[app-emulation/qemu] sync with tree
parent
3e7ffd5141
commit
e4e0ab828b
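--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch
@@ -0,0 +1,34 @@
+From: Prasad J Pandit <address@hidden>
+
+Vmware Paravirtual SCSI emulator while processing IO requests
+could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
+always returned positive value. Limit IO loop to the ring size.
+
+Cc: address@hidden
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Message-Id: <address@hidden>
+Signed-off-by: Paolo Bonzini <address@hidden>
+---
+hw/scsi/vmw_pvscsi.c | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index babac5a..a5ce7de 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -247,8 +247,11 @@ static hwaddr
+pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
+{
+uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+
+- if (ready_ptr != mgr->consumed_ptr) {
++ if (ready_ptr != mgr->consumed_ptr
++ && ready_ptr - mgr->consumed_ptr < ring_size) {
+uint32_t next_ready_ptr =
+mgr->consumed_ptr++ & mgr->txr_len_mask;
+uint32_t next_ready_page =
+--
+1.8.3.1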
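Review bot: The new bound on the pop loop is derived from the maximum ring geometry (`PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE`) rather than from the ring's configured length, so a producer index that sits far ahead of `consumed_ptr` is still served up to that maximum per call; `pvscsi_ring_pop_req_descr()` continues outside the hunk, so whether the configured length is clamped elsewhere cannot be seen here. The subtraction is unsigned, so a producer index that has wrapped below `consumed_ptr` yields a large difference and fails the test, which looks intended but is not stated; a comment such as `/* bound outstanding descriptors to the ring; unsigned wrap makes a stale producer index fail this test */` would record it. If `mgr->txr_len_mask + 1` (used two lines below) is the configured ring length, using it as the bound instead would make the limit exact.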
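--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch
@@ -0,0 +1,38 @@
+From: Prasad J Pandit <address@hidden>
+
+virtio back end uses set of buffers to facilitate I/O operations.
+If its size is too large, 'cpu_physical_memory_map' could return
+a null address. This would result in a null dereference
+while un-mapping descriptors. Add check to avoid it.
+
+Reported-by: Qinghao Tang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/virtio/virtio.c | 10 ++++++----
+1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 15ee3a7..0a4c5b6 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
+}
+
+iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
+- iov[num_sg].iov_len = len;
+- addr[num_sg] = pa;
++ if (iov[num_sg].iov_base) {
++ iov[num_sg].iov_len = len;
++ addr[num_sg] = pa;
+
++ pa += len;
++ num_sg++;
++ }
+sz -= len;
+- pa += len;
+- num_sg++;
+}
+*p_num_sg = num_sg;
+}
+--
+2.5.5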
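Review bot: When `cpu_physical_memory_map()` returns NULL the new branch skips the segment but the loop carries on: `sz -= len` still runs while neither `pa` nor `num_sg` advances, so the request is silently assembled with fewer scatter-gather entries than the descriptor described, and if a failed mapping leaves `len` at zero the loop makes no progress at all. The enclosing `virtqueue_map_desc()` starts outside the hunk, so the loop condition and how callers consume `*p_num_sg` are not visible here. A safer shape is to treat a NULL mapping as a descriptor error and stop the walk, e.g. `if (!iov[num_sg].iov_base) { /* mapping failed: do not return a truncated sg list */ break; }` and let the caller see the error, rather than continuing with a shortened list.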
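--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch
@@ -0,0 +1,31 @@
+From: Li Qiang <address@hidden>
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Message-Id: <address@hidden>
+Cc: address@hidden
+Signed-off-by: Paolo Bonzini <address@hidden>
+---
+hw/scsi/mptsas.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 0e0a22f..eaae1bb 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+goto bad;
+}
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+QTAILQ_INSERT_TAIL(&s->pending, req, next);
+req->scsi_io = *scsi_io;
+req->dev = s;
+--
+1.8.3.1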
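--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch
@@ -0,0 +1,26 @@
+From: Li Qiang <address@hidden>
+
+If the xhci uses msix, it doesn't free the corresponding
+memory, thus leading a memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+hw/usb/hcd-xhci.c | 3 +--
+1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 188f954..281a2a5 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
+/* destroy msix memory region */
+if (dev->msix_table && dev->msix_pba
+&& dev->msix_entry_used) {
+- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
+- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
++ msix_uninit(dev, &xhci->mem, &xhci->mem);
+}
+
+usb_bus_release(&xhci->bus);
+--
+1.8.3.1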
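--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch
@@ -0,0 +1,45 @@
+From: Prasad J Pandit <address@hidden>
+
+i.MX Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set an upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/net/imx_fec.c | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+
+Update per
+-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
+
+diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
+index 1c415ab..1d74827 100644
+--- a/hw/net/imx_fec.c
++++ b/hw/net/imx_fec.c
+@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
+#define PHY_INT_PARFAULT (1 << 2)
+#define PHY_INT_AUTONEG_PAGE (1 << 1)
+
++#define IMX_MAX_DESC 1024
++
+static void imx_eth_update(IMXFECState *s);
+
+/*
+@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
+
+static void imx_fec_do_tx(IMXFECState *s)
+{
+- int frame_size = 0;
++ int frame_size = 0, descnt = 0;
+uint8_t frame[ENET_MAX_FRAME_SIZE];
+uint8_t *ptr = frame;
+uint32_t addr = s->tx_descriptor;
+
+- while (1) {
++ while (descnt++ < IMX_MAX_DESC) {
+IMXFECBufDesc bd;
+int len;
+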
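Review bot: `IMX_MAX_DESC 1024` is introduced as a bare number with no comment saying what it bounds or why 1024, and the same pattern (`FEC_MAX_DESC 1024`, `while (descnt++ < FEC_MAX_DESC)`) is repeated in the CVE-2016-7908 mcf_fec patch below; a one-line comment at each define, `/* upper bound on descriptors walked per transmit pass: a chain of zero-length descriptors must not keep the loop alive forever */`, would make the intent clear at both sites. When the cap is reached the `while` simply exits, so a partially assembled frame is dropped and, as far as the hunk shows, nothing is logged; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` at that point would help diagnose a misbehaving guest driver. The rest of `imx_fec_do_tx()` lies outside the hunk, so what happens to `frame` after the loop cannot be checked here.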
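--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch
@@ -0,0 +1,52 @@
+From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 22 Sep 2016 16:02:37 +0530
+Subject: [PATCH] net: mcf: limit buffer descriptor count
+
+ColdFire Fast Ethernet Controller uses buffer descriptors to manage
+data flow to/fro receive & transmit queues. While transmitting
+packets, it could continue to read buffer descriptors if a buffer
+descriptor has length of zero and has crafted values in bd.flags.
+Set upper limit to number of buffer descriptors.
+
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+hw/net/mcf_fec.c | 5 +++--
+1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
+index 0ee8ad9..d31fea1 100644
+--- a/hw/net/mcf_fec.c
++++ b/hw/net/mcf_fec.c
+@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
+#define DPRINTF(fmt, ...) do {} while(0)
+#endif
+
++#define FEC_MAX_DESC 1024
+#define FEC_MAX_FRAME_SIZE 2032
+
+typedef struct {
+@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+uint32_t addr;
+mcf_fec_bd bd;
+int frame_size;
+- int len;
++ int len, descnt = 0;
+uint8_t frame[FEC_MAX_FRAME_SIZE];
+uint8_t *ptr;
+
+@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
+ptr = frame;
+frame_size = 0;
+addr = s->tx_descriptor;
+- while (1) {
++ while (descnt++ < FEC_MAX_DESC) {
+mcf_fec_read_bd(&bd, addr);
+DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
+addr, bd.flags, bd.length, bd.data);
+--
+1.7.0.4
+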
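--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch
@@ -0,0 +1,32 @@
+From: Prasad J Pandit <address@hidden>
+
+The AMD PC-Net II emulator has set of control and status(CSR)
+registers. Of these, CSR76 and CSR78 hold receive and transmit
+descriptor ring length respectively. This ring length could range
+from 1 to 65535. Setting ring length to zero leads to an infinite
+loop in pcnet_rdra_addr. Add check to avoid it.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/net/pcnet.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 198a01f..3078de8 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
+case 47: /* POLLINT */
+case 72:
+case 74:
++ break;
+case 76: /* RCVRL */
+case 78: /* XMTRL */
++ val = (val > 0) ? val : 512;
++ break;
+case 112:
+if (CSR_STOP(s) || CSR_SPND(s))
+break;
+--
+2.5.5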
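Review bot: The two added `break;` statements take CSR47/72/74 and CSR76/78 out of the fall-through into `case 112:`, whose `if (CSR_STOP(s) || CSR_SPND(s)) break;` previously gated writes to all of those registers on the device being stopped or suspended; after the patch those five registers are written regardless of device state, which is a wider behavioural change than the zero-length guard the description announces. If that is intended it should be said in a comment next to the new lines, e.g. `/* RCVRL/XMTRL: a ring length of zero would make pcnet_rdra_addr() loop forever; fall back to the default of 512 */`, together with a note that CSR47/72/74 are now writable while running. The tail of `pcnet_csr_writew()` where `val` is finally stored is outside the hunk, so the effect of the early `break` on that store is inferred, not seen.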
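--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch
@@ -0,0 +1,25 @@
+From: Li Qiang <address@hidden>
+
+In virtio gpu resource create dispatch, if the pixman format is zero
+it doesn't free the resource object allocated previously. Thus leading
+a host memory leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+hw/display/virtio-gpu.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
+index 7fe6ed8..5b6d17b 100644
+--- a/hw/display/virtio-gpu.c
++++ b/hw/display/virtio-gpu.c
+@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
+qemu_log_mask(LOG_GUEST_ERROR,
+"%s: host couldn't handle guest format %d\n",
+__func__, c2d.format);
++ g_free(res);
+cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+return;
+}
+--
+1.8.3.1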
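--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch
@@ -0,0 +1,26 @@
+From: Li Qiang <address@hidden>
+
+While processing isochronous transfer descriptors(iTD), if the page
+select(PG) field value is out of bands it will return. In this
+situation the ehci's sg list doesn't be freed thus leading a memory
+leak issue. This patch avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+hw/usb/hcd-ehci.c | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index b093db7..f4ece9a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
+if (off + len > 4096) {
+/* transfer crosses page border */
+if (pg == 6) {
++ qemu_sglist_destroy(&ehci->isgl);
+return -1; /* avoid page pg + 1 */
+}
+ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
+--
+1.8.3.1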
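--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch
@@ -0,0 +1,61 @@
+From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <address@hidden>
+Date: Fri, 7 Oct 2016 10:15:29 +0200
+Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
+
+Signed-off-by: Gerd Hoffmann <address@hidden>
+---
+hw/usb/hcd-xhci.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 726435c..ee4fa48 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+* to the specs when it gets them */
+#define ER_FULL_HACK
+
++#define TRB_LINK_LIMIT 4
++
+#define LEN_CAP 0x40
+#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
+#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+dma_addr_t *addr)
+{
+PCIDevice *pci_dev = PCI_DEVICE(xhci);
++ uint32_t link_cnt = 0;
+
+while (1) {
+TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ring->dequeue += TRB_SIZE;
+return type;
+} else {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return 0;
++ }
+ring->dequeue = xhci_mask64(trb->parameter);
+if (trb->control & TRB_LK_TC) {
+ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+bool ccs = ring->ccs;
+/* hack to bundle together the two/three TDs that make a setup transfer */
+bool control_td_set = 0;
++ uint32_t link_cnt = 0;
+
+while (1) {
+TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+type = TRB_TYPE(trb);
+
+if (type == TR_LINK) {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return -length;
++ }
+dequeue = xhci_mask64(trb.parameter);
+if (trb.control & TRB_LK_TC) {
+ccs = !ccs;
+--
+1.8.3.1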
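Review bot: `TRB_LINK_LIMIT 4` is added without a comment, and the two checks that use it signal the limit differently — `return 0;` in `xhci_ring_fetch()` and `return -length;` in `xhci_ring_chain_length()` — so a reader has to inspect each caller to learn what those values mean; both functions are cut by the hunks, so the callers are not visible here. A comment at the define, `/* max link TRBs followed per ring walk; a ring whose link TRBs point back at each other would otherwise spin forever */`, plus one line at each early return naming what the caller does with the value, would make the two sites self-explaining. Whether 0 is an otherwise-impossible TRB type for the first site is assumed from the code, not shown.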
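--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch
@@ -0,0 +1,34 @@
+From: Li Qiang <address@hidden>
+
+In 9pfs read dispatch function, it doesn't free two QEMUIOVector
+object thus causing potential memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+hw/9pfs/9p.c | 5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 119ee58..543a791 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
+if (len < 0) {
+/* IO error return the error */
+err = len;
+- goto out;
++ goto out_free_iovec;
+}
+} while (count < max_count && len > 0);
+err = pdu_marshal(pdu, offset, "d", count);
+if (err < 0) {
+- goto out;
++ goto out_free_iovec;
+}
+err += offset + count;
++out_free_iovec:
+qemu_iovec_destroy(&qiov);
+qemu_iovec_destroy(&qiov_full);
+} else if (fidp->fid_type == P9_FID_XATTR) {
+--
+1.8.3.1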
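--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch
@@ -0,0 +1,58 @@
+From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 17 Oct 2016 14:13:58 +0200
+Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
+
+If a guest sends an empty string paramater to any 9P operation, the current
+code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
+
+This is unfortunate because it can cause NULL pointer dereference to happen
+at various locations in the 9pfs code. And we don't want to check str->data
+everywhere we pass it to strcmp() or any other function which expects a
+dereferenceable pointer.
+
+This patch enforces the allocation of genuine C empty strings instead, so
+callers don't have to bother.
+
+Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
+the returned string is empty. It now uses v9fs_string_size() since
+name.data cannot be NULL anymore.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+[groug, rewritten title and changelog,
+fix empty string check in v9fs_xattrwalk()]
+Signed-off-by: Greg Kurz <groug@kaod.org>
+---
+fsdev/9p-iov-marshal.c | 2 +-
+hw/9pfs/9p.c | 2 +-
+2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
+index 663cad5..1d16f8d 100644
+--- a/fsdev/9p-iov-marshal.c
++++ b/fsdev/9p-iov-marshal.c
+@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+str->data = g_malloc(str->size + 1);
+copied = v9fs_unpack(str->data, out_sg, out_num, offset,
+str->size);
+- if (copied > 0) {
++ if (copied >= 0) {
+str->data[str->size] = 0;
+} else {
+v9fs_string_free(str);
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 119ee58..39a7e1d 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
+goto out;
+}
+v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
+- if (name.data == NULL) {
++ if (!v9fs_string_size(&name)) {
+/*
+* listxattr request. Get the size first
+*/
+--
+2.7.3
+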
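--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch
@@ -0,0 +1,30 @@
+From: Prasad J Pandit <address@hidden>
+
+Rocker network switch emulator has test registers to help debug
+DMA operations. While testing host DMA access, a buffer address
+is written to register 'TEST_DMA_ADDR' and its size is written to
+register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
+test, if DMA buffer size was greater than 'INT_MAX', it leads to
+an invalid buffer access. Limit the DMA buffer size to avoid it.
+
+Reported-by: Huawei PSIRT <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/net/rocker/rocker.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index 30f2ce4..e9d215a 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
+rocker_msix_irq(r, val);
+break;
+case ROCKER_TEST_DMA_SIZE:
+- r->test_dma_size = val;
++ r->test_dma_size = val & 0xFFFF;
+break;
+case ROCKER_TEST_DMA_ADDR + 4:
+r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
+--
+2.5.5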
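Review bot: `val & 0xFFFF` silently truncates the guest-written size, and the description above the hunk explains the fault in terms of a size greater than `INT_MAX`, so the chosen bound of 65535 does not follow from the text and a reader cannot tell whether it is the register's real width or just a comfortable limit; the same unexplained mask appears in the CVE-2016-8669-1 rc4030 patch (`s->itr = val & 0x01FF;`). A comment at each store tying the constant to the hardware, e.g. `/* TEST_DMA_SIZE is a 16-bit quantity; mask rather than trust the full 32-bit write */`, would make the choice reviewable. If the intent is instead to reject over-large values, an explicit range check with a `qemu_log_mask(LOG_GUEST_ERROR, ...)` is the clearer shape; `rocker_io_writel()` continues outside the hunk.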
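--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
@@ -0,0 +1,29 @@
+From: Prasad J Pandit <address@hidden>
+
+The JAZZ RC4030 chipset emulator has a periodic timer and
+associated interval reload register. The reload value is used
+as divider when computing timer's next tick value. If reload
+value is large, it could lead to divide by zero error. Limit
+the interval reload value to avoid it.
+
+Reported-by: Huawei PSIRT <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/dma/rc4030.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
+index 2f2576f..c1b4997 100644
+--- a/hw/dma/rc4030.c
++++ b/hw/dma/rc4030.c
+@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
+break;
+/* Interval timer reload */
+case 0x0228:
+- s->itr = val;
++ s->itr = val & 0x01FF;
+qemu_irq_lower(s->timer_irq);
+set_next_tick(s);
+break;
+--
+2.5.5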
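--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch
@@ -0,0 +1,34 @@
+From: Prasad J Pandit <address@hidden>
+
+16550A UART device uses an oscillator to generate frequencies
+(baud base), which decide communication speed. This speed could
+be changed by dividing it by a divider. If the divider is
+greater than the baud base, speed is set to zero, leading to a
+divide by zero error. Add check to avoid it.
+
+Reported-by: Huawei PSIRT <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/char/serial.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+Update per
+-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html
+
+diff --git a/hw/char/serial.c b/hw/char/serial.c
+index 3442f47..eec72b7 100644
+--- a/hw/char/serial.c
++++ b/hw/char/serial.c
+@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
+int speed, parity, data_bits, stop_bits, frame_size;
+QEMUSerialSetParams ssp;
+
+- if (s->divider == 0)
++ if (s->divider == 0 || s->divider > s->baudbase) {
+return;
++ }
+
+/* Start bit. */
+frame_size = 1;
+--
+2.5.5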
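--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch
@@ -0,0 +1,31 @@
+From: Prasad J Pandit <address@hidden>
+
+Intel HDA emulator uses stream of buffers during DMA data
+transfers. Each entry has buffer length and buffer pointer
+position, which are used to derive bytes to 'copy'. If this
+length and buffer pointer were to be same, 'copy' could be
+set to zero(0), leading to an infinite loop. Add check to
+avoid it.
+
+Reported-by: Huawei PSIRT <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/audio/intel-hda.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
+index cd95340..537face 100644
+--- a/hw/audio/intel-hda.c
++++ b/hw/audio/intel-hda.c
+@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
+}
+
+left = len;
+- while (left > 0) {
++ s = st->bentries;
++ while (left > 0 && s-- > 0) {
+copy = left;
+if (copy > st->bsize - st->lpib)
+copy = st->bsize - st->lpib;
+--
+2.7.4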
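--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch
@@ -0,0 +1,29 @@
+From: Prasad J Pandit <address@hidden>
+
+RTL8139 ethernet controller in C+ mode supports multiple
+descriptor rings, each with maximum of 64 descriptors. While
+processing transmit descriptor ring in 'rtl8139_cplus_transmit',
+it does not limit the descriptor count and runs forever. Add
+check to avoid it.
+
+Reported-by: Andrew Henderson <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+hw/net/rtl8139.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 3345bc6..f05e59c 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
+{
+int txcount = 0;
+
+- while (rtl8139_cplus_transmit_one(s))
++ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
+{
+++txcount;
+}
+--
+2.7.4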
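Review bot: The new bound `txcount < 64` is a magic number in the loop condition; the description says a C+ ring holds at most 64 descriptors, so the value belongs in a named constant with that meaning (a name along the lines of `RTL8139_CPLUS_TX_RING_DESCS` — illustrative, pick one matching the file's existing ring constants) and a one-line comment saying it caps one transmit pass at a full ring so a ring whose descriptors never clear cannot keep the loop alive. The loop already increments `++txcount` on every iteration, so only the condition line changes: `while (txcount < RTL8139_CPLUS_TX_RING_DESCS && rtl8139_cplus_transmit_one(s))`. `rtl8139_cplus_transmit()` continues outside the hunk, so whether anything after the loop relies on `txcount` reaching the ring size is not visible here.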
@ -1,5 +1,5 @@
|
|||||||
#!/sbin/openrc-run
|
#!/sbin/openrc-run
|
||||||
# Copyright 1999-2014 Gentoo Foundation
|
# Copyright 1999-2016 Gentoo Foundation
|
||||||
# Distributed under the terms of the GNU General Public License v2
|
# Distributed under the terms of the GNU General Public License v2
|
||||||
# $Id$
|
# $Id$
|
||||||
|
|
||||||
@ -75,7 +75,7 @@ start() {
|
|||||||
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
|
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
|
||||||
fi
|
fi
|
||||||
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
|
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
|
||||||
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
|
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
|
||||||
fi
|
fi
|
||||||
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
|
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
|
||||||
#echo 'Please check cpu value and header information for m68k!'
|
#echo 'Please check cpu value and header information for m68k!'
|
||||||
|
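Review bot: The ppc binfmt registration changes the eighth byte of the mask from `\xff` to `\x00`, which makes the kernel stop comparing that byte of the ELF header when deciding to hand an executable to `/usr/bin/qemu-ppc`; the sparc entry two lines above keeps `\xff` at the same position and nothing in the commit records why ppc alone is relaxed. If that byte is the ELF `EI_OSABI` field and the aim is to also match binaries carrying a non-SYSV OS/ABI tag, a comment on the line would preserve the rationale, e.g. `# mask out EI_OSABI so ppc binaries with a non-zero OS/ABI tag are also routed to qemu-ppc`. The surrounding `start()` function begins outside the hunk.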
@ -12,7 +12,7 @@ PYTHON_REQ_USE="ncurses,readline"
|
|||||||
PLOCALES="bg de_DE fr_FR hu it tr zh_CN"
|
PLOCALES="bg de_DE fr_FR hu it tr zh_CN"
|
||||||
|
|
||||||
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
|
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
|
||||||
user udev fcaps readme.gentoo pax-utils l10n
|
user udev fcaps readme.gentoo-r1 pax-utils l10n
|
||||||
|
|
||||||
if [[ ${PV} = *9999* ]]; then
|
if [[ ${PV} = *9999* ]]; then
|
||||||
EGIT_REPO_URI="git://git.qemu.org/qemu.git"
|
EGIT_REPO_URI="git://git.qemu.org/qemu.git"
|
||||||
@ -111,7 +111,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
|
|||||||
virtual/opengl
|
virtual/opengl
|
||||||
media-libs/libepoxy[static-libs(+)]
|
media-libs/libepoxy[static-libs(+)]
|
||||||
media-libs/mesa[static-libs(+)]
|
media-libs/mesa[static-libs(+)]
|
||||||
media-libs/mesa[egl,gles2]
|
media-libs/mesa[egl,gles2,gbm]
|
||||||
)
|
)
|
||||||
png? ( media-libs/libpng:0=[static-libs(+)] )
|
png? ( media-libs/libpng:0=[static-libs(+)] )
|
||||||
pulseaudio? ( media-sound/pulseaudio )
|
pulseaudio? ( media-sound/pulseaudio )
|
||||||
@ -282,8 +282,6 @@ pkg_setup() {
|
|||||||
enewgroup kvm 78
|
enewgroup kvm 78
|
||||||
}
|
}
|
||||||
|
|
||||||
#S="${WORKDIR}/${MY_P}"
|
|
||||||
|
|
||||||
# Sanity check to make sure target lists are kept up-to-date.
|
# Sanity check to make sure target lists are kept up-to-date.
|
||||||
check_targets() {
|
check_targets() {
|
||||||
local var=$1 mak=$2
|
local var=$1 mak=$2
|
||||||
@ -338,12 +336,30 @@ src_prepare() {
|
|||||||
|
|
||||||
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
|
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
|
||||||
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
|
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
|
||||||
|
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242
|
epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034
|
epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036
|
epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038
|
epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038
|
epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038
|
||||||
epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284
|
epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7907.patch # bug 596048
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7908.patch # bug 596049
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7909.patch # bug 596048
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7994-1.patch # bug 596738
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-7994-2.patch # bug 596738
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8576.patch # bug 596752
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8577.patch # bug 596776
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8578.patch # bug 596774
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8668.patch # bug 597110
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8669-1.patch # bug 597108
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8669-2.patch # bug 597108
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8909.patch # bug 598044
|
||||||
|
epatch "${FILESDIR}"/${P}-CVE-2016-8910.patch # bug 598046
|
||||||
|
|
||||||
# Fix ld and objcopy being called directly
|
# Fix ld and objcopy being called directly
|
||||||
tc-export AR LD OBJCOPY
|
tc-export AR LD OBJCOPY
|
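Review bot: The new `epatch` line for `${P}-CVE-2016-7909.patch` cites `# bug 596048`, the same bug number the CVE-2016-7907 line above already uses, while every other new patch in the block carries its own bug; this is either a copy-paste slip or one bug tracking both CVEs, and the comment should make clear which. The rest of `src_prepare()` lies outside the hunk, so the patch application order beyond what is shown cannot be checked here.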