From f036a54ad63f3412cac44886789daf95871dfa7ce3aa51c3783bcdb2b48b2b1b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andreas=20F=C3=A4rber?= Date: Mon, 21 Nov 2016 17:05:46 +0000 Subject: [PATCH] Accepting request 441247 from home:bfrogers:branches:Virtualization Refine the reproducible build changes to no longer override linux commands, but rather fix via patches only. Also fix all the recent security issues reported. OBS-URL: https://build.opensuse.org/request/show/441247 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=320 --- ...-vmsvga-correct-bitmap-and-pixmap-si.patch | 45 +++++++++ ...-scsi-mptconfig-fix-an-assert-expres.patch | 36 +++++++ ...-scsi-mptconfig-fix-misuse-of-MPTSAS.patch | 40 ++++++++ ...-scsi-pvscsi-limit-loop-to-fetch-SG-.patch | 64 ++++++++++++ ...-usb-xhci-fix-memory-leak-in-usb_xhc.patch | 32 ++++++ ...-scsi-mptsas-use-g_new0-to-allocate-.patch | 35 +++++++ ...-scsi-pvscsi-limit-process-IO-loop-t.patch | 38 +++++++ ...-virtio-add-check-for-descriptor-s-m.patch | 38 +++++++ ...-net-mcf-limit-buffer-descriptor-cou.patch | 52 ++++++++++ ...-usb-ehci-fix-memory-leak-in-ehci_pr.patch | 32 ++++++ ...-xhci-limit-the-number-of-link-trbs-.patch | 68 +++++++++++++ ...-9pfs-allocate-space-for-guest-origi.patch | 58 +++++++++++ 0053-9pfs-fix-memory-leak-in-v9fs_link.patch | 32 ++++++ ...-9pfs-fix-potential-host-memory-leak.patch | 39 ++++++++ ...-9pfs-fix-information-leak-in-xattr-.patch | 32 ++++++ ...-9pfs-fix-memory-leak-in-v9fs_xattrc.patch | 35 +++++++ 0057-9pfs-fix-memory-leak-in-v9fs_write.patch | 33 +++++++ ...-char-serial-check-divider-value-aga.patch | 37 +++++++ ...-net-pcnet-check-rx-tx-descriptor-ri.patch | 37 +++++++ ...-net-eepro100-fix-memory-leak-in-dev.patch | 30 ++++++ ...-net-rocker-set-limit-to-DMA-buffer-.patch | 36 +++++++ ...-net-vmxnet-initialise-local-tx-desc.patch | 33 +++++++ ...-net-rtl8139-limit-processing-of-rin.patch | 34 +++++++ ...-audio-intel-hda-check-stream-entry-.patch | 38 +++++++ ...-virtio-gpu-fix-memory-leak-in-virti.patch | 35 +++++++ 
...-9pfs-fix-integer-overflow-issue-in-.patch | 92 +++++++++++++++++ ...-dma-rc4030-limit-interval-timer-rel.patch | 32 ++++++ ...-net-imx-limit-buffer-descriptor-cou.patch | 47 +++++++++ ...-roms-Makefile-pass-a-packaging-time.patch | 71 ++++++++++++++ ipxe-stable-buildid.patch | 42 ++++++-- qemu-linux-user.changes | 41 ++++++++ qemu-linux-user.spec | 58 +++++++++++ qemu-testsuite.changes | 78 +++++++++++++++ qemu-testsuite.spec | 75 +++++++++++++- qemu.changes | 78 +++++++++++++++ qemu.spec | 98 ++++++++++++++----- qemu.spec.in | 41 +++----- sgabios-stable-buildid.patch | 26 +++++ 38 files changed, 1710 insertions(+), 58 deletions(-) create mode 100644 0041-vmsvga-correct-bitmap-and-pixmap-si.patch create mode 100644 0042-scsi-mptconfig-fix-an-assert-expres.patch create mode 100644 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch create mode 100644 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch create mode 100644 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch create mode 100644 0046-scsi-mptsas-use-g_new0-to-allocate-.patch create mode 100644 0047-scsi-pvscsi-limit-process-IO-loop-t.patch create mode 100644 0048-virtio-add-check-for-descriptor-s-m.patch create mode 100644 0049-net-mcf-limit-buffer-descriptor-cou.patch create mode 100644 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch create mode 100644 0051-xhci-limit-the-number-of-link-trbs-.patch create mode 100644 0052-9pfs-allocate-space-for-guest-origi.patch create mode 100644 0053-9pfs-fix-memory-leak-in-v9fs_link.patch create mode 100644 0054-9pfs-fix-potential-host-memory-leak.patch create mode 100644 0055-9pfs-fix-information-leak-in-xattr-.patch create mode 100644 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch create mode 100644 0057-9pfs-fix-memory-leak-in-v9fs_write.patch create mode 100644 0058-char-serial-check-divider-value-aga.patch create mode 100644 0059-net-pcnet-check-rx-tx-descriptor-ri.patch create mode 100644 0060-net-eepro100-fix-memory-leak-in-dev.patch create mode 100644 
0061-net-rocker-set-limit-to-DMA-buffer-.patch create mode 100644 0062-net-vmxnet-initialise-local-tx-desc.patch create mode 100644 0063-net-rtl8139-limit-processing-of-rin.patch create mode 100644 0064-audio-intel-hda-check-stream-entry-.patch create mode 100644 0065-virtio-gpu-fix-memory-leak-in-virti.patch create mode 100644 0066-9pfs-fix-integer-overflow-issue-in-.patch create mode 100644 0067-dma-rc4030-limit-interval-timer-rel.patch create mode 100644 0068-net-imx-limit-buffer-descriptor-cou.patch create mode 100644 0069-roms-Makefile-pass-a-packaging-time.patch create mode 100644 sgabios-stable-buildid.patch diff --git a/0041-vmsvga-correct-bitmap-and-pixmap-si.patch b/0041-vmsvga-correct-bitmap-and-pixmap-si.patch new file mode 100644 index 00000000..aadb8ccb --- /dev/null +++ b/0041-vmsvga-correct-bitmap-and-pixmap-si.patch 
@@ -0,0 +1,45 @@ +From fd5aa800d14fbc8f0a6a75b37ee0e74092dde8cd Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 8 Sep 2016 18:15:54 +0530 +Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks + +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, +the computed BITMAP and PIXMAP size are checked against the +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. +Correct these checks to avoid OOB memory access. + +Reported-by: Qinghao Tang +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db) +[BR: CVE-2016-7170 BSC#998516] +Signed-off-by: Bruce Rogers +--- + hw/display/vmware_vga.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e51a05e..6599cf0 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + cursor.bpp = vmsvga_fifo_read(s); + + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); +- if (cursor.width > 256 || +- cursor.height > 256 || +- cursor.bpp > 32 || +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { ++ if (cursor.width > 256 ++ || cursor.height > 256 ++ || cursor.bpp > 32 ++ || SVGA_BITMAP_SIZE(x, y) ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) { + goto badcmd; + } + diff --git a/0042-scsi-mptconfig-fix-an-assert-expres.patch b/0042-scsi-mptconfig-fix-an-assert-expres.patch new file mode 100644 index 00000000..6cce259c --- /dev/null +++ b/0042-scsi-mptconfig-fix-an-assert-expres.patch 
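Review bot: `args` is still computed from x, y and cursor.bpp on the line before the corrected bounds check, so SVGA_BITMAP_SIZE and SVGA_PIXMAP_SIZE are evaluated on unvalidated guest values; if those macros do plain int arithmetic, a width, height or bpp that the check rejects a line later can already have overflowed inside them. Moving `args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);` below the `goto badcmd` check means only accepted inputs reach the macros. How x and y relate to cursor.width and cursor.height, and the rest of vmsvga_fifo_run, are outside the hunk.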
@@ -0,0 +1,36 @@ +From eccd42e2e97bdf76467d48b0cecdd07327c686fd Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 31 Aug 2016 17:36:07 +0530 +Subject: [PATCH] scsi: mptconfig: fix an assert expression + +When LSI SAS1068 Host Bus emulator builds configuration page +headers, mptsas_config_pack() should assert that the size +fits in a byte. However, the size is expressed in 32-bit +units, so up to 1020 bytes fit. The assertion was only +allowing replies up to 252 bytes, so fix it. + +Suggested-by: Paolo Bonzini +Signed-off-by: Prasad J Pandit +Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6) +[BR: CVE-2016-7157 BSC#997860] +Signed-off-by: Bruce Rogers +--- + hw/scsi/mptconfig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c +index 7071854..3e4f400 100644 +--- a/hw/scsi/mptconfig.c ++++ b/hw/scsi/mptconfig.c +@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...) + va_end(ap); + + if (data) { +- assert(ret < 256 && (ret % 4) == 0); ++ assert(ret / 4 < 256 && (ret % 4) == 0); + stb_p(*data + 1, ret / 4); + } + return ret; diff --git a/0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch b/0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch new file mode 100644 index 00000000..4785f1f2 --- /dev/null +++ b/0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch 
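Review bot: The corrected assertion fixes the unit mismatch, but nothing at the `stb_p(*data + 1, ret / 4)` line says that byte 1 holds the page length in 32-bit words, which is exactly the detail the previous bound got wrong. A comment above the assert, `/* PageLength byte is in 32-bit units: up to 255 dwords (1020 bytes) fit */`, makes the `ret / 4 < 256` bound self-explanatory for the next person who touches it. The body of mptsas_config_pack begins outside the hunk.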
@@ -0,0 +1,40 @@ +From 3e3bf236d5b712cd5861effaf193093779584c80 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Mon, 29 Aug 2016 11:35:37 +0200 +Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK + +These issues cause respectively a QEMU crash and a leak of 2 bytes of +stack. They were discovered by VictorV of 360 Marvel Team. + +Reported-by: Tom Victor +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d) +[BR: CVE-2016-7157 BSC#997860] +Signed-off-by: Bruce Rogers +--- + hw/scsi/mptconfig.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c +index 3e4f400..87a416a 100644 +--- a/hw/scsi/mptconfig.c ++++ b/hw/scsi/mptconfig.c +@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address + { + /* VPD - all zeros */ + return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00, +- "s256"); ++ "*s256"); + } + + static +@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address) + return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01, + "*l*lwwb*b*b*blww", + pcic->vendor_id, pcic->device_id, pcic->revision, +- pcic->subsystem_vendor_id, ++ pcic->class_id, pcic->subsystem_vendor_id, + pcic->subsystem_id); + } + diff --git a/0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch b/0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch new file mode 100644 index 00000000..370321f7 --- /dev/null +++ b/0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch 
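Review bot: The pack format strings in both hunks carry the page layout with no compile-time check against the argument list, which is how the `"*l*lwwb*b*b*blww"` call ended up one argument short and, per the commit message, leaked two bytes of stack; the fix restores the argument but does nothing to make the correspondence easier to audit next time. A comment listing the fields in order next to the format, e.g. `/* vendor, device, revision, class, subsys vendor, subsys id */`, together with a note on what a leading `*` means in the format, would let a reviewer check the argument count by eye. Whether `*` denotes a skipped or a zero-filled field is not visible from this hunk.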
@@ -0,0 +1,64 @@ +From c08b11cce7dce1fc89c71d3c0de4c5706a89009a Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Tue, 6 Sep 2016 02:20:43 +0530 +Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list + +In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very +long time or go into an infinite loop due to two different bugs: + +1) the request descriptor data length is defined to be 64 bit. While +building SG list from a request descriptor, it gets truncated to 32bit +in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop +situation large 'dataLen' values when data_length is cast to uint32_t and +chunk_size becomes always zero. Fix this by removing the incorrect cast. + +2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the +element has a zero length. Get out of the loop early when this happens, +by introducing an upper limit on the number of SG list elements. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8) +[BR: CVE-2016-7156 BSC#997859] +Signed-off-by: Bruce Rogers +--- + hw/scsi/vmw_pvscsi.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 5116f4a..73679f8 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -40,6 +40,8 @@ + #define PVSCSI_MAX_DEVS (64) + #define PVSCSI_MSIX_NUM_VECTORS (1) + ++#define PVSCSI_MAX_SG_ELEM 2048 ++ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +@@ -634,17 +636,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d, + static void + pvscsi_convert_sglist(PVSCSIRequest *r) + { +- int chunk_size; ++ uint32_t chunk_size, elmcnt = 0; + uint64_t data_length = r->req.dataLen; + PVSCSISGState sg = r->sg; +- while (data_length) { +- while (!sg.resid) { ++ 
while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { ++ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { + pvscsi_get_next_sg_elem(&sg); + trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, + r->sg.resid); + } +- assert(data_length > 0); +- chunk_size = MIN((unsigned) data_length, sg.resid); ++ chunk_size = MIN(data_length, sg.resid); + if (chunk_size) { + qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); + } diff --git a/0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch b/0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch new file mode 100644 index 00000000..6cff7cd2 --- /dev/null +++ b/0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch @@ -0,0 +1,32 @@ +From c559aa30371dc110e2b13e5006a327aab6503ac7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 13 Sep 2016 03:20:03 -0700 +Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit + +If the xhci uses msix, it doesn't free the corresponding +memory, thus leading a memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e) +[BR: CVE-2016-7466 BSC#1000345] +Signed-off-by: Bruce Rogers +--- + hw/usb/hcd-xhci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 188f954..281a2a5 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev) + /* destroy msix memory region */ + if (dev->msix_table && dev->msix_pba + && dev->msix_entry_used) { +- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio); +- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio); ++ msix_uninit(dev, &xhci->mem, &xhci->mem); + } + + usb_bus_release(&xhci->bus); diff --git a/0046-scsi-mptsas-use-g_new0-to-allocate-.patch b/0046-scsi-mptsas-use-g_new0-to-allocate-.patch new file mode 100644 index 00000000..480fd712 --- /dev/null 
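Review bot: When elmcnt reaches PVSCSI_MAX_SG_ELEM the outer loop stops with data_length still non-zero, so the request goes on with a silently truncated scatter-gather list and neither a trace nor a return value tells the caller. As the function is void, the minimum would be a `qemu_log_mask(LOG_GUEST_ERROR, ...)` or a dedicated trace event after the loop when `data_length != 0`; the better fix is a status return the caller can turn into a failed request. Whether sg.resid is 32-bit, which `MIN(data_length, sg.resid)` into a uint32_t chunk_size relies on, is not visible here, and the tail of pvscsi_convert_sglist is outside the hunk.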
+++ b/0046-scsi-mptsas-use-g_new0-to-allocate-.patch @@ -0,0 +1,35 @@ +From 9115b36311e918d6ccea499ff5767508b72250e6 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 12 Sep 2016 18:14:11 +0530 +Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object + +When processing IO request in mptsas, it uses g_new to allocate +a 'req' object. If an error occurs before 'req->sreq' is +allocated, It could lead to an OOB write in mptsas_free_request +function. Use g_new0 to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com> +Cc: qemu-stable@nongnu.org +Signed-off-by: Paolo Bonzini +(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5) +[BR: CVE-2016-7423 BSC#1000397] +Signed-off-by: Bruce Rogers +--- + hw/scsi/mptsas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index 0e0a22f..eaae1bb 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, + goto bad; + } + +- req = g_new(MPTSASRequest, 1); ++ req = g_new0(MPTSASRequest, 1); + QTAILQ_INSERT_TAIL(&s->pending, req, next); + req->scsi_io = *scsi_io; + req->dev = s; diff --git a/0047-scsi-pvscsi-limit-process-IO-loop-t.patch b/0047-scsi-pvscsi-limit-process-IO-loop-t.patch new file mode 100644 index 00000000..c1da85a9 --- /dev/null +++ b/0047-scsi-pvscsi-limit-process-IO-loop-t.patch 
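Review bot: The switch to g_new0 is correct, but the line carries no hint that the zeroing is load-bearing; the commit message says mptsas_free_request can run before req->sreq is set, so a later change back to g_new would silently reopen the out-of-bounds write. A one-line comment, `/* zeroed: mptsas_free_request() may run before sreq and other fields are set */`, ties the allocation choice to the error path it protects. The error paths and mptsas_free_request itself are outside the hunk, so I cannot confirm which other fields it touches.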
@@ -0,0 +1,38 @@ +From a6cfc94b9a325993d6d77022ae8d0fd0cc77d117 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 14 Sep 2016 15:09:12 +0530 +Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size + +Vmware Paravirtual SCSI emulator while processing IO requests +could run into an infinite loop if 'pvscsi_ring_pop_req_descr' +always returned positive value. Limit IO loop to the ring size. + +Cc: qemu-stable@nongnu.org +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9) +[BR: CVE-2016-7421 BSC#999661] +Signed-off-by: Bruce Rogers +--- + hw/scsi/vmw_pvscsi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 73679f8..efa5459 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -253,8 +253,11 @@ static hwaddr + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { + uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING ++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + +- if (ready_ptr != mgr->consumed_ptr) { ++ if (ready_ptr != mgr->consumed_ptr ++ && ready_ptr - mgr->consumed_ptr < ring_size) { + uint32_t next_ready_ptr = + mgr->consumed_ptr++ & mgr->txr_len_mask; + uint32_t next_ready_page = diff --git a/0048-virtio-add-check-for-descriptor-s-m.patch b/0048-virtio-add-check-for-descriptor-s-m.patch new file mode 100644 index 00000000..9cc345ee --- /dev/null +++ b/0048-virtio-add-check-for-descriptor-s-m.patch 
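Review bot: The new bound uses the compile-time maximum ring size (PVSCSI_MAX_NUM_PAGES_REQ_RING * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE) rather than the ring actually configured for this device, which the next line shows is described by `mgr->txr_len_mask`. If the guest set up a smaller ring, reqProdIdx can still run up to ring_size entries ahead of consumed_ptr before being treated as invalid; `&& ready_ptr - mgr->consumed_ptr <= mgr->txr_len_mask` would bound the loop by the real ring length. The unsigned subtraction handles 32-bit wrap of the producer index correctly as long as both indices only ever advance, which the masking on the following lines suggests; the rest of pvscsi_ring_pop_req_descr is outside the hunk.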
@@ -0,0 +1,38 @@ +From db87d12d0e7e3720ebc0283aced8077f43e29963 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 19 Sep 2016 23:55:45 +0530 +Subject: [PATCH] virtio: add check for descriptor's mapped address + +virtio back end uses set of buffers to facilitate I/O operations. +If its size is too large, 'cpu_physical_memory_map' could return +a null address. This would result in a null dereference while +un-mapping descriptors. Add check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Reviewed-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Reviewed-by: Laszlo Ersek +(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0) +[BR: CVE-2016-7422 BSC#1000346] +Signed-off-by: Bruce Rogers +--- + hw/virtio/virtio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 74c085c..eabe573 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove + } + + iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); ++ if (!iov[num_sg].iov_base) { ++ error_report("virtio: bogus descriptor or out of resources"); ++ exit(1); ++ } ++ + iov[num_sg].iov_len = len; + addr[num_sg] = pa; + diff --git a/0049-net-mcf-limit-buffer-descriptor-cou.patch b/0049-net-mcf-limit-buffer-descriptor-cou.patch new file mode 100644 index 00000000..3970e9e9 --- /dev/null +++ b/0049-net-mcf-limit-buffer-descriptor-cou.patch 
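Review bot: The new check turns a NULL dereference into `exit(1)`, which a guest can now trigger on demand with a single descriptor that cannot be mapped; that is a deliberate fail-stop, but nothing on the line says so. A comment such as `/* fail-stop: a guest descriptor we cannot map leaves no consistent state to continue from */` would document the choice, and a device-level error path (marking the device broken and dropping the request) would be the less disruptive follow-up. cpu_physical_memory_map may also hand back a mapping shorter than requested; how a reduced `len` is handled after `iov[num_sg].iov_len = len;` is outside the hunk.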
@@ -0,0 +1,52 @@ +From 60f6f3204dcfbb6c7518751061abc99ddd9b2c97 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 22 Sep 2016 16:02:37 +0530 +Subject: [PATCH] net: mcf: limit buffer descriptor count + +ColdFire Fast Ethernet Controller uses buffer descriptors to manage +data flow to/fro receive & transmit queues. While transmitting +packets, it could continue to read buffer descriptors if a buffer +descriptor has length of zero and has crafted values in bd.flags. +Set upper limit to number of buffer descriptors. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Paolo Bonzini +Signed-off-by: Jason Wang +(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a) +[BR: CVE-2016-7908 BSC#1002550] +Signed-off-by: Bruce Rogers +--- + hw/net/mcf_fec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c +index 0ee8ad9..d31fea1 100644 +--- a/hw/net/mcf_fec.c ++++ b/hw/net/mcf_fec.c +@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0) + #define DPRINTF(fmt, ...) do {} while(0) + #endif + ++#define FEC_MAX_DESC 1024 + #define FEC_MAX_FRAME_SIZE 2032 + + typedef struct { +@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + uint32_t addr; + mcf_fec_bd bd; + int frame_size; +- int len; ++ int len, descnt = 0; + uint8_t frame[FEC_MAX_FRAME_SIZE]; + uint8_t *ptr; + +@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s) + ptr = frame; + frame_size = 0; + addr = s->tx_descriptor; +- while (1) { ++ while (descnt++ < FEC_MAX_DESC) { + mcf_fec_read_bd(&bd, addr); + DPRINTF("tx_bd %x flags %04x len %d data %08x\n", + addr, bd.flags, bd.length, bd.data); diff --git a/0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch b/0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch new file mode 100644 index 00000000..bde1cf3f --- /dev/null +++ b/0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch 
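Review bot: When the descriptor walk hits FEC_MAX_DESC the `while (descnt++ < FEC_MAX_DESC)` loop exits with the frame partially assembled and no diagnostic, so a looping descriptor chain is indistinguishable from a normally terminated one. The file already defines DPRINTF (visible in the first hunk), so after the loop an `if (descnt > FEC_MAX_DESC) { DPRINTF("tx: descriptor limit reached\n"); }`, or a `qemu_log_mask(LOG_GUEST_ERROR, ...)` call, would make the condition observable. What happens to the partial frame and to s->tx_descriptor after the loop is outside the hunk.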
@@ -0,0 +1,32 @@ +From 9d2c9efdb4d8b49689517271db3420c6de75278d Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sun, 18 Sep 2016 19:48:35 -0700 +Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd + +While processing isochronous transfer descriptors(iTD), if the page +select(PG) field value is out of bands it will return. In this +situation the ehci's sg list is not freed thus leading to a memory +leak issue. This patch avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Thomas Huth +Signed-off-by: Michael Tokarev +(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a) +[BR: CVE-2016-7995 BSC#1003612] +Signed-off-by: Bruce Rogers +--- + hw/usb/hcd-ehci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index b093db7..f4ece9a 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci, + if (off + len > 4096) { + /* transfer crosses page border */ + if (pg == 6) { ++ qemu_sglist_destroy(&ehci->isgl); + return -1; /* avoid page pg + 1 */ + } + ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); diff --git a/0051-xhci-limit-the-number-of-link-trbs-.patch b/0051-xhci-limit-the-number-of-link-trbs-.patch new file mode 100644 index 00000000..18e0e7a4 --- /dev/null +++ b/0051-xhci-limit-the-number-of-link-trbs-.patch 
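Review bot: The added qemu_sglist_destroy covers only the `pg == 6` early return; if ehci_process_itd has other returns after the sglist is created (the function extends well beyond this hunk), each of them needs the same release or the leak simply moves. A single cleanup label that every failure path after the sglist initialisation jumps to would be safer than per-site destroy calls. I cannot see from here whether the other paths already do this.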
@@ -0,0 +1,68 @@ +From 8e5cea1968f6fe19792237cb2abeaf6e7ff3244e Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 10 Oct 2016 12:46:22 +0200 +Subject: [PATCH] xhci: limit the number of link trbs we are willing to process + +Needed to avoid we run in circles forever in case the guest builds +an endless loop with link trbs. + +Reported-by: Li Qiang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com +(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce) +[BR: CVE-2016-8576 BSC#1003878] +Signed-off-by: Bruce Rogers +--- + hw/usb/hcd-xhci.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 281a2a5..8a9a31a 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -54,6 +54,8 @@ + * to the specs when it gets them */ + #define ER_FULL_HACK + ++#define TRB_LINK_LIMIT 4 ++ + #define LEN_CAP 0x40 + #define LEN_OPER (0x400 + 0x10 * MAXPORTS) + #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20) +@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + dma_addr_t *addr) + { + PCIDevice *pci_dev = PCI_DEVICE(xhci); ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, + ring->dequeue += TRB_SIZE; + return type; + } else { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return 0; ++ } + ring->dequeue = xhci_mask64(trb->parameter); + if (trb->control & TRB_LK_TC) { + ring->ccs = !ring->ccs; +@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + bool ccs = ring->ccs; + /* hack to bundle together the two/three TDs that make a setup transfer */ + bool control_td_set = 0; ++ uint32_t link_cnt = 0; + + while (1) { + TRBType type; +@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring) + type = TRB_TYPE(trb); + + if (type == 
TR_LINK) { ++ if (++link_cnt > TRB_LINK_LIMIT) { ++ return -length; ++ } + dequeue = xhci_mask64(trb.parameter); + if (trb.control & TRB_LK_TC) { + ccs = !ccs; diff --git a/0052-9pfs-allocate-space-for-guest-origi.patch b/0052-9pfs-allocate-space-for-guest-origi.patch new file mode 100644 index 00000000..e578449f --- /dev/null +++ b/0052-9pfs-allocate-space-for-guest-origi.patch 
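Review bot: `TRB_LINK_LIMIT 4` is a bare magic number with no comment on why four consecutive link TRBs is the cut-off, and a guest ring that legitimately chains more segments than that would be cut short. A comment at the define, `/* max consecutive link TRBs followed before the ring is treated as looping */`, would capture the intent. Both limit checks also give up silently (return 0 from xhci_ring_fetch, -length from xhci_ring_chain_length); a trace or `qemu_log_mask(LOG_GUEST_ERROR, ...)` at the point of bailing out would help separate hostile guests from misconfigured ones. Whether `return 0` is a TRBType value the callers already treat as invalid is not visible here.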
@@ -0,0 +1,58 @@ +From 2d4128223e6b5a3dff30e0b07435620f1092c5ae Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: allocate space for guest originated empty strings + +If a guest sends an empty string paramater to any 9P operation, the current +code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }. + +This is unfortunate because it can cause NULL pointer dereference to happen +at various locations in the 9pfs code. And we don't want to check str->data +everywhere we pass it to strcmp() or any other function which expects a +dereferenceable pointer. + +This patch enforces the allocation of genuine C empty strings instead, so +callers don't have to bother. + +Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if +the returned string is empty. It now uses v9fs_string_size() since +name.data cannot be NULL anymore. + +Signed-off-by: Li Qiang +[groug, rewritten title and changelog, + fix empty string check in v9fs_xattrwalk()] +Signed-off-by: Greg Kurz +(cherry picked from commit ba42ebb863ab7d40adc79298422ed9596df8f73a) +[BR: CVE-2016-8578 BSC#1003894] +Signed-off-by: Bruce Rogers +--- + fsdev/9p-iov-marshal.c | 2 +- + hw/9pfs/9p.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c +index 663cad5..1d16f8d 100644 +--- a/fsdev/9p-iov-marshal.c ++++ b/fsdev/9p-iov-marshal.c +@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset, + str->data = g_malloc(str->size + 1); + copied = v9fs_unpack(str->data, out_sg, out_num, offset, + str->size); +- if (copied > 0) { ++ if (copied >= 0) { + str->data[str->size] = 0; + } else { + v9fs_string_free(str); +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index dfe293d..a345fe3 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -3160,7 +3160,7 @@ static void v9fs_xattrwalk(void *opaque) + goto out; + } + v9fs_path_copy(&xattr_fidp->path, 
&file_fidp->path); +- if (name.data == NULL) { ++ if (!v9fs_string_size(&name)) { + /* + * listxattr request. Get the size first + */ diff --git a/0053-9pfs-fix-memory-leak-in-v9fs_link.patch b/0053-9pfs-fix-memory-leak-in-v9fs_link.patch new file mode 100644 index 00000000..fb6e314c --- /dev/null +++ b/0053-9pfs-fix-memory-leak-in-v9fs_link.patch @@ -0,0 +1,32 @@ +From 9f7f59799ea714c512ecfc0e224df66095abf9c0 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_link + +The v9fs_link() function keeps a reference on the source fid object. This +causes a memory leak since the reference never goes down to 0. This patch +fixes the issue. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, rephrased the changelog] +Signed-off-by: Greg Kurz +(cherry picked from commit 4c1586787ff43c9acd18a56c12d720e3e6be9f7c) +[BR: CVE-2016-9105 BSC#1007494] +Signed-off-by: Bruce Rogers +--- + hw/9pfs/9p.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index a345fe3..239aef4 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -2402,6 +2402,7 @@ static void v9fs_link(void *opaque) + if (!err) { + err = offset; + } ++ put_fid(pdu, oldfidp); + out: + put_fid(pdu, dfidp); + out_nofid: diff --git a/0054-9pfs-fix-potential-host-memory-leak.patch b/0054-9pfs-fix-potential-host-memory-leak.patch new file mode 100644 index 00000000..f9218b6f --- /dev/null +++ b/0054-9pfs-fix-potential-host-memory-leak.patch 
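Review bot: `put_fid(pdu, oldfidp)` sits only on the success path just above `out:`, so any `goto out` taken between the acquisition of oldfidp and this line still leaks the reference; the same label-discipline question applies to the new `out_free_iovec` label in 0054 and the `goto out_qiov` in 0057, where only the jumps that were renamed are covered. A dedicated label placed above `out:` (`out_put_old: put_fid(pdu, oldfidp);`) that every later failure path jumps to would close that gap. The code between oldfidp's acquisition and this hunk is outside view, so this is based on the label layout alone.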
@@ -0,0 +1,39 @@ +From 5f29f9ab1d097cf326dfa477f75d30117f668b49 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read + +In 9pfs read dispatch function, it doesn't free two QEMUIOVector +object thus causing potential memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +Signed-off-by: Greg Kurz +(cherry picked from commit e95c9a493a5a8d6f969e86c9f19f80ffe6587e19) +[BR: CVE-2016-8577 BSC#1003893] +Signed-off-by: Bruce Rogers +--- + hw/9pfs/9p.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 239aef4..4a71cff 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -1812,14 +1812,15 @@ static void v9fs_read(void *opaque) + if (len < 0) { + /* IO error return the error */ + err = len; +- goto out; ++ goto out_free_iovec; + } + } while (count < max_count && len > 0); + err = pdu_marshal(pdu, offset, "d", count); + if (err < 0) { +- goto out; ++ goto out_free_iovec; + } + err += offset + count; ++out_free_iovec: + qemu_iovec_destroy(&qiov); + qemu_iovec_destroy(&qiov_full); + } else if (fidp->fid_type == P9_FID_XATTR) { diff --git a/0055-9pfs-fix-information-leak-in-xattr-.patch b/0055-9pfs-fix-information-leak-in-xattr-.patch new file mode 100644 index 00000000..8303065e --- /dev/null +++ b/0055-9pfs-fix-information-leak-in-xattr-.patch 
@@ -0,0 +1,32 @@ +From 9f8a42e3f35479353ad9b9b5af78e136fd59b509 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix information leak in xattr read + +9pfs uses g_malloc() to allocate the xattr memory space, if the guest +reads this memory before writing to it, this will leak host heap memory +to the guest. This patch avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +Signed-off-by: Greg Kurz +(cherry picked from commit eb687602853b4ae656e9236ee4222609f3a6887d) +[BR: CVE-2016-9103 BSC#1007454] +Signed-off-by: Bruce Rogers +--- + hw/9pfs/9p.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index 4a71cff..af32464 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -3270,7 +3270,7 @@ static void v9fs_xattrcreate(void *opaque) + xattr_fidp->fs.xattr.flags = flags; + v9fs_string_init(&xattr_fidp->fs.xattr.name); + v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); +- xattr_fidp->fs.xattr.value = g_malloc(size); ++ xattr_fidp->fs.xattr.value = g_malloc0(size); + err = offset; + put_fid(pdu, file_fidp); + out_nofid: diff --git a/0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch b/0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch new file mode 100644 index 00000000..90e16546 --- /dev/null +++ b/0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch 
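Review bot: g_malloc0 removes the information leak, but `size` is taken from the guest's Txattrcreate request and g_malloc0 aborts the process on allocation failure, so without an upper bound on `size` ahead of this line one request can still take QEMU down. If no such bound exists earlier in v9fs_xattrcreate (outside the hunk), a check like `if (size > XATTR_SIZE_MAX) { err = -E2BIG; put_fid(pdu, file_fidp); goto out_nofid; }` should precede the allocation. I cannot see how size is unmarshalled or whether it is already clamped.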
@@ -0,0 +1,35 @@ +From 61eb543d366088cebecaf8fead80d1bd32db7cb2 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate + +The 'fs.xattr.value' field in V9fsFidState object doesn't consider the +situation that this field has been allocated previously. Every time, it +will be allocated directly. This leads to a host memory leak issue if +the client sends another Txattrcreate message with the same fid number +before the fid from the previous time got clunked. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, updated the changelog to indicate how the leak can occur] +Signed-off-by: Greg Kurz + +(cherry picked from commit ff55e94d23ae94c8628b0115320157c763eb3e06) +[BR: CVE-2016-9102 BSC#1007450] +Signed-off-by: Bruce Rogers +--- + hw/9pfs/9p.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index af32464..aa2b8c0 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -3270,6 +3270,7 @@ static void v9fs_xattrcreate(void *opaque) + xattr_fidp->fs.xattr.flags = flags; + v9fs_string_init(&xattr_fidp->fs.xattr.name); + v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); ++ g_free(xattr_fidp->fs.xattr.value); + xattr_fidp->fs.xattr.value = g_malloc0(size); + err = offset; + put_fid(pdu, file_fidp); diff --git a/0057-9pfs-fix-memory-leak-in-v9fs_write.patch b/0057-9pfs-fix-memory-leak-in-v9fs_write.patch new file mode 100644 index 00000000..66d3e86e --- /dev/null +++ b/0057-9pfs-fix-memory-leak-in-v9fs_write.patch 
@@ -0,0 +1,33 @@ +From 1dd9e4b00e2f7eb60436a5a3017042eb7b93a8ff Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Mon, 17 Oct 2016 14:13:58 +0200 +Subject: [PATCH] 9pfs: fix memory leak in v9fs_write + +If an error occurs when marshalling the transfer length to the guest, the +v9fs_write() function doesn't free an IO vector, thus leading to a memory +leak. This patch fixes the issue. + +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +[groug, rephrased the changelog] +Signed-off-by: Greg Kurz +(cherry picked from commit fdfcc9aeea1492f4b819a24c94dfb678145b1bf9) +[BR: CVE-2016-9106 BSC#1007495] +Signed-off-by: Bruce Rogers +--- + hw/9pfs/9p.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index aa2b8c0..af07846 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -2080,7 +2080,7 @@ static void v9fs_write(void *opaque) + offset = 7; + err = pdu_marshal(pdu, offset, "d", total); + if (err < 0) { +- goto out; ++ goto out_qiov; + } + err += offset; + trace_v9fs_write_return(pdu->tag, pdu->id, total, err); diff --git a/0058-char-serial-check-divider-value-aga.patch b/0058-char-serial-check-divider-value-aga.patch new file mode 100644 index 00000000..54a83603 --- /dev/null +++ b/0058-char-serial-check-divider-value-aga.patch 
@@ -0,0 +1,37 @@ +From 5a472227730f7f2465baf36716d755ced0300611 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 12 Oct 2016 11:28:08 +0530 +Subject: [PATCH] char: serial: check divider value against baud base + +16550A UART device uses an oscillator to generate frequencies +(baud base), which decide communication speed. This speed could +be changed by dividing it by a divider. If the divider is +greater than the baud base, speed is set to zero, leading to a +divide by zero error. Add check to avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com> +Signed-off-by: Paolo Bonzini +(cherry picked from commit 3592fe0c919cf27a81d8e9f9b4f269553418bb01) +[BR: CVE-2016-8669 BSC#1004707] +Signed-off-by: Bruce Rogers +--- + hw/char/serial.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/char/serial.c b/hw/char/serial.c +index 3442f47..eec72b7 100644 +--- a/hw/char/serial.c ++++ b/hw/char/serial.c +@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s) + int speed, parity, data_bits, stop_bits, frame_size; + QEMUSerialSetParams ssp; + +- if (s->divider == 0) ++ if (s->divider == 0 || s->divider > s->baudbase) { + return; ++ } + + /* Start bit. */ + frame_size = 1; diff --git a/0059-net-pcnet-check-rx-tx-descriptor-ri.patch b/0059-net-pcnet-check-rx-tx-descriptor-ri.patch new file mode 100644 index 00000000..9ea0c601 --- /dev/null +++ b/0059-net-pcnet-check-rx-tx-descriptor-ri.patch 
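Review bot: The new early return on `s->divider == 0 || s->divider > s->baudbase` drops the guest's parameter update silently, so a guest programming an impossible rate is indistinguishable in the logs from one writing a zero divider; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` naming the divider and baud base before the `return;` would make that observable. The reason for the second half of the check lives only in the commit message and deserves a comment at the site, e.g. `/* speed = baudbase / divider would be 0 and divide by zero further down */`. serial_update_parameters continues past the hunk and the types of `divider`/`baudbase` are not visible here.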
@@ -0,0 +1,37 @@ +From ac4e97299905661397882b588d6d2c08e5df65b0 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 30 Sep 2016 00:27:33 +0530 +Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length + +The AMD PC-Net II emulator has set of control and status(CSR) +registers. Of these, CSR76 and CSR78 hold receive and transmit +descriptor ring length respectively. This ring length could range +from 1 to 65535. Setting ring length to zero leads to an infinite +loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff) +[BR: CVE-2016-7909 BSC#1002557] +Signed-off-by: Bruce Rogers +--- + hw/net/pcnet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c +index 198a01f..3078de8 100644 +--- a/hw/net/pcnet.c ++++ b/hw/net/pcnet.c +@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value) + case 47: /* POLLINT */ + case 72: + case 74: ++ break; + case 76: /* RCVRL */ + case 78: /* XMTRL */ ++ val = (val > 0) ? val : 512; ++ break; + case 112: + if (CSR_STOP(s) || CSR_SPND(s)) + break; diff --git a/0060-net-eepro100-fix-memory-leak-in-dev.patch b/0060-net-eepro100-fix-memory-leak-in-dev.patch new file mode 100644 index 00000000..0622c216 --- /dev/null +++ b/0060-net-eepro100-fix-memory-leak-in-dev.patch 
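Review bot: The two added `break;` statements do more than the description says: they end the fall-through from cases 47/72/74 and 76/78 into `case 112`, whose `CSR_STOP(s) || CSR_SPND(s)` guard previously decided whether these writes took effect at all, so after this patch the writes appear to be accepted while the controller is running as well. That is presumably deliberate, since the patch is a cherry-pick, but it should be stated in the patch description so the behavioural change is reviewable on its own. The fallback `val = (val > 0) ? val : 512;` also wants a comment, e.g. `/* a zero ring length makes pcnet_rdra_addr()/pcnet_transmit() spin forever */`, and `val` is declared outside the hunk, so its width relative to the 16-bit CSR is not visible here.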
@@ -0,0 +1,30 @@
+From c266d999085e07c2cbb9b59b9cf4e39c0c7e2ae0 Mon Sep 17 00:00:00 2001
+From: Li Qiang
+Date: Sat, 8 Oct 2016 05:07:25 -0700
+Subject: [PATCH] net: eepro100: fix memory leak in device uninit
+
+The exit dispatch of eepro100 network card device doesn't free
+the 's->vmstate' field which was allocated in device realize thus
+leading a host memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang
+Signed-off-by: Jason Wang
+(cherry picked from commit 2634ab7fe29b3f75d0865b719caf8f310d634aae)
+[BR: CVE-2016-9101 BSC#1007391]
+Signed-off-by: Bruce Rogers
+---
+ hw/net/eepro100.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
+index bab4dbf..4bf71f2 100644
+--- a/hw/net/eepro100.c
++++ b/hw/net/eepro100.c
+@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
+ EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
+
+ vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
++ g_free(s->vmstate);
+ eeprom93xx_free(&pci_dev->qdev, s->eeprom);
+ qemu_del_nic(s->nic);
+ }
diff --git a/0061-net-rocker-set-limit-to-DMA-buffer-.patch b/0061-net-rocker-set-limit-to-DMA-buffer-.patch
new file mode 100644
index 00000000..9849d564
--- /dev/null
+++ b/0061-net-rocker-set-limit-to-DMA-buffer-.patch
@@ -0,0 +1,36 @@ +From 9999bb270b68c8bfb82d37a52515cbbfdc7d900f Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Wed, 12 Oct 2016 14:40:55 +0530 +Subject: [PATCH] net: rocker: set limit to DMA buffer size + +Rocker network switch emulator has test registers to help debug +DMA operations. While testing host DMA access, a buffer address +is written to register 'TEST_DMA_ADDR' and its size is written to +register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT +test, if DMA buffer size was greater than 'INT_MAX', it leads to +an invalid buffer access. Limit the DMA buffer size to avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Reviewed-by: Jiri Pirko +Signed-off-by: Jason Wang +(cherry picked from commit 8caed3d564672e8bc6d2e4c6a35228afd01f4723) +[BR: CVE-2016-8668 BSC#1004706] +Signed-off-by: Bruce Rogers +--- + hw/net/rocker/rocker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c +index 30f2ce4..e9d215a 100644 +--- a/hw/net/rocker/rocker.c ++++ b/hw/net/rocker/rocker.c +@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val) + rocker_msix_irq(r, val); + break; + case ROCKER_TEST_DMA_SIZE: +- r->test_dma_size = val; ++ r->test_dma_size = val & 0xFFFF; + break; + case ROCKER_TEST_DMA_ADDR + 4: + r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32; diff --git a/0062-net-vmxnet-initialise-local-tx-desc.patch b/0062-net-vmxnet-initialise-local-tx-desc.patch new file mode 100644 index 00000000..7117c06d --- /dev/null +++ b/0062-net-vmxnet-initialise-local-tx-desc.patch 
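Review bot: `r->test_dma_size = val & 0xFFFF;` silently clips whatever the guest wrote instead of rejecting it, and the mask is a bare magic number; the description only says the size must stay below INT_MAX, so a named constant with a comment such as `/* bound the test buffer; larger sizes overflow the int arithmetic in the DMA test paths */` would make the chosen width reviewable. A `qemu_log_mask(LOG_GUEST_ERROR, ...)` when `val` has bits above the mask would also surface an out-of-range write rather than hide it. rocker_io_writel continues outside the hunk.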
@@ -0,0 +1,33 @@ +From d77a9e7e19bf1f4697445513df7b67a865bb6d8e Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Thu, 11 Aug 2016 00:42:20 +0530 +Subject: [PATCH] net: vmxnet: initialise local tx descriptor + +In Vmxnet3 device emulator while processing transmit(tx) queue, +when it reaches end of packet, it calls vmxnet3_complete_packet. +In that local 'txcq_descr' object is not initialised, which could +leak host memory bytes a guest. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Reviewed-by: Dmitry Fleytman +Signed-off-by: Jason Wang +(cherry picked from commit fdda170e50b8af062cf5741e12c4fb5e57a2eacf) +[BR: CVE-2016-6836 BSC#994760] +Signed-off-by: Bruce Rogers +--- + hw/net/vmxnet3.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 90f6943..92f6af9 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) + + VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); + ++ memset(&txcq_descr, 0, sizeof(txcq_descr)); + txcq_descr.txdIdx = tx_ridx; + txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); + diff --git a/0063-net-rtl8139-limit-processing-of-rin.patch b/0063-net-rtl8139-limit-processing-of-rin.patch new file mode 100644 index 00000000..088cb933 --- /dev/null +++ b/0063-net-rtl8139-limit-processing-of-rin.patch 
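Review bot: Zeroing `txcq_descr` with `memset()` immediately before the field assignments works, but the variable's declaration is outside the hunk and initialising it there with `= {0}` would express the same intent without a separate statement and cannot drift away from the declaration. A short comment, `/* zero padding too: this descriptor is copied to guest memory */`, would record why the clearing matters, since the description's reason (host bytes leaking to the guest) is otherwise not visible at the site. vmxnet3_complete_packet starts and ends outside the hunk.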
@@ -0,0 +1,34 @@ +From 854b5adf363ebfb07ad0134079401d62cdf25b77 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Fri, 21 Oct 2016 17:39:29 +0530 +Subject: [PATCH] net: rtl8139: limit processing of ring descriptors + +RTL8139 ethernet controller in C+ mode supports multiple +descriptor rings, each with maximum of 64 descriptors. While +processing transmit descriptor ring in 'rtl8139_cplus_transmit', +it does not limit the descriptor count and runs forever. Add +check to avoid it. + +Reported-by: Andrew Henderson +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +(cherry picked from commit c7c35916692fe010fef25ac338443d3fe40be225) +[BR: CVE-2016-8910 BSC#1006538] +Signed-off-by: Bruce Rogers +--- + hw/net/rtl8139.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c +index 3345bc6..f05e59c 100644 +--- a/hw/net/rtl8139.c ++++ b/hw/net/rtl8139.c +@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s) + { + int txcount = 0; + +- while (rtl8139_cplus_transmit_one(s)) ++ while (txcount < 64 && rtl8139_cplus_transmit_one(s)) + { + ++txcount; + } diff --git a/0064-audio-intel-hda-check-stream-entry-.patch b/0064-audio-intel-hda-check-stream-entry-.patch new file mode 100644 index 00000000..b17502bd --- /dev/null +++ b/0064-audio-intel-hda-check-stream-entry-.patch 
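Review bot: `while (txcount < 64 && rtl8139_cplus_transmit_one(s))` introduces a bare magic number for what the description calls the maximum ring size; a named constant defined next to the other C+ mode definitions would tie the bound to its meaning. What happens to descriptors still ready when the cap is hit is outside the hunk, presumably they wait for the next transmit trigger, and a comment on the loop stating that, e.g. `/* bound the walk to one ring's worth of descriptors; anything left waits for the next kick */`, would save the next reader the same question. rtl8139_cplus_transmit continues past the hunk.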
@@ -0,0 +1,38 @@ +From 1f01b4d6f3d3acc6d0fd5e809b0de4547f4815cc Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 20 Oct 2016 13:10:24 +0530 +Subject: [PATCH] audio: intel-hda: check stream entry count during transfer + +Intel HDA emulator uses stream of buffers during DMA data +transfers. Each entry has buffer length and buffer pointer +position, which are used to derive bytes to 'copy'. If this +length and buffer pointer were to be same, 'copy' could be +set to zero(0), leading to an infinite loop. Add check to +avoid it. + +Reported-by: Huawei PSIRT +Signed-off-by: Prasad J Pandit +Reviewed-by: Stefan Hajnoczi +Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050) +[BR: CVE-2016-8909 BSC#1006536] +Signed-off-by: Bruce Rogers +--- + hw/audio/intel-hda.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c +index cd95340..537face 100644 +--- a/hw/audio/intel-hda.c ++++ b/hw/audio/intel-hda.c +@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output, + } + + left = len; +- while (left > 0) { ++ s = st->bentries; ++ while (left > 0 && s-- > 0) { + copy = left; + if (copy > st->bsize - st->lpib) + copy = st->bsize - st->lpib; diff --git a/0065-virtio-gpu-fix-memory-leak-in-virti.patch b/0065-virtio-gpu-fix-memory-leak-in-virti.patch new file mode 100644 index 00000000..f625395d --- /dev/null +++ b/0065-virtio-gpu-fix-memory-leak-in-virti.patch 
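Review bot: `s` is a poor name for "buffer-list entries remaining", and its declaration and type are outside the hunk; the post-decrement in `s-- > 0` also leaves it one below zero (or wrapped, if unsigned) once the loop exits, which is fine only as long as nothing reads it afterwards, which this hunk cannot show. Renaming it (e.g. `entries_left`) or at least commenting the loop, `/* bound by the BDL entry count: copy is 0 when lpib == bsize and the loop would otherwise never end */`, would record why the bound exists, since that reasoning is currently only in the commit message. intel_hda_xfer continues beyond the hunk.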
@@ -0,0 +1,35 @@ +From 6562305928517bbc5b2a4525b8baddb58a510666 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Sun, 18 Sep 2016 19:07:11 -0700 +Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In virtio gpu resource create dispatch, if the pixman format is zero +it doesn't free the resource object allocated previously. Thus leading +a host memory leak issue. This patch avoid this. + +Signed-off-by: Li Qiang +Reviewed-by: Marc-André Lureau +Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com +Signed-off-by: Gerd Hoffmann +(cherry picked from commit cb3a0522b694cc5bb6424497b3f828ccd28fd1dd) +[BR: CVE-2016-7994 BSC#1003613] +Signed-off-by: Bruce Rogers +--- + hw/display/virtio-gpu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c +index 7fe6ed8..5b6d17b 100644 +--- a/hw/display/virtio-gpu.c ++++ b/hw/display/virtio-gpu.c +@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, + qemu_log_mask(LOG_GUEST_ERROR, + "%s: host couldn't handle guest format %d\n", + __func__, c2d.format); ++ g_free(res); + cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } diff --git a/0066-9pfs-fix-integer-overflow-issue-in-.patch b/0066-9pfs-fix-integer-overflow-issue-in-.patch new file mode 100644 index 00000000..b8fe18ac --- /dev/null +++ b/0066-9pfs-fix-integer-overflow-issue-in-.patch 
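Review bot: `g_free(res);` is only correct if `res` has not yet been linked into the device's resource list at this point; the allocation and any list insertion are outside the hunk, so that ordering should be confirmed, because freeing an already-linked resource would leave a dangling pointer in the list. A one-line comment, `/* not yet on the resource list, so plain free is enough */`, would record the invariant for the next person who reorders this function. virtio_gpu_resource_create_2d starts and ends outside the hunk.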
@@ -0,0 +1,92 @@ +From a3ada2d4bae5bd45ca8751f47fe59f71cf7355e7 Mon Sep 17 00:00:00 2001 +From: Li Qiang +Date: Tue, 1 Nov 2016 12:00:40 +0100 +Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest +originated offset: they must ensure this offset does not go beyond +the size of the extended attribute that was set in v9fs_xattrcreate(). +Unfortunately, the current code implement these checks with unsafe +calculations on 32 and 64 bit values, which may allow a malicious +guest to cause OOB access anyway. + +Fix this by comparing the offset and the xattr size, which are +both uint64_t, before trying to compute the effective number of bytes +to read or write. + +Suggested-by: Greg Kurz +Signed-off-by: Li Qiang +Reviewed-by: Greg Kurz +Reviewed-By: Guido Günther +Signed-off-by: Greg Kurz +(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6) +[BR: CVE-2016-9104 BSC#1007493] +Signed-off-by: Bruce Rogers +--- + hw/9pfs/9p.c | 32 ++++++++++++-------------------- + 1 file changed, 12 insertions(+), 20 deletions(-) + +diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c +index af07846..fc4f2cd 100644 +--- a/hw/9pfs/9p.c ++++ b/hw/9pfs/9p.c +@@ -1628,20 +1628,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, + { + ssize_t err; + size_t offset = 7; +- int read_count; +- int64_t xattr_len; ++ uint64_t read_count; + V9fsVirtioState *v = container_of(s, V9fsVirtioState, state); + VirtQueueElement *elem = v->elems[pdu->idx]; + +- xattr_len = fidp->fs.xattr.len; +- read_count = xattr_len - off; ++ if (fidp->fs.xattr.len < off) { ++ read_count = 0; ++ } else { ++ read_count = fidp->fs.xattr.len - off; ++ } + if (read_count > max_count) { + read_count = max_count; +- } else if (read_count < 0) { +- /* +- * read beyond XATTR value +- */ +- read_count = 0; + } + err = 
pdu_marshal(pdu, offset, "d", read_count); + if (err < 0) { +@@ -1969,23 +1966,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp, + { + int i, to_copy; + ssize_t err = 0; +- int write_count; +- int64_t xattr_len; ++ uint64_t write_count; + size_t offset = 7; + + +- xattr_len = fidp->fs.xattr.len; +- write_count = xattr_len - off; +- if (write_count > count) { +- write_count = count; +- } else if (write_count < 0) { +- /* +- * write beyond XATTR value len specified in +- * xattrcreate +- */ ++ if (fidp->fs.xattr.len < off) { + err = -ENOSPC; + goto out; + } ++ write_count = fidp->fs.xattr.len - off; ++ if (write_count > count) { ++ write_count = count; ++ } + err = pdu_marshal(pdu, offset, "d", write_count); + if (err < 0) { + return err; diff --git a/0067-dma-rc4030-limit-interval-timer-rel.patch b/0067-dma-rc4030-limit-interval-timer-rel.patch new file mode 100644 index 00000000..bc18d015 --- /dev/null +++ b/0067-dma-rc4030-limit-interval-timer-rel.patch 
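Review bot: `read_count` and `write_count` are now `uint64_t` but are still passed to `pdu_marshal(pdu, offset, "d", ...)`; if the `d` conversion fetches a 32-bit value through `va_arg`, as the format letter suggests, handing it a 64-bit argument is a type mismatch that happens to work on x86-64 and is undefined elsewhere. After the clamps against `max_count` and `count` the values fit in 32 bits (assuming those parameters are 32-bit, their declarations are outside the hunk), so an explicit `pdu_marshal(pdu, offset, "d", (uint32_t)read_count);` and the same for `write_count` pins the type without changing the result. Both v9fs_xattr_read and v9fs_xattr_write start and end outside the hunk.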
@@ -0,0 +1,32 @@
+From 491b61b48cef566df12b5b2191111febd95d1a5c Mon Sep 17 00:00:00 2001
+From: P J P
+Date: Mon, 31 Oct 2016 15:55:14 -0600
+Subject: [PATCH] dma: rc4030: limit interval timer reload value
+
+The JAZZ RC4030 chipset emulator has a periodic timer and
+associated interval reload register. The reload value is used
+as divider when computing timer's next tick value. If reload
+value is large, it could lead to divide by zero error. Limit
+the interval reload value to avoid it.
+
+Reported-by: Huawei PSIRT
+Signed-off-by: Prasad J Pandit
+[BR: CVE-2016-8667 BSC#1004702]
+Signed-off-by: Bruce Rogers
+---
+ hw/dma/rc4030.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
+index 2f2576f..c1b4997 100644
+--- a/hw/dma/rc4030.c
++++ b/hw/dma/rc4030.c
+@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
+ break;
+ /* Interval timer reload */
+ case 0x0228:
+- s->itr = val;
++ s->itr = val & 0x01FF;
+ qemu_irq_lower(s->timer_irq);
+ set_next_tick(s);
+ break;
diff --git a/0068-net-imx-limit-buffer-descriptor-cou.patch b/0068-net-imx-limit-buffer-descriptor-cou.patch
new file mode 100644
index 00000000..4cf26260
--- /dev/null
+++ b/0068-net-imx-limit-buffer-descriptor-cou.patch
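Review bot: `s->itr = val & 0x01FF;` clips the reload value with an unexplained magic mask: the description says large values make set_next_tick() divide by zero, but nothing at the site says why nine bits is the right width or whether it matches the real register. A named constant and a comment, `/* bound the reload value: set_next_tick() uses it as a divisor */` (with the width confirmed against the chipset documentation), would let the next reader check the claim, and a `qemu_log_mask(LOG_GUEST_ERROR, ...)` when `val` has bits above the mask would surface a guest writing out of range instead of quietly truncating it. rc4030_write continues outside the hunk.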
@@ -0,0 +1,47 @@ +From b7f162a68696ea14af398de7584cfaf9f2de4509 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Mon, 31 Oct 2016 15:58:47 -0600 +Subject: [PATCH] net: imx: limit buffer descriptor count + +i.MX Fast Ethernet Controller uses buffer descriptors to manage +data flow to/fro receive & transmit queues. While transmitting +packets, it could continue to read buffer descriptors if a buffer +descriptor has length of zero and has crafted values in bd.flags. +Set an upper limit to number of buffer descriptors. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +[BR: CVE-2016-7907 BSC#1002549] +Signed-off-by: Bruce Rogers +--- + hw/net/imx_fec.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c +index 1c415ab..1d74827 100644 +--- a/hw/net/imx_fec.c ++++ b/hw/net/imx_fec.c +@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = { + #define PHY_INT_PARFAULT (1 << 2) + #define PHY_INT_AUTONEG_PAGE (1 << 1) + ++#define IMX_MAX_DESC 1024 ++ + static void imx_eth_update(IMXFECState *s); + + /* +@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s) + + static void imx_fec_do_tx(IMXFECState *s) + { +- int frame_size = 0; ++ int frame_size = 0, descnt = 0; + uint8_t frame[ENET_MAX_FRAME_SIZE]; + uint8_t *ptr = frame; + uint32_t addr = s->tx_descriptor; + +- while (1) { ++ while (descnt++ < IMX_MAX_DESC) { + IMXFECBufDesc bd; + int len; + diff --git a/0069-roms-Makefile-pass-a-packaging-time.patch b/0069-roms-Makefile-pass-a-packaging-time.patch new file mode 100644 index 00000000..d0af6fce --- /dev/null +++ b/0069-roms-Makefile-pass-a-packaging-time.patch 
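Review bot: When `descnt` reaches `IMX_MAX_DESC` the loop ends silently, and what then happens to the partially assembled `frame` and to `s->tx_descriptor` is outside the hunk; a `qemu_log_mask(LOG_GUEST_ERROR, ...)` after the loop when the cap was hit would make a guest chaining descriptors abnormally visible in the log. `IMX_MAX_DESC` itself deserves a comment saying why 1024, e.g. `/* cap the descriptor walk: a zero-length BD with crafted flags would otherwise loop forever */`, since the reason is only in the commit message. Style: `int frame_size = 0, descnt = 0;` packs two initialised locals on one line where the surrounding declarations are one per line. imx_fec_do_tx continues past the hunk.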
@@ -0,0 +1,71 @@ +From 265aa090c4da5686ac3ed77285108606a79e4821 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers +Date: Sat, 19 Nov 2016 08:06:30 -0700 +Subject: [PATCH] roms/Makefile: pass a packaging timestamp to subpackages with + date info + +Certain rom subpackages build from qemu git-submodules call the date +program to include date information in the packaged binaries. This +causes repeated builds of the package to be different, wkere the only +real difference is due to the fact that time build timestamp has +changed. To promote reproducible builds and avoid customers being +prompted to update packages needlessly, we'll use the timestamp of the +VERSION file as the packaging timestamp for all packages that build in a +timestamp for whatever reason. + +[BR: BSC#1011213] +Signed-off-by: Bruce Rogers +--- + roms/Makefile | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/roms/Makefile b/roms/Makefile +index 88b3709..eb0640f 100644 +--- a/roms/Makefile ++++ b/roms/Makefile +@@ -52,6 +52,12 @@ SEABIOS_EXTRAVERSION="-prebuilt.qemu-project.org" + # + EFIROM ?= $(shell which EfiRom 2>/dev/null) + ++# NB: Certain SUSE qemu subpackages use date information, but we want ++# reproducible builds, so we use a pre-determined timestamp, rather ++# than the current timestamp to acheive consistent results build to ++# build. 
++PACKAGING_TIMESTAMP = $(shell date -r ../VERSION +%s) ++ + default: + @echo "nothing is build by default" + @echo "available build targets:" +@@ -105,7 +111,7 @@ build-lgplvgabios: + + .PHONY: sgabios + sgabios: +- $(MAKE) -C sgabios ++ $(MAKE) -C sgabios PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) + cp sgabios/sgabios.bin ../pc-bios + + +@@ -125,18 +131,22 @@ efi-rom-%: build-pxe-roms build-efi-roms + + build-pxe-roms: + $(MAKE) -C ipxe/src CONFIG=qemu \ ++ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \ + CROSS_COMPILE=$(x86_64_cross_prefix) \ + $(patsubst %,bin/%.rom,$(pxerom_targets)) + + build-efi-roms: build-pxe-roms + $(MAKE) -C ipxe/src CONFIG=qemu \ ++ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \ + CROSS_COMPILE=$(x86_64_cross_prefix) \ + $(patsubst %,bin-i386-efi/%.efidrv,$(pxerom_targets)) \ + $(patsubst %,bin-x86_64-efi/%.efidrv,$(pxerom_targets)) + + + slof: +- $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) qemu ++ $(MAKE) -C SLOF CROSS=$(powerpc64_cross_prefix) \ ++ PACKAGING_TIMESTAMP=$(PACKAGING_TIMESTAMP) \ ++ qemu + cp SLOF/boot_rom.bin ../pc-bios/slof.bin + + u-boot.e500: diff --git a/ipxe-stable-buildid.patch b/ipxe-stable-buildid.patch index 4eb70dba..a8a7b4d4 100644 --- a/ipxe-stable-buildid.patch +++ b/ipxe-stable-buildid.patch 
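Review bot: `PACKAGING_TIMESTAMP = $(shell date -r ../VERSION +%s)` uses recursive `=`, so the shell call is re-run on every expansion of the variable; `PACKAGING_TIMESTAMP ?= $(shell date -r ../VERSION +%s)` evaluates it once and also lets the packaging environment inject a value (a SOURCE_DATE_EPOCH-style override) without editing the Makefile. Reproducibility here rests on the mtime of VERSION being whatever the unpack step left it as, which the comment should state so a pipeline that does not preserve mtimes is not surprised. The comment also misspells `acheive`.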
@@ -1,13 +1,43 @@ ---- a/roms/ipxe/src/Makefile.housekeeping -+++ b/roms/ipxe/src/Makefile.housekeeping -@@ -1074,7 +1074,9 @@ blib : $(BLIB) +ipxe:Makefile: fix issues of build reproducibility + +It is desirable to produce the same bits on subsequent +builds when the actual code of the package doesn't +change. (bsc#1011213) + +Signed-off-by: Bruce Rogers +--- + src/Makefile.housekeeping | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/src/Makefile.housekeeping ++++ b/src/Makefile.housekeeping +@@ -1079,11 +1079,18 @@ blib : $(BLIB) # Command to generate build ID. Must be unique for each $(BIN)/%.tmp, # even within the same build run. # -BUILD_ID_CMD := perl -e 'printf "0x%08x", int ( rand ( 0xffffffff ) );' -+BUILD_ID_DIR := .build_ids -+VERYCLEANUP += $(BUILD_ID_DIR) -+BUILD_ID_CMD := bash -c 'declare -i i=1 ; mkdir -p $(BUILD_ID_DIR) ; cd $(BUILD_ID_DIR) ; until mkdir "$${i}" 2>/dev/null ; do : $$(( i++ )) ; done ; printf "0x%08x" "$${i}" ' ++# NB: In the case of the SUSE qemu-ipxe package we want reproducible ++# builds, so we just use the TGT_ROM_NAME variable, which is already ++# a unique (in the context of the files we generate) hex value suitable ++# for specifying the build_id. 
We no longer define a BUILD_ID_CMD, as ++# we need to use the TGT_ROM_NAME variable directly in the link command # Build timestamp # +-BUILD_TIMESTAMP := $(shell date +%s) ++# NB: In the case of the SUSE qemu-ipxe package we want reproducible ++# builds, so we use a pre-determined timestamp, rather than the current ++# timestamp ++BUILD_TIMESTAMP := $(PACKAGING_TIMESTAMP) + + # Build version + # +@@ -1103,7 +1110,7 @@ $(BIN)/version.%.o : core/version.c $(MA + $(BIN)/%.tmp : $(BIN)/version.%.o $(BLIB) $(MAKEDEPS) $(LDSCRIPT) + $(QM)$(ECHO) " [LD] $@" + $(Q)$(LD) $(LDFLAGS) -T $(LDSCRIPT) $(TGT_LD_FLAGS) $< $(BLIB) -o $@ \ +- --defsym _build_id=`$(BUILD_ID_CMD)` \ ++ --defsym _build_id=`$(PRINTF) "0x%b" "$(TGT_ROM_NAME)"` \ + --defsym _build_timestamp=$(BUILD_TIMESTAMP) \ + -Map $(BIN)/$*.tmp.map + $(Q)$(OBJDUMP) -ht $@ | $(PERL) $(SORTOBJDUMP) >> $(BIN)/$*.tmp.map diff --git a/qemu-linux-user.changes b/qemu-linux-user.changes index 296022a1..3417e909 100644 --- a/qemu-linux-user.changes +++ b/qemu-linux-user.changes 
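Review bot: `BUILD_TIMESTAMP := $(PACKAGING_TIMESTAMP)` has no fallback, so any build of this tree that does not pass PACKAGING_TIMESTAMP (anything other than the roms/Makefile path) ends with `--defsym _build_timestamp=` and most likely a link failure, where the old `date +%s` always produced a value; `BUILD_TIMESTAMP := $(if $(PACKAGING_TIMESTAMP),$(PACKAGING_TIMESTAMP),$(shell date +%s))` keeps the reproducible path and the standalone one. In the build-id replacement `$(PRINTF) "0x%b" "$(TGT_ROM_NAME)"`, `%b` interprets backslash escapes in its argument, so `%s` reads as the intended plain copy; and the file's own requirement that the id be unique per `$(BIN)/%.tmp` now rests on TGT_ROM_NAME being unique per target, which is worth stating at the use site rather than only in the comment block above.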
@@ -1,3 +1,44 @@ +------------------------------------------------------------------- +Sat Nov 19 15:24:08 UTC 2016 - brogers@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7 +* Patches added: + 0069-roms-Makefile-pass-a-packaging-time.patch + +------------------------------------------------------------------- +Thu Nov 10 21:49:18 UTC 2016 - brogers@suse.com + +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7 +* Patches added: + 0041-vmsvga-correct-bitmap-and-pixmap-si.patch + 0042-scsi-mptconfig-fix-an-assert-expres.patch + 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch + 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch + 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch + 0046-scsi-mptsas-use-g_new0-to-allocate-.patch + 0047-scsi-pvscsi-limit-process-IO-loop-t.patch + 0048-virtio-add-check-for-descriptor-s-m.patch + 0049-net-mcf-limit-buffer-descriptor-cou.patch + 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch + 0051-xhci-limit-the-number-of-link-trbs-.patch + 0052-9pfs-allocate-space-for-guest-origi.patch + 0053-9pfs-fix-memory-leak-in-v9fs_link.patch + 0054-9pfs-fix-potential-host-memory-leak.patch + 0055-9pfs-fix-information-leak-in-xattr-.patch + 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch + 0057-9pfs-fix-memory-leak-in-v9fs_write.patch + 0058-char-serial-check-divider-value-aga.patch + 0059-net-pcnet-check-rx-tx-descriptor-ri.patch + 0060-net-eepro100-fix-memory-leak-in-dev.patch + 0061-net-rocker-set-limit-to-DMA-buffer-.patch + 0062-net-vmxnet-initialise-local-tx-desc.patch + 0063-net-rtl8139-limit-processing-of-rin.patch + 0064-audio-intel-hda-check-stream-entry-.patch + 0065-virtio-gpu-fix-memory-leak-in-virti.patch + 0066-9pfs-fix-integer-overflow-issue-in-.patch + 0067-dma-rc4030-limit-interval-timer-rel.patch + 0068-net-imx-limit-buffer-descriptor-cou.patch + ------------------------------------------------------------------- Mon Nov 7 16:14:20 UTC 2016 - afaerber@suse.de 
diff --git a/qemu-linux-user.spec b/qemu-linux-user.spec index 28e12c58..ef143160 100644 --- a/qemu-linux-user.spec +++ b/qemu-linux-user.spec 
@@ -65,6 +65,35 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch Patch0038: 0038-linux-user-properly-test-for-infini.patch Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch +Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch +Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch +Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch +Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch +Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch +Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch +Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch +Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch +Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch +Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch +Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch +Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch +Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch +Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch +Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch +Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch +Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch +Patch0058: 0058-char-serial-check-divider-value-aga.patch +Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch +Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch +Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch +Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch +Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch +Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch +Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch +Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch +Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch +Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch +Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch # Please do not add patches manually 
here, run update_git.sh. # this is to make lint happy Source300: qemu-rpmlintrc @@ -158,6 +187,35 @@ run cross-architecture builds. %patch0038 -p1 %patch0039 -p1 %patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 %build ./configure --prefix=%_prefix --sysconfdir=%_sysconfdir \ diff --git a/qemu-testsuite.changes b/qemu-testsuite.changes index d9b5cdd4..baf77b28 100644 --- a/qemu-testsuite.changes +++ b/qemu-testsuite.changes 
@@ -1,3 +1,81 @@ +------------------------------------------------------------------- +Sat Nov 19 15:24:03 UTC 2016 - brogers@suse.com + +- Refine the approach to producing stable builds in our ROM based + packages. All built roms which have hostname or date calls now + produce consistent results build to build via patch changes, so + remove the hostname and date call workarounds. (bsc#1011213) +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7 +* Patches added: + 0069-roms-Makefile-pass-a-packaging-time.patch + sgabios-stable-buildid.patch + +------------------------------------------------------------------- +Sat Nov 19 15:15:03 UTC 2016 - brogers@suse.com + +- Re-enable ceph (rbd) functionality in OBS builds as we've been told + the issues which prompted us to disable it are resolved + +- Address various security/stability issues +* Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516) + 0041-vmsvga-correct-bitmap-and-pixmap-si.patch +* Fix DOS in LSI SAS1068 emulation (CVE-2016-7157 bsc#997860) + 0042-scsi-mptconfig-fix-an-assert-expres.patch + 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch +* Fix DOS in Vmware pv scsi interface (CVE-2016-7156 bsc#997859) + 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch +* Fix DOS in USB xHCI emulation (CVE-2016-7466 bsc#1000345) + 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch +* Fix OOB access in LSI SAS1068 emulation (CVE-2016-7423 bsc#1000397) + 0046-scsi-mptsas-use-g_new0-to-allocate-.patch +* Fix DOS in Vmware pv scsi interface (CVE-2016-7421 bsc#999661) + 0047-scsi-pvscsi-limit-process-IO-loop-t.patch +* Fix NULL pointer dereference in virtio processing + (CVE-2016-7422 bsc#1000346) + 0048-virtio-add-check-for-descriptor-s-m.patch +* Fix DOS in ColdFire Fast Ethernet Controller emulation + (CVE-2016-7908 bsc#1002550) + 0049-net-mcf-limit-buffer-descriptor-cou.patch +* Fix DOS in USB EHCI emulation (CVE-2016-7995 bsc#1003612) + 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch +* Fix DOS 
in USB xHCI emulation (CVE-2016-8576 bsc#1003878) + 0051-xhci-limit-the-number-of-link-trbs-.patch +* Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894) + 0052-9pfs-allocate-space-for-guest-origi.patch +* Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494) + 0053-9pfs-fix-memory-leak-in-v9fs_link.patch +* Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893) + 0054-9pfs-fix-potential-host-memory-leak.patch +* Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454) + 0055-9pfs-fix-information-leak-in-xattr-.patch +* Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450) + 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch +* Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495) + 0057-9pfs-fix-memory-leak-in-v9fs_write.patch +* Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707) + 0058-char-serial-check-divider-value-aga.patch +* Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557) + 0059-net-pcnet-check-rx-tx-descriptor-ri.patch +* Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391) + 0060-net-eepro100-fix-memory-leak-in-dev.patch +* Fix OOB access in Rocker switch emulation (CVE-2016-8668 bsc#1004706) + 0061-net-rocker-set-limit-to-DMA-buffer-.patch +* Plug data leak in vmxnet3 emulation (CVE-2016-6836 bsc#994760) + 0062-net-vmxnet-initialise-local-tx-desc.patch +* Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538) + 0063-net-rtl8139-limit-processing-of-rin.patch +* Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536) + 0064-audio-intel-hda-check-stream-entry-.patch +* Fix DOS in virtio-gpu (CVE-2016-7994 bsc#1003613) + 0065-virtio-gpu-fix-memory-leak-in-virti.patch +* Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493) + 0066-9pfs-fix-integer-overflow-issue-in-.patch +* Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702) + 0067-dma-rc4030-limit-interval-timer-rel.patch +* Fix DOS in i.MX NIC emulation (CVE-2016-7907 bsc#1002549) + 0068-net-imx-limit-buffer-descriptor-cou.patch +- Patch queue updated from 
git://github.com/openSUSE/qemu.git opensuse-2.7 + ------------------------------------------------------------------- Fri Nov 11 11:11:11 UTC 2016 - ohering@suse.de diff --git a/qemu-testsuite.spec b/qemu-testsuite.spec index ded49392..5ac06402 100644 --- a/qemu-testsuite.spec +++ b/qemu-testsuite.spec 
@@ -127,15 +127,50 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch Patch0038: 0038-linux-user-properly-test-for-infini.patch Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch +Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch +Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch +Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch +Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch +Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch +Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch +Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch +Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch +Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch +Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch +Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch +Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch +Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch +Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch +Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch +Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch +Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch +Patch0058: 0058-char-serial-check-divider-value-aga.patch +Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch +Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch +Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch +Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch +Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch +Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch +Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch +Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch +Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch +Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch +Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch # Please do not add QEMU patches 
manually here. # Run update_git.sh to regenerate this queue. %if %{build_x86_fw_from_source} -# SeaBIOS +# SeaBIOS / SeaVGABIOS # PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit Patch1000: seabios_128kb.patch # ipxe +Patch1100: ipxe-stable-buildid.patch + +# sgabios +Patch1200: sgabios-stable-buildid.patch + +# SLOF # (currently no patches) %endif @@ -747,12 +782,49 @@ This package provides a service file for starting and stopping KSM. %patch0038 -p1 %patch0039 -p1 %patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios %patch1000 -p1 popd pushd roms/ipxe +%patch1100 -p1 +popd + +pushd roms/sgabios +%patch1200 -p1 +popd + +pushd roms/SLOF # (currently no patches) popd @@ -768,6 +840,7 @@ rm -f pc-bios/slof.bin %endif %build +echo '%{version}' > roms/seabios/.version ./configure \ --prefix=%_prefix \ --sysconfdir=%_sysconfdir \ diff --git a/qemu.changes b/qemu.changes index d9b5cdd4..baf77b28 100644 --- a/qemu.changes +++ b/qemu.changes 
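Review bot: The new `echo '%{version}' > roms/seabios/.version` in the `%build` hunk runs unconditionally, immediately after the `%endif` that closes the preceding firmware conditional, so it writes into the SeaBIOS tree even in builds where `%{build_x86_fw_from_source}` is off and nothing in roms/seabios is compiled. It would be clearer to keep it with the rest of the SeaBIOS handling: `%if %{build_x86_fw_from_source}` / `echo '%{version}' > roms/seabios/.version` / `%endif`. Whether SeaBIOS's build actually consumes `.version` in this form is not shown here, so confirm it against roms/seabios/Makefile. qemu.spec already carries the same line (it appears as context in its `%build` hunk below); if both spec files are regenerated from qemu.spec.in, the change belongs in the template.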
@@ -1,3 +1,81 @@ +------------------------------------------------------------------- +Sat Nov 19 15:24:03 UTC 2016 - brogers@suse.com + +- Refine the approach to producing stable builds in our ROM based + packages. All built roms which have hostname or date calls now + produce consistent results build to build via patch changes, so + remove the hostname and date call workarounds. (bsc#1011213) +- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.7 +* Patches added: + 0069-roms-Makefile-pass-a-packaging-time.patch + sgabios-stable-buildid.patch + +------------------------------------------------------------------- +Sat Nov 19 15:15:03 UTC 2016 - brogers@suse.com + +- Re-enable ceph (rbd) functionality in OBS builds as we've been told + the issues which prompted us to disable it are resolved + +- Address various security/stability issues +* Fix OOB access in VMware SVGA emulation (CVE-2016-7170 bsc#998516) + 0041-vmsvga-correct-bitmap-and-pixmap-si.patch +* Fix DOS in LSI SAS1068 emulation (CVE-2016-7157 bsc#997860) + 0042-scsi-mptconfig-fix-an-assert-expres.patch + 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch +* Fix DOS in Vmware pv scsi interface (CVE-2016-7156 bsc#997859) + 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch +* Fix DOS in USB xHCI emulation (CVE-2016-7466 bsc#1000345) + 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch +* Fix OOB access in LSI SAS1068 emulation (CVE-2016-7423 bsc#1000397) + 0046-scsi-mptsas-use-g_new0-to-allocate-.patch +* Fix DOS in Vmware pv scsi interface (CVE-2016-7421 bsc#999661) + 0047-scsi-pvscsi-limit-process-IO-loop-t.patch +* Fix NULL pointer dereference in virtio processing + (CVE-2016-7422 bsc#1000346) + 0048-virtio-add-check-for-descriptor-s-m.patch +* Fix DOS in ColdFire Fast Ethernet Controller emulation + (CVE-2016-7908 bsc#1002550) + 0049-net-mcf-limit-buffer-descriptor-cou.patch +* Fix DOS in USB EHCI emulation (CVE-2016-7995 bsc#1003612) + 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch +* Fix DOS 
in USB xHCI emulation (CVE-2016-8576 bsc#1003878) + 0051-xhci-limit-the-number-of-link-trbs-.patch +* Fix DOS in virtio-9pfs (CVE-2016-8578 bsc#1003894) + 0052-9pfs-allocate-space-for-guest-origi.patch +* Fix DOS in virtio-9pfs (CVE-2016-9105 bsc#1007494) + 0053-9pfs-fix-memory-leak-in-v9fs_link.patch +* Fix DOS in virtio-9pfs (CVE-2016-8577 bsc#1003893) + 0054-9pfs-fix-potential-host-memory-leak.patch +* Plug data leak in virtio-9pfs interface (CVE-2016-9103 bsc#1007454) + 0055-9pfs-fix-information-leak-in-xattr-.patch +* Fix DOS in virtio-9pfs interface (CVE-2016-9102 bsc#1007450) + 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch +* Fix DOS in virtio-9pfs (CVE-2016-9106 bsc#1007495) + 0057-9pfs-fix-memory-leak-in-v9fs_write.patch +* Fix DOS in 16550A UART emulation (CVE-2016-8669 bsc#1004707) + 0058-char-serial-check-divider-value-aga.patch +* Fix DOS in PC-Net II emulation (CVE-2016-7909 bsc#1002557) + 0059-net-pcnet-check-rx-tx-descriptor-ri.patch +* Fix DOS in PRO100 emulation (CVE-2016-9101 bsc#1007391) + 0060-net-eepro100-fix-memory-leak-in-dev.patch +* Fix OOB access in Rocker switch emulation (CVE-2016-8668 bsc#1004706) + 0061-net-rocker-set-limit-to-DMA-buffer-.patch +* Plug data leak in vmxnet3 emulation (CVE-2016-6836 bsc#994760) + 0062-net-vmxnet-initialise-local-tx-desc.patch +* Fix DOS in RTL8139 emulation (CVE-2016-8910 bsc#1006538) + 0063-net-rtl8139-limit-processing-of-rin.patch +* Fix DOS in Intel HDA controller emulation (CVE-2016-8909 bsc#1006536) + 0064-audio-intel-hda-check-stream-entry-.patch +* Fix DOS in virtio-gpu (CVE-2016-7994 bsc#1003613) + 0065-virtio-gpu-fix-memory-leak-in-virti.patch +* Fix DOS in virtio-9pfs (CVE-2016-9104 bsc#1007493) + 0066-9pfs-fix-integer-overflow-issue-in-.patch +* Fix DOS in JAZZ RC4030 emulation (CVE-2016-8667 bsc#1004702) + 0067-dma-rc4030-limit-interval-timer-rel.patch +* Fix DOS in i.MX NIC emulation (CVE-2016-7907 bsc#1002549) + 0068-net-imx-limit-buffer-descriptor-cou.patch +- Patch queue updated from 
git://github.com/openSUSE/qemu.git opensuse-2.7 + ------------------------------------------------------------------- Fri Nov 11 11:11:11 UTC 2016 - ohering@suse.de diff --git a/qemu.spec b/qemu.spec index 64d0a4e7..483b882f 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -127,16 +127,50 @@ Patch0037: 0037-configure-Fix-detection-of-seccomp-.patch Patch0038: 0038-linux-user-properly-test-for-infini.patch Patch0039: 0039-Fix-tlb_vaddr_to_host-with-CONFIG_U.patch Patch0040: 0040-linux-user-remove-all-traces-of-qem.patch +Patch0041: 0041-vmsvga-correct-bitmap-and-pixmap-si.patch +Patch0042: 0042-scsi-mptconfig-fix-an-assert-expres.patch +Patch0043: 0043-scsi-mptconfig-fix-misuse-of-MPTSAS.patch +Patch0044: 0044-scsi-pvscsi-limit-loop-to-fetch-SG-.patch +Patch0045: 0045-usb-xhci-fix-memory-leak-in-usb_xhc.patch +Patch0046: 0046-scsi-mptsas-use-g_new0-to-allocate-.patch +Patch0047: 0047-scsi-pvscsi-limit-process-IO-loop-t.patch +Patch0048: 0048-virtio-add-check-for-descriptor-s-m.patch +Patch0049: 0049-net-mcf-limit-buffer-descriptor-cou.patch +Patch0050: 0050-usb-ehci-fix-memory-leak-in-ehci_pr.patch +Patch0051: 0051-xhci-limit-the-number-of-link-trbs-.patch +Patch0052: 0052-9pfs-allocate-space-for-guest-origi.patch +Patch0053: 0053-9pfs-fix-memory-leak-in-v9fs_link.patch +Patch0054: 0054-9pfs-fix-potential-host-memory-leak.patch +Patch0055: 0055-9pfs-fix-information-leak-in-xattr-.patch +Patch0056: 0056-9pfs-fix-memory-leak-in-v9fs_xattrc.patch +Patch0057: 0057-9pfs-fix-memory-leak-in-v9fs_write.patch +Patch0058: 0058-char-serial-check-divider-value-aga.patch +Patch0059: 0059-net-pcnet-check-rx-tx-descriptor-ri.patch +Patch0060: 0060-net-eepro100-fix-memory-leak-in-dev.patch +Patch0061: 0061-net-rocker-set-limit-to-DMA-buffer-.patch +Patch0062: 0062-net-vmxnet-initialise-local-tx-desc.patch +Patch0063: 0063-net-rtl8139-limit-processing-of-rin.patch +Patch0064: 0064-audio-intel-hda-check-stream-entry-.patch +Patch0065: 0065-virtio-gpu-fix-memory-leak-in-virti.patch +Patch0066: 0066-9pfs-fix-integer-overflow-issue-in-.patch +Patch0067: 0067-dma-rc4030-limit-interval-timer-rel.patch +Patch0068: 0068-net-imx-limit-buffer-descriptor-cou.patch +Patch0069: 0069-roms-Makefile-pass-a-packaging-time.patch # Please do not add QEMU patches 
manually here. # Run update_git.sh to regenerate this queue. -Patch999: ipxe-stable-buildid.patch %if %{build_x86_fw_from_source} -# SeaBIOS +# SeaBIOS / SeaVGABIOS # PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit Patch1000: seabios_128kb.patch # ipxe +Patch1100: ipxe-stable-buildid.patch + +# sgabios +Patch1200: sgabios-stable-buildid.patch + +# SLOF # (currently no patches) %endif @@ -748,13 +782,49 @@ This package provides a service file for starting and stopping KSM. %patch0038 -p1 %patch0039 -p1 %patch0040 -p1 +%patch0041 -p1 +%patch0042 -p1 +%patch0043 -p1 +%patch0044 -p1 +%patch0045 -p1 +%patch0046 -p1 +%patch0047 -p1 +%patch0048 -p1 +%patch0049 -p1 +%patch0050 -p1 +%patch0051 -p1 +%patch0052 -p1 +%patch0053 -p1 +%patch0054 -p1 +%patch0055 -p1 +%patch0056 -p1 +%patch0057 -p1 +%patch0058 -p1 +%patch0059 -p1 +%patch0060 -p1 +%patch0061 -p1 +%patch0062 -p1 +%patch0063 -p1 +%patch0064 -p1 +%patch0065 -p1 +%patch0066 -p1 +%patch0067 -p1 +%patch0068 -p1 +%patch0069 -p1 -%patch999 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios %patch1000 -p1 popd pushd roms/ipxe +%patch1100 -p1 +popd + +pushd roms/sgabios +%patch1200 -p1 +popd + +pushd roms/SLOF # (currently no patches) popd @@ -771,21 +841,6 @@ rm -f pc-bios/slof.bin %build echo '%{version}' > roms/seabios/.version -mkdir .bin -pushd $_ -tee hostname <<_EOD_ -#!/bin/sh -echo hostname -_EOD_ -tee date <<_EOD_ -#!/bin/sh -exec $(type -p date) --reference="$PWD/date" --utc "\$@" -_EOD_ -touch -r ../VERSION date -chmod 00755 * -ls -l --time-style=full-iso * -export PATH="$PWD:$PATH" -popd ./configure \ --prefix=%_prefix \ --sysconfdir=%_sysconfdir \ 
@@ -955,13 +1010,6 @@ make %{?_smp_mflags} -C roms pxerom %ifarch x86_64 make %{?_smp_mflags} -C roms efirom %endif -# relink ipxe roms, this time with a stable build_id -find roms/ipxe \( -name "*.rom" -o -name "*.tmp" \) -print -delete -make -C roms pxerom -%ifarch x86_64 -make -C roms efirom -%endif -# make -C roms sgabios %endif %if %{build_slof_from_source} diff --git a/qemu.spec.in b/qemu.spec.in index a1ec5c03..978a01be 100644 --- a/qemu.spec.in +++ b/qemu.spec.in @@ -91,13 +91,18 @@ PATCH_FILES # Please do not add QEMU patches manually here. # Run update_git.sh to regenerate this queue. -Patch999: ipxe-stable-buildid.patch %if %{build_x86_fw_from_source} -# SeaBIOS +# SeaBIOS / SeaVGABIOS # PATCH-FIX-OPENSUSE seabios_128kb.patch brogers@suse.com -- make it fit Patch1000: seabios_128kb.patch # ipxe +Patch1100: ipxe-stable-buildid.patch + +# sgabios +Patch1200: sgabios-stable-buildid.patch + +# SLOF # (currently no patches) %endif @@ -671,15 +676,21 @@ This package provides a service file for starting and stopping KSM. %setup -q -n qemu-2.7.0 PATCH_EXEC -%patch999 -p1 %if %{build_x86_fw_from_source} pushd roms/seabios %patch1000 -p1 popd pushd roms/ipxe -# (currently no patches) +%patch1100 -p1 popd +pushd roms/sgabios +%patch1200 -p1 +popd + +pushd roms/SLOF +# (currently no patches) +popd # as a safeguard, delete the firmware files that we intend to build for i in %built_firmware_files @@ -694,21 +705,6 @@ rm -f pc-bios/slof.bin %build echo '%{version}' > roms/seabios/.version -mkdir .bin -pushd $_ -tee hostname <<_EOD_ -#!/bin/sh -echo hostname -_EOD_ -tee date <<_EOD_ -#!/bin/sh -exec $(type -p date) --reference="$PWD/date" --utc "\$@" -_EOD_ -touch -r ../VERSION date -chmod 00755 * -ls -l --time-style=full-iso * -export PATH="$PWD:$PATH" -popd ./configure \ --prefix=%_prefix \ --sysconfdir=%_sysconfdir \ 
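Review bot: `%patch1100 -p1` inside `pushd roms/ipxe` resolves the patch's paths against roms/ipxe, whereas the removed `%patch999 -p1` resolved them against the source root, so ipxe-stable-buildid.patch keeps applying only if its paths were rewritten relative to roms/ipxe. No change to ipxe-stable-buildid.patch is visible in this diff (the diffstat is truncated), so this needs confirming; if the paths still begin with `a/roms/ipxe/`, the call should be `%patch1100 -p3`. Gating the patch under `%if %{build_x86_fw_from_source}` is consistent with it only being needed when the ipxe ROMs are rebuilt.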
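Review bot: The new `pushd roms/SLOF` / `# (currently no patches)` / `popd` block sits inside `%if %{build_x86_fw_from_source}`, but SLOF is the ppc firmware and its build is gated separately by `%{build_slof_from_source}` (visible in the `%build` hunks of qemu.spec and qemu.spec.in in this diff), so any SLOF patch added here later would silently not be applied when only the SLOF build is enabled. Move the block out of the x86 conditional and gate it with `%if %{build_slof_from_source}` … `%endif`, and do the same for the `# SLOF` comment placed under the x86 conditional in the `Patch1200` header hunk. qemu.spec and qemu-testsuite.spec carry the same block; if they are regenerated from this template (the PATCH_FILES/PATCH_EXEC placeholders suggest so) fixing it here should propagate, otherwise both need the same edit.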
@@ -879,13 +875,6 @@ make %{?_smp_mflags} -C roms pxerom %ifarch x86_64 make %{?_smp_mflags} -C roms efirom %endif -# relink ipxe roms, this time with a stable build_id -find roms/ipxe \( -name "*.rom" -o -name "*.tmp" \) -print -delete -make -C roms pxerom -%ifarch x86_64 -make -C roms efirom -%endif -# make -C roms sgabios %endif %if %{build_slof_from_source} diff --git a/sgabios-stable-buildid.patch b/sgabios-stable-buildid.patch new file mode 100644 index 00000000..5860aa6c --- /dev/null +++ b/sgabios-stable-buildid.patch @@ -0,0 +1,26 @@ +sgabios:Makefile: fix issues of build reproducibility + +It is desirable to produce the same bits on subsequent +builds when the actual code of the package doesn't +change. (bsc#1011213) + +Signed-off-by: Bruce Rogers +--- + Makefile | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/Makefile ++++ b/Makefile +@@ -14,9 +14,9 @@ + # + # $Id$ + +-BUILD_DATE = \"$(shell date -u)\" +-BUILD_SHORT_DATE = \"$(shell date -u +%D)\" +-BUILD_HOST = \"$(shell hostname)\" ++BUILD_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u)\" ++BUILD_SHORT_DATE = \"$(shell date --date='@$(PACKAGING_TIMESTAMP)' -u +%D)\" ++BUILD_HOST = \"hostname\" + BUILD_USER = \"$(shell whoami)\" + + CFLAGS := -Wall -Os -m32 -nostdlib
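Review bot: The Makefile hunk in the new sgabios-stable-buildid.patch replaces the date and hostname calls but leaves `BUILD_USER = \"$(shell whoami)\"`, so, assuming these values are compiled into the image as their names suggest, the ROM still embeds the build account name: output differs between build users, which undermines the reproducibility goal (bsc#1011213), and the builder's login ends up in a shipped binary. Replace it with a constant in the same spirit as the hostname line, `BUILD_USER = \"user\"`. The new `date --date='@$(PACKAGING_TIMESTAMP)'` also assumes `PACKAGING_TIMESTAMP` is always set; when it is empty, `date --date='@'` fails and `$(shell ...)` yields an empty `BUILD_DATE`, so a guard such as `ifndef PACKAGING_TIMESTAMP` / `$(error PACKAGING_TIMESTAMP is not set)` / `endif` above these lines would make that failure explicit. Patch 0069 (roms Makefile) presumably supplies the value, but its content is not in this diff.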