Browse Source

[app-emulation/qemu] use in-tree now

master
Robert Förster 6 years ago
parent
commit
9bcd99ead5
  1. 1
      app-emulation/qemu/Manifest
  2. 1
      app-emulation/qemu/files/65-kvm.rules
  3. 14
      app-emulation/qemu/files/bridge.conf
  4. 13
      app-emulation/qemu/files/qemu-2.5.0-cflags.patch
  5. 15
      app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
  6. 27
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
  7. 81
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch
  8. 62
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch
  9. 28
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch
  10. 27
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch
  11. 40
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch
  12. 34
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch
  13. 38
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch
  14. 31
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch
  15. 26
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch
  16. 45
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch
  17. 52
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch
  18. 32
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch
  19. 25
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch
  20. 26
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch
  21. 61
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch
  22. 34
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch
  23. 58
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch
  24. 30
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch
  25. 29
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
  26. 34
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch
  27. 31
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch
  28. 29
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch
  29. 21
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch
  30. 27
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch
  31. 92
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch
  32. 25
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch
  33. 27
      app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch
  34. 139
      app-emulation/qemu/files/qemu-binfmt.initd-r1
  35. 710
      app-emulation/qemu/qemu-2.7.0-r7.ebuild

1
app-emulation/qemu/Manifest

@ -1 +0,0 @@
DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d

1
app-emulation/qemu/files/65-kvm.rules

@ -1 +0,0 @@
KERNEL=="kvm", GROUP="kvm", MODE="0660"

14
app-emulation/qemu/files/bridge.conf

@ -1,14 +0,0 @@
# This should have the following permissions: root:qemu 0640
# allow br0
# Uncommenting the above would allow users in the 'qemu' group
# to add devices to 'br0'
# allow virbr0
# Uncommenting the above would allow users in the 'qemu' group
# to add devices to 'virbr0'
# include /etc/qemu/bob.conf
# Uncommenting the above would allow users in the 'bob' group
# to have permissions defined in it, iff it has the following
# permissions: root:bob 0640

13
app-emulation/qemu/files/qemu-2.5.0-cflags.patch

@ -1,13 +0,0 @@
--- a/configure
+++ b/configure
@@ -4468,10 +4468,6 @@ fi
if test "$gcov" = "yes" ; then
CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
-elif test "$fortify_source" = "yes" ; then
- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
-elif test "$debug" = "no"; then
- CFLAGS="-O2 $CFLAGS"
fi
##########################################

15
app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch

@ -1,15 +0,0 @@
Linux C libs are moving away from implicit header pollution with sys/types.h
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -78,6 +78,10 @@ extern int daemon(int, int);
#include <assert.h>
#include <signal.h>
+#ifdef __linux__
+#include <sys/sysmacros.h>
+#endif
+
#ifdef __OpenBSD__
#include <sys/signal.h>
#endif

27
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch

@ -1,27 +0,0 @@
From: Li Qiang <address@hidden>
In Vmxnet3 device emulator while processing transmit(tx) queue,
when it reaches end of packet, it calls vmxnet3_complete_packet.
In that local 'txcq_descr' object is not initialised, which could
leak host memory bytes a guest.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/vmxnet3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 90f6943..92f6af9 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
txcq_descr.txdIdx = tx_ridx;
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
--
2.5.5

81
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch

@ -1,81 +0,0 @@
From: Prasad J Pandit <address@hidden>
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to infinite loop or OOB access.
Add check to avoid it.
Reported-by: Tom Victor <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/vmw_pvscsi.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
Update per review
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 5116f4a..4245c15 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
return log;
}
-static int
+static void
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
{
int i;
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
uint32_t req_ring_size, cmp_ring_size;
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
- return -1;
- }
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
/* Flush ring state page changes */
smp_wmb();
-
- return 0;
}
static int
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
for (i = 0; i < rc->cmpRingNumPages; i++) {
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
}
}
@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+ if (!rc->reqRingNumPages
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
+ || !rc->cmpRingNumPages
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
+ }
+
pvscsi_dbg_dump_tx_rings_config(rc);
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
- return PVSCSI_COMMAND_PROCESSING_FAILED;
- }
+ pvscsi_ring_init_data(&s->rings, rc);
s->rings_info_valid = TRUE;
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
--
2.5.5

62
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch

@ -1,62 +0,0 @@
From: Prasad J Pandit <address@hidden>
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
long time or go into an infinite loop due to two different bugs:
1) the request descriptor data length is defined to be 64 bit. While
building SG list from a request descriptor, it gets truncated to 32bit
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
situation for large 'dataLen' values, when data_length is cast to uint32_t
and chunk_size becomes always zero. Fix this by removing the incorrect
cast.
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
element has a zero length. Get out of the loop early when this happens,
by introducing an upper limit on the number of SG list elements.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
Update as per:
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 4245c15..babac5a 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -40,6 +40,8 @@
#define PVSCSI_MAX_DEVS (64)
#define PVSCSI_MSIX_NUM_VECTORS (1)
+#define PVSCSI_MAX_SG_ELEM 2048
+
#define PVSCSI_MAX_CMD_DATA_WORDS \
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
static void
pvscsi_convert_sglist(PVSCSIRequest *r)
{
- int chunk_size;
+ uint32_t chunk_size, elmcnt = 0;
uint64_t data_length = r->req.dataLen;
PVSCSISGState sg = r->sg;
- while (data_length) {
- while (!sg.resid) {
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
pvscsi_get_next_sg_elem(&sg);
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
r->sg.resid);
}
- assert(data_length > 0);
- chunk_size = MIN((unsigned) data_length, sg.resid);
+ chunk_size = MIN(data_length, sg.resid);
if (chunk_size) {
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
}
--
2.5.5

28
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch

@ -1,28 +0,0 @@
From: Prasad J Pandit <address@hidden>
When LSI SAS1068 Host Bus emulator builds configuration page
headers, the format string used in 'mptsas_config_manufacturing_1'
was wrong. It could lead to an invalid memory access.
Reported-by: Tom Victor <address@hidden>
Fix-suggested-by: Paolo Bonzini <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 7071854..1ec895b 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
{
/* VPD - all zeros */
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
- "s256");
+ "*s256");
}
static
--
2.5.5

27
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch

@ -1,27 +0,0 @@
From: Prasad J Pandit <address@hidden>
When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() asserts to check returned size
value is within limit of 256 bytes. Fix that assert expression.
Suggested-by: Paolo Bonzini <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 1ec895b..531947f 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
va_end(ap);
if (data) {
- assert(ret < 256 && (ret % 4) == 0);
+ assert(ret / 4 < 256);
stb_p(*data + 1, ret / 4);
}
return ret;
--
2.5.5

40
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch

@ -1,40 +0,0 @@
From: Prasad J Pandit <address@hidden>
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.
Reported-by: Qinghao Tang <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/display/vmware_vga.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e51a05e..6599cf0 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.bpp = vmsvga_fifo_read(s);
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
- if (cursor.width > 256 ||
- cursor.height > 256 ||
- cursor.bpp > 32 ||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+ if (cursor.width > 256
+ || cursor.height > 256
+ || cursor.bpp > 32
+ || SVGA_BITMAP_SIZE(x, y)
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
goto badcmd;
}
--
2.5.5

34
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch

@ -1,34 +0,0 @@
From: Prasad J Pandit <address@hidden>
Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.
Cc: address@hidden
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/vmw_pvscsi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index babac5a..a5ce7de 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -247,8 +247,11 @@ static hwaddr
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
{
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- if (ready_ptr != mgr->consumed_ptr) {
+ if (ready_ptr != mgr->consumed_ptr
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
uint32_t next_ready_ptr =
mgr->consumed_ptr++ & mgr->txr_len_mask;
uint32_t next_ready_page =
--
1.8.3.1

38
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch

@ -1,38 +0,0 @@
From: Prasad J Pandit <address@hidden>
virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference
while un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/virtio/virtio.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 15ee3a7..0a4c5b6 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
}
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
- iov[num_sg].iov_len = len;
- addr[num_sg] = pa;
+ if (iov[num_sg].iov_base) {
+ iov[num_sg].iov_len = len;
+ addr[num_sg] = pa;
+ pa += len;
+ num_sg++;
+ }
sz -= len;
- pa += len;
- num_sg++;
}
*p_num_sg = num_sg;
}
--
2.5.5

31
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch

@ -1,31 +0,0 @@
From: Li Qiang <address@hidden>
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/mptsas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;
--
1.8.3.1

26
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch

@ -1,26 +0,0 @@
From: Li Qiang <address@hidden>
If the xhci uses msix, it doesn't free the corresponding
memory, thus leading a memory leak. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/usb/hcd-xhci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 188f954..281a2a5 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
/* destroy msix memory region */
if (dev->msix_table && dev->msix_pba
&& dev->msix_entry_used) {
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
}
usb_bus_release(&xhci->bus);
--
1.8.3.1

45
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch

@ -1,45 +0,0 @@
From: Prasad J Pandit <address@hidden>
i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit to number of buffer descriptors.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/imx_fec.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Update per
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 1c415ab..1d74827 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
#define PHY_INT_PARFAULT (1 << 2)
#define PHY_INT_AUTONEG_PAGE (1 << 1)
+#define IMX_MAX_DESC 1024
+
static void imx_eth_update(IMXFECState *s);
/*
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
static void imx_fec_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXFECBufDesc bd;
int len;

52
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch

@ -1,52 +0,0 @@
From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH] net: mcf: limit buffer descriptor count
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set upper limit to number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/mcf_fec.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
#define DPRINTF(fmt, ...) do {} while(0)
#endif
+#define FEC_MAX_DESC 1024
#define FEC_MAX_FRAME_SIZE 2032
typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
uint32_t addr;
mcf_fec_bd bd;
int frame_size;
- int len;
+ int len, descnt = 0;
uint8_t frame[FEC_MAX_FRAME_SIZE];
uint8_t *ptr;
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
ptr = frame;
frame_size = 0;
addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < FEC_MAX_DESC) {
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);
--
1.7.0.4

32
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch

@ -1,32 +0,0 @@
From: Prasad J Pandit <address@hidden>
The AMD PC-Net II emulator has set of control and status(CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr. Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;
--
2.5.5

25
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch

@ -1,25 +0,0 @@
From: Li Qiang <address@hidden>
In virtio gpu resource create dispatch, if the pixman format is zero
it doesn't free the resource object allocated previously. Thus leading
a host memory leak issue. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/display/virtio-gpu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7fe6ed8..5b6d17b 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
qemu_log_mask(LOG_GUEST_ERROR,
"%s: host couldn't handle guest format %d\n",
__func__, c2d.format);
+ g_free(res);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
return;
}
--
1.8.3.1

26
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch

@ -1,26 +0,0 @@
From: Li Qiang <address@hidden>
While processing isochronous transfer descriptors(iTD), if the page
select(PG) field value is out of bands it will return. In this
situation the ehci's sg list doesn't be freed thus leading a memory
leak issue. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/usb/hcd-ehci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
if (off + len > 4096) {
/* transfer crosses page border */
if (pg == 6) {
+ qemu_sglist_destroy(&ehci->isgl);
return -1; /* avoid page pg + 1 */
}
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
--
1.8.3.1

61
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch

@ -1,61 +0,0 @@
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Fri, 7 Oct 2016 10:15:29 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-xhci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 726435c..ee4fa48 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
* to the specs when it gets them */
#define ER_FULL_HACK
+#define TRB_LINK_LIMIT 4
+
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
dma_addr_t *addr)
{
PCIDevice *pci_dev = PCI_DEVICE(xhci);
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
ring->dequeue += TRB_SIZE;
return type;
} else {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return 0;
+ }
ring->dequeue = xhci_mask64(trb->parameter);
if (trb->control & TRB_LK_TC) {
ring->ccs = !ring->ccs;
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool ccs = ring->ccs;
/* hack to bundle together the two/three TDs that make a setup transfer */
bool control_td_set = 0;
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
type = TRB_TYPE(trb);
if (type == TR_LINK) {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return -length;
+ }
dequeue = xhci_mask64(trb.parameter);
if (trb.control & TRB_LK_TC) {
ccs = !ccs;
--
1.8.3.1

34
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch

@ -1,34 +0,0 @@
From: Li Qiang <address@hidden>
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
object thus causing potential memory leak. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/9pfs/9p.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee58..543a791 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
if (len < 0) {
/* IO error return the error */
err = len;
- goto out;
+ goto out_free_iovec;
}
} while (count < max_count && len > 0);
err = pdu_marshal(pdu, offset, "d", count);
if (err < 0) {
- goto out;
+ goto out_free_iovec;
}
err += offset + count;
+out_free_iovec:
qemu_iovec_destroy(&qiov);
qemu_iovec_destroy(&qiov_full);
} else if (fidp->fid_type == P9_FID_XATTR) {
--
1.8.3.1

58
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch

@ -1,58 +0,0 @@
From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
If a guest sends an empty string paramater to any 9P operation, the current
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
This is unfortunate because it can cause NULL pointer dereference to happen
at various locations in the 9pfs code. And we don't want to check str->data
everywhere we pass it to strcmp() or any other function which expects a
dereferenceable pointer.
This patch enforces the allocation of genuine C empty strings instead, so
callers don't have to bother.
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
the returned string is empty. It now uses v9fs_string_size() since
name.data cannot be NULL anymore.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
[groug, rewritten title and changelog,
fix empty string check in v9fs_xattrwalk()]
Signed-off-by: Greg Kurz <groug@kaod.org>
---
fsdev/9p-iov-marshal.c | 2 +-
hw/9pfs/9p.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
str->data = g_malloc(str->size + 1);
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
str->size);
- if (copied > 0) {
+ if (copied >= 0) {
str->data[str->size] = 0;
} else {
v9fs_string_free(str);
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee58..39a7e1d 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
goto out;
}
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
/*
* listxattr request. Get the size first
*/
--
2.7.3

30
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch

@ -1,30 +0,0 @@
From: Prasad J Pandit <address@hidden>
Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
test, if DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/rocker/rocker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 30f2ce4..e9d215a 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
rocker_msix_irq(r, val);
break;
case ROCKER_TEST_DMA_SIZE:
- r->test_dma_size = val;
+ r->test_dma_size = val & 0xFFFF;
break;
case ROCKER_TEST_DMA_ADDR + 4:
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
--
2.5.5

29
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch

@ -1,29 +0,0 @@
From: Prasad J Pandit <address@hidden>
The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/dma/rc4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
break;
/* Interval timer reload */
case 0x0228:
- s->itr = val;
+ s->itr = val & 0x01FF;
qemu_irq_lower(s->timer_irq);
set_next_tick(s);
break;
--
2.5.5

34
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch

@ -1,34 +0,0 @@
From: Prasad J Pandit <address@hidden>
16550A UART device uses an oscillator to generate frequencies
(baud base), which decide communication speed. This speed could
be changed by dividing it by a divider. If the divider is
greater than the baud base, speed is set to zero, leading to a
divide by zero error. Add check to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/char/serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Update per
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3442f47..eec72b7 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
int speed, parity, data_bits, stop_bits, frame_size;
QEMUSerialSetParams ssp;
- if (s->divider == 0)
+ if (s->divider == 0 || s->divider > s->baudbase) {
return;
+ }
/* Start bit. */
frame_size = 1;
--
2.5.5

31
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch

@ -1,31 +0,0 @@
From: Prasad J Pandit <address@hidden>
Intel HDA emulator uses stream of buffers during DMA data
transfers. Each entry has buffer length and buffer pointer
position, which are used to derive bytes to 'copy'. If this
length and buffer pointer were to be same, 'copy' could be
set to zero(0), leading to an infinite loop. Add check to
avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/audio/intel-hda.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
}
left = len;
- while (left > 0) {
+ s = st->bentries;
+ while (left > 0 && s-- > 0) {
copy = left;
if (copy > st->bsize - st->lpib)
copy = st->bsize - st->lpib;
--
2.7.4

29
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch

@ -1,29 +0,0 @@
From: Prasad J Pandit <address@hidden>
RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with maximum of 64 descriptors. While
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add
check to avoid it.
Reported-by: Andrew Henderson <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 3345bc6..f05e59c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
{
int txcount = 0;
- while (rtl8139_cplus_transmit_one(s))
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
{
++txcount;
}
--
2.7.4

21
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch

@ -1,21 +0,0 @@
From: Li Qiang <address@hidden>
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
situation that this field has been allocated previously. Every time, it
will be allocated directly. This leads a host memory leak issue. This
patch fix this.
--
1.8.3.1
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 75ba5f1..a4c7109 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+ g_free(xattr_fidp->fs.xattr.value);
xattr_fidp->fs.xattr.value = g_malloc(size);
err = offset;
put_fid(pdu, file_fidp);

27
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch

@ -1,27 +0,0 @@
Author: Li Qiang <liqiang6-s@360.cn>
Date: Mon Oct 17 14:13:58 2016 +0200
9pfs: fix information leak in xattr read
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
reads this memory before writing to it, this will leak host heap memory
to the guest. This patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 26aa7d5..bf23b01 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
g_free(xattr_fidp->fs.xattr.value);
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = offset;
put_fid(pdu, file_fidp);
out_nofid:

92
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch

@ -1,92 +0,0 @@
From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 1 Nov 2016 12:00:40 +0100
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
originated offset: they must ensure this offset does not go beyond
the size of the extended attribute that was set in v9fs_xattrcreate().
Unfortunately, the current code implement these checks with unsafe
calculations on 32 and 64 bit values, which may allow a malicious
guest to cause OOB access anyway.
Fix this by comparing the offset and the xattr size, which are
both uint64_t, before trying to compute the effective number of bytes
to read or write.
Suggested-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/9pfs/9p.c | 32 ++++++++++++--------------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index ab18ef2..7705ead 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
ssize_t err;
size_t offset = 7;
- int read_count;
- int64_t xattr_len;
+ uint64_t read_count;
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
VirtQueueElement *elem = v->elems[pdu->idx];
- xattr_len = fidp->fs.xattr.len;
- read_count = xattr_len - off;
+ if (fidp->fs.xattr.len < off) {
+ read_count = 0;
+ } else {
+ read_count = fidp->fs.xattr.len - off;
+ }
if (read_count > max_count) {
read_count = max_count;
- } else if (read_count < 0) {
- /*
- * read beyond XATTR value
- */
- read_count = 0;
}
err = pdu_marshal(pdu, offset, "d", read_count);
if (err < 0) {
@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
int i, to_copy;
ssize_t err = 0;
- int write_count;
- int64_t xattr_len;
+ uint64_t write_count;
size_t offset = 7;
- xattr_len = fidp->fs.xattr.len;
- write_count = xattr_len - off;
- if (write_count > count) {
- write_count = count;
- } else if (write_count < 0) {
- /*
- * write beyond XATTR value len specified in
- * xattrcreate
- */
+ if (fidp->fs.xattr.len < off) {
err = -ENOSPC;
goto out;
}
+ write_count = fidp->fs.xattr.len - off;
+ if (write_count > count) {
+ write_count = count;
+ }
err = pdu_marshal(pdu, offset, "d", write_count);
if (err < 0) {
return err;
--
2.7.3

25
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch

@ -1,25 +0,0 @@
From: Li Qiang <address@hidden>
In v9fs_link dispatch function, it doesn't put the 'oldfidp'
fid object, this will make the 'oldfidp->ref' never reach to 0,
thus leading a memory leak issue. This patch fix this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/9pfs/9p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 8b50bfb..29f8b7a 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2413,6 +2413,7 @@ static void v9fs_link(void *opaque)
if (!err) {
err = offset;
}
+ put_fid(pdu, oldfidp);
out:
put_fid(pdu, dfidp);
out_nofid:
--
1.8.3.1

27
app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch

@ -1,27 +0,0 @@
Author: Li Qiang <liqiang6-s@360.cn>
Date: Mon Oct 17 14:13:58 2016 +0200
9pfs: fix memory leak in v9fs_write
If an error occurs when marshalling the transfer length to the guest, the
v9fs_write() function doesn't free an IO vector, thus leading to a memory
leak. This patch fixes the issue.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, rephrased the changelog]
Signed-off-by: Greg Kurz <groug@kaod.org>
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index d43a552..e88cf25 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque)
offset = 7;
err = pdu_marshal(pdu, offset, "d", total);
if (err < 0) {
- goto out;
+ goto out_qiov;
}
err += offset;

139
app-emulation/qemu/files/qemu-binfmt.initd-r1

@ -1,139 +0,0 @@
#!/sbin/openrc-run
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel
# Defaulting to OC should be safe because it comes down to:
# - do we trust the interp itself to not be malicious? yes; we built it.
# - do we trust the programs we're running? ish; same permission as native
# binaries apply. so if user can do bad stuff natively, cross isn't worse.
: ${QEMU_BINFMT_FLAGS:=OC}
depend() {
after procfs
}
start() {
ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})"
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
modprobe -q binfmt_misc
fi
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
eend $? "You need support for 'misc binaries' in your kernel!" || return
fi
if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then
mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1
eend $? || return
fi
# probe cpu type
cpu=`uname -m`
case "$cpu" in
i386|i486|i586|i686|i86pc|BePC|x86_64)
cpu="i386"
;;
m68k)
cpu="m68k"
;;
mips*)
cpu="mips"
;;
"Power Macintosh"|ppc|ppc64)
cpu="ppc"
;;
armv[4-9]*)
cpu="arm"
;;
sparc*)
cpu="sparc"
;;
esac
# register the interpreter for each cpu except for the native one
if [ $cpu != "i386" -a -x "/usr/bin/qemu-i386" ] ; then
echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "alpha" -a -x "/usr/bin/qemu-alpha" ] ; then
echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "arm" -a -x "/usr/bin/qemu-arm" ] ; then
echo ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "arm" -a -x "/usr/bin/qemu-armeb" ] ; then
echo ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "aarch64" -a -x "/usr/bin/qemu-aarch64" ] ; then
echo ':aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "sparc" -a -x "/usr/bin/qemu-sparc" ] ; then
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
#echo 'Please check cpu value and header information for m68k!'
echo ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips" ] ; then
# FIXME: We could use the other endianness on a MIPS host.
echo ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsel" ] ; then
echo ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32" ] ; then
echo ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mipsn32:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32el" ] ; then
echo ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsn32el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64" ] ; then
echo ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64el" ] ; then
echo ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4" ] ; then
echo ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4eb" ] ; then
echo ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "s390x" -a -x "/usr/bin/qemu-s390x" ] ; then
echo ':s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
eend $?
}
stop() {
ebegin "Unregistering qemu-user binaries"
local arches
arches="${arches} i386 i486"
arches="${arches} alpha"
arches="${arches} arm armeb"
arches="${arches} aarch64"
arches="${arches} sparc"
arches="${arches} ppc"
arches="${arches} m68k"
arches="${arches} mips mipsel mipsn32 mipsn32el mips64 mips64el"
arches="${arches} sh4 sh4eb"
arches="${arches} s390x"
for a in ${arches}; do
if [ -f /proc/sys/fs/binfmt_misc/$a ] ; then
echo '-1' > /proc/sys/fs/binfmt_misc/$a
fi
done
eend $?
}
# vim: ts=4 :

710
app-emulation/qemu/qemu-2.7.0-r7.ebuild

@ -1,710 +0,0 @@
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI="5"
#MY_P="${P/_/-}"
PYTHON_COMPAT=( python2_7 )
PYTHON_REQ_USE="ncurses,readline"
PLOCALES="bg de_DE fr_FR hu it tr zh_CN"
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
user udev fcaps readme.gentoo-r1 pax-utils l10n
if [[ ${PV} = *9999* ]]; then
EGIT_REPO_URI="git://git.qemu.org/qemu.git"
inherit git-2
SRC_URI=""
else
SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2"
KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd"
fi
DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org"
LICENSE="GPL-2 LGPL-2 BSD-2"
SLOT="0"
IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs \
gnutls gtk gtk2 infiniband iscsi +jpeg \
kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs
+png pulseaudio python \
rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu
static-user systemtap tci test +threads usb usbredir +uuid vde +vhost-net \
virgl virtfs +vnc vte xattr xen xfs"
COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips
mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32
x86_64"
IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore xtensa xtensaeb"
IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx"
use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS})
use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS})
IUSE+=" ${use_softmmu_targets} ${use_user_targets}"
# Allow no targets to be built so that people can get a tools-only build.
# Block USE flag configurations known to not work.
REQUIRED_USE="${PYTHON_REQUIRED_USE}
gtk2? ( gtk )
qemu_softmmu_targets_arm? ( fdt )
qemu_softmmu_targets_microblaze? ( fdt )
qemu_softmmu_targets_ppc? ( fdt )
qemu_softmmu_targets_ppc64? ( fdt )
sdl2? ( sdl )
static? ( static-softmmu static-user )
static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 )
virtfs? ( xattr )
vte? ( gtk )"
# Yep, you need both libcap and libcap-ng since virtfs only uses libcap.
#
# The attr lib isn't always linked in (although the USE flag is always
# respected). This is because qemu supports using the C library's API
# when available rather than always using the extranl library.
#
# Older versions of gnutls are supported, but it's simpler to just require
# the latest versions. This is also why we require nettle.
#
# TODO: Split out tools deps into another var. e.g. bzip2 is only used by
# system binaries and tools, not user binaries.
COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)]
sys-libs/zlib[static-libs(+)]
bzip2? ( app-arch/bzip2[static-libs(+)] )
xattr? ( sys-apps/attr[static-libs(+)] )"
SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
>=x11-libs/pixman-0.28.0[static-libs(+)]
accessibility? ( app-accessibility/brltty[static-libs(+)] )
aio? ( dev-libs/libaio[static-libs(+)] )
alsa? ( >=media-libs/alsa-lib-1.0.13 )
bluetooth? ( net-wireless/bluez )
caps? ( sys-libs/libcap-ng[static-libs(+)] )
curl? ( >=net-misc/curl-7.15.4[static-libs(+)] )
fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] )
gnutls? (
dev-libs/nettle:=[static-libs(+)]
>=net-libs/gnutls-3.0:=[static-libs(+)]
)
gtk? (
gtk2? (
x11-libs/gtk+:2
vte? ( x11-libs/vte:0 )
)
!gtk2? (
x11-libs/gtk+:3
vte? ( x11-libs/vte:2.91 )
)
)
infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] )
iscsi? ( net-libs/libiscsi )
jpeg? ( virtual/jpeg:0=[static-libs(+)] )
lzo? ( dev-libs/lzo:2[static-libs(+)] )
ncurses? ( sys-libs/ncurses:0=[static-libs(+)] )
nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] )
numa? ( sys-process/numactl[static-libs(+)] )
opengl? (
virtual/opengl
media-libs/libepoxy[static-libs(+)]
media-libs/mesa[static-libs(+)]
media-libs/mesa[egl,gles2,gbm]
)
png? ( media-libs/libpng:0=[static-libs(+)] )
pulseaudio? ( media-sound/pulseaudio )
rbd? ( sys-cluster/ceph[static-libs(+)] )
sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
sdl? (
!sdl2? (
media-libs/libsdl[X]
>=media-libs/libsdl-1.2.11[static-libs(+)]
)
sdl2? (
media-libs/libsdl2[X]
media-libs/libsdl2[static-libs(+)]
)
)
seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] )
smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] )
snappy? ( app-arch/snappy[static-libs(+)] )
spice? (
>=app-emulation/spice-protocol-0.12.3
>=app-emulation/spice-0.12.0[static-libs(+)]
)
ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] )
usb? ( >=virtual/libusb-1-r2[static-libs(+)] )
usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] )
uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] )
vde? ( net-misc/vde[static-libs(+)] )
virgl? ( media-libs/virglrenderer[static-libs(+)] )
virtfs? ( sys-libs/libcap )
xfs? ( sys-fs/xfsprogs[static-libs(+)] )"
USER_LIB_DEPEND="${COMMON_LIB_DEPEND}"
X86_FIRMWARE_DEPEND="
>=sys-firmware/ipxe-1.0.0_p20130624
pin-upstream-blobs? (
~sys-firmware/seabios-1.9.0
~sys-firmware/sgabios-0.1_pre8
~sys-firmware/vgabios-0.7a
)
!pin-upstream-blobs? (
sys-firmware/seabios
sys-firmware/sgabios
)"
CDEPEND="
!static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) )
!static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) " ${use_user_targets}) )
qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} )
qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )
python? ( ${PYTHON_DEPS} )
systemtap? ( dev-util/systemtap )
xen? ( app-emulation/xen-tools:= )"
DEPEND="${CDEPEND}
dev-lang/perl
=dev-lang/python-2*
sys-apps/texinfo
virtual/pkgconfig
kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 )
gtk? ( nls? ( sys-devel/gettext ) )
static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND} ) " ${use_softmmu_targets}) )
static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND} ) " ${use_user_targets}) )
test? (
dev-libs/glib[utils]
sys-devel/bc
)"
RDEPEND="${CDEPEND}
selinux? ( sec-policy/selinux-qemu )
"
STRIP_MASK="/usr/share/qemu/palcode-clipper"
QA_PREBUILT="
usr/share/qemu/openbios-ppc
usr/share/qemu/openbios-sparc64
usr/share/qemu/openbios-sparc32
usr/share/qemu/palcode-clipper
usr/share/qemu/s390-ccw.img
usr/share/qemu/u-boot.e500
"
QA_WX_LOAD="usr/bin/qemu-i386
usr/bin/qemu-x86_64
usr/bin/qemu-alpha
usr/bin/qemu-arm
usr/bin/qemu-cris
usr/bin/qemu-m68k
usr/bin/qemu-microblaze
usr/bin/qemu-microblazeel
usr/bin/qemu-mips
usr/bin/qemu-mipsel
usr/bin/qemu-or32
usr/bin/qemu-ppc
usr/bin/qemu-ppc64
usr/bin/qemu-ppc64abi32
usr/bin/qemu-sh4
usr/bin/qemu-sh4eb
usr/bin/qemu-sparc
usr/bin/qemu-sparc64
usr/bin/qemu-armeb
usr/bin/qemu-sparc32plus
usr/bin/qemu-s390x
usr/bin/qemu-unicore32"
DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure
you have the kernel module loaded before running kvm. The easiest way to
ensure that the kernel module is loaded is to load it on boot.\n
For AMD CPUs the module is called 'kvm-amd'.\n
For Intel CPUs the module is called 'kvm-intel'.\n
Please review /etc/conf.d/modules for how to load these.\n\n
Make sure your user is in the 'kvm' group\n
Just run 'gpasswd -a <USER> kvm', then have <USER> re-login.\n\n
For brand new installs, the default permissions on /dev/kvm might not let you
access it. You can tell udev to reset ownership/perms:\n
udevadm trigger -c add /dev/kvm"
qemu_support_kvm() {
if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \
use qemu_softmmu_targets_ppc || use qemu_softmmu_targets_ppc64 \
use qemu_softmmu_targets_s390x; then
return 0
fi
return 1
}
pkg_pretend() {
if use kernel_linux && kernel_is lt 2 6 25; then
eerror "This version of KVM requres a host kernel of 2.6.25 or higher."
elif use kernel_linux; then
if ! linux_config_exists; then
eerror "Unable to check your kernel for KVM support"
else
CONFIG_CHECK="~KVM ~TUN ~BRIDGE"
ERROR_KVM="You must enable KVM in your kernel to continue"
ERROR_KVM_AMD="If you have an AMD CPU, you must enable KVM_AMD in"
ERROR_KVM_AMD+=" your kernel configuration."
ERROR_KVM_INTEL="If you have an Intel CPU, you must enable"
ERROR_KVM_INTEL+=" KVM_INTEL in your kernel configuration."
ERROR_TUN="You will need the Universal TUN/TAP driver compiled"
ERROR_TUN+=" into your kernel or loaded as a module to use the"
ERROR_TUN+=" virtual network device if using -net tap."
ERROR_BRIDGE="You will also need support for 802.1d"
ERROR_BRIDGE+=" Ethernet Bridging for some network configurations."
use vhost-net && CONFIG_CHECK+=" ~VHOST_NET"
ERROR_VHOST_NET="You must enable VHOST_NET to have vhost-net"
ERROR_VHOST_NET+=" support"
if use amd64 || use x86 || use amd64-linux || use x86-linux; then
CONFIG_CHECK+=" ~KVM_AMD ~KVM_INTEL"
fi
use python && CONFIG_CHECK+=" ~DEBUG_FS"
ERROR_DEBUG_FS="debugFS support required for kvm_stat"
# Now do the actual checks setup above
check_extra_config
fi
fi
if grep -qs '/usr/bin/qemu-kvm' "${EROOT}"/etc/libvirt/qemu/*.xml; then
eerror "The kvm/qemu-kvm wrappers no longer exist, but your libvirt"
eerror "instances are still pointing to it. Please update your"
eerror "configs in /etc/libvirt/qemu/ to use the -enable-kvm flag"
eerror "and the right system binary (e.g. qemu-system-x86_64)."
die "update your virt configs to not use qemu-kvm"
fi
}
pkg_setup() {
enewgroup kvm 78
}
# Sanity check to make sure target lists are kept up-to-date.
check_targets() {
local var=$1 mak=$2
local detected sorted
pushd "${S}"/default-configs >/dev/null || die
# Force C locale until glibc is updated. #564936
detected=$(echo $(printf '%s\n' *-${mak}.mak | sed "s:-${mak}.mak::" | LC_COLLATE=C sort -u))
sorted=$(echo $(printf '%s\n' ${!var} | LC_COLLATE=C sort -u))
if [[ ${sorted} != "${detected}" ]] ; then
eerror "The ebuild needs to be kept in sync."
eerror "${var}: ${sorted}"
eerror "$(printf '%-*s' ${#var} configure): ${detected}"
die "sync ${var} to the list of targets"
fi
popd >/dev/null
}
handle_locales() {
# Make sure locale list is kept up-to-date.
local detected sorted
detected=$(echo $(cd po && printf '%s\n' *.po | grep -v messages.po | sed 's:.po$::' | sort -u))
sorted=$(echo $(printf '%s\n' ${PLOCALES} | sort -u))
if [[ ${sorted} != "${detected}" ]] ; then
eerror "The ebuild needs to be kept in sync."
eerror "PLOCALES: ${sorted}"
eerror " po/*.po: ${detected}"
die "sync PLOCALES"
fi
# Deal with selective install of locales.
if use nls ; then
# Delete locales the user does not want. #577814
rm_loc() { rm po/$1.po || die; }
l10n_for_each_disabled_locale_do rm_loc
else
# Cheap hack to disable gettext .mo generation.
rm -f po/*.po
fi
}
src_prepare() {
check_targets IUSE_SOFTMMU_TARGETS softmmu
check_targets IUSE_USER_TARGETS linux-user
# Alter target makefiles to accept CFLAGS set via flag-o
sed -i -r \
-e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \
Makefile Makefile.target || die
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242
epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034
epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036
epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038
epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038
epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284
epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950
epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956
epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368
epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520
epatch "${FILESDIR}"/${P}-CVE-2016-7907.patch # bug 596048
epatch "${FILESDIR}"/${P}-CVE-2016-7908.patch # bug 596049
epatch "${FILESDIR}"/${P}-CVE-2016-7909.patch # bug 596048
epatch "${FILESDIR}"/${P}-CVE-2016-7994-1.patch # bug 596738
epatch "${FILESDIR}"/${P}-CVE-2016-7994-2.patch # bug 596738
epatch "${FILESDIR}"/${P}-CVE-2016-8576.patch # bug 596752
epatch "${FILESDIR}"/${P}-CVE-2016-8577.patch # bug 596776
epatch "${FILESDIR}"/${P}-CVE-2016-8578.patch # bug 596774
epatch "${FILESDIR}"/${P}-CVE-2016-8668.patch # bug 597110
epatch "${FILESDIR}"/${P}-CVE-2016-8669-1.patch # bug 597108
epatch "${FILESDIR}"/${P}-CVE-2016-8669-2.patch # bug 597108
epatch "${FILESDIR}"/${P}-CVE-2016-8909.patch # bug 598044
epatch "${FILESDIR}"/${P}-CVE-2016-8910.patch # bug 598046
epatch "${FILESDIR}"/${P}-CVE-2016-9102.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9103.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9104.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9105.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9106.patch # bug 598772
# Fix ld and objcopy being called directly
tc-export AR LD OBJCOPY
# Verbose builds
MAKEOPTS+=" V=1"
epatch_user
# Run after we've applied all patches.
handle_locales
}
##
# configures qemu based on the build directory and the build type
# we are using.
#
qemu_src_configure() {
debug-print-function ${FUNCNAME} "$@"
local buildtype=$1
local builddir="${S}/${buildtype}-build"
local static_flag="static-${buildtype}"
mkdir "${builddir}"
local conf_opts=(
--prefix=/usr
--sysconfdir=/etc
--libdir=/usr/$(get_libdir)
--docdir=/usr/share/doc/${PF}/html
--disable-bsd-user
--disable-guest-agent
--disable-strip
--disable-werror
# We support gnutls/nettle for crypto operations. It is possible
# to use gcrypt when gnutls/nettle are disabled (but not when they
# are enabled), but it's not really worth the hassle. Disable it
# all the time to avoid automatically detecting it. #568856
--disable-gcrypt
--python="${PYTHON}"
--cc="$(tc-getCC)"
--cxx="$(tc-getCXX)"
--host-cc="$(tc-getBUILD_CC)"
$(use_enable debug debug-info)
$(use_enable debug debug-tcg)
--enable-docs
$(use_enable tci tcg-interpreter)
$(use_enable xattr attr)
)
# Disable options not used by user targets as the default configure
# options will autoprobe and try to link in a bunch of unused junk.
conf_softmmu() {
if [[ ${buildtype} == "user" ]] ; then
echo "--disable-${2:-$1}"
else
use_enable "$@"
fi
}
conf_opts+=(
$(conf_softmmu accessibility brlapi)
$(conf_softmmu aio linux-aio)
$(conf_softmmu bzip2)
$(conf_softmmu bluetooth bluez)
$(conf_softmmu caps cap-ng)
$(conf_softmmu curl)
$(conf_softmmu fdt)
$(conf_softmmu glusterfs)
$(conf_softmmu gnutls)
$(conf_softmmu gnutls nettle)
$(conf_softmmu gtk)
$(conf_softmmu infiniband rdma)
$(conf_softmmu iscsi libiscsi)
$(conf_softmmu jpeg vnc-jpeg)
$(conf_softmmu kernel_linux kvm)
$(conf_softmmu lzo)
$(conf_softmmu ncurses curses)
$(conf_softmmu nfs libnfs)
$(conf_softmmu numa)
$(conf_softmmu opengl)
$(conf_softmmu png vnc-png)
$(conf_softmmu rbd)
$(conf_softmmu sasl vnc-sasl)
$(conf_softmmu sdl)
$(conf_softmmu seccomp)
$(conf_softmmu smartcard)
$(conf_softmmu snappy)
$(conf_softmmu spice)
$(conf_softmmu ssh libssh2)
$(conf_softmmu usb libusb)