From: "Matthias Maier" <tamiko@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/
Date: Wed, 26 Jul 2017 17:15:00 +0000 (UTC) [thread overview]
Message-ID: <1501089293.4716c9ae8666e4cfc6eff46960f7bff8f4f3d708.tamiko@gentoo> (raw)
commit: 4716c9ae8666e4cfc6eff46960f7bff8f4f3d708
Author: Matthias Maier <tamiko <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 26 17:14:28 2017 +0000
Commit: Matthias Maier <tamiko <AT> gentoo <DOT> org>
CommitDate: Wed Jul 26 17:14:53 2017 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4716c9ae
app-emulation/qemu: drop old patch files
Package-Manager: Portage-2.3.6, Repoman-2.3.3
.../qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch | 32 ------
.../qemu/files/qemu-2.8.0-CVE-2016-10028.patch | 40 --------
.../qemu/files/qemu-2.8.0-CVE-2016-10155.patch | 46 ---------
.../qemu/files/qemu-2.8.0-CVE-2016-9908.patch | 35 -------
.../qemu/files/qemu-2.8.0-CVE-2016-9912.patch | 38 -------
.../qemu/files/qemu-2.8.0-CVE-2017-2615.patch | 48 ---------
.../qemu/files/qemu-2.8.0-CVE-2017-2620.patch | 56 -----------
.../qemu/files/qemu-2.8.0-CVE-2017-2630.patch | 22 ----
.../qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch | 52 ----------
.../qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch | 55 ----------
.../qemu/files/qemu-2.8.0-CVE-2017-5552.patch | 41 --------
.../qemu/files/qemu-2.8.0-CVE-2017-5578.patch | 35 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5579.patch | 40 --------
.../qemu/files/qemu-2.8.0-CVE-2017-5667.patch | 37 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5856.patch | 64 ------------
.../qemu/files/qemu-2.8.0-CVE-2017-5857.patch | 38 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5898.patch | 35 -------
.../qemu/files/qemu-2.8.0-CVE-2017-5931.patch | 46 ---------
.../qemu/files/qemu-2.8.0-CVE-2017-5973.patch | 87 ----------------
.../qemu/files/qemu-2.8.0-CVE-2017-5987.patch | 50 ---------
.../qemu/files/qemu-2.8.0-CVE-2017-6058.patch | 112 ---------------------
.../qemu/files/qemu-2.8.0-CVE-2017-6505.patch | 52 ----------
.../qemu/files/qemu-2.8.0-CVE-2017-7377.patch | 49 ---------
.../qemu/files/qemu-2.8.1-CVE-2017-7471.patch | 64 ------------
.../qemu/files/qemu-2.8.1-CVE-2017-8086.patch | 28 ------
25 files changed, 1202 deletions(-)
diff --git a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch b/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
deleted file mode 100644
index cea8efc0686..00000000000
--- a/app-emulation/qemu/files/qemu-2.7.0-CVE-2016-8669-1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-http://bugs.gentoo.org/597108
-https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02577.html
-
-From: Prasad J Pandit <address@hidden>
-
-The JAZZ RC4030 chipset emulator has a periodic timer and
-associated interval reload register. The reload value is used
-as divider when computing timer's next tick value. If reload
-value is large, it could lead to divide by zero error. Limit
-the interval reload value to avoid it.
-
-Reported-by: Huawei PSIRT <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/dma/rc4030.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
-index 2f2576f..c1b4997 100644
---- a/hw/dma/rc4030.c
-+++ b/hw/dma/rc4030.c
-@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
- break;
- /* Interval timer reload */
- case 0x0228:
-- s->itr = val;
-+ s->itr = val & 0x01FF;
- qemu_irq_lower(s->timer_irq);
- set_next_tick(s);
- break;
---
-2.5.5
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
deleted file mode 100644
index 466c819e78a..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10028.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-12/msg01903.html
-https://bugs.gentoo.org/603444
-
-From: P J P
-Subject: [Qemu-devel] [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
-Date: Wed, 14 Dec 2016 12:31:56 +0530
-From: Prasad J Pandit <address@hidden>
-
-Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
-command, retrieves the maximum capabilities size to fill in the
-response object. It continues to fill in capabilities even if
-retrieved 'max_size' is zero(0), thus resulting in OOB access.
-Add check to avoid it.
-
-Reported-by: Zhenhao Hong <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 758d33a..6ceeba3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -370,8 +370,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-+ if (!max_size) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
-+ return;
-+ }
-+
- resp = g_malloc0(sizeof(*resp) + max_size);
--
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
- gc.capset_version,
---
-2.9.3
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch
deleted file mode 100644
index c486295d06f..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-10155.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Mon, 28 Nov 2016 17:49:04 -0800
-Subject: [PATCH] watchdog: 6300esb: add exit function
-
-When the Intel 6300ESB watchdog is hot unplug. The timer allocated
-in realize isn't freed thus leaking memory leak. This patch avoid
-this through adding the exit function.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/watchdog/wdt_i6300esb.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
-index a83d951..49b3cd1 100644
---- a/hw/watchdog/wdt_i6300esb.c
-+++ b/hw/watchdog/wdt_i6300esb.c
-@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
- /* qemu_register_coalesced_mmio (addr, 0x10); ? */
- }
-
-+static void i6300esb_exit(PCIDevice *dev)
-+{
-+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
-+
-+ timer_del(d->timer);
-+ timer_free(d->timer);
-+}
-+
- static WatchdogTimerModel model = {
- .wdt_name = "i6300esb",
- .wdt_description = "Intel 6300ESB",
-@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
- k->config_read = i6300esb_config_read;
- k->config_write = i6300esb_config_write;
- k->realize = i6300esb_realize;
-+ k->exit = i6300esb_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
- k->class_id = PCI_CLASS_SYSTEM_OTHER;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
deleted file mode 100644
index 841de65d48c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9908.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg00059.html
-https://bugs.gentoo.org/601826
-
-From: Li Qiang
-Subject: [Qemu-devel] [PATCH] virtio-gpu: fix information leak in capset get dispatch
-Date: Tue, 1 Nov 2016 05:37:57 -0700
-From: Li Qiang <address@hidden>
-
-In virgl_cmd_get_capset function, it uses g_malloc to allocate
-a response struct to the guest. As the 'resp'struct hasn't been full
-initialized it will lead the 'resp->padding' field to the guest.
-Use g_malloc0 to avoid this.
-
-Signed-off-by: Li Qiang <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index 23f39de..d98b140 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -371,7 +371,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
-
- virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
- &max_size);
-- resp = g_malloc(sizeof(*resp) + max_size);
-+ resp = g_malloc0(sizeof(*resp) + max_size);
-
- resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
- virgl_renderer_fill_caps(gc.capset_id,
---
-1.8.3.1
-
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
deleted file mode 100644
index 55963f70b98..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2016-9912.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-https://lists.gnu.org/archive/html/qemu-devel/2016-11/msg05043.html
-https://bugs.gentoo.org/602630
-
-From: Li Qiang
-Subject: [Qemu-devel] [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
-Date: Mon, 28 Nov 2016 21:29:25 -0500
-If the guest destroy the resource before detach banking, the 'iov'
-and 'addrs' field in resource is not freed thus leading memory
-leak issue. This patch avoid this.
-
-Signed-off-by: Li Qiang <address@hidden>
----
- hw/display/virtio-gpu.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 60bce94..98dadf2 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -28,6 +28,8 @@
- static struct virtio_gpu_simple_resource*
- virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
-
-+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
-+
- #ifdef CONFIG_VIRGL
- #include <virglrenderer.h>
- #define VIRGL(_g, _virgl, _simple, ...) \
-@@ -358,6 +360,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
- struct virtio_gpu_simple_resource *res)
- {
- pixman_image_unref(res->image);
-+ virtio_gpu_cleanup_mapping(res);
- QTAILQ_REMOVE(&g->reslist, res, next);
- g_free(res);
- }
---
-1.8.3.1
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch
deleted file mode 100644
index f0bba801657..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2615.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 1 Feb 2017 09:35:01 +0100
-Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
-
-When doing bitblt copy in backward mode, we should minus the
-blt width first just like the adding in the forward mode. This
-can avoid the oob access of the front of vga's vram.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-
-{ kraxel: with backward blits (negative pitch) addr is the topmost
- address, so check it as-is against vram size ]
-
-Cc: qemu-stable@nongnu.org
-Cc: P J P <ppandit@redhat.com>
-Cc: Laszlo Ersek <lersek@redhat.com>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
-Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
-Reviewed-by: Laszlo Ersek <lersek@redhat.com>
----
- hw/display/cirrus_vga.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 7db6409..16f27e8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
- {
- if (pitch < 0) {
- int64_t min = addr
-- + ((int64_t)s->cirrus_blt_height-1) * pitch;
-- int32_t max = addr
-- + s->cirrus_blt_width;
-- if (min < 0 || max > s->vga.vram_size) {
-+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
-+ - s->cirrus_blt_width;
-+ if (min < -1 || addr >= s->vga.vram_size) {
- return true;
- }
- } else {
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch
deleted file mode 100644
index e2a98012d7c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2620.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: Gerd Hoffmann <kraxel@redhat.com>
-Subject: [PATCH 3/3] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
-
-CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
-and blit width, at all. Oops. Fix it.
-
-Security impact: high.
-
-The missing blit destination check allows to write to host memory.
-Basically same as CVE-2014-8106 for the other blit variants.
-
-The missing blit width check allows to overflow cirrus_bltbuf,
-with the attractive target cirrus_srcptr (current cirrus_bltbuf write
-position) being located right after cirrus_bltbuf in CirrusVGAState.
-
-Due to cirrus emulation writing cirrus_bltbuf bytewise the attacker
-hasn't full control over cirrus_srcptr though, only one byte can be
-changed. Once the first byte has been modified further writes land
-elsewhere.
-
-[ This is CVE-2017-2620 / XSA-209 - Ian Jackson ]
-
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/cirrus_vga.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
-index 0e47cf8..a093dc8 100644
---- a/hw/display/cirrus_vga.c
-+++ b/hw/display/cirrus_vga.c
-@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- {
- int w;
-
-+ if (blit_is_unsafe(s)) {
-+ return 0;
-+ }
-+
- s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
- s->cirrus_srcptr = &s->cirrus_bltbuf[0];
- s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
-@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
- }
- s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
- }
-+
-+ /* the blit_is_unsafe call above should catch this */
-+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
-+
- s->cirrus_srcptr = s->cirrus_bltbuf;
- s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
- cirrus_update_memory_access(s);
---
-1.8.3.1
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch
deleted file mode 100644
index 034b322de5f..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-2630.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Comparison symbol is misused. It may lead to memory corruption.
-
-Signed-off-by: Vladimir Sementsov-Ogievskiy <address@hidden>
----
- nbd/client.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/nbd/client.c b/nbd/client.c
-index 6caf6bda6d..351731bc63 100644
---- a/nbd/client.c
-+++ b/nbd/client.c
-@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size)
- char small[1024];
- char *buffer;
-
-- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size));
-+ buffer = sizeof(small) > size ? small : g_malloc(MIN(65536, size));
- while (size > 0) {
- ssize_t count = read_sync(ioc, buffer, MIN(65536, size));
-
---
-2.11.0
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch
deleted file mode 100644
index 24411b4dca3..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-1.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:30:21 -0800
-Subject: [PATCH] audio: ac97: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the ac97 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/ac97.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
-index cbd959e..c306575 100644
---- a/hw/audio/ac97.c
-+++ b/hw/audio/ac97.c
-@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
- ac97_on_reset (&s->dev.qdev);
- }
-
-+static void ac97_exit(PCIDevice *dev)
-+{
-+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
-+
-+ AUD_close_in(&s->card, s->voice_pi);
-+ AUD_close_out(&s->card, s->voice_po);
-+ AUD_close_in(&s->card, s->voice_mc);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int ac97_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, "AC97");
-@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = ac97_realize;
-+ k->exit = ac97_exit;
- k->vendor_id = PCI_VENDOR_ID_INTEL;
- k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
- k->revision = 0x01;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch
deleted file mode 100644
index 6bbac580c3c..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5525-2.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 14 Dec 2016 18:32:22 -0800
-Subject: [PATCH] audio: es1370: add exit function
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently the es1370 device emulation doesn't have a exit function,
-hot unplug this device will leak some memory. Add a exit function to
-avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/audio/es1370.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
-index 8449b5f..883ec69 100644
---- a/hw/audio/es1370.c
-+++ b/hw/audio/es1370.c
-@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
- es1370_reset (s);
- }
-
-+static void es1370_exit(PCIDevice *dev)
-+{
-+ ES1370State *s = ES1370(dev);
-+ int i;
-+
-+ for (i = 0; i < 2; ++i) {
-+ AUD_close_out(&s->card, s->dac_voice[i]);
-+ }
-+
-+ AUD_close_in(&s->card, s->adc_voice);
-+ AUD_remove_card(&s->card);
-+}
-+
- static int es1370_init (PCIBus *bus)
- {
- pci_create_simple (bus, -1, TYPE_ES1370);
-@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
- PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
-
- k->realize = es1370_realize;
-+ k->exit = es1370_exit;
- k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
- k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
- k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch
deleted file mode 100644
index 9475f3fd2a2..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5552.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 03:11:26 -0500
-Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the virgl_renderer_resource_attach_iov function fails the
-'res_iovs' will be leaked. Add check of the return value to
-free the 'res_iovs' when failing.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu-3d.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index e29f099..b13ced3 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-- virgl_renderer_resource_attach_iov(att_rb.resource_id,
-- res_iovs, att_rb.nr_entries);
-+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
-+ res_iovs, att_rb.nr_entries);
-+
-+ if (ret != 0)
-+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
- }
-
- static void virgl_resource_detach_backing(VirtIOGPU *g,
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch
deleted file mode 100644
index f93d1e7f9e9..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5578.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Thu, 29 Dec 2016 04:28:41 -0500
-Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
-
-In the resource attach backing function, everytime it will
-allocate 'res->iov' thus can leading a memory leak. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liq3ea@gmail.com>
-Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/display/virtio-gpu.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
-index 6a26258..ca88cf4 100644
---- a/hw/display/virtio-gpu.c
-+++ b/hw/display/virtio-gpu.c
-@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
- return;
- }
-
-+ if (res->iov) {
-+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
-+ return;
-+ }
-+
- ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
- if (ret != 0) {
- cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch
deleted file mode 100644
index e4572a8d571..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5579.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Wed, 4 Jan 2017 00:43:16 -0800
-Subject: [PATCH] serial: fix memory leak in serial exit
-
-The serial_exit_core function doesn't free some resources.
-This can lead memory leak when hotplug and unplug. This
-patch avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/char/serial.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/char/serial.c b/hw/char/serial.c
-index ffbacd8..67b18ed 100644
---- a/hw/char/serial.c
-+++ b/hw/char/serial.c
-@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
- void serial_exit_core(SerialState *s)
- {
- qemu_chr_fe_deinit(&s->chr);
-+
-+ timer_del(s->modem_status_poll);
-+ timer_free(s->modem_status_poll);
-+
-+ timer_del(s->fifo_timeout_timer);
-+ timer_free(s->fifo_timeout_timer);
-+
-+ fifo8_destroy(&s->recv_fifo);
-+ fifo8_destroy(&s->xmit_fifo);
-+
- qemu_unregister_reset(serial_reset, s);
- }
-
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch
deleted file mode 100644
index 93e9c9406c4..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5667.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 7 Feb 2017 18:29:59 +0000
-Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
-
-While doing multi block SDMA transfer in routine
-'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
-index 'begin' and data length 's->data_count' could end up to be same.
-This could lead to an OOB access issue. Correct transfer data length
-to avoid it.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Jiang Xin <jiangxin1@huawei.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20170130064736.9236-1-ppandit@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/sd/sdhci.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 01fbf22..5bd5ab6 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- boundary_count -= block_size - begin;
- }
- dma_memory_read(&address_space_memory, s->sdmasysad,
-- &s->fifo_buffer[begin], s->data_count);
-+ &s->fifo_buffer[begin], s->data_count - begin);
- s->sdmasysad += s->data_count - begin;
- if (s->data_count == block_size) {
- for (n = 0; n < block_size; n++) {
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch
deleted file mode 100644
index 2ebd49fa54d..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5856.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Mon, 2 Jan 2017 11:03:33 +0100
-Subject: [PATCH] megasas: fix guest-triggered memory leak
-
-If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
-will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
-Avoid this by returning only the status from map_dcmd, and loading
-cmd->iov_size in the caller.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
- hw/scsi/megasas.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 67fc1e7..6233865 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
- trace_megasas_dcmd_invalid_sge(cmd->index,
- cmd->frame->header.sge_count);
- cmd->iov_size = 0;
-- return -1;
-+ return -EINVAL;
- }
- iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
- iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
- pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
- qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
- cmd->iov_size = iov_size;
-- return cmd->iov_size;
-+ return 0;
- }
-
- static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
-@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
-
- static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
- {
-- int opcode, len;
-+ int opcode;
- int retval = 0;
-+ size_t len;
- const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
-
- opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
- trace_megasas_handle_dcmd(cmd->index, opcode);
-- len = megasas_map_dcmd(s, cmd);
-- if (len < 0) {
-+ if (megasas_map_dcmd(s, cmd) < 0) {
- return MFI_STAT_MEMORY_NOT_AVAILABLE;
- }
- while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
- cmdptr++;
- }
-+ len = cmd->iov_size;
- if (cmdptr->opcode == -1) {
- trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
- retval = megasas_dcmd_dummy(s, cmd);
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch
deleted file mode 100644
index 664a669ffaa..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5857.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
-backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
-we'll leak memory.
-
-This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
-"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
-
-Reported-by: 李强 <address@hidden>
-Signed-off-by: Gerd Hoffmann <address@hidden>
----
- hw/display/virtio-gpu-3d.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
-index f96a0c2..ecb09d1 100644
---- a/hw/display/virtio-gpu-3d.c
-+++ b/hw/display/virtio-gpu-3d.c
-@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
- struct virtio_gpu_ctrl_command *cmd)
- {
- struct virtio_gpu_resource_unref unref;
-+ struct iovec *res_iovs = NULL;
-+ int num_iovs = 0;
-
- VIRTIO_GPU_FILL_CMD(unref);
- trace_virtio_gpu_cmd_res_unref(unref.resource_id);
-
-+ virgl_renderer_resource_detach_iov(unref.resource_id,
-+ &res_iovs,
-+ &num_iovs);
-+ if (res_iovs != NULL && num_iovs != 0) {
-+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
-+ }
- virgl_renderer_resource_unref(unref.resource_id);
- }
-
---
-1.8.3.1
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch
deleted file mode 100644
index 9f94477a46b..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5898.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Fri, 3 Feb 2017 00:52:28 +0530
-Subject: [PATCH] usb: ccid: check ccid apdu length
-
-CCID device emulator uses Application Protocol Data Units(APDU)
-to exchange command and responses to and from the host.
-The length in these units couldn't be greater than 65536. Add
-check to ensure the same. It'd also avoid potential integer
-overflow in emulated_apdu_from_guest.
-
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Message-id: 20170202192228.10847-1-ppandit@redhat.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/dev-smartcard-reader.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
-index 89e11b6..1325ea1 100644
---- a/hw/usb/dev-smartcard-reader.c
-+++ b/hw/usb/dev-smartcard-reader.c
-@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
- DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
- recv->hdr.bSeq, len);
- ccid_add_pending_answer(s, (CCID_Header *)recv);
-- if (s->card) {
-+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
- ccid_card_apdu_from_guest(s->card, recv->abData, len);
- } else {
- DPRINTF(s, D_WARN, "warning: discarded apdu\n");
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch
deleted file mode 100644
index f24d557c96d..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
-From: Gonglei <arei.gonglei@huawei.com>
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-
-Using uint_64 instead of size_t to avoid the integer overflow.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Tested-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e..c23e1ad 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- uint32_t hash_start_src_offset = 0, len_to_hash = 0;
- uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
-
-- size_t max_len, curr_size = 0;
-+ uint64_t max_len, curr_size = 0;
- size_t s;
-
- /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
- return NULL;
- }
-
-- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
- if (unlikely(max_len > vcrypto->conf.max_size)) {
- virtio_error(vdev, "virtio-crypto too big length");
- return NULL;
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch
deleted file mode 100644
index 50ff3c99792..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5973.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-Limits should be big enough that normal guest should not hit it.
-Add a tracepoint to log them, just in case. Also, while being
-at it, log the existing link trb limit too.
-
-Reported-by: 李强 <address@hidden>
-Signed-off-by: Gerd Hoffmann <address@hidden>
----
- hw/usb/hcd-xhci.c | 15 ++++++++++++++-
- hw/usb/trace-events | 1 +
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
-index fbf8a8b..28dd2f2 100644
---- a/hw/usb/hcd-xhci.c
-+++ b/hw/usb/hcd-xhci.c
-@@ -51,6 +51,8 @@
- #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS)
-
- #define TRB_LINK_LIMIT 4
-+#define COMMAND_LIMIT 256
-+#define TRANSFER_LIMIT 256
-
- #define LEN_CAP 0x40
- #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
-@@ -943,6 +945,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
- return type;
- } else {
- if (++link_cnt > TRB_LINK_LIMIT) {
-+ trace_usb_xhci_enforced_limit("trb-link");
- return 0;
- }
- ring->dequeue = xhci_mask64(trb->parameter);
-@@ -2060,6 +2063,7 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
- XHCIRing *ring;
- USBEndpoint *ep = NULL;
- uint64_t mfindex;
-+ unsigned int count = 0;
- int length;
- int i;
-
-@@ -2172,6 +2176,10 @@ static void xhci_kick_epctx(XHCIEPContext *epctx, unsigned int streamid)
- epctx->retry = xfer;
- break;
- }
-+ if (count++ > TRANSFER_LIMIT) {
-+ trace_usb_xhci_enforced_limit("transfers");
-+ break;
-+ }
- }
- epctx->kick_active--;
-
-@@ -2618,7 +2626,7 @@ static void xhci_process_commands(XHCIState *xhci)
- TRBType type;
- XHCIEvent event = {ER_COMMAND_COMPLETE, CC_SUCCESS};
- dma_addr_t addr;
-- unsigned int i, slotid = 0;
-+ unsigned int i, slotid = 0, count = 0;
-
- DPRINTF("xhci_process_commands()\n");
- if (!xhci_running(xhci)) {
-@@ -2735,6 +2743,11 @@ static void xhci_process_commands(XHCIState *xhci)
- }
- event.slotid = slotid;
- xhci_event(xhci, &event, 0);
-+
-+ if (count++ > COMMAND_LIMIT) {
-+ trace_usb_xhci_enforced_limit("commands");
-+ return;
-+ }
- }
- }
-
-diff --git a/hw/usb/trace-events b/hw/usb/trace-events
-index fdd1d29..0c323d4 100644
---- a/hw/usb/trace-events
-+++ b/hw/usb/trace-events
-@@ -174,6 +174,7 @@ usb_xhci_xfer_retry(void *xfer) "%p"
- usb_xhci_xfer_success(void *xfer, uint32_t bytes) "%p: len %d"
- usb_xhci_xfer_error(void *xfer, uint32_t ret) "%p: ret %d"
- usb_xhci_unimplemented(const char *item, int nr) "%s (0x%x)"
-+usb_xhci_enforced_limit(const char *item) "%s"
-
- # hw/usb/desc.c
- usb_desc_device(int addr, int len, int ret) "dev %d query device, len %d, ret %d"
---
-1.8.3.1
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch
deleted file mode 100644
index bfde2e9d4b7..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5987.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From: Prasad J Pandit <address@hidden>
-
-In the SDHCI protocol, the transfer mode register value
-is used during multi block transfer to check if block count
-register is enabled and should be updated. Transfer mode
-register could be set such that, block count register would
-not be updated, thus leading to an infinite loop. Add check
-to avoid it.
-
-Reported-by: Wjjzhang <address@hidden>
-Reported-by: Jiang Xin <address@hidden>
-Signed-off-by: Prasad J Pandit <address@hidden>
----
- hw/sd/sdhci.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-Update: use qemu_log_mask(LOG_UNIMP, ...)
- -> https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02354.html
-
-diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
-index 5bd5ab6..a9c744b 100644
---- a/hw/sd/sdhci.c
-+++ b/hw/sd/sdhci.c
-@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
- uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
- uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
-
-+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) {
-+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n");
-+ return;
-+ }
-+
- /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
- * possible stop at page boundary if initial address is not page aligned,
- * allow them to work properly */
-@@ -797,11 +802,6 @@ static void sdhci_data_transfer(void *opaque)
- if (s->trnmod & SDHC_TRNS_DMA) {
- switch (SDHC_DMA_TYPE(s->hostctl)) {
- case SDHC_CTRL_SDMA:
-- if ((s->trnmod & SDHC_TRNS_MULTI) &&
-- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
-- break;
-- }
--
- if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
- sdhci_sdma_transfer_single_block(s);
- } else {
---
-2.9.3
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
deleted file mode 100644
index 666c18ccea1..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6058.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-This patch fixed a problem that was introduced in commit eb700029.
-
-When net_rx_pkt_attach_iovec() calls eth_strip_vlan()
-this can result in pkt->ehdr_buf being overflowed, because
-ehdr_buf is only sizeof(struct eth_header) bytes large
-but eth_strip_vlan() can write
-sizeof(struct eth_header) + sizeof(struct vlan_header)
-bytes into it.
-
-Devices affected by this problem: vmxnet3.
-
-Reported-by: Peter Maydell <address@hidden>
-Signed-off-by: Dmitry Fleytman <address@hidden>
----
- hw/net/net_rx_pkt.c | 34 +++++++++++++++++-----------------
- 1 file changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
-index 1019b50..7c0beac 100644
---- a/hw/net/net_rx_pkt.c
-+++ b/hw/net/net_rx_pkt.c
-@@ -23,13 +23,13 @@
-
- struct NetRxPkt {
- struct virtio_net_hdr virt_hdr;
-- uint8_t ehdr_buf[sizeof(struct eth_header)];
-+ uint8_t ehdr_buf[sizeof(struct eth_header) + sizeof(struct vlan_header)];
- struct iovec *vec;
- uint16_t vec_len_total;
- uint16_t vec_len;
- uint32_t tot_len;
- uint16_t tci;
-- bool vlan_stripped;
-+ size_t ehdr_buf_len;
- bool has_virt_hdr;
- eth_pkt_types_e packet_type;
-
-@@ -88,15 +88,13 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,
- const struct iovec *iov, int iovcnt,
- size_t ploff)
- {
-- if (pkt->vlan_stripped) {
-+ if (pkt->ehdr_buf_len) {
- net_rx_pkt_iovec_realloc(pkt, iovcnt + 1);
-
- pkt->vec[0].iov_base = pkt->ehdr_buf;
-- pkt->vec[0].iov_len = sizeof(pkt->ehdr_buf);
--
-- pkt->tot_len =
-- iov_size(iov, iovcnt) - ploff + sizeof(struct eth_header);
-+ pkt->vec[0].iov_len = pkt->ehdr_buf_len;
-
-+ pkt->tot_len = iov_size(iov, iovcnt) - ploff + pkt->ehdr_buf_len;
- pkt->vec_len = iov_copy(pkt->vec + 1, pkt->vec_len_total - 1,
- iov, iovcnt, ploff, pkt->tot_len);
- } else {
-@@ -123,11 +121,12 @@ void net_rx_pkt_attach_iovec(struct NetRxPkt *pkt,
- uint16_t tci = 0;
- uint16_t ploff = iovoff;
- assert(pkt);
-- pkt->vlan_stripped = false;
-
- if (strip_vlan) {
-- pkt->vlan_stripped = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
-- &ploff, &tci);
-+ pkt->ehdr_buf_len = eth_strip_vlan(iov, iovcnt, iovoff, pkt->ehdr_buf,
-+ &ploff, &tci);
-+ } else {
-+ pkt->ehdr_buf_len = 0;
- }
-
- pkt->tci = tci;
-@@ -143,12 +142,13 @@ void net_rx_pkt_attach_iovec_ex(struct NetRxPkt *pkt,
- uint16_t tci = 0;
- uint16_t ploff = iovoff;
- assert(pkt);
-- pkt->vlan_stripped = false;
-
- if (strip_vlan) {
-- pkt->vlan_stripped = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
-- pkt->ehdr_buf,
-- &ploff, &tci);
-+ pkt->ehdr_buf_len = eth_strip_vlan_ex(iov, iovcnt, iovoff, vet,
-+ pkt->ehdr_buf,
-+ &ploff, &tci);
-+ } else {
-+ pkt->ehdr_buf_len = 0;
- }
-
- pkt->tci = tci;
-@@ -162,8 +162,8 @@ void net_rx_pkt_dump(struct NetRxPkt *pkt)
- NetRxPkt *pkt = (NetRxPkt *)pkt;
- assert(pkt);
-
-- printf("RX PKT: tot_len: %d, vlan_stripped: %d, vlan_tag: %d\n",
-- pkt->tot_len, pkt->vlan_stripped, pkt->tci);
-+ printf("RX PKT: tot_len: %d, ehdr_buf_len: %lu, vlan_tag: %d\n",
-+ pkt->tot_len, pkt->ehdr_buf_len, pkt->tci);
- #endif
- }
-
-@@ -426,7 +426,7 @@ bool net_rx_pkt_is_vlan_stripped(struct NetRxPkt *pkt)
- {
- assert(pkt);
-
-- return pkt->vlan_stripped;
-+ return pkt->ehdr_buf_len ? true : false;
- }
-
- bool net_rx_pkt_has_virt_hdr(struct NetRxPkt *pkt)
---
-2.7.4
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
deleted file mode 100644
index a15aa96bd56..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-6505.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb Mon Sep 17 00:00:00 2001
-From: Li Qiang <liqiang6-s@360.cn>
-Date: Tue, 7 Feb 2017 02:23:33 -0800
-Subject: [PATCH] usb: ohci: limit the number of link eds
-
-The guest may builds an infinite loop with link eds. This patch
-limit the number of linked ed to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
- hw/usb/hcd-ohci.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index 2cba3e3..21c93e0 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -42,6 +42,8 @@
-
- #define OHCI_MAX_PORTS 15
-
-+#define ED_LINK_LIMIT 4
-+
- static int64_t usb_frame_time;
- static int64_t usb_bit_time;
-
-@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
- uint32_t next_ed;
- uint32_t cur;
- int active;
--
-+ uint32_t link_cnt = 0;
- active = 0;
-
- if (head == 0)
-@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
-
- next_ed = ed.next & OHCI_DPTR_MASK;
-
-+ if (++link_cnt > ED_LINK_LIMIT) {
-+ ohci_die(ohci);
-+ return 0;
-+ }
-+
- if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
- uint32_t addr;
- /* Cancel pending packets for ED that have been paused. */
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
deleted file mode 100644
index f2d317c3c94..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-7377.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From d63fb193e71644a073b77ff5ac6f1216f2f6cf6e Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Mon, 27 Mar 2017 21:13:19 +0200
-Subject: [PATCH] 9pfs: fix file descriptor leak
-
-The v9fs_create() and v9fs_lcreate() functions are used to create a file
-on the backend and to associate it to a fid. The fid shouldn't be already
-in-use, otherwise both functions may silently leak a file descriptor or
-allocated memory. The current code doesn't check that.
-
-This patch ensures that the fid isn't already associated to anything
-before using it.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-(reworded the changelog, Greg Kurz)
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
-index b8c0b99..48babce 100644
---- a/hw/9pfs/9p.c
-+++ b/hw/9pfs/9p.c
-@@ -1550,6 +1550,10 @@ static void coroutine_fn v9fs_lcreate(void *opaque)
- err = -ENOENT;
- goto out_nofid;
- }
-+ if (fidp->fid_type != P9_FID_NONE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
-
- flags = get_dotl_openflags(pdu->s, flags);
- err = v9fs_co_open2(pdu, fidp, &name, gid,
-@@ -2153,6 +2157,10 @@ static void coroutine_fn v9fs_create(void *opaque)
- err = -EINVAL;
- goto out_nofid;
- }
-+ if (fidp->fid_type != P9_FID_NONE) {
-+ err = -EINVAL;
-+ goto out;
-+ }
- if (perm & P9_STAT_MODE_DIR) {
- err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
- fidp->uid, -1, &stbuf);
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
deleted file mode 100644
index c5366f5758e..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-7471.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9c6b899f7a46893ab3b671e341a2234e9c0c060e Mon Sep 17 00:00:00 2001
-From: Greg Kurz <groug@kaod.org>
-Date: Mon, 17 Apr 2017 10:53:23 +0200
-Subject: [PATCH] 9pfs: local: set the path of the export root to "."
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The local backend was recently converted to using "at*()" syscalls in order
-to ensure all accesses happen below the shared directory. This requires that
-we only pass relative paths, otherwise the dirfd argument to the "at*()"
-syscalls is ignored and the path is treated as an absolute path in the host.
-This is actually the case for paths in all fids, with the notable exception
-of the root fid, whose path is "/". This causes the following backend ops to
-act on the "/" directory of the host instead of the virtfs shared directory
-when the export root is involved:
-- lstat
-- chmod
-- chown
-- utimensat
-
-ie, chmod /9p_mount_point in the guest will be converted to chmod / in the
-host for example. This could cause security issues with a privileged QEMU.
-
-All "*at()" syscalls are being passed an open file descriptor. In the case
-of the export root, this file descriptor points to the path in the host that
-was passed to -fsdev.
-
-The fix is thus as simple as changing the path of the export root fid to be
-"." instead of "/".
-
-This is CVE-2017-7471.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Léo Gaspard <leo@gaspard.io>
-Signed-off-by: Greg Kurz <groug@kaod.org>
-Reviewed-by: Eric Blake <eblake@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/9pfs/9p-local.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/hw/9pfs/9p-local.c b/hw/9pfs/9p-local.c
-index 45e9a1f..f3ebca4 100644
---- a/hw/9pfs/9p-local.c
-+++ b/hw/9pfs/9p-local.c
-@@ -1098,8 +1098,13 @@ static int local_name_to_path(FsContext *ctx, V9fsPath *dir_path,
- {
- if (dir_path) {
- v9fs_path_sprintf(target, "%s/%s", dir_path->data, name);
-- } else {
-+ } else if (strcmp(name, "/")) {
- v9fs_path_sprintf(target, "%s", name);
-+ } else {
-+ /* We want the path of the export root to be relative, otherwise
-+ * "*at()" syscalls would treat it as "/" in the host.
-+ */
-+ v9fs_path_sprintf(target, "%s", ".");
- }
- return 0;
- }
---
-2.10.2
-
diff --git a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch b/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
deleted file mode 100644
index eac72f3dcb5..00000000000
--- a/app-emulation/qemu/files/qemu-2.8.1-CVE-2017-8086.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 4ffcdef4277a91af15a3c09f7d16af072c29f3f2 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Fri, 7 Apr 2017 03:48:52 -0700
-Subject: [PATCH] 9pfs: xattr: fix memory leak in v9fs_list_xattr
-
-Free 'orig_value' in error path.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Greg Kurz <groug@kaod.org>
----
- hw/9pfs/9p-xattr.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/hw/9pfs/9p-xattr.c b/hw/9pfs/9p-xattr.c
-index eec160b..d05c1a1 100644
---- a/hw/9pfs/9p-xattr.c
-+++ b/hw/9pfs/9p-xattr.c
-@@ -108,6 +108,7 @@ ssize_t v9fs_list_xattr(FsContext *ctx, const char *path,
- g_free(name);
- close_preserve_errno(dirfd);
- if (xattr_len < 0) {
-+ g_free(orig_value);
- return -1;
- }
-
---
-2.10.2
-
next reply other threads:[~2017-07-26 17:15 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-26 17:15 Matthias Maier [this message]
-- strict thread matches above, loose matches on Subject: below --
2025-02-27 9:31 [gentoo-commits] repo/gentoo:master commit in: app-emulation/qemu/files/ Ionen Wolkens
2025-02-05 0:18 Sam James
2024-12-23 20:01 Conrad Kostecki
2024-08-20 8:01 Joonas Niilola
2023-11-20 20:20 Ulrich Müller
2023-10-22 16:33 Joonas Niilola
2023-02-22 11:32 Sam James
2022-01-12 8:38 Matthias Maier
2022-01-10 21:02 John Helmert III
2022-01-06 19:08 John Helmert III
2021-06-16 20:59 Sergei Trofimovich
2021-03-14 18:53 Conrad Kostecki
2020-09-21 21:48 Conrad Kostecki
2020-07-06 18:40 Sergei Trofimovich
2020-04-18 21:31 Sergei Trofimovich
2019-05-20 16:27 Matthias Maier
2018-03-30 2:54 Aaron Bauman
2018-03-27 15:44 Matthias Maier
2017-12-06 12:42 Michael Palimaka
2017-11-12 20:22 Matthias Maier
2017-07-26 19:37 Matthias Maier
2016-09-05 5:30 Matthias Maier
2016-08-15 20:36 Luca Barbato
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1501089293.4716c9ae8666e4cfc6eff46960f7bff8f4f3d708.tamiko@gentoo \
--to=tamiko@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox