From c86ff7a09638fc1c0c4e94e36b45697c3ee35811 Mon Sep 17 00:00:00 2001 
From: David Michael
Date: Fri, 16 Jun 2017 11:45:35 -0700
Subject: [PATCH] app-emulation/qemu: sync with upstream

The only CoreOS changes are to add the vpc patch and stabilize arm64, despite not actually using it anywhere yet.
---
.../app-emulation/qemu/Manifest | 3 +-
.../app-emulation/qemu/files/65-kvm.rules | 1 -
.../files/qemu-2.7.0-CVE-2016-8669-1.patch | 32 ----
.../files/qemu-2.8.0-CVE-2016-10028.patch | 40 ----
.../files/qemu-2.8.0-CVE-2016-10155.patch | 46 -----
.../qemu/files/qemu-2.8.0-CVE-2016-9908.patch | 35 ----
.../qemu/files/qemu-2.8.0-CVE-2016-9912.patch | 38 ----
.../qemu/files/qemu-2.8.0-CVE-2017-2615.patch | 48 -----
.../qemu/files/qemu-2.8.0-CVE-2017-2620.patch | 56 ------
.../qemu/files/qemu-2.8.0-CVE-2017-2630.patch | 22 ---
.../files/qemu-2.8.0-CVE-2017-5525-1.patch | 52 ------
.../files/qemu-2.8.0-CVE-2017-5525-2.patch | 55 ------
.../qemu/files/qemu-2.8.0-CVE-2017-5552.patch | 41 -----
.../qemu/files/qemu-2.8.0-CVE-2017-5578.patch | 35 ----
.../qemu/files/qemu-2.8.0-CVE-2017-5579.patch | 40 ----
.../qemu/files/qemu-2.8.0-CVE-2017-5667.patch | 37 ----
.../qemu/files/qemu-2.8.0-CVE-2017-5856.patch | 64 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5857.patch | 38 ----
.../qemu/files/qemu-2.8.0-CVE-2017-5898.patch | 35 ----
.../qemu/files/qemu-2.8.0-CVE-2017-5931.patch | 46 -----
.../qemu/files/qemu-2.8.0-CVE-2017-5973.patch | 87 --------
.../qemu/files/qemu-2.8.0-CVE-2017-5987.patch | 50 -----
.../qemu/files/qemu-2.8.0-CVE-2017-6058.patch | 112 ----------
.../qemu/files/qemu-2.8.0-CVE-2017-6505.patch | 52 ------
.../qemu/files/qemu-2.9.0-CVE-2017-7493.patch | 174 ++++++++++++++++++
.../qemu/files/qemu-2.9.0-CVE-2017-8112.patch | 22 +++
.../qemu/files/qemu-2.9.0-CVE-2017-8309.patch | 22 +++
.../qemu/files/qemu-2.9.0-CVE-2017-8379.patch | 76 ++++++++
.../qemu/files/qemu-2.9.0-CVE-2017-8380.patch | 34 ++++
.../qemu/files/qemu-binfmt.initd-r1 | 138 --------------
...u-2.8.0-r9.ebuild => qemu-2.9.0-r2.ebuild} | 85 ++++-----
31 files changed, 360 insertions(+), 1256 deletions(-)
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch
create mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch
delete mode 100644 sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1
rename sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/{qemu-2.8.0-r9.ebuild => qemu-2.9.0-r2.ebuild} (89%)
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest
index 411c33e179..fb4bf04409 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest
@@ -1,2 +1 @@
-DIST qemu-2.8.0-CVE-2016-9602-patches.tar.xz 16264 SHA256 18ac829c6003a3f997db4030a46b422028c58fead158f0c5ffe36ad65acb84e0 SHA512 a56694d1600e4fd1ffd6bbe031a0db226fc5c88306797cc4e42d1dc6127b83d1791cb4e026988b3aad82eab84382e41077ae71e532d1d3489e179730185c0964 WHIRLPOOL 22057b001c478b2b0d97ad70393c973aefc6277d89bb5a1ae03c3c39b5182ddfbe541964761f512ed5735dc442e1f40d0a955ad5b270758e21ce815be86b24bd
-DIST qemu-2.8.0.tar.bz2 28368517 SHA256 dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62 SHA512 50f2988d822388ba9fd1bf5dbe68359033ed7432d7f0f9790299f32f63faa6dc72979256b5632ba572d47ee3e74ed40e3e8e331dc6303ec1599f1b4367cb78c2 WHIRLPOOL 0ce4e0539657eb832e4039819e7360c792b6aa41c718f0e0d762f4933217f0d370af94b1d6d9776853575b4a6811d8c85db069bf09d21bd15399ac8b50440ff5
+DIST qemu-2.9.0.tar.bz2 28720490 SHA256 00bfb217b1bb03c7a6c3261b819cfccbfb5a58e3e2ceff546327d271773c6c14 SHA512 4b28966eec0ca44681e35fcfb64a4eaef7c280b8d65c91d03f2efa37f76278fd8c1680e5798c7a30dbfcc8f3c05f4a803f48b8a2dfec3a4181bac079b2a5e422 WHIRLPOOL d79fe89eb271a56aee0cbd328e5f96999176b711afb5683d164b7b99d91e6dd2bfaf6e2ff4cd820a941c94f28116765cb07ffd5809d75c2f9654a67d56bfc0c1
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules
deleted file mode 100644
index c2f7317aac..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules
+++ /dev/null
@@ -1 +0,0 @@
-KERNEL=="kvm", GROUP="kvm", MODE="0660"
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
deleted file mode 100644
index cea8efc068..0000000000
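Review bot: The removed `DIST qemu-2.8.0-CVE-2016-9602-patches.tar.xz` entry takes the 9pfs CVE-2016-9602 patch set out of the build, and the rest of this commit deletes 22 more CVE backport patch files, yet neither this hunk nor the commit message states that each of those fixes is actually present in the qemu-2.9.0 tarball whose digests are added here. Before merging, check every dropped CVE against the 2.9.0 release notes and record the outcome in the commit message, e.g. `All dropped CVE backports and the CVE-2016-9602 patch set are included upstream in qemu-2.9.0.` The new SHA256/SHA512/WHIRLPOOL values should also be confirmed against upstream's detached GPG signature for the release rather than a mirror download, since this Manifest line is the only integrity anchor the ebuild has for the source; I cannot verify the digests from here.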
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-http://bugs.gentoo.org/597108
-https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html
-
-From: Prasad J Pandit
-
-The JAZZ RC4030 chipset emulator has a periodic timer and
-associated interval reload register. The reload value is used
-as divider when computing timer's next tick value. If reload
-value is large, it could lead to divide by zero error. Limit
-the interval reload value to avoid it.
-
-Reported-by: Huawei PSIRT
-Signed-off-by: Prasad J Pandit
----
- hw/dma/rc4030.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
-index 2f2576f..c1b4997 100644
---- a/hw/dma/rc4030.c
-+++ b/hw/dma/rc4030.c
-@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
- break;
- /* Interval timer reload */
- case 0x0228:
-- s->itr = val;
-+ s->itr = val & 0x01FF;
- qemu_irq_lower(s->timer_irq);
- set_next_tick(s);
- break;
---
-2.5.5
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
deleted file mode 100644
index 466c819e78..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
+++ /dev/null
@@ -1,40 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html -https://bugs.gentoo.org/603444 - -From: P J P -Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size -Date: Wed, 14 Dec 2016 12:31:56 +0530 -From: Prasad J Pandit - -Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET' -command, retrieves the maximum capabilities size to fill in the -response object. It continues to fill in capabilities even if -retrieved 'max_size' is zero(0), thus resulting in OOB access. -Add check to avoid it. - -Reported-by: Zhenhao Hong -Signed-off-by: Prasad J Pandit ---- - hw/display/virtio-gpu-3d.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index 758d33a..6ceeba3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -+ if (!max_size) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; -+ return; -+ } -+ - resp = g_malloc0(sizeof(*resp) + max_size); -- - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; - virgl_renderer_fill_caps(gc.capset_id, - gc.capset_version, --- -2.9.3 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch deleted file mode 100644 index c486295d06..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Mon, 28 Nov 2016 17:49:04 -0800 -Subject: [PATCH] watchdog: 6300esb: add exit function - -When the Intel 6300ESB watchdog is hot unplug. The timer allocated -in realize isn't freed thus leaking memory leak. This patch avoid -this through adding the exit function. - -Signed-off-by: Li Qiang -Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> -Signed-off-by: Paolo Bonzini ---- - hw/watchdog/wdt_i6300esb.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c -index a83d951..49b3cd1 100644 ---- a/hw/watchdog/wdt_i6300esb.c -+++ b/hw/watchdog/wdt_i6300esb.c -@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp) - /* qemu_register_coalesced_mmio (addr, 0x10); ? */ - } - -+static void i6300esb_exit(PCIDevice *dev) -+{ -+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev); -+ -+ timer_del(d->timer); -+ timer_free(d->timer); -+} -+ - static WatchdogTimerModel model = { - .wdt_name = "i6300esb", - .wdt_description = "Intel 6300ESB", -@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data) - k->config_read = i6300esb_config_read; - k->config_write = i6300esb_config_write; - k->realize = i6300esb_realize; -+ k->exit = i6300esb_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_ESB_9; - k->class_id = PCI_CLASS_SYSTEM_OTHER; --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch deleted file mode 100644 index 841de65d48..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html -https://bugs.gentoo.org/601826 - -From: Li Qiang -Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch -Date: Tue, 1 Nov 2016 05:37:57 -0700 -From: Li Qiang - -In virgl_cmd_get_capset function, it uses g_malloc to allocate -a response struct to the guest. As the 'resp'struct hasn't been full -initialized it will lead the 'resp->padding' field to the guest. -Use g_malloc0 to avoid this. - -Signed-off-by: Li Qiang ---- - hw/display/virtio-gpu-3d.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index 23f39de..d98b140 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -- resp = g_malloc(sizeof(*resp) + max_size); -+ resp = g_malloc0(sizeof(*resp) + max_size); - - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; - virgl_renderer_fill_caps(gc.capset_id, --- -1.8.3.1 - - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch deleted file mode 100644 index 55963f70b9..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html -https://bugs.gentoo.org/602630 - -From: Li Qiang -Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy -Date: Mon, 28 Nov 2016 21:29:25 -0500 -If the guest destroy the resource before detach banking, the 'iov' -and 'addrs' field in resource is not freed thus leading memory -leak issue. This patch avoid this. - -Signed-off-by: Li Qiang ---- - hw/display/virtio-gpu.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 60bce94..98dadf2 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -28,6 +28,8 @@ - static struct virtio_gpu_simple_resource* - virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id); - -+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res); -+ - #ifdef CONFIG_VIRGL - #include - #define VIRGL(_g, _virgl, _simple, ...) \ -@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g, - struct virtio_gpu_simple_resource *res) - { - pixman_image_unref(res->image); -+ virtio_gpu_cleanup_mapping(res); - QTAILQ_REMOVE(&g->reslist, res, next); - g_free(res); - } --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch deleted file mode 100644 index f0bba80165..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 1 Feb 2017 09:35:01 +0100 -Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615) - -When doing bitblt copy in backward mode, we should minus the -blt width first just like the adding in the forward mode. This -can avoid the oob access of the front of vga's vram. - -Signed-off-by: Li Qiang - -{ kraxel: with backward blits (negative pitch) addr is the topmost - address, so check it as-is against vram size ] - -Cc: qemu-stable@nongnu.org -Cc: P J P -Cc: Laszlo Ersek -Cc: Paolo Bonzini -Cc: Wolfgang Bumiller -Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106) -Signed-off-by: Gerd Hoffmann -Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com -Reviewed-by: Laszlo Ersek ---- - hw/display/cirrus_vga.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 7db6409..16f27e8 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, - { - if (pitch < 0) { - int64_t min = addr -- + ((int64_t)s->cirrus_blt_height-1) * pitch; -- int32_t max = addr -- + s->cirrus_blt_width; -- if (min < 0 || max > s->vga.vram_size) { -+ + ((int64_t)s->cirrus_blt_height - 1) * pitch -+ - s->cirrus_blt_width; -+ if (min < -1 || addr >= s->vga.vram_size) { - return true; - } - } else { --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch deleted file mode 100644 index e2a98012d7..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From: Gerd Hoffmann -Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo - -CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination -and blit width, at all. Oops. Fix it. - -Security impact: high. - -The missing blit destination check allows to write to host memory. -Basically same as CVE-2014-8106 for the other blit variants. - -The missing blit width check allows to overflow cirrus_bltbuf, -with the attractive target cirrus_srcptr (current cirrus_bltbuf write -position) being located right after cirrus_bltbuf in CirrusVGAState. - -Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker -hasn't full control over cirrus_srcptr though, only one byte can be -changed. Once the first byte has been modified further writes land -elsewhere. - -[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ] - -Signed-off-by: Gerd Hoffmann ---- - hw/display/cirrus_vga.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c -index 0e47cf8..a093dc8 100644 ---- a/hw/display/cirrus_vga.c -+++ b/hw/display/cirrus_vga.c -@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - { - int w; - -+ if (blit_is_unsafe(s)) { -+ return 0; -+ } -+ - s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; - s->cirrus_srcptr = &s->cirrus_bltbuf[0]; - s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; -@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) - } - s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; - } -+ -+ /* the blit_is_unsafe call above should catch this */ -+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); -+ - s->cirrus_srcptr = s->cirrus_bltbuf; - s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; - cirrus_update_memory_access(s); --- -1.8.3.1 - 
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch deleted file mode 100644 index 034b322de5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch +++ /dev/null @@ -1,22 +0,0 @@ -Comparison symbol is misused. It may lead to memory corruption. - -Signed-off-by: Vladimir Sementsov-Ogievskiy ---- - nbd/client.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/nbd/client.c b/nbd/client.c -index 6caf6bda6d..351731bc63 100644 ---- a/nbd/client.c -+++ b/nbd/client.c -@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) - char small[1024]; - char *buffer; - -- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); -+ buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size)); - while (size > 0) { - ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); - --- -2.11.0 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch deleted file mode 100644 index 24411b4dca..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 14 Dec 2016 18:30:21 -0800 -Subject: [PATCH] audio: ac97: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently the ac97 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com -Signed-off-by: Gerd Hoffmann ---- - hw/audio/ac97.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c -index cbd959e..c306575 100644 ---- a/hw/audio/ac97.c -+++ b/hw/audio/ac97.c -@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) - ac97_on_reset (&s->dev.qdev); - } - -+static void ac97_exit(PCIDevice *dev) -+{ -+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); -+ -+ AUD_close_in(&s->card, s->voice_pi); -+ AUD_close_out(&s->card, s->voice_po); -+ AUD_close_in(&s->card, s->voice_mc); -+ AUD_remove_card(&s->card); -+} -+ - static int ac97_init (PCIBus *bus) - { - pci_create_simple (bus, -1, "AC97"); -@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = ac97_realize; -+ k->exit = ac97_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; - k->revision = 0x01; --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch deleted file mode 100644 index 6bbac580c3..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 14 Dec 2016 18:32:22 -0800 -Subject: [PATCH] audio: es1370: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently the es1370 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com -Signed-off-by: Gerd Hoffmann ---- - hw/audio/es1370.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c -index 8449b5f..883ec69 100644 ---- a/hw/audio/es1370.c -+++ b/hw/audio/es1370.c -@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp) - es1370_reset (s); - } - -+static void es1370_exit(PCIDevice *dev) -+{ -+ ES1370State *s = ES1370(dev); -+ int i; -+ -+ for (i = 0; i < 2; ++i) { -+ AUD_close_out(&s->card, s->dac_voice[i]); -+ } -+ -+ AUD_close_in(&s->card, s->adc_voice); -+ AUD_remove_card(&s->card); -+} -+ - static int es1370_init (PCIBus *bus) - { - pci_create_simple (bus, -1, TYPE_ES1370); -@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = es1370_realize; -+ k->exit = es1370_exit; - k->vendor_id = PCI_VENDOR_ID_ENSONIQ; - k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370; - k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO; --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch deleted file mode 100644 index 9475f3fd2a..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Thu, 29 Dec 2016 03:11:26 -0500 -Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the virgl_renderer_resource_attach_iov function fails the -'res_iovs' will be leaked. Add check of the return value to -free the 'res_iovs' when failing. - -Signed-off-by: Li Qiang -Reviewed-by: Marc-André Lureau -Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/virtio-gpu-3d.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index e29f099..b13ced3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, - return; - } - -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -- res_iovs, att_rb.nr_entries); -+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ res_iovs, att_rb.nr_entries); -+ -+ if (ret != 0) -+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); - } - - static void virgl_resource_detach_backing(VirtIOGPU *g, --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch deleted file mode 100644 index f93d1e7f9e..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Thu, 29 Dec 2016 04:28:41 -0500 -Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing - -In the resource attach backing function, everytime it will -allocate 'res->iov' thus can leading a memory leak. This -patch avoid this. - -Signed-off-by: Li Qiang -Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann ---- - hw/display/virtio-gpu.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 6a26258..ca88cf4 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, - return; - } - -+ if (res->iov) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov); - if (ret != 0) { - cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch deleted file mode 100644 index e4572a8d57..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Wed, 4 Jan 2017 00:43:16 -0800 -Subject: [PATCH] serial: fix memory leak in serial exit - -The serial_exit_core function doesn't free some resources. -This can lead memory leak when hotplug and unplug. This -patch avoid this. - -Signed-off-by: Li Qiang -Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> -Signed-off-by: Paolo Bonzini ---- - hw/char/serial.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index ffbacd8..67b18ed 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) - void serial_exit_core(SerialState *s) - { - qemu_chr_fe_deinit(&s->chr); -+ -+ timer_del(s->modem_status_poll); -+ timer_free(s->modem_status_poll); -+ -+ timer_del(s->fifo_timeout_timer); -+ timer_free(s->fifo_timeout_timer); -+ -+ fifo8_destroy(&s->recv_fifo); -+ fifo8_destroy(&s->xmit_fifo); -+ - qemu_unregister_reset(serial_reset, s); - } - --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch deleted file mode 100644 index 93e9c9406c..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Tue, 7 Feb 2017 18:29:59 +0000 -Subject: [PATCH] sd: sdhci: check data length during dma_memory_read - -While doing multi block SDMA transfer in routine -'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting -index 'begin' and data length 's->data_count' could end up to be same. -This could lead to an OOB access issue. Correct transfer data length -to avoid it. - -Cc: qemu-stable@nongnu.org -Reported-by: Jiang Xin -Signed-off-by: Prasad J Pandit -Reviewed-by: Peter Maydell -Message-id: 20170130064736.9236-1-ppandit@redhat.com -Signed-off-by: Peter Maydell ---- - hw/sd/sdhci.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 01fbf22..5bd5ab6 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - boundary_count -= block_size - begin; - } - dma_memory_read(&address_space_memory, s->sdmasysad, -- &s->fifo_buffer[begin], s->data_count); -+ &s->fifo_buffer[begin], s->data_count - begin); - s->sdmasysad += s->data_count - begin; - if (s->data_count == block_size) { - for (n = 0; n < block_size; n++) { --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch deleted file mode 100644 index 2ebd49fa54..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Mon, 2 Jan 2017 11:03:33 +0100 -Subject: [PATCH] megasas: fix guest-triggered memory leak - -If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd -will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. -Avoid this by returning only the status from map_dcmd, and loading -cmd->iov_size in the caller. - -Reported-by: Li Qiang -Signed-off-by: Paolo Bonzini ---- - hw/scsi/megasas.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 67fc1e7..6233865 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); - cmd->iov_size = 0; -- return -1; -+ return -EINVAL; - } - iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); - iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); - pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); - qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); - cmd->iov_size = iov_size; -- return cmd->iov_size; -+ return 0; - } - - static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) -@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { - - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode, len; -+ int opcode; - int retval = 0; -+ size_t len; - const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); -- len = megasas_map_dcmd(s, cmd); -- if (len < 0) { -+ if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } - while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { - cmdptr++; - } -+ len = cmd->iov_size; - if (cmdptr->opcode == -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); 
- retval = megasas_dcmd_dummy(s, cmd); --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch deleted file mode 100644 index 664a669ffa..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch +++ /dev/null @@ -1,38 +0,0 @@ -When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the -backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) -we'll leak memory. - -This patch fixes it for 3d mode, simliar to the 2d mode fix in commit -"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy". - -Reported-by: 李强 -Signed-off-by: Gerd Hoffmann ---- - hw/display/virtio-gpu-3d.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index f96a0c2..ecb09d1 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g, - struct virtio_gpu_ctrl_command *cmd) - { - struct virtio_gpu_resource_unref unref; -+ struct iovec *res_iovs = NULL; -+ int num_iovs = 0; - - VIRTIO_GPU_FILL_CMD(unref); - trace_virtio_gpu_cmd_res_unref(unref.resource_id); - -+ virgl_renderer_resource_detach_iov(unref.resource_id, -+ &res_iovs, -+ &num_iovs); -+ if (res_iovs != NULL && num_iovs != 0) { -+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs); -+ } - virgl_renderer_resource_unref(unref.resource_id); - } - --- -1.8.3.1 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch deleted file mode 100644 index 9f94477a46..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 3 Feb 2017 00:52:28 +0530 -Subject: [PATCH] usb: ccid: check ccid apdu length - -CCID device emulator uses Application Protocol Data Units(APDU) -to exchange command and responses to and from the host. -The length in these units couldn't be greater than 65536. Add -check to ensure the same. It'd also avoid potential integer -overflow in emulated_apdu_from_guest. - -Reported-by: Li Qiang -Signed-off-by: Prasad J Pandit -Message-id: 20170202192228.10847-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/dev-smartcard-reader.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c -index 89e11b6..1325ea1 100644 ---- a/hw/usb/dev-smartcard-reader.c -+++ b/hw/usb/dev-smartcard-reader.c -@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) - DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, - recv->hdr.bSeq, len); - ccid_add_pending_answer(s, (CCID_Header *)recv); -- if (s->card) { -+ if (s->card && len <= BULK_OUT_DATA_SIZE) { - ccid_card_apdu_from_guest(s->card, recv->abData, len); - } else { - DPRINTF(s, D_WARN, "warning: discarded apdu\n"); --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch deleted file mode 100644 index f24d557c96..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 -From: Gonglei -Date: Tue, 3 Jan 2017 14:50:03 +0800 -Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow - -Because the 'size_t' type is 4 bytes in 32-bit platform, which -is the same with 'int'. It's easy to make 'max_len' to zero when -integer overflow and then cause heap overflow if 'max_len' is zero. - -Using uint_64 instead of size_t to avoid the integer overflow. - -Cc: qemu-stable@nongnu.org -Reported-by: Li Qiang -Signed-off-by: Gonglei -Tested-by: Li Qiang -Reviewed-by: Michael S. Tsirkin -Signed-off-by: Michael S. Tsirkin ---- - hw/virtio/virtio-crypto.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c -index 2f2467e..c23e1ad 100644 ---- a/hw/virtio/virtio-crypto.c -+++ b/hw/virtio/virtio-crypto.c -@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - uint32_t hash_start_src_offset = 0, len_to_hash = 0; - uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; - -- size_t max_len, curr_size = 0; -+ uint64_t max_len, curr_size = 0; - size_t s; - - /* Plain cipher */ -@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - return NULL; - } - -- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; -+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; - if (unlikely(max_len > vcrypto->conf.max_size)) { - virtio_error(vdev, "virtio-crypto too big length"); - return NULL; --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch deleted file mode 100644 index 50ff3c9979..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -Limits should be big enough that normal guest should not hit it. -Add a tracepoint to log them, just in case. Also, while being -at it, log the existing link trb limit too. - -Reported-by: 李强 -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-xhci.c | 15 ++++++++++++++- - hw/usb/trace-events | 1 + - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index fbf8a8b..28dd2f2 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -51,6 +51,8 @@ - #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS) - - #define TRB_LINK_LIMIT 4 -+#define COMMAND_LIMIT 256 -+#define TRANSFER_LIMIT 256 - - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) -@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - return type; - } else { - if (++link_cnt > TRB_LINK_LIMIT) { -+ trace_usb_xhci_enforced_limit("trb-link"); - return 0; - } - ring->dequeue = xhci_mask64(trb->parameter); -@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) - XHCIRing *ring; - USBEndpoint *ep = NULL; - uint64_t mfindex; -+ unsigned int count = 0; - int length; - int i; - -@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) - epctx->retry = xfer; - break; - } -+ if (count++ > TRANSFER_LIMIT) { -+ trace_usb_xhci_enforced_limit("transfers"); -+ break; -+ } - } - epctx->kick_active--; - -@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci) - TRBType type; - XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS}; - dma_addr_t addr; -- unsigned int i, slotid = 0; -+ unsigned int i, slotid = 0, count = 0; - - DPRINTF("xhci_process_commands()\n"); - if (!xhci_running(xhci)) { -@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci) - } - event.slotid = slotid; - xhci_event(xhci, &event, 0); -+ -+ if (count++ > COMMAND_LIMIT) { -+ trace_usb_xhci_enforced_limit("commands"); -+ 
return; -+ } - } - } - -diff --git a/hw/usb/trace-events b/hw/usb/trace-events -index fdd1d29..0c323d4 100644 ---- a/hw/usb/trace-events -+++ b/hw/usb/trace-events -@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p" - usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d" - usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d" - usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)" -+usb_xhci_enforced_limit(const char *item) "%s" - - # hw/usb/desc.c - usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d" --- -1.8.3.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch deleted file mode 100644 index bfde2e9d4b..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From: Prasad J Pandit - -In the SDHCI protocol, the transfer mode register value -is used during multi block transfer to check if block count -register is enabled and should be updated. Transfer mode -register could be set such that, block count register would -not be updated, thus leading to an infinite loop. Add check -to avoid it. - -Reported-by: Wjjzhang -Reported-by: Jiang Xin -Signed-off-by: Prasad J Pandit ---- - hw/sd/sdhci.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -Update: use qemu_log_mask(LOG_UNIMP, ...) - -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 5bd5ab6..a9c744b 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12); - uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk); - -+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) { -+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n"); -+ return; -+ } -+ - /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for - * possible stop at page boundary if initial address is not page aligned, - * allow them to work properly */ -@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque) - if (s->trnmod & SDHC_TRNS_DMA) { - switch (SDHC_DMA_TYPE(s->hostctl)) { - case SDHC_CTRL_SDMA: -- if ((s->trnmod & SDHC_TRNS_MULTI) && -- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) { -- break; -- } -- - if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) { - sdhci_sdma_transfer_single_block(s); - } else { --- -2.9.3 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch deleted file mode 100644 index 666c18ccea..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -This patch fixed a problem that was introduced in commit eb700029. - -When net_rx_pkt_attach_iovec() calls eth_strip_vlan() -this can result in pkt->ehdr_buf being overflowed, because -ehdr_buf is only sizeof(struct eth_header) bytes large -but eth_strip_vlan() can write -sizeof(struct eth_header) + sizeof(struct vlan_header) -bytes into it. - -Devices affected by this problem: vmxnet3. - -Reported-by: Peter Maydell -Signed-off-by: Dmitry Fleytman ---- - hw/net/net_rx_pkt.c | 34 +++++++++++++++++----------------- - 1 file changed, 17 insertions(+), 17 deletions(-) - -diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c -index 1019b50..7c0beac 100644 ---- a/hw/net/net_rx_pkt.c -+++ b/hw/net/net_rx_pkt.c -@@ -23,13 +23,13 @@ - - struct NetRxPkt { - struct virtio_net_hdr virt_hdr; -- uint8_t ehdr_buf[sizeof(struct eth_header)]; -+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)]; - struct iovec *vec; - uint16_t vec_len_total; - uint16_t vec_len; - uint32_t tot_len; - uint16_t tci; -- bool vlan_stripped; -+ size_t ehdr_buf_len; - bool has_virt_hdr; - eth_pkt_types_e packet_type; - -@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt, - const struct iovec *iov, int iovcnt, - size_t ploff) - { -- if (pkt->vlan_stripped) { -+ if (pkt->ehdr_buf_len) { - net_rx_pkt_iovec_realloc(pkt, iovcnt + 1); - - pkt->vec[0].iov_base = pkt->ehdr_buf; -- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf); -- -- pkt->tot_len = -- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header); -+ pkt->vec[0].iov_len = pkt->ehdr_buf_len; - -+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len; - pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1, - iov, iovcnt, ploff, pkt->tot_len); - } else { -@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt, - uint16_t tci = 0; - uint16_t ploff = iovoff; - assert(pkt); -- pkt->vlan_stripped = false; - - if (strip_vlan) { -- pkt->vlan_stripped = eth_strip_vlan(iov, 
iovcnt, iovoff, pkt->ehdr_buf, -- &ploff, &tci); -+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf, -+ &ploff, &tci); -+ } else { -+ pkt->ehdr_buf_len = 0; - } - - pkt->tci = tci; -@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt, - uint16_t tci = 0; - uint16_t ploff = iovoff; - assert(pkt); -- pkt->vlan_stripped = false; - - if (strip_vlan) { -- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, -- pkt->ehdr_buf, -- &ploff, &tci); -+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet, -+ pkt->ehdr_buf, -+ &ploff, &tci); -+ } else { -+ pkt->ehdr_buf_len = 0; - } - - pkt->tci = tci; -@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt) - NetRxPkt *pkt = (NetRxPkt *)pkt; - assert(pkt); - -- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n", -- pkt->tot_len, pkt->vlan_stripped, pkt->tci); -+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n", -+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci); - #endif - } - -@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt) - { - assert(pkt); - -- return pkt->vlan_stripped; -+ return pkt->ehdr_buf_len ? true : false; - } - - bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt) --- -2.7.4 diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch deleted file mode 100644 index a15aa96bd5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Tue, 7 Feb 2017 02:23:33 -0800 -Subject: [PATCH] usb: ohci: limit the number of link eds - -The guest may builds an infinite loop with link eds. This patch -limit the number of linked ed to avoid this. - -Signed-off-by: Li Qiang -Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ohci.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c -index 2cba3e3..21c93e0 100644 ---- a/hw/usb/hcd-ohci.c -+++ b/hw/usb/hcd-ohci.c -@@ -42,6 +42,8 @@ - - #define OHCI_MAX_PORTS 15 - -+#define ED_LINK_LIMIT 4 -+ - static int64_t usb_frame_time; - static int64_t usb_bit_time; - -@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) - uint32_t next_ed; - uint32_t cur; - int active; -- -+ uint32_t link_cnt = 0; - active = 0; - - if (head == 0) -@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) - - next_ed = ed.next & OHCI_DPTR_MASK; - -+ if (++link_cnt > ED_LINK_LIMIT) { -+ ohci_die(ohci); -+ return 0; -+ } -+ - if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) { - uint32_t addr; - /* Cancel pending packets for ED that have been paused. */ --- -2.10.2 - diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch new file mode 100644 index 0000000000..346e7713f7 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch 
@@ -0,0 +1,174 @@ +From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001 +From: Greg Kurz +Date: Fri, 5 May 2017 14:48:08 +0200 +Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493) + +When using the mapped-file security mode, we shouldn't let the client mess +with the metadata. The current code already tries to hide the metadata dir +from the client by skipping it in local_readdir(). But the client can still +access or modify it through several other operations. This can be used to +escalate privileges in the guest. + +Affected backend operations are: +- local_mknod() +- local_mkdir() +- local_open2() +- local_symlink() +- local_link() +- local_unlinkat() +- local_renameat() +- local_rename() +- local_name_to_path() + +Other operations are safe because they are only passed a fid path, which +is computed internally in local_name_to_path(). + +This patch converts all the functions listed above to fail and return +EINVAL when being passed the name of the metadata dir. This may look +like a poor choice for errno, but there's no such thing as an illegal +path name on Linux and I could not think of anything better. + +This fixes CVE-2017-7493. 
+ +Reported-by: Leo Gaspard +Signed-off-by: Greg Kurz +Reviewed-by: Eric Blake +--- + hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 56 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c +index f3ebca4f7a..a2486566af 100644 +--- a/hw/9pfs/9p-local.c ++++ b/hw/9pfs/9p-local.c +@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs) + return telldir(fs->dir.stream); + } + ++static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name) ++{ ++ return !strcmp(name, VIRTFS_META_DIR); ++} ++ + static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs) + { + struct dirent *entry; +@@ -465,8 +470,8 @@ again: + if (ctx->export_flags & V9FS_SM_MAPPED) { + entry->d_type = DT_UNKNOWN; + } else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) { +- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) { +- /* skp the meta data directory */ ++ if (local_is_mapped_file_metadata(ctx, entry->d_name)) { ++ /* skip the meta data directory */ + goto again; + } + entry->d_type = DT_UNKNOWN; +@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & 
V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + /* + * Mark all the open to not follow symlinks + */ +@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath, + int err = -1; + int dirfd; + ++ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(fs_ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(fs_ctx, dir_path->data); + if (dirfd == -1) { + return -1; +@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath, + int ret = -1; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, odirpath); + if (odirfd == -1) { + goto out; +@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path, + static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, + const char *name, V9fsPath *target) + { ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + if (dir_path) { + v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); + } else if (strcmp(name, "/")) { +@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir, + int ret; + int odirfd, ndirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ (local_is_mapped_file_metadata(ctx, old_name) || ++ local_is_mapped_file_metadata(ctx, new_name))) { ++ errno = EINVAL; ++ return -1; ++ } ++ + odirfd = local_opendir_nofollow(ctx, olddir->data); + if (odirfd == -1) { + return -1; +@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir, + int ret; + int dirfd; + ++ if (ctx->export_flags & V9FS_SM_MAPPED_FILE && ++ local_is_mapped_file_metadata(ctx, name)) { ++ errno = EINVAL; ++ return -1; ++ } ++ + dirfd = local_opendir_nofollow(ctx, 
dir->data);
+ if (dirfd == -1) {
+ return -1;
+--
+2.13.0
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
new file mode 100644
index 0000000000..31fb69bf89
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch
@@ -0,0 +1,22 @@
+CVE-2017-8112
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04494.html
+---
+ hw/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 7557546..4a106da 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ uint32_t len_log2;
+ uint32_t ring_size;
+
+- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+ return -1;
+ }
+ ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+--
+2.9.3
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch
new file mode 100644
index 0000000000..4f7f870210
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch
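Review bot: qemu-2.9.0-CVE-2017-8112.patch carries only the CVE id and a qemu-devel list URL in its header — no upstream commit hash, author or Subject line — so, unlike the CVE-2017-7493 patch above which keeps its `From <sha>` header, there is no stable reference for checking whether a later qemu release already contains the fix before the patch is dropped. The CVE-2017-8309, CVE-2017-8379 and CVE-2017-8380 patches that follow have the same gap, citing only a `bug #…` number and a list URL. Suggest adding the upstream commit id to each header, or a one-line note that the fix had not yet been merged upstream when it was backported, so the next sync can tell which of these files are obsolete.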
@@ -0,0 +1,22 @@
+bug #616870
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
+---
+ audio/audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/audio/audio.c b/audio/audio.c
+index c8898d8422..beafed209b 100644
+--- a/audio/audio.c
++++ b/audio/audio.c
+@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
+ sw = sw1;
+ }
+ QLIST_REMOVE (cap, entries);
++ g_free (cap->hw.mix_buf);
++ g_free (cap->buf);
+ g_free (cap);
+ }
+ return;
+--
+2.9.3
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch
new file mode 100644
index 0000000000..0a34dae671
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch
@@ -0,0 +1,76 @@
+bug #616872
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
+---
+ ui/input.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ui/input.c b/ui/input.c
+index ed88cda6d6..fb1f404095 100644
+--- a/ui/input.c
++++ b/ui/input.c
+@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
+ QTAILQ_HEAD_INITIALIZER(kbd_queue);
+ static QEMUTimer *kbd_timer;
+ static uint32_t kbd_default_delay_ms = 10;
++static uint32_t queue_count;
++static uint32_t queue_limit = 1024;
+
+ QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
+ QemuInputHandler *handler)
+@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
+ break;
+ }
+ QTAILQ_REMOVE(queue, item, node);
++ queue_count--;
+ g_free(item);
+ }
+ }
+@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
+ item->delay_ms = delay_ms;
+ item->timer = timer;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+
+ if (start_timer) {
+ timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
+@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
+ item->src = src;
+ item->evt = evt;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+ }
+
+ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
+
+ item->type = QEMU_INPUT_QUEUE_SYNC;
+ QTAILQ_INSERT_TAIL(queue, item, node);
++ queue_count++;
+ }
+
+ void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
+@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
+ qemu_input_event_send(src, evt);
+ qemu_input_event_sync();
+ qapi_free_InputEvent(evt);
+- } else {
++ } else if (queue_count < queue_limit) {
+ qemu_input_queue_event(&kbd_queue, src, evt);
+ qemu_input_queue_sync(&kbd_queue);
+ }
+@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
+ kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
+ &kbd_queue);
+ }
+- qemu_input_queue_delay(&kbd_queue, kbd_timer,
+- delay_ms ? delay_ms : kbd_default_delay_ms);
++ if (queue_count < queue_limit) {
++ qemu_input_queue_delay(&kbd_queue, kbd_timer,
++ delay_ms ? delay_ms : kbd_default_delay_ms);
++ }
+ }
+
+ InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
+--
+2.9.3
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch
new file mode 100644
index 0000000000..08911dd0bf
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch
@@ -0,0 +1,34 @@
+bug #616874
+
+https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
+---
+ hw/scsi/megasas.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index 84b8caf..804122a 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
+ case MFI_SEQ:
+ trace_megasas_mmio_writel("MFI_SEQ", val);
+ /* Magic sequence to start ADP reset */
+- if (adp_reset_seq[s->adp_reset] == val) {
+- s->adp_reset++;
++ if (adp_reset_seq[s->adp_reset++] == val) {
++ if (s->adp_reset == 6) {
++ s->adp_reset = 0;
++ s->diag = MFI_DIAG_WRITE_ENABLE;
++ }
+ } else {
+ s->adp_reset = 0;
+ s->diag = 0;
+ }
+- if (s->adp_reset == 6) {
+- s->diag = MFI_DIAG_WRITE_ENABLE;
+- }
+ break;
+ case MFI_DIAG:
+ trace_megasas_mmio_writel("MFI_DIAG", val);
+--
+2.9.3
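Review bot: In the qemu_input_event_send_key hunk of qemu-2.9.0-CVE-2017-8379.patch, the new `} else if (queue_count < queue_limit) {` arm has no fallback: when the queue is already full the event is neither queued nor released, while the empty-queue branch just above frees it with `qapi_free_InputEvent(evt)`, so each key event dropped by the new limit appears to leak an InputEvent for as long as the guest keeps flooding. A closing `} else { qapi_free_InputEvent(evt); }` would release it and keep the rate limit from trading the unbounded queue for a slow leak. The body of qemu_input_event_send_key starts outside the hunk, so confirm against the full function that nothing earlier or later frees `evt` on that path. The companion hunk in qemu_input_event_send_key_delay only passes a delay value into the guarded call, so nothing needs releasing there.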
diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1 b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1
deleted file mode 100644
index fe62a2a211..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1
+++ /dev/null
@@ -1,138 +0,0 @@ -#!/sbin/openrc-run -# Copyright 1999-2016 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel - -# Defaulting to OC should be safe because it comes down to: -# - do we trust the interp itself to not be malicious? yes; we built it. -# - do we trust the programs we're running? ish; same permission as native -# binaries apply. so if user can do bad stuff natively, cross isn't worse. -: ${QEMU_BINFMT_FLAGS:=OC} - -depend() { - after procfs -} - -start() { - ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})" - - if [ ! -d /proc/sys/fs/binfmt_misc ] ; then - modprobe -q binfmt_misc - fi - - if [ ! -d /proc/sys/fs/binfmt_misc ] ; then - eend $? "You need support for 'misc binaries' in your kernel!" || return - fi - - if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1 - eend $? 
|| return - fi - - # probe cpu type - cpu=`uname -m` - case "$cpu" in - i386|i486|i586|i686|i86pc|BePC|x86_64) - cpu="i386" - ;; - m68k) - cpu="m68k" - ;; - mips*) - cpu="mips" - ;; - "Power Macintosh"|ppc|ppc64) - cpu="ppc" - ;; - armv[4-9]*) - cpu="arm" - ;; - sparc*) - cpu="sparc" - ;; - esac - - # register the interpreter for each cpu except for the native one - if [ $cpu != "i386" -a -x "/usr/bin/qemu-i386" ] ; then - echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "alpha" -a -x "/usr/bin/qemu-alpha" ] ; then - echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "arm" -a -x "/usr/bin/qemu-arm" ] ; then - echo ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "arm" -a -x "/usr/bin/qemu-armeb" ] ; then - echo ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "aarch64" -a -x "/usr/bin/qemu-aarch64" ] ; then - echo 
':aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "sparc" -a -x "/usr/bin/qemu-sparc" ] ; then - echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then - echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then - #echo 'Please check cpu value and header information for m68k!' - echo ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips" ] ; then - # FIXME: We could use the other endianness on a MIPS host. 
- echo ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsel" ] ; then - echo ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32" ] ; then - echo ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mipsn32:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32el" ] ; then - echo ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsn32el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64" ] ; then - echo ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64el" ] ; then - echo ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4" ] ; then - echo 
':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4eb" ] ; then - echo ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - if [ $cpu != "s390x" -a -x "/usr/bin/qemu-s390x" ] ; then - echo ':s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register - fi - eend $? -} - -stop() { - ebegin "Unregistering qemu-user binaries" - local arches - - arches="${arches} i386 i486" - arches="${arches} alpha" - arches="${arches} arm armeb" - arches="${arches} aarch64" - arches="${arches} sparc" - arches="${arches} ppc" - arches="${arches} m68k" - arches="${arches} mips mipsel mipsn32 mipsn32el mips64 mips64el" - arches="${arches} sh4 sh4eb" - arches="${arches} s390x" - - for a in ${arches}; do - if [ -f /proc/sys/fs/binfmt_misc/$a ] ; then - echo '-1' > /proc/sys/fs/binfmt_misc/$a - fi - done - - eend $? -} - -# vim: ts=4 : diff --git a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r9.ebuild b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.9.0-r2.ebuild similarity index 89% rename from sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r9.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.9.0-r2.ebuild index f46ff08320..3bcf97ea40 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r9.ebuild 
+++ b/sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.9.0-r2.ebuild @@ -20,10 +20,6 @@ else KEYWORDS="amd64 arm64 ~ppc ~ppc64 x86 ~x86-fbsd" fi -# bug #606088 -SRC_URI+=" - https://dev.gentoo.org/~tamiko/distfiles/${P}-CVE-2016-9602-patches.tar.xz" - DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" @@ -33,16 +29,16 @@ IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs gnutls gtk gtk2 infiniband iscsi +jpeg kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png pulseaudio python rbd sasl +seccomp sdl sdl2 selinux smartcard snappy - spice ssh static static-user systemtap tci test +threads usb usbredir - vde +vhost-net virgl virtfs +vnc vte xattr xen xfs" + spice ssh static static-user systemtap tci test usb usbredir vde + +vhost-net virgl virtfs +vnc vte xattr xen xfs" COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel - mips mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc + mips mips64 mips64el mipsel nios2 or1k ppc ppc64 s390x sh4 sh4eb sparc sparc64 x86_64" IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore unicore32 xtensa xtensaeb" IUSE_USER_TARGETS="${COMMON_TARGETS} - armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" + armeb hppa mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) @@ -54,6 +50,7 @@ REQUIRED_USE="${PYTHON_REQUIRED_USE} gtk2? ( gtk ) qemu_softmmu_targets_arm? ( fdt ) qemu_softmmu_targets_microblaze? ( fdt ) + qemu_softmmu_targets_mips64el? ( fdt ) qemu_softmmu_targets_ppc? ( fdt ) qemu_softmmu_targets_ppc64? ( fdt ) sdl2? ( sdl ) 
@@ -69,18 +66,17 @@ REQUIRED_USE="${PYTHON_REQUIRED_USE} # The attr lib isn't always linked in (although the USE flag is always # respected). This is because qemu supports using the C library's API # when available rather than always using the extranl library. -# -# To configure and compile qemu user targets or tools alone the following -# dependencies are not strictly necessary: -# alsa? ( >=media-libs/alsa-lib-1.0.13 ) -# fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] ) -# pulseaudio? ( media-sound/pulseaudio ) -# seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) -# but these are so few it is not worth the effort to separate this list. -TARGETS_DEPEND=" +ALL_DEPEND=" >=dev-libs/glib-2.0[static-libs(+)] - >=x11-libs/pixman-0.28.0[static-libs(+)] sys-libs/zlib[static-libs(+)] + python? ( ${PYTHON_DEPS} ) + systemtap? ( dev-util/systemtap ) + xattr? ( sys-apps/attr[static-libs(+)] )" + +# Dependencies required for qemu tools (qemu-nbd, qemu-img, qemu-io, ...) +# softmmu targets (qemu-system-*). +SOFTMMU_TOOLS_DEPEND=" + >=x11-libs/pixman-0.28.0[static-libs(+)] accessibility? ( app-accessibility/brltty[api] app-accessibility/brltty[static-libs(+)] @@ -125,7 +121,6 @@ TARGETS_DEPEND=" ) png? ( media-libs/libpng:0=[static-libs(+)] ) pulseaudio? ( media-sound/pulseaudio ) - python? ( ${PYTHON_DEPS} ) rbd? ( sys-cluster/ceph[static-libs(+)] ) sasl? ( dev-libs/cyrus-sasl[static-libs(+)] ) sdl? ( @@ -146,13 +141,11 @@ TARGETS_DEPEND=" >=app-emulation/spice-0.12.0[static-libs(+)] ) ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) - systemtap? ( dev-util/systemtap ) - usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) + usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) vde? ( net-misc/vde[static-libs(+)] ) virgl? ( media-libs/virglrenderer[static-libs(+)] ) virtfs? ( sys-libs/libcap ) - xattr? ( sys-apps/attr[static-libs(+)] ) xen? ( app-emulation/xen-tools:= ) xfs? ( sys-fs/xfsprogs[static-libs(+)] )" 
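Review bot: The header comment added for SOFTMMU_TOOLS_DEPEND loses its conjunction across the line break, so it reads as two unrelated fragments: `# Dependencies required for qemu tools (qemu-nbd, qemu-img, qemu-io, ...)` followed by `# softmmu targets (qemu-system-*).`. Suggest `# and softmmu targets (qemu-system-*).` for the second line. Since the split is what decides which libraries a static-user build links (only ALL_DEPEND), a one-line note that ALL_DEPEND is the set shared by user targets, tools and softmmu would also help readers of the CDEPEND/DEPEND blocks later in the file. The assignment continues past the end of this hunk.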
@@ -170,7 +163,10 @@ X86_FIRMWARE_DEPEND=" )" CDEPEND=" - !static? ( ${TARGETS_DEPEND//\[static-libs(+)]} ) + !static? ( + ${ALL_DEPEND//\[static-libs(+)]} + ${SOFTMMU_TOOLS_DEPEND//\[static-libs(+)]} + ) qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} ) qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )" DEPEND="${CDEPEND} @@ -180,8 +176,11 @@ DEPEND="${CDEPEND} virtual/pkgconfig kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 ) gtk? ( nls? ( sys-devel/gettext ) ) - static? ( ${TARGETS_DEPEND} ) - static-user? ( ${TARGETS_DEPEND} ) + static? ( + ${ALL_DEPEND} + ${SOFTMMU_TOOLS_DEPEND} + ) + static-user? ( ${ALL_DEPEND} ) test? ( dev-libs/glib[utils] sys-devel/bc 
@@ -192,29 +191,11 @@ RDEPEND="${CDEPEND} PATCHES=( "${FILESDIR}"/${PN}-2.5.0-cflags.patch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch - "${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch #601826 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch #602630 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch #603444 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10155.patch #606720 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2615.patch #608034 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2630.patch #609396 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-1.patch #606264 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-2.patch - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5552.patch #606722 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5578.patch #607000 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5579.patch #607100 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5667.patch #607766 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5856.patch #608036 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5857.patch #608038 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5898.patch #608520 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5931.patch #608728 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5973.patch #609334 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch #609638 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch #609206 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch #612220 - "${S}-CVE-2016-9602-patches" + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8309.patch # bug 616870 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8379.patch # bug 616872 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8380.patch # bug 616874 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808 # fix for vpc creation in qemu-img "${FILESDIR}"/0001-block-fix-vpc-max_table_entries-computation.patch 
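Review bot: Each of the five CVE entries added to PATCHES records only a Gentoo bug number, and the patch header visible earlier on this page for CVE-2017-8380 carries only a mailing-list link, so nothing ties the vendored file to a specific upstream commit that a reviewer could diff against. Suggest extending each trailing comment with the upstream commit id once identified, e.g. `# bug 616874, upstream <commit>`, so later audits of the backports are mechanical. The entries are also listed out of CVE order (8309, 8379, 8380, 8112, 7493); sorting them makes it easier to spot a missing one at the next version bump. The PATCHES array is closed outside this hunk.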
@@ -240,7 +221,7 @@ QA_WX_LOAD="usr/bin/qemu-i386 usr/bin/qemu-microblazeel usr/bin/qemu-mips usr/bin/qemu-mipsel - usr/bin/qemu-or32 + usr/bin/qemu-or1k usr/bin/qemu-ppc usr/bin/qemu-ppc64 usr/bin/qemu-ppc64abi32 @@ -529,7 +510,7 @@ qemu_src_configure() { if use ${static_flag}; then conf_opts+=( --static --disable-pie ) else - gcc-specs-pie && conf_opts+=( --enable-pie ) + tc-enables-pie && conf_opts+=( --enable-pie ) fi echo "../configure ${conf_opts[*]}" @@ -697,9 +678,6 @@ src_install() { insinto "/etc/qemu" doins "${FILESDIR}/bridge.conf" - # Remove the docdir placed qmp-commands.txt - mv "${ED}/usr/share/doc/${PF}/html/qmp-commands.txt" "${S}/docs/" || die - cd "${S}" dodoc Changelog MAINTAINERS docs/specs/pci-ids.txt newdoc pc-bios/README README.pc-bios @@ -750,7 +728,6 @@ src_install() { pkg_postinst() { DISABLE_AUTOFORMATTING=true - FORCE_PRINT_ELOG=1 # remove for next version bump readme.gentoo_print_elog if [[ -n ${softmmu_targets} ]] && use kernel_linux; then
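Review bot: In the qemu_src_configure hunk, `tc-enables-pie && conf_opts+=( --enable-pie )` only forces PIE when the toolchain already defaults to it; on a toolchain that does not, the decision is left to qemu's configure and the hypervisor binaries may silently end up non-PIE. If position independence is meant to be a property of this package rather than of the build host, pass the flag unconditionally in the non-static branch, `else conf_opts+=( --enable-pie )`, and document the intent with a comment such as `# Always build PIE so ASLR applies to the qemu-system binaries`. This assumes toolchain-funcs.eclass is inherited earlier in the ebuild, which is outside this hunk. qemu_src_configure continues past the end of the hunk.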