Diffstat (limited to 'meta/recipes-devtools/qemu')
26 files changed, 129 insertions, 732 deletions
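--- a/meta/recipes-devtools/qemu/qemu-native.inc
+++ b/meta/recipes-devtools/qemu/qemu-native.inc
@@ -2,10 +2,6 @@ inherit native
 
 require qemu.inc
 
-SRC_URI_append = " \
-file://0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
-"
-
 EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'"
 
 LDFLAGS_append = " -fuse-ld=bfd"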
diff --git a/meta/recipes-devtools/qemu/qemu-native_5.0.0.bb b/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb index c8acff8e19..c8acff8e19 100644 --- a/meta/recipes-devtools/qemu/qemu-native_5.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb | |||
diff --git a/meta/recipes-devtools/qemu/qemu-system-native_5.0.0.bb b/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb index 7394385d30..7394385d30 100644 --- a/meta/recipes-devtools/qemu/qemu-system-native_5.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb | |||
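--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -29,19 +29,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
 file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
 file://0001-Add-enable-disable-udev.patch \
 file://0001-qemu-Do-not-include-file-if-not-exists.patch \
-file://CVE-2020-13361.patch \
 file://find_datadir.patch \
-file://CVE-2020-10761.patch \
-file://CVE-2020-13362.patch \
-file://CVE-2020-13659.patch \
-file://CVE-2020-13800.patch \
-file://CVE-2020-13791.patch \
-file://CVE-2020-15863.patch \
 "
 UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
 
-SRC_URI[md5sum] = "ede6005d7143fe994dd089d31dc2cf6c"
-SRC_URI[sha256sum] = "2f13a92a0fa5c8b69ff0796b59b86b080bbb92ebad5d301a7724dd06b5e78cb6"
+SRC_URI[sha256sum] = "c9174eb5933d9eb5e61f541cd6d1184cd3118dfe4c5c4955bc1bdc4d390fa4e5"
 
 COMPATIBLE_HOST_mipsarchn32 = "null"
 COMPATIBLE_HOST_mipsarchn64 = "null"
@@ -65,6 +57,7 @@ do_install_ptest() {
 -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include
 sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \
 ${D}/${PTEST_PATH}/tests/qemu-iotests/common.env
+sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh
 }
 
 # QEMU_TARGETS is overridable variable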
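Review bot: The seven `CVE-2020-*.patch` entries removed from `SRC_URI` in the first hunk are dropped with nothing on this page recording that the 5.1.0 tarball already contains each fix. Presumably it does, but that should be confirmed per CVE against the 5.1.0 sources and stated in the commit message, e.g. `Drop CVE-2020-13361, -10761, -13362, -13659, -13800, -13791, -15863 patches: fixed upstream in 5.1.0`. Once the patch files are gone, any scan that recognises a fix by its patch file name depends on the version number alone, so a fix that missed the release would go unnoticed. In the second hunk the new `sed` rewrites the shebang only when line 1 is exactly `#!/usr/bin/bash` and silently does nothing otherwise; do_install_ptest starts outside the hunk.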
diff --git a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch index 40d83fcfa3..1304ee3bfd 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch | |||
@@ -12,13 +12,13 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
12 | configure | 4 ++++ | 12 | configure | 4 ++++ |
13 | 1 file changed, 4 insertions(+) | 13 | 1 file changed, 4 insertions(+) |
14 | 14 | ||
15 | diff --git a/configure b/configure | 15 | Index: qemu-5.1.0/configure |
16 | index 36646e7b..48912a94 100755 | 16 | =================================================================== |
17 | --- a/configure | 17 | --- qemu-5.1.0.orig/configure |
18 | +++ b/configure | 18 | +++ qemu-5.1.0/configure |
19 | @@ -1601,6 +1601,10 @@ for opt do | 19 | @@ -1640,6 +1640,10 @@ for opt do |
20 | ;; | 20 | ;; |
21 | --gdb=*) gdb_bin="$optarg" | 21 | --disable-libdaxctl) libdaxctl=no |
22 | ;; | 22 | ;; |
23 | + --enable-libudev) libudev="yes" | 23 | + --enable-libudev) libudev="yes" |
24 | + ;; | 24 | + ;; |
@@ -27,6 +27,3 @@ index 36646e7b..48912a94 100755 | |||
27 | *) | 27 | *) |
28 | echo "ERROR: unknown option $opt" | 28 | echo "ERROR: unknown option $opt" |
29 | echo "Try '$0 --help' for more information" | 29 | echo "Try '$0 --help' for more information" |
30 | -- | ||
31 | 2.24.0 | ||
32 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch index ae89ae09dd..46c9da08a5 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch | |||
@@ -20,11 +20,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
20 | hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- | 20 | hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- |
21 | 1 file changed, 93 insertions(+), 1 deletion(-) | 21 | 1 file changed, 93 insertions(+), 1 deletion(-) |
22 | 22 | ||
23 | diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c | 23 | Index: qemu-5.1.0/hw/usb/dev-wacom.c |
24 | index 8ed57b3b..1502928b 100644 | 24 | =================================================================== |
25 | --- a/hw/usb/dev-wacom.c | 25 | --- qemu-5.1.0.orig/hw/usb/dev-wacom.c |
26 | +++ b/hw/usb/dev-wacom.c | 26 | +++ qemu-5.1.0/hw/usb/dev-wacom.c |
27 | @@ -74,6 +74,89 @@ static const USBDescStrings desc_strings = { | 27 | @@ -74,6 +74,89 @@ static const USBDescStrings desc_strings |
28 | [STR_SERIALNUMBER] = "1", | 28 | [STR_SERIALNUMBER] = "1", |
29 | }; | 29 | }; |
30 | 30 | ||
@@ -114,7 +114,7 @@ index 8ed57b3b..1502928b 100644 | |||
114 | static const USBDescIface desc_iface_wacom = { | 114 | static const USBDescIface desc_iface_wacom = { |
115 | .bInterfaceNumber = 0, | 115 | .bInterfaceNumber = 0, |
116 | .bNumEndpoints = 1, | 116 | .bNumEndpoints = 1, |
117 | @@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wacom = { | 117 | @@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wac |
118 | 0x00, /* u8 country_code */ | 118 | 0x00, /* u8 country_code */ |
119 | 0x01, /* u8 num_descriptors */ | 119 | 0x01, /* u8 num_descriptors */ |
120 | 0x22, /* u8 type: Report */ | 120 | 0x22, /* u8 type: Report */ |
@@ -123,7 +123,7 @@ index 8ed57b3b..1502928b 100644 | |||
123 | }, | 123 | }, |
124 | }, | 124 | }, |
125 | }, | 125 | }, |
126 | @@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, | 126 | @@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USB |
127 | } | 127 | } |
128 | 128 | ||
129 | switch (request) { | 129 | switch (request) { |
@@ -139,6 +139,3 @@ index 8ed57b3b..1502928b 100644 | |||
139 | case WACOM_SET_REPORT: | 139 | case WACOM_SET_REPORT: |
140 | if (s->mouse_grabbed) { | 140 | if (s->mouse_grabbed) { |
141 | qemu_remove_mouse_event_handler(s->eh_entry); | 141 | qemu_remove_mouse_event_handler(s->eh_entry); |
142 | -- | ||
143 | 2.24.0 | ||
144 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch index 6e38d814cd..678e059463 100644 --- a/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch +++ b/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch | |||
@@ -15,10 +15,10 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
15 | linux-user/syscall.c | 2 ++ | 15 | linux-user/syscall.c | 2 ++ |
16 | 1 file changed, 2 insertions(+) | 16 | 1 file changed, 2 insertions(+) |
17 | 17 | ||
18 | diff --git a/linux-user/syscall.c b/linux-user/syscall.c | 18 | Index: qemu-5.1.0/linux-user/syscall.c |
19 | index d6f8cc97..a61420e7 100644 | 19 | =================================================================== |
20 | --- a/linux-user/syscall.c | 20 | --- qemu-5.1.0.orig/linux-user/syscall.c |
21 | +++ b/linux-user/syscall.c | 21 | +++ qemu-5.1.0/linux-user/syscall.c |
22 | @@ -109,7 +109,9 @@ | 22 | @@ -109,7 +109,9 @@ |
23 | #include <linux/blkpg.h> | 23 | #include <linux/blkpg.h> |
24 | #include <netpacket/packet.h> | 24 | #include <netpacket/packet.h> |
@@ -28,7 +28,4 @@ index d6f8cc97..a61420e7 100644 | |||
28 | +#endif | 28 | +#endif |
29 | #include <linux/rtc.h> | 29 | #include <linux/rtc.h> |
30 | #include <sound/asound.h> | 30 | #include <sound/asound.h> |
31 | #include "linux_loop.h" | 31 | #ifdef HAVE_DRM_H |
32 | -- | ||
33 | 2.24.0 | ||
34 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch index 3d268870fc..f379948f14 100644 --- a/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch +++ b/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch | |||
@@ -16,11 +16,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
16 | tests/Makefile.include | 8 ++++++++ | 16 | tests/Makefile.include | 8 ++++++++ |
17 | 1 file changed, 8 insertions(+) | 17 | 1 file changed, 8 insertions(+) |
18 | 18 | ||
19 | diff --git a/tests/Makefile.include b/tests/Makefile.include | 19 | Index: qemu-5.1.0/tests/Makefile.include |
20 | index 51de6762..1ea4d322 100644 | 20 | =================================================================== |
21 | --- a/tests/Makefile.include | 21 | --- qemu-5.1.0.orig/tests/Makefile.include |
22 | +++ b/tests/Makefile.include | 22 | +++ qemu-5.1.0/tests/Makefile.include |
23 | @@ -941,4 +941,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) | 23 | @@ -982,4 +982,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) |
24 | -include $(wildcard tests/qtest/*.d) | 24 | -include $(wildcard tests/qtest/*.d) |
25 | -include $(wildcard tests/qtest/libqos/*.d) | 25 | -include $(wildcard tests/qtest/libqos/*.d) |
26 | 26 | ||
@@ -33,6 +33,3 @@ index 51de6762..1ea4d322 100644 | |||
33 | + done | 33 | + done |
34 | + | 34 | + |
35 | endif | 35 | endif |
36 | -- | ||
37 | 2.24.0 | ||
38 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch index 012d60d8f0..33cef42217 100644 --- a/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch +++ b/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch | |||
@@ -15,13 +15,13 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com> | |||
15 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | 15 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
16 | 16 | ||
17 | --- | 17 | --- |
18 | hw/mips/mips_malta.c | 2 +- | 18 | hw/mips/malta.c | 2 +- |
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | 19 | 1 file changed, 1 insertion(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c | 21 | Index: qemu-5.1.0/hw/mips/malta.c |
22 | index 92e9ca5b..3a7f3954 100644 | 22 | =================================================================== |
23 | --- a/hw/mips/mips_malta.c | 23 | --- qemu-5.1.0.orig/hw/mips/malta.c |
24 | +++ b/hw/mips/mips_malta.c | 24 | +++ qemu-5.1.0/hw/mips/malta.c |
25 | @@ -59,7 +59,7 @@ | 25 | @@ -59,7 +59,7 @@ |
26 | 26 | ||
27 | #define ENVP_ADDR 0x80002000l | 27 | #define ENVP_ADDR 0x80002000l |
diff --git a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch index bc30397e8c..71f537f9b0 100644 --- a/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch +++ b/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch | |||
@@ -12,11 +12,11 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> | |||
12 | configure | 9 --------- | 12 | configure | 9 --------- |
13 | 1 file changed, 9 deletions(-) | 13 | 1 file changed, 9 deletions(-) |
14 | 14 | ||
15 | diff --git a/configure b/configure | 15 | Index: qemu-5.1.0/configure |
16 | index 6099be1d..a766017b 100755 | 16 | =================================================================== |
17 | --- a/configure | 17 | --- qemu-5.1.0.orig/configure |
18 | +++ b/configure | 18 | +++ qemu-5.1.0/configure |
19 | @@ -5390,15 +5390,6 @@ fi | 19 | @@ -5751,15 +5751,6 @@ fi |
20 | # check if we have valgrind/valgrind.h | 20 | # check if we have valgrind/valgrind.h |
21 | 21 | ||
22 | valgrind_h=no | 22 | valgrind_h=no |
diff --git a/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch index 2c5b241e41..02ebbee1a0 100644 --- a/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch +++ b/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch | |||
@@ -11,11 +11,11 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
11 | configure | 4 ---- | 11 | configure | 4 ---- |
12 | 1 file changed, 4 deletions(-) | 12 | 1 file changed, 4 deletions(-) |
13 | 13 | ||
14 | diff --git a/configure b/configure | 14 | Index: qemu-5.1.0/configure |
15 | index 83c65439..6bdf488c 100755 | 15 | =================================================================== |
16 | --- a/configure | 16 | --- qemu-5.1.0.orig/configure |
17 | +++ b/configure | 17 | +++ qemu-5.1.0/configure |
18 | @@ -6251,10 +6251,6 @@ write_c_skeleton | 18 | @@ -6515,10 +6515,6 @@ write_c_skeleton |
19 | if test "$gcov" = "yes" ; then | 19 | if test "$gcov" = "yes" ; then |
20 | QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS" | 20 | QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS" |
21 | QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS" | 21 | QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS" |
@@ -26,6 +26,3 @@ index 83c65439..6bdf488c 100755 | |||
26 | fi | 26 | fi |
27 | 27 | ||
28 | if test "$have_asan" = "yes"; then | 28 | if test "$have_asan" = "yes"; then |
29 | -- | ||
30 | 2.24.0 | ||
31 | |||
diff --git a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch index 0810ae84c0..98fd5e9133 100644 --- a/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch +++ b/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch | |||
@@ -51,11 +51,11 @@ Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> | |||
51 | qapi/char.json | 5 +++ | 51 | qapi/char.json | 5 +++ |
52 | 3 files changed, 109 insertions(+) | 52 | 3 files changed, 109 insertions(+) |
53 | 53 | ||
54 | diff --git a/chardev/char-socket.c b/chardev/char-socket.c | 54 | Index: qemu-5.1.0/chardev/char-socket.c |
55 | index 185fe38d..54fa4234 100644 | 55 | =================================================================== |
56 | --- a/chardev/char-socket.c | 56 | --- qemu-5.1.0.orig/chardev/char-socket.c |
57 | +++ b/chardev/char-socket.c | 57 | +++ qemu-5.1.0/chardev/char-socket.c |
58 | @@ -1288,6 +1288,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock, | 58 | @@ -1292,6 +1292,67 @@ static bool qmp_chardev_validate_socket( |
59 | return true; | 59 | return true; |
60 | } | 60 | } |
61 | 61 | ||
@@ -123,7 +123,7 @@ index 185fe38d..54fa4234 100644 | |||
123 | 123 | ||
124 | static void qmp_chardev_open_socket(Chardev *chr, | 124 | static void qmp_chardev_open_socket(Chardev *chr, |
125 | ChardevBackend *backend, | 125 | ChardevBackend *backend, |
126 | @@ -1296,6 +1357,9 @@ static void qmp_chardev_open_socket(Chardev *chr, | 126 | @@ -1300,6 +1361,9 @@ static void qmp_chardev_open_socket(Char |
127 | { | 127 | { |
128 | SocketChardev *s = SOCKET_CHARDEV(chr); | 128 | SocketChardev *s = SOCKET_CHARDEV(chr); |
129 | ChardevSocket *sock = backend->u.socket.data; | 129 | ChardevSocket *sock = backend->u.socket.data; |
@@ -133,7 +133,7 @@ index 185fe38d..54fa4234 100644 | |||
133 | bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; | 133 | bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; |
134 | bool is_listen = sock->has_server ? sock->server : true; | 134 | bool is_listen = sock->has_server ? sock->server : true; |
135 | bool is_telnet = sock->has_telnet ? sock->telnet : false; | 135 | bool is_telnet = sock->has_telnet ? sock->telnet : false; |
136 | @@ -1361,6 +1425,14 @@ static void qmp_chardev_open_socket(Chardev *chr, | 136 | @@ -1365,6 +1429,14 @@ static void qmp_chardev_open_socket(Char |
137 | 137 | ||
138 | update_disconnected_filename(s); | 138 | update_disconnected_filename(s); |
139 | 139 | ||
@@ -148,13 +148,15 @@ index 185fe38d..54fa4234 100644 | |||
148 | if (s->is_listen) { | 148 | if (s->is_listen) { |
149 | if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, | 149 | if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, |
150 | is_waitconnect, errp) < 0) { | 150 | is_waitconnect, errp) < 0) { |
151 | @@ -1380,9 +1452,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, | 151 | @@ -1384,11 +1456,27 @@ static void qemu_chr_parse_socket(QemuOp |
152 | const char *host = qemu_opt_get(opts, "host"); | 152 | const char *host = qemu_opt_get(opts, "host"); |
153 | const char *port = qemu_opt_get(opts, "port"); | 153 | const char *port = qemu_opt_get(opts, "port"); |
154 | const char *fd = qemu_opt_get(opts, "fd"); | 154 | const char *fd = qemu_opt_get(opts, "fd"); |
155 | +#ifndef _WIN32 | 155 | +#ifndef _WIN32 |
156 | + const char *cmd = qemu_opt_get(opts, "cmd"); | 156 | + const char *cmd = qemu_opt_get(opts, "cmd"); |
157 | +#endif | 157 | +#endif |
158 | bool tight = qemu_opt_get_bool(opts, "tight", true); | ||
159 | bool abstract = qemu_opt_get_bool(opts, "abstract", false); | ||
158 | SocketAddressLegacy *addr; | 160 | SocketAddressLegacy *addr; |
159 | ChardevSocket *sock; | 161 | ChardevSocket *sock; |
160 | 162 | ||
@@ -171,19 +173,19 @@ index 185fe38d..54fa4234 100644 | |||
171 | + } | 173 | + } |
172 | + } else | 174 | + } else |
173 | +#endif | 175 | +#endif |
174 | + | ||
175 | if ((!!path + !!fd + !!host) != 1) { | 176 | if ((!!path + !!fd + !!host) != 1) { |
176 | error_setg(errp, | 177 | error_setg(errp, |
177 | "Exactly one of 'path', 'fd' or 'host' required"); | 178 | "Exactly one of 'path', 'fd' or 'host' required"); |
178 | @@ -1425,12 +1514,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, | 179 | @@ -1431,12 +1519,24 @@ static void qemu_chr_parse_socket(QemuOp |
179 | sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); | 180 | sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); |
180 | sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); | 181 | sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); |
181 | 182 | ||
183 | - addr = g_new0(SocketAddressLegacy, 1); | ||
182 | +#ifndef _WIN32 | 184 | +#ifndef _WIN32 |
183 | + sock->cmd = g_strdup(cmd); | 185 | + sock->cmd = g_strdup(cmd); |
184 | +#endif | 186 | +#endif |
185 | + | 187 | + |
186 | addr = g_new0(SocketAddressLegacy, 1); | 188 | + addr = g_new0(SocketAddressLegacy, 1); |
187 | +#ifndef _WIN32 | 189 | +#ifndef _WIN32 |
188 | + if (path || cmd) { | 190 | + if (path || cmd) { |
189 | +#else | 191 | +#else |
@@ -197,28 +199,28 @@ index 185fe38d..54fa4234 100644 | |||
197 | +#else | 199 | +#else |
198 | q_unix->path = g_strdup(path); | 200 | q_unix->path = g_strdup(path); |
199 | +#endif | 201 | +#endif |
202 | q_unix->tight = tight; | ||
203 | q_unix->abstract = abstract; | ||
200 | } else if (host) { | 204 | } else if (host) { |
201 | addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET; | 205 | Index: qemu-5.1.0/chardev/char.c |
202 | addr->u.inet.data = g_new(InetSocketAddress, 1); | 206 | =================================================================== |
203 | diff --git a/chardev/char.c b/chardev/char.c | 207 | --- qemu-5.1.0.orig/chardev/char.c |
204 | index 7b6b2cb1..0c2ca64b 100644 | 208 | +++ qemu-5.1.0/chardev/char.c |
205 | --- a/chardev/char.c | 209 | @@ -826,6 +826,9 @@ QemuOptsList qemu_chardev_opts = { |
206 | +++ b/chardev/char.c | ||
207 | @@ -837,6 +837,9 @@ QemuOptsList qemu_chardev_opts = { | ||
208 | },{ | ||
209 | .name = "path", | 210 | .name = "path", |
210 | .type = QEMU_OPT_STRING, | 211 | .type = QEMU_OPT_STRING, |
211 | + },{ | 212 | },{ |
212 | + .name = "cmd", | 213 | + .name = "cmd", |
213 | + .type = QEMU_OPT_STRING, | 214 | + .type = QEMU_OPT_STRING, |
214 | },{ | 215 | + },{ |
215 | .name = "host", | 216 | .name = "host", |
216 | .type = QEMU_OPT_STRING, | 217 | .type = QEMU_OPT_STRING, |
217 | diff --git a/qapi/char.json b/qapi/char.json | 218 | },{ |
218 | index a6e81ac7..517962c6 100644 | 219 | Index: qemu-5.1.0/qapi/char.json |
219 | --- a/qapi/char.json | 220 | =================================================================== |
220 | +++ b/qapi/char.json | 221 | --- qemu-5.1.0.orig/qapi/char.json |
221 | @@ -247,6 +247,10 @@ | 222 | +++ qemu-5.1.0/qapi/char.json |
223 | @@ -250,6 +250,10 @@ | ||
222 | # | 224 | # |
223 | # @addr: socket address to listen on (server=true) | 225 | # @addr: socket address to listen on (server=true) |
224 | # or connect to (server=false) | 226 | # or connect to (server=false) |
@@ -229,7 +231,7 @@ index a6e81ac7..517962c6 100644 | |||
229 | # @tls-creds: the ID of the TLS credentials object (since 2.6) | 231 | # @tls-creds: the ID of the TLS credentials object (since 2.6) |
230 | # @tls-authz: the ID of the QAuthZ authorization object against which | 232 | # @tls-authz: the ID of the QAuthZ authorization object against which |
231 | # the client's x509 distinguished name will be validated. This | 233 | # the client's x509 distinguished name will be validated. This |
232 | @@ -272,6 +276,7 @@ | 234 | @@ -276,6 +280,7 @@ |
233 | ## | 235 | ## |
234 | { 'struct': 'ChardevSocket', | 236 | { 'struct': 'ChardevSocket', |
235 | 'data': { 'addr': 'SocketAddressLegacy', | 237 | 'data': { 'addr': 'SocketAddressLegacy', |
diff --git a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch index 89baad9b7f..034ac57821 100644 --- a/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch +++ b/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch | |||
@@ -29,11 +29,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com> | |||
29 | hw/intc/apic.c | 2 +- | 29 | hw/intc/apic.c | 2 +- |
30 | 1 file changed, 1 insertion(+), 1 deletion(-) | 30 | 1 file changed, 1 insertion(+), 1 deletion(-) |
31 | 31 | ||
32 | diff --git a/hw/intc/apic.c b/hw/intc/apic.c | 32 | Index: qemu-5.1.0/hw/intc/apic.c |
33 | index 2a74f7b4..4d5da365 100644 | 33 | =================================================================== |
34 | --- a/hw/intc/apic.c | 34 | --- qemu-5.1.0.orig/hw/intc/apic.c |
35 | +++ b/hw/intc/apic.c | 35 | +++ qemu-5.1.0/hw/intc/apic.c |
36 | @@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev) | 36 | @@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *de |
37 | APICCommonState *s = APIC(dev); | 37 | APICCommonState *s = APIC(dev); |
38 | uint32_t lvt0; | 38 | uint32_t lvt0; |
39 | 39 | ||
diff --git a/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch index 30bb4ddf26..d20f04ee59 100644 --- a/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch +++ b/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch | |||
@@ -18,11 +18,11 @@ Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> | |||
18 | linux-user/main.c | 2 +- | 18 | linux-user/main.c | 2 +- |
19 | 1 file changed, 1 insertion(+), 1 deletion(-) | 19 | 1 file changed, 1 insertion(+), 1 deletion(-) |
20 | 20 | ||
21 | diff --git a/linux-user/main.c b/linux-user/main.c | 21 | Index: qemu-5.1.0/linux-user/main.c |
22 | index 6ff7851e..ebff0485 100644 | 22 | =================================================================== |
23 | --- a/linux-user/main.c | 23 | --- qemu-5.1.0.orig/linux-user/main.c |
24 | +++ b/linux-user/main.c | 24 | +++ qemu-5.1.0/linux-user/main.c |
25 | @@ -78,7 +78,7 @@ int have_guest_base; | 25 | @@ -92,7 +92,7 @@ static int last_log_mask; |
26 | (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32)) | 26 | (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32)) |
27 | /* There are a number of places where we assign reserved_va to a variable | 27 | /* There are a number of places where we assign reserved_va to a variable |
28 | of type abi_ulong and expect it to fit. Avoid the last page. */ | 28 | of type abi_ulong and expect it to fit. Avoid the last page. */ |
diff --git a/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch index eef3f3f97f..f2a44986b7 100644 --- a/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch +++ b/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch | |||
@@ -28,29 +28,29 @@ Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> | |||
28 | linux-user/syscall.c | 5 +---- | 28 | linux-user/syscall.c | 5 +---- |
29 | 4 files changed, 10 insertions(+), 23 deletions(-) | 29 | 4 files changed, 10 insertions(+), 23 deletions(-) |
30 | 30 | ||
31 | diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h | 31 | Index: qemu-5.1.0/include/exec/cpu-all.h |
32 | index 49384bb6..93b12519 100644 | 32 | =================================================================== |
33 | --- a/include/exec/cpu-all.h | 33 | --- qemu-5.1.0.orig/include/exec/cpu-all.h |
34 | +++ b/include/exec/cpu-all.h | 34 | +++ qemu-5.1.0/include/exec/cpu-all.h |
35 | @@ -162,12 +162,8 @@ extern unsigned long guest_base; | 35 | @@ -176,11 +176,8 @@ extern unsigned long reserved_va; |
36 | extern int have_guest_base; | 36 | * avoid setting bits at the top of guest addresses that might need |
37 | extern unsigned long reserved_va; | 37 | * to be used for tags. |
38 | 38 | */ | |
39 | -#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS | 39 | -#define GUEST_ADDR_MAX_ \ |
40 | -#define GUEST_ADDR_MAX (~0ul) | 40 | - ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ? \ |
41 | -#else | 41 | - UINT32_MAX : ~0ul) |
42 | -#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : \ | 42 | -#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_) |
43 | - | ||
43 | +#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \ | 44 | +#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \ |
44 | (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1) | 45 | + (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1) |
45 | -#endif | ||
46 | #else | 46 | #else |
47 | 47 | ||
48 | #include "exec/hwaddr.h" | 48 | #include "exec/hwaddr.h" |
49 | diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h | 49 | Index: qemu-5.1.0/include/exec/cpu_ldst.h |
50 | index 53de1975..cf19ed2e 100644 | 50 | =================================================================== |
51 | --- a/include/exec/cpu_ldst.h | 51 | --- qemu-5.1.0.orig/include/exec/cpu_ldst.h |
52 | +++ b/include/exec/cpu_ldst.h | 52 | +++ qemu-5.1.0/include/exec/cpu_ldst.h |
53 | @@ -70,7 +70,10 @@ typedef uint64_t abi_ptr; | 53 | @@ -75,7 +75,10 @@ typedef uint64_t abi_ptr; |
54 | #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS | 54 | #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS |
55 | #define guest_addr_valid(x) (1) | 55 | #define guest_addr_valid(x) (1) |
56 | #else | 56 | #else |
@@ -62,11 +62,11 @@ index 53de1975..cf19ed2e 100644 | |||
62 | #endif | 62 | #endif |
63 | #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) | 63 | #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) |
64 | 64 | ||
65 | diff --git a/linux-user/mmap.c b/linux-user/mmap.c | 65 | Index: qemu-5.1.0/linux-user/mmap.c |
66 | index e3780337..1d4aba95 100644 | 66 | =================================================================== |
67 | --- a/linux-user/mmap.c | 67 | --- qemu-5.1.0.orig/linux-user/mmap.c |
68 | +++ b/linux-user/mmap.c | 68 | +++ qemu-5.1.0/linux-user/mmap.c |
69 | @@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot) | 69 | @@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi |
70 | return -TARGET_EINVAL; | 70 | return -TARGET_EINVAL; |
71 | len = TARGET_PAGE_ALIGN(len); | 71 | len = TARGET_PAGE_ALIGN(len); |
72 | end = start + len; | 72 | end = start + len; |
@@ -75,18 +75,18 @@ index e3780337..1d4aba95 100644 | |||
75 | return -TARGET_ENOMEM; | 75 | return -TARGET_ENOMEM; |
76 | } | 76 | } |
77 | prot &= PROT_READ | PROT_WRITE | PROT_EXEC; | 77 | prot &= PROT_READ | PROT_WRITE | PROT_EXEC; |
78 | @@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, | 78 | @@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, ab |
79 | * It can fail only on 64-bit host with 32-bit target. | 79 | * It can fail only on 64-bit host with 32-bit target. |
80 | * On any other target/host host mmap() handles this error correctly. | 80 | * On any other target/host host mmap() handles this error correctly. |
81 | */ | 81 | */ |
82 | - if (!guest_range_valid(start, len)) { | 82 | - if (end < start || !guest_range_valid(start, len)) { |
83 | - errno = ENOMEM; | 83 | - errno = ENOMEM; |
84 | + if ((unsigned long)start + len - 1 > (abi_ulong) -1) { | 84 | + if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1)) { |
85 | + errno = EINVAL; | 85 | + errno = EINVAL; |
86 | goto fail; | 86 | goto fail; |
87 | } | 87 | } |
88 | 88 | ||
89 | @@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_ulong len) | 89 | @@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_u |
90 | if (start & ~TARGET_PAGE_MASK) | 90 | if (start & ~TARGET_PAGE_MASK) |
91 | return -TARGET_EINVAL; | 91 | return -TARGET_EINVAL; |
92 | len = TARGET_PAGE_ALIGN(len); | 92 | len = TARGET_PAGE_ALIGN(len); |
@@ -98,7 +98,7 @@ index e3780337..1d4aba95 100644 | |||
98 | mmap_lock(); | 98 | mmap_lock(); |
99 | end = start + len; | 99 | end = start + len; |
100 | real_start = start & qemu_host_page_mask; | 100 | real_start = start & qemu_host_page_mask; |
101 | @@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size, | 101 | @@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_add |
102 | int prot; | 102 | int prot; |
103 | void *host_addr; | 103 | void *host_addr; |
104 | 104 | ||
@@ -112,11 +112,11 @@ index e3780337..1d4aba95 100644 | |||
112 | mmap_lock(); | 112 | mmap_lock(); |
113 | 113 | ||
114 | if (flags & MREMAP_FIXED) { | 114 | if (flags & MREMAP_FIXED) { |
115 | diff --git a/linux-user/syscall.c b/linux-user/syscall.c | 115 | Index: qemu-5.1.0/linux-user/syscall.c |
116 | index 05f03919..d6f8cc97 100644 | 116 | =================================================================== |
117 | --- a/linux-user/syscall.c | 117 | --- qemu-5.1.0.orig/linux-user/syscall.c |
118 | +++ b/linux-user/syscall.c | 118 | +++ qemu-5.1.0/linux-user/syscall.c |
119 | @@ -4287,9 +4287,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env, | 119 | @@ -4336,9 +4336,6 @@ static inline abi_ulong do_shmat(CPUArch |
120 | return -TARGET_EINVAL; | 120 | return -TARGET_EINVAL; |
121 | } | 121 | } |
122 | } | 122 | } |
@@ -126,7 +126,7 @@ index 05f03919..d6f8cc97 100644 | |||
126 | 126 | ||
127 | mmap_lock(); | 127 | mmap_lock(); |
128 | 128 | ||
129 | @@ -7247,7 +7244,7 @@ static int open_self_maps(void *cpu_env, int fd) | 129 | @@ -7376,7 +7373,7 @@ static int open_self_maps(void *cpu_env, |
130 | const char *path; | 130 | const char *path; |
131 | 131 | ||
132 | max = h2g_valid(max - 1) ? | 132 | max = h2g_valid(max - 1) ? |
@@ -135,6 +135,3 @@ index 05f03919..d6f8cc97 100644 | |||
135 | 135 | ||
136 | if (page_check_range(h2g(min), max - min, flags) == -1) { | 136 | if (page_check_range(h2g(min), max - min, flags) == -1) { |
137 | continue; | 137 | continue; |
138 | -- | ||
139 | 2.24.0 | ||
140 | |||
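--- a/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
+++ b/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -14,11 +14,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
 configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 8 deletions(-)
 
-diff --git a/configure b/configure
-index 72f11aca..cac271ce 100755
---- a/configure
-+++ b/configure
-@@ -2875,6 +2875,30 @@ has_libgcrypt() {
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -3084,6 +3084,30 @@ has_libgcrypt() {
 return 0
 }
 
@@ -49,7 +49,7 @@ index 72f11aca..cac271ce 100755
 
 if test "$nettle" != "no"; then
 pass="no"
-@@ -2915,7 +2939,14 @@ fi
+@@ -3124,7 +3148,14 @@ fi
 
 if test "$gcrypt" != "no"; then
 pass="no"
@@ -65,7 +65,7 @@ index 72f11aca..cac271ce 100755
 gcrypt_cflags=$(libgcrypt-config --cflags)
 gcrypt_libs=$(libgcrypt-config --libs)
 # Debian has removed -lgpg-error from libgcrypt-config
-@@ -2925,15 +2956,16 @@ if test "$gcrypt" != "no"; then
+@@ -3134,15 +3165,16 @@ if test "$gcrypt" != "no"; then
 then
 gcrypt_libs="$gcrypt_libs -lgpg-error"
 fi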
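--- a/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 0a53e906510cce1f32bc04a11e81ea40f834dac4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
-Date: Wed, 12 Aug 2015 15:11:30 -0500
-Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add custom_debug.h with function for print backtrace information.
-When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
-current cpu information.
-
-Upstream-Status: Inappropriate
-Signed-off-by: AnÃ­bal Limón <anibal.limon@linux.intel.com>
-
----
-cpus.c | 5 +++++
-custom_debug.h | 24 ++++++++++++++++++++++++
-2 files changed, 29 insertions(+)
-create mode 100644 custom_debug.h
-
-diff --git a/cpus.c b/cpus.c
-index e83f72b4..e6e2576e 100644
---- a/cpus.c
-+++ b/cpus.c
-@@ -1769,6 +1769,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
-return NULL;
-}
-
-+#include "custom_debug.h"
-+
-static void qemu_cpu_kick_thread(CPUState *cpu)
-{
-#ifndef _WIN32
-@@ -1781,6 +1783,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
-err = pthread_kill(cpu->thread->thread, SIG_IPI);
-if (err && err != ESRCH) {
-fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
-+ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
-+ cpu_dump_state(cpu, stderr, 0);
-+ backtrace_print();
-exit(1);
-}
-#else /* _WIN32 */
-diff --git a/custom_debug.h b/custom_debug.h
-new file mode 100644
-index 00000000..f029e455
---- /dev/null
-+++ b/custom_debug.h
-@@ -0,0 +1,24 @@
-+#include <execinfo.h>
-+#include <stdio.h>
-+#define BACKTRACE_MAX 128
-+static void backtrace_print(void)
-+{
-+ int nfuncs = 0;
-+ void *buf[BACKTRACE_MAX];
-+ char **symbols;
-+ int i;
-+
-+ nfuncs = backtrace(buf, BACKTRACE_MAX);
-+
-+ symbols = backtrace_symbols(buf, nfuncs);
-+ if (symbols == NULL) {
-+ fprintf(stderr, "backtrace_print failed to get symbols");
-+ return;
-+ }
-+
-+ fprintf(stderr, "Backtrace ...\n");
-+ for (i = 0; i < nfuncs; i++)
-+ fprintf(stderr, "%s\n", symbols[i]);
-+
-+ free(symbols);
-+}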
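--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 5c4fe018c025740fef4a0a4421e8162db0c3eefd Mon Sep 17 00:00:00 2001
-From: Eric Blake <eblake@redhat.com>
-Date: Mon, 8 Jun 2020 13:26:37 -0500
-Subject: [PATCH] nbd/server: Avoid long error message assertions
-CVE-2020-10761
-
-Ever since commit 36683283 (v2.8), the server code asserts that error
-strings sent to the client are well-formed per the protocol by not
-exceeding the maximum string length of 4096. At the time the server
-first started sending error messages, the assertion could not be
-triggered, because messages were completely under our control.
-However, over the years, we have added latent scenarios where a client
-could trigger the server to attempt an error message that would
-include the client's information if it passed other checks first:
-
-- requesting NBD_OPT_INFO/GO on an export name that is not present
-(commit 0cfae925 in v2.12 echoes the name)
-
-- requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is
-not present (commit e7b1948d in v2.12 echoes the name)
-
-At the time, those were still safe because we flagged names larger
-than 256 bytes with a different message; but that changed in commit
-93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD
-string limit. (That commit also failed to change the magic number
-4096 in nbd_negotiate_send_rep_err to the just-introduced named
-constant.) So with that commit, long client names appended to server
-text can now trigger the assertion, and thus be used as a denial of
-service attack against a server. As a mitigating factor, if the
-server requires TLS, the client cannot trigger the problematic paths
-unless it first supplies TLS credentials, and such trusted clients are
-less likely to try to intentionally crash the server.
-
-We may later want to further sanitize the user-supplied strings we
-place into our error messages, such as scrubbing out control
-characters, but that is less important to the CVE fix, so it can be a
-later patch to the new nbd_sanitize_name.
-
-Consideration was given to changing the assertion in
-nbd_negotiate_send_rep_verr to instead merely log a server error and
-truncate the message, to avoid leaving a latent path that could
-trigger a future CVE DoS on any new error message. However, this
-merely complicates the code for something that is already (correctly)
-flagging coding errors, and now that we are aware of the long message
-pitfall, we are less likely to introduce such errors in the future,
-which would make such error handling dead code.
-
-Reported-by: Xueqiang Wei <xuwei@redhat.com>
-CC: qemu-stable@nongnu.org
-Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761
-Fixes: 93676c88d7
-Signed-off-by: Eric Blake <eblake@redhat.com>
-Message-Id: <20200610163741.3745251-2-eblake@redhat.com>
-Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
-
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/5c4fe018c025740fef4a0a4421e8162db0c3eefd]
-CVE: CVE-2020-10761
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
-nbd/server.c | 23 ++++++++++++++++++++---
-tests/qemu-iotests/143 | 4 ++++
-tests/qemu-iotests/143.out | 2 ++
-3 files changed, 26 insertions(+), 3 deletions(-)
-
-diff --git a/nbd/server.c b/nbd/server.c
-index 02b1ed08014..20754e9ebc3 100644
---- a/nbd/server.c
-+++ b/nbd/server.c
-@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
-
-msg = g_strdup_vprintf(fmt, va);
-len = strlen(msg);
-- assert(len < 4096);
-+ assert(len < NBD_MAX_STRING_SIZE);
-trace_nbd_negotiate_send_rep_err(msg);
-ret = nbd_negotiate_send_rep_len(client, type, len, errp);
-if (ret < 0) {
-@@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type,
-return 0;
-}
-
-+/*
-+ * Return a malloc'd copy of @name suitable for use in an error reply.
-+ */
-+static char *
-+nbd_sanitize_name(const char *name)
-+{
-+ if (strnlen(name, 80) < 80) {
-+ return g_strdup(name);
-+ }
-+ /* XXX Should we also try to sanitize any control characters? */
-+ return g_strdup_printf("%.80s...", name);
-+}
-+
-/* Send an error reply.
-* Return -errno on error, 0 on success. */
-static int GCC_FMT_ATTR(4, 5)
-@@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp)
-
-exp = nbd_export_find(name);
-if (!exp) {
-+ g_autofree char *sane_name = nbd_sanitize_name(name);
-+
-return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN,
-errp, "export '%s' not present",
-- name);
-+ sane_name);
-}
-
-/* Don't bother sending NBD_INFO_NAME unless client requested it */
-@@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client,
-
-meta->exp = nbd_export_find(export_name);
-if (meta->exp == NULL) {
-+ g_autofree char *sane_name = nbd_sanitize_name(export_name);
-+
-return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp,
-- "export '%s' not present", export_name);
-+ "export '%s' not present", sane_name);
-}
-
-ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp);
-diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143
-index f649b361950..d2349903b1b 100755
---- a/tests/qemu-iotests/143
-+++ b/tests/qemu-iotests/143
-@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \
-$QEMU_IO_PROG -f raw -c quit \
-"nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \
-| _filter_qemu_io | _filter_nbd
-+# Likewise, with longest possible name permitted in NBD protocol
-+$QEMU_IO_PROG -f raw -c quit \
-+ "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \
-+ | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/'
-
-_send_qemu_cmd $QEMU_HANDLE \
-"{ 'execute': 'quit' }" \
-diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out
-index 1f4001c6013..fc9c0a761fa 100644
---- a/tests/qemu-iotests/143.out
-+++ b/tests/qemu-iotests/143.out
-@@ -5,6 +5,8 @@ QA output created by 143
-{"return": {}}
-qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available
-server reported: export 'no_such_export' not present
-+qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available
-+server reported: export 'aa--aa...' not present
-{ 'execute': 'quit' }
-{"return": {}}
-{"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}}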
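--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From 369ff955a8497988d079c4e3fa1e93c2570c1c69 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 15 May 2020 01:36:08 +0530
-Subject: [PATCH] es1370: check total frame count against current frame
-
-A guest user may set channel frame count via es1370_write()
-such that, in es1370_transfer_audio(), total frame count
-'size' is lesser than the number of frames that are processed
-'cnt'.
-
-int cnt = d->frame_cnt >> 16;
-int size = d->frame_cnt & 0xffff;
-
-if (size < cnt), it results in incorrect calculations leading
-to OOB access issue(s). Add check to avoid it.
-
-Reported-by: Ren Ding <rding@gatech.edu>
-Reported-by: Hanqing Zhao <hanqing@gatech.edu>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20200514200608.1744203-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
-Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html]
-CVE: CVE-2020-13361
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
-hw/audio/es1370.c | 7 +++++--
-1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 89c4dabcd44..5f8a83ff562 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
-int csc_bytes = (csc + 1) << d->shift;
-int cnt = d->frame_cnt >> 16;
-int size = d->frame_cnt & 0xffff;
-+ if (size < cnt) {
-+ return;
-+ }
-int left = ((size - cnt + 1) << 2) + d->leftover;
-int transferred = 0;
-int temp = MIN (max, MIN (left, csc_bytes));
-@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
-addr += (cnt << 2) + d->leftover;
-
-if (index == ADC_CHANNEL) {
-- while (temp) {
-+ while (temp > 0) {
-int acquired, to_copy;
-
-to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
-@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
-else {
-SWVoiceOut *voice = s->dac_voice[index];
-
-- while (temp) {
-+ while (temp > 0) {
-int copied, to_copy;
-
-to_copy = MIN ((size_t) temp, sizeof (tmpbuf));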
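--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 14 May 2020 00:55:38 +0530
-Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check
-index
-
-A guest user may set 'reply_queue_head' field of MegasasState to
-a negative value. Later in 'megasas_lookup_frame' it is used to
-index into s->frames[] array. Use unsigned type to avoid OOB
-access issue.
-
-Also check that 'index' value stays within s->frames[] bounds
-through the while() loop in 'megasas_lookup_frame' to avoid OOB
-access.
-
-Reported-by: Ren Ding <rding@gatech.edu>
-Reported-by: Hanqing Zhao <hanqing@gatech.edu>
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Acked-by: Alexander Bulekov <alxndr@bu.edu>
-Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661]
-CVE: CVE-2020-13362
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
-hw/scsi/megasas.c | 4 ++--
-1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index af18c88b65..6ce598cd69 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -112,7 +112,7 @@ typedef struct MegasasState {
-uint64_t reply_queue_pa;
-void *reply_queue;
-int reply_queue_len;
-- int reply_queue_head;
-+ uint16_t reply_queue_head;
-int reply_queue_tail;
-uint64_t consumer_pa;
-uint64_t producer_pa;
-@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
-
-index = s->reply_queue_head;
-
-- while (num < s->fw_cmds) {
-+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
-if (s->frames[index].pa && s->frames[index].pa == frame) {
-cmd = &s->frames[index];
-break;
---
-2.20.1
-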
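--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 26 May 2020 16:47:43 +0530
-Subject: [PATCH] exec: set map length to zero when returning NULL
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When mapping physical memory into host's virtual address space,
-'address_space_map' may return NULL if BounceBuffer is in_use.
-Set and return '*plen = 0' to avoid later NULL pointer dereference.
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Fixes: https://bugs.launchpad.net/qemu/+bug/1878259
-Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
-Suggested-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200526111743.428367-1-ppandit@redhat.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [77f55eac6c433e23e82a1b88b2d74f385c4c7d82]
-CVE: CVE-2020-13659
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
-exec.c | 1 +
-include/exec/memory.h | 3 ++-
-2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/exec.c b/exec.c
-index 9cbde85d8c..778263f1c6 100644
---- a/exec.c
-+++ b/exec.c
-@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as,
-
-if (!memory_access_is_direct(mr, is_write)) {
-if (atomic_xchg(&bounce.in_use, true)) {
-+ *plen = 0;
-return NULL;
-}
-/* Avoid unbounded allocations */
-diff --git a/include/exec/memory.h b/include/exec/memory.h
-index bd7fdd6081..af8ca7824e 100644
---- a/include/exec/memory.h
-+++ b/include/exec/memory.h
-@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len,
-/* address_space_map: map a physical memory region into a host virtual address
-*
-* May map a subset of the requested range, given by and returned in @plen.
-- * May return %NULL if resources needed to perform the mapping are exhausted.
-+ * May return %NULL and set *@plen to zero(0), if resources needed to perform
-+ * the mapping are exhausted.
-* Use only for reads OR writes - not for read-modify-write operations.
-* Use cpu_register_map_client() to know when retrying the map operation is
-* likely to succeed.
---
-2.20.1
-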
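--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13791.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From f7d6a635fa3b7797f9d072e280f065bf3cfcd24d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 4 Jun 2020 17:05:25 +0530
-Subject: [PATCH] pci: assert configuration access is within bounds
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While accessing PCI configuration bytes, assert that
-'address + len' is within PCI configuration space.
-
-Generally it is within bounds. This is more of a defensive
-assert, in case a buggy device was to send 'address' which
-may go out of bounds.
-
-Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-Id: <20200604113525.58898-1-ppandit@redhat.com>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-
-Upstream-Status: Backport [f7d6a635fa3b7797f9d072e280f065bf3cfcd24d]
-CVE: CVE-2020-13791
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
-hw/pci/pci.c | 4 ++++
-1 file changed, 4 insertions(+)
-
-diff --git a/hw/pci/pci.c b/hw/pci/pci.c
-index 70c66965f5..7bf2ae6d92 100644
---- a/hw/pci/pci.c
-+++ b/hw/pci/pci.c
-@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
-{
-uint32_t val = 0;
-
-+ assert(address + len <= pci_config_size(d));
-+
-if (pci_is_express_downstream_port(d) &&
-ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
-pcie_sync_bridge_lnk(d);
-@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t addr, uint32_t val_in, int
-int i, was_irq_disabled = pci_irq_disabled(d);
-uint32_t val = val_in;
-
-+ assert(addr + l <= pci_config_size(d));
-+
-for (i = 0; i < l; val >>= 8, ++i) {
-uint8_t wmask = d->wmask[addr + i];
-uint8_t w1cmask = d->w1cmask[addr + i];
---
-2.20.1
-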
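--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 4 Jun 2020 14:38:30 +0530
-Subject: [PATCH] ati-vga: check mm_index before recursive call
-(CVE-2020-13800)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While accessing VGA registers via ati_mm_read/write routines,
-a guest may set 's->regs.mm_index' such that it leads to infinite
-recursion. Check mm_index value to avoid such recursion. Log an
-error message for wrong values.
-
-Reported-by: Ren Ding <rding@gatech.edu>
-Reported-by: Hanqing Zhao <hanqing@gatech.edu>
-Reported-by: Yi Ren <c4tren@gmail.com>
-Message-id: 20200604090830.33885-1-ppandit@redhat.com
-Suggested-by: BALATON Zoltan <balaton@eik.bme.hu>
-Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
-Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455]
-CVE: CVE-2020-13800
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
-hw/display/ati.c | 10 ++++++++--
-1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/ati.c b/hw/display/ati.c
-index 065f197678..67604e68de 100644
---- a/hw/display/ati.c
-+++ b/hw/display/ati.c
-@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size)
-if (idx <= s->vga.vram_size - size) {
-val = ldn_le_p(s->vga.vram_ptr + idx, size);
-}
-- } else {
-+ } else if (s->regs.mm_index > MM_DATA + 3) {
-val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size);
-+ } else {
-+ qemu_log_mask(LOG_GUEST_ERROR,
-+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index);
-}
-break;
-case BIOS_0_SCRATCH ... BUS_CNTL - 1:
-@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr,
-if (idx <= s->vga.vram_size - size) {
-stn_le_p(s->vga.vram_ptr + idx, size, data);
-}
-- } else {
-+ } else if (s->regs.mm_index > MM_DATA + 3) {
-ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size);
-+ } else {
-+ qemu_log_mask(LOG_GUEST_ERROR,
-+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index);
-}
-break;
-case BIOS_0_SCRATCH ... BUS_CNTL - 1:
---
-2.20.1
-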
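--- a/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Fri, 10 Jul 2020 11:19:41 +0200
-Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send()
-
-A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It
-occurs while sending an Ethernet frame due to missing break statements
-and improper checking of the buffer size.
-
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555]
-CVE: CVE-2020-15863
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
-hw/net/xgmac.c | 14 ++++++++++++--
-1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c
-index 574dd47..5bf1b61 100644
---- a/hw/net/xgmac.c
-+++ b/hw/net/xgmac.c
-@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s)
-}
-len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff);
-
-+ /*
-+ * FIXME: these cases of malformed tx descriptors (bad sizes)
-+ * should probably be reported back to the guest somehow
-+ * rather than simply silently stopping processing, but we
-+ * don't know what the hardware does in this situation.
-+ * This will only happen for buggy guests anyway.
-+ */
-if ((bd.buffer1_size & 0xfff) > 2048) {
-DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
-"xgmac buffer 1 len on send > 2048 (0x%x)\n",
-__func__, bd.buffer1_size & 0xfff);
-+ break;
-}
-if ((bd.buffer2_size & 0xfff) != 0) {
-DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- "
-"xgmac buffer 2 len on send != 0 (0x%x)\n",
-__func__, bd.buffer2_size & 0xfff);
-+ break;
-}
-- if (len >= sizeof(frame)) {
-+ if (frame_size + len >= sizeof(frame)) {
-DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu "
-- "buffer\n" , __func__, len, sizeof(frame));
-+ "buffer\n" , __func__, frame_size + len, sizeof(frame));
-DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n",
-__func__, bd.buffer1_size, bd.buffer2_size);
-+ break;
-}
-
-cpu_physical_memory_read(bd.buffer1_addr, ptr, len);
---
-1.8.3.1
-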
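--- a/meta/recipes-devtools/qemu/qemu/find_datadir.patch
+++ b/meta/recipes-devtools/qemu/qemu/find_datadir.patch
@@ -9,8 +9,10 @@ Upstream-Status: Submitted [qemu-devel@nongnu.org]
 Signed-off-by: Joe Slater <joe.slater@windriver.com>
 
 
---- a/os-posix.c
-+++ b/os-posix.c
+Index: qemu-5.1.0/os-posix.c
+===================================================================
+--- qemu-5.1.0.orig/os-posix.c
++++ qemu-5.1.0/os-posix.c
 @@ -82,8 +82,9 @@ void os_setup_signal_handling(void)
 
 /*
@@ -19,10 +21,10 @@ Signed-off-by: Joe Slater <joe.slater@windriver.com>
 * When running from the build tree this will be "$bindir/../pc-bios".
 - * Otherwise, this is CONFIG_QEMU_DATADIR.
 + * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure.
-*/
-char *os_find_datadir(void)
-{
-@@ -93,6 +94,12 @@ char *os_find_datadir(void)
+*
+* The caller must use g_free() to free the returned data when it is
+* no longer required.
+@@ -96,6 +97,12 @@ char *os_find_datadir(void)
 exec_dir = qemu_get_exec_dir();
 g_return_val_if_fail(exec_dir != NULL, NULL);
 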
diff --git a/meta/recipes-devtools/qemu/qemu_5.0.0.bb b/meta/recipes-devtools/qemu/qemu_5.1.0.bb index 9b09490269..9b09490269 100644 --- a/meta/recipes-devtools/qemu/qemu_5.0.0.bb +++ b/meta/recipes-devtools/qemu/qemu_5.1.0.bb | |||