Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch | 57 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch | 32 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/disable-grabs.patch | 72 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch | 84 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch | 22 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/powerpc_rom.bin | bin | 0 -> 4096 bytes | |||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch | 92 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch | 48 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch | 53 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/wacom.patch | 130 |
10 files changed, 590 insertions, 0 deletions
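--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
@@ -0,0 +1,57 @@
+From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin" <mst@redhat.com>
+Date: Wed, 12 Nov 2014 11:44:39 +0200
+Subject: [PATCH] migration: fix parameter validation on ram load
+
+During migration, the values read from migration stream during ram load
+are not validated. Especially offset in host_from_stream_offset() and
+also the length of the writes in the callers of said function.
+
+To fix this, we need to make sure that the [offset, offset + length]
+range fits into one of the allocated memory regions.
+
+Validating addr < len should be sufficient since data seems to always be
+managed in TARGET_PAGE_SIZE chunks.
+
+Fixes: CVE-2014-7840
+
+Upstream-Status: Backport
+
+Note: follow-up patches add extra checks on each block->host access.
+
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+arch_init.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/arch_init.c b/arch_init.c
+index 88a5ba0..593a990 100644
+--- a/arch_init.c
++++ b/arch_init.c
+@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+uint8_t len;
+
+if (flags & RAM_SAVE_FLAG_CONTINUE) {
+- if (!block) {
++ if (!block || block->length <= offset) {
+error_report("Ack, bad migration stream!");
+return NULL;
+}
+@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
+id[len] = 0;
+
+QTAILQ_FOREACH(block, &ram_list.blocks, next) {
+- if (!strncmp(id, block->idstr, sizeof(id)))
++ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
+return memory_region_get_ram_ptr(block->mr) + offset;
++ }
+}
+
+error_report("Can't find block %s!", id);
+--
+1.9.1
+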
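Review bot: The new guard `block->length <= offset` in host_from_stream_offset() only bounds the start of the access; the patch's own message says the upper bound relies on data always being handled in TARGET_PAGE_SIZE chunks and that follow-up upstream patches add checks on each block->host access. Carrying this backport alone leaves the end of the [offset, offset + length) range unchecked for any block whose length is not a page multiple or any stream write that is not page sized, so the recipe should also pick up those follow-up commits, or the patch header should record that they were evaluated and found unnecessary for this qemu version. The callers that perform the actual writes are outside this hunk and cannot be assessed here.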
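--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/configure-fix-Darwin-target-detection.patch
@@ -0,0 +1,32 @@
+Upstream-Status: Pending
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
+
+From 9ac096d8eccf2d56ece646320c282c8369f8337c Mon Sep 17 00:00:00 2001
+From: Cristian Iorga <cristian.iorga@intel.com>
+Date: Tue, 29 Jul 2014 18:35:59 +0300
+Subject: [PATCH] configure: fix Darwin target detection
+
+fix Darwin target detection for qemu
+cross-compilation.
+
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
+---
+configure | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/configure b/configure
+index 283c71c..1c66a11 100755
+--- a/configure
++++ b/configure
+@@ -444,6 +444,8 @@ elif check_define __sun__ ; then
+targetos='SunOS'
+elif check_define __HAIKU__ ; then
+targetos='Haiku'
++elif check_define __APPLE__ ; then
++ targetos='Darwin'
+else
+targetos=`uname -s`
+fi
+--
+1.9.1
+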
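--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
@@ -0,0 +1,72 @@
+When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls
+XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already
+a pointer grab (screen is locked, a menu is open) then qemu will hang until the
+grab can be taken. In the specific case of a headless X server on an autobuilder, once
+the screensaver has kicked in any qemu instance that appears underneath the
+pointer will hang.
+
+I'm not entirely sure why pointer grabs are required (the documentation
+explicitly says it doesn't do grabs when using a tablet, which we are) so wrap
+them in a conditional that can be set by the autobuilder environment, preserving
+the current grabbing behaviour for everyone else.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+From 4b1988ecb01a178269ec0513a75f2ec620c7ef6a Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Wed, 18 Sep 2013 14:04:54 +0100
+Subject: [PATCH] sdl.c: allow user to disable pointer grabs
+
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+Signed-off-by: Eric BĂ©nard <eric@eukrea.com>
+---
+ui/sdl.c | 12 ++++++++++--
+1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ui/sdl.c b/ui/sdl.c
+index 39a42d6..9b8abe5 100644
+--- a/ui/sdl.c
++++ b/ui/sdl.c
+@@ -59,6 +59,10 @@ static SDL_Cursor *guest_sprite = NULL;
+static SDL_PixelFormat host_format;
+static int scaling_active = 0;
+static Notifier mouse_mode_notifier;
++#ifndef True
++#define True 1
++#endif
++static doing_grabs = True;
+
+static void sdl_update(DisplayChangeListener *dcl,
+int x, int y, int w, int h)
+@@ -384,14 +388,16 @@ static void sdl_grab_start(void)
+SDL_WarpMouse(guest_x, guest_y);
+} else
+sdl_hide_cursor();
+- SDL_WM_GrabInput(SDL_GRAB_ON);
++ if (doing_grabs)
++ SDL_WM_GrabInput(SDL_GRAB_ON);
+gui_grab = 1;
+sdl_update_caption();
+}
+
+static void sdl_grab_end(void)
+{
+- SDL_WM_GrabInput(SDL_GRAB_OFF);
++ if (doing_grabs)
++ SDL_WM_GrabInput(SDL_GRAB_OFF);
+gui_grab = 0;
+sdl_show_cursor();
+sdl_update_caption();
+@@ -909,6 +915,8 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
+* This requires SDL >= 1.2.14. */
+setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
+
++ doing_grabs = (getenv("QEMU_DONT_GRAB") == NULL);
++
+flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
+if (SDL_Init (flags)) {
+fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",
+--
+1.8.3.1
+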
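Review bot: `static doing_grabs = True;` in the first hunk of ui/sdl.c declares the variable with no type, relying on implicit int, which C99 removed and current compilers warn on or reject; the surrounding `#ifndef True` / `#define True 1` block exists only to feed that declaration. Write it as `static int doing_grabs = 1;` and drop the three preprocessor lines, which also keeps the initializer consistent with the `(getenv("QEMU_DONT_GRAB") == NULL)` assignment in the third hunk. The unbraced `if (doing_grabs)` bodies in sdl_grab_start() and sdl_grab_end() behave correctly but would be safer braced, matching the style of the surrounding code.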
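--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
@@ -0,0 +1,84 @@
+fix libcap header issue on some distro
+
+1, When build qemu-native on SLED 11.2, there is an error:
+...
+| In file included from /usr/include/bits/sigcontext.h:28,
+| from /usr/include/signal.h:339,
+| from /buildarea2/tmp/work/i686-linux/qemu-native/1.4.0-r0/
+qemu-1.4.0/include/qemu-common.h:42,
+| from fsdev/virtfs-proxy-helper.c:23:
+| /usr/include/asm/sigcontext.h:28: error: expected specifier-
+qualifier-list before '__u64'
+| /usr/include/asm/sigcontext.h:191: error: expected specifier-
+qualifier-list before '__u64'
+...
+
+2, The virtfs-proxy-helper.c includes <sys/capability.h> and
+qemu-common.h in sequence. The header include map is:
+(`-->' presents `include')
+...
+"virtfs-proxy-helper.c" --> <sys/capability.h>
+...
+"virtfs-proxy-helper.c" --> "qemu-common.h" --> <signal.h> -->
+<bits/sigcontext.h> --> <asm/sigcontext.h> --> <linux/types.h> -->
+<asm/types.h> --> <asm-generic/types.h> --> <asm-generic/int-ll64.h>
+...
+
+3, The bug is found on SLED 11.2 x86. In libcap header file
+/usr/include/sys/capability.h, it does evil stuff like this:
+...
+25 /*
+26 * Make sure we can be included from userland by preventing
+27 * capability.h from including other kernel headers
+28 */
+29 #define _LINUX_TYPES_H
+30 #define _LINUX_FS_H
+31 #define __LINUX_COMPILER_H
+32 #define __user
+33
+34 typedef unsigned int __u32;
+35 typedef __u32 __le32;
+...
+This completely prevents including /usr/include/linux/types.h.
+The above `<asm/sigcontext.h> --> <linux/types.h>' is prevented,
+and '__u64' is defined in <asm-generic/int-ll64.h>.
+
+4, Modify virtfs-proxy-helper.c to include <sys/capability.h>
+last to workaround the issue.
+
+http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
+http://patchwork.linuxtv.org/patch/12748/
+
+Upstream-Status: Pending
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+fsdev/virtfs-proxy-helper.c | 7 +++++--
+1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+--- a/fsdev/virtfs-proxy-helper.c
++++ b/fsdev/virtfs-proxy-helper.c
+@@ -12,7 +12,6 @@
+#include <sys/resource.h>
+#include <getopt.h>
+#include <syslog.h>
+-#include <sys/capability.h>
+#include <sys/fsuid.h>
+#include <sys/vfs.h>
+#include <sys/ioctl.h>
+@@ -26,7 +25,11 @@
+#include "virtio-9p-marshal.h"
+#include "hw/9pfs/virtio-9p-proxy.h"
+#include "fsdev/virtio-9p-marshal.h"
+-
++/*
++ * Include this one last due to some versions of it being buggy:
++ * http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
++ */
++#include <sys/capability.h>
+#define PROGNAME "virtfs-proxy-helper"
+
+#ifndef XFS_SUPER_MAGIC
+--
+1.7.10.4
+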
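--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
@@ -0,0 +1,22 @@
+This patch is taken from debian. 128M is too less sometimes if distro
+with lot of packages is booted so this patch raises the default to 384M
+
+It has not been applied to upstream qemu
+
+Khem Raj <raj.khem@gmail.com>
+
+Upstream-Status: Pending
+
+Index: qemu-0.14.0/vl.c
+===================================================================
+--- qemu-0.14.0.orig/vl.c
++++ qemu-0.14.0/vl.c
+@@ -168,7 +168,7 @@ int main(int argc, char **argv)
+//#define DEBUG_NET
+//#define DEBUG_SLIRP
+
+-#define DEFAULT_RAM_SIZE 128
++#define DEFAULT_RAM_SIZE 384
+
+#define MAX_VIRTIO_CONSOLES 1
+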
diff --git a/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin b/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin new file mode 100644 index 0000000000..c4044296c5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin | |||
Binary files differ | |||
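Review bot: powerpc_rom.bin is added as an opaque 4096-byte binary with nothing in the change stating where it was obtained, how it can be rebuilt from source, or a checksum to verify it against, whereas every patch file in the same commit carries an Upstream-Status header and sign-offs. A blob that cannot be regenerated or verified is hard to audit later, so a short note alongside it (or in the recipe that installs it) giving the origin, the tool or commit it was produced from, and a hash would let reviewers and downstream users confirm it matches the intended artifact.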
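--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
@@ -0,0 +1,92 @@
+qemu: CVE-2015-3456
+
+the patch comes from:
+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
+http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
+
+fdc: force the fifo access to be in bounds of the allocated buffer
+
+During processing of certain commands such as FD_CMD_READ_ID and
+FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
+get out of bounds leading to memory corruption with values coming
+from the guest.
+
+Fix this by making sure that the index is always bounded by the
+allocated memory.
+
+This is CVE-2015-3456.
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Signed-off-by: John Snow <jsnow@redhat.com>
+Signed-off-by: Li Wang <li.wang@windriver.com>
+
+Upstream-Status: Backport
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+hw/block/fdc.c | 17 +++++++++++------
+1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/hw/block/fdc.c b/hw/block/fdc.c
+index 490d127..045459e 100644
+--- a/hw/block/fdc.c
++++ b/hw/block/fdc.c
+@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+{
+FDrive *cur_drv;
+uint32_t retval = 0;
+- int pos;
++ uint32_t pos;
+
+cur_drv = get_cur_drv(fdctrl);
+fdctrl->dsr &= ~FD_DSR_PWRDOWN;
+@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
+return 0;
+}
+pos = fdctrl->data_pos;
++ pos %= FD_SECTOR_LEN;
+if (fdctrl->msr & FD_MSR_NONDMA) {
+- pos %= FD_SECTOR_LEN;
+if (pos == 0) {
+if (fdctrl->data_pos != 0)
+if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
+@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
+static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
+{
+FDrive *cur_drv = get_cur_drv(fdctrl);
++ uint32_t pos;
+
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
++ pos = fdctrl->data_pos - 1;
++ pos %= FD_SECTOR_LEN;
++ if (fdctrl->fifo[pos] & 0x80) {
+/* Command parameters done */
+- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
++ if (fdctrl->fifo[pos] & 0x40) {
+fdctrl->fifo[0] = fdctrl->fifo[1];
+fdctrl->fifo[2] = 0;
+fdctrl->fifo[3] = 0;
+@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
+static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+{
+FDrive *cur_drv;
+- int pos;
++ uint32_t pos;
+
+/* Reset mode */
+if (!(fdctrl->dor & FD_DOR_nRESET)) {
+@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
+}
+
+FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
+- fdctrl->fifo[fdctrl->data_pos++] = value;
++ pos = fdctrl->data_pos++;
++ pos %= FD_SECTOR_LEN;
++ fdctrl->fifo[pos] = value;
+if (fdctrl->data_pos == fdctrl->data_len) {
+/* We now have all parameters
+* and will be able to treat the command
+--
+1.7.9.5
+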
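--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
@@ -0,0 +1,48 @@
+From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Thu, 18 Sep 2014 08:35:37 +0200
+Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
+uninitialized socket
+
+When guest sends udp packet with source port and source addr 0,
+uninitialized socket is picked up when looking for matching and already
+created udp sockets, and later passed to sosendto() where NULL pointer
+dereference is hit during so->slirp->vnetwork_mask.s_addr access.
+
+Fix this by checking that the socket is not just a socket stub.
+
+This is CVE-2014-3640.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
+Reported-by: Stephane Duverger <stephane.duverger@eads.net>
+Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
+Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+slirp/udp.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/slirp/udp.c b/slirp/udp.c
+index 8cc6cb6..f77e00f 100644
+--- a/slirp/udp.c
++++ b/slirp/udp.c
+@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
+* Locate pcb for datagram.
+*/
+so = slirp->udp_last_so;
+- if (so->so_lport != uh->uh_sport ||
++ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
+so->so_laddr.s_addr != ip->ip_src.s_addr) {
+struct socket *tmp;
+
+--
+1.9.1
+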
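--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
@@ -0,0 +1,53 @@
+From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
+From: Petr Matousek <pmatouse@redhat.com>
+Date: Mon, 27 Oct 2014 12:41:44 +0100
+Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
+
+bits_per_pixel that are less than 8 could result in accessing
+non-initialized buffers later in the code due to the expectation
+that bytes_per_pixel value that is used to initialize these buffers is
+never zero.
+
+To fix this check that bits_per_pixel from the client is one of the
+values that the rfb protocol specification allows.
+
+This is CVE-2014-7815.
+
+Upstream-Status: Backport
+
+Signed-off-by: Petr Matousek <pmatouse@redhat.com>
+
+[ kraxel: apply codestyle fix ]
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ui/vnc.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/ui/vnc.c b/ui/vnc.c
+index f8d9b7d..87e34ae 100644
+--- a/ui/vnc.c
++++ b/ui/vnc.c
+@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
+return;
+}
+
++ switch (bits_per_pixel) {
++ case 8:
++ case 16:
++ case 32:
++ break;
++ default:
++ vnc_client_error(vs);
++ return;
++ }
++
+vs->client_pf.rmax = red_max;
+vs->client_pf.rbits = hweight_long(red_max);
+vs->client_pf.rshift = red_shift;
+--
+1.9.1
+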
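--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/wacom.patch
@@ -0,0 +1,130 @@
+The USB wacom device is missing a HID descriptor which causes it
+to fail to operate with recent kernels (e.g. 3.17).
+
+This patch adds a HID desriptor to the device, based upon one from
+real wcom device.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Upstream-Status: Submitted
+2014/11/27
+
+Index: qemu-2.1.0/hw/usb/dev-wacom.c
+===================================================================
+--- qemu-2.1.0.orig/hw/usb/dev-wacom.c 2014-08-01 15:12:17.000000000 +0100
++++ qemu-2.1.0/hw/usb/dev-wacom.c 2014-10-12 12:13:30.540306042 +0100
+@@ -68,6 +68,89 @@
+[STR_SERIALNUMBER] = "1",
+};
+
++static const uint8_t qemu_tablet_hid_report_descriptor[] = {
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x02, /* Usage (Mouse) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x01, /* Report ID (1) */
++ 0x09, 0x01, /* Usage (Pointer) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x05, 0x09, /* Usage Page (Button) */
++ 0x19, 0x01, /* Usage Minimum (1) */
++ 0x29, 0x05, /* Usage Maximum (5) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x25, 0x01, /* Logical Maximum (1) */
++ 0x95, 0x05, /* Report Count (5) */
++ 0x75, 0x01, /* Report Size (1) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0x75, 0x03, /* Report Size (3) */
++ 0x81, 0x01, /* Input (Constant) */
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x30, /* Usage (X) */
++ 0x09, 0x31, /* Usage (Y) */
++ 0x15, 0x81, /* Logical Minimum (-127) */
++ 0x25, 0x7f, /* Logical Maximum (127) */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x02, /* Report Count (2) */
++ 0x81, 0x06, /* Input (Data, Variable, Relative) */
++ 0xc0, /* End Collection */
++ 0xc0, /* End Collection */
++ 0x05, 0x0d, /* Usage Page (Digitizer) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x26, 0xff, 0x00, /* Logical Maximum (255) */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x08, /* Report Count (8) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0xc0, /* End Collection */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0xb1, 0x02, /* FEATURE (2) */
++ 0xc0, /* End Collection */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0x05, 0x0d, /* Usage Page (Digitizer) */
++ 0x09, 0x22, /* Usage (Finger) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x26, 0xff, 0x00, /* Logical Maximum */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x02, /* Report Count (2) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x30, /* Usage (X) */
++ 0x35, 0x00, /* Physical Minimum */
++ 0x46, 0xe0, 0x2e, /* Physical Maximum */
++ 0x26, 0xe0, 0x01, /* Logical Maximum */
++ 0x75, 0x10, /* Report Size (16) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x09, 0x31, /* Usage (Y) */
++ 0x46, 0x40, 0x1f, /* Physical Maximum */
++ 0x26, 0x40, 0x01, /* Logical Maximum */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x26, 0xff, 0x00, /* Logical Maximum */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x0d, /* Report Count (13) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0xc0, /* End Collection */
++ 0xc0, /* End Collection */
++};
++
++
+static const USBDescIface desc_iface_wacom = {
+.bInterfaceNumber = 0,
+.bNumEndpoints = 1,
+@@ -85,7 +168,7 @@
+0x00, /* u8 country_code */
+0x01, /* u8 num_descriptors */
+0x22, /* u8 type: Report */
+- 0x6e, 0, /* u16 len */
++ sizeof(qemu_tablet_hid_report_descriptor), 0, /* u16 len */
+},
+},
+},
+@@ -265,6 +350,15 @@
+}
+
+switch (request) {
++ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
++ switch (value >> 8) {
++ case 0x22:
++ memcpy(data, qemu_tablet_hid_report_descriptor,
++ sizeof(qemu_tablet_hid_report_descriptor));
++ p->actual_length = sizeof(qemu_tablet_hid_report_descriptor);
++ break;
++ }
++ break;
+case WACOM_SET_REPORT:
+if (s->mouse_grabbed) {
+qemu_remove_mouse_event_handler(s->eh_entry);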
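Review bot: In the third hunk of hw/usb/dev-wacom.c the inner `switch (value >> 8)` has no `default`, so a GET_DESCRIPTOR for any descriptor type other than 0x22 falls out of both switches and completes as a success with whatever `p->actual_length` already held instead of being refused; the enclosing control handler starts and ends outside the hunk, so whether it already has a stall path to jump to is not visible here. Adding `default: p->status = USB_RET_STALL; break;` to the inner switch, or reusing the handler's existing failure path, makes unsupported descriptor types an explicit error. The `memcpy` also copies the whole table regardless of the request's `length`, so the host's wLength is ignored on this path, and in the second hunk `sizeof(qemu_tablet_hid_report_descriptor), 0` in a uint8_t initializer silently truncates if the table ever grows past 255 bytes; `sizeof(qemu_tablet_hid_report_descriptor) & 0xff, sizeof(qemu_tablet_hid_report_descriptor) >> 8` keeps the u16 length honest.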