From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BAAB8138330 for ; Sat, 1 Oct 2016 19:38:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B5F85E083C; Sat, 1 Oct 2016 19:38:36 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 82866E083C for ; Sat, 1 Oct 2016 19:38:36 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id AAEF63409E6 for ; Sat, 1 Oct 2016 19:38:34 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 2EDD82481 for ; Sat, 1 Oct 2016 19:38:33 +0000 (UTC) From: "Felix Janda" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Felix Janda" Message-ID: <1475350526.8308b5d857fa865e06de75451acbe5c2bc359cf2.doughdemon@gentoo> Subject: [gentoo-commits] proj/musl:master commit in: app-emulation/qemu/files/, app-emulation/qemu/ X-VCS-Repository: proj/musl X-VCS-Files: app-emulation/qemu/Manifest app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch app-emulation/qemu/file s/qemu-2.7.0-CVE-2016-7421.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch app-emulation/qemu/qemu-2.5.1-r99.ebuild app-emulation/qemu/qemu-2.7.0-r99.ebuild X-VCS-Directories: app-emulation/qemu/ app-emulation/qemu/files/ X-VCS-Committer: doughdemon X-VCS-Committer-Name: Felix Janda X-VCS-Revision: 8308b5d857fa865e06de75451acbe5c2bc359cf2 X-VCS-Branch: master Date: Sat, 1 Oct 2016 19:38:33 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 7fd9506d-aae9-488e-a11b-2b56f7cf5d11 X-Archives-Hash: b9f24a3e04603522bf318ca6f965ea06 commit: 8308b5d857fa865e06de75451acbe5c2bc359cf2 Author: Felix Janda posteo de> AuthorDate: Fri Sep 30 00:07:37 2016 +0000 Commit: Felix Janda posteo de> CommitDate: Sat Oct 1 19:35:26 2016 +0000 URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=8308b5d8 app-emulation/qemu: bump to 2.7.0 app-emulation/qemu/Manifest | 25 +-- .../qemu/files/qemu-2.2.0-_sigev_un.patch | 5 +- .../qemu/files/qemu-2.5.0-CVE-2016-2198.patch | 46 ------ .../files/qemu-2.5.0-rng-stack-corrupt-0.patch | 98 ----------- .../files/qemu-2.5.0-rng-stack-corrupt-1.patch | 135 ---------------- .../files/qemu-2.5.0-rng-stack-corrupt-2.patch | 155 ------------------ .../files/qemu-2.5.0-rng-stack-corrupt-3.patch | 179 --------------------- .../qemu/files/qemu-2.5.1-CVE-2015-8558.patch | 107 ------------ .../qemu/files/qemu-2.5.1-CVE-2016-4020.patch | 16 -- .../files/qemu-2.5.1-stellaris_enet-overflow.patch | 47 ------ .../qemu/files/qemu-2.5.1-xfs-linux-headers.patch | 82 ---------- .../qemu/files/qemu-2.7.0-CVE-2016-6836.patch | 27 ++++ .../qemu/files/qemu-2.7.0-CVE-2016-7155.patch | 81 ++++++++++ .../qemu/files/qemu-2.7.0-CVE-2016-7156.patch | 62 +++++++ .../qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch | 28 ++++ .../qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch | 27 ++++ .../qemu/files/qemu-2.7.0-CVE-2016-7170.patch | 40 +++++ .../qemu/files/qemu-2.7.0-CVE-2016-7421.patch | 34 ++++ .../qemu/files/qemu-2.7.0-CVE-2016-7422.patch | 38 +++++ .../qemu/files/qemu-2.7.0-CVE-2016-7423.patch | 31 ++++ .../qemu/files/qemu-2.7.0-CVE-2016-7466.patch | 26 +++ ...qemu-2.5.1-r99.ebuild => qemu-2.7.0-r99.ebuild} | 46 +++--- 22 files changed, 433 insertions(+), 902 deletions(-) diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest index 5d10f94..1eb09a6 100644 --- a/app-emulation/qemu/Manifest +++ b/app-emulation/qemu/Manifest @@ -2,20 +2,21 @@ AUX 65-kvm.rules 40 SHA256 c16a8dc7855880b2651f1a3ff488ecc54d4ac1036c71fffd50070 AUX bridge.conf 454 SHA256 a51850dd39923f3482e4c575b48ad9fef9c9ebb2f2176225da399b79ce48c69d SHA512 a907ee86b81a1b61033bb7621ded65112504131ef7b698c53e4014b958ee6fc79e66f63069015a01e41362cb70a7d0ed26dd9a03033cf776f4846f0e1f8f1533 WHIRLPOOL 8fcbd4abf9b8f7ca3d16fe0eaf17196ebf708dfecf85ce0f020e0de22b64905114f7b310f361826c81bb961c6b1bbbf984bff1e595bb949993b8966ccb222c35 AUX qemu-2.0.0-F_SHLCK-and-F_EXLCK.patch 563 SHA256 99de67d610ad13a1dcf6c67a3c2b5b87fb909220173a956435737f9bea3c371b SHA512 a29e9a889388a6627ed492a79e66514ffb5e64f9479646982091811548fc2a9bf6682104a6c774d83e645e4b1db39e491afd4efce789fe164623442a7f3e5d00 WHIRLPOOL d3aab06099de263c22f4c71810a3b2cb8602d17731ec76674cd1415e539306555a7b96b789f0daad473600dfa04a83224ff603f7b9a9ac63a4902f74d0e9deb5 AUX qemu-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 930 SHA256 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac SHA512 ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea WHIRLPOOL 06b9dd5251ac03405c97b1f5a623b4d86bda2f72fbcd52b90ae4d11a0cfb59cae62df2cb6189405fbe53ab05ff2b7ca8165fda239dbfe5f31ed70abb53b3b9f3 -AUX qemu-2.2.0-_sigev_un.patch 636 SHA256 f3b9a4d6162c553f3110ad22716305818e2130e2ff5d628faf044fc58a5e3cb5 SHA512 f72b879daede5184904f64cabb276de96299a37a93fce444d09e9068671009e95a5e5d6b815ec41a5db5b3807de14d470a56bba5806ffd4dfec577577b046ccb WHIRLPOOL 9453ad4966e10d504f3e867fd984642a3c1ee3ae847b5ca56196fd1f9e6c0f2d7b52ca07446212af72fef6d0ded1527a5eb306fa6cd915e8dd9ce11523362bac -AUX qemu-2.5.0-CVE-2016-2198.patch 1540 SHA256 0d6d81a27ffac1af7c478a050aa690eb007cf9735a1a0c4b398eabeb990d5ab4 SHA512 b0b3131bb2b9b2d3f2a3f3286eeb92b527f0d3366e657cf8bcbabc6426b57893936c5a8ef66697ad1014b4525c09fa4d067195600f96ab2b005fd52b6e77d9a4 WHIRLPOOL f5c56b87f934c573fc71169fcded579b9917285fbfff59fd9288011775f482ead2ac09e1399f325e826305fab2f7bc2cd21d333711c526c1658a069a5ee93491 +AUX qemu-2.2.0-_sigev_un.patch 465 SHA256 4d5a1359a1bc25f1f8dcb7f021efc235b9c8f2535258ca65706c5fde15946ebe SHA512 af90b8dcd8b14716df6270436ae1d77c998a04547bf17f961b2d9a594d1abfb573ca25283a633de6bcd3a81a778b88a4c7950dbd39c23ee35191626da14eb802 WHIRLPOOL cf40379cd0c9f3a8f89823a6d9415666a99885711bdde44067d4a3a082a9b33efbe69279c0782b2e84b7586389e82845dd30668240f236266f61ba447abb8241 AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154 -AUX qemu-2.5.0-rng-stack-corrupt-0.patch 3125 SHA256 164b155db78a9291b9f8dea71a16b5779e1a9d382a8cb0f5ff380d1f2d811cef SHA512 7da544873dbefbbc7a2ed69bd7cca0053bfe71ef7f5c2faf12cb5dc6e07b8d9104e5bcf329b3355e886edc5805509623234c9fe8fb536544d6285b04ccc59919 WHIRLPOOL f076264ce4bae5be2f34e006e3e4dcc20042313cb6da4977b61529c3100e835952807738d53a86967f98abad68eba1c8dcbb6a04af162b048399e059b5eb9d6b -AUX qemu-2.5.0-rng-stack-corrupt-1.patch 4110 SHA256 16966eb20072a5d16fec46e5959e32708342af9a7266fe4a90a0abaf68af3529 SHA512 530d6a5f9b6795013bbe197cf0a0d7eddfb06d18c0f8410bcf5bcc2d32c4b72c325b8b0ade2c517bd305fcbdab03124cc527d24d73ce767daf51de65d00920c8 WHIRLPOOL c0b653c67993c6c6ed282f0c86099c8c80a241f10e23ef3fd8e33c6d86fbb5553049550e83954cfc6d3576735c4ce28099f813917966c0a05c84bb46a6bee413 -AUX qemu-2.5.0-rng-stack-corrupt-2.patch 4601 SHA256 c2b4e1ee8ee4bb2f4d42012a847c1da83a9e2349238d37bba1a3b9c440957f7f SHA512 ba299d07c7382f39f177f8094594daf131727d3d28633b426064f7cc6bf75d19b1ae78db248fc70ddbdb43fd2a6b0c5ed7793e6f42aba2763cdb4c12d6816c54 WHIRLPOOL 62b6ab75c32574a4c53193d82c7f51efdaa4789154c2d2f9acee7ede240d2920d92e31dfead7edc17aa12f938919143ce049d2c9ef9733baccc27d382506437f -AUX qemu-2.5.0-rng-stack-corrupt-3.patch 5519 SHA256 5a3c2ed59bc30f395aee5cd0b77cdb06d868386e5bbe1b392169f8d96ae9474a SHA512 f62713130d3b989b274476a4cc2eafb95dc41de4723fe475e454132817a159eb729bbbe5a29aee755715100095670107c5762271184252e9d0cd43c4b25bc5d1 WHIRLPOOL f8e4aa90b90b03dd6e4dd68734cb16ee5f59a9585697ef3c48e7e861968798cb3c66018ad5a788f99b99e9fddab2ae83d977ec4b1a8599596a5ce03286726e3e AUX qemu-2.5.0-sysmacros.patch 333 SHA256 a5716fc02da383d455f5cbd76f49e4ee74d84c2d5703319adcbeb145d04875f9 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 WHIRLPOOL 2a774767d4685545d3ed18e4f5dece99a9007597d73c56197652ff24083550f987ffb69e5c624760dece87def71a7c5c22a694bf999d7309e48ef622f18f0d73 -AUX qemu-2.5.1-CVE-2015-8558.patch 3237 SHA256 3320c5624a33076b36f39566a4c3bbe5f95adae44207512d791175bcfc3959ff SHA512 c6ea0ca7d0ea221e9704001d26dae143861463ec45c7a543f041520874dd6e3a2d4bdb6d1eca25097f265aa2a1600858c9908b59cdd640007ab057cf7b86083f WHIRLPOOL 0c3c683a79f68ab3073a3b5e6afe2b6184d66254bd8278e131d5aa199ff51d52e5b186521ff8799345b1f1977afc112550e1a7d4b684b2a3267e9caddd0f1576 -AUX qemu-2.5.1-CVE-2016-4020.patch 567 SHA256 6c8e933593cfbedc98de81bf01e394d1ca1d016109fcc81e91f6472d2092b1a0 SHA512 90ac43329cbbcc0451470e010a1a1bd32ef8891c1f2d7d7e54e870e740c77ea8dfdec30989d586aaea250de6ca294504bf7e88818bf35e3269cf528ea3e50ce5 WHIRLPOOL 7ea7c7af1f2a3f11bc5bfe7b708021bbcb03c00d354a733c0fad14193110559cd1561939bd5bb6597a84bc01e74a914ef9dc51f28c522473b424919edc17cdb3 -AUX qemu-2.5.1-stellaris_enet-overflow.patch 1569 SHA256 5d20aef8139068eeb63c167856c8f0004e8761227d9bb1fd67240c4b922f704a SHA512 92c015af82eb92bf5f6f4d6fd86b402636a61f0ac9572cc2f002d4c795ce133f7858a38336fd5f4a25c7157dea969d288bb73f00d9a8b3b8f517ba2aea6e4ba8 WHIRLPOOL 94c49f8f78864ac3da247b569d2afc2ee0d801482a00117a7898fb396440118ef3bc54e1b61023496184f37404c893a1ef7725ce6ca9a27ca596cdf38e747603 -AUX qemu-2.5.1-xfs-linux-headers.patch 2634 SHA256 ca1eb8d4593d794541f375cb1425861e145aa036d440b9d29c4cb7b5102d018b SHA512 88b8a6178893e3354d90ad1a7cfc370fc05ffd2e3ea7c9cc8aeda9e129ea93d45838b5816afb46c0594886fbb129e3665a738f4c195183b843caedc0302530c0 WHIRLPOOL 193f1b89710ecbbb5b645a59ac6f3b7bad8191cc3228bad0427cb80c54e1b55d11d25abe1f59173b9669452f57a52f830d074bb106bdc3c05b6659826a4d561d +AUX qemu-2.7.0-CVE-2016-6836.patch 889 SHA256 a94812131e8baa66b81971579ab84b20bf15d544e2698448a5247ac0ddca0b3d SHA512 cf7f327f26aee5b6688eb662ced8aa07775ad9558b4a02db244303f6b7d37be9cd19b18d5725819b4708184105b98830864e0ad3af81373e59e880809036345b WHIRLPOOL df00627ad447162fdcac4b2c965a8cb5c916a7fb66d8c3a4f8f48bb2d869d7805cb3308cd495ff74ebf4840e7bc2d85abf8e666d78b3da9abb4e2bae22697a82 +AUX qemu-2.7.0-CVE-2016-7155.patch 2745 SHA256 addf638a53bfae8556e463e0b78a151eef0fdf171eb395a98dbdf0332ff74131 SHA512 96e9df733c5227899da7d2ecc346139df9830dd16fc16f1f14666f8be60205a43f434fd79e158c2000926656ffa137809f1cb3c57a04cb375011f816e92e2f4b WHIRLPOOL c04c0dda417a70e4acb289c6b296da93f3eb8e51f7cfad62351b7235512e04714fdc169a87f4cbf1ef82bfc6decc8ebb5b3958f23d001795c9ebcd08369185a3 +AUX qemu-2.7.0-CVE-2016-7156.patch 2314 SHA256 7fa0d7f1025a3435b692a6e7ed8fa3be38a918395a8253e8c27f416ff37e041d SHA512 db3009fdf6d85ffd24fd4a2a40b372b0e665274bba1ce01632aef0d583f2830b58f889166a34acd36409944ab3f7e264801bf89a78f55a586b5f43429a1c86dc WHIRLPOOL ce8101b7607612ed7b9c6fbe373f9b5dec07e0ea8af0b4be8e52b4add5dd0ba12c9e5eb7380d68e3d3867988e0cfc1bdd1e8357ce2b71ef19f51e316fac62161 +AUX qemu-2.7.0-CVE-2016-7157-1.patch 888 SHA256 7a1f6199b16c220df51002e1222763d1a7c7b3a08349f664e576a9facc553516 SHA512 5c104464dfa48804d94ccca9a9d881f9e22eba2c3d9a2cbf3a645c3a696e89ea3f4603ea28deba9a1cd800df9bc5ad4894606869eca3e1e9cf95414723846938 WHIRLPOOL af42ec7ca93c92c4df060b4efd61bcc3f7cb5582d00bfe174d81f2393ad3a7f06e27cc2b2186f664860c3ee98f76dd68cd7e6de7ff7e63b778f345c32a62b495 +AUX qemu-2.7.0-CVE-2016-7157-2.patch 812 SHA256 1db3b565b4762abbc1096286c9887400591af76bf422a105e457c6bdcb887b59 SHA512 8d2177adc638d384302ec89de65a0acd4f4069580c40d6c50cb78501f25f4d171f3b92a36464711337e07dbf208f9ad93eb2f86a7361dde52026c1764341e10d WHIRLPOOL e815e165bb23cd42aaba2310e3fa48bba33b0344069e6f54c4b26dddad746516053221969fad855d6c827d42371494c609123b002e1e2a96c366d11131b3243a +AUX qemu-2.7.0-CVE-2016-7170.patch 1527 SHA256 37d600b5a4ba143f1d6b26acbcf23357fa41a5f852774f68b6b6736a6ecec024 SHA512 c84494ec4ee9607cef7b230a25d10de444a29fecba57566df5394d40b88596ef91fbd5edfb51a58c5ecff7fa7ef39b7d32ba7976dbd011fb1b29a2e46e4e0080 WHIRLPOOL ddd3d94da447556b24257c11068bef360da6cf35e22257869b09057f42ba027636e605db96d9a66253f423f5667814a1f8c551f8eece733fd997b03d6ac81e2b +AUX qemu-2.7.0-CVE-2016-7421.patch 1183 SHA256 f3996d9d4658fb32a04ce8ae3d3510e6a51a0aa39f64b003a636f68dacef19db SHA512 51d07015e27e4dfbde2c3ffa37d91134374b49c136735845c34155238767483ede8bbc7232ea93b4e4cbcc28195cbe1986d44ac0dd96e914ec29df3a1da9dfcc WHIRLPOOL a4e27d329591b2a3b94a7abed81df1f87509f5a38beb490d7a4ca7c14df2a864f4126c26fc044bb4357467b0f9ed0ca5811d5e85812e318adcb3236c30bef7a1 +AUX qemu-2.7.0-CVE-2016-7422.patch 1125 SHA256 7a3d31031b8ea70be29715e8d384f47ad8758e81b9cfc3768e59dd6c6a00cb2a SHA512 6a08f661cd2b00214297570c8035042544b0e707b2f20f6c59c251a73971f2b7e1920c7242ca09a4684ea58dcb177d11d087ee5e0523792e3c446e70239498ef WHIRLPOOL 82b38aa12e49695c1f0c67c303039afb05cc314d14e5bc8286bafebfbabd3eb3cddd41338d45f9510ea2f5074fd9028b39c251be0e5856e0221232a8b28797a9 +AUX qemu-2.7.0-CVE-2016-7423.patch 925 SHA256 2b9b1102c3c9c54ba2c311661c3222b1df246a519e9eef57d0793951c1249ae0 SHA512 e4401163d15f9ebd9057b8ddf4187f7a0a2f379cb8aea2bd92b20f132f7714a4e386733884be4568eddbd4067b6cad80275ccc101276897c4796117a9b20144f WHIRLPOOL 9bd9f5ed067604f065d3ac7447f8135dd72e178caa6f3c5a5ca7bc531a8008ec46620c4af33bea54a35dfe52e430d48dcf5b59145c4e1efc2a14cb789e38f5bd +AUX qemu-2.7.0-CVE-2016-7466.patch 830 SHA256 5664c091038185766a54b93495029bbf6de116e8752c2334fa1c71b8387e89c3 SHA512 d158b1f66766f33b1df561956cc3c77d40e1422e44791cfc753d3def2f1851c2c9c0aeb299bcd1ae969dde8f4249f4489ed90776ebb497db4f626217710e4f48 WHIRLPOOL 13112769ecd6420e17d2a3c0e110a2bd479fc09d8a2086d27f0703a4d6c35ded07e003f28ff14579655c5468cd02c77fa514ba7ed6543f61deb60c6de604c99b AUX qemu-binfmt.initd-r1 6910 SHA256 2886c567589b958f450a87537cdb6c5bf95e8c1e4afbdf59139d16819e79d51d SHA512 09f399b6b559c6dd64d77843f600afad464909e72ae0924e97a5ef2eea55b3fb8abf6fbd57c380ec60e2f9d145ec365fd9a24c2e1b84cc6cef7070e4fb5bd72e WHIRLPOOL 983f6ae733c23c0049321184e1b6738ad5d27a70265945e6b47f3fb317ba3c84918b4929e728081549062fd0bf4a46c0a7e7184911355f3ac75963e1f8b70cd4 AUX qemu-kvm-1.4 68 SHA256 8b1adf198129f001e75a2311fc420c168094d1084d2163cdf6a32b3b23c96137 SHA512 706fab4d155c410acc292e67fb354ce7dcd17f7e33f2ca8c9c44035ea128f8d36f89e27cf87ebe22721f5676be9e7f2ae5484fd000183c8ffd7854e02eb3d120 WHIRLPOOL ef795330b592cef8e3d92f52a77eb77a671e6aa1a47d07531917b5c1c09e72e5df1a44aea939b086e0a3c5ef2a5cea9223556a46ceae73e55300475c42f07067 -DIST qemu-2.5.1.tar.bz2 25464539 SHA256 028752c33bb786abbfe496ba57315dc5a7d0a33b5a7a767f6d7a29020c525d2c SHA512 66959ad6a2a89f23c5daba245c76f71ddc03a33a1167bca639a042ebbf7329b2e698cd2c0e65c22a9874563a34256a48386aa9df6475b06d38db74187e3e3b3f WHIRLPOOL 32525271574692d56b7794dc63606659f46e6ae19a56dee31b3cec33dab9c4eb74147a65db4940229492d8680f38c2d05bc2a8fbcb4b6887b0c1cbe5fbbe44cf -EBUILD qemu-2.5.1-r99.ebuild 21104 SHA256 92637c4d36984ff78616a2ca9a1952d453f035608357b2f212cddc4b98bed5de SHA512 0dd1b5d37448371604efb213894bfde17ab08d234affc675dc2474ba395e4b854071711304c30be4a405ed98d6cb2be7f107958487080cd8dbeb15fada2da9f8 WHIRLPOOL cc8ed2d2140b669da67d8a5f15b93651638848f77b853d11b7e235ba37b75d945076266798fff1ccf8d74ba16113cbead260b10e9c8aaed03c07fb5d9d1f1ce3 +DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d +EBUILD qemu-2.7.0-r99.ebuild 21332 SHA256 a6d13be36bb59bf53727dba5fe1dd5f397652531d339cf622acd15aef6cd482f SHA512 fd1ef102a4b7d4554a2b864d321419413b967f9f585031f74c600dc350db541588fa98a150329aa1134dbc761933484a2ce2e14979c096fe076cf92f7bdfedee WHIRLPOOL 50e36b66bfd83516ce4003681bcba2327da80c679aad3ab658007a87652c22f7e584eb4fb5d635b570096243abd361075c6c8e35197c2e9bbed34a4d7353537c MISC metadata.xml 3925 SHA256 d1c219b7da0cbf77919cd1e055acbb3f6788a574fd802c98a43c89a411697b36 SHA512 3ff45d1c8ede12b4eedc7d01f39777b76a1cbd0ba9364299dec99d4b4a05cade5784d6f6e50197d5b5ae1f1b8e831c49da195eb53263c49b7d16aec8ee28b6e6 WHIRLPOOL bc25783fac0f3f13318834cc535404af9af20de16c7aeec222e59dc2ed7740ac5e767b329a5bcd6356d0cbae2428e278515f1446aa8ecb87a873bf4dbe04bf41 diff --git a/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch b/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch index 5827c2e..588291c 100644 --- a/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch +++ b/app-emulation/qemu/files/qemu-2.2.0-_sigev_un.patch @@ -1,6 +1,5 @@ -diff -ur a/qemu-2.2.0/linux-user/syscall.c b/qemu-2.2.0/linux-user/syscall.c ---- a/qemu-2.2.0/linux-user/syscall.c 2014-12-09 15:45:43.000000000 -0100 -+++ b/qemu-2.2.0/linux-user/syscall.c 2015-03-16 19:09:49.050386155 -0100 +--- a/linux-user/syscall.c ++++ b/linux-user/syscall.c @@ -5033,7 +5033,7 @@ host_sevp->sigev_signo = target_to_host_signal(tswap32(target_sevp->sigev_signo)); diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch deleted file mode 100644 index d179c33..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch +++ /dev/null @@ -1,46 +0,0 @@ -From dff0367cf66f489aa772320fa2937a8cac1ca30d Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 29 Jan 2016 18:30:34 +0530 -Subject: [PATCH] usb: ehci: add capability mmio write function - -USB Ehci emulation supports host controller capability registers. -But its mmio '.write' function was missing, which lead to a null -pointer dereference issue. Add a do nothing 'ehci_caps_write' -definition to avoid it; Do nothing because capability registers -are Read Only(RO). - -Reported-by: Zuozhi Fzz -Signed-off-by: Prasad J Pandit -Message-id: 1454072434-16045-1-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index 1b50601..0f95d0d 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -895,6 +895,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr, - return s->caps[addr]; - } - -+static void ehci_caps_write(void *ptr, hwaddr addr, -+ uint64_t val, unsigned size) -+{ -+} -+ - static uint64_t ehci_opreg_read(void *ptr, hwaddr addr, - unsigned size) - { -@@ -2315,6 +2320,7 @@ static void ehci_frame_timer(void *opaque) - - static const MemoryRegionOps ehci_mmio_caps_ops = { - .read = ehci_caps_read, -+ .write = ehci_caps_write, - .valid.min_access_size = 1, - .valid.max_access_size = 4, - .impl.min_access_size = 1, --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch deleted file mode 100644 index 684f6ad..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:15 +0100 -Subject: [PATCH] rng: remove the unused request cancellation code - -rng_backend_cancel_requests had no callers and none of the code -deleted in this commit ever ran. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-2-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 12 ------------ - backends/rng.c | 9 --------- - include/sysemu/rng.h | 11 ----------- - 3 files changed, 32 deletions(-) - -diff --git a/backends/rng-egd.c b/backends/rng-egd.c -index 2de5cd5..0b2976a 100644 ---- a/backends/rng-egd.c -+++ b/backends/rng-egd.c -@@ -125,17 +125,6 @@ static void rng_egd_free_requests(RngEgd *s) - s->requests = NULL; - } - --static void rng_egd_cancel_requests(RngBackend *b) --{ -- RngEgd *s = RNG_EGD(b); -- -- /* We simply delete the list of pending requests. If there is data in the -- * queue waiting to be read, this is okay, because there will always be -- * more data than we requested originally -- */ -- rng_egd_free_requests(s); --} -- - static void rng_egd_opened(RngBackend *b, Error **errp) - { - RngEgd *s = RNG_EGD(b); -@@ -213,7 +202,6 @@ static void rng_egd_class_init(ObjectClass *klass, void *data) - RngBackendClass *rbc = RNG_BACKEND_CLASS(klass); - - rbc->request_entropy = rng_egd_request_entropy; -- rbc->cancel_requests = rng_egd_cancel_requests; - rbc->opened = rng_egd_opened; - } - -diff --git a/backends/rng.c b/backends/rng.c -index b7820ef..2f2f3ee 100644 ---- a/backends/rng.c -+++ b/backends/rng.c -@@ -26,15 +26,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, - } - } - --void rng_backend_cancel_requests(RngBackend *s) --{ -- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); -- -- if (k->cancel_requests) { -- k->cancel_requests(s); -- } --} -- - static bool rng_backend_prop_get_opened(Object *obj, Error **errp) - { - RngBackend *s = RNG_BACKEND(obj); -diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h -index 858be8c..87b3ebe 100644 ---- a/include/sysemu/rng.h -+++ b/include/sysemu/rng.h -@@ -37,7 +37,6 @@ struct RngBackendClass - - void (*request_entropy)(RngBackend *s, size_t size, - EntropyReceiveFunc *receive_entropy, void *opaque); -- void (*cancel_requests)(RngBackend *s); - - void (*opened)(RngBackend *s, Error **errp); - }; -@@ -68,14 +67,4 @@ struct RngBackend - void rng_backend_request_entropy(RngBackend *s, size_t size, - EntropyReceiveFunc *receive_entropy, - void *opaque); -- --/** -- * rng_backend_cancel_requests: -- * @s: the backend to cancel all pending requests in -- * -- * Cancels all pending requests submitted by @rng_backend_request_entropy. This -- * should be used by a device during reset or in preparation for live migration -- * to stop tracking any request. -- */ --void rng_backend_cancel_requests(RngBackend *s); - #endif --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch deleted file mode 100644 index 44ba8a7..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch +++ /dev/null @@ -1,135 +0,0 @@ -From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:16 +0100 -Subject: [PATCH] rng: move request queue from RngEgd to RngBackend - -The 'requests' field now lives in the RngBackend parent class. -There are no functional changes in this commit. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 28 +++++++++------------------- - include/sysemu/rng.h | 11 +++++++++++ - 2 files changed, 20 insertions(+), 19 deletions(-) - -diff --git a/backends/rng-egd.c b/backends/rng-egd.c -index 0b2976a..b061362 100644 ---- a/backends/rng-egd.c -+++ b/backends/rng-egd.c -@@ -25,19 +25,8 @@ typedef struct RngEgd - - CharDriverState *chr; - char *chr_name; -- -- GSList *requests; - } RngEgd; - --typedef struct RngRequest --{ -- EntropyReceiveFunc *receive_entropy; -- uint8_t *data; -- void *opaque; -- size_t offset; -- size_t size; --} RngRequest; -- - static void rng_egd_request_entropy(RngBackend *b, size_t size, - EntropyReceiveFunc *receive_entropy, - void *opaque) -@@ -66,7 +55,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, - size -= len; - } - -- s->requests = g_slist_append(s->requests, req); -+ s->parent.requests = g_slist_append(s->parent.requests, req); - } - - static void rng_egd_free_request(RngRequest *req) -@@ -81,7 +70,7 @@ static int rng_egd_chr_can_read(void *opaque) - GSList *i; - int size = 0; - -- for (i = s->requests; i; i = i->next) { -+ for (i = s->parent.requests; i; i = i->next) { - RngRequest *req = i->data; - size += req->size - req->offset; - } -@@ -94,8 +83,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) - RngEgd *s = RNG_EGD(opaque); - size_t buf_offset = 0; - -- while (size > 0 && s->requests) { -- RngRequest *req = s->requests->data; -+ while (size > 0 && s->parent.requests) { -+ RngRequest *req = s->parent.requests->data; - int len = MIN(size, req->size - req->offset); - - memcpy(req->data + req->offset, buf + buf_offset, len); -@@ -104,7 +93,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) - size -= len; - - if (req->offset == req->size) { -- s->requests = g_slist_remove_link(s->requests, s->requests); -+ s->parent.requests = g_slist_remove_link(s->parent.requests, -+ s->parent.requests); - - req->receive_entropy(req->opaque, req->data, req->size); - -@@ -117,12 +107,12 @@ static void rng_egd_free_requests(RngEgd *s) - { - GSList *i; - -- for (i = s->requests; i; i = i->next) { -+ for (i = s->parent.requests; i; i = i->next) { - rng_egd_free_request(i->data); - } - -- g_slist_free(s->requests); -- s->requests = NULL; -+ g_slist_free(s->parent.requests); -+ s->parent.requests = NULL; - } - - static void rng_egd_opened(RngBackend *b, Error **errp) -diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h -index 87b3ebe..c744d82 100644 ---- a/include/sysemu/rng.h -+++ b/include/sysemu/rng.h -@@ -24,6 +24,7 @@ - #define RNG_BACKEND_CLASS(klass) \ - OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND) - -+typedef struct RngRequest RngRequest; - typedef struct RngBackendClass RngBackendClass; - typedef struct RngBackend RngBackend; - -@@ -31,6 +32,15 @@ typedef void (EntropyReceiveFunc)(void *opaque, - const void *data, - size_t size); - -+struct RngRequest -+{ -+ EntropyReceiveFunc *receive_entropy; -+ uint8_t *data; -+ void *opaque; -+ size_t offset; -+ size_t size; -+}; -+ - struct RngBackendClass - { - ObjectClass parent_class; -@@ -47,6 +57,7 @@ struct RngBackend - - /*< protected >*/ - bool opened; -+ GSList *requests; - }; - - /** --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch deleted file mode 100644 index 1cffcc5..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch +++ /dev/null @@ -1,155 +0,0 @@ -From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:17 +0100 -Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend - -RngBackend is now in charge of cleaning up the linked list on -instance finalization. It also exposes a function to finalize -individual RngRequest instances, called by its child classes. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-4-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 25 +------------------------ - backends/rng.c | 32 ++++++++++++++++++++++++++++++++ - include/sysemu/rng.h | 12 ++++++++++++ - 3 files changed, 45 insertions(+), 24 deletions(-) - -diff --git a/backends/rng-egd.c b/backends/rng-egd.c -index b061362..8f2bd16 100644 ---- a/backends/rng-egd.c -+++ b/backends/rng-egd.c -@@ -58,12 +58,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, - s->parent.requests = g_slist_append(s->parent.requests, req); - } - --static void rng_egd_free_request(RngRequest *req) --{ -- g_free(req->data); -- g_free(req); --} -- - static int rng_egd_chr_can_read(void *opaque) - { - RngEgd *s = RNG_EGD(opaque); -@@ -93,28 +87,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t *buf, int size) - size -= len; - - if (req->offset == req->size) { -- s->parent.requests = g_slist_remove_link(s->parent.requests, -- s->parent.requests); -- - req->receive_entropy(req->opaque, req->data, req->size); - -- rng_egd_free_request(req); -+ rng_backend_finalize_request(&s->parent, req); - } - } - } - --static void rng_egd_free_requests(RngEgd *s) --{ -- GSList *i; -- -- for (i = s->parent.requests; i; i = i->next) { -- rng_egd_free_request(i->data); -- } -- -- g_slist_free(s->parent.requests); -- s->parent.requests = NULL; --} -- - static void rng_egd_opened(RngBackend *b, Error **errp) - { - RngEgd *s = RNG_EGD(b); -@@ -183,8 +162,6 @@ static void rng_egd_finalize(Object *obj) - } - - g_free(s->chr_name); -- -- rng_egd_free_requests(s); - } - - static void rng_egd_class_init(ObjectClass *klass, void *data) -diff --git a/backends/rng.c b/backends/rng.c -index 2f2f3ee..014cb9d 100644 ---- a/backends/rng.c -+++ b/backends/rng.c -@@ -64,6 +64,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool value, Error **errp) - s->opened = true; - } - -+static void rng_backend_free_request(RngRequest *req) -+{ -+ g_free(req->data); -+ g_free(req); -+} -+ -+static void rng_backend_free_requests(RngBackend *s) -+{ -+ GSList *i; -+ -+ for (i = s->requests; i; i = i->next) { -+ rng_backend_free_request(i->data); -+ } -+ -+ g_slist_free(s->requests); -+ s->requests = NULL; -+} -+ -+void rng_backend_finalize_request(RngBackend *s, RngRequest *req) -+{ -+ s->requests = g_slist_remove(s->requests, req); -+ rng_backend_free_request(req); -+} -+ - static void rng_backend_init(Object *obj) - { - object_property_add_bool(obj, "opened", -@@ -72,6 +96,13 @@ static void rng_backend_init(Object *obj) - NULL); - } - -+static void rng_backend_finalize(Object *obj) -+{ -+ RngBackend *s = RNG_BACKEND(obj); -+ -+ rng_backend_free_requests(s); -+} -+ - static void rng_backend_class_init(ObjectClass *oc, void *data) - { - UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); -@@ -84,6 +115,7 @@ static const TypeInfo rng_backend_info = { - .parent = TYPE_OBJECT, - .instance_size = sizeof(RngBackend), - .instance_init = rng_backend_init, -+ .instance_finalize = rng_backend_finalize, - .class_size = sizeof(RngBackendClass), - .class_init = rng_backend_class_init, - .abstract = true, -diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h -index c744d82..08a2eda 100644 ---- a/include/sysemu/rng.h -+++ b/include/sysemu/rng.h -@@ -78,4 +79,15 @@ struct RngBackend - void rng_backend_request_entropy(RngBackend *s, size_t size, - EntropyReceiveFunc *receive_entropy, - void *opaque); -+ -+/** -+ * rng_backend_free_request: -+ * @s: the backend that created the request -+ * @req: the request to finalize -+ * -+ * Used by child rng backend classes to finalize requests once they've been -+ * processed. The request is removed from the list of active requests and -+ * deleted. -+ */ -+void rng_backend_finalize_request(RngBackend *s, RngRequest *req); - #endif --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch deleted file mode 100644 index ca9340a..0000000 --- a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch +++ /dev/null @@ -1,179 +0,0 @@ -From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek -Date: Thu, 3 Mar 2016 09:37:18 +0100 -Subject: [PATCH] rng: add request queue support to rng-random - -Requests are now created in the RngBackend parent class and the -code path is shared by both rng-egd and rng-random. - -This commit fixes the rng-random implementation which processed -only one request at a time and simply discarded all but the most -recent one. In the guest this manifested as delayed completion -of reads from virtio-rng, i.e. a read was completed only after -another read was issued. - -By switching rng-random to use the same request queue as rng-egd, -the unsafe stack-based allocation of the entropy buffer is -eliminated and replaced with g_malloc. - -Signed-off-by: Ladi Prosek -Reviewed-by: Amit Shah -Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah ---- - backends/rng-egd.c | 16 ++-------------- - backends/rng-random.c | 43 +++++++++++++++++++------------------------ - backends/rng.c | 13 ++++++++++++- - include/sysemu/rng.h | 3 +-- - 4 files changed, 34 insertions(+), 41 deletions(-) - -diff --git a/backends/rng-egd.c b/backends/rng-egd.c -index 8f2bd16..30332ed 100644 ---- a/backends/rng-egd.c -+++ b/backends/rng-egd.c -@@ -27,20 +27,10 @@ typedef struct RngEgd - char *chr_name; - } RngEgd; - --static void rng_egd_request_entropy(RngBackend *b, size_t size, -- EntropyReceiveFunc *receive_entropy, -- void *opaque) -+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req) - { - RngEgd *s = RNG_EGD(b); -- RngRequest *req; -- -- req = g_malloc(sizeof(*req)); -- -- req->offset = 0; -- req->size = size; -- req->receive_entropy = receive_entropy; -- req->opaque = opaque; -- req->data = g_malloc(req->size); -+ size_t size = req->size; - - while (size > 0) { - uint8_t header[2]; -@@ -54,8 +44,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t size, - - size -= len; - } -- -- s->parent.requests = g_slist_append(s->parent.requests, req); - } - - static int rng_egd_chr_can_read(void *opaque) -diff --git a/backends/rng-random.c b/backends/rng-random.c -index 8cdad6a..a6cb385 100644 ---- a/backends/rng-random.c -+++ b/backends/rng-random.c -@@ -22,10 +22,6 @@ struct RndRandom - - int fd; - char *filename; -- -- EntropyReceiveFunc *receive_func; -- void *opaque; -- size_t size; - }; - - /** -@@ -38,36 +34,35 @@ struct RndRandom - static void entropy_available(void *opaque) - { - RndRandom *s = RNG_RANDOM(opaque); -- uint8_t buffer[s->size]; -- ssize_t len; - -- len = read(s->fd, buffer, s->size); -- if (len < 0 && errno == EAGAIN) { -- return; -- } -- g_assert(len != -1); -+ while (s->parent.requests != NULL) { -+ RngRequest *req = s->parent.requests->data; -+ ssize_t len; -+ -+ len = read(s->fd, req->data, req->size); -+ if (len < 0 && errno == EAGAIN) { -+ return; -+ } -+ g_assert(len != -1); - -- s->receive_func(s->opaque, buffer, len); -- s->receive_func = NULL; -+ req->receive_entropy(req->opaque, req->data, len); - -+ rng_backend_finalize_request(&s->parent, req); -+ } -+ -+ /* We've drained all requests, the fd handler can be reset. */ - qemu_set_fd_handler(s->fd, NULL, NULL, NULL); - } - --static void rng_random_request_entropy(RngBackend *b, size_t size, -- EntropyReceiveFunc *receive_entropy, -- void *opaque) -+static void rng_random_request_entropy(RngBackend *b, RngRequest *req) - { - RndRandom *s = RNG_RANDOM(b); - -- if (s->receive_func) { -- s->receive_func(s->opaque, NULL, 0); -+ if (s->parent.requests == NULL) { -+ /* If there are no pending requests yet, we need to -+ * install our fd handler. */ -+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s); - } -- -- s->receive_func = receive_entropy; -- s->opaque = opaque; -- s->size = size; -- -- qemu_set_fd_handler(s->fd, entropy_available, NULL, s); - } - - static void rng_random_opened(RngBackend *b, Error **errp) -diff --git a/backends/rng.c b/backends/rng.c -index 014cb9d..277a41b 100644 ---- a/backends/rng.c -+++ b/backends/rng.c -@@ -20,9 +20,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size, - void *opaque) - { - RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); -+ RngRequest *req; - - if (k->request_entropy) { -- k->request_entropy(s, size, receive_entropy, opaque); -+ req = g_malloc(sizeof(*req)); -+ -+ req->offset = 0; -+ req->size = size; -+ req->receive_entropy = receive_entropy; -+ req->opaque = opaque; -+ req->data = g_malloc(req->size); -+ -+ k->request_entropy(s, req); -+ -+ s->requests = g_slist_append(s->requests, req); - } - } - -diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h -index 08a2eda..4fffd68 100644 ---- a/include/sysemu/rng.h -+++ b/include/sysemu/rng.h -@@ -45,8 +45,7 @@ struct RngBackendClass - { - ObjectClass parent_class; - -- void (*request_entropy)(RngBackend *s, size_t size, -- EntropyReceiveFunc *receive_entropy, void *opaque); -+ void (*request_entropy)(RngBackend *s, RngRequest *req); - - void (*opened)(RngBackend *s, Error **errp); - }; --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch deleted file mode 100644 index cf1a4c3..0000000 --- a/app-emulation/qemu/files/qemu-2.5.1-CVE-2015-8558.patch +++ /dev/null @@ -1,107 +0,0 @@ -https://bugs.gentoo.org/580426 -https://bugs.gentoo.org/568246 - -From a49923d2837d20510d645d3758f1ad87c32d0730 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 18 Apr 2016 09:20:54 +0200 -Subject: [PATCH] Revert "ehci: make idt processing more robust" - -This reverts commit 156a2e4dbffa85997636a7a39ef12da6f1b40254. - -Breaks FreeBSD. - -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index d5c0e1c..43a8f7a 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1397,7 +1397,7 @@ static int ehci_process_itd(EHCIState *ehci, - { - USBDevice *dev; - USBEndpoint *ep; -- uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; -+ uint32_t i, len, pid, dir, devaddr, endp; - uint32_t pg, off, ptr1, ptr2, max, mult; - - ehci->periodic_sched_active = PERIODIC_ACTIVE; -@@ -1489,10 +1489,9 @@ static int ehci_process_itd(EHCIState *ehci, - ehci_raise_irq(ehci, USBSTS_INT); - } - itd->transact[i] &= ~ITD_XACT_ACTIVE; -- xfers++; - } - } -- return xfers ? 0 : -1; -+ return 0; - } - - --- -2.7.4 - -From 1ae3f2f178087711f9591350abad133525ba93f2 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 18 Apr 2016 09:11:38 +0200 -Subject: [PATCH] ehci: apply limit to iTD/sidt descriptors -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Commit "156a2e4 ehci: make idt processing more robust" tries to avoid a -DoS by the guest (create a circular iTD queue and let qemu ehci -emulation run in circles forever). Unfortunately this has two problems: -First it misses the case of siTDs, and second it reportedly breaks -FreeBSD. - -So lets go for a different approach: just count the number of iTDs and -siTDs we have seen per frame and apply a limit. That should really -catch all cases now. - -Reported-by: 杜少博 -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index 159f58d..d5c0e1c 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -2011,6 +2011,7 @@ static int ehci_state_writeback(EHCIQueue *q) - static void ehci_advance_state(EHCIState *ehci, int async) - { - EHCIQueue *q = NULL; -+ int itd_count = 0; - int again; - - do { -@@ -2035,10 +2036,12 @@ static void ehci_advance_state(EHCIState *ehci, int async) - - case EST_FETCHITD: - again = ehci_state_fetchitd(ehci, async); -+ itd_count++; - break; - - case EST_FETCHSITD: - again = ehci_state_fetchsitd(ehci, async); -+ itd_count++; - break; - - case EST_ADVANCEQUEUE: -@@ -2087,7 +2090,8 @@ static void ehci_advance_state(EHCIState *ehci, int async) - break; - } - -- if (again < 0) { -+ if (again < 0 || itd_count > 16) { -+ /* TODO: notify guest (raise HSE irq?) */ - fprintf(stderr, "processing error - resetting ehci HC\n"); - ehci_reset(ehci); - again = 0; --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch b/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch deleted file mode 100644 index e3115c1..0000000 --- a/app-emulation/qemu/files/qemu-2.5.1-CVE-2016-4020.patch +++ /dev/null @@ -1,16 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-04/msg01106.html -https://bugs.gentoo.org/580040 - -diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c -index c69f374..ff1e31a 100644 ---- a/hw/i386/kvmvapic.c -+++ b/hw/i386/kvmvapic.c -@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip) - CPUX86State *env = &cpu->env; - VAPICHandlers *handlers; - uint8_t opcode[2]; -- uint32_t imm32; -+ uint32_t imm32 = 0; - target_ulong current_pc = 0; - target_ulong current_cs_base = 0; - int current_flags = 0; diff --git a/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch b/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch deleted file mode 100644 index ab7d3f3..0000000 --- a/app-emulation/qemu/files/qemu-2.5.1-stellaris_enet-overflow.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 3a15cc0e1ee7168db0782133d2607a6bfa422d66 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 8 Apr 2016 11:33:48 +0530 -Subject: [PATCH] net: stellaris_enet: check packet length against receive - buffer - -When receiving packets over Stellaris ethernet controller, it -uses receive buffer of size 2048 bytes. In case the controller -accepts large(MTU) packets, it could lead to memory corruption. -Add check to avoid it. - -Reported-by: Oleksandr Bazhaniuk -Signed-off-by: Prasad J Pandit -Message-id: 1460095428-22698-1-git-send-email-ppandit@redhat.com -Reviewed-by: Peter Maydell -Signed-off-by: Peter Maydell ---- - hw/net/stellaris_enet.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/hw/net/stellaris_enet.c b/hw/net/stellaris_enet.c -index 84cf60b..6880894 100644 ---- a/hw/net/stellaris_enet.c -+++ b/hw/net/stellaris_enet.c -@@ -236,8 +236,18 @@ static ssize_t stellaris_enet_receive(NetClientState *nc, const uint8_t *buf, si - n = s->next_packet + s->np; - if (n >= 31) - n -= 31; -- s->np++; - -+ if (size >= sizeof(s->rx[n].data) - 6) { -+ /* If the packet won't fit into the -+ * emulated 2K RAM, this is reported -+ * as a FIFO overrun error. -+ */ -+ s->ris |= SE_INT_FOV; -+ stellaris_enet_update(s); -+ return -1; -+ } -+ -+ s->np++; - s->rx[n].len = size + 6; - p = s->rx[n].data; - *(p++) = (size + 6); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch b/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch deleted file mode 100644 index 743171b..0000000 --- a/app-emulation/qemu/files/qemu-2.5.1-xfs-linux-headers.patch +++ /dev/null @@ -1,82 +0,0 @@ -https://bugs.gentoo.org/577810 - -From 277abf15a60f7653bfb05ffb513ed74ffdaea1b7 Mon Sep 17 00:00:00 2001 -From: Jan Vesely -Date: Fri, 29 Apr 2016 13:15:23 -0400 -Subject: [PATCH] configure: Check if struct fsxattr is available from linux - header -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes build failure with --enable-xfsctl and -new linux headers (>=4.5) and older xfsprogs(<4.5): -In file included from /usr/include/xfs/xfs.h:38:0, - from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:97: -/usr/include/xfs/xfs_fs.h:42:8: error: redefinition of ‘struct fsxattr’ - struct fsxattr { - ^ -In file included from /var/tmp/portage/app-emulation/qemu-2.5.0-r1/work/qemu-2.5.0/block/raw-posix.c:60:0: -/usr/include/linux/fs.h:155:8: note: originally defined here - struct fsxattr { - -This is really a bug in the system headers, but we can work around it -by defining HAVE_FSXATTR in the QEMU headers if linux/fs.h provides -the struct, so that xfs_fs.h doesn't try to define it as well. - -CC: qemu-trivial@nongnu.org -CC: Markus Armbruster -CC: Peter Maydell -CC: Stefan Weil -Tested-by: Stefan Weil -Signed-off-by: Jan Vesely -[PMM: adjusted commit message, comments] -Signed-off-by: Peter Maydell ---- - configure | 23 +++++++++++++++++++++++ - 1 file changed, 23 insertions(+) - -diff --git a/configure b/configure -index ab54f3c..c37fc5f 100755 ---- a/configure -+++ b/configure -@@ -4494,6 +4494,21 @@ if test "$fortify_source" != "no"; then - fi - - ########################################## -+# check if struct fsxattr is available via linux/fs.h -+ -+have_fsxattr=no -+cat > $TMPC << EOF -+#include -+struct fsxattr foo; -+int main(void) { -+ return 0; -+} -+EOF -+if compile_prog "" "" ; then -+ have_fsxattr=yes -+fi -+ -+########################################## - # End of CC checks - # After here, no more $cc or $ld runs - -@@ -5160,6 +5175,14 @@ fi - if test "$have_ifaddrs_h" = "yes" ; then - echo "HAVE_IFADDRS_H=y" >> $config_host_mak - fi -+ -+# Work around a system header bug with some kernel/XFS header -+# versions where they both try to define 'struct fsxattr': -+# xfs headers will not try to redefine structs from linux headers -+# if this macro is set. -+if test "$have_fsxattr" = "yes" ; then -+ echo "HAVE_FSXATTR=y" >> $config_host_mak -+fi - if test "$vte" = "yes" ; then - echo "CONFIG_VTE=y" >> $config_host_mak - echo "VTE_CFLAGS=$vte_cflags" >> $config_host_mak --- -2.8.2 - diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch new file mode 100644 index 0000000..56f7435 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-6836.patch @@ -0,0 +1,27 @@ +From: Li Qiang + +In Vmxnet3 device emulator while processing transmit(tx) queue, +when it reaches end of packet, it calls vmxnet3_complete_packet. +In that local 'txcq_descr' object is not initialised, which could +leak host memory bytes a guest. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/net/vmxnet3.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index 90f6943..92f6af9 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx) + + VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring); + ++ memset(&txcq_descr, 0, sizeof(txcq_descr)); + txcq_descr.txdIdx = tx_ridx; + txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring); + +-- +2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch new file mode 100644 index 0000000..495faf2 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7155.patch @@ -0,0 +1,81 @@ +From: Prasad J Pandit + +Vmware Paravirtual SCSI emulation uses command descriptors to +process SCSI commands. These descriptors come with their ring +buffers. A guest could set the page count for these rings to +an arbitrary value, leading to infinite loop or OOB access. +Add check to avoid it. + +Reported-by: Tom Victor +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/vmw_pvscsi.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +Update per review + -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 5116f4a..4245c15 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input) + return log; + } + +-static int ++static void + pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + { + int i; +@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + uint32_t req_ring_size, cmp_ring_size; + m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT; + +- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) +- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) { +- return -1; +- } + req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE; + txr_len_log2 = pvscsi_log2(req_ring_size - 1); +@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri) + + /* Flush ring state page changes */ + smp_wmb(); +- +- return 0; + } + + static int +@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc) + + trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages); + for (i = 0; i < rc->cmpRingNumPages; i++) { +- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]); ++ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]); + } + } + +@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s) + + trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS"); + ++ if (!rc->reqRingNumPages ++ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES ++ || !rc->cmpRingNumPages ++ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) { ++ return PVSCSI_COMMAND_PROCESSING_FAILED; ++ } ++ + pvscsi_dbg_dump_tx_rings_config(rc); +- if (pvscsi_ring_init_data(&s->rings, rc) < 0) { +- return PVSCSI_COMMAND_PROCESSING_FAILED; +- } ++ pvscsi_ring_init_data(&s->rings, rc); + + s->rings_info_valid = TRUE; + return PVSCSI_COMMAND_PROCESSING_SUCCEEDED; +-- +2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch new file mode 100644 index 0000000..9c21a67 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7156.patch @@ -0,0 +1,62 @@ +From: Prasad J Pandit + +In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very +long time or go into an infinite loop due to two different bugs: + +1) the request descriptor data length is defined to be 64 bit. While +building SG list from a request descriptor, it gets truncated to 32bit +in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop +situation for large 'dataLen' values, when data_length is cast to uint32_t +and chunk_size becomes always zero. Fix this by removing the incorrect +cast. + +2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the +element has a zero length. Get out of the loop early when this happens, +by introducing an upper limit on the number of SG list elements. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/scsi/vmw_pvscsi.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +Update as per: + -> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index 4245c15..babac5a 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -40,6 +40,8 @@ + #define PVSCSI_MAX_DEVS (64) + #define PVSCSI_MSIX_NUM_VECTORS (1) + ++#define PVSCSI_MAX_SG_ELEM 2048 ++ + #define PVSCSI_MAX_CMD_DATA_WORDS \ + (sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t)) + +@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d, + static void + pvscsi_convert_sglist(PVSCSIRequest *r) + { +- int chunk_size; ++ uint32_t chunk_size, elmcnt = 0; + uint64_t data_length = r->req.dataLen; + PVSCSISGState sg = r->sg; +- while (data_length) { +- while (!sg.resid) { ++ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) { ++ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) { + pvscsi_get_next_sg_elem(&sg); + trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr, + r->sg.resid); + } +- assert(data_length > 0); +- chunk_size = MIN((unsigned) data_length, sg.resid); ++ chunk_size = MIN(data_length, sg.resid); + if (chunk_size) { + qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size); + } +-- +2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch new file mode 100644 index 0000000..480de30 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-1.patch @@ -0,0 +1,28 @@ +From: Prasad J Pandit + +When LSI SAS1068 Host Bus emulator builds configuration page +headers, the format string used in 'mptsas_config_manufacturing_1' +was wrong. It could lead to an invalid memory access. + +Reported-by: Tom Victor +Fix-suggested-by: Paolo Bonzini +Signed-off-by: Prasad J Pandit +--- + hw/scsi/mptconfig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c +index 7071854..1ec895b 100644 +--- a/hw/scsi/mptconfig.c ++++ b/hw/scsi/mptconfig.c +@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address + { + /* VPD - all zeros */ + return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00, +- "s256"); ++ "*s256"); + } + + static +-- +2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch new file mode 100644 index 0000000..5e79608 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7157-2.patch @@ -0,0 +1,27 @@ +From: Prasad J Pandit + +When LSI SAS1068 Host Bus emulator builds configuration page +headers, mptsas_config_pack() asserts to check returned size +value is within limit of 256 bytes. Fix that assert expression. + +Suggested-by: Paolo Bonzini +Signed-off-by: Prasad J Pandit +--- + hw/scsi/mptconfig.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c +index 1ec895b..531947f 100644 +--- a/hw/scsi/mptconfig.c ++++ b/hw/scsi/mptconfig.c +@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...) + va_end(ap); + + if (data) { +- assert(ret < 256 && (ret % 4) == 0); ++ assert(ret / 4 < 256); + stb_p(*data + 1, ret / 4); + } + return ret; +-- +2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch new file mode 100644 index 0000000..7eb5f76 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7170.patch @@ -0,0 +1,40 @@ +From: Prasad J Pandit + +When processing svga command DEFINE_CURSOR in vmsvga_fifo_run, +the computed BITMAP and PIXMAP size are checked against the +'cursor.mask[]' and 'cursor.image[]' array sizes in bytes. +Correct these checks to avoid OOB memory access. + +Reported-by: Qinghao Tang +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +--- + hw/display/vmware_vga.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c +index e51a05e..6599cf0 100644 +--- a/hw/display/vmware_vga.c ++++ b/hw/display/vmware_vga.c +@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s) + cursor.bpp = vmsvga_fifo_read(s); + + args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp); +- if (cursor.width > 256 || +- cursor.height > 256 || +- cursor.bpp > 32 || +- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask || +- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) { ++ if (cursor.width > 256 ++ || cursor.height > 256 ++ || cursor.bpp > 32 ++ || SVGA_BITMAP_SIZE(x, y) ++ > sizeof(cursor.mask) / sizeof(cursor.mask[0]) ++ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp) ++ > sizeof(cursor.image) / sizeof(cursor.image[0])) { + goto badcmd; + } + +-- +2.5.5 + diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch new file mode 100644 index 0000000..b9f3545 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7421.patch @@ -0,0 +1,34 @@ +From: Prasad J Pandit + +Vmware Paravirtual SCSI emulator while processing IO requests +could run into an infinite loop if 'pvscsi_ring_pop_req_descr' +always returned positive value. Limit IO loop to the ring size. + +Cc: address@hidden +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: +Signed-off-by: Paolo Bonzini +--- + hw/scsi/vmw_pvscsi.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c +index babac5a..a5ce7de 100644 +--- a/hw/scsi/vmw_pvscsi.c ++++ b/hw/scsi/vmw_pvscsi.c +@@ -247,8 +247,11 @@ static hwaddr + pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr) + { + uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx); ++ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING ++ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE; + +- if (ready_ptr != mgr->consumed_ptr) { ++ if (ready_ptr != mgr->consumed_ptr ++ && ready_ptr - mgr->consumed_ptr < ring_size) { + uint32_t next_ready_ptr = + mgr->consumed_ptr++ & mgr->txr_len_mask; + uint32_t next_ready_page = +-- +1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch new file mode 100644 index 0000000..6368e7f --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7422.patch @@ -0,0 +1,38 @@ +From: Prasad J Pandit + +virtio back end uses set of buffers to facilitate I/O operations. +If its size is too large, 'cpu_physical_memory_map' could return +a null address. This would result in a null dereference +while un-mapping descriptors. Add check to avoid it. + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +--- + hw/virtio/virtio.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c +index 15ee3a7..0a4c5b6 100644 +--- a/hw/virtio/virtio.c ++++ b/hw/virtio/virtio.c +@@ -472,12 +472,14 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove + } + + iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); +- iov[num_sg].iov_len = len; +- addr[num_sg] = pa; ++ if (iov[num_sg].iov_base) { ++ iov[num_sg].iov_len = len; ++ addr[num_sg] = pa; + ++ pa += len; ++ num_sg++; ++ } + sz -= len; +- pa += len; +- num_sg++; + } + *p_num_sg = num_sg; + } +-- +2.5.5 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch new file mode 100644 index 0000000..fdd871b --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7423.patch @@ -0,0 +1,31 @@ +From: Li Qiang + +When processing IO request in mptsas, it uses g_new to allocate +a 'req' object. If an error occurs before 'req->sreq' is +allocated, It could lead to an OOB write in mptsas_free_request +function. Use g_new0 to avoid it. + +Reported-by: Li Qiang +Signed-off-by: Prasad J Pandit +Message-Id: +Cc: address@hidden +Signed-off-by: Paolo Bonzini +--- + hw/scsi/mptsas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c +index 0e0a22f..eaae1bb 100644 +--- a/hw/scsi/mptsas.c ++++ b/hw/scsi/mptsas.c +@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s, + goto bad; + } + +- req = g_new(MPTSASRequest, 1); ++ req = g_new0(MPTSASRequest, 1); + QTAILQ_INSERT_TAIL(&s->pending, req, next); + req->scsi_io = *scsi_io; + req->dev = s; +-- +1.8.3.1 diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch new file mode 100644 index 0000000..d5028bb --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-7466.patch @@ -0,0 +1,26 @@ +From: Li Qiang + +If the xhci uses msix, it doesn't free the corresponding +memory, thus leading a memory leak. This patch avoid this. + +Signed-off-by: Li Qiang +--- + hw/usb/hcd-xhci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c +index 188f954..281a2a5 100644 +--- a/hw/usb/hcd-xhci.c ++++ b/hw/usb/hcd-xhci.c +@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev) + /* destroy msix memory region */ + if (dev->msix_table && dev->msix_pba + && dev->msix_entry_used) { +- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio); +- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio); ++ msix_uninit(dev, &xhci->mem, &xhci->mem); + } + + usb_bus_release(&xhci->bus); +-- +1.8.3.1 diff --git a/app-emulation/qemu/qemu-2.5.1-r99.ebuild b/app-emulation/qemu/qemu-2.7.0-r99.ebuild similarity index 94% rename from app-emulation/qemu/qemu-2.5.1-r99.ebuild rename to app-emulation/qemu/qemu-2.7.0-r99.ebuild index 1d169e8..f8432d3 100644 --- a/app-emulation/qemu/qemu-2.5.1-r99.ebuild +++ b/app-emulation/qemu/qemu-2.7.0-r99.ebuild @@ -2,26 +2,22 @@ # Distributed under the terms of the GNU General Public License v2 # $Id$ -EAPI=5 +EAPI="5" PYTHON_COMPAT=( python2_7 ) PYTHON_REQ_USE="ncurses,readline" -PLOCALES="de_DE fr_FR hu it tr zh_CN" +PLOCALES="bg de_DE fr_FR hu it tr zh_CN" inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \ - user udev fcaps readme.gentoo pax-utils l10n - -BACKPORTS= + user udev fcaps readme.gentoo-r1 pax-utils l10n if [[ ${PV} = *9999* ]]; then EGIT_REPO_URI="git://git.qemu.org/qemu.git" inherit git-2 SRC_URI="" else - SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2 - ${BACKPORTS:+ - https://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}" + SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2" KEYWORDS="amd64 ~ppc x86" fi @@ -30,7 +26,7 @@ HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" LICENSE="GPL-2 LGPL-2 BSD-2" SLOT="0" -IUSE="accessibility +aio alsa bluetooth +caps +curl debug +fdt glusterfs \ +IUSE="accessibility +aio alsa bluetooth bzip2 +caps +curl debug +fdt glusterfs \ gnutls gtk gtk2 infiniband iscsi +jpeg \ kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png pulseaudio python \ @@ -70,8 +66,13 @@ REQUIRED_USE="${PYTHON_REQUIRED_USE} # # Older versions of gnutls are supported, but it's simpler to just require # the latest versions. This is also why we require nettle. +# +# TODO: Split out tools deps into another var. e.g. bzip2 is only used by +# system binaries and tools, not user binaries. COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)] + dev-libs/libpcre[static-libs(+)] sys-libs/zlib[static-libs(+)] + bzip2? ( app-arch/bzip2[static-libs(+)] ) xattr? ( sys-apps/attr[static-libs(+)] )" SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} >=x11-libs/pixman-0.28.0[static-libs(+)] @@ -108,7 +109,7 @@ SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} virtual/opengl media-libs/libepoxy[static-libs(+)] media-libs/mesa[static-libs(+)] - media-libs/mesa[egl,gles2] + media-libs/mesa[egl,gles2,gbm] ) png? ( media-libs/libpng:0=[static-libs(+)] ) pulseaudio? ( media-sound/pulseaudio ) @@ -337,18 +338,18 @@ src_prepare() { epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch epatch "${FILESDIR}"/${PN}-2.2.0-_sigev_un.patch - epatch "${FILESDIR}"/qemu-2.5.0-cflags.patch - [[ -n ${BACKPORTS} ]] && \ - EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ - epatch - - epatch "${FILESDIR}"/${PN}-2.5.0-CVE-2016-2198.patch #573314 - epatch "${FILESDIR}"/${PN}-2.5.0-rng-stack-corrupt-{0,1,2,3}.patch #576420 - epatch "${FILESDIR}"/${PN}-2.5.1-stellaris_enet-overflow.patch #579614 - epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2016-4020.patch #580040 - epatch "${FILESDIR}"/${PN}-2.5.1-CVE-2015-8558.patch #568246 #580426 + epatch "${FILESDIR}"/${PN}-2.5.0-cflags.patch epatch "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch - epatch "${FILESDIR}"/${PN}-2.5.1-xfs-linux-headers.patch #577810 + epatch "${FILESDIR}"/${P}-CVE-2016-6836.patch # bug 591242 + epatch "${FILESDIR}"/${P}-CVE-2016-7155.patch # bug 593034 + epatch "${FILESDIR}"/${P}-CVE-2016-7156.patch # bug 593036 + epatch "${FILESDIR}"/${P}-CVE-2016-7157-1.patch # bug 593038 + epatch "${FILESDIR}"/${P}-CVE-2016-7157-2.patch # bug 593038 + epatch "${FILESDIR}"/${P}-CVE-2016-7170.patch # bug 593284 + epatch "${FILESDIR}"/${P}-CVE-2016-7421.patch # bug 593950 + epatch "${FILESDIR}"/${P}-CVE-2016-7422.patch # bug 593956 + epatch "${FILESDIR}"/${P}-CVE-2016-7466.patch # bug 594520 + epatch "${FILESDIR}"/${P}-CVE-2016-7423.patch # bug 594368 # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY @@ -412,6 +413,7 @@ qemu_src_configure() { conf_opts+=( $(conf_softmmu accessibility brlapi) $(conf_softmmu aio linux-aio) + $(conf_softmmu bzip2) $(conf_softmmu bluetooth bluez) $(conf_softmmu caps cap-ng) $(conf_softmmu curl) @@ -482,6 +484,7 @@ qemu_src_configure() { --disable-linux-user --disable-system --disable-blobs + $(use_enable bzip2) ) static_flag="static" ;; @@ -571,7 +574,6 @@ src_test() { qemu_python_install() { python_domodule "${S}/scripts/qmp/qmp.py" - python_doscript "${S}/scripts/kvm/kvm_stat" python_doscript "${S}/scripts/kvm/vmxcap" python_doscript "${S}/scripts/qmp/qmp-shell" python_doscript "${S}/scripts/qmp/qemu-ga-client"