qemu: Security fix CVE-2016-2858

(From OE-Core rev: 48909052e7b19ba108ee7813c1efdbed0c2e06ab) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-28 11:23:31 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-04-29 07:41:44 +0100
commit: 90f204043b646be0a6d5001e147735978d156d5c (patch)
tree: 40ea6d8265e3e26df4a80ed736fc32a85c38cdef
parent: dbdf9bfe206a0260984d5240537e875491aa2429 (diff)
download: poky-90f204043b646be0a6d5001e147735978d156d5c.tar.gz
5 files changed, 576 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
new file mode 100644
index 0000000000..d5395e6152
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
@@ -0,0 +1,183 @@
+From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:18 +0100
+Subject: [PATCH] rng: add request queue support to rng-random
+Requests are now created in the RngBackend parent class and the
+code path is shared by both rng-egd and rng-random.
+This commit fixes the rng-random implementation which processed
+only one request at a time and simply discarded all but the most
+recent one. In the guest this manifested as delayed completion
+of reads from virtio-rng, i.e. a read was completed only after
+another read was issued.
+By switching rng-random to use the same request queue as rng-egd,
+the unsafe stack-based allocation of the entropy buffer is
+eliminated and replaced with g_malloc.
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Upstream-Status: Backport
+CVE: CVE-2016-2858
+http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ backends/rng-egd.c    | 16 ++--------------
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------
+ backends/rng.c        | 13 ++++++++++++-
+ include/sysemu/rng.h  |  3 +--
+ 4 files changed, 34 insertions(+), 41 deletions(-)
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
+++ qemu-2.5.0/backends/rng-egd.c
+@@ -26,20 +26,10 @@ typedef struct RngEgd
+     char *chr_name;
+ } RngEgd;
+ 
+-static void rng_egd_request_entropy(RngBackend *b, size_t size,
+-                                    EntropyReceiveFunc *receive_entropy,
+-                                    void *opaque)
+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
+ {
+     RngEgd *s = RNG_EGD(b);
+-    RngRequest *req;
+-
+-    req = g_malloc(sizeof(*req));
+-
+-    req->offset = 0;
+-    req->size = size;
+-    req->receive_entropy = receive_entropy;
+-    req->opaque = opaque;
+-    req->data = g_malloc(req->size);
+    size_t size = req->size;
+ 
+     while (size > 0) {
+         uint8_t header[2];
+@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngB
+ 
+         size -= len;
+     }
+-
+-    s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+ static int rng_egd_chr_can_read(void *opaque)
+Index: qemu-2.5.0/backends/rng-random.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-random.c
+++ qemu-2.5.0/backends/rng-random.c
+@@ -21,10 +21,6 @@ struct RndRandom
+ 
+     int fd;
+     char *filename;
+-
+-    EntropyReceiveFunc *receive_func;
+-    void *opaque;
+-    size_t size;
+ };
+ 
+ /**
+@@ -37,36 +33,35 @@ struct RndRandom
+ static void entropy_available(void *opaque)
+ {
+     RndRandom *s = RNG_RANDOM(opaque);
+-    uint8_t buffer[s->size];
+-    ssize_t len;
+ 
+-    len = read(s->fd, buffer, s->size);
+-    if (len < 0 && errno == EAGAIN) {
+-        return;
+-    }
+-    g_assert(len != -1);
+    while (s->parent.requests != NULL) {
+        RngRequest *req = s->parent.requests->data;
+        ssize_t len;
+
+        len = read(s->fd, req->data, req->size);
+        if (len < 0 && errno == EAGAIN) {
+            return;
+        }
+        g_assert(len != -1);
+
+        req->receive_entropy(req->opaque, req->data, len);
+ 
+-    s->receive_func(s->opaque, buffer, len);
+-    s->receive_func = NULL;
+        rng_backend_finalize_request(&s->parent, req);
+    }
+ 
+    /* We've drained all requests, the fd handler can be reset. */
+     qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
+ }
+ 
+-static void rng_random_request_entropy(RngBackend *b, size_t size,
+-                                        EntropyReceiveFunc *receive_entropy,
+-                                        void *opaque)
+static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
+ {
+     RndRandom *s = RNG_RANDOM(b);
+ 
+-    if (s->receive_func) {
+-        s->receive_func(s->opaque, NULL, 0);
+    if (s->parent.requests == NULL) {
+        /* If there are no pending requests yet, we need to
+         * install our fd handler. */
+        qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+     }
+-
+-    s->receive_func = receive_entropy;
+-    s->opaque = opaque;
+-    s->size = size;
+-
+-    qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+ 
+ static void rng_random_opened(RngBackend *b, Error **errp)
+Index: qemu-2.5.0/backends/rng.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng.c
+++ qemu-2.5.0/backends/rng.c
+@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBack
+                                  void *opaque)
+ {
+     RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
+    RngRequest *req;
+ 
+     if (k->request_entropy) {
+-        k->request_entropy(s, size, receive_entropy, opaque);
+        req = g_malloc(sizeof(*req));
+
+        req->offset = 0;
+        req->size = size;
+        req->receive_entropy = receive_entropy;
+        req->opaque = opaque;
+        req->data = g_malloc(req->size);
+
+        k->request_entropy(s, req);
+
+        s->requests = g_slist_append(s->requests, req);
+     }
+ }
+ 
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
+++ qemu-2.5.0/include/sysemu/rng.h
+@@ -46,8 +46,7 @@ struct RngBackendClass
+ {
+     ObjectClass parent_class;
+ 
+-    void (*request_entropy)(RngBackend *s, size_t size,
+-                            EntropyReceiveFunc *receive_entropy, void *opaque);
+    void (*request_entropy)(RngBackend *s, RngRequest *req);
+ 
+     void (*opened)(RngBackend *s, Error **errp);
+ };
diff --git a/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
new file mode 100644
index 0000000000..01928f91e8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
@@ -0,0 +1,138 @@
+From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:16 +0100
+Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
+The 'requests' field now lives in the RngBackend parent class.
+There are no functional changes in this commit.
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Upstream-Status: Backport
+in support of CVE-2016-2858
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ backends/rng-egd.c   | 28 +++++++++-------------------
+ include/sysemu/rng.h | 11 +++++++++++
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
+++ qemu-2.5.0/backends/rng-egd.c
+@@ -24,19 +24,8 @@ typedef struct RngEgd
+ 
+     CharDriverState *chr;
+     char *chr_name;
+-
+-    GSList *requests;
+ } RngEgd;
+ 
+-typedef struct RngRequest
+-{
+-    EntropyReceiveFunc *receive_entropy;
+-    uint8_t *data;
+-    void *opaque;
+-    size_t offset;
+-    size_t size;
+-} RngRequest;
+-
+ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+                                     EntropyReceiveFunc *receive_entropy,
+                                     void *opaque)
+@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngB
+         size -= len;
+     }
+ 
+-    s->requests = g_slist_append(s->requests, req);
+    s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+ static void rng_egd_free_request(RngRequest *req)
+@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *op
+     GSList *i;
+     int size = 0;
+ 
+-    for (i = s->requests; i; i = i->next) {
+    for (i = s->parent.requests; i; i = i->next) {
+         RngRequest *req = i->data;
+         size += req->size - req->offset;
+     }
+@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaqu
+     RngEgd *s = RNG_EGD(opaque);
+     size_t buf_offset = 0;
+ 
+-    while (size > 0 && s->requests) {
+-        RngRequest *req = s->requests->data;
+    while (size > 0 && s->parent.requests) {
+        RngRequest *req = s->parent.requests->data;
+         int len = MIN(size, req->size - req->offset);
+ 
+         memcpy(req->data + req->offset, buf + buf_offset, len);
+@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaqu
+         size -= len;
+ 
+         if (req->offset == req->size) {
+-            s->requests = g_slist_remove_link(s->requests, s->requests);
+            s->parent.requests = g_slist_remove_link(s->parent.requests,
+                                                     s->parent.requests);
+ 
+             req->receive_entropy(req->opaque, req->data, req->size);
+ 
+@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd
+ {
+     GSList *i;
+ 
+-    for (i = s->requests; i; i = i->next) {
+    for (i = s->parent.requests; i; i = i->next) {
+         rng_egd_free_request(i->data);
+     }
+ 
+-    g_slist_free(s->requests);
+-    s->requests = NULL;
+    g_slist_free(s->parent.requests);
+    s->parent.requests = NULL;
+ }
+ 
+ static void rng_egd_cancel_requests(RngBackend *b)
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
+++ qemu-2.5.0/include/sysemu/rng.h
+@@ -25,6 +25,7 @@
+ #define RNG_BACKEND_CLASS(klass) \
+     OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
+ 
+typedef struct RngRequest RngRequest;
+ typedef struct RngBackendClass RngBackendClass;
+ typedef struct RngBackend RngBackend;
+ 
+@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *
+                                   const void *data,
+                                   size_t size);
+ 
+struct RngRequest
+{
+    EntropyReceiveFunc *receive_entropy;
+    uint8_t *data;
+    void *opaque;
+    size_t offset;
+    size_t size;
+};
+
+ struct RngBackendClass
+ {
+     ObjectClass parent_class;
+@@ -49,6 +59,7 @@ struct RngBackend
+ 
+     /*< protected >*/
+     bool opened;
+    GSList *requests;
+ };
+ 
+ /**
diff --git a/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch b/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
new file mode 100644
index 0000000000..afe8bf66cf
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
@@ -0,0 +1,150 @@
+From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:17 +0100
+Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
+RngBackend is now in charge of cleaning up the linked list on
+instance finalization. It also exposes a function to finalize
+individual RngRequest instances, called by its child classes.
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Upstream-Status: Backport
+in support of CVE-2016-2858
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ backends/rng-egd.c   | 25 +------------------------
+ backends/rng.c       | 32 ++++++++++++++++++++++++++++++++
+ include/sysemu/rng.h | 12 ++++++++++++
+ 3 files changed, 45 insertions(+), 24 deletions(-)
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
+++ qemu-2.5.0/backends/rng-egd.c
+@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngB
+     s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+-static void rng_egd_free_request(RngRequest *req)
+-{
+-    g_free(req->data);
+-    g_free(req);
+-}
+-
+ static int rng_egd_chr_can_read(void *opaque)
+ {
+     RngEgd *s = RNG_EGD(opaque);
+@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaqu
+         size -= len;
+ 
+         if (req->offset == req->size) {
+-            s->parent.requests = g_slist_remove_link(s->parent.requests,
+-                                                     s->parent.requests);
+ 
+             req->receive_entropy(req->opaque, req->data, req->size);
+-
+-            rng_egd_free_request(req);
+            rng_backend_finalize_request(&s->parent, req);
+         }
+     }
+ }
+ 
+-static void rng_egd_free_requests(RngEgd *s)
+-{
+-    GSList *i;
+-
+-    for (i = s->parent.requests; i; i = i->next) {
+-        rng_egd_free_request(i->data);
+-    }
+-
+-    g_slist_free(s->parent.requests);
+-    s->parent.requests = NULL;
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+     RngEgd *s = RNG_EGD(b);
+@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj
+     }
+ 
+     g_free(s->chr_name);
+-
+-    rng_egd_free_requests(s);
+ }
+ 
+ static void rng_egd_class_init(ObjectClass *klass, void *data)
+Index: qemu-2.5.0/backends/rng.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng.c
+++ qemu-2.5.0/backends/rng.c
+@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(
+     s->opened = true;
+ }
+ 
+static void rng_backend_free_request(RngRequest *req)
+{
+    g_free(req->data);
+    g_free(req);
+}
+
+static void rng_backend_free_requests(RngBackend *s)
+{
+    GSList *i;
+
+    for (i = s->requests; i; i = i->next) {
+        rng_backend_free_request(i->data);
+    }
+
+    g_slist_free(s->requests);
+    s->requests = NULL;
+}
+
+void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
+{
+    s->requests = g_slist_remove(s->requests, req);
+    rng_backend_free_request(req);
+}
+
+ static void rng_backend_init(Object *obj)
+ {
+     object_property_add_bool(obj, "opened",
+@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj
+                              NULL);
+ }
+ 
+static void rng_backend_finalize(Object *obj)
+{
+    RngBackend *s = RNG_BACKEND(obj);
+
+    rng_backend_free_requests(s);
+}
+
+ static void rng_backend_class_init(ObjectClass *oc, void *data)
+ {
+     UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info =
+     .parent = TYPE_OBJECT,
+     .instance_size = sizeof(RngBackend),
+     .instance_init = rng_backend_init,
+    .instance_finalize = rng_backend_finalize,
+     .class_size = sizeof(RngBackendClass),
+     .class_init = rng_backend_class_init,
+     .abstract = true,
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
+++ qemu-2.5.0/include/sysemu/rng.h
+@@ -61,6 +61,7 @@ struct RngBackend
+     GSList *requests;
+ };
+ 
+
+ /**
+  * rng_backend_request_entropy:
+  * @s: the backend to request entropy from
diff --git a/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch b/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
new file mode 100644
index 0000000000..51296bcac8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
@@ -0,0 +1,101 @@
+From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:15 +0100
+Subject: [PATCH] rng: remove the unused request cancellation code
+rng_backend_cancel_requests had no callers and none of the code
+deleted in this commit ever ran.
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+Upstream-Status: Backport
+in support of CVE-2016-2858
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ backends/rng-egd.c   | 12 ------------
+ backends/rng.c       |  9 ---------
+ include/sysemu/rng.h | 11 -----------
+ 3 files changed, 32 deletions(-)
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
+++ qemu-2.5.0/backends/rng-egd.c
+@@ -114,17 +114,6 @@ static void rng_egd_free_requests(RngEgd
+     s->parent.requests = NULL;
+ }
+ 
+-static void rng_egd_cancel_requests(RngBackend *b)
+-{
+-    RngEgd *s = RNG_EGD(b);
+-
+-    /* We simply delete the list of pending requests.  If there is data in the 
+-     * queue waiting to be read, this is okay, because there will always be
+-     * more data than we requested originally
+-     */
+-    rng_egd_free_requests(s);
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+     RngEgd *s = RNG_EGD(b);
+@@ -202,7 +191,6 @@ static void rng_egd_class_init(ObjectCla
+     RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
+ 
+     rbc->request_entropy = rng_egd_request_entropy;
+-    rbc->cancel_requests = rng_egd_cancel_requests;
+     rbc->opened = rng_egd_opened;
+ }
+ 
+Index: qemu-2.5.0/backends/rng.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng.c
+++ qemu-2.5.0/backends/rng.c
+@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBack
+     }
+ }
+ 
+-void rng_backend_cancel_requests(RngBackend *s)
+-{
+-    RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
+-
+-    if (k->cancel_requests) {
+-        k->cancel_requests(s);
+-    }
+-}
+-
+ static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
+ {
+     RngBackend *s = RNG_BACKEND(obj);
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
+++ qemu-2.5.0/include/sysemu/rng.h
+@@ -48,7 +48,6 @@ struct RngBackendClass
+ 
+     void (*request_entropy)(RngBackend *s, size_t size,
+                             EntropyReceiveFunc *receive_entropy, void *opaque);
+-    void (*cancel_requests)(RngBackend *s);
+ 
+     void (*opened)(RngBackend *s, Error **errp);
+ };
+@@ -80,14 +79,4 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+                                  EntropyReceiveFunc *receive_entropy,
+                                  void *opaque);
+-
+-/**
+- * rng_backend_cancel_requests:
+- * @s: the backend to cancel all pending requests in
+- *
+- * Cancels all pending requests submitted by @rng_backend_request_entropy.  This
+- * should be used by a device during reset or in preparation for live migration
+- * to stop tracking any request.
+- */
+-void rng_backend_cancel_requests(RngBackend *s);
+ #endif
diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
index 76223869b0..03a6cbe331 100644
--- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb
+++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -12,6 +12,10 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
            file://CVE-2016-2198.patch \
            file://pathlimit.patch \
            file://CVE-2016-2857.patch \
+            file://rng_move_request_from_RngEgd_to_RngBackend.patch \
+            file://rng_remove_the_unused_request_cancellation_code.patch \
+            file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
+            file://CVE-2016-2858.patch \
           "
 SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
 SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"
author	Armin Kuster <akuster@mvista.com>	2016-04-28 11:23:31 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-04-29 07:41:44 +0100
commit	90f204043b646be0a6d5001e147735978d156d5c (patch)
tree	40ea6d8265e3e26df4a80ed736fc32a85c38cdef
parent	dbdf9bfe206a0260984d5240537e875491aa2429 (diff)
download	poky-90f204043b646be0a6d5001e147735978d156d5c.tar.gz

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch new file mode 100644 index 0000000000..d5395e6152 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch
@@ -0,0 +1,183 @@
		1	From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
		2	From: Ladi Prosek <lprosek@redhat.com>
		3	Date: Thu, 3 Mar 2016 09:37:18 +0100
		4	Subject: [PATCH] rng: add request queue support to rng-random
		5
		6	Requests are now created in the RngBackend parent class and the
		7	code path is shared by both rng-egd and rng-random.
		8
		9	This commit fixes the rng-random implementation which processed
		10	only one request at a time and simply discarded all but the most
		11	recent one. In the guest this manifested as delayed completion
		12	of reads from virtio-rng, i.e. a read was completed only after
		13	another read was issued.
		14
		15	By switching rng-random to use the same request queue as rng-egd,
		16	the unsafe stack-based allocation of the entropy buffer is
		17	eliminated and replaced with g_malloc.
		18
		19	Signed-off-by: Ladi Prosek <lprosek@redhat.com>
		20	Reviewed-by: Amit Shah <amit.shah@redhat.com>
		21	Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com>
		22	Signed-off-by: Amit Shah <amit.shah@redhat.com>
		23
		24	Upstream-Status: Backport
		25	CVE: CVE-2016-2858
		26
		27	http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475
		28	Signed-off-by: Armin Kuster <akuster@mvista.com>
		29
		30	---
		31	backends/rng-egd.c \| 16 ++--------------
		32	backends/rng-random.c \| 43 +++++++++++++++++++------------------------
		33	backends/rng.c \| 13 ++++++++++++-
		34	include/sysemu/rng.h \| 3 +--
		35	4 files changed, 34 insertions(+), 41 deletions(-)
		36
		37	Index: qemu-2.5.0/backends/rng-egd.c
		38	===================================================================
		39	--- qemu-2.5.0.orig/backends/rng-egd.c
		40	+++ qemu-2.5.0/backends/rng-egd.c
		41	@@ -26,20 +26,10 @@ typedef struct RngEgd
		42	char *chr_name;
		43	} RngEgd;
		44
		45	-static void rng_egd_request_entropy(RngBackend *b, size_t size,
		46	- EntropyReceiveFunc *receive_entropy,
		47	- void *opaque)
		48	+static void rng_egd_request_entropy(RngBackend b, RngRequest req)
		49	{
		50	RngEgd *s = RNG_EGD(b);
		51	- RngRequest *req;
		52	-
		53	- req = g_malloc(sizeof(*req));
		54	-
		55	- req->offset = 0;
		56	- req->size = size;
		57	- req->receive_entropy = receive_entropy;
		58	- req->opaque = opaque;
		59	- req->data = g_malloc(req->size);
		60	+ size_t size = req->size;
		61
		62	while (size > 0) {
		63	uint8_t header[2];
		64	@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngB
		65
		66	size -= len;
		67	}
		68	-
		69	- s->parent.requests = g_slist_append(s->parent.requests, req);
		70	}
		71
		72	static int rng_egd_chr_can_read(void *opaque)
		73	Index: qemu-2.5.0/backends/rng-random.c
		74	===================================================================
		75	--- qemu-2.5.0.orig/backends/rng-random.c
		76	+++ qemu-2.5.0/backends/rng-random.c
		77	@@ -21,10 +21,6 @@ struct RndRandom
		78
		79	int fd;
		80	char *filename;
		81	-
		82	- EntropyReceiveFunc *receive_func;
		83	- void *opaque;
		84	- size_t size;
		85	};
		86
		87	/**
		88	@@ -37,36 +33,35 @@ struct RndRandom
		89	static void entropy_available(void *opaque)
		90	{
		91	RndRandom *s = RNG_RANDOM(opaque);
		92	- uint8_t buffer[s->size];
		93	- ssize_t len;
		94
		95	- len = read(s->fd, buffer, s->size);
		96	- if (len < 0 && errno == EAGAIN) {
		97	- return;
		98	- }
		99	- g_assert(len != -1);
		100	+ while (s->parent.requests != NULL) {
		101	+ RngRequest *req = s->parent.requests->data;
		102	+ ssize_t len;
		103	+
		104	+ len = read(s->fd, req->data, req->size);
		105	+ if (len < 0 && errno == EAGAIN) {
		106	+ return;
		107	+ }
		108	+ g_assert(len != -1);
		109	+
		110	+ req->receive_entropy(req->opaque, req->data, len);
		111
		112	- s->receive_func(s->opaque, buffer, len);
		113	- s->receive_func = NULL;
		114	+ rng_backend_finalize_request(&s->parent, req);
		115	+ }
		116
		117	+ /* We've drained all requests, the fd handler can be reset. */
		118	qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
		119	}
		120
		121	-static void rng_random_request_entropy(RngBackend *b, size_t size,
		122	- EntropyReceiveFunc *receive_entropy,
		123	- void *opaque)
		124	+static void rng_random_request_entropy(RngBackend b, RngRequest req)
		125	{
		126	RndRandom *s = RNG_RANDOM(b);
		127
		128	- if (s->receive_func) {
		129	- s->receive_func(s->opaque, NULL, 0);
		130	+ if (s->parent.requests == NULL) {
		131	+ /* If there are no pending requests yet, we need to
		132	+ * install our fd handler. */
		133	+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
		134	}
		135	-
		136	- s->receive_func = receive_entropy;
		137	- s->opaque = opaque;
		138	- s->size = size;
		139	-
		140	- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
		141	}
		142
		143	static void rng_random_opened(RngBackend b, Error *errp)
		144	Index: qemu-2.5.0/backends/rng.c
		145	===================================================================
		146	--- qemu-2.5.0.orig/backends/rng.c
		147	+++ qemu-2.5.0/backends/rng.c
		148	@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBack
		149	void *opaque)
		150	{
		151	RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
		152	+ RngRequest *req;
		153
		154	if (k->request_entropy) {
		155	- k->request_entropy(s, size, receive_entropy, opaque);
		156	+ req = g_malloc(sizeof(*req));
		157	+
		158	+ req->offset = 0;
		159	+ req->size = size;
		160	+ req->receive_entropy = receive_entropy;
		161	+ req->opaque = opaque;
		162	+ req->data = g_malloc(req->size);
		163	+
		164	+ k->request_entropy(s, req);
		165	+
		166	+ s->requests = g_slist_append(s->requests, req);
		167	}
		168	}
		169
		170	Index: qemu-2.5.0/include/sysemu/rng.h
		171	===================================================================
		172	--- qemu-2.5.0.orig/include/sysemu/rng.h
		173	+++ qemu-2.5.0/include/sysemu/rng.h
		174	@@ -46,8 +46,7 @@ struct RngBackendClass
		175	{
		176	ObjectClass parent_class;
		177
		178	- void (request_entropy)(RngBackend s, size_t size,
		179	- EntropyReceiveFunc receive_entropy, void opaque);
		180	+ void (request_entropy)(RngBackend s, RngRequest *req);
		181
		182	void (opened)(RngBackend s, Error **errp);
		183	};


diff --git a/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch new file mode 100644 index 0000000000..01928f91e8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
@@ -0,0 +1,138 @@
		1	From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
		2	From: Ladi Prosek <lprosek@redhat.com>
		3	Date: Thu, 3 Mar 2016 09:37:16 +0100
		4	Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
		5
		6	The 'requests' field now lives in the RngBackend parent class.
		7	There are no functional changes in this commit.
		8
		9	Signed-off-by: Ladi Prosek <lprosek@redhat.com>
		10	Reviewed-by: Amit Shah <amit.shah@redhat.com>
		11	Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
		12	Signed-off-by: Amit Shah <amit.shah@redhat.com>
		13
		14	Upstream-Status: Backport
		15	in support of CVE-2016-2858
		16
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	backends/rng-egd.c \| 28 +++++++++-------------------
		21	include/sysemu/rng.h \| 11 +++++++++++
		22	2 files changed, 20 insertions(+), 19 deletions(-)
		23
		24	Index: qemu-2.5.0/backends/rng-egd.c
		25	===================================================================
		26	--- qemu-2.5.0.orig/backends/rng-egd.c
		27	+++ qemu-2.5.0/backends/rng-egd.c
		28	@@ -24,19 +24,8 @@ typedef struct RngEgd
		29
		30	CharDriverState *chr;
		31	char *chr_name;
		32	-
		33	- GSList *requests;
		34	} RngEgd;
		35
		36	-typedef struct RngRequest
		37	-{
		38	- EntropyReceiveFunc *receive_entropy;
		39	- uint8_t *data;
		40	- void *opaque;
		41	- size_t offset;
		42	- size_t size;
		43	-} RngRequest;
		44	-
		45	static void rng_egd_request_entropy(RngBackend *b, size_t size,
		46	EntropyReceiveFunc *receive_entropy,
		47	void *opaque)
		48	@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngB
		49	size -= len;
		50	}
		51
		52	- s->requests = g_slist_append(s->requests, req);
		53	+ s->parent.requests = g_slist_append(s->parent.requests, req);
		54	}
		55
		56	static void rng_egd_free_request(RngRequest *req)
		57	@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *op
		58	GSList *i;
		59	int size = 0;
		60
		61	- for (i = s->requests; i; i = i->next) {
		62	+ for (i = s->parent.requests; i; i = i->next) {
		63	RngRequest *req = i->data;
		64	size += req->size - req->offset;
		65	}
		66	@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaqu
		67	RngEgd *s = RNG_EGD(opaque);
		68	size_t buf_offset = 0;
		69
		70	- while (size > 0 && s->requests) {
		71	- RngRequest *req = s->requests->data;
		72	+ while (size > 0 && s->parent.requests) {
		73	+ RngRequest *req = s->parent.requests->data;
		74	int len = MIN(size, req->size - req->offset);
		75
		76	memcpy(req->data + req->offset, buf + buf_offset, len);
		77	@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaqu
		78	size -= len;
		79
		80	if (req->offset == req->size) {
		81	- s->requests = g_slist_remove_link(s->requests, s->requests);
		82	+ s->parent.requests = g_slist_remove_link(s->parent.requests,
		83	+ s->parent.requests);
		84
		85	req->receive_entropy(req->opaque, req->data, req->size);
		86
		87	@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd
		88	{
		89	GSList *i;
		90
		91	- for (i = s->requests; i; i = i->next) {
		92	+ for (i = s->parent.requests; i; i = i->next) {
		93	rng_egd_free_request(i->data);
		94	}
		95
		96	- g_slist_free(s->requests);
		97	- s->requests = NULL;
		98	+ g_slist_free(s->parent.requests);
		99	+ s->parent.requests = NULL;
		100	}
		101
		102	static void rng_egd_cancel_requests(RngBackend *b)
		103	Index: qemu-2.5.0/include/sysemu/rng.h
		104	===================================================================
		105	--- qemu-2.5.0.orig/include/sysemu/rng.h
		106	+++ qemu-2.5.0/include/sysemu/rng.h
		107	@@ -25,6 +25,7 @@
		108	#define RNG_BACKEND_CLASS(klass) \
		109	OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
		110
		111	+typedef struct RngRequest RngRequest;
		112	typedef struct RngBackendClass RngBackendClass;
		113	typedef struct RngBackend RngBackend;
		114
		115	@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *
		116	const void *data,
		117	size_t size);
		118
		119	+struct RngRequest
		120	+{
		121	+ EntropyReceiveFunc *receive_entropy;
		122	+ uint8_t *data;
		123	+ void *opaque;
		124	+ size_t offset;
		125	+ size_t size;
		126	+};
		127	+
		128	struct RngBackendClass
		129	{
		130	ObjectClass parent_class;
		131	@@ -49,6 +59,7 @@ struct RngBackend
		132
		133	/< protected >/
		134	bool opened;
		135	+ GSList *requests;
		136	};
		137
		138	/**


diff --git a/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch b/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch new file mode 100644 index 0000000000..afe8bf66cf --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch
@@ -0,0 +1,150 @@
		1	From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
		2	From: Ladi Prosek <lprosek@redhat.com>
		3	Date: Thu, 3 Mar 2016 09:37:17 +0100
		4	Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
		5
		6	RngBackend is now in charge of cleaning up the linked list on
		7	instance finalization. It also exposes a function to finalize
		8	individual RngRequest instances, called by its child classes.
		9
		10	Signed-off-by: Ladi Prosek <lprosek@redhat.com>
		11	Reviewed-by: Amit Shah <amit.shah@redhat.com>
		12	Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com>
		13	Signed-off-by: Amit Shah <amit.shah@redhat.com>
		14
		15	Upstream-Status: Backport
		16	in support of CVE-2016-2858
		17
		18	Signed-off-by: Armin Kuster <akuster@mvista.com>
		19
		20	---
		21	backends/rng-egd.c \| 25 +------------------------
		22	backends/rng.c \| 32 ++++++++++++++++++++++++++++++++
		23	include/sysemu/rng.h \| 12 ++++++++++++
		24	3 files changed, 45 insertions(+), 24 deletions(-)
		25
		26	Index: qemu-2.5.0/backends/rng-egd.c
		27	===================================================================
		28	--- qemu-2.5.0.orig/backends/rng-egd.c
		29	+++ qemu-2.5.0/backends/rng-egd.c
		30	@@ -57,12 +57,6 @@ static void rng_egd_request_entropy(RngB
		31	s->parent.requests = g_slist_append(s->parent.requests, req);
		32	}
		33
		34	-static void rng_egd_free_request(RngRequest *req)
		35	-{
		36	- g_free(req->data);
		37	- g_free(req);
		38	-}
		39	-
		40	static int rng_egd_chr_can_read(void *opaque)
		41	{
		42	RngEgd *s = RNG_EGD(opaque);
		43	@@ -92,28 +86,13 @@ static void rng_egd_chr_read(void *opaqu
		44	size -= len;
		45
		46	if (req->offset == req->size) {
		47	- s->parent.requests = g_slist_remove_link(s->parent.requests,
		48	- s->parent.requests);
		49
		50	req->receive_entropy(req->opaque, req->data, req->size);
		51	-
		52	- rng_egd_free_request(req);
		53	+ rng_backend_finalize_request(&s->parent, req);
		54	}
		55	}
		56	}
		57
		58	-static void rng_egd_free_requests(RngEgd *s)
		59	-{
		60	- GSList *i;
		61	-
		62	- for (i = s->parent.requests; i; i = i->next) {
		63	- rng_egd_free_request(i->data);
		64	- }
		65	-
		66	- g_slist_free(s->parent.requests);
		67	- s->parent.requests = NULL;
		68	-}
		69	-
		70	static void rng_egd_opened(RngBackend b, Error *errp)
		71	{
		72	RngEgd *s = RNG_EGD(b);
		73	@@ -182,8 +161,6 @@ static void rng_egd_finalize(Object *obj
		74	}
		75
		76	g_free(s->chr_name);
		77	-
		78	- rng_egd_free_requests(s);
		79	}
		80
		81	static void rng_egd_class_init(ObjectClass klass, void data)
		82	Index: qemu-2.5.0/backends/rng.c
		83	===================================================================
		84	--- qemu-2.5.0.orig/backends/rng.c
		85	+++ qemu-2.5.0/backends/rng.c
		86	@@ -63,6 +63,30 @@ static void rng_backend_prop_set_opened(
		87	s->opened = true;
		88	}
		89
		90	+static void rng_backend_free_request(RngRequest *req)
		91	+{
		92	+ g_free(req->data);
		93	+ g_free(req);
		94	+}
		95	+
		96	+static void rng_backend_free_requests(RngBackend *s)
		97	+{
		98	+ GSList *i;
		99	+
		100	+ for (i = s->requests; i; i = i->next) {
		101	+ rng_backend_free_request(i->data);
		102	+ }
		103	+
		104	+ g_slist_free(s->requests);
		105	+ s->requests = NULL;
		106	+}
		107	+
		108	+void rng_backend_finalize_request(RngBackend s, RngRequest req)
		109	+{
		110	+ s->requests = g_slist_remove(s->requests, req);
		111	+ rng_backend_free_request(req);
		112	+}
		113	+
		114	static void rng_backend_init(Object *obj)
		115	{
		116	object_property_add_bool(obj, "opened",
		117	@@ -71,6 +95,13 @@ static void rng_backend_init(Object *obj
		118	NULL);
		119	}
		120
		121	+static void rng_backend_finalize(Object *obj)
		122	+{
		123	+ RngBackend *s = RNG_BACKEND(obj);
		124	+
		125	+ rng_backend_free_requests(s);
		126	+}
		127	+
		128	static void rng_backend_class_init(ObjectClass oc, void data)
		129	{
		130	UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
		131	@@ -83,6 +114,7 @@ static const TypeInfo rng_backend_info =
		132	.parent = TYPE_OBJECT,
		133	.instance_size = sizeof(RngBackend),
		134	.instance_init = rng_backend_init,
		135	+ .instance_finalize = rng_backend_finalize,
		136	.class_size = sizeof(RngBackendClass),
		137	.class_init = rng_backend_class_init,
		138	.abstract = true,
		139	Index: qemu-2.5.0/include/sysemu/rng.h
		140	===================================================================
		141	--- qemu-2.5.0.orig/include/sysemu/rng.h
		142	+++ qemu-2.5.0/include/sysemu/rng.h
		143	@@ -61,6 +61,7 @@ struct RngBackend
		144	GSList *requests;
		145	};
		146
		147	+
		148	/**
		149	* rng_backend_request_entropy:
		150	* @s: the backend to request entropy from


diff --git a/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch b/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch new file mode 100644 index 0000000000..51296bcac8 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/rng_remove_the_unused_request_cancellation_code.patch
@@ -0,0 +1,101 @@
		1	From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
		2	From: Ladi Prosek <lprosek@redhat.com>
		3	Date: Thu, 3 Mar 2016 09:37:15 +0100
		4	Subject: [PATCH] rng: remove the unused request cancellation code
		5
		6	rng_backend_cancel_requests had no callers and none of the code
		7	deleted in this commit ever ran.
		8
		9	Signed-off-by: Ladi Prosek <lprosek@redhat.com>
		10	Reviewed-by: Amit Shah <amit.shah@redhat.com>
		11	Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com>
		12	Signed-off-by: Amit Shah <amit.shah@redhat.com>
		13
		14	Upstream-Status: Backport
		15	in support of CVE-2016-2858
		16
		17	Signed-off-by: Armin Kuster <akuster@mvista.com>
		18
		19	---
		20	backends/rng-egd.c \| 12 ------------
		21	backends/rng.c \| 9 ---------
		22	include/sysemu/rng.h \| 11 -----------
		23	3 files changed, 32 deletions(-)
		24
		25	Index: qemu-2.5.0/backends/rng-egd.c
		26	===================================================================
		27	--- qemu-2.5.0.orig/backends/rng-egd.c
		28	+++ qemu-2.5.0/backends/rng-egd.c
		29	@@ -114,17 +114,6 @@ static void rng_egd_free_requests(RngEgd
		30	s->parent.requests = NULL;
		31	}
		32
		33	-static void rng_egd_cancel_requests(RngBackend *b)
		34	-{
		35	- RngEgd *s = RNG_EGD(b);
		36	-
		37	- /* We simply delete the list of pending requests. If there is data in the
		38	- * queue waiting to be read, this is okay, because there will always be
		39	- * more data than we requested originally
		40	- */
		41	- rng_egd_free_requests(s);
		42	-}
		43	-
		44	static void rng_egd_opened(RngBackend b, Error *errp)
		45	{
		46	RngEgd *s = RNG_EGD(b);
		47	@@ -202,7 +191,6 @@ static void rng_egd_class_init(ObjectCla
		48	RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
		49
		50	rbc->request_entropy = rng_egd_request_entropy;
		51	- rbc->cancel_requests = rng_egd_cancel_requests;
		52	rbc->opened = rng_egd_opened;
		53	}
		54
		55	Index: qemu-2.5.0/backends/rng.c
		56	===================================================================
		57	--- qemu-2.5.0.orig/backends/rng.c
		58	+++ qemu-2.5.0/backends/rng.c
		59	@@ -25,15 +25,6 @@ void rng_backend_request_entropy(RngBack
		60	}
		61	}
		62
		63	-void rng_backend_cancel_requests(RngBackend *s)
		64	-{
		65	- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
		66	-
		67	- if (k->cancel_requests) {
		68	- k->cancel_requests(s);
		69	- }
		70	-}
		71	-
		72	static bool rng_backend_prop_get_opened(Object obj, Error *errp)
		73	{
		74	RngBackend *s = RNG_BACKEND(obj);
		75	Index: qemu-2.5.0/include/sysemu/rng.h
		76	===================================================================
		77	--- qemu-2.5.0.orig/include/sysemu/rng.h
		78	+++ qemu-2.5.0/include/sysemu/rng.h
		79	@@ -48,7 +48,6 @@ struct RngBackendClass
		80
		81	void (request_entropy)(RngBackend s, size_t size,
		82	EntropyReceiveFunc receive_entropy, void opaque);
		83	- void (cancel_requests)(RngBackend s);
		84
		85	void (opened)(RngBackend s, Error **errp);
		86	};
		87	@@ -80,14 +79,4 @@ struct RngBackend
		88	void rng_backend_request_entropy(RngBackend *s, size_t size,
		89	EntropyReceiveFunc *receive_entropy,
		90	void *opaque);
		91	-
		92	-/**
		93	- * rng_backend_cancel_requests:
		94	- * @s: the backend to cancel all pending requests in
		95	- *
		96	- * Cancels all pending requests submitted by @rng_backend_request_entropy. This
		97	- * should be used by a device during reset or in preparation for live migration
		98	- * to stop tracking any request.
		99	- */
		100	-void rng_backend_cancel_requests(RngBackend *s);
		101	#endif


diff --git a/meta/recipes-devtools/qemu/qemu_2.5.0.bb b/meta/recipes-devtools/qemu/qemu_2.5.0.bb index 76223869b0..03a6cbe331 100644 --- a/meta/recipes-devtools/qemu/qemu_2.5.0.bb +++ b/meta/recipes-devtools/qemu/qemu_2.5.0.bb
@@ -12,6 +12,10 @@ SRC_URI += "file://configure-fix-Darwin-target-detection.patch \
12	file://CVE-2016-2198.patch \	12	file://CVE-2016-2198.patch \
13	file://pathlimit.patch \	13	file://pathlimit.patch \
14	file://CVE-2016-2857.patch \	14	file://CVE-2016-2857.patch \
		15	file://rng_move_request_from_RngEgd_to_RngBackend.patch \
		16	file://rng_remove_the_unused_request_cancellation_code.patch \
		17	file://rng_move_request_queue_cleanup_from_RngEgd_to_RngBackend.patch \
		18	file://CVE-2016-2858.patch \
15	"	19	"
16	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"	20	SRC_URI_prepend = "http://wiki.qemu-project.org/download/${BP}.tar.bz2"
17	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"	21	SRC_URI[md5sum] = "f469f2330bbe76e3e39db10e9ac4f8db"