[app-emulation/qemu] sync with tree
This commit is contained in:
parent
b23911b5fe
commit
207eed566a
@ -1 +1 @@
|
|||||||
DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef
|
DIST qemu-2.5.1.tar.bz2 25464539 SHA256 028752c33bb786abbfe496ba57315dc5a7d0a33b5a7a767f6d7a29020c525d2c SHA512 66959ad6a2a89f23c5daba245c76f71ddc03a33a1167bca639a042ebbf7329b2e698cd2c0e65c22a9874563a34256a48386aa9df6475b06d38db74187e3e3b3f WHIRLPOOL 32525271574692d56b7794dc63606659f46e6ae19a56dee31b3cec33dab9c4eb74147a65db4940229492d8680f38c2d05bc2a8fbcb4b6887b0c1cbe5fbbe44cf
|
||||||
|
@ -1,34 +0,0 @@
|
|||||||
From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
|
||||||
Date: Wed, 23 Dec 2015 10:56:58 +0100
|
|
||||||
Subject: [PATCH] virtio-9p: use accessor to get thread_pool
|
|
||||||
|
|
||||||
The aio_context_new() function does not allocate a thread pool. This is
|
|
||||||
deferred to the first call to the aio_get_thread_pool() accessor. It is
|
|
||||||
hence forbidden to access the thread_pool field directly, as it may be
|
|
||||||
NULL. The accessor *must* be used always.
|
|
||||||
|
|
||||||
Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e
|
|
||||||
Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
||||||
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
|
|
||||||
---
|
|
||||||
hw/9pfs/virtio-9p-coth.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c
|
|
||||||
index fb6e8f8..ab9425c 100644
|
|
||||||
--- a/hw/9pfs/virtio-9p-coth.c
|
|
||||||
+++ b/hw/9pfs/virtio-9p-coth.c
|
|
||||||
@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg)
|
|
||||||
void co_run_in_worker_bh(void *opaque)
|
|
||||||
{
|
|
||||||
Coroutine *co = opaque;
|
|
||||||
- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool,
|
|
||||||
+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()),
|
|
||||||
coroutine_enter_func, co, coroutine_enter_cb, co);
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,50 +0,0 @@
|
|||||||
https://bugs.gentoo.org/568246
|
|
||||||
|
|
||||||
From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
Date: Mon, 14 Dec 2015 09:21:23 +0100
|
|
||||||
Subject: [PATCH] ehci: make idt processing more robust
|
|
||||||
|
|
||||||
Make ehci_process_itd return an error in case we didn't do any actual
|
|
||||||
iso transfer because we've found no active transaction. That'll avoid
|
|
||||||
ehci happily run in circles forever if the guest builds a loop out of
|
|
||||||
idts.
|
|
||||||
|
|
||||||
This is CVE-2015-8558.
|
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Tested-by: P J P <ppandit@redhat.com>
|
|
||||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
---
|
|
||||||
hw/usb/hcd-ehci.c | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
|
||||||
index 4e2161b..d07f228 100644
|
|
||||||
--- a/hw/usb/hcd-ehci.c
|
|
||||||
+++ b/hw/usb/hcd-ehci.c
|
|
||||||
@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
|
||||||
{
|
|
||||||
USBDevice *dev;
|
|
||||||
USBEndpoint *ep;
|
|
||||||
- uint32_t i, len, pid, dir, devaddr, endp;
|
|
||||||
+ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
|
|
||||||
uint32_t pg, off, ptr1, ptr2, max, mult;
|
|
||||||
|
|
||||||
ehci->periodic_sched_active = PERIODIC_ACTIVE;
|
|
||||||
@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
|
|
||||||
ehci_raise_irq(ehci, USBSTS_INT);
|
|
||||||
}
|
|
||||||
itd->transact[i] &= ~ITD_XACT_ACTIVE;
|
|
||||||
+ xfers++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- return 0;
|
|
||||||
+ return xfers ? 0 : -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
--
|
|
||||||
2.6.2
|
|
||||||
|
|
@ -1,95 +0,0 @@
|
|||||||
https://bugs.gentoo.org/567868
|
|
||||||
|
|
||||||
From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001
|
|
||||||
From: P J P <ppandit@redhat.com>
|
|
||||||
Date: Tue, 15 Dec 2015 12:27:54 +0530
|
|
||||||
Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
|
|
||||||
|
|
||||||
Vmxnet3 device emulator does not check if the device is active
|
|
||||||
before activating it, also it did not free the transmit & receive
|
|
||||||
buffers while deactivating the device, thus resulting in memory
|
|
||||||
leakage on the host. This patch fixes both these issues to avoid
|
|
||||||
host memory leakage.
|
|
||||||
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
---
|
|
||||||
hw/net/vmxnet3.c | 24 ++++++++++++++++--------
|
|
||||||
1 file changed, 16 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
|
||||||
index a5dd79a..9c1adfc 100644
|
|
||||||
--- a/hw/net/vmxnet3.c
|
|
||||||
+++ b/hw/net/vmxnet3.c
|
|
||||||
@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
|
|
||||||
|
|
||||||
static void vmxnet3_deactivate_device(VMXNET3State *s)
|
|
||||||
{
|
|
||||||
- VMW_CBPRN("Deactivating vmxnet3...");
|
|
||||||
- s->device_active = false;
|
|
||||||
+ if (s->device_active) {
|
|
||||||
+ VMW_CBPRN("Deactivating vmxnet3...");
|
|
||||||
+ vmxnet_tx_pkt_reset(s->tx_pkt);
|
|
||||||
+ vmxnet_tx_pkt_uninit(s->tx_pkt);
|
|
||||||
+ vmxnet_rx_pkt_uninit(s->rx_pkt);
|
|
||||||
+ s->device_active = false;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
static void vmxnet3_reset(VMXNET3State *s)
|
|
||||||
@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
|
|
||||||
|
|
||||||
vmxnet3_deactivate_device(s);
|
|
||||||
vmxnet3_reset_interrupt_states(s);
|
|
||||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
|
||||||
s->drv_shmem = 0;
|
|
||||||
s->tx_sop = true;
|
|
||||||
s->skip_current_tx_pkt = false;
|
|
||||||
@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* Verify if device is active */
|
|
||||||
+ if (s->device_active) {
|
|
||||||
+ VMW_CFPRN("Vmxnet3 device is active");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
vmxnet3_adjust_by_guest_type(s);
|
|
||||||
vmxnet3_update_features(s);
|
|
||||||
vmxnet3_update_pm_state(s);
|
|
||||||
@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
|
|
||||||
break;
|
|
||||||
|
|
||||||
case VMXNET3_CMD_QUIESCE_DEV:
|
|
||||||
- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
|
|
||||||
+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
|
|
||||||
vmxnet3_deactivate_device(s);
|
|
||||||
break;
|
|
||||||
|
|
||||||
@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
|
|
||||||
* shared address only after we get the high part
|
|
||||||
*/
|
|
||||||
if (val == 0) {
|
|
||||||
- s->device_active = false;
|
|
||||||
+ vmxnet3_deactivate_device(s);
|
|
||||||
}
|
|
||||||
s->temp_shared_guest_driver_memory = val;
|
|
||||||
s->drv_shmem = 0;
|
|
||||||
@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
|
|
||||||
static void vmxnet3_net_uninit(VMXNET3State *s)
|
|
||||||
{
|
|
||||||
g_free(s->mcast_list);
|
|
||||||
- vmxnet_tx_pkt_reset(s->tx_pkt);
|
|
||||||
- vmxnet_tx_pkt_uninit(s->tx_pkt);
|
|
||||||
- vmxnet_rx_pkt_uninit(s->rx_pkt);
|
|
||||||
+ vmxnet3_deactivate_device(s);
|
|
||||||
qemu_del_nic(s->nic);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.6.2
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
|
|
||||||
From: P J P <ppandit@redhat.com>
|
|
||||||
Date: Mon, 21 Dec 2015 15:13:13 +0530
|
|
||||||
Subject: [PATCH] scsi: initialise info object with appropriate size
|
|
||||||
|
|
||||||
While processing controller 'CTRL_GET_INFO' command, the routine
|
|
||||||
'megasas_ctrl_get_info' overflows the '&info' object size. Use its
|
|
||||||
appropriate size to null initialise it.
|
|
||||||
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Signed-off-by: P J P <ppandit@redhat.com>
|
|
||||||
---
|
|
||||||
hw/scsi/megasas.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
|
||||||
index d7dc667..576f56c 100644
|
|
||||||
--- a/hw/scsi/megasas.c
|
|
||||||
+++ b/hw/scsi/megasas.c
|
|
||||||
@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
|
||||||
BusChild *kid;
|
|
||||||
int num_pd_disks = 0;
|
|
||||||
|
|
||||||
- memset(&info, 0x0, cmd->iov_size);
|
|
||||||
+ memset(&info, 0x0, dcmd_size);
|
|
||||||
if (cmd->iov_size < dcmd_size) {
|
|
||||||
trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
|
|
||||||
dcmd_size);
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,121 +0,0 @@
|
|||||||
From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
|
||||||
Date: Wed, 13 Jan 2016 09:09:58 +0100
|
|
||||||
Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
|
|
||||||
|
|
||||||
When processing 'sendkey' command, hmp_sendkey routine null
|
|
||||||
terminates the 'keyname_buf' array. This results in an OOB
|
|
||||||
write issue, if 'keyname_len' was to fall outside of
|
|
||||||
'keyname_buf' array.
|
|
||||||
|
|
||||||
Since the keyname's length is known the keyname_buf can be
|
|
||||||
removed altogether by adding a length parameter to
|
|
||||||
index_from_key() and using it for the error output as well.
|
|
||||||
|
|
||||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
|
||||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
|
||||||
Message-Id: <20160113080958.GA18934@olga>
|
|
||||||
[Comparison with "<" dumbed down, test for junk after strtoul()
|
|
||||||
tweaked]
|
|
||||||
Signed-off-by: Markus Armbruster <armbru@redhat.com>
|
|
||||||
---
|
|
||||||
hmp.c | 18 ++++++++----------
|
|
||||||
include/ui/console.h | 2 +-
|
|
||||||
ui/input-legacy.c | 5 +++--
|
|
||||||
3 files changed, 12 insertions(+), 13 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hmp.c b/hmp.c
|
|
||||||
index 54f2620..9c571f5 100644
|
|
||||||
--- a/hmp.c
|
|
||||||
+++ b/hmp.c
|
|
||||||
@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
|
|
||||||
int has_hold_time = qdict_haskey(qdict, "hold-time");
|
|
||||||
int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
|
|
||||||
Error *err = NULL;
|
|
||||||
- char keyname_buf[16];
|
|
||||||
char *separator;
|
|
||||||
int keyname_len;
|
|
||||||
|
|
||||||
while (1) {
|
|
||||||
separator = strchr(keys, '-');
|
|
||||||
keyname_len = separator ? separator - keys : strlen(keys);
|
|
||||||
- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
|
|
||||||
|
|
||||||
/* Be compatible with old interface, convert user inputted "<" */
|
|
||||||
- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
|
|
||||||
- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
|
|
||||||
+ if (keys[0] == '<' && keyname_len == 1) {
|
|
||||||
+ keys = "less";
|
|
||||||
keyname_len = 4;
|
|
||||||
}
|
|
||||||
- keyname_buf[keyname_len] = 0;
|
|
||||||
|
|
||||||
keylist = g_malloc0(sizeof(*keylist));
|
|
||||||
keylist->value = g_malloc0(sizeof(*keylist->value));
|
|
||||||
@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
|
|
||||||
}
|
|
||||||
tmp = keylist;
|
|
||||||
|
|
||||||
- if (strstart(keyname_buf, "0x", NULL)) {
|
|
||||||
+ if (strstart(keys, "0x", NULL)) {
|
|
||||||
char *endp;
|
|
||||||
- int value = strtoul(keyname_buf, &endp, 0);
|
|
||||||
- if (*endp != '\0') {
|
|
||||||
+ int value = strtoul(keys, &endp, 0);
|
|
||||||
+ assert(endp <= keys + keyname_len);
|
|
||||||
+ if (endp != keys + keyname_len) {
|
|
||||||
goto err_out;
|
|
||||||
}
|
|
||||||
keylist->value->type = KEY_VALUE_KIND_NUMBER;
|
|
||||||
keylist->value->u.number = value;
|
|
||||||
} else {
|
|
||||||
- int idx = index_from_key(keyname_buf);
|
|
||||||
+ int idx = index_from_key(keys, keyname_len);
|
|
||||||
if (idx == Q_KEY_CODE_MAX) {
|
|
||||||
goto err_out;
|
|
||||||
}
|
|
||||||
@@ -1789,7 +1787,7 @@ out:
|
|
||||||
return;
|
|
||||||
|
|
||||||
err_out:
|
|
||||||
- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
|
|
||||||
+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
|
|
||||||
goto out;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/include/ui/console.h b/include/ui/console.h
|
|
||||||
index adac36d..116bc2b 100644
|
|
||||||
--- a/include/ui/console.h
|
|
||||||
+++ b/include/ui/console.h
|
|
||||||
@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires)
|
|
||||||
void curses_display_init(DisplayState *ds, int full_screen);
|
|
||||||
|
|
||||||
/* input.c */
|
|
||||||
-int index_from_key(const char *key);
|
|
||||||
+int index_from_key(const char *key, size_t key_length);
|
|
||||||
|
|
||||||
/* gtk.c */
|
|
||||||
void early_gtk_display_init(int opengl);
|
|
||||||
diff --git a/ui/input-legacy.c b/ui/input-legacy.c
|
|
||||||
index 35dfc27..3454055 100644
|
|
||||||
--- a/ui/input-legacy.c
|
|
||||||
+++ b/ui/input-legacy.c
|
|
||||||
@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
|
|
||||||
static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
|
|
||||||
QTAILQ_HEAD_INITIALIZER(led_handlers);
|
|
||||||
|
|
||||||
-int index_from_key(const char *key)
|
|
||||||
+int index_from_key(const char *key, size_t key_length)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
|
|
||||||
for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
|
|
||||||
- if (!strcmp(key, QKeyCode_lookup[i])) {
|
|
||||||
+ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
|
|
||||||
+ !QKeyCode_lookup[i][key_length]) {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,49 +0,0 @@
|
|||||||
https://bugs.gentoo.org/570110
|
|
||||||
|
|
||||||
From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Mon, 28 Dec 2015 16:24:08 +0530
|
|
||||||
Subject: [PATCH] net: rocker: fix an incorrect array bounds check
|
|
||||||
|
|
||||||
While processing transmit(tx) descriptors in 'tx_consume' routine
|
|
||||||
the switch emulator suffers from an off-by-one error, if a
|
|
||||||
descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
|
|
||||||
fragments. Fix an incorrect bounds check to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
---
|
|
||||||
hw/net/rocker/rocker.c | 8 ++++----
|
|
||||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
|
||||||
index c57f1a6..2e77e50 100644
|
|
||||||
--- a/hw/net/rocker/rocker.c
|
|
||||||
+++ b/hw/net/rocker/rocker.c
|
|
||||||
@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
|
||||||
frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
|
|
||||||
frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
|
|
||||||
|
|
||||||
+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
|
|
||||||
+ goto err_too_many_frags;
|
|
||||||
+ }
|
|
||||||
iov[iovcnt].iov_len = frag_len;
|
|
||||||
iov[iovcnt].iov_base = g_malloc(frag_len);
|
|
||||||
if (!iov[iovcnt].iov_base) {
|
|
||||||
@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
|
|
||||||
err = -ROCKER_ENXIO;
|
|
||||||
goto err_bad_io;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
|
|
||||||
- goto err_too_many_frags;
|
|
||||||
- }
|
|
||||||
+ iovcnt++;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (iovcnt) {
|
|
||||||
--
|
|
||||||
2.6.2
|
|
||||||
|
|
@ -1,50 +0,0 @@
|
|||||||
https://bugs.gentoo.org/570988
|
|
||||||
|
|
||||||
From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Thu, 31 Dec 2015 17:05:27 +0530
|
|
||||||
Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
|
|
||||||
|
|
||||||
While doing ioport r/w operations, ne2000 device emulation suffers
|
|
||||||
from OOB r/w errors. Update respective array bounds check to avoid
|
|
||||||
OOB access.
|
|
||||||
|
|
||||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
---
|
|
||||||
hw/net/ne2000.c | 10 ++++++----
|
|
||||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
|
||||||
index 010f9ef..a3dffff 100644
|
|
||||||
--- a/hw/net/ne2000.c
|
|
||||||
+++ b/hw/net/ne2000.c
|
|
||||||
@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
|
|
||||||
uint32_t val)
|
|
||||||
{
|
|
||||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
|
||||||
- if (addr < 32 ||
|
|
||||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
|
||||||
+ if (addr < 32
|
|
||||||
+ || (addr >= NE2000_PMEM_START
|
|
||||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
|
||||||
stl_le_p(s->mem + addr, val);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
|
|
||||||
static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
|
|
||||||
{
|
|
||||||
addr &= ~1; /* XXX: check exact behaviour if not even */
|
|
||||||
- if (addr < 32 ||
|
|
||||||
- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
|
|
||||||
+ if (addr < 32
|
|
||||||
+ || (addr >= NE2000_PMEM_START
|
|
||||||
+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
|
|
||||||
return ldl_le_p(s->mem + addr);
|
|
||||||
} else {
|
|
||||||
return 0xffffffff;
|
|
||||||
--
|
|
||||||
2.6.2
|
|
||||||
|
|
@ -1,41 +0,0 @@
|
|||||||
https://bugs.gentoo.org/571566
|
|
||||||
|
|
||||||
From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Mon, 11 Jan 2016 14:10:42 -0500
|
|
||||||
Subject: [PATCH] ide: ahci: reset ncq object to unused on error
|
|
||||||
|
|
||||||
When processing NCQ commands, AHCI device emulation prepares a
|
|
||||||
NCQ transfer object; To which an aio control block(aiocb) object
|
|
||||||
is assigned in 'execute_ncq_command'. In case, when the NCQ
|
|
||||||
command is invalid, the 'aiocb' object is not assigned, and NCQ
|
|
||||||
transfer object is left as 'used'. This leads to a use after
|
|
||||||
free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
|
|
||||||
Reset NCQ transfer object to 'unused' to avoid it.
|
|
||||||
|
|
||||||
[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
|
|
||||||
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Reviewed-by: John Snow <jsnow@redhat.com>
|
|
||||||
Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
|
|
||||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
|
||||||
---
|
|
||||||
hw/ide/ahci.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
|
||||||
index dd1912e..17f1cbd 100644
|
|
||||||
--- a/hw/ide/ahci.c
|
|
||||||
+++ b/hw/ide/ahci.c
|
|
||||||
@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
|
|
||||||
ide_state->error = ABRT_ERR;
|
|
||||||
ide_state->status = READY_STAT | ERR_STAT;
|
|
||||||
ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
|
|
||||||
+ ncq_tfs->used = 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void ncq_finish(NCQTransferState *ncq_tfs)
|
|
||||||
--
|
|
||||||
2.6.2
|
|
||||||
|
|
@ -1,58 +0,0 @@
|
|||||||
From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Gabriel L. Somlo" <somlo@cmu.edu>
|
|
||||||
Date: Thu, 5 Nov 2015 09:32:50 -0500
|
|
||||||
Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
When calculating a pointer to the currently selected fw_cfg item, the
|
|
||||||
following is used:
|
|
||||||
|
|
||||||
FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
|
||||||
|
|
||||||
When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
|
|
||||||
a non-existent element in s->entries[arch][...], which is undefined.
|
|
||||||
|
|
||||||
This patch ensures the resulting entry pointer is set to NULL whenever
|
|
||||||
s->cur_entry is FW_CFG_INVALID.
|
|
||||||
|
|
||||||
Reported-by: Laszlo Ersek <lersek@redhat.com>
|
|
||||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
||||||
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
|
|
||||||
Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu
|
|
||||||
Cc: Marc Marí <markmb@redhat.com>
|
|
||||||
Signed-off-by: Gabriel Somlo <somlo@cmu.edu>
|
|
||||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|
||||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
---
|
|
||||||
hw/nvram/fw_cfg.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
|
|
||||||
index c2d3a0a..046fa74 100644
|
|
||||||
--- a/hw/nvram/fw_cfg.c
|
|
||||||
+++ b/hw/nvram/fw_cfg.c
|
|
||||||
@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
|
|
||||||
static uint8_t fw_cfg_read(FWCfgState *s)
|
|
||||||
{
|
|
||||||
int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
|
|
||||||
- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
|
||||||
+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
|
|
||||||
+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
|
||||||
uint8_t ret;
|
|
||||||
|
|
||||||
if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
|
|
||||||
@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
|
|
||||||
}
|
|
||||||
|
|
||||||
arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
|
|
||||||
- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
|
||||||
+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
|
|
||||||
+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
|
|
||||||
|
|
||||||
if (dma.control & FW_CFG_DMA_CTL_READ) {
|
|
||||||
read = 1;
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,65 +0,0 @@
|
|||||||
From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: P J P <ppandit@redhat.com>
|
|
||||||
Date: Fri, 18 Dec 2015 11:35:07 +0530
|
|
||||||
Subject: [PATCH] i386: avoid null pointer dereference
|
|
||||||
|
|
||||||
Hello,
|
|
||||||
|
|
||||||
A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
|
|
||||||
occurs while doing I/O port write operations via hmp interface. In that,
|
|
||||||
'current_cpu' remains null as it is not called from cpu_exec loop, which
|
|
||||||
results in the said issue.
|
|
||||||
|
|
||||||
Below is a proposed (tested)patch to fix this issue; Does it look okay?
|
|
||||||
|
|
||||||
===
|
|
||||||
From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Fri, 18 Dec 2015 11:16:07 +0530
|
|
||||||
Subject: [PATCH] i386: avoid null pointer dereference
|
|
||||||
|
|
||||||
When I/O port write operation is called from hmp interface,
|
|
||||||
'current_cpu' remains null, as it is not called from cpu_exec()
|
|
||||||
loop. This leads to a null pointer dereference in vapic_write
|
|
||||||
routine. Add check to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Ling Liu <liuling-it@360.cn>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
|
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|
||||||
Signed-off-by: P J P <ppandit@redhat.com>
|
|
||||||
---
|
|
||||||
hw/i386/kvmvapic.c | 15 ++++++++++-----
|
|
||||||
1 file changed, 10 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
|
||||||
index c6d34b2..f0922da 100644
|
|
||||||
--- a/hw/i386/kvmvapic.c
|
|
||||||
+++ b/hw/i386/kvmvapic.c
|
|
||||||
@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
|
|
||||||
static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
|
|
||||||
unsigned int size)
|
|
||||||
{
|
|
||||||
- CPUState *cs = current_cpu;
|
|
||||||
- X86CPU *cpu = X86_CPU(cs);
|
|
||||||
- CPUX86State *env = &cpu->env;
|
|
||||||
- hwaddr rom_paddr;
|
|
||||||
VAPICROMState *s = opaque;
|
|
||||||
+ X86CPU *cpu;
|
|
||||||
+ CPUX86State *env;
|
|
||||||
+ hwaddr rom_paddr;
|
|
||||||
|
|
||||||
- cpu_synchronize_state(cs);
|
|
||||||
+ if (!current_cpu) {
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ cpu_synchronize_state(current_cpu);
|
|
||||||
+ cpu = X86_CPU(current_cpu);
|
|
||||||
+ env = &cpu->env;
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,98 +0,0 @@
|
|||||||
From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001
|
|
||||||
From: Laszlo Ersek <lersek@redhat.com>
|
|
||||||
Date: Tue, 19 Jan 2016 14:17:20 +0100
|
|
||||||
Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
|
|
||||||
start
|
|
||||||
|
|
||||||
The start_xmit() and e1000_receive_iov() functions implement DMA transfers
|
|
||||||
iterating over a set of descriptors that the guest's e1000 driver
|
|
||||||
prepares:
|
|
||||||
|
|
||||||
- the TDLEN and RDLEN registers store the total size of the descriptor
|
|
||||||
area,
|
|
||||||
|
|
||||||
- while the TDH and RDH registers store the offset (in whole tx / rx
|
|
||||||
descriptors) into the area where the transfer is supposed to start.
|
|
||||||
|
|
||||||
Each time a descriptor is processed, the TDH and RDH register is bumped
|
|
||||||
(as appropriate for the transfer direction).
|
|
||||||
|
|
||||||
QEMU already contains logic to deal with bogus transfers submitted by the
|
|
||||||
guest:
|
|
||||||
|
|
||||||
- Normally, the transmit case wants to increase TDH from its initial value
|
|
||||||
to TDT. (TDT is allowed to be numerically smaller than the initial TDH
|
|
||||||
value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
|
|
||||||
that QEMU currently has here is a check against reaching the original
|
|
||||||
TDH value again -- a complete wraparound, which should never happen.
|
|
||||||
|
|
||||||
- In the receive case RDH is increased from its initial value until
|
|
||||||
"total_size" bytes have been received; preferably in a single step, or
|
|
||||||
in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
|
|
||||||
RX descriptors are skipped without receiving data, while RDH is
|
|
||||||
incremented just the same. QEMU tries to prevent an infinite loop
|
|
||||||
(processing only null RX descriptors) by detecting whether RDH assumes
|
|
||||||
its original value during the loop. (Again, wrapping from RDLEN to 0 is
|
|
||||||
normal.)
|
|
||||||
|
|
||||||
What both directions miss is that the guest could program TDLEN and RDLEN
|
|
||||||
so low, and the initial TDH and RDH so high, that these registers will
|
|
||||||
immediately be truncated to zero, and then never reassume their initial
|
|
||||||
values in the loop -- a full wraparound will never occur.
|
|
||||||
|
|
||||||
The condition that expresses this is:
|
|
||||||
|
|
||||||
xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
|
|
||||||
|
|
||||||
i.e., TDH or RDH start out after the last whole rx or tx descriptor that
|
|
||||||
fits into the TDLEN or RDLEN sized area.
|
|
||||||
|
|
||||||
This condition could be checked before we enter the loops, but
|
|
||||||
pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
|
|
||||||
bogus DMA addresses, so we just extend the existing failsafes with the
|
|
||||||
above condition.
|
|
||||||
|
|
||||||
This is CVE-2016-1981.
|
|
||||||
|
|
||||||
Cc: "Michael S. Tsirkin" <mst@redhat.com>
|
|
||||||
Cc: Petr Matousek <pmatouse@redhat.com>
|
|
||||||
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
|
|
||||||
Cc: Prasad Pandit <ppandit@redhat.com>
|
|
||||||
Cc: Michael Roth <mdroth@linux.vnet.ibm.com>
|
|
||||||
Cc: Jason Wang <jasowang@redhat.com>
|
|
||||||
Cc: qemu-stable@nongnu.org
|
|
||||||
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
|
|
||||||
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
|
|
||||||
Reviewed-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
---
|
|
||||||
hw/net/e1000.c | 6 ++++--
|
|
||||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/net/e1000.c b/hw/net/e1000.c
|
|
||||||
index 4eda7a3..0387fa0 100644
|
|
||||||
--- a/hw/net/e1000.c
|
|
||||||
+++ b/hw/net/e1000.c
|
|
||||||
@@ -909,7 +909,8 @@ start_xmit(E1000State *s)
|
|
||||||
* bogus values to TDT/TDLEN.
|
|
||||||
* there's nothing too intelligent we could do about this.
|
|
||||||
*/
|
|
||||||
- if (s->mac_reg[TDH] == tdh_start) {
|
|
||||||
+ if (s->mac_reg[TDH] == tdh_start ||
|
|
||||||
+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
|
|
||||||
DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
|
|
||||||
tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
|
|
||||||
break;
|
|
||||||
@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt)
|
|
||||||
if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
|
|
||||||
s->mac_reg[RDH] = 0;
|
|
||||||
/* see comment in start_xmit; same here */
|
|
||||||
- if (s->mac_reg[RDH] == rdh_start) {
|
|
||||||
+ if (s->mac_reg[RDH] == rdh_start ||
|
|
||||||
+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
|
|
||||||
DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
|
|
||||||
rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
|
|
||||||
set_ics(s, 0, E1000_ICS_RXO);
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,43 +0,0 @@
|
|||||||
From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001
|
|
||||||
From: John Snow <jsnow@redhat.com>
|
|
||||||
Date: Wed, 10 Feb 2016 13:29:40 -0500
|
|
||||||
Subject: [PATCH] ahci: Do not unmap NULL addresses
|
|
||||||
|
|
||||||
Definitely don't try to unmap a garbage address.
|
|
||||||
|
|
||||||
Reported-by: Zuozhi fzz <zuozhi.fzz@alibaba-inc.com>
|
|
||||||
Signed-off-by: John Snow <jsnow@redhat.com>
|
|
||||||
Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com
|
|
||||||
---
|
|
||||||
hw/ide/ahci.c | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
|
|
||||||
index 7e87b18..3a95dad 100644
|
|
||||||
--- a/hw/ide/ahci.c
|
|
||||||
+++ b/hw/ide/ahci.c
|
|
||||||
@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
|
|
||||||
|
|
||||||
static void ahci_unmap_fis_address(AHCIDevice *ad)
|
|
||||||
{
|
|
||||||
+ if (ad->res_fis == NULL) {
|
|
||||||
+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
|
|
||||||
DMA_DIRECTION_FROM_DEVICE, 256);
|
|
||||||
ad->res_fis = NULL;
|
|
||||||
@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
|
|
||||||
|
|
||||||
static void ahci_unmap_clb_address(AHCIDevice *ad)
|
|
||||||
{
|
|
||||||
+ if (ad->lst == NULL) {
|
|
||||||
+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
|
|
||||||
+ return;
|
|
||||||
+ }
|
|
||||||
dma_memory_unmap(ad->hba->as, ad->lst, 1024,
|
|
||||||
DMA_DIRECTION_FROM_DEVICE, 1024);
|
|
||||||
ad->lst = NULL;
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Thu, 11 Feb 2016 16:31:20 +0530
|
|
||||||
Subject: [PATCH] usb: check USB configuration descriptor object
|
|
||||||
|
|
||||||
When processing remote NDIS control message packets, the USB Net
|
|
||||||
device emulator checks to see if the USB configuration descriptor
|
|
||||||
object is of RNDIS type(2). But it does not check if it is null,
|
|
||||||
which leads to a null dereference error. Add check to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com
|
|
||||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
---
|
|
||||||
hw/usb/dev-network.c | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
|
|
||||||
index 985a629..5dc4538 100644
|
|
||||||
--- a/hw/usb/dev-network.c
|
|
||||||
+++ b/hw/usb/dev-network.c
|
|
||||||
@@ -654,7 +654,8 @@ typedef struct USBNetState {
|
|
||||||
|
|
||||||
static int is_rndis(USBNetState *s)
|
|
||||||
{
|
|
||||||
- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
|
|
||||||
+ return s->dev.config ?
|
|
||||||
+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static int ndis_query(USBNetState *s, uint32_t oid,
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Wed, 24 Feb 2016 11:41:33 +0530
|
|
||||||
Subject: [PATCH] net: ne2000: check ring buffer control registers
|
|
||||||
|
|
||||||
Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152)
|
|
||||||
bytes to process network packets. Registers PSTART & PSTOP
|
|
||||||
define ring buffer size & location. Setting these registers
|
|
||||||
to invalid values could lead to infinite loop or OOB r/w
|
|
||||||
access issues. Add check to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Yang Hongke <yanghongke@huawei.com>
|
|
||||||
Tested-by: Yang Hongke <yanghongke@huawei.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
|
||||||
---
|
|
||||||
hw/net/ne2000.c | 4 ++++
|
|
||||||
1 file changed, 4 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
|
|
||||||
index e408083..f0feaf9 100644
|
|
||||||
--- a/hw/net/ne2000.c
|
|
||||||
+++ b/hw/net/ne2000.c
|
|
||||||
@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s)
|
|
||||||
{
|
|
||||||
int avail, index, boundary;
|
|
||||||
|
|
||||||
+ if (s->stop <= s->start) {
|
|
||||||
+ return 1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
index = s->curpag << 8;
|
|
||||||
boundary = s->boundary << 8;
|
|
||||||
if (index < boundary)
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,52 +0,0 @@
|
|||||||
From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Wed, 20 Jan 2016 01:26:46 +0530
|
|
||||||
Subject: [PATCH] usb: check page select value while processing iTD
|
|
||||||
|
|
||||||
While processing isochronous transfer descriptors(iTD), the page
|
|
||||||
select(PG) field value could lead to an OOB read access. Add
|
|
||||||
check to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com
|
|
||||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
---
|
|
||||||
hw/usb/hcd-ehci.c | 10 ++++++----
|
|
||||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
|
||||||
index ab00268..93601d9 100644
|
|
||||||
--- a/hw/usb/hcd-ehci.c
|
|
||||||
+++ b/hw/usb/hcd-ehci.c
|
|
||||||
@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci,
|
|
||||||
if (itd->transact[i] & ITD_XACT_ACTIVE) {
|
|
||||||
pg = get_field(itd->transact[i], ITD_XACT_PGSEL);
|
|
||||||
off = itd->transact[i] & ITD_XACT_OFFSET_MASK;
|
|
||||||
- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
|
|
||||||
- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
|
|
||||||
len = get_field(itd->transact[i], ITD_XACT_LENGTH);
|
|
||||||
|
|
||||||
if (len > max * mult) {
|
|
||||||
len = max * mult;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- if (len > BUFF_SIZE) {
|
|
||||||
+ if (len > BUFF_SIZE || pg > 6) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
|
|
||||||
qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
|
|
||||||
if (off + len > 4096) {
|
|
||||||
/* transfer crosses page border */
|
|
||||||
+ if (pg == 6) {
|
|
||||||
+ return -1; /* avoid page pg + 1 */
|
|
||||||
+ }
|
|
||||||
+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
|
||||||
uint32_t len2 = off + len - 4096;
|
|
||||||
uint32_t len1 = len - len2;
|
|
||||||
qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
@ -1,59 +0,0 @@
|
|||||||
From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Date: Wed, 17 Feb 2016 00:23:41 +0530
|
|
||||||
Subject: [PATCH] usb: check RNDIS buffer offsets & length
|
|
||||||
|
|
||||||
When processing remote NDIS control message packets,
|
|
||||||
the USB Net device emulator uses a fixed length(4096) data buffer.
|
|
||||||
The incoming informationBufferOffset & Length combination could
|
|
||||||
overflow and cross that range. Check control message buffer
|
|
||||||
offsets and length to avoid it.
|
|
||||||
|
|
||||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
|
||||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
|
||||||
Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com
|
|
||||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
|
||||||
---
|
|
||||||
hw/usb/dev-network.c | 9 ++++++---
|
|
||||||
1 file changed, 6 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
|
|
||||||
index 5dc4538..c6abd38 100644
|
|
||||||
--- a/hw/usb/dev-network.c
|
|
||||||
+++ b/hw/usb/dev-network.c
|
|
||||||
@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s,
|
|
||||||
|
|
||||||
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
|
|
||||||
buflen = le32_to_cpu(buf->InformationBufferLength);
|
|
||||||
- if (bufoffs + buflen > length)
|
|
||||||
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
|
|
||||||
return USB_RET_STALL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
|
|
||||||
bufoffs + (uint8_t *) buf, buflen, infobuf,
|
|
||||||
@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s,
|
|
||||||
|
|
||||||
bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
|
|
||||||
buflen = le32_to_cpu(buf->InformationBufferLength);
|
|
||||||
- if (bufoffs + buflen > length)
|
|
||||||
+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
|
|
||||||
return USB_RET_STALL;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
ret = ndis_set(s, le32_to_cpu(buf->OID),
|
|
||||||
bufoffs + (uint8_t *) buf, buflen);
|
|
||||||
@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p)
|
|
||||||
if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
|
|
||||||
uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
|
|
||||||
uint32_t size = le32_to_cpu(msg->DataLength);
|
|
||||||
- if (offs + size <= len)
|
|
||||||
+ if (offs < len && size < len && offs + size <= len) {
|
|
||||||
qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
s->out_ptr -= len;
|
|
||||||
memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
|
|
||||||
--
|
|
||||||
2.7.4
|
|
||||||
|
|
107
app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch
Normal file
107
app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch
Normal file
@ -0,0 +1,107 @@
|
|||||||
|
https://bugs.gentoo.org/580426
|
||||||
|
https://bugs.gentoo.org/568246
|
||||||
|
|
||||||
|
From a49923d2837d20510d645d3758f1ad87c32d0730 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Mon, 18 Apr 2016 09:20:54 +0200
|
||||||
|
Subject: [PATCH] Revert "ehci: make idt processing more robust"
|
||||||
|
|
||||||
|
This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254.
|
||||||
|
|
||||||
|
Breaks FreeBSD.
|
||||||
|
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
---
|
||||||
|
hw/usb/hcd-ehci.c | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||||
|
index d5c0e1c..43a8f7a 100644
|
||||||
|
--- a/hw/usb/hcd-ehci.c
|
||||||
|
+++ b/hw/usb/hcd-ehci.c
|
||||||
|
@@ -1397,7 +1397,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||||
|
{
|
||||||
|
USBDevice *dev;
|
||||||
|
USBEndpoint *ep;
|
||||||
|
- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
|
||||||
|
+ uint32_t i, len, pid, dir, devaddr, endp;
|
||||||
|
uint32_t pg, off, ptr1, ptr2, max, mult;
|
||||||
|
|
||||||
|
ehci->periodic_sched_active = PERIODIC_ACTIVE;
|
||||||
|
@@ -1489,10 +1489,9 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||||
|
ehci_raise_irq(ehci, USBSTS_INT);
|
||||||
|
}
|
||||||
|
itd->transact[i] &= ~ITD_XACT_ACTIVE;
|
||||||
|
- xfers++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- return xfers ? 0 : -1;
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
||||||
|
From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Mon, 18 Apr 2016 09:11:38 +0200
|
||||||
|
Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
|
||||||
|
DoS by the guest (create a circular iTD queue and let qemu ehci
|
||||||
|
emulation run in circles forever). Unfortunately this has two problems:
|
||||||
|
First it misses the case of siTDs, and second it reportedly breaks
|
||||||
|
FreeBSD.
|
||||||
|
|
||||||
|
So lets go for a different approach: just count the number of iTDs and
|
||||||
|
siTDs we have seen per frame and apply a limit. That should really
|
||||||
|
catch all cases now.
|
||||||
|
|
||||||
|
Reported-by: 杜少博 <dushaobo@360.cn>
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
---
|
||||||
|
hw/usb/hcd-ehci.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||||
|
index 159f58d..d5c0e1c 100644
|
||||||
|
--- a/hw/usb/hcd-ehci.c
|
||||||
|
+++ b/hw/usb/hcd-ehci.c
|
||||||
|
@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
|
||||||
|
static void ehci_advance_state(EHCIState *ehci, int async)
|
||||||
|
{
|
||||||
|
EHCIQueue *q = NULL;
|
||||||
|
+ int itd_count = 0;
|
||||||
|
int again;
|
||||||
|
|
||||||
|
do {
|
||||||
|
@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
|
||||||
|
|
||||||
|
case EST_FETCHITD:
|
||||||
|
again = ehci_state_fetchitd(ehci, async);
|
||||||
|
+ itd_count++;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case EST_FETCHSITD:
|
||||||
|
again = ehci_state_fetchsitd(ehci, async);
|
||||||
|
+ itd_count++;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case EST_ADVANCEQUEUE:
|
||||||
|
@@ -2087,7 +2090,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (again < 0) {
|
||||||
|
+ if (again < 0 || itd_count > 16) {
|
||||||
|
+ /* TODO: notify guest (raise HSE irq?) */
|
||||||
|
fprintf(stderr, "processing error - resetting ehci HC\n");
|
||||||
|
ehci_reset(ehci);
|
||||||
|
again = 0;
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
16
app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch
Normal file
16
app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html
|
||||||
|
https://bugs.gentoo.org/580040
|
||||||
|
|
||||||
|
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
||||||
|
index c69f374..ff1e31a 100644
|
||||||
|
--- a/hw/i386/kvmvapic.c
|
||||||
|
+++ b/hw/i386/kvmvapic.c
|
||||||
|
@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
|
||||||
|
CPUX86State *env = &cpu->env;
|
||||||
|
VAPICHandlers *handlers;
|
||||||
|
uint8_t opcode[2];
|
||||||
|
- uint32_t imm32;
|
||||||
|
+ uint32_t imm32 = 0;
|
||||||
|
target_ulong current_pc = 0;
|
||||||
|
target_ulong current_cs_base = 0;
|
||||||
|
int current_flags = 0;
|
@ -0,0 +1,47 @@
|
|||||||
|
From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Date: Fri, 8 Apr 2016 11:33:48 +0530
|
||||||
|
Subject: [PATCH] net: stellaris_enet: check packet length against receive
|
||||||
|
buffer
|
||||||
|
|
||||||
|
When receiving packets over Stellaris ethernet controller, it
|
||||||
|
uses receive buffer of size 2048 bytes. In case the controller
|
||||||
|
accepts large(MTU) packets, it could lead to memory corruption.
|
||||||
|
Add check to avoid it.
|
||||||
|
|
||||||
|
Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
|
||||||
|
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||||
|
Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
|
||||||
|
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||||
|
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||||
|
---
|
||||||
|
hw/net/stellaris_enet.c | 12 +++++++++++-
|
||||||
|
1 file changed, 11 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
|
||||||
|
index 84cf60b..6880894 100644
|
||||||
|
--- a/hw/net/stellaris_enet.c
|
||||||
|
+++ b/hw/net/stellaris_enet.c
|
||||||
|
@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
|
||||||
|
n = s->next_packet + s->np;
|
||||||
|
if (n >= 31)
|
||||||
|
n -= 31;
|
||||||
|
- s->np++;
|
||||||
|
|
||||||
|
+ if (size >= sizeof(s->rx[n].data) - 6) {
|
||||||
|
+ /* If the packet won't fit into the
|
||||||
|
+ * emulated 2K RAM, this is reported
|
||||||
|
+ * as a FIFO overrun error.
|
||||||
|
+ */
|
||||||
|
+ s->ris |= SE_INT_FOV;
|
||||||
|
+ stellaris_enet_update(s);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ s->np++;
|
||||||
|
s->rx[n].len = size + 6;
|
||||||
|
p = s->rx[n].data;
|
||||||
|
*(p++) = (size + 6);
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
@ -24,7 +24,7 @@ else
|
|||||||
SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2
|
SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2
|
||||||
${BACKPORTS:+
|
${BACKPORTS:+
|
||||||
https://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
|
https://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
|
||||||
KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~x86-fbsd"
|
KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
|
DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
|
||||||
@ -215,11 +215,14 @@ QA_WX_LOAD="usr/bin/qemu-i386
|
|||||||
DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure
|
DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure
|
||||||
you have the kernel module loaded before running kvm. The easiest way to
|
you have the kernel module loaded before running kvm. The easiest way to
|
||||||
ensure that the kernel module is loaded is to load it on boot.\n
|
ensure that the kernel module is loaded is to load it on boot.\n
|
||||||
For AMD CPUs the module is called 'kvm-amd'\n
|
For AMD CPUs the module is called 'kvm-amd'.\n
|
||||||
For Intel CPUs the module is called 'kvm-intel'\n
|
For Intel CPUs the module is called 'kvm-intel'.\n
|
||||||
Please review /etc/conf.d/modules for how to load these\n\n
|
Please review /etc/conf.d/modules for how to load these.\n\n
|
||||||
Make sure your user is in the 'kvm' group\n
|
Make sure your user is in the 'kvm' group\n
|
||||||
Just run 'gpasswd -a <USER> kvm', then have <USER> re-login."
|
Just run 'gpasswd -a <USER> kvm', then have <USER> re-login.\n\n
|
||||||
|
For brand new installs, the default permissions on /dev/kvm might not let you
|
||||||
|
access it. You can tell udev to reset ownership/perms:\n
|
||||||
|
udevadm trigger -c add /dev/kvm"
|
||||||
|
|
||||||
qemu_support_kvm() {
|
qemu_support_kvm() {
|
||||||
if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \
|
if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \
|
||||||
@ -337,25 +340,12 @@ src_prepare() {
|
|||||||
EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
|
EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
|
||||||
epatch
|
epatch
|
||||||
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2015-8567.patch #567868
|
epatch "${FILESDIR}"/${PN}-2.5.0-CVE-2016-2198.patch #573314
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2015-8558.patch #568246
|
epatch "${FILESDIR}"/${PN}-2.5.0-rng-stack-corrupt-{0,1,2,3}.patch #576420
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110
|
epatch "${FILESDIR}"/${PN}-2.5.1-stellaris_enet-overflow.patch #579614
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988
|
epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2016-4020.patch #580040
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566
|
epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2015-8558.patch #568246 #580426
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2015-8613.patch #569118
|
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2015-8619.patch #569300
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-1714.patch #571560
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-1922.patch #572082
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-1981.patch #572412
|
|
||||||
epatch "${FILESDIR}"/${P}-usb-ehci-oob.patch #572454
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-2197.patch #573280
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-2198.patch #573314
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-2392.patch #574902
|
|
||||||
epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492
|
|
||||||
epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420
|
|
||||||
epatch "${FILESDIR}"/${P}-sysmacros.patch
|
|
||||||
epatch "${FILESDIR}"/${P}-ne2000-reg-check.patch #573816
|
|
||||||
epatch "${FILESDIR}"/${P}-9pfs-segfault.patch #578142
|
|
||||||
|
|
||||||
# Fix ld and objcopy being called directly
|
# Fix ld and objcopy being called directly
|
||||||
tc-export AR LD OBJCOPY
|
tc-export AR LD OBJCOPY
|
Loading…
Reference in New Issue
Block a user