mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-22 15:01:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

app-emulation/qemu: sync with upstream

Browse Source 
The only CoreOS changes are to add the vpc patch and stabilize
arm64, despite not actually using it anywhere yet.
This commit is contained in:
David Michael 2017-06-16 11:45:35 -07:00
parent ab0b7b38eb
commit c86ff7a096
31 changed files with 360 additions and 1256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/Manifest vendored
View File

@ -1,2 +1 @@
DIST qemu-2.8.0-CVE-2016-9602-patches.tar.xz 16264 SHA256 18ac829c6003a3f997db4030a46b422028c58fead158f0c5ffe36ad65acb84e0 SHA512 a56694d1600e4fd1ffd6bbe031a0db226fc5c88306797cc4e42d1dc6127b83d1791cb4e026988b3aad82eab84382e41077ae71e532d1d3489e179730185c0964 WHIRLPOOL 22057b001c478b2b0d97ad70393c973aefc6277d89bb5a1ae03c3c39b5182ddfbe541964761f512ed5735dc442e1f40d0a955ad5b270758e21ce815be86b24bd DIST qemu-2.9.0.tar.bz2 28720490 SHA256 00bfb217b1bb03c7a6c3261b819cfccbfb5a58e3e2ceff546327d271773c6c14 SHA512 4b28966eec0ca44681e35fcfb64a4eaef7c280b8d65c91d03f2efa37f76278fd8c1680e5798c7a30dbfcc8f3c05f4a803f48b8a2dfec3a4181bac079b2a5e422 WHIRLPOOL d79fe89eb271a56aee0cbd328e5f96999176b711afb5683d164b7b99d91e6dd2bfaf6e2ff4cd820a941c94f28116765cb07ffd5809d75c2f9654a67d56bfc0c1
DIST qemu-2.8.0.tar.bz2 28368517 SHA256 dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62 SHA512 50f2988d822388ba9fd1bf5dbe68359033ed7432d7f0f9790299f32f63faa6dc72979256b5632ba572d47ee3e74ed40e3e8e331dc6303ec1599f1b4367cb78c2 WHIRLPOOL 0ce4e0539657eb832e4039819e7360c792b6aa41c718f0e0d762f4933217f0d370af94b1d6d9776853575b4a6811d8c85db069bf09d21bd15399ac8b50440ff5

1
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/65-kvm.rules vendored
View File

@ -1 +0,0 @@
KERNEL=="kvm", GROUP="kvm", MODE="0660"

32
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch vendored
View File

@ -1,32 +0,0 @@
http://bugs.gentoo.org/597108
https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html
From: Prasad J Pandit <address@hidden>
The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.
Reported-by: Huawei PSIRT <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/dma/rc4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
break;
/* Interval timer reload */
case 0x0228:
- s->itr = val;
+ s->itr = val & 0x01FF;
qemu_irq_lower(s->timer_irq);
set_next_tick(s);
break;
--
2.5.5

40
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch vendored
View File

@ -1,40 +0,0 @@
https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html
https://bugs.gentoo.org/603444
From: P J P
Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
Date: Wed, 14 Dec 2016 12:31:56 +0530
From: Prasad J Pandit <address@hidden>
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
command, retrieves the maximum capabilities size to fill in the
response object. It continues to fill in capabilities even if
retrieved 'max_size' is zero(0), thus resulting in OOB access.
Add check to avoid it.
Reported-by: Zhenhao Hong <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/display/virtio-gpu-3d.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 758d33a..6ceeba3 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
+ if (!max_size) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+ return;
+ }
+
resp = g_malloc0(sizeof(*resp) + max_size);
-
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
virgl_renderer_fill_caps(gc.capset_id,
gc.capset_version,
--
2.9.3

46
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch vendored
View File

@ -1,46 +0,0 @@
From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 28 Nov 2016 17:49:04 -0800
Subject: [PATCH] watchdog: 6300esb: add exit function
When the Intel 6300ESB watchdog is hot unplug. The timer allocated
in realize isn't freed thus leaking memory leak. This patch avoid
this through adding the exit function.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/watchdog/wdt_i6300esb.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
index a83d951..49b3cd1 100644
--- a/hw/watchdog/wdt_i6300esb.c
+++ b/hw/watchdog/wdt_i6300esb.c
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
/* qemu_register_coalesced_mmio (addr, 0x10); ? */
}
+static void i6300esb_exit(PCIDevice *dev)
+{
+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
+
+ timer_del(d->timer);
+ timer_free(d->timer);
+}
+
static WatchdogTimerModel model = {
.wdt_name = "i6300esb",
.wdt_description = "Intel 6300ESB",
@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
k->config_read = i6300esb_config_read;
k->config_write = i6300esb_config_write;
k->realize = i6300esb_realize;
+ k->exit = i6300esb_exit;
k->vendor_id = PCI_VENDOR_ID_INTEL;
k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
k->class_id = PCI_CLASS_SYSTEM_OTHER;
--
2.10.2

35
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch vendored
View File

@ -1,35 +0,0 @@
https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html
https://bugs.gentoo.org/601826
From: Li Qiang
Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch
Date: Tue, 1 Nov 2016 05:37:57 -0700
From: Li Qiang <address@hidden>
In virgl_cmd_get_capset function, it uses g_malloc to allocate
a response struct to the guest. As the 'resp'struct hasn't been full
initialized it will lead the 'resp->padding' field to the guest.
Use g_malloc0 to avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/display/virtio-gpu-3d.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 23f39de..d98b140 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
&max_size);
- resp = g_malloc(sizeof(*resp) + max_size);
+ resp = g_malloc0(sizeof(*resp) + max_size);
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
virgl_renderer_fill_caps(gc.capset_id,
--
1.8.3.1

38
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch vendored
View File

@ -1,38 +0,0 @@
https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html
https://bugs.gentoo.org/602630
From: Li Qiang
Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
Date: Mon, 28 Nov 2016 21:29:25 -0500
If the guest destroy the resource before detach banking, the 'iov'
and 'addrs' field in resource is not freed thus leading memory
leak issue. This patch avoid this.
Signed-off-by: Li Qiang <address@hidden>
---
hw/display/virtio-gpu.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 60bce94..98dadf2 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -28,6 +28,8 @@
static struct virtio_gpu_simple_resource*
virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
+
#ifdef CONFIG_VIRGL
#include <virglrenderer.h>
#define VIRGL(_g, _virgl, _simple, ...) \
@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
struct virtio_gpu_simple_resource *res)
{
pixman_image_unref(res->image);
+ virtio_gpu_cleanup_mapping(res);
QTAILQ_REMOVE(&g->reslist, res, next);
g_free(res);
}
--
1.8.3.1

48
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch vendored
View File

@ -1,48 +0,0 @@
From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 1 Feb 2017 09:35:01 +0100
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
When doing bitblt copy in backward mode, we should minus the
blt width first just like the adding in the forward mode. This
can avoid the oob access of the front of vga's vram.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
{ kraxel: with backward blits (negative pitch) addr is the topmost
address, so check it as-is against vram size ]
Cc: qemu-stable@nongnu.org
Cc: P J P <ppandit@redhat.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
hw/display/cirrus_vga.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 7db6409..16f27e8 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
{
if (pitch < 0) {
int64_t min = addr
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
- int32_t max = addr
- + s->cirrus_blt_width;
- if (min < 0 || max > s->vga.vram_size) {
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
+ - s->cirrus_blt_width;
+ if (min < -1 || addr >= s->vga.vram_size) {
return true;
}
} else {
--
2.10.2

56
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch vendored
View File

@ -1,56 +0,0 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
and blit width, at all. Oops. Fix it.
Security impact: high.
The missing blit destination check allows to write to host memory.
Basically same as CVE-2014-8106 for the other blit variants.
The missing blit width check allows to overflow cirrus_bltbuf,
with the attractive target cirrus_srcptr (current cirrus_bltbuf write
position) being located right after cirrus_bltbuf in CirrusVGAState.
Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
hasn't full control over cirrus_srcptr though, only one byte can be
changed. Once the first byte has been modified further writes land
elsewhere.
[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/cirrus_vga.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 0e47cf8..a093dc8 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
{
int w;
+ if (blit_is_unsafe(s)) {
+ return 0;
+ }
+
s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
s->cirrus_srcptr = &s->cirrus_bltbuf[0];
s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
}
s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
}
+
+ /* the blit_is_unsafe call above should catch this */
+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
+
s->cirrus_srcptr = s->cirrus_bltbuf;
s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
cirrus_update_memory_access(s);
--
1.8.3.1

22
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch vendored
View File

@ -1,22 +0,0 @@
Comparison symbol is misused. It may lead to memory corruption.
Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
---
nbd/client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nbd/client.c b/nbd/client.c
index 6caf6bda6d..351731bc63 100644
--- a/nbd/client.c
+++ b/nbd/client.c
@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
char small[1024];
char *buffer;
- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
+ buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
while (size > 0) {
ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
--
2.11.0

52
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch vendored
View File

@ -1,52 +0,0 @@
From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 14 Dec 2016 18:30:21 -0800
Subject: [PATCH] audio: ac97: add exit function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently the ac97 device emulation doesn't have a exit function,
hot unplug this device will leak some memory. Add a exit function to
avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/audio/ac97.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
index cbd959e..c306575 100644
--- a/hw/audio/ac97.c
+++ b/hw/audio/ac97.c
@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
ac97_on_reset (&s->dev.qdev);
}
+static void ac97_exit(PCIDevice *dev)
+{
+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
+
+ AUD_close_in(&s->card, s->voice_pi);
+ AUD_close_out(&s->card, s->voice_po);
+ AUD_close_in(&s->card, s->voice_mc);
+ AUD_remove_card(&s->card);
+}
+
static int ac97_init (PCIBus *bus)
{
pci_create_simple (bus, -1, "AC97");
@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
k->realize = ac97_realize;
+ k->exit = ac97_exit;
k->vendor_id = PCI_VENDOR_ID_INTEL;
k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
k->revision = 0x01;
--
2.10.2

55
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch vendored
View File

@ -1,55 +0,0 @@
From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 14 Dec 2016 18:32:22 -0800
Subject: [PATCH] audio: es1370: add exit function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Currently the es1370 device emulation doesn't have a exit function,
hot unplug this device will leak some memory. Add a exit function to
avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/audio/es1370.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 8449b5f..883ec69 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
es1370_reset (s);
}
+static void es1370_exit(PCIDevice *dev)
+{
+ ES1370State *s = ES1370(dev);
+ int i;
+
+ for (i = 0; i < 2; ++i) {
+ AUD_close_out(&s->card, s->dac_voice[i]);
+ }
+
+ AUD_close_in(&s->card, s->adc_voice);
+ AUD_remove_card(&s->card);
+}
+
static int es1370_init (PCIBus *bus)
{
pci_create_simple (bus, -1, TYPE_ES1370);
@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
k->realize = es1370_realize;
+ k->exit = es1370_exit;
k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
--
2.10.2

41
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch vendored
View File

@ -1,41 +0,0 @@
From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Thu, 29 Dec 2016 03:11:26 -0500
Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If the virgl_renderer_resource_attach_iov function fails the
'res_iovs' will be leaked. Add check of the return value to
free the 'res_iovs' when failing.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu-3d.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index e29f099..b13ced3 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
return;
}
- virgl_renderer_resource_attach_iov(att_rb.resource_id,
- res_iovs, att_rb.nr_entries);
+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
+ res_iovs, att_rb.nr_entries);
+
+ if (ret != 0)
+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
}
static void virgl_resource_detach_backing(VirtIOGPU *g,
--
2.10.2

35
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch vendored
View File

@ -1,35 +0,0 @@
From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
From: Li Qiang <liq3ea@gmail.com>
Date: Thu, 29 Dec 2016 04:28:41 -0500
Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
In the resource attach backing function, everytime it will
allocate 'res->iov' thus can leading a memory leak. This
patch avoid this.
Signed-off-by: Li Qiang <liq3ea@gmail.com>
Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/virtio-gpu.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 6a26258..ca88cf4 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
return;
}
+ if (res->iov) {
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
+ return;
+ }
+
ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
if (ret != 0) {
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
--
2.10.2

40
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch vendored
View File

@ -1,40 +0,0 @@
From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 4 Jan 2017 00:43:16 -0800
Subject: [PATCH] serial: fix memory leak in serial exit
The serial_exit_core function doesn't free some resources.
This can lead memory leak when hotplug and unplug. This
patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/char/serial.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/char/serial.c b/hw/char/serial.c
index ffbacd8..67b18ed 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
void serial_exit_core(SerialState *s)
{
qemu_chr_fe_deinit(&s->chr);
+
+ timer_del(s->modem_status_poll);
+ timer_free(s->modem_status_poll);
+
+ timer_del(s->fifo_timeout_timer);
+ timer_free(s->fifo_timeout_timer);
+
+ fifo8_destroy(&s->recv_fifo);
+ fifo8_destroy(&s->xmit_fifo);
+
qemu_unregister_reset(serial_reset, s);
}
--
2.10.2

37
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch vendored
View File

@ -1,37 +0,0 @@
From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 7 Feb 2017 18:29:59 +0000
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
While doing multi block SDMA transfer in routine
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
index 'begin' and data length 's->data_count' could end up to be same.
This could lead to an OOB access issue. Correct transfer data length
to avoid it.
Cc: qemu-stable@nongnu.org
Reported-by: Jiang Xin <jiangxin1@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20170130064736.9236-1-ppandit@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
hw/sd/sdhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 01fbf22..5bd5ab6 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
boundary_count -= block_size - begin;
}
dma_memory_read(&address_space_memory, s->sdmasysad,
- &s->fifo_buffer[begin], s->data_count);
+ &s->fifo_buffer[begin], s->data_count - begin);
s->sdmasysad += s->data_count - begin;
if (s->data_count == block_size) {
for (n = 0; n < block_size; n++) {
--
2.10.2

64
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch vendored
View File

@ -1,64 +0,0 @@
From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 2 Jan 2017 11:03:33 +0100
Subject: [PATCH] megasas: fix guest-triggered memory leak
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
Avoid this by returning only the status from map_dcmd, and loading
cmd->iov_size in the caller.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/scsi/megasas.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 67fc1e7..6233865 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
trace_megasas_dcmd_invalid_sge(cmd->index,
cmd->frame->header.sge_count);
cmd->iov_size = 0;
- return -1;
+ return -EINVAL;
}
iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
cmd->iov_size = iov_size;
- return cmd->iov_size;
+ return 0;
}
static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
{
- int opcode, len;
+ int opcode;
int retval = 0;
+ size_t len;
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
trace_megasas_handle_dcmd(cmd->index, opcode);
- len = megasas_map_dcmd(s, cmd);
- if (len < 0) {
+ if (megasas_map_dcmd(s, cmd) < 0) {
return MFI_STAT_MEMORY_NOT_AVAILABLE;
}
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
cmdptr++;
}
+ len = cmd->iov_size;
if (cmdptr->opcode == -1) {
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
retval = megasas_dcmd_dummy(s, cmd);
--
2.10.2

38
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch vendored
View File

@ -1,38 +0,0 @@
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
we'll leak memory.
This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/display/virtio-gpu-3d.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index f96a0c2..ecb09d1 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
struct virtio_gpu_ctrl_command *cmd)
{
struct virtio_gpu_resource_unref unref;
+ struct iovec *res_iovs = NULL;
+ int num_iovs = 0;
VIRTIO_GPU_FILL_CMD(unref);
trace_virtio_gpu_cmd_res_unref(unref.resource_id);
+ virgl_renderer_resource_detach_iov(unref.resource_id,
+ &res_iovs,
+ &num_iovs);
+ if (res_iovs != NULL && num_iovs != 0) {
+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
+ }
virgl_renderer_resource_unref(unref.resource_id);
}
--
1.8.3.1

35
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch vendored
View File

@ -1,35 +0,0 @@
From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Fri, 3 Feb 2017 00:52:28 +0530
Subject: [PATCH] usb: ccid: check ccid apdu length
CCID device emulator uses Application Protocol Data Units(APDU)
to exchange command and responses to and from the host.
The length in these units couldn't be greater than 65536. Add
check to ensure the same. It'd also avoid potential integer
overflow in emulated_apdu_from_guest.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170202192228.10847-1-ppandit@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/usb/dev-smartcard-reader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index 89e11b6..1325ea1 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
recv->hdr.bSeq, len);
ccid_add_pending_answer(s, (CCID_Header *)recv);
- if (s->card) {
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
ccid_card_apdu_from_guest(s->card, recv->abData, len);
} else {
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
--
2.10.2

46
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch vendored
View File

@ -1,46 +0,0 @@
From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
From: Gonglei <arei.gonglei@huawei.com>
Date: Tue, 3 Jan 2017 14:50:03 +0800
Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
Because the 'size_t' type is 4 bytes in 32-bit platform, which
is the same with 'int'. It's easy to make 'max_len' to zero when
integer overflow and then cause heap overflow if 'max_len' is zero.
Using uint_64 instead of size_t to avoid the integer overflow.
Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/virtio/virtio-crypto.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 2f2467e..c23e1ad 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
uint32_t hash_start_src_offset = 0, len_to_hash = 0;
uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
- size_t max_len, curr_size = 0;
+ uint64_t max_len, curr_size = 0;
size_t s;
/* Plain cipher */
@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
return NULL;
}
- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
if (unlikely(max_len > vcrypto->conf.max_size)) {
virtio_error(vdev, "virtio-crypto too big length");
return NULL;
--
2.10.2

87
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch vendored
View File

@ -1,87 +0,0 @@
Limits should be big enough that normal guest should not hit it.
Add a tracepoint to log them, just in case. Also, while being
at it, log the existing link trb limit too.
Reported-by: 李强 <address@hidden>
Signed-off-by: Gerd Hoffmann <address@hidden>
---
hw/usb/hcd-xhci.c | 15 ++++++++++++++-
hw/usb/trace-events | 1 +
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index fbf8a8b..28dd2f2 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -51,6 +51,8 @@
#define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS)
#define TRB_LINK_LIMIT 4
+#define COMMAND_LIMIT 256
+#define TRANSFER_LIMIT 256
#define LEN_CAP 0x40
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
return type;
} else {
if (++link_cnt > TRB_LINK_LIMIT) {
+ trace_usb_xhci_enforced_limit("trb-link");
return 0;
}
ring->dequeue = xhci_mask64(trb->parameter);
@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
XHCIRing *ring;
USBEndpoint *ep = NULL;
uint64_t mfindex;
+ unsigned int count = 0;
int length;
int i;
@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
epctx->retry = xfer;
break;
}
+ if (count++ > TRANSFER_LIMIT) {
+ trace_usb_xhci_enforced_limit("transfers");
+ break;
+ }
}
epctx->kick_active--;
@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci)
TRBType type;
XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS};
dma_addr_t addr;
- unsigned int i, slotid = 0;
+ unsigned int i, slotid = 0, count = 0;
DPRINTF("xhci_process_commands()\n");
if (!xhci_running(xhci)) {
@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci)
}
event.slotid = slotid;
xhci_event(xhci, &event, 0);
+
+ if (count++ > COMMAND_LIMIT) {
+ trace_usb_xhci_enforced_limit("commands");
+ return;
+ }
}
}
diff --git a/hw/usb/trace-events b/hw/usb/trace-events
index fdd1d29..0c323d4 100644
--- a/hw/usb/trace-events
+++ b/hw/usb/trace-events
@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p"
usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d"
usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d"
usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)"
+usb_xhci_enforced_limit(const char *item) "%s"
# hw/usb/desc.c
usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
--
1.8.3.1

50
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch vendored
View File

@ -1,50 +0,0 @@
From: Prasad J Pandit <address@hidden>
In the SDHCI protocol, the transfer mode register value
is used during multi block transfer to check if block count
register is enabled and should be updated. Transfer mode
register could be set such that, block count register would
not be updated, thus leading to an infinite loop. Add check
to avoid it.
Reported-by: Wjjzhang <address@hidden>
Reported-by: Jiang Xin <address@hidden>
Signed-off-by: Prasad J Pandit <address@hidden>
---
hw/sd/sdhci.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
Update: use qemu_log_mask(LOG_UNIMP, ...)
-> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 5bd5ab6..a9c744b 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) {
+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n");
+ return;
+ }
+
/* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
* possible stop at page boundary if initial address is not page aligned,
* allow them to work properly */
@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque)
if (s->trnmod & SDHC_TRNS_DMA) {
switch (SDHC_DMA_TYPE(s->hostctl)) {
case SDHC_CTRL_SDMA:
- if ((s->trnmod & SDHC_TRNS_MULTI) &&
- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
- break;
- }
-
if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
sdhci_sdma_transfer_single_block(s);
} else {
--
2.9.3

112
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch vendored
View File

@ -1,112 +0,0 @@
This patch fixed a problem that was introduced in commit eb700029.
When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
this can result in pkt->ehdr_buf being overflowed, because
ehdr_buf is only sizeof(struct eth_header) bytes large
but eth_strip_vlan() can write
sizeof(struct eth_header) + sizeof(struct vlan_header)
bytes into it.
Devices affected by this problem: vmxnet3.
Reported-by: Peter Maydell <address@hidden>
Signed-off-by: Dmitry Fleytman <address@hidden>
---
hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index 1019b50..7c0beac 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -23,13 +23,13 @@
struct NetRxPkt {
struct virtio_net_hdr virt_hdr;
- uint8_t ehdr_buf[sizeof(struct eth_header)];
+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
struct iovec *vec;
uint16_t vec_len_total;
uint16_t vec_len;
uint32_t tot_len;
uint16_t tci;
- bool vlan_stripped;
+ size_t ehdr_buf_len;
bool has_virt_hdr;
eth_pkt_types_e packet_type;
@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
const struct iovec *iov, int iovcnt,
size_t ploff)
{
- if (pkt->vlan_stripped) {
+ if (pkt->ehdr_buf_len) {
net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
pkt->vec[0].iov_base = pkt->ehdr_buf;
- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
-
- pkt->tot_len =
- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
iov, iovcnt, ploff, pkt->tot_len);
} else {
@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
uint16_t tci = 0;
uint16_t ploff = iovoff;
assert(pkt);
- pkt->vlan_stripped = false;
if (strip_vlan) {
- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
- pkt->ehdr_buf,
- &ploff, &tci);
+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
+ pkt->ehdr_buf,
+ &ploff, &tci);
+ } else {
+ pkt->ehdr_buf_len = 0;
}
pkt->tci = tci;
@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
NetRxPkt *pkt = (NetRxPkt *)pkt;
assert(pkt);
- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
#endif
}
@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
{
assert(pkt);
- return pkt->vlan_stripped;
+ return pkt->ehdr_buf_len ? true : false;
}
bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
--
2.7.4

52
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch vendored
View File

@ -1,52 +0,0 @@
From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 7 Feb 2017 02:23:33 -0800
Subject: [PATCH] usb: ohci: limit the number of link eds
The guest may builds an infinite loop with link eds. This patch
limit the number of linked ed to avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/usb/hcd-ohci.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index 2cba3e3..21c93e0 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -42,6 +42,8 @@
#define OHCI_MAX_PORTS 15
+#define ED_LINK_LIMIT 4
+
static int64_t usb_frame_time;
static int64_t usb_bit_time;
@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
uint32_t next_ed;
uint32_t cur;
int active;
-
+ uint32_t link_cnt = 0;
active = 0;
if (head == 0)
@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
next_ed = ed.next & OHCI_DPTR_MASK;
+ if (++link_cnt > ED_LINK_LIMIT) {
+ ohci_die(ohci);
+ return 0;
+ }
+
if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
uint32_t addr;
/* Cancel pending packets for ED that have been paused. */
--
2.10.2

174
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7493.patch vendored Normal file
View File

@ -0,0 +1,174 @@
From 7a95434e0ca8a037fd8aa1a2e2461f92585eb77b Mon Sep 17 00:00:00 2001
From: Greg Kurz <groug@kaod.org>
Date: Fri, 5 May 2017 14:48:08 +0200
Subject: [PATCH] 9pfs: local: forbid client access to metadata (CVE-2017-7493)
When using the mapped-file security mode, we shouldn't let the client mess
with the metadata. The current code already tries to hide the metadata dir
from the client by skipping it in local_readdir(). But the client can still
access or modify it through several other operations. This can be used to
escalate privileges in the guest.
Affected backend operations are:
- local_mknod()
- local_mkdir()
- local_open2()
- local_symlink()
- local_link()
- local_unlinkat()
- local_renameat()
- local_rename()
- local_name_to_path()
Other operations are safe because they are only passed a fid path, which
is computed internally in local_name_to_path().
This patch converts all the functions listed above to fail and return
EINVAL when being passed the name of the metadata dir. This may look
like a poor choice for errno, but there's no such thing as an illegal
path name on Linux and I could not think of anything better.
This fixes CVE-2017-7493.
Reported-by: Leo Gaspard <leo@gaspard.io>
Signed-off-by: Greg Kurz <groug@kaod.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
---
hw/9pfs/9p-local.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 56 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
index f3ebca4f7a..a2486566af 100644
--- a/hw/9pfs/9p-local.c
+++ b/hw/9pfs/9p-local.c
@@ -452,6 +452,11 @@ static off_t local_telldir(FsContext *ctx, V9fsFidOpenState *fs)
return telldir(fs->dir.stream);
}
+static bool local_is_mapped_file_metadata(FsContext *fs_ctx, const char *name)
+{
+ return !strcmp(name, VIRTFS_META_DIR);
+}
+
static struct dirent *local_readdir(FsContext *ctx, V9fsFidOpenState *fs)
{
struct dirent *entry;
@@ -465,8 +470,8 @@ again:
if (ctx->export_flags & V9FS_SM_MAPPED) {
entry->d_type = DT_UNKNOWN;
} else if (ctx->export_flags & V9FS_SM_MAPPED_FILE) {
- if (!strcmp(entry->d_name, VIRTFS_META_DIR)) {
- /* skp the meta data directory */
+ if (local_is_mapped_file_metadata(ctx, entry->d_name)) {
+ /* skip the meta data directory */
goto again;
}
entry->d_type = DT_UNKNOWN;
@@ -559,6 +564,12 @@ static int local_mknod(FsContext *fs_ctx, V9fsPath *dir_path,
int err = -1;
int dirfd;
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ local_is_mapped_file_metadata(fs_ctx, name)) {
+ errno = EINVAL;
+ return -1;
+ }
+
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
if (dirfd == -1) {
return -1;
@@ -605,6 +616,12 @@ static int local_mkdir(FsContext *fs_ctx, V9fsPath *dir_path,
int err = -1;
int dirfd;
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ local_is_mapped_file_metadata(fs_ctx, name)) {
+ errno = EINVAL;
+ return -1;
+ }
+
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
if (dirfd == -1) {
return -1;
@@ -694,6 +711,12 @@ static int local_open2(FsContext *fs_ctx, V9fsPath *dir_path, const char *name,
int err = -1;
int dirfd;
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ local_is_mapped_file_metadata(fs_ctx, name)) {
+ errno = EINVAL;
+ return -1;
+ }
+
/*
* Mark all the open to not follow symlinks
*/
@@ -752,6 +775,12 @@ static int local_symlink(FsContext *fs_ctx, const char *oldpath,
int err = -1;
int dirfd;
+ if (fs_ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ local_is_mapped_file_metadata(fs_ctx, name)) {
+ errno = EINVAL;
+ return -1;
+ }
+
dirfd = local_opendir_nofollow(fs_ctx, dir_path->data);
if (dirfd == -1) {
return -1;
@@ -826,6 +855,12 @@ static int local_link(FsContext *ctx, V9fsPath *oldpath,
int ret = -1;
int odirfd, ndirfd;
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ local_is_mapped_file_metadata(ctx, name)) {
+ errno = EINVAL;
+ return -1;
+ }
+
odirfd = local_opendir_nofollow(ctx, odirpath);
if (odirfd == -1) {
goto out;
@@ -1096,6 +1131,12 @@ static int local_lremovexattr(FsContext *ctx, V9fsPath *fs_path,
static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
const char *name, V9fsPath *target)
{
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ local_is_mapped_file_metadata(ctx, name)) {
+ errno = EINVAL;
+ return -1;
+ }
+
if (dir_path) {
v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
} else if (strcmp(name, "/")) {
@@ -1116,6 +1157,13 @@ static int local_renameat(FsContext *ctx, V9fsPath *olddir,
int ret;
int odirfd, ndirfd;
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ (local_is_mapped_file_metadata(ctx, old_name) ||
+ local_is_mapped_file_metadata(ctx, new_name))) {
+ errno = EINVAL;
+ return -1;
+ }
+
odirfd = local_opendir_nofollow(ctx, olddir->data);
if (odirfd == -1) {
return -1;
@@ -1206,6 +1254,12 @@ static int local_unlinkat(FsContext *ctx, V9fsPath *dir,
int ret;
int dirfd;
+ if (ctx->export_flags & V9FS_SM_MAPPED_FILE &&
+ local_is_mapped_file_metadata(ctx, name)) {
+ errno = EINVAL;
+ return -1;
+ }
+
dirfd = local_opendir_nofollow(ctx, dir->data);
if (dirfd == -1) {
return -1;
--
2.13.0

22
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8112.patch vendored Normal file
View File

@ -0,0 +1,22 @@
CVE-2017-8112
https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04494.html
---
hw/scsi/vmw_pvscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 7557546..4a106da 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
uint32_t len_log2;
uint32_t ring_size;
- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
return -1;
}
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
--
2.9.3

22
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8309.patch vendored Normal file
View File

@ -0,0 +1,22 @@
bug #616870
https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
---
audio/audio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/audio/audio.c b/audio/audio.c
index c8898d8422..beafed209b 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -2028,6 +2028,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
sw = sw1;
}
QLIST_REMOVE (cap, entries);
+ g_free (cap->hw.mix_buf);
+ g_free (cap->buf);
g_free (cap);
}
return;
--
2.9.3

76
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8379.patch vendored Normal file
View File

@ -0,0 +1,76 @@
bug #616872
https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
---
ui/input.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ui/input.c b/ui/input.c
index ed88cda6d6..fb1f404095 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
QTAILQ_HEAD_INITIALIZER(kbd_queue);
static QEMUTimer *kbd_timer;
static uint32_t kbd_default_delay_ms = 10;
+static uint32_t queue_count;
+static uint32_t queue_limit = 1024;
QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
QemuInputHandler *handler)
@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
break;
}
QTAILQ_REMOVE(queue, item, node);
+ queue_count--;
g_free(item);
}
}
@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
item->delay_ms = delay_ms;
item->timer = timer;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
if (start_timer) {
timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
item->src = src;
item->evt = evt;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
}
static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
item->type = QEMU_INPUT_QUEUE_SYNC;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
}
void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
qemu_input_event_send(src, evt);
qemu_input_event_sync();
qapi_free_InputEvent(evt);
- } else {
+ } else if (queue_count < queue_limit) {
qemu_input_queue_event(&kbd_queue, src, evt);
qemu_input_queue_sync(&kbd_queue);
}
@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
&kbd_queue);
}
- qemu_input_queue_delay(&kbd_queue, kbd_timer,
- delay_ms ? delay_ms : kbd_default_delay_ms);
+ if (queue_count < queue_limit) {
+ qemu_input_queue_delay(&kbd_queue, kbd_timer,
+ delay_ms ? delay_ms : kbd_default_delay_ms);
+ }
}
InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)
--
2.9.3

34
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-8380.patch vendored Normal file
View File

@ -0,0 +1,34 @@
bug #616874
https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
---
hw/scsi/megasas.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 84b8caf..804122a 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -2138,15 +2138,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
case MFI_SEQ:
trace_megasas_mmio_writel("MFI_SEQ", val);
/* Magic sequence to start ADP reset */
- if (adp_reset_seq[s->adp_reset] == val) {
- s->adp_reset++;
+ if (adp_reset_seq[s->adp_reset++] == val) {
+ if (s->adp_reset == 6) {
+ s->adp_reset = 0;
+ s->diag = MFI_DIAG_WRITE_ENABLE;
+ }
} else {
s->adp_reset = 0;
s->diag = 0;
}
- if (s->adp_reset == 6) {
- s->diag = MFI_DIAG_WRITE_ENABLE;
- }
break;
case MFI_DIAG:
trace_megasas_mmio_writel("MFI_DIAG", val);
--
2.9.3

138
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/files/qemu-binfmt.initd-r1 vendored
View File

@ -1,138 +0,0 @@
#!/sbin/openrc-run
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# enable automatic i386/ARM/M68K/MIPS/SPARC/PPC/s390 program execution by the kernel
# Defaulting to OC should be safe because it comes down to:
# - do we trust the interp itself to not be malicious? yes; we built it.
# - do we trust the programs we're running? ish; same permission as native
# binaries apply. so if user can do bad stuff natively, cross isn't worse.
: ${QEMU_BINFMT_FLAGS:=OC}
depend() {
after procfs
}
start() {
ebegin "Registering qemu-user binaries (flags: ${QEMU_BINFMT_FLAGS})"
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
modprobe -q binfmt_misc
fi
if [ ! -d /proc/sys/fs/binfmt_misc ] ; then
eend $? "You need support for 'misc binaries' in your kernel!" || return
fi
if [ ! -f /proc/sys/fs/binfmt_misc/register ] ; then
mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc >/dev/null 2>&1
eend $? || return
fi
# probe cpu type
cpu=`uname -m`
case "$cpu" in
i386|i486|i586|i686|i86pc|BePC|x86_64)
cpu="i386"
;;
m68k)
cpu="m68k"
;;
mips*)
cpu="mips"
;;
"Power Macintosh"|ppc|ppc64)
cpu="ppc"
;;
armv[4-9]*)
cpu="arm"
;;
sparc*)
cpu="sparc"
;;
esac
# register the interpreter for each cpu except for the native one
if [ $cpu != "i386" -a -x "/usr/bin/qemu-i386" ] ; then
echo ':i386:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
echo ':i486:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x06\x00:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-i386:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "alpha" -a -x "/usr/bin/qemu-alpha" ] ; then
echo ':alpha:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x26\x90:\xff\xff\xff\xff\xff\xfe\xfe\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-alpha:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "arm" -a -x "/usr/bin/qemu-arm" ] ; then
echo ':arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\x00\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "arm" -a -x "/usr/bin/qemu-armeb" ] ; then
echo ':armeb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-armeb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "aarch64" -a -x "/usr/bin/qemu-aarch64" ] ; then
echo ':aarch64:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\xb7\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-aarch64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "sparc" -a -x "/usr/bin/qemu-sparc" ] ; then
echo ':sparc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x02:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sparc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "ppc" -a -x "/usr/bin/qemu-ppc" ] ; then
echo ':ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-ppc:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "m68k" -a -x "/usr/bin/qemu-m68k" ] ; then
#echo 'Please check cpu value and header information for m68k!'
echo ':m68k:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-m68k:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips" ] ; then
# FIXME: We could use the other endianness on a MIPS host.
echo ':mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsel" ] ; then
echo ':mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32" ] ; then
echo ':mipsn32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mipsn32:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mipsn32el" ] ; then
echo ':mipsn32el:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mipsn32el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64" ] ; then
echo ':mips64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-mips64:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "mips" -a -x "/usr/bin/qemu-mips64el" ] ; then
echo ':mips64el:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-mips64el:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4" ] ; then
echo ':sh4:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a\x00:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-sh4:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "sh" -a -x "/usr/bin/qemu-sh4eb" ] ; then
echo ':sh4eb:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x2a:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-sh4eb:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
if [ $cpu != "s390x" -a -x "/usr/bin/qemu-s390x" ] ; then
echo ':s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff:/usr/bin/qemu-s390x:'"${QEMU_BINFMT_FLAGS}" > /proc/sys/fs/binfmt_misc/register
fi
eend $?
}
stop() {
ebegin "Unregistering qemu-user binaries"
local arches
arches="${arches} i386 i486"
arches="${arches} alpha"
arches="${arches} arm armeb"
arches="${arches} aarch64"
arches="${arches} sparc"
arches="${arches} ppc"
arches="${arches} m68k"
arches="${arches} mips mipsel mipsn32 mipsn32el mips64 mips64el"
arches="${arches} sh4 sh4eb"
arches="${arches} s390x"
for a in ${arches}; do
if [ -f /proc/sys/fs/binfmt_misc/$a ] ; then
echo '-1' > /proc/sys/fs/binfmt_misc/$a
fi
done
eend $?
}
# vim: ts=4 :

85
sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.8.0-r9.ebuild → sdk_container/src/third_party/coreos-overlay/app-emulation/qemu/qemu-2.9.0-r2.ebuild vendored
View File

@ -20,10 +20,6 @@ else
KEYWORDS="amd64 arm64 ~ppc ~ppc64 x86 ~x86-fbsd" KEYWORDS="amd64 arm64 ~ppc ~ppc64 x86 ~x86-fbsd"
fi fi
# bug #606088
SRC_URI+="
https://dev.gentoo.org/~tamiko/distfiles/${P}-CVE-2016-9602-patches.tar.xz"
DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org"
@ -33,16 +29,16 @@ IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt
glusterfs gnutls gtk gtk2 infiniband iscsi +jpeg kernel_linux glusterfs gnutls gtk gtk2 infiniband iscsi +jpeg kernel_linux
kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png
pulseaudio python rbd sasl +seccomp sdl sdl2 selinux smartcard snappy pulseaudio python rbd sasl +seccomp sdl sdl2 selinux smartcard snappy
spice ssh static static-user systemtap tci test +threads usb usbredir spice ssh static static-user systemtap tci test usb usbredir vde
vde +vhost-net virgl virtfs +vnc vte xattr xen xfs" +vhost-net virgl virtfs +vnc vte xattr xen xfs"
COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel
mips mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc mips mips64 mips64el mipsel nios2 or1k ppc ppc64 s390x sh4 sh4eb sparc
sparc64 x86_64" sparc64 x86_64"
IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS}
lm32 moxie ppcemb tricore unicore32 xtensa xtensaeb" lm32 moxie ppcemb tricore unicore32 xtensa xtensaeb"
IUSE_USER_TARGETS="${COMMON_TARGETS} IUSE_USER_TARGETS="${COMMON_TARGETS}
armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" armeb hppa mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx"
use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS})
use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS})
@ -54,6 +50,7 @@ REQUIRED_USE="${PYTHON_REQUIRED_USE}
gtk2? ( gtk ) gtk2? ( gtk )
qemu_softmmu_targets_arm? ( fdt ) qemu_softmmu_targets_arm? ( fdt )
qemu_softmmu_targets_microblaze? ( fdt ) qemu_softmmu_targets_microblaze? ( fdt )
qemu_softmmu_targets_mips64el? ( fdt )
qemu_softmmu_targets_ppc? ( fdt ) qemu_softmmu_targets_ppc? ( fdt )
qemu_softmmu_targets_ppc64? ( fdt ) qemu_softmmu_targets_ppc64? ( fdt )
sdl2? ( sdl ) sdl2? ( sdl )
@ -69,18 +66,17 @@ REQUIRED_USE="${PYTHON_REQUIRED_USE}
# The attr lib isn't always linked in (although the USE flag is always # The attr lib isn't always linked in (although the USE flag is always
# respected). This is because qemu supports using the C library's API # respected). This is because qemu supports using the C library's API
# when available rather than always using the extranl library. # when available rather than always using the extranl library.
# ALL_DEPEND="
# To configure and compile qemu user targets or tools alone the following
# dependencies are not strictly necessary:
# alsa? ( >=media-libs/alsa-lib-1.0.13 )
# fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
# pulseaudio? ( media-sound/pulseaudio )
# seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] )
# but these are so few it is not worth the effort to separate this list.
TARGETS_DEPEND="
>=dev-libs/glib-2.0[static-libs(+)] >=dev-libs/glib-2.0[static-libs(+)]
>=x11-libs/pixman-0.28.0[static-libs(+)]
sys-libs/zlib[static-libs(+)] sys-libs/zlib[static-libs(+)]
python? ( ${PYTHON_DEPS} )
systemtap? ( dev-util/systemtap )
xattr? ( sys-apps/attr[static-libs(+)] )"
# Dependencies required for qemu tools (qemu-nbd, qemu-img, qemu-io, ...)
# softmmu targets (qemu-system-*).
SOFTMMU_TOOLS_DEPEND="
>=x11-libs/pixman-0.28.0[static-libs(+)]
accessibility? ( accessibility? (
app-accessibility/brltty[api] app-accessibility/brltty[api]
app-accessibility/brltty[static-libs(+)] app-accessibility/brltty[static-libs(+)]
@ -125,7 +121,6 @@ TARGETS_DEPEND="
) )
png? ( media-libs/libpng:0=[static-libs(+)] ) png? ( media-libs/libpng:0=[static-libs(+)] )
pulseaudio? ( media-sound/pulseaudio ) pulseaudio? ( media-sound/pulseaudio )
python? ( ${PYTHON_DEPS} )
rbd? ( sys-cluster/ceph[static-libs(+)] ) rbd? ( sys-cluster/ceph[static-libs(+)] )
sasl? ( dev-libs/cyrus-sasl[static-libs(+)] ) sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
sdl? ( sdl? (
@ -146,13 +141,11 @@ TARGETS_DEPEND="
>=app-emulation/spice-0.12.0[static-libs(+)] >=app-emulation/spice-0.12.0[static-libs(+)]
) )
ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] )
systemtap? ( dev-util/systemtap )
usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] )
usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) usb? ( >=virtual/libusb-1-r2[static-libs(+)] )
usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] )
vde? ( net-misc/vde[static-libs(+)] ) vde? ( net-misc/vde[static-libs(+)] )
virgl? ( media-libs/virglrenderer[static-libs(+)] ) virgl? ( media-libs/virglrenderer[static-libs(+)] )
virtfs? ( sys-libs/libcap ) virtfs? ( sys-libs/libcap )
xattr? ( sys-apps/attr[static-libs(+)] )
xen? ( app-emulation/xen-tools:= ) xen? ( app-emulation/xen-tools:= )
xfs? ( sys-fs/xfsprogs[static-libs(+)] )" xfs? ( sys-fs/xfsprogs[static-libs(+)] )"
@ -170,7 +163,10 @@ X86_FIRMWARE_DEPEND="
)" )"
CDEPEND=" CDEPEND="
!static? ( ${TARGETS_DEPEND//\[static-libs(+)]} ) !static? (
${ALL_DEPEND//\[static-libs(+)]}
${SOFTMMU_TOOLS_DEPEND//\[static-libs(+)]}
)
qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} ) qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} )
qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )" qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )"
DEPEND="${CDEPEND} DEPEND="${CDEPEND}
@ -180,8 +176,11 @@ DEPEND="${CDEPEND}
virtual/pkgconfig virtual/pkgconfig
kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 ) kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 )
gtk? ( nls? ( sys-devel/gettext ) ) gtk? ( nls? ( sys-devel/gettext ) )
static? ( ${TARGETS_DEPEND} ) static? (
static-user? ( ${TARGETS_DEPEND} ) ${ALL_DEPEND}
${SOFTMMU_TOOLS_DEPEND}
)
static-user? ( ${ALL_DEPEND} )
test? ( test? (
dev-libs/glib[utils] dev-libs/glib[utils]
sys-devel/bc sys-devel/bc
@ -192,29 +191,11 @@ RDEPEND="${CDEPEND}
PATCHES=( PATCHES=(
"${FILESDIR}"/${PN}-2.5.0-cflags.patch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
"${FILESDIR}"/${PN}-2.5.0-sysmacros.patch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
"${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108 "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8309.patch # bug 616870
"${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch #601826 "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8379.patch # bug 616872
"${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch #602630 "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8380.patch # bug 616874
"${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch #603444 "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636
"${FILESDIR}"/${PN}-2.8.0-CVE-2016-10155.patch #606720 "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2615.patch #608034
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2630.patch #609396
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-1.patch #606264
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-2.patch
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5552.patch #606722
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5578.patch #607000
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5579.patch #607100
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5667.patch #607766
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5856.patch #608036
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5857.patch #608038
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5898.patch #608520
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5931.patch #608728
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5973.patch #609334
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6058.patch #609638
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-2620.patch #609206
"${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch #612220
"${S}-CVE-2016-9602-patches"
# fix for vpc creation in qemu-img # fix for vpc creation in qemu-img
"${FILESDIR}"/0001-block-fix-vpc-max_table_entries-computation.patch "${FILESDIR}"/0001-block-fix-vpc-max_table_entries-computation.patch
@ -240,7 +221,7 @@ QA_WX_LOAD="usr/bin/qemu-i386
usr/bin/qemu-microblazeel usr/bin/qemu-microblazeel
usr/bin/qemu-mips usr/bin/qemu-mips
usr/bin/qemu-mipsel usr/bin/qemu-mipsel
usr/bin/qemu-or32 usr/bin/qemu-or1k
usr/bin/qemu-ppc usr/bin/qemu-ppc
usr/bin/qemu-ppc64 usr/bin/qemu-ppc64
usr/bin/qemu-ppc64abi32 usr/bin/qemu-ppc64abi32
@ -529,7 +510,7 @@ qemu_src_configure() {
if use ${static_flag}; then if use ${static_flag}; then
conf_opts+=( --static --disable-pie ) conf_opts+=( --static --disable-pie )
else else
gcc-specs-pie && conf_opts+=( --enable-pie ) tc-enables-pie && conf_opts+=( --enable-pie )
fi fi
echo "../configure ${conf_opts[*]}" echo "../configure ${conf_opts[*]}"
@ -697,9 +678,6 @@ src_install() {
insinto "/etc/qemu" insinto "/etc/qemu"
doins "${FILESDIR}/bridge.conf" doins "${FILESDIR}/bridge.conf"
# Remove the docdir placed qmp-commands.txt
mv "${ED}/usr/share/doc/${PF}/html/qmp-commands.txt" "${S}/docs/" || die
cd "${S}" cd "${S}"
dodoc Changelog MAINTAINERS docs/specs/pci-ids.txt dodoc Changelog MAINTAINERS docs/specs/pci-ids.txt
newdoc pc-bios/README README.pc-bios newdoc pc-bios/README README.pc-bios
@ -750,7 +728,6 @@ src_install() {
pkg_postinst() { pkg_postinst() {
DISABLE_AUTOFORMATTING=true DISABLE_AUTOFORMATTING=true
FORCE_PRINT_ELOG=1 # remove for next version bump
readme.gentoo_print_elog readme.gentoo_print_elog
if [[ -n ${softmmu_targets} ]] && use kernel_linux; then if [[ -n ${softmmu_targets} ]] && use kernel_linux; then