Accepting request 441247 from home:bfrogers:branches:Virtualization
Refine the reproducible build changes to no longer override linux commands, but rather fix via patches only. Also fix all the recent security issues reported. OBS-URL: https://build.opensuse.org/request/show/441247 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=320
This commit is contained in:
parent
2e9c4a4658
commit
f036a54ad6
45
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
Normal file
45
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From fd5aa800d14fbc8f0a6a75b37ee0e74092dde8cd Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 8 Sep 2016 18:15:54 +0530
|
||||
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
|
||||
|
||||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||
the computed BITMAP and PIXMAP size are checked against the
|
||||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||
Correct these checks to avoid OOB memory access.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
|
||||
[BR: CVE-2016-7170 BSC#998516]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/display/vmware_vga.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
- if (cursor.width > 256 ||
|
||||
- cursor.height > 256 ||
|
||||
- cursor.bpp > 32 ||
|
||||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
+ if (cursor.width > 256
|
||||
+ || cursor.height > 256
|
||||
+ || cursor.bpp > 32
|
||||
+ || SVGA_BITMAP_SIZE(x, y)
|
||||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||
goto badcmd;
|
||||
}
|
||||
|
36
0042-scsi-mptconfig-fix-an-assert-expres.patch
Normal file
36
0042-scsi-mptconfig-fix-an-assert-expres.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From eccd42e2e97bdf76467d48b0cecdd07327c686fd Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 17:36:07 +0530
|
||||
Subject: [PATCH] scsi: mptconfig: fix an assert expression
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, mptsas_config_pack() should assert that the size
|
||||
fits in a byte. However, the size is expressed in 32-bit
|
||||
units, so up to 1020 bytes fit. The assertion was only
|
||||
allowing replies up to 252 bytes, so fix it.
|
||||
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
|
||||
[BR: CVE-2016-7157 BSC#997860]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 7071854..3e4f400 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||
va_end(ap);
|
||||
|
||||
if (data) {
|
||||
- assert(ret < 256 && (ret % 4) == 0);
|
||||
+ assert(ret / 4 < 256 && (ret % 4) == 0);
|
||||
stb_p(*data + 1, ret / 4);
|
||||
}
|
||||
return ret;
|
40
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
Normal file
40
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
Normal file
@ -0,0 +1,40 @@
|
||||
From 3e3bf236d5b712cd5861effaf193093779584c80 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 29 Aug 2016 11:35:37 +0200
|
||||
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
|
||||
|
||||
These issues cause respectively a QEMU crash and a leak of 2 bytes of
|
||||
stack. They were discovered by VictorV of 360 Marvel Team.
|
||||
|
||||
Reported-by: Tom Victor <i-tangtianwen@360.cm>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
|
||||
[BR: CVE-2016-7157 BSC#997860]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/scsi/mptconfig.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 3e4f400..87a416a 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||
{
|
||||
/* VPD - all zeros */
|
||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||
- "s256");
|
||||
+ "*s256");
|
||||
}
|
||||
|
||||
static
|
||||
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
|
||||
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
|
||||
"*l*lwwb*b*b*blww",
|
||||
pcic->vendor_id, pcic->device_id, pcic->revision,
|
||||
- pcic->subsystem_vendor_id,
|
||||
+ pcic->class_id, pcic->subsystem_vendor_id,
|
||||
pcic->subsystem_id);
|
||||
}
|
||||
|
64
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
Normal file
64
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From c08b11cce7dce1fc89c71d3c0de4c5706a89009a Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 6 Sep 2016 02:20:43 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
|
||||
|
||||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||
long time or go into an infinite loop due to two different bugs:
|
||||
|
||||
1) the request descriptor data length is defined to be 64 bit. While
|
||||
building SG list from a request descriptor, it gets truncated to 32bit
|
||||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||
situation large 'dataLen' values when data_length is cast to uint32_t and
|
||||
chunk_size becomes always zero. Fix this by removing the incorrect cast.
|
||||
|
||||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||
element has a zero length. Get out of the loop early when this happens,
|
||||
by introducing an upper limit on the number of SG list elements.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
|
||||
[BR: CVE-2016-7156 BSC#997859]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 5116f4a..73679f8 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
#define PVSCSI_MAX_DEVS (64)
|
||||
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||
|
||||
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||
+
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -634,17 +636,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
- int chunk_size;
|
||||
+ uint32_t chunk_size, elmcnt = 0;
|
||||
uint64_t data_length = r->req.dataLen;
|
||||
PVSCSISGState sg = r->sg;
|
||||
- while (data_length) {
|
||||
- while (!sg.resid) {
|
||||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||
pvscsi_get_next_sg_elem(&sg);
|
||||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||
r->sg.resid);
|
||||
}
|
||||
- assert(data_length > 0);
|
||||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||
+ chunk_size = MIN(data_length, sg.resid);
|
||||
if (chunk_size) {
|
||||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||
}
|
32
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
Normal file
32
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From c559aa30371dc110e2b13e5006a327aab6503ac7 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 13 Sep 2016 03:20:03 -0700
|
||||
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
|
||||
|
||||
If the xhci uses msix, it doesn't free the corresponding
|
||||
memory, thus leading a memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
|
||||
[BR: CVE-2016-7466 BSC#1000345]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 188f954..281a2a5 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||
/* destroy msix memory region */
|
||||
if (dev->msix_table && dev->msix_pba
|
||||
&& dev->msix_entry_used) {
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||
}
|
||||
|
||||
usb_bus_release(&xhci->bus);
|
35
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
Normal file
35
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 9115b36311e918d6ccea499ff5767508b72250e6 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 12 Sep 2016 18:14:11 +0530
|
||||
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
|
||||
|
||||
When processing IO request in mptsas, it uses g_new to allocate
|
||||
a 'req' object. If an error occurs before 'req->sreq' is
|
||||
allocated, It could lead to an OOB write in mptsas_free_request
|
||||
function. Use g_new0 to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
|
||||
[BR: CVE-2016-7423 BSC#1000397]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/scsi/mptsas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 0e0a22f..eaae1bb 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- req = g_new(MPTSASRequest, 1);
|
||||
+ req = g_new0(MPTSASRequest, 1);
|
||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||
req->scsi_io = *scsi_io;
|
||||
req->dev = s;
|
38
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
Normal file
38
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From a6cfc94b9a325993d6d77022ae8d0fd0cc77d117 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Sep 2016 15:09:12 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
|
||||
|
||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||
always returned positive value. Limit IO loop to the ring size.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
|
||||
[BR: CVE-2016-7421 BSC#999661]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 73679f8..efa5459 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -253,8 +253,11 @@ static hwaddr
|
||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||
{
|
||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
|
||||
- if (ready_ptr != mgr->consumed_ptr) {
|
||||
+ if (ready_ptr != mgr->consumed_ptr
|
||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||
uint32_t next_ready_ptr =
|
||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||
uint32_t next_ready_page =
|
38
0048-virtio-add-check-for-descriptor-s-m.patch
Normal file
38
0048-virtio-add-check-for-descriptor-s-m.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From db87d12d0e7e3720ebc0283aced8077f43e29963 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 19 Sep 2016 23:55:45 +0530
|
||||
Subject: [PATCH] virtio: add check for descriptor's mapped address
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
If its size is too large, 'cpu_physical_memory_map' could return
|
||||
a null address. This would result in a null dereference while
|
||||
un-mapping descriptors. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
|
||||
[BR: CVE-2016-7422 BSC#1000346]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 74c085c..eabe573 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
}
|
||||
|
||||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||
+ if (!iov[num_sg].iov_base) {
|
||||
+ error_report("virtio: bogus descriptor or out of resources");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
iov[num_sg].iov_len = len;
|
||||
addr[num_sg] = pa;
|
||||
|
52
0049-net-mcf-limit-buffer-descriptor-cou.patch
Normal file
52
0049-net-mcf-limit-buffer-descriptor-cou.patch
Normal file
@ -0,0 +1,52 @@
|
||||
From 60f6f3204dcfbb6c7518751061abc99ddd9b2c97 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||
Subject: [PATCH] net: mcf: limit buffer descriptor count
|
||||
|
||||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
|
||||
[BR: CVE-2016-7908 BSC#1002550]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/net/mcf_fec.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 0ee8ad9..d31fea1 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||
#define DPRINTF(fmt, ...) do {} while(0)
|
||||
#endif
|
||||
|
||||
+#define FEC_MAX_DESC 1024
|
||||
#define FEC_MAX_FRAME_SIZE 2032
|
||||
|
||||
typedef struct {
|
||||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
uint32_t addr;
|
||||
mcf_fec_bd bd;
|
||||
int frame_size;
|
||||
- int len;
|
||||
+ int len, descnt = 0;
|
||||
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr;
|
||||
|
||||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
ptr = frame;
|
||||
frame_size = 0;
|
||||
addr = s->tx_descriptor;
|
||||
- while (1) {
|
||||
+ while (descnt++ < FEC_MAX_DESC) {
|
||||
mcf_fec_read_bd(&bd, addr);
|
||||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||
addr, bd.flags, bd.length, bd.data);
|
32
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
Normal file
32
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 9d2c9efdb4d8b49689517271db3420c6de75278d Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:48:35 -0700
|
||||
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), if the page
|
||||
select(PG) field value is out of bands it will return. In this
|
||||
situation the ehci's sg list is not freed thus leading to a memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
|
||||
[BR: CVE-2016-7995 BSC#1003612]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index b093db7..f4ece9a 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
if (off + len > 4096) {
|
||||
/* transfer crosses page border */
|
||||
if (pg == 6) {
|
||||
+ qemu_sglist_destroy(&ehci->isgl);
|
||||
return -1; /* avoid page pg + 1 */
|
||||
}
|
||||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
68
0051-xhci-limit-the-number-of-link-trbs-.patch
Normal file
68
0051-xhci-limit-the-number-of-link-trbs-.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From 8e5cea1968f6fe19792237cb2abeaf6e7ff3244e Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 10 Oct 2016 12:46:22 +0200
|
||||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
|
||||
|
||||
Needed to avoid we run in circles forever in case the guest builds
|
||||
an endless loop with link trbs.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Tested-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
|
||||
[BR: CVE-2016-8576 BSC#1003878]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 281a2a5..8a9a31a 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -54,6 +54,8 @@
|
||||
* to the specs when it gets them */
|
||||
#define ER_FULL_HACK
|
||||
|
||||
+#define TRB_LINK_LIMIT 4
|
||||
+
|
||||
#define LEN_CAP 0x40
|
||||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
|
||||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
|
||||
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
dma_addr_t *addr)
|
||||
{
|
||||
PCIDevice *pci_dev = PCI_DEVICE(xhci);
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
ring->dequeue += TRB_SIZE;
|
||||
return type;
|
||||
} else {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
ring->dequeue = xhci_mask64(trb->parameter);
|
||||
if (trb->control & TRB_LK_TC) {
|
||||
ring->ccs = !ring->ccs;
|
||||
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
bool ccs = ring->ccs;
|
||||
/* hack to bundle together the two/three TDs that make a setup transfer */
|
||||
bool control_td_set = 0;
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
type = TRB_TYPE(trb);
|
||||
|
||||
if (type == TR_LINK) {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return -length;
|
||||
+ }
|
||||
dequeue = xhci_mask64(trb.parameter);
|
||||
if (trb.control & TRB_LK_TC) {
|
||||
ccs = !ccs;
|
58
0052-9pfs-allocate-space-for-guest-origi.patch
Normal file
58
0052-9pfs-allocate-space-for-guest-origi.patch
Normal file
@ -0,0 +1,58 @@
|
||||
From 2d4128223e6b5a3dff30e0b07435620f1092c5ae Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
|
||||
|
||||
If a guest sends an empty string paramater to any 9P operation, the current
|
||||
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
|
||||
|
||||
This is unfortunate because it can cause NULL pointer dereference to happen
|
||||
at various locations in the 9pfs code. And we don't want to check str->data
|
||||
everywhere we pass it to strcmp() or any other function which expects a
|
||||
dereferenceable pointer.
|
||||
|
||||
This patch enforces the allocation of genuine C empty strings instead, so
|
||||
callers don't have to bother.
|
||||
|
||||
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
|
||||
the returned string is empty. It now uses v9fs_string_size() since
|
||||
name.data cannot be NULL anymore.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
[groug, rewritten title and changelog,
|
||||
fix empty string check in v9fs_xattrwalk()]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit ba42ebb863ab7d40adc79298422ed9596df8f73a)
|
||||
[BR: CVE-2016-8578 BSC#1003894]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
fsdev/9p-iov-marshal.c | 2 +-
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
|
||||
index 663cad5..1d16f8d 100644
|
||||
--- a/fsdev/9p-iov-marshal.c
|
||||
+++ b/fsdev/9p-iov-marshal.c
|
||||
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
|
||||
str->data = g_malloc(str->size + 1);
|
||||
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
|
||||
str->size);
|
||||
- if (copied > 0) {
|
||||
+ if (copied >= 0) {
|
||||
str->data[str->size] = 0;
|
||||
} else {
|
||||
v9fs_string_free(str);
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index dfe293d..a345fe3 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3160,7 +3160,7 @@ static void v9fs_xattrwalk(void *opaque)
|
||||
goto out;
|
||||
}
|
||||
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
|
||||
- if (name.data == NULL) {
|
||||
+ if (!v9fs_string_size(&name)) {
|
||||
/*
|
||||
* listxattr request. Get the size first
|
||||
*/
|
32
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
Normal file
32
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 9f7f59799ea714c512ecfc0e224df66095abf9c0 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix memory leak in v9fs_link
|
||||
|
||||
The v9fs_link() function keeps a reference on the source fid object. This
|
||||
causes a memory leak since the reference never goes down to 0. This patch
|
||||
fixes the issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, rephrased the changelog]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 4c1586787ff43c9acd18a56c12d720e3e6be9f7c)
|
||||
[BR: CVE-2016-9105 BSC#1007494]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/9pfs/9p.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index a345fe3..239aef4 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2402,6 +2402,7 @@ static void v9fs_link(void *opaque)
|
||||
if (!err) {
|
||||
err = offset;
|
||||
}
|
||||
+ put_fid(pdu, oldfidp);
|
||||
out:
|
||||
put_fid(pdu, dfidp);
|
||||
out_nofid:
|
39
0054-9pfs-fix-potential-host-memory-leak.patch
Normal file
39
0054-9pfs-fix-potential-host-memory-leak.patch
Normal file
@ -0,0 +1,39 @@
|
||||
From 5f29f9ab1d097cf326dfa477f75d30117f668b49 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read
|
||||
|
||||
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
|
||||
object thus causing potential memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit e95c9a493a5a8d6f969e86c9f19f80ffe6587e19)
|
||||
[BR: CVE-2016-8577 BSC#1003893]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/9pfs/9p.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 239aef4..4a71cff 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque)
|
||||
if (len < 0) {
|
||||
/* IO error return the error */
|
||||
err = len;
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
} while (count < max_count && len > 0);
|
||||
err = pdu_marshal(pdu, offset, "d", count);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
err += offset + count;
|
||||
+out_free_iovec:
|
||||
qemu_iovec_destroy(&qiov);
|
||||
qemu_iovec_destroy(&qiov_full);
|
||||
} else if (fidp->fid_type == P9_FID_XATTR) {
|
32
0055-9pfs-fix-information-leak-in-xattr-.patch
Normal file
32
0055-9pfs-fix-information-leak-in-xattr-.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 9f8a42e3f35479353ad9b9b5af78e136fd59b509 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix information leak in xattr read
|
||||
|
||||
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
|
||||
reads this memory before writing to it, this will leak host heap memory
|
||||
to the guest. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit eb687602853b4ae656e9236ee4222609f3a6887d)
|
||||
[BR: CVE-2016-9103 BSC#1007454]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 4a71cff..af32464 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3270,7 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
||||
out_nofid:
|
35
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
Normal file
35
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 61eb543d366088cebecaf8fead80d1bd32db7cb2 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
|
||||
|
||||
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
|
||||
situation that this field has been allocated previously. Every time, it
|
||||
will be allocated directly. This leads to a host memory leak issue if
|
||||
the client sends another Txattrcreate message with the same fid number
|
||||
before the fid from the previous time got clunked.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, updated the changelog to indicate how the leak can occur]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
(cherry picked from commit ff55e94d23ae94c8628b0115320157c763eb3e06)
|
||||
[BR: CVE-2016-9102 BSC#1007450]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/9pfs/9p.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index af32464..aa2b8c0 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3270,6 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
+ g_free(xattr_fidp->fs.xattr.value);
|
||||
xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
33
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
Normal file
33
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 1dd9e4b00e2f7eb60436a5a3017042eb7b93a8ff Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix memory leak in v9fs_write
|
||||
|
||||
If an error occurs when marshalling the transfer length to the guest, the
|
||||
v9fs_write() function doesn't free an IO vector, thus leading to a memory
|
||||
leak. This patch fixes the issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, rephrased the changelog]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit fdfcc9aeea1492f4b819a24c94dfb678145b1bf9)
|
||||
[BR: CVE-2016-9106 BSC#1007495]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index aa2b8c0..af07846 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque)
|
||||
offset = 7;
|
||||
err = pdu_marshal(pdu, offset, "d", total);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_qiov;
|
||||
}
|
||||
err += offset;
|
||||
trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
|
37
0058-char-serial-check-divider-value-aga.patch
Normal file
37
0058-char-serial-check-divider-value-aga.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 5a472227730f7f2465baf36716d755ced0300611 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Oct 2016 11:28:08 +0530
|
||||
Subject: [PATCH] char: serial: check divider value against baud base
|
||||
|
||||
16550A UART device uses an oscillator to generate frequencies
|
||||
(baud base), which decide communication speed. This speed could
|
||||
be changed by dividing it by a divider. If the divider is
|
||||
greater than the baud base, speed is set to zero, leading to a
|
||||
divide by zero error. Add check to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 3592fe0c919cf27a81d8e9f9b4f269553418bb01)
|
||||
[BR: CVE-2016-8669 BSC#1004707]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/char/serial.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||
index 3442f47..eec72b7 100644
|
||||
--- a/hw/char/serial.c
|
||||
+++ b/hw/char/serial.c
|
||||
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
|
||||
int speed, parity, data_bits, stop_bits, frame_size;
|
||||
QEMUSerialSetParams ssp;
|
||||
|
||||
- if (s->divider == 0)
|
||||
+ if (s->divider == 0 || s->divider > s->baudbase) {
|
||||
return;
|
||||
+ }
|
||||
|
||||
/* Start bit. */
|
||||
frame_size = 1;
|
37
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
Normal file
37
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From ac4e97299905661397882b588d6d2c08e5df65b0 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 30 Sep 2016 00:27:33 +0530
|
||||
Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
|
||||
|
||||
The AMD PC-Net II emulator has set of control and status(CSR)
|
||||
registers. Of these, CSR76 and CSR78 hold receive and transmit
|
||||
descriptor ring length respectively. This ring length could range
|
||||
from 1 to 65535. Setting ring length to zero leads to an infinite
|
||||
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff)
|
||||
[BR: CVE-2016-7909 BSC#1002557]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/net/pcnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 198a01f..3078de8 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
||||
case 47: /* POLLINT */
|
||||
case 72:
|
||||
case 74:
|
||||
+ break;
|
||||
case 76: /* RCVRL */
|
||||
case 78: /* XMTRL */
|
||||
+ val = (val > 0) ? val : 512;
|
||||
+ break;
|
||||
case 112:
|
||||
if (CSR_STOP(s) || CSR_SPND(s))
|
||||
break;
|
30
0060-net-eepro100-fix-memory-leak-in-dev.patch
Normal file
30
0060-net-eepro100-fix-memory-leak-in-dev.patch
Normal file
@ -0,0 +1,30 @@
|
||||
From c266d999085e07c2cbb9b59b9cf4e39c0c7e2ae0 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sat, 8 Oct 2016 05:07:25 -0700
|
||||
Subject: [PATCH] net: eepro100: fix memory leak in device uninit
|
||||
|
||||
The exit dispatch of eepro100 network card device doesn't free
|
||||
the 's->vmstate' field which was allocated in device realize thus
|
||||
leading a host memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 2634ab7fe29b3f75d0865b719caf8f310d634aae)
|
||||
[BR: CVE-2016-9101 BSC#1007391]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/net/eepro100.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
|
||||
index bab4dbf..4bf71f2 100644
|
||||
--- a/hw/net/eepro100.c
|
||||
+++ b/hw/net/eepro100.c
|
||||
@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
|
||||
EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
|
||||
|
||||
vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
|
||||
+ g_free(s->vmstate);
|
||||
eeprom93xx_free(&pci_dev->qdev, s->eeprom);
|
||||
qemu_del_nic(s->nic);
|
||||
}
|
36
0061-net-rocker-set-limit-to-DMA-buffer-.patch
Normal file
36
0061-net-rocker-set-limit-to-DMA-buffer-.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From 9999bb270b68c8bfb82d37a52515cbbfdc7d900f Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Oct 2016 14:40:55 +0530
|
||||
Subject: [PATCH] net: rocker: set limit to DMA buffer size
|
||||
|
||||
Rocker network switch emulator has test registers to help debug
|
||||
DMA operations. While testing host DMA access, a buffer address
|
||||
is written to register 'TEST_DMA_ADDR' and its size is written to
|
||||
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
|
||||
test, if DMA buffer size was greater than 'INT_MAX', it leads to
|
||||
an invalid buffer access. Limit the DMA buffer size to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 8caed3d564672e8bc6d2e4c6a35228afd01f4723)
|
||||
[BR: CVE-2016-8668 BSC#1004706]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/net/rocker/rocker.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index 30f2ce4..e9d215a 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
||||
rocker_msix_irq(r, val);
|
||||
break;
|
||||
case ROCKER_TEST_DMA_SIZE:
|
||||
- r->test_dma_size = val;
|
||||
+ r->test_dma_size = val & 0xFFFF;
|
||||
break;
|
||||
case ROCKER_TEST_DMA_ADDR + 4:
|
||||
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
|
33
0062-net-vmxnet-initialise-local-tx-desc.patch
Normal file
33
0062-net-vmxnet-initialise-local-tx-desc.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From d77a9e7e19bf1f4697445513df7b67a865bb6d8e Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Thu, 11 Aug 2016 00:42:20 +0530
|
||||
Subject: [PATCH] net: vmxnet: initialise local tx descriptor
|
||||
|
||||
In Vmxnet3 device emulator while processing transmit(tx) queue,
|
||||
when it reaches end of packet, it calls vmxnet3_complete_packet.
|
||||
In that local 'txcq_descr' object is not initialised, which could
|
||||
leak host memory bytes a guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit fdda170e50b8af062cf5741e12c4fb5e57a2eacf)
|
||||
[BR: CVE-2016-6836 BSC#994760]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/net/vmxnet3.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 90f6943..92f6af9 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
|
||||
|
||||
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
|
||||
|
||||
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
|
||||
txcq_descr.txdIdx = tx_ridx;
|
||||
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
|
||||
|
34
0063-net-rtl8139-limit-processing-of-rin.patch
Normal file
34
0063-net-rtl8139-limit-processing-of-rin.patch
Normal file
@ -0,0 +1,34 @@
|
||||
From 854b5adf363ebfb07ad0134079401d62cdf25b77 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 21 Oct 2016 17:39:29 +0530
|
||||
Subject: [PATCH] net: rtl8139: limit processing of ring descriptors
|
||||
|
||||
RTL8139 ethernet controller in C+ mode supports multiple
|
||||
descriptor rings, each with maximum of 64 descriptors. While
|
||||
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
|
||||
it does not limit the descriptor count and runs forever. Add
|
||||
check to avoid it.
|
||||
|
||||
Reported-by: Andrew Henderson <hendersa@icculus.org>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit c7c35916692fe010fef25ac338443d3fe40be225)
|
||||
[BR: CVE-2016-8910 BSC#1006538]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/net/rtl8139.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
||||
index 3345bc6..f05e59c 100644
|
||||
--- a/hw/net/rtl8139.c
|
||||
+++ b/hw/net/rtl8139.c
|
||||
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
|
||||
{
|
||||
int txcount = 0;
|
||||
|
||||
- while (rtl8139_cplus_transmit_one(s))
|
||||
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
|
||||
{
|
||||
++txcount;
|
||||
}
|
38
0064-audio-intel-hda-check-stream-entry-.patch
Normal file
38
0064-audio-intel-hda-check-stream-entry-.patch
Normal file
@ -0,0 +1,38 @@
|
||||
From 1f01b4d6f3d3acc6d0fd5e809b0de4547f4815cc Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 20 Oct 2016 13:10:24 +0530
|
||||
Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
|
||||
|
||||
Intel HDA emulator uses stream of buffers during DMA data
|
||||
transfers. Each entry has buffer length and buffer pointer
|
||||
position, which are used to derive bytes to 'copy'. If this
|
||||
length and buffer pointer were to be same, 'copy' could be
|
||||
set to zero(0), leading to an infinite loop. Add check to
|
||||
avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
|
||||
[BR: CVE-2016-8909 BSC#1006536]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/audio/intel-hda.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
||||
index cd95340..537face 100644
|
||||
--- a/hw/audio/intel-hda.c
|
||||
+++ b/hw/audio/intel-hda.c
|
||||
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
||||
}
|
||||
|
||||
left = len;
|
||||
- while (left > 0) {
|
||||
+ s = st->bentries;
|
||||
+ while (left > 0 && s-- > 0) {
|
||||
copy = left;
|
||||
if (copy > st->bsize - st->lpib)
|
||||
copy = st->bsize - st->lpib;
|
35
0065-virtio-gpu-fix-memory-leak-in-virti.patch
Normal file
35
0065-virtio-gpu-fix-memory-leak-in-virti.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 6562305928517bbc5b2a4525b8baddb58a510666 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:07:11 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In virtio gpu resource create dispatch, if the pixman format is zero
|
||||
it doesn't free the resource object allocated previously. Thus leading
|
||||
a host memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit cb3a0522b694cc5bb6424497b3f828ccd28fd1dd)
|
||||
[BR: CVE-2016-7994 BSC#1003613]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 7fe6ed8..5b6d17b 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
||||
qemu_log_mask(LOG_GUEST_ERROR,
|
||||
"%s: host couldn't handle guest format %d\n",
|
||||
__func__, c2d.format);
|
||||
+ g_free(res);
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
return;
|
||||
}
|
92
0066-9pfs-fix-integer-overflow-issue-in-.patch
Normal file
92
0066-9pfs-fix-integer-overflow-issue-in-.patch
Normal file
@ -0,0 +1,92 @@
|
||||
From a3ada2d4bae5bd45ca8751f47fe59f71cf7355e7 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
|
||||
originated offset: they must ensure this offset does not go beyond
|
||||
the size of the extended attribute that was set in v9fs_xattrcreate().
|
||||
Unfortunately, the current code implement these checks with unsafe
|
||||
calculations on 32 and 64 bit values, which may allow a malicious
|
||||
guest to cause OOB access anyway.
|
||||
|
||||
Fix this by comparing the offset and the xattr size, which are
|
||||
both uint64_t, before trying to compute the effective number of bytes
|
||||
to read or write.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-By: Guido Günther <agx@sigxcpu.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6)
|
||||
[BR: CVE-2016-9104 BSC#1007493]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/9pfs/9p.c | 32 ++++++++++++--------------------
|
||||
1 file changed, 12 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index af07846..fc4f2cd 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
ssize_t err;
|
||||
size_t offset = 7;
|
||||
- int read_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t read_count;
|
||||
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
|
||||
VirtQueueElement *elem = v->elems[pdu->idx];
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- read_count = xattr_len - off;
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
+ read_count = 0;
|
||||
+ } else {
|
||||
+ read_count = fidp->fs.xattr.len - off;
|
||||
+ }
|
||||
if (read_count > max_count) {
|
||||
read_count = max_count;
|
||||
- } else if (read_count < 0) {
|
||||
- /*
|
||||
- * read beyond XATTR value
|
||||
- */
|
||||
- read_count = 0;
|
||||
}
|
||||
err = pdu_marshal(pdu, offset, "d", read_count);
|
||||
if (err < 0) {
|
||||
@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
int i, to_copy;
|
||||
ssize_t err = 0;
|
||||
- int write_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t write_count;
|
||||
size_t offset = 7;
|
||||
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- write_count = xattr_len - off;
|
||||
- if (write_count > count) {
|
||||
- write_count = count;
|
||||
- } else if (write_count < 0) {
|
||||
- /*
|
||||
- * write beyond XATTR value len specified in
|
||||
- * xattrcreate
|
||||
- */
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
err = -ENOSPC;
|
||||
goto out;
|
||||
}
|
||||
+ write_count = fidp->fs.xattr.len - off;
|
||||
+ if (write_count > count) {
|
||||
+ write_count = count;
|
||||
+ }
|
||||
err = pdu_marshal(pdu, offset, "d", write_count);
|
||||
if (err < 0) {
|
||||
return err;
|
32
0067-dma-rc4030-limit-interval-timer-rel.patch
Normal file
32
0067-dma-rc4030-limit-interval-timer-rel.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From 491b61b48cef566df12b5b2191111febd95d1a5c Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Mon, 31 Oct 2016 15:55:14 -0600
|
||||
Subject: [PATCH] dma: rc4030: limit interval timer reload value
|
||||
|
||||
The JAZZ RC4030 chipset emulator has a periodic timer and
|
||||
associated interval reload register. The reload value is used
|
||||
as divider when computing timer's next tick value. If reload
|
||||
value is large, it could lead to divide by zero error. Limit
|
||||
the interval reload value to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
[BR: CVE-2016-8667 BSC#1004702]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/dma/rc4030.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
|
||||
index 2f2576f..c1b4997 100644
|
||||
--- a/hw/dma/rc4030.c
|
||||
+++ b/hw/dma/rc4030.c
|
||||
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
|
||||
break;
|
||||
/* Interval timer reload */
|
||||
case 0x0228:
|
||||
- s->itr = val;
|
||||
+ s->itr = val & 0x01FF;
|
||||
qemu_irq_lower(s->timer_irq);
|
||||
set_next_tick(s);
|
||||
break;
|
47
0068-net-imx-limit-buffer-descriptor-cou.patch
Normal file
47
0068-net-imx-limit-buffer-descriptor-cou.patch
Normal file
@ -0,0 +1,47 @@
|
||||
From b7f162a68696ea14af398de7584cfaf9f2de4509 Mon Sep 17 00:00:00 2001
|
||||
From: P J P <ppandit@redhat.com>
|
||||
Date: Mon, 31 Oct 2016 15:58:47 -0600
|
||||
Subject: [PATCH] net: imx: limit buffer descriptor count
|
||||
|
||||
i.MX Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set an upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
[BR: CVE-2016-7907 BSC#1002549]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
hw/net/imx_fec.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
||||
index 1c415ab..1d74827 100644
|
||||
--- a/hw/net/imx_fec.c
|
||||
+++ b/hw/net/imx_fec.c
|
||||
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
|
||||
#define PHY_INT_PARFAULT (1 << 2)
|
||||
#define PHY_INT_AUTONEG_PAGE (1 << 1)
|
||||
|
||||
+#define IMX_MAX_DESC 1024
|
||||
+
|
||||
static void imx_eth_update(IMXFECState *s);
|
||||
|
||||
/*
|
||||
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
||||
|
||||
static void imx_fec_do_tx(IMXFECState *s)
|
||||
{
|
||||
- int frame_size = 0;
|
||||
+ int frame_size = 0, descnt = 0;
|
||||
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr = frame;
|
||||
uint32_t addr = s->tx_descriptor;
|
||||
|
||||
- while (1) {
|
||||
+ while (descnt++ < IMX_MAX_DESC) {
|
||||
IMXFECBufDesc bd;
|
||||
int len;
|
||||
|
71
0069-roms-Makefile-pass-a-packaging-time.patch
Normal file
71
0069-roms-Makefile-pass-a-packaging-time.patch
Normal file
@ -0,0 +1,71 @@
|
||||
From 265aa090c4da5686ac3ed77285108606a79e4821 Mon Sep 17 00:00:00 2001
|
||||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Sat, 19 Nov 2016 08:06:30 -0700
|
||||
Subject: [PATCH] roms/Makefile: pass a packaging timestamp to subpackages with
|
||||
date info
|
||||
|
||||
Certain rom subpackages build from qemu git-submodules call the date
|
||||
program to include date information in the packaged binaries. This
|
||||
causes repeated builds of the package to be different, wkere the only
|
||||
real difference is due to the fact that time build timestamp has
|
||||
changed. To promote reproducible builds and avoid customers being
|
||||
prompted to update packages needlessly, we'll use the timestamp of the
|
||||
VERSION file as the packaging timestamp for all packages that build in a
|
||||
timestamp for whatever reason.
|
||||
|
||||
[BR: BSC#1011213]
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
roms/Makefile | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/roms/Makefile b/roms/Makefile
|
||||
index 88b3709..eb0640f 100644
|
||||
--- a/roms/Makefile
|
||||
+++ b/roms/Makefile
|
||||
@@ -52,6 +52,12 @@ SEABIOS_EXTRAVERSION="-prebuilt.qemu-project.org"
|
||||
#
|
||||
EFIROM ?= $(shell which EfiRom 2>/dev/null)
|
||||
|
||||
+# NB: Certain SUSE qemu subpackages use date information, but we want
|
||||
+# reproducible builds, so we use a pre-determined timestamp, rather
|
||||
+# than the current timestamp to acheive consistent results build to
|
||||
+# build.
|
||||
+PACKAGING_TIMESTAMP = $(shell date -r ../VERSION +%s)
|
||||
+
|
||||
default:
|
||||
@echo "nothing is build by default"
|
||||
@echo "available build targets:"
|
||||
@@ -105,7 +111,7 @@ build-lgplvgabios:
|
||||
|
||||
.PHONY: sgabios
|
||||
sgabios:
|
||||
- $(MAKE) -C sgabios
|
||||
+ $(MAKE) -C sgabios PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP)
|
||||
cp sgabios/sgabios.bin ../pc-bios
|
||||
|
||||
|
||||
@@ -125,18 +131,22 @@ efi-rom-%: build-pxe-roms build-efi-roms
|
||||
|
||||
build-pxe-roms:
|
||||
$(MAKE) -C ipxe/src CONFIG=qemu \
|
||||
+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
|
||||
CROSS_COMPILE=$(x86_64_cross_prefix) \
|
||||
$(patsubst %,bin/%.rom,$(pxerom_targets))
|
||||
|
||||
build-efi-roms: build-pxe-roms
|
||||
$(MAKE) -C ipxe/src CONFIG=qemu \
|
||||
+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
|
||||
CROSS_COMPILE=$(x86_64_cross_prefix) \
|
||||
$(patsubst %,bin-i386-efi/%.efidrv,$(pxerom_targets)) \
|
||||
$(patsubst %,bin-x86_64-efi/%.efidrv,$(pxerom_targets))
|
||||
|
||||
|
||||
slof:
|
||||
- $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) qemu
|
||||
+ $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) \
|
||||
+ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \
|
||||
+ qemu
|
||||
cp SLOF/boot_rom.bin ../pc-bios/slof.bin
|
||||
|
||||
u-boot.e500:
|
@ -1,13 +1,43 @@
|
||||
--- a/roms/ipxe/src/Makefile.housekeeping
|
||||
+++ b/roms/ipxe/src/Makefile.housekeeping
|
||||
@@ -1074,7 +1074,9 @@ blib : $(BLIB)
|
||||
ipxe:Makefile: fix issues of build reproducibility
|
||||
|
||||
It is desirable to produce the same bits on subsequent
|
||||
builds when the actual code of the package doesn't
|
||||
change. (bsc#1011213)
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
src/Makefile.housekeeping | 13 ++++++++++---
|
||||
1 file changed, 10 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/src/Makefile.housekeeping
|
||||
+++ b/src/Makefile.housekeeping
|
||||
@@ -1079,11 +1079,18 @@ blib : $(BLIB)
|
||||
# Command to generate build ID. Must be unique for each $(BIN)/%.tmp,
|
||||
# even within the same build run.
|
||||
#
|
||||
-BUILD_ID_CMD := perl -e 'printf "0x%08x", int ( rand ( 0xffffffff ) );'
|
||||
+BUILD_ID_DIR := .build_ids
|
||||
+VERYCLEANUP += $(BUILD_ID_DIR)
|
||||
+BUILD_ID_CMD := bash -c 'declare -i i=1 ; mkdir -p $(BUILD_ID_DIR) ; cd $(BUILD_ID_DIR) ; until mkdir "$${i}" 2>/dev/null ; do : $$(( i++ )) ; done ; printf "0x%08x" "$${i}" '
|
||||
+# NB: In the case of the SUSE qemu-ipxe package we want reproducible
|
||||
+# builds, so we just use the TGT_ROM_NAME variable, which is already
|
||||
+# a unique (in the context of the files we generate) hex value suitable
|
||||
+# for specifying the build_id. We no longer define a BUILD_ID_CMD, as
|
||||
+# we need to use the TGT_ROM_NAME variable directly in the link command
|
||||
|
||||
# Build timestamp
|
||||
#
|
||||
-BUILD_TIMESTAMP := $(shell date +%s)
|
||||
+# NB: In the case of the SUSE qemu-ipxe package we want reproducible
|
||||
+# builds, so we use a pre-determined timestamp, rather than the current
|
||||
+# timestamp
|
||||
+BUILD_TIMESTAMP := $(PACKAGING_TIMESTAMP)
|
||||
|
||||
# Build version
|
||||
#
|
||||
@@ -1103,7 +1110,7 @@ $(BIN)/version.%.o : core/version.c $(MA
|
||||
$(BIN)/%.tmp : $(BIN)/version.%.o $(BLIB) $(MAKEDEPS) $(LDSCRIPT)
|
||||
$(QM)$(ECHO) " [LD] $@"
|
||||
$(Q)$(LD) $(LDFLAGS) -T $(LDSCRIPT) $(TGT_LD_FLAGS) $< $(BLIB) -o $@ \
|
||||
- --defsym _build_id=`$(BUILD_ID_CMD)` \
|
||||
+ --defsym _build_id=`$(PRINTF) "0x%b" "$(TGT_ROM_NAME)"` \
|
||||
--defsym _build_timestamp=$(BUILD_TIMESTAMP) \
|
||||
-Map $(BIN)/$*.tmp.map
|
||||
$(Q)$(OBJDUMP) -ht $@ | $(PERL) $(SORTOBJDUMP) >> $(BIN)/$*.tmp.map
|
||||
|
@ -1,3 +1,44 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 19 15:24:08 UTC 2016 - brogers@suse.com
|
||||
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
|
||||
* Patches added:
|
||||
0069-roms-Makefile-pass-a-packaging-time.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 10 21:49:18 UTC 2016 - brogers@suse.com
|
||||
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
|
||||
* Patches added:
|
||||
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
|
||||
0042-scsi-mptconfig-fix-an-assert-expres.patch
|
||||
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
|
||||
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
|
||||
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
|
||||
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
|
||||
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
|
||||
0048-virtio-add-check-for-descriptor-s-m.patch
|
||||
0049-net-mcf-limit-buffer-descriptor-cou.patch
|
||||
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
|
||||
0051-xhci-limit-the-number-of-link-trbs-.patch
|
||||
0052-9pfs-allocate-space-for-guest-origi.patch
|
||||
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
0054-9pfs-fix-potential-host-memory-leak.patch
|
||||
0055-9pfs-fix-information-leak-in-xattr-.patch
|
||||
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
|
||||
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
0058-char-serial-check-divider-value-aga.patch
|
||||
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
|
||||
0060-net-eepro100-fix-memory-leak-in-dev.patch
|
||||
0061-net-rocker-set-limit-to-DMA-buffer-.patch
|
||||
0062-net-vmxnet-initialise-local-tx-desc.patch
|
||||
0063-net-rtl8139-limit-processing-of-rin.patch
|
||||
0064-audio-intel-hda-check-stream-entry-.patch
|
||||
0065-virtio-gpu-fix-memory-leak-in-virti.patch
|
||||
0066-9pfs-fix-integer-overflow-issue-in-.patch
|
||||
0067-dma-rc4030-limit-interval-timer-rel.patch
|
||||
0068-net-imx-limit-buffer-descriptor-cou.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 7 16:14:20 UTC 2016 - afaerber@suse.de
|
||||
|
||||
|
@ -65,6 +65,35 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch
|
||||
Patch0038: 0038-linux-user-properly-test-for-infini.patch
|
||||
Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch
|
||||
Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch
|
||||
Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch
|
||||
Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch
|
||||
Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
|
||||
Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
|
||||
Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
|
||||
Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch
|
||||
Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch
|
||||
Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch
|
||||
Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch
|
||||
Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
|
||||
Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch
|
||||
Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch
|
||||
Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch
|
||||
Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch
|
||||
Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
|
||||
Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
Patch0058: 0058-char-serial-check-divider-value-aga.patch
|
||||
Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch
|
||||
Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch
|
||||
Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch
|
||||
Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch
|
||||
Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch
|
||||
Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch
|
||||
Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch
|
||||
Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch
|
||||
Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch
|
||||
Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch
|
||||
Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch
|
||||
# Please do not add patches manually here, run update_git.sh.
|
||||
# this is to make lint happy
|
||||
Source300: qemu-rpmlintrc
|
||||
@ -158,6 +187,35 @@ run cross-architecture builds.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
%patch0047 -p1
|
||||
%patch0048 -p1
|
||||
%patch0049 -p1
|
||||
%patch0050 -p1
|
||||
%patch0051 -p1
|
||||
%patch0052 -p1
|
||||
%patch0053 -p1
|
||||
%patch0054 -p1
|
||||
%patch0055 -p1
|
||||
%patch0056 -p1
|
||||
%patch0057 -p1
|
||||
%patch0058 -p1
|
||||
%patch0059 -p1
|
||||
%patch0060 -p1
|
||||
%patch0061 -p1
|
||||
%patch0062 -p1
|
||||
%patch0063 -p1
|
||||
%patch0064 -p1
|
||||
%patch0065 -p1
|
||||
%patch0066 -p1
|
||||
%patch0067 -p1
|
||||
%patch0068 -p1
|
||||
%patch0069 -p1
|
||||
|
||||
%build
|
||||
./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \
|
||||
|
@ -1,3 +1,81 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 19 15:24:03 UTC 2016 - brogers@suse.com
|
||||
|
||||
- Refine the approach to producing stable builds in our ROM based
|
||||
packages. All built roms which have hostname or date calls now
|
||||
produce consistent results build to build via patch changes, so
|
||||
remove the hostname and date call workarounds. (bsc#1011213)
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
|
||||
* Patches added:
|
||||
0069-roms-Makefile-pass-a-packaging-time.patch
|
||||
sgabios-stable-buildid.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 19 15:15:03 UTC 2016 - brogers@suse.com
|
||||
|
||||
- Re-enable ceph (rbd) functionality in OBS builds as we've been told
|
||||
the issues which prompted us to disable it are resolved
|
||||
|
||||
- Address various security/stability issues
|
||||
* Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
|
||||
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
|
||||
* Fix DOS in LSI SAS1068 emulation (CVE-2016-7157 bsc#997860)
|
||||
0042-scsi-mptconfig-fix-an-assert-expres.patch
|
||||
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
|
||||
* Fix DOS in Vmware pv scsi interface (CVE-2016-7156 bsc#997859)
|
||||
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
|
||||
* Fix DOS in USB xHCI emulation (CVE-2016-7466 bsc#1000345)
|
||||
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
|
||||
* Fix OOB access in LSI SAS1068 emulation (CVE-2016-7423 bsc#1000397)
|
||||
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
|
||||
* Fix DOS in Vmware pv scsi interface (CVE-2016-7421 bsc#999661)
|
||||
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
|
||||
* Fix NULL pointer dereference in virtio processing
|
||||
(CVE-2016-7422 bsc#1000346)
|
||||
0048-virtio-add-check-for-descriptor-s-m.patch
|
||||
* Fix DOS in ColdFire Fast Ethernet Controller emulation
|
||||
(CVE-2016-7908 bsc#1002550)
|
||||
0049-net-mcf-limit-buffer-descriptor-cou.patch
|
||||
* Fix DOS in USB EHCI emulation (CVE-2016-7995 bsc#1003612)
|
||||
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
|
||||
* Fix DOS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
|
||||
0051-xhci-limit-the-number-of-link-trbs-.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
|
||||
0052-9pfs-allocate-space-for-guest-origi.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
|
||||
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
|
||||
0054-9pfs-fix-potential-host-memory-leak.patch
|
||||
* Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
|
||||
0055-9pfs-fix-information-leak-in-xattr-.patch
|
||||
* Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
|
||||
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
|
||||
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
* Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
|
||||
0058-char-serial-check-divider-value-aga.patch
|
||||
* Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
|
||||
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
|
||||
* Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
|
||||
0060-net-eepro100-fix-memory-leak-in-dev.patch
|
||||
* Fix OOB access in Rocker switch emulation (CVE-2016-8668 bsc#1004706)
|
||||
0061-net-rocker-set-limit-to-DMA-buffer-.patch
|
||||
* Plug data leak in vmxnet3 emulation (CVE-2016-6836 bsc#994760)
|
||||
0062-net-vmxnet-initialise-local-tx-desc.patch
|
||||
* Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
|
||||
0063-net-rtl8139-limit-processing-of-rin.patch
|
||||
* Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
|
||||
0064-audio-intel-hda-check-stream-entry-.patch
|
||||
* Fix DOS in virtio-gpu (CVE-2016-7994 bsc#1003613)
|
||||
0065-virtio-gpu-fix-memory-leak-in-virti.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
|
||||
0066-9pfs-fix-integer-overflow-issue-in-.patch
|
||||
* Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)
|
||||
0067-dma-rc4030-limit-interval-timer-rel.patch
|
||||
* Fix DOS in i.MX NIC emulation (CVE-2016-7907 bsc#1002549)
|
||||
0068-net-imx-limit-buffer-descriptor-cou.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 11 11:11:11 UTC 2016 - ohering@suse.de
|
||||
|
||||
|
@ -127,15 +127,50 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch
|
||||
Patch0038: 0038-linux-user-properly-test-for-infini.patch
|
||||
Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch
|
||||
Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch
|
||||
Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch
|
||||
Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch
|
||||
Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
|
||||
Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
|
||||
Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
|
||||
Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch
|
||||
Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch
|
||||
Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch
|
||||
Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch
|
||||
Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
|
||||
Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch
|
||||
Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch
|
||||
Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch
|
||||
Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch
|
||||
Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
|
||||
Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
Patch0058: 0058-char-serial-check-divider-value-aga.patch
|
||||
Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch
|
||||
Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch
|
||||
Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch
|
||||
Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch
|
||||
Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch
|
||||
Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch
|
||||
Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch
|
||||
Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch
|
||||
Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch
|
||||
Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch
|
||||
Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
%if %{build_x86_fw_from_source}
|
||||
# SeaBIOS
|
||||
# SeaBIOS / SeaVGABIOS
|
||||
# PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit
|
||||
Patch1000: seabios_128kb.patch
|
||||
|
||||
# ipxe
|
||||
Patch1100: ipxe-stable-buildid.patch
|
||||
|
||||
# sgabios
|
||||
Patch1200: sgabios-stable-buildid.patch
|
||||
|
||||
# SLOF
|
||||
# (currently no patches)
|
||||
%endif
|
||||
|
||||
@ -747,12 +782,49 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
%patch0047 -p1
|
||||
%patch0048 -p1
|
||||
%patch0049 -p1
|
||||
%patch0050 -p1
|
||||
%patch0051 -p1
|
||||
%patch0052 -p1
|
||||
%patch0053 -p1
|
||||
%patch0054 -p1
|
||||
%patch0055 -p1
|
||||
%patch0056 -p1
|
||||
%patch0057 -p1
|
||||
%patch0058 -p1
|
||||
%patch0059 -p1
|
||||
%patch0060 -p1
|
||||
%patch0061 -p1
|
||||
%patch0062 -p1
|
||||
%patch0063 -p1
|
||||
%patch0064 -p1
|
||||
%patch0065 -p1
|
||||
%patch0066 -p1
|
||||
%patch0067 -p1
|
||||
%patch0068 -p1
|
||||
%patch0069 -p1
|
||||
|
||||
%if %{build_x86_fw_from_source}
|
||||
pushd roms/seabios
|
||||
%patch1000 -p1
|
||||
popd
|
||||
pushd roms/ipxe
|
||||
%patch1100 -p1
|
||||
popd
|
||||
|
||||
pushd roms/sgabios
|
||||
%patch1200 -p1
|
||||
popd
|
||||
|
||||
pushd roms/SLOF
|
||||
# (currently no patches)
|
||||
popd
|
||||
|
||||
@ -768,6 +840,7 @@ rm -f pc-bios/slof.bin
|
||||
%endif
|
||||
|
||||
%build
|
||||
echo '%{version}' > roms/seabios/.version
|
||||
./configure \
|
||||
--prefix=%_prefix \
|
||||
--sysconfdir=%_sysconfdir \
|
||||
|
78
qemu.changes
78
qemu.changes
@ -1,3 +1,81 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 19 15:24:03 UTC 2016 - brogers@suse.com
|
||||
|
||||
- Refine the approach to producing stable builds in our ROM based
|
||||
packages. All built roms which have hostname or date calls now
|
||||
produce consistent results build to build via patch changes, so
|
||||
remove the hostname and date call workarounds. (bsc#1011213)
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
|
||||
* Patches added:
|
||||
0069-roms-Makefile-pass-a-packaging-time.patch
|
||||
sgabios-stable-buildid.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 19 15:15:03 UTC 2016 - brogers@suse.com
|
||||
|
||||
- Re-enable ceph (rbd) functionality in OBS builds as we've been told
|
||||
the issues which prompted us to disable it are resolved
|
||||
|
||||
- Address various security/stability issues
|
||||
* Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516)
|
||||
0041-vmsvga-correct-bitmap-and-pixmap-si.patch
|
||||
* Fix DOS in LSI SAS1068 emulation (CVE-2016-7157 bsc#997860)
|
||||
0042-scsi-mptconfig-fix-an-assert-expres.patch
|
||||
0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
|
||||
* Fix DOS in Vmware pv scsi interface (CVE-2016-7156 bsc#997859)
|
||||
0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
|
||||
* Fix DOS in USB xHCI emulation (CVE-2016-7466 bsc#1000345)
|
||||
0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
|
||||
* Fix OOB access in LSI SAS1068 emulation (CVE-2016-7423 bsc#1000397)
|
||||
0046-scsi-mptsas-use-g_new0-to-allocate-.patch
|
||||
* Fix DOS in Vmware pv scsi interface (CVE-2016-7421 bsc#999661)
|
||||
0047-scsi-pvscsi-limit-process-IO-loop-t.patch
|
||||
* Fix NULL pointer dereference in virtio processing
|
||||
(CVE-2016-7422 bsc#1000346)
|
||||
0048-virtio-add-check-for-descriptor-s-m.patch
|
||||
* Fix DOS in ColdFire Fast Ethernet Controller emulation
|
||||
(CVE-2016-7908 bsc#1002550)
|
||||
0049-net-mcf-limit-buffer-descriptor-cou.patch
|
||||
* Fix DOS in USB EHCI emulation (CVE-2016-7995 bsc#1003612)
|
||||
0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
|
||||
* Fix DOS in USB xHCI emulation (CVE-2016-8576 bsc#1003878)
|
||||
0051-xhci-limit-the-number-of-link-trbs-.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894)
|
||||
0052-9pfs-allocate-space-for-guest-origi.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494)
|
||||
0053-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893)
|
||||
0054-9pfs-fix-potential-host-memory-leak.patch
|
||||
* Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454)
|
||||
0055-9pfs-fix-information-leak-in-xattr-.patch
|
||||
* Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450)
|
||||
0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495)
|
||||
0057-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
* Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707)
|
||||
0058-char-serial-check-divider-value-aga.patch
|
||||
* Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557)
|
||||
0059-net-pcnet-check-rx-tx-descriptor-ri.patch
|
||||
* Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391)
|
||||
0060-net-eepro100-fix-memory-leak-in-dev.patch
|
||||
* Fix OOB access in Rocker switch emulation (CVE-2016-8668 bsc#1004706)
|
||||
0061-net-rocker-set-limit-to-DMA-buffer-.patch
|
||||
* Plug data leak in vmxnet3 emulation (CVE-2016-6836 bsc#994760)
|
||||
0062-net-vmxnet-initialise-local-tx-desc.patch
|
||||
* Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538)
|
||||
0063-net-rtl8139-limit-processing-of-rin.patch
|
||||
* Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536)
|
||||
0064-audio-intel-hda-check-stream-entry-.patch
|
||||
* Fix DOS in virtio-gpu (CVE-2016-7994 bsc#1003613)
|
||||
0065-virtio-gpu-fix-memory-leak-in-virti.patch
|
||||
* Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493)
|
||||
0066-9pfs-fix-integer-overflow-issue-in-.patch
|
||||
* Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702)
|
||||
0067-dma-rc4030-limit-interval-timer-rel.patch
|
||||
* Fix DOS in i.MX NIC emulation (CVE-2016-7907 bsc#1002549)
|
||||
0068-net-imx-limit-buffer-descriptor-cou.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 11 11:11:11 UTC 2016 - ohering@suse.de
|
||||
|
||||
|
98
qemu.spec
98
qemu.spec
@ -127,16 +127,50 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch
|
||||
Patch0038: 0038-linux-user-properly-test-for-infini.patch
|
||||
Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch
|
||||
Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch
|
||||
Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch
|
||||
Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch
|
||||
Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch
|
||||
Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch
|
||||
Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch
|
||||
Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch
|
||||
Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch
|
||||
Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch
|
||||
Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch
|
||||
Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch
|
||||
Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch
|
||||
Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch
|
||||
Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch
|
||||
Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch
|
||||
Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch
|
||||
Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
Patch0058: 0058-char-serial-check-divider-value-aga.patch
|
||||
Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch
|
||||
Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch
|
||||
Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch
|
||||
Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch
|
||||
Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch
|
||||
Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch
|
||||
Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch
|
||||
Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch
|
||||
Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch
|
||||
Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch
|
||||
Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
Patch999: ipxe-stable-buildid.patch
|
||||
%if %{build_x86_fw_from_source}
|
||||
# SeaBIOS
|
||||
# SeaBIOS / SeaVGABIOS
|
||||
# PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit
|
||||
Patch1000: seabios_128kb.patch
|
||||
|
||||
# ipxe
|
||||
Patch1100: ipxe-stable-buildid.patch
|
||||
|
||||
# sgabios
|
||||
Patch1200: sgabios-stable-buildid.patch
|
||||
|
||||
# SLOF
|
||||
# (currently no patches)
|
||||
%endif
|
||||
|
||||
@ -748,13 +782,49 @@ This package provides a service file for starting and stopping KSM.
|
||||
%patch0038 -p1
|
||||
%patch0039 -p1
|
||||
%patch0040 -p1
|
||||
%patch0041 -p1
|
||||
%patch0042 -p1
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0045 -p1
|
||||
%patch0046 -p1
|
||||
%patch0047 -p1
|
||||
%patch0048 -p1
|
||||
%patch0049 -p1
|
||||
%patch0050 -p1
|
||||
%patch0051 -p1
|
||||
%patch0052 -p1
|
||||
%patch0053 -p1
|
||||
%patch0054 -p1
|
||||
%patch0055 -p1
|
||||
%patch0056 -p1
|
||||
%patch0057 -p1
|
||||
%patch0058 -p1
|
||||
%patch0059 -p1
|
||||
%patch0060 -p1
|
||||
%patch0061 -p1
|
||||
%patch0062 -p1
|
||||
%patch0063 -p1
|
||||
%patch0064 -p1
|
||||
%patch0065 -p1
|
||||
%patch0066 -p1
|
||||
%patch0067 -p1
|
||||
%patch0068 -p1
|
||||
%patch0069 -p1
|
||||
|
||||
%patch999 -p1
|
||||
%if %{build_x86_fw_from_source}
|
||||
pushd roms/seabios
|
||||
%patch1000 -p1
|
||||
popd
|
||||
pushd roms/ipxe
|
||||
%patch1100 -p1
|
||||
popd
|
||||
|
||||
pushd roms/sgabios
|
||||
%patch1200 -p1
|
||||
popd
|
||||
|
||||
pushd roms/SLOF
|
||||
# (currently no patches)
|
||||
popd
|
||||
|
||||
@ -771,21 +841,6 @@ rm -f pc-bios/slof.bin
|
||||
|
||||
%build
|
||||
echo '%{version}' > roms/seabios/.version
|
||||
mkdir .bin
|
||||
pushd $_
|
||||
tee hostname <<_EOD_
|
||||
#!/bin/sh
|
||||
echo hostname
|
||||
_EOD_
|
||||
tee date <<_EOD_
|
||||
#!/bin/sh
|
||||
exec $(type -p date) --reference="$PWD/date" --utc "\$@"
|
||||
_EOD_
|
||||
touch -r ../VERSION date
|
||||
chmod 00755 *
|
||||
ls -l --time-style=full-iso *
|
||||
export PATH="$PWD:$PATH"
|
||||
popd
|
||||
./configure \
|
||||
--prefix=%_prefix \
|
||||
--sysconfdir=%_sysconfdir \
|
||||
@ -955,13 +1010,6 @@ make %{?_smp_mflags} -C roms pxerom
|
||||
%ifarch x86_64
|
||||
make %{?_smp_mflags} -C roms efirom
|
||||
%endif
|
||||
# relink ipxe roms, this time with a stable build_id
|
||||
find roms/ipxe \( -name "*.rom" -o -name "*.tmp" \) -print -delete
|
||||
make -C roms pxerom
|
||||
%ifarch x86_64
|
||||
make -C roms efirom
|
||||
%endif
|
||||
#
|
||||
make -C roms sgabios
|
||||
%endif
|
||||
%if %{build_slof_from_source}
|
||||
|
41
qemu.spec.in
41
qemu.spec.in
@ -91,13 +91,18 @@ PATCH_FILES
|
||||
# Please do not add QEMU patches manually here.
|
||||
# Run update_git.sh to regenerate this queue.
|
||||
|
||||
Patch999: ipxe-stable-buildid.patch
|
||||
%if %{build_x86_fw_from_source}
|
||||
# SeaBIOS
|
||||
# SeaBIOS / SeaVGABIOS
|
||||
# PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit
|
||||
Patch1000: seabios_128kb.patch
|
||||
|
||||
# ipxe
|
||||
Patch1100: ipxe-stable-buildid.patch
|
||||
|
||||
# sgabios
|
||||
Patch1200: sgabios-stable-buildid.patch
|
||||
|
||||
# SLOF
|
||||
# (currently no patches)
|
||||
%endif
|
||||
|
||||
@ -671,15 +676,21 @@ This package provides a service file for starting and stopping KSM.
|
||||
%setup -q -n qemu-2.7.0
|
||||
PATCH_EXEC
|
||||
|
||||
%patch999 -p1
|
||||
%if %{build_x86_fw_from_source}
|
||||
pushd roms/seabios
|
||||
%patch1000 -p1
|
||||
popd
|
||||
pushd roms/ipxe
|
||||
# (currently no patches)
|
||||
%patch1100 -p1
|
||||
popd
|
||||
|
||||
pushd roms/sgabios
|
||||
%patch1200 -p1
|
||||
popd
|
||||
|
||||
pushd roms/SLOF
|
||||
# (currently no patches)
|
||||
popd
|
||||
|
||||
# as a safeguard, delete the firmware files that we intend to build
|
||||
for i in %built_firmware_files
|
||||
@ -694,21 +705,6 @@ rm -f pc-bios/slof.bin
|
||||
|
||||
%build
|
||||
echo '%{version}' > roms/seabios/.version
|
||||
mkdir .bin
|
||||
pushd $_
|
||||
tee hostname <<_EOD_
|
||||
#!/bin/sh
|
||||
echo hostname
|
||||
_EOD_
|
||||
tee date <<_EOD_
|
||||
#!/bin/sh
|
||||
exec $(type -p date) --reference="$PWD/date" --utc "\$@"
|
||||
_EOD_
|
||||
touch -r ../VERSION date
|
||||
chmod 00755 *
|
||||
ls -l --time-style=full-iso *
|
||||
export PATH="$PWD:$PATH"
|
||||
popd
|
||||
./configure \
|
||||
--prefix=%_prefix \
|
||||
--sysconfdir=%_sysconfdir \
|
||||
@ -879,13 +875,6 @@ make %{?_smp_mflags} -C roms pxerom
|
||||
%ifarch x86_64
|
||||
make %{?_smp_mflags} -C roms efirom
|
||||
%endif
|
||||
# relink ipxe roms, this time with a stable build_id
|
||||
find roms/ipxe \( -name "*.rom" -o -name "*.tmp" \) -print -delete
|
||||
make -C roms pxerom
|
||||
%ifarch x86_64
|
||||
make -C roms efirom
|
||||
%endif
|
||||
#
|
||||
make -C roms sgabios
|
||||
%endif
|
||||
%if %{build_slof_from_source}
|
||||
|
26
sgabios-stable-buildid.patch
Normal file
26
sgabios-stable-buildid.patch
Normal file
@ -0,0 +1,26 @@
|
||||
sgabios:Makefile: fix issues of build reproducibility
|
||||
|
||||
It is desirable to produce the same bits on subsequent
|
||||
builds when the actual code of the package doesn't
|
||||
change. (bsc#1011213)
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
---
|
||||
Makefile | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/Makefile
|
||||
+++ b/Makefile
|
||||
@@ -14,9 +14,9 @@
|
||||
#
|
||||
# $Id$
|
||||
|
||||
-BUILD_DATE = \"$(shell date -u)\"
|
||||
-BUILD_SHORT_DATE = \"$(shell date -u +%D)\"
|
||||
-BUILD_HOST = \"$(shell hostname)\"
|
||||
+BUILD_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u)\"
|
||||
+BUILD_SHORT_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u +%D)\"
|
||||
+BUILD_HOST = \"hostname\"
|
||||
BUILD_USER = \"$(shell whoami)\"
|
||||
|
||||
CFLAGS := -Wall -Os -m32 -nostdlib
|
Loading…
Reference in New Issue
Block a user