Diffstat (limited to 'app-emulation/qemu')
-rw-r--r-- | app-emulation/qemu/Manifest | 17 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch | 15 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch | 61 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch | 12 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch | 334 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch | 135 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch | 32 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch | 38 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch | 144 | ||||
-rw-r--r-- | app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch | 94 | ||||
-rw-r--r-- | app-emulation/qemu/qemu-4.2.0-r5.ebuild (renamed from app-emulation/qemu/qemu-4.2.0-r2.ebuild) | 13 | ||||
-rw-r--r-- | app-emulation/qemu/qemu-4.2.0-r6.ebuild (renamed from app-emulation/qemu/qemu-4.2.0-r3.ebuild) | 13 | ||||
-rw-r--r-- | app-emulation/qemu/qemu-9999.ebuild | 7 |
13 files changed, 113 insertions, 802 deletions
diff --git a/app-emulation/qemu/Manifest b/app-emulation/qemu/Manifest
index d36a0efc6adb..9be1c90119e7 100644
--- a/app-emulation/qemu/Manifest
+++ b/app-emulation/qemu/Manifest
@@ -2,21 +2,14 @@ AUX 65-kvm.rules-r1 120 BLAKE2B a0d95f60e48f80e5f00b3a7ef3b520861fb781868844aff7 AUX bridge.conf 454 BLAKE2B 2f3e828a001ac77de96c8a11e3fc462149e1c16972c28b8367659c2896b7c3dd147e978ef6401b280fc3474bc959bee50f65d7525bee8bc04c19bc657ba7e22f SHA512 a907ee86b81a1b61033bb7621ded65112504131ef7b698c53e4014b958ee6fc79e66f63069015a01e41362cb70a7d0ed26dd9a03033cf776f4846f0e1f8f1533 AUX qemu-2.11.1-capstone_include_path.patch 264 BLAKE2B 955b498c0ea2657ee4c9d0054a32693ac2096232ae8358848fa8518bcb87c1cce5d9145ccf560320ba53d60ae8ed85f6be801b72707a964b247e8f1f1844f9cd SHA512 ebf1d6450b7c499a8e490b19f87a3b4f8bbc50ea44edaac8c12b0993947513a8b616af2d4cf6240c8e265824a44463f917333ffa510e6ffedf379921e28fc3ab AUX qemu-2.5.0-cflags.patch 410 BLAKE2B 1d072b5dd00369bb565b30c2aa7047de92b441bf103faadb5dd42daf36ad1c5e39c5bdfdc2b5f2bb0bfec2ea1255b4182caeb467614a487f5cfcb341109a4884 SHA512 0194d28de08b4e51c5bd1c9a2cc7965ba7f66dfddb8fd91de3da93677e6cf2d38ad3270f69aaea8a20cf2533c2980018d6e0fed711be2806fe2053fba7c081f3 -AUX qemu-2.5.0-sysmacros.patch 333 BLAKE2B 8c38410c6ea789f669d89c7321cdc9e5c734bb3db332272657302977241f157b04fb07e27bda4f67ee560e39a7494344ad79616835e6ff483927f2b72ed9c597 SHA512 329632c5bff846ca3ffcdb4bc94ae62f17c6bdbb566f9bec0784357c943523e8ca7773790b83a9617734cab3b003baa3d636cbd08f7385810a63b0fa0383c4f0 -AUX qemu-3.1.0-md-clear-md-no.patch 2690 BLAKE2B fcf6b7599985da60dcdf873e27c832075cd9c766d10ab3784c0f935965276b8c520005a62fc884a35c78942ce225bbd9a67083ef058e03f1a7c0963b816ae7b4 SHA512 bb452d110353bae4878ec030ef5f2f05c73294cbe08e8fc18267f23f922117e7e295302ac65df8008b5db3ff72bcff2e3eefd2da8b9a53868daea321d10958c1 -AUX qemu-4.0.0-fix_infiniband_include.patch 338 BLAKE2B 9c85e27ca7e99d5600247ce788edcf30b74650012c06f3b68ec395f55ca7cdfac7f24679077b06ff7ba37fc1b0a8fce281838709cfae9d20c9ee89d9dbd68da9 SHA512 c8cebaa40ca46f2a78131d4ea1951304cc39b39c3d9ec37f4be41906ce6dee303f5b21e66e6716ac4ad20ed4bf3dc06709e7db95113f2c7abd0036e0e0cc722d -AUX 
qemu-4.0.0-linux-headers-5.2.patch 11360 BLAKE2B 6299f25424044df02e892f10d735e07af35de7ec2b4a15bcf57ec03db8956406bfe690d57f2265b5ae5c63902e4ac77614c11286ec5461e7a6da3d7237030557 SHA512 2da8020655e8b4d269cdbeaa2134cbbaee85efe30d5b7ef1180f5e74a5b8141211c781be3a229ae475fb9e9b5b1022c378768c73a5acbf42993eaa6f93fe370d AUX qemu-4.0.0-mkdir_systemtap.patch 333 BLAKE2B e7e35e7fe510e7e1a86005f3d51384a81d1de7705f3b856656ec71cc0a2a29626e94918b3cc23b32e47c8073b77b62b498e71c3e956549e25ee5f4da1a8ac9cf SHA512 de48a7d663bd78051ed8a1f62d8b0b8e3bfe58d8a0001daf12518dbd087be3154e766be11c607485e7dd851b08d5675c4fb2a2fe5cf18f3b900164a4d93eab10 -AUX qemu-4.0.0-pc-q35-4.0.patch 5020 BLAKE2B ec3ad8fbf9ee1ce54109a81e913b97daebf347b2fc2217585e68741c3f77cae1272d7b721b59d7595b51d99eadbe7e26c47bcd46c96361a7f0df345fe5d6bcfb SHA512 3621525724a587f9aa1899b7b5c2130c27fca1b9a0e907e3fe1927a79a5d59f7597491538d6079822c52dd7bed41dd3cf6233a1be8472f3ed487e43447a74c7d -AUX qemu-4.0.0-sanitize-interp_info.patch 930 BLAKE2B d555dedc493cfa1cf888cfa7ce2a4a7811f3fd12615fa5177f82c421ddd82c2d7ffcf2e5c28ca383aac1fff35d03cae6b4b6c5129c694d9b3986819aa1e12962 SHA512 7783acf1172c4fd935c2b8f5bd76e97cea6bbb3ee33a21b23a17f23933f6053b3a933f378c6eae184c2362cb090b6b2c1966f79f1f130cf7344205ef3df0178d -AUX qemu-4.0.0-xkbcommon.patch 1107 BLAKE2B 865f6578677199b7a78fb285548982c47b1ab624eed28a474d9eb66af3bb266748f045389fdacf945f40ce58352f5041bcaa3ec1966e3f39591d2138455c6435 SHA512 0048751b6883e206b5c486c418e0b2b71f09dfe8dd156b9ac7b331bce1ac5ef9cd7d2e605da144c3983b7a74a8b2f1bb2c9eef991197ee4bfea014af53f54427 -AUX qemu-4.2.0-CVE-2020-11102.patch 4924 BLAKE2B 59def39ea9088447bd033870be36e0b3e79f1b581a553118e06279f2ca322a86398ef7b3f31bbfaa210b4a767bb370fb828c1da9451196347ee1f5c1d89f19a9 SHA512 31bb5772d493506266bcbff5fa3fbaea32569fb4f8fe7c569306b9eccd7b62d0f00592e82787ea5c06a20dcc73c5a0c14ce62e402393ebf4cfe1d838a2c7aefb +AUX qemu-4.2.0-ati-vga-crash.patch 4213 BLAKE2B 
bd67a7fa5cc782360e42dba38be05d973a18ee0a281a1d6623b836769f6d3e0e7de87111ab5b20ddc4d6b3e069e0dd9dc9c6a4fc56fc076562b69d89f4600936 SHA512 6075eed84d4cd0252fd8c82316c0b47c56e3deef5852acf5677a9e091610102c1d790ea1da4c7b6595f84bf1362e824f4ffe06675d4dc0b96da4c6401b4d0cc0 AUX qemu-4.2.0-cflags.patch 508 BLAKE2B 86724caca22a4bd2b21db306d04d8c0f6a542a15b82bb4e340f3ddb8471f47e854276ff33adee7bd5682ecb797efdb048e9d028d954a064712d1e817e1eb6e26 SHA512 5bfb8f0e739d7bb260b5b5b0a2d28f30b97833b8037227c511f55c9bd9502241c891e7e3780e750598ccfd7fb01615254f1c7f6634787fec67539a61a217e18d AUX qemu-binfmt.initd.head 1442 BLAKE2B 23aa5338914aa7c47f9b1cc1d28291abd0ea037a33cca81f990decfafac2907c86c042350c9dd45591d16330846d4e11d2c8a2a409a68ad81656d9c2c51964c0 SHA512 3fec8946a37bfbd2089f5d95089ed5987a198fc0139ee7482d4bb38c2ffa0e165667a7853afcf2b458bc3e2a6540f172c929ca5a334a00db47e2d0f881382c0e AUX qemu-binfmt.initd.tail 245 BLAKE2B dd59f2944c6e3f0c4d282b94b687a9b5c51dd77c5103fb9889bd9ce56874495397676ae6c8375d9e9e23094828477240778d9e0f361e68cdd63fdad574851561 SHA512 bcca16805f8380d52cc591ea3d65a8f6e5de456730618f6aee301510edb75d235a22d4d7aeed224882210392840adb403eb53234b6cb76a4cb24533852a8b737 -DIST qemu-4.2.0-patches-r1.tar.xz 14552 BLAKE2B e8832ce5b7ccda02dcd63fa60a458322a36ba754c8bc682839de4ee33cf21a83cde434bdc062916d3c83e81026b68ebf2fbe099dc6c54c191875f830d95c63ae SHA512 7495e4c9ca80fd25a1bc8244b384f88f3bc6d7190e2840b1614e3bc6fd51938e42792c6a4dbdb2d400a45532e558814462647f35d5ab21e175bec84868a4161d +DIST qemu-4.2.0-patches-r2.tar.xz 17868 BLAKE2B 3783d0f923ded66cce1195248981c83bbaf8b7ad2a270207e92e60b4d05d4787cd9324649c113a4616c2a9ddcef99841264f19915615b7a0a24dac9febed48ba SHA512 556f1c595a35ee4279b2d0890d90e48cd43d9d641ccca495e2494f62ab48dfc000dbe23718276271ced3d4b7680c814f8f8846195089ff56186f618063a83b48 DIST qemu-4.2.0.tar.xz 62222068 BLAKE2B 27c9fbcd5093af425764674817ab9299224bd03f37b5983786f6f437fff1fab3b7da247c55c4ca8b8c42726b9867005944a2f7f04f2d0d94d753961615f901ef SHA512 
2a79973c2b07c53e8c57a808ea8add7b6b2cbca96488ed5d4b669ead8c9318907dec2b6109f180fc8ca8f04c0f73a56e82b3a527b5626b799d7e849f2474ec56 -EBUILD qemu-4.2.0-r2.ebuild 24433 BLAKE2B 76aa9bfba93a69410762da8228a66bdf768031e3636fae9b7dd3f9393f6ab35baccf2840900f5eaf5c751dbcdcbbbd6a02de9eebf41d8b8b69d5adb055f09836 SHA512 3cf46d297948865e72d19190ad09e6eb38a9413c3c9cddf68fb5d54db6dad2c8afeaac85ef26178dcbd69b1f2b38d204b52214b2a87edd2d437acb9330f97adb -EBUILD qemu-4.2.0-r3.ebuild 24588 BLAKE2B 62d1b2d813eba84c499fa72746006958294a73ac940496b1c8606b77f17e19e551cfea8e5af5e5e389ca1153ede8a6a73cddb10b7971ce3ec353e38d882d309e SHA512 298f54434c03ec9c32dfd6b1c677d5fe876ca4e605d7e236698c3d0a3199981119f17b6c5e2a636914893c49573c09a69c25040e58ed18048ead72d6bd9195e1 -EBUILD qemu-9999.ebuild 24336 BLAKE2B 2c37e9f9dde0a942daf432579c4f0a47c5373dc3f640c139f3c96936aa92150274aa3d7fe37bf795a166c40e3abead8874eb1e7666ed6001183485bb67402e79 SHA512 5888ca6188a32b39e2dfad3a4c10a8356cbf32502522d244eb33ece87f348e3f546b15d5c413d6b281760f87150ce8bc9b86cc49e233d5798c2e8d7e96c47203 +EBUILD qemu-4.2.0-r5.ebuild 24410 BLAKE2B 62165db1afd588b237dbcfd6383e140d4c3b82336a0dd921e7a0249ec2400d82c721a85036ccfb5d8ad97c0f4659f17101e93aa673b4e6626b188a784e2d8857 SHA512 7e5e226646041d42cf34721c837a0bbdf14c14cf6fa8cf181e5c4af85cb20c5fc4ee29524133e09024da4fc7ae6d3626a6d17da205b3161de2f4d3ca8010472a +EBUILD qemu-4.2.0-r6.ebuild 24467 BLAKE2B 850484ea855dc4939329b19e46414844b2b0a505ba4c4190377f47197681f3d1d249074573f388de759dc9340ff0bfdc6e2a56df8c1eefca41dd02cdeffccb74 SHA512 f18d944c2683ef1d93f017cc8025bd51dd7ef561d7f1ad8c0176b146bbd23d3a3b3f8d4e155eee1865d940b707179febe6ee37ae04e8cd16373875bd504119d3 +EBUILD qemu-9999.ebuild 24313 BLAKE2B ef0e66599c42688b16d3576e799681004acc1f83709a0307fb12b535bbb9a79a95c3343a5261f0bb14e1cf83844ccf9223c236661d5ecb459845585f75362a40 SHA512 4783f436324c02d1b58cb6f6a7d144d7a52eb3667600f28b32830d63eca43e2500361f4765010a2ee5f4d32335f33bd51637051780da698e77e3d11c9d0d1fab MISC metadata.xml 4379 BLAKE2B 
6608d9d9926e801dd84c9b8dc8f177fea1ee1896754c717cd0189aa2399e85abedd67d92f4fa0b35a84a3d86fa2871232098b6380caf408ace7a6dc96968228d SHA512 ff90794397e5e10df98bccc55508d5b5a963c0a14ee506fb2130499660e9b64aee6fcdba41906103a4f6e77a27f228b7cd34835b7035ce49bd6a8cbf2f25242e
diff --git a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
deleted file mode 100644
index f2e766dc1c35..000000000000
--- a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Linux C libs are moving away from implicit header pollution with sys/types.h
-
---- a/include/qemu/osdep.h
-+++ b/include/qemu/osdep.h
-@@ -78,6 +78,10 @@ extern int daemon(int, int);
- #include <assert.h>
- #include <signal.h>
-
-+#ifdef __linux__
-+#include <sys/sysmacros.h>
-+#endif
-+
- #ifdef __OpenBSD__
- #include <sys/signal.h>
- #endif
diff --git a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch b/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
deleted file mode 100644
index a7b3e8cb8f20..000000000000
--- a/app-emulation/qemu/files/qemu-3.1.0-md-clear-md-no.patch
+++ /dev/null
@@ -1,61 +0,0 @@ -From 0fb766134bd97ead71646e13349f93769e536ed9 Mon Sep 17 00:00:00 2001 -From: Matthias Maier <tamiko@43-1.org> -Date: Fri, 17 May 2019 02:21:10 -0500 -Subject: [PATCH] Define md-clear bit, expose md-no CPUID - -Fixes for CVE-2018-121{26|27|30}, CVE-2019-11091 - -See related fixes for Ubuntu: - https://launchpad.net/ubuntu/+source/qemu/1:3.1+dfsg-2ubuntu3.1 ---- - target/i386/cpu.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/target/i386/cpu.c b/target/i386/cpu.c -index d6bb57d2..331a364a 100644 ---- a/target/i386/cpu.c -+++ b/target/i386/cpu.c -@@ -1076,7 +1076,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { - .feat_names = { - NULL, NULL, "avx512-4vnniw", "avx512-4fmaps", - NULL, NULL, NULL, NULL, -- NULL, NULL, NULL, NULL, -+ NULL, NULL, "md-clear", NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, -@@ -1183,7 +1183,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { - .type = MSR_FEATURE_WORD, - .feat_names = { - "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry", -- "ssb-no", NULL, NULL, NULL, -+ "ssb-no", "mds-no", NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, -diff --git a/target/i386/cpu.h b/target/i386/cpu.h -index 83fb5225..d0bab4d7 100644 ---- a/target/i386/cpu.h -+++ b/target/i386/cpu.h -@@ -694,6 +694,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; - - #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ - #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ -+#define CPUID_7_0_EDX_MD_CLEAR (1U << 10) /* Microarchitectural Data Clear */ - #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ - #define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/ - #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ -diff --git a/target/i386/hvf/x86_cpuid.c 
b/target/i386/hvf/x86_cpuid.c -index 4d957fe8..b453552f 100644 ---- a/target/i386/hvf/x86_cpuid.c -+++ b/target/i386/hvf/x86_cpuid.c -@@ -90,7 +90,8 @@ uint32_t hvf_get_supported_cpuid(uint32_t func, uint32_t idx, - } - - ecx &= CPUID_7_0_ECX_AVX512BMI | CPUID_7_0_ECX_AVX512_VPOPCNTDQ; -- edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS; -+ edx &= CPUID_7_0_EDX_AVX512_4VNNIW | CPUID_7_0_EDX_AVX512_4FMAPS | \ -+ CPUID_7_0_EDX_MD_CLEAR; - } else { - ebx = 0; - ecx = 0; diff --git a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch b/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch deleted file mode 100644 index 2778cc8f4f2e..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-fix_infiniband_include.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c -index d1660b64..86715bfd 100644 ---- a/hw/rdma/rdma_backend.c -+++ b/hw/rdma/rdma_backend.c -@@ -21,7 +21,6 @@ - #include "qapi/qapi-events-rdma.h" - - #include <infiniband/verbs.h> --#include <infiniband/umad_types.h> - #include <infiniband/umad.h> - #include <rdma/rdma_user_cm.h> - diff --git a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch b/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch deleted file mode 100644 index 43be8629dfa8..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-linux-headers-5.2.patch +++ /dev/null 
@@ -1,334 +0,0 @@ -From 6d5d5dde9adb5acb32e6b8e3dfbf47fff0f308d2 Mon Sep 17 00:00:00 2001 -From: =?utf8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com> -Date: Thu, 18 Jul 2019 15:06:41 +0200 -Subject: [PATCH] linux-user: fix to handle variably sized SIOCGSTAMP with new - kernels -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -The SIOCGSTAMP symbol was previously defined in the -asm-generic/sockios.h header file. QEMU sees that header -indirectly via sys/socket.h - -In linux kernel commit 0768e17073dc527ccd18ed5f96ce85f9985e9115 -the asm-generic/sockios.h header no longer defines SIOCGSTAMP. -Instead it provides only SIOCGSTAMP_OLD, which only uses a -32-bit time_t on 32-bit architectures. - -The linux/sockios.h header then defines SIOCGSTAMP using -either SIOCGSTAMP_OLD or SIOCGSTAMP_NEW as appropriate. If -SIOCGSTAMP_NEW is used, then the tv_sec field is 64-bit even -on 32-bit architectures - -To cope with this we must now convert the old and new type from -the target to the host one. - -Signed-off-by: Daniel P. 
Berrangé <berrange@redhat.com> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> -Reviewed-by: Arnd Bergmann <arnd@arndb.de> -Message-Id: <20190718130641.15294-1-laurent@vivier.eu> -Signed-off-by: Laurent Vivier <laurent@vivier.eu> ---- - linux-user/ioctls.h | 21 ++++++- - linux-user/syscall.c | 140 ++++++++++++++++++++++++++++++++++++--------- - linux-user/syscall_defs.h | 30 +++++++++- - linux-user/syscall_types.h | 6 -- - 4 files changed, 159 insertions(+), 38 deletions(-) - -diff --git a/linux-user/ioctls.h b/linux-user/ioctls.h -index ae895162..e6a27ad9 100644 ---- a/linux-user/ioctls.h -+++ b/linux-user/ioctls.h -@@ -219,8 +219,25 @@ - IOCTL(SIOCGRARP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_arpreq))) - IOCTL(SIOCGIWNAME, IOC_W | IOC_R, MK_PTR(MK_STRUCT(STRUCT_char_ifreq))) - IOCTL(SIOCGPGRP, IOC_R, MK_PTR(TYPE_INT)) /* pid_t */ -- IOCTL(SIOCGSTAMP, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timeval))) -- IOCTL(SIOCGSTAMPNS, IOC_R, MK_PTR(MK_STRUCT(STRUCT_timespec))) -+ -+ /* -+ * We can't use IOCTL_SPECIAL() because it will set -+ * host_cmd to XXX_OLD and XXX_NEW and these macros -+ * are not defined with kernel prior to 5.2. -+ * We must set host_cmd to the same value as in target_cmd -+ * otherwise the consistency check in syscall_init() -+ * will trigger an error. -+ * host_cmd is ignored by the do_ioctl_XXX() helpers. 
-+ * FIXME: create a macro to define this kind of entry -+ */ -+ { TARGET_SIOCGSTAMP_OLD, TARGET_SIOCGSTAMP_OLD, -+ "SIOCGSTAMP_OLD", IOC_R, do_ioctl_SIOCGSTAMP }, -+ { TARGET_SIOCGSTAMPNS_OLD, TARGET_SIOCGSTAMPNS_OLD, -+ "SIOCGSTAMPNS_OLD", IOC_R, do_ioctl_SIOCGSTAMPNS }, -+ { TARGET_SIOCGSTAMP_NEW, TARGET_SIOCGSTAMP_NEW, -+ "SIOCGSTAMP_NEW", IOC_R, do_ioctl_SIOCGSTAMP }, -+ { TARGET_SIOCGSTAMPNS_NEW, TARGET_SIOCGSTAMPNS_NEW, -+ "SIOCGSTAMPNS_NEW", IOC_R, do_ioctl_SIOCGSTAMPNS }, - - IOCTL(RNDGETENTCNT, IOC_R, MK_PTR(TYPE_INT)) - IOCTL(RNDADDTOENTCNT, IOC_W, MK_PTR(TYPE_INT)) -diff --git a/linux-user/syscall.c b/linux-user/syscall.c -index 96cd4bf8..6df480e1 100644 ---- a/linux-user/syscall.c -+++ b/linux-user/syscall.c -@@ -37,6 +37,7 @@ - #include <sched.h> - #include <sys/timex.h> - #include <sys/socket.h> -+#include <linux/sockios.h> - #include <sys/un.h> - #include <sys/uio.h> - #include <poll.h> -@@ -1139,8 +1140,9 @@ static inline abi_long copy_from_user_timeval(struct timeval *tv, - { - struct target_timeval *target_tv; - -- if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) -+ if (!lock_user_struct(VERIFY_READ, target_tv, target_tv_addr, 1)) { - return -TARGET_EFAULT; -+ } - - __get_user(tv->tv_sec, &target_tv->tv_sec); - __get_user(tv->tv_usec, &target_tv->tv_usec); -@@ -1155,8 +1157,26 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr, - { - struct target_timeval *target_tv; - -- if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) -+ if (!lock_user_struct(VERIFY_WRITE, target_tv, target_tv_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ -+ __put_user(tv->tv_sec, &target_tv->tv_sec); -+ __put_user(tv->tv_usec, &target_tv->tv_usec); -+ -+ unlock_user_struct(target_tv, target_tv_addr, 1); -+ -+ return 0; -+} -+ -+static inline abi_long copy_to_user_timeval64(abi_ulong target_tv_addr, -+ const struct timeval *tv) -+{ -+ struct target__kernel_sock_timeval *target_tv; -+ -+ if (!lock_user_struct(VERIFY_WRITE, 
target_tv, target_tv_addr, 0)) { - return -TARGET_EFAULT; -+ } - - __put_user(tv->tv_sec, &target_tv->tv_sec); - __put_user(tv->tv_usec, &target_tv->tv_usec); -@@ -1166,6 +1186,48 @@ static inline abi_long copy_to_user_timeval(abi_ulong target_tv_addr, - return 0; - } - -+static inline abi_long target_to_host_timespec(struct timespec *host_ts, -+ abi_ulong target_addr) -+{ -+ struct target_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) { -+ return -TARGET_EFAULT; -+ } -+ __get_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __get_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 0); -+ return 0; -+} -+ -+static inline abi_long host_to_target_timespec(abi_ulong target_addr, -+ struct timespec *host_ts) -+{ -+ struct target_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ __put_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 1); -+ return 0; -+} -+ -+static inline abi_long host_to_target_timespec64(abi_ulong target_addr, -+ struct timespec *host_ts) -+{ -+ struct target__kernel_timespec *target_ts; -+ -+ if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) { -+ return -TARGET_EFAULT; -+ } -+ __put_user(host_ts->tv_sec, &target_ts->tv_sec); -+ __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -+ unlock_user_struct(target_ts, target_addr, 1); -+ return 0; -+} -+ - static inline abi_long copy_from_user_timezone(struct timezone *tz, - abi_ulong target_tz_addr) - { -@@ -4790,6 +4852,54 @@ static abi_long do_ioctl_kdsigaccept(const IOCTLEntry *ie, uint8_t *buf_temp, - return get_errno(safe_ioctl(fd, ie->host_cmd, sig)); - } - -+static abi_long do_ioctl_SIOCGSTAMP(const IOCTLEntry *ie, uint8_t *buf_temp, -+ int fd, int cmd, abi_long arg) -+{ -+ struct timeval tv; -+ abi_long ret; -+ -+ ret = 
get_errno(safe_ioctl(fd, SIOCGSTAMP, &tv)); -+ if (is_error(ret)) { -+ return ret; -+ } -+ -+ if (cmd == (int)TARGET_SIOCGSTAMP_OLD) { -+ if (copy_to_user_timeval(arg, &tv)) { -+ return -TARGET_EFAULT; -+ } -+ } else { -+ if (copy_to_user_timeval64(arg, &tv)) { -+ return -TARGET_EFAULT; -+ } -+ } -+ -+ return ret; -+} -+ -+static abi_long do_ioctl_SIOCGSTAMPNS(const IOCTLEntry *ie, uint8_t *buf_temp, -+ int fd, int cmd, abi_long arg) -+{ -+ struct timespec ts; -+ abi_long ret; -+ -+ ret = get_errno(safe_ioctl(fd, SIOCGSTAMPNS, &ts)); -+ if (is_error(ret)) { -+ return ret; -+ } -+ -+ if (cmd == (int)TARGET_SIOCGSTAMPNS_OLD) { -+ if (host_to_target_timespec(arg, &ts)) { -+ return -TARGET_EFAULT; -+ } -+ } else{ -+ if (host_to_target_timespec64(arg, &ts)) { -+ return -TARGET_EFAULT; -+ } -+ } -+ -+ return ret; -+} -+ - #ifdef TIOCGPTPEER - static abi_long do_ioctl_tiocgptpeer(const IOCTLEntry *ie, uint8_t *buf_temp, - int fd, int cmd, abi_long arg) -@@ -6160,32 +6270,6 @@ static inline abi_long target_ftruncate64(void *cpu_env, abi_long arg1, - } - #endif - --static inline abi_long target_to_host_timespec(struct timespec *host_ts, -- abi_ulong target_addr) --{ -- struct target_timespec *target_ts; -- -- if (!lock_user_struct(VERIFY_READ, target_ts, target_addr, 1)) -- return -TARGET_EFAULT; -- __get_user(host_ts->tv_sec, &target_ts->tv_sec); -- __get_user(host_ts->tv_nsec, &target_ts->tv_nsec); -- unlock_user_struct(target_ts, target_addr, 0); -- return 0; --} -- --static inline abi_long host_to_target_timespec(abi_ulong target_addr, -- struct timespec *host_ts) --{ -- struct target_timespec *target_ts; -- -- if (!lock_user_struct(VERIFY_WRITE, target_ts, target_addr, 0)) -- return -TARGET_EFAULT; -- __put_user(host_ts->tv_sec, &target_ts->tv_sec); -- __put_user(host_ts->tv_nsec, &target_ts->tv_nsec); -- unlock_user_struct(target_ts, target_addr, 1); -- return 0; --} -- - static inline abi_long target_to_host_itimerspec(struct itimerspec *host_itspec, - abi_ulong 
target_addr) - { -diff --git a/linux-user/syscall_defs.h b/linux-user/syscall_defs.h -index 12c84071..cfb3eeec 100644 ---- a/linux-user/syscall_defs.h -+++ b/linux-user/syscall_defs.h -@@ -208,16 +208,34 @@ struct target_linger { - abi_int l_linger; /* How long to linger for */ - }; - -+#if defined(TARGET_SPARC64) && !defined(TARGET_ABI32) -+struct target_timeval { -+ abi_long tv_sec; -+ abi_int tv_usec; -+}; -+#define target__kernel_sock_timeval target_timeval -+#else - struct target_timeval { - abi_long tv_sec; - abi_long tv_usec; - }; - -+struct target__kernel_sock_timeval { -+ abi_llong tv_sec; -+ abi_llong tv_usec; -+}; -+#endif -+ - struct target_timespec { - abi_long tv_sec; - abi_long tv_nsec; - }; - -+struct target__kernel_timespec { -+ abi_llong tv_sec; -+ abi_llong tv_nsec; -+}; -+ - struct target_timezone { - abi_int tz_minuteswest; - abi_int tz_dsttime; -@@ -743,8 +761,17 @@ struct target_pollfd { - #define TARGET_SIOCATMARK 0x8905 - #define TARGET_SIOCGPGRP 0x8904 - #endif --#define TARGET_SIOCGSTAMP 0x8906 /* Get stamp (timeval) */ --#define TARGET_SIOCGSTAMPNS 0x8907 /* Get stamp (timespec) */ -+ -+#if defined(TARGET_SH4) -+#define TARGET_SIOCGSTAMP_OLD TARGET_IOR('s', 100, struct target_timeval) -+#define TARGET_SIOCGSTAMPNS_OLD TARGET_IOR('s', 101, struct target_timespec) -+#else -+#define TARGET_SIOCGSTAMP_OLD 0x8906 -+#define TARGET_SIOCGSTAMPNS_OLD 0x8907 -+#endif -+ -+#define TARGET_SIOCGSTAMP_NEW TARGET_IOR(0x89, 0x06, abi_llong[2]) -+#define TARGET_SIOCGSTAMPNS_NEW TARGET_IOR(0x89, 0x07, abi_llong[2]) - - /* Networking ioctls */ - #define TARGET_SIOCADDRT 0x890B /* add routing table entry */ -diff --git a/linux-user/syscall_types.h b/linux-user/syscall_types.h -index b98a23b0..4e369838 100644 ---- a/linux-user/syscall_types.h -+++ b/linux-user/syscall_types.h -@@ -14,12 +14,6 @@ STRUCT(serial_icounter_struct, - STRUCT(sockaddr, - TYPE_SHORT, MK_ARRAY(TYPE_CHAR, 14)) - --STRUCT(timeval, -- MK_ARRAY(TYPE_LONG, 2)) -- --STRUCT(timespec, -- 
MK_ARRAY(TYPE_LONG, 2)) -- - STRUCT(rtentry, - TYPE_ULONG, MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), MK_STRUCT(STRUCT_sockaddr), - TYPE_SHORT, TYPE_SHORT, TYPE_ULONG, TYPE_PTRVOID, TYPE_SHORT, TYPE_PTRVOID, diff --git a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch b/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch deleted file mode 100644 index ebabc0c4c294..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-pc-q35-4.0.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -Backport of QEMU v4.1 commit for stable v4.0.1 release - -commit c87759ce876a7a0b17c2bf4f0b964bd51f0ee871 -Author: Alex Williamson <address@hidden> -Date: Tue May 14 14:14:41 2019 -0600 - - q35: Revert to kernel irqchip - - Commit b2fc91db8447 ("q35: set split kernel irqchip as default") changed - the default for the pc-q35-4.0 machine type to use split irqchip, which - turned out to have disasterous effects on vfio-pci INTx support. KVM - resampling irqfds are registered for handling these interrupts, but - these are non-functional in split irqchip mode. We can't simply test - for split irqchip in QEMU as userspace handling of this interrupt is a - significant performance regression versus KVM handling (GeForce GPUs - assigned to Windows VMs are non-functional without forcing MSI mode or - re-enabling kernel irqchip). - - The resolution is to revert the change in default irqchip mode in the - pc-q35-4.1 machine and create a pc-q35-4.0.1 machine for the 4.0-stable - branch. The qemu-q35-4.0 machine type should not be used in vfio-pci - configurations for devices requiring legacy INTx support without - explicitly modifying the VM configuration to use kernel irqchip. - -Link: https://bugs.launchpad.net/qemu/+bug/1826422 -Fixes: b2fc91db8447 ("q35: set split kernel irqchip as default") -Cc: address@hidden -Reviewed-by: Peter Xu <address@hidden> -Signed-off-by: Alex Williamson <address@hidden> ---- - -Same code as v1, just updating the commit log as a formal backport of -the merged 4.1 commit. 
- - hw/core/machine.c | 3 +++ - hw/i386/pc.c | 3 +++ - hw/i386/pc_q35.c | 16 ++++++++++++++-- - include/hw/boards.h | 3 +++ - include/hw/i386/pc.h | 3 +++ - 5 files changed, 26 insertions(+), 2 deletions(-) - -diff --git a/hw/core/machine.c b/hw/core/machine.c -index 743fef28982c..5d046a43e3d2 100644 ---- a/hw/core/machine.c -+++ b/hw/core/machine.c -@@ -24,6 +24,9 @@ - #include "hw/pci/pci.h" - #include "hw/mem/nvdimm.h" - -+GlobalProperty hw_compat_4_0[] = {}; -+const size_t hw_compat_4_0_len = G_N_ELEMENTS(hw_compat_4_0); -+ - GlobalProperty hw_compat_3_1[] = { - { "pcie-root-port", "x-speed", "2_5" }, - { "pcie-root-port", "x-width", "1" }, -diff --git a/hw/i386/pc.c b/hw/i386/pc.c -index f2c15bf1f2c3..d98b737b8f3b 100644 ---- a/hw/i386/pc.c -+++ b/hw/i386/pc.c -@@ -115,6 +115,9 @@ struct hpet_fw_config hpet_cfg = {.count = UINT8_MAX}; - /* Physical Address of PVH entry point read from kernel ELF NOTE */ - static size_t pvh_start_addr; - -+GlobalProperty pc_compat_4_0[] = {}; -+const size_t pc_compat_4_0_len = G_N_ELEMENTS(pc_compat_4_0); -+ - GlobalProperty pc_compat_3_1[] = { - { "intel-iommu", "dma-drain", "off" }, - { "Opteron_G3" "-" TYPE_X86_CPU, "rdtscp", "off" }, -diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c -index 372c6b73bebd..45cc29d1adb7 100644 ---- a/hw/i386/pc_q35.c -+++ b/hw/i386/pc_q35.c -@@ -357,7 +357,7 @@ static void pc_q35_machine_options(MachineClass *m) - m->units_per_default_bus = 1; - m->default_machine_opts = "firmware=bios-256k.bin"; - m->default_display = "std"; -- m->default_kernel_irqchip_split = true; -+ m->default_kernel_irqchip_split = false; - m->no_floppy = 1; - machine_class_allow_dynamic_sysbus_dev(m, TYPE_AMD_IOMMU_DEVICE); - machine_class_allow_dynamic_sysbus_dev(m, TYPE_INTEL_IOMMU_DEVICE); -@@ -365,12 +365,24 @@ static void pc_q35_machine_options(MachineClass *m) - m->max_cpus = 288; - } - --static void pc_q35_4_0_machine_options(MachineClass *m) -+static void pc_q35_4_0_1_machine_options(MachineClass *m) - { - 
pc_q35_machine_options(m); - m->alias = "q35"; - } - -+DEFINE_Q35_MACHINE(v4_0_1, "pc-q35-4.0.1", NULL, -+ pc_q35_4_0_1_machine_options); -+ -+static void pc_q35_4_0_machine_options(MachineClass *m) -+{ -+ pc_q35_4_0_1_machine_options(m); -+ m->default_kernel_irqchip_split = true; -+ m->alias = NULL; -+ compat_props_add(m->compat_props, hw_compat_4_0, hw_compat_4_0_len); -+ compat_props_add(m->compat_props, pc_compat_4_0, pc_compat_4_0_len); -+} -+ - DEFINE_Q35_MACHINE(v4_0, "pc-q35-4.0", NULL, - pc_q35_4_0_machine_options); - -diff --git a/include/hw/boards.h b/include/hw/boards.h -index e231860666a1..fe1885cbffa0 100644 ---- a/include/hw/boards.h -+++ b/include/hw/boards.h -@@ -293,6 +293,9 @@ struct MachineState { - } \ - type_init(machine_initfn##_register_types) - -+extern GlobalProperty hw_compat_4_0[]; -+extern const size_t hw_compat_4_0_len; -+ - extern GlobalProperty hw_compat_3_1[]; - extern const size_t hw_compat_3_1_len; - -diff --git a/include/hw/i386/pc.h b/include/hw/i386/pc.h -index ca65ef18afb4..43df7230a22b 100644 ---- a/include/hw/i386/pc.h -+++ b/include/hw/i386/pc.h -@@ -293,6 +293,9 @@ int e820_add_entry(uint64_t, uint64_t, uint32_t); - int e820_get_num_entries(void); - bool e820_get_entry(int, uint32_t, uint64_t *, uint64_t *); - -+extern GlobalProperty pc_compat_4_0[]; -+extern const size_t pc_compat_4_0_len; -+ - extern GlobalProperty pc_compat_3_1[]; - extern const size_t pc_compat_3_1_len; diff --git a/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch b/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch deleted file mode 100644 index 58ff0c788288..000000000000 --- a/app-emulation/qemu/files/qemu-4.0.0-sanitize-interp_info.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-linux-user: Sanitize interp_info and, for mips
-
-Sanitize interp_info structure in load_elf_binary() and, for mips only,
-init its field fp_abi. This fixes appearances of "Unexpected FPU mode"
-message in some MIPS use cases.
-
-Signed-off-by: Daniel Santos <address@hidden>
-Signed-off-by: Aleksandar Markovic <address@hidden>
----
- linux-user/elfload.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
-index c1a2602..7f09d57 100644
---- a/linux-user/elfload.c
-+++ b/linux-user/elfload.c
-@@ -2698,6 +2698,11 @@ int load_elf_binary(struct linux_binprm *bprm, struct image_info *info)
- char *elf_interpreter = NULL;
- char *scratch;
-
-+ memset(&interp_info, 0, sizeof(interp_info));
-+#ifdef TARGET_MIPS
-+ interp_info.fp_abi = MIPS_ABI_FP_UNKNOWN;
-+#endif
-+
- info->start_mmap = (abi_ulong)ELF_START_MMAP;
-
- load_elf_image(bprm->filename, bprm->fd, info,
---
-2.7.4
-
-
diff --git a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch b/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
deleted file mode 100644
index 3d9a5163ecf5..000000000000
--- a/app-emulation/qemu/files/qemu-4.0.0-xkbcommon.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cef396dc0b11a09ede85b275ed1ceee71b60a4b3 Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <chewi@gentoo.org>
-Date: Sat, 14 Sep 2019 15:47:20 +0100
-Subject: [PATCH] configure: Add xkbcommon configure options
-
-This dependency is currently "automagic", which is bad for distributions.
-
-Signed-off-by: James Le Cuirot <chewi@gentoo.org>
----
- configure | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/configure b/configure
-index 30aad233d1..30544f52e6 100755
---- a/configure
-+++ b/configure
-@@ -1521,6 +1521,10 @@ for opt do
- ;;
- --disable-libpmem) libpmem=no
- ;;
-+ --enable-xkbcommon) xkbcommon=yes
-+ ;;
-+ --disable-xkbcommon) xkbcommon=no
-+ ;;
- *)
- echo "ERROR: unknown option $opt"
- echo "Try '$0 --help' for more information"
-@@ -1804,6 +1808,7 @@ disabled with --disable-FEATURE, default is enabled if available:
- capstone capstone disassembler support
- debug-mutex mutex debugging support
- libpmem libpmem support
-+ xkbcommon xkbcommon support
-
- NOTE: The object files are built at the place where configure is launched
- EOF
---
-2.23.0
-
diff --git a/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch b/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch
deleted file mode 100644
index 118c81971d83..000000000000
--- a/app-emulation/qemu/files/qemu-4.2.0-CVE-2020-11102.patch
+++ /dev/null
@@ -1,144 +0,0 @@ -From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Tue, 24 Mar 2020 22:57:22 +0530 -Subject: [PATCH] net: tulip: check frame size and r/w data length - -Tulip network driver while copying tx/rx buffers does not check -frame size against r/w data length. This may lead to OOB buffer -access. Add check to avoid it. - -Limit iterations over descriptors to avoid potential infinite -loop issue in tulip_xmit_list_update. - -Reported-by: Li Qiang <pangpei.lq@antfin.com> -Reported-by: Ziming Zhang <ezrakiez@gmail.com> -Reported-by: Jason Wang <jasowang@redhat.com> -Tested-by: Li Qiang <liq3ea@gmail.com> -Reviewed-by: Li Qiang <liq3ea@gmail.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Jason Wang <jasowang@redhat.com> ---- - hw/net/tulip.c | 36 +++++++++++++++++++++++++++--------- - 1 file changed, 27 insertions(+), 9 deletions(-) - -diff --git a/hw/net/tulip.c b/hw/net/tulip.c -index cfac2719d3..1295f51d07 100644 ---- a/hw/net/tulip.c -+++ b/hw/net/tulip.c -@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) - } else { - len = s->rx_frame_len; - } -+ -+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { -+ return; -+ } - pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame + - (s->rx_frame_size - s->rx_frame_len), len); - s->rx_frame_len -= len; -@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc) - } else { - len = s->rx_frame_len; - } -+ -+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) { -+ return; -+ } - pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame + - (s->rx_frame_size - s->rx_frame_len), len); - s->rx_frame_len -= len; -@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size) - - trace_tulip_receive(buf, size); - -- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) { -+ if (size < 14 
|| size > sizeof(s->rx_frame) - 4 -+ || s->rx_frame_len || tulip_rx_stopped(s)) { - return 0; - } - -@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc, - return tulip_receive(qemu_get_nic_opaque(nc), buf, size); - } - -- - static NetClientInfo net_tulip_info = { - .type = NET_CLIENT_DRIVER_NIC, - .size = sizeof(NICState), -@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) - if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) { - /* Internal or external Loopback */ - tulip_receive(s, s->tx_frame, s->tx_frame_len); -- } else { -+ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) { - qemu_send_packet(qemu_get_queue(s->nic), - s->tx_frame, s->tx_frame_len); - } -@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc) - } - } - --static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) -+static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) - { - int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK; - int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK; - -+ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) { -+ return -1; -+ } - if (len1) { - pci_dma_read(&s->dev, desc->buf_addr1, - s->tx_frame + s->tx_frame_len, len1); - s->tx_frame_len += len1; - } - -+ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) { -+ return -1; -+ } - if (len2) { - pci_dma_read(&s->dev, desc->buf_addr2, - s->tx_frame + s->tx_frame_len, len2); - s->tx_frame_len += len2; - } - desc->status = (len1 + len2) ? 
0 : 0x7fffffff; -+ -+ return 0; - } - - static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n) -@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s) - - static void tulip_xmit_list_update(TULIPState *s) - { -+#define TULIP_DESC_MAX 128 -+ uint8_t i = 0; - struct tulip_descriptor desc; - - if (tulip_ts(s) != CSR5_TS_SUSPENDED) { - return; - } - -- for (;;) { -+ for (i = 0; i < TULIP_DESC_MAX; i++) { - tulip_desc_read(s, s->current_tx_desc, &desc); - tulip_dump_tx_descriptor(s, &desc); - -@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s) - s->tx_frame_len = 0; - } - -- tulip_copy_tx_buffers(s, &desc); -- -- if (desc.control & TDES1_LS) { -- tulip_tx(s, &desc); -+ if (!tulip_copy_tx_buffers(s, &desc)) { -+ if (desc.control & TDES1_LS) { -+ tulip_tx(s, &desc); -+ } - } - } - tulip_desc_write(s, s->current_tx_desc, &desc); --- -2.24.1 - diff --git a/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch new file mode 100644 index 000000000000..5f442f0fd07a --- /dev/null +++ b/app-emulation/qemu/files/qemu-4.2.0-ati-vga-crash.patch 
@@ -0,0 +1,94 @@ +https://bugs.gentoo.org/719266 + +From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001 +From: BALATON Zoltan <balaton@eik.bme.hu> +Date: Mon, 6 Apr 2020 22:34:26 +0200 +Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash + +In some corner cases (that never happen during normal operation but a +malicious guest could program wrong values) pixman functions were +called with parameters that result in a crash. Fix this and add more +checks to disallow such cases. + +Reported-by: Ziming Zhang <ezrakiez@gmail.com> +Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu> +Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +--- a/hw/display/ati_2d.c ++++ b/hw/display/ati_2d.c +@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s) + s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds), + surface_bits_per_pixel(ds), + (s->regs.dp_mix & GMC_ROP3_MASK) >> 16); +- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); +- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); ++ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width); ++ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height); + int bpp = ati_bpp_from_datatype(s); ++ if (!bpp) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n"); ++ return; ++ } + int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch; ++ if (!dst_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n"); ++ return; ++ } + uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? 
+ s->regs.dst_offset : s->regs.default_offset); + +@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s) + switch (s->regs.dp_mix & GMC_ROP3_MASK) { + case ROP3_SRCCOPY: + { +- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? +- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); +- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? +- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); ++ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width); ++ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height); + int src_stride = DEFAULT_CNTL ? + s->regs.src_pitch : s->regs.default_pitch; ++ if (!src_stride) { ++ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n"); ++ return; ++ } + uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ? + s->regs.src_offset : s->regs.default_offset); + +@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_x += s->regs.dst_width; +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? ++ dst_x + s->regs.dst_width : dst_x); ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + case ROP3_PATCOPY: +@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s) + dst_y * surface_stride(ds), + s->regs.dst_height * surface_stride(ds)); + } +- s->regs.dst_y += s->regs.dst_height; ++ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? ++ dst_y + s->regs.dst_height : dst_y); + break; + } + default: +-- +2.26.2 + diff --git a/app-emulation/qemu/qemu-4.2.0-r2.ebuild b/app-emulation/qemu/qemu-4.2.0-r5.ebuild index c23828e7a8d6..b0b4efc874c5 100644 --- a/app-emulation/qemu/qemu-4.2.0-r2.ebuild +++ b/app-emulation/qemu/qemu-4.2.0-r5.ebuild 
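Review bot: The added qemu-4.2.0-ati-vga-crash.patch makes `dst_x`, `dst_y`, `src_x` and `src_y` `unsigned`, so the right-to-left form `s->regs.dst_x + 1 - s->regs.dst_width` can wrap to a very large value, and none of the four inner hunks shows a check that rejects such a result. The new guards cover only a zero `bpp` and zero pitches. Range checks against VRAM presumably sit in the parts of ati_2d_blt() that lie between the hunks, since the function starts and ends outside them. That should be confirmed against the 4.2.0 source before relying on this backport. A line in the patch header next to the bug URL, such as `Relies on the existing VRAM range checks in ati_2d_blt(); verified against 4.2.0`, would record the dependency.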
@@ -3,7 +3,7 @@ EAPI="7" -PYTHON_COMPAT=( python{3_6,3_7} ) +PYTHON_COMPAT=( python{3_6,3_7,3_8} ) PYTHON_REQ_USE="ncurses,readline" PLOCALES="bg de_DE fr_FR hu it tr zh_CN" @@ -24,7 +24,7 @@ if [[ ${PV} = *9999* ]]; then SRC_URI="" else SRC_URI="https://download.qemu.org/${P}.tar.xz - https://dev.gentoo.org/~tamiko/distfiles/${P}-patches-r1.tar.xz" + https://dev.gentoo.org/~tamiko/distfiles/${P}-patches-r2.tar.xz" KEYWORDS="amd64 ~arm64 ~ppc ~ppc64 x86" fi @@ -216,9 +216,7 @@ RDEPEND="${CDEPEND} PATCHES=( "${FILESDIR}"/${PN}-2.5.0-cflags.patch - "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch "${FILESDIR}"/${PN}-2.11.1-capstone_include_path.patch - "${FILESDIR}"/${PN}-4.0.0-sanitize-interp_info.patch "${FILESDIR}"/${PN}-4.0.0-mkdir_systemtap.patch #684902 "${WORKDIR}"/patches ) @@ -374,7 +372,7 @@ src_prepare() { default # Use correct toolchain to fix cross-compiling - tc-export AR LD NM OBJCOPY PKG_CONFIG + tc-export AR LD NM OBJCOPY PKG_CONFIG RANLIB export WINDRES=${CHOST}-windres # Verbose builds @@ -496,6 +494,8 @@ qemu_src_configure() { if [[ ! ${buildtype} == "user" ]] ; then # audio options local audio_opts=( + # Note: backend order matters here: #716202 + # We iterate from higher-level to lower level. $(usex pulseaudio pa "") $(usev sdl) $(usev alsa) @@ -609,8 +609,7 @@ src_test() { if [[ -n ${softmmu_targets} ]]; then cd "${S}/softmmu-build" pax-mark m */qemu-system-* #515550 - emake -j1 check - emake -j1 check-report.html + emake check fi } diff --git a/app-emulation/qemu/qemu-4.2.0-r3.ebuild b/app-emulation/qemu/qemu-4.2.0-r6.ebuild index 83a1b141b2a8..172ce2eba7b5 100644 --- a/app-emulation/qemu/qemu-4.2.0-r3.ebuild +++ b/app-emulation/qemu/qemu-4.2.0-r6.ebuild @@ -3,7 +3,7 @@ EAPI="7" -PYTHON_COMPAT=( python{3_6,3_7} ) +PYTHON_COMPAT=( python{3_6,3_7,3_8} ) PYTHON_REQ_USE="ncurses,readline" PLOCALES="bg de_DE fr_FR hu it tr zh_CN" 
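Review bot: The PATCHES array of qemu-4.2.0-r5.ebuild (hunk `@@ -216,9 +216,7 @@`) does not list `qemu-4.2.0-ati-vga-crash.patch`, although this is the revision that keeps the stable `amd64` and `x86` keywords. The commit adds that patch to FILESDIR and applies it only in r6. Its own description says a malicious guest can trigger the crash, so the stable revision appears to ship without the fix unless it is also inside `${P}-patches-r2.tar.xz`, which the diff does not show. If the split is deliberate, a comment above PATCHES such as `# ati-vga crash fix (#719266) is only in -r6 pending stabilization` would make it visible. Otherwise add `"${FILESDIR}"/${PN}-4.2.0-ati-vga-crash.patch #719266` here as well.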
@@ -24,7 +24,7 @@ if [[ ${PV} = *9999* ]]; then SRC_URI="" else SRC_URI="https://download.qemu.org/${P}.tar.xz - https://dev.gentoo.org/~tamiko/distfiles/${P}-patches-r1.tar.xz" + https://dev.gentoo.org/~tamiko/distfiles/${P}-patches-r2.tar.xz" KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86" fi @@ -216,11 +216,9 @@ RDEPEND="${CDEPEND} PATCHES=( "${FILESDIR}"/${PN}-2.5.0-cflags.patch - "${FILESDIR}"/${PN}-2.5.0-sysmacros.patch "${FILESDIR}"/${PN}-2.11.1-capstone_include_path.patch - "${FILESDIR}"/${PN}-4.0.0-sanitize-interp_info.patch "${FILESDIR}"/${PN}-4.0.0-mkdir_systemtap.patch #684902 - "${FILESDIR}"/${PN}-4.2.0-CVE-2020-11102.patch #716518 + "${FILESDIR}"/${PN}-4.2.0-ati-vga-crash.patch #719266 "${WORKDIR}"/patches ) @@ -375,7 +373,7 @@ src_prepare() { default # Use correct toolchain to fix cross-compiling - tc-export AR LD NM OBJCOPY PKG_CONFIG + tc-export AR LD NM OBJCOPY PKG_CONFIG RANLIB export WINDRES=${CHOST}-windres # Verbose builds @@ -612,8 +610,7 @@ src_test() { if [[ -n ${softmmu_targets} ]]; then cd "${S}/softmmu-build" pax-mark m */qemu-system-* #515550 - emake -j1 check - emake -j1 check-report.html + emake check fi } diff --git a/app-emulation/qemu/qemu-9999.ebuild b/app-emulation/qemu/qemu-9999.ebuild index dac2f00c38e8..b189a315909f 100644 --- a/app-emulation/qemu/qemu-9999.ebuild +++ b/app-emulation/qemu/qemu-9999.ebuild @@ -3,7 +3,7 @@ EAPI="7" -PYTHON_COMPAT=( python{3_6,3_7} ) +PYTHON_COMPAT=( python{3_6,3_7,3_8} ) PYTHON_REQ_USE="ncurses,readline" PLOCALES="bg de_DE fr_FR hu it tr zh_CN" @@ -370,7 +370,7 @@ src_prepare() { default # Use correct toolchain to fix cross-compiling - tc-export AR LD NM OBJCOPY PKG_CONFIG + tc-export AR LD NM OBJCOPY PKG_CONFIG RANLIB export WINDRES=${CHOST}-windres # Verbose builds @@ -606,8 +606,7 @@ src_test() { if [[ -n ${softmmu_targets} ]]; then cd "${S}/softmmu-build" pax-mark m */qemu-system-* #515550 - emake -j1 check - emake -j1 check-report.html + emake check fi } |
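Review bot: Removing `"${FILESDIR}"/${PN}-4.2.0-CVE-2020-11102.patch #716518` from PATCHES in qemu-4.2.0-r6.ebuild (hunk `@@ -216,11 +216,9 @@`) leaves no visible trace of the tulip out-of-bounds fix in this ebuild. It presumably moved into `${P}-patches-r2.tar.xz` together with the sysmacros and sanitize-interp_info patches, but the tarball contents are not part of the diff. Please confirm the r2 tarball carries the fix and keep the bug reference next to it, for example `"${WORKDIR}"/patches # includes CVE-2020-11102, #716518`. Since the fix now arrives only through that download, the Manifest DIST entry for the r2 tarball is what pins its contents and deserves the same check.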