parent
d92f169ffe
commit
9bcd99ead5
@ -1 +0,0 @@ |
||||
DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d |
||||
@ -1 +0,0 @@ |
||||
KERNEL=="kvm", GROUP="kvm", MODE="0660" |
||||
@ -1,14 +0,0 @@ |
||||
# This should have the following permissions: root:qemu 0640 |
||||
|
||||
# allow br0 |
||||
# Uncommenting the above would allow users in the 'qemu' group |
||||
# to add devices to 'br0' |
||||
|
||||
# allow virbr0 |
||||
# Uncommenting the above would allow users in the 'qemu' group |
||||
# to add devices to 'virbr0' |
||||
|
||||
# include /etc/qemu/bob.conf |
||||
# Uncommenting the above would allow users in the 'bob' group |
||||
# to have permissions defined in it, iff it has the following |
||||
# permissions: root:bob 0640 |
||||
@ -1,13 +0,0 @@ |
||||
--- a/configure
|
||||
+++ b/configure
|
||||
@@ -4468,10 +4468,6 @@ fi
|
||||
if test "$gcov" = "yes" ; then
|
||||
CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
|
||||
LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
|
||||
-elif test "$fortify_source" = "yes" ; then
|
||||
- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
|
||||
-elif test "$debug" = "no"; then
|
||||
- CFLAGS="-O2 $CFLAGS"
|
||||
fi
|
||||
|
||||
##########################################
|
||||
@ -1,15 +0,0 @@ |
||||
Linux C libs are moving away from implicit header pollution with sys/types.h
|
||||
|
||||
--- a/include/qemu/osdep.h
|
||||
+++ b/include/qemu/osdep.h
|
||||
@@ -78,6 +78,10 @@ extern int daemon(int, int);
|
||||
#include <assert.h>
|
||||
#include <signal.h>
|
||||
|
||||
+#ifdef __linux__
|
||||
+#include <sys/sysmacros.h>
|
||||
+#endif
|
||||
+
|
||||
#ifdef __OpenBSD__
|
||||
#include <sys/signal.h>
|
||||
#endif
|
||||
@ -1,27 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In Vmxnet3 device emulator while processing transmit(tx) queue,
|
||||
when it reaches end of packet, it calls vmxnet3_complete_packet.
|
||||
In that local 'txcq_descr' object is not initialised, which could
|
||||
leak host memory bytes a guest.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/vmxnet3.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 90f6943..92f6af9 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
|
||||
|
||||
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
|
||||
|
||||
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
|
||||
txcq_descr.txdIdx = tx_ridx;
|
||||
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
|
||||
|
||||
--
|
||||
2.5.5
|
||||
@ -1,81 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the page count for these rings to
|
||||
an arbitrary value, leading to infinite loop or OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Tom Victor <address@hidden>
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 21 ++++++++++-----------
|
||||
1 file changed, 10 insertions(+), 11 deletions(-)
|
||||
|
||||
Update per review
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 5116f4a..4245c15 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static int
|
||||
+static void
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
- return -1;
|
||||
- }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
||||
|
||||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
||||
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
||||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
||||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
+ if (!rc->reqRingNumPages
|
||||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
||||
+ || !rc->cmpRingNumPages
|
||||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
+
|
||||
pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
- return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
- }
|
||||
+ pvscsi_ring_init_data(&s->rings, rc);
|
||||
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
--
|
||||
2.5.5
|
||||
@ -1,62 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||
long time or go into an infinite loop due to two different bugs:
|
||||
|
||||
1) the request descriptor data length is defined to be 64 bit. While
|
||||
building SG list from a request descriptor, it gets truncated to 32bit
|
||||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||
situation for large 'dataLen' values, when data_length is cast to uint32_t
|
||||
and chunk_size becomes always zero. Fix this by removing the incorrect
|
||||
cast.
|
||||
|
||||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||
element has a zero length. Get out of the loop early when this happens,
|
||||
by introducing an upper limit on the number of SG list elements.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
Update as per:
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 4245c15..babac5a 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
#define PVSCSI_MAX_DEVS (64)
|
||||
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||
|
||||
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||
+
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
- int chunk_size;
|
||||
+ uint32_t chunk_size, elmcnt = 0;
|
||||
uint64_t data_length = r->req.dataLen;
|
||||
PVSCSISGState sg = r->sg;
|
||||
- while (data_length) {
|
||||
- while (!sg.resid) {
|
||||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||
pvscsi_get_next_sg_elem(&sg);
|
||||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||
r->sg.resid);
|
||||
}
|
||||
- assert(data_length > 0);
|
||||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||
+ chunk_size = MIN(data_length, sg.resid);
|
||||
if (chunk_size) {
|
||||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||
}
|
||||
--
|
||||
2.5.5
|
||||
@ -1,28 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, the format string used in 'mptsas_config_manufacturing_1'
|
||||
was wrong. It could lead to an invalid memory access.
|
||||
|
||||
Reported-by: Tom Victor <address@hidden>
|
||||
Fix-suggested-by: Paolo Bonzini <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 7071854..1ec895b 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||
{
|
||||
/* VPD - all zeros */
|
||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||
- "s256");
|
||||
+ "*s256");
|
||||
}
|
||||
|
||||
static
|
||||
--
|
||||
2.5.5
|
||||
@ -1,27 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, mptsas_config_pack() asserts to check returned size
|
||||
value is within limit of 256 bytes. Fix that assert expression.
|
||||
|
||||
Suggested-by: Paolo Bonzini <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 1ec895b..531947f 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||
va_end(ap);
|
||||
|
||||
if (data) {
|
||||
- assert(ret < 256 && (ret % 4) == 0);
|
||||
+ assert(ret / 4 < 256);
|
||||
stb_p(*data + 1, ret / 4);
|
||||
}
|
||||
return ret;
|
||||
--
|
||||
2.5.5
|
||||
@ -1,40 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||
the computed BITMAP and PIXMAP size are checked against the
|
||||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||
Correct these checks to avoid OOB memory access.
|
||||
|
||||
Reported-by: Qinghao Tang <address@hidden>
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/display/vmware_vga.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
- if (cursor.width > 256 ||
|
||||
- cursor.height > 256 ||
|
||||
- cursor.bpp > 32 ||
|
||||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
+ if (cursor.width > 256
|
||||
+ || cursor.height > 256
|
||||
+ || cursor.bpp > 32
|
||||
+ || SVGA_BITMAP_SIZE(x, y)
|
||||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||
goto badcmd;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.5
|
||||
|
||||
@ -1,34 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||
always returned positive value. Limit IO loop to the ring size.
|
||||
|
||||
Cc: address@hidden
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
Message-Id: <address@hidden>
|
||||
Signed-off-by: Paolo Bonzini <address@hidden>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index babac5a..a5ce7de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -247,8 +247,11 @@ static hwaddr
|
||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||
{
|
||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
|
||||
- if (ready_ptr != mgr->consumed_ptr) {
|
||||
+ if (ready_ptr != mgr->consumed_ptr
|
||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||
uint32_t next_ready_ptr =
|
||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||
uint32_t next_ready_page =
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,38 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
If its size is too large, 'cpu_physical_memory_map' could return
|
||||
a null address. This would result in a null dereference
|
||||
while un-mapping descriptors. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/virtio/virtio.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 15ee3a7..0a4c5b6 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
}
|
||||
|
||||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||
- iov[num_sg].iov_len = len;
|
||||
- addr[num_sg] = pa;
|
||||
+ if (iov[num_sg].iov_base) {
|
||||
+ iov[num_sg].iov_len = len;
|
||||
+ addr[num_sg] = pa;
|
||||
|
||||
+ pa += len;
|
||||
+ num_sg++;
|
||||
+ }
|
||||
sz -= len;
|
||||
- pa += len;
|
||||
- num_sg++;
|
||||
}
|
||||
*p_num_sg = num_sg;
|
||||
}
|
||||
--
|
||||
2.5.5
|
||||
@ -1,31 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
When processing IO request in mptsas, it uses g_new to allocate
|
||||
a 'req' object. If an error occurs before 'req->sreq' is
|
||||
allocated, It could lead to an OOB write in mptsas_free_request
|
||||
function. Use g_new0 to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
Message-Id: <address@hidden>
|
||||
Cc: address@hidden
|
||||
Signed-off-by: Paolo Bonzini <address@hidden>
|
||||
---
|
||||
hw/scsi/mptsas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 0e0a22f..eaae1bb 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- req = g_new(MPTSASRequest, 1);
|
||||
+ req = g_new0(MPTSASRequest, 1);
|
||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||
req->scsi_io = *scsi_io;
|
||||
req->dev = s;
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,26 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
If the xhci uses msix, it doesn't free the corresponding
|
||||
memory, thus leading a memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 188f954..281a2a5 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||
/* destroy msix memory region */
|
||||
if (dev->msix_table && dev->msix_pba
|
||||
&& dev->msix_entry_used) {
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||
}
|
||||
|
||||
usb_bus_release(&xhci->bus);
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,45 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
i.MX Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set an upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/imx_fec.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
Update per
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
|
||||
|
||||
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
||||
index 1c415ab..1d74827 100644
|
||||
--- a/hw/net/imx_fec.c
|
||||
+++ b/hw/net/imx_fec.c
|
||||
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
|
||||
#define PHY_INT_PARFAULT (1 << 2)
|
||||
#define PHY_INT_AUTONEG_PAGE (1 << 1)
|
||||
|
||||
+#define IMX_MAX_DESC 1024
|
||||
+
|
||||
static void imx_eth_update(IMXFECState *s);
|
||||
|
||||
/*
|
||||
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
||||
|
||||
static void imx_fec_do_tx(IMXFECState *s)
|
||||
{
|
||||
- int frame_size = 0;
|
||||
+ int frame_size = 0, descnt = 0;
|
||||
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr = frame;
|
||||
uint32_t addr = s->tx_descriptor;
|
||||
|
||||
- while (1) {
|
||||
+ while (descnt++ < IMX_MAX_DESC) {
|
||||
IMXFECBufDesc bd;
|
||||
int len;
|
||||
|
||||
@ -1,52 +0,0 @@ |
||||
From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||
Subject: [PATCH] net: mcf: limit buffer descriptor count
|
||||
|
||||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
hw/net/mcf_fec.c | 5 +++--
|
||||
1 files changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 0ee8ad9..d31fea1 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||
#define DPRINTF(fmt, ...) do {} while(0)
|
||||
#endif
|
||||
|
||||
+#define FEC_MAX_DESC 1024
|
||||
#define FEC_MAX_FRAME_SIZE 2032
|
||||
|
||||
typedef struct {
|
||||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
uint32_t addr;
|
||||
mcf_fec_bd bd;
|
||||
int frame_size;
|
||||
- int len;
|
||||
+ int len, descnt = 0;
|
||||
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr;
|
||||
|
||||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
ptr = frame;
|
||||
frame_size = 0;
|
||||
addr = s->tx_descriptor;
|
||||
- while (1) {
|
||||
+ while (descnt++ < FEC_MAX_DESC) {
|
||||
mcf_fec_read_bd(&bd, addr);
|
||||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||
addr, bd.flags, bd.length, bd.data);
|
||||
--
|
||||
1.7.0.4
|
||||
|
||||
@ -1,32 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
The AMD PC-Net II emulator has set of control and status(CSR)
|
||||
registers. Of these, CSR76 and CSR78 hold receive and transmit
|
||||
descriptor ring length respectively. This ring length could range
|
||||
from 1 to 65535. Setting ring length to zero leads to an infinite
|
||||
loop in pcnet_rdra_addr. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/pcnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 198a01f..3078de8 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
||||
case 47: /* POLLINT */
|
||||
case 72:
|
||||
case 74:
|
||||
+ break;
|
||||
case 76: /* RCVRL */
|
||||
case 78: /* XMTRL */
|
||||
+ val = (val > 0) ? val : 512;
|
||||
+ break;
|
||||
case 112:
|
||||
if (CSR_STOP(s) || CSR_SPND(s))
|
||||
break;
|
||||
--
|
||||
2.5.5
|
||||
@ -1,25 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In virtio gpu resource create dispatch, if the pixman format is zero
|
||||
it doesn't free the resource object allocated previously. Thus leading
|
||||
a host memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 7fe6ed8..5b6d17b 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
||||
qemu_log_mask(LOG_GUEST_ERROR,
|
||||
"%s: host couldn't handle guest format %d\n",
|
||||
__func__, c2d.format);
|
||||
+ g_free(res);
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
return;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,26 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), if the page
|
||||
select(PG) field value is out of bands it will return. In this
|
||||
situation the ehci's sg list doesn't be freed thus leading a memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index b093db7..f4ece9a 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
if (off + len > 4096) {
|
||||
/* transfer crosses page border */
|
||||
if (pg == 6) {
|
||||
+ qemu_sglist_destroy(&ehci->isgl);
|
||||
return -1; /* avoid page pg + 1 */
|
||||
}
|
||||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,61 +0,0 @@ |
||||
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <address@hidden>
|
||||
Date: Fri, 7 Oct 2016 10:15:29 +0200
|
||||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <address@hidden>
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 726435c..ee4fa48 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -54,6 +54,8 @@
|
||||
* to the specs when it gets them */
|
||||
#define ER_FULL_HACK
|
||||
|
||||
+#define TRB_LINK_LIMIT 4
|
||||
+
|
||||
#define LEN_CAP 0x40
|
||||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
|
||||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
|
||||
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
dma_addr_t *addr)
|
||||
{
|
||||
PCIDevice *pci_dev = PCI_DEVICE(xhci);
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
ring->dequeue += TRB_SIZE;
|
||||
return type;
|
||||
} else {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
ring->dequeue = xhci_mask64(trb->parameter);
|
||||
if (trb->control & TRB_LK_TC) {
|
||||
ring->ccs = !ring->ccs;
|
||||
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
bool ccs = ring->ccs;
|
||||
/* hack to bundle together the two/three TDs that make a setup transfer */
|
||||
bool control_td_set = 0;
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
type = TRB_TYPE(trb);
|
||||
|
||||
if (type == TR_LINK) {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return -length;
|
||||
+ }
|
||||
dequeue = xhci_mask64(trb.parameter);
|
||||
if (trb.control & TRB_LK_TC) {
|
||||
ccs = !ccs;
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,34 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
|
||||
object thus causing potential memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/9pfs/9p.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 119ee58..543a791 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
|
||||
if (len < 0) {
|
||||
/* IO error return the error */
|
||||
err = len;
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
} while (count < max_count && len > 0);
|
||||
err = pdu_marshal(pdu, offset, "d", count);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
err += offset + count;
|
||||
+out_free_iovec:
|
||||
qemu_iovec_destroy(&qiov);
|
||||
qemu_iovec_destroy(&qiov_full);
|
||||
} else if (fidp->fid_type == P9_FID_XATTR) {
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,58 +0,0 @@ |
||||
From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
|
||||
|
||||
If a guest sends an empty string paramater to any 9P operation, the current
|
||||
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
|
||||
|
||||
This is unfortunate because it can cause NULL pointer dereference to happen
|
||||
at various locations in the 9pfs code. And we don't want to check str->data
|
||||
everywhere we pass it to strcmp() or any other function which expects a
|
||||
dereferenceable pointer.
|
||||
|
||||
This patch enforces the allocation of genuine C empty strings instead, so
|
||||
callers don't have to bother.
|
||||
|
||||
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
|
||||
the returned string is empty. It now uses v9fs_string_size() since
|
||||
name.data cannot be NULL anymore.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
[groug, rewritten title and changelog,
|
||||
fix empty string check in v9fs_xattrwalk()]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
---
|
||||
fsdev/9p-iov-marshal.c | 2 +-
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
|
||||
index 663cad5..1d16f8d 100644
|
||||
--- a/fsdev/9p-iov-marshal.c
|
||||
+++ b/fsdev/9p-iov-marshal.c
|
||||
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
|
||||
str->data = g_malloc(str->size + 1);
|
||||
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
|
||||
str->size);
|
||||
- if (copied > 0) {
|
||||
+ if (copied >= 0) {
|
||||
str->data[str->size] = 0;
|
||||
} else {
|
||||
v9fs_string_free(str);
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 119ee58..39a7e1d 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
|
||||
goto out;
|
||||
}
|
||||
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
|
||||
- if (name.data == NULL) {
|
||||
+ if (!v9fs_string_size(&name)) {
|
||||
/*
|
||||
* listxattr request. Get the size first
|
||||
*/
|
||||
--
|
||||
2.7.3
|
||||
|
||||
@ -1,30 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Rocker network switch emulator has test registers to help debug
|
||||
DMA operations. While testing host DMA access, a buffer address
|
||||
is written to register 'TEST_DMA_ADDR' and its size is written to
|
||||
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
|
||||
test, if DMA buffer size was greater than 'INT_MAX', it leads to
|
||||
an invalid buffer access. Limit the DMA buffer size to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/rocker/rocker.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index 30f2ce4..e9d215a 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
||||
rocker_msix_irq(r, val);
|
||||
break;
|
||||
case ROCKER_TEST_DMA_SIZE:
|
||||
- r->test_dma_size = val;
|
||||
+ r->test_dma_size = val & 0xFFFF;
|
||||
break;
|
||||
case ROCKER_TEST_DMA_ADDR + 4:
|
||||
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
|
||||
--
|
||||
2.5.5
|
||||
@ -1,29 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
The JAZZ RC4030 chipset emulator has a periodic timer and
|
||||
associated interval reload register. The reload value is used
|
||||
as divider when computing timer's next tick value. If reload
|
||||
value is large, it could lead to divide by zero error. Limit
|
||||
the interval reload value to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/dma/rc4030.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
|
||||
index 2f2576f..c1b4997 100644
|
||||
--- a/hw/dma/rc4030.c
|
||||
+++ b/hw/dma/rc4030.c
|
||||
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
|
||||
break;
|
||||
/* Interval timer reload */
|
||||
case 0x0228:
|
||||
- s->itr = val;
|
||||
+ s->itr = val & 0x01FF;
|
||||
qemu_irq_lower(s->timer_irq);
|
||||
set_next_tick(s);
|
||||
break;
|
||||
--
|
||||
2.5.5
|
||||
@ -1,34 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
16550A UART device uses an oscillator to generate frequencies
|
||||
(baud base), which decide communication speed. This speed could
|
||||
be changed by dividing it by a divider. If the divider is
|
||||
greater than the baud base, speed is set to zero, leading to a
|
||||
divide by zero error. Add check to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/char/serial.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
Update per
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html
|
||||
|
||||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||
index 3442f47..eec72b7 100644
|
||||
--- a/hw/char/serial.c
|
||||
+++ b/hw/char/serial.c
|
||||
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
|
||||
int speed, parity, data_bits, stop_bits, frame_size;
|
||||
QEMUSerialSetParams ssp;
|
||||
|
||||
- if (s->divider == 0)
|
||||
+ if (s->divider == 0 || s->divider > s->baudbase) {
|
||||
return;
|
||||
+ }
|
||||
|
||||
/* Start bit. */
|
||||
frame_size = 1;
|
||||
--
|
||||
2.5.5
|
||||
@ -1,31 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Intel HDA emulator uses stream of buffers during DMA data
|
||||
transfers. Each entry has buffer length and buffer pointer
|
||||
position, which are used to derive bytes to 'copy'. If this
|
||||
length and buffer pointer were to be same, 'copy' could be
|
||||
set to zero(0), leading to an infinite loop. Add check to
|
||||
avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/audio/intel-hda.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
||||
index cd95340..537face 100644
|
||||
--- a/hw/audio/intel-hda.c
|
||||
+++ b/hw/audio/intel-hda.c
|
||||
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
||||
}
|
||||
|
||||
left = len;
|
||||
- while (left > 0) {
|
||||
+ s = st->bentries;
|
||||
+ while (left > 0 && s-- > 0) {
|
||||
copy = left;
|
||||
if (copy > st->bsize - st->lpib)
|
||||
copy = st->bsize - st->lpib;
|
||||
--
|
||||
2.7.4
|
||||
@ -1,29 +0,0 @@ |
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
RTL8139 ethernet controller in C+ mode supports multiple
|
||||
descriptor rings, each with maximum of 64 descriptors. While
|
||||
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
|
||||
it does not limit the descriptor count and runs forever. Add
|
||||
check to avoid it.
|
||||
|
||||
Reported-by: Andrew Henderson <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/rtl8139.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
||||
index 3345bc6..f05e59c 100644
|
||||
--- a/hw/net/rtl8139.c
|
||||
+++ b/hw/net/rtl8139.c
|
||||
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
|
||||
{
|
||||
int txcount = 0;
|
||||
|
||||
- while (rtl8139_cplus_transmit_one(s))
|
||||
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
|
||||
{
|
||||
++txcount;
|
||||
}
|
||||
--
|
||||
2.7.4
|
||||
@ -1,21 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
|
||||
situation that this field has been allocated previously. Every time, it
|
||||
will be allocated directly. This leads a host memory leak issue. This
|
||||
patch fix this.
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 75ba5f1..a4c7109 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
+ g_free(xattr_fidp->fs.xattr.value);
|
||||
xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
||||
@ -1,27 +0,0 @@ |
||||
Author: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon Oct 17 14:13:58 2016 +0200
|
||||
|
||||
9pfs: fix information leak in xattr read
|
||||
|
||||
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
|
||||
reads this memory before writing to it, this will leak host heap memory
|
||||
to the guest. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 26aa7d5..bf23b01 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
g_free(xattr_fidp->fs.xattr.value);
|
||||
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
||||
out_nofid:
|
||||
@ -1,92 +0,0 @@ |
||||
From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
|
||||
originated offset: they must ensure this offset does not go beyond
|
||||
the size of the extended attribute that was set in v9fs_xattrcreate().
|
||||
Unfortunately, the current code implement these checks with unsafe
|
||||
calculations on 32 and 64 bit values, which may allow a malicious
|
||||
guest to cause OOB access anyway.
|
||||
|
||||
Fix this by comparing the offset and the xattr size, which are
|
||||
both uint64_t, before trying to compute the effective number of bytes
|
||||
to read or write.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-By: Guido Günther <agx@sigxcpu.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
---
|
||||
hw/9pfs/9p.c | 32 ++++++++++++--------------------
|
||||
1 file changed, 12 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index ab18ef2..7705ead 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
ssize_t err;
|
||||
size_t offset = 7;
|
||||
- int read_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t read_count;
|
||||
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
|
||||
VirtQueueElement *elem = v->elems[pdu->idx];
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- read_count = xattr_len - off;
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
+ read_count = 0;
|
||||
+ } else {
|
||||
+ read_count = fidp->fs.xattr.len - off;
|
||||
+ }
|
||||
if (read_count > max_count) {
|
||||
read_count = max_count;
|
||||
- } else if (read_count < 0) {
|
||||
- /*
|
||||
- * read beyond XATTR value
|
||||
- */
|
||||
- read_count = 0;
|
||||
}
|
||||
err = pdu_marshal(pdu, offset, "d", read_count);
|
||||
if (err < 0) {
|
||||
@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
int i, to_copy;
|
||||
ssize_t err = 0;
|
||||
- int write_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t write_count;
|
||||
size_t offset = 7;
|
||||
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- write_count = xattr_len - off;
|
||||
- if (write_count > count) {
|
||||
- write_count = count;
|
||||
- } else if (write_count < 0) {
|
||||
- /*
|
||||
- * write beyond XATTR value len specified in
|
||||
- * xattrcreate
|
||||
- */
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
err = -ENOSPC;
|
||||
goto out;
|
||||
}
|
||||
+ write_count = fidp->fs.xattr.len - off;
|
||||
+ if (write_count > count) {
|
||||
+ write_count = count;
|
||||
+ }
|
||||
err = pdu_marshal(pdu, offset, "d", write_count);
|
||||
if (err < 0) {
|
||||
return err;
|
||||
--
|
||||
2.7.3
|
||||
|
||||
@ -1,25 +0,0 @@ |
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In v9fs_link dispatch function, it doesn't put the 'oldfidp'
|
||||
fid object, this will make the 'oldfidp->ref' never reach to 0,
|
||||
thus leading a memory leak issue. This patch fix this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/9pfs/9p.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 8b50bfb..29f8b7a 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2413,6 +2413,7 @@ static void v9fs_link(void *opaque)
|
||||
if (!err) {
|
||||
err = offset;
|
||||
}
|
||||
+ put_fid(pdu, oldfidp);
|
||||
out:
|
||||
put_fid(pdu, dfidp);
|
||||
out_nofid:
|
||||
--
|
||||
1.8.3.1
|
||||
@ -1,27 +0,0 @@ |
||||
Author: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon Oct 17 14:13:58 2016 +0200
|
||||
|
||||
9pfs: fix memory leak in v9fs_write
|
||||
|
||||
If an error occurs when marshalling the transfer length to the guest, the
|
||||
v9fs_write() function doesn't free an IO vector, thus leading to a memory
|
||||
leak. This patch fixes the issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, rephrased the changelog]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index d43a552..e88cf25 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque)
|
||||
offset = 7;
|
||||
err = pdu_marshal(pdu, offset, "d", total);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_qiov;
|
||||
}
|
||||
err += offset;
|
||||
|
||||
@ -1,139 +0,0 @@ |
||||
#!/sbin/openrc-run |
||||
# Copyright 1999-2016 Gentoo Foundation |
||||
# Distributed under the terms of the GNU General Public License v2 |
||||
# $Id$ |
||||
|
||||
# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel |
||||
|
||||
# Defaulting to OC should be safe because it comes down to: |
||||
# - do we trust the interp itself to not be malicious? yes; we built it. |
||||
# - do we trust the programs we're running? ish; same permission as native |
||||
# binaries apply. so if user can do bad stuff natively, cross isn't worse. |
||||
: ${QEMU_BINFMT_FLAGS:=OC} |
||||
|
||||
depend() { |
||||
after procfs |
||||
} |
||||
|
||||
start() { |
||||
ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})" |
||||
|
||||
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then |
||||
modprobe -q binfmt_misc |
||||
fi |
||||
|
||||
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then |
||||
eend $? "You need support for 'misc binaries' in your kernel!" || return |
||||
fi |
||||
|
||||
if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then |
||||
mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1 |
||||
eend $? || return |
||||
fi |
||||
|
||||
# probe cpu type |
||||
cpu=`uname -m` |
||||
case "$cpu" in |
||||
i386|i486|i586|i686|i86pc|BePC|x86_64) |
||||
cpu="i386" |
||||
;; |
||||
m68k) |
||||
cpu="m68k" |
||||
;; |
||||
mips*) |
||||
cpu="mips" |
||||
;; |
||||
"Power Macintosh"|ppc|ppc64) |
||||
cpu="ppc" |
||||
;; |
||||
armv[4-9]*) |
||||
cpu="arm" |
||||
;; |
||||
sparc*) |
||||
cpu="sparc" |
||||
;; |
||||
esac |
||||
|
||||
# register the interpreter for each cpu except for the native one |
||||
if [ $cpu != "i386" -a -x "/usr/bin/qemu-i386" ] ; then |
||||
echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "alpha" -a -x "/usr/bin/qemu-alpha" ] ; then |
||||
echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "arm" -a -x "/usr/bin/qemu-arm" ] ; then |
||||
echo ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "arm" -a -x "/usr/bin/qemu-armeb" ] ; then |
||||
echo ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "aarch64" -a -x "/usr/bin/qemu-aarch64" ] ; then |
||||
echo ':aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "sparc" -a -x "/usr/bin/qemu-sparc" ] ; then |
||||
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then |
||||
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then |
||||
#echo 'Please check cpu value and header information for m68k!' |
||||
echo ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips" ] ; then |
||||
# FIXME: We could use the other endianness on a MIPS host. |
||||
echo ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsel" ] ; then |
||||
echo ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32" ] ; then |
||||
echo ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mipsn32:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32el" ] ; then |
||||
echo ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsn32el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64" ] ; then |
||||
echo ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64el" ] ; then |
||||
echo ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4" ] ; then |
||||
echo ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4eb" ] ; then |
||||
echo ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
if [ $cpu != "s390x" -a -x "/usr/bin/qemu-s390x" ] ; then |
||||
echo ':s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register |
||||
fi |
||||
eend $? |
||||
} |
||||
|
||||
stop() { |
||||
ebegin "Unregistering qemu-user binaries" |
||||
local arches |
||||
|
||||
arches="${arches} i386 i486" |
||||
arches="${arches} alpha" |
||||
arches="${arches} arm armeb" |
||||
arches="${arches} aarch64" |
||||
arches="${arches} sparc" |
||||
arches="${arches} ppc" |
||||
arches="${arches} m68k" |
||||
arches="${arches} mips mipsel mipsn32 mipsn32el mips64 mips64el" |
||||
arches="${arches} sh4 sh4eb" |
||||
arches="${arches} s390x" |
||||
|
||||
for a in ${arches}; do |
||||
if [ -f /proc/sys/fs/binfmt_misc/$a ] ; then |
||||
echo '-1' > /proc/sys/fs/binfmt_misc/$a |
||||
fi |
||||
done |
||||
|
||||
eend $? |
||||
} |
||||
|
||||
# vim: ts=4 : |
||||
@ -1,710 +0,0 @@ |
||||
# Copyright 1999-2016 Gentoo Foundation |
||||
# Distributed under the terms of the GNU General Public License v2 |
||||
# $Id$ |
||||
|
||||
EAPI="5" |
||||
|
||||
#MY_P="${P/_/-}" |
||||
|
||||
PYTHON_COMPAT=( python2_7 ) |
||||
PYTHON_REQ_USE="ncurses,readline" |
||||
|
||||
PLOCALES="bg de_DE fr_FR hu it tr zh_CN" |
||||
|
||||
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ |
||||
user udev fcaps readme.gentoo-r1 pax-utils l10n |
||||
|
||||
if [[ ${PV} = *9999* ]]; then |
||||
EGIT_REPO_URI="git://git.qemu.org/qemu.git" |
||||
inherit git-2 |
||||
SRC_URI="" |
||||
else |
||||
SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2" |
||||
KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd" |
||||
fi |
||||
|
||||
DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" |
||||
HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" |
||||
|
||||
LICENSE="GPL-2 LGPL-2 BSD-2" |
||||
SLOT="0" |
||||
IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs \ |
||||
gnutls gtk gtk2 infiniband iscsi +jpeg \ |
||||
kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs |
||||
+png pulseaudio python \ |
||||
rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu |
||||
static-user systemtap tci test +threads usb usbredir +uuid vde +vhost-net \ |
||||
virgl virtfs +vnc vte xattr xen xfs" |
||||
|
||||
COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips |
||||
mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32 |
||||
x86_64" |
||||
IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore xtensa xtensaeb" |
||||
IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" |
||||
|
||||
use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) |
||||
use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) |
||||
IUSE+=" ${use_softmmu_targets} ${use_user_targets}" |
||||
|
||||
# Allow no targets to be built so that people can get a tools-only build. |
||||
# Block USE flag configurations known to not work. |
||||
REQUIRED_USE="${PYTHON_REQUIRED_USE} |
||||
gtk2? ( gtk ) |
||||
qemu_softmmu_targets_arm? ( fdt ) |
||||
qemu_softmmu_targets_microblaze? ( fdt ) |
||||
qemu_softmmu_targets_ppc? ( fdt ) |
||||
qemu_softmmu_targets_ppc64? ( fdt ) |
||||
sdl2? ( sdl ) |
||||
static? ( static-softmmu static-user ) |
||||
static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 ) |
||||
virtfs? ( xattr ) |
||||
vte? ( gtk )" |
||||
|
||||
# Yep, you need both libcap and libcap-ng since virtfs only uses libcap. |
||||
# |
||||
# The attr lib isn't always linked in (although the USE flag is always |
||||
# respected). This is because qemu supports using the C library's API |
||||
# when available rather than always using the extranl library. |
||||
# |
||||
# Older versions of gnutls are supported, but it's simpler to just require |
||||
# the latest versions. This is also why we require nettle. |
||||
# |
||||
# TODO: Split out tools deps into another var. e.g. bzip2 is only used by |
||||
# system binaries and tools, not user binaries. |
||||
COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)] |
||||
sys-libs/zlib[static-libs(+)] |
||||
bzip2? ( app-arch/bzip2[static-libs(+)] ) |
||||
xattr? ( sys-apps/attr[static-libs(+)] )" |
||||
SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} |
||||
>=x11-libs/pixman-0.28.0[static-libs(+)] |
||||
accessibility? ( app-accessibility/brltty[static-libs(+)] ) |
||||
aio? ( dev-libs/libaio[static-libs(+)] ) |
||||
alsa? ( >=media-libs/alsa-lib-1.0.13 ) |
||||
bluetooth? ( net-wireless/bluez ) |
||||
caps? ( sys-libs/libcap-ng[static-libs(+)] ) |
||||
curl? ( >=net-misc/curl-7.15.4[static-libs(+)] ) |
||||
fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] ) |
||||
glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] ) |
||||
gnutls? ( |
||||
dev-libs/nettle:=[static-libs(+)] |
||||
>=net-libs/gnutls-3.0:=[static-libs(+)] |
||||
) |
||||
gtk? ( |
||||
gtk2? ( |
||||
x11-libs/gtk+:2 |
||||
vte? ( x11-libs/vte:0 ) |
||||
) |
||||
!gtk2? ( |
||||
x11-libs/gtk+:3 |
||||
vte? ( x11-libs/vte:2.91 ) |
||||
) |
||||
) |
||||
infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] ) |
||||
iscsi? ( net-libs/libiscsi ) |
||||
jpeg? ( virtual/jpeg:0=[static-libs(+)] ) |
||||
lzo? ( dev-libs/lzo:2[static-libs(+)] ) |
||||
ncurses? ( sys-libs/ncurses:0=[static-libs(+)] ) |
||||
nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] ) |
||||
numa? ( sys-process/numactl[static-libs(+)] ) |
||||
opengl? ( |
||||
virtual/opengl |
||||
media-libs/libepoxy[static-libs(+)] |
||||
media-libs/mesa[static-libs(+)] |
||||
media-libs/mesa[egl,gles2,gbm] |
||||
) |
||||
png? ( media-libs/libpng:0=[static-libs(+)] ) |
||||
pulseaudio? ( media-sound/pulseaudio ) |
||||
rbd? ( sys-cluster/ceph[static-libs(+)] ) |
||||
sasl? ( dev-libs/cyrus-sasl[static-libs(+)] ) |
||||
sdl? ( |
||||
!sdl2? ( |
||||
media-libs/libsdl[X] |
||||
>=media-libs/libsdl-1.2.11[static-libs(+)] |
||||
) |
||||
sdl2? ( |
||||
media-libs/libsdl2[X] |
||||
media-libs/libsdl2[static-libs(+)] |
||||
) |
||||
) |
||||
seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) |
||||
smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) |
||||
snappy? ( app-arch/snappy[static-libs(+)] ) |
||||
spice? ( |
||||
>=app-emulation/spice-protocol-0.12.3 |
||||
>=app-emulation/spice-0.12.0[static-libs(+)] |
||||
) |
||||
ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) |
||||
usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) |
||||
usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) |
||||
uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] ) |
||||
vde? ( net-misc/vde[static-libs(+)] ) |
||||
virgl? ( media-libs/virglrenderer[static-libs(+)] ) |
||||
virtfs? ( sys-libs/libcap ) |
||||
xfs? ( sys-fs/xfsprogs[static-libs(+)] )" |
||||
USER_LIB_DEPEND="${COMMON_LIB_DEPEND}" |
||||
X86_FIRMWARE_DEPEND=" |
||||
>=sys-firmware/ipxe-1.0.0_p20130624 |
||||
pin-upstream-blobs? ( |
||||
~sys-firmware/seabios-1.9.0 |
||||
~sys-firmware/sgabios-0.1_pre8 |
||||
~sys-firmware/vgabios-0.7a |
||||
) |
||||
!pin-upstream-blobs? ( |
||||
sys-firmware/seabios |
||||
sys-firmware/sgabios |
||||
)" |
||||
CDEPEND=" |
||||
!static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) ) |
||||
!static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) " ${use_user_targets}) ) |
||||
qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} ) |
||||
qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} ) |
||||
python? ( ${PYTHON_DEPS} ) |
||||
systemtap? ( dev-util/systemtap ) |
||||
xen? ( app-emulation/xen-tools:= )" |
||||
DEPEND="${CDEPEND} |
||||
dev-lang/perl |
||||
=dev-lang/python-2* |
||||
sys-apps/texinfo |
||||
virtual/pkgconfig |
||||
kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 ) |
||||
gtk? ( nls? ( sys-devel/gettext ) ) |
||||
static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND} ) " ${use_softmmu_targets}) ) |
||||
static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND} ) " ${use_user_targets}) ) |
||||
test? ( |
||||
dev-libs/glib[utils] |
||||
sys-devel/bc |
||||
)" |
||||
RDEPEND="${CDEPEND} |
||||
selinux? ( sec-policy/selinux-qemu ) |
||||
" |
||||
|
||||
STRIP_MASK="/usr/share/qemu/palcode-clipper" |
||||
|
||||
QA_PREBUILT=" |
||||
usr/share/qemu/openbios-ppc |
||||
usr/share/qemu/openbios-sparc64 |
||||
usr/share/qemu/openbios-sparc32 |
||||
usr/share/qemu/palcode-clipper |
||||
usr/share/qemu/s390-ccw.img |
||||
usr/share/qemu/u-boot.e500 |
||||
" |
||||
|
||||
QA_WX_LOAD="usr/bin/qemu-i386 |
||||
usr/bin/qemu-x86_64 |
||||
usr/bin/qemu-alpha |
||||
usr/bin/qemu-arm |
||||
usr/bin/qemu-cris |
||||
usr/bin/qemu-m68k |
||||
usr/bin/qemu-microblaze |
||||
usr/bin/qemu-microblazeel |
||||
usr/bin/qemu-mips |
||||
usr/bin/qemu-mipsel |
||||
usr/bin/qemu-or32 |
||||
usr/bin/qemu-ppc |
||||
usr/bin/qemu-ppc64 |
||||
usr/bin/qemu-ppc64abi32 |
||||
usr/bin/qemu-sh4 |
||||
usr/bin/qemu-sh4eb |
||||
usr/bin/qemu-sparc |
||||
usr/bin/qemu-sparc64 |
||||
usr/bin/qemu-armeb |
||||
usr/bin/qemu-sparc32plus |
||||
usr/bin/qemu-s390x |
||||
usr/bin/qemu-unicore32" |
||||
|
||||
DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure |
||||
you have the kernel module loaded before running kvm. The easiest way to |
||||
ensure that the kernel module is loaded is to load it on boot.\n |
||||
For AMD CPUs the module is called 'kvm-amd'.\n |
||||