authorToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp>2020-03-30 09:24:26 +0900
committerToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp>2020-03-30 09:24:26 +0900
commit5b80bfd7bffd4c20d80b7c70a7130529e9a755dd (patch)
treeb4bb18dcd1487dbf1ea8127e5671b7bb2eded033 /external/poky/meta/recipes-devtools/qemu
parent706ad73eb02caf8532deaf5d38995bd258725cb8 (diff)
agl-basesystem
Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu')
-rw-r--r--external/poky/meta/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb37
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb24
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c156
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu-targets.inc22
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu.inc120
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch71
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch138
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch32
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch32
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch33
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch145
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch25
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch239
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch43
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch32
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch141
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch85
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch73
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch52
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch64
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch49
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch89
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch52
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch70
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch51
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch86
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch51
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch115
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch83
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch42
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch52
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch38
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch47
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/powerpc_rom.binbin0 -> 4096 bytes
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu/run-ptest10
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb70
-rw-r--r--external/poky/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb38
37 files changed, 2507 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb b/external/poky/meta/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb
new file mode 100644
index 00000000..cdc2f51c
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/nativesdk-qemu-helper_1.0.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Qemu helper scripts"
+LICENSE = "GPLv2"
+RDEPENDS_${PN} = "nativesdk-qemu \
+ nativesdk-python3-shell nativesdk-python3-fcntl nativesdk-python3-logging \
+ "
+
+PR = "r9"
+
+LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5d4e0b4c28f999 \
+ file://${COREBASE}/scripts/runqemu;endline=19;md5=a8ad1905c709a2deaa057608ebaf705a"
+
+
+SRC_URI = "file://${COREBASE}/scripts/runqemu \
+ file://${COREBASE}/scripts/runqemu-addptable2image \
+ file://${COREBASE}/scripts/runqemu-gen-tapdevs \
+ file://${COREBASE}/scripts/runqemu-ifup \
+ file://${COREBASE}/scripts/runqemu-ifdown \
+ file://${COREBASE}/scripts/oe-find-native-sysroot \
+ file://${COREBASE}/scripts/runqemu-extract-sdk \
+ file://${COREBASE}/scripts/runqemu-export-rootfs \
+ file://tunctl.c \
+ "
+
+S = "${WORKDIR}"
+
+inherit nativesdk
+
+do_compile() {
+ ${CC} tunctl.c -o tunctl
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install -m 0755 ${WORKDIR}${COREBASE}/scripts/oe-* ${D}${bindir}/
+ install -m 0755 ${WORKDIR}${COREBASE}/scripts/runqemu* ${D}${bindir}/
+ install tunctl ${D}${bindir}/
+}
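Review bot: `do_compile` builds the helper with `${CC} tunctl.c -o tunctl`, so the recipe's `CFLAGS` and `LDFLAGS` are never handed to the compiler, and whatever optimisation or hardening options are configured there are not applied to a program that opens the tun clone device and sets interface ownership. Passing them explicitly, `${CC} ${CFLAGS} ${LDFLAGS} -Wall tunctl.c -o tunctl`, also puts compiler warnings in the build log. The same line appears in `do_compile` of qemu-helper-native_1.0.bb. `install tunctl ${D}${bindir}/` would read more clearly with an explicit `-m 0755`, matching the script installs above it.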
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb b/external/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb
new file mode 100644
index 00000000..d86b1551
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb
@@ -0,0 +1,24 @@
+SUMMARY = "Helper utilities needed by the runqemu script"
+LICENSE = "GPLv2"
+RDEPENDS_${PN} = "qemu-native"
+PR = "r1"
+
+LIC_FILES_CHKSUM = "file://${WORKDIR}/tunctl.c;endline=4;md5=ff3a09996bc5fff6bc5d4e0b4c28f999"
+
+SRC_URI = "file://tunctl.c"
+
+S = "${WORKDIR}"
+
+inherit native
+
+do_compile() {
+ ${CC} tunctl.c -o tunctl
+}
+
+do_install() {
+ install -d ${D}${bindir}
+ install tunctl ${D}${bindir}/
+}
+
+DEPENDS += "qemu-native"
+addtask addto_recipe_sysroot after do_populate_sysroot before do_build
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c b/external/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c
new file mode 100644
index 00000000..16e24a2a
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c
@@ -0,0 +1,156 @@
+/* Copyright 2002 Jeff Dike
+ * Licensed under the GPL
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#include <net/if.h>
+#include <sys/ioctl.h>
+#include <linux/if_tun.h>
+
+/* TUNSETGROUP appeared in 2.6.23 */
+#ifndef TUNSETGROUP
+#define TUNSETGROUP _IOW('T', 206, int)
+#endif
+
+static void Usage(char *name)
+{
+ fprintf(stderr, "Create: %s [-b] [-u owner] [-g group] [-t device-name] "
+ "[-f tun-clone-device]\n", name);
+ fprintf(stderr, "Delete: %s -d device-name [-f tun-clone-device]\n\n",
+ name);
+ fprintf(stderr, "The default tun clone device is /dev/net/tun - some systems"
+ " use\n/dev/misc/net/tun instead\n\n");
+ fprintf(stderr, "-b will result in brief output (just the device name)\n");
+ exit(1);
+}
+
+int main(int argc, char **argv)
+{
+ struct ifreq ifr;
+ struct passwd *pw;
+ struct group *gr;
+ uid_t owner = -1;
+ gid_t group = -1;
+ int tap_fd, opt, delete = 0, brief = 0;
+ char *tun = "", *file = "/dev/net/tun", *name = argv[0], *end;
+
+ while((opt = getopt(argc, argv, "bd:f:t:u:g:")) > 0){
+ switch(opt) {
+ case 'b':
+ brief = 1;
+ break;
+ case 'd':
+ delete = 1;
+ tun = optarg;
+ break;
+ case 'f':
+ file = optarg;
+ break;
+ case 'u':
+ pw = getpwnam(optarg);
+ if(pw != NULL){
+ owner = pw->pw_uid;
+ break;
+ }
+ owner = strtol(optarg, &end, 0);
+ if(*end != '\0'){
+ fprintf(stderr, "'%s' is neither a username nor a numeric uid.\n",
+ optarg);
+ Usage(name);
+ }
+ break;
+ case 'g':
+ gr = getgrnam(optarg);
+ if(gr != NULL){
+ group = gr->gr_gid;
+ break;
+ }
+ group = strtol(optarg, &end, 0);
+ if(*end != '\0'){
+ fprintf(stderr, "'%s' is neither a groupname nor a numeric group.\n",
+ optarg);
+ Usage(name);
+ }
+ break;
+
+ case 't':
+ tun = optarg;
+ break;
+ case 'h':
+ default:
+ Usage(name);
+ }
+ }
+
+ argv += optind;
+ argc -= optind;
+
+ if(argc > 0)
+ Usage(name);
+
+ if((tap_fd = open(file, O_RDWR)) < 0){
+ fprintf(stderr, "Failed to open '%s' : ", file);
+ perror("");
+ exit(1);
+ }
+
+ memset(&ifr, 0, sizeof(ifr));
+
+ ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
+ strncpy(ifr.ifr_name, tun, sizeof(ifr.ifr_name) - 1);
+ if(ioctl(tap_fd, TUNSETIFF, (void *) &ifr) < 0){
+ perror("TUNSETIFF");
+ exit(1);
+ }
+
+ if(delete){
+ if(ioctl(tap_fd, TUNSETPERSIST, 0) < 0){
+ perror("disabling TUNSETPERSIST");
+ exit(1);
+ }
+ printf("Set '%s' nonpersistent\n", ifr.ifr_name);
+ }
+ else {
+ /* emulate behaviour prior to TUNSETGROUP */
+ if(owner == -1 && group == -1) {
+ owner = geteuid();
+ }
+
+ if(owner != -1) {
+ if(ioctl(tap_fd, TUNSETOWNER, owner) < 0){
+ perror("TUNSETOWNER");
+ exit(1);
+ }
+ }
+ if(group != -1) {
+ if(ioctl(tap_fd, TUNSETGROUP, group) < 0){
+ perror("TUNSETGROUP");
+ exit(1);
+ }
+ }
+
+ if(ioctl(tap_fd, TUNSETPERSIST, 1) < 0){
+ perror("enabling TUNSETPERSIST");
+ exit(1);
+ }
+
+ if(brief)
+ printf("%s\n", ifr.ifr_name);
+ else {
+ printf("Set '%s' persistent and owned by", ifr.ifr_name);
+ if(owner != -1)
+ printf(" uid %d", owner);
+ if(group != -1)
+ printf(" gid %d", group);
+ printf("\n");
+ }
+ }
+ return(0);
+}
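Review bot: In the `-u` and `-g` cases the numeric fallback accepts an argument with no digits: when the name lookup finds no match, `strtol("", &end, 0)` returns 0 with `*end == '\0'`, so `-u ""` silently selects uid 0 instead of reaching `Usage`. The check should also reject that case, `if(end == optarg || *end != '\0'){`, and ideally clear and test `errno` for `ERANGE` before the `long` is narrowed into `uid_t`/`gid_t`. Separately, `strncpy(ifr.ifr_name, tun, sizeof(ifr.ifr_name) - 1)` truncates an over-long `-t`/`-d` name without warning, so `-d` could act on a different interface than the one named; comparing `strlen(tun)` with `IFNAMSIZ` first would turn that into an error. The `case 'h':` label is unreachable because `h` is not in the getopt string.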
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu-targets.inc b/external/poky/meta/recipes-devtools/qemu/qemu-targets.inc
new file mode 100644
index 00000000..810401da
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu-targets.inc
@@ -0,0 +1,22 @@
+# possible arch values are arm aarch64 mips mipsel mips64 mips64el ppc ppc64 ppc64abi32
+# ppcemb armeb alpha sparc32plus i386 x86_64 cris m68k microblaze sparc sparc32
+# sparc32plus
+
+def get_qemu_target_list(d):
+ import bb
+ archs = d.getVar('QEMU_TARGETS').split()
+ tos = d.getVar('HOST_OS')
+ softmmuonly = ""
+ for arch in ['ppcemb', 'lm32']:
+ if arch in archs:
+ softmmuonly += arch + "-softmmu,"
+ archs.remove(arch)
+ linuxuseronly = ""
+ for arch in ['armeb', 'alpha', 'ppc64abi32', 'sparc32plus']:
+ if arch in archs:
+ linuxuseronly += arch + "-linux-user,"
+ archs.remove(arch)
+ if 'linux' not in tos:
+ return softmmuonly + ''.join([arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+ return softmmuonly + linuxuseronly + ''.join([arch + "-linux-user" + "," + arch + "-softmmu" + "," for arch in archs]).rstrip(',')
+
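Review bot: `get_qemu_target_list` has no docstring, and the header comment above it is out of step with the code: it lists `sparc32plus` twice and omits `lm32`, which the function special-cases as softmmu-only. A docstring such as `"""Return the comma-separated --target-list value built from QEMU_TARGETS and HOST_OS."""` would state the contract, including that `QEMU_TARGETS` must be set because `d.getVar('QEMU_TARGETS').split()` fails on `None`. `import bb` is not used in the visible body and can be dropped.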
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu.inc b/external/poky/meta/recipes-devtools/qemu/qemu.inc
new file mode 100644
index 00000000..b05c1cee
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -0,0 +1,120 @@
+SUMMARY = "Fast open source processor emulator"
+HOMEPAGE = "http://qemu.org"
+LICENSE = "GPLv2 & LGPLv2.1"
+DEPENDS = "glib-2.0 zlib pixman"
+RDEPENDS_${PN}_class-target += "bash"
+
+require qemu-targets.inc
+inherit pkgconfig bluetooth
+BBCLASSEXTEND = "native nativesdk"
+
+# QEMU_TARGETS is overridable variable
+QEMU_TARGETS ?= "arm aarch64 i386 mips mipsel mips64 mips64el ppc riscv32 riscv64 sh4 x86_64"
+
+EXTRA_OECONF = " \
+ --prefix=${prefix} \
+ --bindir=${bindir} \
+ --includedir=${includedir} \
+ --libdir=${libdir} \
+ --mandir=${mandir} \
+ --datadir=${datadir} \
+ --docdir=${docdir}/${BPN} \
+ --sysconfdir=${sysconfdir} \
+ --libexecdir=${libexecdir} \
+ --localstatedir=${localstatedir} \
+ --with-confsuffix=/${BPN} \
+ --disable-strip \
+ --disable-werror \
+ --target-list=${@get_qemu_target_list(d)} \
+ --extra-cflags='${CFLAGS}' \
+ ${PACKAGECONFIG_CONFARGS} \
+ "
+EXTRA_OECONF_append_class-native = " --python=python2.7"
+
+EXTRA_OEMAKE_append_class-native = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'"
+
+LDFLAGS_append_class-native = " -fuse-ld=bfd"
+
+export LIBTOOL="${HOST_SYS}-libtool"
+
+B = "${WORKDIR}/build"
+
+do_configure_prepend_class-native() {
+ # Append build host pkg-config paths for native target since the host may provide sdl
+ BHOST_PKGCONFIG_PATH=$(PATH=/usr/bin:/bin pkg-config --variable pc_path pkg-config || echo "")
+ if [ ! -z "$BHOST_PKGCONFIG_PATH" ]; then
+ export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:$BHOST_PKGCONFIG_PATH
+ fi
+}
+
+do_configure() {
+ ${S}/configure ${EXTRA_OECONF}
+}
+
+do_install () {
+ export STRIP=""
+ oe_runmake 'DESTDIR=${D}' install
+}
+
+# The following fragment will create a wrapper for qemu-mips user emulation
+# binary in order to work around a segmentation fault issue. Basically, by
+# default, the reserved virtual address space for 32-on-64 bit is set to 4GB.
+# This will trigger a MMU access fault in the virtual CPU. With this change,
+# the qemu-mips works fine.
+# IMPORTANT: This piece needs to be removed once the root cause is fixed!
+do_install_append() {
+ if [ -e "${D}/${bindir}/qemu-mips" ]; then
+ create_wrapper ${D}/${bindir}/qemu-mips \
+ QEMU_RESERVED_VA=0x0
+ fi
+}
+# END of qemu-mips workaround
+
+PACKAGECONFIG ??= " \
+ fdt sdl kvm \
+ ${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
+"
+PACKAGECONFIG_class-native ??= "fdt alsa kvm"
+PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm"
+
+# Handle distros such as CentOS 5 32-bit that do not have kvm support
+PACKAGECONFIG_class-native_remove = "${@'kvm' if not os.path.exists('/usr/include/linux/kvm.h') else ''}"
+
+# Disable kvm on targets that do not support it
+PACKAGECONFIG_remove_darwin = "kvm"
+PACKAGECONFIG_remove_mingw32 = "kvm"
+
+PACKAGECONFIG[sdl] = "--enable-sdl --with-sdlabi=2.0,--disable-sdl,libsdl2"
+PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr,"
+PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
+PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
+PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen,xen-libxenstore xen-libxenctrl xen-libxenguest"
+PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
+PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
+PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
+PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,libcurl,"
+PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
+PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
+PACKAGECONFIG[gtk+] = "--enable-gtk --with-gtkabi=3.0 --enable-vte,--disable-gtk --disable-vte,gtk+3 vte"
+PACKAGECONFIG[libcap-ng] = "--enable-cap-ng,--disable-cap-ng,libcap-ng,"
+PACKAGECONFIG[ssh2] = "--enable-libssh2,--disable-libssh2,libssh2,"
+PACKAGECONFIG[gcrypt] = "--enable-gcrypt,--disable-gcrypt,libgcrypt,"
+PACKAGECONFIG[nettle] = "--enable-nettle,--disable-nettle,nettle"
+PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
+PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
+PACKAGECONFIG[alsa] = "--audio-drv-list='oss alsa',,alsa-lib"
+PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,mesa"
+PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
+PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
+PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls"
+PACKAGECONFIG[bzip2] = "--enable-bzip2,--disable-bzip2,bzip2"
+PACKAGECONFIG[bluez] = "--enable-bluez,--disable-bluez,${BLUEZ}"
+PACKAGECONFIG[libiscsi] = "--enable-libiscsi,--disable-libiscsi"
+PACKAGECONFIG[kvm] = "--enable-kvm,--disable-kvm"
+PACKAGECONFIG[virglrenderer] = "--enable-virglrenderer,--disable-virglrenderer,virglrenderer"
+# spice will be in meta-networking layer
+PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice"
+# usbredir will be in meta-networking layer
+PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
+
+INSANE_SKIP_${PN} = "arch"
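Review bot: `do_configure_prepend_class-native` appends the build host's entire pkg-config search path to `PKG_CONFIG_PATH`, so every library configure probes through pkg-config, not only sdl, can be resolved from host packages the recipe neither declares nor pins. Any feature without an explicit `PACKAGECONFIG` enable/disable pair would then depend on what the build machine has installed, which works against reproducible native builds. The existing comment should say so, for example `# NOTE: exposes all host .pc files to configure; features lacking a PACKAGECONFIG switch may be auto-detected from the build host`. The `os.path.exists('/usr/include/linux/kvm.h')` test in `PACKAGECONFIG_class-native_remove` is a second host-dependent input worth naming in the same comment.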
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
new file mode 100644
index 00000000..b8a9206f
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
@@ -0,0 +1,71 @@
+From 18fb45c34a473c4ba247bb82bcea94b7c3ba493a Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Wed, 18 Sep 2013 14:04:54 +0100
+Subject: [PATCH] sdl.c: allow user to disable pointer grabs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls
+XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already
+a pointer grab (screen is locked, a menu is open) then qemu will hang until the
+grab can be taken. In the specific case of a headless X server on an autobuilder, once
+the screensaver has kicked in any qemu instance that appears underneath the
+pointer will hang.
+
+I'm not entirely sure why pointer grabs are required (the documentation
+explicitly says it doesn't do grabs when using a tablet, which we are) so wrap
+them in a conditional that can be set by the autobuilder environment, preserving
+the current grabbing behaviour for everyone else.
+
+Upstream-Status: Pending
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+Signed-off-by: Eric Bénard <eric@eukrea.com>
+---
+ ui/sdl.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ui/sdl.c b/ui/sdl.c
+index a5fd503c25..ab8d1b1eb1 100644
+--- a/ui/sdl.c
++++ b/ui/sdl.c
+@@ -68,6 +68,11 @@ static int idle_counter;
+ static const guint16 *keycode_map;
+ static size_t keycode_maplen;
+
++#ifndef True
++#define True 1
++#endif
++static doing_grabs = True;
++
+ #define SDL_REFRESH_INTERVAL_BUSY 10
+ #define SDL_MAX_IDLE_COUNT (2 * GUI_REFRESH_INTERVAL_DEFAULT \
+ / SDL_REFRESH_INTERVAL_BUSY + 1)
+@@ -398,14 +403,16 @@ static void sdl_grab_start(void)
+ }
+ } else
+ sdl_hide_cursor();
+- SDL_WM_GrabInput(SDL_GRAB_ON);
++ if (doing_grabs)
++ SDL_WM_GrabInput(SDL_GRAB_ON);
+ gui_grab = 1;
+ sdl_update_caption();
+ }
+
+ static void sdl_grab_end(void)
+ {
+- SDL_WM_GrabInput(SDL_GRAB_OFF);
++ if (doing_grabs)
++ SDL_WM_GrabInput(SDL_GRAB_OFF);
+ gui_grab = 0;
+ sdl_show_cursor();
+ sdl_update_caption();
+@@ -945,6 +952,8 @@ static void sdl1_display_init(DisplayState *ds, DisplayOptions *o)
+ * This requires SDL >= 1.2.14. */
+ setenv("SDL_DISABLE_LOCK_KEYS", "1", 1);
+
++ doing_grabs = (getenv("QEMU_DONT_GRAB") == NULL);
++
+ flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
+ if (SDL_Init (flags)) {
+ fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",
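Review bot: `static doing_grabs = True;` declares the flag with no type and relies on implicit `int`, which C99 removed; it builds only as a tolerated extension and draws a warning. Writing `static int doing_grabs = 1;` also makes the `#ifndef True` / `#define True 1` shim unnecessary. The check `getenv("QEMU_DONT_GRAB") == NULL` in `sdl1_display_init` tests only whether the variable is set, so `QEMU_DONT_GRAB=0` disables grabs as well; a one-line comment there would document that. The patched functions continue outside the quoted hunks.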
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch
new file mode 100644
index 00000000..90e4b800
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -0,0 +1,138 @@
+From 41603f745caaecdc7c9d760fb7d2df01ccc60128 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Thu, 27 Nov 2014 14:04:29 +0000
+Subject: [PATCH] qemu: Add missing wacom HID descriptor
+
+The USB wacom device is missing a HID descriptor which causes it
+to fail to operate with recent kernels (e.g. 3.17).
+
+This patch adds a HID desriptor to the device, based upon one from
+real wcom device.
+
+Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
+
+Upstream-Status: Submitted
+2014/11/27
+---
+ hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 93 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
+index bf70013059..2f6e129732 100644
+--- a/hw/usb/dev-wacom.c
++++ b/hw/usb/dev-wacom.c
+@@ -72,6 +72,89 @@ static const USBDescStrings desc_strings = {
+ [STR_SERIALNUMBER] = "1",
+ };
+
++static const uint8_t qemu_tablet_hid_report_descriptor[] = {
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x02, /* Usage (Mouse) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x01, /* Report ID (1) */
++ 0x09, 0x01, /* Usage (Pointer) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x05, 0x09, /* Usage Page (Button) */
++ 0x19, 0x01, /* Usage Minimum (1) */
++ 0x29, 0x05, /* Usage Maximum (5) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x25, 0x01, /* Logical Maximum (1) */
++ 0x95, 0x05, /* Report Count (5) */
++ 0x75, 0x01, /* Report Size (1) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0x75, 0x03, /* Report Size (3) */
++ 0x81, 0x01, /* Input (Constant) */
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x30, /* Usage (X) */
++ 0x09, 0x31, /* Usage (Y) */
++ 0x15, 0x81, /* Logical Minimum (-127) */
++ 0x25, 0x7f, /* Logical Maximum (127) */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x02, /* Report Count (2) */
++ 0x81, 0x06, /* Input (Data, Variable, Relative) */
++ 0xc0, /* End Collection */
++ 0xc0, /* End Collection */
++ 0x05, 0x0d, /* Usage Page (Digitizer) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x26, 0xff, 0x00, /* Logical Maximum (255) */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x08, /* Report Count (8) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0xc0, /* End Collection */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0xb1, 0x02, /* FEATURE (2) */
++ 0xc0, /* End Collection */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0xa1, 0x01, /* Collection (Application) */
++ 0x85, 0x02, /* Report ID (2) */
++ 0x05, 0x0d, /* Usage Page (Digitizer) */
++ 0x09, 0x22, /* Usage (Finger) */
++ 0xa1, 0x00, /* Collection (Physical) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x15, 0x00, /* Logical Minimum (0) */
++ 0x26, 0xff, 0x00, /* Logical Maximum */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x02, /* Report Count (2) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x05, 0x01, /* Usage Page (Generic Desktop) */
++ 0x09, 0x30, /* Usage (X) */
++ 0x35, 0x00, /* Physical Minimum */
++ 0x46, 0xe0, 0x2e, /* Physical Maximum */
++ 0x26, 0xe0, 0x01, /* Logical Maximum */
++ 0x75, 0x10, /* Report Size (16) */
++ 0x95, 0x01, /* Report Count (1) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x09, 0x31, /* Usage (Y) */
++ 0x46, 0x40, 0x1f, /* Physical Maximum */
++ 0x26, 0x40, 0x01, /* Logical Maximum */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0x06, 0x00, 0xff, /* Usage Page (Vendor 0xff00) */
++ 0x09, 0x01, /* Usage (Digitizer) */
++ 0x26, 0xff, 0x00, /* Logical Maximum */
++ 0x75, 0x08, /* Report Size (8) */
++ 0x95, 0x0d, /* Report Count (13) */
++ 0x81, 0x02, /* Input (Data, Variable, Absolute) */
++ 0xc0, /* End Collection */
++ 0xc0, /* End Collection */
++};
++
++
+ static const USBDescIface desc_iface_wacom = {
+ .bInterfaceNumber = 0,
+ .bNumEndpoints = 1,
+@@ -89,7 +172,7 @@ static const USBDescIface desc_iface_wacom = {
+ 0x00, /* u8 country_code */
+ 0x01, /* u8 num_descriptors */
+ 0x22, /* u8 type: Report */
+- 0x6e, 0, /* u16 len */
++ sizeof(qemu_tablet_hid_report_descriptor), 0, /* u16 len */
+ },
+ },
+ },
+@@ -269,6 +352,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
+ }
+
+ switch (request) {
++ case InterfaceRequest | USB_REQ_GET_DESCRIPTOR:
++ switch (value >> 8) {
++ case 0x22:
++ memcpy(data, qemu_tablet_hid_report_descriptor,
++ sizeof(qemu_tablet_hid_report_descriptor));
++ p->actual_length = sizeof(qemu_tablet_hid_report_descriptor);
++ break;
++ }
++ break;
+ case WACOM_SET_REPORT:
+ if (s->mouse_grabbed) {
+ qemu_remove_mouse_event_handler(s->eh_entry);
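Review bot: The new `GET_DESCRIPTOR` case copies the whole report descriptor with `memcpy(data, ..., sizeof(qemu_tablet_hid_report_descriptor))` and reports that size in `p->actual_length` without comparing it with the length the guest asked for. The handler's remaining parameters are outside the hunk, so this assumes the usual `length` argument is in scope; if it is, clamp first with `size_t n = MIN(length, sizeof(qemu_tablet_hid_report_descriptor));` and use `n` for both the copy and `actual_length`. The inner `switch (value >> 8)` has no `default`, so descriptor types other than 0x22 fall out as if handled rather than being rejected like other unknown requests (that path is not visible here). In `desc_iface_wacom`, `sizeof(...), 0` fills only the low byte of the u16 length, which is correct only while the descriptor stays under 256 bytes.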
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
new file mode 100644
index 00000000..0d43271c
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -0,0 +1,32 @@
+From a9a669448ba6f1b295427e271d99f61736fc5189 Mon Sep 17 00:00:00 2001
+From: Juro Bystricky <juro.bystricky@intel.com>
+Date: Thu, 31 Aug 2017 11:06:56 -0700
+Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
+ qemu.
+
+Upstream-Status: Pending
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+---
+ tests/Makefile.include | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/tests/Makefile.include b/tests/Makefile.include
+index 3b9a5e31a2..dfbcd728d7 100644
+--- a/tests/Makefile.include
++++ b/tests/Makefile.include
+@@ -972,4 +972,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+ -include $(wildcard tests/*.d)
+ -include $(wildcard tests/libqos/*.d)
+
++buildtest-TESTS: $(check-unit-y)
++
++runtest-TESTS:
++ for f in $(check-unit-y); do \
++ nf=$$(echo $$f | sed 's/tests\//\.\//g'); \
++ $$nf; \
++ done
++
+ endif
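Review bot: `runtest-TESTS` runs each unit test with `$$nf;` and discards its exit status, so the target's result is that of the last test only and an earlier failure does not fail the run. If the ptest runner relies on the exit code rather than parsing output (run-ptest is not shown here), accumulate the status: `rc=0` before the loop, `$$nf || rc=1;` inside it and `exit $$rc` after `done`. The `sed` expression rewrites every `tests/` in the path, not only the leading one; anchoring it as `s|^tests/|./|` states the intent.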
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch
new file mode 100644
index 00000000..5152dcaf
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -0,0 +1,32 @@
+From dd4404a334a545e9beafa1b1e41b3a8f35ef31a9 Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Fri, 28 Mar 2014 17:42:43 +0800
+Subject: [PATCH] qemu: Add addition environment space to boot loader
+ qemu-system-mips
+
+Upstream-Status: Inappropriate - OE uses deep paths
+
+If you create a project with very long directory names like 128 characters
+deep and use NFS, the kernel arguments will be truncated. The kernel will
+accept longer strings such as 1024 bytes, but the qemu boot loader defaulted
+to only 256 bytes. This patch expands the limit.
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ hw/mips/mips_malta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
+index f6513a4fd5..d5efafb1e8 100644
+--- a/hw/mips/mips_malta.c
++++ b/hw/mips/mips_malta.c
+@@ -62,7 +62,7 @@
+
+ #define ENVP_ADDR 0x80002000l
+ #define ENVP_NB_ENTRIES 16
+-#define ENVP_ENTRY_SIZE 256
++#define ENVP_ENTRY_SIZE 1024
+
+ /* Hardware addresses */
+ #define FLASH_ADDRESS 0x1e000000ULL
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch
new file mode 100644
index 00000000..70baf0fb
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch
@@ -0,0 +1,33 @@
+From 4475b3d97371e588540333988a97d7df3ec2c65a Mon Sep 17 00:00:00 2001
+From: Ross Burton <ross.burton@intel.com>
+Date: Tue, 20 Oct 2015 22:19:08 +0100
+Subject: [PATCH] qemu: disable Valgrind
+
+There isn't an option to enable or disable valgrind support, so disable it to avoid non-deterministic builds.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Ross Burton <ross.burton@intel.com>
+---
+ configure | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/configure b/configure
+index 0a19b033bc..69e05fb6c0 100755
+--- a/configure
++++ b/configure
+@@ -4895,15 +4895,6 @@ fi
+ # check if we have valgrind/valgrind.h
+
+ valgrind_h=no
+-cat > $TMPC << EOF
+-#include <valgrind/valgrind.h>
+-int main(void) {
+- return 0;
+-}
+-EOF
+-if compile_prog "" "" ; then
+- valgrind_h=yes
+-fi
+
+ ########################################
+ # check if environ is declared
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch
new file mode 100644
index 00000000..a9d798ce
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch
@@ -0,0 +1,145 @@
+From c532bcdae8259b0f71723cda331ded4dbb0fa908 Mon Sep 17 00:00:00 2001
+From: Richard Purdie <richard.purdie@linuxfoundation.org>
+Date: Wed, 9 Mar 2016 22:49:02 +0000
+Subject: [PATCH] qemu: Limit paths searched during user mode emulation
+
+By default qemu builds a complete list of directories within the user
+emulation sysroot (-L option). The OE sysroot directory is large and
+this is confusing, for example it indexes all pkgdata. In particular this
+confuses strace of qemu binaries with tons of irrelevant paths.
+
+This patch stops the code indexing up front and instead only indexes
+things if/as/when it needs to. This drastically reduces the files it
+reads and reduces memory usage and cleans up strace.
+
+It would also avoid the infinite directory traversal bug in [YOCTO #6996]
+although the code could still be vulnerable if it parsed those specific
+paths.
+
+RP
+2016/3/9
+Upstream-Status: Pending
+---
+ util/path.c | 44 ++++++++++++++++++++++----------------------
+ 1 file changed, 22 insertions(+), 22 deletions(-)
+
+diff --git a/util/path.c b/util/path.c
+index 7f9fc272fb..a416cd4ac2 100644
+--- a/util/path.c
++++ b/util/path.c
+@@ -15,6 +15,7 @@ struct pathelem
+ char *name;
+ /* Full path name, eg. /usr/gnemul/x86-linux/lib. */
+ char *pathname;
++ int populated_entries;
+ struct pathelem *parent;
+ /* Children */
+ unsigned int num_entries;
+@@ -45,6 +46,7 @@ static struct pathelem *new_entry(const char *root,
+ new->name = g_strdup(name);
+ new->pathname = g_strdup_printf("%s/%s", root, name);
+ new->num_entries = 0;
++ new->populated_entries = 0;
+ return new;
+ }
+
+@@ -53,15 +55,16 @@ static struct pathelem *new_entry(const char *root,
+ /* Not all systems provide this feature */
+ #if defined(DT_DIR) && defined(DT_UNKNOWN) && defined(DT_LNK)
+ # define dirent_type(dirent) ((dirent)->d_type)
+-# define is_dir_maybe(type) \
+- ((type) == DT_DIR || (type) == DT_UNKNOWN || (type) == DT_LNK)
++# define is_not_dir(type) \
++ ((type) != DT_DIR && (type) != DT_UNKNOWN && (type) != DT_LNK)
+ #else
+ # define dirent_type(dirent) (1)
+-# define is_dir_maybe(type) (type)
++# define is_not_dir(type) (0)
+ #endif
+
+ static struct pathelem *add_dir_maybe(struct pathelem *path)
+ {
++ unsigned int i;
+ DIR *dir;
+
+ if ((dir = opendir(path->pathname)) != NULL) {
+@@ -74,6 +77,11 @@ static struct pathelem *add_dir_maybe(struct pathelem *path)
+ }
+ closedir(dir);
+ }
++
++ for (i = 0; i < path->num_entries; i++)
++ (path->entries[i])->parent = path;
++
++ path->populated_entries = 1;
+ return path;
+ }
+
+@@ -89,26 +97,16 @@ static struct pathelem *add_entry(struct pathelem *root, const char *name,
+ e = &root->entries[root->num_entries-1];
+
+ *e = new_entry(root->pathname, root, name);
+- if (is_dir_maybe(type)) {
+- *e = add_dir_maybe(*e);
++ if (is_not_dir(type)) {
++ (*e)->populated_entries = 1;
+ }
+
+ return root;
+ }
+
+-/* This needs to be done after tree is stabilized (ie. no more reallocs!). */
+-static void set_parents(struct pathelem *child, struct pathelem *parent)
+-{
+- unsigned int i;
+-
+- child->parent = parent;
+- for (i = 0; i < child->num_entries; i++)
+- set_parents(child->entries[i], child);
+-}
+-
+ /* FIXME: Doesn't handle DIR/.. where DIR is not in emulated dir. */
+ static const char *
+-follow_path(const struct pathelem *cursor, const char *name)
++follow_path(struct pathelem *cursor, struct pathelem **source, const char *name)
+ {
+ unsigned int i, namelen;
+
+@@ -119,14 +117,18 @@ follow_path(const struct pathelem *cursor, const char *name)
+ return cursor->pathname;
+
+ if (strneq(name, namelen, ".."))
+- return follow_path(cursor->parent, name + namelen);
++ return follow_path(cursor->parent, &cursor->parent, name + namelen);
+
+ if (strneq(name, namelen, "."))
+- return follow_path(cursor, name + namelen);
++ return follow_path(cursor, source, name + namelen);
++
++ if (!cursor->populated_entries)
++ *source = add_dir_maybe(cursor);
++ cursor = *source;
+
+ for (i = 0; i < cursor->num_entries; i++)
+ if (strneq(name, namelen, cursor->entries[i]->name))
+- return follow_path(cursor->entries[i], name + namelen);
++ return follow_path(cursor->entries[i], &cursor->entries[i], name + namelen);
+
+ /* Not found */
+ return NULL;
+@@ -160,8 +162,6 @@ void init_paths(const char *prefix)
+ g_free(base->name);
+ g_free(base);
+ base = NULL;
+- } else {
+- set_parents(base, base);
+ }
+ }
+
+@@ -173,5 +173,5 @@ const char *path(const char *name)
+ if (!base || !name || name[0] != '/')
+ return name;
+
+- return follow_path(base, name) ?: name;
++ return follow_path(base, &base, name) ?: name;
+ }
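Review bot: Removing `set_parents(base, base)` from `init_paths` leaves the root element's `parent` unassigned as far as these hunks show: `add_dir_maybe` now sets `parent` only on the children of the node it populates, and the visible tail of `new_entry` does not store its `parent` argument. A lookup that reaches `..` at the root would then call `follow_path(cursor->parent, ...)` on an unset pointer. Keeping `base->parent = base;` in `init_paths` once the root has been populated preserves the old behaviour; the start of `new_entry` is outside the hunk, so confirm it does not already assign the field. `follow_path` now writes through `*source`, presumably because `add_dir_maybe` can return a relocated node, and that deserves a comment at the assignment.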
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
new file mode 100644
index 00000000..12456bb5
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -0,0 +1,25 @@
+From 2d29d52b6f755758cfca6af0bcfd78091e16a7bc Mon Sep 17 00:00:00 2001
+From: Stephen Arnold <sarnold@vctlabs.com>
+Date: Sun, 12 Jun 2016 18:09:56 -0700
+Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
+
+Upstream-Status: Pending
+---
+ configure | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/configure b/configure
+index 69e05fb6c0..12fc3d8bdc 100755
+--- a/configure
++++ b/configure
+@@ -5413,10 +5413,6 @@ write_c_skeleton
+ if test "$gcov" = "yes" ; then
+ CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
+ LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
+-elif test "$fortify_source" = "yes" ; then
+- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
+-elif test "$debug" = "no"; then
+- CFLAGS="-O2 $CFLAGS"
+ fi
+
+ if test "$have_asan" = "yes"; then
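Review bot: The removed `elif test "$fortify_source" = "yes"` branch is the only place in this hunk where configure adds `-D_FORTIFY_SOURCE=2` and `-O2` to CFLAGS, and the patch header gives no reason for dropping it beyond the subject line. If the intent is that the recipe's own CFLAGS supply optimisation and fortification, the description should say so, for example `Optimisation and _FORTIFY_SOURCE flags come from the build environment, so configure must not add its own.` Without that, it is not possible to tell from here whether the resulting qemu binaries still get fortified libc calls. The subject also mentions ld.bfd and environment settings, which this diff does not contain.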
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch
new file mode 100644
index 00000000..2afe4e93
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch
@@ -0,0 +1,239 @@
+From 20a09bb18907e67565c54fc505a741cbbef53f7f Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@xilinx.com>
+Date: Thu, 21 Dec 2017 11:35:16 -0800
+Subject: [PATCH] chardev: connect socket to a spawned command
+
+The command is started in a shell (sh -c) with stdin connect to QEMU
+via a Unix domain stream socket. QEMU then exchanges data via its own
+end of the socket, just like it normally does.
+
+"-chardev socket" supports some ways of connecting via protocols like
+telnet, but that is only a subset of the functionality supported by
+tools socat. To use socat instead, for example to connect via a socks
+proxy, use:
+
+ -chardev 'socket,id=socat,cmd=exec socat FD:0 SOCKS4A:socks-proxy.localdomain:example.com:9999,,socksuser=nobody' \
+ -device usb-serial,chardev=socat
+
+Beware that commas in the command must be escaped as double commas.
+
+Or interactively in the console:
+ (qemu) chardev-add socket,id=cat,cmd=cat
+ (qemu) device_add usb-serial,chardev=cat
+ ^ac
+ # cat >/dev/ttyUSB0
+ hello
+ hello
+
+Another usage is starting swtpm from inside QEMU. swtpm will
+automatically shut down once it looses the connection to the parent
+QEMU, so there is no risk of lingering processes:
+
+ -chardev 'socket,id=chrtpm0,cmd=exec swtpm socket --terminate --ctrl type=unixio,,clientfd=0 --tpmstate dir=... --log file=swtpm.log' \
+ -tpmdev emulator,id=tpm0,chardev=chrtpm0 \
+ -device tpm-tis,tpmdev=tpm0
+
+The patch was discussed upstream, but QEMU developers believe that the
+code calling QEMU should be responsible for managing additional
+processes. In OE-core, that would imply enhancing runqemu and
+oeqa. This patch is a simpler solution.
+
+Because it is not going upstream, the patch was written so that it is
+as simple as possible.
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+---
+ chardev/char-socket.c | 102 ++++++++++++++++++++++++++++++++++++++++++
+ chardev/char.c | 3 ++
+ qapi/char.json | 5 +++
+ 3 files changed, 110 insertions(+)
+
+diff --git a/chardev/char-socket.c b/chardev/char-socket.c
+index 159e69c3b1..84778cf31a 100644
+--- a/chardev/char-socket.c
++++ b/chardev/char-socket.c
+@@ -934,6 +934,68 @@ static gboolean socket_reconnect_timeout(gpointer opaque)
+ return false;
+ }
+
++#ifndef _WIN32
++static void chardev_open_socket_cmd(Chardev *chr,
++ const char *cmd,
++ Error **errp)
++{
++ int fds[2] = { -1, -1 };
++ QIOChannelSocket *sioc = NULL;
++ pid_t pid = -1;
++ const char *argv[] = { "/bin/sh", "-c", cmd, NULL };
++
++ /*
++ * We need a Unix domain socket for commands like swtpm and a single
++ * connection, therefore we cannot use qio_channel_command_new_spawn()
++ * without patching it first. Duplicating the functionality is easier.
++ */
++ if (socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0, fds)) {
++ error_setg_errno(errp, errno, "Error creating socketpair(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC)");
++ goto error;
++ }
++
++ pid = qemu_fork(errp);
++ if (pid < 0) {
++ goto error;
++ }
++
++ if (!pid) {
++ /* child */
++ dup2(fds[1], STDIN_FILENO);
++ execv(argv[0], (char * const *)argv);
++ _exit(1);
++ }
++
++ /*
++ * Hand over our end of the socket pair to the qio channel.
++ *
++ * We don't reap the child because it is expected to keep
++ * running. We also don't support the "reconnect" option for the
++ * same reason.
++ */
++ sioc = qio_channel_socket_new_fd(fds[0], errp);
++ if (!sioc) {
++ goto error;
++ }
++ fds[0] = -1;
++
++ g_free(chr->filename);
++ chr->filename = g_strdup_printf("cmd:%s", cmd);
++ tcp_chr_new_client(chr, sioc);
++
++ error:
++ if (fds[0] >= 0) {
++ close(fds[0]);
++ }
++ if (fds[1] >= 0) {
++ close(fds[1]);
++ }
++ if (sioc) {
++ object_unref(OBJECT(sioc));
++ }
++}
++#endif
++
+ static void qmp_chardev_open_socket(Chardev *chr,
+ ChardevBackend *backend,
+ bool *be_opened,
+@@ -941,6 +1003,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
+ {
+ SocketChardev *s = SOCKET_CHARDEV(chr);
+ ChardevSocket *sock = backend->u.socket.data;
++#ifndef _WIN32
++ const char *cmd = sock->cmd;
++#endif
+ bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
+ bool is_listen = sock->has_server ? sock->server : true;
+ bool is_telnet = sock->has_telnet ? sock->telnet : false;
+@@ -1008,6 +1073,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
+ s->reconnect_time = reconnect;
+ }
+
++#ifndef _WIN32
++ if (cmd) {
++ chardev_open_socket_cmd(chr, cmd, errp);
++
++ /* everything ready (or failed permanently) before we return */
++ *be_opened = true;
++ } else
++#endif
+ /* If reconnect_time is set, will do that in chr_machine_done. */
+ if (!s->reconnect_time) {
+ if (s->is_listen) {
+@@ -1065,9 +1138,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+ const char *port = qemu_opt_get(opts, "port");
+ const char *fd = qemu_opt_get(opts, "fd");
+ const char *tls_creds = qemu_opt_get(opts, "tls-creds");
++#ifndef _WIN32
++ const char *cmd = qemu_opt_get(opts, "cmd");
++#endif
+ SocketAddressLegacy *addr;
+ ChardevSocket *sock;
+
++#ifndef _WIN32
++ if (cmd) {
++ /*
++ * Here we have to ensure that no options are set which are incompatible with
++ * spawning a command, otherwise unmodified code that doesn't know about
++ * command spawning (like socket_reconnect_timeout()) might get called.
++ */
++ if (path || is_listen || is_telnet || is_tn3270 || reconnect || host || port || tls_creds) {
++ error_setg(errp, "chardev: socket: cmd does not support any additional options");
++ return;
++ }
++ } else
++#endif
++
+ if ((!!path + !!fd + !!host) != 1) {
+ error_setg(errp,
+ "Exactly one of 'path', 'fd' or 'host' required");
+@@ -1112,12 +1202,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+ sock->reconnect = reconnect;
+ sock->tls_creds = g_strdup(tls_creds);
+
++#ifndef _WIN32
++ sock->cmd = g_strdup(cmd);
++#endif
++
+ addr = g_new0(SocketAddressLegacy, 1);
++#ifndef _WIN32
++ if (path || cmd) {
++#else
+ if (path) {
++#endif
+ UnixSocketAddress *q_unix;
+ addr->type = SOCKET_ADDRESS_LEGACY_KIND_UNIX;
+ q_unix = addr->u.q_unix.data = g_new0(UnixSocketAddress, 1);
++#ifndef _WIN32
++ q_unix->path = cmd ? g_strdup_printf("cmd:%s", cmd) : g_strdup(path);
++#else
+ q_unix->path = g_strdup(path);
++#endif
+ } else if (host) {
+ addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET;
+ addr->u.inet.data = g_new(InetSocketAddress, 1);
+diff --git a/chardev/char.c b/chardev/char.c
+index 76d866e6fe..9747d51d7c 100644
+--- a/chardev/char.c
++++ b/chardev/char.c
+@@ -792,6 +792,9 @@ QemuOptsList qemu_chardev_opts = {
+ },{
+ .name = "path",
+ .type = QEMU_OPT_STRING,
++ },{
++ .name = "cmd",
++ .type = QEMU_OPT_STRING,
+ },{
+ .name = "host",
+ .type = QEMU_OPT_STRING,
+diff --git a/qapi/char.json b/qapi/char.json
+index ae19dcd1ed..6de0f29bcd 100644
+--- a/qapi/char.json
++++ b/qapi/char.json
+@@ -241,6 +241,10 @@
+ #
+ # @addr: socket address to listen on (server=true)
+ # or connect to (server=false)
++# @cmd: command to run via "sh -c" with stdin as one end of
++# a AF_UNIX SOCK_DSTREAM socket pair. The other end
++# is used by the chardev. Either an addr or a cmd can
++# be specified, but not both.
+ # @tls-creds: the ID of the TLS credentials object (since 2.6)
+ # @server: create server socket (default: true)
+ # @wait: wait for incoming connection on server
+@@ -258,6 +262,7 @@
+ # Since: 1.4
+ ##
+ { 'struct': 'ChardevSocket', 'data': { 'addr' : 'SocketAddressLegacy',
++ '*cmd' : 'str',
+ '*tls-creds' : 'str',
+ '*server' : 'bool',
+ '*wait' : 'bool',
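Review bot: In the child branch of chardev_open_socket_cmd() the result of `dup2(fds[1], STDIN_FILENO)` is ignored, so if it fails `/bin/sh -c cmd` runs attached to QEMU's own stdin instead of the socket pair; `if (dup2(fds[1], STDIN_FILENO) < 0) { _exit(1); }` avoids that. The option check in qemu_chr_parse_socket() also leaves out `fd`, although its error text says cmd supports no additional options; adding `fd ||` to that condition would make the two agree. That check lives only in the option parser, so a ChardevSocket that reaches qmp_chardev_open_socket() by another route appears not to be covered by it. Because `cmd` is passed to a shell and is accepted by `chardev-add`, monitor access on builds carrying this patch should be treated as command execution with the QEMU process's privileges.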
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch
new file mode 100644
index 00000000..5969d938
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch
@@ -0,0 +1,43 @@
+From 5046c21efdbc7413cddd5c5dbd9e1d53258d3e8c Mon Sep 17 00:00:00 2001
+From: Mark Asselstine <mark.asselstine@windriver.com>
+Date: Tue, 26 Feb 2013 11:43:28 -0500
+Subject: [PATCH] apic: fixup fallthrough to PIC
+
+Commit 0e21e12bb311c4c1095d0269dc2ef81196ccb60a [Don't route PIC
+interrupts through the local APIC if the local APIC config says so.]
+missed a check to ensure the local APIC is enabled. Since if the local
+APIC is disabled it doesn't matter what the local APIC config says.
+
+If this check isn't done and the guest has disabled the local APIC the
+guest will receive a general protection fault, similar to what is seen
+here:
+
+https://lists.gnu.org/archive/html/qemu-devel/2012-12/msg02304.html
+
+The GPF is caused by an attempt to service interrupt 0xffffffff. This
+comes about since cpu_get_pic_interrupt() calls apic_accept_pic_intr()
+(with the local APIC disabled apic_get_interrupt() returns -1).
+apic_accept_pic_intr() returns 0 and thus the interrupt number which
+is returned from cpu_get_pic_interrupt(), and which is attempted to be
+serviced, is -1.
+
+Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html]
+Signed-off-by: He Zhe <zhe.he@windriver.com>
+---
+ hw/intc/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/intc/apic.c b/hw/intc/apic.c
+index 6fda52b86c..cd7291962d 100644
+--- a/hw/intc/apic.c
++++ b/hw/intc/apic.c
+@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev)
+ APICCommonState *s = APIC(dev);
+ uint32_t lvt0;
+
+- if (!s)
++ if (!s || !(s->spurious_vec & APIC_SV_ENABLE))
+ return -1;
+
+ lvt0 = s->lvt[APIC_LVT_LINT0];
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
new file mode 100644
index 00000000..e110f633
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -0,0 +1,32 @@
+From 3cd92c7a885e4997ef6843313298c1d748d6ca39 Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@xilinx.com>
+Date: Wed, 17 Jan 2018 10:51:49 -0800
+Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target
+
+Since commit "linux-user: Tidy and enforce reserved_va initialization"
+(18e80c55bb6ec17c05ec0ba717ec83933c2bfc07) the Yocto webkitgtk build
+hangs when cross compiling for 32-bit x86 on a 64-bit x86 machine using
+musl.
+
+To fix the issue reduce the MAX_RESERVED_VA macro to be a closer match
+to what it was before the problematic commit.
+
+Upstream-Status: Submitted http://lists.gnu.org/archive/html/qemu-devel/2018-01/msg04185.html
+Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
+---
+ linux-user/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/linux-user/main.c b/linux-user/main.c
+index 8907a84114..ea42c43610 100644
+--- a/linux-user/main.c
++++ b/linux-user/main.c
+@@ -79,7 +79,7 @@ do { \
+ (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
+ /* There are a number of places where we assign reserved_va to a variable
+ of type abi_ulong and expect it to fit. Avoid the last page. */
+-# define MAX_RESERVED_VA (0xfffffffful & TARGET_PAGE_MASK)
++# define MAX_RESERVED_VA (0x7ffffffful & TARGET_PAGE_MASK)
+ # else
+ # define MAX_RESERVED_VA (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
+ # endif
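Review bot: The comment above the changed define still says only "Avoid the last page", which no longer explains the value now that MAX_RESERVED_VA is `0x7ffffffful & TARGET_PAGE_MASK`. A reader of linux-user/main.c will not see why the reservation was halved. I would add a line such as `/* Capped at 2 GiB: larger reservations hang 32-bit x86 guests under musl, see the patch description. */` next to the define. The enclosing #if block starts before this hunk.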
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch
new file mode 100644
index 00000000..41626eb8
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch
@@ -0,0 +1,141 @@
+From 3ed26be2091436296933ed2146f7269c791c7bfe Mon Sep 17 00:00:00 2001
+From: Martin Jansa <martin.jansa@lge.com>
+Date: Fri, 1 Jun 2018 08:41:07 +0000
+Subject: [PATCH] Revert "linux-user: fix mmap/munmap/mprotect/mremap/shmat"
+
+Causes qemu-i386 to hang during gobject-introspection in webkitgtk build
+when musl is used on qemux86 - the same issue as
+0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
+was fixing in 2.11.0 release, but with this patch the fix no longer worked
+as discussed here:
+http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150302.html
+http://lists.openembedded.org/pipermail/openembedded-core/2018-June/151382.html
+
+This reverts commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583.
+
+Upstream-Status: Pending
+---
+ include/exec/cpu-all.h | 6 +-----
+ include/exec/cpu_ldst.h | 16 +++++++++-------
+ linux-user/mmap.c | 17 ++++-------------
+ linux-user/syscall.c | 5 +----
+ 4 files changed, 15 insertions(+), 29 deletions(-)
+
+diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
+index f4fa94e966..0b141683f0 100644
+--- a/include/exec/cpu-all.h
++++ b/include/exec/cpu-all.h
+@@ -159,12 +159,8 @@ extern unsigned long guest_base;
+ extern int have_guest_base;
+ extern unsigned long reserved_va;
+
+-#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
+-#define GUEST_ADDR_MAX (~0ul)
+-#else
+-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : \
++#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \
+ (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
+-#endif
+ #else
+
+ #include "exec/hwaddr.h"
+diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
+index 5de8c8a5af..191f2e962a 100644
+--- a/include/exec/cpu_ldst.h
++++ b/include/exec/cpu_ldst.h
+@@ -51,13 +51,15 @@
+ /* All direct uses of g2h and h2g need to go away for usermode softmmu. */
+ #define g2h(x) ((void *)((unsigned long)(target_ulong)(x) + guest_base))
+
+-#define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX)
+-#define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
+-
+-static inline int guest_range_valid(unsigned long start, unsigned long len)
+-{
+- return len - 1 <= GUEST_ADDR_MAX && start <= GUEST_ADDR_MAX - len + 1;
+-}
++#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
++#define h2g_valid(x) 1
++#else
++#define h2g_valid(x) ({ \
++ unsigned long __guest = (unsigned long)(x) - guest_base; \
++ (__guest < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \
++ (!reserved_va || (__guest < reserved_va)); \
++})
++#endif
+
+ #define h2g_nocheck(x) ({ \
+ unsigned long __ret = (unsigned long)(x) - guest_base; \
+diff --git a/linux-user/mmap.c b/linux-user/mmap.c
+index 9168a2051c..de85669aab 100644
+--- a/linux-user/mmap.c
++++ b/linux-user/mmap.c
+@@ -80,7 +80,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
+ return -TARGET_EINVAL;
+ len = TARGET_PAGE_ALIGN(len);
+ end = start + len;
+- if (!guest_range_valid(start, len)) {
++ if (end < start) {
+ return -TARGET_ENOMEM;
+ }
+ prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
+@@ -482,8 +482,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
+ * It can fail only on 64-bit host with 32-bit target.
+ * On any other target/host host mmap() handles this error correctly.
+ */
+- if (!guest_range_valid(start, len)) {
+- errno = ENOMEM;
++ if ((unsigned long)start + len - 1 > (abi_ulong) -1) {
++ errno = EINVAL;
+ goto fail;
+ }
+
+@@ -623,10 +623,8 @@ int target_munmap(abi_ulong start, abi_ulong len)
+ if (start & ~TARGET_PAGE_MASK)
+ return -TARGET_EINVAL;
+ len = TARGET_PAGE_ALIGN(len);
+- if (len == 0 || !guest_range_valid(start, len)) {
++ if (len == 0)
+ return -TARGET_EINVAL;
+- }
+-
+ mmap_lock();
+ end = start + len;
+ real_start = start & qemu_host_page_mask;
+@@ -681,13 +679,6 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
+ int prot;
+ void *host_addr;
+
+- if (!guest_range_valid(old_addr, old_size) ||
+- ((flags & MREMAP_FIXED) &&
+- !guest_range_valid(new_addr, new_size))) {
+- errno = ENOMEM;
+- return -1;
+- }
+-
+ mmap_lock();
+
+ if (flags & MREMAP_FIXED) {
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index 643b8833de..271f215147 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -4919,9 +4919,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
+ return -TARGET_EINVAL;
+ }
+ }
+- if (!guest_range_valid(shmaddr, shm_info.shm_segsz)) {
+- return -TARGET_EINVAL;
+- }
+
+ mmap_lock();
+
+@@ -7497,7 +7494,7 @@ static int open_self_maps(void *cpu_env, int fd)
+ }
+ if (h2g_valid(min)) {
+ int flags = page_get_flags(h2g(min));
+- max = h2g_valid(max - 1) ? max : (uintptr_t)g2h(GUEST_ADDR_MAX) + 1;
++ max = h2g_valid(max - 1) ? max : (uintptr_t)g2h(GUEST_ADDR_MAX);
+ if (page_check_range(h2g(min), max - min, flags) == -1) {
+ continue;
+ }
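Review bot: This revert removes every `guest_range_valid()` call, and target_munmap(), target_mremap() and do_shmat() are left with no range check at all on the guest-supplied address and length. In target_munmap() `end = start + len` can now wrap, where target_mprotect() at least keeps `if (end < start)`. A matching guard such as `if (len == 0 || start + len < start) return -TARGET_EINVAL;` would keep the wrap case rejected without bringing back the code that caused the hang. GUEST_ADDR_MAX also changes from `reserved_va - 1` to `reserved_va`, so the `g2h(GUEST_ADDR_MAX)` expression in open_self_maps() now has a different meaning and is worth re-checking for an off-by-one. All of these functions continue outside the hunks shown.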
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
new file mode 100644
index 00000000..aa24f729
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
@@ -0,0 +1,85 @@
+From bb9e48e331eee06d7bac1dce809c70191d1a3b4d Mon Sep 17 00:00:00 2001
+From: Hongxu Jia <hongxu.jia@windriver.com>
+Date: Tue, 12 Mar 2013 09:54:06 +0800
+Subject: [PATCH] fix libcap header issue on some distro
+
+1, When build qemu-native on SLED 11.2, there is an error:
+...
+| In file included from /usr/include/bits/sigcontext.h:28,
+| from /usr/include/signal.h:339,
+| from /buildarea2/tmp/work/i686-linux/qemu-native/1.4.0-r0/
+qemu-1.4.0/include/qemu-common.h:42,
+| from fsdev/virtfs-proxy-helper.c:23:
+| /usr/include/asm/sigcontext.h:28: error: expected specifier-
+qualifier-list before '__u64'
+| /usr/include/asm/sigcontext.h:191: error: expected specifier-
+qualifier-list before '__u64'
+...
+
+2, The virtfs-proxy-helper.c includes <sys/capability.h> and
+qemu-common.h in sequence. The header include map is:
+(`-->' presents `include')
+...
+"virtfs-proxy-helper.c" --> <sys/capability.h>
+...
+"virtfs-proxy-helper.c" --> "qemu-common.h" --> <signal.h> -->
+<bits/sigcontext.h> --> <asm/sigcontext.h> --> <linux/types.h> -->
+<asm/types.h> --> <asm-generic/types.h> --> <asm-generic/int-ll64.h>
+...
+
+3, The bug is found on SLED 11.2 x86. In libcap header file
+/usr/include/sys/capability.h, it does evil stuff like this:
+...
+ 25 /*
+ 26 * Make sure we can be included from userland by preventing
+ 27 * capability.h from including other kernel headers
+ 28 */
+ 29 #define _LINUX_TYPES_H
+ 30 #define _LINUX_FS_H
+ 31 #define __LINUX_COMPILER_H
+ 32 #define __user
+ 33
+ 34 typedef unsigned int __u32;
+ 35 typedef __u32 __le32;
+...
+This completely prevents including /usr/include/linux/types.h.
+The above `<asm/sigcontext.h> --> <linux/types.h>' is prevented,
+and '__u64' is defined in <asm-generic/int-ll64.h>.
+
+4, Modify virtfs-proxy-helper.c to include <sys/capability.h>
+last to workaround the issue.
+
+http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
+http://patchwork.linuxtv.org/patch/12748/
+
+Upstream-Status: Pending
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ fsdev/virtfs-proxy-helper.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
+index 6f132c5ff1..8329950c26 100644
+--- a/fsdev/virtfs-proxy-helper.c
++++ b/fsdev/virtfs-proxy-helper.c
+@@ -13,7 +13,6 @@
+ #include <sys/resource.h>
+ #include <getopt.h>
+ #include <syslog.h>
+-#include <sys/capability.h>
+ #include <sys/fsuid.h>
+ #include <sys/vfs.h>
+ #include <sys/ioctl.h>
+@@ -27,7 +26,11 @@
+ #include "9p-iov-marshal.h"
+ #include "hw/9pfs/9p-proxy.h"
+ #include "fsdev/9p-iov-marshal.h"
+-
++/*
++ * Include this one last due to some versions of it being buggy:
++ * http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
++ */
++#include <sys/capability.h>
+ #define PROGNAME "virtfs-proxy-helper"
+
+ #ifndef XFS_SUPER_MAGIC
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
new file mode 100644
index 00000000..8a9141ac
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
@@ -0,0 +1,73 @@
+From edc8dba74c7a4a2121d76c982be0074183bf080a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
+Date: Wed, 12 Aug 2015 15:11:30 -0500
+Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add custom_debug.h with function for print backtrace information.
+When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
+current cpu information.
+
+Upstream-Status: Inappropriate
+Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
+---
+ cpus.c | 5 +++++
+ custom_debug.h | 24 ++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+ create mode 100644 custom_debug.h
+
+diff --git a/cpus.c b/cpus.c
+index 38eba8bff3..b84a60a4f3 100644
+--- a/cpus.c
++++ b/cpus.c
+@@ -1690,6 +1690,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
+ return NULL;
+ }
+
++#include "custom_debug.h"
++
+ static void qemu_cpu_kick_thread(CPUState *cpu)
+ {
+ #ifndef _WIN32
+@@ -1702,6 +1704,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
+ err = pthread_kill(cpu->thread->thread, SIG_IPI);
+ if (err) {
+ fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
++ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
++ cpu_dump_state(cpu, stderr, fprintf, 0);
++ backtrace_print();
+ exit(1);
+ }
+ #else /* _WIN32 */
+diff --git a/custom_debug.h b/custom_debug.h
+new file mode 100644
+index 0000000000..f029e45547
+--- /dev/null
++++ b/custom_debug.h
+@@ -0,0 +1,24 @@
++#include <execinfo.h>
++#include <stdio.h>
++#define BACKTRACE_MAX 128
++static void backtrace_print(void)
++{
++ int nfuncs = 0;
++ void *buf[BACKTRACE_MAX];
++ char **symbols;
++ int i;
++
++ nfuncs = backtrace(buf, BACKTRACE_MAX);
++
++ symbols = backtrace_symbols(buf, nfuncs);
++ if (symbols == NULL) {
++ fprintf(stderr, "backtrace_print failed to get symbols");
++ return;
++ }
++
++ fprintf(stderr, "Backtrace ...\n");
++ for (i = 0; i < nfuncs; i++)
++ fprintf(stderr, "%s\n", symbols[i]);
++
++ free(symbols);
++}
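Review bot: backtrace_print() in custom_debug.h calls `backtrace_symbols()`, which allocates, on a path that runs just before `exit(1)` after pthread_kill() has already failed. `backtrace_symbols_fd(buf, nfuncs, STDERR_FILENO);` writes the same information without allocating and removes the need for the `symbols` array and the `free()`. If the current form is kept, the header should add `#include <stdlib.h>` for `free()`, and the failure message needs a newline: `"backtrace_print failed to get symbols\n"`. The header also has no include guard although it defines a static function.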
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
new file mode 100644
index 00000000..7e1e442a
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch
@@ -0,0 +1,52 @@
+From fdc89e90fac40c5ca2686733df17b6423fb8d8fb Mon Sep 17 00:00:00 2001
+From: Jason Wang <jasowang@redhat.com>
+Date: Wed, 30 May 2018 13:08:15 +0800
+Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
+
+In ne2000_receive(), we try to assign size_ to size which converts
+from size_t to integer. This will cause troubles when size_ is greater
+INT_MAX, this will lead a negative value in size and it can then pass
+the check of size < MIN_BUF_SIZE which may lead out of bound access of
+for both buf and buf1.
+
+Fixing by converting the type of size to size_t.
+
+CC: qemu-stable@nongnu.org
+Reported-by: Daniel Shapira <daniel@twistlock.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff
+;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1]
+
+CVE: CVE-2018-10839
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ hw/net/ne2000.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 07d79e3..869518e 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
+ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ {
+ NE2000State *s = qemu_get_nic_opaque(nc);
+- int size = size_;
++ size_t size = size_;
+ uint8_t *p;
+ unsigned int total_len, next, avail, len, index, mcast_idx;
+ uint8_t buf1[60];
+@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+
+ #if defined(DEBUG_NE2000)
+- printf("NE2000: received len=%d\n", size);
++ printf("NE2000: received len=%zu\n", size);
+ #endif
+
+ if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
+--
+1.8.3.1
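Review bot: The inner diff of this patch is identical to the one in CVE-2018-17958.patch further down: the same file hw/net/ne2000.c, the same `index 07d79e3..869518e` line and the same two changed lines. Both cannot apply to the same tree, and two different CVE identifiers are being credited to one change. As far as I know CVE-2018-17958 is tracked against the rtl8139 receive path rather than ne2000, so the second file looks like a mislabelled copy and should be checked against its upstream reference. Separately, `total_len` and `len` in ne2000_receive() remain `unsigned int` while `size` becomes `size_t`, so later arithmetic on `size` outside this hunk is worth checking for truncation.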
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch
new file mode 100644
index 00000000..2f61ea00
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch
@@ -0,0 +1,64 @@
+From 9acf4c64dd4560bd268006d7356c7455fab7e5b1 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 6 Sep 2018 14:52:12 +0800
+Subject: [PATCH] seccomp: set the seccomp filter to all threads
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When using "-seccomp on", the seccomp policy is only applied to the
+main thread, the vcpu worker thread and other worker threads created
+after seccomp policy is applied; the seccomp policy is not applied to
+e.g. the RCU thread because it is created before the seccomp policy is
+applied and SECCOMP_FILTER_FLAG_TSYNC isn't used.
+
+This can be verified with
+for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done
+Seccomp: 2
+Seccomp: 0
+Seccomp: 0
+Seccomp: 2
+Seccomp: 2
+Seccomp: 2
+
+Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use
+seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy
+on all threads.
+
+libseccomp requirement was bumped to 2.2.0 in previous patch.
+libseccomp should fail to set the filter if it can't honour
+SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on
+kernel < 3.17.
+
+Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Acked-by: Eduardo Otubo <otubo@redhat.com>
+
+Upstream-Status: Backport[https://github.com/qemu/qemu/commit/
+70dfabeaa79ba4d7a3b699abe1a047c8012db114#diff-18106d3b47a2d249f9d41e772b7db22d]
+
+CVE: CVE-2018-15746
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ qemu-seccomp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/qemu-seccomp.c b/qemu-seccomp.c
+index 9cd8eb9..ba5500a 100644
+--- a/qemu-seccomp.c
++++ b/qemu-seccomp.c
+@@ -120,6 +120,11 @@ static int seccomp_start(uint32_t seccomp_opts)
+ goto seccomp_return;
+ }
+
++ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1);
++ if (rc != 0) {
++ goto seccomp_return;
++ }
++
+ for (i = 0; i < ARRAY_SIZE(blacklist); i++) {
+ if (!(seccomp_opts & blacklist[i].set)) {
+ continue;
+--
+2.7.4
+
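Review bot: The new `seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1)` call in seccomp_start() has no comment, and on failure it jumps to `seccomp_return` with nothing to show that thread synchronisation was the step that failed. The description itself says the failure path is untested and that sandboxing will now fail on kernels older than 3.17. I would add `/* Apply the filter to all existing threads, not only the caller (CVE-2018-15746). */` above the call, and it would help to report the cause before the goto. seccomp_start() starts and ends outside this hunk.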
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
new file mode 100644
index 00000000..644459e5
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch
@@ -0,0 +1,49 @@
+From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 3 Dec 2018 11:10:45 +0100
+Subject: [PATCH] usb-mtp: outlaw slashes in filenames
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Slash is unix directory separator, so they are not allowed in filenames.
+Note this also stops the classic escape via "../".
+
+Fixes: CVE-2018-16867
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-id: 20181203101045.27976-3-kraxel@redhat.com
+(cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16867
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/dev-mtp.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 1ded7ac..899c8a3 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s)
+
+ utf16_to_str(dataset->length, dataset->filename, filename);
+
++ if (strchr(filename, '/')) {
++ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans,
++ 0, 0, 0, 0);
++ return;
++ }
++
+ o = usb_mtp_object_lookup_name(p, filename, dataset->length);
+ if (o != NULL) {
+ next_handle = o->handle;
+--
+2.7.4
+
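Review bot: The added check in usb_mtp_write_metadata() rejects names containing `/`, but a name that is exactly `.` or `..` has no slash and still reaches `usb_mtp_object_lookup_name()`. Whether the later path construction handles those safely is not visible in this hunk, so rejecting them here is the cautious choice: `if (strchr(filename, '/') || !strcmp(filename, ".") || !strcmp(filename, "..")) {`. A short comment such as `/* Guest-supplied name: must be a single path component. */` would also record why the check exists.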
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
new file mode 100644
index 00000000..9f2c5d3e
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch
@@ -0,0 +1,89 @@
+From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Thu, 13 Dec 2018 13:25:11 +0100
+Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC.
+
+Open files and directories with O_NOFOLLOW to avoid symlinks attacks.
+While being at it also add O_CLOEXEC.
+
+usb-mtp only handles regular files and directories and ignores
+everything else, so users should not see a difference.
+
+Because qemu ignores symlinks, carrying out a successful symlink attack
+requires swapping an existing file or directory below rootdir for a
+symlink and winning the race against the inotify notification to qemu.
+
+Fixes: CVE-2018-16872
+Cc: Prasad J Pandit <ppandit@redhat.com>
+Cc: Bandan Das <bsd@redhat.com>
+Reported-by: Michael Hanselmann <public@hansmi.ch>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Reviewed-by: Michael Hanselmann <public@hansmi.ch>
+Message-id: 20181213122511.13853-1-kraxel@redhat.com
+(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-16872
+Affects: < 3.1.0
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/usb/dev-mtp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c
+index 899c8a3..f4223fb 100644
+--- a/hw/usb/dev-mtp.c
++++ b/hw/usb/dev-mtp.c
+@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o)
+ {
+ struct dirent *entry;
+ DIR *dir;
++ int fd;
+
+ if (o->have_children) {
+ return;
+ }
+ o->have_children = true;
+
+- dir = opendir(o->path);
++ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);
++ if (fd < 0) {
++ return;
++ }
++ dir = fdopendir(fd);
+ if (!dir) {
+ return;
+ }
+@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c,
+
+ trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path);
+
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+ if (d->fd == -1) {
+ usb_mtp_data_free(d);
+ return NULL;
+@@ -1027,7 +1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c,
+ c->argv[1], c->argv[2]);
+
+ d = usb_mtp_data_alloc(c);
+- d->fd = open(o->path, O_RDONLY);
++ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
+ if (d->fd == -1) {
+ usb_mtp_data_free(d);
+ return NULL;
+@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s)
+ 0, 0, 0, 0);
+ goto done;
+ }
+- d->fd = open(path, O_CREAT | O_WRONLY, mask);
++ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask);
+ if (d->fd == -1) {
+ usb_mtp_queue_result(s, RES_STORE_FULL, d->trans,
+ 0, 0, 0, 0);
+--
+2.7.4
+
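Review bot: In usb_mtp_object_readdir() the descriptor returned by the new `open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW)` leaks when `fdopendir(fd)` fails, because the existing `if (!dir) { return; }` does not close it. That branch should become `if (!dir) { close(fd); return; }`. Note also that `O_NOFOLLOW` only refuses a symlink in the final path component; a symlinked parent directory under rootdir is still followed by all four open() calls, which the description's race argument does not cover. The functions touched here continue outside the hunks.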
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
new file mode 100644
index 00000000..af40ff27
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17958.patch
@@ -0,0 +1,52 @@
+From 06e88ca78d056ea4de885e3a1496805179dc47bc Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 15 Oct 2018 16:33:04 +0800
+Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive
+
+In ne2000_receive(), we try to assign size_ to size which converts
+from size_t to integer. This will cause troubles when size_ is greater
+INT_MAX, this will lead a negative value in size and it can then pass
+the check of size < MIN_BUF_SIZE which may lead out of bound access of
+for both buf and buf1.
+
+Fixing by converting the type of size to size_t.
+
+CC: address@hidden
+Reported-by: Daniel Shapira <address@hidden>
+Reviewed-by: Michael S. Tsirkin <address@hidden>
+Signed-off-by: Jason Wang <address@hidden>
+
+Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03273.html]
+
+CVE: CVE-2018-17958
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ hw/net/ne2000.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 07d79e3..869518e 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s)
+ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ {
+ NE2000State *s = qemu_get_nic_opaque(nc);
+- int size = size_;
++ size_t size = size_;
+ uint8_t *p;
+ unsigned int total_len, next, avail, len, index, mcast_idx;
+ uint8_t buf1[60];
+@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+
+ #if defined(DEBUG_NE2000)
+- printf("NE2000: received len=%d\n", size);
++ printf("NE2000: received len=%zu\n", size);
+ #endif
+
+ if (s->cmd & E8390_STOP || ne2000_buffer_full(s))
+--
+2.7.4
+
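Review bot: The header of this backported patch carries redacted trailers (`Reported-by: Daniel Shapira <address@hidden>`, `Signed-off-by: Jason Wang <address@hidden>`) and its `Upstream-Status` points at a mailing-list post rather than a commit, so the fix cannot be matched to an upstream commit from the patch alone. CVE-2018-17962.patch and CVE-2018-17963.patch in this commit have the same header shape. I would record the upstream commit in the header, e.g. `Upstream-Status: Backport [<upstream commit id>]`, and restore the original trailers from that commit. The body of ne2000_receive() lies outside the nested hunks, so whether the later uses of `size` still behave as intended once it is unsigned cannot be checked from here.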
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
new file mode 100644
index 00000000..88bfd811
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch
@@ -0,0 +1,70 @@
+From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 15 Oct 2018 16:38:08 +0800
+Subject: [PATCH] rtl8139: fix possible out of bound access
+
+In rtl8139_do_receive(), we try to assign size_ to size which converts
+from size_t to integer. This will cause troubles when size_ is greater
+INT_MAX, this will lead a negative value in size and it can then pass
+the check of size < MIN_BUF_SIZE which may lead out of bound access of
+for both buf and buf1.
+
+Fixing by converting the type of size to size_t.
+
+CC: address@hidden
+Reported-by: Daniel Shapira <address@hidden>
+Reviewed-by: Michael S. Tsirkin <address@hidden>
+Signed-off-by: Jason Wang <address@hidden>
+
+Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html]
+
+CVE: CVE-2018-17962
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ hw/net/rtl8139.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
+index 46daa16..2342a09 100644
+--- a/hw/net/rtl8139.c
++++ b/hw/net/rtl8139.c
+@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+ RTL8139State *s = qemu_get_nic_opaque(nc);
+ PCIDevice *d = PCI_DEVICE(s);
+ /* size is the length of the buffer passed to the driver */
+- int size = size_;
++ size_t size = size_;
+ const uint8_t *dot1q_buf = NULL;
+
+ uint32_t packet_header = 0;
+@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+ static const uint8_t broadcast_macaddr[6] =
+ { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+
+- DPRINTF(">>> received len=%d\n", size);
++ DPRINTF(">>> received len=%zu\n", size);
+
+ /* test if board clock is stopped */
+ if (!s->clock_enabled)
+@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+
+ if (size+4 > rx_space)
+ {
+- DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n",
++ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n",
+ descriptor, rx_space, size);
+
+ s->IntrStatus |= RxOverflow;
+@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t
+ if (avail != 0 && RX_ALIGN(size + 8) >= avail)
+ {
+ DPRINTF("rx overflow: rx buffer length %d head 0x%04x "
+- "read 0x%04x === available 0x%04x need 0x%04x\n",
++ "read 0x%04x === available 0x%04x need 0x%04zx\n",
+ s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8);
+
+ s->IntrStatus |= RxOverflow;
+--
+2.7.4
+
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch
new file mode 100644
index 00000000..054cdc86
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch
@@ -0,0 +1,51 @@
+From e5ff72a8005dd1d9c0f63f8a9cc4298df5bb7551 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Mon, 15 Oct 2018 16:39:46 +0800
+Subject: [PATCH] pcnet: fix possible buffer overflow
+
+In pcnet_receive(), we try to assign size_ to size which converts from
+size_t to integer. This will cause troubles when size_ is greater
+INT_MAX, this will lead a negative value in size and it can then pass
+the check of size < MIN_BUF_SIZE which may lead out of bound access
+for both buf and buf1.
+
+Fixing by converting the type of size to size_t.
+
+CC: address@hidden
+Reported-by: Daniel Shapira <address@hidden>
+Reviewed-by: Michael S. Tsirkin <address@hidden>
+Signed-off-by: Jason Wang <address@hidden>
+
+Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03268.html]
+
+CVE: CVE-2018-17963
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ hw/net/pcnet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
+index 0c44554..d9ba04b 100644
+--- a/hw/net/pcnet.c
++++ b/hw/net/pcnet.c
+@@ -988,14 +988,14 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_)
+ uint8_t buf1[60];
+ int remaining;
+ int crc_err = 0;
+- int size = size_;
++ size_t size = size_;
+
+ if (CSR_DRX(s) || CSR_STOP(s) || CSR_SPND(s) || !size ||
+ (CSR_LOOP(s) && !s->looptest)) {
+ return -1;
+ }
+ #ifdef PCNET_DEBUG
+- printf("pcnet_receive size=%d\n", size);
++ printf("pcnet_receive size=%zu\n", size);
+ #endif
+
+ /* if too small buffer, then expand it */
+--
+2.7.4
+
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
new file mode 100644
index 00000000..b632512e
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch
@@ -0,0 +1,86 @@
+From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Sat, 27 Oct 2018 01:13:14 +0530
+Subject: [PATCH] lsi53c895a: check message length value is valid
+
+While writing a message in 'lsi_do_msgin', message length value
+in 'msg_len' could be invalid due to an invalid migration stream.
+Add an assertion to avoid an out of bounds access, and reject
+the incoming migration data if it contains an invalid message
+length.
+
+Discovered by Deja vu Security. Reported by Oracle.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-Id: <20181026194314.18663-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6)
+*CVE-2018-18849
+*avoid context dep. on c921370b22c
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+
+Upstream-Status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-18849
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/scsi/lsi53c895a.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
+index 160657f..3758635 100644
+--- a/hw/scsi/lsi53c895a.c
++++ b/hw/scsi/lsi53c895a.c
+@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s)
+
+ static void lsi_do_msgin(LSIState *s)
+ {
+- int len;
++ uint8_t len;
+ DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len);
+ s->sfbr = s->msg[0];
+ len = s->msg_len;
++ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN);
+ if (len > s->dbc)
+ len = s->dbc;
+ pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len);
+@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset)
+ break;
+ case 0x58: /* SBDL */
+ /* Some drivers peek at the data bus during the MSG IN phase. */
+- if ((s->sstat1 & PHASE_MASK) == PHASE_MI)
++ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) {
++ assert(s->msg_len > 0);
+ return s->msg[0];
++ }
+ ret = 0;
+ break;
+ case 0x59: /* SBDL high */
+@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque)
+ return 0;
+ }
+
++static int lsi_post_load(void *opaque, int version_id)
++{
++ LSIState *s = opaque;
++
++ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) {
++ return -EINVAL;
++ }
++
++ return 0;
++}
++
+ static const VMStateDescription vmstate_lsi_scsi = {
+ .name = "lsiscsi",
+ .version_id = 0,
+ .minimum_version_id = 0,
+ .pre_save = lsi_pre_save,
++ .post_load = lsi_post_load,
+ .fields = (VMStateField[]) {
+ VMSTATE_PCI_DEVICE(parent_obj, LSIState),
+
+--
+2.7.4
+
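Review bot: `lsi_post_load()` accepts `msg_len == 0`, but `lsi_do_msgin()` now asserts `len > 0` and the SBDL register read asserts `s->msg_len > 0`, so a state that passes the migration check can still abort the whole QEMU process rather than being handled as a device error. If zero is a legitimate idle value (likely, but not shown here), a comment on the post_load check should say so, e.g. `/* msg_len == 0 is valid outside the MSG IN phase; lsi_do_msgin() asserts it is non-zero */`. The `s->msg_len < 0` test is only meaningful if `msg_len` is a signed field, and `LSI_MAX_MSGIN_LEN` is not defined in these hunks. Both should be confirmed against the 3.0.0 source the patch applies to.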
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
new file mode 100644
index 00000000..1d77af4e
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch
@@ -0,0 +1,51 @@
+From 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Wed, 7 Nov 2018 01:00:04 +0100
+Subject: [PATCH] 9p: write lock path in v9fs_co_open2()
+
+The assumption that the fid cannot be used by any other operation is
+wrong. At least, nothing prevents a misbehaving client to create a
+file with a given fid, and to pass this fid to some other operation
+at the same time (ie, without waiting for the response to the creation
+request). The call to v9fs_path_copy() performed by the worker thread
+after the file was created can race with any access to the fid path
+performed by some other thread. This causes use-after-free issues that
+can be detected by ASAN with a custom 9p client.
+
+Unlike other operations that only read the fid path, v9fs_co_open2()
+does modify it. It should hence take the write lock.
+
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-19364 patch #1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/9pfs/cofile.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c
+index 88791bc..9c22837 100644
+--- a/hw/9pfs/cofile.c
++++ b/hw/9pfs/cofile.c
+@@ -140,10 +140,10 @@ int coroutine_fn v9fs_co_open2(V9fsPDU *pdu, V9fsFidState *fidp,
+ cred.fc_gid = gid;
+ /*
+ * Hold the directory fid lock so that directory path name
+- * don't change. Read lock is fine because this fid cannot
+- * be used by any other operation.
++ * don't change. Take the write lock to be sure this fid
++ * cannot be used by another operation.
+ */
+- v9fs_path_read_lock(s);
++ v9fs_path_write_lock(s);
+ v9fs_co_run_in_worker(
+ {
+ err = s->ops->open2(&s->ctx, &fidp->path,
+--
+2.7.4
+
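Review bot: The status tag in this patch header is spelled `Upstream-status: Backport`, whereas the other patches in this commit use `Upstream-Status:`; CVE-2018-19364_p2.patch has the same spelling. Tooling that matches the tag case-sensitively would treat both patches as having no status, so I would change the line to `Upstream-Status: Backport`. The `CVE:` line also carries free text (`CVE-2018-19364 patch #1`); keeping it to the bare identifier and putting the part number elsewhere in the header is safer for anything that parses it. The unlock that pairs with the new `v9fs_path_write_lock(s)` is outside the nested hunk.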
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
new file mode 100644
index 00000000..b8d094c0
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
@@ -0,0 +1,115 @@
+From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Tue, 20 Nov 2018 13:00:35 +0100
+Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364)
+
+Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could
+possibly overwrite a fid path with v9fs_path_copy() while it is being
+accessed by some other thread, ie, use-after-free that can be detected
+by ASAN with a custom 9p client.
+
+It turns out that the same can happen at several locations where
+v9fs_path_copy() is used to set the fid path. The fix is again to
+take the write lock.
+
+Fixes CVE-2018-19364.
+
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-status: Backport
+Affects: < 3.1.0
+CVE: CVE-2018-19364 patch #2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/9pfs/9p.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index eef289e..267a255 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque)
+ err = -EINVAL;
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else {
+ newfidp = alloc_fid(s, newfid);
+ if (newfidp == NULL) {
+@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque)
+ V9fsString extension;
+ int iounit;
+ V9fsPDU *pdu = opaque;
++ V9fsState *s = pdu->s;
+
+ v9fs_path_init(&path);
+ v9fs_string_init(&name);
+@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ err = v9fs_co_opendir(pdu, fidp);
+ if (err < 0) {
+ goto out;
+@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else if (perm & P9_STAT_MODE_LINK) {
+ int32_t ofid = atoi(extension.data);
+ V9fsFidState *ofidp = get_fid(pdu, ofid);
+@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ fidp->fid_type = P9_FID_NONE;
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ err = v9fs_co_lstat(pdu, &fidp->path, &stbuf);
+ if (err < 0) {
+ fidp->fid_type = P9_FID_NONE;
+@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else if (perm & P9_STAT_MODE_NAMED_PIPE) {
+ err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+ 0, S_IFIFO | (perm & 0777), &stbuf);
+@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else if (perm & P9_STAT_MODE_SOCKET) {
+ err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1,
+ 0, S_IFSOCK | (perm & 0777), &stbuf);
+@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque)
+ if (err < 0) {
+ goto out;
+ }
++ v9fs_path_write_lock(s);
+ v9fs_path_copy(&fidp->path, &path);
++ v9fs_path_unlock(s);
+ } else {
+ err = v9fs_co_open2(pdu, fidp, &name, -1,
+ omode_to_uflags(mode)|O_CREAT, perm, &stbuf);
+--
+2.7.4
+
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
new file mode 100644
index 00000000..7619e2a8
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch
@@ -0,0 +1,83 @@
+From 1d20398694a3b67a388d955b7a945ba4aa90a8a8 Mon Sep 17 00:00:00 2001
+From: Greg Kurz <groug@kaod.org>
+Date: Fri, 23 Nov 2018 13:28:03 +0100
+Subject: [PATCH] 9p: fix QEMU crash when renaming files
+
+When using the 9P2000.u version of the protocol, the following shell
+command line in the guest can cause QEMU to crash:
+
+ while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done
+
+With 9P2000.u, file renaming is handled by the WSTAT command. The
+v9fs_wstat() function calls v9fs_complete_rename(), which calls
+v9fs_fix_path() for every fid whose path is affected by the change.
+The involved calls to v9fs_path_copy() may race with any other access
+to the fid path performed by some worker thread, causing a crash like
+shown below:
+
+Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
+0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0,
+ flags=65536, mode=0) at hw/9pfs/9p-local.c:59
+59 while (*path && fd != -1) {
+(gdb) bt
+#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8,
+ path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59
+#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8,
+ path=0x0) at hw/9pfs/9p-local.c:92
+#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8,
+ fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185
+#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498,
+ path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53
+#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498)
+ at hw/9pfs/9p.c:1083
+#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767)
+ at util/coroutine-ucontext.c:116
+#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6
+#7 0x0000000000000000 in ()
+(gdb)
+
+The fix is to take the path write lock when calling v9fs_complete_rename(),
+like in v9fs_rename().
+
+Impact: DoS triggered by unprivileged guest users.
+
+Fixes: CVE-2018-19489
+Cc: P J P <ppandit@redhat.com>
+Reported-by: zhibin hu <noirfate@gmail.com>
+Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Greg Kurz <groug@kaod.org>
+
+Upstream-Status: Backport
+Affects: < 4.0.0
+CVE: CVE-2018-19489
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ hw/9pfs/9p.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 267a255..bdf7919 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque)
+ struct stat stbuf;
+ V9fsFidState *fidp;
+ V9fsPDU *pdu = opaque;
++ V9fsState *s = pdu->s;
+
+ v9fs_stat_init(&v9stat);
+ err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat);
+@@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque)
+ }
+ }
+ if (v9stat.name.size != 0) {
++ v9fs_path_write_lock(s);
+ err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name);
++ v9fs_path_unlock(s);
+ if (err < 0) {
+ goto out;
+ }
+--
+2.7.4
+
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
new file mode 100644
index 00000000..c3a59814
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch
@@ -0,0 +1,42 @@
+From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001
+From: Peter Maydell <peter.maydell@linaro.org>
+Date: Fri, 14 Dec 2018 13:30:52 +0000
+Subject: [PATCH] device_tree.c: Don't use load_image()
+
+The load_image() function is deprecated, as it does not let the
+caller specify how large the buffer to read the file into is.
+Instead use load_image_size().
+
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Reviewed-by: Eric Blake <eblake@redhat.com>
+Message-id: 20181130151712.2312-9-peter.maydell@linaro.org
+
+Upstream-Status: Backport
+CVE: CVE-2018-20815
+affects <= 3.0.1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ device_tree.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/device_tree.c b/device_tree.c
+index 6d9c972..296278e 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ /* First allocate space in qemu for device tree */
+ fdt = g_malloc0(dt_size);
+
+- dt_file_load_size = load_image(filename_path, fdt);
++ dt_file_load_size = load_image_size(filename_path, fdt, dt_size);
+ if (dt_file_load_size < 0) {
+ error_report("Unable to open device tree file '%s'",
+ filename_path);
+--
+2.7.4
+
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
new file mode 100644
index 00000000..d01e8744
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch
@@ -0,0 +1,52 @@
+From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001
+From: Markus Armbruster <armbru@redhat.com>
+Date: Tue, 9 Apr 2019 19:40:18 +0200
+Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
+computation of @dt_size overflows to a negative number, which then
+gets converted to a very large size_t for g_malloc0() and
+load_image_size(). In the (fortunately improbable) case g_malloc0()
+succeeds and load_image_size() survives, we'd assign the negative
+number to *sizep. What that would do to the callers I can't say, but
+it's unlikely to be good.
+
+Fix by rejecting images whose size would overflow.
+
+Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
+Signed-off-by: Markus Armbruster <armbru@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+Message-Id: <20190409174018.25798-1-armbru@redhat.com>
+
+Upstream-Status: Backport
+CVE: CVE-2018-20815
+affects <= 3.0.1
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ device_tree.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/device_tree.c b/device_tree.c
+index 296278e..f8b46b3 100644
+--- a/device_tree.c
++++ b/device_tree.c
+@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
+ filename_path);
+ goto fail;
+ }
++ if (dt_size > INT_MAX / 2 - 10000) {
++ error_report("Device tree file '%s' is too large", filename_path);
++ goto fail;
++ }
+
+ /* Expand to 2x size to give enough room for manipulation. */
+ dt_size += 10000;
+--
+2.7.4
+
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
new file mode 100644
index 00000000..8a5ece51
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch
@@ -0,0 +1,38 @@
+From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 25 Apr 2019 12:05:34 +0530
+Subject: [PATCH] qxl: check release info object
+
+When releasing spice resources in release_resource() routine,
+if release info object 'ext.info' is null, it leads to null
+pointer dereference. Add check to avoid it.
+
+Reported-by: Bugs SysSec <bugs-syssec@rub.de>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20190425063534.32747-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99
+
+CVE: CVE-2019-12155
+Affects: <= 4.0.0
+Signed-off-by: Armin Kuster <akuster@mvistra.com>
+---
+ hw/display/qxl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: qemu-3.0.0/hw/display/qxl.c
+===================================================================
+--- qemu-3.0.0.orig/hw/display/qxl.c
++++ qemu-3.0.0/hw/display/qxl.c
+@@ -764,6 +764,9 @@ static void interface_release_resource(Q
+ QXLReleaseRing *ring;
+ uint64_t *item, id;
+
++ if (!ext.info) {
++ return;
++ }
+ if (ext.group_id == MEMSLOT_GROUP_HOST) {
+ /* host group -> vga mode update request */
+ QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id);
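Review bot: The sign-off in this patch header reads `Signed-off-by: Armin Kuster <akuster@mvistra.com>`, while the other patches in this commit signed by the same person use `akuster@mvista.com`; this looks like a typo and should be corrected so the backport stays attributable. This patch is also in quilt form (`Index: qemu-3.0.0/hw/display/qxl.c`) rather than the `git format-patch` form used by the other CVE patches here, which truncates the function name in the `@@` line. interface_release_resource() continues past the end of the nested hunk, so the remaining uses of `ext.info` cannot be checked here.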
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
new file mode 100644
index 00000000..7f830067
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch
@@ -0,0 +1,47 @@
+From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001
+From: William Bowling <will@wbowling.info>
+Date: Fri, 1 Mar 2019 21:45:56 +0000
+Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+When emulating ident in tcp_emu, if the strchr checks passed but the
+sscanf check failed, two uninitialized variables would be copied and
+sent in the reply, so move this code inside the if(sscanf()) clause.
+
+Signed-off-by: William Bowling <will@wbowling.info>
+Cc: qemu-stable@nongnu.org
+Cc: secalert@redhat.com
+Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info>
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+Upstream-Status: Backport
+https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8
+CVE: CVE-2019-9824
+affects < 4.0.0
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+Index: qemu-3.0.0/slirp/tcp_subr.c
+===================================================================
+--- qemu-3.0.0.orig/slirp/tcp_subr.c
++++ qemu-3.0.0/slirp/tcp_subr.c
+@@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf *
+ break;
+ }
+ }
++ so_rcv->sb_cc = snprintf(so_rcv->sb_data,
++ so_rcv->sb_datalen,
++ "%d,%d\r\n", n1, n2);
++ so_rcv->sb_rptr = so_rcv->sb_data;
++ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+- so_rcv->sb_cc = snprintf(so_rcv->sb_data,
+- so_rcv->sb_datalen,
+- "%d,%d\r\n", n1, n2);
+- so_rcv->sb_rptr = so_rcv->sb_data;
+- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc;
+ }
+ m_free(m);
+ return 0;
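Review bot: The moved block stores the return value of `snprintf()` directly in `so_rcv->sb_cc` and then derives `sb_wptr` from it; `snprintf()` returns the length the output would have had, not the number of bytes actually written, so the count is only right while the formatted text fits in `sb_datalen`. With `"%d,%d\r\n"` the output is short, so this presumably holds, but the buffer size is not visible here. I would state the assumption next to the call, e.g. `/* "%d,%d\r\n" is at most 25 bytes plus the terminator; sb_datalen is assumed to be larger */`, or clamp the value before it is used. tcp_emu() starts and ends outside the nested hunk.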
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin b/external/poky/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin
new file mode 100644
index 00000000..c4044296
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/powerpc_rom.bin
Binary files differ
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/run-ptest b/external/poky/meta/recipes-devtools/qemu/qemu/run-ptest
new file mode 100644
index 00000000..2206b319
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+#This script is used to run qemu test suites
+#
+
+ptestdir=$(dirname "$(readlink -f "$0")")
+export SRC_PATH=$ptestdir
+
+cd $ptestdir/tests
+make -f Makefile.include -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
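Review bot: `cd $ptestdir/tests` is unquoted and its result is not checked, so if the directory is missing `make` runs in whatever directory the script was started from; `cd "$ptestdir/tests" || exit 1` avoids that. `export SRC_PATH=$ptestdir` should be quoted for the same reason. The pipeline's exit status is that of `sed`, and only lines containing `: OK` are rewritten, so a failing test produces no `FAIL:` line and the script still exits 0. It is worth confirming that the ptest runner does not depend on either.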
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb b/external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb
new file mode 100644
index 00000000..b591cc24
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu_3.0.0.bb
@@ -0,0 +1,70 @@
+require qemu.inc
+
+inherit ptest
+
+RDEPENDS_${PN}-ptest = "bash make"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \
+ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913"
+
+SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
+ file://powerpc_rom.bin \
+ file://0001-sdl.c-allow-user-to-disable-pointer-grabs.patch \
+ file://0002-qemu-Add-missing-wacom-HID-descriptor.patch \
+ file://0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch \
+ file://run-ptest \
+ file://0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch \
+ file://0005-qemu-disable-Valgrind.patch \
+ file://0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch \
+ file://0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch \
+ file://0008-chardev-connect-socket-to-a-spawned-command.patch \
+ file://0009-apic-fixup-fallthrough-to-PIC.patch \
+ file://0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
+ file://0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch \
+ file://CVE-2018-15746.patch \
+ file://CVE-2018-17958.patch \
+ file://CVE-2018-17962.patch \
+ file://CVE-2018-17963.patch \
+ file://CVE-2018-16867.patch \
+ file://CVE-2018-16872.patch \
+ file://CVE-2018-18849.patch \
+ file://CVE-2018-19364_p1.patch \
+ file://CVE-2018-19364_p2.patch \
+ file://CVE-2018-19489.patch \
+ file://CVE-2019-12155.patch \
+ file://CVE-2018-20815_p1.patch \
+ file://CVE-2018-20815_p2.patch \
+ file://CVE-2019-9824.patch \
+ "
+UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
+
+SRC_URI_append_class-native = " \
+ file://0012-fix-libcap-header-issue-on-some-distro.patch \
+ file://0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
+ "
+
+SRC_URI[md5sum] = "6a5c8df583406ea24ef25b239c3243e0"
+SRC_URI[sha256sum] = "8d7af64fe8bd5ea5c3bdf17131a8b858491bcce1ee3839425a6d91fb821b5713"
+
+COMPATIBLE_HOST_mipsarchn32 = "null"
+COMPATIBLE_HOST_mipsarchn64 = "null"
+
+do_install_append() {
+ # Prevent QA warnings about installed ${localstatedir}/run
+ if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
+ install -Dm 0755 ${WORKDIR}/powerpc_rom.bin ${D}${datadir}/qemu
+}
+
+do_compile_ptest() {
+ make buildtest-TESTS
+}
+
+do_install_ptest() {
+ cp -rL ${B}/tests ${D}${PTEST_PATH}
+ find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" | xargs -i rm -rf {}
+
+ cp ${S}/tests/Makefile.include ${D}${PTEST_PATH}/tests
+ # Don't check the file genreated by configure
+ sed -i -e '/wildcard config-host.mak/d' \
+ -e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include
+}
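Review bot: `powerpc_rom.bin` is added as an opaque prebuilt binary and installed with `install -Dm 0755`, i.e. executable, with nothing in the recipe saying where it came from or how to rebuild it. If it is a firmware image that QEMU only reads (presumably), `install -Dm 0644 ${WORKDIR}/powerpc_rom.bin ${D}${datadir}/qemu` is the appropriate mode, and a comment above its `SRC_URI` entry should record its origin and licence. In `do_install_ptest`, `find ... | xargs -i rm -rf {}` breaks on file names containing whitespace and `-i` is deprecated. `find ${D}${PTEST_PATH}/tests -type f -name "*.[Sshcod]" -delete` does the same without the pipe.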
diff --git a/external/poky/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb b/external/poky/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
new file mode 100644
index 00000000..4aada523
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemuwrapper-cross_1.0.bb
@@ -0,0 +1,38 @@
+SUMMARY = "QEMU wrapper script"
+HOMEPAGE = "http://qemu.org"
+LICENSE = "MIT"
+
+S = "${WORKDIR}"
+
+DEPENDS += "qemu-native"
+
+inherit qemu
+
+do_populate_sysroot[depends] = ""
+
+do_install () {
+ install -d ${D}${bindir_crossscripts}/
+
+ qemu_binary=${@qemu_target_binary(d)}
+ qemu_options='${QEMU_OPTIONS} -E LD_LIBRARY_PATH=$D${libdir}:$D${base_libdir}'
+
+ cat >> ${D}${bindir_crossscripts}/${MLPREFIX}qemuwrapper << EOF
+#!/bin/sh
+set -x
+
+if [ ${@bb.utils.contains('MACHINE_FEATURES', 'qemu-usermode', 'True', 'False', d)} = False ]; then
+ echo "qemuwrapper: qemu usermode is not supported"
+fi
+
+
+$qemu_binary $qemu_options "\$@"
+EOF
+
+ chmod +x ${D}${bindir_crossscripts}/${MLPREFIX}qemuwrapper
+}
+
+SYSROOT_DIRS += "${bindir_crossscripts}"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+BBCLASSEXTEND = "nativesdk"
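Review bot: The generated wrapper prints "qemuwrapper: qemu usermode is not supported" but then falls through and runs `$qemu_binary` anyway, because the `if` branch has no exit; add `exit 1` after the `echo` and send the message to stderr with `>&2`. `set -x` is also left enabled in the generated script, so every invocation traces its commands, including the expanded `LD_LIBRARY_PATH` value, to stderr; I would drop it or gate it on a debug variable. `cat >>` appends to the wrapper where `cat >` would state the intent of creating it.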