Diffstat (limited to 'external/poky/meta/recipes-devtools/qemu/qemu')
54 files changed, 1397 insertions, 2055 deletions
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
new file mode 100644
index 00000000..c2c5849d
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
@@ -0,0 +1,29 @@
+From a471cf4e4c73350e090eb2cd87ec959d138012e5 Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@mvista.com>
+Date: Thu, 19 Mar 2020 11:54:26 -0700
+Subject: [PATCH] Add enable/disable libudev
+
+Upstream-Status: Pending
+Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+---
+ configure | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/configure b/configure
+index cac271c..bd116eb 100755
+--- a/configure
++++ b/configure
+@@ -1539,6 +1539,10 @@ for opt do
+ ;;
+ --disable-plugins) plugins="no"
+ ;;
++ --enable-libudev) libudev="yes"
++ ;;
++ --disable-libudev) libudev="no"
++ ;;
+ *)
+ echo "ERROR: unknown option $opt"
+ echo "Try '$0 --help' for more information"
+--
+1.8.3.1
+
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
deleted file mode 100644
index 767b200b..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-assume-__NR_gettid-always-exists.patch
+++ /dev/null
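Review bot: The new `--enable-libudev` and `--disable-libudev` cases only assign `libudev`; the inner diffstat says these four lines are the whole patch, so no matching `--help` entry is added and the hunk does not show how an explicit `--enable-libudev` is honoured when the library is absent, meaning a build that asked for it may silently fall back to whatever the later probe decides. The reason Yocto carries explicit enable/disable switches is reproducibility: an explicit enable should make configure fail when the dependency is missing rather than be downgraded. Suggest adding a help line beside the other `--enable-*/--disable-*` entries, e.g. `  libudev         Linux udev support` (constructed wording), and confirming that the libudev probe later in configure treats `libudev=yes` as a hard requirement, which this patch does not touch.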
@@ -1,49 +0,0 @@ -From 184943d827ce09375284e6fbb9fd5eeb9e369529 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> -Date: Wed, 20 Mar 2019 16:18:41 +0000 -Subject: [PATCH] linux-user: assume __NR_gettid always exists -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The gettid syscall was introduced in Linux 2.4.11. This is old enough -that we can assume it always exists and thus not bother with the -conditional backcompat logic. - -Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> -Reviewed-by: Richard Henderson <richard.henderson@linaro.org> -Reviewed-by: Laurent Vivier <laurent@vivier.eu> -Message-Id: <20190320161842.13908-2-berrange@redhat.com> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> - -Upstream-Status: Backport -dependancy patch for fix - -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - - - linux-user/syscall.c | 8 -------- - 1 file changed, 8 deletions(-) - -Index: qemu-3.0.0/linux-user/syscall.c -=================================================================== ---- qemu-3.0.0.orig/linux-user/syscall.c -+++ qemu-3.0.0/linux-user/syscall.c -@@ -251,15 +251,7 @@ static type name (type1 arg1,type2 arg2, - #define TARGET_NR__llseek TARGET_NR_llseek - #endif - --#ifdef __NR_gettid - _syscall0(int, gettid) --#else --/* This is a replacement for the host gettid() and must return a host -- errno. */ --static int gettid(void) { -- return -ENOSYS; --} --#endif - - /* For the 64-bit guest on 32-bit host case we must emulate - * getdents using getdents64, because otherwise the host diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch deleted file mode 100644 index ab3b71d7..00000000 
--- a/external/poky/meta/recipes-devtools/qemu/qemu/0001-linux-user-rename-gettid-to-sys_gettid-to-avoid-clas.patch
+++ /dev/null
@@ -1,95 +0,0 @@ -From 71ba74f67eaca21b0cc9d96f534ad3b9a7161400 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> -Date: Wed, 20 Mar 2019 16:18:42 +0000 -Subject: [PATCH] linux-user: rename gettid() to sys_gettid() to avoid clash - with glibc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The glibc-2.29.9000-6.fc31.x86_64 package finally includes the gettid() -function as part of unistd.h when __USE_GNU is defined. This clashes -with linux-user code which unconditionally defines this function name -itself. - -/home/berrange/src/virt/qemu/linux-user/syscall.c:253:16: error: static declaration of ‘gettid’ follows non-static declaration - 253 | _syscall0(int, gettid) - | ^~~~~~ -/home/berrange/src/virt/qemu/linux-user/syscall.c:184:13: note: in definition of macro ‘_syscall0’ - 184 | static type name (void) \ - | ^~~~ -In file included from /usr/include/unistd.h:1170, - from /home/berrange/src/virt/qemu/include/qemu/osdep.h:107, - from /home/berrange/src/virt/qemu/linux-user/syscall.c:20: -/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here - 34 | extern __pid_t gettid (void) __THROW; - | ^~~~~~ - CC aarch64-linux-user/linux-user/signal.o -make[1]: *** [/home/berrange/src/virt/qemu/rules.mak:69: linux-user/syscall.o] Error 1 -make[1]: *** Waiting for unfinished jobs.... -make: *** [Makefile:449: subdir-aarch64-linux-user] Error 2 - -While we could make our definition conditional and rely on glibc's impl, -this patch simply renames our definition to sys_gettid() which is a -common pattern in this file. - -Signed-off-by: Daniel P. 
Berrangé <berrange@redhat.com> -Reviewed-by: Richard Henderson <richard.henderson@linaro.org> -Reviewed-by: Laurent Vivier <laurent@vivier.eu> -Message-Id: <20190320161842.13908-3-berrange@redhat.com> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> - -Upstream-status: Backport - -Fixes issue found on tumbleweed-ty-1 -Yocto bug: https://bugzilla.yoctoproject.org/show_bug.cgi?id=13577 -Signed-off-by: Armin Kuster <akuster808@gmail.com> - ---- - linux-user/syscall.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -Index: qemu-3.0.0/linux-user/syscall.c -=================================================================== ---- qemu-3.0.0.orig/linux-user/syscall.c -+++ qemu-3.0.0/linux-user/syscall.c -@@ -251,7 +251,8 @@ static type name (type1 arg1,type2 arg2, - #define TARGET_NR__llseek TARGET_NR_llseek - #endif - --_syscall0(int, gettid) -+#define __NR_sys_gettid __NR_gettid -+_syscall0(int, sys_gettid) - - /* For the 64-bit guest on 32-bit host case we must emulate - * getdents using getdents64, because otherwise the host -@@ -6483,7 +6484,7 @@ static void *clone_func(void *arg) - cpu = ENV_GET_CPU(env); - thread_cpu = cpu; - ts = (TaskState *)cpu->opaque; -- info->tid = gettid(); -+ info->tid = sys_gettid(); - task_settid(ts); - if (info->child_tidptr) - put_user_u32(info->tid, info->child_tidptr); -@@ -6628,9 +6629,9 @@ static int do_fork(CPUArchState *env, un - mapping. We can't repeat the spinlock hack used above because - the child process gets its own copy of the lock. 
*/ - if (flags & CLONE_CHILD_SETTID) -- put_user_u32(gettid(), child_tidptr); -+ put_user_u32(sys_gettid(), child_tidptr); - if (flags & CLONE_PARENT_SETTID) -- put_user_u32(gettid(), parent_tidptr); -+ put_user_u32(sys_gettid(), parent_tidptr); - ts = (TaskState *)cpu->opaque; - if (flags & CLONE_SETTLS) - cpu_set_tls (env, newtls); -@@ -11876,7 +11877,7 @@ abi_long do_syscall(void *cpu_env, int n - break; - #endif - case TARGET_NR_gettid: -- ret = get_errno(gettid()); -+ ret = get_errno(sys_gettid()); - break; - #ifdef TARGET_NR_readahead - case TARGET_NR_readahead: diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch index 90e4b800..66ff9965 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0002-qemu-Add-missing-wacom-HID-descriptor.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch @@ -1,4 +1,4 @@ -From 41603f745caaecdc7c9d760fb7d2df01ccc60128 Mon Sep 17 00:00:00 2001 +From 526cb7e26f6dd96c9ee2ffa05ce0a358d3bfbfb3 Mon Sep 17 00:00:00 2001 From: Richard Purdie <richard.purdie@linuxfoundation.org> Date: Thu, 27 Nov 2014 14:04:29 +0000 Subject: [PATCH] qemu: Add missing wacom HID descriptor @@ -13,15 +13,16 @@ Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Upstream-Status: Submitted 2014/11/27 + --- hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 1 deletion(-) diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c -index bf70013059..2f6e129732 100644 +index 8ed57b3b..1502928b 100644 --- a/hw/usb/dev-wacom.c +++ b/hw/usb/dev-wacom.c -@@ -72,6 +72,89 @@ static const USBDescStrings desc_strings = { +@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings = { [STR_SERIALNUMBER] = "1", }; 
@@ -111,7 +112,7 @@ index bf70013059..2f6e129732 100644 static const USBDescIface desc_iface_wacom = { .bInterfaceNumber = 0, .bNumEndpoints = 1, -@@ -89,7 +172,7 @@ static const USBDescIface desc_iface_wacom = { +@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wacom = { 0x00, /* u8 country_code */ 0x01, /* u8 num_descriptors */ 0x22, /* u8 type: Report */ @@ -120,7 +121,7 @@ index bf70013059..2f6e129732 100644 }, }, }, -@@ -269,6 +352,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, +@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p, } switch (request) { diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch new file mode 100644 index 00000000..eccac050 --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch @@ -0,0 +1,31 @@ +From 98c2da129db19ee63d7e21b77a0ef70822c95069 Mon Sep 17 00:00:00 2001 +From: Oleksiy Obitotskyy <oobitots@cisco.com> +Date: Wed, 25 Mar 2020 21:21:35 +0200 +Subject: [PATCH] qemu: Do not include file if not exists + +Script configure checks for if_alg.h and check failed but +if_alg.h still included. + +Upstream-status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html] +Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com> +--- + linux-user/syscall.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/linux-user/syscall.c b/linux-user/syscall.c +index fc18f244..68d62666 100644 +--- a/linux-user/syscall.c ++++ b/linux-user/syscall.c +@@ -106,7 +106,9 @@ + #include <linux/blkpg.h> + #include <netpacket/packet.h> + #include <linux/netlink.h> ++#if defined(CONFIG_AF_ALG) + #include <linux/if_alg.h> ++#endif + #include "linux_loop.h" + #include "uname.h" + +-- +2.20.1 + 
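Review bot: The trailer in the new `0001-qemu-Do-not-include-file-if-not-exists.patch` reads `Upstream-status: Submitted [...]` with a lowercase `s`, while every other patch in this directory spells it `Upstream-Status:`; the patch-review tooling most likely matches the exact spelling, so this file would be reported as having no status. Change the line to `+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]`. The guard itself, `#if defined(CONFIG_AF_ALG)` around `#include <linux/if_alg.h>`, matches the configure check the description refers to and needs no change.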
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
deleted file mode 100644
index b8a9206f..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/0001-sdl.c-allow-user-to-disable-pointer-grabs.patch
+++ /dev/null
@@ -1,71 +0,0 @@ -From 18fb45c34a473c4ba247bb82bcea94b7c3ba493a Mon Sep 17 00:00:00 2001 -From: Ross Burton <ross.burton@intel.com> -Date: Wed, 18 Sep 2013 14:04:54 +0100 -Subject: [PATCH] sdl.c: allow user to disable pointer grabs -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When the pointer enters the Qemu window it calls SDL_WM_GrabInput, which calls -XGrabPointer in a busyloop until it returns GrabSuccess. However if there's already -a pointer grab (screen is locked, a menu is open) then qemu will hang until the -grab can be taken. In the specific case of a headless X server on an autobuilder, once -the screensaver has kicked in any qemu instance that appears underneath the -pointer will hang. - -I'm not entirely sure why pointer grabs are required (the documentation -explicitly says it doesn't do grabs when using a tablet, which we are) so wrap -them in a conditional that can be set by the autobuilder environment, preserving -the current grabbing behaviour for everyone else. 
- -Upstream-Status: Pending -Signed-off-by: Ross Burton <ross.burton@intel.com> -Signed-off-by: Eric Bénard <eric@eukrea.com> ---- - ui/sdl.c | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/ui/sdl.c b/ui/sdl.c -index a5fd503c25..ab8d1b1eb1 100644 ---- a/ui/sdl.c -+++ b/ui/sdl.c -@@ -68,6 +68,11 @@ static int idle_counter; - static const guint16 *keycode_map; - static size_t keycode_maplen; - -+#ifndef True -+#define True 1 -+#endif -+static doing_grabs = True; -+ - #define SDL_REFRESH_INTERVAL_BUSY 10 - #define SDL_MAX_IDLE_COUNT (2 * GUI_REFRESH_INTERVAL_DEFAULT \ - / SDL_REFRESH_INTERVAL_BUSY + 1) -@@ -398,14 +403,16 @@ static void sdl_grab_start(void) - } - } else - sdl_hide_cursor(); -- SDL_WM_GrabInput(SDL_GRAB_ON); -+ if (doing_grabs) -+ SDL_WM_GrabInput(SDL_GRAB_ON); - gui_grab = 1; - sdl_update_caption(); - } - - static void sdl_grab_end(void) - { -- SDL_WM_GrabInput(SDL_GRAB_OFF); -+ if (doing_grabs) -+ SDL_WM_GrabInput(SDL_GRAB_OFF); - gui_grab = 0; - sdl_show_cursor(); - sdl_update_caption(); -@@ -945,6 +952,8 @@ static void sdl1_display_init(DisplayState *ds, DisplayOptions *o) - * This requires SDL >= 1.2.14. */ - setenv("SDL_DISABLE_LOCK_KEYS", "1", 1); - -+ doing_grabs = (getenv("QEMU_DONT_GRAB") == NULL); -+ - flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE; - if (SDL_Init (flags)) { - fprintf(stderr, "Could not initialize SDL(%s) - exiting\n", diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch index 0d43271c..7f7da510 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0003-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch 
@@ -1,4 +1,4 @@ -From a9a669448ba6f1b295427e271d99f61736fc5189 Mon Sep 17 00:00:00 2001 +From 8ee6281516bd9210e75e91d705da8916bab3bf51 Mon Sep 17 00:00:00 2001 From: Juro Bystricky <juro.bystricky@intel.com> Date: Thu, 31 Aug 2017 11:06:56 -0700 Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for @@ -9,15 +9,16 @@ Upstream-Status: Pending Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Juro Bystricky <juro.bystricky@intel.com> + --- tests/Makefile.include | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/Makefile.include b/tests/Makefile.include -index 3b9a5e31a2..dfbcd728d7 100644 +index 8566f5f1..52d0320b 100644 --- a/tests/Makefile.include +++ b/tests/Makefile.include -@@ -972,4 +972,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) +@@ -1210,4 +1210,12 @@ all: $(QEMU_IOTESTS_HELPERS-y) -include $(wildcard tests/*.d) -include $(wildcard tests/libqos/*.d) diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch index 5152dcaf..012d60d8 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-Add-addition-environment-space-to-boot-loader-q.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch @@ -1,4 +1,4 @@ -From dd4404a334a545e9beafa1b1e41b3a8f35ef31a9 Mon Sep 17 00:00:00 2001 +From ce1eceab2350d27960ec254650717085f6a11c9a Mon Sep 17 00:00:00 2001 From: Jason Wessel <jason.wessel@windriver.com> Date: Fri, 28 Mar 2014 17:42:43 +0800 Subject: [PATCH] qemu: Add addition environment space to boot loader @@ -13,20 +13,21 @@ to only 256 bytes. This patch expands the limit. Signed-off-by: Jason Wessel <jason.wessel@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> + --- hw/mips/mips_malta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c -index f6513a4fd5..d5efafb1e8 100644 +index 92e9ca5b..3a7f3954 100644 --- a/hw/mips/mips_malta.c +++ b/hw/mips/mips_malta.c -@@ -62,7 +62,7 @@ +@@ -59,7 +59,7 @@ - #define ENVP_ADDR 0x80002000l - #define ENVP_NB_ENTRIES 16 --#define ENVP_ENTRY_SIZE 256 -+#define ENVP_ENTRY_SIZE 1024 + #define ENVP_ADDR 0x80002000l + #define ENVP_NB_ENTRIES 16 +-#define ENVP_ENTRY_SIZE 256 ++#define ENVP_ENTRY_SIZE 1024 /* Hardware addresses */ - #define FLASH_ADDRESS 0x1e000000ULL + #define FLASH_ADDRESS 0x1e000000ULL diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch index 70baf0fb..bc30397e 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-disable-Valgrind.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch @@ -1,4 +1,4 @@ -From 4475b3d97371e588540333988a97d7df3ec2c65a Mon Sep 17 00:00:00 2001 +From 4127296bb1046cdf73994ba69dc913d8c02fd74f Mon Sep 17 00:00:00 2001 From: Ross Burton <ross.burton@intel.com> Date: Tue, 20 Oct 2015 22:19:08 +0100 Subject: [PATCH] qemu: disable Valgrind @@ -7,15 +7,16 @@ There isn't an option to enable or disable valgrind support, so disable it to av Upstream-Status: Inappropriate Signed-off-by: Ross Burton <ross.burton@intel.com> + --- configure | 9 --------- 1 file changed, 9 deletions(-) diff --git a/configure b/configure -index 0a19b033bc..69e05fb6c0 100755 +index 6099be1d..a766017b 100755 --- a/configure +++ b/configure -@@ -4895,15 +4895,6 @@ fi +@@ -5390,15 +5390,6 @@ fi # check if we have valgrind/valgrind.h valgrind_h=no diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch index 12456bb5..ec303371 100644 
--- a/external/poky/meta/recipes-devtools/qemu/qemu/0007-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch @@ -1,18 +1,19 @@ -From 2d29d52b6f755758cfca6af0bcfd78091e16a7bc Mon Sep 17 00:00:00 2001 +From 6cdf82af2eba312b9b8da86dda28b98d3d51f4d4 Mon Sep 17 00:00:00 2001 From: Stephen Arnold <sarnold@vctlabs.com> Date: Sun, 12 Jun 2016 18:09:56 -0700 Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment Upstream-Status: Pending + --- configure | 4 ---- 1 file changed, 4 deletions(-) diff --git a/configure b/configure -index 69e05fb6c0..12fc3d8bdc 100755 +index a766017b..72f11aca 100755 --- a/configure +++ b/configure -@@ -5413,10 +5413,6 @@ write_c_skeleton +@@ -6085,10 +6085,6 @@ write_c_skeleton if test "$gcov" = "yes" ; then CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS" LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS" diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch index 2afe4e93..0810ae84 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0008-chardev-connect-socket-to-a-spawned-command.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch @@ -1,4 +1,4 @@ -From 20a09bb18907e67565c54fc505a741cbbef53f7f Mon Sep 17 00:00:00 2001 +From bcc63f775e265df69963a4ad7805b8678ace68f0 Mon Sep 17 00:00:00 2001 From: Alistair Francis <alistair.francis@xilinx.com> Date: Thu, 21 Dec 2017 11:35:16 -0800 Subject: [PATCH] chardev: connect socket to a spawned command @@ -44,18 +44,19 @@ as simple as possible. Upstream-Status: Inappropriate [embedded specific] 
Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> + --- - chardev/char-socket.c | 102 ++++++++++++++++++++++++++++++++++++++++++ + chardev/char-socket.c | 101 ++++++++++++++++++++++++++++++++++++++++++ chardev/char.c | 3 ++ qapi/char.json | 5 +++ - 3 files changed, 110 insertions(+) + 3 files changed, 109 insertions(+) diff --git a/chardev/char-socket.c b/chardev/char-socket.c -index 159e69c3b1..84778cf31a 100644 +index 185fe38d..54fa4234 100644 --- a/chardev/char-socket.c +++ b/chardev/char-socket.c -@@ -934,6 +934,68 @@ static gboolean socket_reconnect_timeout(gpointer opaque) - return false; +@@ -1288,6 +1288,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock, + return true; } +#ifndef _WIN32 @@ -119,11 +120,10 @@ index 159e69c3b1..84778cf31a 100644 + } +} +#endif -+ + static void qmp_chardev_open_socket(Chardev *chr, ChardevBackend *backend, - bool *be_opened, -@@ -941,6 +1003,9 @@ static void qmp_chardev_open_socket(Chardev *chr, +@@ -1296,6 +1357,9 @@ static void qmp_chardev_open_socket(Chardev *chr, { SocketChardev *s = SOCKET_CHARDEV(chr); ChardevSocket *sock = backend->u.socket.data; @@ -133,9 +133,9 @@ index 159e69c3b1..84778cf31a 100644 bool do_nodelay = sock->has_nodelay ? sock->nodelay : false; bool is_listen = sock->has_server ? sock->server : true; bool is_telnet = sock->has_telnet ? sock->telnet : false; -@@ -1008,6 +1073,14 @@ static void qmp_chardev_open_socket(Chardev *chr, - s->reconnect_time = reconnect; - } +@@ -1361,6 +1425,14 @@ static void qmp_chardev_open_socket(Chardev *chr, + + update_disconnected_filename(s); +#ifndef _WIN32 + if (cmd) { 
@@ -145,13 +145,13 @@ index 159e69c3b1..84778cf31a 100644 + *be_opened = true; + } else +#endif - /* If reconnect_time is set, will do that in chr_machine_done. */ - if (!s->reconnect_time) { - if (s->is_listen) { -@@ -1065,9 +1138,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, + if (s->is_listen) { + if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270, + is_waitconnect, errp) < 0) { +@@ -1380,9 +1452,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, + const char *host = qemu_opt_get(opts, "host"); const char *port = qemu_opt_get(opts, "port"); const char *fd = qemu_opt_get(opts, "fd"); - const char *tls_creds = qemu_opt_get(opts, "tls-creds"); +#ifndef _WIN32 + const char *cmd = qemu_opt_get(opts, "cmd"); +#endif @@ -165,7 +165,7 @@ index 159e69c3b1..84778cf31a 100644 + * spawning a command, otherwise unmodified code that doesn't know about + * command spawning (like socket_reconnect_timeout()) might get called. + */ -+ if (path || is_listen || is_telnet || is_tn3270 || reconnect || host || port || tls_creds) { ++ if (path || sock->server || sock->has_telnet || sock->has_tn3270 || sock->reconnect || host || port || sock->tls_creds) { + error_setg(errp, "chardev: socket: cmd does not support any additional options"); + return; + } 
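Review bot: The rewritten guard in qemu_chr_parse_socket now reads `sock->server`, `sock->has_telnet`, `sock->has_tn3270`, `sock->reconnect` and `sock->tls_creds`, but nothing in the hunk shows `sock` being assigned before this point — in the upstream function it is allocated only after the path/fd/host check that this block precedes, so unless the ordering has been changed outside the hunk the condition dereferences an uninitialized pointer. The previous version of the patch tested the option values read directly from `opts`, which is what this check is for: `cmd` makes a spawned subprocess the chardev peer, and rejecting `server`, `reconnect`, `tls-creds` and the telnet modes keeps that path away from socket code that does not know about it. Either query the options again, e.g. `qemu_opt_get_bool(opts, "server", false)`, `qemu_opt_get(opts, "tls-creds")`, `qemu_opt_get_bool(opts, "telnet", false)`, or move the check to after `sock` has been populated. The enclosing function continues outside the hunk.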
@@ -175,14 +175,14 @@ index 159e69c3b1..84778cf31a 100644 if ((!!path + !!fd + !!host) != 1) { error_setg(errp, "Exactly one of 'path', 'fd' or 'host' required"); -@@ -1112,12 +1202,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, - sock->reconnect = reconnect; - sock->tls_creds = g_strdup(tls_creds); +@@ -1425,12 +1514,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend, + sock->has_tls_authz = qemu_opt_get(opts, "tls-authz"); + sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz")); +#ifndef _WIN32 + sock->cmd = g_strdup(cmd); +#endif -+ ++ addr = g_new0(SocketAddressLegacy, 1); +#ifndef _WIN32 + if (path || cmd) { @@ -201,10 +201,10 @@ index 159e69c3b1..84778cf31a 100644 addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET; addr->u.inet.data = g_new(InetSocketAddress, 1); diff --git a/chardev/char.c b/chardev/char.c -index 76d866e6fe..9747d51d7c 100644 +index 7b6b2cb1..0c2ca64b 100644 --- a/chardev/char.c +++ b/chardev/char.c -@@ -792,6 +792,9 @@ QemuOptsList qemu_chardev_opts = { +@@ -837,6 +837,9 @@ QemuOptsList qemu_chardev_opts = { },{ .name = "path", .type = QEMU_OPT_STRING, @@ -215,10 +215,10 @@ index 76d866e6fe..9747d51d7c 100644 .name = "host", .type = QEMU_OPT_STRING, diff --git a/qapi/char.json b/qapi/char.json -index ae19dcd1ed..6de0f29bcd 100644 +index a6e81ac7..517962c6 100644 --- a/qapi/char.json +++ b/qapi/char.json -@@ -241,6 +241,10 @@ +@@ -247,6 +247,10 @@ # # @addr: socket address to listen on (server=true) # or connect to (server=false) 
@@ -227,13 +227,13 @@ index ae19dcd1ed..6de0f29bcd 100644 +# is used by the chardev. Either an addr or a cmd can +# be specified, but not both. # @tls-creds: the ID of the TLS credentials object (since 2.6) - # @server: create server socket (default: true) - # @wait: wait for incoming connection on server -@@ -258,6 +262,7 @@ - # Since: 1.4 + # @tls-authz: the ID of the QAuthZ authorization object against which + # the client's x509 distinguished name will be validated. This +@@ -272,6 +276,7 @@ ## - { 'struct': 'ChardevSocket', 'data': { 'addr' : 'SocketAddressLegacy', -+ '*cmd' : 'str', - '*tls-creds' : 'str', - '*server' : 'bool', - '*wait' : 'bool', + { 'struct': 'ChardevSocket', + 'data': { 'addr': 'SocketAddressLegacy', ++ '*cmd': 'str', + '*tls-creds': 'str', + '*tls-authz' : 'str', + '*server': 'bool', diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch deleted file mode 100644 index a9d798ce..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0006-qemu-Limit-paths-searched-during-user-mode-emulation.patch +++ /dev/null 
@@ -1,145 +0,0 @@ -From c532bcdae8259b0f71723cda331ded4dbb0fa908 Mon Sep 17 00:00:00 2001 -From: Richard Purdie <richard.purdie@linuxfoundation.org> -Date: Wed, 9 Mar 2016 22:49:02 +0000 -Subject: [PATCH] qemu: Limit paths searched during user mode emulation - -By default qemu builds a complete list of directories within the user -emulation sysroot (-L option). The OE sysroot directory is large and -this is confusing, for example it indexes all pkgdata. In particular this -confuses strace of qemu binaries with tons of irrelevant paths. - -This patch stops the code indexing up front and instead only indexes -things if/as/when it needs to. This drastically reduces the files it -reads and reduces memory usage and cleans up strace. - -It would also avoid the infinite directory traversal bug in [YOCTO #6996] -although the code could still be vulnerable if it parsed those specific -paths. - -RP -2016/3/9 -Upstream-Status: Pending ---- - util/path.c | 44 ++++++++++++++++++++++---------------------- - 1 file changed, 22 insertions(+), 22 deletions(-) - -diff --git a/util/path.c b/util/path.c -index 7f9fc272fb..a416cd4ac2 100644 ---- a/util/path.c -+++ b/util/path.c -@@ -15,6 +15,7 @@ struct pathelem - char *name; - /* Full path name, eg. /usr/gnemul/x86-linux/lib. 
*/ - char *pathname; -+ int populated_entries; - struct pathelem *parent; - /* Children */ - unsigned int num_entries; -@@ -45,6 +46,7 @@ static struct pathelem *new_entry(const char *root, - new->name = g_strdup(name); - new->pathname = g_strdup_printf("%s/%s", root, name); - new->num_entries = 0; -+ new->populated_entries = 0; - return new; - } - -@@ -53,15 +55,16 @@ static struct pathelem *new_entry(const char *root, - /* Not all systems provide this feature */ - #if defined(DT_DIR) && defined(DT_UNKNOWN) && defined(DT_LNK) - # define dirent_type(dirent) ((dirent)->d_type) --# define is_dir_maybe(type) \ -- ((type) == DT_DIR || (type) == DT_UNKNOWN || (type) == DT_LNK) -+# define is_not_dir(type) \ -+ ((type) != DT_DIR && (type) != DT_UNKNOWN && (type) != DT_LNK) - #else - # define dirent_type(dirent) (1) --# define is_dir_maybe(type) (type) -+# define is_not_dir(type) (0) - #endif - - static struct pathelem *add_dir_maybe(struct pathelem *path) - { -+ unsigned int i; - DIR *dir; - - if ((dir = opendir(path->pathname)) != NULL) { -@@ -74,6 +77,11 @@ static struct pathelem *add_dir_maybe(struct pathelem *path) - } - closedir(dir); - } -+ -+ for (i = 0; i < path->num_entries; i++) -+ (path->entries[i])->parent = path; -+ -+ path->populated_entries = 1; - return path; - } - -@@ -89,26 +97,16 @@ static struct pathelem *add_entry(struct pathelem *root, const char *name, - e = &root->entries[root->num_entries-1]; - - *e = new_entry(root->pathname, root, name); -- if (is_dir_maybe(type)) { -- *e = add_dir_maybe(*e); -+ if (is_not_dir(type)) { -+ (*e)->populated_entries = 1; - } - - return root; - } - --/* This needs to be done after tree is stabilized (ie. no more reallocs!). */ --static void set_parents(struct pathelem *child, struct pathelem *parent) --{ -- unsigned int i; -- -- child->parent = parent; -- for (i = 0; i < child->num_entries; i++) -- set_parents(child->entries[i], child); --} -- - /* FIXME: Doesn't handle DIR/.. where DIR is not in emulated dir. 
*/ - static const char * --follow_path(const struct pathelem *cursor, const char *name) -+follow_path(struct pathelem *cursor, struct pathelem **source, const char *name) - { - unsigned int i, namelen; - -@@ -119,14 +117,18 @@ follow_path(const struct pathelem *cursor, const char *name) - return cursor->pathname; - - if (strneq(name, namelen, "..")) -- return follow_path(cursor->parent, name + namelen); -+ return follow_path(cursor->parent, &cursor->parent, name + namelen); - - if (strneq(name, namelen, ".")) -- return follow_path(cursor, name + namelen); -+ return follow_path(cursor, source, name + namelen); -+ -+ if (!cursor->populated_entries) -+ *source = add_dir_maybe(cursor); -+ cursor = *source; - - for (i = 0; i < cursor->num_entries; i++) - if (strneq(name, namelen, cursor->entries[i]->name)) -- return follow_path(cursor->entries[i], name + namelen); -+ return follow_path(cursor->entries[i], &cursor->entries[i], name + namelen); - - /* Not found */ - return NULL; -@@ -160,8 +162,6 @@ void init_paths(const char *prefix) - g_free(base->name); - g_free(base); - base = NULL; -- } else { -- set_parents(base, base); - } - } - -@@ -173,5 +173,5 @@ const char *path(const char *name) - if (!base || !name || name[0] != '/') - return name; - -- return follow_path(base, name) ?: name; -+ return follow_path(base, &base, name) ?: name; - } diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch index 5969d938..89baad9b 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0009-apic-fixup-fallthrough-to-PIC.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch @@ -1,4 +1,4 @@ -From 5046c21efdbc7413cddd5c5dbd9e1d53258d3e8c Mon Sep 17 00:00:00 2001 +From a59a98d100123030a4145e7efe3b8a001920a9f1 Mon Sep 17 00:00:00 2001 
From: Mark Asselstine <mark.asselstine@windriver.com> Date: Tue, 26 Feb 2013 11:43:28 -0500 Subject: [PATCH] apic: fixup fallthrough to PIC @@ -24,12 +24,13 @@ serviced, is -1. Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com> Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2013-04/msg00878.html] Signed-off-by: He Zhe <zhe.he@windriver.com> + --- hw/intc/apic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/intc/apic.c b/hw/intc/apic.c -index 6fda52b86c..cd7291962d 100644 +index 2a74f7b4..4d5da365 100644 --- a/hw/intc/apic.c +++ b/hw/intc/apic.c @@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev) diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch index e110f633..30bb4ddf 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch @@ -1,4 +1,4 @@ -From 3cd92c7a885e4997ef6843313298c1d748d6ca39 Mon Sep 17 00:00:00 2001 +From cf8c9aac5243f506a1a3e8e284414f311cde04f5 Mon Sep 17 00:00:00 2001 From: Alistair Francis <alistair.francis@xilinx.com> Date: Wed, 17 Jan 2018 10:51:49 -0800 Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target @@ -13,20 +13,21 @@ to what it was before the problematic commit. Upstream-Status: Submitted http://lists.gnu.org/archive/html/qemu-devel/2018-01/msg04185.html Signed-off-by: Alistair Francis <alistair.francis@xilinx.com> + --- linux-user/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linux-user/main.c b/linux-user/main.c -index 8907a84114..ea42c43610 100644 +index 6ff7851e..ebff0485 100644 --- a/linux-user/main.c 
+++ b/linux-user/main.c -@@ -79,7 +79,7 @@ do { \ +@@ -78,7 +78,7 @@ int have_guest_base; (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32)) /* There are a number of places where we assign reserved_va to a variable of type abi_ulong and expect it to fit. Avoid the last page. */ --# define MAX_RESERVED_VA (0xfffffffful & TARGET_PAGE_MASK) -+# define MAX_RESERVED_VA (0x7ffffffful & TARGET_PAGE_MASK) +-# define MAX_RESERVED_VA(CPU) (0xfffffffful & TARGET_PAGE_MASK) ++# define MAX_RESERVED_VA(CPU) (0x7ffffffful & TARGET_PAGE_MASK) # else - # define MAX_RESERVED_VA (1ul << TARGET_VIRT_ADDR_SPACE_BITS) + # define MAX_RESERVED_VA(CPU) (1ul << TARGET_VIRT_ADDR_SPACE_BITS) # endif diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch index 41626eb8..7e273eec 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0011-Revert-linux-user-fix-mmap-munmap-mprotect-mremap-sh.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch @@ -1,31 +1,36 @@ -From 3ed26be2091436296933ed2146f7269c791c7bfe Mon Sep 17 00:00:00 2001 +From 613166007e3b852c99caf2cd34a972e2c8460737 Mon Sep 17 00:00:00 2001 
From: Martin Jansa <martin.jansa@lge.com> Date: Fri, 1 Jun 2018 08:41:07 +0000 -Subject: [PATCH] Revert "linux-user: fix mmap/munmap/mprotect/mremap/shmat" +Subject: [PATCH] Fix webkitgtk builds -Causes qemu-i386 to hang during gobject-introspection in webkitgtk build -when musl is used on qemux86 - the same issue as -0010-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch -was fixing in 2.11.0 release, but with this patch the fix no longer worked -as discussed here: -http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150302.html -http://lists.openembedded.org/pipermail/openembedded-core/2018-June/151382.html +This is a partial revert of "linux-user: fix mmap/munmap/mprotect/mremap/shmat". + +This patch fixes qemu-i386 hangs during gobject-introspection in webkitgtk build +when musl is used on qemux86. This is the same issue that +0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch was +fixing in the 2.11 release. + +This patch also fixes a build failure when building webkitgtk for +qemumips. A QEMU assert is seen while building webkitgtk: +page_check_range: Assertion `start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)' failed. This reverts commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583. Upstream-Status: Pending +Signed-off-by: Alistair Francis <alistair.francis@wdc.com> + --- include/exec/cpu-all.h | 6 +----- - include/exec/cpu_ldst.h | 16 +++++++++------- + include/exec/cpu_ldst.h | 5 ++++- linux-user/mmap.c | 17 ++++------------- linux-user/syscall.c | 5 +---- - 4 files changed, 15 insertions(+), 29 deletions(-) + 4 files changed, 10 insertions(+), 23 deletions(-) diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h -index f4fa94e966..0b141683f0 100644 +index e96781a4..a369f81a 100644 --- a/include/exec/cpu-all.h +++ b/include/exec/cpu-all.h -@@ -159,12 +159,8 @@ extern unsigned long guest_base; +@@ -162,12 +162,8 @@ extern unsigned long guest_base; extern int have_guest_base; extern unsigned long reserved_va; 
@@ -40,37 +45,26 @@ index f4fa94e966..0b141683f0 100644 #include "exec/hwaddr.h" diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h -index 5de8c8a5af..191f2e962a 100644 +index fd499f7e..30575f60 100644 --- a/include/exec/cpu_ldst.h +++ b/include/exec/cpu_ldst.h -@@ -51,13 +51,15 @@ - /* All direct uses of g2h and h2g need to go away for usermode softmmu. */ - #define g2h(x) ((void *)((unsigned long)(target_ulong)(x) + guest_base)) - +@@ -65,7 +65,10 @@ typedef uint64_t abi_ptr; + #if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS + #define guest_addr_valid(x) (1) + #else -#define guest_addr_valid(x) ((x) <= GUEST_ADDR_MAX) --#define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) -- --static inline int guest_range_valid(unsigned long start, unsigned long len) --{ -- return len - 1 <= GUEST_ADDR_MAX && start <= GUEST_ADDR_MAX - len + 1; --} -+#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS -+#define h2g_valid(x) 1 -+#else -+#define h2g_valid(x) ({ \ -+ unsigned long __guest = (unsigned long)(x) - guest_base; \ -+ (__guest < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \ -+ (!reserved_va || (__guest < reserved_va)); \ ++#define guest_addr_valid(x) ({ \ ++ ((x) < (1ul << TARGET_VIRT_ADDR_SPACE_BITS)) && \ ++ (!reserved_va || ((x) < reserved_va)); \ +}) -+#endif + #endif + #define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base) - #define h2g_nocheck(x) ({ \ - unsigned long __ret = (unsigned long)(x) - guest_base; \ diff --git a/linux-user/mmap.c b/linux-user/mmap.c -index 9168a2051c..de85669aab 100644 +index 46a6e3a7..77354654 100644 --- a/linux-user/mmap.c +++ b/linux-user/mmap.c -@@ -80,7 +80,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot) +@@ -78,7 +78,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot) return -TARGET_EINVAL; len = TARGET_PAGE_ALIGN(len); end = start + len; 
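Review bot: The rebased `guest_addr_valid(x)` in the cpu_ldst.h hunk evaluates its argument twice, once against `1ul << TARGET_VIRT_ADDR_SPACE_BITS` and once against `reserved_va`, whereas the version of this patch being replaced bound the value to a local (`__guest`) before comparing. Because `h2g_valid(x)` expands to `guest_addr_valid((unsigned long)(x) - guest_base)`, every h2g_valid caller now computes the subtraction twice and any argument with side effects is evaluated twice. Since the macro is already a GNU statement expression, binding the argument once costs nothing: add `unsigned long __guest = (x); \` as the first statement and compare `__guest` instead of `(x)` in the two following lines.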
@@ -79,10 +73,10 @@ index 9168a2051c..de85669aab 100644 return -TARGET_ENOMEM; } prot &= PROT_READ | PROT_WRITE | PROT_EXEC; -@@ -482,8 +482,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, - * It can fail only on 64-bit host with 32-bit target. - * On any other target/host host mmap() handles this error correctly. - */ +@@ -495,8 +495,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot, + * It can fail only on 64-bit host with 32-bit target. + * On any other target/host host mmap() handles this error correctly. + */ - if (!guest_range_valid(start, len)) { - errno = ENOMEM; + if ((unsigned long)start + len - 1 > (abi_ulong) -1) { @@ -90,7 +84,7 @@ index 9168a2051c..de85669aab 100644 goto fail; } -@@ -623,10 +623,8 @@ int target_munmap(abi_ulong start, abi_ulong len) +@@ -636,10 +636,8 @@ int target_munmap(abi_ulong start, abi_ulong len) if (start & ~TARGET_PAGE_MASK) return -TARGET_EINVAL; len = TARGET_PAGE_ALIGN(len); @@ -102,7 +96,7 @@ index 9168a2051c..de85669aab 100644 mmap_lock(); end = start + len; real_start = start & qemu_host_page_mask; -@@ -681,13 +679,6 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size, +@@ -694,13 +692,6 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size, int prot; void *host_addr; @@ -117,10 +111,10 @@ index 9168a2051c..de85669aab 100644 if (flags & MREMAP_FIXED) { diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 643b8833de..271f215147 100644 +index 171c0cae..fc18f244 100644 --- a/linux-user/syscall.c +++ b/linux-user/syscall.c -@@ -4919,9 +4919,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env, +@@ -4138,9 +4138,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env, return -TARGET_EINVAL; } } 
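Review bot: The rebased mmap.c and syscall.c hunks still carry forward the removal of the `guest_range_valid(start, len)` checks that upstream commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583 introduced: in target_mmap the replacement `if ((unsigned long)start + len - 1 > (abi_ulong) -1)` only rejects a range that wraps the abi_ulong space and no longer bounds it by `reserved_va` or `1ul << TARGET_VIRT_ADDR_SPACE_BITS`, the very limit the new `guest_addr_valid()` enforces, and judging by the inner hunk counts (`-10,8` for target_munmap, `-13,6` for target_mremap, `-9,6` for do_shmat) those functions appear to lose their check without any replacement. For a 32-bit guest on a 64-bit host this is the range-validation gap the upstream fix closed, and it is reintroduced on every rebase of this Pending patch. At minimum the first hunk's description should state the scope, e.g. `This partially reverts commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583 by dropping the guest_range_valid() checks in mmap/munmap/mremap/shmat.` in place of the current `This reverts commit …`, which no longer matches the "partial revert" wording above it; a `guest_range_valid()` built on the new `guest_addr_valid()` bound may be a way to keep the checks while still avoiding the L1_MAP_ADDR_SPACE_BITS assertion, but that needs testing on the affected targets.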
@@ -130,7 +124,7 @@ index 643b8833de..271f215147 100644 mmap_lock(); -@@ -7497,7 +7494,7 @@ static int open_self_maps(void *cpu_env, int fd) +@@ -6990,7 +6987,7 @@ static int open_self_maps(void *cpu_env, int fd) } if (h2g_valid(min)) { int flags = page_get_flags(h2g(min)); diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch new file mode 100644 index 00000000..34df78b7 --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch 
@@ -0,0 +1,91 @@ +From c207607cdf3996ad9783c3bffbcd3d65e74c0158 Mon Sep 17 00:00:00 2001 +From: He Zhe <zhe.he@windriver.com> +Date: Wed, 28 Aug 2019 19:56:28 +0800 +Subject: [PATCH] configure: Add pkg-config handling for libgcrypt + +libgcrypt may also be controlled by pkg-config, this patch adds pkg-config +handling for libgcrypt. + +Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html] + +Signed-off-by: He Zhe <zhe.he@windriver.com> + +--- + configure | 48 ++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 40 insertions(+), 8 deletions(-) + +diff --git a/configure b/configure +index 72f11aca..cac271ce 100755 +--- a/configure ++++ b/configure +@@ -2875,6 +2875,30 @@ has_libgcrypt() { + return 0 + } + ++has_libgcrypt_pkgconfig() { ++ if ! has $pkg_config ; then ++ return 1 ++ fi ++ ++ if ! $pkg_config --list-all | grep libgcrypt > /dev/null 2>&1 ; then ++ return 1 ++ fi ++ ++ if test -n "$cross_prefix" ; then ++ host=$($pkg_config --variable=host libgcrypt) ++ if test "${host%-gnu}-" != "${cross_prefix%-gnu}" ; then ++ print_error "host($host) does not match cross_prefix($cross_prefix)" ++ return 1 ++ fi ++ fi ++ ++ if ! 
$pkg_config --atleast-version=1.5.0 libgcrypt ; then ++ print_error "libgcrypt version is $($pkg_config --modversion libgcrypt)" ++ return 1 ++ fi ++ ++ return 0 ++} + + if test "$nettle" != "no"; then + pass="no" +@@ -2915,7 +2939,14 @@ fi + + if test "$gcrypt" != "no"; then + pass="no" +- if has_libgcrypt; then ++ if has_libgcrypt_pkgconfig; then ++ gcrypt_cflags=$($pkg_config --cflags libgcrypt) ++ if test "$static" = "yes" ; then ++ gcrypt_libs=$($pkg_config --libs --static libgcrypt) ++ else ++ gcrypt_libs=$($pkg_config --libs libgcrypt) ++ fi ++ elif has_libgcrypt; then + gcrypt_cflags=$(libgcrypt-config --cflags) + gcrypt_libs=$(libgcrypt-config --libs) + # Debian has removed -lgpg-error from libgcrypt-config +@@ -2925,15 +2956,16 @@ if test "$gcrypt" != "no"; then + then + gcrypt_libs="$gcrypt_libs -lgpg-error" + fi ++ fi + +- # Link test to make sure the given libraries work (e.g for static). +- write_c_skeleton +- if compile_prog "" "$gcrypt_libs" ; then +- LIBS="$gcrypt_libs $LIBS" +- QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags" +- pass="yes" +- fi ++ # Link test to make sure the given libraries work (e.g for static). ++ write_c_skeleton ++ if compile_prog "" "$gcrypt_libs" ; then ++ LIBS="$gcrypt_libs $LIBS" ++ QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags" ++ pass="yes" + fi ++ + if test "$pass" = "yes"; then + gcrypt="yes" + cat > $TMPC << EOF diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch new file mode 100644 index 00000000..2fe0850a --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch 
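Review bot: The second configure hunk moves the link test out of the detection branch, so when both `has_libgcrypt_pkgconfig` and `has_libgcrypt` fail, `gcrypt_libs` and `gcrypt_cflags` are left empty, `compile_prog "" "$gcrypt_libs"` links the bare skeleton successfully, `pass` becomes yes and the following `gcrypt="yes"` is taken without any library having been found; before this change the link test only ran inside `if has_libgcrypt`. Recording the detection result in a flag and guarding the link test with it restores the previous behaviour for both detection paths. Separately, `$pkg_config --list-all | grep libgcrypt` in the first hunk is an unanchored substring match over every package name and description; `$pkg_config --exists libgcrypt` is the direct query and avoids the false positive.
```shell
if test "$gcrypt" != "no"; then
    pass="no"
    gcrypt_detected="no"
    if has_libgcrypt_pkgconfig; then
        gcrypt_detected="yes"
        # … unchanged: pkg-config cflags/libs (static or shared) …
    elif has_libgcrypt; then
        gcrypt_detected="yes"
        # … unchanged: libgcrypt-config cflags/libs and -lgpg-error fixup …
    fi

    if test "$gcrypt_detected" = "yes"; then
        # Link test to make sure the given libraries work (e.g for static).
        write_c_skeleton
        if compile_prog "" "$gcrypt_libs" ; then
            LIBS="$gcrypt_libs $LIBS"
            QEMU_CFLAGS="$QEMU_CFLAGS $gcrypt_cflags"
            pass="yes"
        fi
    fi
    # … unchanged: pass="yes" handling …
```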
@@ -0,0 +1,54 @@ +From a88c40f02ace88f09b2a85a64831b277b2ebc88c Mon Sep 17 00:00:00 2001 +From: Peter Wu <peter@lekensteyn.nl> +Date: Sat, 21 Dec 2019 17:21:24 +0100 +Subject: [PATCH] hw/i386/pc: fix regression in parsing vga cmdline parameter + +When the 'vga=' parameter is succeeded by another parameter, QEMU 4.2.0 +would refuse to start with a rather cryptic message: + + $ qemu-system-x86_64 -kernel /boot/vmlinuz-linux -append 'vga=792 quiet' + qemu: can't parse 'vga' parameter: Invalid argument + +It was not clear whether this applied to the '-vga std' parameter or the +'-append' one. Fix the parsing regression and clarify the error. + +Fixes: 133ef074bd ("hw/i386/pc: replace use of strtol with qemu_strtoui in x86_load_linux()") +Cc: Sergio Lopez <slp@redhat.com> +Signed-off-by: Peter Wu <peter@lekensteyn.nl> +Message-Id: <20191221162124.1159291-1-peter@lekensteyn.nl> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a88c40f02ace88f09b2a85a64831b277b2ebc88c] +--- + hw/i386/x86.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/i386/x86.c b/hw/i386/x86.c +index d8bb5c2a96..9b9a4d5837 100644 +--- a/hw/i386/x86.c ++++ b/hw/i386/x86.c +@@ -612,6 +612,7 @@ void x86_load_linux(X86MachineState *x86ms, + vmode = strstr(kernel_cmdline, "vga="); + if (vmode) { + unsigned int video_mode; ++ const char *end; + int ret; + /* skip "vga=" */ + vmode += 4; +@@ -622,10 +623,9 @@ void x86_load_linux(X86MachineState *x86ms, + } else if (!strncmp(vmode, "ask", 3)) { + video_mode = 0xfffd; + } else { +- ret = qemu_strtoui(vmode, NULL, 0, &video_mode); +- if (ret != 0) { +- fprintf(stderr, "qemu: can't parse 'vga' parameter: %s\n", +- strerror(-ret)); ++ ret = qemu_strtoui(vmode, &end, 0, &video_mode); ++ if (ret != 0 || (*end && *end != ' ')) { ++ fprintf(stderr, "qemu: invalid 'vga=' kernel parameter.\n"); + exit(1); + } + } +-- +2.25.0 + 
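Review bot: The delimiter test `(*end && *end != ' ')` in the x86.c hunk accepts only a space after the numeric mode, so a command line such as `vga=792` followed by a tab and further options is still rejected with the new error, even though the kernel's own command-line parser, as far as I recall, splits on any whitespace. If the intent is to mirror the kernel, `if (ret != 0 || (*end && !g_ascii_isspace(*end))) {` would do it; the rest of the hunk is unaffected. Since this patch is a verbatim upstream backport, that is better raised as a follow-up than as a local modification to the backported patch.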
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch index aa24f729..3a7d7bbd 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch @@ -1,4 +1,4 @@ -From bb9e48e331eee06d7bac1dce809c70191d1a3b4d Mon Sep 17 00:00:00 2001 +From 9125afb733d8c96416bb83c5adad39bb8d0803a1 Mon Sep 17 00:00:00 2001 From: Hongxu Jia <hongxu.jia@windriver.com> Date: Tue, 12 Mar 2013 09:54:06 +0800 Subject: [PATCH] fix libcap header issue on some distro @@ -54,12 +54,13 @@ http://patchwork.linuxtv.org/patch/12748/ Upstream-Status: Pending Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> + --- fsdev/virtfs-proxy-helper.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c -index 6f132c5ff1..8329950c26 100644 +index 6f132c5f..8329950c 100644 --- a/fsdev/virtfs-proxy-helper.c +++ b/fsdev/virtfs-proxy-helper.c @@ -13,7 +13,6 @@ diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch index 03ec2c90..e5ebfc12 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch +++ b/external/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch @@ -1,4 +1,4 @@ -From edc8dba74c7a4a2121d76c982be0074183bf080a Mon Sep 17 00:00:00 2001 +From 0a53e906510cce1f32bc04a11e81ea40f834dac4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com> Date: Wed, 12 Aug 2015 15:11:30 -0500 Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails. @@ -12,17 +12,18 @@ current cpu information. Upstream-Status: Inappropriate Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com> + --- cpus.c | 5 +++++ custom_debug.h | 24 ++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 custom_debug.h -Index: qemu-3.0.0/cpus.c -=================================================================== ---- qemu-3.0.0.orig/cpus.c -+++ qemu-3.0.0/cpus.c -@@ -1693,6 +1693,8 @@ static void *qemu_tcg_cpu_thread_fn(void +diff --git a/cpus.c b/cpus.c +index e83f72b4..e6e2576e 100644 +--- a/cpus.c ++++ b/cpus.c +@@ -1769,6 +1769,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg) return NULL; } @@ -31,20 +32,21 @@ Index: qemu-3.0.0/cpus.c static void qemu_cpu_kick_thread(CPUState *cpu) { #ifndef _WIN32 -@@ -1705,6 +1707,9 @@ static void qemu_cpu_kick_thread(CPUStat +@@ -1781,6 +1783,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu) err = pthread_kill(cpu->thread->thread, SIG_IPI); - if (err) { + if (err && err != ESRCH) { fprintf(stderr, "qemu:%s: %s", __func__, strerror(err)); + fprintf(stderr, "CPU #%d:\n", cpu->cpu_index); -+ cpu_dump_state(cpu, stderr, fprintf, 0); ++ cpu_dump_state(cpu, stderr, 0); + backtrace_print(); exit(1); } #else /* _WIN32 */ -Index: qemu-3.0.0/custom_debug.h -=================================================================== +diff --git a/custom_debug.h b/custom_debug.h +new file mode 100644 +index 00000000..f029e455 --- /dev/null -+++ qemu-3.0.0/custom_debug.h ++++ b/custom_debug.h @@ -0,0 +1,24 @@ +#include <execinfo.h> +#include <stdio.h> 
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch b/external/poky/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch deleted file mode 100644 index 31a7c948..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/0014-linux-user-fix-to-handle-variably-sized-SIOCGSTAMP-w.patch +++ /dev/null 
@@ -1,336 +0,0 @@ -From 8104018ba4c66e568d2583a3a0ee940851ee7471 Mon Sep 17 00:00:00 2001 -From: Daniel P. Berrangé <berrange@redhat.com> -Date: Tue, 23 Jul 2019 17:50:00 +0200 -Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new - kernels -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The SIOCGSTAMP symbol was previously defined in the -asm-generic/sockios.h header file. QEMU sees that header -indirectly via sys/socket.h - -In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115 -the asm-generic/sockios.h header no longer defines SIOCGSTAMP. -Instead it provides only SIOCGSTAMP_OLD, which only uses a -32-bit time_t on 32-bit architectures. - -The linux/sockios.h header then defines SIOCGSTAMP using -either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If -SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even -on 32-bit architectures - -To cope with this we must now convert the old and new type from -the target to the host one. - -Signed-off-by: Daniel P. 
Berrangé <berrange@redhat.com> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> -Reviewed-by: Arnd Bergmann <arnd@arndb.de> -Message-Id: <20190718130641.15294-1-laurent@vivier.eu> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> -Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com> ---- -Uptream-status: Backport (upstream commit: 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2) - - linux-user/ioctls.h | 21 +++++- - linux-user/syscall.c | 140 +++++++++++++++++++++++++++++-------- - linux-user/syscall_defs.h | 30 +++++++- - linux-user/syscall_types.h | 6 -- - 4 files changed, 159 insertions(+), 38 deletions(-) - -Index: qemu-3.0.0/linux-user/ioctls.h -=================================================================== ---- qemu-3.0.0.orig/linux-user/ioctls.h -+++ qemu-3.0.0/linux-user/ioctls.h -@@ -173,8 +173,25 @@ - IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq))) - IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq))) - IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */ -- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval))) -- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec))) -+ -+ /* -+ * We can't use IOCTL_SPECIAL() because it will set -+ * host_cmd to XXX_OLD and XXX_NEW and these macros -+ * are not defined with kernel prior to 5.2. -+ * We must set host_cmd to the same value as in target_cmd -+ * otherwise the consistency check in syscall_init() -+ * will trigger an error. -+ * host_cmd is ignored by the do_ioctl_XXX() helpers. 
-+ * FIXME: create a macro to define this kind of entry -+ */ -+ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD, -+ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP }, -+ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD, -+ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS }, -+ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW, -+ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP }, -+ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW, -+ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS }, - - IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT)) - IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT)) -Index: qemu-3.0.0/linux-user/syscall.c -=================================================================== ---- qemu-3.0.0.orig/linux-user/syscall.c -+++ qemu-3.0.0/linux-user/syscall.c -@@ -37,6 +37,7 @@ - #include <sched.h> - #include <sys/timex.h> - #include <sys/socket.h> -+#include <linux/sockios.h> - #include <sys/un.h> - #include <sys/uio.h> - #include <poll.h> -@@ -1391,8 +1392,9 @@ static inline abi_long copy_from_user_ti - { - struct target_timeval *target_tv; - -- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) -+ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) { - return -TARGET_EFAULT; -+ } - - __get_user(tv->tv_sec, &target_tv->tv_sec); - __get_user(tv->tv_usec, &target_tv->tv_usec); -@@ -1407,8 +1409,26 @@ static inline abi_long copy_to_user_time - { - struct target_timeval *target_tv; - -- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) -+ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ -+ __put_user(tv->tv_sec, &target_tv->tv_sec); -+ __put_user(tv->tv_usec, &target_tv->tv_usec); -+ -+ unlock_user_struct(target_tv, target_tv_addr, 1); -+ -+ return 0; -+} -+ -+static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr, -+ const struct timeval *tv) -+{ -+ struct target__kernel_sock_timeval *target_tv; -+ -+ if (!lock_user_struct(VERIFY_WRITE, target_tv, 
target_tv_addr, 0)) { - return -TARGET_EFAULT; -+ } - - __put_user(tv->tv_sec, &target_tv->tv_sec); - __put_user(tv->tv_usec, &target_tv->tv_usec); -@@ -1418,6 +1438,48 @@ static inline abi_long copy_to_user_time - return 0; - } - -+static inline abi_long target_to_host_timespec(struct timespec *host_ts, -+ abi_ulong target_addr) -+{ -+ struct target_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) { -+ return -TARGET_EFAULT; -+ } -+ __get_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 0); -+ return 0; -+} -+ -+static inline abi_long host_to_target_timespec(abi_ulong target_addr, -+ struct timespec *host_ts) -+{ -+ struct target_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ __put_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 1); -+ return 0; -+} -+ -+static inline abi_long host_to_target_timespec64(abi_ulong target_addr, -+ struct timespec *host_ts) -+{ -+ struct target__kernel_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ __put_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 1); -+ return 0; -+} -+ - static inline abi_long copy_from_user_timezone(struct timezone *tz, - abi_ulong target_tz_addr) - { -@@ -5733,6 +5795,54 @@ static abi_long do_ioctl_kdsigaccept(con - return get_errno(safe_ioctl(fd, ie->host_cmd, sig)); - } - -+static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp, -+ int fd, int cmd, abi_long arg) -+{ -+ struct timeval tv; -+ abi_long ret; -+ -+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv)); -+ if (is_error(ret)) { -+ return ret; -+ } -+ -+ if 
(cmd == (int)TARGET_SIOCGSTAMP_OLD) { -+ if (copy_to_user_timeval(arg, &tv)) { -+ return -TARGET_EFAULT; -+ } -+ } else { -+ if (copy_to_user_timeval64(arg, &tv)) { -+ return -TARGET_EFAULT; -+ } -+ } -+ -+ return ret; -+} -+ -+static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp, -+ int fd, int cmd, abi_long arg) -+{ -+ struct timespec ts; -+ abi_long ret; -+ -+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts)); -+ if (is_error(ret)) { -+ return ret; -+ } -+ -+ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) { -+ if (host_to_target_timespec(arg, &ts)) { -+ return -TARGET_EFAULT; -+ } -+ } else{ -+ if (host_to_target_timespec64(arg, &ts)) { -+ return -TARGET_EFAULT; -+ } -+ } -+ -+ return ret; -+} -+ - #ifdef TIOCGPTPEER - static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp, - int fd, int cmd, abi_long arg) -@@ -7106,32 +7216,6 @@ static inline abi_long target_ftruncate6 - } - #endif - --static inline abi_long target_to_host_timespec(struct timespec *host_ts, -- abi_ulong target_addr) --{ -- struct target_timespec *target_ts; -- -- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) -- return -TARGET_EFAULT; -- __get_user(host_ts->tv_sec, &target_ts->tv_sec); -- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec); -- unlock_user_struct(target_ts, target_addr, 0); -- return 0; --} -- --static inline abi_long host_to_target_timespec(abi_ulong target_addr, -- struct timespec *host_ts) --{ -- struct target_timespec *target_ts; -- -- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) -- return -TARGET_EFAULT; -- __put_user(host_ts->tv_sec, &target_ts->tv_sec); -- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -- unlock_user_struct(target_ts, target_addr, 1); -- return 0; --} -- - static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec, - abi_ulong target_addr) - { -Index: qemu-3.0.0/linux-user/syscall_defs.h -=================================================================== 
---- qemu-3.0.0.orig/linux-user/syscall_defs.h -+++ qemu-3.0.0/linux-user/syscall_defs.h -@@ -203,16 +203,34 @@ struct target_ip_mreq_source { - uint32_t imr_sourceaddr; - }; - -+#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32) -+struct target_timeval { -+ abi_long tv_sec; -+ abi_int tv_usec; -+}; -+#define target__kernel_sock_timeval target_timeval -+#else - struct target_timeval { - abi_long tv_sec; - abi_long tv_usec; - }; - -+struct target__kernel_sock_timeval { -+ abi_llong tv_sec; -+ abi_llong tv_usec; -+}; -+#endif -+ - struct target_timespec { - abi_long tv_sec; - abi_long tv_nsec; - }; - -+struct target__kernel_timespec { -+ abi_llong tv_sec; -+ abi_llong tv_nsec; -+}; -+ - struct target_timezone { - abi_int tz_minuteswest; - abi_int tz_dsttime; -@@ -738,8 +756,16 @@ struct target_pollfd { - #define TARGET_SIOCATMARK 0x8905 - #define TARGET_SIOCGPGRP 0x8904 - #endif --#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */ --#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */ -+#if defined(TARGET_SH4) -+#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval) -+#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec) -+#else -+#define TARGET_SIOCGSTAMP_OLD 0x8906 -+#define TARGET_SIOCGSTAMPNS_OLD 0x8907 -+#endif -+ -+#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2]) -+#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2]) - - /* Networking ioctls */ - #define TARGET_SIOCADDRT 0x890B /* add routing table entry */ -Index: qemu-3.0.0/linux-user/syscall_types.h -=================================================================== ---- qemu-3.0.0.orig/linux-user/syscall_types.h -+++ qemu-3.0.0/linux-user/syscall_types.h -@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct, - STRUCT(sockaddr, - TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14)) - --STRUCT(timeval, -- MK_ARRAY(TYPE_LONG, 2)) -- --STRUCT(timespec, -- MK_ARRAY(TYPE_LONG, 2)) -- - STRUCT(rtentry, - TYPE_ULONG, 
MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), - TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID, diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch deleted file mode 100644 index 81607c95..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-10839.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From fdc89e90fac40c5ca2686733df17b6423fb8d8fb Mon Sep 17 00:00:00 2001 -From: Jason Wang <jasowang@redhat.com> -Date: Wed, 30 May 2018 13:08:15 +0800 -Subject: [PATCH] ne2000: fix possible out of bound access in ne2000_receive - -In ne2000_receive(), we try to assign size_ to size which converts -from size_t to integer. This will cause troubles when size_ is greater -INT_MAX, this will lead a negative value in size and it can then pass -the check of size < MIN_BUF_SIZE which may lead out of bound access of -for both buf and buf1. - -Fixing by converting the type of size to size_t. - -CC: qemu-stable@nongnu.org -Reported-by: Daniel Shapira <daniel@twistlock.com> -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Jason Wang <jasowang@redhat.com> - -Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff -;h=fdc89e90fac40c5ca2686733df17b6423fb8d8fb#patch1] - -CVE: CVE-2018-10839 CVE-2018-17958 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - hw/net/ne2000.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index 07d79e3..869518e 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -174,7 +174,7 @@ static int ne2000_buffer_full(NE2000State *s) - ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) - { - NE2000State *s = qemu_get_nic_opaque(nc); -- int size = size_; -+ size_t size = size_; - uint8_t *p; - unsigned int total_len, next, avail, len, index, mcast_idx; - uint8_t buf1[60]; -@@ -182,7 +182,7 @@ ssize_t ne2000_receive(NetClientState *nc, const uint8_t *buf, size_t size_) - { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - - #if defined(DEBUG_NE2000) -- printf("NE2000: received len=%d\n", size); -+ printf("NE2000: received len=%zu\n", size); - #endif - - if (s->cmd & E8390_STOP || ne2000_buffer_full(s)) --- -1.8.3.1 
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch deleted file mode 100644 index 2f61ea00..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-15746.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 9acf4c64dd4560bd268006d7356c7455fab7e5b1 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Thu, 6 Sep 2018 14:52:12 +0800 -Subject: [PATCH] seccomp: set the seccomp filter to all threads -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When using "-seccomp on", the seccomp policy is only applied to the -main thread, the vcpu worker thread and other worker threads created -after seccomp policy is applied; the seccomp policy is not applied to -e.g. the RCU thread because it is created before the seccomp policy is -applied and SECCOMP_FILTER_FLAG_TSYNC isn't used. - -This can be verified with -for task in /proc/`pidof qemu`/task/*; do cat $task/status | grep Secc ; done -Seccomp: 2 -Seccomp: 0 -Seccomp: 0 -Seccomp: 2 -Seccomp: 2 -Seccomp: 2 - -Starting with libseccomp 2.2.0 and kernel >= 3.17, we can use -seccomp_attr_set(ctx, > SCMP_FLTATR_CTL_TSYNC, 1) to update the policy -on all threads. - -libseccomp requirement was bumped to 2.2.0 in previous patch. -libseccomp should fail to set the filter if it can't honour -SCMP_FLTATR_CTL_TSYNC (untested), and thus -sandbox will now fail on -kernel < 3.17. 
- -Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Acked-by: Eduardo Otubo <otubo@redhat.com> - -Upstream-Status: Backport[https://github.com/qemu/qemu/commit/ -70dfabeaa79ba4d7a3b699abe1a047c8012db114#diff-18106d3b47a2d249f9d41e772b7db22d] - -CVE: CVE-2018-15746 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - qemu-seccomp.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/qemu-seccomp.c b/qemu-seccomp.c -index 9cd8eb9..ba5500a 100644 ---- a/qemu-seccomp.c -+++ b/qemu-seccomp.c -@@ -120,6 +120,11 @@ static int seccomp_start(uint32_t seccomp_opts) - goto seccomp_return; - } - -+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_TSYNC, 1); -+ if (rc != 0) { -+ goto seccomp_return; -+ } -+ - for (i = 0; i < ARRAY_SIZE(blacklist); i++) { - if (!(seccomp_opts & blacklist[i].set)) { - continue; --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch deleted file mode 100644 index 644459e5..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16867.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 61f87388af0af72ad61dee00ddd267b8047049f2 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Mon, 3 Dec 2018 11:10:45 +0100 -Subject: [PATCH] usb-mtp: outlaw slashes in filenames -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Slash is unix directory separator, so they are not allowed in filenames. -Note this also stops the classic escape via "../". - -Fixes: CVE-2018-16867 -Reported-by: Michael Hanselmann <public@hansmi.ch> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Message-id: 20181203101045.27976-3-kraxel@redhat.com -(cherry picked from commit c52d46e041b42bb1ee6f692e00a0abe37a9659f6) -Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> - -Upstream-Status: Backport -CVE: CVE-2018-16867 -Affects: < 3.1.0 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - hw/usb/dev-mtp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 1ded7ac..899c8a3 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -1667,6 +1667,12 @@ static void usb_mtp_write_metadata(MTPState *s) - - utf16_to_str(dataset->length, dataset->filename, filename); - -+ if (strchr(filename, '/')) { -+ usb_mtp_queue_result(s, RES_PARAMETER_NOT_SUPPORTED, d->trans, -+ 0, 0, 0, 0); -+ return; -+ } -+ - o = usb_mtp_object_lookup_name(p, filename, dataset->length); - if (o != NULL) { - next_handle = o->handle; --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch deleted file mode 100644 index 9f2c5d3e..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-16872.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 7347a04da35ec6284ce83e8bcd72dc4177d17b10 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Thu, 13 Dec 2018 13:25:11 +0100 -Subject: [PATCH] usb-mtp: use O_NOFOLLOW and O_CLOEXEC. - -Open files and directories with O_NOFOLLOW to avoid symlinks attacks. -While being at it also add O_CLOEXEC. - -usb-mtp only handles regular files and directories and ignores -everything else, so users should not see a difference. - -Because qemu ignores symlinks, carrying out a successful symlink attack -requires swapping an existing file or directory below rootdir for a -symlink and winning the race against the inotify notification to qemu. - -Fixes: CVE-2018-16872 -Cc: Prasad J Pandit <ppandit@redhat.com> -Cc: Bandan Das <bsd@redhat.com> -Reported-by: Michael Hanselmann <public@hansmi.ch> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Reviewed-by: Michael Hanselmann <public@hansmi.ch> -Message-id: 20181213122511.13853-1-kraxel@redhat.com -(cherry picked from commit bab9df35ce73d1c8e19a37e2737717ea1c984dc1) -Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> - -Upstream-Status: Backport -CVE: CVE-2018-16872 -Affects: < 3.1.0 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - hw/usb/dev-mtp.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/hw/usb/dev-mtp.c b/hw/usb/dev-mtp.c -index 899c8a3..f4223fb 100644 ---- a/hw/usb/dev-mtp.c -+++ b/hw/usb/dev-mtp.c -@@ -649,13 +649,18 @@ static void usb_mtp_object_readdir(MTPState *s, MTPObject *o) - { - struct dirent *entry; - DIR *dir; -+ int fd; - - if (o->have_children) { - return; - } - o->have_children = true; - -- dir = opendir(o->path); -+ fd = open(o->path, O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); -+ if (fd < 0) { -+ return; -+ } -+ dir = fdopendir(fd); - if (!dir) { - return; - } -@@ -1003,7 +1008,7 @@ static MTPData *usb_mtp_get_object(MTPState *s, MTPControl *c, - - trace_usb_mtp_op_get_object(s->dev.addr, o->handle, o->path); - -- d->fd 
= open(o->path, O_RDONLY); -+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); - if (d->fd == -1) { - usb_mtp_data_free(d); - return NULL; -@@ -1027,7 +1032,7 @@ static MTPData *usb_mtp_get_partial_object(MTPState *s, MTPControl *c, - c->argv[1], c->argv[2]); - - d = usb_mtp_data_alloc(c); -- d->fd = open(o->path, O_RDONLY); -+ d->fd = open(o->path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW); - if (d->fd == -1) { - usb_mtp_data_free(d); - return NULL; -@@ -1608,7 +1613,7 @@ static void usb_mtp_write_data(MTPState *s) - 0, 0, 0, 0); - goto done; - } -- d->fd = open(path, O_CREAT | O_WRONLY, mask); -+ d->fd = open(path, O_CREAT | O_WRONLY | O_CLOEXEC | O_NOFOLLOW, mask); - if (d->fd == -1) { - usb_mtp_queue_result(s, RES_STORE_FULL, d->trans, - 0, 0, 0, 0); --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch deleted file mode 100644 index 88bfd811..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17962.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From 20abe443ad9464b18ac494f71f7d53f19ee3748f Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Mon, 15 Oct 2018 16:38:08 +0800 -Subject: [PATCH] rtl8139: fix possible out of bound access - -In rtl8139_do_receive(), we try to assign size_ to size which converts -from size_t to integer. This will cause troubles when size_ is greater -INT_MAX, this will lead a negative value in size and it can then pass -the check of size < MIN_BUF_SIZE which may lead out of bound access of -for both buf and buf1. - -Fixing by converting the type of size to size_t. - -CC: address@hidden -Reported-by: Daniel Shapira <address@hidden> -Reviewed-by: Michael S. Tsirkin <address@hidden> -Signed-off-by: Jason Wang <address@hidden> - -Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html] - -CVE: CVE-2018-17962 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - hw/net/rtl8139.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c -index 46daa16..2342a09 100644 ---- a/hw/net/rtl8139.c -+++ b/hw/net/rtl8139.c -@@ -817,7 +817,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - RTL8139State *s = qemu_get_nic_opaque(nc); - PCIDevice *d = PCI_DEVICE(s); - /* size is the length of the buffer passed to the driver */ -- int size = size_; -+ size_t size = size_; - const uint8_t *dot1q_buf = NULL; - - uint32_t packet_header = 0; -@@ -826,7 +826,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - static const uint8_t broadcast_macaddr[6] = - { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - -- DPRINTF(">>> received len=%d\n", size); -+ DPRINTF(">>> received len=%zu\n", size); - - /* test if board clock is stopped */ - if (!s->clock_enabled) -@@ -1035,7 +1035,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - - if (size+4 > rx_space) - { -- 
DPRINTF("C+ Rx mode : descriptor %d size %d received %d + 4\n", -+ DPRINTF("C+ Rx mode : descriptor %d size %d received %zu + 4\n", - descriptor, rx_space, size); - - s->IntrStatus |= RxOverflow; -@@ -1148,7 +1148,7 @@ static ssize_t rtl8139_do_receive(NetClientState *nc, const uint8_t *buf, size_t - if (avail != 0 && RX_ALIGN(size + 8) >= avail) - { - DPRINTF("rx overflow: rx buffer length %d head 0x%04x " -- "read 0x%04x === available 0x%04x need 0x%04x\n", -+ "read 0x%04x === available 0x%04x need 0x%04zx\n", - s->RxBufferSize, s->RxBufAddr, s->RxBufPtr, avail, size + 8); - - s->IntrStatus |= RxOverflow; --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch deleted file mode 100644 index 054cdc86..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-17963.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From e5ff72a8005dd1d9c0f63f8a9cc4298df5bb7551 Mon Sep 17 00:00:00 2001 -From: Changqing Li <changqing.li@windriver.com> -Date: Mon, 15 Oct 2018 16:39:46 +0800 -Subject: [PATCH] pcnet: fix possible buffer overflow - -In pcnet_receive(), we try to assign size_ to size which converts from -size_t to integer. This will cause troubles when size_ is greater -INT_MAX, this will lead a negative value in size and it can then pass -the check of size < MIN_BUF_SIZE which may lead out of bound access -for both buf and buf1. - -Fixing by converting the type of size to size_t. - -CC: address@hidden -Reported-by: Daniel Shapira <address@hidden> -Reviewed-by: Michael S. Tsirkin <address@hidden> -Signed-off-by: Jason Wang <address@hidden> - -Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03268.html] - -CVE: CVE-2018-17963 - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - hw/net/pcnet.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index 0c44554..d9ba04b 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -988,14 +988,14 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) - uint8_t buf1[60]; - int remaining; - int crc_err = 0; -- int size = size_; -+ size_t size = size_; - - if (CSR_DRX(s) || CSR_STOP(s) || CSR_SPND(s) || !size || - (CSR_LOOP(s) && !s->looptest)) { - return -1; - } - #ifdef PCNET_DEBUG -- printf("pcnet_receive size=%d\n", size); -+ printf("pcnet_receive size=%zu\n", size); - #endif - - /* if too small buffer, then expand it */ --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch deleted file mode 100644 index b632512e..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18849.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From bd6dd4eaa6f7fe0c4d797d4e59803d295313b7a7 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Sat, 27 Oct 2018 01:13:14 +0530 -Subject: [PATCH] lsi53c895a: check message length value is valid - -While writing a message in 'lsi_do_msgin', message length value -in 'msg_len' could be invalid due to an invalid migration stream. -Add an assertion to avoid an out of bounds access, and reject -the incoming migration data if it contains an invalid message -length. - -Discovered by Deja vu Security. Reported by Oracle. - -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-Id: <20181026194314.18663-1-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> -(cherry picked from commit e58ccf039650065a9442de43c9816f81e88f27f6) -*CVE-2018-18849 -*avoid context dep. on c921370b22c -Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> - -Upstream-Status: Backport -Affects: < 3.1.0 -CVE: CVE-2018-18849 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - hw/scsi/lsi53c895a.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c -index 160657f..3758635 100644 ---- a/hw/scsi/lsi53c895a.c -+++ b/hw/scsi/lsi53c895a.c -@@ -865,10 +865,11 @@ static void lsi_do_status(LSIState *s) - - static void lsi_do_msgin(LSIState *s) - { -- int len; -+ uint8_t len; - DPRINTF("Message in len=%d/%d\n", s->dbc, s->msg_len); - s->sfbr = s->msg[0]; - len = s->msg_len; -+ assert(len > 0 && len <= LSI_MAX_MSGIN_LEN); - if (len > s->dbc) - len = s->dbc; - pci_dma_write(PCI_DEVICE(s), s->dnad, s->msg, len); -@@ -1703,8 +1704,10 @@ static uint8_t lsi_reg_readb(LSIState *s, int offset) - break; - case 0x58: /* SBDL */ - /* Some drivers peek at the data bus during the MSG IN phase. 
*/ -- if ((s->sstat1 & PHASE_MASK) == PHASE_MI) -+ if ((s->sstat1 & PHASE_MASK) == PHASE_MI) { -+ assert(s->msg_len > 0); - return s->msg[0]; -+ } - ret = 0; - break; - case 0x59: /* SBDL high */ -@@ -2096,11 +2099,23 @@ static int lsi_pre_save(void *opaque) - return 0; - } - -+static int lsi_post_load(void *opaque, int version_id) -+{ -+ LSIState *s = opaque; -+ -+ if (s->msg_len < 0 || s->msg_len > LSI_MAX_MSGIN_LEN) { -+ return -EINVAL; -+ } -+ -+ return 0; -+} -+ - static const VMStateDescription vmstate_lsi_scsi = { - .name = "lsiscsi", - .version_id = 0, - .minimum_version_id = 0, - .pre_save = lsi_pre_save, -+ .post_load = lsi_post_load, - .fields = (VMStateField[]) { - VMSTATE_PCI_DEVICE(parent_obj, LSIState), - --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch deleted file mode 100644 index 9fe13645..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-18954.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 3c9fd43da473a324f6cc7a0d3db58f651a2d262c Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Fri, 26 Oct 2018 18:03:58 +0530 -Subject: [PATCH] ppc/pnv: check size before data buffer access -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While performing PowerNV memory r/w operations, the access length -'sz' could exceed the data[4] buffer size. Add check to avoid OOB -access. - -Reported-by: Moguofang <moguofang@huawei.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Reviewed-by: Cédric Le Goater <clg@kaod.org> -Signed-off-by: David Gibson <david@gibson.dropbear.id.au> - -CVE: CVE-2018-18954 -Upstream-Status: Backport -[https://git.qemu.org/?p=qemu.git;a=commit;h=d07945e78eb6b593cd17a4640c1fc9eb35e3245d] - -Signed-off-by: Dan Tran <dantran@microsoft.com> ---- - hw/ppc/pnv_lpc.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/hw/ppc/pnv_lpc.c b/hw/ppc/pnv_lpc.c -index d7721320a2..172a915cfc 100644 ---- a/hw/ppc/pnv_lpc.c -+++ b/hw/ppc/pnv_lpc.c -@@ -155,9 +155,15 @@ static void pnv_lpc_do_eccb(PnvLpcController *lpc, uint64_t cmd) - /* XXX Check for magic bits at the top, addr size etc... */ - unsigned int sz = (cmd & ECCB_CTL_SZ_MASK) >> ECCB_CTL_SZ_LSH; - uint32_t opb_addr = cmd & ECCB_CTL_ADDR_MASK; -- uint8_t data[4]; -+ uint8_t data[8]; - bool success; - -+ if (sz > sizeof(data)) { -+ qemu_log_mask(LOG_GUEST_ERROR, -+ "ECCB: invalid operation at @0x%08x size %d\n", opb_addr, sz); -+ return; -+ } -+ - if (cmd & ECCB_CTL_READ) { - success = opb_read(lpc, opb_addr, data, sz); - if (success) { --- -2.22.0.vfs.1.1.57.gbaf16c8 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch deleted file mode 100644 index 1d77af4e..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p1.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 5b76ef50f62079a2389ba28cacaf6cce68b1a0ed Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Wed, 7 Nov 2018 01:00:04 +0100 -Subject: [PATCH] 9p: write lock path in v9fs_co_open2() - -The assumption that the fid cannot be used by any other operation is -wrong. At least, nothing prevents a misbehaving client to create a -file with a given fid, and to pass this fid to some other operation -at the same time (ie, without waiting for the response to the creation -request). The call to v9fs_path_copy() performed by the worker thread -after the file was created can race with any access to the fid path -performed by some other thread. This causes use-after-free issues that -can be detected by ASAN with a custom 9p client. - -Unlike other operations that only read the fid path, v9fs_co_open2() -does modify it. It should hence take the write lock. - -Cc: P J P <ppandit@redhat.com> -Reported-by: zhibin hu <noirfate@gmail.com> -Signed-off-by: Greg Kurz <groug@kaod.org> - -Upstream-status: Backport -Affects: < 3.1.0 -CVE: CVE-2018-19364 patch #1 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - hw/9pfs/cofile.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/hw/9pfs/cofile.c b/hw/9pfs/cofile.c -index 88791bc..9c22837 100644 ---- a/hw/9pfs/cofile.c -+++ b/hw/9pfs/cofile.c -@@ -140,10 +140,10 @@ int coroutine_fn v9fs_co_open2(V9fsPDU *pdu, V9fsFidState *fidp, - cred.fc_gid = gid; - /* - * Hold the directory fid lock so that directory path name -- * don't change. Read lock is fine because this fid cannot -- * be used by any other operation. -+ * don't change. Take the write lock to be sure this fid -+ * cannot be used by another operation. - */ -- v9fs_path_read_lock(s); -+ v9fs_path_write_lock(s); - v9fs_co_run_in_worker( - { - err = s->ops->open2(&s->ctx, &fidp->path, --- -2.7.4 - 
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
deleted file mode 100644
index b8d094c0..00000000
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19364_p2.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From 5b3c77aa581ebb215125c84b0742119483571e55 Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Tue, 20 Nov 2018 13:00:35 +0100 -Subject: [PATCH] 9p: take write lock on fid path updates (CVE-2018-19364) - -Recent commit 5b76ef50f62079a fixed a race where v9fs_co_open2() could -possibly overwrite a fid path with v9fs_path_copy() while it is being -accessed by some other thread, ie, use-after-free that can be detected -by ASAN with a custom 9p client. - -It turns out that the same can happen at several locations where -v9fs_path_copy() is used to set the fid path. The fix is again to -take the write lock. - -Fixes CVE-2018-19364. - -Cc: P J P <ppandit@redhat.com> -Reported-by: zhibin hu <noirfate@gmail.com> -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Greg Kurz <groug@kaod.org> - -Upstream-status: Backport -Affects: < 3.1.0 -CVE: CVE-2018-19364 patch #2 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - hw/9pfs/9p.c | 15 +++++++++++++++ - 1 file changed, 15 insertions(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index eef289e..267a255 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1391,7 +1391,9 @@ static void coroutine_fn v9fs_walk(void *opaque) - err = -EINVAL; - goto out; - } -+ v9fs_path_write_lock(s); - v9fs_path_copy(&fidp->path, &path); -+ v9fs_path_unlock(s); - } else { - newfidp = alloc_fid(s, newfid); - if (newfidp == NULL) { -@@ -2160,6 +2162,7 @@ static void coroutine_fn v9fs_create(void *opaque) - V9fsString extension; - int iounit; - V9fsPDU *pdu = opaque; -+ V9fsState *s = pdu->s; - - v9fs_path_init(&path); - v9fs_string_init(&name); -@@ -2200,7 +2203,9 @@ static void coroutine_fn v9fs_create(void *opaque) - if (err < 0) { - goto out; - } -+ v9fs_path_write_lock(s); - v9fs_path_copy(&fidp->path, &path); -+ v9fs_path_unlock(s); - err = v9fs_co_opendir(pdu, fidp); - if (err < 0) { - goto out; -@@ -2216,7 +2221,9 @@ static void coroutine_fn v9fs_create(void *opaque) - if (err < 0) 
{ - goto out; - } -+ v9fs_path_write_lock(s); - v9fs_path_copy(&fidp->path, &path); -+ v9fs_path_unlock(s); - } else if (perm & P9_STAT_MODE_LINK) { - int32_t ofid = atoi(extension.data); - V9fsFidState *ofidp = get_fid(pdu, ofid); -@@ -2234,7 +2241,9 @@ static void coroutine_fn v9fs_create(void *opaque) - fidp->fid_type = P9_FID_NONE; - goto out; - } -+ v9fs_path_write_lock(s); - v9fs_path_copy(&fidp->path, &path); -+ v9fs_path_unlock(s); - err = v9fs_co_lstat(pdu, &fidp->path, &stbuf); - if (err < 0) { - fidp->fid_type = P9_FID_NONE; -@@ -2272,7 +2281,9 @@ static void coroutine_fn v9fs_create(void *opaque) - if (err < 0) { - goto out; - } -+ v9fs_path_write_lock(s); - v9fs_path_copy(&fidp->path, &path); -+ v9fs_path_unlock(s); - } else if (perm & P9_STAT_MODE_NAMED_PIPE) { - err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, - 0, S_IFIFO | (perm & 0777), &stbuf); -@@ -2283,7 +2294,9 @@ static void coroutine_fn v9fs_create(void *opaque) - if (err < 0) { - goto out; - } -+ v9fs_path_write_lock(s); - v9fs_path_copy(&fidp->path, &path); -+ v9fs_path_unlock(s); - } else if (perm & P9_STAT_MODE_SOCKET) { - err = v9fs_co_mknod(pdu, fidp, &name, fidp->uid, -1, - 0, S_IFSOCK | (perm & 0777), &stbuf); -@@ -2294,7 +2307,9 @@ static void coroutine_fn v9fs_create(void *opaque) - if (err < 0) { - goto out; - } -+ v9fs_path_write_lock(s); - v9fs_path_copy(&fidp->path, &path); -+ v9fs_path_unlock(s); - } else { - err = v9fs_co_open2(pdu, fidp, &name, -1, - omode_to_uflags(mode)|O_CREAT, perm, &stbuf); --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch deleted file mode 100644 index 7619e2a8..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-19489.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 1d20398694a3b67a388d955b7a945ba4aa90a8a8 Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Fri, 23 Nov 2018 13:28:03 +0100 -Subject: [PATCH] 9p: fix QEMU crash when renaming files - -When using the 9P2000.u version of the protocol, the following shell -command line in the guest can cause QEMU to crash: - - while true; do rm -rf aa; mkdir -p a/b & touch a/b/c & mv a aa; done - -With 9P2000.u, file renaming is handled by the WSTAT command. The -v9fs_wstat() function calls v9fs_complete_rename(), which calls -v9fs_fix_path() for every fid whose path is affected by the change. -The involved calls to v9fs_path_copy() may race with any other access -to the fid path performed by some worker thread, causing a crash like -shown below: - -Thread 12 "qemu-system-x86" received signal SIGSEGV, Segmentation fault. -0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, path=0x0, - flags=65536, mode=0) at hw/9pfs/9p-local.c:59 -59 while (*path && fd != -1) { -(gdb) bt -#0 0x0000555555a25da2 in local_open_nofollow (fs_ctx=0x555557d958b8, - path=0x0, flags=65536, mode=0) at hw/9pfs/9p-local.c:59 -#1 0x0000555555a25e0c in local_opendir_nofollow (fs_ctx=0x555557d958b8, - path=0x0) at hw/9pfs/9p-local.c:92 -#2 0x0000555555a261b8 in local_lstat (fs_ctx=0x555557d958b8, - fs_path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/9p-local.c:185 -#3 0x0000555555a2b367 in v9fs_co_lstat (pdu=0x555557d97498, - path=0x555556b56858, stbuf=0x7fff84830ef0) at hw/9pfs/cofile.c:53 -#4 0x0000555555a1e9e2 in v9fs_stat (opaque=0x555557d97498) - at hw/9pfs/9p.c:1083 -#5 0x0000555555e060a2 in coroutine_trampoline (i0=-669165424, i1=32767) - at util/coroutine-ucontext.c:116 -#6 0x00007fffef4f5600 in __start_context () at /lib64/libc.so.6 -#7 0x0000000000000000 in () -(gdb) - -The fix is to take the path write lock when calling v9fs_complete_rename(), -like in v9fs_rename(). - -Impact: DoS triggered by unprivileged guest users. 
- -Fixes: CVE-2018-19489 -Cc: P J P <ppandit@redhat.com> -Reported-by: zhibin hu <noirfate@gmail.com> -Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Greg Kurz <groug@kaod.org> - -Upstream-Status: Backport -Affects: < 4.0.0 -CVE: CVE-2018-19489 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - hw/9pfs/9p.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index 267a255..bdf7919 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -2855,6 +2855,7 @@ static void coroutine_fn v9fs_wstat(void *opaque) - struct stat stbuf; - V9fsFidState *fidp; - V9fsPDU *pdu = opaque; -+ V9fsState *s = pdu->s; - - v9fs_stat_init(&v9stat); - err = pdu_unmarshal(pdu, offset, "dwS", &fid, &unused, &v9stat); -@@ -2920,7 +2921,9 @@ static void coroutine_fn v9fs_wstat(void *opaque) - } - } - if (v9stat.name.size != 0) { -+ v9fs_path_write_lock(s); - err = v9fs_complete_rename(pdu, fidp, -1, &v9stat.name); -+ v9fs_path_unlock(s); - if (err < 0) { - goto out; - } --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch deleted file mode 100644 index c3a59814..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p1.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From da885fe1ee8b4589047484bd7fa05a4905b52b17 Mon Sep 17 00:00:00 2001 -From: Peter Maydell <peter.maydell@linaro.org> -Date: Fri, 14 Dec 2018 13:30:52 +0000 -Subject: [PATCH] device_tree.c: Don't use load_image() - -The load_image() function is deprecated, as it does not let the -caller specify how large the buffer to read the file into is. -Instead use load_image_size(). - -Signed-off-by: Peter Maydell <peter.maydell@linaro.org> -Reviewed-by: Richard Henderson <richard.henderson@linaro.org> -Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Reviewed-by: Eric Blake <eblake@redhat.com> -Message-id: 20181130151712.2312-9-peter.maydell@linaro.org - -Upstream-Status: Backport -CVE: CVE-2018-20815 -affects <= 3.0.1 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - device_tree.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/device_tree.c b/device_tree.c -index 6d9c972..296278e 100644 ---- a/device_tree.c -+++ b/device_tree.c -@@ -91,7 +91,7 @@ void *load_device_tree(const char *filename_path, int *sizep) - /* First allocate space in qemu for device tree */ - fdt = g_malloc0(dt_size); - -- dt_file_load_size = load_image(filename_path, fdt); -+ dt_file_load_size = load_image_size(filename_path, fdt, dt_size); - if (dt_file_load_size < 0) { - error_report("Unable to open device tree file '%s'", - filename_path); --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch deleted file mode 100644 index d01e8744..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2018-20815_p2.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From 065e6298a75164b4347682b63381dbe752c2b156 Mon Sep 17 00:00:00 2001 -From: Markus Armbruster <armbru@redhat.com> -Date: Tue, 9 Apr 2019 19:40:18 +0200 -Subject: [PATCH] device_tree: Fix integer overflowing in load_device_tree() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the -computation of @dt_size overflows to a negative number, which then -gets converted to a very large size_t for g_malloc0() and -load_image_size(). In the (fortunately improbable) case g_malloc0() -succeeds and load_image_size() survives, we'd assign the negative -number to *sizep. What that would do to the callers I can't say, but -it's unlikely to be good. - -Fix by rejecting images whose size would overflow. - -Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com> -Signed-off-by: Markus Armbruster <armbru@redhat.com> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Signed-off-by: Alistair Francis <alistair.francis@wdc.com> -Message-Id: <20190409174018.25798-1-armbru@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2018-20815 -affects <= 3.0.1 - -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - device_tree.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/device_tree.c b/device_tree.c -index 296278e..f8b46b3 100644 ---- a/device_tree.c -+++ b/device_tree.c -@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep) - filename_path); - goto fail; - } -+ if (dt_size > INT_MAX / 2 - 10000) { -+ error_report("Device tree file '%s' is too large", filename_path); -+ goto fail; -+ } - - /* Expand to 2x size to give enough room for manipulation. */ - dt_size += 10000; --- -2.7.4 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch deleted file mode 100644 index 8a5ece51..00000000 
--- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12155.patch +++ /dev/null @@ -1,38 +0,0 @@ -From d52680fc932efb8a2f334cc6993e705ed1e31e99 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Thu, 25 Apr 2019 12:05:34 +0530 -Subject: [PATCH] qxl: check release info object - -When releasing spice resources in release_resource() routine, -if release info object 'ext.info' is null, it leads to null -pointer dereference. Add check to avoid it. - -Reported-by: Bugs SysSec <bugs-syssec@rub.de> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-id: 20190425063534.32747-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> - -Upstream-Status: Backport -https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99 - -CVE: CVE-2019-12155 -Affects: <= 4.0.0 -Signed-off-by: Armin Kuster <akuster@mvistra.com> ---- - hw/display/qxl.c | 3 +++ - 1 file changed, 3 insertions(+) - -Index: qemu-3.0.0/hw/display/qxl.c -=================================================================== ---- qemu-3.0.0.orig/hw/display/qxl.c -+++ qemu-3.0.0/hw/display/qxl.c -@@ -764,6 +764,9 @@ static void interface_release_resource(Q - QXLReleaseRing *ring; - uint64_t *item, id; - -+ if (!ext.info) { -+ return; -+ } - if (ext.group_id == MEMSLOT_GROUP_HOST) { - /* host group -> vga mode update request */ - QXLCommandExt *cmdext = (void *)(intptr_t)(ext.info->id); diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch new file mode 100644 index 00000000..1d89431b --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch 
@@ -0,0 +1,48 @@ +From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 2001 +From: Li Zhou <li.zhou@windriver.com> +Date: Tue, 10 Sep 2019 20:02:15 -0700 +Subject: [PATCH] ip_reass: Fix use after free + +Using ip_deq after m_free might read pointers from an allocation reuse. + +This would be difficult to exploit, but that is still related with +CVE-2019-14378 which generates fragmented IP packets that would trigger this +issue and at least produce a DoS. + +Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> + +Upstream-Status: Backport +CVE: CVE-2019-15890 +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + slirp/src/ip_input.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c +index 8c75d914..c07d7d40 100644 +--- a/slirp/src/ip_input.c ++++ b/slirp/src/ip_input.c +@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) + */ + while (q != (struct ipasfrag *)&fp->frag_link && + ip->ip_off + ip->ip_len > q->ipf_off) { ++ struct ipasfrag *prev; + i = (ip->ip_off + ip->ip_len) - q->ipf_off; + if (i < q->ipf_len) { + q->ipf_len -= i; +@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp) + m_adj(dtom(slirp, q), i); + break; + } ++ prev = q; + q = q->ipf_next; +- m_free(dtom(slirp, q->ipf_prev)); +- ip_deq(q->ipf_prev); ++ ip_deq(prev); ++ m_free(dtom(slirp, prev)); + } + + insert: +-- +2.23.0 + diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch deleted file mode 100644 index 0e11ad28..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-3812.patch +++ /dev/null 
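Review bot: The new patch file's `Upstream-Status: Backport` line carries no reference to the upstream commit, unlike the sibling patches in this directory that cite the commit in brackets (e.g. the CVE-2019-3812 and CVE-2019-6778 files); change it to `Upstream-Status: Backport [<upstream commit URL placeholder>]` so the backport can be verified and dropped on the next qemu upgrade. The `From:` line names the backporter while the first `Signed-off-by:` is Samuel Thibault, which suggests the upstream author was lost when the patch was re-exported — if so, restore the original author in `From:`. The description ties this fix to CVE-2019-14378; a one-line note in the patch header saying whether that CVE's own fix is already present in this qemu version would save the next maintainer a search. The embedded C change itself, taking `prev = q` and calling `ip_deq(prev)` before `m_free(dtom(slirp, prev))`, reads as the correct ordering for the use-after-free it describes.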
@@ -1,39 +0,0 @@ -From b664d9d003d1a98642dcfb8e6fceef6dbf3d52d8 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann <kraxel@redhat.com> -Date: Tue, 8 Jan 2019 11:23:01 +0100 -Subject: [PATCH] i2c-ddc: fix oob read -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Suggested-by: Michael Hanselmann <public@hansmi.ch> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> -Reviewed-by: Michael Hanselmann <public@hansmi.ch> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Message-id: 20190108102301.1957-1-kraxel@redhat.com - -CVE: CVE-2019-3812 -Upstream-Status: Backport -[https://git.qemu.org/?p=qemu.git;a=commit;h=b05b267840515730dbf6753495d5b7bd8b04ad1c] - -Signed-off-by: Dan Tran <dantran@microsoft.com> ---- - hw/i2c/i2c-ddc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/i2c/i2c-ddc.c b/hw/i2c/i2c-ddc.c -index bec0c91e2d..89e659288e 100644 ---- a/hw/i2c/i2c-ddc.c -+++ b/hw/i2c/i2c-ddc.c -@@ -247,7 +247,7 @@ static int i2c_ddc_rx(I2CSlave *i2c) - I2CDDCState *s = I2CDDC(i2c); - - int value; -- value = s->edid_blob[s->reg]; -+ value = s->edid_blob[s->reg % sizeof(s->edid_blob)]; - s->reg++; - return value; - } --- -2.22.0.vfs.1.1.57.gbaf16c8 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch deleted file mode 100644 index 5b145960..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-6778.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From b6c0fa3b435375918714e107b22de2ef13a41c26 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Sun, 13 Jan 2019 23:29:48 +0530 -Subject: [PATCH] slirp: check data length while emulating ident function - -While emulating identification protocol, tcp_emu() does not check -available space in the 'sc_rcv->sb_data' buffer. It could lead to -heap buffer overflow issue. Add check to avoid it. - -Reported-by: Kira <864786842@qq.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> - -CVE: CVE-2019-6778 -Upstream-Status: Backport -[https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905] - -Signed-off-by: Dan Tran <dantran@microsoft.com> ---- - slirp/tcp_subr.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c -index 8d0f94b75f..7277aadfdf 100644 ---- a/slirp/tcp_subr.c -+++ b/slirp/tcp_subr.c -@@ -640,6 +640,11 @@ tcp_emu(struct socket *so, struct mbuf *m) - socklen_t addrlen = sizeof(struct sockaddr_in); - struct sbuf *so_rcv = &so->so_rcv; - -+ if (m->m_len > so_rcv->sb_datalen -+ - (so_rcv->sb_wptr - so_rcv->sb_data)) { -+ return 1; -+ } -+ - memcpy(so_rcv->sb_wptr, m->m_data, m->m_len); - so_rcv->sb_wptr += m->m_len; - so_rcv->sb_rptr += m->m_len; --- -2.22.0.vfs.1.1.57.gbaf16c8 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch deleted file mode 100644 index db3201c5..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-8934.patch +++ /dev/null 
@@ -1,215 +0,0 @@ -From 13e153f01b4f2a3e199202b34a247d83c176f21a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Mon, 18 Feb 2019 23:43:49 +0530 -Subject: [PATCH] ppc: add host-serial and host-model machine attributes - (CVE-2019-8934) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -On ppc hosts, hypervisor shares following system attributes - - - /proc/device-tree/system-id - - /proc/device-tree/model - -with a guest. This could lead to information leakage and misuse.[*] -Add machine attributes to control such system information exposure -to a guest. - -[*] https://wiki.openstack.org/wiki/OSSN/OSSN-0028 - -Reported-by: Daniel P. Berrangé <berrange@redhat.com> -Fix-suggested-by: Daniel P. Berrangé <berrange@redhat.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-Id: <20190218181349.23885-1-ppandit@redhat.com> -Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> -Reviewed-by: Greg Kurz <groug@kaod.org> -Signed-off-by: David Gibson <david@gibson.dropbear.id.au> - -CVE: CVE-2019-8934 -Upstream-Status: Backport -[https://github.com/qemu/qemu/commit/27461d69a0f108dea756419251acc3ea65198f1b] - -Signed-off-by: Dan Tran <dantran@microsoft.com> ---- - hw/ppc/spapr.c | 128 ++++++++++++++++++++++++++++++++++++++--- - include/hw/ppc/spapr.h | 2 + - 2 files changed, 123 insertions(+), 7 deletions(-) - -diff --git a/hw/ppc/spapr.c b/hw/ppc/spapr.c -index 421b2dd09b..069d678ee0 100644 ---- a/hw/ppc/spapr.c -+++ b/hw/ppc/spapr.c -@@ -1266,13 +1266,30 @@ static void *spapr_build_fdt(sPAPRMachineState *spapr, - * Add info to guest to indentify which host is it being run on - * and what is the uuid of the guest - */ -- if (kvmppc_get_host_model(&buf)) { -- _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); -- g_free(buf); -+ if (spapr->host_model && !g_str_equal(spapr->host_model, "none")) { -+ if (g_str_equal(spapr->host_model, "passthrough")) { -+ /* -M host-model=passthrough */ 
-+ if (kvmppc_get_host_model(&buf)) { -+ _FDT(fdt_setprop_string(fdt, 0, "host-model", buf)); -+ g_free(buf); -+ } -+ } else { -+ /* -M host-model=<user-string> */ -+ _FDT(fdt_setprop_string(fdt, 0, "host-model", spapr->host_model)); -+ } - } -- if (kvmppc_get_host_serial(&buf)) { -- _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); -- g_free(buf); -+ -+ if (spapr->host_serial && !g_str_equal(spapr->host_serial, "none")) { -+ if (g_str_equal(spapr->host_serial, "passthrough")) { -+ /* -M host-serial=passthrough */ -+ if (kvmppc_get_host_serial(&buf)) { -+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", buf)); -+ g_free(buf); -+ } -+ } else { -+ /* -M host-serial=<user-string> */ -+ _FDT(fdt_setprop_string(fdt, 0, "host-serial", spapr->host_serial)); -+ } - } - - buf = qemu_uuid_unparse_strdup(&qemu_uuid); -@@ -3027,6 +3044,73 @@ static void spapr_set_vsmt(Object *obj, Visitor *v, const char *name, - visit_type_uint32(v, name, (uint32_t *)opaque, errp); - } - -+static char *spapr_get_ic_mode(Object *obj, Error **errp) -+{ -+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); -+ -+ if (spapr->irq == &spapr_irq_xics_legacy) { -+ return g_strdup("legacy"); -+ } else if (spapr->irq == &spapr_irq_xics) { -+ return g_strdup("xics"); -+ } else if (spapr->irq == &spapr_irq_xive) { -+ return g_strdup("xive"); -+ } else if (spapr->irq == &spapr_irq_dual) { -+ return g_strdup("dual"); -+ } -+ g_assert_not_reached(); -+} -+ -+static void spapr_set_ic_mode(Object *obj, const char *value, Error **errp) -+{ -+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); -+ -+ if (SPAPR_MACHINE_GET_CLASS(spapr)->legacy_irq_allocation) { -+ error_setg(errp, "This machine only uses the legacy XICS backend, don't pass ic-mode"); -+ return; -+ } -+ -+ /* The legacy IRQ backend can not be set */ -+ if (strcmp(value, "xics") == 0) { -+ spapr->irq = &spapr_irq_xics; -+ } else if (strcmp(value, "xive") == 0) { -+ spapr->irq = &spapr_irq_xive; -+ } else if (strcmp(value, "dual") == 0) { -+ spapr->irq = 
&spapr_irq_dual; -+ } else { -+ error_setg(errp, "Bad value for \"ic-mode\" property"); -+ } -+} -+ -+static char *spapr_get_host_model(Object *obj, Error **errp) -+{ -+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); -+ -+ return g_strdup(spapr->host_model); -+} -+ -+static void spapr_set_host_model(Object *obj, const char *value, Error **errp) -+{ -+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); -+ -+ g_free(spapr->host_model); -+ spapr->host_model = g_strdup(value); -+} -+ -+static char *spapr_get_host_serial(Object *obj, Error **errp) -+{ -+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); -+ -+ return g_strdup(spapr->host_serial); -+} -+ -+static void spapr_set_host_serial(Object *obj, const char *value, Error **errp) -+{ -+ sPAPRMachineState *spapr = SPAPR_MACHINE(obj); -+ -+ g_free(spapr->host_serial); -+ spapr->host_serial = g_strdup(value); -+} -+ - static void spapr_instance_init(Object *obj) - { - sPAPRMachineState *spapr = SPAPR_MACHINE(obj); -@@ -3063,6 +3147,25 @@ static void spapr_instance_init(Object *obj) - " the host's SMT mode", &error_abort); - object_property_add_bool(obj, "vfio-no-msix-emulation", - spapr_get_msix_emulation, NULL, NULL); -+ -+ /* The machine class defines the default interrupt controller mode */ -+ spapr->irq = smc->irq; -+ object_property_add_str(obj, "ic-mode", spapr_get_ic_mode, -+ spapr_set_ic_mode, NULL); -+ object_property_set_description(obj, "ic-mode", -+ "Specifies the interrupt controller mode (xics, xive, dual)", -+ NULL); -+ -+ object_property_add_str(obj, "host-model", -+ spapr_get_host_model, spapr_set_host_model, -+ &error_abort); -+ object_property_set_description(obj, "host-model", -+ "Set host's model-id to use - none|passthrough|string", &error_abort); -+ object_property_add_str(obj, "host-serial", -+ spapr_get_host_serial, spapr_set_host_serial, -+ &error_abort); -+ object_property_set_description(obj, "host-serial", -+ "Set host's system-id to use - none|passthrough|string", &error_abort); - } - - static 
void spapr_machine_finalizefn(Object *obj) -@@ -4067,7 +4170,18 @@ static void spapr_machine_3_0_instance_options(MachineState *machine) - - static void spapr_machine_3_0_class_options(MachineClass *mc) - { -- /* Defaults for the latest behaviour inherited from the base class */ -+ sPAPRMachineClass *smc = SPAPR_MACHINE_CLASS(mc); -+ static GlobalProperty compat[] = { -+ { TYPE_SPAPR_MACHINE, "host-model", "passthrough" }, -+ { TYPE_SPAPR_MACHINE, "host-serial", "passthrough" }, -+ }; -+ -+ spapr_machine_4_0_class_options(mc); -+ compat_props_add(mc->compat_props, hw_compat_3_1, hw_compat_3_1_len); -+ compat_props_add(mc->compat_props, compat, G_N_ELEMENTS(compat)); -+ -+ mc->default_cpu_type = POWERPC_CPU_TYPE_NAME("power8_v2.0"); -+ smc->update_dt_enabled = false; - } - - DEFINE_SPAPR_MACHINE(3_0, "3.0", true); -diff --git a/include/hw/ppc/spapr.h b/include/hw/ppc/spapr.h -index 7e5de1a6fd..4c69a55374 100644 ---- a/include/hw/ppc/spapr.h -+++ b/include/hw/ppc/spapr.h -@@ -165,6 +165,8 @@ struct sPAPRMachineState { - - /*< public >*/ - char *kvm_type; -+ char *host_model; -+ char *host_serial; - - const char *icp_type; - --- -2.22.0.vfs.1.1.57.gbaf16c8 - diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch deleted file mode 100644 index 7f830067..00000000 --- a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-9824.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From d3222975c7d6cda9e25809dea05241188457b113 Mon Sep 17 00:00:00 2001 -From: William Bowling <will@wbowling.info> -Date: Fri, 1 Mar 2019 21:45:56 +0000 -Subject: [PATCH 1/1] slirp: check sscanf result when emulating ident -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -When emulating ident in tcp_emu, if the strchr checks passed but the -sscanf check failed, two uninitialized variables would be copied and -sent in the reply, so move this code inside the if(sscanf()) clause. - -Signed-off-by: William Bowling <will@wbowling.info> -Cc: qemu-stable@nongnu.org -Cc: secalert@redhat.com -Message-Id: <1551476756-25749-1-git-send-email-will@wbowling.info> -Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org> -Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> - -Upstream-Status: Backport -https://git.qemu.org/?p=qemu.git;a=commitdiff;h=d3222975c7d6cda9e25809dea05241188457b113;hp=6c419a1e06c21c4568d5a12a9c5cafcdb00f6aa8 -CVE: CVE-2019-9824 -affects < 4.0.0 -Signed-off-by: Armin Kuster <akuster@mvista.com> - -Index: qemu-3.0.0/slirp/tcp_subr.c -=================================================================== ---- qemu-3.0.0.orig/slirp/tcp_subr.c -+++ qemu-3.0.0/slirp/tcp_subr.c -@@ -662,12 +662,12 @@ tcp_emu(struct socket *so, struct mbuf * - break; - } - } -+ so_rcv->sb_cc = snprintf(so_rcv->sb_data, -+ so_rcv->sb_datalen, -+ "%d,%d\r\n", n1, n2); -+ so_rcv->sb_rptr = so_rcv->sb_data; -+ so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; - } -- so_rcv->sb_cc = snprintf(so_rcv->sb_data, -- so_rcv->sb_datalen, -- "%d,%d\r\n", n1, n2); -- so_rcv->sb_rptr = so_rcv->sb_data; -- so_rcv->sb_wptr = so_rcv->sb_data + so_rcv->sb_cc; - } - m_free(m); - return 0; diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch new file mode 100644 index 00000000..0931489a --- /dev/null 
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-10702.patch
@@ -0,0 +1,52 @@
+From de0b1bae6461f67243282555475f88b2384a1eb9 Mon Sep 17 00:00:00 2001
+From: Vincent Dehors <vincent.dehors@smile.fr>
+Date: Thu, 23 Jan 2020 15:22:38 +0000
+Subject: [PATCH] target/arm: Fix PAuth sbox functions
+
+In the PAC computation, sbox was applied over wrong bits.
+As this is a 4-bit sbox, bit index should be incremented by 4 instead of 16.
+
+Test vector from QARMA paper (https://eprint.iacr.org/2016/444.pdf) was
+used to verify one computation of the pauth_computepac() function which
+uses sbox2.
+
+Launchpad: https://bugs.launchpad.net/bugs/1859713
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Vincent DEHORS <vincent.dehors@smile.fr>
+Signed-off-by: Adrien GRASSEIN <adrien.grassein@smile.fr>
+Message-id: 20200116230809.19078-2-richard.henderson@linaro.org
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=de0b1bae6461f67243282555475f88b2384a1eb9]
+CVE: CVE-2020-10702
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ target/arm/pauth_helper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/arm/pauth_helper.c b/target/arm/pauth_helper.c
+index d3194f2..0a5f41e 100644
+--- a/target/arm/pauth_helper.c
++++ b/target/arm/pauth_helper.c
+@@ -89,7 +89,7 @@ static uint64_t pac_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+@@ -104,7 +104,7 @@ static uint64_t pac_inv_sub(uint64_t i)
+ uint64_t o = 0;
+ int b;
+
+- for (b = 0; b < 64; b += 16) {
++ for (b = 0; b < 64; b += 4) {
+ o |= (uint64_t)inv_sub[(i >> b) & 0xf] << b;
+ }
+ return o;
+--
+1.8.3.1
+
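Review bot: The backport carries only the sbox-stride half of the upstream PAuth repair — the `b += 16` to `b += 4` change in `pac_sub()` and `pac_inv_sub()` — while, as far as I recall, Launchpad 1859713 was fixed by a two-patch series (this message-id's `-2` suffix is the first patch after the cover letter) whose second commit corrects the tweak handling in the same helper and is also attributed to CVE-2020-10702; please confirm whether that companion patch is carried elsewhere in the recipe, because with only this change the emulated PAC can still differ from the architected one. Whichever way that is decided, the patch file should record it under the `CVE:` trailer, e.g. `Note: companion upstream fix for the PAuth tweak is carried in CVE-2020-10702-2.patch` or `Note: companion tweak fix intentionally omitted because …`. The two loops themselves are complete in the hunk and the new stride matches the 4-bit sbox indexing `(i >> b) & 0xf`.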
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch
new file mode 100644
index 00000000..e5e336a2
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-10761.patch
@@ -0,0 +1,150 @@ +From 5c4fe018c025740fef4a0a4421e8162db0c3eefd Mon Sep 17 00:00:00 2001 +From: Eric Blake <eblake@redhat.com> +Date: Mon, 8 Jun 2020 13:26:37 -0500 +Subject: [PATCH] nbd/server: Avoid long error message assertions + CVE-2020-10761 + +Ever since commit 36683283 (v2.8), the server code asserts that error +strings sent to the client are well-formed per the protocol by not +exceeding the maximum string length of 4096. At the time the server +first started sending error messages, the assertion could not be +triggered, because messages were completely under our control. +However, over the years, we have added latent scenarios where a client +could trigger the server to attempt an error message that would +include the client's information if it passed other checks first: + +- requesting NBD_OPT_INFO/GO on an export name that is not present + (commit 0cfae925 in v2.12 echoes the name) + +- requesting NBD_OPT_LIST/SET_META_CONTEXT on an export name that is + not present (commit e7b1948d in v2.12 echoes the name) + +At the time, those were still safe because we flagged names larger +than 256 bytes with a different message; but that changed in commit +93676c88 (v4.2) when we raised the name limit to 4096 to match the NBD +string limit. (That commit also failed to change the magic number +4096 in nbd_negotiate_send_rep_err to the just-introduced named +constant.) So with that commit, long client names appended to server +text can now trigger the assertion, and thus be used as a denial of +service attack against a server. As a mitigating factor, if the +server requires TLS, the client cannot trigger the problematic paths +unless it first supplies TLS credentials, and such trusted clients are +less likely to try to intentionally crash the server. 
+ +We may later want to further sanitize the user-supplied strings we +place into our error messages, such as scrubbing out control +characters, but that is less important to the CVE fix, so it can be a +later patch to the new nbd_sanitize_name. + +Consideration was given to changing the assertion in +nbd_negotiate_send_rep_verr to instead merely log a server error and +truncate the message, to avoid leaving a latent path that could +trigger a future CVE DoS on any new error message. However, this +merely complicates the code for something that is already (correctly) +flagging coding errors, and now that we are aware of the long message +pitfall, we are less likely to introduce such errors in the future, +which would make such error handling dead code. + +Reported-by: Xueqiang Wei <xuwei@redhat.com> +CC: qemu-stable@nongnu.org +Fixes: https://bugzilla.redhat.com/1843684 CVE-2020-10761 +Fixes: 93676c88d7 +Signed-off-by: Eric Blake <eblake@redhat.com> +Message-Id: <20200610163741.3745251-2-eblake@redhat.com> +Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/5c4fe018c025740fef4a0a4421e8162db0c3eefd] +CVE: CVE-2020-10761 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + nbd/server.c | 23 ++++++++++++++++++++--- + tests/qemu-iotests/143 | 4 ++++ + tests/qemu-iotests/143.out | 2 ++ + 3 files changed, 26 insertions(+), 3 deletions(-) + +diff --git a/nbd/server.c b/nbd/server.c +index 02b1ed08014..20754e9ebc3 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -217,7 +217,7 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, + + msg = g_strdup_vprintf(fmt, va); + len = strlen(msg); +- assert(len < 4096); ++ assert(len < NBD_MAX_STRING_SIZE); + trace_nbd_negotiate_send_rep_err(msg); + ret = nbd_negotiate_send_rep_len(client, type, len, errp); + if (ret < 0) { +@@ -231,6 +231,19 @@ nbd_negotiate_send_rep_verr(NBDClient *client, uint32_t type, + return 0; + } + ++/* 
++ * Return a malloc'd copy of @name suitable for use in an error reply. ++ */ ++static char * ++nbd_sanitize_name(const char *name) ++{ ++ if (strnlen(name, 80) < 80) { ++ return g_strdup(name); ++ } ++ /* XXX Should we also try to sanitize any control characters? */ ++ return g_strdup_printf("%.80s...", name); ++} ++ + /* Send an error reply. + * Return -errno on error, 0 on success. */ + static int GCC_FMT_ATTR(4, 5) +@@ -595,9 +608,11 @@ static int nbd_negotiate_handle_info(NBDClient *client, Error **errp) + + exp = nbd_export_find(name); + if (!exp) { ++ g_autofree char *sane_name = nbd_sanitize_name(name); ++ + return nbd_negotiate_send_rep_err(client, NBD_REP_ERR_UNKNOWN, + errp, "export '%s' not present", +- name); ++ sane_name); + } + + /* Don't bother sending NBD_INFO_NAME unless client requested it */ +@@ -995,8 +1010,10 @@ static int nbd_negotiate_meta_queries(NBDClient *client, + + meta->exp = nbd_export_find(export_name); + if (meta->exp == NULL) { ++ g_autofree char *sane_name = nbd_sanitize_name(export_name); ++ + return nbd_opt_drop(client, NBD_REP_ERR_UNKNOWN, errp, +- "export '%s' not present", export_name); ++ "export '%s' not present", sane_name); + } + + ret = nbd_opt_read(client, &nb_queries, sizeof(nb_queries), errp); +diff --git a/tests/qemu-iotests/143 b/tests/qemu-iotests/143 +index f649b361950..d2349903b1b 100755 +--- a/tests/qemu-iotests/143 ++++ b/tests/qemu-iotests/143 +@@ -58,6 +58,10 @@ _send_qemu_cmd $QEMU_HANDLE \ + $QEMU_IO_PROG -f raw -c quit \ + "nbd+unix:///no_such_export?socket=$SOCK_DIR/nbd" 2>&1 \ + | _filter_qemu_io | _filter_nbd ++# Likewise, with longest possible name permitted in NBD protocol ++$QEMU_IO_PROG -f raw -c quit \ ++ "nbd+unix:///$(printf %4096d 1 | tr ' ' a)?socket=$SOCK_DIR/nbd" 2>&1 \ ++ | _filter_qemu_io | _filter_nbd | sed 's/aaaa*aa/aa--aa/' + + _send_qemu_cmd $QEMU_HANDLE \ + "{ 'execute': 'quit' }" \ +diff --git a/tests/qemu-iotests/143.out b/tests/qemu-iotests/143.out +index 1f4001c6013..fc9c0a761fa 
100644 +--- a/tests/qemu-iotests/143.out ++++ b/tests/qemu-iotests/143.out +@@ -5,6 +5,8 @@ QA output created by 143 + {"return": {}} + qemu-io: can't open device nbd+unix:///no_such_export?socket=SOCK_DIR/nbd: Requested export not available + server reported: export 'no_such_export' not present ++qemu-io: can't open device nbd+unix:///aa--aa1?socket=SOCK_DIR/nbd: Requested export not available ++server reported: export 'aa--aa...' not present + { 'execute': 'quit' } + {"return": {}} + {"timestamp": {"seconds": TIMESTAMP, "microseconds": TIMESTAMP}, "event": "SHUTDOWN", "data": {"guest": false, "reason": "host-qmp-quit"}} diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch new file mode 100644 index 00000000..e8f3e1db --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch 
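Review bot: `nbd_sanitize_name()` truncates the client-supplied export name but still copies it byte-for-byte, control characters included, into the error reply and into `trace_nbd_negotiate_send_rep_err(msg)`; the `XXX` comment in the hunk and the commit message both defer that, so an unauthenticated client (when TLS is not required) can still push terminal escape sequences into a server's trace or log output. The limit `80` also appears twice in the helper; a named constant would make the policy visible and keep the two in step, e.g. `#define NBD_ERR_NAME_MAX 80` with `if (strnlen(name, NBD_ERR_NAME_MAX) < NBD_ERR_NAME_MAX)`. Only the two `nbd_export_find()` failure paths are routed through the sanitizer here; any other `nbd_negotiate_send_rep_err()`/`nbd_opt_drop()` caller that formats a client string (none visible in this hunk) should be audited for the same pattern, since the `assert(len < NBD_MAX_STRING_SIZE)` remains a crash on any oversize message. The enclosing functions start and end outside the hunk.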
@@ -0,0 +1,148 @@ +From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 24 Mar 2020 22:57:22 +0530 +Subject: [PATCH] net: tulip: check frame size and r/w data length + +Tulip network driver while copying tx/rx buffers does not check +frame size against r/w data length. This may lead to OOB buffer +access. Add check to avoid it. + +Limit iterations over descriptors to avoid potential infinite +loop issue in tulip_xmit_list_update. + +Reported-by: Li Qiang <pangpei.lq@antfin.com> +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Reported-by: Jason Wang <jasowang@redhat.com> +Tested-by: Li Qiang <liq3ea@gmail.com> +Reviewed-by: Li Qiang <liq3ea@gmail.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850] +CVE: CVE-2020-11102 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- + 1 file changed, 27 insertions(+), 9 deletions(-) + +diff --git a/hw/net/tulip.c b/hw/net/tulip.c +index cfac271..1295f51 100644 +--- a/hw/net/tulip.c ++++ b/hw/net/tulip.c +@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) + } else { + len = s->rx_frame_len; + } ++ ++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { ++ return; ++ } + pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + + (s->rx_frame_size - s->rx_frame_len), len); + s->rx_frame_len -= len; +@@ -227,7 +235,8 @@ static ssize_t 
tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) + + trace_tulip_receive(buf, size); + +- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { ++ if (size < 14 || size > sizeof(s->rx_frame) - 4 ++ || s->rx_frame_len || tulip_rx_stopped(s)) { + return 0; + } + +@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, + return tulip_receive(qemu_get_nic_opaque(nc), buf, size); + } + +- + static NetClientInfo net_tulip_info = { + .type = NET_CLIENT_DRIVER_NIC, + .size = sizeof(NICState), +@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { + /* Internal or external Loopback */ + tulip_receive(s, s->tx_frame, s->tx_frame_len); +- } else { ++ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { + qemu_send_packet(qemu_get_queue(s->nic), + s->tx_frame, s->tx_frame_len); + } +@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) + } + } + +-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) ++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) + { + int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; + int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; + ++ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len1) { + pci_dma_read(&s->dev, desc->buf_addr1, + s->tx_frame + s->tx_frame_len, len1); + s->tx_frame_len += len1; + } + ++ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { ++ return -1; ++ } + if (len2) { + pci_dma_read(&s->dev, desc->buf_addr2, + s->tx_frame + s->tx_frame_len, len2); + s->tx_frame_len += len2; + } + desc->status = (len1 + len2) ? 
0 : 0x7fffffff; ++ ++ return 0; + } + + static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) +@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) + + static void tulip_xmit_list_update(TULIPState *s) + { ++#define TULIP_DESC_MAX 128 ++ uint8_t i = 0; + struct tulip_descriptor desc; + + if (tulip_ts(s) != CSR5_TS_SUSPENDED) { + return; + } + +- for (;;) { ++ for (i = 0; i < TULIP_DESC_MAX; i++) { + tulip_desc_read(s, s->current_tx_desc, &desc); + tulip_dump_tx_descriptor(s, &desc); + +@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) + s->tx_frame_len = 0; + } + +- tulip_copy_tx_buffers(s, &desc); +- +- if (desc.control & TDES1_LS) { +- tulip_tx(s, &desc); ++ if (!tulip_copy_tx_buffers(s, &desc)) { ++ if (desc.control & TDES1_LS) { ++ tulip_tx(s, &desc); ++ } + } + } + tulip_desc_write(s, s->current_tx_desc, &desc); +-- +1.8.3.1 + diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch new file mode 100644 index 00000000..ca7ffed9 --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch 
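Review bot: The two new guards in `tulip_copy_rx_bytes()` bound the wrong quantity: the bytes copied start at `s->rx_frame + (s->rx_frame_size - s->rx_frame_len)`, so what must stay within `sizeof(s->rx_frame)` is `s->rx_frame_size - s->rx_frame_len + len`, not `s->rx_frame_len + len`. Because `len` is clamped to `s->rx_frame_len` just above, the tested sum can reach twice the pending length, so if `rx_frame_len` starts at the received size (plus the 4 bytes the new `tulip_receive()` bound reserves — that assignment is outside the hunk and needs confirming) a frame longer than half the buffer handed to a single large descriptor buffer is silently dropped rather than copied, while the check never rejects anything the `tulip_receive()` size limit did not already exclude. Suggest `if (s->rx_frame_size - s->rx_frame_len + len > sizeof(s->rx_frame)) { return; }` in both places, or dropping the check in favour of a comment naming the invariant that makes the read safe (`rx_frame_size <= sizeof(rx_frame)`, established in `tulip_receive()`). `tulip_copy_rx_bytes()` starts outside the hunk.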
@@ -0,0 +1,97 @@ +From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Mon, 6 Apr 2020 22:34:26 +0200 +Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash + +In some corner cases (that never happen during normal operation but a +malicious guest could program wrong values) pixman functions were +called with parameters that result in a crash. Fix this and add more +checks to disallow such cases. + +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7] +CVE: CVE-2020-11869 +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> +--- + hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c +index 42e8231..23a8ae0 100644 +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s) + s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds), + surface_bits_per_pixel(ds), + (s->regs.dp_mix & GMC_ROP3_MASK) >> 16); +- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); +- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); ++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); ++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); + int bpp = ati_bpp_from_datatype(s); ++ if (!bpp) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n"); ++ return; ++ } + int dst_stride = DEFAULT_CNTL ? 
s->regs.dst_pitch : s->regs.default_pitch; ++ if (!dst_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n"); ++ return; ++ } + uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? + s->regs.dst_offset : s->regs.default_offset); + +@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s) + switch (s->regs.dp_mix & GMC_ROP3_MASK) { + case ROP3_SRCCOPY: + { +- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); +- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); ++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); ++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); + int src_stride = DEFAULT_CNTL ? + s->regs.src_pitch : s->regs.default_pitch; ++ if (!src_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n"); ++ return; ++ } + uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? + s->regs.src_offset : s->regs.default_offset); + +@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_x += s->regs.dst_width; +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ dst_x + s->regs.dst_width : dst_x); ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + case ROP3_PATCOPY: +@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + default: +-- +1.8.3.1 
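Review bot: Changing `dst_x`/`dst_y` (and `src_x`/`src_y` in the `ROP3_SRCCOPY` case) from `int` to `unsigned` means a guest that programs `dst_width > dst_x + 1` in right-to-left mode now produces a value near `UINT_MAX` instead of a negative one, which is only safe if the range check later in `ati_2d_blt()` — outside this hunk — compares these against the surface/VRAM extent as unsigned as well; that is worth confirming rather than assuming, since a signed compare would accept the wrapped value. The intent deserves a comment at the declarations, e.g. `/* unsigned on purpose: a negative origin (width > x + 1) wraps to a huge value and is rejected by the bounds check below */`. The new `!bpp`/`!dst_stride`/`!src_stride` early returns use `LOG_GUEST_ERROR`, which is the right level for guest-controllable register values. The function starts before and ends after the hunk.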
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch
new file mode 100644
index 00000000..e0acc70f
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13361.patch
@@ -0,0 +1,61 @@
+From 369ff955a8497988d079c4e3fa1e93c2570c1c69 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Fri, 15 May 2020 01:36:08 +0530
+Subject: [PATCH] es1370: check total frame count against current frame
+
+A guest user may set channel frame count via es1370_write()
+such that, in es1370_transfer_audio(), total frame count
+'size' is lesser than the number of frames that are processed
+'cnt'.
+
+ int cnt = d->frame_cnt >> 16;
+ int size = d->frame_cnt & 0xffff;
+
+if (size < cnt), it results in incorrect calculations leading
+to OOB access issue(s). Add check to avoid it.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20200514200608.1744203-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+
+Upstream-Status: Backport [https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html]
+CVE: CVE-2020-13361
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/audio/es1370.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
+index 89c4dabcd44..5f8a83ff562 100644
+--- a/hw/audio/es1370.c
++++ b/hw/audio/es1370.c
+@@ -643,6 +643,9 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
+ int csc_bytes = (csc + 1) << d->shift;
+ int cnt = d->frame_cnt >> 16;
+ int size = d->frame_cnt & 0xffff;
++ if (size < cnt) {
++ return;
++ }
+ int left = ((size - cnt + 1) << 2) + d->leftover;
+ int transferred = 0;
+ int temp = MIN (max, MIN (left, csc_bytes));
+@@ -651,7 +654,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
+ addr += (cnt << 2) + d->leftover;
+
+ if (index == ADC_CHANNEL) {
+- while (temp) {
++ while (temp > 0) {
+ int acquired, to_copy;
+
+ to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
+@@ -669,7 +672,7 @@ static void es1370_transfer_audio (ES1370State *s, struct chan *d, int loop_sel,
+ else {
+ SWVoiceOut *voice = s->dac_voice[index];
+
+- while (temp) {
++ while (temp > 0) {
+ int copied, to_copy;
+
+ to_copy = MIN ((size_t) temp, sizeof (tmpbuf));
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
new file mode 100644
index 00000000..7c92d762
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch
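Review bot: The new `if (size < cnt) { return; }` in `es1370_transfer_audio()` lands between the declarations of `size` and `left`, so the block now interleaves a statement with declarations, which QEMU's coding style discourages; the guard does have to stay ahead of `left` (with `size < cnt - 1` the `(size - cnt + 1) << 2` would left-shift a negative value, which is undefined behaviour), so the tidy form is to declare `left` and `temp` without initialisers at the top and assign them after the check. Returning silently also leaves the channel stalled with no diagnostic; a `qemu_log_mask(LOG_GUEST_ERROR, "es1370: frame count %d below current frame %d\n", size, cnt);` before the `return` would make the dropped transfer visible to whoever debugs it. The `while (temp > 0)` change is sound on its own: a negative `temp` kept the old `while (temp)` condition true and was then fed to the `MIN ((size_t) temp, ...)` cast below. `es1370_transfer_audio()` starts and ends outside the hunk.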
@@ -0,0 +1,52 @@
+From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 14 May 2020 00:55:38 +0530
+Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check
+ index
+
+A guest user may set 'reply_queue_head' field of MegasasState to
+a negative value. Later in 'megasas_lookup_frame' it is used to
+index into s->frames[] array. Use unsigned type to avoid OOB
+access issue.
+
+Also check that 'index' value stays within s->frames[] bounds
+through the while() loop in 'megasas_lookup_frame' to avoid OOB
+access.
+
+Reported-by: Ren Ding <rding@gatech.edu>
+Reported-by: Hanqing Zhao <hanqing@gatech.edu>
+Reported-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Acked-by: Alexander Bulekov <alxndr@bu.edu>
+Message-Id: <20200513192540.1583887-2-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=f50ab86a2620bd7e8507af865b164655ee921661]
+CVE: CVE-2020-13362
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/scsi/megasas.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index af18c88b656..6ce598cd690 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -112,7 +112,7 @@ typedef struct MegasasState {
+ uint64_t reply_queue_pa;
+ void *reply_queue;
+ int reply_queue_len;
+- int reply_queue_head;
++ uint16_t reply_queue_head;
+ int reply_queue_tail;
+ uint64_t consumer_pa;
+ uint64_t producer_pa;
+@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s,
+
+ index = s->reply_queue_head;
+
+- while (num < s->fw_cmds) {
++ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) {
+ if (s->frames[index].pa && s->frames[index].pa == frame) {
+ cmd = &s->frames[index];
+ break;
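Review bot: Only `reply_queue_head` becomes `uint16_t`; the neighbouring `reply_queue_len` and `reply_queue_tail` stay `int`, so every head/tail comparison and assignment elsewhere in megasas.c now mixes signedness, and a `uint16_t` still admits values that are not valid `s->frames[]` indices — the new `index < MEGASAS_MAX_FRAMES` term in `megasas_lookup_frame()` is what actually prevents the out-of-bounds read. That term only covers the first iteration if the loop's increment (outside the hunk) already wraps `index` modulo `MEGASAS_MAX_FRAMES`, and an out-of-range head makes the lookup fail silently rather than being reported; the more robust place to enforce the bound is where the guest-written value is stored into `reply_queue_head`, rejecting or masking it there. A comment at the field would state the contract for future readers, e.g. `uint16_t reply_queue_head; /* guest-controlled; must be < MEGASAS_MAX_FRAMES before use as a s->frames[] index */`. Both changed definitions start and end outside the hunk.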
diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
new file mode 100644
index 00000000..f1e9345e
--- /dev/null
+++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13659.patch
@@ -0,0 +1,55 @@ +From 77f55eac6c433e23e82a1b88b2d74f385c4c7d82 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Tue, 26 May 2020 16:47:43 +0530 +Subject: [PATCH] exec: set map length to zero when returning NULL +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When mapping physical memory into host's virtual address space, +'address_space_map' may return NULL if BounceBuffer is in_use. +Set and return '*plen = 0' to avoid later NULL pointer dereference. + +Reported-by: Alexander Bulekov <alxndr@bu.edu> +Fixes: https://bugs.launchpad.net/qemu/+bug/1878259 +Suggested-by: Paolo Bonzini <pbonzini@redhat.com> +Suggested-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Message-Id: <20200526111743.428367-1-ppandit@redhat.com> +Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/77f55eac6c433e23e82a1b88b2d74f385c4c7d82] +CVE: CVE-2020-13659 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + exec.c | 1 + + include/exec/memory.h | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/exec.c b/exec.c +index 9cbde85d8c1..778263f1c6a 100644 +--- a/exec.c ++++ b/exec.c +@@ -3540,6 +3540,7 @@ void *address_space_map(AddressSpace *as, + + if (!memory_access_is_direct(mr, is_write)) { + if (atomic_xchg(&bounce.in_use, true)) { ++ *plen = 0; + return NULL; + } + /* Avoid unbounded allocations */ +diff --git a/include/exec/memory.h b/include/exec/memory.h +index bd7fdd60810..af8ca7824e0 100644 +--- a/include/exec/memory.h ++++ b/include/exec/memory.h +@@ -2314,7 +2314,8 @@ bool address_space_access_valid(AddressSpace *as, hwaddr addr, hwaddr len, + /* address_space_map: map a physical memory region into a host virtual address + * + * May map a subset of the requested range, given by and returned in @plen. 
+- * May return %NULL if resources needed to perform the mapping are exhausted. ++ * May return %NULL and set *@plen to zero(0), if resources needed to perform ++ * the mapping are exhausted. + * Use only for reads OR writes - not for read-modify-write operations. + * Use cpu_register_map_client() to know when retrying the map operation is + * likely to succeed. diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch new file mode 100644 index 00000000..84b2f068 --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch 
@@ -0,0 +1,60 @@ +From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Thu, 4 Jun 2020 14:38:30 +0530 +Subject: [PATCH] ati-vga: check mm_index before recursive call + (CVE-2020-13800) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +While accessing VGA registers via ati_mm_read/write routines, +a guest may set 's->regs.mm_index' such that it leads to infinite +recursion. Check mm_index value to avoid such recursion. Log an +error message for wrong values. + +Reported-by: Ren Ding <rding@gatech.edu> +Reported-by: Hanqing Zhao <hanqing@gatech.edu> +Reported-by: Yi Ren <c4tren@gmail.com> +Message-id: 20200604090830.33885-1-ppandit@redhat.com +Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> +Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> + +Upstream-Status: Backport [https://github.com/qemu/qemu/commit/a98610c429d52db0937c1e48659428929835c455] +CVE: CVE-2020-13800 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> +--- + hw/display/ati.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/hw/display/ati.c b/hw/display/ati.c +index 065f197678e..67604e68deb 100644 +--- a/hw/display/ati.c ++++ b/hw/display/ati.c +@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) + if (idx <= s->vga.vram_size - size) { + val = ldn_le_p(s->vga.vram_ptr + idx, size); + } +- } else { ++ } else if (s->regs.mm_index > MM_DATA + 3) { + val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); ++ } else { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); + } + break; + case BIOS_0_SCRATCH ... 
BUS_CNTL - 1: +@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, + if (idx <= s->vga.vram_size - size) { + stn_le_p(s->vga.vram_ptr + idx, size, data); + } +- } else { ++ } else if (s->regs.mm_index > MM_DATA + 3) { + ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); ++ } else { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); + } + break; + case BIOS_0_SCRATCH ... BUS_CNTL - 1: diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch new file mode 100644 index 00000000..1505c7ee --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-15863.patch 
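Review bot: The `%u` conversions in the two new qemu_log_mask() calls assume `s->regs.mm_index` is an unsigned 32-bit field; if the device state struct declares it wider or signed the format is undefined, so that declaration (outside this hunk) should be confirmed. The same `s->regs.mm_index > MM_DATA + 3` test now appears in both `ati_mm_read` and `ati_mm_write`; a small shared helper such as `static inline bool ati_mm_index_is_indirect(const ATIVGAState *s)` or a named constant for the bound would keep the two paths from drifting apart. Both enclosing functions start and end outside the hunk.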
@@ -0,0 +1,63 @@ +From 5519724a13664b43e225ca05351c60b4468e4555 Mon Sep 17 00:00:00 2001 +From: Mauro Matteo Cascella <mcascell@redhat.com> +Date: Fri, 10 Jul 2020 11:19:41 +0200 +Subject: [PATCH] hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() + +A buffer overflow issue was reported by Mr. Ziming Zhang, CC'd here. It +occurs while sending an Ethernet frame due to missing break statements +and improper checking of the buffer size. + +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com> +Reviewed-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Jason Wang <jasowang@redhat.com> + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=5519724a13664b43e225ca05351c60b4468e4555] +CVE: CVE-2020-15863 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + hw/net/xgmac.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/hw/net/xgmac.c b/hw/net/xgmac.c +index 574dd47..5bf1b61 100644 +--- a/hw/net/xgmac.c ++++ b/hw/net/xgmac.c +@@ -220,21 +220,31 @@ static void xgmac_enet_send(XgmacState *s) + } + len = (bd.buffer1_size & 0xfff) + (bd.buffer2_size & 0xfff); + ++ /* ++ * FIXME: these cases of malformed tx descriptors (bad sizes) ++ * should probably be reported back to the guest somehow ++ * rather than simply silently stopping processing, but we ++ * don't know what the hardware does in this situation. ++ * This will only happen for buggy guests anyway. ++ */ + if ((bd.buffer1_size & 0xfff) > 2048) { + DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... -- " + "xgmac buffer 1 len on send > 2048 (0x%x)\n", + __func__, bd.buffer1_size & 0xfff); ++ break; + } + if ((bd.buffer2_size & 0xfff) != 0) { + DEBUGF_BRK("qemu:%s:ERROR...ERROR...ERROR... 
-- " + "xgmac buffer 2 len on send != 0 (0x%x)\n", + __func__, bd.buffer2_size & 0xfff); ++ break; + } +- if (len >= sizeof(frame)) { ++ if (frame_size + len >= sizeof(frame)) { + DEBUGF_BRK("qemu:%s: buffer overflow %d read into %zu " +- "buffer\n" , __func__, len, sizeof(frame)); ++ "buffer\n" , __func__, frame_size + len, sizeof(frame)); + DEBUGF_BRK("qemu:%s: buffer1.size=%d; buffer2.size=%d\n", + __func__, bd.buffer1_size, bd.buffer2_size); ++ break; + } + + cpu_physical_memory_read(bd.buffer1_addr, ptr, len); +-- +1.8.3.1 + diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch new file mode 100644 index 00000000..aa7bc823 --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch 
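Review bot: The three new `break` statements stop transmission silently if DEBUGF_BRK compiles to nothing outside debug builds, which appears to be the case, so a guest or fuzzer hitting a malformed descriptor leaves no trace on the host. Pairing each break with `qemu_log_mask(LOG_GUEST_ERROR, "%s: malformed tx descriptor, stopping\n", __func__);` would make the condition observable in production logs, which is close to what the added FIXME asks for. The `%d` conversion for `frame_size + len` assumes both operands are int; if `len` is declared unsigned the specifier should be `%u`. `xgmac_enet_send` starts and ends outside the hunk.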
@@ -0,0 +1,64 @@ +From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001 +From: Felipe Franciosi <felipe@nutanix.com> +Date: Thu, 23 Jan 2020 12:44:59 +0000 +Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) + +When querying an iSCSI server for the provisioning status of blocks (via +GET LBA STATUS), Qemu only validates that the response descriptor zero's +LBA matches the one requested. Given the SCSI spec allows servers to +respond with the status of blocks beyond the end of the LUN, Qemu may +have its heap corrupted by clearing/setting too many bits at the end of +its allocmap for the LUN. + +A malicious guest in control of the iSCSI server could carefully program +Qemu's heap (by selectively setting the bitmap) and then smash it. + +This limits the number of bits that iscsi_co_block_status() will try to +update in the allocmap so it can't overflow the bitmap. + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc] +CVE: CVE-2020-1711 + +Fixes: CVE-2020-1711 +Cc: qemu-stable@nongnu.org +Signed-off-by: Felipe Franciosi <felipe@nutanix.com> +Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com> +Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com> +Signed-off-by: Kevin Wolf <kwolf@redhat.com> +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> +--- + block/iscsi.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/block/iscsi.c b/block/iscsi.c +index 2aea7e3..cbd5729 100644 +--- a/block/iscsi.c ++++ b/block/iscsi.c +@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, + struct scsi_get_lba_status *lbas = NULL; + struct scsi_lba_status_descriptor *lbasd = NULL; + struct IscsiTask iTask; +- uint64_t lba; ++ uint64_t lba, max_bytes; + int ret; + + iscsi_co_init_iscsitask(iscsilun, &iTask); +@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs, + } + + lba = 
offset / iscsilun->block_size; ++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size; + + qemu_mutex_lock(&iscsilun->mutex); + retry: +@@ -764,7 +765,7 @@ retry: + goto out_unlock; + } + +- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size; ++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes); + + if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED || + lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) { +-- +1.8.3.1 diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch new file mode 100644 index 00000000..df6bca6d --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch 
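Review bot: `max_bytes` is uint64_t while the other MIN() operand is cast to int64_t, so the comparison is performed unsigned; declaring `max_bytes` as `int64_t` (or casting it inside the MIN) keeps the arithmetic in the signed domain that `*pnum` uses and avoids a surprising result should the product ever exceed INT64_MAX. The subtraction `iscsilun->num_blocks - lba` also relies on `offset` having been validated against the device size before this point; that check is not in the hunk, and if it is absent the subtraction wraps and the cap is ineffective. `iscsi_co_block_status` continues past the hunk.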
@@ -0,0 +1,44 @@ +From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 27 Feb 2020 12:07:35 +0800 +Subject: [PATCH] tcp_emu: Fix oob access + +The main loop only checks for one available byte, while we sometimes +need two bytes. + +CVE: CVE-2020-7039 +Upstream-Status: Backport +[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + slirp/src/tcp_subr.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c +index d6dd133..4bea2d4 100644 +--- a/slirp/src/tcp_subr.c ++++ b/slirp/src/tcp_subr.c +@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + break; + + case 5: ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ + /* + * The difference between versions 1.0 and + * 2.0 is here. For future versions of +@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m) + /* This is the field containing the port + * number that RA-player is listening to. + */ ++ ++ if (bptr == m->m_data + m->m_len - 1) ++ return 1; /* We need two bytes */ ++ + lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1]; + if (lport < 6970) + lport += 256; /* don't know why */ +-- +2.7.4 + diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch new file mode 100644 index 00000000..4a00fa2a --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch 
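Review bot: The two new guards use an equality test, `if (bptr == m->m_data + m->m_len - 1)`, which only covers the exact last-byte case; if the surrounding loop can ever leave `bptr` beyond the end, the read of `bptr[1]` still goes out of bounds. A `>=` comparison, `if (bptr >= m->m_data + m->m_len - 1) return 1;`, costs nothing and does not depend on the loop invariant. tcp_emu's body lies almost entirely outside this hunk, so that invariant cannot be confirmed here.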
@@ -0,0 +1,59 @@ +From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 27 Feb 2020 12:10:34 +0800 +Subject: [PATCH] slirp: use correct size while emulating commands + +While emulating services in tcp_emu(), it uses 'mbuf' size +'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m) +size to avoid possible OOB access. +Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Samuel Thibault's avatarSamuel Thibault +<samuel.thibault@ens-lyon.org> +Message-Id: <20200109094228.79764-3-ppandit@redhat.com> + +CVE: CVE-2020-7039 +Upstream-Status: Backport +[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + slirp/src/tcp_subr.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c +index 4bea2d4..e8ed4ef 100644 +--- a/slirp/src/tcp_subr.c ++++ b/slirp/src/tcp_subr.c +@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4, + n5, n6, x == 7 ? buff : ""); + return 1; +@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m) + n4 = (laddr & 0xff); + + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size - m->m_len, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), + "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s", + n1, n2, n3, n4, n5, n6, x == 7 ? 
buff : ""); + +@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + if (m->m_data[m->m_len - 1] == '\0' && lport != 0 && + (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr, + htons(lport), SS_FACCEPTONCE)) != NULL) +- m->m_len = +- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1; ++ m->m_len = snprintf(m->m_data, M_ROOM(m), ++ "%d", ntohs(so->so_fport)) + 1; + return 1; + + case EMU_IRC: +-- +2.7.4 + diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch new file mode 100644 index 00000000..70ce480d --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch 
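Review bot: Each rewritten snprintf() adds its return value to `m->m_len` unchecked, and snprintf returns the length the output would have had rather than the bytes written; when the emulated command exceeds M_FREEROOM(m) the write is now bounded but `m_len` overshoots the mbuf and later code reads past it. Clamping is one line per site, e.g. `n = snprintf(bptr, M_FREEROOM(m), ...); m->m_len += MIN(n, M_FREEROOM(m));` with MIN() as provided by glib, or treat truncation as an error and return. The same pattern is in the `tcp_listen` branch here with `M_ROOM(m)` and in the three DCC hunks of CVE-2020-7039-3.patch. tcp_emu starts and ends outside the hunk.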
@@ -0,0 +1,64 @@ +From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001 +From: Changqing Li <changqing.li@windriver.com> +Date: Thu, 27 Feb 2020 12:15:04 +0800 +Subject: [PATCH] slirp: use correct size while emulating IRC commands + +While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size +'m->m_size' to write DCC commands via snprintf(3). This may +lead to OOB write access, because 'bptr' points somewhere in +the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m) +size to avoid OOB access. +Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com> +Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Samuel Thibault's avatarSamuel Thibault +<samuel.thibault@ens-lyon.org> +Message-Id: <20200109094228.79764-2-ppandit@redhat.com> + +CVE: CVE-2020-7039 +Upstream-Status: Backport +[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + slirp/src/tcp_subr.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c +index e8ed4ef..3a4a8ee 100644 +--- a/slirp/src/tcp_subr.c ++++ b/slirp/src/tcp_subr.c +@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n", ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC CHAT chat %lu %u%c\n", + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), 1); + } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport, +@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC SEND %s %lu %u %u%c\n", buff, + (unsigned 
long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); + } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport, +@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m) + return 1; + } + m->m_len = bptr - m->m_data; /* Adjust length */ +- m->m_len += +- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff, ++ m->m_len += snprintf(bptr, M_FREEROOM(m), ++ "DCC MOVE %s %lu %u %u%c\n", buff, + (unsigned long)ntohl(so->so_faddr.s_addr), + ntohs(so->so_fport), n1, 1); + } +-- +2.7.4 + diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch new file mode 100644 index 00000000..11be4c92 --- /dev/null +++ b/external/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch 
@@ -0,0 +1,46 @@ +From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit <pjp@fedoraproject.org> +Date: Mon, 13 Jan 2020 17:44:31 +0530 +Subject: [PATCH] slirp: tftp: restrict relative path access + +tftp restricts relative or directory path access on Linux systems. +Apply same restrictions on Windows systems too. It helps to avoid +directory traversal issue. + +Fixes: https://bugs.launchpad.net/qemu/+bug/1812451 +Reported-by: Peter Maydell <peter.maydell@linaro.org> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org> +Message-Id: <20200113121431.156708-1-ppandit@redhat.com> + +Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch] +CVE: CVE-2020-7211 +Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> + +--- + slirp/src/tftp.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c +index 093c2e0..e52e71b 100644 +--- a/slirp/src/tftp.c ++++ b/slirp/src/tftp.c +@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, + k += 6; /* skipping octet */ + + /* do sanity checks on the filename */ +- if (!strncmp(req_fname, "../", 3) || +- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) { ++ if ( ++#ifdef G_OS_WIN32 ++ strstr(req_fname, "..\\") || ++ req_fname[strlen(req_fname) - 1] == '\\' || ++#endif ++ strstr(req_fname, "../") || ++ req_fname[strlen(req_fname) - 1] == '/') { + tftp_send_error(spt, 2, "Access violation", tp); + return; + } +-- +2.24.1 + diff --git a/external/poky/meta/recipes-devtools/qemu/qemu/run-ptest b/external/poky/meta/recipes-devtools/qemu/qemu/run-ptest index 2206b319..b25a792d 100644 --- a/external/poky/meta/recipes-devtools/qemu/qemu/run-ptest +++ b/external/poky/meta/recipes-devtools/qemu/qemu/run-ptest 
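Review bot: `req_fname[strlen(req_fname) - 1]`, in both the new Windows branch and the retained POSIX one, indexes at SIZE_MAX when the requested name is empty, reading the byte before the array; the old code had the same expression, so this is not introduced here, but the rewrite is the natural place to fix it. Computing the length once and rejecting empty names, `size_t n = strlen(req_fname); if (n == 0 || ...)`, closes that gap for both branches. Whether an empty filename can reach this point depends on the parsing earlier in tftp_handle_rrq, which is outside the hunk.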
@@ -7,4 +7,4 @@ ptestdir=$(dirname "$(readlink -f "$0")") export SRC_PATH=$ptestdir cd $ptestdir/tests -make -f Makefile.include -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g' +make -f Makefile.include -k runtest-TESTS | sed '/^ok /s/ok /PASS: /g' |
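Review bot: The exit status of the new pipeline is sed's, not make's, so a test that fails to build or aborts still lets run-ptest exit 0, and any harness that looks at the exit code misses it. If the interpreter is bash, `set -o pipefail` before the pipeline (or checking `${PIPESTATUS[0]}` afterwards) restores the signal; for plain sh, write make's output to a temporary file and run sed on that. The switch from matching `: OK` to `^ok ` is worth confirming against the actual runner output format; the shebang and any `set -e` are outside the hunk.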