diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2017-06-16 10:19:29 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2017-06-16 10:19:54 +0000 |
| commit | e96a03d924c9b59bb4c163581b1e7c22c0bb9f4c (patch) | |
| tree | 5898b0b9c6c57f0fea4f9e9333abb8e0376e1cfc /main/qemu | |
| parent | e815d52a89e06f5f74a46e2c50e85c39f89abbf0 (diff) | |
| download | aports-e96a03d924c9b59bb4c163581b1e7c22c0bb9f4c.tar.bz2 aports-e96a03d924c9b59bb4c163581b1e7c22c0bb9f4c.tar.xz | |
main/qemu. upgrade to 2.9.0
Diffstat (limited to 'main/qemu')
| -rw-r--r-- | main/qemu/APKBUILD | 31 | ||||
| -rwxr-xr-x | main/qemu/CVE-2016-9102.patch | 34 | ||||
| -rwxr-xr-x | main/qemu/CVE-2017-5525.patch | 52 | ||||
| -rwxr-xr-x | main/qemu/CVE-2017-5552.patch | 41 | ||||
| -rwxr-xr-x | main/qemu/CVE-2017-5578.patch | 35 | ||||
| -rwxr-xr-x | main/qemu/CVE-2017-5579.patch | 40 | ||||
| -rwxr-xr-x | main/qemu/CVE-2017-5856.patch | 64 | ||||
| -rwxr-xr-x | main/qemu/CVE-2017-5857.patch | 38 | ||||
| -rwxr-xr-x | main/qemu/CVE-2017-5898.patch | 35 | ||||
| -rw-r--r-- | main/qemu/fix-sockios-header.patch | 12 |
10 files changed, 21 insertions, 361 deletions
diff --git a/main/qemu/APKBUILD b/main/qemu/APKBUILD index 5b343f66da..c0c1e567b1 100644 --- a/main/qemu/APKBUILD +++ b/main/qemu/APKBUILD @@ -3,8 +3,8 @@ # Contributor: Jakub Jirutka <jakub@jirutka.cz> # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=qemu -pkgver=2.8.1 -pkgrel=1 +pkgver=2.9.0 +pkgrel=0 pkgdesc="QEMU is a generic machine emulator and virtualizer" url="http://qemu.org/" arch="all" @@ -61,7 +61,7 @@ _subsystems=" mipsel mipsn32 mipsn32el - or32 + or1k ppc ppc64 ppc64abi32 @@ -86,7 +86,8 @@ _subsystems=" system-mips64el system-mipsel system-moxie - system-or32 + system-nios2 + system-or1k system-ppc system-ppc64 system-ppcemb @@ -128,18 +129,11 @@ source="http://wiki.qemu-project.org/download/$pkgname-$pkgver.tar.bz2 ncurses.patch ignore-signals-33-and-64-to-allow-golang-emulation.patch 0001-linux-user-fix-build-with-musl-on-ppc64le.patch + fix-sockios-header.patch $pkgname-guest-agent.confd $pkgname-guest-agent.initd 80-kvm.rules bridge.conf - CVE-2016-9102.patch - CVE-2017-5525.patch - CVE-2017-5552.patch - CVE-2017-5578.patch - CVE-2017-5579.patch - CVE-2017-5856.patch - CVE-2017-5857.patch - CVE-2017-5898.patch " # secfixes: @@ -341,7 +335,7 @@ guest() { "$subpkgdir"/etc/conf.d/$pkgname-guest-agent || return 1 } -sha512sums="0397b4029cdcb77ed053c44b3579a3f34894038e6fc6b4aa88de14515f5a78bf2f41c5e865f37111529f567c85d2f1c4deefae47dde54f76eac79410e5b2bdda qemu-2.8.1.tar.bz2 +sha512sums="4b28966eec0ca44681e35fcfb64a4eaef7c280b8d65c91d03f2efa37f76278fd8c1680e5798c7a30dbfcc8f3c05f4a803f48b8a2dfec3a4181bac079b2a5e422 qemu-2.9.0.tar.bz2 405008589cad1c8b609eca004d520bf944366e8525f85a19fc6e283c95b84b6c2429822ba064675823ab69f1406a57377266a65021623d1cd581e7db000134fd 0001-elfload-load-PIE-executables-to-right-address.patch ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606d6dd8f417acba93e1560d9a32ca29161a4bb730b302440ea 0006-linux-user-signal.c-define-__SIGRTMIN-MAX-for-non-GN.patch 4431dad803156d424a6c9fc74783762590b27fcb3bfadb6b23b149bc9e71c31f139991541aa4e0583c17ac531242dff02ebf4d5a8f9a9a77be757fb30cb65565 0001-linux-user-fix-build-with-musl-on-aarch64.patch @@ -351,15 +345,8 @@ ec84b27648c01c6e58781295dcd0c2ff8e5a635f9836ef50c1da5d0ed125db1afc4cb5b01cb97606 b6ed02aaf95a9bb30a5f107d35371207967edca058f3ca11348b0b629ea7a9c4baa618db68a3df72199eea6d86d14ced74a5a229d17604cc3f0adedcfeae7a73 ncurses.patch fd178f2913639a0c33199b3880cb17536961f2b3ff171c12b27f4be6bca032d6b88fd16302d09c692bb34883346babef5c44407a6804b20a39a465bb2bc85136 ignore-signals-33-and-64-to-allow-golang-emulation.patch dd7a4616e22d9d6b04c6d81d95d17af0d638645c1aa306306fb0ed3a12b2de0fdd32d55c8142960cf22d3a705695a95f022b34ae18712678722c53cd163a5a32 0001-linux-user-fix-build-with-musl-on-ppc64le.patch +f0f99dc4f7fb475e3fab0262c0bc2c0dd8f17d77fe096c295fa1fc3e911ce07e1592f49c6ead7489246fecdd3a3f39f89ce05704af7f3fd384ce4f626f3c4601 fix-sockios-header.patch d90c034cae3f9097466854ed1a9f32ab4b02089fcdf7320e8f4da13b2b1ff65067233f48809911485e4431d7ec1a22448b934121bc9522a2dc489009e87e2b1f qemu-guest-agent.confd 316b40d97587fea717821852859d81039cfdcb276a658bb6e6fb554e321d5856a833ebb3778149c4732cea625bac320b1008d374c88a9aae35c0fb67977c01b7 qemu-guest-agent.initd 9b7a89b20fcf737832cb7b4d5dc7d8301dd88169cbe5339eda69fbb51c2e537d8cb9ec7cf37600899e734209e63410d50d0821bce97e401421db39c294d97be2 80-kvm.rules -749efa2e764006555b4fd3a8e2f6d1118ad2ea4d45acf99104a41a93cfe66dc9685f72027c17d8211e5716246c2a52322c962cf4b73b27541b69393cd57f53bb bridge.conf -c605c658f6a15467b9c21fb89995497a24ee8093f1c7eb68e17d89cc106dc7f3473195287ab349e822a5a287b08845f817ac9087bc4a8293707a2b9fa8264683 CVE-2016-9102.patch -a633ffdbd6eb58b1f091553db7944b72f6c5ea412b82f8162b4ece4b3c98aa550246bb8ab865b24468455f92bbb4908d842e03e84b9fb1fb0f1084a4e6097288 CVE-2017-5525.patch -1a17a4c9c5c2bb724735dade20c196bf90f5ab419b0dc5ca3ce771ac68d493d1f831722fe1aac8636f2c22ebecaa4560693aad98a87bd4e45c9fa529a1549546 CVE-2017-5552.patch -5f104e05e904a1392ca31203f02b7b546aeb91f1a438631c8a5f0fb5c6c051b19d8d0219b2c71aadd5d5404222d5dbc8e80127d2afaea6ed2bf918007d613a8a CVE-2017-5578.patch -74415ea5e6f6bfa787a2515da86c3ead87b0a9694d6adbdd390cbb3be43e1c88b4be4a8891f46bc6af520d3d5582c9ebe70572e2bb78d13c29d5ca12695d33ed CVE-2017-5579.patch -2b051f9d9265f9039e2cfed0bbdc93360f1660ea5b4129ec01f6faa3c1b6b135f5c949ddc26fe05a91a95a3ac558e8844ec292558c1dd66552868cbbc6aa8744 CVE-2017-5856.patch -d6d000b57f1fb194f9554165621109b364ebdb61416bc07e2283f2d493c33e770d1b63002d62565aae1ac19ed0ad9e572c207341aa1ad023581f349f62158d30 CVE-2017-5857.patch -80f89d75970345fbf6771cb16ed0d48c91c52b6b63ac967b3dbef56c16b654df432fa7ada0549c1b812d3d641f831fe20cb8b0eb52c46b8e73ade2801a563a8d CVE-2017-5898.patch" +749efa2e764006555b4fd3a8e2f6d1118ad2ea4d45acf99104a41a93cfe66dc9685f72027c17d8211e5716246c2a52322c962cf4b73b27541b69393cd57f53bb bridge.conf" diff --git a/main/qemu/CVE-2016-9102.patch b/main/qemu/CVE-2016-9102.patch deleted file mode 100755 index b6cfa02efe..0000000000 --- a/main/qemu/CVE-2016-9102.patch +++ /dev/null @@ -1,34 +0,0 @@ -From ff55e94d23ae94c8628b0115320157c763eb3e06 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Mon, 17 Oct 2016 14:13:58 +0200 -Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate - -The 'fs.xattr.value' field in V9fsFidState object doesn't consider the -situation that this field has been allocated previously. Every time, it -will be allocated directly. This leads to a host memory leak issue if -the client sends another Txattrcreate message with the same fid number -before the fid from the previous time got clunked. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Greg Kurz <groug@kaod.org> -[groug, updated the changelog to indicate how the leak can occur] -Signed-off-by: Greg Kurz <groug@kaod.org> ---- - hw/9pfs/9p.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c -index bf23b01..66135cf 100644 ---- a/hw/9pfs/9p.c -+++ b/hw/9pfs/9p.c -@@ -3282,6 +3282,7 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque) - xattr_fidp->fs.xattr.flags = flags; - v9fs_string_init(&xattr_fidp->fs.xattr.name); - v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name); -+ g_free(xattr_fidp->fs.xattr.value); - xattr_fidp->fs.xattr.value = g_malloc0(size); - err = offset; - put_fid(pdu, file_fidp); --- -1.8.3.1 - diff --git a/main/qemu/CVE-2017-5525.patch b/main/qemu/CVE-2017-5525.patch deleted file mode 100755 index 00be7417a9..0000000000 --- a/main/qemu/CVE-2017-5525.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 14 Dec 2016 18:30:21 -0800 -Subject: [PATCH] audio: ac97: add exit function -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -Currently the ac97 device emulation doesn't have a exit function, -hot unplug this device will leak some memory. Add a exit function to -avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/audio/ac97.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c -index cbd959e..c306575 100644 ---- a/hw/audio/ac97.c -+++ b/hw/audio/ac97.c -@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp) - ac97_on_reset (&s->dev.qdev); - } - -+static void ac97_exit(PCIDevice *dev) -+{ -+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev); -+ -+ AUD_close_in(&s->card, s->voice_pi); -+ AUD_close_out(&s->card, s->voice_po); -+ AUD_close_in(&s->card, s->voice_mc); -+ AUD_remove_card(&s->card); -+} -+ - static int ac97_init (PCIBus *bus) - { - pci_create_simple (bus, -1, "AC97"); -@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data) - PCIDeviceClass *k = PCI_DEVICE_CLASS (klass); - - k->realize = ac97_realize; -+ k->exit = ac97_exit; - k->vendor_id = PCI_VENDOR_ID_INTEL; - k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5; - k->revision = 0x01; --- -1.8.3.1 - diff --git a/main/qemu/CVE-2017-5552.patch b/main/qemu/CVE-2017-5552.patch deleted file mode 100755 index b6b12ec55d..0000000000 --- a/main/qemu/CVE-2017-5552.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Thu, 29 Dec 2016 03:11:26 -0500 -Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -If the virgl_renderer_resource_attach_iov function fails the -'res_iovs' will be leaked. Add check of the return value to -free the 'res_iovs' when failing. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> -Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/virtio-gpu-3d.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index e29f099..b13ced3 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g, - return; - } - -- virgl_renderer_resource_attach_iov(att_rb.resource_id, -- res_iovs, att_rb.nr_entries); -+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id, -+ res_iovs, att_rb.nr_entries); -+ -+ if (ret != 0) -+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries); - } - - static void virgl_resource_detach_backing(VirtIOGPU *g, --- -1.8.3.1 - diff --git a/main/qemu/CVE-2017-5578.patch b/main/qemu/CVE-2017-5578.patch deleted file mode 100755 index 22e778e4ba..0000000000 --- a/main/qemu/CVE-2017-5578.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001 -From: Li Qiang <liq3ea@gmail.com> -Date: Thu, 29 Dec 2016 04:28:41 -0500 -Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing - -In the resource attach backing function, everytime it will -allocate 'res->iov' thus can leading a memory leak. This -patch avoid this. - -Signed-off-by: Li Qiang <liq3ea@gmail.com> -Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/display/virtio-gpu.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c -index 6a26258..ca88cf4 100644 ---- a/hw/display/virtio-gpu.c -+++ b/hw/display/virtio-gpu.c -@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g, - return; - } - -+ if (res->iov) { -+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; -+ return; -+ } -+ - ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov); - if (ret != 0) { - cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC; --- -1.8.3.1 - diff --git a/main/qemu/CVE-2017-5579.patch b/main/qemu/CVE-2017-5579.patch deleted file mode 100755 index 120e88d72c..0000000000 --- a/main/qemu/CVE-2017-5579.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001 -From: Li Qiang <liqiang6-s@360.cn> -Date: Wed, 4 Jan 2017 00:43:16 -0800 -Subject: [PATCH] serial: fix memory leak in serial exit - -The serial_exit_core function doesn't free some resources. -This can lead memory leak when hotplug and unplug. This -patch avoid this. - -Signed-off-by: Li Qiang <liqiang6-s@360.cn> -Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/char/serial.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/hw/char/serial.c b/hw/char/serial.c -index ffbacd8..67b18ed 100644 ---- a/hw/char/serial.c -+++ b/hw/char/serial.c -@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp) - void serial_exit_core(SerialState *s) - { - qemu_chr_fe_deinit(&s->chr); -+ -+ timer_del(s->modem_status_poll); -+ timer_free(s->modem_status_poll); -+ -+ timer_del(s->fifo_timeout_timer); -+ timer_free(s->fifo_timeout_timer); -+ -+ fifo8_destroy(&s->recv_fifo); -+ fifo8_destroy(&s->xmit_fifo); -+ - qemu_unregister_reset(serial_reset, s); - } - --- -1.8.3.1 - diff --git a/main/qemu/CVE-2017-5856.patch b/main/qemu/CVE-2017-5856.patch deleted file mode 100755 index 967ce7e088..0000000000 --- a/main/qemu/CVE-2017-5856.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini <pbonzini@redhat.com> -Date: Mon, 2 Jan 2017 11:03:33 +0100 -Subject: [PATCH] megasas: fix guest-triggered memory leak - -If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd -will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory. -Avoid this by returning only the status from map_dcmd, and loading -cmd->iov_size in the caller. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/scsi/megasas.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index 67fc1e7..6233865 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd) - trace_megasas_dcmd_invalid_sge(cmd->index, - cmd->frame->header.sge_count); - cmd->iov_size = 0; -- return -1; -+ return -EINVAL; - } - iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl); - iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl); - pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1); - qemu_sglist_add(&cmd->qsg, iov_pa, iov_size); - cmd->iov_size = iov_size; -- return cmd->iov_size; -+ return 0; - } - - static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size) -@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t { - - static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd) - { -- int opcode, len; -+ int opcode; - int retval = 0; -+ size_t len; - const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl; - - opcode = le32_to_cpu(cmd->frame->dcmd.opcode); - trace_megasas_handle_dcmd(cmd->index, opcode); -- len = megasas_map_dcmd(s, cmd); -- if (len < 0) { -+ if (megasas_map_dcmd(s, cmd) < 0) { - return MFI_STAT_MEMORY_NOT_AVAILABLE; - } - while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) { - cmdptr++; - } -+ len = cmd->iov_size; - if (cmdptr->opcode == -1) { - trace_megasas_dcmd_unhandled(cmd->index, opcode, len); - retval = megasas_dcmd_dummy(s, cmd); --- -1.8.3.1 - diff --git a/main/qemu/CVE-2017-5857.patch b/main/qemu/CVE-2017-5857.patch deleted file mode 100755 index 664a669ffa..0000000000 --- a/main/qemu/CVE-2017-5857.patch +++ /dev/null @@ -1,38 +0,0 @@ -When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the -backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING) -we'll leak memory. - -This patch fixes it for 3d mode, simliar to the 2d mode fix in commit -"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy". - -Reported-by: 李强 <address@hidden> -Signed-off-by: Gerd Hoffmann <address@hidden> ---- - hw/display/virtio-gpu-3d.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c -index f96a0c2..ecb09d1 100644 ---- a/hw/display/virtio-gpu-3d.c -+++ b/hw/display/virtio-gpu-3d.c -@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g, - struct virtio_gpu_ctrl_command *cmd) - { - struct virtio_gpu_resource_unref unref; -+ struct iovec *res_iovs = NULL; -+ int num_iovs = 0; - - VIRTIO_GPU_FILL_CMD(unref); - trace_virtio_gpu_cmd_res_unref(unref.resource_id); - -+ virgl_renderer_resource_detach_iov(unref.resource_id, -+ &res_iovs, -+ &num_iovs); -+ if (res_iovs != NULL && num_iovs != 0) { -+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs); -+ } - virgl_renderer_resource_unref(unref.resource_id); - } - --- -1.8.3.1 diff --git a/main/qemu/CVE-2017-5898.patch b/main/qemu/CVE-2017-5898.patch deleted file mode 100755 index 67bd4d65b3..0000000000 --- a/main/qemu/CVE-2017-5898.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Fri, 3 Feb 2017 00:52:28 +0530 -Subject: [PATCH] usb: ccid: check ccid apdu length - -CCID device emulator uses Application Protocol Data Units(APDU) -to exchange command and responses to and from the host. -The length in these units couldn't be greater than 65536. Add -check to ensure the same. It'd also avoid potential integer -overflow in emulated_apdu_from_guest. - -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Message-id: 20170202192228.10847-1-ppandit@redhat.com -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - hw/usb/dev-smartcard-reader.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c -index 89e11b6..1325ea1 100644 ---- a/hw/usb/dev-smartcard-reader.c -+++ b/hw/usb/dev-smartcard-reader.c -@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv) - DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__, - recv->hdr.bSeq, len); - ccid_add_pending_answer(s, (CCID_Header *)recv); -- if (s->card) { -+ if (s->card && len <= BULK_OUT_DATA_SIZE) { - ccid_card_apdu_from_guest(s->card, recv->abData, len); - } else { - DPRINTF(s, D_WARN, "warning: discarded apdu\n"); --- -1.8.3.1 - diff --git a/main/qemu/fix-sockios-header.patch b/main/qemu/fix-sockios-header.patch new file mode 100644 index 0000000000..e74b7190d4 --- /dev/null +++ b/main/qemu/fix-sockios-header.patch @@ -0,0 +1,12 @@ +diff --git a/linux-user/syscall.c b/linux-user/syscall.c +index 43d0562..afa0ac4 100644 +--- a/linux-user/syscall.c ++++ b/linux-user/syscall.c +@@ -59,6 +59,7 @@ int __clone2(int (*fn)(void *), void *child_stack_base, + #include <linux/icmp.h> + #include <linux/icmpv6.h> + #include <linux/errqueue.h> ++#include <linux/sockios.h> + #include "qemu-common.h" + #ifdef CONFIG_TIMERFD + #include <sys/timerfd.h> |