Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch | 63 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch | 58 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch | 52 |
3 files changed, 173 insertions, 0 deletions
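--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch
@@ -0,0 +1,63 @@
+From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:28 +0800
+Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
+
+Factor out sg unmapping logic. This will be reused by the patch that
+can discard descriptor.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Andrew James <andrew.james@hpe.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c
+
+CVE: CVE-2015-7295 patch #1
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/virtio/virtio.c | 14 ++++++++++----
+1 file changed, 10 insertions(+), 4 deletions(-)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq)
+return vring_avail_idx(vq) == vq->last_avail_idx;
+}
+
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+- unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
+{
+unsigned int offset;
+int i;
+
+- trace_virtqueue_fill(vq, elem, len, idx);
+-
+offset = 0;
+for (i = 0; i < elem->in_num; i++) {
+size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
+@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const
+cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
+elem->out_sg[i].iov_len,
+0, elem->out_sg[i].iov_len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len, unsigned int idx)
++{
++ trace_virtqueue_fill(vq, elem, len, idx);
++
++ virtqueue_unmap_sg(vq, elem, len);
+
+idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+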
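Review bot: `virtqueue_unmap_sg()` is introduced without a comment saying what `len` means, and the later patches in this series pass it values that depend on that meaning. From the visible loop, `len` caps how much of each `in_sg` entry is counted (`MIN(len - offset, elem->in_sg[i].iov_len)`), while each `out_sg` entry is unmapped with an access length equal to its full `iov_len`. I would add `/* len: number of bytes written into elem->in_sg; out_sg entries are unmapped in full. */` above the definition. The middle of the function body lies between the two hunks and is not shown, so the wording should be checked against it.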
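--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch
@@ -0,0 +1,58 @@
+From 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:29 +0800
+Subject: [PATCH] virtio: introduce virtqueue_discard()
+
+This patch introduces virtqueue_discard() to discard a descriptor and
+unmap the sgs. This will be used by the patch that will discard
+descriptor when packet is truncated.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=29b9f5efd78ae0f9cc02dd169b6e80d2c404bade
+
+CVE: CVE-2015-7295 patch #2
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/virtio/virtio.c | 7 +++++++
+include/hw/virtio/virtio.h | 2 ++
+2 files changed, 9 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue
+0, elem->out_sg[i].iov_len);
+}
+
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
++{
++ vq->last_avail_idx--;
++ virtqueue_unmap_sg(vq, elem, len);
++}
++
+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len, unsigned int idx)
+{
+Index: qemu-2.4.0/include/hw/virtio/virtio.h
+===================================================================
+--- qemu-2.4.0.orig/include/hw/virtio/virtio.h
++++ qemu-2.4.0/include/hw/virtio/virtio.h
+@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev
+void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len);
+void virtqueue_flush(VirtQueue *vq, unsigned int count);
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len);
+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len, unsigned int idx);
+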
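Review bot: `virtqueue_discard()` rewinds `vq->last_avail_idx` unconditionally, so it is only correct for the element returned by the most recent `virtqueue_pop()` on this queue, and neither the definition nor the new prototype in virtio.h states that precondition. `virtqueue_pop()` is not shown here; if it also counts the popped element as in flight (upstream QEMU keeps such a counter in `vq->inuse`), the discard has to undo that as well, otherwise the count drifts by one for every truncated packet. I would add `/* Undo the most recent virtqueue_pop(): elem must be that element and must not have been filled or pushed. */` above the definition. The in-flight accounting should be checked against the 2.4.0 tree before this backport is relied on.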
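--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch
@@ -0,0 +1,52 @@
+From 0cf33fb6b49a19de32859e2cdc6021334f448fb3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:30 +0800
+Subject: [PATCH] virtio-net: correctly drop truncated packets
+
+When packet is truncated during receiving, we drop the packets but
+neither discard the descriptor nor add and signal used
+descriptor. This will lead several issues:
+
+- sg mappings are leaked
+- rx will be stalled if a lots of packets were truncated
+
+In order to be consistent with vhost, fix by discarding the descriptor
+in this case.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=0cf33fb6b49a19de32859e2cdc6021334f448fb3
+
+CVE: CVE-2015-7295 patch #3
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/net/virtio-net.c | 8 +-------
+1 file changed, 1 insertion(+), 7 deletions(-)
+
+Index: qemu-2.4.0/hw/net/virtio-net.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/virtio-net.c
++++ qemu-2.4.0/hw/net/virtio-net.c
+@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetCli
+* must have consumed the complete packet.
+* Otherwise, drop it. */
+if (!n->mergeable_rx_bufs && offset < size) {
+-#if 0
+- error_report("virtio-net truncated non-mergeable packet: "
+- "i %zd mergeable %d offset %zd, size %zd, "
+- "guest hdr len %zd, host hdr len %zd",
+- i, n->mergeable_rx_bufs,
+- offset, size, n->guest_hdr_len, n->host_hdr_len);
+-#endif
++ virtqueue_discard(q->rx_vq, &elem, total);
+return size;
+}
+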
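Review bot: The truncated-packet branch in `virtio_net_receive()` now drops silently: the disabled `error_report()` is removed and `virtqueue_discard(q->rx_vq, &elem, total);` takes its place with no counter or trace point. Re-enabling `error_report()` would be the wrong fix, since the branch can be reached once per packet and could flood the host log. A trace event would suit better (the tree already has them, e.g. `trace_virtqueue_fill` in virtio.c), so an operator can see sustained drops. The call also appears to rely on `!n->mergeable_rx_bufs` meaning only one element was popped for this packet; a comment such as `/* non-mergeable: exactly one element was popped, so one discard undoes it */` would protect the branch against later edits. The rest of the function is outside the hunk, so whether `total` covers only the bytes copied into this element should be confirmed there.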