diff --git a/0001-XXX-dont-dump-core-on-sigabort.patch b/0001-XXX-dont-dump-core-on-sigabort.patch
index 53ccc16c..719fdf25 100644
--- a/0001-XXX-dont-dump-core-on-sigabort.patch
+++ b/0001-XXX-dont-dump-core-on-sigabort.patch
@@ -1,4 +1,4 @@
-From 0cc25b3cd019821123bb03e031787b885694c563 Mon Sep 17 00:00:00 2001
+From d1591b68524b12fa4c9cb7d2fd6fcdf021137ede Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 21 Nov 2011 23:50:36 +0100
 Subject: [PATCH] XXX dont dump core on sigabort
diff --git a/0002-XXX-work-around-SA_RESTART-race-wit.patch b/0002-XXX-work-around-SA_RESTART-race-wit.patch
index 2815778b..b1777394 100644
--- a/0002-XXX-work-around-SA_RESTART-race-wit.patch
+++ b/0002-XXX-work-around-SA_RESTART-race-wit.patch
@@ -1,4 +1,4 @@
-From b70c1de50710a307563b51b92996b5d0ce2687cc Mon Sep 17 00:00:00 2001
+From 44e9a6c05ea73441354e54b0029cdf0e835ed735 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 1 Dec 2011 19:00:01 +0100
 Subject: [PATCH] XXX work around SA_RESTART race with boehm-gc (ARM only)
diff --git a/0003-qemu-0.9.0.cvs-binfmt.patch b/0003-qemu-0.9.0.cvs-binfmt.patch
index e8cfdb2e..ccde2358 100644
--- a/0003-qemu-0.9.0.cvs-binfmt.patch
+++ b/0003-qemu-0.9.0.cvs-binfmt.patch
@@ -1,4 +1,4 @@
-From 1b2df489a2809e1e8bef5f8cf846373c95934aa1 Mon Sep 17 00:00:00 2001
+From 2d978c9adfe0bb7dadbb21e9f606f33b9f70bf1c Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht
 Date: Tue, 14 Apr 2009 16:18:44 +0200
 Subject: [PATCH] qemu-0.9.0.cvs-binfmt
diff --git a/0004-qemu-cvs-alsa_bitfield.patch b/0004-qemu-cvs-alsa_bitfield.patch
index 7565bc8e..27b3dce6 100644
--- a/0004-qemu-cvs-alsa_bitfield.patch
+++ b/0004-qemu-cvs-alsa_bitfield.patch
@@ -1,4 +1,4 @@
-From 86f0e5770aa18b28d0f43f514dc3f4c563b73ce2 Mon Sep 17 00:00:00 2001
+From 68b848ab76ac2d150b4ed899d46dabac85b248a2 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:20:50 +0200
 Subject: [PATCH] qemu-cvs-alsa_bitfield
diff --git a/0005-qemu-cvs-alsa_ioctl.patch b/0005-qemu-cvs-alsa_ioctl.patch
index d3b54a31..fb04e39c 100644
--- a/0005-qemu-cvs-alsa_ioctl.patch
+++ b/0005-qemu-cvs-alsa_ioctl.patch
@@ -1,4 +1,4 @@
-From e8f69a4b03d1892bcc63fe686857e66da9bbe5eb Mon Sep 17 00:00:00 2001
+From 12ea4c0a49f8fd0b3b594f80fa78bf943b7d3c20 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:23:27 +0200
 Subject: [PATCH] qemu-cvs-alsa_ioctl
diff --git a/0006-qemu-cvs-alsa_mmap.patch b/0006-qemu-cvs-alsa_mmap.patch
index 05e582df..9b7fd090 100644
--- a/0006-qemu-cvs-alsa_mmap.patch
+++ b/0006-qemu-cvs-alsa_mmap.patch
@@ -1,4 +1,4 @@
-From 8cce17b453f1c48d6cb476bda4c775c859b8be12 Mon Sep 17 00:00:00 2001
+From f66983c05b20792b6bf5690bc46a4a60618b0425 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:24:15 +0200
 Subject: [PATCH] qemu-cvs-alsa_mmap
diff --git a/0007-qemu-cvs-gettimeofday.patch b/0007-qemu-cvs-gettimeofday.patch
index 0bd63848..eebac451 100644
--- a/0007-qemu-cvs-gettimeofday.patch
+++ b/0007-qemu-cvs-gettimeofday.patch
@@ -1,4 +1,4 @@
-From 6a9bb134ff9465b1c85f52aef40a3be5d41230d0 Mon Sep 17 00:00:00 2001
+From cda1328ad68fbb163f786e4ad5dd818c3a54bc4e Mon Sep 17 00:00:00 2001
 From: Ulrich Hecht
 Date: Tue, 14 Apr 2009 16:25:41 +0200
 Subject: [PATCH] qemu-cvs-gettimeofday
diff --git a/0008-qemu-cvs-ioctl_debug.patch b/0008-qemu-cvs-ioctl_debug.patch
index e6d03563..7a5a7000 100644
--- a/0008-qemu-cvs-ioctl_debug.patch
+++ b/0008-qemu-cvs-ioctl_debug.patch
@@ -1,4 +1,4 @@
-From f947d45896b9eed4bc54837653d3920a5a46e5e6 Mon Sep 17 00:00:00 2001
+From 02d53ba7f7e370b1b67f6adc9b5497b4a262503a Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 14 Apr 2009 16:26:33 +0200
 Subject: [PATCH] qemu-cvs-ioctl_debug
diff --git a/0009-qemu-cvs-ioctl_nodirection.patch b/0009-qemu-cvs-ioctl_nodirection.patch
index 90bfe528..6436c8f6 100644
--- a/0009-qemu-cvs-ioctl_nodirection.patch
+++ b/0009-qemu-cvs-ioctl_nodirection.patch
@@ -1,4 +1,4 @@ -From 52fb54142b48ac628585b64abaff7317a6d87cff Mon Sep 17 00:00:00 2001 +From 720dcded9e7c7ebce002e562644bf0b8896f5869 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Tue, 14 Apr 2009 16:27:36 +0200 Subject: [PATCH] qemu-cvs-ioctl_nodirection diff --git a/0010-block-vmdk-Support-creation-of-SCSI.patch b/0010-block-vmdk-Support-creation-of-SCSI.patch index 91dacd18..fb9a73f9 100644 --- a/0010-block-vmdk-Support-creation-of-SCSI.patch +++ b/0010-block-vmdk-Support-creation-of-SCSI.patch @@ -1,4 +1,4 @@ -From 6d9dd264d6ac4687fafb7555fcffa1c83d9485e5 Mon Sep 17 00:00:00 2001 +From 592fcd424bad943c37f895f98e873fff69763709 Mon Sep 17 00:00:00 2001 From: Ulrich Hecht Date: Tue, 14 Apr 2009 16:37:42 +0200 Subject: [PATCH] block/vmdk: Support creation of SCSI VMDK images in qemu-img @@ -82,10 +82,10 @@ index 10d8759..7c0b99c 100644 #define BLOCK_OPT_BACKING_FMT "backing_fmt" #define BLOCK_OPT_CLUSTER_SIZE "cluster_size" diff --git a/qemu-img.c b/qemu-img.c -index 1697762..72c2863 100644 +index 46f2a6d..01e6f4a 100644 --- a/qemu-img.c +++ b/qemu-img.c -@@ -2034,6 +2034,13 @@ static int img_convert(int argc, char **argv) +@@ -2027,6 +2027,13 @@ static int img_convert(int argc, char **argv) } } diff --git a/0011-linux-user-add-binfmt-wrapper-for-a.patch b/0011-linux-user-add-binfmt-wrapper-for-a.patch index 9c5dfa5e..bc9c2925 100644 --- a/0011-linux-user-add-binfmt-wrapper-for-a.patch +++ b/0011-linux-user-add-binfmt-wrapper-for-a.patch @@ -1,4 +1,4 @@ -From 3017006a56470c5e4cc273b3189fc6e12557d5a5 Mon Sep 17 00:00:00 2001 +From d115d3eff851640ed1b6caf43836504fed2bc67f Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Fri, 30 Sep 2011 19:40:36 +0200 Subject: [PATCH] linux-user: add binfmt wrapper for argv[0] handling diff --git a/0012-PPC-KVM-Disable-mmu-notifier-check.patch b/0012-PPC-KVM-Disable-mmu-notifier-check.patch index 9b8adaa4..decfe298 100644 --- a/0012-PPC-KVM-Disable-mmu-notifier-check.patch +++ b/0012-PPC-KVM-Disable-mmu-notifier-check.patch 
@@ -1,4 +1,4 @@
-From c362d4d7e4337bd4a1fcf1f5c6143e09e9bbdb61 Mon Sep 17 00:00:00 2001
+From 2c7559dd752daedcfef00a88923a3df6a913dfd8 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Fri, 6 Jan 2012 01:05:55 +0100
 Subject: [PATCH] PPC: KVM: Disable mmu notifier check
diff --git a/0013-linux-user-fix-segfault-deadlock.patch b/0013-linux-user-fix-segfault-deadlock.patch
index 2e5f4999..d21a8d72 100644
--- a/0013-linux-user-fix-segfault-deadlock.patch
+++ b/0013-linux-user-fix-segfault-deadlock.patch
@@ -1,4 +1,4 @@
-From 0c366b537171e56990a88570ab9fa3ccfab85f82 Mon Sep 17 00:00:00 2001
+From d308696040ad59d4418b398512bd6ca1a072a215 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Fri, 13 Jan 2012 17:05:41 +0100
 Subject: [PATCH] linux-user: fix segfault deadlock
diff --git a/0014-linux-user-binfmt-support-host-bina.patch b/0014-linux-user-binfmt-support-host-bina.patch
index cfa5ed94..b22c57ec 100644
--- a/0014-linux-user-binfmt-support-host-bina.patch
+++ b/0014-linux-user-binfmt-support-host-bina.patch
@@ -1,4 +1,4 @@
-From 9ad6846ed12aff64816568b2b906caf64186be0c Mon Sep 17 00:00:00 2001
+From 88f40fc3cbb0608938135e66f84a054e4c71f3e4 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 2 Feb 2012 18:02:33 +0100
 Subject: [PATCH] linux-user: binfmt: support host binaries
diff --git a/0015-linux-user-Ignore-broken-loop-ioctl.patch b/0015-linux-user-Ignore-broken-loop-ioctl.patch
index 566506d5..dd2399fd 100644
--- a/0015-linux-user-Ignore-broken-loop-ioctl.patch
+++ b/0015-linux-user-Ignore-broken-loop-ioctl.patch
@@ -1,4 +1,4 @@
-From 47c09c52eeba52e67e2e60b8e2a920f182de8144 Mon Sep 17 00:00:00 2001
+From 338fec615a0deb8c3fced6a0f50fa8df40f136b3 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 12 Jun 2012 04:41:10 +0200
 Subject: [PATCH] linux-user: Ignore broken loop ioctl
diff --git a/0016-linux-user-lock-tcg.patch b/0016-linux-user-lock-tcg.patch
index 36c3d5c9..e13c28fe 100644
--- a/0016-linux-user-lock-tcg.patch
+++ b/0016-linux-user-lock-tcg.patch
@@ -1,4 +1,4 @@
-From 7b4e229d286e5c4081a78d55bbab068a17fddcbf Mon Sep 17 00:00:00 2001
+From f70582028f2a2da536e05f059cb82a6dcdcce2cb Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 5 Jul 2012 17:31:39 +0200
 Subject: [PATCH] linux-user: lock tcg
diff --git a/0017-linux-user-Run-multi-threaded-code-.patch b/0017-linux-user-Run-multi-threaded-code-.patch
index 1695fc7e..f62629a0 100644
--- a/0017-linux-user-Run-multi-threaded-code-.patch
+++ b/0017-linux-user-Run-multi-threaded-code-.patch
@@ -1,4 +1,4 @@
-From 52a87acece5dc608eb05cfe35368e6dcb63ed21c Mon Sep 17 00:00:00 2001
+From 63f9ad9031029a99e2207ce13af0c3888bdc3c77 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 10 Jul 2012 20:40:55 +0200
 Subject: [PATCH] linux-user: Run multi-threaded code on a single core
diff --git a/0018-linux-user-lock-tb-flushing-too.patch b/0018-linux-user-lock-tb-flushing-too.patch
index 62eb1e98..46fb12a7 100644
--- a/0018-linux-user-lock-tb-flushing-too.patch
+++ b/0018-linux-user-lock-tb-flushing-too.patch
@@ -1,4 +1,4 @@
-From 59fee72689eddc2ada6307ed855828bb762b4a8c Mon Sep 17 00:00:00 2001
+From 8de35823c9f03e06ce40870e6cd04ce1c0a44be2 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 11 Jul 2012 16:47:42 +0200
 Subject: [PATCH] linux-user: lock tb flushing too
diff --git a/0019-linux-user-Fake-proc-cpuinfo.patch b/0019-linux-user-Fake-proc-cpuinfo.patch
index 276cfa3c..bfd666b0 100644
--- a/0019-linux-user-Fake-proc-cpuinfo.patch
+++ b/0019-linux-user-Fake-proc-cpuinfo.patch
@@ -1,4 +1,4 @@
-From ce9b4d41b0828783ce84fe814e5fd863cfb351ba Mon Sep 17 00:00:00 2001
+From e5ecc65e4ae5d85fd0645eacfed60757cef04c1a Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 23 Jul 2012 10:24:14 +0200
 Subject: [PATCH] linux-user: Fake /proc/cpuinfo
diff --git a/0020-linux-user-implement-FS_IOC_GETFLAG.patch b/0020-linux-user-implement-FS_IOC_GETFLAG.patch
index 37666bad..edc97309 100644
--- a/0020-linux-user-implement-FS_IOC_GETFLAG.patch +++ b/0020-linux-user-implement-FS_IOC_GETFLAG.patch @@ -1,4 +1,4 @@ -From 66b365a0e2355febe34cf84d95251405aec6f708 Mon Sep 17 00:00:00 2001 +From f2bf40c52ebd8618da52c0ab89e38737170d34ec Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Mon, 20 Aug 2012 00:02:52 +0200 Subject: [PATCH] linux-user: implement FS_IOC_GETFLAGS ioctl diff --git a/0021-linux-user-implement-FS_IOC_SETFLAG.patch b/0021-linux-user-implement-FS_IOC_SETFLAG.patch index 4a3f7748..b5507c1b 100644 --- a/0021-linux-user-implement-FS_IOC_SETFLAG.patch +++ b/0021-linux-user-implement-FS_IOC_SETFLAG.patch @@ -1,4 +1,4 @@ -From 59e184c9df705e8abc72a57e89f14ebc58544768 Mon Sep 17 00:00:00 2001 +From 7e407d22128dac3b6dae0393a2173e6ee4878abd Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Mon, 20 Aug 2012 00:07:13 +0200 Subject: [PATCH] linux-user: implement FS_IOC_SETFLAGS ioctl diff --git a/0022-linux-user-XXX-disable-fiemap.patch b/0022-linux-user-XXX-disable-fiemap.patch index 1d801475..18c85886 100644 --- a/0022-linux-user-XXX-disable-fiemap.patch +++ b/0022-linux-user-XXX-disable-fiemap.patch @@ -1,4 +1,4 @@ -From 75832d69b3684fa6222a500c9b8676629d4e1e25 Mon Sep 17 00:00:00 2001 +From 416732418f358a876ee8406eb12925e198155e49 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Tue, 21 Aug 2012 14:20:40 +0200 Subject: [PATCH] linux-user: XXX disable fiemap diff --git a/0023-slirp-nooutgoing.patch b/0023-slirp-nooutgoing.patch index 980077e6..ee5297d9 100644 --- a/0023-slirp-nooutgoing.patch +++ b/0023-slirp-nooutgoing.patch @@ -1,4 +1,4 @@ -From c25692dda0ab777bc1634dfbb42eae412d1fdd50 Mon Sep 17 00:00:00 2001 +From 76603c63b15b71597d8d232d9c8f590598939cb2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Wed, 29 Aug 2012 18:42:56 +0200 Subject: [PATCH] slirp: -nooutgoing @@ -33,7 +33,7 @@ index 6106520..32b25a5 100644 "-singlestep always run in singlestep mode\n", QEMU_ARCH_ALL) STEXI 
diff --git a/slirp/socket.c b/slirp/socket.c -index bd97b2d..6cbd829 100644 +index a10eff1..fec954e 100644 --- a/slirp/socket.c +++ b/slirp/socket.c @@ -608,6 +608,8 @@ sorecvfrom(struct socket *so) @@ -57,9 +57,9 @@ index bd97b2d..6cbd829 100644 + /* Don't care what port we get */ ret = sendto(so->s, m->m_data, m->m_len, 0, - (struct sockaddr *)&addr, sizeof(addr)); + (struct sockaddr *)&addr, sockaddr_size(&addr)); diff --git a/slirp/tcp_subr.c b/slirp/tcp_subr.c -index 32ff452..9a3850d 100644 +index 6b9fef2..e712e21 100644 --- a/slirp/tcp_subr.c +++ b/slirp/tcp_subr.c @@ -391,6 +391,8 @@ tcp_sockclosed(struct tcpcb *tp) @@ -96,7 +96,7 @@ index 32ff452..9a3850d 100644 socket_set_fast_reuse(s); opt = 1; diff --git a/vl.c b/vl.c -index 9df534f..3c36fe9 100644 +index 5fd22cb..18c88ff 100644 --- a/vl.c +++ b/vl.c @@ -162,6 +162,7 @@ int smp_threads = 1; diff --git a/0024-vnc-password-file-and-incoming-conn.patch b/0024-vnc-password-file-and-incoming-conn.patch index db036c40..cd76d558 100644 --- a/0024-vnc-password-file-and-incoming-conn.patch +++ b/0024-vnc-password-file-and-incoming-conn.patch @@ -1,4 +1,4 @@ -From 586df5db147b17cc8d70eff145745912a56ed7b1 Mon Sep 17 00:00:00 2001 +From 1e6837a4cf1e2c757a9ee61f99ffd90dc97e3067 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Wed, 29 Aug 2012 20:06:01 +0200 Subject: [PATCH] vnc: password-file= and incoming-connections= diff --git a/0025-linux-user-add-more-blk-ioctls.patch b/0025-linux-user-add-more-blk-ioctls.patch index 5784c767..c104713d 100644 --- a/0025-linux-user-add-more-blk-ioctls.patch +++ b/0025-linux-user-add-more-blk-ioctls.patch @@ -1,4 +1,4 @@ -From df3c67d7a83d9f2bc4914425c7000a08c27e686f Mon Sep 17 00:00:00 2001 +From 4910a63b38b4b6cd811d59ccf239423f8f6998fc Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Wed, 10 Oct 2012 10:21:20 +0200 Subject: [PATCH] linux-user: add more blk ioctls 
diff --git a/0026-linux-user-use-target_ulong.patch b/0026-linux-user-use-target_ulong.patch
index 6ceaf407..9c04e0cd 100644
--- a/0026-linux-user-use-target_ulong.patch
+++ b/0026-linux-user-use-target_ulong.patch
@@ -1,4 +1,4 @@
-From 34a8db65f986af5c3744a5b030492fbe34b37b4d Mon Sep 17 00:00:00 2001
+From 4a2a102bf012ec39a75498e79d18d7e1cb703bd3 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Tue, 9 Oct 2012 09:06:49 +0200
 Subject: [PATCH] linux-user: use target_ulong
diff --git a/0027-block-Add-support-for-DictZip-enabl.patch b/0027-block-Add-support-for-DictZip-enabl.patch
index cabd39c8..a76ef195 100644
--- a/0027-block-Add-support-for-DictZip-enabl.patch
+++ b/0027-block-Add-support-for-DictZip-enabl.patch
@@ -1,4 +1,4 @@
-From c2257cd730ae7cc445118cee261600318aa0f148 Mon Sep 17 00:00:00 2001
+From e457395b8a52702b4866234bbe641d6044d725e6 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 5 Aug 2009 09:49:37 +0200
 Subject: [PATCH] block: Add support for DictZip enabled gzip files
diff --git a/0028-block-Add-tar-container-format.patch b/0028-block-Add-tar-container-format.patch
index 0ff01ee1..1af499b4 100644
--- a/0028-block-Add-tar-container-format.patch
+++ b/0028-block-Add-tar-container-format.patch
@@ -1,4 +1,4 @@
-From e7f37824f310f22f81d3aa8e0643583309ea8ea7 Mon Sep 17 00:00:00 2001
+From 5e55ea4fdd7fcb2dad3ea1c59889390fe94e38bc Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Wed, 5 Aug 2009 17:28:38 +0200
 Subject: [PATCH] block: Add tar container format
diff --git a/0029-Legacy-Patch-kvm-qemu-preXX-dictzip.patch b/0029-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
index 29cfa0ed..a182ea53 100644
--- a/0029-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
+++ b/0029-Legacy-Patch-kvm-qemu-preXX-dictzip.patch
@@ -1,4 +1,4 @@
-From 9635817a5b678f8e77e02eb9ca693a77433e3045 Mon Sep 17 00:00:00 2001
+From e25606c433e170cb966f2ec6a0e88c9160684d54 Mon Sep 17 00:00:00 2001
From: Alexander Graf
 Date: Wed, 12 Dec 2012 19:11:30 +0100
 Subject: [PATCH] Legacy Patch kvm-qemu-preXX-dictzip3.patch
diff --git a/0030-console-add-question-mark-escape-op.patch b/0030-console-add-question-mark-escape-op.patch
index b68ed014..4b8efd9b 100644
--- a/0030-console-add-question-mark-escape-op.patch
+++ b/0030-console-add-question-mark-escape-op.patch
@@ -1,4 +1,4 @@
-From a42dd03acbea98cbf11f841a78ddf7830fd6d783 Mon Sep 17 00:00:00 2001
+From 543e99f83c5c7aff0675f430f0b7ff6e9e43472d Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Mon, 6 Jun 2011 06:53:52 +0200
 Subject: [PATCH] console: add question-mark escape operator
diff --git a/0031-Make-char-muxer-more-robust-wrt-sma.patch b/0031-Make-char-muxer-more-robust-wrt-sma.patch
index 1193dca7..6949e60f 100644
--- a/0031-Make-char-muxer-more-robust-wrt-sma.patch
+++ b/0031-Make-char-muxer-more-robust-wrt-sma.patch
@@ -1,4 +1,4 @@
-From feca29c048619c102c385e2150a67c62d78435eb Mon Sep 17 00:00:00 2001
+From 7cf495aa2aff024d97b20b87fa87fc17cbbbf5ff Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 1 Apr 2010 17:36:23 +0200
 Subject: [PATCH] Make char muxer more robust wrt small FIFOs
diff --git a/0032-linux-user-lseek-explicitly-cast-no.patch b/0032-linux-user-lseek-explicitly-cast-no.patch
index c4371ff8..46b4d8d0 100644
--- a/0032-linux-user-lseek-explicitly-cast-no.patch
+++ b/0032-linux-user-lseek-explicitly-cast-no.patch
@@ -1,4 +1,4 @@
-From 6d422ead57671b98efbee2da0b3a606de976b8f5 Mon Sep 17 00:00:00 2001
+From 5ac9c6a5e5acfc0ce7b61783533ce3a866d85ec3 Mon Sep 17 00:00:00 2001
 From: Alexander Graf
 Date: Thu, 13 Dec 2012 14:29:22 +0100
 Subject: [PATCH] linux-user: lseek: explicitly cast non-set offsets to signed
diff --git a/0033-virtfs-proxy-helper-Provide-__u64-f.patch b/0033-virtfs-proxy-helper-Provide-__u64-f.patch
index ae8d56e9..25b49fc5 100644
--- a/0033-virtfs-proxy-helper-Provide-__u64-f.patch
+++ b/0033-virtfs-proxy-helper-Provide-__u64-f.patch
@@ -1,4 +1,4 @@ -From 09a9fc2bd1066ed9b5ddbeb4f975461bd93a7b57 Mon Sep 17 00:00:00 2001 +From 0ae16f3d2670b4bd86595f6b9f2b5bd7b6faa438 Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Thu, 16 May 2013 12:39:10 +0200 Subject: [PATCH] virtfs-proxy-helper: Provide __u64 for broken diff --git a/0034-configure-Enable-PIE-for-ppc-and-pp.patch b/0034-configure-Enable-PIE-for-ppc-and-pp.patch index dd47b023..352d3620 100644 --- a/0034-configure-Enable-PIE-for-ppc-and-pp.patch +++ b/0034-configure-Enable-PIE-for-ppc-and-pp.patch @@ -1,4 +1,4 @@ -From 5676fd4e9e421b4400124629916d8e761c62d00d Mon Sep 17 00:00:00 2001 +From 96642b20aa9624ffa934c24c22da03b184ee2c9f Mon Sep 17 00:00:00 2001 From: Dinar Valeev Date: Wed, 2 Oct 2013 17:56:03 +0200 Subject: [PATCH] configure: Enable PIE for ppc and ppc64 hosts @@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure b/configure -index ab54f3c..f8b8391 100755 +index c37fc5f..94035eb 100755 --- a/configure +++ b/configure @@ -1537,7 +1537,7 @@ fi diff --git a/0035-qtest-Increase-socket-timeout.patch b/0035-qtest-Increase-socket-timeout.patch index 7ff4cf32..1e09144c 100644 --- a/0035-qtest-Increase-socket-timeout.patch +++ b/0035-qtest-Increase-socket-timeout.patch @@ -1,4 +1,4 @@ -From 79c0f63ce2a8ebfb9a32fd05845ec439756c6a86 Mon Sep 17 00:00:00 2001 +From 9aff904100fd11df814e8498cf9dd3d8c7810562 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Thu, 17 Apr 2014 18:39:10 +0200 Subject: [PATCH] qtest: Increase socket timeout diff --git a/0036-AIO-Reduce-number-of-threads-for-32.patch b/0036-AIO-Reduce-number-of-threads-for-32.patch index b17e9b76..14c9fb7b 100644 --- a/0036-AIO-Reduce-number-of-threads-for-32.patch +++ b/0036-AIO-Reduce-number-of-threads-for-32.patch @@ -1,4 +1,4 @@ -From 8afc9f3a0bac1b63c6cf1da4e1abb680bd3127e6 Mon Sep 17 00:00:00 2001 +From b70818ca8b9ca9ea88460c97b59c8e73e0c96bc8 Mon Sep 17 00:00:00 2001 
From: Alexander Graf Date: Wed, 14 Jan 2015 01:32:11 +0100 Subject: [PATCH] AIO: Reduce number of threads for 32bit hosts diff --git a/0037-configure-Enable-libseccomp-for-ppc.patch b/0037-configure-Enable-libseccomp-for-ppc.patch index 62106d45..0c04207c 100644 --- a/0037-configure-Enable-libseccomp-for-ppc.patch +++ b/0037-configure-Enable-libseccomp-for-ppc.patch @@ -1,4 +1,4 @@ -From de7e0973fc8fe7f097999135fcb65b0a830a1eff Mon Sep 17 00:00:00 2001 +From b44837ddb7fe9d43d70dc4260e4e9561d68ebc04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Tue, 14 Apr 2015 18:42:06 +0200 Subject: [PATCH] configure: Enable libseccomp for ppc @@ -14,7 +14,7 @@ Signed-off-by: Andreas Färber 1 file changed, 3 insertions(+) diff --git a/configure b/configure -index f8b8391..593e865 100755 +index 94035eb..4efabe3 100755 --- a/configure +++ b/configure @@ -1879,6 +1879,9 @@ if test "$seccomp" != "no" ; then diff --git a/0038-dictzip-Fix-on-big-endian-systems.patch b/0038-dictzip-Fix-on-big-endian-systems.patch index 0a8eb4f2..2409dd9a 100644 --- a/0038-dictzip-Fix-on-big-endian-systems.patch +++ b/0038-dictzip-Fix-on-big-endian-systems.patch @@ -1,4 +1,4 @@ -From cce7d2ee8a4d6dd434b7a28a9edd59ff504b53ae Mon Sep 17 00:00:00 2001 +From ab4667c328ab637aabd54364658e8d047297eb54 Mon Sep 17 00:00:00 2001 From: Alexander Graf Date: Mon, 15 Jun 2015 17:36:32 +0200 Subject: [PATCH] dictzip: Fix on big endian systems diff --git a/0039-block-split-large-discard-requests-.patch b/0039-block-split-large-discard-requests-.patch index 57247a94..f83bc16c 100644 --- a/0039-block-split-large-discard-requests-.patch +++ b/0039-block-split-large-discard-requests-.patch @@ -1,4 +1,4 @@ -From 328eda4d196550c8dab103cd9ff7a45888834111 Mon Sep 17 00:00:00 2001 +From 33fcb26d3770b6ff5019d796595675a3275bfe46 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Thu, 24 Mar 2016 14:32:39 +0100 Subject: [PATCH] block: split large discard requests from block frontend 
diff --git a/0040-xen_disk-Add-suse-specific-flush-di.patch b/0040-xen_disk-Add-suse-specific-flush-di.patch index 370af375..91b58ceb 100644 --- a/0040-xen_disk-Add-suse-specific-flush-di.patch +++ b/0040-xen_disk-Add-suse-specific-flush-di.patch @@ -1,4 +1,4 @@ -From 903848e6ee598edb5303a8ad8bea38aee0eb5883 Mon Sep 17 00:00:00 2001 +From 529b4b3328e96f55ae0a44d1293616f426077a0b Mon Sep 17 00:00:00 2001 From: Bruce Rogers Date: Wed, 9 Mar 2016 15:18:11 -0700 Subject: [PATCH] xen_disk: Add suse specific flush disable handling and map to diff --git a/0041-build-link-with-libatomic-on-powerp.patch b/0041-build-link-with-libatomic-on-powerp.patch index 34c9f101..5eecf7a5 100644 --- a/0041-build-link-with-libatomic-on-powerp.patch +++ b/0041-build-link-with-libatomic-on-powerp.patch @@ -1,4 +1,4 @@ -From 7e1f77646a047c0c160274c2c6bf5440ea1856d2 Mon Sep 17 00:00:00 2001 +From 260d6920548a51e773c2bdca0a2770a3083404a2 Mon Sep 17 00:00:00 2001 From: Olaf Hering Date: Fri, 1 Apr 2016 12:27:16 +0200 Subject: [PATCH] build: link with libatomic on powerpc-linux @@ -14,7 +14,7 @@ Signed-off-by: Olaf Hering 1 file changed, 27 insertions(+) diff --git a/configure b/configure -index 593e865..478631e 100755 +index 4efabe3..b455035 100755 --- a/configure +++ b/configure @@ -4032,6 +4032,33 @@ if test "$usb_redir" != "no" ; then diff --git a/0042-net-mipsnet-check-packet-length-aga.patch b/0042-net-mipsnet-check-packet-length-aga.patch new file mode 100644 index 00000000..f025b7f6 --- /dev/null +++ b/0042-net-mipsnet-check-packet-length-aga.patch 
@@ -0,0 +1,33 @@
+From 53260b0f3e1426185786f5fe45f99ca1ded84062 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 7 Apr 2016 04:27:00 -0600
+Subject: [PATCH] net: mipsnet: check packet length against buffer
+
+When receiving packets over MIPSnet network device, it uses
+ receive buffer of size 1514 bytes. In case the controller
+accepts large(MTU) packets, it could lead to memory corruption.
+Add check to avoid it.
+
+Reported by: Oleksandr Bazhaniuk
+
+Signed-off-by: Prasad J Pandit
+[BR: BSC#975136 CVE-2016-4002]
+Signed-off-by: Bruce Rogers
+---
+ hw/net/mipsnet.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
+index 740cd98..cf8b823 100644
+--- a/hw/net/mipsnet.c
++++ b/hw/net/mipsnet.c
+@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
+ if (!mipsnet_can_receive(nc))
+ return 0;
+
++ if (size >= sizeof(s->rx_buffer)) {
++ return 0;
++ }
+ s->busy = 1;
+
+ /* Just accept everything. */
diff --git a/0043-i386-kvmvapic-initialise-imm32-vari.patch b/0043-i386-kvmvapic-initialise-imm32-vari.patch
new file mode 100644
index 00000000..9b0b4659
--- /dev/null
+++ b/0043-i386-kvmvapic-initialise-imm32-vari.patch
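Review bot: The new guard `if (size >= sizeof(s->rx_buffer))` returns 0, which, if I have the net-client convention right, tells the queue the packet was not consumed and should be redelivered on the next flush, so an oversize frame could sit at the head of the receive queue instead of being discarded; returning `size` there would consume and drop it, `if (size >= sizeof(s->rx_buffer)) { return size; }`. The `>=` also rejects a frame of exactly sizeof(s->rx_buffer) bytes, which would still fit; if that is deliberate a one-line comment saying so would spare the next reader the question. mipsnet_receive's body continues outside the hunk.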
@@ -0,0 +1,35 @@
+From 4c2fce28b205a0912f1224bdb8dbba2a0d7bf593 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 7 Apr 2016 12:50:08 +0530
+Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
+
+When processing Task Priorty Register(TPR) access, it could leak
+automatic stack variable 'imm32' in patch_instruction().
+Initialise the variable to avoid it.
+
+Reported by: Donghai Zdh
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit
+Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+
+(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
+[BR: BSC#975700 CVE-2016-4020]
+Signed-off-by: Bruce Rogers
+---
+ hw/i386/kvmvapic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index c69f374..ff1e31a 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
+ CPUX86State *env = &cpu->env;
+ VAPICHandlers *handlers;
+ uint8_t opcode[2];
+- uint32_t imm32;
++ uint32_t imm32 = 0;
+ target_ulong current_pc = 0;
+ target_ulong current_cs_base = 0;
+ int current_flags = 0;
diff --git a/0044-esp-check-command-buffer-length-bef.patch b/0044-esp-check-command-buffer-length-bef.patch
new file mode 100644
index 00000000..25673b3d
--- /dev/null
+++ b/0044-esp-check-command-buffer-length-bef.patch
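Review bot: The zero-initialisation at `uint32_t imm32 = 0;` stops the indeterminate value from being used, but nothing in the hunk says which path in patch_instruction() leaves imm32 unassigned, so a later reader cannot tell whether 0 is a meaningful operand or just a guard. A comment on that line, such as `/* not every opcode case below assigns imm32; 0 avoids reading an indeterminate value */`, would record the intent and point at the real gap. patch_instruction's body continues outside the hunk.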
@@ -0,0 +1,42 @@
+From 4a36592c8982234afc9591adb50684c2daed0fbd Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 19 May 2016 16:09:30 +0530
+Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer. While
+writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
+was missing to validate input length. Add check to avoid OOB write
+access.
+
+Fixes CVE-2016-4439.
+
+Reported-by: Li Qiang
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit
+Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
+[BR: CVE-2016-4439 BSC#980711]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/esp.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 8961be2..01497e6 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
+ break;
+ case ESP_FIFO:
+ if (s->do_cmd) {
+- s->cmdbuf[s->cmdlen++] = val & 0xff;
++ if (s->cmdlen < TI_BUFSZ) {
++ s->cmdbuf[s->cmdlen++] = val & 0xff;
++ } else {
++ trace_esp_error_fifo_overrun();
++ }
+ } else if (s->ti_size == TI_BUFSZ - 1) {
+ trace_esp_error_fifo_overrun();
+ } else {
diff --git a/0045-esp-check-dma-length-before-reading.patch b/0045-esp-check-dma-length-before-reading.patch
new file mode 100644
index 00000000..a9c2282a
--- /dev/null
+++ b/0045-esp-check-dma-length-before-reading.patch
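Review bot: The guard `if (s->cmdlen < TI_BUFSZ)` bounds the write with the FIFO constant rather than with the array it protects; `if (s->cmdlen < sizeof(s->cmdbuf)) {` keeps the check tied to cmdbuf if the two sizes ever diverge. The overflow branch only traces and discards the byte, which mirrors the existing `ti_size == TI_BUFSZ - 1` branch below it, so no new error state is introduced. esp_reg_write starts and ends outside the hunk.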
@@ -0,0 +1,76 @@
+From 648083b0e53202c883906a5d57d420a9c6411c89 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Thu, 19 May 2016 16:09:31 +0530
+Subject: [PATCH] esp: check dma length before reading scsi
+ command(CVE-2016-4441)
+
+The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
+FIFO buffer. It is used to handle command and data transfer.
+Routine get_cmd() uses DMA to read scsi commands into this buffer.
+Add check to validate DMA length against buffer size to avoid any
+overrun.
+
+Fixes CVE-2016-4441.
+
+Reported-by: Li Qiang
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit
+Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
+[BR: CVE-2016-4441 BSC#980723]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/esp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
+index 01497e6..591c817 100644
+--- a/hw/scsi/esp.c
++++ b/hw/scsi/esp.c
+@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
+ }
+ }
+
+-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
++static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
+ {
+ uint32_t dmalen;
+ int target;
+@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
+ dmalen = s->rregs[ESP_TCLO];
+ dmalen |= s->rregs[ESP_TCMID] << 8;
+ dmalen |= s->rregs[ESP_TCHI] << 16;
++ if (dmalen > buflen) {
++ return 0;
++ }
+ s->dma_memory_read(s->dma_opaque, buf, dmalen);
+ } else {
+ dmalen = s->ti_size;
+@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
+ s->dma_cb = handle_satn;
+ return;
+ }
+- len = get_cmd(s, buf);
++ len = get_cmd(s, buf, sizeof(buf));
+ if (len)
+ do_cmd(s, buf);
+ }
+@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
+ s->dma_cb = handle_s_without_atn;
+ return;
+ }
+- len = get_cmd(s, buf);
++ len = get_cmd(s, buf, sizeof(buf));
+ if (len) {
do_busid_cmd(s, buf, 0);
+ }
+@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
+ s->dma_cb = handle_satn_stop;
+ return;
+ }
+- s->cmdlen = get_cmd(s, s->cmdbuf);
++ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
+ if (s->cmdlen) {
+ trace_esp_handle_satn_stop(s->cmdlen);
+ s->do_cmd = 1;
diff --git a/0046-scsi-pvscsi-check-command-descripto.patch b/0046-scsi-pvscsi-check-command-descripto.patch
new file mode 100644
index 00000000..78720f9e
--- /dev/null
+++ b/0046-scsi-pvscsi-check-command-descripto.patch
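Review bot: The new `if (dmalen > buflen)` check covers only the DMA branch of get_cmd; the `else` branch visible at the end of the second hunk takes `dmalen = s->ti_size` and, as far as the hunk shows, never compares it with buflen before the data is presumably copied into buf, so the bound the callers now pass is not enforced on that path and the same comparison should precede that copy. buflen is also declared `uint8_t` while callers pass `sizeof(buf)` and `sizeof(s->cmdbuf)`, so any buffer larger than 255 bytes would have its bound silently truncated; `uint32_t buflen` (or `size_t`) removes that hazard. get_cmd's body continues outside the second hunk.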
@@ -0,0 +1,96 @@
+From 2f492d1dceb93302ae10a97ea799e344e52e1a89 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Mon, 23 May 2016 04:49:00 -0600
+Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
+
+Vmware Paravirtual SCSI emulation uses command descriptors to
+process SCSI commands. These descriptors come with their ring
+buffers. A guest could set the ring buffer size to an arbitrary
+value leading to OOB access issue. Add check to avoid it.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+[BR: CVE-2016-4952 BSC#981266]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
+index e690b4e..e1d6d06 100644
+--- a/hw/scsi/vmw_pvscsi.c
++++ b/hw/scsi/vmw_pvscsi.c
+@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
+ return log;
+ }
+
+-static void
++static int
+ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ {
+ int i;
+@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+ uint32_t req_ring_size, cmp_ring_size;
+ m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
+
++ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
++ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
++ return -1;
++ }
+ req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
+ cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
+ txr_len_log2 = pvscsi_log2(req_ring_size - 1);
+@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
+
+ /* Flush ring state page changes */
+ smp_wmb();
++
++ return 0;
+ }
+
+-static void
++static int
+ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+ {
+ int i;
+ uint32_t len_log2;
+ uint32_t ring_size;
+
++ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
++ return -1;
++ }
+ ring_size =
ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
+ len_log2 = pvscsi_log2(ring_size - 1);
+
+@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
+
+ /* Flush ring state page changes */
+ smp_wmb();
++
++ return 0;
+ }
+
+ static void
+@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
+ trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
+
+ pvscsi_dbg_dump_tx_rings_config(rc);
+- pvscsi_ring_init_data(&s->rings, rc);
++ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
++ return PVSCSI_COMMAND_PROCESSING_FAILED;
++ }
++
+ s->rings_info_valid = TRUE;
+ return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
+ }
+@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
+ }
+
+ if (s->rings_info_valid) {
+- pvscsi_ring_init_msg(&s->rings, rc);
++ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
++ return PVSCSI_COMMAND_PROCESSING_FAILED;
++ }
+ s->msg_ring_info_valid = TRUE;
+ }
+ return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
diff --git a/0047-scsi-mptsas-infinite-loop-while-fet.patch b/0047-scsi-mptsas-infinite-loop-while-fet.patch
new file mode 100644
index 00000000..ee94cbab
--- /dev/null
+++ b/0047-scsi-mptsas-infinite-loop-while-fet.patch
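Review bot: The new page-count guards in pvscsi_ring_init_data and pvscsi_ring_init_msg bound only the upper end; a reqRingNumPages, cmpRingNumPages or numPages of 0 still passes and reaches `pvscsi_log2(req_ring_size - 1)` / `pvscsi_log2(ring_size - 1)` with a uint32_t that has wrapped to 0xffffffff, which is not a meaningful ring size, so the same conditions should also reject zero, e.g. `if (!ri->reqRingNumPages || ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES || !ri->cmpRingNumPages || ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {` and `if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {`. In pvscsi_ring_init_data the check also sits after `m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;`, so a rejected setup leaves a stale rs_pa in the ring info even though the caller never sets rings_info_valid; moving the check above that assignment keeps the failure path free of side effects. Both init functions start inside their hunks but end outside them.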
@@ -0,0 +1,45 @@
+From 62f461d944c764953299772d72892daca092fe3f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit
+Date: Tue, 24 May 2016 02:10:00 -0600
+Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
+
+The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
+looks for requests and fetches them. A loop doing that in
+mptsas_fetch_requests() could run infinitely if 's->state' was
+not operational. Move check to avoid such a loop.
+
+Reported-by: Li Qiang
+Signed-off-by: Prasad J Pandit
+[BR: CVE-2016-4964 BSC#981399]
+Signed-off-by: Bruce Rogers
+---
+ hw/scsi/mptsas.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
+index 499c146..be88e16 100644
+--- a/hw/scsi/mptsas.c
++++ b/hw/scsi/mptsas.c
+@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
+ hwaddr addr;
+ int size;
+ 
+- if (s->state != MPI_IOC_STATE_OPERATIONAL) {
+- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
+- return;
+- }
+-
+ /* Read the message header from the guest first. */
+ addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
+ pci_dma_read(pci, addr, req, sizeof(hdr));
+@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
+ {
+ MPTSASState *s = opaque;
+ 
++ if (s->state != MPI_IOC_STATE_OPERATIONAL) {
++ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
++ return;
++ }
+ while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
+ mptsas_fetch_request(s);
+ }
diff --git a/0048-vga-add-sr_vbe-register-set.patch b/0048-vga-add-sr_vbe-register-set.patch
new file mode 100644
index 00000000..5b123f7c
--- /dev/null
+++ b/0048-vga-add-sr_vbe-register-set.patch
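Review bot: With the state check hoisted into mptsas_fetch_requests it now runs once per invocation, so if mptsas_fetch_request can itself move the controller out of MPI_IOC_STATE_OPERATIONAL (it called mptsas_set_fault before this change, and its body past the header read is outside the hunk), the remaining FIFO entries are still fetched and DMA'd while the adapter is already faulted. Re-checking in the loop condition keeps the per-request semantics without reintroducing the spin: `while (s->state == MPI_IOC_STATE_OPERATIONAL && !MPTSAS_FIFO_EMPTY(s, request_post))`. A one-line comment on the hoisted guard would also record why it must not live inside the loop body, e.g. `/* Checked once here: returning from the loop body without popping the FIFO would spin forever. */`.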
@@ -0,0 +1,235 @@
+From b360e87d80afa47ab5e1aaa2d58aac0a83047277 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Tue, 17 May 2016 10:54:54 +0200
+Subject: [PATCH] vga: add sr_vbe register set
+
+Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
+(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
+because it can't freely modify vga registers any more while in vbe mode.
+
+This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
+will fill sr_vbe[] instead of sr[]. Normal vga register reads and
+writes go to sr[]. Any sr register read access happens through a new
+sr() helper function which will read from sr_vbe[] with vbe active and
+from sr[] otherwise.
+
+This way we can allow guests update sr[] registers as they want, without
+allowing them disrupt vbe video modes that way.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Thomas Lamprecht
+Signed-off-by: Gerd Hoffmann
+Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
+(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
+Signed-off-by: Bruce Rogers
+---
+ hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
+ hw/display/vga_int.h | 1 +
+ 2 files changed, 29 insertions(+), 22 deletions(-)
+
+diff --git a/hw/display/vga.c b/hw/display/vga.c
+index 4a55ec6..9ebc54f 100644
+--- a/hw/display/vga.c
++++ b/hw/display/vga.c
+@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
+ return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
+ }
+ 
++static inline uint8_t sr(VGACommonState *s, int idx)
++{
++ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
++}
++
+ static void vga_update_memory_access(VGACommonState *s)
+ {
+ hwaddr base, offset, size;
+@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
+ s->has_chain4_alias = false;
+ s->plane_updated = 0xf;
+ }
+- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
+- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
++ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
++ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
+ offset = 0;
+ switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
+ case 0:
+@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
+ ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
+ vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
+ 
+- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
++ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
+ clock_sel = (s->msr >> 2) & 3;
+ dots = (s->msr & 1) ? 8 : 9;
+ 
+@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
+ printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
+ #endif
+ s->sr[s->sr_index] = val & sr_mask[s->sr_index];
+- vbe_update_vgaregs(s);
+ if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
+ s->update_retrace_info(s);
+ }
+@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
+ 
+ if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
+ shift_control = 0;
+- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
++ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
+ } else {
+ shift_control = 2;
+ /* set chain 4 mode */
+- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
++ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
+ /* activate all planes */
+- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
++ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
+ }
+ s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
+ (shift_control << 5);
+@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
+ break;
+ }
+ 
+- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
++ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
+ /* chain 4 mode : simplest access */
+ assert(addr < s->vram_size);
+ ret = s->vram_ptr[addr];
+@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ break;
+ }
+ 
+- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
++ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
+ /* chain 4 mode : simplest access */
+ plane = addr & 3;
+ mask = (1 << plane);
+- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
+ assert(addr < s->vram_size);
+ s->vram_ptr[addr] = val;
+ #ifdef DEBUG_VGA_MEM
+@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ /* odd/even mode (aka text mode mapping) */
+ plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
+ mask = (1 << plane);
+- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
++ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
+ addr = ((addr & ~1) << 1) | plane;
+ if (addr >= s->vram_size) {
+ return;
+@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
+ 
+ do_write:
+ /* mask data according to sr[2] */
+- mask = s->sr[VGA_SEQ_PLANE_WRITE];
++ mask = sr(s, VGA_SEQ_PLANE_WRITE);
+ s->plane_updated |= mask; /* only used to detect font change */
+ write_mask = mask16[mask];
+ if (addr * sizeof(uint32_t) >= s->vram_size) {
+@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
+ /* total width & height */
+ cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
+ cwidth = 8;
+- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
++ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
+ cwidth = 9;
+ }
+- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
+ cwidth = 16; /* NOTE: no 18 pixel wide */
+ }
+ width = (s->cr[VGA_CRTC_H_DISP] + 1);
+@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
+ int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
+ 
+ /* compute font data address (in plane 2) */
+- v = s->sr[VGA_SEQ_CHARACTER_MAP];
++ v = sr(s, VGA_SEQ_CHARACTER_MAP);
+ offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
+ if (offset != s->font_offsets[0]) {
+ s->font_offsets[0] = offset;
+@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ }
+ 
+ if (shift_control == 0) {
+- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+ disp_width <<= 1;
+ }
+ } else if (shift_control == 1) {
+- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+ disp_width <<= 1;
+ }
+ }
+@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ 
+ if (shift_control == 0) {
+ full_update |= update_palette16(s);
+- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+ v = VGA_DRAW_LINE4D2;
+ } else {
+ v = VGA_DRAW_LINE4;
+@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ bits = 4;
+ } else if (shift_control == 1) {
+ full_update |= update_palette16(s);
+- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
+ v = VGA_DRAW_LINE2D2;
+ } else {
+ v = VGA_DRAW_LINE2;
+@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
+ #if 0
+ printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
+ width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
+- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
++ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
+ #endif
+ addr1 = (s->start_addr * 4);
+ bwidth = (width * bits + 7) / 8;
+@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
+ {
+ s->sr_index = 0;
+ memset(s->sr, '\0', sizeof(s->sr));
++ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
+ s->gr_index = 0;
+ memset(s->gr, '\0', sizeof(s->gr));
+ s->ar_index = 0;
+@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
+ /* total width & height */
+ cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
+ cw = 8;
+- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
++ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
+ cw = 9;
+ }
+- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
++ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
+ cw = 16; /* NOTE: no 18 pixel wide */
+ }
+ width = (s->cr[VGA_CRTC_H_DISP] + 1);
+@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
+ 
+ /* force refresh */
+ s->graphic_mode = -1;
++ vbe_update_vgaregs(s);
+ return 0;
+ }
+ 
+diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
+index bdb43a5..3ce5544 100644
+--- a/hw/display/vga_int.h
++++ b/hw/display/vga_int.h
+@@ -98,6 +98,7 @@ typedef struct VGACommonState {
+ MemoryRegion chain4_alias;
+ uint8_t sr_index;
+ uint8_t sr[256];
++ uint8_t sr_vbe[256];
+ uint8_t gr_index;
+ uint8_t gr[256];
+ uint8_t ar_index;
diff --git a/qemu-2.6.0-rc3.tar.bz2 b/qemu-2.6.0-rc3.tar.bz2
deleted file mode 100644
index 6ab7e654..00000000
--- a/qemu-2.6.0-rc3.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1fd2d10ef0e1775017827bd5d34c59c604a340263c9347c86ec70215d2bc36d8
-size 25790061
diff --git a/qemu-2.6.0-rc3.tar.bz2.sig b/qemu-2.6.0-rc3.tar.bz2.sig
deleted file mode 100644
index 68a9678d..00000000
Binary files a/qemu-2.6.0-rc3.tar.bz2.sig and /dev/null differ
diff --git a/qemu-2.6.0.tar.bz2 b/qemu-2.6.0.tar.bz2
new file mode 100644
index 00000000..97b1a2af
--- /dev/null
+++ b/qemu-2.6.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c9ac4a651b273233d21b8bec32e30507cb9cce7900841febc330956a1a8434ec
+size 25755267
diff --git a/qemu-2.6.0.tar.bz2.sig b/qemu-2.6.0.tar.bz2.sig
new file mode 100644
index 00000000..10f6b0fc
Binary files /dev/null and b/qemu-2.6.0.tar.bz2.sig differ
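Review bot: The new `sr_vbe[256]` field in vga_int.h carries no comment and, as far as this patch's hunks show, is not added to the VGA vmstate; the only thing that repopulates it after migration is the `vbe_update_vgaregs(s)` call added to vga_common_post_load. That contract belongs on the declaration: `uint8_t sr_vbe[256]; /* sequencer regs in effect while VBE is enabled; not migrated, rebuilt by vbe_update_vgaregs() in post_load */`. Within the visible part of vbe_update_vgaregs only three sr_vbe entries are touched, and only by clearing or OR-ing bits, while the new sr() helper reads sr_vbe[] for any index once VBE is on, so every other index yields whatever vga_common_reset left there; a comment on sr() stating that assumption would help the next reader (the rest of vbe_update_vgaregs is outside the hunk, so a copy from sr[] may exist that is not visible here).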
diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index f54b7632..1d7859bc 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes @@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Thu May 26 16:23:33 UTC 2016 - brogers@suse.com + +- Address various security/stability issues +* Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Fix OOB access in MIPSnet emulated controller CVE-2016-4002 (bsc#975136) + 0042-net-mipsnet-check-packet-length-aga.patch +* Fix possible host data leakage to guest from TPR access + CVE-2016-4020 (bsc#975700) + 0043-i386-kvmvapic-initialise-imm32-vari.patch +* Avoid OOB access in 53C9X emulation CVE-2016-4439 (bsc#980711) + 0044-esp-check-command-buffer-length-bef.patch +* Avoid OOB access in 53C9X emulation CVE-2016-4441 (bsc#980723) + 0045-esp-check-dma-length-before-reading.patch +* Avoid OOB access in Vmware PV SCSI emulation CVE-2016-4952 (bsc#981266) + 0046-scsi-pvscsi-check-command-descripto.patch +* Avoid potential DoS in LSI SAS1068 emulation CVE-2016-4964 (bsc#981399) + 0047-scsi-mptsas-infinite-loop-while-fet.patch +* Fix regression in vga behavior - introduced in v2.6.0 CVE-2016-3712 (bsc#978160) + 0048-vga-add-sr_vbe-register-set.patch + +------------------------------------------------------------------- +Wed May 25 21:42:12 UTC 2016 - brogers@suse.com + +- Update to v2.6.0: See http://wiki.qemu-project.org/ChangeLog/2.6 + ------------------------------------------------------------------- Thu Apr 28 15:21:54 UTC 2016 - afaerber@suse.de diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index c9ee4099..b57f0cf0 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec 
@@ -21,9 +21,9 @@ Url: http://www.qemu.org/ Summary: Universal CPU emulator License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC -Version: 2.5.93 +Version: 2.6.0 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2 +Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 # This patch queue is auto-generated from https://github.com/openSUSE/qemu Patch0001: 0001-XXX-dont-dump-core-on-sigabort.patch Patch0002: 0002-XXX-work-around-SA_RESTART-race-wit.patch @@ -66,6 +66,13 @@ Patch0038: 0038-dictzip-Fix-on-big-endian-systems.patch Patch0039: 0039-block-split-large-discard-requests-.patch Patch0040: 0040-xen_disk-Add-suse-specific-flush-di.patch Patch0041: 0041-build-link-with-libatomic-on-powerp.patch +Patch0042: 0042-net-mipsnet-check-packet-length-aga.patch +Patch0043: 0043-i386-kvmvapic-initialise-imm32-vari.patch +Patch0044: 0044-esp-check-command-buffer-length-bef.patch +Patch0045: 0045-esp-check-dma-length-before-reading.patch +Patch0046: 0046-scsi-pvscsi-check-command-descripto.patch +Patch0047: 0047-scsi-mptsas-infinite-loop-while-fet.patch +Patch0048: 0048-vga-add-sr_vbe-register-set.patch # Please do not add patches manually here, run update_git.sh. # this is to make lint happy Source300: qemu-rpmlintrc @@ -118,7 +125,7 @@ emulations. This can be used together with the OBS build script to run cross-architecture builds. %prep -%setup -q -n qemu-2.6.0-rc3 +%setup -q -n qemu-2.6.0 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 @@ -160,6 +167,13 @@ run cross-architecture builds. %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 %build ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ diff --git a/qemu-linux-user.spec.in b/qemu-linux-user.spec.in index 84469e58..b8e7af04 100644 --- a/qemu-linux-user.spec.in +++ b/qemu-linux-user.spec.in 
@@ -23,7 +23,7 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC QEMU_VERSION Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2 +Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 # This patch queue is auto-generated from https://github.com/openSUSE/qemu PATCH_FILES # Please do not add patches manually here, run update_git.sh. @@ -78,7 +78,7 @@ emulations. This can be used together with the OBS build script to run cross-architecture builds. %prep -%setup -q -n qemu-2.6.0-rc3 +%setup -q -n qemu-2.6.0 PATCH_EXEC %build diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index 5b6d83e6..f2b570c0 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes 
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Thu May 26 16:23:33 UTC 2016 - brogers@suse.com + +- Address various security/stability issues +* Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Fix OOB access in MIPSnet emulated controller CVE-2016-4002 (bsc#975136) + 0042-net-mipsnet-check-packet-length-aga.patch +* Fix possible host data leakage to guest from TPR access + CVE-2016-4020 (bsc#975700) + 0043-i386-kvmvapic-initialise-imm32-vari.patch +* Avoid OOB access in 53C9X emulation CVE-2016-4439 (bsc#980711) + 0044-esp-check-command-buffer-length-bef.patch +* Avoid OOB access in 53C9X emulation CVE-2016-4441 (bsc#980723) + 0045-esp-check-dma-length-before-reading.patch +* Avoid OOB access in Vmware PV SCSI emulation CVE-2016-4952 (bsc#981266) + 0046-scsi-pvscsi-check-command-descripto.patch +* Avoid potential DoS in LSI SAS1068 emulation CVE-2016-4964 (bsc#981399) + 0047-scsi-mptsas-infinite-loop-while-fet.patch +* Fix regression in vga behavior - introduced in v2.6.0 CVE-2016-3712 (bsc#978160) + 0048-vga-add-sr_vbe-register-set.patch + +------------------------------------------------------------------- +Wed May 25 21:42:12 UTC 2016 - brogers@suse.com + +- Update to v2.6.0: See http://wiki.qemu-project.org/ChangeLog/2.6 +- Enable SDL2, virglrenderer (for use with virtio-gpu), xfsctl, and + tracing using default log backend +- Build efi pxe roms on x86_64 + ------------------------------------------------------------------- Thu Apr 28 16:37:10 UTC 2016 - afaerber@suse.de diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index 7faeedfd..13b7641b 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec 
@@ -51,10 +51,10 @@ Url: http://www.qemu.org/ Summary: Universal CPU emulator License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC -Version: 2.5.93 +Version: 2.6.0 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2 -Source99: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2.sig +Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 +Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat @@ -107,6 +107,13 @@ Patch0038: 0038-dictzip-Fix-on-big-endian-systems.patch Patch0039: 0039-block-split-large-discard-requests-.patch Patch0040: 0040-xen_disk-Add-suse-specific-flush-di.patch Patch0041: 0041-build-link-with-libatomic-on-powerp.patch +Patch0042: 0042-net-mipsnet-check-packet-length-aga.patch +Patch0043: 0043-i386-kvmvapic-initialise-imm32-vari.patch +Patch0044: 0044-esp-check-command-buffer-length-bef.patch +Patch0045: 0045-esp-check-dma-length-before-reading.patch +Patch0046: 0046-scsi-pvscsi-check-command-descripto.patch +Patch0047: 0047-scsi-mptsas-infinite-loop-while-fet.patch +Patch0048: 0048-vga-add-sr_vbe-register-set.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -122,7 +129,13 @@ Source302: bridge.conf Source400: update_git.sh BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: SDL-devel +%if 0%{?suse_version} >= 1320 +BuildRequires: SDL2-devel +%endif BuildRequires: alsa-devel +%if 0%{?build_x86_fw_from_source} +BuildRequires: binutils-devel +%endif BuildRequires: bluez-devel %if 0%{?suse_version} >= 1130 BuildRequires: brlapi-devel 
@@ -151,10 +164,15 @@ BuildRequires: libbz2-devel BuildRequires: libcacard-devel BuildRequires: libcap-devel BuildRequires: libcap-ng-devel +BuildRequires: libdrm-devel +%if 0%{?suse_version} >= 1320 +BuildRequires: libepoxy-devel +%endif %if 0%{?suse_version} >= 1310 # 12.3 and earlier don't ship a compatible libfdt; use the bundled one there BuildRequires: libfdt1-devel %endif +BuildRequires: libgbm-devel BuildRequires: libgcrypt-devel BuildRequires: libgnutls-devel %if 0%{?suse_version} >= 1315 @@ -200,6 +218,9 @@ BuildRequires: makeinfo %endif BuildRequires: mozilla-nss-devel BuildRequires: ncurses-devel +%if 0%{?build_x86_fw_from_source} +BuildRequires: ovmf-tools +%endif BuildRequires: pkgconfig BuildRequires: pwdutils BuildRequires: python @@ -212,7 +233,7 @@ BuildRequires: systemd %define with_systemd 1 %endif %if %{kvm_available} -BuildRequires: udev +BuildRequires: pkgconfig(udev) %if 0%( pkg-config --exists 'udev > 190' && echo '1' ) == 01 %define _udevrulesdir /usr/lib/udev/rules.d %else @@ -222,6 +243,10 @@ BuildRequires: udev %if 0%{?sles_version} != 11 BuildRequires: usbredir-devel %endif +%if 0%{?suse_version} >= 1320 +BuildRequires: virglrenderer >= 0.4.1 +BuildRequires: virglrenderer-devel >= 0.4.1 +%endif %if 0%{?suse_version} >= 1210 %if 0%{?suse_version} >= 1220 BuildRequires: vte-devel @@ -232,6 +257,7 @@ BuildRequires: vte2-devel %ifarch x86_64 BuildRequires: xen-devel %endif +BuildRequires: xfsprogs-devel %if %{build_x86_fw_from_source} BuildRequires: xz-devel %endif @@ -255,6 +281,9 @@ BuildRequires: qemu-x86 = %version Requires: /usr/sbin/groupadd Requires: pwdutils Requires: timezone +%if %{kvm_available} +Requires(post): udev +%endif Recommends: qemu-block-curl Recommends: qemu-tools Recommends: qemu-x86 
@@ -289,11 +318,15 @@ Suggests: qemu-lang Recommends: qemu-ksm = %{version} %endif +%ifarch x86_64 +%define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \ +efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom} +%endif %define built_firmware_files {bios.bin bios-256k.bin \ sgabios.bin vgabios.bin vgabios-cirrus.bin \ vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \ optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \ -pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom} +pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}} %description QEMU is an extremely well-performing CPU emulator that allows you to @@ -528,6 +561,7 @@ This sub-package contains various tools, including a bridge helper. Summary: Universal CPU emulator -- Guest agent Group: System/Emulators/PC Provides: qemu:%_bindir/qemu-ga +Requires(post): udev %if 0%{?with_systemd} %{?systemd_requires} %endif @@ -616,7 +650,7 @@ This package provides a service file for starting and stopping KSM. %endif # !qemu-testsuite %prep -%setup -q -n qemu-2.6.0-rc3 +%setup -q -n qemu-2.6.0 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 @@ -658,6 +692,13 @@ This package provides a service file for starting and stopping KSM. %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios @@ -766,7 +807,11 @@ rm -f pc-bios/slof.bin --disable-rdma \ %endif --enable-sdl \ +%if 0%{?suse_version} >= 1320 + --with-sdlabi=2.0 \ +%else --with-sdlabi=1.2 \ +%endif %if 0%{?suse_version} > 1320 --enable-seccomp \ %else @@ -788,7 +833,6 @@ rm -f pc-bios/slof.bin --disable-spice \ %endif --enable-tpm \ - --enable-trace-backends=nop \ %if 0%{?sles_version} != 11 --enable-usb-redir \ %else 
@@ -798,6 +842,9 @@ rm -f pc-bios/slof.bin --enable-vde \ --enable-vhdx \ --enable-vhost-net \ +%if 0%{?suse_version} >= 1320 + --enable-virglrenderer \ +%endif --enable-virtfs \ --enable-vnc \ --enable-vnc-jpeg \ @@ -813,6 +860,7 @@ rm -f pc-bios/slof.bin %else --disable-xen \ %endif + --enable-xfsctl \ %if "%{name}" != "qemu-testsuite" @@ -823,6 +871,9 @@ make %{?_smp_mflags} V=1 make %{?_smp_mflags} -C roms bios make %{?_smp_mflags} -C roms seavgabios make %{?_smp_mflags} -C roms pxerom +%ifarch x86_64 +make %{?_smp_mflags} -C roms efirom +%endif make -C roms sgabios %endif %if %{build_slof_from_source} diff --git a/qemu.changes b/qemu.changes index 5b6d83e6..f2b570c0 100644 --- a/qemu.changes +++ b/qemu.changes 
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Thu May 26 16:23:33 UTC 2016 - brogers@suse.com + +- Address various security/stability issues +* Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.6 +* Fix OOB access in MIPSnet emulated controller CVE-2016-4002 (bsc#975136) + 0042-net-mipsnet-check-packet-length-aga.patch +* Fix possible host data leakage to guest from TPR access + CVE-2016-4020 (bsc#975700) + 0043-i386-kvmvapic-initialise-imm32-vari.patch +* Avoid OOB access in 53C9X emulation CVE-2016-4439 (bsc#980711) + 0044-esp-check-command-buffer-length-bef.patch +* Avoid OOB access in 53C9X emulation CVE-2016-4441 (bsc#980723) + 0045-esp-check-dma-length-before-reading.patch +* Avoid OOB access in Vmware PV SCSI emulation CVE-2016-4952 (bsc#981266) + 0046-scsi-pvscsi-check-command-descripto.patch +* Avoid potential DoS in LSI SAS1068 emulation CVE-2016-4964 (bsc#981399) + 0047-scsi-mptsas-infinite-loop-while-fet.patch +* Fix regression in vga behavior - introduced in v2.6.0 CVE-2016-3712 (bsc#978160) + 0048-vga-add-sr_vbe-register-set.patch + +------------------------------------------------------------------- +Wed May 25 21:42:12 UTC 2016 - brogers@suse.com + +- Update to v2.6.0: See http://wiki.qemu-project.org/ChangeLog/2.6 +- Enable SDL2, virglrenderer (for use with virtio-gpu), xfsctl, and + tracing using default log backend +- Build efi pxe roms on x86_64 + ------------------------------------------------------------------- Thu Apr 28 16:37:10 UTC 2016 - afaerber@suse.de diff --git a/qemu.spec b/qemu.spec index 80ebc35d..3768c6b5 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -51,10 +51,10 @@ Url: http://www.qemu.org/ Summary: Universal CPU emulator License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC -Version: 2.5.93 +Version: 2.6.0 Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2 -Source99: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2.sig +Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 +Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat @@ -107,6 +107,13 @@ Patch0038: 0038-dictzip-Fix-on-big-endian-systems.patch Patch0039: 0039-block-split-large-discard-requests-.patch Patch0040: 0040-xen_disk-Add-suse-specific-flush-di.patch Patch0041: 0041-build-link-with-libatomic-on-powerp.patch +Patch0042: 0042-net-mipsnet-check-packet-length-aga.patch +Patch0043: 0043-i386-kvmvapic-initialise-imm32-vari.patch +Patch0044: 0044-esp-check-command-buffer-length-bef.patch +Patch0045: 0045-esp-check-dma-length-before-reading.patch +Patch0046: 0046-scsi-pvscsi-check-command-descripto.patch +Patch0047: 0047-scsi-mptsas-infinite-loop-while-fet.patch +Patch0048: 0048-vga-add-sr_vbe-register-set.patch # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. @@ -122,7 +129,13 @@ Source302: bridge.conf Source400: update_git.sh BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: SDL-devel +%if 0%{?suse_version} >= 1320 +BuildRequires: SDL2-devel +%endif BuildRequires: alsa-devel +%if 0%{?build_x86_fw_from_source} +BuildRequires: binutils-devel +%endif BuildRequires: bluez-devel %if 0%{?suse_version} >= 1130 BuildRequires: brlapi-devel 
@@ -151,10 +164,15 @@ BuildRequires: libbz2-devel BuildRequires: libcacard-devel BuildRequires: libcap-devel BuildRequires: libcap-ng-devel +BuildRequires: libdrm-devel +%if 0%{?suse_version} >= 1320 +BuildRequires: libepoxy-devel +%endif %if 0%{?suse_version} >= 1310 # 12.3 and earlier don't ship a compatible libfdt; use the bundled one there BuildRequires: libfdt1-devel %endif +BuildRequires: libgbm-devel BuildRequires: libgcrypt-devel BuildRequires: libgnutls-devel %if 0%{?suse_version} >= 1315 @@ -200,6 +218,9 @@ BuildRequires: makeinfo %endif BuildRequires: mozilla-nss-devel BuildRequires: ncurses-devel +%if 0%{?build_x86_fw_from_source} +BuildRequires: ovmf-tools +%endif BuildRequires: pkgconfig BuildRequires: pwdutils BuildRequires: python @@ -212,7 +233,7 @@ BuildRequires: systemd %define with_systemd 1 %endif %if %{kvm_available} -BuildRequires: udev +BuildRequires: pkgconfig(udev) %if 0%( pkg-config --exists 'udev > 190' && echo '1' ) == 01 %define _udevrulesdir /usr/lib/udev/rules.d %else @@ -222,6 +243,10 @@ BuildRequires: udev %if 0%{?sles_version} != 11 BuildRequires: usbredir-devel %endif +%if 0%{?suse_version} >= 1320 +BuildRequires: virglrenderer >= 0.4.1 +BuildRequires: virglrenderer-devel >= 0.4.1 +%endif %if 0%{?suse_version} >= 1210 %if 0%{?suse_version} >= 1220 BuildRequires: vte-devel @@ -232,6 +257,7 @@ BuildRequires: vte2-devel %ifarch x86_64 BuildRequires: xen-devel %endif +BuildRequires: xfsprogs-devel %if %{build_x86_fw_from_source} BuildRequires: xz-devel %endif @@ -255,6 +281,9 @@ BuildRequires: qemu-x86 = %version Requires: /usr/sbin/groupadd Requires: pwdutils Requires: timezone +%if %{kvm_available} +Requires(post): udev +%endif Recommends: qemu-block-curl Recommends: qemu-tools Recommends: qemu-x86 
@@ -289,11 +318,15 @@ Suggests: qemu-lang Recommends: qemu-ksm = %{version} %endif +%ifarch x86_64 +%define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \ +efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom} +%endif %define built_firmware_files {bios.bin bios-256k.bin \ sgabios.bin vgabios.bin vgabios-cirrus.bin \ vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \ optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \ -pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom} +pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}} %description QEMU is an extremely well-performing CPU emulator that allows you to @@ -528,6 +561,7 @@ This sub-package contains various tools, including a bridge helper. Summary: Universal CPU emulator -- Guest agent Group: System/Emulators/PC Provides: qemu:%_bindir/qemu-ga +Requires(post): udev %if 0%{?with_systemd} %{?systemd_requires} %endif @@ -616,7 +650,7 @@ This package provides a service file for starting and stopping KSM. %endif # !qemu-testsuite %prep -%setup -q -n qemu-2.6.0-rc3 +%setup -q -n qemu-2.6.0 %patch0001 -p1 %patch0002 -p1 %patch0003 -p1 @@ -658,6 +692,13 @@ This package provides a service file for starting and stopping KSM. %patch0039 -p1 %patch0040 -p1 %patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios @@ -766,7 +807,11 @@ rm -f pc-bios/slof.bin --disable-rdma \ %endif --enable-sdl \ +%if 0%{?suse_version} >= 1320 + --with-sdlabi=2.0 \ +%else --with-sdlabi=1.2 \ +%endif %if 0%{?suse_version} > 1320 --enable-seccomp \ %else @@ -788,7 +833,6 @@ rm -f pc-bios/slof.bin --disable-spice \ %endif --enable-tpm \ - --enable-trace-backends=nop \ %if 0%{?sles_version} != 11 --enable-usb-redir \ %else 
@@ -798,6 +842,9 @@ rm -f pc-bios/slof.bin --enable-vde \ --enable-vhdx \ --enable-vhost-net \ +%if 0%{?suse_version} >= 1320 + --enable-virglrenderer \ +%endif --enable-virtfs \ --enable-vnc \ --enable-vnc-jpeg \ @@ -813,6 +860,7 @@ rm -f pc-bios/slof.bin %else --disable-xen \ %endif + --enable-xfsctl \ %if "%{name}" != "qemu-testsuite" @@ -823,6 +871,9 @@ make %{?_smp_mflags} V=1 make %{?_smp_mflags} -C roms bios make %{?_smp_mflags} -C roms seavgabios make %{?_smp_mflags} -C roms pxerom +%ifarch x86_64 +make %{?_smp_mflags} -C roms efirom +%endif make -C roms sgabios %endif %if %{build_slof_from_source} diff --git a/qemu.spec.in b/qemu.spec.in index 212cf601..54bceddc 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -53,8 +53,8 @@ License: BSD-3-Clause and GPL-2.0 and GPL-2.0+ and LGPL-2.1+ and MIT Group: System/Emulators/PC QEMU_VERSION Release: 0 -Source: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2 -Source99: http://wiki.qemu.org/download/qemu-2.6.0-rc3.tar.bz2.sig +Source: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2 +Source99: http://wiki.qemu.org/download/qemu-2.6.0.tar.bz2.sig Source1: 80-kvm.rules Source2: qemu-ifup Source3: kvm_stat @@ -82,7 +82,13 @@ Source302: bridge.conf Source400: update_git.sh BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: SDL-devel +%if 0%{?suse_version} >= 1320 +BuildRequires: SDL2-devel +%endif BuildRequires: alsa-devel +%if 0%{?build_x86_fw_from_source} +BuildRequires: binutils-devel +%endif BuildRequires: bluez-devel %if 0%{?suse_version} >= 1130 BuildRequires: brlapi-devel 
@@ -111,10 +117,15 @@ BuildRequires: libbz2-devel
 BuildRequires: libcacard-devel
 BuildRequires: libcap-devel
 BuildRequires: libcap-ng-devel
+BuildRequires: libdrm-devel
+%if 0%{?suse_version} >= 1320
+BuildRequires: libepoxy-devel
+%endif
 %if 0%{?suse_version} >= 1310
 # 12.3 and earlier don't ship a compatible libfdt; use the bundled one there
 BuildRequires: libfdt1-devel
 %endif
+BuildRequires: libgbm-devel
 BuildRequires: libgcrypt-devel
 BuildRequires: libgnutls-devel
 %if 0%{?suse_version} >= 1315
@@ -160,6 +171,9 @@ BuildRequires: makeinfo
 %endif
 BuildRequires: mozilla-nss-devel
 BuildRequires: ncurses-devel
+%if 0%{?build_x86_fw_from_source}
+BuildRequires: ovmf-tools
+%endif
 BuildRequires: pkgconfig
 BuildRequires: pwdutils
 BuildRequires: python
@@ -172,7 +186,7 @@ BuildRequires: systemd
 %define with_systemd 1
 %endif
 %if %{kvm_available}
-BuildRequires: udev
+BuildRequires: pkgconfig(udev)
 %if 0%( pkg-config --exists 'udev > 190' && echo '1' ) == 01
 %define _udevrulesdir /usr/lib/udev/rules.d
 %else
@@ -182,6 +196,10 @@ BuildRequires: udev
 %if 0%{?sles_version} != 11
 BuildRequires: usbredir-devel
 %endif
+%if 0%{?suse_version} >= 1320
+BuildRequires: virglrenderer >= 0.4.1
+BuildRequires: virglrenderer-devel >= 0.4.1
+%endif
 %if 0%{?suse_version} >= 1210
 %if 0%{?suse_version} >= 1220
 BuildRequires: vte-devel
@@ -192,6 +210,7 @@ BuildRequires: vte2-devel
 %ifarch x86_64
 BuildRequires: xen-devel
 %endif
+BuildRequires: xfsprogs-devel
 %if %{build_x86_fw_from_source}
 BuildRequires: xz-devel
 %endif
@@ -215,6 +234,9 @@ BuildRequires: qemu-x86 = %version
 Requires: /usr/sbin/groupadd
 Requires: pwdutils
 Requires: timezone
+%if %{kvm_available}
+Requires(post): udev
+%endif
 Recommends: qemu-block-curl
 Recommends: qemu-tools
 Recommends: qemu-x86
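Review bot: `BuildRequires: libdrm-devel` and `BuildRequires: libgbm-devel` are added unconditionally in the first hunk, while `libepoxy-devel` in the same hunk and `virglrenderer` / `virglrenderer-devel` in hunk `@@ -182,6 +196,10 @@` are gated on suse_version >= 1320, the same condition that enables `--enable-virglrenderer` in the configure call. If the two new libraries exist only to serve that OpenGL/virgl path, they should carry the same `%if 0%{?suse_version} >= 1320` guard so older targets do not grow build dependencies they cannot use; if something else consumes them there, a comment such as `# libdrm/libgbm: needed on all targets for <consumer>` (placeholder) would record it. Which of the two applies is not visible in this diff.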
@@ -249,11 +271,15 @@ Suggests: qemu-lang
 Recommends: qemu-ksm = %{version}
 %endif
+%ifarch x86_64
+%define x86_64_only_b_f_f {efi-e1000.rom efi-eepro100.rom \
+efi-pcnet.rom efi-ne2k_pci.rom efi-rtl8139.rom efi-virtio.rom}
+%endif
 %define built_firmware_files {bios.bin bios-256k.bin \
 sgabios.bin vgabios.bin vgabios-cirrus.bin \
 vgabios-stdvga.bin vgabios-virtio.bin vgabios-vmware.bin vgabios-qxl.bin \
 optionrom/linuxboot.bin optionrom/multiboot.bin optionrom/kvmvapic.bin \
-pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom}
+pxe-e1000.rom pxe-pcnet.rom pxe-ne2k_pci.rom pxe-rtl8139.rom pxe-eepro100.rom pxe-virtio.rom %{?x86_64_only_b_f_f}}
 %description
 QEMU is an extremely well-performing CPU emulator that allows you to
@@ -488,6 +514,7 @@ This sub-package contains various tools, including a bridge helper.
 Summary: Universal CPU emulator -- Guest agent
 Group: System/Emulators/PC
 Provides: qemu:%_bindir/qemu-ga
+Requires(post): udev
 %if 0%{?with_systemd}
 %{?systemd_requires}
 %endif
@@ -576,7 +603,7 @@ This package provides a service file for starting and stopping KSM.
 %endif # !qemu-testsuite
 %prep
-%setup -q -n qemu-2.6.0-rc3
+%setup -q -n qemu-2.6.0
 PATCH_EXEC
 %if %{build_x86_fw_from_source}
@@ -686,7 +713,11 @@ rm -f pc-bios/slof.bin
 --disable-rdma \
 %endif
 --enable-sdl \
+%if 0%{?suse_version} >= 1320
+ --with-sdlabi=2.0 \
+%else
 --with-sdlabi=1.2 \
+%endif
 %if 0%{?suse_version} > 1320
 --enable-seccomp \
 %else
@@ -708,7 +739,6 @@ rm -f pc-bios/slof.bin
 --disable-spice \
 %endif
 --enable-tpm \
- --enable-trace-backends=nop \
 %if 0%{?sles_version} != 11
 --enable-usb-redir \
 %else
@@ -718,6 +748,9 @@ rm -f pc-bios/slof.bin
 --enable-vde \
 --enable-vhdx \
 --enable-vhost-net \
+%if 0%{?suse_version} >= 1320
+ --enable-virglrenderer \
+%endif
 --enable-virtfs \
 --enable-vnc \
 --enable-vnc-jpeg \
@@ -733,6 +766,8 @@ rm -f pc-bios/slof.bin
 %else
 --disable-xen \
 %endif
+ --enable-xfsctl \
+
 %if "%{name}" != "qemu-testsuite"
@@ -743,6 +778,9 @@ make %{?_smp_mflags} V=1
 make %{?_smp_mflags} -C roms bios
 make %{?_smp_mflags} -C roms seavgabios
 make %{?_smp_mflags} -C roms pxerom
+%ifarch x86_64
+make %{?_smp_mflags} -C roms efirom
+%endif
 make -C roms sgabios
 %endif
 %if %{build_slof_from_source}
diff --git a/update_git.sh b/update_git.sh
index 2db55207..9fabc005 100644
--- a/update_git.sh
+++ b/update_git.sh
@@ -14,7 +14,7 @@ set -e
 GIT_TREE=git://github.com/openSUSE/qemu.git
 GIT_LOCAL_TREE=~/git/qemu-opensuse
 GIT_BRANCH=opensuse-2.6
-GIT_UPSTREAM_TAG=v2.6.0-rc3
+GIT_UPSTREAM_TAG=v2.6.0
 GIT_DIR=/dev/shm/qemu-factory-git-dir
 CMP_DIR=/dev/shm/qemu-factory-cmp-dir