diff options
| author |   Aric Belsito <lluixhi@gmail.com> | 2017-07-26 12:10:10 -0700 |
|---|---|---|
| committer | Aric Belsito <lluixhi@gmail.com> | 2017-07-26 12:11:09 -0700 |
| commit | 733898218545d7f941e865f69a628b9792ca25ff (patch) | |
| tree | 62bef53004c490cf5cabaf1eec29be2f03f46f5f /app-emulation | |
| parent | sys-power/upower: 0.99.5 in main tree (diff) | |
| download | musl-733898218545d7f941e865f69a628b9792ca25ff.tar.gz musl-733898218545d7f941e865f69a628b9792ca25ff.tar.bz2 musl-733898218545d7f941e865f69a628b9792ca25ff.zip | |
app-emulation/qemu: version bump to 2.9.0-r56
Remove qemu-2.8.1-r2
Diffstat (limited to 'app-emulation')
32 files changed, 1309 insertions, 1683 deletions
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest index c719930d..5fe223b6 100644 --- a/app-emulation/qemu/Manifest +++ b/app-emulation/qemu/Manifest @@ -4,36 +4,24 @@ AUX qemu-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 930 SH AUX qemu-2.2.0-_sigev_un.patch 638 SHA256 1f66c5a55ec94d73182cd25f3de5490cdb075542246a37d206cfb7b4a99a40a4 SHA512 5a2f9af1b60fd5a088679f3481b8d0317da88d4922b02289265b8d193b3589dd6d498e66531fc37ed86b97f4a648a1068f2da646e381d89c472716ef58190eb1 WHIRLPOOL 8444edaa4e5d59a337a7ebba71807b51941642517e5e762fb3458fde1a53c63c919ca809e5f32b503f1a92e4ccd2d21a057995fec56fcf846246dadccbdc863f AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154 AUX qemu-2.5.0-sysmacros.patch 333 SHA256 a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 WHIRLPOOL 2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73 -AUX qemu-2.7.0-CVE-2016-8669-1.patch 1010 SHA256 3bc03869bede80013abb94ee029625a382c8059bc9474d9f6fd8e23840cff159 SHA512 53643363a470fba9b82c02b90f2573e45f59f5057993b2c15e1608916ece7f8582b4a84179e8ee70fcb8e3f3eb8a538a058401049ea38242bdb640c14ec54f7e WHIRLPOOL 873ed9b9784bb5757a07c1a494f70603cbe82751222d68a883327424e0d7e87d536400eca5fc7406080cbde2ab0a8fe0b3ee5c6dff81624db5d6d5964fec81be -AUX qemu-2.8.0-CVE-2016-10028.patch 1384 SHA256 25a9f2b2014bbcbb008683211503716a2b4a0e8d96ea001d32b87d451cee1842 SHA512 6cfad99e54cfaea97f5c14fbbfe35768a8ea46196117bf770725e1079f9bccca3b7071416a14e60a36c3c919760ab49663fc8b551026c8cd58c10b3f2d7940b4 WHIRLPOOL 5c0c8350112cb63c8b3db7a15a9090cd2fba879317565b108285fd92c23a8b75a593a65d94b6e448086b126a735056065d07c1877abdb6815ebaa430cf4adabf -AUX qemu-2.8.0-CVE-2016-10155.patch 1558 SHA256 53c20d983847a716f3f708c50ffbeb9d44fd8718f39d86556ae44394d1b2a624 SHA512 4ebfba87927c9f58fe1a0aa05b5850d391698617ce7c3e002d3adfd981ed8c23d35a6863e14f52264576dda31f84dc25421d2f930547f82ccfde126137d91aea WHIRLPOOL 44366afdf52eed47c28a6e9cec1ee7c613b5bac6441cf4f7bf29b30ef6ec7504e72a2d8c873a949e46f1cfd3055a407b673d6151802ab3c957cde8faaed20903 -AUX qemu-2.8.0-CVE-2016-9908.patch 1166 SHA256 22ef4999a3daf3c46a3c90ca20fb131545d4d0befeff7c3ca870585a3e03b7b7 SHA512 c46abda3a5b1a68c7c2e5236f8e424f4569a28ba2aea9b8ec32467e55b535492da6e4702d4758a5721f1bf222f7f2554a5e4c9a190781d60c40202a5291dcf49 WHIRLPOOL aa8087350770ecbb60049e3269ddf9d68258657ef6a088b562e344056689e578a390328dde9c5d2b5024e7fa03995b571295a1d64943d9b3882cf0c5f833dbd8 -AUX qemu-2.8.0-CVE-2016-9912.patch 1307 SHA256 e3eac321492a9ef42d88b04877511255c3731a9bb029d7c6ab2da0aa8f09e2d8 SHA512 f9ba4f167334d9b934c37fbed21ded8b3d71e5bdbdb1f15f81d4423b0790bfa127637155d5863b563fa974f1421c4ace1f2a4e3e81e3ae3d6045b2083210b103 WHIRLPOOL 7aa8dab7b6462f142365d274e6131ca1630c396e36c851cb562c081c4243c58e2ae22cf682e51145af08befcaba395254c765cf56112a6c177e1c9a18ffb5926 -AUX qemu-2.8.0-CVE-2017-5525-1.patch 1625 SHA256 88e253c306761017d66dca5b72184f89cebf3b617db7bc0e4b27025757a66181 SHA512 a7f82374ec4e264b065be7ba63c197d93fee230d68819bf68a0a67c84f89182d0cc0a42b9aadf53a8a903d640dacc55392174c7820379e92ad0e35c86c35a2dd WHIRLPOOL 63e192dc0e075139f18aee2d0541c75021852a7d7251321ca8fe7f9b793c72786a6aab878e308931289eab3c07c3cbbc8ad32b67de1193f85b672e16a8372495 -AUX qemu-2.8.0-CVE-2017-5525-2.patch 1664 SHA256 ab03a1cff62164090133f0dbace9724302e806a808b18d64628d12f0bd9abad6 SHA512 ac1d89331c3fc4d0ef7af411a12654329057676e9f016cb9a4a46dc9b4e01092c17af33d095f3104e71094ae585a35a8276a98560dd97f8d045e0b9fd2f0069f WHIRLPOOL 20457d7fe5b3842c0c601068dba410586fc4b4c7fce81ba3ee436a6cfec3b1b950797d6ca9a2a573fef21a29421f8c04a34d1dfefe0b7ade03a6ca51d16d99cb -AUX qemu-2.8.0-CVE-2017-5552.patch 1481 SHA256 26616f16434b3aff65b1cd1ce82c6abdfbd44da8a047a5a32b1e07755c9a3e1b SHA512 3c3f5027be3bfe56c1445004bd28536e11f606cc6787fcefad3da267eb3e11b61110c8a4700fd9d6f95ce50f10a2678b2bc6f950297b949b837882a68901d6e5 WHIRLPOOL ca93726b8a0567f68fac634eef1e88c997c1e959cafb33bc6ba8871d9021591bb61be6b3635d3fac111e1e177dbbff939c93580d7f0824e752b378dbc38fbc45 -AUX qemu-2.8.0-CVE-2017-5578.patch 1084 SHA256 a7639fc84377b23ebc55dbb1c6d8c53bb2e6230be03b2efba78108257058d8b4 SHA512 8d160d56a94ec9380640badcab29fdd05f2f665377febd1b7e71a9c619d9db963eaa74cf74a2e0287fd2f6e2a7d4bce0f8e4281b3b0292347eece52b7344243b WHIRLPOOL efd3238bf720a1051a41ea621601afeea7546cc7e48d4a7f23bc0b3277bee368bb259a2735e6290b4609e78a1e54e29fe1ba7b088824284787faddc84491d876 -AUX qemu-2.8.0-CVE-2017-5579.patch 1132 SHA256 df32524c24aa4d7d9166bb5e159ba10023c7777b9583e920bd8590feec433580 SHA512 d4669821ae8e06a31b852a31699aa26421ce5fb6c049573cb6613515da486e390d8ddf71adb4e6c1a45a15bb468bbb45df68cbf5e9388660c9c03866becb9edd WHIRLPOOL 0d5ed483c6e3f849fc4b9568a3af4c086258ef1162a4e11baa65bcf35eeb8a505c8b7de935175fdc53e7284e23eb492a95326cdea6c690283085136cb02d3b7a -AUX qemu-2.8.0-CVE-2017-5856.patch 2224 SHA256 92ddbba8c0d21bdae5b11ae064c21da939cbbb1fd0e6aa10477efced6bf9582f SHA512 7e043d8299d67d33c12bf5591f0881029013852df2243c2ea747fc6c4d1d6c0acffbaef7538634a60f8f875da94bb71db3e3a07972de066b7ac5d49e4d3cb906 WHIRLPOOL b5f38b059e4305b352e3807c2b7762fe856d1067431452fbbf991415ad17f25d152225d9e0ea61b5e8175e42abebbb2abdd85ac37f301ac123f81af822ff2f02 -AUX qemu-2.8.0-CVE-2017-5857.patch 1326 SHA256 e2150a7cc92b72e3f20506b9c76b40599af8d2366d25bd9b245a0bffa66ad8eb SHA512 d6d000b57f1fb194f9554165621109b364ebdb61416bc07e2283f2d493c33e770d1b63002d62565aae1ac19ed0ad9e572c207341aa1ad023581f349f62158d30 WHIRLPOOL cbe84c67ba9bb368baf2b1842e8c7c1ee3fb720630bcd53fdbdef9e8f3efdb25c1a927d0f65c9d1f6def28defe6997943a7867e8225eb12e395a0811ad3e32a1 -AUX qemu-2.8.0-CVE-2017-5898.patch 1412 SHA256 7f44668d51a94d19fcca0f496d8ac798fd654afe25d2998f7d07a148a836ade9 SHA512 2cd9af4957849a5d72dc0f0fbb30852870306ebc0a348cf5951df58d3029d1aae52df9261d2e4a9d7a4f132f78c390af8a049e1f109b324899bccd91e5c10d1f WHIRLPOOL c48e1fe163761880adab990683dc5d54ee31173763f11239ffee7c229bd65a2958a696dede39e7e645860980e2a7c5c6e5873e5db53872ac373d8d2415a167ab -AUX qemu-2.8.0-CVE-2017-5973.patch 2815 SHA256 206d01053ce678e2c83174b278755e112099f76350aaa765525d344a87365ded SHA512 31b4bd1b8398d8044ace7660a049c492beda83613818a718477257e0bdf922d63423100fd59f2e8411dc952d282a7c405b916ab437b131b31c21dcf65f98edce WHIRLPOOL ea43efbdd5fdc51e1b8b5057fbe50b3911896cbda8437998ca203d34db82524eb42a77440f2490574a48f15ba1c4bbb7d9c40bfb6e99e96278a1d1912ea210a7 -AUX qemu-2.8.0-CVE-2017-5987.patch 1889 SHA256 c4f2175970deca9b00bf657e66b8df31a02efce469eec02279a9659b9cb18bb0 SHA512 32708f91edbbb61ac444ee71b97a30138380544389f6265d7cb7aec330ebaaa7ca69844a9462c817fbda117e78748fc4fdeb655e70bcd72ddd8b112fd9619b0d WHIRLPOOL 1aa99740495c0d2a577cf13c47669aeba75ad389394736ce16fde31c91931254820accad85a6d6fee9757595bec3f222413a89fe4ca125913be7ecc97f33b365 -AUX qemu-2.8.0-CVE-2017-6505.patch 1481 SHA256 55e3b7e65e519caef4fdd28cccb973613759cce0d67eb64c2093b4f0a4e428e1 SHA512 5326f28a9340f392e4f32e4cd5f58cae0769859e10fd4d201983d40ec6b4d094d6a0cad2638e1e6f3e5228b93af26cc4f4a155e0d94bad89d0ea9b866f535aa7 WHIRLPOOL c88312cd5e779a98c905f175d61400ef7bb59795cc1e0392da0018a158a4c435ffa07f1e6a621db6eea925a0dbb986442eab4f79f956dc1955058fc97670f390 -AUX qemu-2.8.0-CVE-2017-7377.patch 1554 SHA256 36fbd8ec9fa7d910fde8b6b8905717b322bd23b50c2b2f925e1a2415ae306755 SHA512 195be1a75340c41aa89614aad8d07f2cf630eb10f3160cb8a86d85371ea9d7dcdbe9d49e9752ac3d6765c8d4c99c845408933b57cf21199f77ba09fcf79a02c8 WHIRLPOOL 8d7677ae3cfe18e34072ef23666c4658553a7d3b564d96e480ae432281d403242f2013d9fb189d473ab9c31def515401d22c04ba8e86d93d0369e95b1e371574 AUX qemu-2.8.0-F_SHLCK-and-F_EXLCK.patch 574 SHA256 d02353daa0ecfe161e938a5e54feab641b901f4a35c8f5831133676a6f53f43f SHA512 6b64750335aae1142ca9132fb766ac2aaeacfcdda0aa0cfca19afc4c3ea3806e30ce603fcec3767e40e84efb0ae8b9a23f21d46c807c13bb646be74f99e13389 WHIRLPOOL 7401c3daf162c71a5a5c3729855fddb5df95609b34c86ea0f4d872c8f132d6ac089cfb35a990af70aef8b7b63fe075a1e2be376b6db09bc70e8d51e48aded354 -AUX qemu-2.8.1-CVE-2017-7471.patch 2310 SHA256 ae5129c0f278de155f69e3d306038fa259c28ecb09a623262362163b00de85cc SHA512 dd5c5bc8e5ee9eb27516276d53f78ecde00b4fe5debbbdd8db1c3a2f2ef663667598acbb3b95f220e709ed89e1a0077733ca4fc1cb2fa0eb0f700e9931ddd003 WHIRLPOOL c91ddbdbc685dc76efc417087d680751aaade178593ca96fbff7b8ae1e0d0bdb659faee676d31b606e16c4adf446632a8a9350a57a1ac049b7649bdc0c3b8cf0 -AUX qemu-2.8.1-CVE-2017-8086.patch 751 SHA256 ff6f3bc1a94861da633f9e5517dde6b2719e227773941e7c9651281c77216589 SHA512 84197e80d28322efaa327dc7ad3ffc5e8bf791d89255e8ac7d5c5e9cebba3786c4e21008cbfb704de5323554a9d3f0873068c0a06493d4ca3b7849523eab6212 WHIRLPOOL 73f88468ba89d8384c04ffa3af646c8b628f1fa52f27866095f84ea1241f421763699ae18553d835133de70d7f244d0638d83d15881e5a3858a1128b14a1bcf3 +AUX qemu-2.9.0-CVE-2017-10664.patch 1613 SHA256 5941cc41f0c02b185be3f6ba450f155dfc42e98f538560a054309066d12e5736 SHA512 19be668bd5847b65a82bd710de062bf1bc16a2b93516cbd6842328a71cd8ef8e97f38fa72bffe603a41f7674652a73b9bc05bc6791d265423490aa6de09738ce WHIRLPOOL f3e436bd5ba9e61473e6a66af4a1c0063445ad616a06cbed1760326435fd391d56d6f084eae4b3465928d995cb426f02ed813747aeda0b535ed7ed4a2a598072 +AUX qemu-2.9.0-CVE-2017-10806.patch 1450 SHA256 ef884e2ed3adb618273af1d036ed0c7e3a09599e3d042080bb4b5014c6bc54d7 SHA512 38fea2c1a2a5a224585a07a028a8c4cfc1bec4d943e85c13e01228062bf306a502b0948270863b226bc974832e3af18158904fbfc08ccdf1f72f06e7830780d5 WHIRLPOOL f02fb957016af684dc894f93ec0b7dcca3febb8d37882aae1e17d2aca9948e200a013ae467cb54c5555e76c73f124a37c95fde189a4492d88322802d8160310c +AUX qemu-2.9.0-CVE-2017-11334.patch 1362 SHA256 bc2f3a50ad174e5453d0e4d1e14e9723b316e2339dc25ff31e27060ee13242bb SHA512 422296269ec29b3313c984947ac48b7179ce8e169131624d316589a621778f846b883e76cdfba50c62dc63ab5fede0ad0292704c1ca1cc9e1e7b3b01a153b8c8 WHIRLPOOL 504cf6b2ebfb11bf1471f920d101df28df59f1a585eac31ac278a366f2b769386bc7d100aa8386b3f8f45d5f5f700aa6625be3192eb4f1f3b77e69c6684cf74f +AUX qemu-2.9.0-CVE-2017-11434.patch 912 SHA256 e8be3cb9261f8735ff2a50fb8b79ccfea85456c7a2e5a5702fcc5339463dc05a SHA512 db95d9459b9669e0981195fe15f16c4e74d5f00c03e1ce5e33541e005260e77fa114b1b3f30bc06d80b723a6361b704fb58709b25773c168c8aa8f5f96580ac9 WHIRLPOOL c68e25024ab3c1d01e5b53d0a7b1591110b96d78079bc940ec28da2e2770dac6b1f9bbaaeb97c88ea0e1b46db886f7035d81bde582750e560d136916ecdab8a2 AUX qemu-2.9.0-CVE-2017-7493.patch 5656 SHA256 77462d39e811e58d3761523a6c580485bdfca0e74adbd10cf24c254e0ece262a SHA512 2b01f2878c98e77997b645ba80e69b5db398ef1e8f2b66344818d3c9af35dd66d49041ef9ee8aa152bf3e94970b4db282cf53909cb13b2532bc0a104251b2e81 WHIRLPOOL 23c788c5a78e126a61bd277e9fa1511cc71b8fbdc83a5bf319c5fc424219cbcceefad737844e45c11a76e047f8a49853d0a85b267f24f7b23bb7276d0edf0451 +AUX qemu-2.9.0-CVE-2017-7539.patch 22018 SHA256 523d41e08a2aab888e3e63b4dda6a19e535fe6fba2bf08b6ead06498ca923f29 SHA512 5c81488aeae78307bee551a3a037f3b9cf55971a17c5df17f89f31224bdfa0a5e79141341314546256bffe542b781ad25151c54340a63c766086a578e5465825 WHIRLPOOL 085fc7e7d40c803a3caf15cdee77ce553b385919678ecf4bbcc3f532af5e482ca804a167af43e4f393da93aed88285690d84a3054c7f0df61d603d0046029dbc AUX qemu-2.9.0-CVE-2017-8112.patch 696 SHA256 a4dcc2a94749a5c20ef38d4c7ce13cd1ffe46017c77eea29ced0bec5c232e6aa SHA512 840f5270332729e0149a4705bae5fcc16e9503a995d6bfa5033904a544add337ca8ccb1d2a36bb57cc198f6354f5253403f1c4f04cbd18c08b4e1a9d6af9e07f WHIRLPOOL 1ba4e75fdd0c767254c85754612da9e8ff9ba2e7ea0811f723844bec190946805cd59db83f347a3dea4296d2b58d2df4a8d99a492335ba818824348bcebdd556 AUX qemu-2.9.0-CVE-2017-8309.patch 595 SHA256 8231747fe4d9c97392fe44b117caccd07d320313dc27fad17ac658122113ced9 SHA512 4415c36acb4f0594de7fe0de2b669d03d6b54ae44eb7f1f285c36223a02cca887b57db27a43ab1cc2e7e193ee5bce2748f9d2056aa925e0cc8f2133e67168a74 WHIRLPOOL af4c5e9763a0e114e554a1c8be99ea79da0b634fdc9d87922c7713187f1f904bfcce103648d549bbb190e92443664dbb9bd7592d8137f2337be0f4b22d1f9bd1 AUX qemu-2.9.0-CVE-2017-8379.patch 2736 SHA256 f2f8910c8e1ce9fc9804f4fbbe978fee20ccbfccc5efe49f42cdaafa63c511ce SHA512 79e32f75d98ca4a92a5069b65c5b9cff16064255ed4d161e4e292b97373742c25d5ddc12dfffa627197fdb5e0808108b30d0182a9c060cd181723bd90c618d15 WHIRLPOOL 545c00189da3b252c80bb35c6b6d3368a02b36b06f2866838ddd9ebb9ccf2b608ae278ee192b6b3aef2966736afe9bcdd646c80c228ec5daef76b92bd2721bd5 AUX qemu-2.9.0-CVE-2017-8380.patch 1048 SHA256 23eb5ae64b064e46785ae4f675fbe7c6a353f6688dd154ce98b78a0b7104a2fb SHA512 872fabc4f6eee48dff292297887b8c4a18aa6f8c2f9b7247e325c96e10ef8d72206f269d89c4a4a40ea6ad3e5082db40866b0f386f31716e749fb3a7db89d2dd WHIRLPOOL ddce30f5b22707938c2ba419264a6b731f292f0748e3891c7aa48daaa7a4b204a8bb1b4110fbd7c1836a02605e49e170a4bda6ee9eccdd2570472ff0f63c8d37 +AUX qemu-2.9.0-CVE-2017-9503-1.patch 5036 SHA256 3831acce5d79ab1ad195ee6a26eb276a08fee00143ef6473ad488a49590c26e8 SHA512 690a43f3b15f10f4c030af761b2fcf873eb72d1ca53dd03f15eb35a30454298bda7ddde2b38ed549b8bad1b3a465ad3c7c9334886e75856794c0beee2dcadc2d WHIRLPOOL 909b90579ba60084bb69d3067e9bde6288011649ecc986d3f520dbce31cc9063cf3b175d62d017bf6bfa6026549250d2f64c06d4f0a411a5e95d7cf2af0062d8 +AUX qemu-2.9.0-CVE-2017-9503-2.patch 4103 SHA256 a08f7f56890e1061d47691181ccdbd4cc2d97b5221d3b438afe8c429427b1e8d SHA512 21ce3255f511c82c7f8848392cb8266d804691a02207f06b950539f025a3bafb3f4c27365956cfa5129a7f0bc1796c006303993a328e72e689b8ff722f71e542 WHIRLPOOL 67bb2f24c2b567855c8f943208c5d4ceacb6df39539cc6ffce3e09fc55052b98aa794d19f70dad4fde515bd3021c46ff53ff374e58f09a802a2222a40eb3bf2d +AUX qemu-2.9.0-CVE-2017-9524-1.patch 2624 SHA256 f2479f79a81dba79eeee7a333b50bfb6f3d7e23d4cee6a8a65b291744d676b85 SHA512 7b72e492d4f9f38f15e3ec5ba3765b6d86cb726e8581278f1abcc485245f80d7a6ca9a5378dd214a82e230221d1ec650e90a221335beec8cd18567db7f7ce311 WHIRLPOOL 95b0566a9c7712e00e6200a839f449b8367aead31bf18b797193865825123b50d9f8ff11450f540caa94a102637ee5b7075ceaf8f703482296111a7af270f374 +AUX qemu-2.9.0-CVE-2017-9524-2.patch 7016 SHA256 092da49ea1aafd9b94f20127b93c1373b9a83ef127cad1d45fdbd8f5a9d9dbe9 SHA512 de25c5506ae955fb799b2c9952120c9feb51b363f5ee277c9b63882938ce56c44702dcd688ecf65a3d2a089503be938432eb62ffa3df7409f4211bb7fa126f26 WHIRLPOOL b38c3a557be778634d53e7c356fb124e7470ad3e58b426677f3405c10faf76fa88d2f354d66a69b8549a64c480a338c94ed425c768394ad4cdd74ed4479ccc89 AUX qemu-binfmt.initd.head 1445 SHA256 a9b4b1d1ffa82d572c01f14ebfbafb4b3a4c2eb5cad5af62c059f603a9f5a277 SHA512 a735268ae9ac84d8f2f2893bf018ee6de33231fa94a823bd8502b529bb456635c1ab5cf9b440df5ede8e414291f8bf45fc53898c2f3939c50d5ec4ffa554396a WHIRLPOOL 3ec0f916d5928d464fa8416c8eac472cfa01b560bba07642ff7929799918d1c8059ac7368ff5551e6aa993027849de08035d856db7981315d8e4ec470a0f785e AUX qemu-binfmt.initd.tail 245 SHA256 1b765f5212946b73b8e4d92f64d34a9d2e358ef541c02164f6d6dd93cb15e1e7 SHA512 bcca16805f8380d52cc591ea3d65a8f6e5de456730618f6aee301510edb75d235a22d4d7aeed224882210392840adb403eb53234b6cb76a4cb24533852a8b737 WHIRLPOOL 41ddd1751101646e700a6fe4ef879bd4149d646a801f97e40534051895697dcbded06a1edda51457a0d624fbf68442c3e57178a3ee8e683e35368b88d10ba4a4 -DIST qemu-2.8.1.tar.bz2 28366270 SHA256 018e4c7ed22c220395cf41f835d01505e49d0e579a548bd3d72b03809442bbcd SHA512 0397b4029cdcb77ed053c44b3579a3f34894038e6fc6b4aa88de14515f5a78bf2f41c5e865f37111529f567c85d2f1c4deefae47dde54f76eac79410e5b2bdda WHIRLPOOL c41f53f18fac44efd1c81ba9d95204d23e9a70dc9c21624177be2fe92a327428fd5704b25bc334229fa36ae395fb4c82ba3955db39719c4458343978a4d3141a DIST qemu-2.9.0.tar.bz2 28720490 SHA256 00bfb217b1bb03c7a6c3261b819cfccbfb5a58e3e2ceff546327d271773c6c14 SHA512 4b28966eec0ca44681e35fcfb64a4eaef7c280b8d65c91d03f2efa37f76278fd8c1680e5798c7a30dbfcc8f3c05f4a803f48b8a2dfec3a4181bac079b2a5e422 WHIRLPOOL d79fe89eb271a56aee0cbd328e5f96999176b711afb5683d164b7b99d91e6dd2bfaf6e2ff4cd820a941c94f28116765cb07ffd5809d75c2f9654a67d56bfc0c1 -EBUILD qemu-2.8.1-r2.ebuild 22908 SHA256 b21f2820c166fcf91f0be3f8eb323b49d8c8ccebd4c376d9dbcdebbe751bac52 SHA512 3fa48453417e0cfa4d24f11fd5f234ec8790744c65154456328a24641a6f03cffb5b50ecf2bf81388fc18b12b382042e882fa853a09ae2288beb459e8658db5e WHIRLPOOL b5881ff308b91dc53b3115e278d5cd89d5f3f5d69ea7355fea2a048e471da1c4079eb245aa262ab2c19c6d75ddac1770acab3fa1c39d2c6e74cf72d84426e16f -EBUILD qemu-2.9.0-r2.ebuild 22065 SHA256 f722fa40663602c90dc07139580a3bcc5bcae60ce1a3808f2f38adc2d13211b1 SHA512 51822cc9753b27e6fed97bdd1e4845cbcfb0c8a4a9f55256820127994a1b3beda96765b83a8c578637a968b261f1bf6ef4c1d6ae09491e9f5f9d94af5cdb5ce4 WHIRLPOOL 20f5b6786e60eae4260df3bcdfb9f94d128abc03f9458cf3e42ddf5bb1b0749ea26bc18ba58c47c4d131cb5ab02898f7097dd85c3d9d19ac6bc49062d9d8a57b -EBUILD qemu-2.9.0-r54.ebuild 23455 SHA256 cf27b44542770cf10be0bd69481e13ccdef4d512d4d02f2388eaf441b1b2b9b8 SHA512 e1344e489cb298807c992f257954e28c0c2d24a517bdd907bc60ebf2380cebc26861161e2a5deba8c95da5af700de198951696061ea916ea9c6f1037264e89dc WHIRLPOOL 3b764803988879ef45a1b28f016d0ac732d8aa18c1fab92e52e18677fea7d3777967281c075dcdc3daa7da083c66c423d7d30ffe2d876811a776bcc5e2de63da +EBUILD qemu-2.9.0-r2.ebuild 22065 SHA256 45015103d32a318241da3d34c7340786571b65dc580f8493853c35e0ad5541ec SHA512 7b69c749172677046a101778ba2d8078bf8f5ccedc2d3c6767a2096838f8b80d0519bb798f23e7229fec04ca0c6c4c96caf7d07983ca2aca8d77e86b4f2ed229 WHIRLPOOL ebbf728a67a6f67ce2d40ac72cc95e27e46133e522d70a0e6d91525df7af048d2d1dfbb3e9534e4871882f5fe01749e3f749662414f802569c2f40ac66450afa +EBUILD qemu-2.9.0-r56.ebuild 24010 SHA256 4185ac27c271ca09d383907cf914c020ba5f9614d5c3901d12e82d4069e0090f SHA512 fab143169a3c25fcf7b2532ec10c651c8b1c1875ea8cb0daa4ae29e153c9609ebc75184df1584944eadb541db76e931ff121866dcde58f3e25e29ad9eadc0a24 WHIRLPOOL 44d3f1fc2f01e61287508580beeacc9c1e1c709b6d19347f69a33ea3202ad7e8dd035d3df948dec11b3a62564a23a41a5c5a1e6faa1e2bde5f31d0ec9c02eb9b MISC metadata.xml 3794 SHA256 149f7bc9927e13bbf7355972e85df6f9f198dd17fb575a7e516817d6a88018fb SHA512 10f130f225b90dacf8262247d795a247abfdcbf3ad5fbe0693e8d4db79f755984f690cb150a7eb5a8e5d669ce404145c4fbb6b200d6362319be74759fd78b6d3 WHIRLPOOL 6a5e88caeb64387f619a19fecb55c39ccf3c8dcd360523e8d61b80051001c02fe81432c55e40b3f360295b35e9f5a1f707c570baf95cad06d18c4cd484da0ceb diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch deleted file mode 100644 index cea8efc0..00000000 --- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch +++ /dev/null @@ -1,32 +0,0 @@ -http://bugs.gentoo.org/597108 -https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html - -From: Prasad J Pandit <address@hidden> - -The JAZZ RC4030 chipset emulator has a periodic timer and -associated interval reload register. The reload value is used -as divider when computing timer's next tick value. If reload -value is large, it could lead to divide by zero error. Limit -the interval reload value to avoid it. - -Reported-by: Huawei PSIRT <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/dma/rc4030.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c -index 2f2576f..c1b4997 100644 ---- a/hw/dma/rc4030.c -+++ b/hw/dma/rc4030.c -@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data, - break; - /* Interval timer reload */ - case 0x0228: -- s->itr = val; -+ s->itr = val & 0x01FF; - qemu_irq_lower(s->timer_irq); - set_next_tick(s); - break; --- -2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch deleted file mode 100644 index 466c819e..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch +++ /dev/null @@ -1,40 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html -https://bugs.gentoo.org/603444 - -From: P J P -Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size -Date: Wed, 14 Dec 2016 12:31:56 +0530 -From: Prasad J Pandit <address@hidden> - -Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET' -command, retrieves the maximum capabilities size to fill in the -response object. It continues to fill in capabilities even if -retrieved 'max_size' is zero(0), thus resulting in OOB access. -Add check to avoid it. - -Reported-by: Zhenhao Hong <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/display/virtio-gpu-3d.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index 758d33a..6ceeba3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -+ if (!max_size) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; -+ return; -+ } -+ - resp = g_malloc0(sizeof(*resp) + max_size); -- - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; - virgl_renderer_fill_caps(gc.capset_id, - gc.capset_version, --- -2.9.3 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch deleted file mode 100644 index c486295d..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch +++ /dev/null @@ -1,46 +0,0 @@ -From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Mon, 28 Nov 2016 17:49:04 -0800 -Subject: [PATCH] watchdog: 6300esb: add exit function - -When the Intel 6300ESB watchdog is hot unplug. The timer allocated -in realize isn't freed thus leaking memory leak. This patch avoid -this through adding the exit function. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/watchdog/wdt_i6300esb.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c -index a83d951..49b3cd1 100644 ---- a/hw/watchdog/wdt_i6300esb.c -+++ b/hw/watchdog/wdt_i6300esb.c -@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp) - /* qemu_register_coalesced_mmio (addr, 0x10); ? */ - } - -+static void i6300esb_exit(PCIDevice *dev) -+{ -+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev); -+ -+ timer_del(d->timer); -+ timer_free(d->timer); -+} -+ - static WatchdogTimerModel model = { - .wdt_name = "i6300esb", - .wdt_description = "Intel 6300ESB", -@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data) - k->config_read = i6300esb_config_read; - k->config_write = i6300esb_config_write; - k->realize = i6300esb_realize; -+ k->exit = i6300esb_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_ESB_9; - k->class_id = PCI_CLASS_SYSTEM_OTHER; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch deleted file mode 100644 index 841de65d..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch +++ /dev/null @@ -1,35 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html -https://bugs.gentoo.org/601826 - -From: Li Qiang -Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch -Date: Tue, 1 Nov 2016 05:37:57 -0700 -From: Li Qiang <address@hidden> - -In virgl_cmd_get_capset function, it uses g_malloc to allocate -a response struct to the guest. As the 'resp'struct hasn't been full -initialized it will lead the 'resp->padding' field to the guest. -Use g_malloc0 to avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/display/virtio-gpu-3d.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index 23f39de..d98b140 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g, - - virgl_renderer_get_cap_set(gc.capset_id, &max_ver, - &max_size); -- resp = g_malloc(sizeof(*resp) + max_size); -+ resp = g_malloc0(sizeof(*resp) + max_size); - - resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET; - virgl_renderer_fill_caps(gc.capset_id, --- -1.8.3.1 - - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch deleted file mode 100644 index 55963f70..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch +++ /dev/null @@ -1,38 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html -https://bugs.gentoo.org/602630 - -From: Li Qiang -Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy -Date: Mon, 28 Nov 2016 21:29:25 -0500 -If the guest destroy the resource before detach banking, the 'iov' -and 'addrs' field in resource is not freed thus leading memory -leak issue. This patch avoid this. - -Signed-off-by: Li Qiang <address@hidden> ---- - hw/display/virtio-gpu.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 60bce94..98dadf2 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -28,6 +28,8 @@ - static struct virtio_gpu_simple_resource* - virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id); - -+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res); -+ - #ifdef CONFIG_VIRGL - #include <virglrenderer.h> - #define VIRGL(_g, _virgl, _simple, ...) \ -@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g, - struct virtio_gpu_simple_resource *res) - { - pixman_image_unref(res->image); -+ virtio_gpu_cleanup_mapping(res); - QTAILQ_REMOVE(&g->reslist, res, next); - g_free(res); - } --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch deleted file mode 100644 index 24411b4d..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 14 Dec 2016 18:30:21 -0800 -Subject: [PATCH] audio: ac97: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently the ac97 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/audio/ac97.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c -index cbd959e..c306575 100644 ---- a/hw/audio/ac97.c -+++ b/hw/audio/ac97.c -@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) - ac97_on_reset (&s->dev.qdev); - } - -+static void ac97_exit(PCIDevice *dev) -+{ -+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); -+ -+ AUD_close_in(&s->card, s->voice_pi); -+ AUD_close_out(&s->card, s->voice_po); -+ AUD_close_in(&s->card, s->voice_mc); -+ AUD_remove_card(&s->card); -+} -+ - static int ac97_init (PCIBus *bus) - { - pci_create_simple (bus, -1, "AC97"); -@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = ac97_realize; -+ k->exit = ac97_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; - k->revision = 0x01; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch deleted file mode 100644 index 6bbac580..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 14 Dec 2016 18:32:22 -0800 -Subject: [PATCH] audio: es1370: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Currently the es1370 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/audio/es1370.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c -index 8449b5f..883ec69 100644 ---- a/hw/audio/es1370.c -+++ b/hw/audio/es1370.c -@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp) - es1370_reset (s); - } - -+static void es1370_exit(PCIDevice *dev) -+{ -+ ES1370State *s = ES1370(dev); -+ int i; -+ -+ for (i = 0; i < 2; ++i) { -+ AUD_close_out(&s->card, s->dac_voice[i]); -+ } -+ -+ AUD_close_in(&s->card, s->adc_voice); -+ AUD_remove_card(&s->card); -+} -+ - static int es1370_init (PCIBus *bus) - { - pci_create_simple (bus, -1, TYPE_ES1370); -@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = es1370_realize; -+ k->exit = es1370_exit; - k->vendor_id = PCI_VENDOR_ID_ENSONIQ; - k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370; - k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch deleted file mode 100644 index 9475f3fd..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Thu, 29 Dec 2016 03:11:26 -0500 -Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -If the virgl_renderer_resource_attach_iov function fails the -'res_iovs' will be leaked. Add check of the return value to -free the 'res_iovs' when failing. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/virtio-gpu-3d.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index e29f099..b13ced3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, - return; - } - -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -- res_iovs, att_rb.nr_entries); -+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ res_iovs, att_rb.nr_entries); -+ -+ if (ret != 0) -+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); - } - - static void virgl_resource_detach_backing(VirtIOGPU *g, --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch deleted file mode 100644 index f93d1e7f..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Thu, 29 Dec 2016 04:28:41 -0500 -Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing - -In the resource attach backing function, everytime it will -allocate 'res->iov' thus can leading a memory leak. This -patch avoid this. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> -Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/virtio-gpu.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 6a26258..ca88cf4 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, - return; - } - -+ if (res->iov) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov); - if (ret != 0) { - cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch deleted file mode 100644 index e4572a8d..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 4 Jan 2017 00:43:16 -0800 -Subject: [PATCH] serial: fix memory leak in serial exit - -The serial_exit_core function doesn't free some resources. -This can lead memory leak when hotplug and unplug. This -patch avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/char/serial.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index ffbacd8..67b18ed 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) - void serial_exit_core(SerialState *s) - { - qemu_chr_fe_deinit(&s->chr); -+ -+ timer_del(s->modem_status_poll); -+ timer_free(s->modem_status_poll); -+ -+ timer_del(s->fifo_timeout_timer); -+ timer_free(s->fifo_timeout_timer); -+ -+ fifo8_destroy(&s->recv_fifo); -+ fifo8_destroy(&s->xmit_fifo); -+ - qemu_unregister_reset(serial_reset, s); - } - --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch deleted file mode 100644 index 2ebd49fa..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Mon, 2 Jan 2017 11:03:33 +0100 -Subject: [PATCH] megasas: fix guest-triggered memory leak - -If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd -will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. -Avoid this by returning only the status from map_dcmd, and loading -cmd->iov_size in the caller. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/megasas.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 67fc1e7..6233865 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); - cmd->iov_size = 0; -- return -1; -+ return -EINVAL; - } - iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); - iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); - pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); - qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); - cmd->iov_size = iov_size; -- return cmd->iov_size; -+ return 0; - } - - static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) -@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { - - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode, len; -+ int opcode; - int retval = 0; -+ size_t len; - const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); -- len = megasas_map_dcmd(s, cmd); -- if (len < 0) { -+ if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } - while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { - cmdptr++; - } -+ len = cmd->iov_size; - if (cmdptr->opcode == -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); - retval = megasas_dcmd_dummy(s, cmd); --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch deleted file mode 100644 index 664a669f..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch +++ /dev/null @@ -1,38 +0,0 @@ -When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the -backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) -we'll leak memory. - -This patch fixes it for 3d mode, simliar to the 2d mode fix in commit -"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy". - -Reported-by: 李强 <address@hidden> -Signed-off-by: Gerd Hoffmann <address@hidden> ---- - hw/display/virtio-gpu-3d.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index f96a0c2..ecb09d1 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g, - struct virtio_gpu_ctrl_command *cmd) - { - struct virtio_gpu_resource_unref unref; -+ struct iovec *res_iovs = NULL; -+ int num_iovs = 0; - - VIRTIO_GPU_FILL_CMD(unref); - trace_virtio_gpu_cmd_res_unref(unref.resource_id); - -+ virgl_renderer_resource_detach_iov(unref.resource_id, -+ &res_iovs, -+ &num_iovs); -+ if (res_iovs != NULL && num_iovs != 0) { -+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs); -+ } - virgl_renderer_resource_unref(unref.resource_id); - } - --- -1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch deleted file mode 100644 index 9f94477a..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Fri, 3 Feb 2017 00:52:28 +0530 -Subject: [PATCH] usb: ccid: check ccid apdu length - -CCID device emulator uses Application Protocol Data Units(APDU) -to exchange command and responses to and from the host. -The length in these units couldn't be greater than 65536. Add -check to ensure the same. It'd also avoid potential integer -overflow in emulated_apdu_from_guest. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-id: 20170202192228.10847-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/usb/dev-smartcard-reader.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c -index 89e11b6..1325ea1 100644 ---- a/hw/usb/dev-smartcard-reader.c -+++ b/hw/usb/dev-smartcard-reader.c -@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) - DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, - recv->hdr.bSeq, len); - ccid_add_pending_answer(s, (CCID_Header *)recv); -- if (s->card) { -+ if (s->card && len <= BULK_OUT_DATA_SIZE) { - ccid_card_apdu_from_guest(s->card, recv->abData, len); - } else { - DPRINTF(s, D_WARN, "warning: discarded apdu\n"); --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch deleted file mode 100644 index 50ff3c99..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch +++ /dev/null @@ -1,87 +0,0 @@ -Limits should be big enough that normal guest should not hit it. -Add a tracepoint to log them, just in case. Also, while being -at it, log the existing link trb limit too. - -Reported-by: 李强 <address@hidden> -Signed-off-by: Gerd Hoffmann <address@hidden> ---- - hw/usb/hcd-xhci.c | 15 ++++++++++++++- - hw/usb/trace-events | 1 + - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c -index fbf8a8b..28dd2f2 100644 ---- a/hw/usb/hcd-xhci.c -+++ b/hw/usb/hcd-xhci.c -@@ -51,6 +51,8 @@ - #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS) - - #define TRB_LINK_LIMIT 4 -+#define COMMAND_LIMIT 256 -+#define TRANSFER_LIMIT 256 - - #define LEN_CAP 0x40 - #define LEN_OPER (0x400 + 0x10 * MAXPORTS) -@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb, - return type; - } else { - if (++link_cnt > TRB_LINK_LIMIT) { -+ trace_usb_xhci_enforced_limit("trb-link"); - return 0; - } - ring->dequeue = xhci_mask64(trb->parameter); -@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) - XHCIRing *ring; - USBEndpoint *ep = NULL; - uint64_t mfindex; -+ unsigned int count = 0; - int length; - int i; - -@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid) - epctx->retry = xfer; - break; - } -+ if (count++ > TRANSFER_LIMIT) { -+ trace_usb_xhci_enforced_limit("transfers"); -+ break; -+ } - } - epctx->kick_active--; - -@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci) - TRBType type; - XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS}; - dma_addr_t addr; -- unsigned int i, slotid = 0; -+ unsigned int i, slotid = 0, count = 0; - - DPRINTF("xhci_process_commands()\n"); - if (!xhci_running(xhci)) { -@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci) - } - event.slotid = slotid; - xhci_event(xhci, &event, 0); -+ -+ if (count++ > COMMAND_LIMIT) { -+ trace_usb_xhci_enforced_limit("commands"); -+ return; -+ } - } - } - -diff --git a/hw/usb/trace-events b/hw/usb/trace-events -index fdd1d29..0c323d4 100644 ---- a/hw/usb/trace-events -+++ b/hw/usb/trace-events -@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p" - usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d" - usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d" - usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)" -+usb_xhci_enforced_limit(const char *item) "%s" - - # hw/usb/desc.c - usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d" --- -1.8.3.1 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch deleted file mode 100644 index bfde2e9d..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch +++ /dev/null @@ -1,50 +0,0 @@ -From: Prasad J Pandit <address@hidden> - -In the SDHCI protocol, the transfer mode register value -is used during multi block transfer to check if block count -register is enabled and should be updated. Transfer mode -register could be set such that, block count register would -not be updated, thus leading to an infinite loop. Add check -to avoid it. - -Reported-by: Wjjzhang <address@hidden> -Reported-by: Jiang Xin <address@hidden> -Signed-off-by: Prasad J Pandit <address@hidden> ---- - hw/sd/sdhci.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -Update: use qemu_log_mask(LOG_UNIMP, ...) - -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html - -diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c -index 5bd5ab6..a9c744b 100644 ---- a/hw/sd/sdhci.c -+++ b/hw/sd/sdhci.c -@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s) - uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12); - uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk); - -+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) { -+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n"); -+ return; -+ } -+ - /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for - * possible stop at page boundary if initial address is not page aligned, - * allow them to work properly */ -@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque) - if (s->trnmod & SDHC_TRNS_DMA) { - switch (SDHC_DMA_TYPE(s->hostctl)) { - case SDHC_CTRL_SDMA: -- if ((s->trnmod & SDHC_TRNS_MULTI) && -- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) { -- break; -- } -- - if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) { - sdhci_sdma_transfer_single_block(s); - } else { --- -2.9.3 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch deleted file mode 100644 index a15aa96b..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Tue, 7 Feb 2017 02:23:33 -0800 -Subject: [PATCH] usb: ohci: limit the number of link eds - -The guest may builds an infinite loop with link eds. This patch -limit the number of linked ed to avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/usb/hcd-ohci.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c -index 2cba3e3..21c93e0 100644 ---- a/hw/usb/hcd-ohci.c -+++ b/hw/usb/hcd-ohci.c -@@ -42,6 +42,8 @@ - - #define OHCI_MAX_PORTS 15 - -+#define ED_LINK_LIMIT 4 -+ - static int64_t usb_frame_time; - static int64_t usb_bit_time; - -@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) - uint32_t next_ed; - uint32_t cur; - int active; -- -+ uint32_t link_cnt = 0; - active = 0; - - if (head == 0) -@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion) - - next_ed = ed.next & OHCI_DPTR_MASK; - -+ if (++link_cnt > ED_LINK_LIMIT) { -+ ohci_die(ohci); -+ return 0; -+ } -+ - if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) { - uint32_t addr; - /* Cancel pending packets for ED that have been paused. */ --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch deleted file mode 100644 index f2d317c3..00000000 --- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch +++ /dev/null @@ -1,49 +0,0 @@ -From d63fb193e71644a073b77ff5ac6f1216f2f6cf6e Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Mon, 27 Mar 2017 21:13:19 +0200 -Subject: [PATCH] 9pfs: fix file descriptor leak - -The v9fs_create() and v9fs_lcreate() functions are used to create a file -on the backend and to associate it to a fid. The fid shouldn't be already -in-use, otherwise both functions may silently leak a file descriptor or -allocated memory. The current code doesn't check that. - -This patch ensures that the fid isn't already associated to anything -before using it. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -(reworded the changelog, Greg Kurz) -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index b8c0b99..48babce 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque) - err = -ENOENT; - goto out_nofid; - } -+ if (fidp->fid_type != P9_FID_NONE) { -+ err = -EINVAL; -+ goto out; -+ } - - flags = get_dotl_openflags(pdu->s, flags); - err = v9fs_co_open2(pdu, fidp, &name, gid, -@@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque) - err = -EINVAL; - goto out_nofid; - } -+ if (fidp->fid_type != P9_FID_NONE) { -+ err = -EINVAL; -+ goto out; -+ } - if (perm & P9_STAT_MODE_DIR) { - err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777, - fidp->uid, -1, &stbuf); --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch deleted file mode 100644 index c5366f57..00000000 --- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 9c6b899f7a46893ab3b671e341a2234e9c0c060e Mon Sep 17 00:00:00 2001 -From: Greg Kurz <groug@kaod.org> -Date: Mon, 17 Apr 2017 10:53:23 +0200 -Subject: [PATCH] 9pfs: local: set the path of the export root to "." -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The local backend was recently converted to using "at*()" syscalls in order -to ensure all accesses happen below the shared directory. This requires that -we only pass relative paths, otherwise the dirfd argument to the "at*()" -syscalls is ignored and the path is treated as an absolute path in the host. -This is actually the case for paths in all fids, with the notable exception -of the root fid, whose path is "/". This causes the following backend ops to -act on the "/" directory of the host instead of the virtfs shared directory -when the export root is involved: -- lstat -- chmod -- chown -- utimensat - -ie, chmod /9p_mount_point in the guest will be converted to chmod / in the -host for example. This could cause security issues with a privileged QEMU. - -All "*at()" syscalls are being passed an open file descriptor. In the case -of the export root, this file descriptor points to the path in the host that -was passed to -fsdev. - -The fix is thus as simple as changing the path of the export root fid to be -"." instead of "/". - -This is CVE-2017-7471. - -Cc: qemu-stable@nongnu.org -Reported-by: Léo Gaspard <leo@gaspard.io> -Signed-off-by: Greg Kurz <groug@kaod.org> -Reviewed-by: Eric Blake <eblake@redhat.com> -Signed-off-by: Peter Maydell <peter.maydell@linaro.org> ---- - hw/9pfs/9p-local.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c -index 45e9a1f..f3ebca4 100644 ---- a/hw/9pfs/9p-local.c -+++ b/hw/9pfs/9p-local.c -@@ -1098,8 +1098,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path, - { - if (dir_path) { - v9fs_path_sprintf(target, "%s/%s", dir_path->data, name); -- } else { -+ } else if (strcmp(name, "/")) { - v9fs_path_sprintf(target, "%s", name); -+ } else { -+ /* We want the path of the export root to be relative, otherwise -+ * "*at()" syscalls would treat it as "/" in the host. -+ */ -+ v9fs_path_sprintf(target, "%s", "."); - } - return 0; - } --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch deleted file mode 100644 index eac72f3d..00000000 --- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 4ffcdef4277a91af15a3c09f7d16af072c29f3f2 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Fri, 7 Apr 2017 03:48:52 -0700 -Subject: [PATCH] 9pfs: xattr: fix memory leak in v9fs_list_xattr - -Free 'orig_value' in error path. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p-xattr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c -index eec160b..d05c1a1 100644 ---- a/hw/9pfs/9p-xattr.c -+++ b/hw/9pfs/9p-xattr.c -@@ -108,6 +108,7 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path, - g_free(name); - close_preserve_errno(dirfd); - if (xattr_len < 0) { -+ g_free(orig_value); - return -1; - } - --- -2.10.2 - diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch new file mode 100644 index 00000000..7db06929 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10664.patch @@ -0,0 +1,47 @@ +From 041e32b8d9d076980b4e35317c0339e57ab888f1 Mon Sep 17 00:00:00 2001 +From: Max Reitz <mreitz@redhat.com> +Date: Sun, 11 Jun 2017 14:37:14 +0200 +Subject: [PATCH] qemu-nbd: Ignore SIGPIPE + +qemu proper has done so for 13 years +(8a7ddc38a60648257dc0645ab4a05b33d6040063), qemu-img and qemu-io have +done so for four years (526eda14a68d5b3596be715505289b541288ef2a). +Ignoring this signal is especially important in qemu-nbd because +otherwise a client can easily take down the qemu-nbd server by dropping +the connection when the server wants to send something, for example: + +$ qemu-nbd -x foo -f raw -t null-co:// & +[1] 12726 +$ qemu-io -c quit nbd://localhost/bar +can't open device nbd://localhost/bar: No export with name 'bar' available +[1] + 12726 broken pipe qemu-nbd -x foo -f raw -t null-co:// + +In this case, the client sends an NBD_OPT_ABORT and closes the +connection (because it is not required to wait for a reply), but the +server replies with an NBD_REP_ACK (because it is required to reply). + +Signed-off-by: Max Reitz <mreitz@redhat.com> +Message-Id: <20170611123714.31292-1-mreitz@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + qemu-nbd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/qemu-nbd.c b/qemu-nbd.c +index 9464a0461c..4dd3fd4732 100644 +--- a/qemu-nbd.c ++++ b/qemu-nbd.c +@@ -581,6 +581,10 @@ int main(int argc, char **argv) + sa_sigterm.sa_handler = termsig_handler; + sigaction(SIGTERM, &sa_sigterm, NULL); + ++#ifdef CONFIG_POSIX ++ signal(SIGPIPE, SIG_IGN); ++#endif ++ + module_call_init(MODULE_INIT_TRACE); + qcrypto_init(&error_fatal); + +-- +2.13.0 + diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch new file mode 100644 index 00000000..0074f5f8 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-10806.patch @@ -0,0 +1,50 @@ +From bd4a683505b27adc1ac809f71e918e58573d851d Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Tue, 9 May 2017 13:01:28 +0200 +Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Don't reinvent a broken wheel, just use the hexdump function we have. + +Impact: low, broken code doesn't run unless you have debug logging +enabled. + +Reported-by: 李强 <liqiang6-s@360.cn> +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +Message-id: 20170509110128.27261-1-kraxel@redhat.com +--- + hw/usb/redirect.c | 13 +------------ + 1 file changed, 1 insertion(+), 12 deletions(-) + +diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c +index b001a27f05..ad5ef783a6 100644 +--- a/hw/usb/redirect.c ++++ b/hw/usb/redirect.c +@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg) + static void usbredir_log_data(USBRedirDevice *dev, const char *desc, + const uint8_t *data, int len) + { +- int i, j, n; +- + if (dev->debug < usbredirparser_debug_data) { + return; + } +- +- for (i = 0; i < len; i += j) { +- char buf[128]; +- +- n = sprintf(buf, "%s", desc); +- for (j = 0; j < 8 && i + j < len; j++) { +- n += sprintf(buf + n, " %02X", data[i + j]); +- } +- error_report("%s", buf); +- } ++ qemu_hexdump((char *)data, stderr, desc, len); + } + + /* +-- +2.13.0 + diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch new file mode 100644 index 00000000..bfe4c7d8 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11334.patch @@ -0,0 +1,40 @@ +[Qemu-devel] [PULL 21/41] exec: use qemu_ram_ptr_length to access guest +From: Prasad J Pandit <address@hidden> + +When accessing guest's ram block during DMA operation, use +'qemu_ram_ptr_length' to get ram block pointer. It ensures +that DMA operation of given length is possible; And avoids +any OOB memory access situations. + +Reported-by: Alex <address@hidden> +Signed-off-by: Prasad J Pandit <address@hidden> +Message-Id: <address@hidden> +Signed-off-by: Paolo Bonzini <address@hidden> +--- + exec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/exec.c b/exec.c +index a083ff8..ad103ce 100644 +--- a/exec.c ++++ b/exec.c +@@ -2929,7 +2929,7 @@ static MemTxResult address_space_write_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(ptr, buf, l); + invalidate_and_set_dirty(mr, addr1, l); + } +@@ -3020,7 +3020,7 @@ MemTxResult address_space_read_continue(AddressSpace *as, hwaddr addr, + } + } else { + /* RAM case */ +- ptr = qemu_map_ram_ptr(mr->ram_block, addr1); ++ ptr = qemu_ram_ptr_length(mr->ram_block, addr1, &l); + memcpy(buf, ptr, l); + } + +-- +1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch new file mode 100644 index 00000000..5d32067c --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-11434.patch @@ -0,0 +1,29 @@ +[Qemu-devel] [PATCH] slirp: check len against dhcp options array end +From: Prasad J Pandit <address@hidden> + +While parsing dhcp options string in 'dhcp_decode', if an options' +length 'len' appeared towards the end of 'bp_vend' array, ensuing +read could lead to an OOB memory access issue. Add check to avoid it. + +Reported-by: Reno Robert <address@hidden> +Signed-off-by: Prasad J Pandit <address@hidden> +--- + slirp/bootp.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/slirp/bootp.c b/slirp/bootp.c +index 5a4646c..5dd1a41 100644 +--- a/slirp/bootp.c ++++ b/slirp/bootp.c +@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type, + if (p >= p_end) + break; + len = *p++; ++ if (p + len > p_end) { ++ break; ++ } + DPRINTF("dhcp: tag=%d len=%d\n", tag, len); + + switch(tag) { +-- +2.9.4 diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch new file mode 100644 index 00000000..3af16977 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-7539.patch @@ -0,0 +1,601 @@ +From 2b0bbc4f8809c972bad134bc1a2570dbb01dea0b Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> +Date: Fri, 2 Jun 2017 18:01:41 +0300 +Subject: [PATCH] nbd/server: get rid of nbd_negotiate_read and friends + +Functions nbd_negotiate_{read,write,drop_sync} were introduced in +1a6245a5b, when nbd_rwv (was nbd_wr_sync) was working through +qemu_co_sendv_recvv (the path is nbd_wr_sync -> qemu_co_{recv/send} -> +qemu_co_send_recv -> qemu_co_sendv_recvv), which just yields, without +setting any handlers. But starting from ff82911cd nbd_rwv (was +nbd_wr_syncv) works through qio_channel_yield() which sets handlers, so +watchers are redundant in nbd_negotiate_{read,write,drop_sync}, then, +let's just use nbd_{read,write,drop} functions. + +Functions nbd_{read,write,drop} has errp parameter, which is unused in +this patch. This will be fixed later. + +Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> +Reviewed-by: Eric Blake <eblake@redhat.com> +Message-Id: <20170602150150.258222-4-vsementsov@virtuozzo.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + nbd/server.c | 107 ++++++++++++----------------------------------------------- + 1 file changed, 22 insertions(+), 85 deletions(-) + +diff --git a/nbd/client.c b/nbd/client.c +index a58fb02..6b74a62 100644 +--- a/nbd/client.c ++++ b/nbd/client.c +@@ -86,9 +86,9 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports); + + */ + +-/* Discard length bytes from channel. Return -errno on failure, or +- * the amount of bytes consumed. */ +-static ssize_t drop_sync(QIOChannel *ioc, size_t size) ++/* Discard length bytes from channel. Return -errno on failure and 0 on ++ * success*/ ++static int drop_sync(QIOChannel *ioc, size_t size) + { + ssize_t ret = 0; + char small[1024]; +@@ -96,14 +96,13 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) + + buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size)); + while (size > 0) { +- ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); ++ ssize_t count = MIN(65536, size); ++ ret = read_sync(ioc, buffer, MIN(65536, size)); + +- if (count <= 0) { ++ if (ret < 0) { + goto cleanup; + } +- assert(count <= size); + size -= count; +- ret += count; + } + + cleanup: +@@ -136,12 +135,12 @@ static int nbd_send_option_request(QIOChannel *ioc, uint32_t opt, + stl_be_p(&req.option, opt); + stl_be_p(&req.length, len); + +- if (write_sync(ioc, &req, sizeof(req)) != sizeof(req)) { ++ if (write_sync(ioc, &req, sizeof(req)) < 0) { + error_setg(errp, "Failed to send option request header"); + return -1; + } + +- if (len && write_sync(ioc, (char *) data, len) != len) { ++ if (len && write_sync(ioc, (char *) data, len) < 0) { + error_setg(errp, "Failed to send option request data"); + return -1; + } +@@ -170,7 +169,7 @@ static int nbd_receive_option_reply(QIOChannel *ioc, uint32_t opt, + nbd_opt_reply *reply, Error **errp) + { + QEMU_BUILD_BUG_ON(sizeof(*reply) != 20); +- if (read_sync(ioc, reply, sizeof(*reply)) != sizeof(*reply)) { ++ if (read_sync(ioc, reply, sizeof(*reply)) < 0) { + error_setg(errp, "failed to read option reply"); + nbd_send_opt_abort(ioc); + return -1; +@@ -219,7 +218,7 @@ static int nbd_handle_reply_err(QIOChannel *ioc, nbd_opt_reply *reply, + goto cleanup; + } + msg = g_malloc(reply->length + 1); +- if (read_sync(ioc, msg, reply->length) != reply->length) { ++ if (read_sync(ioc, msg, reply->length) < 0) { + error_setg(errp, "failed to read option error message"); + goto cleanup; + } +@@ -321,7 +320,7 @@ static int nbd_receive_list(QIOChannel *ioc, const char *want, bool *match, + nbd_send_opt_abort(ioc); + return -1; + } +- if (read_sync(ioc, &namelen, sizeof(namelen)) != sizeof(namelen)) { ++ if (read_sync(ioc, &namelen, sizeof(namelen)) < 0) { + error_setg(errp, "failed to read option name length"); + nbd_send_opt_abort(ioc); + return -1; +@@ -334,7 +333,7 @@ static int nbd_receive_list(QIOChannel *ioc, const char *want, bool *match, + return -1; + } + if (namelen != strlen(want)) { +- if (drop_sync(ioc, len) != len) { ++ if (drop_sync(ioc, len) < 0) { + error_setg(errp, "failed to skip export name with wrong length"); + nbd_send_opt_abort(ioc); + return -1; +@@ -343,14 +342,14 @@ static int nbd_receive_list(QIOChannel *ioc, const char *want, bool *match, + } + + assert(namelen < sizeof(name)); +- if (read_sync(ioc, name, namelen) != namelen) { ++ if (read_sync(ioc, name, namelen) < 0) { + error_setg(errp, "failed to read export name"); + nbd_send_opt_abort(ioc); + return -1; + } + name[namelen] = '\0'; + len -= namelen; +- if (drop_sync(ioc, len) != len) { ++ if (drop_sync(ioc, len) < 0) { + error_setg(errp, "failed to read export description"); + nbd_send_opt_abort(ioc); + return -1; +@@ -477,7 +476,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags, + goto fail; + } + +- if (read_sync(ioc, buf, 8) != 8) { ++ if (read_sync(ioc, buf, 8) < 0) { + error_setg(errp, "Failed to read data"); + goto fail; + } +@@ -503,7 +502,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags, + goto fail; + } + +- if (read_sync(ioc, &magic, sizeof(magic)) != sizeof(magic)) { ++ if (read_sync(ioc, &magic, sizeof(magic)) < 0) { + error_setg(errp, "Failed to read magic"); + goto fail; + } +@@ -515,8 +514,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags, + uint16_t globalflags; + bool fixedNewStyle = false; + +- if (read_sync(ioc, &globalflags, sizeof(globalflags)) != +- sizeof(globalflags)) { ++ if (read_sync(ioc, &globalflags, sizeof(globalflags)) < 0) { + error_setg(errp, "Failed to read server flags"); + goto fail; + } +@@ -534,8 +532,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags, + } + /* client requested flags */ + clientflags = cpu_to_be32(clientflags); +- if (write_sync(ioc, &clientflags, sizeof(clientflags)) != +- sizeof(clientflags)) { ++ if (write_sync(ioc, &clientflags, sizeof(clientflags)) < 0) { + error_setg(errp, "Failed to send clientflags field"); + goto fail; + } +@@ -573,13 +570,13 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags, + } + + /* Read the response */ +- if (read_sync(ioc, &s, sizeof(s)) != sizeof(s)) { ++ if (read_sync(ioc, &s, sizeof(s)) < 0) { + error_setg(errp, "Failed to read export length"); + goto fail; + } + *size = be64_to_cpu(s); + +- if (read_sync(ioc, flags, sizeof(*flags)) != sizeof(*flags)) { ++ if (read_sync(ioc, flags, sizeof(*flags)) < 0) { + error_setg(errp, "Failed to read export flags"); + goto fail; + } +@@ -596,14 +593,14 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags, + goto fail; + } + +- if (read_sync(ioc, &s, sizeof(s)) != sizeof(s)) { ++ if (read_sync(ioc, &s, sizeof(s)) < 0) { + error_setg(errp, "Failed to read export length"); + goto fail; + } + *size = be64_to_cpu(s); + TRACE("Size is %" PRIu64, *size); + +- if (read_sync(ioc, &oldflags, sizeof(oldflags)) != sizeof(oldflags)) { ++ if (read_sync(ioc, &oldflags, sizeof(oldflags)) < 0) { + error_setg(errp, "Failed to read export flags"); + goto fail; + } +@@ -619,7 +616,7 @@ int nbd_receive_negotiate(QIOChannel *ioc, const char *name, uint16_t *flags, + } + + TRACE("Size is %" PRIu64 ", export flags %" PRIx16, *size, *flags); +- if (zeroes && drop_sync(ioc, 124) != 124) { ++ if (zeroes && drop_sync(ioc, 124) < 0) { + error_setg(errp, "Failed to read reserved block"); + goto fail; + } +@@ -744,7 +741,6 @@ int nbd_disconnect(int fd) + ssize_t nbd_send_request(QIOChannel *ioc, NBDRequest *request) + { + uint8_t buf[NBD_REQUEST_SIZE]; +- ssize_t ret; + + TRACE("Sending request to server: " + "{ .from = %" PRIu64", .len = %" PRIu32 ", .handle = %" PRIu64 +@@ -759,16 +755,7 @@ ssize_t nbd_send_request(QIOChannel *ioc, NBDRequest *request) + stq_be_p(buf + 16, request->from); + stl_be_p(buf + 24, request->len); + +- ret = write_sync(ioc, buf, sizeof(buf)); +- if (ret < 0) { +- return ret; +- } +- +- if (ret != sizeof(buf)) { +- LOG("writing to socket failed"); +- return -EINVAL; +- } +- return 0; ++ return write_sync(ioc, buf, sizeof(buf)); + } + + ssize_t nbd_receive_reply(QIOChannel *ioc, NBDReply *reply) +@@ -777,7 +764,7 @@ ssize_t nbd_receive_reply(QIOChannel *ioc, NBDReply *reply) + uint32_t magic; + ssize_t ret; + +- ret = read_sync(ioc, buf, sizeof(buf)); ++ ret = read_sync_eof(ioc, buf, sizeof(buf)); + if (ret <= 0) { + return ret; + } +diff --git a/nbd/nbd-internal.h b/nbd/nbd-internal.h +index f43d990..e6bbc7c 100644 +--- a/nbd/nbd-internal.h ++++ b/nbd/nbd-internal.h +@@ -94,7 +94,13 @@ + #define NBD_ENOSPC 28 + #define NBD_ESHUTDOWN 108 + +-static inline ssize_t read_sync(QIOChannel *ioc, void *buffer, size_t size) ++/* read_sync_eof ++ * Tries to read @size bytes from @ioc. Returns number of bytes actually read. ++ * May return a value >= 0 and < size only on EOF, i.e. when iteratively called ++ * qio_channel_readv() returns 0. So, there are no needs to call read_sync_eof ++ * iteratively. ++ */ ++static inline ssize_t read_sync_eof(QIOChannel *ioc, void *buffer, size_t size) + { + struct iovec iov = { .iov_base = buffer, .iov_len = size }; + /* Sockets are kept in blocking mode in the negotiation phase. After +@@ -105,12 +111,32 @@ static inline ssize_t read_sync(QIOChannel *ioc, void *buffer, size_t size) + return nbd_wr_syncv(ioc, &iov, 1, size, true); + } + +-static inline ssize_t write_sync(QIOChannel *ioc, const void *buffer, +- size_t size) ++/* read_sync ++ * Reads @size bytes from @ioc. Returns 0 on success. ++ */ ++static inline int read_sync(QIOChannel *ioc, void *buffer, size_t size) ++{ ++ ssize_t ret = read_sync_eof(ioc, buffer, size); ++ ++ if (ret >= 0 && ret != size) { ++ ret = -EINVAL; ++ } ++ ++ return ret < 0 ? ret : 0; ++} ++ ++/* write_sync ++ * Writes @size bytes to @ioc. Returns 0 on success. ++ */ ++static inline int write_sync(QIOChannel *ioc, const void *buffer, size_t size) + { + struct iovec iov = { .iov_base = (void *) buffer, .iov_len = size }; + +- return nbd_wr_syncv(ioc, &iov, 1, size, false); ++ ssize_t ret = nbd_wr_syncv(ioc, &iov, 1, size, false); ++ ++ assert(ret < 0 || ret == size); ++ ++ return ret < 0 ? ret : 0; + } + + struct NBDTLSHandshakeData { +diff --git a/nbd/server.c b/nbd/server.c +index 924a1fe..a1f106b 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -104,69 +104,6 @@ struct NBDClient { + + static void nbd_client_receive_next_request(NBDClient *client); + +-static gboolean nbd_negotiate_continue(QIOChannel *ioc, +- GIOCondition condition, +- void *opaque) +-{ +- qemu_coroutine_enter(opaque); +- return TRUE; +-} +- +-static ssize_t nbd_negotiate_read(QIOChannel *ioc, void *buffer, size_t size) +-{ +- ssize_t ret; +- guint watch; +- +- assert(qemu_in_coroutine()); +- /* Negotiation are always in main loop. */ +- watch = qio_channel_add_watch(ioc, +- G_IO_IN, +- nbd_negotiate_continue, +- qemu_coroutine_self(), +- NULL); +- ret = read_sync(ioc, buffer, size); +- g_source_remove(watch); +- return ret; +- +-} +- +-static ssize_t nbd_negotiate_write(QIOChannel *ioc, const void *buffer, +- size_t size) +-{ +- ssize_t ret; +- guint watch; +- +- assert(qemu_in_coroutine()); +- /* Negotiation are always in main loop. */ +- watch = qio_channel_add_watch(ioc, +- G_IO_OUT, +- nbd_negotiate_continue, +- qemu_coroutine_self(), +- NULL); +- ret = write_sync(ioc, buffer, size); +- g_source_remove(watch); +- return ret; +-} +- +-static ssize_t nbd_negotiate_drop_sync(QIOChannel *ioc, size_t size) +-{ +- ssize_t ret, dropped = size; +- uint8_t *buffer = g_malloc(MIN(65536, size)); +- +- while (size > 0) { +- ret = nbd_negotiate_read(ioc, buffer, MIN(65536, size)); +- if (ret < 0) { +- g_free(buffer); +- return ret; +- } +- +- assert(ret <= size); +- size -= ret; +- } +- +- g_free(buffer); +- return dropped; +-} + + /* Basic flow for negotiation + +@@ -206,22 +143,22 @@ static int nbd_negotiate_send_rep_len(QIOChannel *ioc, uint32_t type, + type, opt, len); + + magic = cpu_to_be64(NBD_REP_MAGIC); +- if (nbd_negotiate_write(ioc, &magic, sizeof(magic)) != sizeof(magic)) { ++ if (nbd_write(ioc, &magic, sizeof(magic), NULL) < 0) { + LOG("write failed (rep magic)"); + return -EINVAL; + } + opt = cpu_to_be32(opt); +- if (nbd_negotiate_write(ioc, &opt, sizeof(opt)) != sizeof(opt)) { ++ if (nbd_write(ioc, &opt, sizeof(opt), NULL) < 0) { + LOG("write failed (rep opt)"); + return -EINVAL; + } + type = cpu_to_be32(type); +- if (nbd_negotiate_write(ioc, &type, sizeof(type)) != sizeof(type)) { ++ if (nbd_write(ioc, &type, sizeof(type), NULL) < 0) { + LOG("write failed (rep type)"); + return -EINVAL; + } + len = cpu_to_be32(len); +- if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) { ++ if (nbd_write(ioc, &len, sizeof(len), NULL) < 0) { + LOG("write failed (rep data length)"); + return -EINVAL; + } +@@ -256,7 +193,7 @@ nbd_negotiate_send_rep_err(QIOChannel *ioc, uint32_t type, + if (ret < 0) { + goto out; + } +- if (nbd_negotiate_write(ioc, msg, len) != len) { ++ if (nbd_write(ioc, msg, len, NULL) < 0) { + LOG("write failed (error message)"); + ret = -EIO; + } else { +@@ -287,15 +224,15 @@ static int nbd_negotiate_send_rep_list(QIOChannel *ioc, NBDExport *exp) + } + + len = cpu_to_be32(name_len); +- if (nbd_negotiate_write(ioc, &len, sizeof(len)) != sizeof(len)) { ++ if (nbd_write(ioc, &len, sizeof(len), NULL) < 0) { + LOG("write failed (name length)"); + return -EINVAL; + } +- if (nbd_negotiate_write(ioc, name, name_len) != name_len) { ++ if (nbd_write(ioc, name, name_len, NULL) < 0) { + LOG("write failed (name buffer)"); + return -EINVAL; + } +- if (nbd_negotiate_write(ioc, desc, desc_len) != desc_len) { ++ if (nbd_write(ioc, desc, desc_len, NULL) < 0) { + LOG("write failed (description buffer)"); + return -EINVAL; + } +@@ -309,7 +246,7 @@ static int nbd_negotiate_handle_list(NBDClient *client, uint32_t length) + NBDExport *exp; + + if (length) { +- if (nbd_negotiate_drop_sync(client->ioc, length) != length) { ++ if (nbd_drop(client->ioc, length, NULL) < 0) { + return -EIO; + } + return nbd_negotiate_send_rep_err(client->ioc, +@@ -340,7 +277,7 @@ static int nbd_negotiate_handle_export_name(NBDClient *client, uint32_t length) + LOG("Bad length received"); + goto fail; + } +- if (nbd_negotiate_read(client->ioc, name, length) != length) { ++ if (nbd_read(client->ioc, name, length, NULL) < 0) { + LOG("read failed"); + goto fail; + } +@@ -373,7 +310,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDClient *client, + TRACE("Setting up TLS"); + ioc = client->ioc; + if (length) { +- if (nbd_negotiate_drop_sync(ioc, length) != length) { ++ if (nbd_drop(ioc, length, NULL) < 0) { + return NULL; + } + nbd_negotiate_send_rep_err(ioc, NBD_REP_ERR_INVALID, NBD_OPT_STARTTLS, +@@ -437,8 +374,7 @@ static int nbd_negotiate_options(NBDClient *client) + ... Rest of request + */ + +- if (nbd_negotiate_read(client->ioc, &flags, sizeof(flags)) != +- sizeof(flags)) { ++ if (nbd_read(client->ioc, &flags, sizeof(flags), NULL) < 0) { + LOG("read failed"); + return -EIO; + } +@@ -464,8 +400,7 @@ static int nbd_negotiate_options(NBDClient *client) + uint32_t clientflags, length; + uint64_t magic; + +- if (nbd_negotiate_read(client->ioc, &magic, sizeof(magic)) != +- sizeof(magic)) { ++ if (nbd_read(client->ioc, &magic, sizeof(magic), NULL) < 0) { + LOG("read failed"); + return -EINVAL; + } +@@ -475,15 +410,15 @@ static int nbd_negotiate_options(NBDClient *client) + return -EINVAL; + } + +- if (nbd_negotiate_read(client->ioc, &clientflags, +- sizeof(clientflags)) != sizeof(clientflags)) { ++ if (nbd_read(client->ioc, &clientflags, ++ sizeof(clientflags), NULL) < 0) ++ { + LOG("read failed"); + return -EINVAL; + } + clientflags = be32_to_cpu(clientflags); + +- if (nbd_negotiate_read(client->ioc, &length, sizeof(length)) != +- sizeof(length)) { ++ if (nbd_read(client->ioc, &length, sizeof(length), NULL) < 0) { + LOG("read failed"); + return -EINVAL; + } +@@ -513,7 +448,7 @@ static int nbd_negotiate_options(NBDClient *client) + return -EINVAL; + + default: +- if (nbd_negotiate_drop_sync(client->ioc, length) != length) { ++ if (nbd_drop(client->ioc, length, NULL) < 0) { + return -EIO; + } + ret = nbd_negotiate_send_rep_err(client->ioc, +@@ -551,7 +486,7 @@ static int nbd_negotiate_options(NBDClient *client) + return nbd_negotiate_handle_export_name(client, length); + + case NBD_OPT_STARTTLS: +- if (nbd_negotiate_drop_sync(client->ioc, length) != length) { ++ if (nbd_drop(client->ioc, length, NULL) < 0) { + return -EIO; + } + if (client->tlscreds) { +@@ -570,7 +505,7 @@ static int nbd_negotiate_options(NBDClient *client) + } + break; + default: +- if (nbd_negotiate_drop_sync(client->ioc, length) != length) { ++ if (nbd_drop(client->ioc, length, NULL) < 0) { + return -EIO; + } + ret = nbd_negotiate_send_rep_err(client->ioc, +@@ -659,12 +594,12 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data) + TRACE("TLS cannot be enabled with oldstyle protocol"); + goto fail; + } +- if (nbd_negotiate_write(client->ioc, buf, sizeof(buf)) != sizeof(buf)) { ++ if (nbd_write(client->ioc, buf, sizeof(buf), NULL) < 0) { + LOG("write failed"); + goto fail; + } + } else { +- if (nbd_negotiate_write(client->ioc, buf, 18) != 18) { ++ if (nbd_write(client->ioc, buf, 18, NULL) < 0) { + LOG("write failed"); + goto fail; + } +@@ -679,7 +614,7 @@ static coroutine_fn int nbd_negotiate(NBDClientNewData *data) + stq_be_p(buf + 18, client->exp->size); + stw_be_p(buf + 26, client->exp->nbdflags | myflags); + len = client->no_zeroes ? 10 : sizeof(buf) - 18; +- if (nbd_negotiate_write(client->ioc, buf + 18, len) != len) { ++ if (nbd_write(client->ioc, buf + 18, len, NULL) < 0) { + LOG("write failed"); + goto fail; + } +@@ -702,11 +637,6 @@ static ssize_t nbd_receive_request(QIOChannel *ioc, NBDRequest *request) + return ret; + } + +- if (ret != sizeof(buf)) { +- LOG("read failed"); +- return -EINVAL; +- } +- + /* Request + [ 0 .. 3] magic (NBD_REQUEST_MAGIC) + [ 4 .. 5] flags (NBD_CMD_FLAG_FUA, ...) +@@ -737,7 +667,6 @@ static ssize_t nbd_receive_request(QIOChannel *ioc, NBDRequest *request) + static ssize_t nbd_send_reply(QIOChannel *ioc, NBDReply *reply) + { + uint8_t buf[NBD_REPLY_SIZE]; +- ssize_t ret; + + reply->error = system_errno_to_nbd_errno(reply->error); + +@@ -754,16 +683,7 @@ static ssize_t nbd_send_reply(QIOChannel *ioc, NBDReply *reply) + stl_be_p(buf + 4, reply->error); + stq_be_p(buf + 8, reply->handle); + +- ret = write_sync(ioc, buf, sizeof(buf)); +- if (ret < 0) { +- return ret; +- } +- +- if (ret != sizeof(buf)) { +- LOG("writing to socket failed"); +- return -EINVAL; +- } +- return 0; ++ return write_sync(ioc, buf, sizeof(buf)); + } + + #define MAX_NBD_REQUESTS 16 +@@ -1067,7 +987,7 @@ static ssize_t nbd_co_send_reply(NBDRequestData *req, NBDReply *reply, + rc = nbd_send_reply(client->ioc, reply); + if (rc >= 0) { + ret = write_sync(client->ioc, req->data, len); +- if (ret != len) { ++ if (ret < 0) { + rc = -EIO; + } + } +@@ -1141,7 +1061,7 @@ static ssize_t nbd_co_receive_request(NBDRequestData *req, + if (request->type == NBD_CMD_WRITE) { + TRACE("Reading %" PRIu32 " byte(s)", request->len); + +- if (read_sync(client->ioc, req->data, request->len) != request->len) { ++ if (read_sync(client->ioc, req->data, request->len) < 0) { + LOG("reading from socket failed"); + rc = -EIO; + goto out; diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch new file mode 100644 index 00000000..01c81d10 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-1.patch @@ -0,0 +1,122 @@ +From 87e459a810d7b1ec1638085b5a80ea3d9b43119a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Thu, 1 Jun 2017 17:26:14 +0200 +Subject: [PATCH] megasas: always store SCSIRequest* into MegasasCmd + +This ensures that the request is unref'ed properly, and avoids a +segmentation fault in the new qtest testcase that is added. +This is CVE-2017-9503. + +Reported-by: Zhangyanyu <zyy4013@stu.ouc.edu.cn> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + hw/scsi/megasas.c | 31 ++++++++++++++++--------------- + 2 files changed, 51 insertions(+), 15 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index 135662df31..734fdaef90 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -609,6 +609,9 @@ static void megasas_reset_frames(MegasasState *s) + static void megasas_abort_command(MegasasCmd *cmd) + { + /* Never abort internal commands. */ ++ if (cmd->dcmd_opcode != -1) { ++ return; ++ } + if (cmd->req != NULL) { + scsi_req_cancel(cmd->req); + } +@@ -1017,7 +1020,6 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, + uint64_t pd_size; + uint16_t pd_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF); + uint8_t cmdbuf[6]; +- SCSIRequest *req; + size_t len, resid; + + if (!cmd->iov_buf) { +@@ -1026,8 +1028,8 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, + info->inquiry_data[0] = 0x7f; /* Force PQual 0x3, PType 0x1f */ + info->vpd_page83[0] = 0x7f; + megasas_setup_inquiry(cmdbuf, 0, sizeof(info->inquiry_data)); +- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); +- if (!req) { ++ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); ++ if (!cmd->req) { + trace_megasas_dcmd_req_alloc_failed(cmd->index, + "PD get info std inquiry"); + g_free(cmd->iov_buf); +@@ -1036,26 +1038,26 @@ static int megasas_pd_get_info_submit(SCSIDevice *sdev, int lun, + } + trace_megasas_dcmd_internal_submit(cmd->index, + "PD get info std inquiry", lun); +- len = scsi_req_enqueue(req); ++ len = scsi_req_enqueue(cmd->req); + if (len > 0) { + cmd->iov_size = len; +- scsi_req_continue(req); ++ scsi_req_continue(cmd->req); + } + return MFI_STAT_INVALID_STATUS; + } else if (info->inquiry_data[0] != 0x7f && info->vpd_page83[0] == 0x7f) { + megasas_setup_inquiry(cmdbuf, 0x83, sizeof(info->vpd_page83)); +- req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); +- if (!req) { ++ cmd->req = scsi_req_new(sdev, cmd->index, lun, cmdbuf, cmd); ++ if (!cmd->req) { + trace_megasas_dcmd_req_alloc_failed(cmd->index, + "PD get info vpd inquiry"); + return MFI_STAT_FLASH_ALLOC_FAIL; + } + trace_megasas_dcmd_internal_submit(cmd->index, + "PD get info vpd inquiry", lun); +- len = scsi_req_enqueue(req); ++ len = scsi_req_enqueue(cmd->req); + if (len > 0) { + cmd->iov_size = len; +- scsi_req_continue(req); ++ scsi_req_continue(cmd->req); + } + return MFI_STAT_INVALID_STATUS; + } +@@ -1217,7 +1219,6 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, + struct mfi_ld_info *info = cmd->iov_buf; + size_t dcmd_size = sizeof(struct mfi_ld_info); + uint8_t cdb[6]; +- SCSIRequest *req; + ssize_t len, resid; + uint16_t sdev_id = ((sdev->id & 0xFF) << 8) | (lun & 0xFF); + uint64_t ld_size; +@@ -1226,8 +1227,8 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, + cmd->iov_buf = g_malloc0(dcmd_size); + info = cmd->iov_buf; + megasas_setup_inquiry(cdb, 0x83, sizeof(info->vpd_page83)); +- req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd); +- if (!req) { ++ cmd->req = scsi_req_new(sdev, cmd->index, lun, cdb, cmd); ++ if (!cmd->req) { + trace_megasas_dcmd_req_alloc_failed(cmd->index, + "LD get info vpd inquiry"); + g_free(cmd->iov_buf); +@@ -1236,10 +1237,10 @@ static int megasas_ld_get_info_submit(SCSIDevice *sdev, int lun, + } + trace_megasas_dcmd_internal_submit(cmd->index, + "LD get info vpd inquiry", lun); +- len = scsi_req_enqueue(req); ++ len = scsi_req_enqueue(cmd->req); + if (len > 0) { + cmd->iov_size = len; +- scsi_req_continue(req); ++ scsi_req_continue(cmd->req); + } + return MFI_STAT_INVALID_STATUS; + } +@@ -1851,7 +1852,7 @@ static void megasas_command_complete(SCSIRequest *req, uint32_t status, + return; + } + +- if (cmd->req == NULL) { ++ if (cmd->dcmd_opcode != -1) { + /* + * Internal command complete + */ diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch new file mode 100644 index 00000000..74725a92 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9503-2.patch @@ -0,0 +1,114 @@ +From 5104fac8539eaf155fc6de93e164be43e1e62242 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Thu, 1 Jun 2017 17:18:23 +0200 +Subject: [PATCH] megasas: do not read DCMD opcode more than once from frame + +Avoid TOC-TOU bugs by storing the DCMD opcode in the MegasasCmd + +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + hw/scsi/megasas.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c +index c353118882..a3f75c1650 100644 +--- a/hw/scsi/megasas.c ++++ b/hw/scsi/megasas.c +@@ -63,6 +63,7 @@ typedef struct MegasasCmd { + + hwaddr pa; + hwaddr pa_size; ++ uint32_t dcmd_opcode; + union mfi_frame *frame; + SCSIRequest *req; + QEMUSGList qsg; +@@ -513,6 +514,7 @@ static MegasasCmd *megasas_enqueue_frame(MegasasState *s, + cmd->context &= (uint64_t)0xFFFFFFFF; + } + cmd->count = count; ++ cmd->dcmd_opcode = -1; + s->busy++; + + if (s->consumer_pa) { +@@ -1562,22 +1564,21 @@ static const struct dcmd_cmd_tbl_t { + + static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) + { +- int opcode; + int retval = 0; + size_t len; + const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; + +- opcode = le32_to_cpu(cmd->frame->dcmd.opcode); +- trace_megasas_handle_dcmd(cmd->index, opcode); ++ cmd->dcmd_opcode = le32_to_cpu(cmd->frame->dcmd.opcode); ++ trace_megasas_handle_dcmd(cmd->index, cmd->dcmd_opcode); + if (megasas_map_dcmd(s, cmd) < 0) { + return MFI_STAT_MEMORY_NOT_AVAILABLE; + } +- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { ++ while (cmdptr->opcode != -1 && cmdptr->opcode != cmd->dcmd_opcode) { + cmdptr++; + } + len = cmd->iov_size; + if (cmdptr->opcode == -1) { +- trace_megasas_dcmd_unhandled(cmd->index, opcode, len); ++ trace_megasas_dcmd_unhandled(cmd->index, cmd->dcmd_opcode, len); + retval = megasas_dcmd_dummy(s, cmd); + } else { + trace_megasas_dcmd_enter(cmd->index, cmdptr->desc, len); +@@ -1592,13 +1593,11 @@ static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) + static int megasas_finish_internal_dcmd(MegasasCmd *cmd, + SCSIRequest *req) + { +- int opcode; + int retval = MFI_STAT_OK; + int lun = req->lun; + +- opcode = le32_to_cpu(cmd->frame->dcmd.opcode); +- trace_megasas_dcmd_internal_finish(cmd->index, opcode, lun); +- switch (opcode) { ++ trace_megasas_dcmd_internal_finish(cmd->index, cmd->dcmd_opcode, lun); ++ switch (cmd->dcmd_opcode) { + case MFI_DCMD_PD_GET_INFO: + retval = megasas_pd_get_info_submit(req->dev, lun, cmd); + break; +@@ -1606,7 +1605,7 @@ static int megasas_finish_internal_dcmd(MegasasCmd *cmd, + retval = megasas_ld_get_info_submit(req->dev, lun, cmd); + break; + default: +- trace_megasas_dcmd_internal_invalid(cmd->index, opcode); ++ trace_megasas_dcmd_internal_invalid(cmd->index, cmd->dcmd_opcode); + retval = MFI_STAT_INVALID_DCMD; + break; + } +@@ -1827,7 +1826,6 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) + { + MegasasCmd *cmd = req->hba_private; + uint8_t *buf; +- uint32_t opcode; + + trace_megasas_io_complete(cmd->index, len); + +@@ -1837,8 +1835,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) + } + + buf = scsi_req_get_buf(req); +- opcode = le32_to_cpu(cmd->frame->dcmd.opcode); +- if (opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { ++ if (cmd->dcmd_opcode == MFI_DCMD_PD_GET_INFO && cmd->iov_buf) { + struct mfi_pd_info *info = cmd->iov_buf; + + if (info->inquiry_data[0] == 0x7f) { +@@ -1849,7 +1846,7 @@ static void megasas_xfer_complete(SCSIRequest *req, uint32_t len) + memcpy(info->vpd_page83, buf, len); + } + scsi_req_continue(req); +- } else if (opcode == MFI_DCMD_LD_GET_INFO) { ++ } else if (cmd->dcmd_opcode == MFI_DCMD_LD_GET_INFO) { + struct mfi_ld_info *info = cmd->iov_buf; + + if (cmd->iov_buf) { +-- +2.13.0 + diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch new file mode 100644 index 00000000..9d77193b --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-1.patch @@ -0,0 +1,80 @@ +From df8ad9f128c15aa0a0ebc7b24e9a22c9775b67af Mon Sep 17 00:00:00 2001 +From: Eric Blake <eblake@redhat.com> +Date: Fri, 26 May 2017 22:04:21 -0500 +Subject: [PATCH] nbd: Fully initialize client in case of failed negotiation + +If a non-NBD client connects to qemu-nbd, we would end up with +a SIGSEGV in nbd_client_put() because we were trying to +unregister the client's association to the export, even though +we skipped inserting the client into that list. Easy trigger +in two terminals: + +$ qemu-nbd -p 30001 --format=raw file +$ nmap 127.0.0.1 -p 30001 + +nmap claims that it thinks it connected to a pago-services1 +server (which probably means nmap could be updated to learn the +NBD protocol and give a more accurate diagnosis of the open +port - but that's not our problem), then terminates immediately, +so our call to nbd_negotiate() fails. The fix is to reorder +nbd_co_client_start() to ensure that all initialization occurs +before we ever try talking to a client in nbd_negotiate(), so +that the teardown sequence on negotiation failure doesn't fault +while dereferencing a half-initialized object. + +While debugging this, I also noticed that nbd_update_server_watch() +called by nbd_client_closed() was still adding a channel to accept +the next client, even when the state was no longer RUNNING. That +is fixed by making nbd_can_accept() pay attention to the current +state. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 + +Signed-off-by: Eric Blake <eblake@redhat.com> +Message-Id: <20170527030421.28366-1-eblake@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + nbd/server.c | 8 +++----- + qemu-nbd.c | 2 +- + 2 files changed, 4 insertions(+), 6 deletions(-) + +diff --git a/nbd/server.c b/nbd/server.c +index ee59e5d234..49b55f6ede 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -1358,16 +1358,14 @@ static coroutine_fn void nbd_co_client_start(void *opaque) + + if (exp) { + nbd_export_get(exp); ++ QTAILQ_INSERT_TAIL(&exp->clients, client, next); + } ++ qemu_co_mutex_init(&client->send_lock); ++ + if (nbd_negotiate(data)) { + client_close(client); + goto out; + } +- qemu_co_mutex_init(&client->send_lock); +- +- if (exp) { +- QTAILQ_INSERT_TAIL(&exp->clients, client, next); +- } + + nbd_client_receive_next_request(client); + +diff --git a/qemu-nbd.c b/qemu-nbd.c +index f60842fd86..651f85ecc1 100644 +--- a/qemu-nbd.c ++++ b/qemu-nbd.c +@@ -325,7 +325,7 @@ out: + + static int nbd_can_accept(void) + { +- return nb_fds < shared; ++ return state == RUNNING && nb_fds < shared; + } + + static void nbd_export_closed(NBDExport *exp) +-- +2.13.0 + diff --git a/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch new file mode 100644 index 00000000..e6934b37 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.9.0-CVE-2017-9524-2.patch @@ -0,0 +1,197 @@ +From 0c9390d978cbf61e8f16c9f580fa96b305c43568 Mon Sep 17 00:00:00 2001 +From: Eric Blake <eblake@redhat.com> +Date: Thu, 8 Jun 2017 17:26:17 -0500 +Subject: [PATCH] nbd: Fix regression on resiliency to port scan + +Back in qemu 2.5, qemu-nbd was immune to port probes (a transient +server would not quit, regardless of how many probe connections +came and went, until a connection actually negotiated). But we +broke that in commit ee7d7aa when removing the return value to +nbd_client_new(), although that patch also introduced a bug causing +an assertion failure on a client that fails negotiation. We then +made it worse during refactoring in commit 1a6245a (a segfault +before we could even assert); the (masked) assertion was cleaned +up in d3780c2 (still in 2.6), and just recently we finally fixed +the segfault ("nbd: Fully intialize client in case of failed +negotiation"). But that still means that ever since we added +TLS support to qemu-nbd, we have been vulnerable to an ill-timed +port-scan being able to cause a denial of service by taking down +qemu-nbd before a real client has a chance to connect. + +Since negotiation is now handled asynchronously via coroutines, +we no longer have a synchronous point of return by re-adding a +return value to nbd_client_new(). So this patch instead wires +things up to pass the negotiation status through the close_fn +callback function. + +Simple test across two terminals: +$ qemu-nbd -f raw -p 30001 file +$ nmap 127.0.0.1 -p 30001 && \ + qemu-io -c 'r 0 512' -f raw nbd://localhost:30001 + +Note that this patch does not change what constitutes successful +negotiation (thus, a client must enter transmission phase before +that client can be considered as a reason to terminate the server +when the connection ends). Perhaps we may want to tweak things +in a later patch to also treat a client that uses NBD_OPT_ABORT +as being a 'successful' negotiation (the client correctly talked +the NBD protocol, and informed us it was not going to use our +export after all), but that's a discussion for another day. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614 + +Signed-off-by: Eric Blake <eblake@redhat.com> +Message-Id: <20170608222617.20376-1-eblake@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + blockdev-nbd.c | 6 +++++- + include/block/nbd.h | 2 +- + nbd/server.c | 24 +++++++++++++++--------- + qemu-nbd.c | 4 ++-- + 4 files changed, 23 insertions(+), 13 deletions(-) + +diff --git a/blockdev-nbd.c b/blockdev-nbd.c +index dd0860f4a6..28f551a7b0 100644 +--- a/blockdev-nbd.c ++++ b/blockdev-nbd.c +@@ -27,6 +27,10 @@ typedef struct NBDServerData { + + static NBDServerData *nbd_server; + ++static void nbd_blockdev_client_closed(NBDClient *client, bool ignored) ++{ ++ nbd_client_put(client); ++} + + static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, + gpointer opaque) +@@ -46,7 +50,7 @@ static gboolean nbd_accept(QIOChannel *ioc, GIOCondition condition, + qio_channel_set_name(QIO_CHANNEL(cioc), "nbd-server"); + nbd_client_new(NULL, cioc, + nbd_server->tlscreds, NULL, +- nbd_client_put); ++ nbd_blockdev_client_closed); + object_unref(OBJECT(cioc)); + return TRUE; + } +diff --git a/include/block/nbd.h b/include/block/nbd.h +index 416257abca..8fa5ce51f3 100644 +--- a/include/block/nbd.h ++++ b/include/block/nbd.h +@@ -162,7 +162,7 @@ void nbd_client_new(NBDExport *exp, + QIOChannelSocket *sioc, + QCryptoTLSCreds *tlscreds, + const char *tlsaclname, +- void (*close)(NBDClient *)); ++ void (*close_fn)(NBDClient *, bool)); + void nbd_client_get(NBDClient *client); + void nbd_client_put(NBDClient *client); + +diff --git a/nbd/server.c b/nbd/server.c +index 49b55f6ede..f2b1aa47ce 100644 +--- a/nbd/server.c ++++ b/nbd/server.c +@@ -81,7 +81,7 @@ static QTAILQ_HEAD(, NBDExport) exports = QTAILQ_HEAD_INITIALIZER(exports); + + struct NBDClient { + int refcount; +- void (*close)(NBDClient *client); ++ void (*close_fn)(NBDClient *client, bool negotiated); + + bool no_zeroes; + NBDExport *exp; +@@ -778,7 +778,7 @@ void nbd_client_put(NBDClient *client) + } + } + +-static void client_close(NBDClient *client) ++static void client_close(NBDClient *client, bool negotiated) + { + if (client->closing) { + return; +@@ -793,8 +793,8 @@ static void client_close(NBDClient *client) + NULL); + + /* Also tell the client, so that they release their reference. */ +- if (client->close) { +- client->close(client); ++ if (client->close_fn) { ++ client->close_fn(client, negotiated); + } + } + +@@ -975,7 +975,7 @@ void nbd_export_close(NBDExport *exp) + + nbd_export_get(exp); + QTAILQ_FOREACH_SAFE(client, &exp->clients, next, next) { +- client_close(client); ++ client_close(client, true); + } + nbd_export_set_name(exp, NULL); + nbd_export_set_description(exp, NULL); +@@ -1337,7 +1337,7 @@ done: + + out: + nbd_request_put(req); +- client_close(client); ++ client_close(client, true); + nbd_client_put(client); + } + +@@ -1363,7 +1363,7 @@ static coroutine_fn void nbd_co_client_start(void *opaque) + qemu_co_mutex_init(&client->send_lock); + + if (nbd_negotiate(data)) { +- client_close(client); ++ client_close(client, false); + goto out; + } + +@@ -1373,11 +1373,17 @@ out: + g_free(data); + } + ++/* ++ * Create a new client listener on the given export @exp, using the ++ * given channel @sioc. Begin servicing it in a coroutine. When the ++ * connection closes, call @close_fn with an indication of whether the ++ * client completed negotiation. ++ */ + void nbd_client_new(NBDExport *exp, + QIOChannelSocket *sioc, + QCryptoTLSCreds *tlscreds, + const char *tlsaclname, +- void (*close_fn)(NBDClient *)) ++ void (*close_fn)(NBDClient *, bool)) + { + NBDClient *client; + NBDClientNewData *data = g_new(NBDClientNewData, 1); +@@ -1394,7 +1400,7 @@ void nbd_client_new(NBDExport *exp, + object_ref(OBJECT(client->sioc)); + client->ioc = QIO_CHANNEL(sioc); + object_ref(OBJECT(client->ioc)); +- client->close = close_fn; ++ client->close_fn = close_fn; + + data->client = client; + data->co = qemu_coroutine_create(nbd_co_client_start, data); +diff --git a/qemu-nbd.c b/qemu-nbd.c +index 651f85ecc1..9464a0461c 100644 +--- a/qemu-nbd.c ++++ b/qemu-nbd.c +@@ -336,10 +336,10 @@ static void nbd_export_closed(NBDExport *exp) + + static void nbd_update_server_watch(void); + +-static void nbd_client_closed(NBDClient *client) ++static void nbd_client_closed(NBDClient *client, bool negotiated) + { + nb_fds--; +- if (nb_fds == 0 && !persistent && state == RUNNING) { ++ if (negotiated && nb_fds == 0 && !persistent && state == RUNNING) { + state = TERMINATE; + } + nbd_update_server_watch(); +-- +2.13.0 + diff --git a/app-emulation/qemu/qemu-2.8.1-r2.ebuild b/app-emulation/qemu/qemu-2.8.1-r2.ebuild deleted file mode 100644 index ff24476f..00000000 --- a/app-emulation/qemu/qemu-2.8.1-r2.ebuild +++ /dev/null @@ -1,770 +0,0 @@ -# Copyright 1999-2017 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -EAPI="6" - -PYTHON_COMPAT=( python2_7 ) -PYTHON_REQ_USE="ncurses,readline" - -PLOCALES="bg de_DE fr_FR hu it tr zh_CN" - -inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ - user udev fcaps readme.gentoo-r1 pax-utils l10n - -if [[ ${PV} = *9999* ]]; then - EGIT_REPO_URI="git://git.qemu.org/qemu.git" - inherit git-r3 - SRC_URI="" -else - SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2" - KEYWORDS="amd64 ~arm64 ~ppc ~ppc64 x86 ~x86-fbsd" -fi - -DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" -HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" - -LICENSE="GPL-2 LGPL-2 BSD-2" -SLOT="0" -IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt - glusterfs gnutls gtk gtk2 infiniband iscsi +jpeg kernel_linux - kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png - pulseaudio python rbd sasl +seccomp sdl sdl2 selinux smartcard snappy - spice ssh static static-user systemtap tci test usb usbredir vde - +vhost-net virgl virtfs +vnc vte xattr xen xfs" - -COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel - mips mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc - sparc64 x86_64" -IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} - lm32 moxie ppcemb tricore unicore32 xtensa xtensaeb" -IUSE_USER_TARGETS="${COMMON_TARGETS} - armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" - -use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) -use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) -IUSE+=" ${use_softmmu_targets} ${use_user_targets}" - -# Allow no targets to be built so that people can get a tools-only build. -# Block USE flag configurations known to not work. -REQUIRED_USE="${PYTHON_REQUIRED_USE} - gtk2? ( gtk ) - qemu_softmmu_targets_arm? ( fdt ) - qemu_softmmu_targets_microblaze? ( fdt ) - qemu_softmmu_targets_ppc? ( fdt ) - qemu_softmmu_targets_ppc64? ( fdt ) - sdl2? ( sdl ) - static? ( static-user !alsa !bluetooth !gtk !gtk2 !opengl !pulseaudio ) - virtfs? ( xattr ) - vte? ( gtk )" - -# Dependencies required for qemu tools (qemu-nbd, qemu-img, qemu-io, ...) -# and user/softmmu targets (qemu-*, qemu-system-*). -# -# Yep, you need both libcap and libcap-ng since virtfs only uses libcap. -# -# The attr lib isn't always linked in (although the USE flag is always -# respected). This is because qemu supports using the C library's API -# when available rather than always using the extranl library. -ALL_DEPEND=" - >=dev-libs/glib-2.0[static-libs(+)] - sys-libs/zlib[static-libs(+)] - python? ( ${PYTHON_DEPS} ) - systemtap? ( dev-util/systemtap ) - xattr? ( sys-apps/attr[static-libs(+)] )" - -# Dependencies required for qemu tools (qemu-nbd, qemu-img, qemu-io, ...) -# softmmu targets (qemu-system-*). -SOFTMMU_TOOLS_DEPEND=" - >=x11-libs/pixman-0.28.0[static-libs(+)] - accessibility? ( - app-accessibility/brltty[api] - app-accessibility/brltty[static-libs(+)] - ) - aio? ( dev-libs/libaio[static-libs(+)] ) - alsa? ( >=media-libs/alsa-lib-1.0.13 ) - bluetooth? ( net-wireless/bluez ) - bzip2? ( app-arch/bzip2[static-libs(+)] ) - caps? ( sys-libs/libcap-ng[static-libs(+)] ) - curl? ( >=net-misc/curl-7.15.4[static-libs(+)] ) - fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] ) - glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] ) - gnutls? ( - dev-libs/nettle:=[static-libs(+)] - >=net-libs/gnutls-3.0:=[static-libs(+)] - ) - gtk? ( - gtk2? ( - x11-libs/gtk+:2 - vte? ( x11-libs/vte:0 ) - ) - !gtk2? ( - x11-libs/gtk+:3 - vte? ( x11-libs/vte:2.91 ) - ) - ) - infiniband? ( sys-fabric/librdmacm:=[static-libs(+)] ) - iscsi? ( net-libs/libiscsi ) - jpeg? ( virtual/jpeg:0=[static-libs(+)] ) - lzo? ( dev-libs/lzo:2[static-libs(+)] ) - ncurses? ( - sys-libs/ncurses:0=[unicode] - sys-libs/ncurses:0=[static-libs(+)] - ) - nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] ) - numa? ( sys-process/numactl[static-libs(+)] ) - opengl? ( - virtual/opengl - media-libs/libepoxy[static-libs(+)] - media-libs/mesa[static-libs(+)] - media-libs/mesa[egl,gbm] - ) - png? ( media-libs/libpng:0=[static-libs(+)] ) - pulseaudio? ( media-sound/pulseaudio ) - rbd? ( sys-cluster/ceph[static-libs(+)] ) - sasl? ( dev-libs/cyrus-sasl[static-libs(+)] ) - sdl? ( - !sdl2? ( - media-libs/libsdl[X] - >=media-libs/libsdl-1.2.11[static-libs(+)] - ) - sdl2? ( - media-libs/libsdl2[X] - media-libs/libsdl2[static-libs(+)] - ) - ) - seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) - smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) - snappy? ( app-arch/snappy[static-libs(+)] ) - spice? ( - >=app-emulation/spice-protocol-0.12.3 - >=app-emulation/spice-0.12.0[static-libs(+)] - ) - ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) - usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) - usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) - vde? ( net-misc/vde[static-libs(+)] ) - virgl? ( media-libs/virglrenderer[static-libs(+)] ) - virtfs? ( sys-libs/libcap ) - xen? ( app-emulation/xen-tools:= ) - xfs? ( sys-fs/xfsprogs[static-libs(+)] )" - -X86_FIRMWARE_DEPEND=" - >=sys-firmware/ipxe-1.0.0_p20130624 - pin-upstream-blobs? ( - ~sys-firmware/seabios-1.10.1 - ~sys-firmware/sgabios-0.1_pre8 - ~sys-firmware/vgabios-0.7a - ) - !pin-upstream-blobs? ( - sys-firmware/seabios - sys-firmware/sgabios - sys-firmware/vgabios - )" - -CDEPEND=" - !static? ( - ${ALL_DEPEND//\[static-libs(+)]} - ${SOFTMMU_TOOLS_DEPEND//\[static-libs(+)]} - ) - qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} ) - qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )" -DEPEND="${CDEPEND} - dev-lang/perl - =dev-lang/python-2* - sys-apps/texinfo - virtual/pkgconfig - kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 ) - gtk? ( nls? ( sys-devel/gettext ) ) - static? ( - ${ALL_DEPEND} - ${SOFTMMU_TOOLS_DEPEND} - ) - static-user? ( ${ALL_DEPEND} ) - test? ( - dev-libs/glib[utils] - sys-devel/bc - )" -RDEPEND="${CDEPEND} - selinux? ( sec-policy/selinux-qemu )" - -PATCHES=( - # musl patches - "${FILESDIR}"/${PN}-2.8.0-F_SHLCK-and-F_EXLCK.patch - "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch - "${FILESDIR}"/${PN}-2.2.0-_sigev_un.patch - - # gentoo patches - "${FILESDIR}"/${PN}-2.5.0-cflags.patch - "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch - "${FILESDIR}"/${PN}-2.7.0-CVE-2016-8669-1.patch #597108 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9908.patch #601826 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-9912.patch #602630 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10028.patch #603444 - "${FILESDIR}"/${PN}-2.8.0-CVE-2016-10155.patch #606720 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-1.patch #606264 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5525-2.patch - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5552.patch #606722 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5578.patch #607000 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5579.patch #607100 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5856.patch #608036 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5857.patch #608038 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5898.patch #608520 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5973.patch #609334 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-5987.patch #609398 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-6505.patch #612220 - "${FILESDIR}"/${PN}-2.8.0-CVE-2017-7377.patch #614744 - "${FILESDIR}"/${PN}-2.8.1-CVE-2017-7471.patch #616484 - "${FILESDIR}"/${PN}-2.8.1-CVE-2017-8086.patch #616460 -) - -STRIP_MASK="/usr/share/qemu/palcode-clipper" - -QA_PREBUILT=" - usr/share/qemu/openbios-ppc - usr/share/qemu/openbios-sparc64 - usr/share/qemu/openbios-sparc32 - usr/share/qemu/palcode-clipper - usr/share/qemu/s390-ccw.img - usr/share/qemu/u-boot.e500" - -QA_WX_LOAD="usr/bin/qemu-i386 - usr/bin/qemu-x86_64 - usr/bin/qemu-alpha - usr/bin/qemu-arm - usr/bin/qemu-cris - usr/bin/qemu-m68k - usr/bin/qemu-microblaze - usr/bin/qemu-microblazeel - usr/bin/qemu-mips - usr/bin/qemu-mipsel - usr/bin/qemu-or32 - usr/bin/qemu-ppc - usr/bin/qemu-ppc64 - usr/bin/qemu-ppc64abi32 - usr/bin/qemu-sh4 - usr/bin/qemu-sh4eb - usr/bin/qemu-sparc - usr/bin/qemu-sparc64 - usr/bin/qemu-armeb - usr/bin/qemu-sparc32plus - usr/bin/qemu-s390x - usr/bin/qemu-unicore32" - -DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure you have the -kernel module loaded before running kvm. The easiest way to ensure that the -kernel module is loaded is to load it on boot. - For AMD CPUs the module is called 'kvm-amd'. - For Intel CPUs the module is called 'kvm-intel'. -Please review /etc/conf.d/modules for how to load these. - -Make sure your user is in the 'kvm' group. Just run - $ gpasswd -a <USER> kvm -then have <USER> re-login. - -For brand new installs, the default permissions on /dev/kvm might not let -you access it. You can tell udev to reset ownership/perms: - $ udevadm trigger -c add /dev/kvm - -If you want to register binfmt handlers for qemu user targets: -For openrc: - # rc-update add qemu-binfmt -For systemd: - # ln -s /usr/share/qemu/binfmt.d/qemu.conf /etc/binfmt.d/qemu.conf" - -pkg_pretend() { - if use kernel_linux && kernel_is lt 2 6 25; then - eerror "This version of KVM requres a host kernel of 2.6.25 or higher." - elif use kernel_linux; then - if ! linux_config_exists; then - eerror "Unable to check your kernel for KVM support" - else - CONFIG_CHECK="~KVM ~TUN ~BRIDGE" - ERROR_KVM="You must enable KVM in your kernel to continue" - ERROR_KVM_AMD="If you have an AMD CPU, you must enable KVM_AMD in" - ERROR_KVM_AMD+=" your kernel configuration." - ERROR_KVM_INTEL="If you have an Intel CPU, you must enable" - ERROR_KVM_INTEL+=" KVM_INTEL in your kernel configuration." - ERROR_TUN="You will need the Universal TUN/TAP driver compiled" - ERROR_TUN+=" into your kernel or loaded as a module to use the" - ERROR_TUN+=" virtual network device if using -net tap." - ERROR_BRIDGE="You will also need support for 802.1d" - ERROR_BRIDGE+=" Ethernet Bridging for some network configurations." - use vhost-net && CONFIG_CHECK+=" ~VHOST_NET" - ERROR_VHOST_NET="You must enable VHOST_NET to have vhost-net" - ERROR_VHOST_NET+=" support" - - if use amd64 || use x86 || use amd64-linux || use x86-linux; then - CONFIG_CHECK+=" ~KVM_AMD ~KVM_INTEL" - fi - - use python && CONFIG_CHECK+=" ~DEBUG_FS" - ERROR_DEBUG_FS="debugFS support required for kvm_stat" - - # Now do the actual checks setup above - check_extra_config - fi - fi - - if grep -qs '/usr/bin/qemu-kvm' "${EROOT}"/etc/libvirt/qemu/*.xml; then - eerror "The kvm/qemu-kvm wrappers no longer exist, but your libvirt" - eerror "instances are still pointing to it. Please update your" - eerror "configs in /etc/libvirt/qemu/ to use the -enable-kvm flag" - eerror "and the right system binary (e.g. qemu-system-x86_64)." - die "update your virt configs to not use qemu-kvm" - fi -} - -pkg_setup() { - enewgroup kvm 78 -} - -# Sanity check to make sure target lists are kept up-to-date. -check_targets() { - local var=$1 mak=$2 - local detected sorted - - pushd "${S}"/default-configs >/dev/null || die - - # Force C locale until glibc is updated. #564936 - detected=$(echo $(printf '%s\n' *-${mak}.mak | sed "s:-${mak}.mak::" | LC_COLLATE=C sort -u)) - sorted=$(echo $(printf '%s\n' ${!var} | LC_COLLATE=C sort -u)) - if [[ ${sorted} != "${detected}" ]] ; then - eerror "The ebuild needs to be kept in sync." - eerror "${var}: ${sorted}" - eerror "$(printf '%-*s' ${#var} configure): ${detected}" - die "sync ${var} to the list of targets" - fi - - popd >/dev/null -} - -handle_locales() { - # Make sure locale list is kept up-to-date. - local detected sorted - detected=$(echo $(cd po && printf '%s\n' *.po | grep -v messages.po | sed 's:.po$::' | sort -u)) - sorted=$(echo $(printf '%s\n' ${PLOCALES} | sort -u)) - if [[ ${sorted} != "${detected}" ]] ; then - eerror "The ebuild needs to be kept in sync." - eerror "PLOCALES: ${sorted}" - eerror " po/*.po: ${detected}" - die "sync PLOCALES" - fi - - # Deal with selective install of locales. - if use nls ; then - # Delete locales the user does not want. #577814 - rm_loc() { rm po/$1.po || die; } - l10n_for_each_disabled_locale_do rm_loc - else - # Cheap hack to disable gettext .mo generation. - rm -f po/*.po - fi -} - -src_prepare() { - check_targets IUSE_SOFTMMU_TARGETS softmmu - check_targets IUSE_USER_TARGETS linux-user - - # Alter target makefiles to accept CFLAGS set via flag-o - sed -i -r \ - -e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \ - Makefile Makefile.target || die - - default - - # Fix ld and objcopy being called directly - tc-export AR LD OBJCOPY - - # Verbose builds - MAKEOPTS+=" V=1" - - # Run after we've applied all patches. - handle_locales -} - -## -# configures qemu based on the build directory and the build type -# we are using. -# -qemu_src_configure() { - debug-print-function ${FUNCNAME} "$@" - - local buildtype=$1 - local builddir="${S}/${buildtype}-build" - - mkdir "${builddir}" - - local conf_opts=( - --prefix=/usr - --sysconfdir=/etc - --libdir=/usr/$(get_libdir) - --docdir=/usr/share/doc/${PF}/html - --disable-bsd-user - --disable-guest-agent - --disable-strip - --disable-werror - # We support gnutls/nettle for crypto operations. It is possible - # to use gcrypt when gnutls/nettle are disabled (but not when they - # are enabled), but it's not really worth the hassle. Disable it - # all the time to avoid automatically detecting it. #568856 - --disable-gcrypt - --python="${PYTHON}" - --cc="$(tc-getCC)" - --cxx="$(tc-getCXX)" - --host-cc="$(tc-getBUILD_CC)" - $(use_enable debug debug-info) - $(use_enable debug debug-tcg) - --enable-docs - $(use_enable tci tcg-interpreter) - $(use_enable xattr attr) - ) - - # Disable options not used by user targets. This simplifies building - # static user targets (USE=static-user) considerably. - conf_notuser() { - if [[ ${buildtype} == "user" ]] ; then - echo "--disable-${2:-$1}" - else - use_enable "$@" - fi - } - conf_opts+=( - $(conf_notuser accessibility brlapi) - $(conf_notuser aio linux-aio) - $(conf_notuser bzip2) - $(conf_notuser bluetooth bluez) - $(conf_notuser caps cap-ng) - $(conf_notuser curl) - $(conf_notuser fdt) - $(conf_notuser glusterfs) - $(conf_notuser gnutls) - $(conf_notuser gnutls nettle) - $(conf_notuser gtk) - $(conf_notuser infiniband rdma) - $(conf_notuser iscsi libiscsi) - $(conf_notuser jpeg vnc-jpeg) - $(conf_notuser kernel_linux kvm) - $(conf_notuser lzo) - $(conf_notuser ncurses curses) - $(conf_notuser nfs libnfs) - $(conf_notuser numa) - $(conf_notuser opengl) - $(conf_notuser png vnc-png) - $(conf_notuser rbd) - $(conf_notuser sasl vnc-sasl) - $(conf_notuser sdl) - $(conf_notuser seccomp) - $(conf_notuser smartcard) - $(conf_notuser snappy) - $(conf_notuser spice) - $(conf_notuser ssh libssh2) - $(conf_notuser usb libusb) - $(conf_notuser usbredir usb-redir) - $(conf_notuser vde) - $(conf_notuser vhost-net) - $(conf_notuser virgl virglrenderer) - $(conf_notuser virtfs) - $(conf_notuser vnc) - $(conf_notuser vte) - $(conf_notuser xen) - $(conf_notuser xen xen-pci-passthrough) - $(conf_notuser xfs xfsctl) - ) - - if [[ ! ${buildtype} == "user" ]] ; then - # audio options - local audio_opts="oss" - use alsa && audio_opts="alsa,${audio_opts}" - use sdl && audio_opts="sdl,${audio_opts}" - use pulseaudio && audio_opts="pa,${audio_opts}" - conf_opts+=( - --audio-drv-list="${audio_opts}" - ) - use gtk && conf_opts+=( --with-gtkabi=$(usex gtk2 2.0 3.0) ) - use sdl && conf_opts+=( --with-sdlabi=$(usex sdl2 2.0 1.2) ) - fi - - case ${buildtype} in - user) - conf_opts+=( - --enable-linux-user - --disable-system - --disable-blobs - --disable-tools - ) - local static_flag="static-user" - ;; - softmmu) - conf_opts+=( - --disable-linux-user - --enable-system - --disable-tools - --with-system-pixman - ) - local static_flag="static" - ;; - tools) - conf_opts+=( - --disable-linux-user - --disable-system - --disable-blobs - --enable-tools - ) - local static_flag="static" - ;; - esac - - local targets="${buildtype}_targets" - [[ -n ${targets} ]] && conf_opts+=( --target-list="${!targets}" ) - - # Add support for SystemTAP - use systemtap && conf_opts+=( --enable-trace-backend=dtrace ) - - # We always want to attempt to build with PIE support as it results - # in a more secure binary. But it doesn't work with static or if - # the current GCC doesn't have PIE support. - if use ${static_flag}; then - conf_opts+=( --static --disable-pie ) - else - gcc-specs-pie && conf_opts+=( --enable-pie ) - fi - - echo "../configure ${conf_opts[*]}" - cd "${builddir}" - ../configure "${conf_opts[@]}" || die "configure failed" - - # FreeBSD's kernel does not support QEMU assigning/grabbing - # host USB devices yet - use kernel_FreeBSD && \ - sed -i -E -e "s|^(HOST_USB=)bsd|\1stub|" "${S}"/config-host.mak -} - -src_configure() { - local target - - python_setup - - softmmu_targets= softmmu_bins=() - user_targets= user_bins=() - - for target in ${IUSE_SOFTMMU_TARGETS} ; do - if use "qemu_softmmu_targets_${target}"; then - softmmu_targets+=",${target}-softmmu" - softmmu_bins+=( "qemu-system-${target}" ) - fi - done - - for target in ${IUSE_USER_TARGETS} ; do - if use "qemu_user_targets_${target}"; then - user_targets+=",${target}-linux-user" - user_bins+=( "qemu-${target}" ) - fi - done - - softmmu_targets=${softmmu_targets#,} - user_targets=${user_targets#,} - - [[ -n ${softmmu_targets} ]] && qemu_src_configure "softmmu" - [[ -n ${user_targets} ]] && qemu_src_configure "user" - qemu_src_configure "tools" -} - -src_compile() { - if [[ -n ${user_targets} ]]; then - cd "${S}/user-build" - default - fi - - if [[ -n ${softmmu_targets} ]]; then - cd "${S}/softmmu-build" - default - fi - - cd "${S}/tools-build" - default -} - -src_test() { - if [[ -n ${softmmu_targets} ]]; then - cd "${S}/softmmu-build" - pax-mark m */qemu-system-* #515550 - emake -j1 check - emake -j1 check-report.html - fi -} - -qemu_python_install() { - python_domodule "${S}/scripts/qmp/qmp.py" - - python_doscript "${S}/scripts/kvm/vmxcap" - python_doscript "${S}/scripts/qmp/qmp-shell" - python_doscript "${S}/scripts/qmp/qemu-ga-client" -} - -# Generate binfmt support files. -# - /etc/init.d/qemu-binfmt script which registers the user handlers (openrc) -# - /usr/share/qemu/binfmt.d/qemu.conf (for use with systemd-binfmt) -generate_initd() { - local out="${T}/qemu-binfmt" - local out_systemd="${T}/qemu.conf" - local d="${T}/binfmt.d" - - einfo "Generating qemu binfmt scripts and configuration files" - - # Generate the debian fragments first. - mkdir -p "${d}" - "${S}"/scripts/qemu-binfmt-conf.sh \ - --debian \ - --exportdir "${d}" \ - --qemu-path "${EPREFIX}/usr/bin" \ - || die - # Then turn the fragments into a shell script we can source. - sed -E -i \ - -e 's:^([^ ]+) (.*)$:\1="\2":' \ - "${d}"/* || die - - # Generate the init.d script by assembling the fragments from above. - local f qcpu package interpreter magic mask - cat "${FILESDIR}"/qemu-binfmt.initd.head >"${out}" || die - for f in "${d}"/qemu-* ; do - source "${f}" - - # Normalize the cpu logic like we do in the init.d for the native cpu. - qcpu=${package#qemu-} - case ${qcpu} in - arm*) qcpu="arm";; - mips*) qcpu="mips";; - ppc*) qcpu="ppc";; - s390*) qcpu="s390";; - sh*) qcpu="sh";; - sparc*) qcpu="sparc";; - esac - - cat <<EOF >>"${out}" - if [ "\${cpu}" != "${qcpu}" -a -x "${interpreter}" ] ; then - echo ':${package}:M::${magic}:${mask}:${interpreter}:'"\${QEMU_BINFMT_FLAGS}" >/proc/sys/fs/binfmt_misc/register - fi -EOF - - echo ":${package}:M::${magic}:${mask}:${interpreter}:OC" >>"${out_systemd}" - - done - cat "${FILESDIR}"/qemu-binfmt.initd.tail >>"${out}" || die -} - -src_install() { - if [[ -n ${user_targets} ]]; then - cd "${S}/user-build" - emake DESTDIR="${ED}" install - - # Install binfmt handler init script for user targets. - generate_initd - doinitd "${T}/qemu-binfmt" - - # Install binfmt/qemu.conf. - insinto "/usr/share/qemu/binfmt.d" - doins "${T}/qemu.conf" - fi - - if [[ -n ${softmmu_targets} ]]; then - cd "${S}/softmmu-build" - emake DESTDIR="${ED}" install - - # This might not exist if the test failed. #512010 - [[ -e check-report.html ]] && dohtml check-report.html - - if use kernel_linux; then - udev_newrules "${FILESDIR}"/65-kvm.rules-r1 65-kvm.rules - fi - - if use python; then - python_foreach_impl qemu_python_install - fi - fi - - cd "${S}/tools-build" - emake DESTDIR="${ED}" install - - # Disable mprotect on the qemu binaries as they use JITs to be fast #459348 - pushd "${ED}"/usr/bin >/dev/null - pax-mark mr "${softmmu_bins[@]}" "${user_bins[@]}" # bug 575594 - popd >/dev/null - - # Install config file example for qemu-bridge-helper - insinto "/etc/qemu" - doins "${FILESDIR}/bridge.conf" - - # Remove the docdir placed qmp-commands.txt - mv "${ED}/usr/share/doc/${PF}/html/qmp-commands.txt" "${S}/docs/" || die - - cd "${S}" - dodoc Changelog MAINTAINERS docs/specs/pci-ids.txt - newdoc pc-bios/README README.pc-bios - dodoc docs/qmp-*.txt - - if [[ -n ${softmmu_targets} ]]; then - # Remove SeaBIOS since we're using the SeaBIOS packaged one - rm "${ED}/usr/share/qemu/bios.bin" - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../seabios/bios.bin /usr/share/qemu/bios.bin - fi - - # Remove vgabios since we're using the vgabios packaged one - rm "${ED}/usr/share/qemu/vgabios.bin" - rm "${ED}/usr/share/qemu/vgabios-cirrus.bin" - rm "${ED}/usr/share/qemu/vgabios-qxl.bin" - rm "${ED}/usr/share/qemu/vgabios-stdvga.bin" - rm "${ED}/usr/share/qemu/vgabios-vmware.bin" - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../vgabios/vgabios.bin /usr/share/qemu/vgabios.bin - dosym ../vgabios/vgabios-cirrus.bin /usr/share/qemu/vgabios-cirrus.bin - dosym ../vgabios/vgabios-qxl.bin /usr/share/qemu/vgabios-qxl.bin - dosym ../vgabios/vgabios-stdvga.bin /usr/share/qemu/vgabios-stdvga.bin - dosym ../vgabios/vgabios-vmware.bin /usr/share/qemu/vgabios-vmware.bin - fi - - # Remove sgabios since we're using the sgabios packaged one - rm "${ED}/usr/share/qemu/sgabios.bin" - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../sgabios/sgabios.bin /usr/share/qemu/sgabios.bin - fi - - # Remove iPXE since we're using the iPXE packaged one - rm "${ED}"/usr/share/qemu/pxe-*.rom - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../ipxe/8086100e.rom /usr/share/qemu/pxe-e1000.rom - dosym ../ipxe/80861209.rom /usr/share/qemu/pxe-eepro100.rom - dosym ../ipxe/10500940.rom /usr/share/qemu/pxe-ne2k_pci.rom - dosym ../ipxe/10222000.rom /usr/share/qemu/pxe-pcnet.rom - dosym ../ipxe/10ec8139.rom /usr/share/qemu/pxe-rtl8139.rom - dosym ../ipxe/1af41000.rom /usr/share/qemu/pxe-virtio.rom - fi - fi - - DISABLE_AUTOFORMATTING=true - readme.gentoo_create_doc -} - -pkg_postinst() { - DISABLE_AUTOFORMATTING=true - readme.gentoo_print_elog - - if [[ -n ${softmmu_targets} ]] && use kernel_linux; then - udev_reload - fi - - fcaps cap_net_admin /usr/libexec/qemu-bridge-helper -} - -pkg_info() { - echo "Using:" - echo " $(best_version app-emulation/spice-protocol)" - echo " $(best_version sys-firmware/ipxe)" - echo " $(best_version sys-firmware/seabios)" - if has_version 'sys-firmware/seabios[binary]'; then - echo " USE=binary" - else - echo " USE=''" - fi - echo " $(best_version sys-firmware/vgabios)" -} diff --git a/app-emulation/qemu/qemu-2.9.0-r2.ebuild b/app-emulation/qemu/qemu-2.9.0-r2.ebuild index 3efa65c5..397b86c6 100644 --- a/app-emulation/qemu/qemu-2.9.0-r2.ebuild +++ b/app-emulation/qemu/qemu-2.9.0-r2.ebuild @@ -17,7 +17,7 @@ if [[ ${PV} = *9999* ]]; then SRC_URI="" else SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2" - KEYWORDS="amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd" + KEYWORDS="amd64 ~arm64 ~ppc ~ppc64 x86 ~x86-fbsd" fi DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" @@ -513,7 +513,7 @@ qemu_src_configure() { if use ${static_flag}; then conf_opts+=( --static --disable-pie ) else - gcc-specs-pie && conf_opts+=( --enable-pie ) + tc-enables-pie && conf_opts+=( --enable-pie ) fi echo "../configure ${conf_opts[*]}" diff --git a/app-emulation/qemu/qemu-2.9.0-r54.ebuild b/app-emulation/qemu/qemu-2.9.0-r56.ebuild index c36797be..ad2e5f70 100644 --- a/app-emulation/qemu/qemu-2.9.0-r54.ebuild +++ b/app-emulation/qemu/qemu-2.9.0-r56.ebuild @@ -137,7 +137,7 @@ SOFTMMU_TOOLS_DEPEND=" ) seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) - snappy? ( app-arch/snappy[static-libs(+)] ) + snappy? ( app-arch/snappy:=[static-libs(+)] ) spice? ( >=app-emulation/spice-protocol-0.12.3 >=app-emulation/spice-0.12.0[static-libs(+)] @@ -200,11 +200,20 @@ PATCHES=( # gentoo patches "${FILESDIR}"/${PN}-2.5.0-cflags.patch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch - "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8309.patch # bug 616870 - "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8379.patch # bug 616872 - "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8380.patch # bug 616874 - "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636 - "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8309.patch # bug 616870 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8379.patch # bug 616872 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8380.patch # bug 616874 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-8112.patch # bug 616636 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7493.patch # bug 618808 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-11434.patch # bug 625614 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-11334.patch # bug 621292 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-9524-1.patch # bug 621292 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-9524-2.patch + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-9503-1.patch # bug 621184 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-9503-2.patch + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-10664.patch # bug 623016 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-10806.patch # bug 624088 + "${FILESDIR}"/${PN}-2.9.0-CVE-2017-7539.patch # bug 625850 ) STRIP_MASK="/usr/share/qemu/palcode-clipper" @@ -516,7 +525,7 @@ qemu_src_configure() { if use ${static_flag}; then conf_opts+=( --static --disable-pie ) else - gcc-specs-pie && conf_opts+=( --enable-pie ) + tc-enables-pie && conf_opts+=( --enable-pie ) fi echo "../configure ${conf_opts[*]}" |