diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest index 5e3e9b5718..36a9241809 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest @@ -1 +1 @@ -DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d +DIST qemu-2.8.0.tar.bz2 28368517 SHA256 dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62 SHA512 50f2988d822388ba9fd1bf5dbe68359033ed7432d7f0f9790299f32f63faa6dc72979256b5632ba572d47ee3e74ed40e3e8e331dc6303ec1599f1b4367cb78c2 WHIRLPOOL 0ce4e0539657eb832e4039819e7360c792b6aa41c718f0e0d762f4933217f0d370af94b1d6d9776853575b4a6811d8c85db069bf09d21bd15399ac8b50440ff5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules-r1 b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules-r1 new file mode 100644 index 0000000000..ab3776ac29 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules-r1 @@ -0,0 +1,2 @@ +KERNEL=="kvm", GROUP="kvm", MODE="0660" +KERNEL=="vhost-net", GROUP="kvm", MODE="0660", OPTIONS+="static_node=vhost-net" diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch deleted file mode 100644 index 56f7435df5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Li Qiang - -In Vmxnet3 device emulator while processing transmit(tx) queue, -when it reaches end of packet, it calls vmxnet3_complete_packet. -In that local 'txcq_descr' object is not initialised, which could -leak host memory bytes a guest. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/net/vmxnet3.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index 90f6943..92f6af9 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) - - VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); - -+ memset(&txcq_descr, 0, sizeof(txcq_descr)); - txcq_descr.txdIdx = tx_ridx; - txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); - --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch deleted file mode 100644 index 495faf2f1c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch +++ /dev/null @@ -1,81 +0,0 @@ -From: Prasad J Pandit - -Vmware Paravirtual SCSI emulation uses command descriptors to -process SCSI commands. These descriptors come with their ring -buffers. A guest could set the page count for these rings to -an arbitrary value, leading to infinite loop or OOB access. -Add check to avoid it. - -Reported-by: Tom Victor -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/scsi/vmw_pvscsi.c | 21 ++++++++++----------- - 1 file changed, 10 insertions(+), 11 deletions(-) - -Update per review - -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 5116f4a..4245c15 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input) - return log; - } - --static int -+static void - pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - { - int i; -@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - uint32_t req_ring_size, cmp_ring_size; - m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; - -- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) -- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { -- return -1; -- } - req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; - txr_len_log2 = pvscsi_log2(req_ring_size - 1); -@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) - - /* Flush ring state page changes */ - smp_wmb(); -- -- return 0; - } - - static int -@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc) - - trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages); - for (i = 0; i < rc->cmpRingNumPages; i++) { -- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]); -+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]); - } - } - -@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) - - trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); - -+ if (!rc->reqRingNumPages -+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES -+ || !rc->cmpRingNumPages -+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) { -+ return PVSCSI_COMMAND_PROCESSING_FAILED; -+ } -+ - pvscsi_dbg_dump_tx_rings_config(rc); -- if (pvscsi_ring_init_data(&s->rings, rc) < 0) { -- return PVSCSI_COMMAND_PROCESSING_FAILED; -- } -+ pvscsi_ring_init_data(&s->rings, rc); - - s->rings_info_valid = TRUE; - return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch deleted file mode 100644 index 9c21a6759a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch +++ /dev/null @@ -1,62 +0,0 @@ -From: Prasad J Pandit - -In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very -long time or go into an infinite loop due to two different bugs: - -1) the request descriptor data length is defined to be 64 bit. While -building SG list from a request descriptor, it gets truncated to 32bit -in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop -situation for large 'dataLen' values, when data_length is cast to uint32_t -and chunk_size becomes always zero. Fix this by removing the incorrect -cast. - -2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the -element has a zero length. Get out of the loop early when this happens, -by introducing an upper limit on the number of SG list elements. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/scsi/vmw_pvscsi.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -Update as per: - -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index 4245c15..babac5a 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -40,6 +40,8 @@ - #define PVSCSI_MAX_DEVS (64) - #define PVSCSI_MSIX_NUM_VECTORS (1) - -+#define PVSCSI_MAX_SG_ELEM 2048 -+ - #define PVSCSI_MAX_CMD_DATA_WORDS \ - (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) - -@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d, - static void - pvscsi_convert_sglist(PVSCSIRequest *r) - { -- int chunk_size; -+ uint32_t chunk_size, elmcnt = 0; - uint64_t data_length = r->req.dataLen; - PVSCSISGState sg = r->sg; -- while (data_length) { -- while (!sg.resid) { -+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { -+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { - pvscsi_get_next_sg_elem(&sg); - trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, - r->sg.resid); - } -- assert(data_length > 0); -- chunk_size = MIN((unsigned) data_length, sg.resid); -+ chunk_size = MIN(data_length, sg.resid); - if (chunk_size) { - qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); - } --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch deleted file mode 100644 index 480de308e0..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch +++ /dev/null @@ -1,28 +0,0 @@ -From: Prasad J Pandit - -When LSI SAS1068 Host Bus emulator builds configuration page -headers, the format string used in 'mptsas_config_manufacturing_1' -was wrong. It could lead to an invalid memory access. - -Reported-by: Tom Victor -Fix-suggested-by: Paolo Bonzini -Signed-off-by: Prasad J Pandit ---- - hw/scsi/mptconfig.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c -index 7071854..1ec895b 100644 ---- a/hw/scsi/mptconfig.c -+++ b/hw/scsi/mptconfig.c -@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address - { - /* VPD - all zeros */ - return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00, -- "s256"); -+ "*s256"); - } - - static --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch deleted file mode 100644 index 5e796086ae..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch +++ /dev/null @@ -1,27 +0,0 @@ -From: Prasad J Pandit - -When LSI SAS1068 Host Bus emulator builds configuration page -headers, mptsas_config_pack() asserts to check returned size -value is within limit of 256 bytes. Fix that assert expression. - -Suggested-by: Paolo Bonzini -Signed-off-by: Prasad J Pandit ---- - hw/scsi/mptconfig.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c -index 1ec895b..531947f 100644 ---- a/hw/scsi/mptconfig.c -+++ b/hw/scsi/mptconfig.c -@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...) - va_end(ap); - - if (data) { -- assert(ret < 256 && (ret % 4) == 0); -+ assert(ret / 4 < 256); - stb_p(*data + 1, ret / 4); - } - return ret; --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch deleted file mode 100644 index 7eb5f76dd1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Prasad J Pandit - -When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, -the computed BITMAP and PIXMAP size are checked against the -'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. -Correct these checks to avoid OOB memory access. - -Reported-by: Qinghao Tang -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/display/vmware_vga.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c -index e51a05e..6599cf0 100644 ---- a/hw/display/vmware_vga.c -+++ b/hw/display/vmware_vga.c -@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) - cursor.bpp = vmsvga_fifo_read(s); - - args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); -- if (cursor.width > 256 || -- cursor.height > 256 || -- cursor.bpp > 32 || -- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || -- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { -+ if (cursor.width > 256 -+ || cursor.height > 256 -+ || cursor.bpp > 32 -+ || SVGA_BITMAP_SIZE(x, y) -+ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) -+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) -+ > sizeof(cursor.image) / sizeof(cursor.image[0])) { - goto badcmd; - } - --- -2.5.5 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch deleted file mode 100644 index b9f354537a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Prasad J Pandit - -Vmware Paravirtual SCSI emulator while processing IO requests -could run into an infinite loop if 'pvscsi_ring_pop_req_descr' -always returned positive value. Limit IO loop to the ring size. - -Cc: address@hidden -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: -Signed-off-by: Paolo Bonzini ---- - hw/scsi/vmw_pvscsi.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c -index babac5a..a5ce7de 100644 ---- a/hw/scsi/vmw_pvscsi.c -+++ b/hw/scsi/vmw_pvscsi.c -@@ -247,8 +247,11 @@ static hwaddr - pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) - { - uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); -+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING -+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; - -- if (ready_ptr != mgr->consumed_ptr) { -+ if (ready_ptr != mgr->consumed_ptr -+ && ready_ptr - mgr->consumed_ptr < ring_size) { - uint32_t next_ready_ptr = - mgr->consumed_ptr++ & mgr->txr_len_mask; - uint32_t next_ready_page = --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch deleted file mode 100644 index 6368e7f7e7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch +++ /dev/null @@ -1,38 +0,0 @@ -From: Prasad J Pandit - -virtio back end uses set of buffers to facilitate I/O operations. -If its size is too large, 'cpu_physical_memory_map' could return -a null address. This would result in a null dereference -while un-mapping descriptors. Add check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit ---- - hw/virtio/virtio.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c -index 15ee3a7..0a4c5b6 100644 ---- a/hw/virtio/virtio.c -+++ b/hw/virtio/virtio.c -@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove - } - - iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); -- iov[num_sg].iov_len = len; -- addr[num_sg] = pa; -+ if (iov[num_sg].iov_base) { -+ iov[num_sg].iov_len = len; -+ addr[num_sg] = pa; - -+ pa += len; -+ num_sg++; -+ } - sz -= len; -- pa += len; -- num_sg++; - } - *p_num_sg = num_sg; - } --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch deleted file mode 100644 index fdd871b162..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Li Qiang - -When processing IO request in mptsas, it uses g_new to allocate -a 'req' object. If an error occurs before 'req->sreq' is -allocated, It could lead to an OOB write in mptsas_free_request -function. Use g_new0 to avoid it. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-Id: -Cc: address@hidden -Signed-off-by: Paolo Bonzini ---- - hw/scsi/mptsas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c -index 0e0a22f..eaae1bb 100644 ---- a/hw/scsi/mptsas.c -+++ b/hw/scsi/mptsas.c -@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, - goto bad; - } - -- req = g_new(MPTSASRequest, 1); -+ req = g_new0(MPTSASRequest, 1); - QTAILQ_INSERT_TAIL(&s->pending, req, next); - req->scsi_io = *scsi_io; - req->dev = s; --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch deleted file mode 100644 index d5028bb168..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Li Qiang - -If the xhci uses msix, it doesn't free the corresponding -memory, thus leading a memory leak. This patch avoid this. - -Signed-off-by: Li Qiang ---- - hw/usb/hcd-xhci.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 188f954..281a2a5 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev) - /* destroy msix memory region */ - if (dev->msix_table && dev->msix_pba - && dev->msix_entry_used) { -- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio); -- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio); -+ msix_uninit(dev, &xhci->mem, &xhci->mem); - } - - usb_bus_release(&xhci->bus); --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch deleted file mode 100644 index 34b095a513..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7907.patch +++ /dev/null @@ -1,45 +0,0 @@ -From: Prasad J Pandit - -i.MX Fast Ethernet Controller uses buffer descriptors to manage -data flow to/fro receive & transmit queues. While transmitting -packets, it could continue to read buffer descriptors if a buffer -descriptor has length of zero and has crafted values in bd.flags. -Set an upper limit to number of buffer descriptors. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/net/imx_fec.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -Update per - -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html - -diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c -index 1c415ab..1d74827 100644 ---- a/hw/net/imx_fec.c -+++ b/hw/net/imx_fec.c -@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = { - #define PHY_INT_PARFAULT (1 << 2) - #define PHY_INT_AUTONEG_PAGE (1 << 1) - -+#define IMX_MAX_DESC 1024 -+ - static void imx_eth_update(IMXFECState *s); - - /* -@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s) - - static void imx_fec_do_tx(IMXFECState *s) - { -- int frame_size = 0; -+ int frame_size = 0, descnt = 0; - uint8_t frame[ENET_MAX_FRAME_SIZE]; - uint8_t *ptr = frame; - uint32_t addr = s->tx_descriptor; - -- while (1) { -+ while (descnt++ < IMX_MAX_DESC) { - IMXFECBufDesc bd; - int len; - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch deleted file mode 100644 index 16d072fe79..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7908.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 22 Sep 2016 16:02:37 +0530 -Subject: [PATCH] net: mcf: limit buffer descriptor count - -ColdFire Fast Ethernet Controller uses buffer descriptors to manage -data flow to/fro receive & transmit queues. While transmitting -packets, it could continue to read buffer descriptors if a buffer -descriptor has length of zero and has crafted values in bd.flags. -Set upper limit to number of buffer descriptors. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Reviewed-by: Paolo Bonzini -Signed-off-by: Jason Wang ---- - hw/net/mcf_fec.c | 5 +++-- - 1 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c -index 0ee8ad9..d31fea1 100644 ---- a/hw/net/mcf_fec.c -+++ b/hw/net/mcf_fec.c -@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) - #define DPRINTF(fmt, ...) do {} while(0) - #endif - -+#define FEC_MAX_DESC 1024 - #define FEC_MAX_FRAME_SIZE 2032 - - typedef struct { -@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) - uint32_t addr; - mcf_fec_bd bd; - int frame_size; -- int len; -+ int len, descnt = 0; - uint8_t frame[FEC_MAX_FRAME_SIZE]; - uint8_t *ptr; - -@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) - ptr = frame; - frame_size = 0; - addr = s->tx_descriptor; -- while (1) { -+ while (descnt++ < FEC_MAX_DESC) { - mcf_fec_read_bd(&bd, addr); - DPRINTF("tx_bd %x flags %04x len %d data %08x\n", - addr, bd.flags, bd.length, bd.data); --- -1.7.0.4 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch deleted file mode 100644 index 8e6ecff892..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7909.patch +++ /dev/null @@ -1,32 +0,0 @@ -From: Prasad J Pandit - -The AMD PC-Net II emulator has set of control and status(CSR) -registers. Of these, CSR76 and CSR78 hold receive and transmit -descriptor ring length respectively. This ring length could range -from 1 to 65535. Setting ring length to zero leads to an infinite -loop in pcnet_rdra_addr. Add check to avoid it. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit ---- - hw/net/pcnet.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index 198a01f..3078de8 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value) - case 47: /* POLLINT */ - case 72: - case 74: -+ break; - case 76: /* RCVRL */ - case 78: /* XMTRL */ -+ val = (val > 0) ? val : 512; -+ break; - case 112: - if (CSR_STOP(s) || CSR_SPND(s)) - break; --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch deleted file mode 100644 index 6fe77f367d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-1.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Li Qiang - -In virtio gpu resource create dispatch, if the pixman format is zero -it doesn't free the resource object allocated previously. Thus leading -a host memory leak issue. This patch avoid this. - -Signed-off-by: Li Qiang ---- - hw/display/virtio-gpu.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 7fe6ed8..5b6d17b 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, - qemu_log_mask(LOG_GUEST_ERROR, - "%s: host couldn't handle guest format %d\n", - __func__, c2d.format); -+ g_free(res); - cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; - return; - } --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch deleted file mode 100644 index dce1b2b2a3..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7994-2.patch +++ /dev/null @@ -1,26 +0,0 @@ -From: Li Qiang - -While processing isochronous transfer descriptors(iTD), if the page -select(PG) field value is out of bands it will return. In this -situation the ehci's sg list doesn't be freed thus leading a memory -leak issue. This patch avoid this. - -Signed-off-by: Li Qiang ---- - hw/usb/hcd-ehci.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index b093db7..f4ece9a 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, - if (off + len > 4096) { - /* transfer crosses page border */ - if (pg == 6) { -+ qemu_sglist_destroy(&ehci->isgl); - return -1; /* avoid page pg + 1 */ - } - ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch deleted file mode 100644 index 9617cd5dc8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8576.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Fri, 7 Oct 2016 10:15:29 +0200 -Subject: [PATCH] xhci: limit the number of link trbs we are willing to process - -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-xhci.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index 726435c..ee4fa48 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -54,6 +54,8 @@ - * to the specs when it gets them */ - #define ER_FULL_HACK - -+#define TRB_LINK_LIMIT 4 -+ - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) - #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) -@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - dma_addr_t *addr) - { - PCIDevice *pci_dev = PCI_DEVICE(xhci); -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - ring->dequeue += TRB_SIZE; - return type; - } else { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return 0; -+ } - ring->dequeue = xhci_mask64(trb->parameter); - if (trb->control & TRB_LK_TC) { - ring->ccs = !ring->ccs; -@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - bool ccs = ring->ccs; - /* hack to bundle together the two/three TDs that make a setup transfer */ - bool control_td_set = 0; -+ uint32_t link_cnt = 0; - - while (1) { - TRBType type; -@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) - type = TRB_TYPE(trb); - - if (type == TR_LINK) { -+ if (++link_cnt > TRB_LINK_LIMIT) { -+ return -length; -+ } - dequeue = xhci_mask64(trb.parameter); - if (trb.control & TRB_LK_TC) { - ccs = !ccs; --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch deleted file mode 100644 index 8c295802c8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8577.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Li Qiang - -In 9pfs read dispatch function, it doesn't free two QEMUIOVector -object thus causing potential memory leak. This patch avoid this. - -Signed-off-by: Li Qiang ---- - hw/9pfs/9p.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 119ee58..543a791 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque) - if (len < 0) { - /* IO error return the error */ - err = len; -- goto out; -+ goto out_free_iovec; - } - } while (count < max_count && len > 0); - err = pdu_marshal(pdu, offset, "d", count); - if (err < 0) { -- goto out; -+ goto out_free_iovec; - } - err += offset + count; -+out_free_iovec: - qemu_iovec_destroy(&qiov); - qemu_iovec_destroy(&qiov_full); - } else if (fidp->fid_type == P9_FID_XATTR) { --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch deleted file mode 100644 index 74eee7e4d9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8578.patch +++ /dev/null @@ -1,58 +0,0 @@ -From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Mon, 17 Oct 2016 14:13:58 +0200 -Subject: [PATCH] 9pfs: allocate space for guest originated empty strings - -If a guest sends an empty string paramater to any 9P operation, the current -code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. - -This is unfortunate because it can cause NULL pointer dereference to happen -at various locations in the 9pfs code. And we don't want to check str->data -everywhere we pass it to strcmp() or any other function which expects a -dereferenceable pointer. - -This patch enforces the allocation of genuine C empty strings instead, so -callers don't have to bother. - -Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if -the returned string is empty. It now uses v9fs_string_size() since -name.data cannot be NULL anymore. - -Signed-off-by: Li Qiang -[groug, rewritten title and changelog, - fix empty string check in v9fs_xattrwalk()] -Signed-off-by: Greg Kurz ---- - fsdev/9p-iov-marshal.c | 2 +- - hw/9pfs/9p.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c -index 663cad5..1d16f8d 100644 ---- a/fsdev/9p-iov-marshal.c -+++ b/fsdev/9p-iov-marshal.c -@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, - str->data = g_malloc(str->size + 1); - copied = v9fs_unpack(str->data, out_sg, out_num, offset, - str->size); -- if (copied > 0) { -+ if (copied >= 0) { - str->data[str->size] = 0; - } else { - v9fs_string_free(str); -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 119ee58..39a7e1d 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque) - goto out; - } - v9fs_path_copy(&xattr_fidp->path, &file_fidp->path); -- if (name.data == NULL) { -+ if (!v9fs_string_size(&name)) { - /* - * listxattr request. Get the size first - */ --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch deleted file mode 100644 index a27d3a6fb1..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8668.patch +++ /dev/null @@ -1,30 +0,0 @@ -From: Prasad J Pandit - -Rocker network switch emulator has test registers to help debug -DMA operations. While testing host DMA access, a buffer address -is written to register 'TEST_DMA_ADDR' and its size is written to -register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT -test, if DMA buffer size was greater than 'INT_MAX', it leads to -an invalid buffer access. Limit the DMA buffer size to avoid it. - -Reported-by: Huawei PSIRT -Signed-off-by: Prasad J Pandit ---- - hw/net/rocker/rocker.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c -index 30f2ce4..e9d215a 100644 ---- a/hw/net/rocker/rocker.c -+++ b/hw/net/rocker/rocker.c -@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val) - rocker_msix_irq(r, val); - break; - case ROCKER_TEST_DMA_SIZE: -- r->test_dma_size = val; -+ r->test_dma_size = val & 0xFFFF; - break; - case ROCKER_TEST_DMA_ADDR + 4: - r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch index 457f022d59..cea8efc068 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch @@ -1,3 +1,6 @@ +http://bugs.gentoo.org/597108 +https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html + From: Prasad J Pandit The JAZZ RC4030 chipset emulator has a periodic timer and diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch deleted file mode 100644 index 23393b7d59..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-2.patch +++ /dev/null @@ -1,34 +0,0 @@ -From: Prasad J Pandit - -16550A UART device uses an oscillator to generate frequencies -(baud base), which decide communication speed. This speed could -be changed by dividing it by a divider. If the divider is -greater than the baud base, speed is set to zero, leading to a -divide by zero error. Add check to avoid it. - -Reported-by: Huawei PSIRT -Signed-off-by: Prasad J Pandit ---- - hw/char/serial.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -Update per - -> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index 3442f47..eec72b7 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s) - int speed, parity, data_bits, stop_bits, frame_size; - QEMUSerialSetParams ssp; - -- if (s->divider == 0) -+ if (s->divider == 0 || s->divider > s->baudbase) { - return; -+ } - - /* Start bit. */ - frame_size = 1; --- -2.5.5 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch deleted file mode 100644 index ed6613f896..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8909.patch +++ /dev/null @@ -1,31 +0,0 @@ -From: Prasad J Pandit - -Intel HDA emulator uses stream of buffers during DMA data -transfers. Each entry has buffer length and buffer pointer -position, which are used to derive bytes to 'copy'. If this -length and buffer pointer were to be same, 'copy' could be -set to zero(0), leading to an infinite loop. Add check to -avoid it. - -Reported-by: Huawei PSIRT -Signed-off-by: Prasad J Pandit ---- - hw/audio/intel-hda.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c -index cd95340..537face 100644 ---- a/hw/audio/intel-hda.c -+++ b/hw/audio/intel-hda.c -@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, - } - - left = len; -- while (left > 0) { -+ s = st->bentries; -+ while (left > 0 && s-- > 0) { - copy = left; - if (copy > st->bsize - st->lpib) - copy = st->bsize - st->lpib; --- -2.7.4 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch deleted file mode 100644 index c93f79631f..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8910.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: Prasad J Pandit - -RTL8139 ethernet controller in C+ mode supports multiple -descriptor rings, each with maximum of 64 descriptors. While -processing transmit descriptor ring in 'rtl8139_cplus_transmit', -it does not limit the descriptor count and runs forever. Add -check to avoid it. - -Reported-by: Andrew Henderson -Signed-off-by: Prasad J Pandit ---- - hw/net/rtl8139.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 3345bc6..f05e59c 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s) - { - int txcount = 0; - -- while (rtl8139_cplus_transmit_one(s)) -+ while (txcount < 64 && rtl8139_cplus_transmit_one(s)) - { - ++txcount; - } --- -2.7.4 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch deleted file mode 100644 index 963eca97f4..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9102.patch +++ /dev/null @@ -1,21 +0,0 @@ -From: Li Qiang - -The 'fs.xattr.value' field in V9fsFidState object doesn't consider the -situation that this field has been allocated previously. Every time, it -will be allocated directly. This leads a host memory leak issue. This -patch fix this. - --- -1.8.3.1 -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 75ba5f1..a4c7109 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque) - xattr_fidp->fs.xattr.flags = flags; - v9fs_string_init(&xattr_fidp->fs.xattr.name); - v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); -+ g_free(xattr_fidp->fs.xattr.value); - xattr_fidp->fs.xattr.value = g_malloc(size); - err = offset; - put_fid(pdu, file_fidp); diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch deleted file mode 100644 index 7520863a7d..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9103.patch +++ /dev/null @@ -1,27 +0,0 @@ -Author: Li Qiang -Date: Mon Oct 17 14:13:58 2016 +0200 - - 9pfs: fix information leak in xattr read - - 9pfs uses g_malloc() to allocate the xattr memory space, if the guest - reads this memory before writing to it, this will leak host heap memory - to the guest. This patch avoid this. - - Signed-off-by: Li Qiang - Reviewed-by: Greg Kurz - Signed-off-by: Greg Kurz - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 26aa7d5..bf23b01 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) - xattr_fidp->fs.xattr.flags = flags; - v9fs_string_init(&xattr_fidp->fs.xattr.name); - v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); - g_free(xattr_fidp->fs.xattr.value); -- xattr_fidp->fs.xattr.value = g_malloc(size); -+ xattr_fidp->fs.xattr.value = g_malloc0(size); - err = offset; - put_fid(pdu, file_fidp); - out_nofid: diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch deleted file mode 100644 index f1aec55c22..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9104.patch +++ /dev/null @@ -1,92 +0,0 @@ -From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Tue, 1 Nov 2016 12:00:40 +0100 -Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest -originated offset: they must ensure this offset does not go beyond -the size of the extended attribute that was set in v9fs_xattrcreate(). -Unfortunately, the current code implement these checks with unsafe -calculations on 32 and 64 bit values, which may allow a malicious -guest to cause OOB access anyway. - -Fix this by comparing the offset and the xattr size, which are -both uint64_t, before trying to compute the effective number of bytes -to read or write. - -Suggested-by: Greg Kurz -Signed-off-by: Li Qiang -Reviewed-by: Greg Kurz -Reviewed-By: Guido Günther -Signed-off-by: Greg Kurz ---- - hw/9pfs/9p.c | 32 ++++++++++++-------------------- - 1 file changed, 12 insertions(+), 20 deletions(-) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index ab18ef2..7705ead 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, - { - ssize_t err; - size_t offset = 7; -- int read_count; -- int64_t xattr_len; -+ uint64_t read_count; - V9fsVirtioState *v = container_of(s, V9fsVirtioState, state); - VirtQueueElement *elem = v->elems[pdu->idx]; - -- xattr_len = fidp->fs.xattr.len; -- read_count = xattr_len - off; -+ if (fidp->fs.xattr.len < off) { -+ read_count = 0; -+ } else { -+ read_count = fidp->fs.xattr.len - off; -+ } - if (read_count > max_count) { - read_count = max_count; -- } else if (read_count < 0) { -- /* -- * read beyond XATTR value -- */ -- read_count = 0; - } - err = pdu_marshal(pdu, offset, "d", read_count); - if (err < 0) { -@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, - { - int i, to_copy; - ssize_t err = 0; -- int write_count; -- int64_t xattr_len; -+ uint64_t write_count; - size_t offset = 7; - - -- xattr_len = fidp->fs.xattr.len; -- write_count = xattr_len - off; -- if (write_count > count) { -- write_count = count; -- } else if (write_count < 0) { -- /* -- * write beyond XATTR value len specified in -- * xattrcreate -- */ -+ if (fidp->fs.xattr.len < off) { - err = -ENOSPC; - goto out; - } -+ write_count = fidp->fs.xattr.len - off; -+ if (write_count > count) { -+ write_count = count; -+ } - err = pdu_marshal(pdu, offset, "d", write_count); - if (err < 0) { - return err; --- -2.7.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch deleted file mode 100644 index cddff97f70..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9105.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Li Qiang - -In v9fs_link dispatch function, it doesn't put the 'oldfidp' -fid object, this will make the 'oldfidp->ref' never reach to 0, -thus leading a memory leak issue. This patch fix this. - -Signed-off-by: Li Qiang ---- - hw/9pfs/9p.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 8b50bfb..29f8b7a 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -2413,6 +2413,7 @@ static void v9fs_link(void *opaque) - if (!err) { - err = offset; - } -+ put_fid(pdu, oldfidp); - out: - put_fid(pdu, dfidp); - out_nofid: --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch deleted file mode 100644 index 137272d6b8..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-9106.patch +++ /dev/null @@ -1,27 +0,0 @@ -Author: Li Qiang -Date: Mon Oct 17 14:13:58 2016 +0200 - - 9pfs: fix memory leak in v9fs_write - - If an error occurs when marshalling the transfer length to the guest, the - v9fs_write() function doesn't free an IO vector, thus leading to a memory - leak. This patch fixes the issue. - - Signed-off-by: Li Qiang - Reviewed-by: Greg Kurz - [groug, rephrased the changelog] - Signed-off-by: Greg Kurz - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index d43a552..e88cf25 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque) - offset = 7; - err = pdu_marshal(pdu, offset, "d", total); - if (err < 0) { -- goto out; -+ goto out_qiov; - } - err += offset; - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch new file mode 100644 index 0000000000..466c819e78 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch @@ -0,0 +1,40 @@ +https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html +https://bugs.gentoo.org/603444 + +From: P J P +Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size +Date: Wed, 14 Dec 2016 12:31:56 +0530 +From: Prasad J Pandit + +Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET' +command, retrieves the maximum capabilities size to fill in the +response object. It continues to fill in capabilities even if +retrieved 'max_size' is zero(0), thus resulting in OOB access. +Add check to avoid it. + +Reported-by: Zhenhao Hong +Signed-off-by: Prasad J Pandit +--- + hw/display/virtio-gpu-3d.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index 758d33a..6ceeba3 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); ++ if (!max_size) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; ++ return; ++ } ++ + resp = g_malloc0(sizeof(*resp) + max_size); +- + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; + virgl_renderer_fill_caps(gc.capset_id, + gc.capset_version, +-- +2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch new file mode 100644 index 0000000000..c486295d06 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch @@ -0,0 +1,46 @@ +From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 28 Nov 2016 17:49:04 -0800 +Subject: [PATCH] watchdog: 6300esb: add exit function + +When the Intel 6300ESB watchdog is hot unplug. The timer allocated +in realize isn't freed thus leaking memory leak. This patch avoid +this through adding the exit function. + +Signed-off-by: Li Qiang +Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> +Signed-off-by: Paolo Bonzini +--- + hw/watchdog/wdt_i6300esb.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c +index a83d951..49b3cd1 100644 +--- a/hw/watchdog/wdt_i6300esb.c ++++ b/hw/watchdog/wdt_i6300esb.c +@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp) + /* qemu_register_coalesced_mmio (addr, 0x10); ? */ + } + ++static void i6300esb_exit(PCIDevice *dev) ++{ ++ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev); ++ ++ timer_del(d->timer); ++ timer_free(d->timer); ++} ++ + static WatchdogTimerModel model = { + .wdt_name = "i6300esb", + .wdt_description = "Intel 6300ESB", +@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data) + k->config_read = i6300esb_config_read; + k->config_write = i6300esb_config_write; + k->realize = i6300esb_realize; ++ k->exit = i6300esb_exit; + k->vendor_id = PCI_VENDOR_ID_INTEL; + k->device_id = PCI_DEVICE_ID_INTEL_ESB_9; + k->class_id = PCI_CLASS_SYSTEM_OTHER; +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch new file mode 100644 index 0000000000..841de65d48 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch @@ -0,0 +1,35 @@ +https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html +https://bugs.gentoo.org/601826 + +From: Li Qiang +Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch +Date: Tue, 1 Nov 2016 05:37:57 -0700 +From: Li Qiang + +In virgl_cmd_get_capset function, it uses g_malloc to allocate +a response struct to the guest. As the 'resp'struct hasn't been full +initialized it will lead the 'resp->padding' field to the guest. +Use g_malloc0 to avoid this. + +Signed-off-by: Li Qiang +--- + hw/display/virtio-gpu-3d.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index 23f39de..d98b140 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, + + virgl_renderer_get_cap_set(gc.capset_id, &max_ver, + &max_size); +- resp = g_malloc(sizeof(*resp) + max_size); ++ resp = g_malloc0(sizeof(*resp) + max_size); + + resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; + virgl_renderer_fill_caps(gc.capset_id, +-- +1.8.3.1 + + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch new file mode 100644 index 0000000000..55963f70b9 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch @@ -0,0 +1,38 @@ +https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html +https://bugs.gentoo.org/602630 + +From: Li Qiang +Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy +Date: Mon, 28 Nov 2016 21:29:25 -0500 +If the guest destroy the resource before detach banking, the 'iov' +and 'addrs' field in resource is not freed thus leading memory +leak issue. This patch avoid this. + +Signed-off-by: Li Qiang +--- + hw/display/virtio-gpu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index 60bce94..98dadf2 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -28,6 +28,8 @@ + static struct virtio_gpu_simple_resource* + virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id); + ++static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res); ++ + #ifdef CONFIG_VIRGL + #include + #define VIRGL(_g, _virgl, _simple, ...) \ +@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g, + struct virtio_gpu_simple_resource *res) + { + pixman_image_unref(res->image); ++ virtio_gpu_cleanup_mapping(res); + QTAILQ_REMOVE(&g->reslist, res, next); + g_free(res); + } +-- +1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch new file mode 100644 index 0000000000..f0bba80165 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch @@ -0,0 +1,48 @@ +From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Wed, 1 Feb 2017 09:35:01 +0100 +Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) + +When doing bitblt copy in backward mode, we should minus the +blt width first just like the adding in the forward mode. This +can avoid the oob access of the front of vga's vram. + +Signed-off-by: Li Qiang + +{ kraxel: with backward blits (negative pitch) addr is the topmost + address, so check it as-is against vram size ] + +Cc: qemu-stable@nongnu.org +Cc: P J P +Cc: Laszlo Ersek +Cc: Paolo Bonzini +Cc: Wolfgang Bumiller +Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) +Signed-off-by: Gerd Hoffmann +Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com +Reviewed-by: Laszlo Ersek +--- + hw/display/cirrus_vga.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 7db6409..16f27e8 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + { + if (pitch < 0) { + int64_t min = addr +- + ((int64_t)s->cirrus_blt_height-1) * pitch; +- int32_t max = addr +- + s->cirrus_blt_width; +- if (min < 0 || max > s->vga.vram_size) { ++ + ((int64_t)s->cirrus_blt_height - 1) * pitch ++ - s->cirrus_blt_width; ++ if (min < -1 || addr >= s->vga.vram_size) { + return true; + } + } else { +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch new file mode 100644 index 0000000000..e2a98012d7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch @@ -0,0 +1,56 @@ +From: Gerd Hoffmann +Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +The missing blit width check allows to overflow cirrus_bltbuf, +with the attractive target cirrus_srcptr (current cirrus_bltbuf write +position) being located right after cirrus_bltbuf in CirrusVGAState. + +Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker +hasn't full control over cirrus_srcptr though, only one byte can be +changed. Once the first byte has been modified further writes land +elsewhere. + +[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] + +Signed-off-by: Gerd Hoffmann +--- + hw/display/cirrus_vga.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 0e47cf8..a093dc8 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); +-- +1.8.3.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch new file mode 100644 index 0000000000..034b322de5 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch @@ -0,0 +1,22 @@ +Comparison symbol is misused. It may lead to memory corruption. + +Signed-off-by: Vladimir Sementsov-Ogievskiy +--- + nbd/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nbd/client.c b/nbd/client.c +index 6caf6bda6d..351731bc63 100644 +--- a/nbd/client.c ++++ b/nbd/client.c +@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) + char small[1024]; + char *buffer; + +- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); ++ buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size)); + while (size > 0) { + ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); + +-- +2.11.0 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch new file mode 100644 index 0000000000..24411b4dca --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch @@ -0,0 +1,52 @@ +From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Wed, 14 Dec 2016 18:30:21 -0800 +Subject: [PATCH] audio: ac97: add exit function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently the ac97 device emulation doesn't have a exit function, +hot unplug this device will leak some memory. Add a exit function to +avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com +Signed-off-by: Gerd Hoffmann +--- + hw/audio/ac97.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c +index cbd959e..c306575 100644 +--- a/hw/audio/ac97.c ++++ b/hw/audio/ac97.c +@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) + ac97_on_reset (&s->dev.qdev); + } + ++static void ac97_exit(PCIDevice *dev) ++{ ++ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); ++ ++ AUD_close_in(&s->card, s->voice_pi); ++ AUD_close_out(&s->card, s->voice_po); ++ AUD_close_in(&s->card, s->voice_mc); ++ AUD_remove_card(&s->card); ++} ++ + static int ac97_init (PCIBus *bus) + { + pci_create_simple (bus, -1, "AC97"); +@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) + PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); + + k->realize = ac97_realize; ++ k->exit = ac97_exit; + k->vendor_id = PCI_VENDOR_ID_INTEL; + k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; + k->revision = 0x01; +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch new file mode 100644 index 0000000000..6bbac580c3 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch @@ -0,0 +1,55 @@ +From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Wed, 14 Dec 2016 18:32:22 -0800 +Subject: [PATCH] audio: es1370: add exit function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Currently the es1370 device emulation doesn't have a exit function, +hot unplug this device will leak some memory. Add a exit function to +avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com +Signed-off-by: Gerd Hoffmann +--- + hw/audio/es1370.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c +index 8449b5f..883ec69 100644 +--- a/hw/audio/es1370.c ++++ b/hw/audio/es1370.c +@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp) + es1370_reset (s); + } + ++static void es1370_exit(PCIDevice *dev) ++{ ++ ES1370State *s = ES1370(dev); ++ int i; ++ ++ for (i = 0; i < 2; ++i) { ++ AUD_close_out(&s->card, s->dac_voice[i]); ++ } ++ ++ AUD_close_in(&s->card, s->adc_voice); ++ AUD_remove_card(&s->card); ++} ++ + static int es1370_init (PCIBus *bus) + { + pci_create_simple (bus, -1, TYPE_ES1370); +@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data) + PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); + + k->realize = es1370_realize; ++ k->exit = es1370_exit; + k->vendor_id = PCI_VENDOR_ID_ENSONIQ; + k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370; + k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO; +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch new file mode 100644 index 0000000000..9475f3fd2a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch @@ -0,0 +1,41 @@ +From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Thu, 29 Dec 2016 03:11:26 -0500 +Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If the virgl_renderer_resource_attach_iov function fails the +'res_iovs' will be leaked. Add check of the return value to +free the 'res_iovs' when failing. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/virtio-gpu-3d.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index e29f099..b13ced3 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, + return; + } + +- virgl_renderer_resource_attach_iov(att_rb.resource_id, +- res_iovs, att_rb.nr_entries); ++ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, ++ res_iovs, att_rb.nr_entries); ++ ++ if (ret != 0) ++ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); + } + + static void virgl_resource_detach_backing(VirtIOGPU *g, +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch new file mode 100644 index 0000000000..f93d1e7f9e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch @@ -0,0 +1,35 @@ +From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Thu, 29 Dec 2016 04:28:41 -0500 +Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing + +In the resource attach backing function, everytime it will +allocate 'res->iov' thus can leading a memory leak. This +patch avoid this. + +Signed-off-by: Li Qiang +Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com +Signed-off-by: Gerd Hoffmann +--- + hw/display/virtio-gpu.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index 6a26258..ca88cf4 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, + return; + } + ++ if (res->iov) { ++ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; ++ return; ++ } ++ + ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov); + if (ret != 0) { + cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch new file mode 100644 index 0000000000..e4572a8d57 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch @@ -0,0 +1,40 @@ +From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Wed, 4 Jan 2017 00:43:16 -0800 +Subject: [PATCH] serial: fix memory leak in serial exit + +The serial_exit_core function doesn't free some resources. +This can lead memory leak when hotplug and unplug. This +patch avoid this. + +Signed-off-by: Li Qiang +Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> +Signed-off-by: Paolo Bonzini +--- + hw/char/serial.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/char/serial.c b/hw/char/serial.c +index ffbacd8..67b18ed 100644 +--- a/hw/char/serial.c ++++ b/hw/char/serial.c +@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) + void serial_exit_core(SerialState *s) + { + qemu_chr_fe_deinit(&s->chr); ++ ++ timer_del(s->modem_status_poll); ++ timer_free(s->modem_status_poll); ++ ++ timer_del(s->fifo_timeout_timer); ++ timer_free(s->fifo_timeout_timer); ++ ++ fifo8_destroy(&s->recv_fifo); ++ fifo8_destroy(&s->xmit_fifo); ++ + qemu_unregister_reset(serial_reset, s); + } + +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch new file mode 100644 index 0000000000..93e9c9406c --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch @@ -0,0 +1,37 @@ +From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 7 Feb 2017 18:29:59 +0000 +Subject: [PATCH] sd: sdhci: check data length during dma_memory_read + +While doing multi block SDMA transfer in routine +'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting +index 'begin' and data length 's->data_count' could end up to be same. +This could lead to an OOB access issue. Correct transfer data length +to avoid it. + +Cc: qemu-stable@nongnu.org +Reported-by: Jiang Xin +Signed-off-by: Prasad J Pandit +Reviewed-by: Peter Maydell +Message-id: 20170130064736.9236-1-ppandit@redhat.com +Signed-off-by: Peter Maydell +--- + hw/sd/sdhci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index 01fbf22..5bd5ab6 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + boundary_count -= block_size - begin; + } + dma_memory_read(&address_space_memory, s->sdmasysad, +- &s->fifo_buffer[begin], s->data_count); ++ &s->fifo_buffer[begin], s->data_count - begin); + s->sdmasysad += s->data_count - begin; + if (s->data_count == block_size) { + for (n = 0; n < block_size; n++) { +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch new file mode 100644 index 0000000000..2ebd49fa54 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch @@ -0,0 +1,64 @@ +From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 2 Jan 2017 11:03:33 +0100 +Subject: [PATCH] megasas: fix guest-triggered memory leak + +If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd +will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. +Avoid this by returning only the status from map_dcmd, and loading +cmd->iov_size in the caller. + +Reported-by: Li Qiang +Signed-off-by: Paolo Bonzini +--- + hw/scsi/megasas.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 67fc1e7..6233865 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) + trace_megasas_dcmd_invalid_sge(cmd->index, + cmd->frame->header.sge_count); + cmd->iov_size = 0; +- return -1; ++ return -EINVAL; + } + iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); + iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); + pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); + qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); + cmd->iov_size = iov_size; +- return cmd->iov_size; ++ return 0; + } + + static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) +@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { + + static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) + { +- int opcode, len; ++ int opcode; + int retval = 0; ++ size_t len; + const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; + + opcode = le32_to_cpu(cmd->frame->dcmd.opcode); + trace_megasas_handle_dcmd(cmd->index, opcode); +- len = megasas_map_dcmd(s, cmd); +- if (len < 0) { ++ if (megasas_map_dcmd(s, cmd) < 0) { + return MFI_STAT_MEMORY_NOT_AVAILABLE; + } + while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { + cmdptr++; + } ++ len = cmd->iov_size; + if (cmdptr->opcode == -1) { + trace_megasas_dcmd_unhandled(cmd->index, opcode, len); + retval = megasas_dcmd_dummy(s, cmd); +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch new file mode 100644 index 0000000000..664a669ffa --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch @@ -0,0 +1,38 @@ +When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the +backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) +we'll leak memory. + +This patch fixes it for 3d mode, simliar to the 2d mode fix in commit +"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy". + +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +--- + hw/display/virtio-gpu-3d.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c +index f96a0c2..ecb09d1 100644 +--- a/hw/display/virtio-gpu-3d.c ++++ b/hw/display/virtio-gpu-3d.c +@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g, + struct virtio_gpu_ctrl_command *cmd) + { + struct virtio_gpu_resource_unref unref; ++ struct iovec *res_iovs = NULL; ++ int num_iovs = 0; + + VIRTIO_GPU_FILL_CMD(unref); + trace_virtio_gpu_cmd_res_unref(unref.resource_id); + ++ virgl_renderer_resource_detach_iov(unref.resource_id, ++ &res_iovs, ++ &num_iovs); ++ if (res_iovs != NULL && num_iovs != 0) { ++ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs); ++ } + virgl_renderer_resource_unref(unref.resource_id); + } + +-- +1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch new file mode 100644 index 0000000000..9f94477a46 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch @@ -0,0 +1,35 @@ +From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 3 Feb 2017 00:52:28 +0530 +Subject: [PATCH] usb: ccid: check ccid apdu length + +CCID device emulator uses Application Protocol Data Units(APDU) +to exchange command and responses to and from the host. +The length in these units couldn't be greater than 65536. Add +check to ensure the same. It'd also avoid potential integer +overflow in emulated_apdu_from_guest. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-id: 20170202192228.10847-1-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +--- + hw/usb/dev-smartcard-reader.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c +index 89e11b6..1325ea1 100644 +--- a/hw/usb/dev-smartcard-reader.c ++++ b/hw/usb/dev-smartcard-reader.c +@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) + DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, + recv->hdr.bSeq, len); + ccid_add_pending_answer(s, (CCID_Header *)recv); +- if (s->card) { ++ if (s->card && len <= BULK_OUT_DATA_SIZE) { + ccid_card_apdu_from_guest(s->card, recv->abData, len); + } else { + DPRINTF(s, D_WARN, "warning: discarded apdu\n"); +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch new file mode 100644 index 0000000000..f24d557c96 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch @@ -0,0 +1,46 @@ +From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 +From: Gonglei +Date: Tue, 3 Jan 2017 14:50:03 +0800 +Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow + +Because the 'size_t' type is 4 bytes in 32-bit platform, which +is the same with 'int'. It's easy to make 'max_len' to zero when +integer overflow and then cause heap overflow if 'max_len' is zero. + +Using uint_64 instead of size_t to avoid the integer overflow. + +Cc: qemu-stable@nongnu.org +Reported-by: Li Qiang +Signed-off-by: Gonglei +Tested-by: Li Qiang +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +--- + hw/virtio/virtio-crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 2f2467e..c23e1ad 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + uint32_t hash_start_src_offset = 0, len_to_hash = 0; + uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; + +- size_t max_len, curr_size = 0; ++ uint64_t max_len, curr_size = 0; + size_t s; + + /* Plain cipher */ +@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + +- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; ++ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); + return NULL; +-- +2.10.2 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch new file mode 100644 index 0000000000..50ff3c9979 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch @@ -0,0 +1,87 @@ +Limits should be big enough that normal guest should not hit it. +Add a tracepoint to log them, just in case. Also, while being +at it, log the existing link trb limit too. + +Reported-by: 李强 +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-xhci.c | 15 ++++++++++++++- + hw/usb/trace-events | 1 + + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index fbf8a8b..28dd2f2 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -51,6 +51,8 @@ + #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS) + + #define TRB_LINK_LIMIT 4 ++#define COMMAND_LIMIT 256 ++#define TRANSFER_LIMIT 256 + + #define LEN_CAP 0x40 + #define LEN_OPER (0x400 + 0x10 * MAXPORTS) +@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + return type; + } else { + if (++link_cnt > TRB_LINK_LIMIT) { ++ trace_usb_xhci_enforced_limit("trb-link"); + return 0; + } + ring->dequeue = xhci_mask64(trb->parameter); +@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) + XHCIRing *ring; + USBEndpoint *ep = NULL; + uint64_t mfindex; ++ unsigned int count = 0; + int length; + int i; + +@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) + epctx->retry = xfer; + break; + } ++ if (count++ > TRANSFER_LIMIT) { ++ trace_usb_xhci_enforced_limit("transfers"); ++ break; ++ } + } + epctx->kick_active--; + +@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci) + TRBType type; + XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS}; + dma_addr_t addr; +- unsigned int i, slotid = 0; ++ unsigned int i, slotid = 0, count = 0; + + DPRINTF("xhci_process_commands()\n"); + if (!xhci_running(xhci)) { +@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci) + } + event.slotid = slotid; + xhci_event(xhci, &event, 0); ++ ++ if (count++ > COMMAND_LIMIT) { ++ trace_usb_xhci_enforced_limit("commands"); ++ return; ++ } + } + } + +diff --git a/hw/usb/trace-events b/hw/usb/trace-events +index fdd1d29..0c323d4 100644 +--- a/hw/usb/trace-events ++++ b/hw/usb/trace-events +@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p" + usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d" + usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d" + usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)" ++usb_xhci_enforced_limit(const char *item) "%s" + + # hw/usb/desc.c + usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d" +-- +1.8.3.1 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch new file mode 100644 index 0000000000..bfde2e9d4b --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch @@ -0,0 +1,50 @@ +From: Prasad J Pandit + +In the SDHCI protocol, the transfer mode register value +is used during multi block transfer to check if block count +register is enabled and should be updated. Transfer mode +register could be set such that, block count register would +not be updated, thus leading to an infinite loop. Add check +to avoid it. + +Reported-by: Wjjzhang +Reported-by: Jiang Xin +Signed-off-by: Prasad J Pandit +--- + hw/sd/sdhci.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +Update: use qemu_log_mask(LOG_UNIMP, ...) + -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html + +diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c +index 5bd5ab6..a9c744b 100644 +--- a/hw/sd/sdhci.c ++++ b/hw/sd/sdhci.c +@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) + uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12); + uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk); + ++ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) { ++ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n"); ++ return; ++ } ++ + /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for + * possible stop at page boundary if initial address is not page aligned, + * allow them to work properly */ +@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque) + if (s->trnmod & SDHC_TRNS_DMA) { + switch (SDHC_DMA_TYPE(s->hostctl)) { + case SDHC_CTRL_SDMA: +- if ((s->trnmod & SDHC_TRNS_MULTI) && +- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) { +- break; +- } +- + if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) { + sdhci_sdma_transfer_single_block(s); + } else { +-- +2.9.3 + diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch new file mode 100644 index 0000000000..666c18ccea --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch @@ -0,0 +1,112 @@ +This patch fixed a problem that was introduced in commit eb700029. + +When net_rx_pkt_attach_iovec() calls eth_strip_vlan() +this can result in pkt->ehdr_buf being overflowed, because +ehdr_buf is only sizeof(struct eth_header) bytes large +but eth_strip_vlan() can write +sizeof(struct eth_header) + sizeof(struct vlan_header) +bytes into it. + +Devices affected by this problem: vmxnet3. + +Reported-by: Peter Maydell +Signed-off-by: Dmitry Fleytman +--- + hw/net/net_rx_pkt.c | 34 +++++++++++++++++----------------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c +index 1019b50..7c0beac 100644 +--- a/hw/net/net_rx_pkt.c ++++ b/hw/net/net_rx_pkt.c +@@ -23,13 +23,13 @@ + + struct NetRxPkt { + struct virtio_net_hdr virt_hdr; +- uint8_t ehdr_buf[sizeof(struct eth_header)]; ++ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]; + struct iovec *vec; + uint16_t vec_len_total; + uint16_t vec_len; + uint32_t tot_len; + uint16_t tci; +- bool vlan_stripped; ++ size_t ehdr_buf_len; + bool has_virt_hdr; + eth_pkt_types_e packet_type; + +@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, + const struct iovec *iov, int iovcnt, + size_t ploff) + { +- if (pkt->vlan_stripped) { ++ if (pkt->ehdr_buf_len) { + net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); + + pkt->vec[0].iov_base = pkt->ehdr_buf; +- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); +- +- pkt->tot_len = +- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header); ++ pkt->vec[0].iov_len = pkt->ehdr_buf_len; + ++ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; + pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, + iov, iovcnt, ploff, pkt->tot_len); + } else { +@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt, + uint16_t tci = 0; + uint16_t ploff = iovoff; + assert(pkt); +- pkt->vlan_stripped = false; + + if (strip_vlan) { +- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, +- &ploff, &tci); ++ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, ++ &ploff, &tci); ++ } else { ++ pkt->ehdr_buf_len = 0; + } + + pkt->tci = tci; +@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, + uint16_t tci = 0; + uint16_t ploff = iovoff; + assert(pkt); +- pkt->vlan_stripped = false; + + if (strip_vlan) { +- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, +- pkt->ehdr_buf, +- &ploff, &tci); ++ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, ++ pkt->ehdr_buf, ++ &ploff, &tci); ++ } else { ++ pkt->ehdr_buf_len = 0; + } + + pkt->tci = tci; +@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt) + NetRxPkt *pkt = (NetRxPkt *)pkt; + assert(pkt); + +- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", +- pkt->tot_len, pkt->vlan_stripped, pkt->tci); ++ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n", ++ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci); + #endif + } + +@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt) + { + assert(pkt); + +- return pkt->vlan_stripped; ++ return pkt->ehdr_buf_len ? true : false; + } + + bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt) +-- +2.7.4 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1 b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1 index 18adb65c08..fe62a2a211 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1 +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1 @@ -1,7 +1,6 @@ #!/sbin/openrc-run # Copyright 1999-2016 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Id$ # enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd.head b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd.head new file mode 100644 index 0000000000..858d5d7453 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd.head @@ -0,0 +1,64 @@ +#!/sbin/openrc-run +# Copyright 1999-2017 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +# Enable automatic non-native program execution by the kernel. + +# Defaulting to OC should be safe because it comes down to: +# - do we trust the interp itself to not be malicious? yes; we built it. +# - do we trust the programs we're running? ish; same permission as native +# binaries apply. so if user can do bad stuff natively, cross isn't worse. +: ${QEMU_BINFMT_FLAGS:=OC} + +depend() { + after procfs +} + +start() { + ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})" + + if [ ! -d /proc/sys/fs/binfmt_misc ] ; then + modprobe -q binfmt_misc + fi + + if [ ! -d /proc/sys/fs/binfmt_misc ] ; then + eend 1 "You need support for 'misc binaries' in your kernel!" + return + fi + + if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then + mount -t binfmt_misc -o nodev,noexec,nosuid \ + binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1 + eend $? || return + fi + + # Probe the native cpu type so we don't try registering them. + local cpu="$(uname -m)" + case "${cpu}" in + armv[4-9]*) + cpu="arm" + ;; + i386|i486|i586|i686|i86pc|BePC|x86_64) + cpu="i386" + ;; + m68k) + cpu="m68k" + ;; + mips*) + cpu="mips" + ;; + "Power Macintosh"|ppc|ppc64) + cpu="ppc" + ;; + s390*) + cpu="s390" + ;; + sh*) + cpu="sh" + ;; + sparc*) + cpu="sparc" + ;; + esac + + # Register the interpreter for each cpu except for the native one. diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd.tail b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd.tail new file mode 100644 index 0000000000..7679481929 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd.tail @@ -0,0 +1,14 @@ + eend 0 +} + +stop() { + # We unregister everything in the "qemu-xxx" namespace. + ebegin "Unregistering qemu-user binaries" + local f + for f in /proc/sys/fs/binfmt_misc/qemu-* ; do + if [ -f "${f}" ] ; then + echo '-1' > "${f}" + fi + done + eend 0 +} diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/metadata.xml index d036967f11..9a8a1a335b 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/metadata.xml @@ -32,9 +32,9 @@ Use libsdl2 instead of libsdl Enable Spice protocol support via app-emulation/spice Enable SSH based block device support via net-libs/libssh2 - Builds the Software MMU (system) targets as static binaries + Build the Software MMU (system) targets as static binaries Build the User targets as static binaries - Enables both 'static-softmmu' and 'static-user' + Build the User and Software MMU (system) targets as well as tools as static binaries Enable support for snappy compression Enable SystemTAP/DTrace tracing Enable the TCG Interpreter which can speed up or slowdown workloads depending on the host and guest CPUs being emulated. In the future it will be a runtime option but for now its compile time. @@ -42,7 +42,6 @@ Enable png image support for the VNC console server Enable USB passthrough via dev-libs/libusb Use sys-apps/usbredir to redirect USB devices to another machine over TCP - Enable UUID support in the vdi block driver Enable VDE-based networking Enable accelerated networking using vhost-net, see http://www.linux-kvm.org/page/VhostNet Enable experimental Virgil 3d (virtual software GPU) diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.7.0-r8.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.7.0-r8.ebuild deleted file mode 100644 index 4db6990ad9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.7.0-r8.ebuild +++ /dev/null @@ -1,710 +0,0 @@ -# Copyright 1999-2016 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Id$ - -EAPI="5" - -PYTHON_COMPAT=( python2_7 ) -PYTHON_REQ_USE="ncurses,readline" - -PLOCALES="bg de_DE fr_FR hu it tr zh_CN" - -inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ - user udev fcaps readme.gentoo-r1 pax-utils l10n - -if [[ ${PV} = *9999* ]]; then - EGIT_REPO_URI="git://git.qemu.org/qemu.git" - inherit git-2 - SRC_URI="" -else - SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2" - KEYWORDS="amd64 ~arm64 ~ppc ~ppc64 x86 ~x86-fbsd" -fi - -DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" -HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" - -LICENSE="GPL-2 LGPL-2 BSD-2" -SLOT="0" -IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs \ -gnutls gtk gtk2 infiniband iscsi +jpeg \ -kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs -+png pulseaudio python \ -rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu -static-user systemtap tci test +threads usb usbredir +uuid vde +vhost-net \ -virgl virtfs +vnc vte xattr xen xfs" - -COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips -mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32 -x86_64" -IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore xtensa xtensaeb" -IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" - -use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) -use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) -IUSE+=" ${use_softmmu_targets} ${use_user_targets}" - -# Allow no targets to be built so that people can get a tools-only build. -# Block USE flag configurations known to not work. -REQUIRED_USE="${PYTHON_REQUIRED_USE} - gtk2? ( gtk ) - qemu_softmmu_targets_arm? ( fdt ) - qemu_softmmu_targets_microblaze? ( fdt ) - qemu_softmmu_targets_ppc? ( fdt ) - qemu_softmmu_targets_ppc64? ( fdt ) - sdl2? ( sdl ) - static? ( static-softmmu static-user ) - static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 ) - virtfs? ( xattr ) - vte? ( gtk )" - -# Yep, you need both libcap and libcap-ng since virtfs only uses libcap. -# -# The attr lib isn't always linked in (although the USE flag is always -# respected). This is because qemu supports using the C library's API -# when available rather than always using the extranl library. -# -# Older versions of gnutls are supported, but it's simpler to just require -# the latest versions. This is also why we require nettle. -# -# TODO: Split out tools deps into another var. e.g. bzip2 is only used by -# system binaries and tools, not user binaries. -COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)] - sys-libs/zlib[static-libs(+)] - bzip2? ( app-arch/bzip2[static-libs(+)] ) - xattr? ( sys-apps/attr[static-libs(+)] )" -SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} - >=x11-libs/pixman-0.28.0[static-libs(+)] - accessibility? ( app-accessibility/brltty[static-libs(+)] ) - aio? ( dev-libs/libaio[static-libs(+)] ) - alsa? ( >=media-libs/alsa-lib-1.0.13 ) - bluetooth? ( net-wireless/bluez ) - caps? ( sys-libs/libcap-ng[static-libs(+)] ) - curl? ( >=net-misc/curl-7.15.4[static-libs(+)] ) - fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] ) - glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] ) - gnutls? ( - dev-libs/nettle:=[static-libs(+)] - >=net-libs/gnutls-3.0:=[static-libs(+)] - ) - gtk? ( - gtk2? ( - x11-libs/gtk+:2 - vte? ( x11-libs/vte:0 ) - ) - !gtk2? ( - x11-libs/gtk+:3 - vte? ( x11-libs/vte:2.91 ) - ) - ) - infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] ) - iscsi? ( net-libs/libiscsi ) - jpeg? ( virtual/jpeg:0=[static-libs(+)] ) - lzo? ( dev-libs/lzo:2[static-libs(+)] ) - ncurses? ( sys-libs/ncurses:0=[static-libs(+)] ) - nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] ) - numa? ( sys-process/numactl[static-libs(+)] ) - opengl? ( - virtual/opengl - media-libs/libepoxy[static-libs(+)] - media-libs/mesa[static-libs(+)] - media-libs/mesa[egl,gles2,gbm] - ) - png? ( media-libs/libpng:0=[static-libs(+)] ) - pulseaudio? ( media-sound/pulseaudio ) - rbd? ( sys-cluster/ceph[static-libs(+)] ) - sasl? ( dev-libs/cyrus-sasl[static-libs(+)] ) - sdl? ( - !sdl2? ( - media-libs/libsdl[X] - >=media-libs/libsdl-1.2.11[static-libs(+)] - ) - sdl2? ( - media-libs/libsdl2[X] - media-libs/libsdl2[static-libs(+)] - ) - ) - seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) - smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) - snappy? ( app-arch/snappy[static-libs(+)] ) - spice? ( - >=app-emulation/spice-protocol-0.12.3 - >=app-emulation/spice-0.12.0[static-libs(+)] - ) - ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) - usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) - usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) - uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] ) - vde? ( net-misc/vde[static-libs(+)] ) - virgl? ( media-libs/virglrenderer[static-libs(+)] ) - virtfs? ( sys-libs/libcap ) - xfs? ( sys-fs/xfsprogs[static-libs(+)] )" -USER_LIB_DEPEND="${COMMON_LIB_DEPEND}" -X86_FIRMWARE_DEPEND=" - >=sys-firmware/ipxe-1.0.0_p20130624 - pin-upstream-blobs? ( - ~sys-firmware/seabios-1.8.2 - ~sys-firmware/sgabios-0.1_pre8 - ~sys-firmware/vgabios-0.7a - ) - !pin-upstream-blobs? ( - sys-firmware/seabios - sys-firmware/sgabios - sys-firmware/vgabios - )" -CDEPEND=" - !static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) ) - !static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) " ${use_user_targets}) ) - qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} ) - qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} ) - python? ( ${PYTHON_DEPS} ) - systemtap? ( dev-util/systemtap ) - xen? ( app-emulation/xen-tools:= )" -DEPEND="${CDEPEND} - dev-lang/perl - =dev-lang/python-2* - sys-apps/texinfo - virtual/pkgconfig - kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 ) - gtk? ( nls? ( sys-devel/gettext ) ) - static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND} ) " ${use_softmmu_targets}) ) - static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND} ) " ${use_user_targets}) ) - test? ( - dev-libs/glib[utils] - sys-devel/bc - )" -RDEPEND="${CDEPEND} - selinux? ( sec-policy/selinux-qemu ) -" - -STRIP_MASK="/usr/share/qemu/palcode-clipper" - -QA_PREBUILT=" - usr/share/qemu/openbios-ppc - usr/share/qemu/openbios-sparc64 - usr/share/qemu/openbios-sparc32 - usr/share/qemu/palcode-clipper - usr/share/qemu/s390-ccw.img - usr/share/qemu/u-boot.e500 -" - -QA_WX_LOAD="usr/bin/qemu-i386 - usr/bin/qemu-x86_64 - usr/bin/qemu-alpha - usr/bin/qemu-arm - usr/bin/qemu-cris - usr/bin/qemu-m68k - usr/bin/qemu-microblaze - usr/bin/qemu-microblazeel - usr/bin/qemu-mips - usr/bin/qemu-mipsel - usr/bin/qemu-or32 - usr/bin/qemu-ppc - usr/bin/qemu-ppc64 - usr/bin/qemu-ppc64abi32 - usr/bin/qemu-sh4 - usr/bin/qemu-sh4eb - usr/bin/qemu-sparc - usr/bin/qemu-sparc64 - usr/bin/qemu-armeb - usr/bin/qemu-sparc32plus - usr/bin/qemu-s390x - usr/bin/qemu-unicore32" - -DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure -you have the kernel module loaded before running kvm. The easiest way to -ensure that the kernel module is loaded is to load it on boot.\n -For AMD CPUs the module is called 'kvm-amd'.\n -For Intel CPUs the module is called 'kvm-intel'.\n -Please review /etc/conf.d/modules for how to load these.\n\n -Make sure your user is in the 'kvm' group\n -Just run 'gpasswd -a kvm', then have re-login.\n\n -For brand new installs, the default permissions on /dev/kvm might not let you -access it. You can tell udev to reset ownership/perms:\n -udevadm trigger -c add /dev/kvm" - -qemu_support_kvm() { - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \ - use qemu_softmmu_targets_ppc || use qemu_softmmu_targets_ppc64 \ - use qemu_softmmu_targets_s390x; then - return 0 - fi - - return 1 -} - -pkg_pretend() { - if use kernel_linux && kernel_is lt 2 6 25; then - eerror "This version of KVM requres a host kernel of 2.6.25 or higher." - elif use kernel_linux; then - if ! linux_config_exists; then - eerror "Unable to check your kernel for KVM support" - else - CONFIG_CHECK="~KVM ~TUN ~BRIDGE" - ERROR_KVM="You must enable KVM in your kernel to continue" - ERROR_KVM_AMD="If you have an AMD CPU, you must enable KVM_AMD in" - ERROR_KVM_AMD+=" your kernel configuration." - ERROR_KVM_INTEL="If you have an Intel CPU, you must enable" - ERROR_KVM_INTEL+=" KVM_INTEL in your kernel configuration." - ERROR_TUN="You will need the Universal TUN/TAP driver compiled" - ERROR_TUN+=" into your kernel or loaded as a module to use the" - ERROR_TUN+=" virtual network device if using -net tap." - ERROR_BRIDGE="You will also need support for 802.1d" - ERROR_BRIDGE+=" Ethernet Bridging for some network configurations." - use vhost-net && CONFIG_CHECK+=" ~VHOST_NET" - ERROR_VHOST_NET="You must enable VHOST_NET to have vhost-net" - ERROR_VHOST_NET+=" support" - - if use amd64 || use x86 || use amd64-linux || use x86-linux; then - CONFIG_CHECK+=" ~KVM_AMD ~KVM_INTEL" - fi - - use python && CONFIG_CHECK+=" ~DEBUG_FS" - ERROR_DEBUG_FS="debugFS support required for kvm_stat" - - # Now do the actual checks setup above - check_extra_config - fi - fi - - if grep -qs '/usr/bin/qemu-kvm' "${EROOT}"/etc/libvirt/qemu/*.xml; then - eerror "The kvm/qemu-kvm wrappers no longer exist, but your libvirt" - eerror "instances are still pointing to it. Please update your" - eerror "configs in /etc/libvirt/qemu/ to use the -enable-kvm flag" - eerror "and the right system binary (e.g. qemu-system-x86_64)." - die "update your virt configs to not use qemu-kvm" - fi -} - -pkg_setup() { - enewgroup kvm 78 -} - -# Sanity check to make sure target lists are kept up-to-date. -check_targets() { - local var=$1 mak=$2 - local detected sorted - - pushd "${S}"/default-configs >/dev/null || die - - # Force C locale until glibc is updated. #564936 - detected=$(echo $(printf '%s\n' *-${mak}.mak | sed "s:-${mak}.mak::" | LC_COLLATE=C sort -u)) - sorted=$(echo $(printf '%s\n' ${!var} | LC_COLLATE=C sort -u)) - if [[ ${sorted} != "${detected}" ]] ; then - eerror "The ebuild needs to be kept in sync." - eerror "${var}: ${sorted}" - eerror "$(printf '%-*s' ${#var} configure): ${detected}" - die "sync ${var} to the list of targets" - fi - - popd >/dev/null -} - -handle_locales() { - # Make sure locale list is kept up-to-date. - local detected sorted - detected=$(echo $(cd po && printf '%s\n' *.po | grep -v messages.po | sed 's:.po$::' | sort -u)) - sorted=$(echo $(printf '%s\n' ${PLOCALES} | sort -u)) - if [[ ${sorted} != "${detected}" ]] ; then - eerror "The ebuild needs to be kept in sync." - eerror "PLOCALES: ${sorted}" - eerror " po/*.po: ${detected}" - die "sync PLOCALES" - fi - - # Deal with selective install of locales. - if use nls ; then - # Delete locales the user does not want. #577814 - rm_loc() { rm po/$1.po || die; } - l10n_for_each_disabled_locale_do rm_loc - else - # Cheap hack to disable gettext .mo generation. - rm -f po/*.po - fi -} - -src_prepare() { - check_targets IUSE_SOFTMMU_TARGETS softmmu - check_targets IUSE_USER_TARGETS linux-user - - # Alter target makefiles to accept CFLAGS set via flag-o - sed -i -r \ - -e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \ - Makefile Makefile.target || die - - epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch - epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch - - epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242 - epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034 - epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036 - epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038 - epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038 - epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284 - epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950 - epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956 - epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368 - epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520 - epatch "${FILESDIR}"/${P}-CVE-2016-7907.patch # bug 596048 - epatch "${FILESDIR}"/${P}-CVE-2016-7908.patch # bug 596049 - epatch "${FILESDIR}"/${P}-CVE-2016-7909.patch # bug 596048 - epatch "${FILESDIR}"/${P}-CVE-2016-7994-1.patch # bug 596738 - epatch "${FILESDIR}"/${P}-CVE-2016-7994-2.patch # bug 596738 - epatch "${FILESDIR}"/${P}-CVE-2016-8576.patch # bug 596752 - epatch "${FILESDIR}"/${P}-CVE-2016-8577.patch # bug 596776 - epatch "${FILESDIR}"/${P}-CVE-2016-8578.patch # bug 596774 - epatch "${FILESDIR}"/${P}-CVE-2016-8668.patch # bug 597110 - epatch "${FILESDIR}"/${P}-CVE-2016-8669-1.patch # bug 597108 - epatch "${FILESDIR}"/${P}-CVE-2016-8669-2.patch # bug 597108 - epatch "${FILESDIR}"/${P}-CVE-2016-8909.patch # bug 598044 - epatch "${FILESDIR}"/${P}-CVE-2016-8910.patch # bug 598046 - epatch "${FILESDIR}"/${P}-CVE-2016-9102.patch # bug 598328 - epatch "${FILESDIR}"/${P}-CVE-2016-9103.patch # bug 598328 - epatch "${FILESDIR}"/${P}-CVE-2016-9104.patch # bug 598328 - epatch "${FILESDIR}"/${P}-CVE-2016-9105.patch # bug 598328 - epatch "${FILESDIR}"/${P}-CVE-2016-9106.patch # bug 598772 - - # fix for vpc creation in qemu-img - epatch "${FILESDIR}"/0001-block-fix-vpc-max_table_entries-computation.patch - - # Fix ld and objcopy being called directly - tc-export AR LD OBJCOPY - - # Verbose builds - MAKEOPTS+=" V=1" - - epatch_user - - # Run after we've applied all patches. - handle_locales -} - -## -# configures qemu based on the build directory and the build type -# we are using. -# -qemu_src_configure() { - debug-print-function ${FUNCNAME} "$@" - - local buildtype=$1 - local builddir="${S}/${buildtype}-build" - local static_flag="static-${buildtype}" - - mkdir "${builddir}" - - local conf_opts=( - --prefix=/usr - --sysconfdir=/etc - --libdir=/usr/$(get_libdir) - --docdir=/usr/share/doc/${PF}/html - --disable-bsd-user - --disable-guest-agent - --disable-strip - --disable-werror - # We support gnutls/nettle for crypto operations. It is possible - # to use gcrypt when gnutls/nettle are disabled (but not when they - # are enabled), but it's not really worth the hassle. Disable it - # all the time to avoid automatically detecting it. #568856 - --disable-gcrypt - --python="${PYTHON}" - --cc="$(tc-getCC)" - --cxx="$(tc-getCXX)" - --host-cc="$(tc-getBUILD_CC)" - $(use_enable debug debug-info) - $(use_enable debug debug-tcg) - --enable-docs - $(use_enable tci tcg-interpreter) - $(use_enable xattr attr) - ) - - # Disable options not used by user targets as the default configure - # options will autoprobe and try to link in a bunch of unused junk. - conf_softmmu() { - if [[ ${buildtype} == "user" ]] ; then - echo "--disable-${2:-$1}" - else - use_enable "$@" - fi - } - conf_opts+=( - $(conf_softmmu accessibility brlapi) - $(conf_softmmu aio linux-aio) - $(conf_softmmu bzip2) - $(conf_softmmu bluetooth bluez) - $(conf_softmmu caps cap-ng) - $(conf_softmmu curl) - $(conf_softmmu fdt) - $(conf_softmmu glusterfs) - $(conf_softmmu gnutls) - $(conf_softmmu gnutls nettle) - $(conf_softmmu gtk) - $(conf_softmmu infiniband rdma) - $(conf_softmmu iscsi libiscsi) - $(conf_softmmu jpeg vnc-jpeg) - $(conf_softmmu kernel_linux kvm) - $(conf_softmmu lzo) - $(conf_softmmu ncurses curses) - $(conf_softmmu nfs libnfs) - $(conf_softmmu numa) - $(conf_softmmu opengl) - $(conf_softmmu png vnc-png) - $(conf_softmmu rbd) - $(conf_softmmu sasl vnc-sasl) - $(conf_softmmu sdl) - $(conf_softmmu seccomp) - $(conf_softmmu smartcard) - $(conf_softmmu snappy) - $(conf_softmmu spice) - $(conf_softmmu ssh libssh2) - $(conf_softmmu usb libusb) - $(conf_softmmu usbredir usb-redir) - $(conf_softmmu uuid) - $(conf_softmmu vde) - $(conf_softmmu vhost-net) - $(conf_softmmu virgl virglrenderer) - $(conf_softmmu virtfs) - $(conf_softmmu vnc) - $(conf_softmmu vte) - $(conf_softmmu xen) - $(conf_softmmu xen xen-pci-passthrough) - $(conf_softmmu xfs xfsctl) - ) - - case ${buildtype} in - user) - conf_opts+=( - --enable-linux-user - --disable-system - --disable-blobs - --disable-tools - ) - ;; - softmmu) - # audio options - local audio_opts="oss" - use alsa && audio_opts="alsa,${audio_opts}" - use sdl && audio_opts="sdl,${audio_opts}" - use pulseaudio && audio_opts="pa,${audio_opts}" - - conf_opts+=( - --disable-linux-user - --enable-system - --with-system-pixman - --audio-drv-list="${audio_opts}" - ) - use gtk && conf_opts+=( --with-gtkabi=$(usex gtk2 2.0 3.0) ) - use sdl && conf_opts+=( --with-sdlabi=$(usex sdl2 2.0 1.2) ) - ;; - tools) - conf_opts+=( - --disable-linux-user - --disable-system - --disable-blobs - $(use_enable bzip2) - ) - static_flag="static" - ;; - esac - - local targets="${buildtype}_targets" - [[ -n ${targets} ]] && conf_opts+=( --target-list="${!targets}" ) - - # Add support for SystemTAP - use systemtap && conf_opts+=( --enable-trace-backend=dtrace ) - - # We always want to attempt to build with PIE support as it results - # in a more secure binary. But it doesn't work with static or if - # the current GCC doesn't have PIE support. - if use ${static_flag}; then - conf_opts+=( --static --disable-pie ) - else - gcc-specs-pie && conf_opts+=( --enable-pie ) - fi - - echo "../configure ${conf_opts[*]}" - cd "${builddir}" - ../configure "${conf_opts[@]}" || die "configure failed" - - # FreeBSD's kernel does not support QEMU assigning/grabbing - # host USB devices yet - use kernel_FreeBSD && \ - sed -i -E -e "s|^(HOST_USB=)bsd|\1stub|" "${S}"/config-host.mak -} - -src_configure() { - local target - - python_setup - - softmmu_targets= softmmu_bins=() - user_targets= user_bins=() - - for target in ${IUSE_SOFTMMU_TARGETS} ; do - if use "qemu_softmmu_targets_${target}"; then - softmmu_targets+=",${target}-softmmu" - softmmu_bins+=( "qemu-system-${target}" ) - fi - done - - for target in ${IUSE_USER_TARGETS} ; do - if use "qemu_user_targets_${target}"; then - user_targets+=",${target}-linux-user" - user_bins+=( "qemu-${target}" ) - fi - done - - softmmu_targets=${softmmu_targets#,} - user_targets=${user_targets#,} - - [[ -n ${softmmu_targets} ]] && qemu_src_configure "softmmu" - [[ -n ${user_targets} ]] && qemu_src_configure "user" - [[ -z ${softmmu_targets}${user_targets} ]] && qemu_src_configure "tools" -} - -src_compile() { - if [[ -n ${user_targets} ]]; then - cd "${S}/user-build" - default - fi - - if [[ -n ${softmmu_targets} ]]; then - cd "${S}/softmmu-build" - default - fi - - if [[ -z ${softmmu_targets}${user_targets} ]]; then - cd "${S}/tools-build" - default - fi -} - -src_test() { - if [[ -n ${softmmu_targets} ]]; then - cd "${S}/softmmu-build" - pax-mark m */qemu-system-* #515550 - emake -j1 check - emake -j1 check-report.html - fi -} - -qemu_python_install() { - python_domodule "${S}/scripts/qmp/qmp.py" - - python_doscript "${S}/scripts/kvm/vmxcap" - python_doscript "${S}/scripts/qmp/qmp-shell" - python_doscript "${S}/scripts/qmp/qemu-ga-client" -} - -src_install() { - if [[ -n ${user_targets} ]]; then - cd "${S}/user-build" - emake DESTDIR="${ED}" install - - # Install binfmt handler init script for user targets - newinitd "${FILESDIR}/qemu-binfmt.initd-r1" qemu-binfmt - fi - - if [[ -n ${softmmu_targets} ]]; then - cd "${S}/softmmu-build" - emake DESTDIR="${ED}" install - - # This might not exist if the test failed. #512010 - [[ -e check-report.html ]] && dohtml check-report.html - - if use kernel_linux; then - udev_dorules "${FILESDIR}"/65-kvm.rules - fi - - if use python; then - python_foreach_impl qemu_python_install - fi - fi - - if [[ -z ${softmmu_targets}${user_targets} ]]; then - cd "${S}/tools-build" - emake DESTDIR="${ED}" install - fi - - # Disable mprotect on the qemu binaries as they use JITs to be fast #459348 - pushd "${ED}"/usr/bin >/dev/null - pax-mark m "${softmmu_bins[@]}" "${user_bins[@]}" - popd >/dev/null - - # Install config file example for qemu-bridge-helper - insinto "/etc/qemu" - doins "${FILESDIR}/bridge.conf" - - # Remove the docdir placed qmp-commands.txt - mv "${ED}/usr/share/doc/${PF}/html/qmp-commands.txt" "${S}/docs/" || die - - cd "${S}" - dodoc Changelog MAINTAINERS docs/specs/pci-ids.txt - newdoc pc-bios/README README.pc-bios - dodoc docs/qmp-*.txt - - if [[ -n ${softmmu_targets} ]]; then - # Remove SeaBIOS since we're using the SeaBIOS packaged one - rm "${ED}/usr/share/qemu/bios.bin" - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../seabios/bios.bin /usr/share/qemu/bios.bin - fi - - # Remove vgabios since we're using the vgabios packaged one - rm "${ED}/usr/share/qemu/vgabios.bin" - rm "${ED}/usr/share/qemu/vgabios-cirrus.bin" - rm "${ED}/usr/share/qemu/vgabios-qxl.bin" - rm "${ED}/usr/share/qemu/vgabios-stdvga.bin" - rm "${ED}/usr/share/qemu/vgabios-vmware.bin" - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../vgabios/vgabios.bin /usr/share/qemu/vgabios.bin - dosym ../vgabios/vgabios-cirrus.bin /usr/share/qemu/vgabios-cirrus.bin - dosym ../vgabios/vgabios-qxl.bin /usr/share/qemu/vgabios-qxl.bin - dosym ../vgabios/vgabios-stdvga.bin /usr/share/qemu/vgabios-stdvga.bin - dosym ../vgabios/vgabios-vmware.bin /usr/share/qemu/vgabios-vmware.bin - fi - - # Remove sgabios since we're using the sgabios packaged one - rm "${ED}/usr/share/qemu/sgabios.bin" - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../sgabios/sgabios.bin /usr/share/qemu/sgabios.bin - fi - - # Remove iPXE since we're using the iPXE packaged one - rm "${ED}"/usr/share/qemu/pxe-*.rom - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../ipxe/8086100e.rom /usr/share/qemu/pxe-e1000.rom - dosym ../ipxe/80861209.rom /usr/share/qemu/pxe-eepro100.rom - dosym ../ipxe/10500940.rom /usr/share/qemu/pxe-ne2k_pci.rom - dosym ../ipxe/10222000.rom /usr/share/qemu/pxe-pcnet.rom - dosym ../ipxe/10ec8139.rom /usr/share/qemu/pxe-rtl8139.rom - dosym ../ipxe/1af41000.rom /usr/share/qemu/pxe-virtio.rom - fi - fi - - qemu_support_kvm && readme.gentoo_create_doc -} - -pkg_postinst() { - if qemu_support_kvm; then - readme.gentoo_print_elog - fi - - if [[ -n ${softmmu_targets} ]] && use kernel_linux; then - udev_reload - fi - - fcaps cap_net_admin /usr/libexec/qemu-bridge-helper -} - -pkg_info() { - echo "Using:" - echo " $(best_version app-emulation/spice-protocol)" - echo " $(best_version sys-firmware/ipxe)" - echo " $(best_version sys-firmware/seabios)" - if has_version 'sys-firmware/seabios[binary]'; then - echo " USE=binary" - else - echo " USE=''" - fi - echo " $(best_version sys-firmware/vgabios)" -} diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r3.ebuild similarity index 91% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-9999.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r3.ebuild index a33eb05c08..d6ad3ad891 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-9999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r3.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2016 Gentoo Foundation +# Copyright 1999-2017 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 EAPI="5" @@ -17,7 +17,7 @@ if [[ ${PV} = *9999* ]]; then SRC_URI="" else SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2" - KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd" + KEYWORDS="amd64 ~arm64 ~ppc ~ppc64 x86 ~x86-fbsd" fi DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" @@ -30,13 +30,13 @@ gnutls gtk gtk2 infiniband iscsi +jpeg \ kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png pulseaudio python \ rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu -static-user systemtap tci test +threads usb usbredir +uuid vde +vhost-net \ +static-user systemtap tci test +threads usb usbredir vde +vhost-net \ virgl virtfs +vnc vte xattr xen xfs" COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips -mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32 +mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 x86_64" -IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore xtensa xtensaeb" +IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore unicore32 xtensa xtensaeb" IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) @@ -100,14 +100,17 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} iscsi? ( net-libs/libiscsi ) jpeg? ( virtual/jpeg:0=[static-libs(+)] ) lzo? ( dev-libs/lzo:2[static-libs(+)] ) - ncurses? ( sys-libs/ncurses:0=[static-libs(+)] ) + ncurses? ( + sys-libs/ncurses:0=[unicode] + sys-libs/ncurses:0=[static-libs(+)] + ) nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] ) numa? ( sys-process/numactl[static-libs(+)] ) opengl? ( virtual/opengl media-libs/libepoxy[static-libs(+)] media-libs/mesa[static-libs(+)] - media-libs/mesa[egl,gles2,gbm] + media-libs/mesa[egl,gbm] ) png? ( media-libs/libpng:0=[static-libs(+)] ) pulseaudio? ( media-sound/pulseaudio ) @@ -133,7 +136,6 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) - uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] ) vde? ( net-misc/vde[static-libs(+)] ) virgl? ( media-libs/virglrenderer[static-libs(+)] ) virtfs? ( sys-libs/libcap ) @@ -142,7 +144,7 @@ USER_LIB_DEPEND="${COMMON_LIB_DEPEND}" X86_FIRMWARE_DEPEND=" >=sys-firmware/ipxe-1.0.0_p20130624 pin-upstream-blobs? ( - ~sys-firmware/seabios-1.8.2 + ~sys-firmware/seabios-1.10.1 ~sys-firmware/sgabios-0.1_pre8 ~sys-firmware/vgabios-0.7a ) @@ -333,6 +335,30 @@ src_prepare() { epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch + epatch "${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch #601826 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch #602630 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch #603444 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10155.patch #606720 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2615.patch #608034 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2630.patch #609396 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-1.patch #606264 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-2.patch + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5552.patch #606722 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5578.patch #607000 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5579.patch #607100 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5667.patch #607766 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5856.patch #608036 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5857.patch #608038 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5898.patch #608520 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5931.patch #608728 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5973.patch #609334 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch #609638 + epatch "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch #609206 + + # fix for vpc creation in qemu-img + epatch "${FILESDIR}"/0001-block-fix-vpc-max_table_entries-computation.patch # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY @@ -425,7 +451,6 @@ qemu_src_configure() { $(conf_softmmu ssh libssh2) $(conf_softmmu usb libusb) $(conf_softmmu usbredir usb-redir) - $(conf_softmmu uuid) $(conf_softmmu vde) $(conf_softmmu vhost-net) $(conf_softmmu virgl virglrenderer) @@ -579,7 +604,7 @@ src_install() { [[ -e check-report.html ]] && dohtml check-report.html if use kernel_linux; then - udev_dorules "${FILESDIR}"/65-kvm.rules + udev_newrules "${FILESDIR}"/65-kvm.rules-r1 65-kvm.rules fi if use python; then