diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest index 70a4faa..06e2397 100644 --- a/app-emulation/qemu/Manifest +++ b/app-emulation/qemu/Manifest @@ -1 +1 @@ -DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef +DIST qemu-2.5.1.tar.bz2 25464539 SHA256 028752c33bb786abbfe496ba57315dc5a7d0a33b5a7a767f6d7a29020c525d2c SHA512 66959ad6a2a89f23c5daba245c76f71ddc03a33a1167bca639a042ebbf7329b2e698cd2c0e65c22a9874563a34256a48386aa9df6475b06d38db74187e3e3b3f WHIRLPOOL 32525271574692d56b7794dc63606659f46e6ae19a56dee31b3cec33dab9c4eb74147a65db4940229492d8680f38c2d05bc2a8fbcb4b6887b0c1cbe5fbbe44cf diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch deleted file mode 100644 index 0e27684..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001 -From: Greg Kurz -Date: Wed, 23 Dec 2015 10:56:58 +0100 -Subject: [PATCH] virtio-9p: use accessor to get thread_pool - -The aio_context_new() function does not allocate a thread pool. This is -deferred to the first call to the aio_get_thread_pool() accessor. It is -hence forbidden to access the thread_pool field directly, as it may be -NULL. The accessor *must* be used always. - -Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e -Reviewed-by: Michael Tokarev -Tested-by: Michael Tokarev -Cc: qemu-stable@nongnu.org -Signed-off-by: Greg Kurz ---- - hw/9pfs/virtio-9p-coth.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c -index fb6e8f8..ab9425c 100644 ---- a/hw/9pfs/virtio-9p-coth.c -+++ b/hw/9pfs/virtio-9p-coth.c -@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg) - void co_run_in_worker_bh(void *opaque) - { - Coroutine *co = opaque; -- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool, -+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()), - coroutine_enter_func, co, coroutine_enter_cb, co); - } --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch deleted file mode 100644 index fbc6a0a..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch +++ /dev/null @@ -1,50 +0,0 @@ -https://bugs.gentoo.org/568246 - -From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 14 Dec 2015 09:21:23 +0100 -Subject: [PATCH] ehci: make idt processing more robust - -Make ehci_process_itd return an error in case we didn't do any actual -iso transfer because we've found no active transaction. That'll avoid -ehci happily run in circles forever if the guest builds a loop out of -idts. - -This is CVE-2015-8558. - -Cc: qemu-stable@nongnu.org -Reported-by: Qinghao Tang -Tested-by: P J P -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index 4e2161b..d07f228 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, - { - USBDevice *dev; - USBEndpoint *ep; -- uint32_t i, len, pid, dir, devaddr, endp; -+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; - uint32_t pg, off, ptr1, ptr2, max, mult; - - ehci->periodic_sched_active = PERIODIC_ACTIVE; -@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, - ehci_raise_irq(ehci, USBSTS_INT); - } - itd->transact[i] &= ~ITD_XACT_ACTIVE; -+ xfers++; - } - } -- return 0; -+ return xfers ? 0 : -1; - } - - --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch deleted file mode 100644 index e196043..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch +++ /dev/null @@ -1,95 +0,0 @@ -https://bugs.gentoo.org/567868 - -From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001 -From: P J P -Date: Tue, 15 Dec 2015 12:27:54 +0530 -Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device - -Vmxnet3 device emulator does not check if the device is active -before activating it, also it did not free the transmit & receive -buffers while deactivating the device, thus resulting in memory -leakage on the host. This patch fixes both these issues to avoid -host memory leakage. - -Reported-by: Qinghao Tang -Reviewed-by: Dmitry Fleytman -Signed-off-by: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Signed-off-by: Jason Wang ---- - hw/net/vmxnet3.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index a5dd79a..9c1adfc 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) - - static void vmxnet3_deactivate_device(VMXNET3State *s) - { -- VMW_CBPRN("Deactivating vmxnet3..."); -- s->device_active = false; -+ if (s->device_active) { -+ VMW_CBPRN("Deactivating vmxnet3..."); -+ vmxnet_tx_pkt_reset(s->tx_pkt); -+ vmxnet_tx_pkt_uninit(s->tx_pkt); -+ vmxnet_rx_pkt_uninit(s->rx_pkt); -+ s->device_active = false; -+ } - } - - static void vmxnet3_reset(VMXNET3State *s) -@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) - - vmxnet3_deactivate_device(s); - vmxnet3_reset_interrupt_states(s); -- vmxnet_tx_pkt_reset(s->tx_pkt); - s->drv_shmem = 0; - s->tx_sop = true; - s->skip_current_tx_pkt = false; -@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) - return; - } - -+ /* Verify if device is active */ -+ if (s->device_active) { -+ VMW_CFPRN("Vmxnet3 device is active"); -+ return; -+ } -+ - vmxnet3_adjust_by_guest_type(s); - vmxnet3_update_features(s); - vmxnet3_update_pm_state(s); -@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) - break; - - case VMXNET3_CMD_QUIESCE_DEV: -- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); -+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); - vmxnet3_deactivate_device(s); - break; - -@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, - * shared address only after we get the high part - */ - if (val == 0) { -- s->device_active = false; -+ vmxnet3_deactivate_device(s); - } - s->temp_shared_guest_driver_memory = val; - s->drv_shmem = 0; -@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) - static void vmxnet3_net_uninit(VMXNET3State *s) - { - g_free(s->mcast_list); -- vmxnet_tx_pkt_reset(s->tx_pkt); -- vmxnet_tx_pkt_uninit(s->tx_pkt); -- vmxnet_rx_pkt_uninit(s->rx_pkt); -+ vmxnet3_deactivate_device(s); - qemu_del_nic(s->nic); - } - --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch deleted file mode 100644 index 61a52ee..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001 -From: P J P -Date: Mon, 21 Dec 2015 15:13:13 +0530 -Subject: [PATCH] scsi: initialise info object with appropriate size - -While processing controller 'CTRL_GET_INFO' command, the routine -'megasas_ctrl_get_info' overflows the '&info' object size. Use its -appropriate size to null initialise it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-Id: -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -Signed-off-by: P J P ---- - hw/scsi/megasas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index d7dc667..576f56c 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) - BusChild *kid; - int num_pd_disks = 0; - -- memset(&info, 0x0, cmd->iov_size); -+ memset(&info, 0x0, dcmd_size); - if (cmd->iov_size < dcmd_size) { - trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, - dcmd_size); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch deleted file mode 100644 index be67336..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Wed, 13 Jan 2016 09:09:58 +0100 -Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) - -When processing 'sendkey' command, hmp_sendkey routine null -terminates the 'keyname_buf' array. This results in an OOB -write issue, if 'keyname_len' was to fall outside of -'keyname_buf' array. - -Since the keyname's length is known the keyname_buf can be -removed altogether by adding a length parameter to -index_from_key() and using it for the error output as well. - -Reported-by: Ling Liu -Signed-off-by: Wolfgang Bumiller -Message-Id: <20160113080958.GA18934@olga> -[Comparison with "<" dumbed down, test for junk after strtoul() -tweaked] -Signed-off-by: Markus Armbruster ---- - hmp.c | 18 ++++++++---------- - include/ui/console.h | 2 +- - ui/input-legacy.c | 5 +++-- - 3 files changed, 12 insertions(+), 13 deletions(-) - -diff --git a/hmp.c b/hmp.c -index 54f2620..9c571f5 100644 ---- a/hmp.c -+++ b/hmp.c -@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) - int has_hold_time = qdict_haskey(qdict, "hold-time"); - int hold_time = qdict_get_try_int(qdict, "hold-time", -1); - Error *err = NULL; -- char keyname_buf[16]; - char *separator; - int keyname_len; - - while (1) { - separator = strchr(keys, '-'); - keyname_len = separator ? separator - keys : strlen(keys); -- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); - - /* Be compatible with old interface, convert user inputted "<" */ -- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { -- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); -+ if (keys[0] == '<' && keyname_len == 1) { -+ keys = "less"; - keyname_len = 4; - } -- keyname_buf[keyname_len] = 0; - - keylist = g_malloc0(sizeof(*keylist)); - keylist->value = g_malloc0(sizeof(*keylist->value)); -@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) - } - tmp = keylist; - -- if (strstart(keyname_buf, "0x", NULL)) { -+ if (strstart(keys, "0x", NULL)) { - char *endp; -- int value = strtoul(keyname_buf, &endp, 0); -- if (*endp != '\0') { -+ int value = strtoul(keys, &endp, 0); -+ assert(endp <= keys + keyname_len); -+ if (endp != keys + keyname_len) { - goto err_out; - } - keylist->value->type = KEY_VALUE_KIND_NUMBER; - keylist->value->u.number = value; - } else { -- int idx = index_from_key(keyname_buf); -+ int idx = index_from_key(keys, keyname_len); - if (idx == Q_KEY_CODE_MAX) { - goto err_out; - } -@@ -1789,7 +1787,7 @@ out: - return; - - err_out: -- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); -+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); - goto out; - } - -diff --git a/include/ui/console.h b/include/ui/console.h -index adac36d..116bc2b 100644 ---- a/include/ui/console.h -+++ b/include/ui/console.h -@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires) - void curses_display_init(DisplayState *ds, int full_screen); - - /* input.c */ --int index_from_key(const char *key); -+int index_from_key(const char *key, size_t key_length); - - /* gtk.c */ - void early_gtk_display_init(int opengl); -diff --git a/ui/input-legacy.c b/ui/input-legacy.c -index 35dfc27..3454055 100644 ---- a/ui/input-legacy.c -+++ b/ui/input-legacy.c -@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { - static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = - QTAILQ_HEAD_INITIALIZER(led_handlers); - --int index_from_key(const char *key) -+int index_from_key(const char *key, size_t key_length) - { - int i; - - for (i = 0; QKeyCode_lookup[i] != NULL; i++) { -- if (!strcmp(key, QKeyCode_lookup[i])) { -+ if (!strncmp(key, QKeyCode_lookup[i], key_length) && -+ !QKeyCode_lookup[i][key_length]) { - break; - } - } --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch deleted file mode 100644 index 0dab1c3..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch +++ /dev/null @@ -1,49 +0,0 @@ -https://bugs.gentoo.org/570110 - -From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 28 Dec 2015 16:24:08 +0530 -Subject: [PATCH] net: rocker: fix an incorrect array bounds check - -While processing transmit(tx) descriptors in 'tx_consume' routine -the switch emulator suffers from an off-by-one error, if a -descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) -fragments. Fix an incorrect bounds check to avoid it. - -Reported-by: Qinghao Tang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/rocker/rocker.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c -index c57f1a6..2e77e50 100644 ---- a/hw/net/rocker/rocker.c -+++ b/hw/net/rocker/rocker.c -@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) - frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); - frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); - -+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { -+ goto err_too_many_frags; -+ } - iov[iovcnt].iov_len = frag_len; - iov[iovcnt].iov_base = g_malloc(frag_len); - if (!iov[iovcnt].iov_base) { -@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) - err = -ROCKER_ENXIO; - goto err_bad_io; - } -- -- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { -- goto err_too_many_frags; -- } -+ iovcnt++; - } - - if (iovcnt) { --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch deleted file mode 100644 index b2bca56..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch +++ /dev/null @@ -1,50 +0,0 @@ -https://bugs.gentoo.org/570988 - -From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 31 Dec 2015 17:05:27 +0530 -Subject: [PATCH] net: ne2000: fix bounds check in ioport operations - -While doing ioport r/w operations, ne2000 device emulation suffers -from OOB r/w errors. Update respective array bounds check to avoid -OOB access. - -Reported-by: Ling Liu -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/ne2000.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index 010f9ef..a3dffff 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, - uint32_t val) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - stl_le_p(s->mem + addr, val); - } - } -@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) - static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - return ldl_le_p(s->mem + addr); - } else { - return 0xffffffff; --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch deleted file mode 100644 index 4ce9a35..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch +++ /dev/null @@ -1,41 +0,0 @@ -https://bugs.gentoo.org/571566 - -From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 11 Jan 2016 14:10:42 -0500 -Subject: [PATCH] ide: ahci: reset ncq object to unused on error - -When processing NCQ commands, AHCI device emulation prepares a -NCQ transfer object; To which an aio control block(aiocb) object -is assigned in 'execute_ncq_command'. In case, when the NCQ -command is invalid, the 'aiocb' object is not assigned, and NCQ -transfer object is left as 'used'. This leads to a use after -free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. -Reset NCQ transfer object to 'unused' to avoid it. - -[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Reviewed-by: John Snow -Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com -Signed-off-by: John Snow ---- - hw/ide/ahci.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c -index dd1912e..17f1cbd 100644 ---- a/hw/ide/ahci.c -+++ b/hw/ide/ahci.c -@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) - ide_state->error = ABRT_ERR; - ide_state->status = READY_STAT | ERR_STAT; - ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); -+ ncq_tfs->used = 0; - } - - static void ncq_finish(NCQTransferState *ncq_tfs) --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch deleted file mode 100644 index 917fa2f..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 -From: "Gabriel L. Somlo" -Date: Thu, 5 Nov 2015 09:32:50 -0500 -Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When calculating a pointer to the currently selected fw_cfg item, the -following is used: - - FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - -When s->cur_entry is FW_CFG_INVALID, we are calculating the address of -a non-existent element in s->entries[arch][...], which is undefined. - -This patch ensures the resulting entry pointer is set to NULL whenever -s->cur_entry is FW_CFG_INVALID. - -Reported-by: Laszlo Ersek -Reviewed-by: Laszlo Ersek -Signed-off-by: Gabriel Somlo -Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu -Cc: Marc Marí -Signed-off-by: Gabriel Somlo -Reviewed-by: Laszlo Ersek -Signed-off-by: Gerd Hoffmann ---- - hw/nvram/fw_cfg.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c -index c2d3a0a..046fa74 100644 ---- a/hw/nvram/fw_cfg.c -+++ b/hw/nvram/fw_cfg.c -@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) - static uint8_t fw_cfg_read(FWCfgState *s) - { - int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); -- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; -+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - uint8_t ret; - - if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) -@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) - } - - arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); -- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; -+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - - if (dma.control & FW_CFG_DMA_CTL_READ) { - read = 1; --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch deleted file mode 100644 index 23c2341..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001 -From: P J P -Date: Fri, 18 Dec 2015 11:35:07 +0530 -Subject: [PATCH] i386: avoid null pointer dereference - - Hello, - -A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It -occurs while doing I/O port write operations via hmp interface. In that, -'current_cpu' remains null as it is not called from cpu_exec loop, which -results in the said issue. - -Below is a proposed (tested)patch to fix this issue; Does it look okay? - -=== -From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 18 Dec 2015 11:16:07 +0530 -Subject: [PATCH] i386: avoid null pointer dereference - -When I/O port write operation is called from hmp interface, -'current_cpu' remains null, as it is not called from cpu_exec() -loop. This leads to a null pointer dereference in vapic_write -routine. Add check to avoid it. - -Reported-by: Ling Liu -Signed-off-by: Prasad J Pandit -Message-Id: -Signed-off-by: Paolo Bonzini -Signed-off-by: P J P ---- - hw/i386/kvmvapic.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c -index c6d34b2..f0922da 100644 ---- a/hw/i386/kvmvapic.c -+++ b/hw/i386/kvmvapic.c -@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) - static void vapic_write(void *opaque, hwaddr addr, uint64_t data, - unsigned int size) - { -- CPUState *cs = current_cpu; -- X86CPU *cpu = X86_CPU(cs); -- CPUX86State *env = &cpu->env; -- hwaddr rom_paddr; - VAPICROMState *s = opaque; -+ X86CPU *cpu; -+ CPUX86State *env; -+ hwaddr rom_paddr; - -- cpu_synchronize_state(cs); -+ if (!current_cpu) { -+ return; -+ } -+ -+ cpu_synchronize_state(current_cpu); -+ cpu = X86_CPU(current_cpu); -+ env = &cpu->env; - - /* - * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch deleted file mode 100644 index 2922193..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch +++ /dev/null @@ -1,98 +0,0 @@ -From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 19 Jan 2016 14:17:20 +0100 -Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer - start - -The start_xmit() and e1000_receive_iov() functions implement DMA transfers -iterating over a set of descriptors that the guest's e1000 driver -prepares: - -- the TDLEN and RDLEN registers store the total size of the descriptor - area, - -- while the TDH and RDH registers store the offset (in whole tx / rx - descriptors) into the area where the transfer is supposed to start. - -Each time a descriptor is processed, the TDH and RDH register is bumped -(as appropriate for the transfer direction). - -QEMU already contains logic to deal with bogus transfers submitted by the -guest: - -- Normally, the transmit case wants to increase TDH from its initial value - to TDT. (TDT is allowed to be numerically smaller than the initial TDH - value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe - that QEMU currently has here is a check against reaching the original - TDH value again -- a complete wraparound, which should never happen. - -- In the receive case RDH is increased from its initial value until - "total_size" bytes have been received; preferably in a single step, or - in "s->rxbuf_size" byte steps, if the latter is smaller. However, null - RX descriptors are skipped without receiving data, while RDH is - incremented just the same. QEMU tries to prevent an infinite loop - (processing only null RX descriptors) by detecting whether RDH assumes - its original value during the loop. (Again, wrapping from RDLEN to 0 is - normal.) - -What both directions miss is that the guest could program TDLEN and RDLEN -so low, and the initial TDH and RDH so high, that these registers will -immediately be truncated to zero, and then never reassume their initial -values in the loop -- a full wraparound will never occur. - -The condition that expresses this is: - - xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) - -i.e., TDH or RDH start out after the last whole rx or tx descriptor that -fits into the TDLEN or RDLEN sized area. - -This condition could be checked before we enter the loops, but -pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for -bogus DMA addresses, so we just extend the existing failsafes with the -above condition. - -This is CVE-2016-1981. - -Cc: "Michael S. Tsirkin" -Cc: Petr Matousek -Cc: Stefano Stabellini -Cc: Prasad Pandit -Cc: Michael Roth -Cc: Jason Wang -Cc: qemu-stable@nongnu.org -RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 -Signed-off-by: Laszlo Ersek -Reviewed-by: Jason Wang -Signed-off-by: Jason Wang ---- - hw/net/e1000.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/net/e1000.c b/hw/net/e1000.c -index 4eda7a3..0387fa0 100644 ---- a/hw/net/e1000.c -+++ b/hw/net/e1000.c -@@ -909,7 +909,8 @@ start_xmit(E1000State *s) - * bogus values to TDT/TDLEN. - * there's nothing too intelligent we could do about this. - */ -- if (s->mac_reg[TDH] == tdh_start) { -+ if (s->mac_reg[TDH] == tdh_start || -+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { - DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", - tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); - break; -@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) - if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) - s->mac_reg[RDH] = 0; - /* see comment in start_xmit; same here */ -- if (s->mac_reg[RDH] == rdh_start) { -+ if (s->mac_reg[RDH] == rdh_start || -+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { - DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", - rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); - set_ics(s, 0, E1000_ICS_RXO); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch deleted file mode 100644 index 0ab7b02..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001 -From: John Snow -Date: Wed, 10 Feb 2016 13:29:40 -0500 -Subject: [PATCH] ahci: Do not unmap NULL addresses - -Definitely don't try to unmap a garbage address. - -Reported-by: Zuozhi fzz -Signed-off-by: John Snow -Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com ---- - hw/ide/ahci.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c -index 7e87b18..3a95dad 100644 ---- a/hw/ide/ahci.c -+++ b/hw/ide/ahci.c -@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad) - - static void ahci_unmap_fis_address(AHCIDevice *ad) - { -+ if (ad->res_fis == NULL) { -+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n"); -+ return; -+ } - dma_memory_unmap(ad->hba->as, ad->res_fis, 256, - DMA_DIRECTION_FROM_DEVICE, 256); - ad->res_fis = NULL; -@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad) - - static void ahci_unmap_clb_address(AHCIDevice *ad) - { -+ if (ad->lst == NULL) { -+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n"); -+ return; -+ } - dma_memory_unmap(ad->hba->as, ad->lst, 1024, - DMA_DIRECTION_FROM_DEVICE, 1024); - ad->lst = NULL; --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch deleted file mode 100644 index e7aa5ca..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 11 Feb 2016 16:31:20 +0530 -Subject: [PATCH] usb: check USB configuration descriptor object - -When processing remote NDIS control message packets, the USB Net -device emulator checks to see if the USB configuration descriptor -object is of RNDIS type(2). But it does not check if it is null, -which leads to a null dereference error. Add check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/dev-network.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c -index 985a629..5dc4538 100644 ---- a/hw/usb/dev-network.c -+++ b/hw/usb/dev-network.c -@@ -654,7 +654,8 @@ typedef struct USBNetState { - - static int is_rndis(USBNetState *s) - { -- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; -+ return s->dev.config ? -+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; - } - - static int ndis_query(USBNetState *s, uint32_t oid, --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch deleted file mode 100644 index 2874b75..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 24 Feb 2016 11:41:33 +0530 -Subject: [PATCH] net: ne2000: check ring buffer control registers - -Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) -bytes to process network packets. Registers PSTART & PSTOP -define ring buffer size & location. Setting these registers -to invalid values could lead to infinite loop or OOB r/w -access issues. Add check to avoid it. - -Reported-by: Yang Hongke -Tested-by: Yang Hongke -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/ne2000.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index e408083..f0feaf9 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s) - { - int avail, index, boundary; - -+ if (s->stop <= s->start) { -+ return 1; -+ } -+ - index = s->curpag << 8; - boundary = s->boundary << 8; - if (index < boundary) --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch deleted file mode 100644 index 2ddca3e..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 20 Jan 2016 01:26:46 +0530 -Subject: [PATCH] usb: check page select value while processing iTD - -While processing isochronous transfer descriptors(iTD), the page -select(PG) field value could lead to an OOB read access. Add -check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index ab00268..93601d9 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci, - if (itd->transact[i] & ITD_XACT_ACTIVE) { - pg = get_field(itd->transact[i], ITD_XACT_PGSEL); - off = itd->transact[i] & ITD_XACT_OFFSET_MASK; -- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); -- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK); - len = get_field(itd->transact[i], ITD_XACT_LENGTH); - - if (len > max * mult) { - len = max * mult; - } -- -- if (len > BUFF_SIZE) { -+ if (len > BUFF_SIZE || pg > 6) { - return -1; - } - -+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); - qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); - if (off + len > 4096) { - /* transfer crosses page border */ -+ if (pg == 6) { -+ return -1; /* avoid page pg + 1 */ -+ } -+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); - uint32_t len2 = off + len - 4096; - uint32_t len1 = len - len2; - qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch deleted file mode 100644 index da643fd..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch +++ /dev/null @@ -1,59 +0,0 @@ -From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 17 Feb 2016 00:23:41 +0530 -Subject: [PATCH] usb: check RNDIS buffer offsets & length - -When processing remote NDIS control message packets, -the USB Net device emulator uses a fixed length(4096) data buffer. -The incoming informationBufferOffset & Length combination could -overflow and cross that range. Check control message buffer -offsets and length to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/dev-network.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c -index 5dc4538..c6abd38 100644 ---- a/hw/usb/dev-network.c -+++ b/hw/usb/dev-network.c -@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s, - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - infobuflen = ndis_query(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen, infobuf, -@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s, - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - ret = ndis_set(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen); -@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p) - if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { - uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); - uint32_t size = le32_to_cpu(msg->DataLength); -- if (offs + size <= len) -+ if (offs < len && size < len && offs + size <= len) { - qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); -+ } - } - s->out_ptr -= len; - memmove(s->out_buf, &s->out_buf[len], s->out_ptr); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch new file mode 100644 index 0000000..cf1a4c3 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch @@ -0,0 +1,107 @@ +https://bugs.gentoo.org/580426 +https://bugs.gentoo.org/568246 + +From a49923d2837d20510d645d3758f1ad87c32d0730 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 18 Apr 2016 09:20:54 +0200 +Subject: [PATCH] Revert "ehci: make idt processing more robust" + +This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254. + +Breaks FreeBSD. + +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index d5c0e1c..43a8f7a 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1397,7 +1397,7 @@ static int ehci_process_itd(EHCIState *ehci, + { + USBDevice *dev; + USBEndpoint *ep; +- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; ++ uint32_t i, len, pid, dir, devaddr, endp; + uint32_t pg, off, ptr1, ptr2, max, mult; + + ehci->periodic_sched_active = PERIODIC_ACTIVE; +@@ -1489,10 +1489,9 @@ static int ehci_process_itd(EHCIState *ehci, + ehci_raise_irq(ehci, USBSTS_INT); + } + itd->transact[i] &= ~ITD_XACT_ACTIVE; +- xfers++; + } + } +- return xfers ? 0 : -1; ++ return 0; + } + + +-- +2.7.4 + +From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 18 Apr 2016 09:11:38 +0200 +Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a +DoS by the guest (create a circular iTD queue and let qemu ehci +emulation run in circles forever). Unfortunately this has two problems: +First it misses the case of siTDs, and second it reportedly breaks +FreeBSD. + +So lets go for a different approach: just count the number of iTDs and +siTDs we have seen per frame and apply a limit. That should really +catch all cases now. + +Reported-by: 杜少博 +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 159f58d..d5c0e1c 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q) + static void ehci_advance_state(EHCIState *ehci, int async) + { + EHCIQueue *q = NULL; ++ int itd_count = 0; + int again; + + do { +@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async) + + case EST_FETCHITD: + again = ehci_state_fetchitd(ehci, async); ++ itd_count++; + break; + + case EST_FETCHSITD: + again = ehci_state_fetchsitd(ehci, async); ++ itd_count++; + break; + + case EST_ADVANCEQUEUE: +@@ -2087,7 +2090,8 @@ static void ehci_advance_state(EHCIState *ehci, int async) + break; + } + +- if (again < 0) { ++ if (again < 0 || itd_count > 16) { ++ /* TODO: notify guest (raise HSE irq?) */ + fprintf(stderr, "processing error - resetting ehci HC\n"); + ehci_reset(ehci); + again = 0; +-- +2.7.4 + diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch new file mode 100644 index 0000000..e3115c1 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch @@ -0,0 +1,16 @@ +https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html +https://bugs.gentoo.org/580040 + +diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c +index c69f374..ff1e31a 100644 +--- a/hw/i386/kvmvapic.c ++++ b/hw/i386/kvmvapic.c +@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip) + CPUX86State *env = &cpu->env; + VAPICHandlers *handlers; + uint8_t opcode[2]; +- uint32_t imm32; ++ uint32_t imm32 = 0; + target_ulong current_pc = 0; + target_ulong current_cs_base = 0; + int current_flags = 0; diff --git a/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch new file mode 100644 index 0000000..ab7d3f3 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch @@ -0,0 +1,47 @@ +From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 8 Apr 2016 11:33:48 +0530 +Subject: [PATCH] net: stellaris_enet: check packet length against receive + buffer + +When receiving packets over Stellaris ethernet controller, it +uses receive buffer of size 2048 bytes. In case the controller +accepts large(MTU) packets, it could lead to memory corruption. +Add check to avoid it. + +Reported-by: Oleksandr Bazhaniuk +Signed-off-by: Prasad J Pandit +Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com +Reviewed-by: Peter Maydell +Signed-off-by: Peter Maydell +--- + hw/net/stellaris_enet.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c +index 84cf60b..6880894 100644 +--- a/hw/net/stellaris_enet.c ++++ b/hw/net/stellaris_enet.c +@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si + n = s->next_packet + s->np; + if (n >= 31) + n -= 31; +- s->np++; + ++ if (size >= sizeof(s->rx[n].data) - 6) { ++ /* If the packet won't fit into the ++ * emulated 2K RAM, this is reported ++ * as a FIFO overrun error. ++ */ ++ s->ris |= SE_INT_FOV; ++ stellaris_enet_update(s); ++ return -1; ++ } ++ ++ s->np++; + s->rx[n].len = size + 6; + p = s->rx[n].data; + *(p++) = (size + 6); +-- +2.7.4 + diff --git a/app-emulation/qemu/qemu-2.5.0-r3.ebuild b/app-emulation/qemu/qemu-2.5.1.ebuild similarity index 93% rename from app-emulation/qemu/qemu-2.5.0-r3.ebuild rename to app-emulation/qemu/qemu-2.5.1.ebuild index dc2a9a1..0a25d7b 100644 --- a/app-emulation/qemu/qemu-2.5.0-r3.ebuild +++ b/app-emulation/qemu/qemu-2.5.1.ebuild @@ -24,7 +24,7 @@ else SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2 ${BACKPORTS:+ https://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}" - KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~x86-fbsd" + KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd" fi DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" @@ -215,11 +215,14 @@ QA_WX_LOAD="usr/bin/qemu-i386 DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure you have the kernel module loaded before running kvm. The easiest way to ensure that the kernel module is loaded is to load it on boot.\n -For AMD CPUs the module is called 'kvm-amd'\n -For Intel CPUs the module is called 'kvm-intel'\n -Please review /etc/conf.d/modules for how to load these\n\n +For AMD CPUs the module is called 'kvm-amd'.\n +For Intel CPUs the module is called 'kvm-intel'.\n +Please review /etc/conf.d/modules for how to load these.\n\n Make sure your user is in the 'kvm' group\n -Just run 'gpasswd -a kvm', then have re-login." +Just run 'gpasswd -a kvm', then have re-login.\n\n +For brand new installs, the default permissions on /dev/kvm might not let you +access it. You can tell udev to reset ownership/perms:\n +udevadm trigger -c add /dev/kvm" qemu_support_kvm() { if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \ @@ -337,25 +340,12 @@ src_prepare() { EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ epatch - epatch "${FILESDIR}"/${P}-CVE-2015-8567.patch #567868 - epatch "${FILESDIR}"/${P}-CVE-2015-8558.patch #568246 - epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110 - epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988 - epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566 - epatch "${FILESDIR}"/${P}-CVE-2015-8613.patch #569118 - epatch "${FILESDIR}"/${P}-CVE-2015-8619.patch #569300 - epatch "${FILESDIR}"/${P}-CVE-2016-1714.patch #571560 - epatch "${FILESDIR}"/${P}-CVE-2016-1922.patch #572082 - epatch "${FILESDIR}"/${P}-CVE-2016-1981.patch #572412 - epatch "${FILESDIR}"/${P}-usb-ehci-oob.patch #572454 - epatch "${FILESDIR}"/${P}-CVE-2016-2197.patch #573280 - epatch "${FILESDIR}"/${P}-CVE-2016-2198.patch #573314 - epatch "${FILESDIR}"/${P}-CVE-2016-2392.patch #574902 - epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492 - epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420 - epatch "${FILESDIR}"/${P}-sysmacros.patch - epatch "${FILESDIR}"/${P}-ne2000-reg-check.patch #573816 - epatch "${FILESDIR}"/${P}-9pfs-segfault.patch #578142 + epatch "${FILESDIR}"/${PN}-2.5.0-CVE-2016-2198.patch #573314 + epatch "${FILESDIR}"/${PN}-2.5.0-rng-stack-corrupt-{0,1,2,3}.patch #576420 + epatch "${FILESDIR}"/${PN}-2.5.1-stellaris_enet-overflow.patch #579614 + epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2016-4020.patch #580040 + epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2015-8558.patch #568246 #580426 + epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY