From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 58CE0138332 for ; Mon, 5 Sep 2016 05:30:19 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7BC76E09B2; Mon, 5 Sep 2016 05:30:15 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6326DE09B2 for ; Mon, 5 Sep 2016 05:30:14 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0262634081F for ; Mon, 5 Sep 2016 05:30:12 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 2C4E2247A for ; Mon, 5 Sep 2016 05:30:11 +0000 (UTC) From: "Matthias Maier" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Matthias Maier" Message-ID: <1473053400.6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9.tamiko@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch X-VCS-Directories: app-emulation/qemu/files/ X-VCS-Committer: tamiko X-VCS-Committer-Name: Matthias Maier X-VCS-Revision: 6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9 X-VCS-Branch: master Date: Mon, 5 Sep 2016 05:30:11 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: df2510ac-a36b-4dde-bb4d-149a002326d1 X-Archives-Hash: b858709ef7499a6ea4c3f05fb6f411b0 commit: 6ac7a9b9a00ee2c1afb780ffcafc8e66ce1b59d9 Author: Matthias Maier gentoo org> AuthorDate: Mon Sep 5 05:00:00 2016 +0000 Commit: Matthias Maier gentoo org> CommitDate: Mon Sep 5 05:30:00 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ac7a9b9 app-emulation/qemu: drop obsolete patches Package-Manager: portage-2.2.28 .../qemu/files/qemu-2.5.0-9pfs-segfault.patch | 34 ------ .../qemu/files/qemu-2.5.0-CVE-2015-8567.patch | 95 ---------------- .../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ------ .../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 --------------------- .../qemu/files/qemu-2.5.0-CVE-2015-8701.patch | 49 --------- .../qemu/files/qemu-2.5.0-CVE-2015-8743.patch | 50 --------- .../qemu/files/qemu-2.5.0-CVE-2016-1568.patch | 41 ------- .../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 ---------- .../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 ----------- .../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 ----------------- .../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 -------- .../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ------ .../qemu/files/qemu-2.5.0-ne2000-reg-check.patch | 37 ------- .../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 --------- .../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 ---------- .../qemu/files/qemu-2.6.0-crypto-static.patch | 60 ---------- .../qemu/files/qemu-2.6.0-glib-size_t.patch | 11 -- 17 files changed, 943 deletions(-) diff --git a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch b/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch deleted file mode 100644 index 0e27684..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-9pfs-segfault.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 4b3a4f2d458ca5a7c6c16ac36a8d9ac22cc253d6 Mon Sep 17 00:00:00 2001 -From: Greg Kurz -Date: Wed, 23 Dec 2015 10:56:58 +0100 -Subject: [PATCH] virtio-9p: use accessor to get thread_pool - -The aio_context_new() function does not allocate a thread pool. This is -deferred to the first call to the aio_get_thread_pool() accessor. It is -hence forbidden to access the thread_pool field directly, as it may be -NULL. The accessor *must* be used always. - -Fixes: ebac1202c95a4f1b76b6ef3f0f63926fa76e753e -Reviewed-by: Michael Tokarev -Tested-by: Michael Tokarev -Cc: qemu-stable@nongnu.org -Signed-off-by: Greg Kurz ---- - hw/9pfs/virtio-9p-coth.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/9pfs/virtio-9p-coth.c b/hw/9pfs/virtio-9p-coth.c -index fb6e8f8..ab9425c 100644 ---- a/hw/9pfs/virtio-9p-coth.c -+++ b/hw/9pfs/virtio-9p-coth.c -@@ -36,6 +36,6 @@ static int coroutine_enter_func(void *arg) - void co_run_in_worker_bh(void *opaque) - { - Coroutine *co = opaque; -- thread_pool_submit_aio(qemu_get_aio_context()->thread_pool, -+ thread_pool_submit_aio(aio_get_thread_pool(qemu_get_aio_context()), - coroutine_enter_func, co, coroutine_enter_cb, co); - } --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch deleted file mode 100644 index e196043..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch +++ /dev/null @@ -1,95 +0,0 @@ -https://bugs.gentoo.org/567868 - -From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001 -From: P J P -Date: Tue, 15 Dec 2015 12:27:54 +0530 -Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device - -Vmxnet3 device emulator does not check if the device is active -before activating it, also it did not free the transmit & receive -buffers while deactivating the device, thus resulting in memory -leakage on the host. This patch fixes both these issues to avoid -host memory leakage. - -Reported-by: Qinghao Tang -Reviewed-by: Dmitry Fleytman -Signed-off-by: Prasad J Pandit -Cc: qemu-stable@nongnu.org -Signed-off-by: Jason Wang ---- - hw/net/vmxnet3.c | 24 ++++++++++++++++-------- - 1 file changed, 16 insertions(+), 8 deletions(-) - -diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c -index a5dd79a..9c1adfc 100644 ---- a/hw/net/vmxnet3.c -+++ b/hw/net/vmxnet3.c -@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s) - - static void vmxnet3_deactivate_device(VMXNET3State *s) - { -- VMW_CBPRN("Deactivating vmxnet3..."); -- s->device_active = false; -+ if (s->device_active) { -+ VMW_CBPRN("Deactivating vmxnet3..."); -+ vmxnet_tx_pkt_reset(s->tx_pkt); -+ vmxnet_tx_pkt_uninit(s->tx_pkt); -+ vmxnet_rx_pkt_uninit(s->rx_pkt); -+ s->device_active = false; -+ } - } - - static void vmxnet3_reset(VMXNET3State *s) -@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s) - - vmxnet3_deactivate_device(s); - vmxnet3_reset_interrupt_states(s); -- vmxnet_tx_pkt_reset(s->tx_pkt); - s->drv_shmem = 0; - s->tx_sop = true; - s->skip_current_tx_pkt = false; -@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s) - return; - } - -+ /* Verify if device is active */ -+ if (s->device_active) { -+ VMW_CFPRN("Vmxnet3 device is active"); -+ return; -+ } -+ - vmxnet3_adjust_by_guest_type(s); - vmxnet3_update_features(s); - vmxnet3_update_pm_state(s); -@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd) - break; - - case VMXNET3_CMD_QUIESCE_DEV: -- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device"); -+ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device"); - vmxnet3_deactivate_device(s); - break; - -@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque, - * shared address only after we get the high part - */ - if (val == 0) { -- s->device_active = false; -+ vmxnet3_deactivate_device(s); - } - s->temp_shared_guest_driver_memory = val; - s->drv_shmem = 0; -@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s) - static void vmxnet3_net_uninit(VMXNET3State *s) - { - g_free(s->mcast_list); -- vmxnet_tx_pkt_reset(s->tx_pkt); -- vmxnet_tx_pkt_uninit(s->tx_pkt); -- vmxnet_rx_pkt_uninit(s->rx_pkt); -+ vmxnet3_deactivate_device(s); - qemu_del_nic(s->nic); - } - --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch deleted file mode 100644 index 61a52ee..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001 -From: P J P -Date: Mon, 21 Dec 2015 15:13:13 +0530 -Subject: [PATCH] scsi: initialise info object with appropriate size - -While processing controller 'CTRL_GET_INFO' command, the routine -'megasas_ctrl_get_info' overflows the '&info' object size. Use its -appropriate size to null initialise it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-Id: -Cc: qemu-stable@nongnu.org -Signed-off-by: Paolo Bonzini -Signed-off-by: P J P ---- - hw/scsi/megasas.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index d7dc667..576f56c 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd) - BusChild *kid; - int num_pd_disks = 0; - -- memset(&info, 0x0, cmd->iov_size); -+ memset(&info, 0x0, dcmd_size); - if (cmd->iov_size < dcmd_size) { - trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size, - dcmd_size); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch deleted file mode 100644 index be67336..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001 -From: Wolfgang Bumiller -Date: Wed, 13 Jan 2016 09:09:58 +0100 -Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619) - -When processing 'sendkey' command, hmp_sendkey routine null -terminates the 'keyname_buf' array. This results in an OOB -write issue, if 'keyname_len' was to fall outside of -'keyname_buf' array. - -Since the keyname's length is known the keyname_buf can be -removed altogether by adding a length parameter to -index_from_key() and using it for the error output as well. - -Reported-by: Ling Liu -Signed-off-by: Wolfgang Bumiller -Message-Id: <20160113080958.GA18934@olga> -[Comparison with "<" dumbed down, test for junk after strtoul() -tweaked] -Signed-off-by: Markus Armbruster ---- - hmp.c | 18 ++++++++---------- - include/ui/console.h | 2 +- - ui/input-legacy.c | 5 +++-- - 3 files changed, 12 insertions(+), 13 deletions(-) - -diff --git a/hmp.c b/hmp.c -index 54f2620..9c571f5 100644 ---- a/hmp.c -+++ b/hmp.c -@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) - int has_hold_time = qdict_haskey(qdict, "hold-time"); - int hold_time = qdict_get_try_int(qdict, "hold-time", -1); - Error *err = NULL; -- char keyname_buf[16]; - char *separator; - int keyname_len; - - while (1) { - separator = strchr(keys, '-'); - keyname_len = separator ? separator - keys : strlen(keys); -- pstrcpy(keyname_buf, sizeof(keyname_buf), keys); - - /* Be compatible with old interface, convert user inputted "<" */ -- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) { -- pstrcpy(keyname_buf, sizeof(keyname_buf), "less"); -+ if (keys[0] == '<' && keyname_len == 1) { -+ keys = "less"; - keyname_len = 4; - } -- keyname_buf[keyname_len] = 0; - - keylist = g_malloc0(sizeof(*keylist)); - keylist->value = g_malloc0(sizeof(*keylist->value)); -@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict) - } - tmp = keylist; - -- if (strstart(keyname_buf, "0x", NULL)) { -+ if (strstart(keys, "0x", NULL)) { - char *endp; -- int value = strtoul(keyname_buf, &endp, 0); -- if (*endp != '\0') { -+ int value = strtoul(keys, &endp, 0); -+ assert(endp <= keys + keyname_len); -+ if (endp != keys + keyname_len) { - goto err_out; - } - keylist->value->type = KEY_VALUE_KIND_NUMBER; - keylist->value->u.number = value; - } else { -- int idx = index_from_key(keyname_buf); -+ int idx = index_from_key(keys, keyname_len); - if (idx == Q_KEY_CODE_MAX) { - goto err_out; - } -@@ -1789,7 +1787,7 @@ out: - return; - - err_out: -- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf); -+ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys); - goto out; - } - -diff --git a/include/ui/console.h b/include/ui/console.h -index adac36d..116bc2b 100644 ---- a/include/ui/console.h -+++ b/include/ui/console.h -@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id, time_t expires) - void curses_display_init(DisplayState *ds, int full_screen); - - /* input.c */ --int index_from_key(const char *key); -+int index_from_key(const char *key, size_t key_length); - - /* gtk.c */ - void early_gtk_display_init(int opengl); -diff --git a/ui/input-legacy.c b/ui/input-legacy.c -index 35dfc27..3454055 100644 ---- a/ui/input-legacy.c -+++ b/ui/input-legacy.c -@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry { - static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers = - QTAILQ_HEAD_INITIALIZER(led_handlers); - --int index_from_key(const char *key) -+int index_from_key(const char *key, size_t key_length) - { - int i; - - for (i = 0; QKeyCode_lookup[i] != NULL; i++) { -- if (!strcmp(key, QKeyCode_lookup[i])) { -+ if (!strncmp(key, QKeyCode_lookup[i], key_length) && -+ !QKeyCode_lookup[i][key_length]) { - break; - } - } --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch deleted file mode 100644 index 0dab1c3..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch +++ /dev/null @@ -1,49 +0,0 @@ -https://bugs.gentoo.org/570110 - -From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 28 Dec 2015 16:24:08 +0530 -Subject: [PATCH] net: rocker: fix an incorrect array bounds check - -While processing transmit(tx) descriptors in 'tx_consume' routine -the switch emulator suffers from an off-by-one error, if a -descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16) -fragments. Fix an incorrect bounds check to avoid it. - -Reported-by: Qinghao Tang -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/rocker/rocker.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c -index c57f1a6..2e77e50 100644 ---- a/hw/net/rocker/rocker.c -+++ b/hw/net/rocker/rocker.c -@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info) - frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]); - frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]); - -+ if (iovcnt >= ROCKER_TX_FRAGS_MAX) { -+ goto err_too_many_frags; -+ } - iov[iovcnt].iov_len = frag_len; - iov[iovcnt].iov_base = g_malloc(frag_len); - if (!iov[iovcnt].iov_base) { -@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info) - err = -ROCKER_ENXIO; - goto err_bad_io; - } -- -- if (++iovcnt > ROCKER_TX_FRAGS_MAX) { -- goto err_too_many_frags; -- } -+ iovcnt++; - } - - if (iovcnt) { --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch deleted file mode 100644 index b2bca56..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch +++ /dev/null @@ -1,50 +0,0 @@ -https://bugs.gentoo.org/570988 - -From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 31 Dec 2015 17:05:27 +0530 -Subject: [PATCH] net: ne2000: fix bounds check in ioport operations - -While doing ioport r/w operations, ne2000 device emulation suffers -from OOB r/w errors. Update respective array bounds check to avoid -OOB access. - -Reported-by: Ling Liu -Cc: qemu-stable@nongnu.org -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/ne2000.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index 010f9ef..a3dffff 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr, - uint32_t val) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - stl_le_p(s->mem + addr, val); - } - } -@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr) - static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr) - { - addr &= ~1; /* XXX: check exact behaviour if not even */ -- if (addr < 32 || -- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) { -+ if (addr < 32 -+ || (addr >= NE2000_PMEM_START -+ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) { - return ldl_le_p(s->mem + addr); - } else { - return 0xffffffff; --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch deleted file mode 100644 index 4ce9a35..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch +++ /dev/null @@ -1,41 +0,0 @@ -https://bugs.gentoo.org/571566 - -From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Mon, 11 Jan 2016 14:10:42 -0500 -Subject: [PATCH] ide: ahci: reset ncq object to unused on error - -When processing NCQ commands, AHCI device emulation prepares a -NCQ transfer object; To which an aio control block(aiocb) object -is assigned in 'execute_ncq_command'. In case, when the NCQ -command is invalid, the 'aiocb' object is not assigned, and NCQ -transfer object is left as 'used'. This leads to a use after -free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'. -Reset NCQ transfer object to 'unused' to avoid it. - -[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js] - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Reviewed-by: John Snow -Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com -Signed-off-by: John Snow ---- - hw/ide/ahci.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c -index dd1912e..17f1cbd 100644 ---- a/hw/ide/ahci.c -+++ b/hw/ide/ahci.c -@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs) - ide_state->error = ABRT_ERR; - ide_state->status = READY_STAT | ERR_STAT; - ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag); -+ ncq_tfs->used = 0; - } - - static void ncq_finish(NCQTransferState *ncq_tfs) --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch deleted file mode 100644 index 917fa2f..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001 -From: "Gabriel L. Somlo" -Date: Thu, 5 Nov 2015 09:32:50 -0500 -Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When calculating a pointer to the currently selected fw_cfg item, the -following is used: - - FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - -When s->cur_entry is FW_CFG_INVALID, we are calculating the address of -a non-existent element in s->entries[arch][...], which is undefined. - -This patch ensures the resulting entry pointer is set to NULL whenever -s->cur_entry is FW_CFG_INVALID. - -Reported-by: Laszlo Ersek -Reviewed-by: Laszlo Ersek -Signed-off-by: Gabriel Somlo -Message-id: 1446733972-1602-5-git-send-email-somlo@cmu.edu -Cc: Marc MarĂ­ -Signed-off-by: Gabriel Somlo -Reviewed-by: Laszlo Ersek -Signed-off-by: Gerd Hoffmann ---- - hw/nvram/fw_cfg.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c -index c2d3a0a..046fa74 100644 ---- a/hw/nvram/fw_cfg.c -+++ b/hw/nvram/fw_cfg.c -@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key) - static uint8_t fw_cfg_read(FWCfgState *s) - { - int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); -- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; -+ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL : -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - uint8_t ret; - - if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len) -@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s) - } - - arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL); -- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; -+ e = (s->cur_entry == FW_CFG_INVALID) ? NULL : -+ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK]; - - if (dma.control & FW_CFG_DMA_CTL_READ) { - read = 1; --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch deleted file mode 100644 index 23c2341..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001 -From: P J P -Date: Fri, 18 Dec 2015 11:35:07 +0530 -Subject: [PATCH] i386: avoid null pointer dereference - - Hello, - -A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It -occurs while doing I/O port write operations via hmp interface. In that, -'current_cpu' remains null as it is not called from cpu_exec loop, which -results in the said issue. - -Below is a proposed (tested)patch to fix this issue; Does it look okay? - -=== -From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Fri, 18 Dec 2015 11:16:07 +0530 -Subject: [PATCH] i386: avoid null pointer dereference - -When I/O port write operation is called from hmp interface, -'current_cpu' remains null, as it is not called from cpu_exec() -loop. This leads to a null pointer dereference in vapic_write -routine. Add check to avoid it. - -Reported-by: Ling Liu -Signed-off-by: Prasad J Pandit -Message-Id: -Signed-off-by: Paolo Bonzini -Signed-off-by: P J P ---- - hw/i386/kvmvapic.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c -index c6d34b2..f0922da 100644 ---- a/hw/i386/kvmvapic.c -+++ b/hw/i386/kvmvapic.c -@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s) - static void vapic_write(void *opaque, hwaddr addr, uint64_t data, - unsigned int size) - { -- CPUState *cs = current_cpu; -- X86CPU *cpu = X86_CPU(cs); -- CPUX86State *env = &cpu->env; -- hwaddr rom_paddr; - VAPICROMState *s = opaque; -+ X86CPU *cpu; -+ CPUX86State *env; -+ hwaddr rom_paddr; - -- cpu_synchronize_state(cs); -+ if (!current_cpu) { -+ return; -+ } -+ -+ cpu_synchronize_state(current_cpu); -+ cpu = X86_CPU(current_cpu); -+ env = &cpu->env; - - /* - * The VAPIC supports two PIO-based hypercalls, both via port 0x7E. --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch deleted file mode 100644 index 2922193..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch +++ /dev/null @@ -1,98 +0,0 @@ -From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001 -From: Laszlo Ersek -Date: Tue, 19 Jan 2016 14:17:20 +0100 -Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer - start - -The start_xmit() and e1000_receive_iov() functions implement DMA transfers -iterating over a set of descriptors that the guest's e1000 driver -prepares: - -- the TDLEN and RDLEN registers store the total size of the descriptor - area, - -- while the TDH and RDH registers store the offset (in whole tx / rx - descriptors) into the area where the transfer is supposed to start. - -Each time a descriptor is processed, the TDH and RDH register is bumped -(as appropriate for the transfer direction). - -QEMU already contains logic to deal with bogus transfers submitted by the -guest: - -- Normally, the transmit case wants to increase TDH from its initial value - to TDT. (TDT is allowed to be numerically smaller than the initial TDH - value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe - that QEMU currently has here is a check against reaching the original - TDH value again -- a complete wraparound, which should never happen. - -- In the receive case RDH is increased from its initial value until - "total_size" bytes have been received; preferably in a single step, or - in "s->rxbuf_size" byte steps, if the latter is smaller. However, null - RX descriptors are skipped without receiving data, while RDH is - incremented just the same. QEMU tries to prevent an infinite loop - (processing only null RX descriptors) by detecting whether RDH assumes - its original value during the loop. (Again, wrapping from RDLEN to 0 is - normal.) - -What both directions miss is that the guest could program TDLEN and RDLEN -so low, and the initial TDH and RDH so high, that these registers will -immediately be truncated to zero, and then never reassume their initial -values in the loop -- a full wraparound will never occur. - -The condition that expresses this is: - - xdh_start >= s->mac_reg[XDLEN] / sizeof(desc) - -i.e., TDH or RDH start out after the last whole rx or tx descriptor that -fits into the TDLEN or RDLEN sized area. - -This condition could be checked before we enter the loops, but -pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for -bogus DMA addresses, so we just extend the existing failsafes with the -above condition. - -This is CVE-2016-1981. - -Cc: "Michael S. Tsirkin" -Cc: Petr Matousek -Cc: Stefano Stabellini -Cc: Prasad Pandit -Cc: Michael Roth -Cc: Jason Wang -Cc: qemu-stable@nongnu.org -RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044 -Signed-off-by: Laszlo Ersek -Reviewed-by: Jason Wang -Signed-off-by: Jason Wang ---- - hw/net/e1000.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/hw/net/e1000.c b/hw/net/e1000.c -index 4eda7a3..0387fa0 100644 ---- a/hw/net/e1000.c -+++ b/hw/net/e1000.c -@@ -909,7 +909,8 @@ start_xmit(E1000State *s) - * bogus values to TDT/TDLEN. - * there's nothing too intelligent we could do about this. - */ -- if (s->mac_reg[TDH] == tdh_start) { -+ if (s->mac_reg[TDH] == tdh_start || -+ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) { - DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n", - tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]); - break; -@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec *iov, int iovcnt) - if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN]) - s->mac_reg[RDH] = 0; - /* see comment in start_xmit; same here */ -- if (s->mac_reg[RDH] == rdh_start) { -+ if (s->mac_reg[RDH] == rdh_start || -+ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) { - DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n", - rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]); - set_ics(s, 0, E1000_ICS_RXO); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch deleted file mode 100644 index 0ab7b02..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001 -From: John Snow -Date: Wed, 10 Feb 2016 13:29:40 -0500 -Subject: [PATCH] ahci: Do not unmap NULL addresses - -Definitely don't try to unmap a garbage address. - -Reported-by: Zuozhi fzz -Signed-off-by: John Snow -Message-id: 1454103689-13042-2-git-send-email-jsnow@redhat.com ---- - hw/ide/ahci.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c -index 7e87b18..3a95dad 100644 ---- a/hw/ide/ahci.c -+++ b/hw/ide/ahci.c -@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad) - - static void ahci_unmap_fis_address(AHCIDevice *ad) - { -+ if (ad->res_fis == NULL) { -+ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n"); -+ return; -+ } - dma_memory_unmap(ad->hba->as, ad->res_fis, 256, - DMA_DIRECTION_FROM_DEVICE, 256); - ad->res_fis = NULL; -@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad) - - static void ahci_unmap_clb_address(AHCIDevice *ad) - { -+ if (ad->lst == NULL) { -+ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n"); -+ return; -+ } - dma_memory_unmap(ad->hba->as, ad->lst, 1024, - DMA_DIRECTION_FROM_DEVICE, 1024); - ad->lst = NULL; --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch deleted file mode 100644 index e7aa5ca..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Thu, 11 Feb 2016 16:31:20 +0530 -Subject: [PATCH] usb: check USB configuration descriptor object - -When processing remote NDIS control message packets, the USB Net -device emulator checks to see if the USB configuration descriptor -object is of RNDIS type(2). But it does not check if it is null, -which leads to a null dereference error. Add check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-id: 1455188480-14688-1-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/dev-network.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c -index 985a629..5dc4538 100644 ---- a/hw/usb/dev-network.c -+++ b/hw/usb/dev-network.c -@@ -654,7 +654,8 @@ typedef struct USBNetState { - - static int is_rndis(USBNetState *s) - { -- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE; -+ return s->dev.config ? -+ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0; - } - - static int ndis_query(USBNetState *s, uint32_t oid, --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch b/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch deleted file mode 100644 index 2874b75..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-ne2000-reg-check.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 415ab35a441eca767d033a2702223e785b9d5190 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 24 Feb 2016 11:41:33 +0530 -Subject: [PATCH] net: ne2000: check ring buffer control registers - -Ne2000 NIC uses ring buffer of NE2000_MEM_SIZE(49152) -bytes to process network packets. Registers PSTART & PSTOP -define ring buffer size & location. Setting these registers -to invalid values could lead to infinite loop or OOB r/w -access issues. Add check to avoid it. - -Reported-by: Yang Hongke -Tested-by: Yang Hongke -Signed-off-by: Prasad J Pandit -Signed-off-by: Jason Wang ---- - hw/net/ne2000.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c -index e408083..f0feaf9 100644 ---- a/hw/net/ne2000.c -+++ b/hw/net/ne2000.c -@@ -155,6 +155,10 @@ static int ne2000_buffer_full(NE2000State *s) - { - int avail, index, boundary; - -+ if (s->stop <= s->start) { -+ return 1; -+ } -+ - index = s->curpag << 8; - boundary = s->boundary << 8; - if (index < boundary) --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch deleted file mode 100644 index 2ddca3e..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 20 Jan 2016 01:26:46 +0530 -Subject: [PATCH] usb: check page select value while processing iTD - -While processing isochronous transfer descriptors(iTD), the page -select(PG) field value could lead to an OOB read access. Add -check to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-id: 1453233406-12165-1-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/hcd-ehci.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c -index ab00268..93601d9 100644 ---- a/hw/usb/hcd-ehci.c -+++ b/hw/usb/hcd-ehci.c -@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci, - if (itd->transact[i] & ITD_XACT_ACTIVE) { - pg = get_field(itd->transact[i], ITD_XACT_PGSEL); - off = itd->transact[i] & ITD_XACT_OFFSET_MASK; -- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); -- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK); - len = get_field(itd->transact[i], ITD_XACT_LENGTH); - - if (len > max * mult) { - len = max * mult; - } -- -- if (len > BUFF_SIZE) { -+ if (len > BUFF_SIZE || pg > 6) { - return -1; - } - -+ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK); - qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as); - if (off + len > 4096) { - /* transfer crosses page border */ -+ if (pg == 6) { -+ return -1; /* avoid page pg + 1 */ -+ } -+ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK); - uint32_t len2 = off + len - 4096; - uint32_t len1 = len - len2; - qemu_sglist_add(&ehci->isgl, ptr1 + off, len1); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch deleted file mode 100644 index da643fd..00000000 --- a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch +++ /dev/null @@ -1,59 +0,0 @@ -From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit -Date: Wed, 17 Feb 2016 00:23:41 +0530 -Subject: [PATCH] usb: check RNDIS buffer offsets & length - -When processing remote NDIS control message packets, -the USB Net device emulator uses a fixed length(4096) data buffer. -The incoming informationBufferOffset & Length combination could -overflow and cross that range. Check control message buffer -offsets and length to avoid it. - -Reported-by: Qinghao Tang -Signed-off-by: Prasad J Pandit -Message-id: 1455648821-17340-3-git-send-email-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann ---- - hw/usb/dev-network.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c -index 5dc4538..c6abd38 100644 ---- a/hw/usb/dev-network.c -+++ b/hw/usb/dev-network.c -@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s, - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - infobuflen = ndis_query(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen, infobuf, -@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s, - - bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8; - buflen = le32_to_cpu(buf->InformationBufferLength); -- if (bufoffs + buflen > length) -+ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) { - return USB_RET_STALL; -+ } - - ret = ndis_set(s, le32_to_cpu(buf->OID), - bufoffs + (uint8_t *) buf, buflen); -@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s, USBPacket *p) - if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) { - uint32_t offs = 8 + le32_to_cpu(msg->DataOffset); - uint32_t size = le32_to_cpu(msg->DataLength); -- if (offs + size <= len) -+ if (offs < len && size < len && offs + size <= len) { - qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size); -+ } - } - s->out_ptr -= len; - memmove(s->out_buf, &s->out_buf[len], s->out_ptr); --- -2.7.4 - diff --git a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch b/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch deleted file mode 100644 index 4856373..00000000 --- a/app-emulation/qemu/files/qemu-2.6.0-crypto-static.patch +++ /dev/null @@ -1,60 +0,0 @@ -https://lists.gnu.org/archive/html/qemu-devel/2016-06/msg01611.html - -From 6a2909cf98e892783b2502df6f7f4de46d13e42b Mon Sep 17 00:00:00 2001 -From: Mike Frysinger -Date: Mon, 6 Jun 2016 17:58:26 -0400 -Subject: [PATCH] crypto: aes: always rename internal symbols - -OpenSSL's libcrypto always defines AES symbols with the same names as -qemu's local aes code. This is problematic when enabling at least curl -as that frequently also uses libcrypto. It might not be noticed when -running, but if you try to statically link, everything falls down. - -An example snippet: - LINK qemu-nbd -.../libcrypto.a(aes-x86_64.o): In function 'AES_encrypt': -(.text+0x460): multiple definition of 'AES_encrypt' -crypto/aes.o:aes.c:(.text+0x670): first defined here -.../libcrypto.a(aes-x86_64.o): In function 'AES_decrypt': -(.text+0x9f0): multiple definition of 'AES_decrypt' -crypto/aes.o:aes.c:(.text+0xb30): first defined here -.../libcrypto.a(aes-x86_64.o): In function 'AES_cbc_encrypt': -(.text+0xf90): multiple definition of 'AES_cbc_encrypt' -crypto/aes.o:aes.c:(.text+0xff0): first defined here -collect2: error: ld returned 1 exit status -.../qemu-2.6.0/rules.mak:105: recipe for target 'qemu-nbd' failed -make: *** [qemu-nbd] Error 1 - -The aes.h header has redefines already for FreeBSD, but go ahead and -enable that for everyone since there's no real good reason to not use -a namespace all the time. - -Signed-off-by: Mike Frysinger ---- - include/crypto/aes.h | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/include/crypto/aes.h b/include/crypto/aes.h -index a006da2224a9..12fb321b89de 100644 ---- a/include/crypto/aes.h -+++ b/include/crypto/aes.h -@@ -10,14 +10,13 @@ struct aes_key_st { - }; - typedef struct aes_key_st AES_KEY; - --/* FreeBSD has its own AES_set_decrypt_key in -lcrypto, avoid conflicts */ --#ifdef __FreeBSD__ -+/* FreeBSD/OpenSSL have their own AES functions with the same names in -lcrypto -+ * (which might be pulled in via curl), so redefine to avoid conflicts. */ - #define AES_set_encrypt_key QEMU_AES_set_encrypt_key - #define AES_set_decrypt_key QEMU_AES_set_decrypt_key - #define AES_encrypt QEMU_AES_encrypt - #define AES_decrypt QEMU_AES_decrypt - #define AES_cbc_encrypt QEMU_AES_cbc_encrypt --#endif - - int AES_set_encrypt_key(const unsigned char *userKey, const int bits, - AES_KEY *key); --- -2.8.2 - diff --git a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch b/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch deleted file mode 100644 index 5fd678c..00000000 --- a/app-emulation/qemu/files/qemu-2.6.0-glib-size_t.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/configure 2016-08-07 15:50:20.386687733 +0200 -+++ b/configure 2016-08-07 15:53:55.489691690 +0200 -@@ -2967,7 +2967,7 @@ - } - EOF - --if ! compile_prog "-Werror $CFLAGS" "$LIBS" ; then -+if ! compile_prog "$CFLAGS" "$LIBS" ; then - error_exit "sizeof(size_t) doesn't match GLIB_SIZEOF_SIZE_T."\ - "You probably need to set PKG_CONFIG_LIBDIR"\ - "to point to the right pkg-config files for your"\