author | 2016-04-23 16:23:02 -0400 | |
---|---|---|
committer | 2016-04-23 16:29:50 -0400 | |
commit | 78f6468a75114af92b5f86ef97d7614b08ffdeb4 (patch) | |
tree | 28bc167696057f29b9cf0308daea8586f80263db /app-emulation/qemu/files | |
parent | dev-vcs/blogc-git-receiver: do not eautoreconf submodules (diff) | |
app-misc/qemu: version bump & bug fixes #579614 #580040 #580426
Diffstat (limited to 'app-emulation/qemu/files')
3 files changed, 170 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch
new file mode 100644
index 000000000000..cf1a4c3182ac
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch
@@ -0,0 +1,107 @@
+https://bugs.gentoo.org/580426
+https://bugs.gentoo.org/568246
+
+From a49923d2837d20510d645d3758f1ad87c32d0730 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 18 Apr 2016 09:20:54 +0200
+Subject: [PATCH] Revert "ehci: make idt processing more robust"
+
+This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254.
+
+Breaks FreeBSD.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-ehci.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index d5c0e1c..43a8f7a 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1397,7 +1397,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+ USBDevice *dev;
+ USBEndpoint *ep;
+- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
++ uint32_t i, len, pid, dir, devaddr, endp;
+ uint32_t pg, off, ptr1, ptr2, max, mult;
+
+ ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1489,10 +1489,9 @@ static int ehci_process_itd(EHCIState *ehci,
+ ehci_raise_irq(ehci, USBSTS_INT);
+ }
+ itd->transact[i] &= ~ITD_XACT_ACTIVE;
+- xfers++;
+ }
+ }
+- return xfers ? 0 : -1;
++ return 0;
+ }
+
+
+--
+2.7.4
+
+From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 18 Apr 2016 09:11:38 +0200
+Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
+DoS by the guest (create a circular iTD queue and let qemu ehci
+emulation run in circles forever). Unfortunately this has two problems:
+First it misses the case of siTDs, and second it reportedly breaks
+FreeBSD.
+
+So lets go for a different approach: just count the number of iTDs and
+siTDs we have seen per frame and apply a limit. That should really
+catch all cases now.
+
+Reported-by: 杜少博 <dushaobo@360.cn>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-ehci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 159f58d..d5c0e1c 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
+ static void ehci_advance_state(EHCIState *ehci, int async)
+ {
+ EHCIQueue *q = NULL;
++ int itd_count = 0;
+ int again;
+
+ do {
+@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+
+ case EST_FETCHITD:
+ again = ehci_state_fetchitd(ehci, async);
++ itd_count++;
+ break;
+
+ case EST_FETCHSITD:
+ again = ehci_state_fetchsitd(ehci, async);
++ itd_count++;
+ break;
+
+ case EST_ADVANCEQUEUE:
+@@ -2087,7 +2090,8 @@ static void ehci_advance_state(EHCIState *ehci, int async)
+ break;
+ }
+
+- if (again < 0) {
++ if (again < 0 || itd_count > 16) {
++ /* TODO: notify guest (raise HSE irq?) */
+ fprintf(stderr, "processing error - resetting ehci HC\n");
+ ehci_reset(ehci);
+ again = 0;
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch
new file mode 100644
index 000000000000..e3115c1ba9a7
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch
@@ -0,0 +1,16 @@
+https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html
+https://bugs.gentoo.org/580040
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index c69f374..ff1e31a 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
+ CPUX86State *env = &cpu->env;
+ VAPICHandlers *handlers;
+ uint8_t opcode[2];
+- uint32_t imm32;
++ uint32_t imm32 = 0;
+ target_ulong current_pc = 0;
+ target_ulong current_cs_base = 0;
+ int current_flags = 0;
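Review bot: The new cut-off `if (again < 0 || itd_count > 16) {` in ehci_advance_state hard-codes the per-frame iTD/siTD budget as a bare literal with no comment saying where 16 comes from or how close a legitimate guest's periodic schedule gets to it; a named constant with the rationale attached, e.g. `#define EHCI_MAX_ITD_PER_FRAME 16 /* DoS guard: bound iTD/siTD descriptors processed per frame */`, would keep the security intent visible to whoever tunes it next. The response on overflow is a full `ehci_reset(ehci)` with only a `/* TODO: notify guest (raise HSE irq?) */` beside it, so a guest that trips the limit, deliberately or by accident, loses the whole controller with nothing but a stderr line; the patch header should state that this is a known-incomplete mitigation so the ebuild's next bump re-checks it. The index lines also show the two embedded patches in the reverse of their upstream order (the limit patch produces d5c0e1c, which the revert then starts from); the hunks touch different functions so `patch -p1` still applies, but a one-line note at the top of the file would spare the next maintainer that check. ehci_advance_state continues past the end of the embedded hunk, and ehci_process_itd's body is likewise only partly visible here.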
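Review bot: `uint32_t imm32 = 0;` in patch_instruction arrives without any upstream commit header (From/Subject/Signed-off-by) such as the two sibling patch files carry, only a mailing-list link above the `diff --git` line, so nothing in the file says whether this is the version that was merged or a pre-review draft. Add the upstream commit id and subject to the header once it lands, and a one-line comment on the declaration saying that the zero is a defensive default for the opcode paths that never assign `imm32`. Whether a zero immediate is a safe fallback on every one of those paths cannot be judged here, since the rest of patch_instruction lies outside the hunk; that is worth confirming against the full function before relying on the initialiser alone.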
diff --git a/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch
new file mode 100644
index 000000000000..ab7d3f3e2990
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch
@@ -0,0 +1,47 @@
+From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 8 Apr 2016 11:33:48 +0530
+Subject: [PATCH] net: stellaris_enet: check packet length against receive
+ buffer
+
+When receiving packets over Stellaris ethernet controller, it
+uses receive buffer of size 2048 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported-by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+---
+ hw/net/stellaris_enet.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
+index 84cf60b..6880894 100644
+--- a/hw/net/stellaris_enet.c
++++ b/hw/net/stellaris_enet.c
+@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si
+ n = s->next_packet + s->np;
+ if (n >= 31)
+ n -= 31;
+- s->np++;
+
++ if (size >= sizeof(s->rx[n].data) - 6) {
++ /* If the packet won't fit into the
++ * emulated 2K RAM, this is reported
++ * as a FIFO overrun error.
++ */
++ s->ris |= SE_INT_FOV;
++ stellaris_enet_update(s);
++ return -1;
++ }
++
++ s->np++;
+ s->rx[n].len = size + 6;
+ p = s->rx[n].data;
+ *(p++) = (size + 6);
+--
+2.7.4
+
|
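Review bot: The new guard `if (size >= sizeof(s->rx[n].data) - 6) {` in stellaris_enet_receive repeats the bare literal 6 that `s->rx[n].len = size + 6;` and `*(p++) = (size + 6);` also use, with nothing in the hunk naming it as the per-frame overhead the emulated 2K buffer has to hold, so the bound and the writes can silently drift apart; a single named constant such as `enum { STELLARIS_RX_OVERHEAD = 6 };` used in all three places, with a comment saying what those bytes are, would tie them together. The check is correctly placed before `s->np++`, so a rejected frame does not consume a ring slot, and raising `SE_INT_FOV` before the `return -1;` gives the guest a visible reason. Unlike the two sibling patch files this one carries no Gentoo bug or advisory reference in its header; if the fix has a CVE id, naming it in the file name or a header line would let the next version bump decide whether the patch is still needed. The remainder of stellaris_enet_receive, including the header bytes written after `*(p++) = (size + 6);`, is outside the embedded hunk.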