From a56d7e90eef4f1a16378dd9c9f47dfa70a9502d1 Mon Sep 17 00:00:00 2001 From: Cristian Iorga Date: Wed, 12 Aug 2015 17:48:31 +0300 Subject: qemu: upgrade to 2.4.0 All CVE patches removed, included in release. (From OE-Core rev: 3b57ca0ad44e66a1ecd39c410f63d99705c56b1e) Signed-off-by: Cristian Iorga Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- ...e-fields-should-be-readonly-CVE-2015-4106.patch | 137 --------------------- 1 file changed, 137 deletions(-) delete mode 100644 meta/recipes-devtools/qemu/qemu/11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch (limited to 'meta/recipes-devtools/qemu/qemu/11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch') diff --git a/meta/recipes-devtools/qemu/qemu/11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch b/meta/recipes-devtools/qemu/qemu/11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch deleted file mode 100644 index 5bfcf5e166..0000000000 --- a/meta/recipes-devtools/qemu/qemu/11-xen-pt-unknown-PCI-config-space-fields-should-be-readonly-CVE-2015-4106.patch +++ /dev/null @@ -1,137 +0,0 @@ -Upstream-Status: Backport - -Signed-off-by: Kai Kang - -From c25bbf1545a53ac051f9e51d4140e397660c10ae Mon Sep 17 00:00:00 2001 -From: Jan Beulich -Date: Tue, 2 Jun 2015 15:07:01 +0000 -Subject: xen/pt: unknown PCI config space fields should be read-only -Bug-Debian: http://bugs.debian.org/787547 - -... by default. Add a per-device "permissive" mode similar to pciback's -to allow restoring previous behavior (and hence break security again, -i.e. should be used only for trusted guests). - -This is part of XSA-131. - -Signed-off-by: Jan Beulich -Acked-by: Stefano Stabellini -Reviewed-by: Anthony PERARD ) ---- - hw/xen/xen_pt.c | 32 +++++++++++++++++++++++++++++--- - hw/xen/xen_pt.h | 2 ++ - hw/xen/xen_pt_config_init.c | 4 ++++ - 3 files changed, 35 insertions(+), 3 deletions(-) - -diff --git a/hw/xen/xen_pt.c b/hw/xen/xen_pt.c -index 8923582..9afcda8 100644 ---- a/hw/xen/xen_pt.c -+++ b/hw/xen/xen_pt.c -@@ -239,6 +239,7 @@ static void xen_pt_pci_write_config(PCIDevice *d, uint32_t addr, - XenPTReg *reg_entry = NULL; - uint32_t find_addr = addr; - XenPTRegInfo *reg = NULL; -+ bool wp_flag = false; - - if (xen_pt_pci_config_access_check(d, addr, len)) { - return; -@@ -278,6 +279,10 @@ static void xen_pt_pci_write_config(PCIDevice *d, uint32_t addr, - - /* pass directly to the real device for passthrough type register group */ - if (reg_grp_entry == NULL) { -+ if (!s->permissive) { -+ wb_mask = 0; -+ wp_flag = true; -+ } - goto out; - } - -@@ -298,12 +303,15 @@ static void xen_pt_pci_write_config(PCIDevice *d, uint32_t addr, - uint32_t real_offset = reg_grp_entry->base_offset + reg->offset; - uint32_t valid_mask = 0xFFFFFFFF >> ((4 - emul_len) << 3); - uint8_t *ptr_val = NULL; -+ uint32_t wp_mask = reg->emu_mask | reg->ro_mask; - - valid_mask <<= (find_addr - real_offset) << 3; - ptr_val = (uint8_t *)&val + (real_offset & 3); -- if (reg->emu_mask == (0xFFFFFFFF >> ((4 - reg->size) << 3))) { -- wb_mask &= ~((reg->emu_mask -- >> ((find_addr - real_offset) << 3)) -+ if (!s->permissive) { -+ wp_mask |= reg->res_mask; -+ } -+ if (wp_mask == (0xFFFFFFFF >> ((4 - reg->size) << 3))) { -+ wb_mask &= ~((wp_mask >> ((find_addr - real_offset) << 3)) - << ((len - emul_len) << 3)); - } - -@@ -347,6 +355,16 @@ static void xen_pt_pci_write_config(PCIDevice *d, uint32_t addr, - } else { - /* nothing to do with passthrough type register, - * continue to find next byte */ -+ if (!s->permissive) { -+ wb_mask &= ~(0xff << ((len - emul_len) << 3)); -+ /* Unused BARs will make it here, but we don't want to issue -+ * warnings for writes to them (bogus writes get dealt with -+ * above). -+ */ -+ if (index < 0) { -+ wp_flag = true; -+ } -+ } - emul_len--; - find_addr++; - } -@@ -358,6 +376,13 @@ static void xen_pt_pci_write_config(PCIDevice *d, uint32_t addr, - memory_region_transaction_commit(); - - out: -+ if (wp_flag && !s->permissive_warned) { -+ s->permissive_warned = true; -+ xen_pt_log(d, "Write-back to unknown field 0x%02x (partially) inhibited (0x%0*x)\n", -+ addr, len * 2, wb_mask); -+ xen_pt_log(d, "If the device doesn't work, try enabling permissive mode\n"); -+ xen_pt_log(d, "(unsafe) and if it helps report the problem to xen-devel\n"); -+ } - for (index = 0; wb_mask; index += len) { - /* unknown regs are passed through */ - while (!(wb_mask & 0xff)) { -@@ -824,6 +849,7 @@ static void xen_pt_unregister_device(PCIDevice *d) - - static Property xen_pci_passthrough_properties[] = { - DEFINE_PROP_PCI_HOST_DEVADDR("hostaddr", XenPCIPassthroughState, hostaddr), -+ DEFINE_PROP_BOOL("permissive", XenPCIPassthroughState, permissive, false), - DEFINE_PROP_END_OF_LIST(), - }; - -diff --git a/hw/xen/xen_pt.h b/hw/xen/xen_pt.h -index f9795eb..4bba559 100644 ---- a/hw/xen/xen_pt.h -+++ b/hw/xen/xen_pt.h -@@ -197,6 +197,8 @@ struct XenPCIPassthroughState { - - PCIHostDeviceAddress hostaddr; - bool is_virtfn; -+ bool permissive; -+ bool permissive_warned; - XenHostPCIDevice real_device; - XenPTRegion bases[PCI_NUM_REGIONS]; /* Access regions */ - QLIST_HEAD(, XenPTRegGroup) reg_grps; -diff --git a/hw/xen/xen_pt_config_init.c b/hw/xen/xen_pt_config_init.c -index 19f926b..f3cf069 100644 ---- a/hw/xen/xen_pt_config_init.c -+++ b/hw/xen/xen_pt_config_init.c -@@ -101,6 +101,10 @@ static uint32_t get_throughable_mask(const XenPCIPassthroughState *s, - { - uint32_t throughable_mask = ~(reg->emu_mask | reg->ro_mask); - -+ if (!s->permissive) { -+ throughable_mask &= ~reg->res_mask; -+ } -+ - return throughable_mask & valid_mask; - } - --- -2.1.4 - -- cgit v1.2.3-54-g00ecf