From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9EDA858973 for ; Sat, 30 Jan 2016 17:19:50 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B128421C007; Sat, 30 Jan 2016 17:19:47 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4049B21C007 for ; Sat, 30 Jan 2016 17:19:45 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A327A340BC0 for ; Sat, 30 Jan 2016 17:19:43 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 6C967C0 for ; Sat, 30 Jan 2016 17:19:41 +0000 (UTC) From: "Anthony G. Basile" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile" Message-ID: <1454174885.db375501bb3b42701ab7b00e15a76ec00779332b.blueness@gentoo> Subject: [gentoo-commits] proj/musl:master commit in: app-emulation/qemu/, app-emulation/qemu/files/ X-VCS-Repository: proj/musl X-VCS-Files: app-emulation/qemu/Manifest app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch app-emulation/qemu/files/qemu-2.5.0-cflags.patch app-emulation/qemu/qemu-2.2.1-r99.ebuild app-emulation/qemu/qemu-2.5.0-r99.ebuild X-VCS-Directories: app-emulation/qemu/files/ app-emulation/qemu/ X-VCS-Committer: blueness X-VCS-Committer-Name: Anthony G. Basile X-VCS-Revision: db375501bb3b42701ab7b00e15a76ec00779332b X-VCS-Branch: master Date: Sat, 30 Jan 2016 17:19:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 8bc57b6c-d4d9-477c-b19b-9c6e2dbd1e8b X-Archives-Hash: a1dcbf8147f22a09cd5bebe62afdd86b commit: db375501bb3b42701ab7b00e15a76ec00779332b Author: Felix Janda posteo de> AuthorDate: Sat Jan 30 15:58:50 2016 +0000 Commit: Anthony G. Basile gentoo org> CommitDate: Sat Jan 30 17:28:05 2016 +0000 URL: https://gitweb.gentoo.org/proj/musl.git/commit/?id=db375501 app-emulation/qemu: bump to 2.5.0 app-emulation/qemu/Manifest | 13 +- .../qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch | 241 ------------------ .../qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch | 58 ----- .../qemu/files/qemu-2.3.0-CVE-2015-3456.patch | 86 ------- .../qemu/files/qemu-2.5.0-CVE-2015-8558.patch | 50 ++++ .../qemu/files/qemu-2.5.0-CVE-2015-8567.patch | 95 +++++++ .../qemu/files/qemu-2.5.0-CVE-2015-8701.patch | 49 ++++ .../qemu/files/qemu-2.5.0-CVE-2015-8743.patch | 50 ++++ .../qemu/files/qemu-2.5.0-CVE-2016-1568.patch | 41 +++ app-emulation/qemu/files/qemu-2.5.0-cflags.patch | 13 + ...qemu-2.2.1-r99.ebuild => qemu-2.5.0-r99.ebuild} | 274 ++++++++++++--------- 11 files changed, 469 insertions(+), 501 deletions(-) diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest index 2ecdb66..9fdb00d 100644 --- a/app-emulation/qemu/Manifest +++ b/app-emulation/qemu/Manifest @@ -4,11 +4,14 @@ AUX qemu-1.7.0-cflags.patch 300 SHA256 8f35e55c4bae93e82f9580eabe2d6a2d4660bd053 AUX qemu-2.0.0-F_SHLCK-and-F_EXLCK.patch 563 SHA256 99de67d610ad13a1dcf6c67a3c2b5b87fb909220173a956435737f9bea3c371b SHA512 a29e9a889388a6627ed492a79e66514ffb5e64f9479646982091811548fc2a9bf6682104a6c774d83e645e4b1db39e491afd4efce789fe164623442a7f3e5d00 WHIRLPOOL d3aab06099de263c22f4c71810a3b2cb8602d17731ec76674cd1415e539306555a7b96b789f0daad473600dfa04a83224ff603f7b9a9ac63a4902f74d0e9deb5 AUX qemu-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 930 SHA256 6af6cf9044997710a6d0fbdba30a35c8d775e30d30c032ec97db672f75ec88ac SHA512 ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea WHIRLPOOL 06b9dd5251ac03405c97b1f5a623b4d86bda2f72fbcd52b90ae4d11a0cfb59cae62df2cb6189405fbe53ab05ff2b7ca8165fda239dbfe5f31ed70abb53b3b9f3 AUX qemu-2.2.0-_sigev_un.patch 636 SHA256 f3b9a4d6162c553f3110ad22716305818e2130e2ff5d628faf044fc58a5e3cb5 SHA512 f72b879daede5184904f64cabb276de96299a37a93fce444d09e9068671009e95a5e5d6b815ec41a5db5b3807de14d470a56bba5806ffd4dfec577577b046ccb WHIRLPOOL 9453ad4966e10d504f3e867fd984642a3c1ee3ae847b5ca56196fd1f9e6c0f2d7b52ca07446212af72fef6d0ded1527a5eb306fa6cd915e8dd9ce11523362bac -AUX qemu-2.2.1-CVE-2015-1779-1.patch 8631 SHA256 17ea04bb0571f3a346eb25ce2d61fd7053515767adedfde567fd39205993c600 SHA512 191dde0754b9466d87cf99a578ac07f0902f373156f4d5ff98540b9099a6fa8e29ba4ca9d4a5a21ae5dbba2b80c36600ea0bd2c31fa0c8734926514015166ab8 WHIRLPOOL 2be2f490eb32857b2b218761df3580bc31eb5a89bf1b289a048e9fd489cdb024869399481345b5ecb09a45c4fbf1ee4639062ae1fdbee9781e66ca6cc8af4cac -AUX qemu-2.2.1-CVE-2015-1779-2.patch 2318 SHA256 4c0966520bf09df25d99c883f94037e765406dd4097dd704e66361bb07f73679 SHA512 7a85bc8e00c60c6c36790d1169f0d84d2c75fe81c1700b4f764ddcb0d0587d4b6d228d80e65fead035e3ab99449aad2f559071edf9145ff7a755506f3ff05b0e WHIRLPOOL 078388c50367d41c810a02aa795b6ad0df381582bdd2725ae125243ee5921aa4057494f063a7de49da6b6f6343f37a3c83d96ef6d92c22e722972c8e4ea968dc -AUX qemu-2.3.0-CVE-2015-3456.patch 2853 SHA256 efac61bf9c20d5d08ef47bc9d51be5c8bd519f1d970ba3c3506c5760bf807e7d SHA512 5fed59ae67a962d187418f4bd57cebe901f9bcba817694b5e2a57daf77c34a406ed7c1f278e12d813304e58c48a24493b4e001a9ee4045bab2608f1730715ac7 WHIRLPOOL 9ad5237aa1bbe46a8493e331bb9c2152c36f9c877582485e1cf811b09430bad97a9f3b6bc52face7e4287f9c9fe4f1891de154a62ba93ea454c3ed9d44e8f729 +AUX qemu-2.5.0-CVE-2015-8558.patch 1459 SHA256 d769e6eb6dc0bdb0b982ef5fe7d73cc6bad47233102f53d11c6ed6c9051602d8 SHA512 42961191890c500675610d5d33e6ff468b07428c6b428ac01bb5c0e3ea88ff611a3532f848d54317458475fef221a06e41761ef14ea61d1b741db73450c4f90d WHIRLPOOL 475679dc1a24bc75012995a9a2122847454701b65ff0b7f8192865b45de49ce08572f129a7cfdeb36521252ed2f80c95e9dddbd64cb8e39fdc5beacc25934798 +AUX qemu-2.5.0-CVE-2015-8567.patch 3108 SHA256 88b72df4e02407c3b9ca4835c38988b97fcd5aa9c68da6fa47207fe675d4e661 SHA512 2f0243ec9764d72fe5e7a005a8db40d3d5c4c2edae5c3451087ee3f5c841c96a3112875cf88a19061fa2ce0d04715d247e6eb1eb83e1e5b57ec0b9eb324b8ce6 WHIRLPOOL b432ff3e105da5c0bd20dd1d7da0374f4005b2ac5a9a8c824e96730aeafa89bb8fc125f8b2857fdaf72024082ddbc0c7a28c3e3ffb9114c3d370db1b638c4731 +AUX qemu-2.5.0-CVE-2015-8701.patch 1671 SHA256 f39e0c6301cffa1b14c3ef0ab72fce0e2acd42170759ef7954234d31602aeb99 SHA512 d39edf84e2d17e6080bbc4a270732cd73b41fa39d948ee7bc4456e1024c5a69ddfb5e848af3272615f5aa36a3b6410a12f5a73e00ccfa58e0d60d7289d034aa9 WHIRLPOOL 352148c367837ba2d6eb5eb39e00c128f0cff3faef159754a41318857bc11a6616be184c24df4767ec2c8c14910ad74fc3be48273f6312b1687910fbcaf7bec3 +AUX qemu-2.5.0-CVE-2015-8743.patch 1777 SHA256 22aac571c1aa6f6a283d200a7703fdfea0a5bcaf227a003a2cbf5741bbb8df85 SHA512 65d8632fd43959983ca02f9ab116ec78ea043e6d867e6d743014885c2a423bb3b87c2e56caa37e7f29e971a44f5ea695cb4ce1c3a9c1fc2d734b25ca0b2f4054 WHIRLPOOL 9128c812cfbfe3d4629cd6c7c2c6f50c9ef2fe2d5b62b24486559279296987f593f852f913eb67fbe956d650d50612fa7a658a60b3d80cf4fa9256e332d77330 +AUX qemu-2.5.0-CVE-2016-1568.patch 1476 SHA256 ba2a25142977eea531159d81ef8938e8519c92800aa1958e71da9e2780c8256a SHA512 643ef742e6cd1dbc8f420b38f684bc8639e4bd58ab38c254654d4b1a72b129202fecdddddfd308b48ed7813da193edff68d737080d5035c82daf9676ee17df22 WHIRLPOOL af9376400540f20d77ea06cb6a12ce415b72bb22cdde3365bba8b02deb8985aedfee303646e13e1d1263a2dcd17bf1518637183a81c66c2db7b438aa88ef7d95 +AUX qemu-2.5.0-cflags.patch 410 SHA256 17f5624dd733f5c80e733cc67ae36a736169ec066024dbf802b416accfed0755 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 WHIRLPOOL 5f5b95d00409fbe03adb64801d30a2fb5f98dded5efa7f0e78b5746776f72917dcbea767e1d0afcb304d8bf8c484adedb8037e6d54e9d34997c2bc3a98b53154 AUX qemu-binfmt.initd-r1 7023 SHA256 3572c110c6f217754e638796400a5901910a2e61b8818c8569f8258b103ebcc6 SHA512 773af64fef164c00945acf5881e64a10141aa8fdc85491e57bf8dcc7c800a4f81879527998a0896a42f921edcbf5f741beb31ac2a82e45cba506c7b8461733c8 WHIRLPOOL 30382fe347248683e989c2b7fbd804ce26173b313746d80467029b2ad3594f414628f7537120b168a0e700c424d3525528eb632b07e16544c2fd07f418f3187c AUX qemu-kvm-1.4 68 SHA256 8b1adf198129f001e75a2311fc420c168094d1084d2163cdf6a32b3b23c96137 SHA512 706fab4d155c410acc292e67fb354ce7dcd17f7e33f2ca8c9c44035ea128f8d36f89e27cf87ebe22721f5676be9e7f2ae5484fd000183c8ffd7854e02eb3d120 WHIRLPOOL ef795330b592cef8e3d92f52a77eb77a671e6aa1a47d07531917b5c1c09e72e5df1a44aea939b086e0a3c5ef2a5cea9223556a46ceae73e55300475c42f07067 -DIST qemu-2.2.1.tar.bz2 24483500 SHA256 4617154c6ef744b83e10b744e392ad111dd351d435d6563ce24d8da75b1335a0 SHA512 970ead0c92fc04502c6d3a8dbfafa5797667b3d276a1a25ddbe991d20d8e17a588905ecbffa77fb3b9d12e481ac3776ca4c38fe89a5e4c96dc2fb045214bfa9f WHIRLPOOL 9226ce4a4f5c7247d6ab34eb8b45c9a91416ee5849dbe25b9d15cddbd6aba2b8da77280f6055d363a81ddec515d28bf501351cb7e21ecfb4bfe42cdb7e349788 -EBUILD qemu-2.2.1-r99.ebuild 18744 SHA256 15c5267816cbc7798b2aa0c342bd0a0254550d2fdb1497f3237aa33b53c8c59f SHA512 c7c90792a79fbf226e41f8dd61d5f3b1046a1e9c130d3216a0c29d374a09ec5aa8575e2578b843f37fd04645e2804ae91298924d307aff25922d7461bf52fe78 WHIRLPOOL ef73221242451e8772598ee1b0e346f4aa94ec59c1daf58ca9ac35d49e431c687ca5d80155e4e5846a3f76d35330a1043f9ae9018c19e0e1fc828711298aebae +DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef +EBUILD qemu-2.5.0-r99.ebuild 20028 SHA256 aeca48b0f3004f6d41077db6a763ef43c900cecf59d0f9d3ec6eb028846f0560 SHA512 31101660cd608272b6d6b24081ca095f3eb2fb2a33a2174fe62bf86fe006db6deb56590ae8a784fc69e3dd4f19c7a96035d38506f8a3d07e27397d710cf9e85c WHIRLPOOL 457f88c5e474183df7ae41a8d6c0ad49e76a6fdd69c59591c62f750c426e3998628f0770303536102d87509cfc2578813799e4052e09fb688460fa7bf424a2c4 MISC metadata.xml 3774 SHA256 45d220d5c3fedecb5c318e2ab1fa796391f5fd3db09e4ef218b3bc7cb3cb10e1 SHA512 90b16206b5398b4044132d930b417372e1d305a93b062c895bc3b46ae64a19aa96d2471b5838f960cca7c6c30ce58571f332731f02eaeee17e4204469c5d6330 WHIRLPOOL f5498b8cb14aeeacdfd1da30c26ceca282bba3042a6288496d624d91c3c26c1bed34c42374db04e06378c8efd78010d3bef76c41c1aa529ccf17cec513ed1fa8 diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch deleted file mode 100644 index 35ef8fd..0000000 --- a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch +++ /dev/null @@ -1,241 +0,0 @@ -From a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e Mon Sep 17 00:00:00 2001 -From: "Daniel P. Berrange" -Date: Mon, 23 Mar 2015 22:58:21 +0000 -Subject: [PATCH] CVE-2015-1779: incrementally decode websocket frames - -The logic for decoding websocket frames wants to fully -decode the frame header and payload, before allowing the -VNC server to see any of the payload data. There is no -size limit on websocket payloads, so this allows a -malicious network client to consume 2^64 bytes in memory -in QEMU. It can trigger this denial of service before -the VNC server even performs any authentication. - -The fix is to decode the header, and then incrementally -decode the payload data as it is needed. With this fix -the websocket decoder will allow at most 4k of data to -be buffered before decoding and processing payload. - -Signed-off-by: Daniel P. Berrange - -[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ] - - @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input, - - *payload_size = input->offset; - + *payload_size = *payload_remain; - -[ kraxel: fix 32bit build ] - - @@ -306,7 +306,7 @@ struct VncState - - uint64_t ws_payload_remain; - + size_t ws_payload_remain; - -Signed-off-by: Gerd Hoffmann ---- - ui/vnc-ws.c | 105 ++++++++++++++++++++++++++++++++++++++++-------------------- - ui/vnc-ws.h | 9 ++++-- - ui/vnc.h | 2 ++ - 3 files changed, 80 insertions(+), 36 deletions(-) - -diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c -index 85dbb7e..0b7de4e 100644 ---- a/ui/vnc-ws.c -+++ b/ui/vnc-ws.c -@@ -107,7 +107,7 @@ long vnc_client_read_ws(VncState *vs) - { - int ret, err; - uint8_t *payload; -- size_t payload_size, frame_size; -+ size_t payload_size, header_size; - VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer, - vs->ws_input.capacity, vs->ws_input.offset); - buffer_reserve(&vs->ws_input, 4096); -@@ -117,18 +117,39 @@ long vnc_client_read_ws(VncState *vs) - } - vs->ws_input.offset += ret; - -- /* make sure that nothing is left in the ws_input buffer */ -+ ret = 0; -+ /* consume as much of ws_input buffer as possible */ - do { -- err = vncws_decode_frame(&vs->ws_input, &payload, -- &payload_size, &frame_size); -- if (err <= 0) { -- return err; -+ if (vs->ws_payload_remain == 0) { -+ err = vncws_decode_frame_header(&vs->ws_input, -+ &header_size, -+ &vs->ws_payload_remain, -+ &vs->ws_payload_mask); -+ if (err <= 0) { -+ return err; -+ } -+ -+ buffer_advance(&vs->ws_input, header_size); - } -+ if (vs->ws_payload_remain != 0) { -+ err = vncws_decode_frame_payload(&vs->ws_input, -+ &vs->ws_payload_remain, -+ &vs->ws_payload_mask, -+ &payload, -+ &payload_size); -+ if (err < 0) { -+ return err; -+ } -+ if (err == 0) { -+ return ret; -+ } -+ ret += err; - -- buffer_reserve(&vs->input, payload_size); -- buffer_append(&vs->input, payload, payload_size); -+ buffer_reserve(&vs->input, payload_size); -+ buffer_append(&vs->input, payload, payload_size); - -- buffer_advance(&vs->ws_input, frame_size); -+ buffer_advance(&vs->ws_input, payload_size); -+ } - } while (vs->ws_input.offset > 0); - - return ret; -@@ -265,15 +286,14 @@ void vncws_encode_frame(Buffer *output, const void *payload, - buffer_append(output, payload, payload_size); - } - --int vncws_decode_frame(Buffer *input, uint8_t **payload, -- size_t *payload_size, size_t *frame_size) -+int vncws_decode_frame_header(Buffer *input, -+ size_t *header_size, -+ size_t *payload_remain, -+ WsMask *payload_mask) - { - unsigned char opcode = 0, fin = 0, has_mask = 0; -- size_t header_size = 0; -- uint32_t *payload32; -+ size_t payload_len; - WsHeader *header = (WsHeader *)input->buffer; -- WsMask mask; -- int i; - - if (input->offset < WS_HEAD_MIN_LEN + 4) { - /* header not complete */ -@@ -283,7 +303,7 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload, - fin = (header->b0 & 0x80) >> 7; - opcode = header->b0 & 0x0f; - has_mask = (header->b1 & 0x80) >> 7; -- *payload_size = header->b1 & 0x7f; -+ payload_len = header->b1 & 0x7f; - - if (opcode == WS_OPCODE_CLOSE) { - /* disconnect */ -@@ -300,40 +320,57 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload, - return -2; - } - -- if (*payload_size < 126) { -- header_size = 6; -- mask = header->u.m; -- } else if (*payload_size == 126 && input->offset >= 8) { -- *payload_size = be16_to_cpu(header->u.s16.l16); -- header_size = 8; -- mask = header->u.s16.m16; -- } else if (*payload_size == 127 && input->offset >= 14) { -- *payload_size = be64_to_cpu(header->u.s64.l64); -- header_size = 14; -- mask = header->u.s64.m64; -+ if (payload_len < 126) { -+ *payload_remain = payload_len; -+ *header_size = 6; -+ *payload_mask = header->u.m; -+ } else if (payload_len == 126 && input->offset >= 8) { -+ *payload_remain = be16_to_cpu(header->u.s16.l16); -+ *header_size = 8; -+ *payload_mask = header->u.s16.m16; -+ } else if (payload_len == 127 && input->offset >= 14) { -+ *payload_remain = be64_to_cpu(header->u.s64.l64); -+ *header_size = 14; -+ *payload_mask = header->u.s64.m64; - } else { - /* header not complete */ - return 0; - } - -- *frame_size = header_size + *payload_size; -+ return 1; -+} -+ -+int vncws_decode_frame_payload(Buffer *input, -+ size_t *payload_remain, WsMask *payload_mask, -+ uint8_t **payload, size_t *payload_size) -+{ -+ size_t i; -+ uint32_t *payload32; - -- if (input->offset < *frame_size) { -- /* frame not complete */ -+ *payload = input->buffer; -+ /* If we aren't at the end of the payload, then drop -+ * off the last bytes, so we're always multiple of 4 -+ * for purpose of unmasking, except at end of payload -+ */ -+ if (input->offset < *payload_remain) { -+ *payload_size = input->offset - (input->offset % 4); -+ } else { -+ *payload_size = *payload_remain; -+ } -+ if (*payload_size == 0) { - return 0; - } -- -- *payload = input->buffer + header_size; -+ *payload_remain -= *payload_size; - - /* unmask frame */ - /* process 1 frame (32 bit op) */ - payload32 = (uint32_t *)(*payload); - for (i = 0; i < *payload_size / 4; i++) { -- payload32[i] ^= mask.u; -+ payload32[i] ^= payload_mask->u; - } - /* process the remaining bytes (if any) */ - for (i *= 4; i < *payload_size; i++) { -- (*payload)[i] ^= mask.c[i % 4]; -+ (*payload)[i] ^= payload_mask->c[i % 4]; - } - - return 1; -diff --git a/ui/vnc-ws.h b/ui/vnc-ws.h -index ef229b7..14d4230 100644 ---- a/ui/vnc-ws.h -+++ b/ui/vnc-ws.h -@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs); - void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size); - void vncws_encode_frame(Buffer *output, const void *payload, - const size_t payload_size); --int vncws_decode_frame(Buffer *input, uint8_t **payload, -- size_t *payload_size, size_t *frame_size); -+int vncws_decode_frame_header(Buffer *input, -+ size_t *header_size, -+ size_t *payload_remain, -+ WsMask *payload_mask); -+int vncws_decode_frame_payload(Buffer *input, -+ size_t *payload_remain, WsMask *payload_mask, -+ uint8_t **payload, size_t *payload_size); - - #endif /* __QEMU_UI_VNC_WS_H */ -diff --git a/ui/vnc.h b/ui/vnc.h -index e19ac39..3f7c6a9 100644 ---- a/ui/vnc.h -+++ b/ui/vnc.h -@@ -306,6 +306,8 @@ struct VncState - #ifdef CONFIG_VNC_WS - Buffer ws_input; - Buffer ws_output; -+ size_t ws_payload_remain; -+ WsMask ws_payload_mask; - #endif - /* current output mode information */ - VncWritePixels *write_pixels; --- -2.3.5 - diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch deleted file mode 100644 index c7a8c8b..0000000 --- a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41 Mon Sep 17 00:00:00 2001 -From: "Daniel P. Berrange" -Date: Mon, 23 Mar 2015 22:58:22 +0000 -Subject: [PATCH] CVE-2015-1779: limit size of HTTP headers from websockets - clients - -The VNC server websockets decoder will read and buffer data from -websockets clients until it sees the end of the HTTP headers, -as indicated by \r\n\r\n. In theory this allows a malicious to -trick QEMU into consuming an arbitrary amount of RAM. In practice, -because QEMU runs g_strstr_len() across the buffered header data, -it will spend increasingly long burning CPU time searching for -the substring match and less & less time reading data. So while -this does cause arbitrary memory growth, the bigger problem is -that QEMU will be burning 100% of available CPU time. - -A novnc websockets client typically sends headers of around -512 bytes in length. As such it is reasonable to place a 4096 -byte limit on the amount of data buffered while searching for -the end of HTTP headers. - -Signed-off-by: Daniel P. Berrange -Signed-off-by: Gerd Hoffmann ---- - ui/vnc-ws.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c -index 0b7de4e..62eb97f 100644 ---- a/ui/vnc-ws.c -+++ b/ui/vnc-ws.c -@@ -81,8 +81,11 @@ void vncws_handshake_read(void *opaque) - VncState *vs = opaque; - uint8_t *handshake_end; - long ret; -- buffer_reserve(&vs->ws_input, 4096); -- ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); -+ /* Typical HTTP headers from novnc are 512 bytes, so limiting -+ * total header size to 4096 is easily enough. */ -+ size_t want = 4096 - vs->ws_input.offset; -+ buffer_reserve(&vs->ws_input, want); -+ ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want); - - if (!ret) { - if (vs->csock == -1) { -@@ -99,6 +102,9 @@ void vncws_handshake_read(void *opaque) - vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset); - buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer + - strlen(WS_HANDSHAKE_END)); -+ } else if (vs->ws_input.offset >= 4096) { -+ VNC_DEBUG("End of headers not found in first 4096 bytes\n"); -+ vnc_client_error(vs); - } - } - --- -2.3.5 - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch deleted file mode 100644 index 87697d0..0000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch +++ /dev/null @@ -1,86 +0,0 @@ -https://bugs.gentoo.org/549404 - -From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 -From: Petr Matousek -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek -Reviewed-by: John Snow -Signed-off-by: John Snow ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index f72a392..d8a8edd 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command --- -1.7.0.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch new file mode 100644 index 0000000..fbc6a0a --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch @@ -0,0 +1,50 @@ +https://bugs.gentoo.org/568246 + +From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Mon, 14 Dec 2015 09:21:23 +0100 +Subject: [PATCH] ehci: make idt processing more robust + +Make ehci_process_itd return an error in case we didn't do any actual +iso transfer because we've found no active transaction. That'll avoid +ehci happily run in circles forever if the guest builds a loop out of +idts. + +This is CVE-2015-8558. + +Cc: qemu-stable@nongnu.org +Reported-by: Qinghao Tang +Tested-by: P J P +Signed-off-by: Gerd Hoffmann +--- + hw/usb/hcd-ehci.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c +index 4e2161b..d07f228 100644 +--- a/hw/usb/hcd-ehci.c ++++ b/hw/usb/hcd-ehci.c +@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci, + { + USBDevice *dev; + USBEndpoint *ep; +- uint32_t i, len, pid, dir, devaddr, endp; ++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0; + uint32_t pg, off, ptr1, ptr2, max, mult; + + ehci->periodic_sched_active = PERIODIC_ACTIVE; +@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci, + ehci_raise_irq(ehci, USBSTS_INT); + } + itd->transact[i] &= ~ITD_XACT_ACTIVE; ++ xfers++; + } + } +- return 0; ++ return xfers ? 0 : -1; + } + + +-- +2.6.2 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch new file mode 100644 index 0000000..e196043 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch @@ -0,0 +1,95 @@ +https://bugs.gentoo.org/567868 + +From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001 +From: P J P +Date: Tue, 15 Dec 2015 12:27:54 +0530 +Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device + +Vmxnet3 device emulator does not check if the device is active +before activating it, also it did not free the transmit & receive +buffers while deactivating the device, thus resulting in memory +leakage on the host. This patch fixes both these issues to avoid +host memory leakage. + +Reported-by: Qinghao Tang +Reviewed-by: Dmitry Fleytman +Signed-off-by: Prasad J Pandit +Cc: qemu-stable@nongnu.org +Signed-off-by: Jason Wang +--- + hw/net/vmxnet3.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c +index a5dd79a..9c1adfc 100644 +--- a/hw/net/vmxnet3.c ++++ b/hw/net/vmxnet3.c +@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) + + static void vmxnet3_deactivate_device(VMXNET3State *s) + { +- VMW_CBPRN("Deactivating vmxnet3..."); +- s->device_active = false; ++ if (s->device_active) { ++ VMW_CBPRN("Deactivating vmxnet3..."); ++ vmxnet_tx_pkt_reset(s->tx_pkt); ++ vmxnet_tx_pkt_uninit(s->tx_pkt); ++ vmxnet_rx_pkt_uninit(s->rx_pkt); ++ s->device_active = false; ++ } + } + + static void vmxnet3_reset(VMXNET3State *s) +@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) + + vmxnet3_deactivate_device(s); + vmxnet3_reset_interrupt_states(s); +- vmxnet_tx_pkt_reset(s->tx_pkt); + s->drv_shmem = 0; + s->tx_sop = true; + s->skip_current_tx_pkt = false; +@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) + return; + } + ++ /* Verify if device is active */ ++ if (s->device_active) { ++ VMW_CFPRN("Vmxnet3 device is active"); ++ return; ++ } ++ + vmxnet3_adjust_by_guest_type(s); + vmxnet3_update_features(s); + vmxnet3_update_pm_state(s); +@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) + break; + + case VMXNET3_CMD_QUIESCE_DEV: +- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); ++ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); + vmxnet3_deactivate_device(s); + break; + +@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, + * shared address only after we get the high part + */ + if (val == 0) { +- s->device_active = false; ++ vmxnet3_deactivate_device(s); + } + s->temp_shared_guest_driver_memory = val; + s->drv_shmem = 0; +@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) + static void vmxnet3_net_uninit(VMXNET3State *s) + { + g_free(s->mcast_list); +- vmxnet_tx_pkt_reset(s->tx_pkt); +- vmxnet_tx_pkt_uninit(s->tx_pkt); +- vmxnet_rx_pkt_uninit(s->rx_pkt); ++ vmxnet3_deactivate_device(s); + qemu_del_nic(s->nic); + } + +-- +2.6.2 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch new file mode 100644 index 0000000..0dab1c3 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch @@ -0,0 +1,49 @@ +https://bugs.gentoo.org/570110 + +From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 28 Dec 2015 16:24:08 +0530 +Subject: [PATCH] net: rocker: fix an incorrect array bounds check + +While processing transmit(tx) descriptors in 'tx_consume' routine +the switch emulator suffers from an off-by-one error, if a +descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) +fragments. Fix an incorrect bounds check to avoid it. + +Reported-by: Qinghao Tang +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/rocker/rocker.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c +index c57f1a6..2e77e50 100644 +--- a/hw/net/rocker/rocker.c ++++ b/hw/net/rocker/rocker.c +@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) + frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); + frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); + ++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { ++ goto err_too_many_frags; ++ } + iov[iovcnt].iov_len = frag_len; + iov[iovcnt].iov_base = g_malloc(frag_len); + if (!iov[iovcnt].iov_base) { +@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) + err = -ROCKER_ENXIO; + goto err_bad_io; + } +- +- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { +- goto err_too_many_frags; +- } ++ iovcnt++; + } + + if (iovcnt) { +-- +2.6.2 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch new file mode 100644 index 0000000..b2bca56 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch @@ -0,0 +1,50 @@ +https://bugs.gentoo.org/570988 + +From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Thu, 31 Dec 2015 17:05:27 +0530 +Subject: [PATCH] net: ne2000: fix bounds check in ioport operations + +While doing ioport r/w operations, ne2000 device emulation suffers +from OOB r/w errors. Update respective array bounds check to avoid +OOB access. + +Reported-by: Ling Liu +Cc: qemu-stable@nongnu.org +Signed-off-by: Prasad J Pandit +Signed-off-by: Jason Wang +--- + hw/net/ne2000.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c +index 010f9ef..a3dffff 100644 +--- a/hw/net/ne2000.c ++++ b/hw/net/ne2000.c +@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, + uint32_t val) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + stl_le_p(s->mem + addr, val); + } + } +@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) + static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) + { + addr &= ~1; /* XXX: check exact behaviour if not even */ +- if (addr < 32 || +- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { ++ if (addr < 32 ++ || (addr >= NE2000_PMEM_START ++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { + return ldl_le_p(s->mem + addr); + } else { + return 0xffffffff; +-- +2.6.2 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch new file mode 100644 index 0000000..4ce9a35 --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch @@ -0,0 +1,41 @@ +https://bugs.gentoo.org/571566 + +From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 +From: Prasad J Pandit +Date: Mon, 11 Jan 2016 14:10:42 -0500 +Subject: [PATCH] ide: ahci: reset ncq object to unused on error + +When processing NCQ commands, AHCI device emulation prepares a +NCQ transfer object; To which an aio control block(aiocb) object +is assigned in 'execute_ncq_command'. In case, when the NCQ +command is invalid, the 'aiocb' object is not assigned, and NCQ +transfer object is left as 'used'. This leads to a use after +free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. +Reset NCQ transfer object to 'unused' to avoid it. + +[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] + +Reported-by: Qinghao Tang +Signed-off-by: Prasad J Pandit +Reviewed-by: John Snow +Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com +Signed-off-by: John Snow +--- + hw/ide/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c +index dd1912e..17f1cbd 100644 +--- a/hw/ide/ahci.c ++++ b/hw/ide/ahci.c +@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) + ide_state->error = ABRT_ERR; + ide_state->status = READY_STAT | ERR_STAT; + ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); ++ ncq_tfs->used = 0; + } + + static void ncq_finish(NCQTransferState *ncq_tfs) +-- +2.6.2 + diff --git a/app-emulation/qemu/files/qemu-2.5.0-cflags.patch b/app-emulation/qemu/files/qemu-2.5.0-cflags.patch new file mode 100644 index 0000000..173394f --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-cflags.patch @@ -0,0 +1,13 @@ +--- a/configure ++++ b/configure +@@ -4468,10 +4468,6 @@ fi + if test "$gcov" = "yes" ; then + CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS" + LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS" +-elif test "$fortify_source" = "yes" ; then +- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS" +-elif test "$debug" = "no"; then +- CFLAGS="-O2 $CFLAGS" + fi + + ########################################## diff --git a/app-emulation/qemu/qemu-2.2.1-r99.ebuild b/app-emulation/qemu/qemu-2.5.0-r99.ebuild similarity index 73% rename from app-emulation/qemu/qemu-2.2.1-r99.ebuild rename to app-emulation/qemu/qemu-2.5.0-r99.ebuild index 5b8baf1..2fe26b3 100644 --- a/app-emulation/qemu/qemu-2.2.1-r99.ebuild +++ b/app-emulation/qemu/qemu-2.5.0-r99.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/app-emulation/qemu/qemu-2.2.1-r2.ebuild,v 1.3 2015/05/14 07:09:58 ago Exp $ +# $Id$ EAPI=5 @@ -16,12 +16,11 @@ if [[ ${PV} = *9999* ]]; then EGIT_REPO_URI="git://git.qemu.org/qemu.git" inherit git-2 SRC_URI="" - KEYWORDS="" else SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2 ${BACKPORTS:+ - http://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}" - KEYWORDS="amd64 ~ppc ~ppc64 x86 ~x86-fbsd" + https://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}" + KEYWORDS="amd64 ~ppc x86" fi DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools" @@ -30,76 +29,119 @@ HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org" LICENSE="GPL-2 LGPL-2 BSD-2" SLOT="0" IUSE="accessibility +aio alsa bluetooth +caps +curl debug +fdt glusterfs \ -gtk infiniband iscsi +jpeg \ +gnutls gtk gtk2 infiniband iscsi +jpeg \ kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs +png pulseaudio python \ -rbd sasl +seccomp sdl selinux smartcard snappy spice ssh static static-softmmu \ -static-user systemtap tci test +threads tls usb usbredir +uuid vde +vhost-net \ -virtfs +vnc xattr xen xfs" +rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static static-softmmu +static-user systemtap tci test +threads usb usbredir +uuid vde +vhost-net \ +virgl virtfs +vnc vte xattr xen xfs" COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32 x86_64" -IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb xtensa xtensaeb" -IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 sparc32plus" +IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore xtensa xtensaeb" +IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32 ppc64le sparc32plus tilegx" -use_targets=" - $(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) - $(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) -" -IUSE+=" ${use_targets}" +use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s' ${IUSE_SOFTMMU_TARGETS}) +use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS}) +IUSE+=" ${use_softmmu_targets} ${use_user_targets}" -# Require at least one softmmu or user target. +# Allow no targets to be built so that people can get a tools-only build. # Block USE flag configurations known to not work. -REQUIRED_USE="|| ( ${use_targets} ) - ${PYTHON_REQUIRED_USE} +REQUIRED_USE="${PYTHON_REQUIRED_USE} + gtk2? ( gtk ) qemu_softmmu_targets_arm? ( fdt ) qemu_softmmu_targets_microblaze? ( fdt ) qemu_softmmu_targets_ppc? ( fdt ) qemu_softmmu_targets_ppc64? ( fdt ) + sdl2? ( sdl ) static? ( static-softmmu static-user ) - static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk ) - virtfs? ( xattr )" + static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 ) + virtfs? ( xattr ) + vte? ( gtk )" # Yep, you need both libcap and libcap-ng since virtfs only uses libcap. # # The attr lib isn't always linked in (although the USE flag is always # respected). This is because qemu supports using the C library's API # when available rather than always using the extranl library. +# +# Older versions of gnutls are supported, but it's simpler to just require +# the latest versions. This is also why we require nettle. COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)] sys-libs/zlib[static-libs(+)] xattr? ( sys-apps/attr[static-libs(+)] )" SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND} >=x11-libs/pixman-0.28.0[static-libs(+)] + accessibility? ( app-accessibility/brltty[static-libs(+)] ) aio? ( dev-libs/libaio[static-libs(+)] ) + alsa? ( >=media-libs/alsa-lib-1.0.13 ) + bluetooth? ( net-wireless/bluez ) caps? ( sys-libs/libcap-ng[static-libs(+)] ) curl? ( >=net-misc/curl-7.15.4[static-libs(+)] ) fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] ) glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] ) + gnutls? ( + dev-libs/nettle[static-libs(+)] + >=net-libs/gnutls-3.0[static-libs(+)] + ) + gtk? ( + gtk2? ( + x11-libs/gtk+:2 + vte? ( x11-libs/vte:0 ) + ) + !gtk2? ( + x11-libs/gtk+:3 + vte? ( x11-libs/vte:2.90 ) + ) + ) infiniband? ( sys-infiniband/librdmacm:=[static-libs(+)] ) + iscsi? ( net-libs/libiscsi ) jpeg? ( virtual/jpeg:=[static-libs(+)] ) lzo? ( dev-libs/lzo:2[static-libs(+)] ) - ncurses? ( sys-libs/ncurses[static-libs(+)] ) + ncurses? ( sys-libs/ncurses:0=[static-libs(+)] ) nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] ) numa? ( sys-process/numactl[static-libs(+)] ) + opengl? ( + virtual/opengl + media-libs/libepoxy[static-libs(+)] + media-libs/mesa[static-libs(+)] + media-libs/mesa[egl,gles2] + ) png? ( media-libs/libpng:0=[static-libs(+)] ) + pulseaudio? ( media-sound/pulseaudio ) rbd? ( sys-cluster/ceph[static-libs(+)] ) sasl? ( dev-libs/cyrus-sasl[static-libs(+)] ) - sdl? ( >=media-libs/libsdl-1.2.11[static-libs(+)] ) + sdl? ( + !sdl2? ( + media-libs/libsdl[X] + >=media-libs/libsdl-1.2.11[static-libs(+)] + ) + sdl2? ( + media-libs/libsdl2[X] + media-libs/libsdl2[static-libs(+)] + ) + ) seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] ) + smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] ) snappy? ( app-arch/snappy[static-libs(+)] ) - spice? ( >=app-emulation/spice-0.12.0[static-libs(+)] ) + spice? ( + >=app-emulation/spice-protocol-0.12.3 + >=app-emulation/spice-0.12.0[static-libs(+)] + ) ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] ) - tls? ( net-libs/gnutls[static-libs(+)] ) - usb? ( >=dev-libs/libusb-1.0.18[static-libs(+)] ) + usb? ( >=virtual/libusb-1-r2[static-libs(+)] ) + usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] ) uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] ) vde? ( net-misc/vde[static-libs(+)] ) + virgl? ( media-libs/virglrenderer[static-libs(+)] ) + virtfs? ( sys-libs/libcap ) xfs? ( sys-fs/xfsprogs[static-libs(+)] )" USER_LIB_DEPEND="${COMMON_LIB_DEPEND}" X86_FIRMWARE_DEPEND=" >=sys-firmware/ipxe-1.0.0_p20130624 pin-upstream-blobs? ( - ~sys-firmware/seabios-1.7.5 + ~sys-firmware/seabios-1.8.2 ~sys-firmware/sgabios-0.1_pre8 ~sys-firmware/vgabios-0.7a ) @@ -108,28 +150,14 @@ X86_FIRMWARE_DEPEND=" sys-firmware/sgabios sys-firmware/vgabios )" -CDEPEND="!static-softmmu? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) - !static-user? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) +CDEPEND=" + !static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) ) + !static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} ) " ${use_user_targets}) ) qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} ) qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} ) - accessibility? ( app-accessibility/brltty ) - alsa? ( >=media-libs/alsa-lib-1.0.13 ) - bluetooth? ( net-wireless/bluez ) - gtk? ( - x11-libs/gtk+:3 - x11-libs/vte:2.90 - ) - iscsi? ( net-libs/libiscsi ) - opengl? ( virtual/opengl ) - pulseaudio? ( media-sound/pulseaudio ) python? ( ${PYTHON_DEPS} ) - sdl? ( media-libs/libsdl[X] ) - smartcard? ( dev-libs/nss !app-emulation/libcacard ) - spice? ( >=app-emulation/spice-protocol-0.12.3 ) systemtap? ( dev-util/systemtap ) - usbredir? ( >=sys-apps/usbredir-0.6 ) - virtfs? ( sys-libs/libcap ) - xen? ( app-emulation/xen-tools )" + xen? ( app-emulation/xen-tools:= )" DEPEND="${CDEPEND} dev-lang/perl =dev-lang/python-2* @@ -137,8 +165,8 @@ DEPEND="${CDEPEND} virtual/pkgconfig kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 ) gtk? ( nls? ( sys-devel/gettext ) ) - static-softmmu? ( ${SOFTMMU_LIB_DEPEND} ) - static-user? ( ${USER_LIB_DEPEND} ) + static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND} ) " ${use_softmmu_targets}) ) + static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND} ) " ${use_user_targets}) ) test? ( dev-libs/glib[utils] sys-devel/bc @@ -245,10 +273,32 @@ pkg_pretend() { pkg_setup() { enewgroup kvm 78 - python_setup +} + +# Sanity check to make sure target lists are kept up-to-date. +check_targets() { + local var=$1 mak=$2 + local detected sorted + + pushd "${S}"/default-configs >/dev/null || die + + # Force C locale until glibc is updated. #564936 + detected=$(echo $(printf '%s\n' *-${mak}.mak | sed "s:-${mak}.mak::" | LC_COLLATE=C sort -u)) + sorted=$(echo $(printf '%s\n' ${!var} | LC_COLLATE=C sort -u)) + if [[ ${sorted} != "${detected}" ]] ; then + eerror "The ebuild needs to be kept in sync." + eerror "${var}: ${sorted}" + eerror "$(printf '%-*s' ${#var} configure): ${detected}" + die "sync ${var} to the list of targets" + fi + + popd >/dev/null } src_prepare() { + check_targets IUSE_SOFTMMU_TARGETS softmmu + check_targets IUSE_USER_TARGETS linux-user + # Alter target makefiles to accept CFLAGS set via flag-o sed -i -r \ -e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \ @@ -257,20 +307,22 @@ src_prepare() { # Cheap hack to disable gettext .mo generation. use nls || rm -f po/*.po - epatch "${FILESDIR}"/qemu-1.7.0-cflags.patch - epatch "${FILESDIR}"/${P}-CVE-2015-1779-1.patch #544328 - epatch "${FILESDIR}"/${P}-CVE-2015-1779-2.patch #544328 - epatch "${FILESDIR}"/${PN}-2.3.0-CVE-2015-3456.patch #549404 - # Patching for musl epatch "${FILESDIR}"/${PN}-2.0.0-F_SHLCK-and-F_EXLCK.patch epatch "${FILESDIR}"/${PN}-2.0.0-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch epatch "${FILESDIR}"/${PN}-2.2.0-_sigev_un.patch + epatch "${FILESDIR}"/qemu-2.5.0-cflags.patch [[ -n ${BACKPORTS} ]] && \ EPATCH_FORCE=yes EPATCH_SUFFIX="patch" EPATCH_SOURCE="${S}/patches" \ epatch + epatch "${FILESDIR}"/${P}-CVE-2015-8567.patch #567868 + epatch "${FILESDIR}"/${P}-CVE-2015-8558.patch #568246 + epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110 + epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988 + epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566 + # Fix ld and objcopy being called directly tc-export AR LD OBJCOPY @@ -288,14 +340,10 @@ qemu_src_configure() { debug-print-function ${FUNCNAME} "$@" local buildtype=$1 - local builddir=$2 + local builddir="${S}/${buildtype}-build" local static_flag="static-${buildtype}" - # audio options - local audio_opts="oss" - use alsa && audio_opts="alsa,${audio_opts}" - use sdl && audio_opts="sdl,${audio_opts}" - use pulseaudio && audio_opts="pa,${audio_opts}" + mkdir "${builddir}" local conf_opts=( --prefix=/usr @@ -306,6 +354,11 @@ qemu_src_configure() { --disable-guest-agent --disable-strip --disable-werror + # We support gnutls/nettle for crypto operations. It is possible + # to use gcrypt when gnutls/nettle are disabled (but not when they + # are enabled), but it's not really worth the hassle. Disable it + # all the time to avoid automatically detecting it. #568856 + --disable-gcrypt --python="${PYTHON}" --cc="$(tc-getCC)" --cxx="$(tc-getCXX)" @@ -334,6 +387,8 @@ qemu_src_configure() { $(conf_softmmu curl) $(conf_softmmu fdt) $(conf_softmmu glusterfs) + $(conf_softmmu gnutls) + $(conf_softmmu gnutls nettle) $(conf_softmmu gtk) $(conf_softmmu infiniband rdma) $(conf_softmmu iscsi libiscsi) @@ -343,26 +398,25 @@ qemu_src_configure() { $(conf_softmmu ncurses curses) $(conf_softmmu nfs libnfs) $(conf_softmmu numa) - $(conf_softmmu opengl glx) + $(conf_softmmu opengl) $(conf_softmmu png vnc-png) $(conf_softmmu rbd) $(conf_softmmu sasl vnc-sasl) $(conf_softmmu sdl) $(conf_softmmu seccomp) - $(conf_softmmu smartcard smartcard-nss) + $(conf_softmmu smartcard) $(conf_softmmu snappy) $(conf_softmmu spice) $(conf_softmmu ssh libssh2) - $(conf_softmmu tls quorum) - $(conf_softmmu tls vnc-tls) - $(conf_softmmu tls vnc-ws) $(conf_softmmu usb libusb) $(conf_softmmu usbredir usb-redir) $(conf_softmmu uuid) $(conf_softmmu vde) $(conf_softmmu vhost-net) + $(conf_softmmu virgl virglrenderer) $(conf_softmmu virtfs) $(conf_softmmu vnc) + $(conf_softmmu vte) $(conf_softmmu xen) $(conf_softmmu xen xen-pci-passthrough) $(conf_softmmu xfs xfsctl) @@ -373,23 +427,39 @@ qemu_src_configure() { conf_opts+=( --enable-linux-user --disable-system - --target-list="${user_targets}" --disable-blobs --disable-tools ) ;; softmmu) + # audio options + local audio_opts="oss" + use alsa && audio_opts="alsa,${audio_opts}" + use sdl && audio_opts="sdl,${audio_opts}" + use pulseaudio && audio_opts="pa,${audio_opts}" + conf_opts+=( --disable-linux-user --enable-system - --target-list="${softmmu_targets}" --with-system-pixman --audio-drv-list="${audio_opts}" ) - use gtk && conf_opts+=( --with-gtkabi=3.0 ) + use gtk && conf_opts+=( --with-gtkabi=$(usex gtk2 2.0 3.0) ) + use sdl && conf_opts+=( --with-sdlabi=$(usex sdl2 2.0 1.2) ) + ;; + tools) + conf_opts+=( + --disable-linux-user + --disable-system + --disable-blobs + ) + static_flag="static" ;; esac + local targets="${buildtype}_targets" + [[ -n ${targets} ]] && conf_opts+=( --target-list="${!targets}" ) + # Add support for SystemTAP use systemtap && conf_opts+=( --enable-trace-backend=dtrace ) @@ -402,7 +472,7 @@ qemu_src_configure() { gcc-specs-pie && conf_opts+=( --enable-pie ) fi - einfo "../configure ${conf_opts[*]}" + echo "../configure ${conf_opts[*]}" cd "${builddir}" ../configure "${conf_opts[@]}" || die "configure failed" @@ -415,7 +485,7 @@ qemu_src_configure() { src_configure() { local target - python_export_best + python_setup softmmu_targets= softmmu_bins=() user_targets= user_bins=() @@ -434,21 +504,12 @@ src_configure() { fi done - [[ -n ${softmmu_targets} ]] && \ - einfo "Building the following softmmu targets: ${softmmu_targets}" - - [[ -n ${user_targets} ]] && \ - einfo "Building the following user targets: ${user_targets}" - - if [[ -n ${softmmu_targets} ]]; then - mkdir "${S}/softmmu-build" - qemu_src_configure "softmmu" "${S}/softmmu-build" - fi + softmmu_targets=${softmmu_targets#,} + user_targets=${user_targets#,} - if [[ -n ${user_targets} ]]; then - mkdir "${S}/user-build" - qemu_src_configure "user" "${S}/user-build" - fi + [[ -n ${softmmu_targets} ]] && qemu_src_configure "softmmu" + [[ -n ${user_targets} ]] && qemu_src_configure "user" + [[ -z ${softmmu_targets}${user_targets} ]] && qemu_src_configure "tools" } src_compile() { @@ -461,6 +522,11 @@ src_compile() { cd "${S}/softmmu-build" default fi + + if [[ -z ${softmmu_targets}${user_targets} ]]; then + cd "${S}/tools-build" + default + fi } src_test() { @@ -506,6 +572,11 @@ src_install() { fi fi + if [[ -z ${softmmu_targets}${user_targets} ]]; then + cd "${S}/tools-build" + emake DESTDIR="${ED}" install + fi + # Disable mprotect on the qemu binaries as they use JITs to be fast #459348 pushd "${ED}"/usr/bin >/dev/null pax-mark m "${softmmu_bins[@]}" "${user_bins[@]}" @@ -516,21 +587,21 @@ src_install() { doins "${FILESDIR}/bridge.conf" # Remove the docdir placed qmp-commands.txt - mv "${ED}/usr/share/doc/${PF}/html/qmp-commands.txt" "${S}/docs/qmp/" + mv "${ED}/usr/share/doc/${PF}/html/qmp-commands.txt" "${S}/docs/" || die cd "${S}" dodoc Changelog MAINTAINERS docs/specs/pci-ids.txt newdoc pc-bios/README README.pc-bios - dodoc docs/qmp/*.txt + dodoc docs/qmp-*.txt - # Remove SeaBIOS since we're using the SeaBIOS packaged one - rm "${ED}/usr/share/qemu/bios.bin" - if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then - dosym ../seabios/bios.bin /usr/share/qemu/bios.bin - fi - - # Remove vgabios since we're using the vgabios packaged one if [[ -n ${softmmu_targets} ]]; then + # Remove SeaBIOS since we're using the SeaBIOS packaged one + rm "${ED}/usr/share/qemu/bios.bin" + if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386; then + dosym ../seabios/bios.bin /usr/share/qemu/bios.bin + fi + + # Remove vgabios since we're using the vgabios packaged one rm "${ED}/usr/share/qemu/vgabios.bin" rm "${ED}/usr/share/qemu/vgabios-cirrus.bin" rm "${ED}/usr/share/qemu/vgabios-qxl.bin" @@ -568,21 +639,6 @@ src_install() { pkg_postinst() { if qemu_support_kvm; then readme.gentoo_print_elog - ewarn "Migration from qemu-kvm instances and loading qemu-kvm created" - ewarn "save states has been removed starting with the 1.6.2 release" - ewarn - ewarn "It is recommended that you migrate any VMs that may be running" - ewarn "on qemu-kvm to a host with a newer qemu and regenerate" - ewarn "any saved states with a newer qemu." - ewarn - ewarn "qemu-kvm was the primary qemu provider in Gentoo through 1.2.x" - - if use x86 || use amd64; then - ewarn - ewarn "The /usr/bin/kvm and /usr/bin/qemu-kvm wrappers are no longer" - ewarn "installed. In order to use kvm acceleration, pass the flag" - ewarn "-enable-kvm when running your system target." - fi fi if [[ -n ${softmmu_targets} ]] && use kernel_linux; then @@ -590,10 +646,6 @@ pkg_postinst() { fi fcaps cap_net_admin /usr/libexec/qemu-bridge-helper - if use virtfs && [ -n "${softmmu_targets}" ]; then - local virtfs_caps="cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_setgid,cap_mknod,cap_setuid" - fcaps ${virtfs_caps} /usr/bin/virtfs-proxy-helper - fi } pkg_info() { @@ -601,7 +653,7 @@ pkg_info() { echo " $(best_version app-emulation/spice-protocol)" echo " $(best_version sys-firmware/ipxe)" echo " $(best_version sys-firmware/seabios)" - if has_version sys-firmware/seabios[binary]; then + if has_version 'sys-firmware/seabios[binary]'; then echo " USE=binary" else echo " USE=''"