index 8f8ff0567a..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0018-fix-CVE-2018-20191.patch
+++ /dev/null
@@ -1,47 +0,0 @@
1CVE: CVE-2018-20191
2Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=2aa8645]
3
4Signed-off-by: Kai Kang <kai.kang@windriver.com>
5
6From 2aa86456fb938a11f2b7bd57c8643c213218681c Mon Sep 17 00:00:00 2001
7From: Prasad J Pandit <pjp@fedoraproject.org>
8Date: Thu, 13 Dec 2018 01:00:35 +0530
9Subject: [PATCH] pvrdma: add uar_read routine
10
11Define skeleton 'uar_read' routine. Avoid NULL dereference.
12
13Reported-by: Li Qiang <liq3ea@163.com>
14Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
15Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
16Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
17---
18 hw/rdma/vmw/pvrdma_main.c | 6 ++++++
19 1 file changed, 6 insertions(+)
20
21diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
22index 64de16fb52..838ad8a949 100644
23--- a/hw/rdma/vmw/pvrdma_main.c
24+++ b/hw/rdma/vmw/pvrdma_main.c
25@@ -448,6 +448,11 @@ static const MemoryRegionOps regs_ops = {
26 },
27 };
28
29+static uint64_t uar_read(void *opaque, hwaddr addr, unsigned size)
30+{
31+ return 0xffffffff;
32+}
33+
34 static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
35 {
36 PVRDMADev *dev = opaque;
37@@ -489,6 +494,7 @@ static void uar_write(void *opaque, hwaddr addr, uint64_t val, unsigned size)
38 }
39
40 static const MemoryRegionOps uar_ops = {
41+ .read = uar_read,
42 .write = uar_write,
43 .endianness = DEVICE_LITTLE_ENDIAN,
44 .impl = {
45--
462.20.1
47
diff --git a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
deleted file mode 100644
index c02bad3bb9..0000000000
--- a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch
+++ /dev/null
@@ -1,85 +0,0 @@
1CVE: CVE-2018-20216
2Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38]
3
4Signed-off-by: Kai Kang <kai.kang@windriver.com>
5
6From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001
7From: Prasad J Pandit <pjp@fedoraproject.org>
8Date: Thu, 13 Dec 2018 01:00:39 +0530
9Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines
10
11pvrdma_idx_ring_has_[data/space] routines also return invalid
12index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check
13return value from these routines to avoid plausible infinite loops.
14
15Reported-by: Li Qiang <liq3ea@163.com>
16Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
17Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
18Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
19---
20 hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------
21 1 file changed, 11 insertions(+), 18 deletions(-)
22
23diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
24index 01247fc041..e8e5b502f6 100644
25--- a/hw/rdma/vmw/pvrdma_dev_ring.c
26+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
27@@ -73,23 +73,16 @@ out:
28
29 void *pvrdma_ring_next_elem_read(PvrdmaRing *ring)
30 {
31+ int e;
32 unsigned int idx = 0, offset;
33
34- /*
35- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
36- ring->ring_state->cons_head);
37- */
38-
39- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) {
40+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx);
41+ if (e <= 0) {
42 pr_dbg("No more data in ring\n");
43 return NULL;
44 }
45
46 offset = idx * ring->elem_sz;
47- /*
48- pr_dbg("idx=%d\n", idx);
49- pr_dbg("offset=%d\n", offset);
50- */
51 return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
52 }
53
54@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring)
55
56 void *pvrdma_ring_next_elem_write(PvrdmaRing *ring)
57 {
58- unsigned int idx, offset, tail;
59+ int idx;
60+ unsigned int offset, tail;
61
62- /*
63- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail,
64- ring->ring_state->cons_head);
65- */
66-
67- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) {
68+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail);
69+ if (idx <= 0) {
70 pr_dbg("CQ is full\n");
71 return NULL;
72 }
73
74 idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems);
75- /* TODO: tail == idx */
76+ if (idx < 0 || tail != idx) {
77+ pr_dbg("invalid idx\n");
78+ return NULL;
79+ }
80
81 offset = idx * ring->elem_sz;
82 return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE);
83--
842.20.1
85
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch b/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
deleted file mode 100644
index c9508d9ba8..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2018-20815.patch
+++ /dev/null
@@ -1,38 +0,0 @@
1From 8bb018af1a7f2b9965f872a4b1121864e73e1b61 Mon Sep 17 00:00:00 2001
2From: Peter Maydell <peter.maydell@linaro.org>
3Date: Fri, 14 Dec 2018 13:30:52 +0000
4Subject: [PATCH] device_tree.c: Don't use load_image()
5
6The load_image() function is deprecated, as it does not let the
7caller specify how large the buffer to read the file into is.
8Instead use load_image_size().
9
10Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
11Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
12Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
13Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
14Reviewed-by: Eric Blake <eblake@redhat.com>
15Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
16
17Upstream-Status: Backport [https://github.com/qemu/qemu/commit/da885fe1ee8b4589047484bd7fa05a4905b52b17]
18CVE: CVE-2018-20815
19Signed-off-by: Naveen Saini <naveen.kumar.saini@intel.com>
20---
21 device_tree.c | 2 +-
22 1 file changed, 1 insertion(+), 1 deletion(-)
23
24diff --git a/device_tree.c b/device_tree.c
25index 6d9c9726f6..296278e12a 100644
26--- a/device_tree.c
27+++ b/device_tree.c
28@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
29 /* First allocate space in qemu for device tree */
30 fdt = g_malloc0(dt_size);
31
32- dt_file_load_size = load_image(filename_path, fdt);
33+ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
34 if (dt_file_load_size < 0) {
35 error_report("Unable to open device tree file '%s'",
36 filename_path);
37--
382.17.1
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
deleted file mode 100644
index 7de5882b3e..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch
+++ /dev/null
@@ -1,39 +0,0 @@
1QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an
2out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc()
3function. A local attacker with permission to execute i2c commands could exploit
4this to read stack memory of the qemu process on the host.
5
6CVE: CVE-2019-3812
7Upstream-Status: Backport
8Signed-off-by: Ross Burton <ross.burton@intel.com>
9
10From b05b267840515730dbf6753495d5b7bd8b04ad1c Mon Sep 17 00:00:00 2001
11From: Gerd Hoffmann <kraxel@redhat.com>
12Date: Tue, 8 Jan 2019 11:23:01 +0100
13Subject: [PATCH] i2c-ddc: fix oob read
14MIME-Version: 1.0
15Content-Type: text/plain; charset=UTF-8
16Content-Transfer-Encoding: 8bit
17
18Suggested-by: Michael Hanselmann <public@hansmi.ch>
19Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
20Reviewed-by: Michael Hanselmann <public@hansmi.ch>
21Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
22Message-id: 20190108102301.1957-1-kraxel@redhat.com
23---
24 hw/i2c/i2c-ddc.c | 2 +-
25 1 file changed, 1 insertion(+), 1 deletion(-)
26
27diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c
28index be34fe072cf..0a0367ff38f 100644
29--- a/hw/i2c/i2c-ddc.c
30+++ b/hw/i2c/i2c-ddc.c
31@@ -56,7 +56,7 @@ static int i2c_ddc_rx(I2CSlave *i2c)
32 I2CDDCState *s = I2CDDC(i2c);
33
34 int value;
35- value = s->edid_blob[s->reg];
36+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)];
37 s->reg++;
38 return value;
39 }
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch b/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
deleted file mode 100644
index d1d7d23968..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch
+++ /dev/null
@@ -1,215 +0,0 @@
1From 8c2e30a92d95d89e2cf45d229bce274881026cf7 Mon Sep 17 00:00:00 2001
2From: Prasad J Pandit <pjp@fedoraproject.org>
3Date: Mon, 18 Feb 2019 23:43:49 +0530
4Subject: [PATCH] ppc: add host-serial and host-model machine attributes
5 (CVE-2019-8934)
6MIME-Version: 1.0
7Content-Type: text/plain; charset=UTF-8
8Content-Transfer-Encoding: 8bit
9
10On ppc hosts, hypervisor shares following system attributes
11
12 - /proc/device-tree/system-id
13 - /proc/device-tree/model
14
15with a guest. This could lead to information leakage and misuse.[*]
16Add machine attributes to control such system information exposure
17to a guest.
18
19[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028
20
21Reported-by: Daniel P. Berrangé <berrange@redhat.com>
22Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com>
23Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
24Message-Id: <20190218181349.23885-1-ppandit@redhat.com>
25Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
26Reviewed-by: Greg Kurz <groug@kaod.org>
27Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
28
29CVE: CVE-2019-8934
30Upstream-Status: Backport
31[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b]
32
33Signed-off-by: Dan Tran <dantran@microsoft.com>
34---
35 hw/ppc/spapr.c | 128 ++++++++++++++++++++++++++++++++++++++---
36 include/hw/ppc/spapr.h | 2 +
37 2 files changed, 123 insertions(+), 7 deletions(-)
38
39diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c
40index 7afd1a175b..bcee7c162d 100644
41--- a/hw/ppc/spapr.c
42+++ b/hw/ppc/spapr.c
43@@ -1244,13 +1244,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr,
44 * Add info to guest to indentify which host is it being run on
45 * and what is the uuid of the guest
46 */
47- if (kvmppc_get_host_model(&buf)) {
48- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
49- g_free(buf);
50+ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) {
51+ if (g_str_equal(spapr->host_model, "passthrough")) {
52+ /* -M host-model=passthrough */
53+ if (kvmppc_get_host_model(&buf)) {
54+ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf));
55+ g_free(buf);
56+ }
57+ } else {
58+ /* -M host-model=<user-string> */
59+ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model));
60+ }
61 }
62- if (kvmppc_get_host_serial(&buf)) {
63- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
64- g_free(buf);
65+
66+ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) {
67+ if (g_str_equal(spapr->host_serial, "passthrough")) {
68+ /* -M host-serial=passthrough */
69+ if (kvmppc_get_host_serial(&buf)) {
70+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf));
71+ g_free(buf);
72+ }
73+ } else {
74+ /* -M host-serial=<user-string> */
75+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial));
76+ }
77 }
78
79 buf = qemu_uuid_unparse_strdup(&qemu_uuid);
80@@ -3031,6 +3048,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name,
81 visit_type_uint32(v, name, (uint32_t *)opaque, errp);
82 }
83
84+static char *spapr_get_ic_mode(Object *obj, Error **errp)
85+{
86+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
87+
88+ if (spapr->irq == &spapr_irq_xics_legacy) {
89+ return g_strdup("legacy");
90+ } else if (spapr->irq == &spapr_irq_xics) {
91+ return g_strdup("xics");
92+ } else if (spapr->irq == &spapr_irq_xive) {
93+ return g_strdup("xive");
94+ } else if (spapr->irq == &spapr_irq_dual) {
95+ return g_strdup("dual");
96+ }
97+ g_assert_not_reached();
98+}
99+
100+static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp)
101+{
102+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
103+
104+ if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) {
105+ error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode");
106+ return;
107+ }
108+
109+ /* The legacy IRQ backend can not be set */
110+ if (strcmp(value, "xics") == 0) {
111+ spapr->irq = &spapr_irq_xics;
112+ } else if (strcmp(value, "xive") == 0) {
113+ spapr->irq = &spapr_irq_xive;
114+ } else if (strcmp(value, "dual") == 0) {
115+ spapr->irq = &spapr_irq_dual;
116+ } else {
117+ error_setg(errp, "Bad value for \"ic-mode\" property");
118+ }
119+}
120+
121+static char *spapr_get_host_model(Object *obj, Error **errp)
122+{
123+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
124+
125+ return g_strdup(spapr->host_model);
126+}
127+
128+static void spapr_set_host_model(Object *obj, const char *value, Error **errp)
129+{
130+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
131+
132+ g_free(spapr->host_model);
133+ spapr->host_model = g_strdup(value);
134+}
135+
136+static char *spapr_get_host_serial(Object *obj, Error **errp)
137+{
138+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
139+
140+ return g_strdup(spapr->host_serial);
141+}
142+
143+static void spapr_set_host_serial(Object *obj, const char *value, Error **errp)
144+{
145+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
146+
147+ g_free(spapr->host_serial);
148+ spapr->host_serial = g_strdup(value);
149+}
150+
151 static void spapr_instance_init(Object *obj)
152 {
153 sPAPRMachineState *spapr = SPAPR_MACHINE(obj);
154@@ -3067,6 +3151,25 @@ static void spapr_instance_init(Object *obj)
155 " the host's SMT mode", &error_abort);
156 object_property_add_bool(obj, "vfio-no-msix-emulation",
157 spapr_get_msix_emulation, NULL, NULL);
158+
159+ /* The machine class defines the default interrupt controller mode */
160+ spapr->irq = smc->irq;
161+ object_property_add_str(obj, "ic-mode", spapr_get_ic_mode,
162+ spapr_set_ic_mode, NULL);
163+ object_property_set_description(obj, "ic-mode",
164+ "Specifies the interrupt controller mode (xics, xive, dual)",
165+ NULL);
166+
167+ object_property_add_str(obj, "host-model",
168+ spapr_get_host_model, spapr_set_host_model,
169+ &error_abort);
170+ object_property_set_description(obj, "host-model",
171+ "Set host's model-id to use - none|passthrough|string", &error_abort);
172+ object_property_add_str(obj, "host-serial",
173+ spapr_get_host_serial, spapr_set_host_serial,
174+ &error_abort);
175+ object_property_set_description(obj, "host-serial",
176+ "Set host's system-id to use - none|passthrough|string", &error_abort);
177 }
178
179 static void spapr_machine_finalizefn(Object *obj)
180@@ -3965,7 +4068,18 @@ static void spapr_machine_3_1_instance_options(MachineState *machine)
181
182 static void spapr_machine_3_1_class_options(MachineClass *mc)
183 {
184- /* Defaults for the latest behaviour inherited from the base class */
185+ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc);
186+ static GlobalProperty compat[] = {
187+ { TYPE_SPAPR_MACHINE, "host-model", "passthrough" },
188+ { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" },
189+ };
190+
191+ spapr_machine_4_0_class_options(mc);
192+ compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len);
193+ compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat));
194+
195+ mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0");
196+ smc->update_dt_enabled = false;
197 }
198
199 DEFINE_SPAPR_MACHINE(3_1, "3.1", true);
200diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h
201index 6279711fe8..63692a13bd 100644
202--- a/include/hw/ppc/spapr.h
203+++ b/include/hw/ppc/spapr.h
204@@ -171,6 +171,8 @@ struct sPAPRMachineState {
205
206 /*< public >*/
207 char *kvm_type;
208+ char *host_model;
209+ char *host_serial;
210
211 const char *icp_type;
212 int32_t irq_map_nr;
213--
2142.22.0.vfs.1.1.57.gbaf16c8
215
diff --git a/meta/recipes-devtools/qemu/qemu_3.1.0.bb b/meta/recipes-devtools/qemu/qemu_3.1.1.1.bb
index 04d8bee99f..04d8bee99f 100644
--- a/meta/recipes-devtools/qemu/qemu_3.1.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_3.1.1.1.bb