From d3d0c7af34b996b4518b26d4f3b4eff831a651af Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Wed, 27 Apr 2016 11:48:16 +0200
Subject: qemu: Upgrade 2.1.0 to 2.4.0 to address some CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The upgrade addresses following CVEs: CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 CVE-2015-8504 CVE-2016-1568 CVE-2016-2197 CVE-2016-2198
Signed-off-by: Sona Sarmadi
Signed-off-by: Nora Björklund
---
.../qemu/qemu/smc91c111_fix2.patch | 46 ++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
(limited to 'meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch')
diff --git a/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
new file mode 100644
index 0000000000..018aed5f80
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/smc91c111_fix2.patch
@@ -0,0 +1,46 @@
+From: Peter Crosthwaite
+X-Google-Original-From: Peter Crosthwaite
+To: qemu-devel@nongnu.org
+Cc: peter.maydell@linaro.org, richard.purdie@linuxfoundation.org
+Subject: [RFT PATCH v1 2/3] net: smc91c111: gate can_receive() on rx FIFO
+ having a slot
+Date: Thu, 10 Sep 2015 21:23:57 -0700
+
+Return false from can_receive() when the FIFO doesn't have a free RX
+slot. This fixes a bug in the current code where the allocated buffer
+is freed before the fifo pop, triggering a premature flush of queued RX
+packets. It also will handle a corner case, where the guest manually
+frees the allocated buffer before popping the rx FIFO (hence it is not
+enough to just delay the flush_queued_packets()).
+
+Reported-by: Richard Purdie
+Signed-off-by: Peter Crosthwaite
+
+Upstream-Status: Submitted
+---
+
+ hw/net/smc91c111.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Index: qemu-2.4.0/hw/net/smc91c111.c
+===================================================================
+--- qemu-2.4.0.orig/hw/net/smc91c111.c
++++ qemu-2.4.0/hw/net/smc91c111.c
+@@ -129,7 +129,8 @@ static int smc91c111_can_receive(smc91c1
+ if ((s->rcr & RCR_RXEN) == 0 || (s->rcr & RCR_SOFT_RST)) {
+ return 1;
+ }
+- if (s->allocated == (1 << NUM_PACKETS) - 1) {
++ if (s->allocated == (1 << NUM_PACKETS) - 1 ||
++ s->rx_fifo_len == NUM_PACKETS) {
+ return 0;
+ }
+ return 1;
+@@ -182,6 +183,7 @@ static void smc91c111_pop_rx_fifo(smc91c
+ } else {
+ s->int_level &= ~INT_RCV;
+ }
++ smc91c111_flush_queued_packets(s);
+ smc91c111_update(s);
+ }
+
-- cgit v1.2.3-54-g00ecf
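Review bot: The FIFO-full gate added to smc91c111_can_receive() is an exact-equality test, and the branch directly above it still returns 1 without consulting rx_fifo_len when RX is disabled or the device is in soft reset, so the bound is enforced on only one path. If rx_fifo_len is used as an index into a NUM_PACKETS-sized array in the receive path (not visible in this hunk), the safer form is `s->rx_fifo_len >= NUM_PACKETS`, and the receive function should drop the frame on a full FIFO itself instead of relying on can_receive(), which is only advisory. Separately, the carried patch is an RFT v1 marked `Upstream-Status: Submitted`, while the outer commit is presented as a CVE-fixing upgrade. It would help to say in the patch header which issue, if any, it addresses, and to switch the tag to the merged upstream commit once one exists. Both function bodies start and end outside the inner hunks.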