From 4e1e733e06b88a6d8344100c0229c371f00425f7 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Tue, 29 Oct 2019 10:47:32 +0100 Subject: qemu: update to 3.1.1.1 bug fix only update. Drop patches included in update. For full set of changes, see: https://git.qemu.org/?p=qemu.git;a=shortlog;h=refs/tags/v3.1.1.1 (From OE-Core rev: 14f04e6b6c1fa40a1c39cd186627b4b8442f2d5e) Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- .../qemu/qemu/0019-fix-CVE-2018-20216.patch | 85 ---------------------- 1 file changed, 85 deletions(-) delete mode 100644 meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch (limited to 'meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch') diff --git a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch b/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch deleted file mode 100644 index c02bad3bb9..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0019-fix-CVE-2018-20216.patch +++ /dev/null @@ -1,85 +0,0 @@ -CVE: CVE-2018-20216 -Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f1e2e38] - -Signed-off-by: Kai Kang - -From f1e2e38ee0136b7710a2caa347049818afd57a1b Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 13 Dec 2018 01:00:39 +0530 -Subject: [PATCH] pvrdma: check return value from pvrdma_idx_ring_has_ routines - -pvrdma_idx_ring_has_[data/space] routines also return invalid -index PVRDMA_INVALID_IDX[=-1], if ring has no data/space. Check -return value from these routines to avoid plausible infinite loops. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Reviewed-by: Yuval Shaia -Signed-off-by: Marcel Apfelbaum ---- - hw/rdma/vmw/pvrdma_dev_ring.c | 29 +++++++++++------------------ - 1 file changed, 11 insertions(+), 18 deletions(-) - -diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c -index 01247fc041..e8e5b502f6 100644 ---- a/hw/rdma/vmw/pvrdma_dev_ring.c -+++ b/hw/rdma/vmw/pvrdma_dev_ring.c -@@ -73,23 +73,16 @@ out: - - void *pvrdma_ring_next_elem_read(PvrdmaRing *ring) - { -+ int e; - unsigned int idx = 0, offset; - -- /* -- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail, -- ring->ring_state->cons_head); -- */ -- -- if (!pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx)) { -+ e = pvrdma_idx_ring_has_data(ring->ring_state, ring->max_elems, &idx); -+ if (e <= 0) { - pr_dbg("No more data in ring\n"); - return NULL; - } - - offset = idx * ring->elem_sz; -- /* -- pr_dbg("idx=%d\n", idx); -- pr_dbg("offset=%d\n", offset); -- */ - return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE); - } - -@@ -105,20 +98,20 @@ void pvrdma_ring_read_inc(PvrdmaRing *ring) - - void *pvrdma_ring_next_elem_write(PvrdmaRing *ring) - { -- unsigned int idx, offset, tail; -+ int idx; -+ unsigned int offset, tail; - -- /* -- pr_dbg("%s: t=%d, h=%d\n", ring->name, ring->ring_state->prod_tail, -- ring->ring_state->cons_head); -- */ -- -- if (!pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail)) { -+ idx = pvrdma_idx_ring_has_space(ring->ring_state, ring->max_elems, &tail); -+ if (idx <= 0) { - pr_dbg("CQ is full\n"); - return NULL; - } - - idx = pvrdma_idx(&ring->ring_state->prod_tail, ring->max_elems); -- /* TODO: tail == idx */ -+ if (idx < 0 || tail != idx) { -+ pr_dbg("invalid idx\n"); -+ return NULL; -+ } - - offset = idx * ring->elem_sz; - return ring->pages[offset / TARGET_PAGE_SIZE] + (offset % TARGET_PAGE_SIZE); --- -2.20.1 - -- cgit v1.2.3-54-g00ecf