1 files changed, 60 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
new file mode 100644
index 0000000000..c4ed354e8e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
@@ -0,0 +1,60 @@
+From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Mon, 20 Jun 2016 16:32:39 +0200
+Subject: [PATCH] scsi: esp: fix migration
+Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
+2016-06-16) changed the size of a migrated field.  Split it in two
+parts, and only migrate the second part in a new vmstate version.
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2016-6351 patch1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ hw/scsi/esp.c               | 5 +++--
+ include/migration/vmstate.h | 5 ++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+Index: qemu-2.4.0/hw/scsi/esp.c
+===================================================================
+--- qemu-2.4.0.orig/hw/scsi/esp.c
+++ qemu-2.4.0/hw/scsi/esp.c
+@@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque
+ 
+ const VMStateDescription vmstate_esp = {
+     .name ="esp",
+-    .version_id = 3,
+    .version_id = 4,
+     .minimum_version_id = 3,
+     .fields = (VMStateField[]) {
+         VMSTATE_BUFFER(rregs, ESPState),
+@@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = {
+         VMSTATE_BUFFER(ti_buf, ESPState),
+         VMSTATE_UINT32(status, ESPState),
+         VMSTATE_UINT32(dma, ESPState),
+-        VMSTATE_BUFFER(cmdbuf, ESPState),
+        VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
+        VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
+         VMSTATE_UINT32(cmdlen, ESPState),
+         VMSTATE_UINT32(do_cmd, ESPState),
+         VMSTATE_UINT32(dma_left, ESPState),
+Index: qemu-2.4.0/include/migration/vmstate.h
+===================================================================
+--- qemu-2.4.0.orig/include/migration/vmstate.h
+++ qemu-2.4.0/include/migration/vmstate.h
+@@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi
+ #define VMSTATE_PARTIAL_BUFFER(_f, _s, _size)                         \
+     VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
+ 
+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
+    VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
+
+ #define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
+-    VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
+    VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
+ 
+ #define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size)                        \
+     VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch new file mode 100644 index 0000000000..c4ed354e8e --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-6351_p2.patch
@@ -0,0 +1,60 @@
	1	From cc96677469388bad3d66479379735cf75db069e3 Mon Sep 17 00:00:00 2001
	2	From: Paolo Bonzini <pbonzini@redhat.com>
	3	Date: Mon, 20 Jun 2016 16:32:39 +0200
	4	Subject: [PATCH] scsi: esp: fix migration
	5
	6	Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
	7	2016-06-16) changed the size of a migrated field. Split it in two
	8	parts, and only migrate the second part in a new vmstate version.
	9
	10	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	11
	12	Upstream-Status: Backport
	13	CVE: CVE-2016-6351 patch1
	14	Signed-off-by: Armin Kuster <akuster@mvista.com>
	15
	16	---
	17	hw/scsi/esp.c \| 5 +++--
	18	include/migration/vmstate.h \| 5 ++++-
	19	2 files changed, 7 insertions(+), 3 deletions(-)
	20
	21	Index: qemu-2.4.0/hw/scsi/esp.c
	22	===================================================================
	23	--- qemu-2.4.0.orig/hw/scsi/esp.c
	24	+++ qemu-2.4.0/hw/scsi/esp.c
	25	@@ -571,7 +571,7 @@ static bool esp_mem_accepts(void *opaque
	26
	27	const VMStateDescription vmstate_esp = {
	28	.name ="esp",
	29	- .version_id = 3,
	30	+ .version_id = 4,
	31	.minimum_version_id = 3,
	32	.fields = (VMStateField[]) {
	33	VMSTATE_BUFFER(rregs, ESPState),
	34	@@ -582,7 +582,8 @@ const VMStateDescription vmstate_esp = {
	35	VMSTATE_BUFFER(ti_buf, ESPState),
	36	VMSTATE_UINT32(status, ESPState),
	37	VMSTATE_UINT32(dma, ESPState),
	38	- VMSTATE_BUFFER(cmdbuf, ESPState),
	39	+ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
	40	+ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
	41	VMSTATE_UINT32(cmdlen, ESPState),
	42	VMSTATE_UINT32(do_cmd, ESPState),
	43	VMSTATE_UINT32(dma_left, ESPState),
	44	Index: qemu-2.4.0/include/migration/vmstate.h
	45	===================================================================
	46	--- qemu-2.4.0.orig/include/migration/vmstate.h
	47	+++ qemu-2.4.0/include/migration/vmstate.h
	48	@@ -778,8 +778,11 @@ extern const VMStateInfo vmstate_info_bi
	49	#define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
	50	VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
	51
	52	+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
	53	+ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
	54	+
	55	#define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
	56	- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
	57	+ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
	58
	59	#define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
	60	VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)