Diffstat (limited to 'meta/recipes-devtools/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch | 45 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch | 183 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/disable-grabs.patch | 4 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch | 6 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch | 138 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch | 150 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch | 101 | ||||
-rw-r--r-- | meta/recipes-devtools/qemu/qemu_2.6.0.bb (renamed from meta/recipes-devtools/qemu/qemu_2.5.1.1.bb) | 9 |
8 files changed, 7 insertions, 629 deletions
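--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Prasad J Pandit <address@hidden>
-
-USB Ehci emulation supports host controller capability registers.
-But its mmio '.write' function was missing, which lead to a null
-pointer dereference issue. Add a do nothing 'ehci_caps_write'
-definition to avoid it; Do nothing because capability registers
-are Read Only(RO).
-
-Reported-by: Zuozhi Fzz <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
-
-Upstream-Status: Backport
-https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html
-
-CVE: CVE-2016-2198
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-hw/usb/hcd-ehci.c | 6 ++++++
-1 file changed, 6 insertions(+)
-
-Index: qemu-2.5.0/hw/usb/hcd-ehci.c
-===================================================================
---- qemu-2.5.0.orig/hw/usb/hcd-ehci.c
-+++ qemu-2.5.0/hw/usb/hcd-ehci.c
-@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr
-return s->caps[addr];
-}
-
-+static void ehci_caps_write(void *ptr, hwaddr addr,
-+ uint64_t val, unsigned size)
-+{
-+}
-+
-static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
-unsigned size)
-{
-@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaqu
-
-static const MemoryRegionOps ehci_mmio_caps_ops = {
-.read = ehci_caps_read,
-+ .write = ehci_caps_write,
-.valid.min_access_size = 1,
-.valid.max_access_size = 4,
-.impl.min_access_size = 1,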
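--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:18 +0100
-Subject: [PATCH] rng: add request queue support to rng-random
-
-Requests are now created in the RngBackend parent class and the
-code path is shared by both rng-egd and rng-random.
-
-This commit fixes the rng-random implementation which processed
-only one request at a time and simply discarded all but the most
-recent one. In the guest this manifested as delayed completion
-of reads from virtio-rng, i.e. a read was completed only after
-another read was issued.
-
-By switching rng-random to use the same request queue as rng-egd,
-the unsafe stack-based allocation of the entropy buffer is
-eliminated and replaced with g_malloc.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-CVE: CVE-2016-2858
-
-http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-backends/rng-egd.c | 16 ++--------------
-backends/rng-random.c | 43 +++++++++++++++++++------------------------
-backends/rng.c | 13 ++++++++++++-
-include/sysemu/rng.h | 3 +--
-4 files changed, 34 insertions(+), 41 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -26,20 +26,10 @@ typedef struct RngEgd
-char *chr_name;
-} RngEgd;
-
--static void rng_egd_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
-{
-RngEgd *s = RNG_EGD(b);
-- RngRequest *req;
--
-- req = g_malloc(sizeof(*req));
--
-- req->offset = 0;
-- req->size = size;
-- req->receive_entropy = receive_entropy;
-- req->opaque = opaque;
-- req->data = g_malloc(req->size);
-+ size_t size = req->size;
-
-while (size > 0) {
-uint8_t header[2];
-@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngB
-
-size -= len;
-}
--
-- s->parent.requests = g_slist_append(s->parent.requests, req);
-}
-
-static int rng_egd_chr_can_read(void *opaque)
-Index: qemu-2.5.0/backends/rng-random.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-random.c
-+++ qemu-2.5.0/backends/rng-random.c
-@@ -21,10 +21,6 @@ struct RndRandom
-
-int fd;
-char *filename;
--
-- EntropyReceiveFunc *receive_func;
-- void *opaque;
-- size_t size;
-};
-
-/**
-@@ -37,36 +33,35 @@ struct RndRandom
-static void entropy_available(void *opaque)
-{
-RndRandom *s = RNG_RANDOM(opaque);
-- uint8_t buffer[s->size];
-- ssize_t len;
-
-- len = read(s->fd, buffer, s->size);
-- if (len < 0 && errno == EAGAIN) {
-- return;
-- }
-- g_assert(len != -1);
-+ while (s->parent.requests != NULL) {
-+ RngRequest *req = s->parent.requests->data;
-+ ssize_t len;
-+
-+ len = read(s->fd, req->data, req->size);
-+ if (len < 0 && errno == EAGAIN) {
-+ return;
-+ }
-+ g_assert(len != -1);
-+
-+ req->receive_entropy(req->opaque, req->data, len);
-
-- s->receive_func(s->opaque, buffer, len);
-- s->receive_func = NULL;
-+ rng_backend_finalize_request(&s->parent, req);
-+ }
-
-+ /* We've drained all requests, the fd handler can be reset. */
-qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
-}
-
--static void rng_random_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
-{
-RndRandom *s = RNG_RANDOM(b);
-
-- if (s->receive_func) {
-- s->receive_func(s->opaque, NULL, 0);
-+ if (s->parent.requests == NULL) {
-+ /* If there are no pending requests yet, we need to
-+ * install our fd handler. */
-+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
-}
--
-- s->receive_func = receive_entropy;
-- s->opaque = opaque;
-- s->size = size;
--
-- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
-}
-
-static void rng_random_opened(RngBackend *b, Error **errp)
-Index: qemu-2.5.0/backends/rng.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng.c
-+++ qemu-2.5.0/backends/rng.c
-@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBack
-void *opaque)
-{
-RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
-+ RngRequest *req;
-
-if (k->request_entropy) {
-- k->request_entropy(s, size, receive_entropy, opaque);
-+ req = g_malloc(sizeof(*req));
-+
-+ req->offset = 0;
-+ req->size = size;
-+ req->receive_entropy = receive_entropy;
-+ req->opaque = opaque;
-+ req->data = g_malloc(req->size);
-+
-+ k->request_entropy(s, req);
-+
-+ s->requests = g_slist_append(s->requests, req);
-}
-}
-
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -46,8 +46,7 @@ struct RngBackendClass
-{
-ObjectClass parent_class;
-
-- void (*request_entropy)(RngBackend *s, size_t size,
-- EntropyReceiveFunc *receive_entropy, void *opaque);
-+ void (*request_entropy)(RngBackend *s, RngRequest *req);
-
-void (*opened)(RngBackend *s, Error **errp);
-};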
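--- a/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
+++ b/meta/recipes-devtools/qemu/qemu/disable-grabs.patch
@@ -29,9 +29,9 @@ index 39a42d6..9b8abe5 100644
 --- a/ui/sdl.c
 +++ b/ui/sdl.c
 @@ -59,6 +59,10 @@ static SDL_Cursor *guest_sprite = NULL;
-static SDL_PixelFormat host_format;
 static int scaling_active = 0;
 static Notifier mouse_mode_notifier;
+static int idle_counter;
 +#ifndef True
 +#define True 1
 +#endif
@@ -40,7 +40,7 @@ index 39a42d6..9b8abe5 100644
 static void sdl_update(DisplayChangeListener *dcl,
 int x, int y, int w, int h)
 @@ -384,14 +388,16 @@ static void sdl_grab_start(void)
-SDL_WarpMouse(guest_x, guest_y);
+}
 } else
 sdl_hide_cursor();
 - SDL_WM_GrabInput(SDL_GRAB_ON);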
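--- a/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
+++ b/meta/recipes-devtools/qemu/qemu/fix-libcap-header-issue-on-some-distro.patch
@@ -67,9 +67,9 @@ diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
 #include <sys/vfs.h>
 #include <sys/ioctl.h>
 @@ -26,7 +25,11 @@
-#include "virtio-9p-marshal.h"
-#include "hw/9pfs/virtio-9p-proxy.h"
-#include "fsdev/virtio-9p-marshal.h"
+#include "9p-iov-marshal.h"
+#include "hw/9pfs/9p-proxy.h"
+#include "fsdev/9p-iov-marshal.h"
 -
 +/*
 + * Include this one last due to some versions of it being buggy: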
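--- a/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:16 +0100
-Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
-
-The 'requests' field now lives in the RngBackend parent class.
-There are no functional changes in this commit.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-in support of CVE-2016-2858
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-backends/rng-egd.c | 28 +++++++++-------------------
-include/sysemu/rng.h | 11 +++++++++++
-2 files changed, 20 insertions(+), 19 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -24,19 +24,8 @@ typedef struct RngEgd
-
-CharDriverState *chr;
-char *chr_name;
--
-- GSList *requests;
-} RngEgd;
-
--typedef struct RngRequest
--{
-- EntropyReceiveFunc *receive_entropy;
-- uint8_t *data;
-- void *opaque;
-- size_t offset;
-- size_t size;
--} RngRequest;
--
-static void rng_egd_request_entropy(RngBackend *b, size_t size,
-EntropyReceiveFunc *receive_entropy,
-void *opaque)
-@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngB
-size -= len;
-}
-
-- s->requests = g_slist_append(s->requests, req);
-+ s->parent.requests = g_slist_append(s->parent.requests, req);
-}
-
-static void rng_egd_free_request(RngRequest *req)
-@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *op
-GSList *i;
-int size = 0;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
-RngRequest *req = i->data;
-size += req->size - req->offset;
-}
-@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaqu
-RngEgd *s = RNG_EGD(opaque);
-size_t buf_offset = 0;
-
-- while (size > 0 && s->requests) {
-- RngRequest *req = s->requests->data;
-+ while (size > 0 && s->parent.requests) {
-+ RngRequest *req = s->parent.requests->data;
-int len = MIN(size, req->size - req->offset);
-
-memcpy(req->data + req->offset, buf + buf_offset, len);
-@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaqu
-size -= len;
-
-if (req->offset == req->size) {
-- s->requests = g_slist_remove_link(s->requests, s->requests);
-+ s->parent.requests = g_slist_remove_link(s->parent.requests,
-+ s->parent.requests);
-
-req->receive_entropy(req->opaque, req->data, req->size);
-
-@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd
-{
-GSList *i;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
-rng_egd_free_request(i->data);
-}
-
-- g_slist_free(s->requests);
-- s->requests = NULL;
-+ g_slist_free(s->parent.requests);
-+ s->parent.requests = NULL;
-}
-
-static void rng_egd_cancel_requests(RngBackend *b)
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -25,6 +25,7 @@
-#define RNG_BACKEND_CLASS(klass) \
-OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
-
-+typedef struct RngRequest RngRequest;
-typedef struct RngBackendClass RngBackendClass;
-typedef struct RngBackend RngBackend;
-
-@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *
-const void *data,
-size_t size);
-
-+struct RngRequest
-+{
-+ EntropyReceiveFunc *receive_entropy;
-+ uint8_t *data;
-+ void *opaque;
-+ size_t offset;
-+ size_t size;
-+};
-+
-struct RngBackendClass
-{
-ObjectClass parent_class;
-@@ -49,6 +59,7 @@ struct RngBackend
-
-/*< protected >*/
-bool opened;
-+ GSList *requests;
-};
-
-/**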
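--- a/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:17 +0100
-Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
-
-RngBackend is now in charge of cleaning up the linked list on
-instance finalization. It also exposes a function to finalize
-individual RngRequest instances, called by its child classes.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-in support of CVE-2016-2858
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-backends/rng-egd.c | 25 +------------------------
-backends/rng.c | 32 ++++++++++++++++++++++++++++++++
-include/sysemu/rng.h | 12 ++++++++++++
-3 files changed, 45 insertions(+), 24 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngB
-s->parent.requests = g_slist_append(s->parent.requests, req);
-}
-
--static void rng_egd_free_request(RngRequest *req)
--{
-- g_free(req->data);
-- g_free(req);
--}
--
-static int rng_egd_chr_can_read(void *opaque)
-{
-RngEgd *s = RNG_EGD(opaque);
-@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaqu
-size -= len;
-
-if (req->offset == req->size) {
-- s->parent.requests = g_slist_remove_link(s->parent.requests,
-- s->parent.requests);
-
-req->receive_entropy(req->opaque, req->data, req->size);
--
-- rng_egd_free_request(req);
-+ rng_backend_finalize_request(&s->parent, req);
-}
-}
-}
-
--static void rng_egd_free_requests(RngEgd *s)
--{
-- GSList *i;
--
-- for (i = s->parent.requests; i; i = i->next) {
-- rng_egd_free_request(i->data);
-- }
--
-- g_slist_free(s->parent.requests);
-- s->parent.requests = NULL;
--}
--
-static void rng_egd_opened(RngBackend *b, Error **errp)
-{
-RngEgd *s = RNG_EGD(b);
-@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj
-}
-
-g_free(s->chr_name);
--
-- rng_egd_free_requests(s);
-}
-
-static void rng_egd_class_init(ObjectClass *klass, void *data)
-Index: qemu-2.5.0/backends/rng.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng.c
-+++ qemu-2.5.0/backends/rng.c
-@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(
-s->opened = true;
-}
-
-+static void rng_backend_free_request(RngRequest *req)
-+{
-+ g_free(req->data);
-+ g_free(req);
-+}
-+
-+static void rng_backend_free_requests(RngBackend *s)
-+{
-+ GSList *i;
-+
-+ for (i = s->requests; i; i = i->next) {
-+ rng_backend_free_request(i->data);
-+ }
-+
-+ g_slist_free(s->requests);
-+ s->requests = NULL;
-+}
-+
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
-+{
-+ s->requests = g_slist_remove(s->requests, req);
-+ rng_backend_free_request(req);
-+}
-+
-static void rng_backend_init(Object *obj)
-{
-object_property_add_bool(obj, "opened",
-@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj
-NULL);
-}
-
-+static void rng_backend_finalize(Object *obj)
-+{
-+ RngBackend *s = RNG_BACKEND(obj);
-+
-+ rng_backend_free_requests(s);
-+}
-+
-static void rng_backend_class_init(ObjectClass *oc, void *data)
-{
-UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
-@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info =
-.parent = TYPE_OBJECT,
-.instance_size = sizeof(RngBackend),
-.instance_init = rng_backend_init,
-+ .instance_finalize = rng_backend_finalize,
-.class_size = sizeof(RngBackendClass),
-.class_init = rng_backend_class_init,
-.abstract = true,
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -61,6 +61,7 @@ struct RngBackend
-GSList *requests;
-};
-
-+
-/**
-* rng_backend_request_entropy:
-* @s: the backend to request entropy from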
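--- a/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <lprosek@redhat.com>
-Date: Thu, 3 Mar 2016 09:37:15 +0100
-Subject: [PATCH] rng: remove the unused request cancellation code
-
-rng_backend_cancel_requests had no callers and none of the code
-deleted in this commit ever ran.
-
-Signed-off-by: Ladi Prosek <lprosek@redhat.com>
-Reviewed-by: Amit Shah <amit.shah@redhat.com>
-Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com>
-Signed-off-by: Amit Shah <amit.shah@redhat.com>
-
-Upstream-Status: Backport
-in support of CVE-2016-2858
-
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
-backends/rng-egd.c | 12 ------------
-backends/rng.c | 9 ---------
-include/sysemu/rng.h | 11 -----------
-3 files changed, 32 deletions(-)
-
-Index: qemu-2.5.0/backends/rng-egd.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng-egd.c
-+++ qemu-2.5.0/backends/rng-egd.c
-@@ -114,17 +114,6 @@ static void rng_egd_free_requests(RngEgd
-s->parent.requests = NULL;
-}
-
--static void rng_egd_cancel_requests(RngBackend *b)
--{
-- RngEgd *s = RNG_EGD(b);
--
-- /* We simply delete the list of pending requests. If there is data in the
-- * queue waiting to be read, this is okay, because there will always be
-- * more data than we requested originally
-- */
-- rng_egd_free_requests(s);
--}
--
-static void rng_egd_opened(RngBackend *b, Error **errp)
-{
-RngEgd *s = RNG_EGD(b);
-@@ -202,7 +191,6 @@ static void rng_egd_class_init(ObjectCla
-RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
-
-rbc->request_entropy = rng_egd_request_entropy;
-- rbc->cancel_requests = rng_egd_cancel_requests;
-rbc->opened = rng_egd_opened;
-}
-
-Index: qemu-2.5.0/backends/rng.c
-===================================================================
---- qemu-2.5.0.orig/backends/rng.c
-+++ qemu-2.5.0/backends/rng.c
-@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBack
-}
-}
-
--void rng_backend_cancel_requests(RngBackend *s)
--{
-- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
--
-- if (k->cancel_requests) {
-- k->cancel_requests(s);
-- }
--}
--
-static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
-{
-RngBackend *s = RNG_BACKEND(obj);
-Index: qemu-2.5.0/include/sysemu/rng.h
-===================================================================
---- qemu-2.5.0.orig/include/sysemu/rng.h
-+++ qemu-2.5.0/include/sysemu/rng.h
-@@ -48,7 +48,6 @@ struct RngBackendClass
-
-void (*request_entropy)(RngBackend *s, size_t size,
-EntropyReceiveFunc *receive_entropy, void *opaque);
-- void (*cancel_requests)(RngBackend *s);
-
-void (*opened)(RngBackend *s, Error **errp);
-};
-@@ -80,14 +79,4 @@ struct RngBackend
-void rng_backend_request_entropy(RngBackend *s, size_t size,
-EntropyReceiveFunc *receive_entropy,
-void *opaque);
--
--/**
-- * rng_backend_cancel_requests:
-- * @s: the backend to cancel all pending requests in
-- *
-- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
-- * should be used by a device during reset or in preparation for live migration
-- * to stop tracking any request.
-- */
--void rng_backend_cancel_requests(RngBackend *s);
-#endif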
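--- a/meta/recipes-devtools/qemu/qemu_2.5.1.1.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.6.0.bb
@@ -7,16 +7,11 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
 file://qemu-enlarge-env-entry-size.patch \
 file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
 file://no-valgrind.patch \
-file://CVE-2016-2198.patch \
 file://pathlimit.patch \
-file://rng_move_request_from_RngEgd_to_RngBackend.patch \
-file://rng_remove_the_unused_request_cancellation_code.patch \
-file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
-file://CVE-2016-2858.patch \
 "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-SRC_URI[md5sum] = "f5ff0e71398b9e428b4f177001ba4285"
-SRC_URI[sha256sum] = "28d9946e43765a44ccccca3cba5f4f9034f2759ec1f2ce16594ddb6776c8efe6"
+SRC_URI[md5sum] = "ca3f70b43f093e33e9e014f144067f13"
+SRC_URI[sha256sum] = "c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec"
 
 COMPATIBLE_HOST_class-target_mips64 = "null"
 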