diff options
Diffstat (limited to 'app-emulation/qemu')
25 files changed, 0 insertions, 1202 deletions
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch deleted file mode 100644 index cea8efc06864..000000000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch +++ /dev/null @@ -1,32 +0,0 @@ -http://bugs.gentoo.org/597108 -https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html - -From: Prasad J Pandit <address@hidden> - -The JAZZ RC4030 chipset emulator has a periodic timer and -associated interval reload register. The reload value is used -as divider when computing timer's next tick value. If reload -value is large, it could lead to divide by zero error. Limit -the interval reload value to avoid it. - -Reported-by: Huawei PSIRT <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/dma/rc4030.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c -index 2f2576f..c1b4997 100644 ---- a/hw/dma/rc4030.c -+++ b/hw/dma/rc4030.c -@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data, - break; - /* Interval timer reload */ - case 0x0228: -- s->itr = val; -+ s->itr = val & 0x01FF; - qemu_irq_lower(s->timer_irq); - set_next_tick(s); - break; --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch deleted file mode 100644 index 466c819e78a7..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch +++ /dev/null @@ -1,40 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html -https://bugs.gentoo.org/603444 - -From: P J P -Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size -Date: Wed, 14 Dec 2016 12:31:56 +0530 -From: Prasad J Pandit <address@hidden> - -Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET' -command, retrieves the maximum capabilities size to fill in the -response object. It continues to fill in capabilities even if -retrieved 'max_size' is zero(0), thus resulting in OOB access. -Add check to avoid it. - -Reported-by: Zhenhao Hong <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/display/virtio-gpu-3d.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index 758d33a..6ceeba3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -+ if (!max_size) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; -+ return; -+ } -+ - resp = g_malloc0(sizeof(*resp) + max_size); -- - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; - virgl_renderer_fill_caps(gc.capset_id, - gc.capset_version, --- -2.9.3 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch deleted file mode 100644 index c486295d06fd..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch +++ /dev/null @@ -1,46 +0,0 @@ -From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Mon, 28 Nov 2016 17:49:04 -0800 -Subject: [PATCH] watchdog: 6300esb: add exit function - -When the Intel 6300ESB watchdog is hot unplug. The timer allocated -in realize isn't freed thus leaking memory leak. This patch avoid -this through adding the exit function. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/watchdog/wdt_i6300esb.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c -index a83d951..49b3cd1 100644 ---- a/hw/watchdog/wdt_i6300esb.c -+++ b/hw/watchdog/wdt_i6300esb.c -@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp) - /* qemu_register_coalesced_mmio (addr, 0x10); ? */ - } - -+static void i6300esb_exit(PCIDevice *dev) -+{ -+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev); -+ -+ timer_del(d->timer); -+ timer_free(d->timer); -+} -+ - static WatchdogTimerModel model = { - .wdt_name = "i6300esb", - .wdt_description = "Intel 6300ESB", -@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data) - k->config_read = i6300esb_config_read; - k->config_write = i6300esb_config_write; - k->realize = i6300esb_realize; -+ k->exit = i6300esb_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_ESB_9; - k->class_id = PCI_CLASS_SYSTEM_OTHER; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch deleted file mode 100644 index 841de65d48c0..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch +++ /dev/null @@ -1,35 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html -https://bugs.gentoo.org/601826 - -From: Li Qiang -Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch -Date: Tue, 1 Nov 2016 05:37:57 -0700 -From: Li Qiang <address@hidden> - -In virgl_cmd_get_capset function, it uses g_malloc to allocate -a response struct to the guest. As the 'resp'struct hasn't been full -initialized it will lead the 'resp->padding' field to the guest. -Use g_malloc0 to avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/display/virtio-gpu-3d.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index 23f39de..d98b140 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -- resp = g_malloc(sizeof(*resp) + max_size); -+ resp = g_malloc0(sizeof(*resp) + max_size); - - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; - virgl_renderer_fill_caps(gc.capset_id, --- -1.8.3.1 - - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch deleted file mode 100644 index 55963f70b98b..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch +++ /dev/null @@ -1,38 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html -https://bugs.gentoo.org/602630 - -From: Li Qiang -Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy -Date: Mon, 28 Nov 2016 21:29:25 -0500 -If the guest destroy the resource before detach banking, the 'iov' -and 'addrs' field in resource is not freed thus leading memory -leak issue. This patch avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/display/virtio-gpu.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 60bce94..98dadf2 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -28,6 +28,8 @@ - static struct virtio_gpu_simple_resource* - virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id); - -+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res); -+ - #ifdef CONFIG_VIRGL - #include <virglrenderer.h> - #define VIRGL(_g, _virgl, _simple, ...) \ -@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g, - struct virtio_gpu_simple_resource *res) - { - pixman_image_unref(res->image); -+ virtio_gpu_cleanup_mapping(res); - QTAILQ_REMOVE(&g->reslist, res, next); - g_free(res); - } --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch deleted file mode 100644 index f0bba8016576..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 1 Feb 2017 09:35:01 +0100 -Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) - -When doing bitblt copy in backward mode, we should minus the -blt width first just like the adding in the forward mode. This -can avoid the oob access of the front of vga's vram. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> - -{ kraxel: with backward blits (negative pitch) addr is the topmost - address, so check it as-is against vram size ] - -Cc: qemu-stable@nongnu.org -Cc: P J P <ppandit@redhat.com> -Cc: Laszlo Ersek <lersek@redhat.com> -Cc: Paolo Bonzini <pbonzini@redhat.com> -Cc: Wolfgang Bumiller <w.bumiller@proxmox.com> -Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com -Reviewed-by: Laszlo Ersek <lersek@redhat.com> ---- - hw/display/cirrus_vga.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 7db6409..16f27e8 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - { - if (pitch < 0) { - int64_t min = addr -- + ((int64_t)s->cirrus_blt_height-1) * pitch; -- int32_t max = addr -- + s->cirrus_blt_width; -- if (min < 0 || max > s->vga.vram_size) { -+ + ((int64_t)s->cirrus_blt_height - 1) * pitch -+ - s->cirrus_blt_width; -+ if (min < -1 || addr >= s->vga.vram_size) { - return true; - } - } else { --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch deleted file mode 100644 index e2a98012d7cc..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Gerd Hoffmann <kraxel@redhat.com> -Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo - -CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination -and blit width, at all. Oops. Fix it. - -Security impact: high. - -The missing blit destination check allows to write to host memory. -Basically same as CVE-2014-8106 for the other blit variants. - -The missing blit width check allows to overflow cirrus_bltbuf, -with the attractive target cirrus_srcptr (current cirrus_bltbuf write -position) being located right after cirrus_bltbuf in CirrusVGAState. - -Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker -hasn't full control over cirrus_srcptr though, only one byte can be -changed. Once the first byte has been modified further writes land -elsewhere. - -[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] - -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/cirrus_vga.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 0e47cf8..a093dc8 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - { - int w; - -+ if (blit_is_unsafe(s)) { -+ return 0; -+ } -+ - s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; - s->cirrus_srcptr = &s->cirrus_bltbuf[0]; - s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; -@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - } - s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; - } -+ -+ /* the blit_is_unsafe call above should catch this */ -+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); -+ - s->cirrus_srcptr = s->cirrus_bltbuf; - s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; - cirrus_update_memory_access(s); --- -1.8.3.1 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch deleted file mode 100644 index 034b322de5f9..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch +++ /dev/null @@ -1,22 +0,0 @@ -Comparison symbol is misused. It may lead to memory corruption. - -Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden> ---- - nbd/client.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nbd/client.c b/nbd/client.c -index 6caf6bda6d..351731bc63 100644 ---- a/nbd/client.c -+++ b/nbd/client.c -@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) - char small[1024]; - char *buffer; - -- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); -+ buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size)); - while (size > 0) { - ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); - --- -2.11.0 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch deleted file mode 100644 index 24411b4dca35..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 14 Dec 2016 18:30:21 -0800 -Subject: [PATCH] audio: ac97: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently the ac97 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/audio/ac97.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c -index cbd959e..c306575 100644 ---- a/hw/audio/ac97.c -+++ b/hw/audio/ac97.c -@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) - ac97_on_reset (&s->dev.qdev); - } - -+static void ac97_exit(PCIDevice *dev) -+{ -+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); -+ -+ AUD_close_in(&s->card, s->voice_pi); -+ AUD_close_out(&s->card, s->voice_po); -+ AUD_close_in(&s->card, s->voice_mc); -+ AUD_remove_card(&s->card); -+} -+ - static int ac97_init (PCIBus *bus) - { - pci_create_simple (bus, -1, "AC97"); -@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = ac97_realize; -+ k->exit = ac97_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; - k->revision = 0x01; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch deleted file mode 100644 index 6bbac580c3cd..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 14 Dec 2016 18:32:22 -0800 -Subject: [PATCH] audio: es1370: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently the es1370 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/audio/es1370.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c -index 8449b5f..883ec69 100644 ---- a/hw/audio/es1370.c -+++ b/hw/audio/es1370.c -@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp) - es1370_reset (s); - } - -+static void es1370_exit(PCIDevice *dev) -+{ -+ ES1370State *s = ES1370(dev); -+ int i; -+ -+ for (i = 0; i < 2; ++i) { -+ AUD_close_out(&s->card, s->dac_voice[i]); -+ } -+ -+ AUD_close_in(&s->card, s->adc_voice); -+ AUD_remove_card(&s->card); -+} -+ - static int es1370_init (PCIBus *bus) - { - pci_create_simple (bus, -1, TYPE_ES1370); -@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = es1370_realize; -+ k->exit = es1370_exit; - k->vendor_id = PCI_VENDOR_ID_ENSONIQ; - k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370; - k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch deleted file mode 100644 index 9475f3fd2a29..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Thu, 29 Dec 2016 03:11:26 -0500 -Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the virgl_renderer_resource_attach_iov function fails the -'res_iovs' will be leaked. Add check of the return value to -free the 'res_iovs' when failing. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/virtio-gpu-3d.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index e29f099..b13ced3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, - return; - } - -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -- res_iovs, att_rb.nr_entries); -+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ res_iovs, att_rb.nr_entries); -+ -+ if (ret != 0) -+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); - } - - static void virgl_resource_detach_backing(VirtIOGPU *g, --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch deleted file mode 100644 index f93d1e7f9e9d..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Thu, 29 Dec 2016 04:28:41 -0500 -Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing - -In the resource attach backing function, everytime it will -allocate 'res->iov' thus can leading a memory leak. This -patch avoid this. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> -Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/virtio-gpu.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 6a26258..ca88cf4 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, - return; - } - -+ if (res->iov) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov); - if (ret != 0) { - cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch deleted file mode 100644 index e4572a8d5710..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 4 Jan 2017 00:43:16 -0800 -Subject: [PATCH] serial: fix memory leak in serial exit - -The serial_exit_core function doesn't free some resources. -This can lead memory leak when hotplug and unplug. This -patch avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/char/serial.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index ffbacd8..67b18ed 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) - void serial_exit_core(SerialState *s) - { - qemu_chr_fe_deinit(&s->chr); -+ -+ timer_del(s->modem_status_poll); -+ timer_free(s->modem_status_poll); -+ -+ timer_del(s->fifo_timeout_timer); -+ timer_free(s->fifo_timeout_timer); -+ -+ fifo8_destroy(&s->recv_fifo); -+ fifo8_destroy(&s->xmit_fifo); -+ - qemu_unregister_reset(serial_reset, s); - } - --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch deleted file mode 100644 index 93e9c9406c47..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Tue, 7 Feb 2017 18:29:59 +0000 -Subject: [PATCH] sd: sdhci: check data length during dma_memory_read - -While doing multi block SDMA transfer in routine -'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting -index 'begin' and data length 's->data_count' could end up to be same. -This could lead to an OOB access issue. Correct transfer data length -to avoid it. - -Cc: qemu-stable@nongnu.org -Reported-by: Jiang Xin <jiangxin1@huawei.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Reviewed-by: Peter Maydell <peter.maydell@linaro.org> -Message-id: 20170130064736.9236-1-ppandit@redhat.com -Signed-off-by: Peter Maydell <peter.maydell@linaro.org> ---- - hw/sd/sdhci.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 01fbf22..5bd5ab6 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - boundary_count -= block_size - begin; - } - dma_memory_read(&address_space_memory, s->sdmasysad, -- &s->fifo_buffer[begin], s->data_count); -+ &s->fifo_buffer[begin], s->data_count - begin); - s->sdmasysad += s->data_count - begin; - if (s->data_count == block_size) { - for (n = 0; n < block_size; n++) { --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch deleted file mode 100644 index 2ebd49fa54da..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Mon, 2 Jan 2017 11:03:33 +0100 -Subject: [PATCH] megasas: fix guest-triggered memory leak - -If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd -will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. -Avoid this by returning only the status from map_dcmd, and loading -cmd->iov_size in the caller. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/megasas.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 67fc1e7..6233865 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); - cmd->iov_size = 0; -- return -1; -+ return -EINVAL; - } - iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); - iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); - pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); - qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); - cmd->iov_size = iov_size; -- return cmd->iov_size; -+ return 0; - } - - static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) -@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { - - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode, len; -+ int opcode; - int retval = 0; -+ size_t len; - const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); -- len = megasas_map_dcmd(s, cmd); -- if (len < 0) { -+ if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } - while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { - cmdptr++; - } -+ len = cmd->iov_size; - if (cmdptr->opcode == -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); - retval = megasas_dcmd_dummy(s, cmd); --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch deleted file mode 100644 index 664a669ffaa5..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch +++ /dev/null @@ -1,38 +0,0 @@ -When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the -backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) -we'll leak memory. - -This patch fixes it for 3d mode, simliar to the 2d mode fix in commit -"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy". - -Reported-by: 李强 <address@hidden> -Signed-off-by: Gerd Hoffmann <address@hidden> ---- - hw/display/virtio-gpu-3d.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index f96a0c2..ecb09d1 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g, - struct virtio_gpu_ctrl_command *cmd) - { - struct virtio_gpu_resource_unref unref; -+ struct iovec *res_iovs = NULL; -+ int num_iovs = 0; - - VIRTIO_GPU_FILL_CMD(unref); - trace_virtio_gpu_cmd_res_unref(unref.resource_id); - -+ virgl_renderer_resource_detach_iov(unref.resource_id, -+ &res_iovs, -+ &num_iovs); -+ if (res_iovs != NULL && num_iovs != 0) { -+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs); -+ } - virgl_renderer_resource_unref(unref.resource_id); - } - --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch deleted file mode 100644 index 9f94477a46bf..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Fri, 3 Feb 2017 00:52:28 +0530 -Subject: [PATCH] usb: ccid: check ccid apdu length - -CCID device emulator uses Application Protocol Data Units(APDU) -to exchange command and responses to and from the host. -The length in these units couldn't be greater than 65536. Add -check to ensure the same. It'd also avoid potential integer -overflow in emulated_apdu_from_guest. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-id: 20170202192228.10847-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/usb/dev-smartcard-reader.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c -index 89e11b6..1325ea1 100644 ---- a/hw/usb/dev-smartcard-reader.c -+++ b/hw/usb/dev-smartcard-reader.c -@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) - DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, - recv->hdr.bSeq, len); - ccid_add_pending_answer(s, (CCID_Header *)recv); -- if (s->card) { -+ if (s->card && len <= BULK_OUT_DATA_SIZE) { - ccid_card_apdu_from_guest(s->card, recv->abData, len); - } else { - DPRINTF(s, D_WARN, "warning: discarded apdu\n"); --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch deleted file mode 100644 index f24d557c96df..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch +++ /dev/null @@ -1,46 +0,0 @@ -From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 -From: Gonglei <arei.gonglei@huawei.com> -Date: Tue, 3 Jan 2017 14:50:03 +0800 -Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow - -Because the 'size_t' type is 4 bytes in 32-bit platform, which -is the same with 'int'. It's easy to make 'max_len' to zero when -integer overflow and then cause heap overflow if 'max_len' is zero. - -Using uint_64 instead of size_t to avoid the integer overflow. - -Cc: qemu-stable@nongnu.org -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Gonglei <arei.gonglei@huawei.com> -Tested-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Michael S. Tsirkin <mst@redhat.com> ---- - hw/virtio/virtio-crypto.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c -index 2f2467e..c23e1ad 100644 ---- a/hw/virtio/virtio-crypto.c -+++ b/hw/virtio/virtio-crypto.c -@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - uint32_t hash_start_src_offset = 0, len_to_hash = 0; - uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; - -- size_t max_len, curr_size = 0; -+ uint64_t max_len, curr_size = 0; - size_t s; - - /* Plain cipher */ -@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - return NULL; - } - -- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; -+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; - if (unlikely(max_len > vcrypto->conf.max_size)) { - virtio_error(vdev, "virtio-crypto too big length"); - return NULL; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch deleted file mode 100644 index 50ff3c997924..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch +++ /dev/null @@ -1,87 +0,0 @@ -Limits should be big enough that normal guest should not hit it. -Add a tracepoint to log them, just in case. Also, while being -at it, log the existing link trb limit too. - -Reported-by: 李强 <address@hidden> -Signed-off-by: Gerd Hoffmann <address@hidden> ---- - hw/usb/hcd-xhci.c | 15 ++++++++++++++- - hw/usb/trace-events | 1 + - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index fbf8a8b..28dd2f2 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -51,6 +51,8 @@ - #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS) - - #define TRB_LINK_LIMIT 4 -+#define COMMAND_LIMIT 256 -+#define TRANSFER_LIMIT 256 - - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) -@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - return type; - } else { - if (++link_cnt > TRB_LINK_LIMIT) { -+ trace_usb_xhci_enforced_limit("trb-link"); - return 0; - } - ring->dequeue = xhci_mask64(trb->parameter); -@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) - XHCIRing *ring; - USBEndpoint *ep = NULL; - uint64_t mfindex; -+ unsigned int count = 0; - int length; - int i; - -@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) - epctx->retry = xfer; - break; - } -+ if (count++ > TRANSFER_LIMIT) { -+ trace_usb_xhci_enforced_limit("transfers"); -+ break; -+ } - } - epctx->kick_active--; - -@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci) - TRBType type; - XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS}; - dma_addr_t addr; -- unsigned int i, slotid = 0; -+ unsigned int i, slotid = 0, count = 0; - - DPRINTF("xhci_process_commands()\n"); - if (!xhci_running(xhci)) { -@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci) - } - event.slotid = slotid; - xhci_event(xhci, &event, 0); -+ -+ if (count++ > COMMAND_LIMIT) { -+ trace_usb_xhci_enforced_limit("commands"); -+ return; -+ } - } - } - -diff --git a/hw/usb/trace-events b/hw/usb/trace-events -index fdd1d29..0c323d4 100644 ---- a/hw/usb/trace-events -+++ b/hw/usb/trace-events -@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p" - usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d" - usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d" - usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)" -+usb_xhci_enforced_limit(const char *item) "%s" - - # hw/usb/desc.c - usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d" --- -1.8.3.1 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch deleted file mode 100644 index bfde2e9d4b78..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -In the SDHCI protocol, the transfer mode register value -is used during multi block transfer to check if block count -register is enabled and should be updated. Transfer mode -register could be set such that, block count register would -not be updated, thus leading to an infinite loop. Add check -to avoid it. - -Reported-by: Wjjzhang <address@hidden> -Reported-by: Jiang Xin <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/sd/sdhci.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -Update: use qemu_log_mask(LOG_UNIMP, ...) - -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 5bd5ab6..a9c744b 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12); - uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk); - -+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) { -+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n"); -+ return; -+ } -+ - /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for - * possible stop at page boundary if initial address is not page aligned, - * allow them to work properly */ -@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque) - if (s->trnmod & SDHC_TRNS_DMA) { - switch (SDHC_DMA_TYPE(s->hostctl)) { - case SDHC_CTRL_SDMA: -- if ((s->trnmod & SDHC_TRNS_MULTI) && -- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) { -- break; -- } -- - if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) { - sdhci_sdma_transfer_single_block(s); - } else { --- -2.9.3 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch deleted file mode 100644 index 666c18ccea17..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch +++ /dev/null @@ -1,112 +0,0 @@ -This patch fixed a problem that was introduced in commit eb700029. - -When net_rx_pkt_attach_iovec() calls eth_strip_vlan() -this can result in pkt->ehdr_buf being overflowed, because -ehdr_buf is only sizeof(struct eth_header) bytes large -but eth_strip_vlan() can write -sizeof(struct eth_header) + sizeof(struct vlan_header) -bytes into it. - -Devices affected by this problem: vmxnet3. - -Reported-by: Peter Maydell <address@hidden> -Signed-off-by: Dmitry Fleytman <address@hidden> ---- - hw/net/net_rx_pkt.c | 34 +++++++++++++++++----------------- - 1 file changed, 17 insertions(+), 17 deletions(-) - -diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c -index 1019b50..7c0beac 100644 ---- a/hw/net/net_rx_pkt.c -+++ b/hw/net/net_rx_pkt.c -@@ -23,13 +23,13 @@ - - struct NetRxPkt { - struct virtio_net_hdr virt_hdr; -- uint8_t ehdr_buf[sizeof(struct eth_header)]; -+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]; - struct iovec *vec; - uint16_t vec_len_total; - uint16_t vec_len; - uint32_t tot_len; - uint16_t tci; -- bool vlan_stripped; -+ size_t ehdr_buf_len; - bool has_virt_hdr; - eth_pkt_types_e packet_type; - -@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, - const struct iovec *iov, int iovcnt, - size_t ploff) - { -- if (pkt->vlan_stripped) { -+ if (pkt->ehdr_buf_len) { - net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); - - pkt->vec[0].iov_base = pkt->ehdr_buf; -- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); -- -- pkt->tot_len = -- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header); -+ pkt->vec[0].iov_len = pkt->ehdr_buf_len; - -+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; - pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, - iov, iovcnt, ploff, pkt->tot_len); - } else { -@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt, - uint16_t tci = 0; - uint16_t ploff = iovoff; - assert(pkt); -- pkt->vlan_stripped = false; - - if (strip_vlan) { -- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, -- &ploff, &tci); -+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, -+ &ploff, &tci); -+ } else { -+ pkt->ehdr_buf_len = 0; - } - - pkt->tci = tci; -@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, - uint16_t tci = 0; - uint16_t ploff = iovoff; - assert(pkt); -- pkt->vlan_stripped = false; - - if (strip_vlan) { -- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, -- pkt->ehdr_buf, -- &ploff, &tci); -+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, -+ pkt->ehdr_buf, -+ &ploff, &tci); -+ } else { -+ pkt->ehdr_buf_len = 0; - } - - pkt->tci = tci; -@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt) - NetRxPkt *pkt = (NetRxPkt *)pkt; - assert(pkt); - -- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", -- pkt->tot_len, pkt->vlan_stripped, pkt->tci); -+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n", -+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci); - #endif - } - -@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt) - { - assert(pkt); - -- return pkt->vlan_stripped; -+ return pkt->ehdr_buf_len ? true : false; - } - - bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt) --- -2.7.4 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch deleted file mode 100644 index a15aa96bd56f..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Tue, 7 Feb 2017 02:23:33 -0800 -Subject: [PATCH] usb: ohci: limit the number of link eds - -The guest may builds an infinite loop with link eds. This patch -limit the number of linked ed to avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/usb/hcd-ohci.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c -index 2cba3e3..21c93e0 100644 ---- a/hw/usb/hcd-ohci.c -+++ b/hw/usb/hcd-ohci.c -@@ -42,6 +42,8 @@ - - #define OHCI_MAX_PORTS 15 - -+#define ED_LINK_LIMIT 4 -+ - static int64_t usb_frame_time; - static int64_t usb_bit_time; - -@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) - uint32_t next_ed; - uint32_t cur; - int active; -- -+ uint32_t link_cnt = 0; - active = 0; - - if (head == 0) -@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) - - next_ed = ed.next & OHCI_DPTR_MASK; - -+ if (++link_cnt > ED_LINK_LIMIT) { -+ ohci_die(ohci); -+ return 0; -+ } -+ - if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) { - uint32_t addr; - /* Cancel pending packets for ED that have been paused. */ --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch deleted file mode 100644 index f2d317c3c946..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch +++ /dev/null @@ -1,49 +0,0 @@ -From d63fb193e71644a073b77ff5ac6f1216f2f6cf6e Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Mon, 27 Mar 2017 21:13:19 +0200 -Subject: [PATCH] 9pfs: fix file descriptor leak - -The v9fs_create() and v9fs_lcreate() functions are used to create a file -on the backend and to associate it to a fid. The fid shouldn't be already -in-use, otherwise both functions may silently leak a file descriptor or -allocated memory. The current code doesn't check that. - -This patch ensures that the fid isn't already associated to anything -before using it. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -(reworded the changelog, Greg Kurz) -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index b8c0b99..48babce 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque) - err = -ENOENT; - goto out_nofid; - } -+ if (fidp->fid_type != P9_FID_NONE) { -+ err = -EINVAL; -+ goto out; -+ } - - flags = get_dotl_openflags(pdu->s, flags); - err = v9fs_co_open2(pdu, fidp, &name, gid, -@@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque) - err = -EINVAL; - goto out_nofid; - } -+ if (fidp->fid_type != P9_FID_NONE) { -+ err = -EINVAL; -+ goto out; -+ } - if (perm & P9_STAT_MODE_DIR) { - err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777, - fidp->uid, -1, &stbuf); --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch deleted file mode 100644 index c5366f5758e7..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 9c6b899f7a46893ab3b671e341a2234e9c0c060e Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Mon, 17 Apr 2017 10:53:23 +0200 -Subject: [PATCH] 9pfs: local: set the path of the export root to "." -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The local backend was recently converted to using "at*()" syscalls in order -to ensure all accesses happen below the shared directory. This requires that -we only pass relative paths, otherwise the dirfd argument to the "at*()" -syscalls is ignored and the path is treated as an absolute path in the host. -This is actually the case for paths in all fids, with the notable exception -of the root fid, whose path is "/". This causes the following backend ops to -act on the "/" directory of the host instead of the virtfs shared directory -when the export root is involved: -- lstat -- chmod -- chown -- utimensat - -ie, chmod /9p_mount_point in the guest will be converted to chmod / in the -host for example. This could cause security issues with a privileged QEMU. - -All "*at()" syscalls are being passed an open file descriptor. In the case -of the export root, this file descriptor points to the path in the host that -was passed to -fsdev. - -The fix is thus as simple as changing the path of the export root fid to be -"." instead of "/". - -This is CVE-2017-7471. - -Cc: qemu-stable@nongnu.org -Reported-by: Léo Gaspard <leo@gaspard.io> -Signed-off-by: Greg Kurz <groug@kaod.org> -Reviewed-by: Eric Blake <eblake@redhat.com> -Signed-off-by: Peter Maydell <peter.maydell@linaro.org> ---- - hw/9pfs/9p-local.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c -index 45e9a1f..f3ebca4 100644 ---- a/hw/9pfs/9p-local.c -+++ b/hw/9pfs/9p-local.c -@@ -1098,8 +1098,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, - { - if (dir_path) { - v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); -- } else { -+ } else if (strcmp(name, "/")) { - v9fs_path_sprintf(target, "%s", name); -+ } else { -+ /* We want the path of the export root to be relative, otherwise -+ * "*at()" syscalls would treat it as "/" in the host. -+ */ -+ v9fs_path_sprintf(target, "%s", "."); - } - return 0; - } --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch deleted file mode 100644 index eac72f3dcb59..000000000000 --- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 4ffcdef4277a91af15a3c09f7d16af072c29f3f2 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Fri, 7 Apr 2017 03:48:52 -0700 -Subject: [PATCH] 9pfs: xattr: fix memory leak in v9fs_list_xattr - -Free 'orig_value' in error path. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p-xattr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c -index eec160b..d05c1a1 100644 ---- a/hw/9pfs/9p-xattr.c -+++ b/hw/9pfs/9p-xattr.c -@@ -108,6 +108,7 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path, - g_free(name); - close_preserve_errno(dirfd); - if (xattr_len < 0) { -+ g_free(orig_value); - return -1; - } - --- -2.10.2 - |