From 17a9a734122e446bd2708a4273af1fe4eacb87ae Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 10 May 2017 14:17:34 +0200
Subject: qemu: upgrade to 2.7.0
This upgrade can fix a qemuppc + openssh bug, the ssh connection maybe refused or closed randomly, and it's not easy to reproduce. RP pointed that this upgrade can fix the problem, and it does work in my local testing. * Update add-ptest-in-makefile.patch Here is the Changlog: http://wiki.qemu.org/ChangeLog/2.7 (From OE-Core rev: 056ce17e168bf856ff95a6f659098403169cb889)
Signed-off-by: Robert Yang
Signed-off-by: Richard Purdie
Signed-off-by: Sona Sarmadi
Signed-off-by: Adrian Dudau
---
.../recipes-devtools/qemu/qemu/CVE-2016-4441.patch | 78 ----------------------
1 file changed, 78 deletions(-)
delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
(limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch')
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
deleted file mode 100644
index 3cbe394bfd..0000000000
--- a/meta/recipes-devtools/qemu/qemu/CVE-2016-4441.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 6c1fef6b59563cc415f21e03f81539ed4b33ad90 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit
-Date: Thu, 19 May 2016 16:09:31 +0530
-Subject: [PATCH] esp: check dma length before reading scsi command(CVE-2016-4441)
-
-The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
-FIFO buffer. It is used to handle command and data transfer.
-Routine get_cmd() uses DMA to read scsi commands into this buffer.
-Add check to validate DMA length against buffer size to avoid any
-overrun.
-
-Fixes CVE-2016-4441.
-
-Upstream-Status: Backport
-
-Reported-by: Li Qiang
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Prasad J Pandit
-Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
-Signed-off-by: Paolo Bonzini
-Signed-off-by: Adrian Dudau
----
- hw/scsi/esp.c | 11 +++++++----
- 1 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 01497e6..591c817 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
- }
- }
-
--static uint32_t get_cmd(ESPState *s, uint8_t *buf)
-+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
- {
- uint32_t dmalen;
- int target;
-@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
- dmalen = s->rregs[ESP_TCLO];
- dmalen |= s->rregs[ESP_TCMID] << 8;
- dmalen |= s->rregs[ESP_TCHI] << 16;
-+ if (dmalen > buflen) {
-+ return 0;
-+ }
- s->dma_memory_read(s->dma_opaque, buf, dmalen);
- } else {
- dmalen = s->ti_size;
-@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
- s->dma_cb = handle_satn;
- return;
- }
-- len = get_cmd(s, buf);
-+ len = get_cmd(s, buf, sizeof(buf));
- if (len)
- do_cmd(s, buf);
- }
-@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
- s->dma_cb = handle_s_without_atn;
- return;
- }
-- len = get_cmd(s, buf);
-+ len = get_cmd(s, buf, sizeof(buf));
- if (len) {
- do_busid_cmd(s, buf, 0);
- }
-@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
- s->dma_cb = handle_satn_stop;
- return;
- }
-- s->cmdlen = get_cmd(s, s->cmdbuf);
-+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
- if (s->cmdlen) {
- trace_esp_handle_satn_stop(s->cmdlen);
- s->do_cmd = 1;
---
-1.7.0.4
-
-- cgit v1.2.3-54-g00ecf