diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest
index f36eb60..2d0ad86 100644
--- a/app-emulation/qemu/Manifest
+++ b/app-emulation/qemu/Manifest
@@ -1 +1 @@
-DIST qemu-2.3.0.tar.bz2 24683085 SHA256 b6bab7f763d5be73e7cb5ee7d4c8365b7a8df2972c52fa5ded18893bd8281588 SHA512 7a40d213c5696b27784abd2a3119e49d42c38c923be431826c73a8f14c19074435d7f1a652686c53baf08e81f5a3005b2ddc92d67c32f6a2b19659ab627e9eaa WHIRLPOOL 9dad6e342027c3be512b4e0b40e810e0a6f1dc84a16847aa5aac74d97f7a347e60d42e770335a090f83e90a1614294f86552a84edc1faafc7093d3e32602f5de
+DIST qemu-2.4.0.tar.bz2 25070979 SHA256 72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620 SHA512 8740e0fb2c654ed897dff4649f1f83d14d57cfa9cbde723899f115982f93253ce9a2bddd60aab379d241027d2044137770efe4c0b3c83d5b20f3a2a06f05a5dc WHIRLPOOL 8c6cfae096624e01f0d5daeb86aa2dccbeaa86d2aeab626cf55cf20b7edace82d0b0f3a1d85eeb2dc1fd53abaaa9dccf8f0d7ddc657a1f5ffd72fd68301648f1
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
deleted file mode 100644
index 885db3b..0000000
--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -https://bugs.gentoo.org/551752 - -From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001 -From: Petr Matousek -Date: Sun, 24 May 2015 10:53:44 +0200 -Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx - -4096 is the maximum length per TMD and it is also currently the size of -the relay buffer pcnet driver uses for sending the packet data to QEMU -for further processing. With packet spanning multiple TMDs it can -happen that the overall packet size will be bigger than sizeof(buffer), -which results in memory corruption. - -Fix this by only allowing to queue maximum sizeof(buffer) bytes. - -This is CVE-2015-3209. - -[Fixed 3-space indentation to QEMU's 4-space coding standard. ---Stefan] - -Signed-off-by: Petr Matousek -Reported-by: Matt Tait -Reviewed-by: Peter Maydell -Reviewed-by: Stefan Hajnoczi -Signed-off-by: Stefan Hajnoczi ---- - hw/net/pcnet.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index bdfd38f..68b9981 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s) - } - - bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); -+ -+ /* if multi-tmd packet outsizes s->buffer then skip it silently. -+ Note: this is not what real hw does */ -+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) { -+ s->xmit_pos = -1; -+ goto txdone; -+ } -+ - s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr), - s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s)); - s->xmit_pos += bcnt; --- -2.2.0.rc0.207.ga3a616c - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch deleted file mode 100644 index 7fee8fd..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From: Petr Matousek -Date: Wed, 17 Jun 2015 10:46:11 +0000 (+0200) -Subject: i8254: fix out-of-bounds memory access in pit_ioport_read() -X-Git-Tag: v2.4.0-rc0~43^2~9 -X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=d4862a87e31a51de9eb260f25c9e99a75efe3235;hp=9dacf32d2cbd66cbcce7944ebdfd6b2df20e33b8 - -i8254: fix out-of-bounds memory access in pit_ioport_read() - -Due converting PIO to the new memory read/write api we no longer provide -separate I/O region lenghts for read and write operations. As a result, -reading from PIT Mode/Command register will end with accessing -pit->channels with invalid index. - -Fix this by ignoring read from the Mode/Command register. - -This is CVE-2015-3214. - -Reported-by: Matt Tait -Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052 -Cc: qemu-stable@nongnu.org -Signed-off-by: Petr Matousek -Signed-off-by: Paolo Bonzini ---- - -diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c -index 3450c98..9b65a33 100644 ---- a/hw/timer/i8254.c -+++ b/hw/timer/i8254.c -@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr, - PITChannelState *s; - - addr &= 3; -+ -+ if (addr == 3) { -+ /* Mode/Command register is write only, read is ignored */ -+ return 0; -+ } -+ - s = &pit->channels[addr]; - if (s->status_latched) { - s->status_latched = 0; diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch deleted file mode 100644 index 87697d0..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -https://bugs.gentoo.org/549404 - -From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 -From: Petr Matousek -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek -Reviewed-by: John Snow -Signed-off-by: John Snow ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index f72a392..d8a8edd 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; 
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command --- -1.7.0.4 - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch deleted file mode 100644 index 759e403..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From d2ff85854512574e7209f295e87b0835d5b032c6 Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Sun, 26 Jul 2015 23:42:53 -0400 -Subject: [PATCH] ide: Check array bounds before writing to io_buffer - (CVE-2015-5154) - -If the end_transfer_func of a command is called because enough data has -been read or written for the current PIO transfer, and it fails to -correctly call the command completion functions, the DRQ bit in the -status register and s->end_transfer_func may remain set. This allows the -guest to access further bytes in s->io_buffer beyond s->data_end, and -eventually overflowing the io_buffer. - -One case where this currently happens is emulation of the ATAPI command -START STOP UNIT. - -This patch fixes the problem by adding explicit array bounds checks -before accessing the buffer instead of relying on end_transfer_func to -function correctly. - -Cc: qemu-stable@nongnu.org -Signed-off-by: Kevin Wolf -Reviewed-by: John Snow ---- - hw/ide/core.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 122e955..44fcc23 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return; -+ } -+ - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 2 > s->data_end) { -+ return 0; -+ } -+ - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return; -+ } -+ - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - } - - p = s->data_ptr; -+ if (p + 4 > s->data_end) { -+ return 0; -+ } -+ - ret 
= cpu_to_le32(*(uint32_t *)p);
- p += 4;
- s->data_ptr = p;
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch
deleted file mode 100644
index 6d7902a..0000000
--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 03441c3a4a42beb25460dd11592539030337d0f8 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf
-Date: Sun, 26 Jul 2015 23:42:53 -0400
-Subject: [PATCH] ide/atapi: Fix START STOP UNIT command completion
-
-The command must be completed on all code paths. START STOP UNIT with
-pwrcnd set should succeed without doing anything.
-
-Signed-off-by: Kevin Wolf
-Reviewed-by: John Snow
----
- hw/ide/atapi.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 950e311..79dd167 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
- 
- if (pwrcnd) {
- /* eject/load only happens for power condition == 0 */
-+ ide_atapi_cmd_ok(s);
- return;
- }
- 
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch
deleted file mode 100644
index f6f346f..0000000
--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch
+++ /dev/null
@@ -1,69 +0,0 @@ -From cb72cba83021fa42719e73a5249c12096a4d1cfc Mon Sep 17 00:00:00 2001 -From: Kevin Wolf -Date: Sun, 26 Jul 2015 23:42:53 -0400 -Subject: [PATCH] ide: Clear DRQ after handling all expected accesses - -This is additional hardening against an end_transfer_func that fails to -clear the DRQ status bit. The bit must be unset as soon as the PIO -transfer has completed, so it's better to do this in a central place -instead of duplicating the code in all commands (and forgetting it in -some). - -Signed-off-by: Kevin Wolf -Reviewed-by: John Snow ---- - hw/ide/core.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/hw/ide/core.c b/hw/ide/core.c -index 44fcc23..50449ca 100644 ---- a/hw/ide/core.c -+++ b/hw/ide/core.c -@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val) - *(uint16_t *)p = le16_to_cpu(val); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readw(void *opaque, uint32_t addr) -@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr) - ret = cpu_to_le16(*(uint16_t *)p); - p += 2; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - -@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val) - *(uint32_t *)p = le32_to_cpu(val); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - } - - uint32_t ide_data_readl(void *opaque, uint32_t addr) -@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr) - ret = cpu_to_le32(*(uint32_t *)p); - p += 4; - s->data_ptr = p; -- if (p >= s->data_end) -+ if (p >= s->data_end) { -+ s->status &= ~DRQ_STAT; - s->end_transfer_func(s); -+ } - return ret; - } - 
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch deleted file mode 100644 index 9badc9b..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch +++ /dev/null @@ -1,40 +0,0 @@ -commit c170aad8b057223b1139d72e5ce7acceafab4fa9 -Author: Paolo Bonzini -Date: Tue Jul 21 08:59:39 2015 +0200 - - scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158) - - This is a guest-triggerable buffer overflow present in QEMU 2.2.0 - and newer. scsi_cdb_length returns -1 as an error value, but the - caller does not check it. - - Luckily, the massive overflow means that QEMU will just SIGSEGV, - making the impact much smaller. - - Reported-by: Zhu Donghai (朱东海) - Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173 - Reviewed-by: Fam Zheng - Cc: qemu-stable@nongnu.org - Signed-off-by: Paolo Bonzini - -diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c -index f50b2f0..f0ae462 100644 ---- a/hw/scsi/scsi-bus.c -+++ b/hw/scsi/scsi-bus.c -@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) { - int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf) - { - int rc; -+ int len; - - cmd->lba = -1; -- cmd->len = scsi_cdb_length(buf); -+ len = scsi_cdb_length(buf); -+ if (len < 0) { -+ return -1; -+ } - -+ cmd->len = len; - switch (dev->type) { - case TYPE_TAPE: - rc = scsi_req_stream_xfer(cmd, dev, buf); diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-1.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-1.patch deleted file mode 100644 index 043d189..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-1.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 5e0c290415b9d57077a86e70c8e6a058868334d3 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:16:58 +0100 -Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing - -Transmit offload needs to parse packet headers. If header fields have -unexpected values the offload processing is skipped. - -The code currently uses nested ifs because there is relatively little -input validation. The next patches will add missing input validation -and a goto label is more appropriate to avoid deep if statement nesting. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 41 ++++++++++++++++++++++------------------- - 1 file changed, 22 insertions(+), 19 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 5f0197c..91ba33b 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2174,28 +2174,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - size_t eth_payload_len = 0; - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); -- if (proto == ETH_P_IP) -+ if (proto != ETH_P_IP) - { -- DPRINTF("+++ C+ mode has IP packet\n"); -- -- /* not aligned */ -- eth_payload_data = saved_buffer + ETH_HLEN; -- eth_payload_len = saved_size - ETH_HLEN; -- -- ip = (ip_header*)eth_payload_data; -- -- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -- DPRINTF("+++ C+ mode packet has bad IP version %d " -- "expected %d\n", IP_HEADER_VERSION(ip), -- IP_HEADER_VERSION_4); -- ip = NULL; -- } else { -- hlen = IP_HEADER_LENGTH(ip); -- ip_protocol = ip->ip_p; -- ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -- } -+ goto skip_offload; - } - -+ DPRINTF("+++ C+ mode has IP packet\n"); -+ -+ /* not aligned */ -+ eth_payload_data = saved_buffer + ETH_HLEN; -+ eth_payload_len = saved_size - ETH_HLEN; -+ -+ ip = (ip_header*)eth_payload_data; -+ -+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { -+ DPRINTF("+++ C+ mode packet has bad IP version %d " -+ "expected %d\n", IP_HEADER_VERSION(ip), -+ 
IP_HEADER_VERSION_4); -+ goto skip_offload; -+ } -+ -+ hlen = IP_HEADER_LENGTH(ip); -+ ip_protocol = ip->ip_p; -+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen; -+ - if (ip) - { - if (txdw0 & CP_TX_IPCS) -@@ -2391,6 +2393,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - } - -+skip_offload: - /* update tally counter */ - ++s->tally_counters.TxOk; - --- -2.1.4 - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-2.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-2.patch deleted file mode 100644 index 7a76a8a..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-2.patch +++ /dev/null 
@@ -1,373 +0,0 @@ -From 2d7d80e8dc160904fa7276cc05da26c062a50066 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:16:59 +0100 -Subject: [PATCH 2/7] rtl8139: drop tautologous if (ip) {...} statement - -The previous patch stopped using the ip pointer as an indicator that the -IP header is present. When we reach the if (ip) {...} statement we know -ip is always non-NULL. - -Remove the if statement to reduce nesting. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 305 +++++++++++++++++++++++++++---------------------------- - 1 file changed, 151 insertions(+), 154 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 91ba33b..2f12d42 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2198,198 +2198,195 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -- if (ip) -+ if (txdw0 & CP_TX_IPCS) - { -- if (txdw0 & CP_TX_IPCS) -- { -- DPRINTF("+++ C+ mode need IP checksum\n"); -+ DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ if (hleneth_payload_len) {/* min header length */ -+ /* bad packet header len */ -+ /* or packet too short */ - } -- -- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ else - { -- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); -+ } -+ } - -- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -- "frame data %d specified MSS=%d\n", ETH_MTU, -- ip_data_len, saved_size - ETH_HLEN, large_send_mss); -+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) -+ { -+ int 
large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK; - -- int tcp_send_offset = 0; -- int send_count = 0; -+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d " -+ "frame data %d specified MSS=%d\n", ETH_MTU, -+ ip_data_len, saved_size - ETH_HLEN, large_send_mss); - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -+ int tcp_send_offset = 0; -+ int send_count = 0; - -- /* save IP header template; data area is used in tcp checksum calculation */ -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; - -- /* a placeholder for checksum calculation routine in tcp case */ -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ /* save IP header template; data area is used in tcp checksum calculation */ -+ memcpy(saved_ip_header, eth_payload_data, hlen); - -- /* pointer to TCP header */ -- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); -+ /* a placeholder for checksum calculation routine in tcp case */ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; - -- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); -+ /* pointer to TCP header */ -+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen); - -- /* ETH_MTU = ip header len + tcp header len + payload */ -- int tcp_data_len = ip_data_len - tcp_hlen; -- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; -+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr); - -- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -- "data len %d TCP chunk size %d\n", ip_data_len, -- tcp_hlen, tcp_data_len, tcp_chunk_size); -+ /* ETH_MTU = ip header len + tcp header len + payload */ -+ int tcp_data_len = ip_data_len - tcp_hlen; -+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen; - -- /* note the cycle below overwrites IP header data, -- but restores it from 
saved_ip_header before sending packet */ -+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP " -+ "data len %d TCP chunk size %d\n", ip_data_len, -+ tcp_hlen, tcp_data_len, tcp_chunk_size); - -- int is_last_frame = 0; -+ /* note the cycle below overwrites IP header data, -+ but restores it from saved_ip_header before sending packet */ - -- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) -- { -- uint16_t chunk_size = tcp_chunk_size; -- -- /* check if this is the last frame */ -- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -- { -- is_last_frame = 1; -- chunk_size = tcp_data_len - tcp_send_offset; -- } -- -- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -- be32_to_cpu(p_tcp_hdr->th_seq)); -- -- /* add 4 TCP pseudoheader fields */ -- /* copy IP source and destination fields */ -- memcpy(data_to_checksum, saved_ip_header + 12, 8); -- -- DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -- "packet with %d bytes data\n", tcp_hlen + -- chunk_size); -- -- if (tcp_send_offset) -- { -- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -- } -- -- /* keep PUSH and FIN flags only for the last frame */ -- if (!is_last_frame) -- { -- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -- } -- -- /* recalculate TCP checksum */ -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); -- -- p_tcp_hdr->th_sum = 0; -- -- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -- tcp_checksum); -- -- p_tcp_hdr->th_sum = tcp_checksum; -- -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -- -- /* set IP data length and recalculate IP checksum */ -- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); -- -- /* 
increment IP id for subsequent frames */ -- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); -- -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(eth_payload_data, hlen); -- DPRINTF("+++ C+ mode TSO IP header len=%d " -- "checksum=%04x\n", hlen, ip->ip_sum); -- -- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -- DPRINTF("+++ C+ mode TSO transferring packet size " -- "%d\n", tso_send_size); -- rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -- 0, (uint8_t *) dot1q_buffer); -- -- /* add transferred count to TCP sequence number */ -- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -- ++send_count; -- } -+ int is_last_frame = 0; - -- /* Stop sending this frame */ -- saved_size = 0; -- } -- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size) - { -- DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ uint16_t chunk_size = tcp_chunk_size; - -- /* maximum IP header length is 60 bytes */ -- uint8_t saved_ip_header[60]; -- memcpy(saved_ip_header, eth_payload_data, hlen); -+ /* check if this is the last frame */ -+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len) -+ { -+ is_last_frame = 1; -+ chunk_size = tcp_data_len - tcp_send_offset; -+ } - -- uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -- // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n", -+ be32_to_cpu(p_tcp_hdr->th_seq)); - - /* add 4 TCP pseudoheader fields */ - /* copy IP source and destination fields */ - memcpy(data_to_checksum, saved_ip_header + 12, 8); - -- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for " -+ "packet with %d bytes data\n", tcp_hlen + -+ chunk_size); -+ -+ if (tcp_send_offset) - { -- DPRINTF("+++ C+ mode calculating TCP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ 
memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size); -+ } - -- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_tcpip_hdr->zeros = 0; -- p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* keep PUSH and FIN flags only for the last frame */ -+ if (!is_last_frame) -+ { -+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN); -+ } - -- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ /* recalculate TCP checksum */ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size); - -- p_tcp_hdr->th_sum = 0; -+ p_tcp_hdr->th_sum = 0; - -- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode TCP checksum %04x\n", -- tcp_checksum); -+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12); -+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n", -+ tcp_checksum); - -- p_tcp_hdr->th_sum = tcp_checksum; -- } -- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -- { -- DPRINTF("+++ C+ mode calculating UDP checksum for " -- "packet with %d bytes data\n", ip_data_len); -+ p_tcp_hdr->th_sum = tcp_checksum; - -- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -- p_udpip_hdr->zeros = 0; -- p_udpip_hdr->ip_proto = IP_PROTO_UDP; -- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - -- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ /* set IP data length and recalculate IP checksum */ -+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size); - -- p_udp_hdr->uh_sum = 0; -+ /* increment IP id for subsequent frames */ -+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id)); - -- int 
udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -- DPRINTF("+++ C+ mode UDP checksum %04x\n", -- udp_checksum); -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(eth_payload_data, hlen); -+ DPRINTF("+++ C+ mode TSO IP header len=%d " -+ "checksum=%04x\n", hlen, ip->ip_sum); - -- p_udp_hdr->uh_sum = udp_checksum; -- } -+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size; -+ DPRINTF("+++ C+ mode TSO transferring packet size " -+ "%d\n", tso_send_size); -+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size, -+ 0, (uint8_t *) dot1q_buffer); - -- /* restore IP header */ -- memcpy(eth_payload_data, saved_ip_header, hlen); -+ /* add transferred count to TCP sequence number */ -+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq)); -+ ++send_count; - } -+ -+ /* Stop sending this frame */ -+ saved_size = 0; -+ } -+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS)) -+ { -+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n"); -+ -+ /* maximum IP header length is 60 bytes */ -+ uint8_t saved_ip_header[60]; -+ memcpy(saved_ip_header, eth_payload_data, hlen); -+ -+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12; -+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12; -+ -+ /* add 4 TCP pseudoheader fields */ -+ /* copy IP source and destination fields */ -+ memcpy(data_to_checksum, saved_ip_header + 12, 8); -+ -+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP) -+ { -+ DPRINTF("+++ C+ mode calculating TCP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_tcpip_hdr->zeros = 0; -+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP; -+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12); -+ -+ p_tcp_hdr->th_sum = 0; -+ -+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode TCP checksum %04x\n", -+ tcp_checksum); -+ -+ 
p_tcp_hdr->th_sum = tcp_checksum; -+ } -+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP) -+ { -+ DPRINTF("+++ C+ mode calculating UDP checksum for " -+ "packet with %d bytes data\n", ip_data_len); -+ -+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum; -+ p_udpip_hdr->zeros = 0; -+ p_udpip_hdr->ip_proto = IP_PROTO_UDP; -+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len); -+ -+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12); -+ -+ p_udp_hdr->uh_sum = 0; -+ -+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12); -+ DPRINTF("+++ C+ mode UDP checksum %04x\n", -+ udp_checksum); -+ -+ p_udp_hdr->uh_sum = udp_checksum; -+ } -+ -+ /* restore IP header */ -+ memcpy(eth_payload_data, saved_ip_header, hlen); - } - } - --- -2.1.4 - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-3.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-3.patch deleted file mode 100644 index 5676f46..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-3.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From 043d28507ef7c5fdc34866f5e3b27a72bd0cd072 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:00 +0100 -Subject: [PATCH 3/7] rtl8139: skip offload on short Ethernet/IP header - -Transmit offload features access Ethernet and IP headers the packet. If -the packet is too short we must not attempt to access header fields: - - int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12)); - ... - eth_payload_data = saved_buffer + ETH_HLEN; - ... - ip = (ip_header*)eth_payload_data; - if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 2f12d42..d377b6b 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2164,6 +2164,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - { - DPRINTF("+++ C+ mode offloaded task checksum\n"); - -+ /* Large enough for Ethernet and IP headers? */ -+ if (saved_size < ETH_HLEN + sizeof(ip_header)) { -+ goto skip_offload; -+ } -+ - /* ip packet header */ - ip_header *ip = NULL; - int hlen = 0; --- -2.1.4 - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-4.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-4.patch deleted file mode 100644 index 495d8d6..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-4.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 5a75d242fe019d05b46ef9bc330a6892525c84a7 Mon Sep 17 00:00:00 2001 -From: Stefan Hajnoczi -Date: Wed, 15 Jul 2015 18:17:01 +0100 -Subject: [PATCH 4/7] rtl8139: check IP Header Length field - -The IP Header Length field was only checked in the IP checksum case, but -is used in other cases too. - -Signed-off-by: Stefan Hajnoczi ---- - hw/net/rtl8139.c | 19 ++++++++----------- - 1 file changed, 8 insertions(+), 11 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index d377b6b..cd5ac05 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2200,6 +2200,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - } - - hlen = IP_HEADER_LENGTH(ip); -+ if (hlen < sizeof(ip_header) || hlen > eth_payload_len) { -+ goto skip_offload; -+ } -+ - ip_protocol = ip->ip_p; - ip_data_len = be16_to_cpu(ip->ip_len) - hlen; - -@@ -2207,17 +2211,10 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s) - { - DPRINTF("+++ C+ mode need IP checksum\n"); - -- if (hleneth_payload_len) {/* min header length */ -- /* bad packet header len */ -- /* or packet too short */ -- } -- else -- { -- ip->ip_sum = 0; -- ip->ip_sum = ip_checksum(ip, hlen); -- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -- hlen, ip->ip_sum); -- } -+ ip->ip_sum = 0; -+ ip->ip_sum = ip_checksum(ip, hlen); -+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n", -+ hlen, ip->ip_sum); - } - - if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP) --- -2.1.4 - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-5.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-5.patch deleted file mode 100644 index e633ea6..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-5.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 6c79ea275d72bc1fd88bdcf1e7d231b2c9c865de Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi
-Date: Wed, 15 Jul 2015 18:17:02 +0100
-Subject: [PATCH 5/7] rtl8139: check IP Total Length field
-
-The IP Total Length field includes the IP header and data. Make sure it
-is valid and does not exceed the Ethernet payload size.
-
-Signed-off-by: Stefan Hajnoczi
----
- hw/net/rtl8139.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index cd5ac05..ed2b23b 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2205,7 +2205,12 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
-         }
- 
-         ip_protocol = ip->ip_p;
--        ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
-+
-+        ip_data_len = be16_to_cpu(ip->ip_len);
-+        if (ip_data_len < hlen || ip_data_len > eth_payload_len) {
-+            goto skip_offload;
-+        }
-+        ip_data_len -= hlen;
- 
-         if (txdw0 & CP_TX_IPCS)
-         {
---
-2.1.4
-
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-6.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-6.patch
deleted file mode 100644
index dd716a6..0000000
--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-6.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 30aa7be430e7c982e9163f3bcc745d3aa57b6aa4 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi
-Date: Wed, 15 Jul 2015 18:17:03 +0100
-Subject: [PATCH 6/7] rtl8139: skip offload on short TCP header
-
-TCP Large Segment Offload accesses the TCP header in the packet. If the
-packet is too short we must not attempt to access header fields:
-
-  tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
-  int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
-
-Signed-off-by: Stefan Hajnoczi
----
- hw/net/rtl8139.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index ed2b23b..c8f0df9 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2224,6 +2224,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
- 
-         if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
-         {
-+            /* Large enough for the TCP header? */
-+            if (ip_data_len < sizeof(tcp_header)) {
-+                goto skip_offload;
-+            }
-+
-             int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
- 
-             DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
---
-2.1.4
-
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-7.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-7.patch
deleted file mode 100644
index 4c0ad79..0000000
--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-7.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 9a084807bf6ca7c16d997a236d304111894a6539 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi
-Date: Wed, 15 Jul 2015 18:17:04 +0100
-Subject: [PATCH 7/7] rtl8139: check TCP Data Offset field
-
-The TCP Data Offset field contains the length of the header. Make sure
-it is valid and does not exceed the IP data length.
-
-Signed-off-by: Stefan Hajnoczi
----
- hw/net/rtl8139.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index c8f0df9..2df4a51 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2253,6 +2253,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
- 
-             int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
- 
-+            /* Invalid TCP data offset? */
-+            if (tcp_hlen < sizeof(tcp_header) || tcp_hlen > ip_data_len) {
-+                goto skip_offload;
-+            }
-+
-             /* ETH_MTU = ip header len + tcp header len + payload */
-             int tcp_data_len = ip_data_len - tcp_hlen;
-             int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
---
-2.1.4
-
diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5166.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5166.patch
deleted file mode 100644
index fc41d7b..0000000
--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5166.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Stefano Stabellini
-
-Fix release_drive on unplugged devices (pci_piix3_xen_ide_unplug)
-
-pci_piix3_xen_ide_unplug should completely unhook the unplugged
-IDEDevice from the corresponding BlockBackend, otherwise the next call
-to release_drive will try to detach the drive again.
-
-Suggested-by: Kevin Wolf
-Signed-off-by: Stefano Stabellini
-
-diff --git a/hw/ide/piix.c b/hw/ide/piix.c
-index adb6649..5a26c86 100644
---- a/hw/ide/piix.c
-+++ b/hw/ide/piix.c
-@@ -169,6 +169,7 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
-     PCIIDEState *pci_ide;
-     DriveInfo *di;
-     int i;
-+    IDEDevice *idedev;
- 
-     pci_ide = PCI_IDE(dev);
- 
-@@ -181,6 +182,12 @@ int pci_piix3_xen_ide_unplug(DeviceState *dev)
-                 blk_detach_dev(blk, ds);
-             }
-             pci_ide->bus[di->bus].ifs[di->unit].blk = NULL;
-+            if (!(i % 2)) {
-+                idedev = pci_ide->bus[di->bus].master;
-+            } else {
-+                idedev = pci_ide->bus[di->bus].slave;
-+            }
-+            idedev->conf.blk = NULL;
-             blk_unref(blk);
-         }
-     }
diff --git a/app-emulation/qemu/qemu-2.3.0-r5.ebuild b/app-emulation/qemu/qemu-2.4.0.ebuild
similarity index 80%
rename from app-emulation/qemu/qemu-2.3.0-r5.ebuild
rename to app-emulation/qemu/qemu-2.4.0.ebuild
index b689ea1..f399855 100644
--- a/app-emulation/qemu/qemu-2.3.0-r5.ebuild
+++ b/app-emulation/qemu/qemu-2.4.0.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.3.0-r5.ebuild,v 1.1 2015/08/03 15:36:55 cardoe Exp $
+# $Id$
 
 EAPI=5
 
@@ -34,9 +34,9 @@ IUSE="accessibility +aio alsa bluetooth +caps +curl debug +fdt glusterfs \ gtk gtk2 infiniband iscsi +jpeg \ kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png pulseaudio python \ -rbd sasl +seccomp sdl selinux smartcard snappy spice ssh static static-softmmu \ +rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu static-user systemtap tci test +threads tls usb usbredir +uuid vde +vhost-net \ -virtfs +vnc xattr xen xfs" +virtfs +vnc vte xattr xen xfs" COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32 @@ -48,18 +48,19 @@ use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) IUSE+=" ${use_softmmu_targets} ${use_user_targets}" -# Require at least one softmmu or user target. +# Allow no targets to be built so that people can get a tools-only build. # Block USE flag configurations known to not work. -REQUIRED_USE="|| ( ${use_softmmu_targets} ${use_user_targets} ) - ${PYTHON_REQUIRED_USE} +REQUIRED_USE="${PYTHON_REQUIRED_USE} gtk2? ( gtk ) qemu_softmmu_targets_arm? ( fdt ) qemu_softmmu_targets_microblaze? ( fdt ) qemu_softmmu_targets_ppc? ( fdt ) qemu_softmmu_targets_ppc64? ( fdt ) + sdl2? ( sdl ) static? ( static-softmmu static-user ) static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 ) - virtfs? ( xattr )" + virtfs? ( xattr ) + vte? ( gtk )" # Yep, you need both libcap and libcap-ng since virtfs only uses libcap. # 
@@ -71,29 +72,65 @@ COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)]
 	xattr? ( sys-apps/attr[static-libs(+)] )"
 SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
 	>=x11-libs/pixman-0.28.0[static-libs(+)]
+	accessibility? ( app-accessibility/brltty[static-libs(+)] )
 	aio? ( dev-libs/libaio[static-libs(+)] )
+	alsa? ( >=media-libs/alsa-lib-1.0.13 )
+	bluetooth? ( net-wireless/bluez )
 	caps? ( sys-libs/libcap-ng[static-libs(+)] )
 	curl? ( >=net-misc/curl-7.15.4[static-libs(+)] )
 	fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
 	glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] )
+	gtk? (
+		gtk2? (
+			x11-libs/gtk+:2
+			vte? ( x11-libs/vte:0 )
+		)
+		!gtk2? (
+			x11-libs/gtk+:3
+			vte? ( x11-libs/vte:2.90 )
+		)
+	)
 	infiniband? ( sys-infiniband/librdmacm:=[static-libs(+)] )
+	iscsi? ( net-libs/libiscsi )
 	jpeg? ( virtual/jpeg:=[static-libs(+)] )
 	lzo? ( dev-libs/lzo:2[static-libs(+)] )
-	ncurses? ( sys-libs/ncurses[static-libs(+)] )
+	ncurses? ( sys-libs/ncurses:5=[static-libs(+)] )
 	nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] )
 	numa? ( sys-process/numactl[static-libs(+)] )
+	opengl? (
+		virtual/opengl
+		media-libs/libepoxy[static-libs(+)]
+		media-libs/mesa[static-libs(+)]
+		media-libs/mesa[gles2]
+	)
 	png? ( media-libs/libpng:0=[static-libs(+)] )
+	pulseaudio? ( media-sound/pulseaudio )
 	rbd? ( sys-cluster/ceph[static-libs(+)] )
 	sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
-	sdl? ( >=media-libs/libsdl-1.2.11[static-libs(+)] )
+	sdl? (
+		!sdl2? (
+			media-libs/libsdl[X]
+			>=media-libs/libsdl-1.2.11[static-libs(+)]
+		)
+		sdl2? (
+			media-libs/libsdl2[X]
+			media-libs/libsdl2[static-libs(+)]
+		)
+	)
 	seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] )
+	smartcard? ( dev-libs/nss !app-emulation/libcacard )
 	snappy? ( app-arch/snappy[static-libs(+)] )
-	spice? ( >=app-emulation/spice-0.12.0[static-libs(+)] )
+	spice? (
+		>=app-emulation/spice-protocol-0.12.3
+		>=app-emulation/spice-0.12.0[static-libs(+)]
+	)
 	ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] )
 	tls? ( net-libs/gnutls[static-libs(+)] )
-	usb? ( >=dev-libs/libusb-1.0.18[static-libs(+)] )
+	usb? ( >=virtual/libusb-1-r2[static-libs(+)] )
+	usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] )
 	uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] )
 	vde? ( net-misc/vde[static-libs(+)] )
+	virtfs? ( sys-libs/libcap )
 	xfs? ( sys-fs/xfsprogs[static-libs(+)] )"
 USER_LIB_DEPEND="${COMMON_LIB_DEPEND}"
 X86_FIRMWARE_DEPEND="
@@ -106,30 +143,15 @@ X86_FIRMWARE_DEPEND="
 	!pin-upstream-blobs? (
 		sys-firmware/seabios
 		sys-firmware/sgabios
+		sys-firmware/vgabios
 	)"
 CDEPEND="
 	!static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) )
 	!static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) " ${use_user_targets}) )
 	qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} )
 	qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )
-	accessibility? ( app-accessibility/brltty )
-	alsa? ( >=media-libs/alsa-lib-1.0.13 )
-	bluetooth? ( net-wireless/bluez )
-	gtk? (
-		gtk2? ( x11-libs/gtk+:2 )
-		!gtk2? ( x11-libs/gtk+:3 )
-		x11-libs/vte:2.90
-	)
-	iscsi? ( net-libs/libiscsi )
-	opengl? ( virtual/opengl )
-	pulseaudio? ( media-sound/pulseaudio )
 	python? ( ${PYTHON_DEPS} )
-	sdl? ( media-libs/libsdl[X] )
-	smartcard? ( dev-libs/nss !app-emulation/libcacard )
-	spice? ( >=app-emulation/spice-protocol-0.12.3 )
 	systemtap? ( dev-util/systemtap )
-	usbredir? ( >=sys-apps/usbredir-0.6 )
-	virtfs? ( sys-libs/libcap )
 	xen? ( app-emulation/xen-tools )"
 DEPEND="${CDEPEND}
 	dev-lang/perl
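Review bot: Several atoms moved from CDEPEND into SOFTMMU_LIB_DEPEND in the `@@ -71,29 +72,65 @@` hunk carry no `[static-libs(+)]` (alsa, bluetooth, iscsi, pulseaudio, `dev-libs/nss`, `sys-libs/libcap`, `media-libs/libsdl[X]`, `media-libs/mesa[gles2]`), yet that list is what a `static-softmmu` build depends on verbatim, with the substitution `${SOFTMMU_LIB_DEPEND//\[static-libs(+)]}` only applied for the dynamic case. The REQUIRED_USE block in the earlier hunk excludes alsa, pulseaudio, bluetooth, opengl and gtk from static-softmmu, but not iscsi, smartcard, virtfs or sdl, so a static-softmmu build with one of those flags would be allowed without any requirement for the static archives, if QEMU's static link actually needs them. Either add the USE dep where static linking is supported, e.g. `iscsi? ( net-libs/libiscsi[static-libs(+)] )` and `virtfs? ( sys-libs/libcap[static-libs(+)] )`, or extend the `static-softmmu? ( ... )` REQUIRED_USE line to block the remaining flags, and say in a comment which atoms intentionally lack the dep.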
@@ -260,21 +282,6 @@ src_prepare() {
 	use nls || rm -f po/*.po
 
 	epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch
-	epatch "${FILESDIR}"/${P}-CVE-2015-3456.patch #549404
-	epatch "${FILESDIR}"/${P}-CVE-2015-3209.patch #551752
-	epatch "${FILESDIR}"/${P}-CVE-2015-5158.patch #555680
-	epatch "${FILESDIR}"/${P}-CVE-2015-3214.patch #556052
-	epatch "${FILESDIR}"/${P}-CVE-2015-5154-1.patch #556050 / #555532
-	epatch "${FILESDIR}"/${P}-CVE-2015-5154-2.patch #556050 / #555532
-	epatch "${FILESDIR}"/${P}-CVE-2015-5154-3.patch #556050 / #555532
-	epatch "${FILESDIR}"/${P}-CVE-2015-5165-1.patch #556304
-	epatch "${FILESDIR}"/${P}-CVE-2015-5165-2.patch #556304
-	epatch "${FILESDIR}"/${P}-CVE-2015-5165-3.patch #556304
-	epatch "${FILESDIR}"/${P}-CVE-2015-5165-4.patch #556304
-	epatch "${FILESDIR}"/${P}-CVE-2015-5165-5.patch #556304
-	epatch "${FILESDIR}"/${P}-CVE-2015-5165-6.patch #556304
-	epatch "${FILESDIR}"/${P}-CVE-2015-5165-7.patch #556304
-	epatch "${FILESDIR}"/${P}-CVE-2015-5166.patch #556304
 	[[ -n ${BACKPORTS} ]] && \
 		EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \
 		epatch
@@ -296,14 +303,10 @@ qemu_src_configure() {
 	debug-print-function ${FUNCNAME} "$@"
 
 	local buildtype=$1
-	local builddir=$2
+	local builddir="${S}/${buildtype}-build"
 	local static_flag="static-${buildtype}"
 
-	# audio options
-	local audio_opts="oss"
-	use alsa && audio_opts="alsa,${audio_opts}"
-	use sdl && audio_opts="sdl,${audio_opts}"
-	use pulseaudio && audio_opts="pa,${audio_opts}"
+	mkdir "${builddir}"
 
 	local conf_opts=(
 		--prefix=/usr
@@ -361,9 +364,7 @@ qemu_src_configure() {
 		$(conf_softmmu snappy)
 		$(conf_softmmu spice)
 		$(conf_softmmu ssh libssh2)
-		$(conf_softmmu tls quorum)
 		$(conf_softmmu tls vnc-tls)
-		$(conf_softmmu tls vnc-ws)
 		$(conf_softmmu usb libusb)
 		$(conf_softmmu usbredir usb-redir)
 		$(conf_softmmu uuid)
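Review bot: Dropping the fifteen `epatch` lines in `src_prepare()` is only correct if every one of those fixes is in the 2.4.0 tarball, and the diff itself gives no way to confirm that for `${P}-CVE-2015-5166.patch`: unlike the rtl8139 series deleted earlier in this commit, its header has no upstream `From <commit>` line, only `From: Stefano Stabellini`, so it may have been carried ahead of an upstream merge. The bug references (#549404, #551752, #555680, #556052, #556050, #555532, #556304) also disappear with the lines, which makes a later "is 2.4.0 affected?" audit harder. A one-line comment keeping the trail would help, e.g. `# CVE fixes formerly patched in 2.3.0-r5 are included in 2.4.0 (#549404 #551752 #555680 #556052 #556050 #556304)`, once that inclusion has been checked against the release. src_prepare() ends outside the hunk.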
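Review bot: The new `mkdir "${builddir}"` in `qemu_src_configure()` is unchecked, so a failure (for example a stale directory left from an interrupted build, or a permissions problem) is silently ignored and the later `cd "${builddir}"` followed by `../configure` runs in whatever directory happens to exist. The old code had the same unchecked `mkdir` in src_configure(), but now that the call is centralised it is the natural place to fail loudly: `mkdir "${builddir}" || die "mkdir ${builddir} failed"`. The function continues past the end of this hunk.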
@@ -371,6 +372,7 @@ qemu_src_configure() {
 		$(conf_softmmu vhost-net)
 		$(conf_softmmu virtfs)
 		$(conf_softmmu vnc)
+		$(conf_softmmu vte)
 		$(conf_softmmu xen)
 		$(conf_softmmu xen xen-pci-passthrough)
 		$(conf_softmmu xfs xfsctl)
@@ -381,23 +383,39 @@ qemu_src_configure() {
 		conf_opts+=(
 			--enable-linux-user
 			--disable-system
-			--target-list="${user_targets}"
 			--disable-blobs
 			--disable-tools
 		)
 		;;
 	softmmu)
+		# audio options
+		local audio_opts="oss"
+		use alsa && audio_opts="alsa,${audio_opts}"
+		use sdl && audio_opts="sdl,${audio_opts}"
+		use pulseaudio && audio_opts="pa,${audio_opts}"
+
 		conf_opts+=(
 			--disable-linux-user
 			--enable-system
-			--target-list="${softmmu_targets}"
 			--with-system-pixman
 			--audio-drv-list="${audio_opts}"
 		)
 		use gtk && conf_opts+=( --with-gtkabi=$(usex gtk2 2.0 3.0) )
+		use sdl && conf_opts+=( --with-sdlabi=$(usex sdl2 2.0 1.2) )
+		;;
+	tools)
+		conf_opts+=(
+			--disable-linux-user
+			--disable-system
+			--disable-blobs
+		)
+		static_flag="static"
 		;;
 	esac
 
+	local targets="${buildtype}_targets"
+	[[ -n ${targets} ]] && conf_opts+=( --target-list="${!targets}" )
+
 	# Add support for SystemTAP
 	use systemtap && conf_opts+=( --enable-trace-backend=dtrace )
 
@@ -410,7 +428,7 @@ qemu_src_configure() {
 		gcc-specs-pie && conf_opts+=( --enable-pie )
 	fi
 
-	einfo "../configure ${conf_opts[*]}"
+	echo "../configure ${conf_opts[*]}"
 
 	cd "${builddir}"
 	../configure "${conf_opts[@]}" || die "configure failed"
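Review bot: The guard `[[ -n ${targets} ]]` in the `@@ -381,23 +383,39 @@` hunk tests the variable name (`softmmu_targets`, `user_targets`, `tools_targets`), which is never empty, so the indirect expansion is always appended and `--target-list=` is passed even when the referenced variable is empty or unset; in the `tools` case no `tools_targets` is defined anywhere in this diff, so that build always gets an empty `--target-list=`. If the intent is to skip the option when there are no targets, the test needs the indirection too: `[[ -n ${!targets} ]] && conf_opts+=( --target-list="${!targets}" )`. If an explicit empty list is in fact what the tools-only configure requires, the guard should be dropped and a comment should say so, because as written it reads as a check that can never fire. qemu_src_configure() continues past the end of this hunk.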
@@ -442,21 +460,12 @@ src_configure() {
 		fi
 	done
 
-	[[ -n ${softmmu_targets} ]] && \
-		einfo "Building the following softmmu targets: ${softmmu_targets}"
+	softmmu_targets=${softmmu_targets#,}
+	user_targets=${user_targets#,}
 
-	[[ -n ${user_targets} ]] && \
-		einfo "Building the following user targets: ${user_targets}"
-
-	if [[ -n ${softmmu_targets} ]]; then
-		mkdir "${S}/softmmu-build"
-		qemu_src_configure "softmmu" "${S}/softmmu-build"
-	fi
-
-	if [[ -n ${user_targets} ]]; then
-		mkdir "${S}/user-build"
-		qemu_src_configure "user" "${S}/user-build"
-	fi
+	[[ -n ${softmmu_targets} ]] && qemu_src_configure "softmmu"
+	[[ -n ${user_targets} ]] && qemu_src_configure "user"
+	[[ -z ${softmmu_targets}${user_targets} ]] && qemu_src_configure "tools"
 }
 
 src_compile() {
@@ -469,6 +478,11 @@ src_compile() {
 		cd "${S}/softmmu-build"
 		default
 	fi
+
+	if [[ -z ${softmmu_targets}${user_targets} ]]; then
+		cd "${S}/tools-build"
+		default
+	fi
 }
 
 src_test() {
@@ -514,6 +528,11 @@ src_install() {
 		fi
 	fi
 
+	if [[ -z ${softmmu_targets}${user_targets} ]]; then
+		cd "${S}/tools-build"
+		emake DESTDIR="${ED}" install
+	fi
+
 	# Disable mprotect on the qemu binaries as they use JITs to be fast #459348
 	pushd "${ED}"/usr/bin >/dev/null
 	pax-mark m "${softmmu_bins[@]}" "${user_bins[@]}"
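Review bot: `[[ -z ${softmmu_targets}${user_targets} ]] && qemu_src_configure "tools"` is now the last statement of src_configure(), so whenever any target is selected the `&&` short-circuits and the function returns 1; the same pattern is added as the final statement of src_install() in a later hunk (`qemu_support_kvm && readme.gentoo_create_doc`). Whether the package manager treats a phase function's non-zero return as an error I cannot confirm from here, but the exit status no longer reflects anything meaningful and an explicit form removes the question: `if [[ -z ${softmmu_targets}${user_targets} ]]; then qemu_src_configure "tools"; fi`. The three `[[ ... ]] && qemu_src_configure` lines also rely on `die` inside qemu_src_configure() for failure handling, which is fine but worth a one-line comment since the old `if` blocks made the flow obvious.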
@@ -531,20 +550,20 @@ src_install() {
 	newdoc pc-bios/README README.pc-bios
 	dodoc docs/qmp/*.txt
 
-	# Remove SeaBIOS since we're using the SeaBIOS packaged one
-	rm "${ED}/usr/share/qemu/bios.bin"
-	rm "${ED}/usr/share/qemu/bios-256k.bin"
-	rm "${ED}/usr/share/qemu/acpi-dsdt.aml"
-	rm "${ED}/usr/share/qemu/q35-acpi-dsdt.aml"
-	if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
-		dosym ../seabios/bios.bin /usr/share/qemu/bios.bin
-		dosym ../seabios/bios-256k.bin /usr/share/qemu/bios-256k.bin
-		dosym ../seabios/acpi-dsdt.aml /usr/share/qemu/acpi-dsdt.aml
-		dosym ../seabios/q35-acpi-dsdt.aml /usr/share/qemu/q35-acpi-dsdt.aml
-	fi
-
-	# Remove vgabios since we're using the seabios packaged one
 	if [[ -n ${softmmu_targets} ]]; then
+		# Remove SeaBIOS since we're using the SeaBIOS packaged one
+		rm "${ED}/usr/share/qemu/bios.bin"
+		rm "${ED}/usr/share/qemu/bios-256k.bin"
+		rm "${ED}/usr/share/qemu/acpi-dsdt.aml"
+		rm "${ED}/usr/share/qemu/q35-acpi-dsdt.aml"
+		if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then
+			dosym ../seabios/bios.bin /usr/share/qemu/bios.bin
+			dosym ../seabios/bios-256k.bin /usr/share/qemu/bios-256k.bin
+			dosym ../seabios/acpi-dsdt.aml /usr/share/qemu/acpi-dsdt.aml
+			dosym ../seabios/q35-acpi-dsdt.aml /usr/share/qemu/q35-acpi-dsdt.aml
+		fi
+
+		# Remove vgabios since we're using the seabios packaged one
 		rm "${ED}/usr/share/qemu/vgabios-cirrus.bin"
 		rm "${ED}/usr/share/qemu/vgabios-qxl.bin"
 		rm "${ED}/usr/share/qemu/vgabios-stdvga.bin"
@@ -574,27 +593,13 @@ src_install() {
 		fi
 	fi
 
+	qemu_support_kvm && readme.gentoo_create_doc
 }
 
 pkg_postinst() {
 	if qemu_support_kvm; then
 		readme.gentoo_print_elog
-		ewarn "Migration from qemu-kvm instances and loading qemu-kvm created"
-		ewarn "save states has been removed starting with the 1.6.2 release"
-		ewarn
-		ewarn "It is recommended that you migrate any VMs that may be running"
-		ewarn "on qemu-kvm to a host with a newer qemu and regenerate"
-		ewarn "any saved states with a newer qemu."
-		ewarn
-		ewarn "qemu-kvm was the primary qemu provider in Gentoo through 1.2.x"
-
-		if use x86 || use amd64; then
-			ewarn
-			ewarn "The /usr/bin/kvm and /usr/bin/qemu-kvm wrappers are no longer"
-			ewarn "installed. In order to use kvm acceleration, pass the flag"
-			ewarn "-enable-kvm when running your system target."
-		fi
 	fi
 
 	if [[ -n ${softmmu_targets} ]] && use kernel_linux; then
@@ -613,7 +618,7 @@ pkg_info() {
 	echo " $(best_version app-emulation/spice-protocol)"
 	echo " $(best_version sys-firmware/ipxe)"
 	echo " $(best_version sys-firmware/seabios)"
-	if has_version sys-firmware/seabios[binary]; then
+	if has_version 'sys-firmware/seabios[binary]'; then
 		echo " USE=binary"
 	else
 		echo " USE=''"