Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
28 files changed, 1140 insertions, 280 deletions
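--- a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001
-From: "Michael S. Tsirkin" <mst@redhat.com>
-Date: Wed, 12 Nov 2014 11:44:39 +0200
-Subject: [PATCH] migration: fix parameter validation on ram load
-
-During migration, the values read from migration stream during ram load
-are not validated. Especially offset in host_from_stream_offset() and
-also the length of the writes in the callers of said function.
-
-To fix this, we need to make sure that the [offset, offset + length]
-range fits into one of the allocated memory regions.
-
-Validating addr < len should be sufficient since data seems to always be
-managed in TARGET_PAGE_SIZE chunks.
-
-Fixes: CVE-2014-7840
-
-Upstream-Status: Backport
-
-Note: follow-up patches add extra checks on each block->host access.
-
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-arch_init.c | 5 +++--
-1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/arch_init.c b/arch_init.c
-index 88a5ba0..593a990 100644
---- a/arch_init.c
-+++ b/arch_init.c
-@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f,
-uint8_t len;
-
-if (flags & RAM_SAVE_FLAG_CONTINUE) {
-- if (!block) {
-+ if (!block || block->length <= offset) {
-error_report("Ack, bad migration stream!");
-return NULL;
-}
-@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f,
-id[len] = 0;
-
-QTAILQ_FOREACH(block, &ram_list.blocks, next) {
-- if (!strncmp(id, block->idstr, sizeof(id)))
-+ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) {
-return memory_region_get_ram_ptr(block->mr) + offset;
-+ }
-}
-
-error_report("Can't find block %s!", id);
---
-1.9.1
-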
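--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch
@@ -0,0 +1,63 @@
+From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:28 +0800
+Subject: [PATCH] virtio: introduce virtqueue_unmap_sg()
+
+Factor out sg unmapping logic. This will be reused by the patch that
+can discard descriptor.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Cc: Andrew James <andrew.james@hpe.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c
+
+CVE: CVE-2015-7295 patch #1
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/virtio/virtio.c | 14 ++++++++++----
+1 file changed, 10 insertions(+), 4 deletions(-)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq)
+return vring_avail_idx(vq) == vq->last_avail_idx;
+}
+
+-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+- unsigned int len, unsigned int idx)
++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
+{
+unsigned int offset;
+int i;
+
+- trace_virtqueue_fill(vq, elem, len, idx);
+-
+offset = 0;
+for (i = 0; i < elem->in_num; i++) {
+size_t size = MIN(len - offset, elem->in_sg[i].iov_len);
+@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const
+cpu_physical_memory_unmap(elem->out_sg[i].iov_base,
+elem->out_sg[i].iov_len,
+0, elem->out_sg[i].iov_len);
++}
++
++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len, unsigned int idx)
++{
++ trace_virtqueue_fill(vq, elem, len, idx);
++
++ virtqueue_unmap_sg(vq, elem, len);
+
+idx = (idx + vring_used_idx(vq)) % vq->vring.num;
+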
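Review bot: The new static helper `virtqueue_unmap_sg` (inner lines 38-39) has no comment, and its `vq` parameter is not referenced by any visible line of its body, which only reads `elem` and `len`; the middle of the body lies between the two inner hunks, so that observation is partial. A header comment would fix the first point: `/* Unmap elem's sg lists; len is the byte count written into the in-direction buffers and bounds the per-sg size computed below. */`. Separately, this patch and CVE-2015-7295_2/_3, CVE-2015-7504, CVE-2015-7512, CVE-2015-8504 and CVE-2016-1568 carry `Index: qemu-2.4.0/...` paths while CVE-2016-2197 and CVE-2016-2198 use `qemu-2.5.0/...`; confirm which qemu version the recipe in this series builds and that every patch still applies without fuzz.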
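--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch
@@ -0,0 +1,58 @@
+From 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:29 +0800
+Subject: [PATCH] virtio: introduce virtqueue_discard()
+
+This patch introduces virtqueue_discard() to discard a descriptor and
+unmap the sgs. This will be used by the patch that will discard
+descriptor when packet is truncated.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=29b9f5efd78ae0f9cc02dd169b6e80d2c404bade
+
+CVE: CVE-2015-7295 patch #2
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/virtio/virtio.c | 7 +++++++
+include/hw/virtio/virtio.h | 2 ++
+2 files changed, 9 insertions(+)
+
+Index: qemu-2.4.0/hw/virtio/virtio.c
+===================================================================
+--- qemu-2.4.0.orig/hw/virtio/virtio.c
++++ qemu-2.4.0/hw/virtio/virtio.c
+@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue
+0, elem->out_sg[i].iov_len);
+}
+
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len)
++{
++ vq->last_avail_idx--;
++ virtqueue_unmap_sg(vq, elem, len);
++}
++
+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len, unsigned int idx)
+{
+Index: qemu-2.4.0/include/hw/virtio/virtio.h
+===================================================================
+--- qemu-2.4.0.orig/include/hw/virtio/virtio.h
++++ qemu-2.4.0/include/hw/virtio/virtio.h
+@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev
+void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len);
+void virtqueue_flush(VirtQueue *vq, unsigned int count);
++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem,
++ unsigned int len);
+void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem,
+unsigned int len, unsigned int idx);
+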
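Review bot: `virtqueue_discard` (inner lines 36-41) rewinds `vq->last_avail_idx` by exactly one, so it is only correct for the element most recently popped from the queue, and neither the definition nor the new declaration at inner lines 54-55 states that precondition. Add it at the declaration: `/* Give back the element most recently returned by virtqueue_pop(): rewinds last_avail_idx by one and unmaps its sg lists (len = bytes written into the in buffers). */`. A caller discarding any other element would leave `last_avail_idx` pointing at the wrong descriptor.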
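--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch
@@ -0,0 +1,52 @@
+From 0cf33fb6b49a19de32859e2cdc6021334f448fb3 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Fri, 25 Sep 2015 13:21:30 +0800
+Subject: [PATCH] virtio-net: correctly drop truncated packets
+
+When packet is truncated during receiving, we drop the packets but
+neither discard the descriptor nor add and signal used
+descriptor. This will lead several issues:
+
+- sg mappings are leaked
+- rx will be stalled if a lots of packets were truncated
+
+In order to be consistent with vhost, fix by discarding the descriptor
+in this case.
+
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+
+Upstream-Status: Backport
+
+git.qemu.org/?p=qemu.git;a=commit;h=0cf33fb6b49a19de32859e2cdc6021334f448fb3
+
+CVE: CVE-2015-7295 patch #3
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/net/virtio-net.c | 8 +-------
+1 file changed, 1 insertion(+), 7 deletions(-)
+
+Index: qemu-2.4.0/hw/net/virtio-net.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/virtio-net.c
++++ qemu-2.4.0/hw/net/virtio-net.c
+@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetCli
+* must have consumed the complete packet.
+* Otherwise, drop it. */
+if (!n->mergeable_rx_bufs && offset < size) {
+-#if 0
+- error_report("virtio-net truncated non-mergeable packet: "
+- "i %zd mergeable %d offset %zd, size %zd, "
+- "guest hdr len %zd, host hdr len %zd",
+- i, n->mergeable_rx_bufs,
+- offset, size, n->guest_hdr_len, n->host_hdr_len);
+-#endif
++ virtqueue_discard(q->rx_vq, &elem, total);
+return size;
+}
+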
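Review bot: The replacement line (inner line 49) discards the descriptor and the following `return size;` reports the whole packet as consumed, so a truncated non-mergeable packet is now dropped with no diagnostic at all; the deleted `#if 0` block was the only record of that event. A comment on the new line would at least make the intent explicit: `/* Truncated: give the descriptor back and tell the backend the packet was consumed. */`, and a trace point would be a cheap addition. The single-step rewind inside `virtqueue_discard` assumes exactly one element was popped for this packet, which presumably holds on the `!mergeable_rx_bufs` path, but the loop head of `virtio_net_receive` is outside the hunk, so verify.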
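--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch
@@ -0,0 +1,56 @@
+From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 20 Nov 2015 11:50:31 +0530
+Subject: [PATCH] net: pcnet: add check to validate receive data
+size(CVE-2015-7504)
+
+In loopback mode, pcnet_receive routine appends CRC code to the
+receive buffer. If the data size given is same as the buffer size,
+the appended CRC code overwrites 4 bytes after s->buffer. Added a
+check to avoid that.
+
+Reported by: Qinghao Tang <luodalongde@gmail.com>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7
+
+CVE: CVE-2015-7504
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/net/pcnet.c | 8 +++++---
+1 file changed, 5 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/hw/net/pcnet.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/pcnet.c
++++ qemu-2.4.0/hw/net/pcnet.c
+@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc
+uint32_t fcs = ~0;
+uint8_t *p = src;
+
+- while (p != &src[size-4])
++ while (p != &src[size])
+CRC(fcs, *p++);
+crc_err = (*(uint32_t *)p != htonl(fcs));
+}
+@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s
+bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
+
+/* if multi-tmd packet outsizes s->buffer then skip it silently.
+- Note: this is not what real hw does */
+- if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
++ * Note: this is not what real hw does.
++ * Last four bytes of s->buffer are used to store CRC FCS code.
++ */
++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) {
+s->xmit_pos = -1;
+goto txdone;
+}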
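Review bot: The literal `4` stands for the FCS length in both inner hunks — `&src[size]` followed by the 4-byte `*(uint32_t *)p` read at inner lines 40-42, and `sizeof(s->buffer) - 4` at inner line 53 — and nothing ties the two uses together, even though the receive-side CRC read is only safe because the transmit side now reserves those bytes. Since this is a verbatim backport, a comment at the loop is the minimal fix: `/* FCS occupies the 4 bytes after the payload; pcnet_transmit keeps them free. */`. The `*(uint32_t *)p` read is a pre-existing type-punned, possibly unaligned access; if this code is ever touched locally, a `memcpy` into a `uint32_t` is the portable form.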
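--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch
@@ -0,0 +1,44 @@
+From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Mon, 30 Nov 2015 15:00:06 +0800
+Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512)
+
+Backends could provide a packet whose length is greater than buffer
+size. Check for this and truncate the packet to avoid rx buffer
+overflow in this case.
+
+Cc: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upsteam_Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343
+
+CVE: CVE-2015-7512
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/net/pcnet.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+Index: qemu-2.4.0/hw/net/pcnet.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/pcnet.c
++++ qemu-2.4.0/hw/net/pcnet.c
+@@ -1065,6 +1065,12 @@ ssize_t pcnet_receive(NetClientState *nc
+int pktcount = 0;
+
+if (!s->looptest) {
++ if (size > 4092) {
++#ifdef PCNET_DEBUG_RMD
++ fprintf(stderr, "pcnet: truncates rx packet.\n");
++#endif
++ size = 4092;
++ }
+memcpy(src, buf, size);
+/* no need to compute the CRC */
+src[size] = 0;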
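Review bot: The header key at inner line 15 is misspelled as `Upsteam_Status: Backport`; the Yocto patch-metadata checks look for the literal `Upstream-Status:` key, so this patch will be reported as missing its status. Change it to `Upstream-Status: Backport`. In the code, the bound `4092` at inner lines 36 and 40 is a bare literal that presumably equals `sizeof(s->buffer) - 4`, the reserve the CVE-2015-7504 patch in this commit spells out symbolically in `pcnet_transmit`; a comment such as `/* presumably sizeof(s->buffer) minus the 4 FCS bytes; keep in sync with pcnet_transmit */` would stop the two from drifting apart. The rest of `pcnet_receive` is outside the hunk.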
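--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch
@@ -0,0 +1,73 @@
+From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001
+From: Stefan Weil <sw@weilnetz.de>
+Date: Fri, 20 Nov 2015 08:42:33 +0100
+Subject: [PATCH] eepro100: Prevent two endless loops
+
+http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html
+shows an example how an endless loop in function action_command can
+be achieved.
+
+During my code review, I noticed a 2nd case which can result in an
+endless loop.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Stefan Weil <sw@weilnetz.de>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24
+
+CVE: CVE-2015-8345
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/net/eepro100.c | 16 ++++++++++++++++
+1 file changed, 16 insertions(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index 60333b7..685a478 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s)
+#if 0
+uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6);
+#endif
++ if (tx_buffer_size == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
+tbd_address += 8;
+TRACE(RXTX, logout
+("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n",
+@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s)
+
+static void action_command(EEPRO100State *s)
+{
++ /* The loop below won't stop if it gets special handcrafted data.
++ Therefore we limit the number of iterations. */
++ unsigned max_loop_count = 16;
++
+for (;;) {
+bool bit_el;
+bool bit_s;
+@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s)
+#if 0
+bool bit_sf = ((s->tx.command & COMMAND_SF) != 0);
+#endif
++
++ if (max_loop_count-- == 0) {
++ /* Prevent an endless loop. */
++ logout("loop in %s:%u\n", __FILE__, __LINE__);
++ break;
++ }
++
+s->cu_offset = s->tx.link;
+TRACE(OTHER,
+logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n",
+--
+2.3.5
+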
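Review bot: `unsigned max_loop_count = 16;` at inner line 52 is a bare literal, and the comment above it explains only that the loop must be bounded, not why 16 is the right bound or what a legitimate guest loses when the cap is hit: the `break` at inner line 65 abandons the rest of the command list with only a `logout` line. A named constant carrying that rationale would make the limit reviewable, e.g. `enum { MAX_ACTION_COMMANDS = 16 }; /* CU command-list entries processed per action_command() call; guest-written link fields can form a cycle */`. The `tx_buffer_size == 0` guard at inner lines 38-42 closes the second loop and sits in a `tx_command` body that begins above the hunk.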
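--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch
@@ -0,0 +1,51 @@
+From 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 3 Dec 2015 18:54:17 +0530
+Subject: [PATCH] ui: vnc: avoid floating point exception
+
+While sending 'SetPixelFormat' messages to a VNC server,
+the client could set the 'red-max', 'green-max' and 'blue-max'
+values to be zero. This leads to a floating point exception in
+write_png_palette while doing frame buffer updates.
+
+Reported-by: Lian Yihan <lianyihan@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8
+
+CVE: CVE-2015-8504
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ui/vnc.c | 6 +++---
+1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/ui/vnc.c
+===================================================================
+--- qemu-2.4.0.orig/ui/vnc.c
++++ qemu-2.4.0/ui/vnc.c
+@@ -2189,15 +2189,15 @@ static void set_pixel_format(VncState *v
+return;
+}
+
+- vs->client_pf.rmax = red_max;
++ vs->client_pf.rmax = red_max ? red_max : 0xFF;
+vs->client_pf.rbits = hweight_long(red_max);
+vs->client_pf.rshift = red_shift;
+vs->client_pf.rmask = red_max << red_shift;
+- vs->client_pf.gmax = green_max;
++ vs->client_pf.gmax = green_max ? green_max : 0xFF;
+vs->client_pf.gbits = hweight_long(green_max);
+vs->client_pf.gshift = green_shift;
+vs->client_pf.gmask = green_max << green_shift;
+- vs->client_pf.bmax = blue_max;
++ vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
+vs->client_pf.bbits = hweight_long(blue_max);
+vs->client_pf.bshift = blue_shift;
+vs->client_pf.bmask = blue_max << blue_shift;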
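Review bot: The `? : 0xFF` fallback at inner lines 38, 43 and 48 is applied only to the `rmax`/`gmax`/`bmax` fields; `rbits`/`gbits`/`bbits` and `rmask`/`gmask`/`bmask` on the lines that follow are still derived from the original value, so a client that sends a zero max ends up with max = 0xFF but bits = 0 and mask = 0. Either substitute before the derived fields, `red_max = red_max ? red_max : 0xFF;` (and likewise for green and blue) ahead of the assignments, or reject the message on the validation path that ends in the `return;` at the top of the hunk. The head of `set_pixel_format` with that validation is outside the hunk.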
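--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
@@ -0,0 +1,46 @@
+From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 11 Jan 2016 14:10:42 -0500
+Subject: [PATCH] ide: ahci: reset ncq object to unused on error
+
+When processing NCQ commands, AHCI device emulation prepares a
+NCQ transfer object; To which an aio control block(aiocb) object
+is assigned in 'execute_ncq_command'. In case, when the NCQ
+command is invalid, the 'aiocb' object is not assigned, and NCQ
+transfer object is left as 'used'. This leads to a use after
+free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
+Reset NCQ transfer object to 'unused' to avoid it.
+
+[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab
+
+CVE: CVE-2016-1568
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/ide/ahci.c | 1 +
+1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.4.0.orig/hw/ide/ahci.c
++++ qemu-2.4.0/hw/ide/ahci.c
+@@ -898,6 +898,7 @@ static void ncq_err(NCQTransferState *nc
+ide_state->error = ABRT_ERR;
+ide_state->status = READY_STAT | ERR_STAT;
+ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
++ ncq_tfs->used = 0;
+}
+
+static void ncq_finish(NCQTransferState *ncq_tfs)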
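Review bot: `ncq_tfs->used = 0;` at inner line 43 has no comment, and the reason it matters is only in the commit message: an NCQ command that fails before `execute_ncq_command` assigns an aiocb must not stay marked used, or a later `ahci_reset_port` will try to cancel an aiocb that was never set. Put that at the line: `/* Free the slot: an aborted command never got an aiocb, so a port reset must not try to cancel one. */`. Whether other per-transfer fields should be cleared here too cannot be judged from the hunk; `ncq_err` begins above it.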
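--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
@@ -0,0 +1,59 @@
+From: Prasad J Pandit <address@hidden>
+
+When IDE AHCI emulation uses Frame Information Structures(FIS)
+engine for data transfer, the mapped FIS buffer address is stored
+in a static 'bounce.buffer'. When a request is made to map another
+memory region, address_space_map() returns NULL because
+'bounce.buffer' is in_use. It leads to a null pointer dereference
+error while doing 'dma_memory_unmap'. Add a check to avoid it.
+
+Reported-by: Zuozhi fzz <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05740.html
+
+CVE: CVE-2016-2197
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/ide/ahci.c | 16 ++++++++++------
+1 file changed, 10 insertions(+), 6 deletions(-)
+
+Update as per review
+-> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05715.html
+
+Index: qemu-2.5.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/ide/ahci.c
++++ qemu-2.5.0/hw/ide/ahci.c
+@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDev
+
+static void ahci_unmap_fis_address(AHCIDevice *ad)
+{
+- dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+- DMA_DIRECTION_FROM_DEVICE, 256);
+- ad->res_fis = NULL;
++ if (ad->res_fis) {
++ dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
++ DMA_DIRECTION_FROM_DEVICE, 256);
++ ad->res_fis = NULL;
++ }
+}
+
+static bool ahci_map_clb_address(AHCIDevice *ad)
+@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDev
+
+static void ahci_unmap_clb_address(AHCIDevice *ad)
+{
+- dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+- DMA_DIRECTION_FROM_DEVICE, 1024);
+- ad->lst = NULL;
++ if (ad->lst) {
++ dma_memory_unmap(ad->hba->as, ad->lst, 1024,
++ DMA_DIRECTION_FROM_DEVICE, 1024);
++ ad->lst = NULL;
++ }
+}
+
+static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)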
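Review bot: The header says `Upstream-Status: Backport` (inner line 13), but the only reference is a qemu-devel mailing-list post plus an "Update as per review" note (inner lines 14 and 23-24), not a merged commit; CVE-2016-2198 in this commit has the same shape. Under the Yocto convention a posted-but-unmerged patch is `Upstream-Status: Submitted [qemu-devel]`, and the commit id should be recorded once it lands, as the other patches here do. The two NULL guards themselves are fine: after the first call sets `ad->res_fis`/`ad->lst` to NULL a repeat call is a no-op, which is worth a one-line comment on each unmap function.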
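--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
@@ -0,0 +1,45 @@
+From: Prasad J Pandit <address@hidden>
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html
+
+CVE: CVE-2016-2198
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+hw/usb/hcd-ehci.c | 6 ++++++
+1 file changed, 6 insertions(+)
+
+Index: qemu-2.5.0/hw/usb/hcd-ehci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/usb/hcd-ehci.c
++++ qemu-2.5.0/hw/usb/hcd-ehci.c
+@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr
+return s->caps[addr];
+}
+
++static void ehci_caps_write(void *ptr, hwaddr addr,
++ uint64_t val, unsigned size)
++{
++}
++
+static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+unsigned size)
+{
+@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaqu
+
+static const MemoryRegionOps ehci_mmio_caps_ops = {
+.read = ehci_caps_read,
++ .write = ehci_caps_write,
+.valid.min_access_size = 1,
+.valid.max_access_size = 4,
+.impl.min_access_size = 1,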
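Review bot: The empty `ehci_caps_write` body at inner lines 30-33 should say why it is empty, otherwise a reader assumes the handler is unfinished; the reasoning is only in the commit message. Put it in the body: `/* Capability registers are read-only; guest writes are ignored (an absent .write handler was a NULL dereference). */`. A guest writing to a read-only region may indicate a driver bug, so a trace point here would be a cheap addition, but it is optional.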
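--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
@@ -0,0 +1,46 @@
+From 896fa02c24347e6e9259812cfda187b1d6ca6199 Mon Sep 17 00:00:00 2001
+From: Jiang Lu <lu.jiang@windriver.com>
+Date: Wed, 13 Nov 2013 10:38:08 +0800
+Subject: [PATCH] Qemu:Arm:versatilepb: Add memory size checking
+
+The machine can not work with memory over 256M, so add a checking
+at startup. If the memory size exceed 256M, just stop emulation then
+throw out warning about memory limitation.
+
+Upstream-Status: Pending
+
+Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
+
+Updated it on 2014-01-15 for rebasing
+
+Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
+
+Update it when upgrade qemu to 2.2.0
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+Signed-off-by: Cristian Iorga <cristian.iorga@intel.com>
+---
+hw/arm/versatilepb.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
+index 6c69f4e..9278d90 100644
+--- a/hw/arm/versatilepb.c
++++ b/hw/arm/versatilepb.c
+@@ -204,6 +204,13 @@ static void versatile_init(MachineState *machine, int board_id)
+exit(1);
+}
+
++ if (machine->ram_size > (256 << 20)) {
++ fprintf(stderr,
++ "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n",
++ ((unsigned int)ram_size / (1 << 20)));
++ exit(1);
++ }
++
+cpuobj = object_new(object_class_get_name(cpu_oc));
+
+/* By default ARM1176 CPUs have EL3 enabled. This board does not
+--
+2.1.0
+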
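Review bot: The message at inner lines 36-37 prints an `unsigned int` with `%d`, and the value printed is `ram_size` while the condition at inner line 34 tests `machine->ram_size`; if those are different objects the message can disagree with the check. Use `%u` and the same expression: `"qemu: Too much memory for this machine: %u MB, maximum 256 MB\n", (unsigned int)(machine->ram_size / (1 << 20))`. The patch also still carries `Upstream-Status: Pending` from 2013 (inner line 10); it should either be submitted upstream or marked Inappropriate with a reason.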
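--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
@@ -0,0 +1,29 @@
+Upstream-Status: Pending
+
+Add subpackage -ptest which runs all unit test cases for qemu.
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+tests/Makefile | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/tests/Makefile b/tests/Makefile
+index 88f7105..3f40b4b 100644
+--- a/tests/Makefile
++++ b/tests/Makefile
+@@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+
+-include $(wildcard tests/*.d)
+-include $(wildcard tests/libqos/*.d)
++
++buildtest-TESTS: $(check-unit-y)
++
++runtest-TESTS:
++ for f in $(check-unit-y); do \
++ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
++ $$nf; \
++ done
++
+--
+1.7.9.5
+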
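Review bot: The `runtest-TESTS` loop at inner lines 21-25 runs each binary as `$$nf;` and discards its exit status, so a failing unit test neither stops the loop nor changes the recipe's result, and nothing is printed in the `PASS:`/`FAIL:` form that ptest output is parsed for. Report per test instead: `if $$nf; then echo "PASS: $$nf"; else echo "FAIL: $$nf"; fi; \`. The `sed 's/tests\//\.\//g'` rewrite assumes every entry of `$(check-unit-y)` starts with `tests/`, which is presumably true but worth a comment.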
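--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
@@ -0,0 +1,76 @@
+From 697a834c35d19447b7dcdb9e1d9434bc6ce17c21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
+Date: Wed, 12 Aug 2015 15:11:30 -0500
+Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add custom_debug.h with function for print backtrace information.
+When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
+current cpu information.
+
+Upstream-Status: Inappropriate
+Signed-off-by: AnÃbal Limón <anibal.limon@linux.intel.com>
+---
+cpus.c | 5 +++++
+custom_debug.h | 24 ++++++++++++++++++++++++
+2 files changed, 29 insertions(+)
+create mode 100644 custom_debug.h
+
+diff --git a/cpus.c b/cpus.c
+index a822ce3..7e4786e 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1080,6 +1080,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+return NULL;
+}
+
++#include "custom_debug.h"
++
+static void qemu_cpu_kick_thread(CPUState *cpu)
+{
+#ifndef _WIN32
+@@ -1088,6 +1090,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+err = pthread_kill(cpu->thread->thread, SIG_IPI);
+if (err) {
+fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
++ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
++ cpu_dump_state(cpu, stderr, fprintf, 0);
++ backtrace_print();
+exit(1);
+}
+#else /* _WIN32 */
+diff --git a/custom_debug.h b/custom_debug.h
+new file mode 100644
+index 0000000..f029e45
+--- /dev/null
++++ b/custom_debug.h
+@@ -0,0 +1,24 @@
++#include <execinfo.h>
++#include <stdio.h>
++#define BACKTRACE_MAX 128
++static void backtrace_print(void)
++{
++ int nfuncs = 0;
++ void *buf[BACKTRACE_MAX];
++ char **symbols;
++ int i;
++
++ nfuncs = backtrace(buf, BACKTRACE_MAX);
++
++ symbols = backtrace_symbols(buf, nfuncs);
++ if (symbols == NULL) {
++ fprintf(stderr, "backtrace_print failed to get symbols");
++ return;
++ }
++
++ fprintf(stderr, "Backtrace ...\n");
++ for (i = 0; i < nfuncs; i++)
++ fprintf(stderr, "%s\n", symbols[i]);
++
++ free(symbols);
++}
+--
+1.9.1
+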
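Review bot: `custom_debug.h` calls `free(symbols)` at line 72 of the patch but includes only `<execinfo.h>` and `<stdio.h>`, so the header is not self-contained and compiles only because `cpus.c` happens to pull in `<stdlib.h>` earlier; add `#include <stdlib.h>` plus an include guard, since a `static` function defined in a header is redefined if the header is ever included twice. The message at line 64, `"backtrace_print failed to get symbols"`, has no trailing `\n` and will run into the next stderr line. `<execinfo.h>`/`backtrace()` are glibc extensions and the `#include "custom_debug.h"` at line 29 is unconditional while its only call site sits under `#ifndef _WIN32`, so a non-glibc C library would presumably fail to build here; guarding the include the same way as the call would keep the failure mode local.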
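--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Submitted
+
+From f354b9333408d411854af058cc44cceda60b4473 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
+Date: Thu, 3 Sep 2015 14:07:34 -0500
+Subject: [PATCH] cpus.c: qemu_mutex_lock_iothread fix race condition at cpu
+thread init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When QEMU starts the RCU thread executes qemu_mutex_lock_thread
+causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.
+
+This isn't occur frequently but in glibc the thread id can exist and
+this not guarantee that the thread is on active/running state. If is
+inserted a sleep(1) after newthread assignment [1] the issue appears.
+
+So not make assumption that thread exist if first_cpu->thread is set
+then change the validation of cpu to created that is set into cpu
+threads (kvm, tcg, dummy).
+
+[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621
+
+Signed-off-by: AnÃbal Limón <anibal.limon@linux.intel.com>
+---
+cpus.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpus.c b/cpus.c
+index 7e4786e..05e5400 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1171,7 +1171,7 @@ void qemu_mutex_lock_iothread(void)
+* TCG code execution.
+*/
+if (!tcg_enabled() || qemu_in_vcpu_thread() ||
+- !first_cpu || !first_cpu->thread) {
++ !first_cpu || !first_cpu->created) {
+qemu_mutex_lock(&qemu_global_mutex);
+atomic_dec(&iothread_requesting_mutex);
+} else {
+--
+1.9.1
+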
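Review bot: The new condition reads `first_cpu->created` before `qemu_global_mutex` is taken, exactly as the old code read `first_cpu->thread`, so it is an unsynchronized read of a field the vCPU thread writes; if `created` is set under the global mutex elsewhere (not visible in this hunk), a comment should say why a stale value is acceptable here, e.g. `/* racy read: created is written by the vCPU thread; a stale value only selects which locking path is taken */`. Without that note the next reader cannot tell whether the race is benign or merely less frequent than the one being fixed. The enclosing `qemu_mutex_lock_iothread` starts and ends outside the hunk.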
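--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch
@@ -0,0 +1,93 @@
+[PATCH] exclude some arm EABI obsolete syscalls
+
+Upstream-Status: Pending
+
+some syscalls are obsolete and no longer available for EABI, exclude them to
+fix the below error:
+In file included from qemu-seccomp.c:16:0:
+qemu-seccomp.c:28:7: error: '__NR_select' undeclared here (not in a function)
+{ SCMP_SYS(select), 252 },
+^
+qemu-seccomp.c:36:7: error: '__NR_mmap' undeclared here (not in a function)
+{ SCMP_SYS(mmap), 247 },
+^
+qemu-seccomp.c:57:7: error: '__NR_getrlimit' undeclared here (not in a function)
+{ SCMP_SYS(getrlimit), 245 },
+^
+qemu-seccomp.c:96:7: error: '__NR_time' undeclared here (not in a function)
+{ SCMP_SYS(time), 245 },
+^
+qemu-seccomp.c:185:7: error: '__NR_alarm' undeclared here (not in a function)
+{ SCMP_SYS(alarm), 241 },
+
+please refer source files:
+arch/arm/include/uapi/asm/unistd.h
+or kernel header:
+/usr/include/asm/unistd.h
+
+Signed-off-by: Roy.Li <rongqing.li@windriver.com>
+---
+qemu-seccomp.c | 14 ++++++++------
+1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index caa926e..5a78502 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -25,15 +25,21 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+{ SCMP_SYS(timer_settime), 255 },
+{ SCMP_SYS(timer_gettime), 254 },
+{ SCMP_SYS(futex), 253 },
++#if !defined(__ARM_EABI__)
+{ SCMP_SYS(select), 252 },
++ { SCMP_SYS(time), 245 },
++ { SCMP_SYS(alarm), 241 },
++ { SCMP_SYS(getrlimit), 245 },
++ { SCMP_SYS(mmap), 247 },
++ { SCMP_SYS(socketcall), 250 },
++ { SCMP_SYS(ipc), 245 },
++#endif
+{ SCMP_SYS(recvfrom), 251 },
+{ SCMP_SYS(sendto), 250 },
+- { SCMP_SYS(socketcall), 250 },
+{ SCMP_SYS(read), 249 },
+{ SCMP_SYS(io_submit), 249 },
+{ SCMP_SYS(brk), 248 },
+{ SCMP_SYS(clone), 247 },
+- { SCMP_SYS(mmap), 247 },
+{ SCMP_SYS(mprotect), 246 },
+{ SCMP_SYS(execve), 245 },
+{ SCMP_SYS(open), 245 },
+@@ -48,13 +54,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+{ SCMP_SYS(bind), 245 },
+{ SCMP_SYS(listen), 245 },
+{ SCMP_SYS(semget), 245 },
+- { SCMP_SYS(ipc), 245 },
+{ SCMP_SYS(gettimeofday), 245 },
+{ SCMP_SYS(readlink), 245 },
+{ SCMP_SYS(access), 245 },
+{ SCMP_SYS(prctl), 245 },
+{ SCMP_SYS(signalfd), 245 },
+- { SCMP_SYS(getrlimit), 245 },
+{ SCMP_SYS(set_tid_address), 245 },
+{ SCMP_SYS(statfs), 245 },
+{ SCMP_SYS(unlink), 245 },
+@@ -93,7 +97,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+{ SCMP_SYS(times), 245 },
+{ SCMP_SYS(exit), 245 },
+{ SCMP_SYS(clock_gettime), 245 },
+- { SCMP_SYS(time), 245 },
+{ SCMP_SYS(restart_syscall), 245 },
+{ SCMP_SYS(pwrite64), 245 },
+{ SCMP_SYS(nanosleep), 245 },
+@@ -182,7 +185,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+{ SCMP_SYS(lstat64), 241 },
+{ SCMP_SYS(sendfile64), 241 },
+{ SCMP_SYS(ugetrlimit), 241 },
+- { SCMP_SYS(alarm), 241 },
+{ SCMP_SYS(rt_sigsuspend), 241 },
+{ SCMP_SYS(rt_sigqueueinfo), 241 },
+{ SCMP_SYS(rt_tgsigqueueinfo), 241 },
+--
+1.9.1
+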
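Review bot: The guard `#if !defined(__ARM_EABI__)` at line 41 of the patch keys on the ABI, while the build error being fixed is the absence of the individual `__NR_*` macros, so the allow-list would be more robust guarded per entry on the macro itself, e.g. `#ifdef __NR_select` / `{ SCMP_SYS(select), 252 },` / `#endif`, which also covers other libcs or ABIs that drop one of these calls. On ARM EABI the C library typically implements `select()` and `mmap()` via the `_newselect` and `mmap2` syscalls; unless those already appear in the part of the list outside these hunks, the seccomp filter will now kill qemu on its first such call, so the list should be checked for them (`ugetrlimit` at line 86 is already present, `semget` at line 64 covers the direct-ipc case). A one-line comment above the `#if`, e.g. `/* ARM EABI has no legacy select/time/alarm/getrlimit/mmap/socketcall/ipc numbers */`, would record why these entries are excluded.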
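--- a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-This patch is taken from debian. 128M is too less sometimes if distro
-with lot of packages is booted so this patch raises the default to 384M
-
-It has not been applied to upstream qemu
-
-Khem Raj <raj.khem@gmail.com>
-
-Upstream-Status: Pending
-
-Index: qemu-0.14.0/vl.c
-===================================================================
---- qemu-0.14.0.orig/vl.c
-+++ qemu-0.14.0/vl.c
-@@ -168,7 +168,7 @@ int main(int argc, char **argv)
-//#define DEBUG_NET
-//#define DEBUG_SLIRP
-
--#define DEFAULT_RAM_SIZE 128
-+#define DEFAULT_RAM_SIZE 384
-
-#define MAX_VIRTIO_CONSOLES 1
-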
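--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
@@ -0,0 +1,19 @@
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+
+diff --git a/configure b/configure
+index b3c4f51..4d3929e 100755
+--- a/configure
++++ b/configure
+@@ -4193,9 +4192,0 @@ valgrind_h=no
+-cat > $TMPC << EOF
+-#include <valgrind/valgrind.h>
+-int main(void) {
+- return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+- valgrind_h=yes
+-fi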
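Review bot: The hunk `@@ -4193,9 +4192,0 @@` at line 10 of the patch removes the valgrind probe with zero lines of context, so `patch` will apply it to whatever nine lines sit at that offset in a newer `configure` and silently delete the wrong block instead of failing; regenerating the patch with the default three context lines makes drift fail loudly at do_patch time. Leaving `valgrind_h=no` (the assignment named in the hunk header) as the only assignment does achieve the stated goal, but a comment above it, e.g. `# valgrind probe removed by OE (no-valgrind.patch): keep builds deterministic`, would tell the next maintainer why the probe is gone.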
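--- a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-qemu: CVE-2015-3456
-
-the patch comes from:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
-http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
-
-fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
-Signed-off-by: Li Wang <li.wang@windriver.com>
-
-Upstream-Status: Backport
-
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
----
-hw/block/fdc.c | 17 +++++++++++------
-1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index 490d127..045459e 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-{
-FDrive *cur_drv;
-uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-
-cur_drv = get_cur_drv(fdctrl);
-fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-return 0;
-}
-pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
-if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
-if (pos == 0) {
-if (fdctrl->data_pos != 0)
-if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
-static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
-{
-FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
-/* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
-fdctrl->fifo[0] = fdctrl->fifo[1];
-fdctrl->fifo[2] = 0;
-fdctrl->fifo[3] = 0;
-@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
-static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-{
-FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-
-/* Reset mode */
-if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-}
-
-FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
-if (fdctrl->data_pos == fdctrl->data_len) {
-/* We now have all parameters
-* and will be able to treat the command
---
-1.7.9.5
-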
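--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
@@ -0,0 +1,31 @@
+qemu: Add addition environment space to boot loader qemu-system-mips
+
+Upstream-Status: Inappropriate - OE uses deep paths
+
+If you create a project with very long directory names like 128 characters
+deep and use NFS, the kernel arguments will be truncated. The kernel will
+accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
+to only 256 bytes. This patch expands the limit.
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+hw/mips/mips_malta.c | 2 +-
+1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
+index 9d521cc..17c0391 100644
+--- a/hw/mips/mips_malta.c
++++ b/hw/mips/mips_malta.c
+@@ -53,7 +53,7 @@
+
+#define ENVP_ADDR 0x80002000l
+#define ENVP_NB_ENTRIES 16
+-#define ENVP_ENTRY_SIZE 256
++#define ENVP_ENTRY_SIZE 1024
+
+/* Hardware addresses */
+#define FLASH_ADDRESS 0x1e000000ULL
+--
+1.7.10.4
+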
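Review bot: Raising `ENVP_ENTRY_SIZE` to 1024 at line 25 of the patch while `ENVP_NB_ENTRIES` stays 16 grows the environment table placed at `ENVP_ADDR` from 4 KiB to 16 KiB, and the hunk does not show what the boot loader lays out after that table, so it should be confirmed that the extra 12 KiB cannot overlap the next structure. A comment on the define recording the reason and the coupling, e.g. `/* OE: raised from 256 for long NFS root paths; the table is ENVP_NB_ENTRIES * this many bytes */`, would make the limit reviewable later without re-reading the recipe.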
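--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+ptestdir=$(pwd)
+cd tests
+
+export SRC_PATH=$ptestdir
+make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'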
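Review bot: `cd tests` at line 5 is unchecked, so if the directory is missing the `make` at line 8 runs in the ptest root and the run reports a misleading result; use `cd tests || exit 1`. The pipe into `sed` also discards `make`'s exit status, and only lines matching `: OK` are rewritten to `PASS:`, so a failing test produces no `FAIL:` line at all and the ptest harness cannot see the failure; whatever the test runner prints on failure (not visible here) should be mapped to a `FAIL:` prefix as well, and `make`'s status captured separately since `#!/bin/sh` offers no `pipefail`. Combined with `runtest-TESTS` in `add-ptest-in-makefile.patch`, which ignores per-test exit codes, there is currently no path by which a unit-test failure is reported.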
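--- a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Thu, 18 Sep 2014 08:35:37 +0200
-Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
-uninitialized socket
-
-When guest sends udp packet with source port and source addr 0,
-uninitialized socket is picked up when looking for matching and already
-created udp sockets, and later passed to sosendto() where NULL pointer
-dereference is hit during so->slirp->vnetwork_mask.s_addr access.
-
-Fix this by checking that the socket is not just a socket stub.
-
-This is CVE-2014-3640.
-
-Upstream-Status: Backport
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Xavier Mehrenberger <xavier.mehrenberger@airbus.com>
-Reported-by: Stephane Duverger <stephane.duverger@eads.net>
-Reviewed-by: Jan Kiszka <jan.kiszka@siemens.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
-Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-slirp/udp.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/slirp/udp.c b/slirp/udp.c
-index 8cc6cb6..f77e00f 100644
---- a/slirp/udp.c
-+++ b/slirp/udp.c
-@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
-* Locate pcb for datagram.
-*/
-so = slirp->udp_last_so;
-- if (so->so_lport != uh->uh_sport ||
-+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
-so->so_laddr.s_addr != ip->ip_src.s_addr) {
-struct socket *tmp;
-
---
-1.9.1
-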
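--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
@@ -0,0 +1,74 @@
+The smc91c111.c driver appears to have several issues. The can_receive()
+function can return that the driver is ready when rx_fifo has not been
+freed yet. There is also no sanity check of rx_fifo() in _receive() which
+can lead to corruption of the rx_fifo array.
+
+release_packet() can also call qemu_flush_queued_packets() before rx_fifo
+has been cleaned up, resulting in cases where packets are submitted
+for which there is not yet any space.
+
+This patch therefore:
+
+* fixes the logic in can_receive()
+* adds logic to receive() as a sanity check
+* moves the flush() calls to the correct places where data is ready
+to be received
+
+Upstream-Status: Pending [discussion in progress on mailing list]
+RP 2015/9/7
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -185,7 +185,6 @@ static void smc91c111_release_packet(smc
+s->allocated &= ~(1 << packet);
+if (s->tx_alloc == 0x80)
+smc91c111_tx_alloc(s);
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
+}
+
+/* Flush the TX FIFO. */
+@@ -237,9 +236,11 @@ static void smc91c111_do_tx(smc91c111_st
+}
+}
+#endif
+- if (s->ctr & CTR_AUTO_RELEASE)
++ if (s->ctr & CTR_AUTO_RELEASE) {
+/* Race? */
+smc91c111_release_packet(s, packetnum);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ }
+else if (s->tx_fifo_done_len < NUM_PACKETS)
+s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
+qemu_send_packet(qemu_get_queue(s->nic), p, len);
+@@ -379,9 +380,11 @@ static void smc91c111_writeb(void *opaqu
+smc91c111_release_packet(s, s->rx_fifo[0]);
+}
+smc91c111_pop_rx_fifo(s);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
+break;
+case 5: /* Release. */
+smc91c111_release_packet(s, s->packet_num);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
+break;
+case 6: /* Add to TX FIFO. */
+smc91c111_queue_tx(s, s->packet_num);
+@@ -642,7 +642,7 @@ static int smc91c111_can_receive(NetClie
+
+if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+return 1;
+- if (s->allocated == (1 << NUM_PACKETS) - 1)
++ if ((s->allocated == (1 << NUM_PACKETS) - 1) || (s->rx_fifo_len == NUM_PACKETS))
+return 0;
+return 1;
+}
+@@ -671,6 +671,8 @@ static ssize_t smc91c111_receive(NetClie
+/* TODO: Flag overrun and receive errors. */
+if (packetsize > 2048)
+return -1;
++ if (s->rx_fifo_len == NUM_PACKETS)
++ return -1;
+packetnum = smc91c111_allocate_packet(s);
+if (packetnum == 0x80)
+return -1;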
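Review bot: The `if (s->ctr & CTR_AUTO_RELEASE) {` arm at lines 37-41 of the patch gains braces, but the `else if (s->tx_fifo_done_len < NUM_PACKETS)` at line 42 keeps an unbraced body, which QEMU's coding style rejects and which is precisely the dangling-body shape braces exist to prevent; brace both arms. The new `can_receive` condition at line 62 also runs past 80 columns, and since `smc91c111_fix1.patch` and `smc91c111_fix2.patch` in this same commit rewrite the very same `smc91c111_release_packet` and `smc91c111_can_receive` lines, this patch and that series cannot both apply cleanly; the recipe's SRC_URI is not visible here, so please confirm only one of the two is listed. `smc91c111_do_tx`, `smc91c111_writeb` and `smc91c111_receive` continue outside these hunks.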
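--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
@@ -0,0 +1,85 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+Subject: [RFT PATCH v1 1/3] net: smc91c111: guard flush_queued_packets() on
+can_rx()
+Date: Thu, 10 Sep 2015 21:23:43 -0700
+
+Check that the core can once again receive packets before asking the
+net layer to do a flush. This will make it more convenient to flush
+packets when adding new conditions to can_receive.
+
+Add missing if braces while moving the can_receive() core code.
+
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+
+---
+
+hw/net/smc91c111.c | 30 ++++++++++++++++++++++--------
+1 file changed, 22 insertions(+), 8 deletions(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -124,6 +124,24 @@ static void smc91c111_update(smc91c111_s
+qemu_set_irq(s->irq, level);
+}
+
++static int smc91c111_can_receive(smc91c111_state *s)
++{
++ if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
++ return 1;
++ }
++ if (s->allocated == (1 << NUM_PACKETS) - 1) {
++ return 0;
++ }
++ return 1;
++}
++
++static inline void smc91c111_flush_queued_packets(smc91c111_state *s)
++{
++ if (smc91c111_can_receive(s)) {
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ }
++}
++
+/* Try to allocate a packet. Returns 0x80 on failure. */
+static int smc91c111_allocate_packet(smc91c111_state *s)
+{
+@@ -185,7 +203,7 @@ static void smc91c111_release_packet(smc
+s->allocated &= ~(1 << packet);
+if (s->tx_alloc == 0x80)
+smc91c111_tx_alloc(s);
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ smc91c111_flush_queued_packets(s);
+}
+
+/* Flush the TX FIFO. */
+@@ -636,15 +654,11 @@ static uint32_t smc91c111_readl(void *op
+return val;
+}
+
+-static int smc91c111_can_receive(NetClientState *nc)
++static int smc91c111_can_receive_nc(NetClientState *nc)
+{
+smc91c111_state *s = qemu_get_nic_opaque(nc);
+
+- if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+- return 1;
+- if (s->allocated == (1 << NUM_PACKETS) - 1)
+- return 0;
+- return 1;
++ return smc91c111_can_receive(s);
+}
+
+static ssize_t smc91c111_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+@@ -739,7 +753,7 @@ static const MemoryRegionOps smc91c111_m
+static NetClientInfo net_smc91c111_info = {
+.type = NET_CLIENT_OPTIONS_KIND_NIC,
+.size = sizeof(NICState),
+- .can_receive = smc91c111_can_receive,
++ .can_receive = smc91c111_can_receive_nc,
+.receive = smc91c111_receive,
+};
+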
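Review bot: The new `smc91c111_can_receive(smc91c111_state *s)` at lines 29-38 of the patch returns 1 when receive is disabled or a soft reset is pending, which reads as "ready" for a device that will not store the frame, and nothing in the hunk explains the intent; a comment such as `/* NOTE: RX disabled / soft reset still reports ready, presumably so the frame is consumed and dropped rather than left queued; verify against smc91c111_receive */` would stop the next reader from "fixing" it, since the receive path is outside this hunk. `smc91c111_flush_queued_packets` at lines 40-45 likewise deserves a one-liner saying it must be the only caller of `qemu_flush_queued_packets()` now that the raw call in `smc91c111_release_packet` (lines 54-55) is replaced, because a flush while `can_receive` is 0 is exactly the condition the series is removing.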
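--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
@@ -0,0 +1,46 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+X-Google-Original-From: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
+having a slot
+Date: Thu, 10 Sep 2015 21:23:57 -0700
+
+Return false from can_receive() when the FIFO doesn't have a free RX
+slot. This fixes a bug in the current code where the allocated buffer
+is freed before the fifo pop, triggering a premature flush of queued RX
+packets. It also will handle a corner case, where the guest manually
+frees the allocated buffer before popping the rx FIFO (hence it is not
+enough to just delay the flush_queued_packets()).
+
+Reported-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+---
+
+hw/net/smc91c111.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
+if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
+return 1;
+}
+- if (s->allocated == (1 << NUM_PACKETS) - 1) {
++ if (s->allocated == (1 << NUM_PACKETS) - 1 ||
++ s->rx_fifo_len == NUM_PACKETS) {
+return 0;
+}
+return 1;
+@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
+} else {
+s->int_level &= ~INT_RCV;
+}
++ smc91c111_flush_queued_packets(s);
+smc91c111_update(s);
+}
+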
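Review bot: The call `smc91c111_flush_queued_packets(s)` added at line 43 of the patch (and the one `smc91c111_fix3.patch` adds in `smc91c111_writeb`) only exists once `smc91c111_fix1.patch` has been applied, so the three patches are order-dependent and the recipe must list fix1 before fix2 and fix3; a `Depends-on: smc91c111_fix1.patch` line in each header would make that explicit to whoever reorders SRC_URI. The flush is placed before `smc91c111_update(s)`; since a flush may deliver queued frames synchronously and thereby change `int_level`, a one-line comment such as `/* flush first so a frame delivered now is reflected in the IRQ level computed by update() */` would document the ordering, assuming that is the intent. `smc91c111_pop_rx_fifo` starts outside the hunk.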
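--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
@@ -0,0 +1,33 @@
+From: Peter Crosthwaite <crosthwaitepeter@gmail.com>
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 3/3] net: smc91c111: flush packets on RCR register
+changes
+Date: Thu, 10 Sep 2015 21:24:12 -0700
+
+The SOFT_RST or RXEN in the control register can be used as a condition
+to unblock the net layer via can_receive(). So check for possible
+flushes on RCR changes. This will drop all pending packets on soft
+reset or disable which is the functional intent of the can_receive()
+logic.
+
+Signed-off-by: Peter Crosthwaite <crosthwaite.peter@gmail.com>
+
+Upstream-Status: Submitted
+---
+
+hw/net/smc91c111.c | 1 +
+1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -331,6 +331,7 @@ static void smc91c111_writeb(void *opaqu
+if (s->rcr & RCR_SOFT_RST) {
+smc91c111_reset(DEVICE(s));
+}
++ smc91c111_flush_queued_packets(s);
+return;
+case 10: case 11: /* RPCR */
+/* Ignored */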
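--- a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Mon, 27 Oct 2014 12:41:44 +0100
-Subject: [PATCH] vnc: sanitize bits_per_pixel from the client
-
-bits_per_pixel that are less than 8 could result in accessing
-non-initialized buffers later in the code due to the expectation
-that bytes_per_pixel value that is used to initialize these buffers is
-never zero.
-
-To fix this check that bits_per_pixel from the client is one of the
-values that the rfb protocol specification allows.
-
-This is CVE-2014-7815.
-
-Upstream-Status: Backport
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-
-[ kraxel: apply codestyle fix ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829)
-Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
----
-ui/vnc.c | 10 ++++++++++
-1 file changed, 10 insertions(+)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index f8d9b7d..87e34ae 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs,
-return;
-}
-
-+ switch (bits_per_pixel) {
-+ case 8:
-+ case 16:
-+ case 32:
-+ break;
-+ default:
-+ vnc_client_error(vs);
-+ return;
-+ }
-+
-vs->client_pf.rmax = red_max;
-vs->client_pf.rbits = hweight_long(red_max);
-vs->client_pf.rshift = red_shift;
---
-1.9.1
-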
diff --git a/meta/recipes-devtools/qemu/qemu/wacom.patch b/meta/recipes-devtools/qemu/qemu/wacom.patch index fd1b4a6963..cd06aa4ac6 100644 --- a/meta/recipes-devtools/qemu/qemu/wacom.patch +++ b/meta/recipes-devtools/qemu/qemu/wacom.patch | |||
@@ -1,7 +1,7 @@ | |||
1 | The USB wacom device is missing a HID descriptor which causes it | 1 | The USB wacom device is missing a HID descriptor which causes it |
2 | to fail to operate with recent kernels (e.g. 3.17). | 2 | to fail to operate with recent kernels (e.g. 3.17). |
3 | 3 | ||
4 | This patch adds a HID desriptor to the device, based upon one from | 4 | This patch adds a HID desriptor to the device, based upon one from |
5 | real wcom device. | 5 | real wcom device. |
6 | 6 | ||
7 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> | 7 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> |
@@ -16,12 +16,12 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
16 | @@ -68,6 +68,89 @@ | 16 | @@ -68,6 +68,89 @@ |
17 | [STR_SERIALNUMBER] = "1", | 17 | [STR_SERIALNUMBER] = "1", |
18 | }; | 18 | }; |
19 | 19 | ||
20 | +static const uint8_t qemu_tablet_hid_report_descriptor[] = { | 20 | +static const uint8_t qemu_tablet_hid_report_descriptor[] = { |
21 | + 0x05, 0x01, /* Usage Page (Generic Desktop) */ | 21 | + 0x05, 0x01, /* Usage Page (Generic Desktop) */ |
22 | + 0x09, 0x02, /* Usage (Mouse) */ | 22 | + 0x09, 0x02, /* Usage (Mouse) */ |
23 | + 0xa1, 0x01, /* Collection (Application) */ | 23 | + 0xa1, 0x01, /* Collection (Application) */ |
24 | + 0x85, 0x01, /* Report ID (1) */ | 24 | + 0x85, 0x01, /* Report ID (1) */ |
25 | + 0x09, 0x01, /* Usage (Pointer) */ | 25 | + 0x09, 0x01, /* Usage (Pointer) */ |
26 | + 0xa1, 0x00, /* Collection (Physical) */ | 26 | + 0xa1, 0x00, /* Collection (Physical) */ |
27 | + 0x05, 0x09, /* Usage Page (Button) */ | 27 | + 0x05, 0x09, /* Usage Page (Button) */ |
@@ -48,7 +48,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
48 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ | 48 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ |
49 | + 0x09, 0x01, /* Usage (Digitizer) */ | 49 | + 0x09, 0x01, /* Usage (Digitizer) */ |
50 | + 0xa1, 0x01, /* Collection (Application) */ | 50 | + 0xa1, 0x01, /* Collection (Application) */ |
51 | + 0x85, 0x02, /* Report ID (2) */ | 51 | + 0x85, 0x02, /* Report ID (2) */ |
52 | + 0xa1, 0x00, /* Collection (Physical) */ | 52 | + 0xa1, 0x00, /* Collection (Physical) */ |
53 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ | 53 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ |
54 | + 0x09, 0x01, /* Usage (Digitizer) */ | 54 | + 0x09, 0x01, /* Usage (Digitizer) */ |
@@ -59,14 +59,14 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
59 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ | 59 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ |
60 | + 0xc0, /* End Collection */ | 60 | + 0xc0, /* End Collection */ |
61 | + 0x09, 0x01, /* Usage (Digitizer) */ | 61 | + 0x09, 0x01, /* Usage (Digitizer) */ |
62 | + 0x85, 0x02, /* Report ID (2) */ | 62 | + 0x85, 0x02, /* Report ID (2) */ |
63 | + 0x95, 0x01, /* Report Count (1) */ | 63 | + 0x95, 0x01, /* Report Count (1) */ |
64 | + 0xb1, 0x02, /* FEATURE (2) */ | 64 | + 0xb1, 0x02, /* FEATURE (2) */ |
65 | + 0xc0, /* End Collection */ | 65 | + 0xc0, /* End Collection */ |
66 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ | 66 | + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ |
67 | + 0x09, 0x01, /* Usage (Digitizer) */ | 67 | + 0x09, 0x01, /* Usage (Digitizer) */ |
68 | + 0xa1, 0x01, /* Collection (Application) */ | 68 | + 0xa1, 0x01, /* Collection (Application) */ |
69 | + 0x85, 0x02, /* Report ID (2) */ | 69 | + 0x85, 0x02, /* Report ID (2) */ |
70 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ | 70 | + 0x05, 0x0d, /* Usage Page (Digitizer) */ |
71 | + 0x09, 0x22, /* Usage (Finger) */ | 71 | + 0x09, 0x22, /* Usage (Finger) */ |
72 | + 0xa1, 0x00, /* Collection (Physical) */ | 72 | + 0xa1, 0x00, /* Collection (Physical) */ |
@@ -95,7 +95,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
95 | + 0x75, 0x08, /* Report Size (8) */ | 95 | + 0x75, 0x08, /* Report Size (8) */ |
96 | + 0x95, 0x0d, /* Report Count (13) */ | 96 | + 0x95, 0x0d, /* Report Count (13) */ |
97 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ | 97 | + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ |
98 | + 0xc0, /* End Collection */ | 98 | + 0xc0, /* End Collection */ |
99 | + 0xc0, /* End Collection */ | 99 | + 0xc0, /* End Collection */ |
100 | +}; | 100 | +}; |
101 | + | 101 | + |
@@ -114,7 +114,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c | |||
114 | }, | 114 | }, |
115 | @@ -265,6 +350,15 @@ | 115 | @@ -265,6 +350,15 @@ |
116 | } | 116 | } |
117 | 117 | ||
118 | switch (request) { | 118 | switch (request) { |
119 | + case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: | 119 | + case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: |
120 | + switch (value >> 8) { | 120 | + switch (value >> 8) { |