From d3d0c7af34b996b4518b26d4f3b4eff831a651af Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Wed, 27 Apr 2016 11:48:16 +0200 Subject: qemu: Upgrade 2.1.0 to 2.4.0 to address some CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The upgrade addresses the following CVEs: CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 CVE-2015-8504 CVE-2016-1568 CVE-2016-2197 CVE-2016-2198 Signed-off-by: Sona Sarmadi 
Signed-off-by: Nora Björklund --- ...1-Back-porting-security-fix-CVE-2014-5388.patch | 30 ------- ...-Arm-versatilepb-Add-memory-size-checking.patch | 40 ---------- .../exclude-some-arm-EABI-obsolete-syscalls.patch | 93 ---------------------- .../qemu/files/qemu-enlarge-env-entry-size.patch | 31 -------- meta/recipes-devtools/qemu/qemu.inc | 51 ++++++------ .../recipes-devtools/qemu/qemu/CVE-2014-7840.patch | 57 ------------- .../qemu/qemu/CVE-2015-7295_1.patch | 63 +++++++++++++++ .../qemu/qemu/CVE-2015-7295_2.patch | 58 ++++++++++++++ .../qemu/qemu/CVE-2015-7295_3.patch | 52 ++++++++++++ .../recipes-devtools/qemu/qemu/CVE-2015-7504.patch | 56 +++++++++++++ .../recipes-devtools/qemu/qemu/CVE-2015-7512.patch | 44 ++++++++++ .../recipes-devtools/qemu/qemu/CVE-2015-8345.patch | 73 +++++++++++++++++ .../recipes-devtools/qemu/qemu/CVE-2015-8504.patch | 51 ++++++++++++ .../recipes-devtools/qemu/qemu/CVE-2016-1568.patch | 46 +++++++++++ .../recipes-devtools/qemu/qemu/CVE-2016-2197.patch | 59 ++++++++++++++ .../recipes-devtools/qemu/qemu/CVE-2016-2198.patch | 45 +++++++++++ ...-Arm-versatilepb-Add-memory-size-checking.patch | 46 +++++++++++ .../qemu/qemu/add-ptest-in-makefile.patch | 29 +++++++ .../cpus.c-qemu_cpu_kick_thread_debugging.patch | 76 ++++++++++++++++++ ..._mutex_lock_iothread-fix-race-condition-a.patch | 45 +++++++++++ .../exclude-some-arm-EABI-obsolete-syscalls.patch | 93 ++++++++++++++++++++++ .../qemu/qemu/larger_default_ram_size.patch | 22 ----- meta/recipes-devtools/qemu/qemu/no-valgrind.patch | 19 +++++ .../qemu/qemu/qemu-CVE-2015-3456.patch | 92 --------------------- .../qemu/qemu/qemu-enlarge-env-entry-size.patch | 31 ++++++++ meta/recipes-devtools/qemu/qemu/run-ptest | 8 ++ .../qemu/qemu/slirp-CVE-2014-3640.patch | 48 ----------- .../recipes-devtools/qemu/qemu/smc91c111_fix.patch | 74 +++++++++++++++++ .../qemu/qemu/smc91c111_fix1.patch | 85 ++++++++++++++++++++ .../qemu/qemu/smc91c111_fix2.patch | 46 +++++++++++ .../qemu/qemu/smc91c111_fix3.patch | 
33 ++++++++ .../qemu/qemu/vnc-CVE-2014-7815.patch | 53 ------------ meta/recipes-devtools/qemu/qemu/wacom.patch | 16 ++-- meta/recipes-devtools/qemu/qemu_2.1.0.bb | 32 -------- meta/recipes-devtools/qemu/qemu_2.4.0.bb | 33 ++++++++ meta/recipes-devtools/qemu/qemu_git.bb | 15 ---- .../recipes-devtools/qemu/qemuwrapper-cross_1.0.bb | 4 +- 37 files changed, 1204 insertions(+), 545 deletions(-) delete mode 100644 meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch delete mode 100644 meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch delete mode 100644 meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch delete mode 100644 meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch create mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch create mode 100644 meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch create mode 100644 meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch create mode 100644 meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch create mode 100644 meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch create mode 100644 
meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch create mode 100644 meta/recipes-devtools/qemu/qemu/no-valgrind.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch create mode 100644 meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch create mode 100644 meta/recipes-devtools/qemu/qemu/run-ptest delete mode 100644 meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch create mode 100644 meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch create mode 100644 meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch create mode 100644 meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch create mode 100644 meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch delete mode 100644 meta/recipes-devtools/qemu/qemu_2.1.0.bb create mode 100644 meta/recipes-devtools/qemu/qemu_2.4.0.bb delete mode 100644 meta/recipes-devtools/qemu/qemu_git.bb diff --git a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch b/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch deleted file mode 100644 index ec541fa668..0000000000 --- a/meta/recipes-devtools/qemu/files/0001-Back-porting-security-fix-CVE-2014-5388.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Prevent out-of-bounds array access on -acpi_pcihp_pci_status. - -Upstream-Status: Backport - -Signed-off-by: Gonglei -Signed-off-by: Sona Sarmadi ---- -v2: - - change commit message. - - add 'Reviewed-by' ---- - hw/acpi/pcihp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c -index fae663a..34dedf1 100644 ---- a/hw/acpi/pcihp.c -+++ b/hw/acpi/pcihp.c -@@ -231,7 +231,7 @@ static uint64_t pci_read(void *opaque, hwaddr addr, unsigned int size) - uint32_t val = 0; - int bsel = s->hotplug_select; - -- if (bsel < 0 || bsel > ACPI_PCIHP_MAX_HOTPLUG_BUS) { -+ if (bsel < 0 || bsel >= ACPI_PCIHP_MAX_HOTPLUG_BUS) { - return 0; - } - --- -1.7.12.4 diff --git a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch b/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch deleted file mode 100644 index 7f1c5a9058..0000000000 --- a/meta/recipes-devtools/qemu/files/Qemu-Arm-versatilepb-Add-memory-size-checking.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 896fa02c24347e6e9259812cfda187b1d6ca6199 Mon Sep 17 00:00:00 2001 -From: Jiang Lu -Date: Wed, 13 Nov 2013 10:38:08 +0800 -Subject: [PATCH] Qemu:Arm:versatilepb: Add memory size checking - -The machine can not work with memory over 256M, so add a checking -at startup. If the memory size exceed 256M, just stop emulation then -throw out warning about memory limitation. - -Upstream-Status: Pending - -Signed-off-by: Jiang Lu - -Updated it on 2014-01-15 for rebasing - -Signed-off-by: Robert Yang ---- - hw/arm/versatilepb.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c -index b48d84c..ad2cd5a 100644 ---- a/hw/arm/versatilepb.c -+++ b/hw/arm/versatilepb.c -@@ -199,6 +199,12 @@ static void versatile_init(QEMUMachineInitArgs *args, int board_id) - fprintf(stderr, "Unable to find CPU definition\n"); - exit(1); - } -+ if (ram_size > (256 << 20)) { -+ fprintf(stderr, -+ "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n", -+ ((unsigned int)ram_size / (1 << 20))); -+ exit(1); -+ } - memory_region_init_ram(ram, NULL, "versatile.ram", machine->ram_size); - vmstate_register_ram_global(ram); - /* ??? RAM should repeat to fill physical memory space. */ --- -1.7.10.4 - diff --git a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch b/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch deleted file mode 100644 index 171bda7e95..0000000000 --- a/meta/recipes-devtools/qemu/files/exclude-some-arm-EABI-obsolete-syscalls.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -[PATCH] exclude some arm EABI obsolete syscalls - -Upstream-Status: Pending - -some syscalls are obsolete and no longer available for EABI, exclude them to -fix the below error: - In file included from qemu-seccomp.c:16:0: - qemu-seccomp.c:28:7: error: '__NR_select' undeclared here (not in a function) - { SCMP_SYS(select), 252 }, - ^ - qemu-seccomp.c:36:7: error: '__NR_mmap' undeclared here (not in a function) - { SCMP_SYS(mmap), 247 }, - ^ - qemu-seccomp.c:57:7: error: '__NR_getrlimit' undeclared here (not in a function) - { SCMP_SYS(getrlimit), 245 }, - ^ - qemu-seccomp.c:96:7: error: '__NR_time' undeclared here (not in a function) - { SCMP_SYS(time), 245 }, - ^ - qemu-seccomp.c:185:7: error: '__NR_alarm' undeclared here (not in a function) - { SCMP_SYS(alarm), 241 }, - -please refer source files: - arch/arm/include/uapi/asm/unistd.h -or kernel header: - /usr/include/asm/unistd.h - -Signed-off-by: Roy.Li ---- - qemu-seccomp.c | 14 ++++++++------ - 1 file changed, 8 insertions(+), 6 deletions(-) - -diff --git a/qemu-seccomp.c b/qemu-seccomp.c -index caa926e..5a78502 100644 ---- a/qemu-seccomp.c -+++ b/qemu-seccomp.c -@@ -25,15 +25,21 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { - { SCMP_SYS(timer_settime), 255 }, - { SCMP_SYS(timer_gettime), 254 }, - { SCMP_SYS(futex), 253 }, -+#if !defined(__ARM_EABI__) - { SCMP_SYS(select), 252 }, -+ { SCMP_SYS(time), 245 }, -+ { SCMP_SYS(alarm), 241 }, -+ { SCMP_SYS(getrlimit), 245 }, -+ { SCMP_SYS(mmap), 247 }, -+ { SCMP_SYS(socketcall), 250 }, -+ { SCMP_SYS(ipc), 245 }, -+#endif - { SCMP_SYS(recvfrom), 251 }, - { SCMP_SYS(sendto), 250 }, -- { SCMP_SYS(socketcall), 250 }, - { SCMP_SYS(read), 249 }, - { SCMP_SYS(io_submit), 249 }, - { SCMP_SYS(brk), 248 }, - { SCMP_SYS(clone), 247 }, -- { SCMP_SYS(mmap), 247 }, - { SCMP_SYS(mprotect), 246 }, - { SCMP_SYS(execve), 245 }, - { SCMP_SYS(open), 245 }, -@@ -48,13 +54,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { - { 
SCMP_SYS(bind), 245 }, - { SCMP_SYS(listen), 245 }, - { SCMP_SYS(semget), 245 }, -- { SCMP_SYS(ipc), 245 }, - { SCMP_SYS(gettimeofday), 245 }, - { SCMP_SYS(readlink), 245 }, - { SCMP_SYS(access), 245 }, - { SCMP_SYS(prctl), 245 }, - { SCMP_SYS(signalfd), 245 }, -- { SCMP_SYS(getrlimit), 245 }, - { SCMP_SYS(set_tid_address), 245 }, - { SCMP_SYS(statfs), 245 }, - { SCMP_SYS(unlink), 245 }, -@@ -93,7 +97,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { - { SCMP_SYS(times), 245 }, - { SCMP_SYS(exit), 245 }, - { SCMP_SYS(clock_gettime), 245 }, -- { SCMP_SYS(time), 245 }, - { SCMP_SYS(restart_syscall), 245 }, - { SCMP_SYS(pwrite64), 245 }, - { SCMP_SYS(nanosleep), 245 }, -@@ -182,7 +185,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = { - { SCMP_SYS(lstat64), 241 }, - { SCMP_SYS(sendfile64), 241 }, - { SCMP_SYS(ugetrlimit), 241 }, -- { SCMP_SYS(alarm), 241 }, - { SCMP_SYS(rt_sigsuspend), 241 }, - { SCMP_SYS(rt_sigqueueinfo), 241 }, - { SCMP_SYS(rt_tgsigqueueinfo), 241 }, --- -1.9.1 - diff --git a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch b/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch deleted file mode 100644 index c7425ab8d4..0000000000 --- a/meta/recipes-devtools/qemu/files/qemu-enlarge-env-entry-size.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -qemu: Add addition environment space to boot loader qemu-system-mips - -Upstream-Status: Inappropriate - OE uses deep paths - -If you create a project with very long directory names like 128 characters -deep and use NFS, the kernel arguments will be truncated. The kernel will -accept longer strings such as 1024 bytes, but the qemu boot loader defaulted -to only 256 bytes. This patch expands the limit. - -Signed-off-by: Jason Wessel -Signed-off-by: Roy Li ---- - hw/mips/mips_malta.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c -index 9d521cc..17c0391 100644 ---- a/hw/mips/mips_malta.c -+++ b/hw/mips/mips_malta.c -@@ -53,7 +53,7 @@ - - #define ENVP_ADDR 0x80002000l - #define ENVP_NB_ENTRIES 16 --#define ENVP_ENTRY_SIZE 256 -+#define ENVP_ENTRY_SIZE 1024 - - /* Hardware addresses */ - #define FLASH_ADDRESS 0x1e000000ULL --- -1.7.10.4 - diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index c9a5d328f9..abbace8704 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -3,24 +3,30 @@ HOMEPAGE = "http://qemu.org" LICENSE = "GPLv2 & LGPLv2.1" DEPENDS = "glib-2.0 zlib pixman" RDEPENDS_${PN}_class-target += "bash python" +RDEPENDS_${PN}-ptest = "bash make" require qemu-targets.inc -inherit autotools-brokensep +inherit autotools ptest BBCLASSEXTEND = "native nativesdk" +PR = "r1" + # QEMU_TARGETS is overridable variable QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc sh4 x86_64" SRC_URI = "\ file://powerpc_rom.bin \ - file://larger_default_ram_size.patch \ file://disable-grabs.patch \ file://exclude-some-arm-EABI-obsolete-syscalls.patch \ file://wacom.patch \ + file://add-ptest-in-makefile.patch \ + file://run-ptest \ + file://cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch \ " SRC_URI_append_class-native = "\ file://fix-libcap-header-issue-on-some-distro.patch \ + file://cpus.c-qemu_cpu_kick_thread_debugging.patch \ " EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror --disable-bluez --disable-libiscsi --with-system-pixman --extra-cflags='${CFLAGS}'" @@ -35,16 +41,6 @@ do_configure_prepend_class-native() { if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH fi - - # Undo the -lX11 added by linker-flags.patch, don't assume that host has libX11 installed - sed -i 's/-lX11//g' Makefile.target -} - -do_configure_prepend_class-nativesdk() { - if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "" ] ; then - # Undo the -lX11 added by linker-flags.patch - sed -i 's/-lX11//g' Makefile.target - fi } KVMENABLE = "--enable-kvm" 
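Review bot: The `+PR = "r1"` line is added in the same change that moves the recipe from 2.1.0 to 2.4.0; a PV bump already forces a rebuild and restarts the package revision, so the explicit PR assignment is redundant here and becomes one more thing to maintain on the next upgrade. Unless something elsewhere in the tree keys on this exact PR value (not visible in this diff), I would drop that line from qemu.inc. The rest of the hunk, dropping `larger_default_ram_size.patch` and the `-lX11` sed workarounds, looks consistent with the move from `autotools-brokensep` to an out-of-tree `autotools` build.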
@@ -63,6 +59,17 @@ do_configure() { test ! -e ${S}/target-i386/beginend_funcs.sh || chmod a+x ${S}/target-i386/beginend_funcs.sh } +do_compile_ptest() { + make buildtest-TESTS +} + +do_install_ptest() { + cp -rL ${B}/tests ${D}${PTEST_PATH} + find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {} + + cp ${S}/tests/Makefile ${D}${PTEST_PATH}/tests +} + do_install () { export STRIP="true" autotools_do_install @@ -84,8 +91,12 @@ do_install_append() { } # END of qemu-mips workaround -PACKAGECONFIG ??= "fdt sdl alsa" -PACKAGECONFIG_class-native ??= "fdt alsa" +PACKAGECONFIG ??= " \ + fdt sdl \ + ${@bb.utils.contains('DISTRO_FEATURES', 'alsa', 'alsa', '', d)} \ + ${@bb.utils.contains('DISTRO_FEATURES', 'xen', 'xen', '', d)} \ + " +PACKAGECONFIG_class-native ??= "fdt alsa uuid" PACKAGECONFIG_class-nativesdk ??= "fdt sdl" NATIVEDEPS = "" NATIVEDEPS_class-native = "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'libxext-native', '',d)}" @@ -93,10 +104,8 @@ PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl ${NATIVEDEPS}," PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr," PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio," PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs," -PACKAGECONFIG[xen] = "--enable-xen, --disable-xen,," -PACKAGECONFIG[quorum] = "--enable-quorum, --disable-quorum, gnutls," +PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen,xen-libxenstore xen-libxenctrl xen-libxenguest" PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-vnc-tls,--disable-vnc-tls, gnutls," -PACKAGECONFIG[vnc-ws] = "--enable-vnc --enable-vnc-ws,--disable-vnc-ws, gnutls," PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl," PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg," PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng," 
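Review bot: In the new `do_install_ptest`, `find ... -type f -name "*.[Sshcod]" | xargs -i rm -rf {}` relies on the deprecated GNU `xargs -i` spelling and breaks on paths containing whitespace; since `-type f` only matches plain files, `-rf` is also unnecessary. The one-liner `find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" -delete` does the same job without the pipe. In `do_compile_ptest`, a bare `make buildtest-TESTS` bypasses the recipe's make flags and `EXTRA_OEMAKE`; the OE convention is `oe_runmake buildtest-TESTS`, which also fails the task on a non-zero exit.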
@@ -110,15 +119,11 @@ PACKAGECONFIG[ssh2] = "--enable-libssh2,--disable-libssh2,libssh2," PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1" PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc" PACKAGECONFIG[alsa] = ",,alsa-lib" -PACKAGECONFIG[glx] = "--enable-glx,--disable-glx,mesa" +PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,mesa" PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo" PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl" +PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls" EXTRA_OECONF += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', '--audio-drv-list=oss,alsa', '', d)}" -# Qemu target will not build in world build for ARM or Mips -BROKEN_qemuarm = "1" -BROKEN_qemumips64 = "1" -BROKEN_qemumips = "1" - INSANE_SKIP_${PN} = "arch" diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch b/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch deleted file mode 100644 index 4f992bae14..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2014-7840.patch +++ /dev/null 
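Review bot: This hunk adds a standalone `PACKAGECONFIG[gnutls]` while the `vnc-tls` option in the previous hunk still passes `--enable-vnc --enable-vnc-tls` with its own gnutls dependency; the `vnc-ws` and `quorum` options were removed in that hunk, which suggests configure flags changed between 2.1.0 and 2.4.0. Please confirm against the 2.4.0 `configure` script that `--enable-vnc-tls` is still accepted; if it has been folded into the gnutls option, anyone enabling `vnc-tls` will get a configure failure, and the entry should be either removed or rewritten as `PACKAGECONFIG[vnc-tls] = "--enable-vnc --enable-gnutls,--disable-gnutls,gnutls,"`. This is an inference from the surrounding removals, not something the diff itself shows.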
@@ -1,57 +0,0 @@ -From 0be839a2701369f669532ea5884c15bead1c6e08 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Wed, 12 Nov 2014 11:44:39 +0200 -Subject: [PATCH] migration: fix parameter validation on ram load - -During migration, the values read from migration stream during ram load -are not validated. Especially offset in host_from_stream_offset() and -also the length of the writes in the callers of said function. - -To fix this, we need to make sure that the [offset, offset + length] -range fits into one of the allocated memory regions. - -Validating addr < len should be sufficient since data seems to always be -managed in TARGET_PAGE_SIZE chunks. - -Fixes: CVE-2014-7840 - -Upstream-Status: Backport - -Note: follow-up patches add extra checks on each block->host access. - -Signed-off-by: Michael S. Tsirkin -Reviewed-by: Paolo Bonzini -Reviewed-by: Dr. David Alan Gilbert -Signed-off-by: Amit Shah -Signed-off-by: Sona Sarmadi ---- - arch_init.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/arch_init.c b/arch_init.c -index 88a5ba0..593a990 100644 ---- a/arch_init.c -+++ b/arch_init.c -@@ -1006,7 +1006,7 @@ static inline void *host_from_stream_offset(QEMUFile *f, - uint8_t len; - - if (flags & RAM_SAVE_FLAG_CONTINUE) { -- if (!block) { -+ if (!block || block->length <= offset) { - error_report("Ack, bad migration stream!"); - return NULL; - } -@@ -1019,8 +1019,9 @@ static inline void *host_from_stream_offset(QEMUFile *f, - id[len] = 0; - - QTAILQ_FOREACH(block, &ram_list.blocks, next) { -- if (!strncmp(id, block->idstr, sizeof(id))) -+ if (!strncmp(id, block->idstr, sizeof(id)) && block->length > offset) { - return memory_region_get_ram_ptr(block->mr) + offset; -+ } - } - - error_report("Can't find block %s!", id); --- -1.9.1 - diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch new file mode 100644 index 0000000000..d7ae8713ca --- /dev/null 
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_1.patch @@ -0,0 +1,63 @@ +From ce317461573bac12b10d67699b4ddf1f97cf066c Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 25 Sep 2015 13:21:28 +0800 +Subject: [PATCH] virtio: introduce virtqueue_unmap_sg() + +Factor out sg unmapping logic. This will be reused by the patch that +can discard descriptor. + +Cc: Michael S. Tsirkin +Cc: Andrew James +Signed-off-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Upstream-Status: Backport + +git.qemu.org/?p=qemu.git;a=commit;h=ce317461573bac12b10d67699b4ddf1f97cf066c + +CVE: CVE-2015-7295 patch #1 +[Yocto # 9013] + +Signed-off-by: Armin Kuster + +--- + hw/virtio/virtio.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +Index: qemu-2.4.0/hw/virtio/virtio.c +=================================================================== +--- qemu-2.4.0.orig/hw/virtio/virtio.c ++++ qemu-2.4.0/hw/virtio/virtio.c +@@ -243,14 +243,12 @@ int virtio_queue_empty(VirtQueue *vq) + return vring_avail_idx(vq) == vq->last_avail_idx; + } + +-void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, +- unsigned int len, unsigned int idx) ++static void virtqueue_unmap_sg(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len) + { + unsigned int offset; + int i; + +- trace_virtqueue_fill(vq, elem, len, idx); +- + offset = 0; + for (i = 0; i < elem->in_num; i++) { + size_t size = MIN(len - offset, elem->in_sg[i].iov_len); +@@ -266,6 +264,14 @@ void virtqueue_fill(VirtQueue *vq, const + cpu_physical_memory_unmap(elem->out_sg[i].iov_base, + elem->out_sg[i].iov_len, + 0, elem->out_sg[i].iov_len); ++} ++ ++void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len, unsigned int idx) ++{ ++ trace_virtqueue_fill(vq, elem, len, idx); ++ ++ virtqueue_unmap_sg(vq, elem, len); + + idx = (idx + vring_used_idx(vq)) % vq->vring.num; + 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch new file mode 100644 index 0000000000..45dfab36ef --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_2.patch 
@@ -0,0 +1,58 @@ +From 29b9f5efd78ae0f9cc02dd169b6e80d2c404bade Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 25 Sep 2015 13:21:29 +0800 +Subject: [PATCH] virtio: introduce virtqueue_discard() + +This patch introduces virtqueue_discard() to discard a descriptor and +unmap the sgs. This will be used by the patch that will discard +descriptor when packet is truncated. + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Upstream-Status: Backport + +git.qemu.org/?p=qemu.git;a=commit;h=29b9f5efd78ae0f9cc02dd169b6e80d2c404bade + +CVE: CVE-2015-7295 patch #2 +[Yocto # 9013] + +Signed-off-by: Armin Kuster + +--- + hw/virtio/virtio.c | 7 +++++++ + include/hw/virtio/virtio.h | 2 ++ + 2 files changed, 9 insertions(+) + +Index: qemu-2.4.0/hw/virtio/virtio.c +=================================================================== +--- qemu-2.4.0.orig/hw/virtio/virtio.c ++++ qemu-2.4.0/hw/virtio/virtio.c +@@ -266,6 +266,13 @@ static void virtqueue_unmap_sg(VirtQueue + 0, elem->out_sg[i].iov_len); + } + ++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len) ++{ ++ vq->last_avail_idx--; ++ virtqueue_unmap_sg(vq, elem, len); ++} ++ + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx) + { +Index: qemu-2.4.0/include/hw/virtio/virtio.h +=================================================================== +--- qemu-2.4.0.orig/include/hw/virtio/virtio.h ++++ qemu-2.4.0/include/hw/virtio/virtio.h +@@ -146,6 +146,8 @@ void virtio_del_queue(VirtIODevice *vdev + void virtqueue_push(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len); + void virtqueue_flush(VirtQueue *vq, unsigned int count); ++void virtqueue_discard(VirtQueue *vq, const VirtQueueElement *elem, ++ unsigned int len); + void virtqueue_fill(VirtQueue *vq, const VirtQueueElement *elem, + unsigned int len, unsigned int idx); + 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch new file mode 100644 index 0000000000..74442e32f5 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7295_3.patch @@ -0,0 +1,52 @@ +From 0cf33fb6b49a19de32859e2cdc6021334f448fb3 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Fri, 25 Sep 2015 13:21:30 +0800 +Subject: [PATCH] virtio-net: correctly drop truncated packets + +When packet is truncated during receiving, we drop the packets but +neither discard the descriptor nor add and signal used +descriptor. This will lead several issues: + +- sg mappings are leaked +- rx will be stalled if a lots of packets were truncated + +In order to be consistent with vhost, fix by discarding the descriptor +in this case. + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin + +Upstream-Status: Backport + +git.qemu.org/?p=qemu.git;a=commit;h=0cf33fb6b49a19de32859e2cdc6021334f448fb3 + +CVE: CVE-2015-7295 patch #3 +[Yocto # 9013] + +Signed-off-by: Armin Kuster + +--- + hw/net/virtio-net.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +Index: qemu-2.4.0/hw/net/virtio-net.c +=================================================================== +--- qemu-2.4.0.orig/hw/net/virtio-net.c ++++ qemu-2.4.0/hw/net/virtio-net.c +@@ -1086,13 +1086,7 @@ static ssize_t virtio_net_receive(NetCli + * must have consumed the complete packet. + * Otherwise, drop it. */ + if (!n->mergeable_rx_bufs && offset < size) { +-#if 0 +- error_report("virtio-net truncated non-mergeable packet: " +- "i %zd mergeable %d offset %zd, size %zd, " +- "guest hdr len %zd, host hdr len %zd", +- i, n->mergeable_rx_bufs, +- offset, size, n->guest_hdr_len, n->host_hdr_len); +-#endif ++ virtqueue_discard(q->rx_vq, &elem, total); + return size; + } + 
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch new file mode 100644 index 0000000000..90a7947abb --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7504.patch 
@@ -0,0 +1,56 @@ +From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 20 Nov 2015 11:50:31 +0530 +Subject: [PATCH] net: pcnet: add check to validate receive data + size(CVE-2015-7504) + +In loopback mode, pcnet_receive routine appends CRC code to the +receive buffer. If the data size given is same as the buffer size, +the appended CRC code overwrites 4 bytes after s->buffer. Added a +check to avoid that. + +Reported by: Qinghao Tang +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang + +Upstream-Status: Backport + +http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7 + +CVE: CVE-2015-7504 +[Yocto # 9013] + +Signed-off-by: Armin Kuster + +--- + hw/net/pcnet.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +Index: qemu-2.4.0/hw/net/pcnet.c +=================================================================== +--- qemu-2.4.0.orig/hw/net/pcnet.c ++++ qemu-2.4.0/hw/net/pcnet.c +@@ -1085,7 +1085,7 @@ ssize_t pcnet_receive(NetClientState *nc + uint32_t fcs = ~0; + uint8_t *p = src; + +- while (p != &src[size-4]) ++ while (p != &src[size]) + CRC(fcs, *p++); + crc_err = (*(uint32_t *)p != htonl(fcs)); + } +@@ -1234,8 +1234,10 @@ static void pcnet_transmit(PCNetState *s + bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); + + /* if multi-tmd packet outsizes s->buffer then skip it silently. +- Note: this is not what real hw does */ +- if (s->xmit_pos + bcnt > sizeof(s->buffer)) { ++ * Note: this is not what real hw does. ++ * Last four bytes of s->buffer are used to store CRC FCS code. ++ */ ++ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) { + s->xmit_pos = -1; + goto txdone; + } diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch new file mode 100644 index 0000000000..50b8a6cee8 --- /dev/null 
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-7512.patch @@ -0,0 +1,44 @@ +From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Mon, 30 Nov 2015 15:00:06 +0800 +Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512) + +Backends could provide a packet whose length is greater than buffer +size. Check for this and truncate the packet to avoid rx buffer +overflow in this case. + +Cc: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Jason Wang + +Upsteam_Status: Backport + +http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343 + +CVE: CVE-2015-7512 +[Yocto # 9013] + +Signed-off-by: Armin Kuster + +--- + hw/net/pcnet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +Index: qemu-2.4.0/hw/net/pcnet.c +=================================================================== +--- qemu-2.4.0.orig/hw/net/pcnet.c ++++ qemu-2.4.0/hw/net/pcnet.c +@@ -1065,6 +1065,12 @@ ssize_t pcnet_receive(NetClientState *nc + int pktcount = 0; + + if (!s->looptest) { ++ if (size > 4092) { ++#ifdef PCNET_DEBUG_RMD ++ fprintf(stderr, "pcnet: truncates rx packet.\n"); ++#endif ++ size = 4092; ++ } + memcpy(src, buf, size); + /* no need to compute the CRC */ + src[size] = 0; diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch new file mode 100644 index 0000000000..310b458a0c --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8345.patch 
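Review bot: The header of CVE-2015-7512.patch spells the status tag as `Upsteam_Status: Backport`; every other patch in this series uses `Upstream-Status: Backport`, and the Yocto patch-header checks look for that exact key, so this one will be reported as lacking an upstream status. Change the line to `Upstream-Status: Backport`. The hunk itself is the upstream fix verbatim (the `4092` cap is `sizeof(s->buffer)` minus the four CRC bytes, as the CVE-2015-7504 patch's comment explains) and should stay untouched; `pcnet_receive` continues past the end of the hunk.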
@@ -0,0 +1,73 @@ +From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001 +From: Stefan Weil +Date: Fri, 20 Nov 2015 08:42:33 +0100 +Subject: [PATCH] eepro100: Prevent two endless loops + +http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html +shows an example how an endless loop in function action_command can +be achieved. + +During my code review, I noticed a 2nd case which can result in an +endless loop. + +Reported-by: Qinghao Tang +Signed-off-by: Stefan Weil +Signed-off-by: Jason Wang + +Upstream-Status: Backport + +http://git.qemu.org/?p=qemu.git;a=commit;h=00837731d254908a841d69298a4f9f077babaf24 + +CVE: CVE-2015-8345 +[Yocto # 9013] + +Signed-off-by: Armin Kuster + +--- + hw/net/eepro100.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c +index 60333b7..685a478 100644 +--- a/hw/net/eepro100.c ++++ b/hw/net/eepro100.c +@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s) + #if 0 + uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); + #endif ++ if (tx_buffer_size == 0) { ++ /* Prevent an endless loop. */ ++ logout("loop in %s:%u\n", __FILE__, __LINE__); ++ break; ++ } + tbd_address += 8; + TRACE(RXTX, logout + ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n", +@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s) + + static void action_command(EEPRO100State *s) + { ++ /* The loop below won't stop if it gets special handcrafted data. ++ Therefore we limit the number of iterations. */ ++ unsigned max_loop_count = 16; ++ + for (;;) { + bool bit_el; + bool bit_s; +@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s) + #if 0 + bool bit_sf = ((s->tx.command & COMMAND_SF) != 0); + #endif ++ ++ if (max_loop_count-- == 0) { ++ /* Prevent an endless loop. 
*/ ++ logout("loop in %s:%u\n", __FILE__, __LINE__); ++ break; ++ } ++ + s->cu_offset = s->tx.link; + TRACE(OTHER, + logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n", +-- +2.3.5 + diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch new file mode 100644 index 0000000000..9e660217ff --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2015-8504.patch 
@@ -0,0 +1,51 @@
+From 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 3 Dec 2015 18:54:17 +0530
+Subject: [PATCH] ui: vnc: avoid floating point exception
+
+While sending 'SetPixelFormat' messages to a VNC server,
+the client could set the 'red-max', 'green-max' and 'blue-max'
+values to be zero. This leads to a floating point exception in
+write_png_palette while doing frame buffer updates.
+
+Reported-by: Lian Yihan
+Signed-off-by: Prasad J Pandit
+Reviewed-by: Gerd Hoffmann
+Signed-off-by: Peter Maydell
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4c65fed8bdf96780735dbdb92a8
+
+CVE: CVE-2015-8504
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster
+
+---
+ ui/vnc.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: qemu-2.4.0/ui/vnc.c
+===================================================================
+--- qemu-2.4.0.orig/ui/vnc.c
++++ qemu-2.4.0/ui/vnc.c
+@@ -2189,15 +2189,15 @@ static void set_pixel_format(VncState *v
+ return;
+ }
+
+- vs->client_pf.rmax = red_max;
++ vs->client_pf.rmax = red_max ? red_max : 0xFF;
+ vs->client_pf.rbits = hweight_long(red_max);
+ vs->client_pf.rshift = red_shift;
+ vs->client_pf.rmask = red_max << red_shift;
+- vs->client_pf.gmax = green_max;
++ vs->client_pf.gmax = green_max ? green_max : 0xFF;
+ vs->client_pf.gbits = hweight_long(green_max);
+ vs->client_pf.gshift = green_shift;
+ vs->client_pf.gmask = green_max << green_shift;
+- vs->client_pf.bmax = blue_max;
++ vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
+ vs->client_pf.bbits = hweight_long(blue_max);
+ vs->client_pf.bshift = blue_shift;
+ vs->client_pf.bmask = blue_max << blue_shift;
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
new file mode 100644
index 0000000000..9c40ffb5f8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-1568.patch
@@ -0,0 +1,46 @@
+From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Mon, 11 Jan 2016 14:10:42 -0500
+Subject: [PATCH] ide: ahci: reset ncq object to unused on error
+
+When processing NCQ commands, AHCI device emulation prepares a
+NCQ transfer object; To which an aio control block(aiocb) object
+is assigned in 'execute_ncq_command'. In case, when the NCQ
+command is invalid, the 'aiocb' object is not assigned, and NCQ
+transfer object is left as 'used'. This leads to a use after
+free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
+Reset NCQ transfer object to 'unused' to avoid it.
+
+[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
+
+Reported-by: Qinghao Tang
+Signed-off-by: Prasad J Pandit
+Reviewed-by: John Snow
+Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
+Signed-off-by: John Snow
+
+Upstream-Status: Backport
+
+http://git.qemu.org/?p=qemu.git;a=commit;h=4ab0359a8ae182a7ac5c99609667273167703fab
+
+CVE: CVE-2016-1568
+[Yocto # 9013]
+
+Signed-off-by: Armin Kuster
+
+---
+ hw/ide/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.4.0.orig/hw/ide/ahci.c
++++ qemu-2.4.0/hw/ide/ahci.c
+@@ -898,6 +898,7 @@ static void ncq_err(NCQTransferState *nc
+ ide_state->error = ABRT_ERR;
+ ide_state->status = READY_STAT | ERR_STAT;
+ ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
++ ncq_tfs->used = 0;
+ }
+
+ static void ncq_finish(NCQTransferState *ncq_tfs)
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
new file mode 100644
index 0000000000..946435c430
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2197.patch
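Review bot: The new `ncq_tfs->used = 0;` in `ncq_err` has no comment explaining why the slot is released in the error path, which is the whole point of the fix; a one-liner such as `/* Release the slot so ahci_reset_port does not cancel an aiocb that was never assigned (CVE-2016-1568). */` keeps that knowledge next to the code. `ncq_err` presumably also runs from the completion callback after an aiocb was assigned; clearing `used` there is harmless only if the aiocb has already been detached, which is worth confirming since every caller is outside this hunk.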
@@ -0,0 +1,59 @@
+From: Prasad J Pandit
+
+When IDE AHCI emulation uses Frame Information Structures(FIS)
+engine for data transfer, the mapped FIS buffer address is stored
+in a static 'bounce.buffer'. When a request is made to map another
+memory region, address_space_map() returns NULL because
+'bounce.buffer' is in_use. It leads to a null pointer dereference
+error while doing 'dma_memory_unmap'. Add a check to avoid it.
+
+Reported-by: Zuozhi fzz
+Signed-off-by: Prasad J Pandit
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05740.html
+
+CVE: CVE-2016-2197
+Signed-off-by: Armin Kuster
+
+---
+ hw/ide/ahci.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+ Update as per review
+ -> https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05715.html
+
+Index: qemu-2.5.0/hw/ide/ahci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/ide/ahci.c
++++ qemu-2.5.0/hw/ide/ahci.c
+@@ -661,9 +661,11 @@ static bool ahci_map_fis_address(AHCIDev
+
+ static void ahci_unmap_fis_address(AHCIDevice *ad)
+ {
+- dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+- DMA_DIRECTION_FROM_DEVICE, 256);
+- ad->res_fis = NULL;
++ if (ad->res_fis) {
++ dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
++ DMA_DIRECTION_FROM_DEVICE, 256);
++ ad->res_fis = NULL;
++ }
+ }
+
+ static bool ahci_map_clb_address(AHCIDevice *ad)
+@@ -677,9 +679,11 @@ static bool ahci_map_clb_address(AHCIDev
+
+ static void ahci_unmap_clb_address(AHCIDevice *ad)
+ {
+- dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+- DMA_DIRECTION_FROM_DEVICE, 1024);
+- ad->lst = NULL;
++ if (ad->lst) {
++ dma_memory_unmap(ad->hba->as, ad->lst, 1024,
++ DMA_DIRECTION_FROM_DEVICE, 1024);
++ ad->lst = NULL;
++ }
+ }
+
+ static void ahci_write_fis_sdb(AHCIState *s, NCQTransferState *ncq_tfs)
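Review bot: The `Index:` and `---`/`+++` lines reference `qemu-2.5.0/hw/ide/ahci.c` while this recipe moves to 2.4.0 and the neighbouring backport (CVE-2016-1568, previous hunk) is rebased to `qemu-2.4.0`; the `-p1` strip hides the prefix mismatch, but the `@@ -661` / `@@ -677` offsets were taken from 2.5.0 and will apply to a 2.4.0 tree only through `patch`'s offset/fuzz handling. The same applies to CVE-2016-2198.patch in the next hunk. Rebasing both headers to `qemu-2.4.0` and regenerating the hunk offsets makes the backports self-consistent and removes a silent dependency on fuzz. The guards themselves (`if (ad->res_fis)` / `if (ad->lst)`) look right; the map-side functions that set these pointers are outside the hunk.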
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
new file mode 100644
index 0000000000..f1201f0613
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2198.patch
@@ -0,0 +1,45 @@
+From: Prasad J Pandit
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz
+Signed-off-by: Prasad J Pandit
+
+Upstream-Status: Backport
+https://lists.gnu.org/archive/html/qemu-devel/2016-01/msg05899.html
+
+CVE: CVE-2016-2198
+Signed-off-by: Armin Kuster
+
+---
+ hw/usb/hcd-ehci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+Index: qemu-2.5.0/hw/usb/hcd-ehci.c
+===================================================================
+--- qemu-2.5.0.orig/hw/usb/hcd-ehci.c
++++ qemu-2.5.0/hw/usb/hcd-ehci.c
+@@ -893,6 +893,11 @@ static uint64_t ehci_caps_read(void *ptr
+ return s->caps[addr];
+ }
+
++static void ehci_caps_write(void *ptr, hwaddr addr,
++ uint64_t val, unsigned size)
++{
++}
++
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+ unsigned size)
+ {
+@@ -2310,6 +2315,7 @@ static void ehci_frame_timer(void *opaqu
+
+ static const MemoryRegionOps ehci_mmio_caps_ops = {
+ .read = ehci_caps_read,
++ .write = ehci_caps_write,
+ .valid.min_access_size = 1,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 1,
diff --git a/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
new file mode 100644
index 0000000000..1a6cf5119b
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/Qemu-Arm-versatilepb-Add-memory-size-checking.patch
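Review bot: `ehci_caps_write` has an empty body and no comment, so a reader has to dig out the commit message to learn that writes to the capability registers are dropped on purpose because the registers are read-only; a comment inside the body such as `/* Capability registers are read-only: guest writes are ignored. */` documents the contract where it is read. A guest writing to a read-only MMIO range is a guest bug worth seeing during debugging, so a `qemu_log_mask(LOG_GUEST_ERROR, ...)` line in the body would add visibility without changing behaviour.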
@@ -0,0 +1,46 @@
+From 896fa02c24347e6e9259812cfda187b1d6ca6199 Mon Sep 17 00:00:00 2001
+From: Jiang Lu
+Date: Wed, 13 Nov 2013 10:38:08 +0800
+Subject: [PATCH] Qemu:Arm:versatilepb: Add memory size checking
+
+The machine can not work with memory over 256M, so add a checking
+at startup. If the memory size exceed 256M, just stop emulation then
+throw out warning about memory limitation.
+
+Upstream-Status: Pending
+
+Signed-off-by: Jiang Lu
+
+Updated it on 2014-01-15 for rebasing
+
+Signed-off-by: Robert Yang
+
+Update it when upgrade qemu to 2.2.0
+
+Signed-off-by: Kai Kang
+Signed-off-by: Cristian Iorga
+---
+ hw/arm/versatilepb.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/hw/arm/versatilepb.c b/hw/arm/versatilepb.c
+index 6c69f4e..9278d90 100644
+--- a/hw/arm/versatilepb.c
++++ b/hw/arm/versatilepb.c
+@@ -204,6 +204,13 @@ static void versatile_init(MachineState *machine, int board_id)
+ exit(1);
+ }
+
++ if (machine->ram_size > (256 << 20)) {
++ fprintf(stderr,
++ "qemu: Too much memory for this machine: %d MB, maximum 256 MB\n",
++ ((unsigned int)ram_size / (1 << 20)));
++ exit(1);
++ }
++
+ cpuobj = object_new(object_class_get_name(cpu_oc));
+
+ /* By default ARM1176 CPUs have EL3 enabled. This board does not
+--
+2.1.0
+
diff --git a/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
new file mode 100644
index 0000000000..a99f72098c
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/add-ptest-in-makefile.patch
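Review bot: The check tests `machine->ram_size` but the message prints the global `ram_size`, and a value cast to `unsigned int` is printed with `%d`; the two sources should agree and the format should match the cast. Suggested: `"qemu: Too much memory for this machine: %u MB, maximum 256 MB\n",` followed by `(unsigned int)(machine->ram_size >> 20));`. The patch has carried `Upstream-Status: Pending` since 2013; upstream-style reporting would use `error_report` rather than a bare `fprintf(stderr, ...)`, which is worth doing if it is ever re-sent.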
@@ -0,0 +1,29 @@
+Upstream-Status: Pending
+
+Add subpackage -ptest which runs all unit test cases for qemu.
+
+Signed-off-by: Kai Kang
+---
+ tests/Makefile | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/tests/Makefile b/tests/Makefile
+index 88f7105..3f40b4b 100644
+--- a/tests/Makefile
++++ b/tests/Makefile
+@@ -405,3 +405,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+
+ -include $(wildcard tests/*.d)
+ -include $(wildcard tests/libqos/*.d)
++
++buildtest-TESTS: $(check-unit-y)
++
++runtest-TESTS:
++ for f in $(check-unit-y); do \
++ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
++ $$nf; \
++ done
++
+--
+1.7.9.5
+
diff --git a/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
new file mode 100644
index 0000000000..6822132541
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_cpu_kick_thread_debugging.patch
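Review bot: In `runtest-TESTS` the exit status of each `$$nf;` is discarded, so a failing unit test neither fails the target nor produces any line the ptest wrapper can recognise; `make -k` cannot help because the whole loop is one recipe line. Changing the body line to `$$nf || echo "FAIL: $$f"; \` lets run-ptest report failures instead of only tagging the `: OK` lines as `PASS:`. The `sed 's/tests\//\.\//g'` rewrite assumes every entry in `$(check-unit-y)` starts with `tests/`; a comment stating that assumption above the loop would help the next person who touches it.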
@@ -0,0 +1,76 @@
+From 697a834c35d19447b7dcdb9e1d9434bc6ce17c21 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?=
+Date: Wed, 12 Aug 2015 15:11:30 -0500
+Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add custom_debug.h with function for print backtrace information.
+When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
+current cpu information.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Aníbal Limón
+---
+ cpus.c | 5 +++++
+ custom_debug.h | 24 ++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+ create mode 100644 custom_debug.h
+
+diff --git a/cpus.c b/cpus.c
+index a822ce3..7e4786e 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1080,6 +1080,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+ return NULL;
+ }
+
++#include "custom_debug.h"
++
+ static void qemu_cpu_kick_thread(CPUState *cpu)
+ {
+ #ifndef _WIN32
+@@ -1088,6 +1090,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+ err = pthread_kill(cpu->thread->thread, SIG_IPI);
+ if (err) {
+ fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
++ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
++ cpu_dump_state(cpu, stderr, fprintf, 0);
++ backtrace_print();
+ exit(1);
+ }
+ #else /* _WIN32 */
+diff --git a/custom_debug.h b/custom_debug.h
+new file mode 100644
+index 0000000..f029e45
+--- /dev/null
++++ b/custom_debug.h
+@@ -0,0 +1,24 @@
++#include
++#include
++#define BACKTRACE_MAX 128
++static void backtrace_print(void)
++{
++ int nfuncs = 0;
++ void *buf[BACKTRACE_MAX];
++ char **symbols;
++ int i;
++
++ nfuncs = backtrace(buf, BACKTRACE_MAX);
++
++ symbols = backtrace_symbols(buf, nfuncs);
++ if (symbols == NULL) {
++ fprintf(stderr, "backtrace_print failed to get symbols");
++ return;
++ }
++
++ fprintf(stderr, "Backtrace ...\n");
++ for (i = 0; i < nfuncs; i++)
++ fprintf(stderr, "%s\n", symbols[i]);
++
++ free(symbols);
++}
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
new file mode 100644
index 0000000000..45dffabc34
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/cpus.c-qemu_mutex_lock_iothread-fix-race-condition-a.patch
@@ -0,0 +1,45 @@
+Upstream-Status: Submitted
+
+From f354b9333408d411854af058cc44cceda60b4473 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?=
+Date: Thu, 3 Sep 2015 14:07:34 -0500
+Subject: [PATCH] cpus.c: qemu_mutex_lock_iothread fix race condition at cpu
+ thread init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When QEMU starts the RCU thread executes qemu_mutex_lock_thread
+causing error "qemu:qemu_cpu_kick_thread: No such process" and exits.
+
+This isn't occur frequently but in glibc the thread id can exist and
+this not guarantee that the thread is on active/running state. If is
+inserted a sleep(1) after newthread assignment [1] the issue appears.
+
+So not make assumption that thread exist if first_cpu->thread is set
+then change the validation of cpu to created that is set into cpu
+threads (kvm, tcg, dummy).
+
+[1] https://sourceware.org/git/?p=glibc.git;a=blob;f=nptl/pthread_create.c;h=d10f4ea8004e1d8f3a268b95cc0f8d93b8d89867;hb=HEAD#l621
+
+Signed-off-by: Aníbal Limón
+---
+ cpus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cpus.c b/cpus.c
+index 7e4786e..05e5400 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1171,7 +1171,7 @@ void qemu_mutex_lock_iothread(void)
+ * TCG code execution.
+ */
+ if (!tcg_enabled() || qemu_in_vcpu_thread() ||
+- !first_cpu || !first_cpu->thread) {
++ !first_cpu || !first_cpu->created) {
+ qemu_mutex_lock(&qemu_global_mutex);
+ atomic_dec(&iothread_requesting_mutex);
+ } else {
+--
+1.9.1
+
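Review bot: In `custom_debug.h`, `fprintf(stderr, "backtrace_print failed to get symbols");` has no trailing newline, so it runs into whatever is printed next; add `\n`. The header has no include guard and is `#include`d in the middle of cpus.c right after `qemu_tcg_cpu_thread_fn`, which is unusual for a static helper; the conventional form is a guarded header included at the top, or the function placed directly in cpus.c. Since this runs on the way to `exit(1)`, `backtrace_symbols_fd(buf, nfuncs, fileno(stderr))` would avoid the allocation made by `backtrace_symbols` and the NULL check around it. The two `#include` directives appear here without header names, which looks like rendering loss rather than the patch's content.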
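Review bot: The new condition reads `first_cpu->created` before `qemu_global_mutex` is taken, exactly as the replaced `first_cpu->thread` read did, so the change narrows the window rather than synchronising the check; a comment at the changed line keeping the commit message's reasoning with the code would help, e.g. `/* created is set by the vcpu thread itself once it runs, so it is a safer readiness signal than thread being non-NULL. */`. The patch is marked `Upstream-Status: Submitted`; the recipe should record the upstream outcome so this is either dropped on the next upgrade or its status updated.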
diff --git a/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch
new file mode 100644
index 0000000000..171bda7e95
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/exclude-some-arm-EABI-obsolete-syscalls.patch
@@ -0,0 +1,93 @@
+[PATCH] exclude some arm EABI obsolete syscalls
+
+Upstream-Status: Pending
+
+some syscalls are obsolete and no longer available for EABI, exclude them to
+fix the below error:
+ In file included from qemu-seccomp.c:16:0:
+ qemu-seccomp.c:28:7: error: '__NR_select' undeclared here (not in a function)
+ { SCMP_SYS(select), 252 },
+ ^
+ qemu-seccomp.c:36:7: error: '__NR_mmap' undeclared here (not in a function)
+ { SCMP_SYS(mmap), 247 },
+ ^
+ qemu-seccomp.c:57:7: error: '__NR_getrlimit' undeclared here (not in a function)
+ { SCMP_SYS(getrlimit), 245 },
+ ^
+ qemu-seccomp.c:96:7: error: '__NR_time' undeclared here (not in a function)
+ { SCMP_SYS(time), 245 },
+ ^
+ qemu-seccomp.c:185:7: error: '__NR_alarm' undeclared here (not in a function)
+ { SCMP_SYS(alarm), 241 },
+
+please refer source files:
+ arch/arm/include/uapi/asm/unistd.h
+or kernel header:
+ /usr/include/asm/unistd.h
+
+Signed-off-by: Roy.Li
+---
+ qemu-seccomp.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index caa926e..5a78502 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -25,15 +25,21 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+ { SCMP_SYS(timer_settime), 255 },
+ { SCMP_SYS(timer_gettime), 254 },
+ { SCMP_SYS(futex), 253 },
++#if !defined(__ARM_EABI__)
+ { SCMP_SYS(select), 252 },
++ { SCMP_SYS(time), 245 },
++ { SCMP_SYS(alarm), 241 },
++ { SCMP_SYS(getrlimit), 245 },
++ { SCMP_SYS(mmap), 247 },
++ { SCMP_SYS(socketcall), 250 },
++ { SCMP_SYS(ipc), 245 },
++#endif
+ { SCMP_SYS(recvfrom), 251 },
+ { SCMP_SYS(sendto), 250 },
+- { SCMP_SYS(socketcall), 250 },
+ { SCMP_SYS(read), 249 },
+ { SCMP_SYS(io_submit), 249 },
+ { SCMP_SYS(brk), 248 },
+ { SCMP_SYS(clone), 247 },
+- { SCMP_SYS(mmap), 247 },
+ { SCMP_SYS(mprotect), 246 },
+ { SCMP_SYS(execve), 245 },
+ { SCMP_SYS(open), 245 },
+@@ -48,13 +54,11 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+ {
SCMP_SYS(bind), 245 },
+ { SCMP_SYS(listen), 245 },
+ { SCMP_SYS(semget), 245 },
+- { SCMP_SYS(ipc), 245 },
+ { SCMP_SYS(gettimeofday), 245 },
+ { SCMP_SYS(readlink), 245 },
+ { SCMP_SYS(access), 245 },
+ { SCMP_SYS(prctl), 245 },
+ { SCMP_SYS(signalfd), 245 },
+- { SCMP_SYS(getrlimit), 245 },
+ { SCMP_SYS(set_tid_address), 245 },
+ { SCMP_SYS(statfs), 245 },
+ { SCMP_SYS(unlink), 245 },
+@@ -93,7 +97,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+ { SCMP_SYS(times), 245 },
+ { SCMP_SYS(exit), 245 },
+ { SCMP_SYS(clock_gettime), 245 },
+- { SCMP_SYS(time), 245 },
+ { SCMP_SYS(restart_syscall), 245 },
+ { SCMP_SYS(pwrite64), 245 },
+ { SCMP_SYS(nanosleep), 245 },
+@@ -182,7 +185,6 @@ static const struct QemuSeccompSyscall seccomp_whitelist[] = {
+ { SCMP_SYS(lstat64), 241 },
+ { SCMP_SYS(sendfile64), 241 },
+ { SCMP_SYS(ugetrlimit), 241 },
+- { SCMP_SYS(alarm), 241 },
+ { SCMP_SYS(rt_sigsuspend), 241 },
+ { SCMP_SYS(rt_sigqueueinfo), 241 },
+ { SCMP_SYS(rt_tgsigqueueinfo), 241 },
+--
+1.9.1
+
diff --git a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch b/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
deleted file mode 100644
index 711c36071d..0000000000
--- a/meta/recipes-devtools/qemu/qemu/larger_default_ram_size.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-This patch is taken from debian. 128M is too less sometimes if distro
-with lot of packages is booted so this patch raises the default to 384M
-
-It has not been applied to upstream qemu
-
-Khem Raj
-
-Upstream-Status: Pending
-
-Index: qemu-0.14.0/vl.c
-===================================================================
---- qemu-0.14.0.orig/vl.c
-+++ qemu-0.14.0/vl.c
-@@ -168,7 +168,7 @@ int main(int argc, char **argv)
- //#define DEBUG_NET
- //#define DEBUG_SLIRP
-
--#define DEFAULT_RAM_SIZE 128
-+#define DEFAULT_RAM_SIZE 384
-
- #define MAX_VIRTIO_CONSOLES 1
-
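Review bot: The `#if !defined(__ARM_EABI__)` block also excludes `socketcall` and `ipc`, which the description (the five compiler errors quoted above it) never mentions; on a seccomp whitelist every excluded entry is a behavioural change, not only a build fix, so the description should say why those two are moved too. The entries inside the new block no longer follow the descending-priority order the rest of `seccomp_whitelist[]` keeps (`time` 245 and `alarm` 241 come before `mmap` 247 and `socketcall` 250); reordering them preserves the table's convention. An EABI build presumably needs the replacement calls (`mmap2`, the separate socket syscalls; `ugetrlimit` is visible at the `@@ -182` hunk) to stay whitelisted, which is worth confirming on an ARM target by starting qemu with `-sandbox on`.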
diff --git a/meta/recipes-devtools/qemu/qemu/no-valgrind.patch b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
new file mode 100644
index 0000000000..91f728042d
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/no-valgrind.patch
@@ -0,0 +1,19 @@
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton
+
+diff --git a/configure b/configure
+index b3c4f51..4d3929e 100755
+--- a/configure
++++ b/configure
+@@ -4193,9 +4192,0 @@ valgrind_h=no
+-cat > $TMPC << EOF
+-#include
+-int main(void) {
+- return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+- valgrind_h=yes
+-fi
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch b/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
deleted file mode 100644
index f05441fce6..0000000000
--- a/meta/recipes-devtools/qemu/qemu/qemu-CVE-2015-3456.patch
+++ /dev/null
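Review bot: The hunk `@@ -4193,9 +4192,0 @@` carries no context lines, so it is located purely by line number and will stop applying as soon as `configure` shifts on the next upgrade; regenerating it with normal context makes future rebases safer. Deleting only the probe leaves `valgrind_h=no` in force, which is the intended effect, but the patch text should state that rather than leave it to be inferred. The `#include` line appears here without its header name, which looks like rendering loss.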
@@ -1,92 +0,0 @@
-qemu: CVE-2015-3456
-
-the patch comes from:
-https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3456
-http://git.qemu.org/?p=qemu.git;a=commit;h=e907746266721f305d67bc0718795fedee2e824c
-
-fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek
-Reviewed-by: John Snow
-Signed-off-by: John Snow
-Signed-off-by: Li Wang
-
-Upstream-Status: Backport
-
-Signed-off-by: Kai Kang
----
- hw/block/fdc.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index 490d127..045459e 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1436,7 +1436,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
- FDrive *cur_drv;
- uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-
- cur_drv = get_cur_drv(fdctrl);
- fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1445,8 +1445,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- return 0;
- }
- pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
- if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
- if (pos == 0) {
- if (fdctrl->data_pos != 0)
- if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1790,10 +1790,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
- FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
- /* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos]
& 0x40) {
- fdctrl->fifo[0] = fdctrl->fifo[1];
- fdctrl->fifo[2] = 0;
- fdctrl->fifo[3] = 0;
-@@ -1893,7 +1896,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
- FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-
- /* Reset mode */
- if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -1941,7 +1944,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- }
-
- FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
- if (fdctrl->data_pos == fdctrl->data_len) {
- /* We now have all parameters
- * and will be able to treat the command
---
-1.7.9.5
-
diff --git a/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
new file mode 100644
index 0000000000..c7425ab8d4
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/qemu-enlarge-env-entry-size.patch
@@ -0,0 +1,31 @@
+qemu: Add addition environment space to boot loader qemu-system-mips
+
+Upstream-Status: Inappropriate - OE uses deep paths
+
+If you create a project with very long directory names like 128 characters
+deep and use NFS, the kernel arguments will be truncated. The kernel will
+accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
+to only 256 bytes. This patch expands the limit.
+
+Signed-off-by: Jason Wessel
+Signed-off-by: Roy Li
+---
+ hw/mips/mips_malta.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
+index 9d521cc..17c0391 100644
+--- a/hw/mips/mips_malta.c
++++ b/hw/mips/mips_malta.c
+@@ -53,7 +53,7 @@
+
+ #define ENVP_ADDR 0x80002000l
+ #define ENVP_NB_ENTRIES 16
+-#define ENVP_ENTRY_SIZE 256
++#define ENVP_ENTRY_SIZE 1024
+
+ /* Hardware addresses */
+ #define FLASH_ADDRESS 0x1e000000ULL
+--
+1.7.10.4
+
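Review bot: Raising `ENVP_ENTRY_SIZE` from 256 to 1024 quadruples the environment block (`ENVP_NB_ENTRIES` entries, 16 KiB in total) placed at `ENVP_ADDR`, and the hunk shows neither the writer that fills the entries nor what is laid out after the block. A comment on the changed line recording the reason and the size consequence, e.g. `/* 1024: OE builds pass long NFS root paths on the kernel command line */`, keeps the rationale with the constant. It is also worth confirming that the code writing these entries bounds them by `ENVP_ENTRY_SIZE` rather than a separate literal; that code is outside this hunk.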
diff --git a/meta/recipes-devtools/qemu/qemu/run-ptest b/meta/recipes-devtools/qemu/qemu/run-ptest
new file mode 100644
index 0000000000..f4b8e97e1e
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,8 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+ptestdir=$(pwd)
+cd tests
+
+export SRC_PATH=$ptestdir
+make -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
diff --git a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch b/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
deleted file mode 100644
index a7ecf31c01..0000000000
--- a/meta/recipes-devtools/qemu/qemu/slirp-CVE-2014-3640.patch
+++ /dev/null
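Review bot: `cd tests` is unchecked, so if the directory is missing the `make -k runtest-TESTS` on the last line runs in the ptest root instead; `cd tests || exit 1` is the usual guard. The pipeline's status is that of `sed`, and the `sed` only rewrites `: OK` lines to `PASS:`, so a failing test is never reported as `FAIL:` to ptest-runner; if the test binaries print `: FAIL` for failures, a second expression `-e '/: FAIL/ s/^/FAIL: /'` covers them. Minor: the `#This script` comment lacks a space after `#`.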
@@ -1,48 +0,0 @@
-From 9a72433843d912a45046959b1953861211d1838d Mon Sep 17 00:00:00 2001
-From: Petr Matousek
-Date: Thu, 18 Sep 2014 08:35:37 +0200
-Subject: [PATCH] slirp: udp: fix NULL pointer dereference because of
- uninitialized socket
-
-When guest sends udp packet with source port and source addr 0,
-uninitialized socket is picked up when looking for matching and already
-created udp sockets, and later passed to sosendto() where NULL pointer
-dereference is hit during so->slirp->vnetwork_mask.s_addr access.
-
-Fix this by checking that the socket is not just a socket stub.
-
-This is CVE-2014-3640.
-
-Upstream-Status: Backport
-
-Signed-off-by: Petr Matousek
-Reported-by: Xavier Mehrenberger
-Reported-by: Stephane Duverger
-Reviewed-by: Jan Kiszka
-Reviewed-by: Michael S. Tsirkin
-Reviewed-by: Michael Tokarev
-Message-id: 20140918063537.GX9321@dhcp-25-225.brq.redhat.com
-Signed-off-by: Peter Maydell
-(cherry picked from commit 01f7cecf0037997cb0e58ec0d56bf9b5a6f7cb2a)
-Signed-off-by: Michael Roth
-Signed-off-by: Sona Sarmadi
----
- slirp/udp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/slirp/udp.c b/slirp/udp.c
-index 8cc6cb6..f77e00f 100644
---- a/slirp/udp.c
-+++ b/slirp/udp.c
-@@ -152,7 +152,7 @@ udp_input(register struct mbuf *m, int iphlen)
- * Locate pcb for datagram.
- */
- so = slirp->udp_last_so;
-- if (so->so_lport != uh->uh_sport ||
-+ if (so == &slirp->udb || so->so_lport != uh->uh_sport ||
- so->so_laddr.s_addr != ip->ip_src.s_addr) {
- struct socket *tmp;
-
---
-1.9.1
-
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
new file mode 100644
index 0000000000..e37e777347
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix.patch
@@ -0,0 +1,74 @@
+The smc91c111.c driver appears to have several issues. The can_receive()
+function can return that the driver is ready when rx_fifo has not been
+freed yet. There is also no sanity check of rx_fifo() in _receive() which
+can lead to corruption of the rx_fifo array.
+
+release_packet() can also call qemu_flush_queued_packets() before rx_fifo
+has been cleaned up, resulting in cases where packets are submitted
+for which there is not yet any space.
+
+This patch therefore:
+
+* fixes the logic in can_receive()
+* adds logic to receive() as a sanity check
+* moves the flush() calls to the correct places where data is ready
+ to be received
+
+Upstream-Status: Pending [discussion in progress on mailing list]
+RP 2015/9/7
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -185,7 +185,6 @@ static void smc91c111_release_packet(smc
+ s->allocated &= ~(1 << packet);
+ if (s->tx_alloc == 0x80)
+ smc91c111_tx_alloc(s);
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
+ }
+
+ /* Flush the TX FIFO. */
+@@ -237,9 +236,11 @@ static void smc91c111_do_tx(smc91c111_st
+ }
+ }
+ #endif
+- if (s->ctr & CTR_AUTO_RELEASE)
++ if (s->ctr & CTR_AUTO_RELEASE) {
+ /* Race? */
+ smc91c111_release_packet(s, packetnum);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ }
+ else if (s->tx_fifo_done_len < NUM_PACKETS)
+ s->tx_fifo_done[s->tx_fifo_done_len++] = packetnum;
+ qemu_send_packet(qemu_get_queue(s->nic), p, len);
+@@ -379,9 +380,11 @@ static void smc91c111_writeb(void *opaqu
+ smc91c111_release_packet(s, s->rx_fifo[0]);
+ }
+ smc91c111_pop_rx_fifo(s);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
+ break;
+ case 5: /* Release. */
+ smc91c111_release_packet(s, s->packet_num);
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
+ break;
+ case 6: /* Add to TX FIFO.
*/
+ smc91c111_queue_tx(s, s->packet_num);
+@@ -642,7 +642,7 @@ static int smc91c111_can_receive(NetClie
+
+ if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+ return 1;
+- if (s->allocated == (1 << NUM_PACKETS) - 1)
++ if ((s->allocated == (1 << NUM_PACKETS) - 1) || (s->rx_fifo_len == NUM_PACKETS))
+ return 0;
+ return 1;
+ }
+@@ -671,6 +671,8 @@ static ssize_t smc91c111_receive(NetClie
+ /* TODO: Flag overrun and receive errors. */
+ if (packetsize > 2048)
+ return -1;
++ if (s->rx_fifo_len == NUM_PACKETS)
++ return -1;
+ packetnum = smc91c111_allocate_packet(s);
+ if (packetnum == 0x80)
+ return -1;
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
new file mode 100644
index 0000000000..bd1223a446
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix1.patch
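Review bot: The `@@ -185` hunk removes the `qemu_flush_queued_packets(qemu_get_queue(s->nic));` line in `smc91c111_release_packet`, and smc91c111_fix1.patch (two hunks below) removes that same line in its `@@ -185,7 +203,7 @@` hunk to replace it with `smc91c111_flush_queued_packets(s)`; the two patches therefore cannot both apply to one tree, so the recipe must list only one of them (qemu.inc is outside this view). If the fix1/fix2/fix3 series is the one kept, this patch should be dropped, as the series covers the same `rx_fifo_len` check and flush placement behind a `can_receive()` guard. In `smc91c111_do_tx` the new block closes with `}` on its own line followed by an unbraced `else if (...)`, which is against QEMU brace style; `} else if (s->tx_fifo_done_len < NUM_PACKETS) {` with a matching closing brace after the assignment keeps it consistent.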
@@ -0,0 +1,85 @@
+From: Peter Crosthwaite
+Subject: [RFT PATCH v1 1/3] net: smc91c111: guard flush_queued_packets() on
+ can_rx()
+Date: Thu, 10 Sep 2015 21:23:43 -0700
+
+Check that the core can once again receive packets before asking the
+net layer to do a flush. This will make it more convenient to flush
+packets when adding new conditions to can_receive.
+
+Add missing if braces while moving the can_receive() core code.
+
+Signed-off-by: Peter Crosthwaite
+
+Upstream-Status: Submitted
+
+---
+
+ hw/net/smc91c111.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -124,6 +124,24 @@ static void smc91c111_update(smc91c111_s
+ qemu_set_irq(s->irq, level);
+ }
+
++static int smc91c111_can_receive(smc91c111_state *s)
++{
++ if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
++ return 1;
++ }
++ if (s->allocated == (1 << NUM_PACKETS) - 1) {
++ return 0;
++ }
++ return 1;
++}
++
++static inline void smc91c111_flush_queued_packets(smc91c111_state *s)
++{
++ if (smc91c111_can_receive(s)) {
++ qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ }
++}
++
+ /* Try to allocate a packet. Returns 0x80 on failure. */
+ static int smc91c111_allocate_packet(smc91c111_state *s)
+ {
+@@ -185,7 +203,7 @@ static void smc91c111_release_packet(smc
+ s->allocated &= ~(1 << packet);
+ if (s->tx_alloc == 0x80)
+ smc91c111_tx_alloc(s);
+- qemu_flush_queued_packets(qemu_get_queue(s->nic));
++ smc91c111_flush_queued_packets(s);
+ }
+
+ /* Flush the TX FIFO.
*/
+@@ -636,15 +654,11 @@ static uint32_t smc91c111_readl(void *op
+ return val;
+ }
+
+-static int smc91c111_can_receive(NetClientState *nc)
++static int smc91c111_can_receive_nc(NetClientState *nc)
+ {
+ smc91c111_state *s = qemu_get_nic_opaque(nc);
+
+- if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST))
+- return 1;
+- if (s->allocated == (1 << NUM_PACKETS) - 1)
+- return 0;
+- return 1;
++ return smc91c111_can_receive(s);
+ }
+
+ static ssize_t smc91c111_receive(NetClientState *nc, const uint8_t *buf, size_t size)
+@@ -739,7 +753,7 @@ static const MemoryRegionOps smc91c111_m
+ static NetClientInfo net_smc91c111_info = {
+ .type = NET_CLIENT_OPTIONS_KIND_NIC,
+ .size = sizeof(NICState),
+- .can_receive = smc91c111_can_receive,
++ .can_receive = smc91c111_can_receive_nc,
+ .receive = smc91c111_receive,
+ };
+
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
new file mode 100644
index 0000000000..018aed5f80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
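Review bot: `smc91c111_can_receive` returns 1 when RXEN is clear or SOFT_RST is set, i.e. it reports "can receive" exactly when the device is not receiving, and nothing at the definition says why; a comment such as `/* Accept packets while RX is disabled or in soft reset so the net layer hands them over to be dropped instead of queueing them indefinitely. */` records the intent (the 3/3 patch in this series states it) where the next reader will look. `smc91c111_flush_queued_packets` deserves the same one-line note that it flushes only when the core can take a packet. The series is `Upstream-Status: Submitted` as an RFT; the recipe should track whether it landed so the local copies can be dropped on the next upgrade.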
@@ -0,0 +1,46 @@
+From: Peter Crosthwaite
+X-Google-Original-From: Peter Crosthwaite
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
+ having a slot
+Date: Thu, 10 Sep 2015 21:23:57 -0700
+
+Return false from can_receive() when the FIFO doesn't have a free RX
+slot. This fixes a bug in the current code where the allocated buffer
+is freed before the fifo pop, triggering a premature flush of queued RX
+packets. It also will handle a corner case, where the guest manually
+frees the allocated buffer before popping the rx FIFO (hence it is not
+enough to just delay the flush_queued_packets()).
+
+Reported-by: Richard Purdie
+Signed-off-by: Peter Crosthwaite
+
+Upstream-Status: Submitted
+---
+
+ hw/net/smc91c111.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
+ if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
+ return 1;
+ }
+- if (s->allocated == (1 << NUM_PACKETS) - 1) {
++ if (s->allocated == (1 << NUM_PACKETS) - 1 ||
++ s->rx_fifo_len == NUM_PACKETS) {
+ return 0;
+ }
+ return 1;
+@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
+ } else {
+ s->int_level &= ~INT_RCV;
+ }
++ smc91c111_flush_queued_packets(s);
+ smc91c111_update(s);
+ }
+
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
new file mode 100644
index 0000000000..9e865f7f09
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix3.patch
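Review bot: The new `smc91c111_flush_queued_packets(s)` in `smc91c111_pop_rx_fifo` has no comment, and it sits before `smc91c111_update(s)`, so any packet delivered by the flush is processed before the interrupt level for the pop itself is recomputed; a comment stating that this ordering is deliberate, e.g. `/* A FIFO slot is free again: pull in queued packets before recomputing the IRQ level. */`, would stop a later reader from "fixing" it. Whether `smc91c111_receive` recomputes the IRQ level on its own is not visible in this hunk.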
@@ -0,0 +1,33 @@
+From: Peter Crosthwaite
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 3/3] net: smc91c111: flush packets on RCR register
+ changes
+Date: Thu, 10 Sep 2015 21:24:12 -0700
+
+The SOFT_RST or RXEN in the control register can be used as a condition
+to unblock the net layer via can_receive(). So check for possible
+flushes on RCR changes. This will drop all pending packets on soft
+reset or disable which is the functional intent of the can_receive()
+logic.
+
+Signed-off-by: Peter Crosthwaite
+
+Upstream-Status: Submitted
+---
+
+ hw/net/smc91c111.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -331,6 +331,7 @@ static void smc91c111_writeb(void *opaqu
+ if (s->rcr & RCR_SOFT_RST) {
+ smc91c111_reset(DEVICE(s));
+ }
++ smc91c111_flush_queued_packets(s);
+ return;
+ case 10: case 11: /* RPCR */
+ /* Ignored */
diff --git a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch b/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
deleted file mode 100644
index 10a6dacbe5..0000000000
--- a/meta/recipes-devtools/qemu/qemu/vnc-CVE-2014-7815.patch
+++ /dev/null
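Review bot: The flush after the RCR write is the whole point of the patch but carries no comment, and its effect on soft reset is non-obvious: with `RCR_SOFT_RST` set `can_receive()` returns 1 (see the 1/3 patch above), so the flush delivers every queued packet to the device while it is in reset. A comment at the added line such as `/* RXEN/SOFT_RST changes may unblock the net layer; on reset or disable this drains (drops) queued packets. */` records that. What `smc91c111_receive` does with packets while RX is disabled is outside this hunk, so the "drops" part is taken from the commit message rather than the code shown.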
@@ -1,53 +0,0 @@ -From b2f1d90530301d7915dddc8a750063757675b21a Mon Sep 17 00:00:00 2001 -From: Petr Matousek -Date: Mon, 27 Oct 2014 12:41:44 +0100 -Subject: [PATCH] vnc: sanitize bits_per_pixel from the client - -bits_per_pixel that are less than 8 could result in accessing -non-initialized buffers later in the code due to the expectation -that bytes_per_pixel value that is used to initialize these buffers is -never zero. - -To fix this check that bits_per_pixel from the client is one of the -values that the rfb protocol specification allows. - -This is CVE-2014-7815. - -Upstream-Status: Backport - -Signed-off-by: Petr Matousek - -[ kraxel: apply codestyle fix ] - -Signed-off-by: Gerd Hoffmann -(cherry picked from commit e6908bfe8e07f2b452e78e677da1b45b1c0f6829) -Signed-off-by: Michael Roth -Signed-off-by: Sona Sarmadi ---- - ui/vnc.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/ui/vnc.c b/ui/vnc.c -index f8d9b7d..87e34ae 100644 ---- a/ui/vnc.c -+++ b/ui/vnc.c -@@ -2026,6 +2026,16 @@ static void set_pixel_format(VncState *vs, - return; - } - -+ switch (bits_per_pixel) { -+ case 8: -+ case 16: -+ case 32: -+ break; -+ default: -+ vnc_client_error(vs); -+ return; -+ } -+ - vs->client_pf.rmax = red_max; - vs->client_pf.rbits = hweight_long(red_max); - vs->client_pf.rshift = red_shift; --- -1.9.1 - diff --git a/meta/recipes-devtools/qemu/qemu/wacom.patch b/meta/recipes-devtools/qemu/qemu/wacom.patch index fd1b4a6963..cd06aa4ac6 100644 --- a/meta/recipes-devtools/qemu/qemu/wacom.patch +++ b/meta/recipes-devtools/qemu/qemu/wacom.patch @@ -1,7 +1,7 @@ The USB wacom device is missing a HID descriptor which causes it to fail to operate with recent kernels (e.g. 3.17). -This patch adds a HID desriptor to the device, based upon one from +This patch adds a HID desriptor to the device, based upon one from real wcom device. Signed-off-by: Richard Purdie @@ -16,12 +16,12 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c 
@@ -68,6 +68,89 @@ [STR_SERIALNUMBER] = "1", }; - + +static const uint8_t qemu_tablet_hid_report_descriptor[] = { + 0x05, 0x01, /* Usage Page (Generic Desktop) */ + 0x09, 0x02, /* Usage (Mouse) */ + 0xa1, 0x01, /* Collection (Application) */ -+ 0x85, 0x01, /* Report ID (1) */ ++ 0x85, 0x01, /* Report ID (1) */ + 0x09, 0x01, /* Usage (Pointer) */ + 0xa1, 0x00, /* Collection (Physical) */ + 0x05, 0x09, /* Usage Page (Button) */ @@ -48,7 +48,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c + 0x05, 0x0d, /* Usage Page (Digitizer) */ + 0x09, 0x01, /* Usage (Digitizer) */ + 0xa1, 0x01, /* Collection (Application) */ -+ 0x85, 0x02, /* Report ID (2) */ ++ 0x85, 0x02, /* Report ID (2) */ + 0xa1, 0x00, /* Collection (Physical) */ + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ + 0x09, 0x01, /* Usage (Digitizer) */ @@ -59,14 +59,14 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ + 0xc0, /* End Collection */ + 0x09, 0x01, /* Usage (Digitizer) */ -+ 0x85, 0x02, /* Report ID (2) */ ++ 0x85, 0x02, /* Report ID (2) */ + 0x95, 0x01, /* Report Count (1) */ + 0xb1, 0x02, /* FEATURE (2) */ + 0xc0, /* End Collection */ + 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */ + 0x09, 0x01, /* Usage (Digitizer) */ + 0xa1, 0x01, /* Collection (Application) */ -+ 0x85, 0x02, /* Report ID (2) */ ++ 0x85, 0x02, /* Report ID (2) */ + 0x05, 0x0d, /* Usage Page (Digitizer) */ + 0x09, 0x22, /* Usage (Finger) */ + 0xa1, 0x00, /* Collection (Physical) */ @@ -95,7 +95,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c + 0x75, 0x08, /* Report Size (8) */ + 0x95, 0x0d, /* Report Count (13) */ + 0x81, 0x02, /* Input (Data, Variable, Absolute) */ -+ 0xc0, /* End Collection */ ++ 0xc0, /* End Collection */ + 0xc0, /* End Collection */ +}; + @@ -114,7 +114,7 @@ Index: qemu-2.1.0/hw/usb/dev-wacom.c }, @@ -265,6 +350,15 @@ } - + switch (request) { + case InterfaceRequest | USB_REQ_GET_DESCRIPTOR: + switch (value >> 8) { 
diff --git a/meta/recipes-devtools/qemu/qemu_2.1.0.bb b/meta/recipes-devtools/qemu/qemu_2.1.0.bb
deleted file mode 100644
index 92a89d699c..0000000000
--- a/meta/recipes-devtools/qemu/qemu_2.1.0.bb
+++ /dev/null
@@ -1,32 +0,0 @@
-require qemu.inc
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
- file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-
-SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
- file://qemu-enlarge-env-entry-size.patch \
- file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
- file://0001-Back-porting-security-fix-CVE-2014-5388.patch \
- file://qemu-CVE-2015-3456.patch \
- file://CVE-2014-7840.patch \
- file://vnc-CVE-2014-7815.patch \
- file://slirp-CVE-2014-3640.patch \
- "
-SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
-SRC_URI[md5sum] = "6726977292b448cbc7f89998fac6983b"
-SRC_URI[sha256sum] = "397e23184f4bf613589a8fe0c6542461dc2afdf17ed337e97e6fd2f31e8f8802"
-
-COMPATIBLE_HOST_class-target_mips64 = "null"
-
-do_sanitize_sources() {
- # These .git files point to a nonexistent path "../.git/modules" and will confuse git
- # if it tries to recurse into those directories.
- rm -f ${S}/dtc/.git ${S}/pixman/.git
-}
-
-addtask sanitize_sources after do_unpack before do_patch
-
-do_install_append() {
- # Prevent QA warnings about installed ${localstatedir}/run
- if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
-}
diff --git a/meta/recipes-devtools/qemu/qemu_2.4.0.bb b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
new file mode 100644
index 0000000000..8d47b16e64
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu_2.4.0.bb
@@ -0,0 +1,33 @@
+require qemu.inc
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
+
+SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
+ file://qemu-enlarge-env-entry-size.patch \
+ file://Qemu-Arm-versatilepb-Add-memory-size-checking.patch \
+ file://smc91c111_fix1.patch \
+ file://smc91c111_fix2.patch \
+ file://smc91c111_fix3.patch \
+ file://no-valgrind.patch \
+ file://CVE-2015-8504.patch \
+ file://CVE-2015-7504.patch \
+ file://CVE-2015-7512.patch \
+ file://CVE-2015-8345.patch \
+ file://CVE-2016-1568.patch \
+ file://CVE-2015-7295_1.patch \
+ file://CVE-2015-7295_2.patch \
+ file://CVE-2015-7295_3.patch \
+ file://CVE-2016-2197.patch \
+ file://CVE-2016-2198.patch \
+ "
+SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
+SRC_URI[md5sum] = "186ee8194140a484a455f8e3c74589f4"
+SRC_URI[sha256sum] = "72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620"
+
+COMPATIBLE_HOST_class-target_mips64 = "null"
+
+do_install_append() {
+ # Prevent QA warnings about installed ${localstatedir}/run
+ if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
+}
diff --git a/meta/recipes-devtools/qemu/qemu_git.bb b/meta/recipes-devtools/qemu/qemu_git.bb
deleted file mode 100644
index a30932a8ba..0000000000
--- a/meta/recipes-devtools/qemu/qemu_git.bb
+++ /dev/null
@@ -1,15 +0,0 @@
-require qemu.inc
-
-SRCREV = "04024dea2674861fcf13582a77b58130c67fccd8"
-
-LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
- file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
-
-PV = "1.3.0+git${SRCPV}"
-
-SRC_URI_prepend = "git://git.qemu.org/qemu.git"
-S = "${WORKDIR}/git"
-
-DEFAULT_PREFERENCE = "-1"
-
-COMPATIBLE_HOST_class-target_mips64 = "null"
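Review bot: The new recipe drops the 2.1.0 backports for CVE-2014-5388, CVE-2015-3456, CVE-2014-7840, CVE-2014-7815 and CVE-2014-3640, but neither the recipe nor the commit message states that the 2.4.0 tarball already contains those upstream fixes; one sentence saying so (or a comment above `SRC_URI +=` such as `# pre-2.4.0 CVE backports dropped: fixed upstream in 2.4.0`) would let a later CVE audit confirm the coverage instead of re-deriving it. `SRC_URI_prepend` still fetches the tarball over plain `http://`; the pinned sha256sum protects integrity, but switching to `https://` if the download host serves it removes the dependency on that single check. The 2.1.0 recipe's `do_sanitize_sources` task (removing stale `dtc/.git` and `pixman/.git`) is not carried over, which is fine only if the 2.4.0 tarball no longer ships those files; that is worth confirming in the commit message as well.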
diff --git a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb index d2981b5575..7f4c6d9349 100644 --- a/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb +++ b/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb @@ -2,6 +2,8 @@ SUMMARY = "QEMU wrapper script" LICENSE = "MIT" LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +S = "${WORKDIR}" + inherit qemu do_install () { @@ -9,7 +11,7 @@ do_install () { echo "#!/bin/sh" > ${D}${bindir_crossscripts}/qemuwrapper qemu_binary=${@qemu_target_binary(d)} - qemu_options='${@d.getVar("QEMU_OPTIONS_%s" % d.getVar('PACKAGE_ARCH', True), True) or d.getVar('QEMU_OPTIONS', True) or ""}' + qemu_options='${QEMU_OPTIONS}' echo "$qemu_binary $qemu_options \"\$@\"" >> ${D}${bindir_crossscripts}/qemuwrapper fallback_qemu_bin= case $qemu_binary in -- cgit v1.2.3-54-g00ecf
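Review bot: The replacement `qemu_options='${QEMU_OPTIONS}'` no longer consults `QEMU_OPTIONS_${PACKAGE_ARCH}`, which the removed line tried first, so per-architecture options set that way silently disappear from the generated wrapper unless qemu.bbclass (inherited here, not part of this diff) now folds them into `QEMU_OPTIONS`; the commit message should say which it is. Because the value is expanded into the shell function at parse time inside single quotes, a `QEMU_OPTIONS` containing a `'` would break the generated script, as it also would have with the old line; a comment such as `# QEMU_OPTIONS is inlined at parse time and must not contain single quotes` above the assignment would document that constraint. do_install() continues past the end of the hunk.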