commit: 8308b5d857fa865e06de75451acbe5c2bc359cf2
Author: Felix Janda <felix.janda <AT> posteo <DOT> de>
AuthorDate: Fri Sep 30 00:07:37 2016 +0000
Commit: Felix Janda <felix.janda <AT> posteo <DOT> de>
CommitDate: Sat Oct 1 19:35:26 2016 +0000
URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=8308b5d8
app-emulation/qemu: bump to 2.7.0
app-emulation/qemu/Manifest | 25 +--
.../qemu/files/qemu-2.2.0-_sigev_un.patch | 5 +-
.../qemu/files/qemu-2.5.0-CVE-2016-2198.patch | 46 ------
.../files/qemu-2.5.0-rng-stack-corrupt-0.patch | 98 -----------
.../files/qemu-2.5.0-rng-stack-corrupt-1.patch | 135 ----------------
.../files/qemu-2.5.0-rng-stack-corrupt-2.patch | 155 ------------------
.../files/qemu-2.5.0-rng-stack-corrupt-3.patch | 179 ---------------------
.../qemu/files/qemu-2.5.1-CVE-2015-8558.patch | 107 ------------
.../qemu/files/qemu-2.5.1-CVE-2016-4020.patch | 16 --
.../files/qemu-2.5.1-stellaris_enet-overflow.patch | 47 ------
.../qemu/files/qemu-2.5.1-xfs-linux-headers.patch | 82 ----------
.../qemu/files/qemu-2.7.0-CVE-2016-6836.patch | 27 ++++
.../qemu/files/qemu-2.7.0-CVE-2016-7155.patch | 81 ++++++++++
.../qemu/files/qemu-2.7.0-CVE-2016-7156.patch | 62 +++++++
.../qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch | 28 ++++
.../qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch | 27 ++++
.../qemu/files/qemu-2.7.0-CVE-2016-7170.patch | 40 +++++
.../qemu/files/qemu-2.7.0-CVE-2016-7421.patch | 34 ++++
.../qemu/files/qemu-2.7.0-CVE-2016-7422.patch | 38 +++++
.../qemu/files/qemu-2.7.0-CVE-2016-7423.patch | 31 ++++
.../qemu/files/qemu-2.7.0-CVE-2016-7466.patch | 26 +++
...qemu-2.5.1-r99.ebuild => qemu-2.7.0-r99.ebuild} | 46 +++---
22 files changed, 433 insertions(+), 902 deletions(-)
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest
index 5d10f94..1eb09a6 100644
--- a/app-emulation/qemu/Manifest
+++ b/app-emulation/qemu/Manifest
@@ -2,20 +2,21 @@ AUX 65-kvm.rules 40 SHA256
c16a8dc7855880b2651f1a3ff488ecc54d4ac1036c71fffd50070
AUX bridge.conf 454 SHA256
a51850dd39923f3482e4c575b48ad9fef9c9ebb2f2176225da399b79ce48c69d SHA512
a907ee86b81a1b61033bb7621ded65112504131ef7b698c53e4014b958ee6fc79e66f63069015a01e41362cb70a7d0ed26dd9a03033cf776f4846f0e1f8f1533
WHIRLPOOL
8fcbd4abf9b8f7ca3d16fe0eaf17196ebf708dfecf85ce0f020e0de22b64905114f7b310f361826c81bb961c6b1bbbf984bff1e595bb949993b8966ccb222c35
AUX qemu-2.0.0-F_SHLCK-and-F_EXLCK.patch 563 SHA256
99de67d610ad13a1dcf6c67a3c2b5b87fb909220173a956435737f9bea3c371b SHA512
a29e9a889388a6627ed492a79e66514ffb5e64f9479646982091811548fc2a9bf6682104a6c774d83e645e4b1db39e491afd4efce789fe164623442a7f3e5d00
WHIRLPOOL
d3aab06099de263c22f4c71810a3b2cb8602d17731ec76674cd1415e539306555a7b96b789f0daad473600dfa04a83224ff603f7b9a9ac63a4902f74d0e9deb5
AUX qemu-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 930
SHA256 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac SHA512
ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea
WHIRLPOOL
06b9dd5251ac03405c97b1f5a623b4d86bda2f72fbcd52b90ae4d11a0cfb59cae62df2cb6189405fbe53ab05ff2b7ca8165fda239dbfe5f31ed70abb53b3b9f3
-AUX qemu-2.2.0-_sigev_un.patch 636 SHA256
f3b9a4d6162c553f3110ad22716305818e2130e2ff5d628faf044fc58a5e3cb5 SHA512
f72b879daede5184904f64cabb276de96299a37a93fce444d09e9068671009e95a5e5d6b815ec41a5db5b3807de14d470a56bba5806ffd4dfec577577b046ccb
WHIRLPOOL
9453ad4966e10d504f3e867fd984642a3c1ee3ae847b5ca56196fd1f9e6c0f2d7b52ca07446212af72fef6d0ded1527a5eb306fa6cd915e8dd9ce11523362bac
-AUX qemu-2.5.0-CVE-2016-2198.patch 1540 SHA256
0d6d81a27ffac1af7c478a050aa690eb007cf9735a1a0c4b398eabeb990d5ab4 SHA512
b0b3131bb2b9b2d3f2a3f3286eeb92b527f0d3366e657cf8bcbabc6426b57893936c5a8ef66697ad1014b4525c09fa4d067195600f96ab2b005fd52b6e77d9a4
WHIRLPOOL
f5c56b87f934c573fc71169fcded579b9917285fbfff59fd9288011775f482ead2ac09e1399f325e826305fab2f7bc2cd21d333711c526c1658a069a5ee93491
+AUX qemu-2.2.0-_sigev_un.patch 465 SHA256
4d5a1359a1bc25f1f8dcb7f021efc235b9c8f2535258ca65706c5fde15946ebe SHA512
af90b8dcd8b14716df6270436ae1d77c998a04547bf17f961b2d9a594d1abfb573ca25283a633de6bcd3a81a778b88a4c7950dbd39c23ee35191626da14eb802
WHIRLPOOL
cf40379cd0c9f3a8f89823a6d9415666a99885711bdde44067d4a3a082a9b33efbe69279c0782b2e84b7586389e82845dd30668240f236266f61ba447abb8241
AUX qemu-2.5.0-cflags.patch 410 SHA256
17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512
0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3
WHIRLPOOL
5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154
-AUX qemu-2.5.0-rng-stack-corrupt-0.patch 3125 SHA256
164b155db78a9291b9f8dea71a16b5779e1a9d382a8cb0f5ff380d1f2d811cef SHA512
7da544873dbefbbc7a2ed69bd7cca0053bfe71ef7f5c2faf12cb5dc6e07b8d9104e5bcf329b3355e886edc5805509623234c9fe8fb536544d6285b04ccc59919
WHIRLPOOL
f076264ce4bae5be2f34e006e3e4dcc20042313cb6da4977b61529c3100e835952807738d53a86967f98abad68eba1c8dcbb6a04af162b048399e059b5eb9d6b
-AUX qemu-2.5.0-rng-stack-corrupt-1.patch 4110 SHA256
16966eb20072a5d16fec46e5959e32708342af9a7266fe4a90a0abaf68af3529 SHA512
530d6a5f9b6795013bbe197cf0a0d7eddfb06d18c0f8410bcf5bcc2d32c4b72c325b8b0ade2c517bd305fcbdab03124cc527d24d73ce767daf51de65d00920c8
WHIRLPOOL
c0b653c67993c6c6ed282f0c86099c8c80a241f10e23ef3fd8e33c6d86fbb5553049550e83954cfc6d3576735c4ce28099f813917966c0a05c84bb46a6bee413
-AUX qemu-2.5.0-rng-stack-corrupt-2.patch 4601 SHA256
c2b4e1ee8ee4bb2f4d42012a847c1da83a9e2349238d37bba1a3b9c440957f7f SHA512
ba299d07c7382f39f177f8094594daf131727d3d28633b426064f7cc6bf75d19b1ae78db248fc70ddbdb43fd2a6b0c5ed7793e6f42aba2763cdb4c12d6816c54
WHIRLPOOL
62b6ab75c32574a4c53193d82c7f51efdaa4789154c2d2f9acee7ede240d2920d92e31dfead7edc17aa12f938919143ce049d2c9ef9733baccc27d382506437f
-AUX qemu-2.5.0-rng-stack-corrupt-3.patch 5519 SHA256
5a3c2ed59bc30f395aee5cd0b77cdb06d868386e5bbe1b392169f8d96ae9474a SHA512
f62713130d3b989b274476a4cc2eafb95dc41de4723fe475e454132817a159eb729bbbe5a29aee755715100095670107c5762271184252e9d0cd43c4b25bc5d1
WHIRLPOOL
f8e4aa90b90b03dd6e4dd68734cb16ee5f59a9585697ef3c48e7e861968798cb3c66018ad5a788f99b99e9fddab2ae83d977ec4b1a8599596a5ce03286726e3e
AUX qemu-2.5.0-sysmacros.patch 333 SHA256
a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512
329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0
WHIRLPOOL
2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73
-AUX qemu-2.5.1-CVE-2015-8558.patch 3237 SHA256
3320c5624a33076b36f39566a4c3bbe5f95adae44207512d791175bcfc3959ff SHA512
c6ea0ca7d0ea221e9704001d26dae143861463ec45c7a543f041520874dd6e3a2d4bdb6d1eca25097f265aa2a1600858c9908b59cdd640007ab057cf7b86083f
WHIRLPOOL
0c3c683a79f68ab3073a3b5e6afe2b6184d66254bd8278e131d5aa199ff51d52e5b186521ff8799345b1f1977afc112550e1a7d4b684b2a3267e9caddd0f1576
-AUX qemu-2.5.1-CVE-2016-4020.patch 567 SHA256
6c8e933593cfbedc98de81bf01e394d1ca1d016109fcc81e91f6472d2092b1a0 SHA512
90ac43329cbbcc0451470e010a1a1bd32ef8891c1f2d7d7e54e870e740c77ea8dfdec30989d586aaea250de6ca294504bf7e88818bf35e3269cf528ea3e50ce5
WHIRLPOOL
7ea7c7af1f2a3f11bc5bfe7b708021bbcb03c00d354a733c0fad14193110559cd1561939bd5bb6597a84bc01e74a914ef9dc51f28c522473b424919edc17cdb3
-AUX qemu-2.5.1-stellaris_enet-overflow.patch 1569 SHA256
5d20aef8139068eeb63c167856c8f0004e8761227d9bb1fd67240c4b922f704a SHA512
92c015af82eb92bf5f6f4d6fd86b402636a61f0ac9572cc2f002d4c795ce133f7858a38336fd5f4a25c7157dea969d288bb73f00d9a8b3b8f517ba2aea6e4ba8
WHIRLPOOL
94c49f8f78864ac3da247b569d2afc2ee0d801482a00117a7898fb396440118ef3bc54e1b61023496184f37404c893a1ef7725ce6ca9a27ca596cdf38e747603
-AUX qemu-2.5.1-xfs-linux-headers.patch 2634 SHA256
ca1eb8d4593d794541f375cb1425861e145aa036d440b9d29c4cb7b5102d018b SHA512
88b8a6178893e3354d90ad1a7cfc370fc05ffd2e3ea7c9cc8aeda9e129ea93d45838b5816afb46c0594886fbb129e3665a738f4c195183b843caedc0302530c0
WHIRLPOOL
193f1b89710ecbbb5b645a59ac6f3b7bad8191cc3228bad0427cb80c54e1b55d11d25abe1f59173b9669452f57a52f830d074bb106bdc3c05b6659826a4d561d
+AUX qemu-2.7.0-CVE-2016-6836.patch 889 SHA256
a94812131e8baa66b81971579ab84b20bf15d544e2698448a5247ac0ddca0b3d SHA512
cf7f327f26aee5b6688eb662ced8aa07775ad9558b4a02db244303f6b7d37be9cd19b18d5725819b4708184105b98830864e0ad3af81373e59e880809036345b
WHIRLPOOL
df00627ad447162fdcac4b2c965a8cb5c916a7fb66d8c3a4f8f48bb2d869d7805cb3308cd495ff74ebf4840e7bc2d85abf8e666d78b3da9abb4e2bae22697a82
+AUX qemu-2.7.0-CVE-2016-7155.patch 2745 SHA256
addf638a53bfae8556e463e0b78a151eef0fdf171eb395a98dbdf0332ff74131 SHA512
96e9df733c5227899da7d2ecc346139df9830dd16fc16f1f14666f8be60205a43f434fd79e158c2000926656ffa137809f1cb3c57a04cb375011f816e92e2f4b
WHIRLPOOL
c04c0dda417a70e4acb289c6b296da93f3eb8e51f7cfad62351b7235512e04714fdc169a87f4cbf1ef82bfc6decc8ebb5b3958f23d001795c9ebcd08369185a3
+AUX qemu-2.7.0-CVE-2016-7156.patch 2314 SHA256
7fa0d7f1025a3435b692a6e7ed8fa3be38a918395a8253e8c27f416ff37e041d SHA512
db3009fdf6d85ffd24fd4a2a40b372b0e665274bba1ce01632aef0d583f2830b58f889166a34acd36409944ab3f7e264801bf89a78f55a586b5f43429a1c86dc
WHIRLPOOL
ce8101b7607612ed7b9c6fbe373f9b5dec07e0ea8af0b4be8e52b4add5dd0ba12c9e5eb7380d68e3d3867988e0cfc1bdd1e8357ce2b71ef19f51e316fac62161
+AUX qemu-2.7.0-CVE-2016-7157-1.patch 888 SHA256
7a1f6199b16c220df51002e1222763d1a7c7b3a08349f664e576a9facc553516 SHA512
5c104464dfa48804d94ccca9a9d881f9e22eba2c3d9a2cbf3a645c3a696e89ea3f4603ea28deba9a1cd800df9bc5ad4894606869eca3e1e9cf95414723846938
WHIRLPOOL
af42ec7ca93c92c4df060b4efd61bcc3f7cb5582d00bfe174d81f2393ad3a7f06e27cc2b2186f664860c3ee98f76dd68cd7e6de7ff7e63b778f345c32a62b495
+AUX qemu-2.7.0-CVE-2016-7157-2.patch 812 SHA256
1db3b565b4762abbc1096286c9887400591af76bf422a105e457c6bdcb887b59 SHA512
8d2177adc638d384302ec89de65a0acd4f4069580c40d6c50cb78501f25f4d171f3b92a36464711337e07dbf208f9ad93eb2f86a7361dde52026c1764341e10d
WHIRLPOOL
e815e165bb23cd42aaba2310e3fa48bba33b0344069e6f54c4b26dddad746516053221969fad855d6c827d42371494c609123b002e1e2a96c366d11131b3243a
+AUX qemu-2.7.0-CVE-2016-7170.patch 1527 SHA256
37d600b5a4ba143f1d6b26acbcf23357fa41a5f852774f68b6b6736a6ecec024 SHA512
c84494ec4ee9607cef7b230a25d10de444a29fecba57566df5394d40b88596ef91fbd5edfb51a58c5ecff7fa7ef39b7d32ba7976dbd011fb1b29a2e46e4e0080
WHIRLPOOL
ddd3d94da447556b24257c11068bef360da6cf35e22257869b09057f42ba027636e605db96d9a66253f423f5667814a1f8c551f8eece733fd997b03d6ac81e2b
+AUX qemu-2.7.0-CVE-2016-7421.patch 1183 SHA256
f3996d9d4658fb32a04ce8ae3d3510e6a51a0aa39f64b003a636f68dacef19db SHA512
51d07015e27e4dfbde2c3ffa37d91134374b49c136735845c34155238767483ede8bbc7232ea93b4e4cbcc28195cbe1986d44ac0dd96e914ec29df3a1da9dfcc
WHIRLPOOL
a4e27d329591b2a3b94a7abed81df1f87509f5a38beb490d7a4ca7c14df2a864f4126c26fc044bb4357467b0f9ed0ca5811d5e85812e318adcb3236c30bef7a1
+AUX qemu-2.7.0-CVE-2016-7422.patch 1125 SHA256
7a3d31031b8ea70be29715e8d384f47ad8758e81b9cfc3768e59dd6c6a00cb2a SHA512
6a08f661cd2b00214297570c8035042544b0e707b2f20f6c59c251a73971f2b7e1920c7242ca09a4684ea58dcb177d11d087ee5e0523792e3c446e70239498ef
WHIRLPOOL
82b38aa12e49695c1f0c67c303039afb05cc314d14e5bc8286bafebfbabd3eb3cddd41338d45f9510ea2f5074fd9028b39c251be0e5856e0221232a8b28797a9
+AUX qemu-2.7.0-CVE-2016-7423.patch 925 SHA256
2b9b1102c3c9c54ba2c311661c3222b1df246a519e9eef57d0793951c1249ae0 SHA512
e4401163d15f9ebd9057b8ddf4187f7a0a2f379cb8aea2bd92b20f132f7714a4e386733884be4568eddbd4067b6cad80275ccc101276897c4796117a9b20144f
WHIRLPOOL
9bd9f5ed067604f065d3ac7447f8135dd72e178caa6f3c5a5ca7bc531a8008ec46620c4af33bea54a35dfe52e430d48dcf5b59145c4e1efc2a14cb789e38f5bd
+AUX qemu-2.7.0-CVE-2016-7466.patch 830 SHA256
5664c091038185766a54b93495029bbf6de116e8752c2334fa1c71b8387e89c3 SHA512
d158b1f66766f33b1df561956cc3c77d40e1422e44791cfc753d3def2f1851c2c9c0aeb299bcd1ae969dde8f4249f4489ed90776ebb497db4f626217710e4f48
WHIRLPOOL
13112769ecd6420e17d2a3c0e110a2bd479fc09d8a2086d27f0703a4d6c35ded07e003f28ff14579655c5468cd02c77fa514ba7ed6543f61deb60c6de604c99b
AUX qemu-binfmt.initd-r1 6910 SHA256
2886c567589b958f450a87537cdb6c5bf95e8c1e4afbdf59139d16819e79d51d SHA512
09f399b6b559c6dd64d77843f600afad464909e72ae0924e97a5ef2eea55b3fb8abf6fbd57c380ec60e2f9d145ec365fd9a24c2e1b84cc6cef7070e4fb5bd72e
WHIRLPOOL
983f6ae733c23c0049321184e1b6738ad5d27a70265945e6b47f3fb317ba3c84918b4929e728081549062fd0bf4a46c0a7e7184911355f3ac75963e1f8b70cd4
AUX qemu-kvm-1.4 68 SHA256
8b1adf198129f001e75a2311fc420c168094d1084d2163cdf6a32b3b23c96137 SHA512
706fab4d155c410acc292e67fb354ce7dcd17f7e33f2ca8c9c44035ea128f8d36f89e27cf87ebe22721f5676be9e7f2ae5484fd000183c8ffd7854e02eb3d120
WHIRLPOOL
ef795330b592cef8e3d92f52a77eb77a671e6aa1a47d07531917b5c1c09e72e5df1a44aea939b086e0a3c5ef2a5cea9223556a46ceae73e55300475c42f07067
-DIST qemu-2.5.1.tar.bz2 25464539 SHA256
028752c33bb786abbfe496ba57315dc5a7d0a33b5a7a767f6d7a29020c525d2c SHA512
66959ad6a2a89f23c5daba245c76f71ddc03a33a1167bca639a042ebbf7329b2e698cd2c0e65c22a9874563a34256a48386aa9df6475b06d38db74187e3e3b3f
WHIRLPOOL
32525271574692d56b7794dc63606659f46e6ae19a56dee31b3cec33dab9c4eb74147a65db4940229492d8680f38c2d05bc2a8fbcb4b6887b0c1cbe5fbbe44cf
-EBUILD qemu-2.5.1-r99.ebuild 21104 SHA256
92637c4d36984ff78616a2ca9a1952d453f035608357b2f212cddc4b98bed5de SHA512
0dd1b5d37448371604efb213894bfde17ab08d234affc675dc2474ba395e4b854071711304c30be4a405ed98d6cb2be7f107958487080cd8dbeb15fada2da9f8
WHIRLPOOL
cc8ed2d2140b669da67d8a5f15b93651638848f77b853d11b7e235ba37b75d945076266798fff1ccf8d74ba16113cbead260b10e9c8aaed03c07fb5d9d1f1ce3
+DIST qemu-2.7.0.tar.bz2 26867760 SHA256
326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512
654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db
WHIRLPOOL
dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d
+EBUILD qemu-2.7.0-r99.ebuild 21332 SHA256
a6d13be36bb59bf53727dba5fe1dd5f397652531d339cf622acd15aef6cd482f SHA512
fd1ef102a4b7d4554a2b864d321419413b967f9f585031f74c600dc350db541588fa98a150329aa1134dbc761933484a2ce2e14979c096fe076cf92f7bdfedee
WHIRLPOOL
50e36b66bfd83516ce4003681bcba2327da80c679aad3ab658007a87652c22f7e584eb4fb5d635b570096243abd361075c6c8e35197c2e9bbed34a4d7353537c
MISC metadata.xml 3925 SHA256
d1c219b7da0cbf77919cd1e055acbb3f6788a574fd802c98a43c89a411697b36 SHA512
3ff45d1c8ede12b4eedc7d01f39777b76a1cbd0ba9364299dec99d4b4a05cade5784d6f6e50197d5b5ae1f1b8e831c49da195eb53263c49b7d16aec8ee28b6e6
WHIRLPOOL
bc25783fac0f3f13318834cc535404af9af20de16c7aeec222e59dc2ed7740ac5e767b329a5bcd6356d0cbae2428e278515f1446aa8ecb87a873bf4dbe04bf41
diff --git a/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch
b/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch
index 5827c2e..588291c 100644
--- a/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch
+++ b/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch
@@ -1,6 +1,5 @@
-diff -ur a/qemu-2.2.0/linux-user/syscall.c b/qemu-2.2.0/linux-user/syscall.c
---- a/qemu-2.2.0/linux-user/syscall.c 2014-12-09 15:45:43.000000000 -0100
-+++ b/qemu-2.2.0/linux-user/syscall.c 2015-03-16 19:09:49.050386155 -0100
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
@@ -5033,7 +5033,7 @@
host_sevp->sigev_signo =
target_to_host_signal(tswap32(target_sevp->sigev_signo));
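Review bot: The inner hunk header `@@ -5033,7 +5033,7 @@` is carried over unchanged even though the patch is now applied to qemu 2.7.0 rather than the tree it was cut from, so it presumably applies only through patch's offset search. Regenerating it against the 2.7.0 `linux-user/syscall.c` would make it apply at the exact position and fail loudly if the surrounding code moves again, instead of risking a match at a different, similar-looking location. The header rewrite from `a/qemu-2.2.0/linux-user/syscall.c` to `a/linux-user/syscall.c` also reduces the strip depth needed by one level; the ebuild that applies this file is not visible in this hunk, so that should be confirmed there. The body of the inner hunk continues beyond the context lines shown here.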
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
deleted file mode 100644
index d179c33..0000000
--- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From dff0367cf66f489aa772320fa2937a8cac1ca30d Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <[email protected]>
-Date: Fri, 29 Jan 2016 18:30:34 +0530
-Subject: [PATCH] usb: ehci: add capability mmio write function
-
-USB Ehci emulation supports host controller capability registers.
-But its mmio '.write' function was missing, which lead to a null
-pointer dereference issue. Add a do nothing 'ehci_caps_write'
-definition to avoid it; Do nothing because capability registers
-are Read Only(RO).
-
-Reported-by: Zuozhi Fzz <[email protected]>
-Signed-off-by: Prasad J Pandit <[email protected]>
-Message-id: [email protected]
-Signed-off-by: Gerd Hoffmann <[email protected]>
----
- hw/usb/hcd-ehci.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 1b50601..0f95d0d 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -895,6 +895,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
- return s->caps[addr];
- }
-
-+static void ehci_caps_write(void *ptr, hwaddr addr,
-+ uint64_t val, unsigned size)
-+{
-+}
-+
- static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
- unsigned size)
- {
-@@ -2315,6 +2320,7 @@ static void ehci_frame_timer(void *opaque)
-
- static const MemoryRegionOps ehci_mmio_caps_ops = {
- .read = ehci_caps_read,
-+ .write = ehci_caps_write,
- .valid.min_access_size = 1,
- .valid.max_access_size = 4,
- .impl.min_access_size = 1,
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
deleted file mode 100644
index 684f6ad..0000000
--- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <[email protected]>
-Date: Thu, 3 Mar 2016 09:37:15 +0100
-Subject: [PATCH] rng: remove the unused request cancellation code
-
-rng_backend_cancel_requests had no callers and none of the code
-deleted in this commit ever ran.
-
-Signed-off-by: Ladi Prosek <[email protected]>
-Reviewed-by: Amit Shah <[email protected]>
-Message-Id: <[email protected]>
-Signed-off-by: Amit Shah <[email protected]>
----
- backends/rng-egd.c | 12 ------------
- backends/rng.c | 9 ---------
- include/sysemu/rng.h | 11 -----------
- 3 files changed, 32 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 2de5cd5..0b2976a 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -125,17 +125,6 @@ static void rng_egd_free_requests(RngEgd *s)
- s->requests = NULL;
- }
-
--static void rng_egd_cancel_requests(RngBackend *b)
--{
-- RngEgd *s = RNG_EGD(b);
--
-- /* We simply delete the list of pending requests. If there is data in
the
-- * queue waiting to be read, this is okay, because there will always be
-- * more data than we requested originally
-- */
-- rng_egd_free_requests(s);
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
- RngEgd *s = RNG_EGD(b);
-@@ -213,7 +202,6 @@ static void rng_egd_class_init(ObjectClass *klass, void
*data)
- RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
-
- rbc->request_entropy = rng_egd_request_entropy;
-- rbc->cancel_requests = rng_egd_cancel_requests;
- rbc->opened = rng_egd_opened;
- }
-
-diff --git a/backends/rng.c b/backends/rng.c
-index b7820ef..2f2f3ee 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -26,15 +26,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
- }
- }
-
--void rng_backend_cancel_requests(RngBackend *s)
--{
-- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
--
-- if (k->cancel_requests) {
-- k->cancel_requests(s);
-- }
--}
--
- static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
- {
- RngBackend *s = RNG_BACKEND(obj);
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index 858be8c..87b3ebe 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -37,7 +37,6 @@ struct RngBackendClass
-
- void (*request_entropy)(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy, void
*opaque);
-- void (*cancel_requests)(RngBackend *s);
-
- void (*opened)(RngBackend *s, Error **errp);
- };
-@@ -68,14 +67,4 @@ struct RngBackend
- void rng_backend_request_entropy(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque);
--
--/**
-- * rng_backend_cancel_requests:
-- * @s: the backend to cancel all pending requests in
-- *
-- * Cancels all pending requests submitted by @rng_backend_request_entropy.
This
-- * should be used by a device during reset or in preparation for live
migration
-- * to stop tracking any request.
-- */
--void rng_backend_cancel_requests(RngBackend *s);
- #endif
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
deleted file mode 100644
index 44ba8a7..0000000
--- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <[email protected]>
-Date: Thu, 3 Mar 2016 09:37:16 +0100
-Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
-
-The 'requests' field now lives in the RngBackend parent class.
-There are no functional changes in this commit.
-
-Signed-off-by: Ladi Prosek <[email protected]>
-Reviewed-by: Amit Shah <[email protected]>
-Message-Id: <[email protected]>
-Signed-off-by: Amit Shah <[email protected]>
----
- backends/rng-egd.c | 28 +++++++++-------------------
- include/sysemu/rng.h | 11 +++++++++++
- 2 files changed, 20 insertions(+), 19 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 0b2976a..b061362 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -25,19 +25,8 @@ typedef struct RngEgd
-
- CharDriverState *chr;
- char *chr_name;
--
-- GSList *requests;
- } RngEgd;
-
--typedef struct RngRequest
--{
-- EntropyReceiveFunc *receive_entropy;
-- uint8_t *data;
-- void *opaque;
-- size_t offset;
-- size_t size;
--} RngRequest;
--
- static void rng_egd_request_entropy(RngBackend *b, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque)
-@@ -66,7 +55,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t
size,
- size -= len;
- }
-
-- s->requests = g_slist_append(s->requests, req);
-+ s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
- static void rng_egd_free_request(RngRequest *req)
-@@ -81,7 +70,7 @@ static int rng_egd_chr_can_read(void *opaque)
- GSList *i;
- int size = 0;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
- RngRequest *req = i->data;
- size += req->size - req->offset;
- }
-@@ -94,8 +83,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t
*buf, int size)
- RngEgd *s = RNG_EGD(opaque);
- size_t buf_offset = 0;
-
-- while (size > 0 && s->requests) {
-- RngRequest *req = s->requests->data;
-+ while (size > 0 && s->parent.requests) {
-+ RngRequest *req = s->parent.requests->data;
- int len = MIN(size, req->size - req->offset);
-
- memcpy(req->data + req->offset, buf + buf_offset, len);
-@@ -104,7 +93,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t
*buf, int size)
- size -= len;
-
- if (req->offset == req->size) {
-- s->requests = g_slist_remove_link(s->requests, s->requests);
-+ s->parent.requests = g_slist_remove_link(s->parent.requests,
-+ s->parent.requests);
-
- req->receive_entropy(req->opaque, req->data, req->size);
-
-@@ -117,12 +107,12 @@ static void rng_egd_free_requests(RngEgd *s)
- {
- GSList *i;
-
-- for (i = s->requests; i; i = i->next) {
-+ for (i = s->parent.requests; i; i = i->next) {
- rng_egd_free_request(i->data);
- }
-
-- g_slist_free(s->requests);
-- s->requests = NULL;
-+ g_slist_free(s->parent.requests);
-+ s->parent.requests = NULL;
- }
-
- static void rng_egd_opened(RngBackend *b, Error **errp)
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index 87b3ebe..c744d82 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -24,6 +24,7 @@
- #define RNG_BACKEND_CLASS(klass) \
- OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
-
-+typedef struct RngRequest RngRequest;
- typedef struct RngBackendClass RngBackendClass;
- typedef struct RngBackend RngBackend;
-
-@@ -31,6 +32,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
- const void *data,
- size_t size);
-
-+struct RngRequest
-+{
-+ EntropyReceiveFunc *receive_entropy;
-+ uint8_t *data;
-+ void *opaque;
-+ size_t offset;
-+ size_t size;
-+};
-+
- struct RngBackendClass
- {
- ObjectClass parent_class;
-@@ -47,6 +57,7 @@ struct RngBackend
-
- /*< protected >*/
- bool opened;
-+ GSList *requests;
- };
-
- /**
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
deleted file mode 100644
index 1cffcc5..0000000
--- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <[email protected]>
-Date: Thu, 3 Mar 2016 09:37:17 +0100
-Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
-
-RngBackend is now in charge of cleaning up the linked list on
-instance finalization. It also exposes a function to finalize
-individual RngRequest instances, called by its child classes.
-
-Signed-off-by: Ladi Prosek <[email protected]>
-Reviewed-by: Amit Shah <[email protected]>
-Message-Id: <[email protected]>
-Signed-off-by: Amit Shah <[email protected]>
----
- backends/rng-egd.c | 25 +------------------------
- backends/rng.c | 32 ++++++++++++++++++++++++++++++++
- include/sysemu/rng.h | 12 ++++++++++++
- 3 files changed, 45 insertions(+), 24 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index b061362..8f2bd16 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -58,12 +58,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t
size,
- s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
--static void rng_egd_free_request(RngRequest *req)
--{
-- g_free(req->data);
-- g_free(req);
--}
--
- static int rng_egd_chr_can_read(void *opaque)
- {
- RngEgd *s = RNG_EGD(opaque);
-@@ -93,28 +87,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t
*buf, int size)
- size -= len;
-
- if (req->offset == req->size) {
-- s->parent.requests = g_slist_remove_link(s->parent.requests,
-- s->parent.requests);
--
- req->receive_entropy(req->opaque, req->data, req->size);
-
-- rng_egd_free_request(req);
-+ rng_backend_finalize_request(&s->parent, req);
- }
- }
- }
-
--static void rng_egd_free_requests(RngEgd *s)
--{
-- GSList *i;
--
-- for (i = s->parent.requests; i; i = i->next) {
-- rng_egd_free_request(i->data);
-- }
--
-- g_slist_free(s->parent.requests);
-- s->parent.requests = NULL;
--}
--
- static void rng_egd_opened(RngBackend *b, Error **errp)
- {
- RngEgd *s = RNG_EGD(b);
-@@ -183,8 +162,6 @@ static void rng_egd_finalize(Object *obj)
- }
-
- g_free(s->chr_name);
--
-- rng_egd_free_requests(s);
- }
-
- static void rng_egd_class_init(ObjectClass *klass, void *data)
-diff --git a/backends/rng.c b/backends/rng.c
-index 2f2f3ee..014cb9d 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -64,6 +64,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool
value, Error **errp)
- s->opened = true;
- }
-
-+static void rng_backend_free_request(RngRequest *req)
-+{
-+ g_free(req->data);
-+ g_free(req);
-+}
-+
-+static void rng_backend_free_requests(RngBackend *s)
-+{
-+ GSList *i;
-+
-+ for (i = s->requests; i; i = i->next) {
-+ rng_backend_free_request(i->data);
-+ }
-+
-+ g_slist_free(s->requests);
-+ s->requests = NULL;
-+}
-+
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
-+{
-+ s->requests = g_slist_remove(s->requests, req);
-+ rng_backend_free_request(req);
-+}
-+
- static void rng_backend_init(Object *obj)
- {
- object_property_add_bool(obj, "opened",
-@@ -72,6 +96,13 @@ static void rng_backend_init(Object *obj)
- NULL);
- }
-
-+static void rng_backend_finalize(Object *obj)
-+{
-+ RngBackend *s = RNG_BACKEND(obj);
-+
-+ rng_backend_free_requests(s);
-+}
-+
- static void rng_backend_class_init(ObjectClass *oc, void *data)
- {
- UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
-@@ -84,6 +115,7 @@ static const TypeInfo rng_backend_info = {
- .parent = TYPE_OBJECT,
- .instance_size = sizeof(RngBackend),
- .instance_init = rng_backend_init,
-+ .instance_finalize = rng_backend_finalize,
- .class_size = sizeof(RngBackendClass),
- .class_init = rng_backend_class_init,
- .abstract = true,
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index c744d82..08a2eda 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -78,4 +79,15 @@ struct RngBackend
- void rng_backend_request_entropy(RngBackend *s, size_t size,
- EntropyReceiveFunc *receive_entropy,
- void *opaque);
-+
-+/**
-+ * rng_backend_free_request:
-+ * @s: the backend that created the request
-+ * @req: the request to finalize
-+ *
-+ * Used by child rng backend classes to finalize requests once they've been
-+ * processed. The request is removed from the list of active requests and
-+ * deleted.
-+ */
-+void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
- #endif
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
deleted file mode 100644
index ca9340a..0000000
--- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
-From: Ladi Prosek <[email protected]>
-Date: Thu, 3 Mar 2016 09:37:18 +0100
-Subject: [PATCH] rng: add request queue support to rng-random
-
-Requests are now created in the RngBackend parent class and the
-code path is shared by both rng-egd and rng-random.
-
-This commit fixes the rng-random implementation which processed
-only one request at a time and simply discarded all but the most
-recent one. In the guest this manifested as delayed completion
-of reads from virtio-rng, i.e. a read was completed only after
-another read was issued.
-
-By switching rng-random to use the same request queue as rng-egd,
-the unsafe stack-based allocation of the entropy buffer is
-eliminated and replaced with g_malloc.
-
-Signed-off-by: Ladi Prosek <[email protected]>
-Reviewed-by: Amit Shah <[email protected]>
-Message-Id: <[email protected]>
-Signed-off-by: Amit Shah <[email protected]>
----
- backends/rng-egd.c | 16 ++--------------
- backends/rng-random.c | 43 +++++++++++++++++++------------------------
- backends/rng.c | 13 ++++++++++++-
- include/sysemu/rng.h | 3 +--
- 4 files changed, 34 insertions(+), 41 deletions(-)
-
-diff --git a/backends/rng-egd.c b/backends/rng-egd.c
-index 8f2bd16..30332ed 100644
---- a/backends/rng-egd.c
-+++ b/backends/rng-egd.c
-@@ -27,20 +27,10 @@ typedef struct RngEgd
- char *chr_name;
- } RngEgd;
-
--static void rng_egd_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
- {
- RngEgd *s = RNG_EGD(b);
-- RngRequest *req;
--
-- req = g_malloc(sizeof(*req));
--
-- req->offset = 0;
-- req->size = size;
-- req->receive_entropy = receive_entropy;
-- req->opaque = opaque;
-- req->data = g_malloc(req->size);
-+ size_t size = req->size;
-
- while (size > 0) {
- uint8_t header[2];
-@@ -54,8 +44,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t
size,
-
- size -= len;
- }
--
-- s->parent.requests = g_slist_append(s->parent.requests, req);
- }
-
- static int rng_egd_chr_can_read(void *opaque)
-diff --git a/backends/rng-random.c b/backends/rng-random.c
-index 8cdad6a..a6cb385 100644
---- a/backends/rng-random.c
-+++ b/backends/rng-random.c
-@@ -22,10 +22,6 @@ struct RndRandom
-
- int fd;
- char *filename;
--
-- EntropyReceiveFunc *receive_func;
-- void *opaque;
-- size_t size;
- };
-
- /**
-@@ -38,36 +34,35 @@ struct RndRandom
- static void entropy_available(void *opaque)
- {
- RndRandom *s = RNG_RANDOM(opaque);
-- uint8_t buffer[s->size];
-- ssize_t len;
-
-- len = read(s->fd, buffer, s->size);
-- if (len < 0 && errno == EAGAIN) {
-- return;
-- }
-- g_assert(len != -1);
-+ while (s->parent.requests != NULL) {
-+ RngRequest *req = s->parent.requests->data;
-+ ssize_t len;
-+
-+ len = read(s->fd, req->data, req->size);
-+ if (len < 0 && errno == EAGAIN) {
-+ return;
-+ }
-+ g_assert(len != -1);
-
-- s->receive_func(s->opaque, buffer, len);
-- s->receive_func = NULL;
-+ req->receive_entropy(req->opaque, req->data, len);
-
-+ rng_backend_finalize_request(&s->parent, req);
-+ }
-+
-+ /* We've drained all requests, the fd handler can be reset. */
- qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
- }
-
--static void rng_random_request_entropy(RngBackend *b, size_t size,
-- EntropyReceiveFunc *receive_entropy,
-- void *opaque)
-+static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
- {
- RndRandom *s = RNG_RANDOM(b);
-
-- if (s->receive_func) {
-- s->receive_func(s->opaque, NULL, 0);
-+ if (s->parent.requests == NULL) {
-+ /* If there are no pending requests yet, we need to
-+ * install our fd handler. */
-+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
- }
--
-- s->receive_func = receive_entropy;
-- s->opaque = opaque;
-- s->size = size;
--
-- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
- }
-
- static void rng_random_opened(RngBackend *b, Error **errp)
-diff --git a/backends/rng.c b/backends/rng.c
-index 014cb9d..277a41b 100644
---- a/backends/rng.c
-+++ b/backends/rng.c
-@@ -20,9 +20,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
- void *opaque)
- {
- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
-+ RngRequest *req;
-
- if (k->request_entropy) {
-- k->request_entropy(s, size, receive_entropy, opaque);
-+ req = g_malloc(sizeof(*req));
-+
-+ req->offset = 0;
-+ req->size = size;
-+ req->receive_entropy = receive_entropy;
-+ req->opaque = opaque;
-+ req->data = g_malloc(req->size);
-+
-+ k->request_entropy(s, req);
-+
-+ s->requests = g_slist_append(s->requests, req);
- }
- }
-
-diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
-index 08a2eda..4fffd68 100644
---- a/include/sysemu/rng.h
-+++ b/include/sysemu/rng.h
-@@ -45,8 +45,7 @@ struct RngBackendClass
- {
- ObjectClass parent_class;
-
-- void (*request_entropy)(RngBackend *s, size_t size,
-- EntropyReceiveFunc *receive_entropy, void
*opaque);
-+ void (*request_entropy)(RngBackend *s, RngRequest *req);
-
- void (*opened)(RngBackend *s, Error **errp);
- };
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch
b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch
deleted file mode 100644
index cf1a4c3..0000000
--- a/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-https://bugs.gentoo.org/580426
-https://bugs.gentoo.org/568246
-
-From a49923d2837d20510d645d3758f1ad87c32d0730 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <[email protected]>
-Date: Mon, 18 Apr 2016 09:20:54 +0200
-Subject: [PATCH] Revert "ehci: make idt processing more robust"
-
-This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254.
-
-Breaks FreeBSD.
-
-Signed-off-by: Gerd Hoffmann <[email protected]>
----
- hw/usb/hcd-ehci.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index d5c0e1c..43a8f7a 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -1397,7 +1397,7 @@ static int ehci_process_itd(EHCIState *ehci,
- {
- USBDevice *dev;
- USBEndpoint *ep;
-- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
-+ uint32_t i, len, pid, dir, devaddr, endp;
- uint32_t pg, off, ptr1, ptr2, max, mult;
-
- ehci->periodic_sched_active = PERIODIC_ACTIVE;
-@@ -1489,10 +1489,9 @@ static int ehci_process_itd(EHCIState *ehci,
- ehci_raise_irq(ehci, USBSTS_INT);
- }
- itd->transact[i] &= ~ITD_XACT_ACTIVE;
-- xfers++;
- }
- }
-- return xfers ? 0 : -1;
-+ return 0;
- }
-
-
---
-2.7.4
-
-From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <[email protected]>
-Date: Mon, 18 Apr 2016 09:11:38 +0200
-Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a
-DoS by the guest (create a circular iTD queue and let qemu ehci
-emulation run in circles forever). Unfortunately this has two problems:
-First it misses the case of siTDs, and second it reportedly breaks
-FreeBSD.
-
-So lets go for a different approach: just count the number of iTDs and
-siTDs we have seen per frame and apply a limit. That should really
-catch all cases now.
-
-Reported-by: 杜少博 <[email protected]>
-Signed-off-by: Gerd Hoffmann <[email protected]>
----
- hw/usb/hcd-ehci.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
-index 159f58d..d5c0e1c 100644
---- a/hw/usb/hcd-ehci.c
-+++ b/hw/usb/hcd-ehci.c
-@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q)
- static void ehci_advance_state(EHCIState *ehci, int async)
- {
- EHCIQueue *q = NULL;
-+ int itd_count = 0;
- int again;
-
- do {
-@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int
async)
-
- case EST_FETCHITD:
- again = ehci_state_fetchitd(ehci, async);
-+ itd_count++;
- break;
-
- case EST_FETCHSITD:
- again = ehci_state_fetchsitd(ehci, async);
-+ itd_count++;
- break;
-
- case EST_ADVANCEQUEUE:
-@@ -2087,7 +2090,8 @@ static void ehci_advance_state(EHCIState *ehci, int
async)
- break;
- }
-
-- if (again < 0) {
-+ if (again < 0 || itd_count > 16) {
-+ /* TODO: notify guest (raise HSE irq?) */
- fprintf(stderr, "processing error - resetting ehci HC\n");
- ehci_reset(ehci);
- again = 0;
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch
b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch
deleted file mode 100644
index e3115c1..0000000
--- a/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html
-https://bugs.gentoo.org/580040
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index c69f374..ff1e31a 100644
---- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU
*cpu, target_ulong ip)
- CPUX86State *env = &cpu->env;
- VAPICHandlers *handlers;
- uint8_t opcode[2];
-- uint32_t imm32;
-+ uint32_t imm32 = 0;
- target_ulong current_pc = 0;
- target_ulong current_cs_base = 0;
- int current_flags = 0;
diff --git a/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch
b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch
deleted file mode 100644
index ab7d3f3..0000000
--- a/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <[email protected]>
-Date: Fri, 8 Apr 2016 11:33:48 +0530
-Subject: [PATCH] net: stellaris_enet: check packet length against receive
- buffer
-
-When receiving packets over Stellaris ethernet controller, it
-uses receive buffer of size 2048 bytes. In case the controller
-accepts large(MTU) packets, it could lead to memory corruption.
-Add check to avoid it.
-
-Reported-by: Oleksandr Bazhaniuk <[email protected]>
-Signed-off-by: Prasad J Pandit <[email protected]>
-Message-id: [email protected]
-Reviewed-by: Peter Maydell <[email protected]>
-Signed-off-by: Peter Maydell <[email protected]>
----
- hw/net/stellaris_enet.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c
-index 84cf60b..6880894 100644
---- a/hw/net/stellaris_enet.c
-+++ b/hw/net/stellaris_enet.c
-@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc,
const uint8_t *buf, si
- n = s->next_packet + s->np;
- if (n >= 31)
- n -= 31;
-- s->np++;
-
-+ if (size >= sizeof(s->rx[n].data) - 6) {
-+ /* If the packet won't fit into the
-+ * emulated 2K RAM, this is reported
-+ * as a FIFO overrun error.
-+ */
-+ s->ris |= SE_INT_FOV;
-+ stellaris_enet_update(s);
-+ return -1;
-+ }
-+
-+ s->np++;
- s->rx[n].len = size + 6;
- p = s->rx[n].data;
- *(p++) = (size + 6);
---
-2.7.4
-
diff --git a/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch
b/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch
deleted file mode 100644
index 743171b..0000000
--- a/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-https://bugs.gentoo.org/577810
-
-From 277abf15a60f7653bfb05ffb513ed74ffdaea1b7 Mon Sep 17 00:00:00 2001
-From: Jan Vesely <[email protected]>
-Date: Fri, 29 Apr 2016 13:15:23 -0400
-Subject: [PATCH] configure: Check if struct fsxattr is available from linux
- header
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes build failure with --enable-xfsctl and
-new linux headers (>=4.5) and older xfsprogs(<4.5):
-In file included from /usr/include/xfs/xfs.h:38:0,
- from
/var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:97:
-/usr/include/xfs/xfs_fs.h:42:8: error: redefinition of ‘struct fsxattr’
- struct fsxattr {
- ^
-In file included from
/var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:60:0:
-/usr/include/linux/fs.h:155:8: note: originally defined here
- struct fsxattr {
-
-This is really a bug in the system headers, but we can work around it
-by defining HAVE_FSXATTR in the QEMU headers if linux/fs.h provides
-the struct, so that xfs_fs.h doesn't try to define it as well.
-
-CC: [email protected]
-CC: Markus Armbruster <[email protected]>
-CC: Peter Maydell <[email protected]>
-CC: Stefan Weil <[email protected]>
-Tested-by: Stefan Weil <[email protected]>
-Signed-off-by: Jan Vesely <[email protected]>
-[PMM: adjusted commit message, comments]
-Signed-off-by: Peter Maydell <[email protected]>
----
- configure | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
-diff --git a/configure b/configure
-index ab54f3c..c37fc5f 100755
---- a/configure
-+++ b/configure
-@@ -4494,6 +4494,21 @@ if test "$fortify_source" != "no"; then
- fi
-
- ##########################################
-+# check if struct fsxattr is available via linux/fs.h
-+
-+have_fsxattr=no
-+cat > $TMPC << EOF
-+#include <linux/fs.h>
-+struct fsxattr foo;
-+int main(void) {
-+ return 0;
-+}
-+EOF
-+if compile_prog "" "" ; then
-+ have_fsxattr=yes
-+fi
-+
-+##########################################
- # End of CC checks
- # After here, no more $cc or $ld runs
-
-@@ -5160,6 +5175,14 @@ fi
- if test "$have_ifaddrs_h" = "yes" ; then
- echo "HAVE_IFADDRS_H=y" >> $config_host_mak
- fi
-+
-+# Work around a system header bug with some kernel/XFS header
-+# versions where they both try to define 'struct fsxattr':
-+# xfs headers will not try to redefine structs from linux headers
-+# if this macro is set.
-+if test "$have_fsxattr" = "yes" ; then
-+ echo "HAVE_FSXATTR=y" >> $config_host_mak
-+fi
- if test "$vte" = "yes" ; then
- echo "CONFIG_VTE=y" >> $config_host_mak
- echo "VTE_CFLAGS=$vte_cflags" >> $config_host_mak
---
-2.8.2
-
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
new file mode 100644
index 0000000..56f7435
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch
@@ -0,0 +1,27 @@
+From: Li Qiang <address@hidden>
+
+In Vmxnet3 device emulator while processing transmit(tx) queue,
+when it reaches end of packet, it calls vmxnet3_complete_packet.
+In that local 'txcq_descr' object is not initialised, which could
+leak host memory bytes a guest.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/net/vmxnet3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index 90f6943..92f6af9 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int
qidx, uint32_t tx_ridx)
+
+ VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
+
++ memset(&txcq_descr, 0, sizeof(txcq_descr));
+ txcq_descr.txdIdx = tx_ridx;
+ txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
+
+--
+2.5.5
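Review bot: The patch header carries no bug or upstream reference, unlike the 2.5.1 patches this commit removes, which opened with their `https://bugs.gentoo.org/...` links. The author address is also reduced to `address@hidden`, so the file cannot be traced back to its origin from its own contents. A first line such as `https://bugs.gentoo.org/591242` (the number the ebuild comment gives for this patch) would restore that. The same applies to the other qemu-2.7.0-CVE-*.patch files added in this commit; only CVE-2016-7155 and CVE-2016-7156 link a mailing-list post.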
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch
new file mode 100644
index 0000000..495faf2
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch
@@ -0,0 +1,81 @@
+From: Prasad J Pandit <address@hidden>
+
+Vmware Paravirtual SCSI emulation uses command descriptors to
+process SCSI commands. These descriptors come with their ring
+buffers. A guest could set the page count for these rings to
+an arbitrary value, leading to infinite loop or OOB access.
+Add check to avoid it.
+
+Reported-by: Tom Victor <address@hidden>
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/scsi/vmw_pvscsi.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+Update per review
+ -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 5116f4a..4245c15 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
+ return log;
+ }
+
+-static int
++static void
+ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ {
+ int i;
+@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m,
PVSCSICmdDescSetupRings *ri)
+ uint32_t req_ring_size, cmp_ring_size;
+ m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+
+- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
+- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
+- return -1;
+- }
+ req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+ cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
+ txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m,
PVSCSICmdDescSetupRings *ri)
+
+ /* Flush ring state page changes */
+ smp_wmb();
+-
+- return 0;
+ }
+
+ static int
+@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings
*rc)
+
+ trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
+ for (i = 0; i < rc->cmpRingNumPages; i++) {
+- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
++ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
+ }
+ }
+
+@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
+
+ trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+
++ if (!rc->reqRingNumPages
++ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
++ || !rc->cmpRingNumPages
++ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
++ return PVSCSI_COMMAND_PROCESSING_FAILED;
++ }
++
+ pvscsi_dbg_dump_tx_rings_config(rc);
+- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
+- return PVSCSI_COMMAND_PROCESSING_FAILED;
+- }
++ pvscsi_ring_init_data(&s->rings, rc);
+
+ s->rings_info_valid = TRUE;
+ return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
+--
+2.5.5
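Review bot: `pvscsi_ring_init_data` now returns void and no longer validates `reqRingNumPages` or `cmpRingNumPages`, so it depends entirely on the check added in `pvscsi_on_cmd_setup_rings`. With a zero page count, `pvscsi_log2(req_ring_size - 1)` would be handed a wrapped value. State that precondition on the function, e.g. `/* Caller must ensure both page counts are non-zero and <= PVSCSI_SETUP_RINGS_MAX_NUM_PAGES. */`. Whether the function has other callers cannot be seen from these hunks, and its body continues outside them.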
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch
new file mode 100644
index 0000000..9c21a67
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch
@@ -0,0 +1,62 @@
+From: Prasad J Pandit <address@hidden>
+
+In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
+long time or go into an infinite loop due to two different bugs:
+
+1) the request descriptor data length is defined to be 64 bit. While
+building SG list from a request descriptor, it gets truncated to 32bit
+in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
+situation for large 'dataLen' values, when data_length is cast to uint32_t
+and chunk_size becomes always zero. Fix this by removing the incorrect
+cast.
+
+2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
+element has a zero length. Get out of the loop early when this happens,
+by introducing an upper limit on the number of SG list elements.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/scsi/vmw_pvscsi.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+Update as per:
+ -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index 4245c15..babac5a 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -40,6 +40,8 @@
+ #define PVSCSI_MAX_DEVS (64)
+ #define PVSCSI_MSIX_NUM_VECTORS (1)
+
++#define PVSCSI_MAX_SG_ELEM 2048
++
+ #define PVSCSI_MAX_CMD_DATA_WORDS \
+ (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
+
+@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s,
SCSIDevice **d,
+ static void
+ pvscsi_convert_sglist(PVSCSIRequest *r)
+ {
+- int chunk_size;
++ uint32_t chunk_size, elmcnt = 0;
+ uint64_t data_length = r->req.dataLen;
+ PVSCSISGState sg = r->sg;
+- while (data_length) {
+- while (!sg.resid) {
++ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
++ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
+ pvscsi_get_next_sg_elem(&sg);
+ trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
+ r->sg.resid);
+ }
+- assert(data_length > 0);
+- chunk_size = MIN((unsigned) data_length, sg.resid);
++ chunk_size = MIN(data_length, sg.resid);
+ if (chunk_size) {
+ qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
+ }
+--
+2.5.5
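Review bot: When the `PVSCSI_MAX_SG_ELEM` cap is reached, both loops in `pvscsi_convert_sglist` just stop and `data_length` may still be non-zero, so the request appears to continue with a truncated scatter list and nothing records it. A comment at the cap, such as `/* give up after PVSCSI_MAX_SG_ELEM elements; the remaining data_length is not mapped */`, plus a trace or error for the leftover, would make that visible. The tail of the loop is outside the hunk, so whether the remainder is handled further down cannot be confirmed here.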
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch
new file mode 100644
index 0000000..480de30
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch
@@ -0,0 +1,28 @@
+From: Prasad J Pandit <address@hidden>
+
+When LSI SAS1068 Host Bus emulator builds configuration page
+headers, the format string used in 'mptsas_config_manufacturing_1'
+was wrong. It could lead to an invalid memory access.
+
+Reported-by: Tom Victor <address@hidden>
+Fix-suggested-by: Paolo Bonzini <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/scsi/mptconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
+index 7071854..1ec895b 100644
+--- a/hw/scsi/mptconfig.c
++++ b/hw/scsi/mptconfig.c
+@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s,
uint8_t **data, int address
+ {
+ /* VPD - all zeros */
+ return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
+- "s256");
++ "*s256");
+ }
+
+ static
+--
+2.5.5
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch
new file mode 100644
index 0000000..5e79608
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch
@@ -0,0 +1,27 @@
+From: Prasad J Pandit <address@hidden>
+
+When LSI SAS1068 Host Bus emulator builds configuration page
+headers, mptsas_config_pack() asserts to check returned size
+value is within limit of 256 bytes. Fix that assert expression.
+
+Suggested-by: Paolo Bonzini <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/scsi/mptconfig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
+index 1ec895b..531947f 100644
+--- a/hw/scsi/mptconfig.c
++++ b/hw/scsi/mptconfig.c
+@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const
char *fmt, ...)
+ va_end(ap);
+
+ if (data) {
+- assert(ret < 256 && (ret % 4) == 0);
++ assert(ret / 4 < 256);
+ stb_p(*data + 1, ret / 4);
+ }
+ return ret;
+--
+2.5.5
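Review bot: The rewritten assert drops the `(ret % 4) == 0` half of the old condition, so a packed size that is not a multiple of four would now pass and be rounded down by `ret / 4` when the length byte is stored. Keeping both parts, `assert(ret / 4 < 256 && (ret % 4) == 0);`, corrects the bound without losing the alignment check. Because the guard is an `assert`, it also disappears in a build that defines NDEBUG. mptsas_config_pack starts outside the hunk.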
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch
new file mode 100644
index 0000000..7eb5f76
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch
@@ -0,0 +1,40 @@
+From: Prasad J Pandit <address@hidden>
+
+When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
+the computed BITMAP and PIXMAP size are checked against the
+'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
+Correct these checks to avoid OOB memory access.
+
+Reported-by: Qinghao Tang <address@hidden>
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/display/vmware_vga.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
+index e51a05e..6599cf0 100644
+--- a/hw/display/vmware_vga.c
++++ b/hw/display/vmware_vga.c
+@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
+ cursor.bpp = vmsvga_fifo_read(s);
+
+ args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y,
cursor.bpp);
+- if (cursor.width > 256 ||
+- cursor.height > 256 ||
+- cursor.bpp > 32 ||
+- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
+- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
++ if (cursor.width > 256
++ || cursor.height > 256
++ || cursor.bpp > 32
++ || SVGA_BITMAP_SIZE(x, y)
++ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
++ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
+ goto badcmd;
+ }
+
+--
+2.5.5
+
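Review bot: The corrected bounds only hold if `SVGA_BITMAP_SIZE` and `SVGA_PIXMAP_SIZE` yield counts of `cursor.mask[]` and `cursor.image[]` elements rather than bytes. Both macros are defined outside the hunk, so the unit should be stated next to the check, e.g. `/* sizes are in array elements, not bytes */`. The open-coded `sizeof(a) / sizeof(a[0])` could also be written `ARRAY_SIZE(cursor.mask)` and `ARRAY_SIZE(cursor.image)`, assuming QEMU's macro is in scope in this file. vmsvga_fifo_run extends beyond the hunk on both sides.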
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch
new file mode 100644
index 0000000..b9f3545
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch
@@ -0,0 +1,34 @@
+From: Prasad J Pandit <address@hidden>
+
+Vmware Paravirtual SCSI emulator while processing IO requests
+could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
+always returned positive value. Limit IO loop to the ring size.
+
+Cc: address@hidden
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Message-Id: <address@hidden>
+Signed-off-by: Paolo Bonzini <address@hidden>
+---
+ hw/scsi/vmw_pvscsi.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index babac5a..a5ce7de 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -247,8 +247,11 @@ static hwaddr
+ pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
+ {
+ uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+
+- if (ready_ptr != mgr->consumed_ptr) {
++ if (ready_ptr != mgr->consumed_ptr
++ && ready_ptr - mgr->consumed_ptr < ring_size) {
+ uint32_t next_ready_ptr =
+ mgr->consumed_ptr++ & mgr->txr_len_mask;
+ uint32_t next_ready_page =
+--
+1.8.3.1
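Review bot: The new bound in `pvscsi_ring_pop_req_descr` is the compile-time maximum (`PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE`), not the ring length the guest configured. A guest-written `reqProdIdx` could therefore still make the caller walk a small ring several times before the check stops it. If `txr_len_mask` is the configured length minus one, as the masking two lines below suggests, comparing against that would be tighter; this needs confirming against pvscsi_ring_init_data. At minimum add a comment such as `/* reqProdIdx is guest-controlled: cap the backlog at the largest possible ring */`. The function body continues outside the hunk.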
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch
new file mode 100644
index 0000000..6368e7f
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch
@@ -0,0 +1,38 @@
+From: Prasad J Pandit <address@hidden>
+
+virtio back end uses set of buffers to facilitate I/O operations.
+If its size is too large, 'cpu_physical_memory_map' could return
+a null address. This would result in a null dereference
+while un-mapping descriptors. Add check to avoid it.
+
+Reported-by: Qinghao Tang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+---
+ hw/virtio/virtio.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
+index 15ee3a7..0a4c5b6 100644
+--- a/hw/virtio/virtio.c
++++ b/hw/virtio/virtio.c
+@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg,
hwaddr *addr, struct iove
+ }
+
+ iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
+- iov[num_sg].iov_len = len;
+- addr[num_sg] = pa;
++ if (iov[num_sg].iov_base) {
++ iov[num_sg].iov_len = len;
++ addr[num_sg] = pa;
+
++ pa += len;
++ num_sg++;
++ }
+ sz -= len;
+- pa += len;
+- num_sg++;
+ }
+ *p_num_sg = num_sg;
+ }
+--
+2.5.5
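Review bot: A failed mapping is skipped silently: when `cpu_physical_memory_map` returns NULL the new `if` leaves that element out, but `sz -= len` still runs. The caller then receives a shorter scatter list with no indication that part of the guest buffer is missing. Consider reporting it in an `else` branch, for example `error_report("virtio: failed to map descriptor");`, and decide whether the request should be failed rather than continued. virtqueue_map_desc starts outside the hunk, so how its callers react to a reduced `*p_num_sg` is not visible here.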
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch
new file mode 100644
index 0000000..fdd871b
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch
@@ -0,0 +1,31 @@
+From: Li Qiang <address@hidden>
+
+When processing IO request in mptsas, it uses g_new to allocate
+a 'req' object. If an error occurs before 'req->sreq' is
+allocated, It could lead to an OOB write in mptsas_free_request
+function. Use g_new0 to avoid it.
+
+Reported-by: Li Qiang <address@hidden>
+Signed-off-by: Prasad J Pandit <address@hidden>
+Message-Id: <address@hidden>
+Cc: address@hidden
+Signed-off-by: Paolo Bonzini <address@hidden>
+---
+ hw/scsi/mptsas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 0e0a22f..eaae1bb 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
+ goto bad;
+ }
+
+- req = g_new(MPTSASRequest, 1);
++ req = g_new0(MPTSASRequest, 1);
+ QTAILQ_INSERT_TAIL(&s->pending, req, next);
+ req->scsi_io = *scsi_io;
+ req->dev = s;
+--
+1.8.3.1
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch
b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch
new file mode 100644
index 0000000..d5028bb
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch
@@ -0,0 +1,26 @@
+From: Li Qiang <address@hidden>
+
+If the xhci uses msix, it doesn't free the corresponding
+memory, thus leading a memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <address@hidden>
+---
+ hw/usb/hcd-xhci.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 188f954..281a2a5 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
+ /* destroy msix memory region */
+ if (dev->msix_table && dev->msix_pba
+ && dev->msix_entry_used) {
+- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
+- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
++ msix_uninit(dev, &xhci->mem, &xhci->mem);
+ }
+
+ usb_bus_release(&xhci->bus);
+--
+1.8.3.1
diff --git a/app-emulation/qemu/qemu-2.5.1-r99.ebuild
b/app-emulation/qemu/qemu-2.7.0-r99.ebuild
similarity index 94%
rename from app-emulation/qemu/qemu-2.5.1-r99.ebuild
rename to app-emulation/qemu/qemu-2.7.0-r99.ebuild
index 1d169e8..f8432d3 100644
--- a/app-emulation/qemu/qemu-2.5.1-r99.ebuild
+++ b/app-emulation/qemu/qemu-2.7.0-r99.ebuild
@@ -2,26 +2,22 @@
# Distributed under the terms of the GNU General Public License v2
# $Id$
-EAPI=5
+EAPI="5"
PYTHON_COMPAT=( python2_7 )
PYTHON_REQ_USE="ncurses,readline"
-PLOCALES="de_DE fr_FR hu it tr zh_CN"
+PLOCALES="bg de_DE fr_FR hu it tr zh_CN"
inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
- user udev fcaps readme.gentoo pax-utils l10n
-
-BACKPORTS=
+ user udev fcaps readme.gentoo-r1 pax-utils l10n
if [[ ${PV} = *9999* ]]; then
EGIT_REPO_URI="git://git.qemu.org/qemu.git"
inherit git-2
SRC_URI=""
else
- SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2
- ${BACKPORTS:+
-
https://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}"
+ SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2"
KEYWORDS="amd64 ~ppc x86"
fi
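Review bot: The rewritten `SRC_URI` still fetches the release tarball over plain HTTP, so the Manifest digests are the only integrity check on it, and they are themselves computed from a download over the same channel. If upstream serves the same path over TLS, prefer `SRC_URI="https://wiki.qemu-project.org/download/${P}.tar.bz2"`. The `git://` URI used for the live version in the same block is likewise unauthenticated.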
@@ -30,7 +26,7 @@ HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org"
LICENSE="GPL-2 LGPL-2 BSD-2"
SLOT="0"
-IUSE="accessibility +aio alsa bluetooth +caps +curl debug +fdt glusterfs \
+IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs
\
gnutls gtk gtk2 infiniband iscsi +jpeg \
kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs
+png pulseaudio python \
@@ -70,8 +66,13 @@ REQUIRED_USE="${PYTHON_REQUIRED_USE}
#
# Older versions of gnutls are supported, but it's simpler to just require
# the latest versions. This is also why we require nettle.
+#
+# TODO: Split out tools deps into another var. e.g. bzip2 is only used by
+# system binaries and tools, not user binaries.
COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)]
+ dev-libs/libpcre[static-libs(+)]
sys-libs/zlib[static-libs(+)]
+ bzip2? ( app-arch/bzip2[static-libs(+)] )
xattr? ( sys-apps/attr[static-libs(+)] )"
SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
>=x11-libs/pixman-0.28.0[static-libs(+)]
@@ -108,7 +109,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
virtual/opengl
media-libs/libepoxy[static-libs(+)]
media-libs/mesa[static-libs(+)]
- media-libs/mesa[egl,gles2]
+ media-libs/mesa[egl,gles2,gbm]
)
png? ( media-libs/libpng:0=[static-libs(+)] )
pulseaudio? ( media-sound/pulseaudio )
@@ -337,18 +338,18 @@ src_prepare() {
epatch
"${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch
epatch "${FILESDIR}"/${PN}-2.2.0-_sigev_un.patch
- epatch "${FILESDIR}"/qemu-2.5.0-cflags.patch
- [[ -n ${BACKPORTS} ]] && \
- EPATCH_FORCE=yes EPATCH_SUFFIX="patch"
EPATCH_SOURCE="${S}/patches" \
- epatch
-
- epatch "${FILESDIR}"/${PN}-2.5.0-CVE-2016-2198.patch #573314
- epatch "${FILESDIR}"/${PN}-2.5.0-rng-stack-corrupt-{0,1,2,3}.patch
#576420
- epatch "${FILESDIR}"/${PN}-2.5.1-stellaris_enet-overflow.patch #579614
- epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2016-4020.patch #580040
- epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2015-8558.patch #568246 #580426
+ epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch
epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch
- epatch "${FILESDIR}"/${PN}-2.5.1-xfs-linux-headers.patch #577810
+ epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242
+ epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034
+ epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036
+ epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038
+ epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038
+ epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284
+ epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950
+ epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956
+ epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520
+ epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368
# Fix ld and objcopy being called directly
tc-export AR LD OBJCOPY
@@ -412,6 +413,7 @@ qemu_src_configure() {
conf_opts+=(
$(conf_softmmu accessibility brlapi)
$(conf_softmmu aio linux-aio)
+ $(conf_softmmu bzip2)
$(conf_softmmu bluetooth bluez)
$(conf_softmmu caps cap-ng)
$(conf_softmmu curl)
@@ -482,6 +484,7 @@ qemu_src_configure() {
--disable-linux-user
--disable-system
--disable-blobs
+ $(use_enable bzip2)
)
static_flag="static"
;;
@@ -571,7 +574,6 @@ src_test() {
qemu_python_install() {
python_domodule "${S}/scripts/qmp/qmp.py"
- python_doscript "${S}/scripts/kvm/kvm_stat"
python_doscript "${S}/scripts/kvm/vmxcap"
python_doscript "${S}/scripts/qmp/qmp-shell"
python_doscript "${S}/scripts/qmp/qemu-ga-client"