Diffstat (limited to 'poky/meta/recipes-devtools/qemu')
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu-native.inc5
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb (renamed from poky/meta/recipes-devtools/qemu/qemu-native_4.2.0.bb)0
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb (renamed from poky/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb)2
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu.inc36
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch20
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch18
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch26
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch18
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch10
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch10
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch18
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch56
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch10
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch10
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch86
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch14
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch54
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch86
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch74
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch48
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch148
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch97
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch64
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch44
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch59
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch64
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch46
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/find_datadir.patch39
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch89
-rw-r--r--poky/meta/recipes-devtools/qemu/qemu_5.1.0.bb (renamed from poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb)4
30 files changed, 303 insertions, 952 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu-native.inc b/poky/meta/recipes-devtools/qemu/qemu-native.inc
index 28cfd2cca..aa5c9b9a7 100644
--- a/poky/meta/recipes-devtools/qemu/qemu-native.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu-native.inc
@@ -2,11 +2,6 @@ inherit native
require qemu.inc
-SRC_URI_append = " \
- file://0012-fix-libcap-header-issue-on-some-distro.patch \
- file://0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch \
- "
-
EXTRA_OEMAKE_append = " LD='${LD}' AR='${AR}' OBJCOPY='${OBJCOPY}' LDFLAGS='${LDFLAGS}'"
LDFLAGS_append = " -fuse-ld=bfd"
diff --git a/poky/meta/recipes-devtools/qemu/qemu-native_4.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb
index c8acff8e1..c8acff8e1 100644
--- a/poky/meta/recipes-devtools/qemu/qemu-native_4.2.0.bb
+++ b/poky/meta/recipes-devtools/qemu/qemu-native_5.1.0.bb
diff --git a/poky/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb
index 7394385d3..222b55cbc 100644
--- a/poky/meta/recipes-devtools/qemu/qemu-system-native_4.2.0.bb
+++ b/poky/meta/recipes-devtools/qemu/qemu-system-native_5.1.0.bb
@@ -10,7 +10,7 @@ DEPENDS = "glib-2.0-native zlib-native pixman-native qemu-native bison-native"
EXTRA_OECONF_append = " --target-list=${@get_qemu_system_target_list(d)}"
PACKAGECONFIG ??= "fdt alsa kvm \
- ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '' ,d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
"
# Handle distros such as CentOS 5 32-bit that do not have kvm support
diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc
index 126e7d442..bbb903896 100644
--- a/poky/meta/recipes-devtools/qemu/qemu.inc
+++ b/poky/meta/recipes-devtools/qemu/qemu.inc
@@ -27,26 +27,22 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch \
file://0009-Fix-webkitgtk-builds.patch \
file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \
- file://0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch \
- file://CVE-2019-15890.patch \
- file://CVE-2020-1711.patch \
- file://CVE-2020-7039-1.patch \
- file://CVE-2020-7039-2.patch \
- file://CVE-2020-7039-3.patch \
file://0001-Add-enable-disable-udev.patch \
- file://CVE-2020-7211.patch \
- file://0001-qemu-Do-not-include-file-if-not-exists.patch \
- file://CVE-2020-11102.patch \
- file://CVE-2020-11869.patch \
- "
+ file://0001-qemu-Do-not-include-file-if-not-exists.patch \
+ file://find_datadir.patch \
+ file://usb-fix-setup_len-init.patch \
+ "
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
-SRC_URI[md5sum] = "278eeb294e4b497e79af7a57e660cb9a"
-SRC_URI[sha256sum] = "d3481d4108ce211a053ef15be69af1bdd9dde1510fda80d92be0f6c3e98768f0"
+SRC_URI[sha256sum] = "c9174eb5933d9eb5e61f541cd6d1184cd3118dfe4c5c4955bc1bdc4d390fa4e5"
COMPATIBLE_HOST_mipsarchn32 = "null"
COMPATIBLE_HOST_mipsarchn64 = "null"
+# Per https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg03873.html
+# upstream states qemu doesn't work without optimization
+DEBUG_BUILD = "0"
+
do_install_append() {
# Prevent QA warnings about installed ${localstatedir}/run
if [ -d ${D}${localstatedir}/run ]; then rmdir ${D}${localstatedir}/run; fi
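Review bot: The `SRC_URI` change drops every CVE-tagged backport (`CVE-2019-15890`, `CVE-2020-1711`, `CVE-2020-7039-1` to `-3`, `CVE-2020-7211`, `CVE-2020-11102`, `CVE-2020-11869`) in the same step as the version bump, and nothing visible on this page records that each fix is contained in the 5.1.0 tarball. Stating that in the commit message, after checking each one against the new source, would save a later audit from redoing the comparison. The newly added `usb-fix-setup_len-init.patch` reads like a device-emulation fix, though its body is not in this hunk, so that is inferred from the name only. If it addresses a CVE, its header should carry a `CVE:` tag so the layer's CVE tracking picks it up. Dropping `SRC_URI[md5sum]` while keeping `SRC_URI[sha256sum]` is fine.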
@@ -66,6 +62,7 @@ do_install_ptest() {
-e '$ {/endif/d}' ${D}${PTEST_PATH}/tests/Makefile.include
sed -i -e 's,${HOSTTOOLS_DIR}/python3,${bindir}/python3,' \
${D}/${PTEST_PATH}/tests/qemu-iotests/common.env
+ sed -i -e "1s,#!/usr/bin/bash,#!${base_bindir}/bash," ${D}${PTEST_PATH}/tests/data/acpi/disassemle-aml.sh
}
# QEMU_TARGETS is overridable variable
@@ -86,6 +83,7 @@ EXTRA_OECONF = " \
--disable-strip \
--disable-werror \
--extra-cflags='${CFLAGS}' \
+ --extra-ldflags='${LDFLAGS}' \
--with-git=/bin/false \
--disable-git-update \
${PACKAGECONFIG_CONFARGS} \
@@ -145,7 +143,7 @@ PACKAGECONFIG_remove_darwin = "kvm virglrenderer glx gtk+"
PACKAGECONFIG_remove_mingw32 = "kvm virglrenderer glx gtk+"
PACKAGECONFIG[sdl] = "--enable-sdl,--disable-sdl,libsdl2"
-PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr,--disable-virtfs,libcap attr,"
+PACKAGECONFIG[virtfs] = "--enable-virtfs --enable-attr --enable-cap-ng,--disable-virtfs,libcap-ng attr,"
PACKAGECONFIG[aio] = "--enable-linux-aio,--disable-linux-aio,libaio,"
PACKAGECONFIG[xfs] = "--enable-xfsctl,--disable-xfsctl,xfsprogs,"
PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
@@ -164,12 +162,11 @@ PACKAGECONFIG[nettle] = "--enable-nettle,--disable-nettle,nettle"
PACKAGECONFIG[libusb] = "--enable-libusb,--disable-libusb,libusb1"
PACKAGECONFIG[fdt] = "--enable-fdt,--disable-fdt,dtc"
PACKAGECONFIG[alsa] = "--audio-drv-list='oss alsa',,alsa-lib"
-PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,mesa"
+PACKAGECONFIG[glx] = "--enable-opengl,--disable-opengl,virtual/libgl"
PACKAGECONFIG[lzo] = "--enable-lzo,--disable-lzo,lzo"
PACKAGECONFIG[numa] = "--enable-numa,--disable-numa,numactl"
PACKAGECONFIG[gnutls] = "--enable-gnutls,--disable-gnutls,gnutls"
PACKAGECONFIG[bzip2] = "--enable-bzip2,--disable-bzip2,bzip2"
-PACKAGECONFIG[bluez] = "--enable-bluez,--disable-bluez,bluez5"
PACKAGECONFIG[libiscsi] = "--enable-libiscsi,--disable-libiscsi"
PACKAGECONFIG[kvm] = "--enable-kvm,--disable-kvm"
PACKAGECONFIG[virglrenderer] = "--enable-virglrenderer,--disable-virglrenderer,virglrenderer"
@@ -178,10 +175,15 @@ PACKAGECONFIG[spice] = "--enable-spice,--disable-spice,spice"
# usbredir will be in meta-networking layer
PACKAGECONFIG[usb-redir] = "--enable-usb-redir,--disable-usb-redir,usbredir"
PACKAGECONFIG[snappy] = "--enable-snappy,--disable-snappy,snappy"
-PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs"
+PACKAGECONFIG[glusterfs] = "--enable-glusterfs,--disable-glusterfs,glusterfs"
PACKAGECONFIG[xkbcommon] = "--enable-xkbcommon,--disable-xkbcommon,libxkbcommon"
PACKAGECONFIG[libudev] = "--enable-libudev,--disable-libudev,eudev"
PACKAGECONFIG[libxml2] = "--enable-libxml2,--disable-libxml2,libxml2"
+PACKAGECONFIG[attr] = "--enable-attr,--disable-attr,attr,"
+PACKAGECONFIG[rbd] = "--enable-rbd,--disable-rbd,ceph,ceph"
+PACKAGECONFIG[vhost] = "--enable-vhost-net,--disable-vhost-net,,"
+PACKAGECONFIG[ust] = "--enable-trace-backend=ust,--enable-trace-backend=nop,lttng-ust,"
+PACKAGECONFIG[pie] = "--enable-pie,--disable-pie,,"
INSANE_SKIP_${PN} = "arch"
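Review bot: `PACKAGECONFIG[pie]` makes the recipe pass `--disable-pie` whenever `pie` is not selected, and the only default list visible on this page (`fdt alsa kvm` plus the opengl options in qemu-system-native) does not select it. Unless a default elsewhere adds `pie`, the binaries are therefore built non-PIE by explicit request; consider an empty disable field, `PACKAGECONFIG[pie] = "--enable-pie,,,"`, or adding `pie` to the default `PACKAGECONFIG`. Separately, the new `PACKAGECONFIG[attr]` overlaps with `PACKAGECONFIG[virtfs]` in the earlier hunk, which already passes `--enable-attr`. With `virtfs` on and `attr` off, configure receives both `--enable-attr` and `--disable-attr`, and the outcome depends on argument order. Dropping `--enable-attr` from the `virtfs` entry and documenting that `virtfs` needs `attr` would remove the ambiguity.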
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
index c2c5849d6..1304ee3bf 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
@@ -1,21 +1,24 @@
-From a471cf4e4c73350e090eb2cd87ec959d138012e5 Mon Sep 17 00:00:00 2001
+From b921e5204030845dc7c9d16d5f66d965e8d05367 Mon Sep 17 00:00:00 2001
From: Jeremy Puhlman <jpuhlman@mvista.com>
Date: Thu, 19 Mar 2020 11:54:26 -0700
Subject: [PATCH] Add enable/disable libudev
Upstream-Status: Pending
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
configure | 4 ++++
1 file changed, 4 insertions(+)
-diff --git a/configure b/configure
-index cac271c..bd116eb 100755
---- a/configure
-+++ b/configure
-@@ -1539,6 +1539,10 @@ for opt do
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -1640,6 +1640,10 @@ for opt do
;;
- --disable-plugins) plugins="no"
+ --disable-libdaxctl) libdaxctl=no
;;
+ --enable-libudev) libudev="yes"
+ ;;
@@ -24,6 +27,3 @@ index cac271c..bd116eb 100755
*)
echo "ERROR: unknown option $opt"
echo "Try '$0 --help' for more information"
---
-1.8.3.1
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
index 66ff99650..46c9da08a 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -1,4 +1,4 @@
-From 526cb7e26f6dd96c9ee2ffa05ce0a358d3bfbfb3 Mon Sep 17 00:00:00 2001
+From 883feb43129dc39b491e492c7ccfe89aefe53c44 Mon Sep 17 00:00:00 2001
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Thu, 27 Nov 2014 14:04:29 +0000
Subject: [PATCH] qemu: Add missing wacom HID descriptor
@@ -14,15 +14,17 @@ Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Upstream-Status: Submitted
2014/11/27
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
hw/usb/dev-wacom.c | 94 +++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 93 insertions(+), 1 deletion(-)
-diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
-index 8ed57b3b..1502928b 100644
---- a/hw/usb/dev-wacom.c
-+++ b/hw/usb/dev-wacom.c
-@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings = {
+Index: qemu-5.1.0/hw/usb/dev-wacom.c
+===================================================================
+--- qemu-5.1.0.orig/hw/usb/dev-wacom.c
++++ qemu-5.1.0/hw/usb/dev-wacom.c
+@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings
[STR_SERIALNUMBER] = "1",
};
@@ -112,7 +114,7 @@ index 8ed57b3b..1502928b 100644
static const USBDescIface desc_iface_wacom = {
.bInterfaceNumber = 0,
.bNumEndpoints = 1,
-@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wacom = {
+@@ -91,7 +174,7 @@ static const USBDescIface desc_iface_wac
0x00, /* u8 country_code */
0x01, /* u8 num_descriptors */
0x22, /* u8 type: Report */
@@ -121,7 +123,7 @@ index 8ed57b3b..1502928b 100644
},
},
},
-@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USBDevice *dev, USBPacket *p,
+@@ -271,6 +354,15 @@ static void usb_wacom_handle_control(USB
}
switch (request) {
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
index eccac0509..d6c0f9ebe 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
@@ -1,4 +1,4 @@
-From 98c2da129db19ee63d7e21b77a0ef70822c95069 Mon Sep 17 00:00:00 2001
+From 34247f83095f8cdcdc1f9d7f0c6ffbd46b25d979 Mon Sep 17 00:00:00 2001
From: Oleksiy Obitotskyy <oobitots@cisco.com>
Date: Wed, 25 Mar 2020 21:21:35 +0200
Subject: [PATCH] qemu: Do not include file if not exists
@@ -6,26 +6,26 @@ Subject: [PATCH] qemu: Do not include file if not exists
Script configure checks for if_alg.h and check failed but
if_alg.h still included.
-Upstream-status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]
+Upstream-Status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]
Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
linux-user/syscall.c | 2 ++
1 file changed, 2 insertions(+)
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index fc18f244..68d62666 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -106,7 +106,9 @@
+Index: qemu-5.1.0/linux-user/syscall.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/syscall.c
++++ qemu-5.1.0/linux-user/syscall.c
+@@ -109,7 +109,9 @@
#include <linux/blkpg.h>
#include <netpacket/packet.h>
#include <linux/netlink.h>
+#if defined(CONFIG_AF_ALG)
#include <linux/if_alg.h>
+#endif
- #include "linux_loop.h"
- #include "uname.h"
-
---
-2.20.1
-
+ #include <linux/rtc.h>
+ #include <sound/asound.h>
+ #ifdef HAVE_DRM_H
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
index 7f7da5100..f379948f1 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -1,4 +1,4 @@
-From 8ee6281516bd9210e75e91d705da8916bab3bf51 Mon Sep 17 00:00:00 2001
+From 5da6cef7761157a003e7ebde74fb3cf90ab396d9 Mon Sep 17 00:00:00 2001
From: Juro Bystricky <juro.bystricky@intel.com>
Date: Thu, 31 Aug 2017 11:06:56 -0700
Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
@@ -10,17 +10,19 @@ Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Juro Bystricky <juro.bystricky@intel.com>
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
tests/Makefile.include | 8 ++++++++
1 file changed, 8 insertions(+)
-diff --git a/tests/Makefile.include b/tests/Makefile.include
-index 8566f5f1..52d0320b 100644
---- a/tests/Makefile.include
-+++ b/tests/Makefile.include
-@@ -1210,4 +1210,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
- -include $(wildcard tests/*.d)
- -include $(wildcard tests/libqos/*.d)
+Index: qemu-5.1.0/tests/Makefile.include
+===================================================================
+--- qemu-5.1.0.orig/tests/Makefile.include
++++ qemu-5.1.0/tests/Makefile.include
+@@ -982,4 +982,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+ -include $(wildcard tests/qtest/*.d)
+ -include $(wildcard tests/qtest/libqos/*.d)
+buildtest-TESTS: $(check-unit-y)
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
index 012d60d8f..33cef4221 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -15,13 +15,13 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
---
- hw/mips/mips_malta.c | 2 +-
+ hw/mips/malta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
-index 92e9ca5b..3a7f3954 100644
---- a/hw/mips/mips_malta.c
-+++ b/hw/mips/mips_malta.c
+Index: qemu-5.1.0/hw/mips/malta.c
+===================================================================
+--- qemu-5.1.0.orig/hw/mips/malta.c
++++ qemu-5.1.0/hw/mips/malta.c
@@ -59,7 +59,7 @@
#define ENVP_ADDR 0x80002000l
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
index bc30397e8..71f537f9b 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
@@ -12,11 +12,11 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
configure | 9 ---------
1 file changed, 9 deletions(-)
-diff --git a/configure b/configure
-index 6099be1d..a766017b 100755
---- a/configure
-+++ b/configure
-@@ -5390,15 +5390,6 @@ fi
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -5751,15 +5751,6 @@ fi
# check if we have valgrind/valgrind.h
valgrind_h=no
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
index ec303371b..02ebbee1a 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -1,22 +1,24 @@
-From 6cdf82af2eba312b9b8da86dda28b98d3d51f4d4 Mon Sep 17 00:00:00 2001
+From 230fe5804099bdca0c9e4cae7280c9fc513cb7f5 Mon Sep 17 00:00:00 2001
From: Stephen Arnold <sarnold@vctlabs.com>
Date: Sun, 12 Jun 2016 18:09:56 -0700
Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
Upstream-Status: Pending
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
configure | 4 ----
1 file changed, 4 deletions(-)
-diff --git a/configure b/configure
-index a766017b..72f11aca 100755
---- a/configure
-+++ b/configure
-@@ -6085,10 +6085,6 @@ write_c_skeleton
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -6515,10 +6515,6 @@ write_c_skeleton
if test "$gcov" = "yes" ; then
- CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
- LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
+ QEMU_CFLAGS="-fprofile-arcs -ftest-coverage -g $QEMU_CFLAGS"
+ QEMU_LDFLAGS="-fprofile-arcs -ftest-coverage $QEMU_LDFLAGS"
-elif test "$fortify_source" = "yes" ; then
- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
-elif test "$debug" = "no"; then
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
index 0810ae84c..98fd5e913 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
@@ -51,11 +51,11 @@ Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
qapi/char.json | 5 +++
3 files changed, 109 insertions(+)
-diff --git a/chardev/char-socket.c b/chardev/char-socket.c
-index 185fe38d..54fa4234 100644
---- a/chardev/char-socket.c
-+++ b/chardev/char-socket.c
-@@ -1288,6 +1288,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock,
+Index: qemu-5.1.0/chardev/char-socket.c
+===================================================================
+--- qemu-5.1.0.orig/chardev/char-socket.c
++++ qemu-5.1.0/chardev/char-socket.c
+@@ -1292,6 +1292,67 @@ static bool qmp_chardev_validate_socket(
return true;
}
@@ -123,7 +123,7 @@ index 185fe38d..54fa4234 100644
static void qmp_chardev_open_socket(Chardev *chr,
ChardevBackend *backend,
-@@ -1296,6 +1357,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
+@@ -1300,6 +1361,9 @@ static void qmp_chardev_open_socket(Char
{
SocketChardev *s = SOCKET_CHARDEV(chr);
ChardevSocket *sock = backend->u.socket.data;
@@ -133,7 +133,7 @@ index 185fe38d..54fa4234 100644
bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
bool is_listen = sock->has_server ? sock->server : true;
bool is_telnet = sock->has_telnet ? sock->telnet : false;
-@@ -1361,6 +1425,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
+@@ -1365,6 +1429,14 @@ static void qmp_chardev_open_socket(Char
update_disconnected_filename(s);
@@ -148,13 +148,15 @@ index 185fe38d..54fa4234 100644
if (s->is_listen) {
if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
is_waitconnect, errp) < 0) {
-@@ -1380,9 +1452,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+@@ -1384,11 +1456,27 @@ static void qemu_chr_parse_socket(QemuOp
const char *host = qemu_opt_get(opts, "host");
const char *port = qemu_opt_get(opts, "port");
const char *fd = qemu_opt_get(opts, "fd");
+#ifndef _WIN32
+ const char *cmd = qemu_opt_get(opts, "cmd");
+#endif
+ bool tight = qemu_opt_get_bool(opts, "tight", true);
+ bool abstract = qemu_opt_get_bool(opts, "abstract", false);
SocketAddressLegacy *addr;
ChardevSocket *sock;
@@ -171,19 +173,19 @@ index 185fe38d..54fa4234 100644
+ }
+ } else
+#endif
-+
if ((!!path + !!fd + !!host) != 1) {
error_setg(errp,
"Exactly one of 'path', 'fd' or 'host' required");
-@@ -1425,12 +1514,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+@@ -1431,12 +1519,24 @@ static void qemu_chr_parse_socket(QemuOp
sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
+- addr = g_new0(SocketAddressLegacy, 1);
+#ifndef _WIN32
+ sock->cmd = g_strdup(cmd);
+#endif
+
- addr = g_new0(SocketAddressLegacy, 1);
++ addr = g_new0(SocketAddressLegacy, 1);
+#ifndef _WIN32
+ if (path || cmd) {
+#else
@@ -197,28 +199,28 @@ index 185fe38d..54fa4234 100644
+#else
q_unix->path = g_strdup(path);
+#endif
+ q_unix->tight = tight;
+ q_unix->abstract = abstract;
} else if (host) {
- addr->type = SOCKET_ADDRESS_LEGACY_KIND_INET;
- addr->u.inet.data = g_new(InetSocketAddress, 1);
-diff --git a/chardev/char.c b/chardev/char.c
-index 7b6b2cb1..0c2ca64b 100644
---- a/chardev/char.c
-+++ b/chardev/char.c
-@@ -837,6 +837,9 @@ QemuOptsList qemu_chardev_opts = {
- },{
+Index: qemu-5.1.0/chardev/char.c
+===================================================================
+--- qemu-5.1.0.orig/chardev/char.c
++++ qemu-5.1.0/chardev/char.c
+@@ -826,6 +826,9 @@ QemuOptsList qemu_chardev_opts = {
.name = "path",
.type = QEMU_OPT_STRING,
-+ },{
+ },{
+ .name = "cmd",
+ .type = QEMU_OPT_STRING,
- },{
++ },{
.name = "host",
.type = QEMU_OPT_STRING,
-diff --git a/qapi/char.json b/qapi/char.json
-index a6e81ac7..517962c6 100644
---- a/qapi/char.json
-+++ b/qapi/char.json
-@@ -247,6 +247,10 @@
+ },{
+Index: qemu-5.1.0/qapi/char.json
+===================================================================
+--- qemu-5.1.0.orig/qapi/char.json
++++ qemu-5.1.0/qapi/char.json
+@@ -250,6 +250,10 @@
#
# @addr: socket address to listen on (server=true)
# or connect to (server=false)
@@ -229,7 +231,7 @@ index a6e81ac7..517962c6 100644
# @tls-creds: the ID of the TLS credentials object (since 2.6)
# @tls-authz: the ID of the QAuthZ authorization object against which
# the client's x509 distinguished name will be validated. This
-@@ -272,6 +276,7 @@
+@@ -276,6 +280,7 @@
##
{ 'struct': 'ChardevSocket',
'data': { 'addr': 'SocketAddressLegacy',
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
index 89baad9b7..034ac5782 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
@@ -29,11 +29,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
hw/intc/apic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/intc/apic.c b/hw/intc/apic.c
-index 2a74f7b4..4d5da365 100644
---- a/hw/intc/apic.c
-+++ b/hw/intc/apic.c
-@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev)
+Index: qemu-5.1.0/hw/intc/apic.c
+===================================================================
+--- qemu-5.1.0.orig/hw/intc/apic.c
++++ qemu-5.1.0/hw/intc/apic.c
+@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *de
APICCommonState *s = APIC(dev);
uint32_t lvt0;
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
index 30bb4ddf2..d20f04ee5 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -18,11 +18,11 @@ Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
linux-user/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/linux-user/main.c b/linux-user/main.c
-index 6ff7851e..ebff0485 100644
---- a/linux-user/main.c
-+++ b/linux-user/main.c
-@@ -78,7 +78,7 @@ int have_guest_base;
+Index: qemu-5.1.0/linux-user/main.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/main.c
++++ qemu-5.1.0/linux-user/main.c
+@@ -92,7 +92,7 @@ static int last_log_mask;
(TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
/* There are a number of places where we assign reserved_va to a variable
of type abi_ulong and expect it to fit. Avoid the last page. */
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
index 7e273eece..f2a44986b 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
@@ -1,4 +1,4 @@
-From 613166007e3b852c99caf2cd34a972e2c8460737 Mon Sep 17 00:00:00 2001
+From 815c97ba0de02da9dace3fcfcbdf9b20e029f0d7 Mon Sep 17 00:00:00 2001
From: Martin Jansa <martin.jansa@lge.com>
Date: Fri, 1 Jun 2018 08:41:07 +0000
Subject: [PATCH] Fix webkitgtk builds
@@ -19,6 +19,8 @@ This reverts commit ebf9a3630c911d0cfc9c20f7cafe9ba4f88cf583.
Upstream-Status: Pending
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+[update patch context]
+Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
---
include/exec/cpu-all.h | 6 +-----
include/exec/cpu_ldst.h | 5 ++++-
@@ -26,29 +28,29 @@ Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
linux-user/syscall.c | 5 +----
4 files changed, 10 insertions(+), 23 deletions(-)
-diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
-index e96781a4..a369f81a 100644
---- a/include/exec/cpu-all.h
-+++ b/include/exec/cpu-all.h
-@@ -162,12 +162,8 @@ extern unsigned long guest_base;
- extern int have_guest_base;
- extern unsigned long reserved_va;
-
--#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
--#define GUEST_ADDR_MAX (~0ul)
--#else
--#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : \
+Index: qemu-5.1.0/include/exec/cpu-all.h
+===================================================================
+--- qemu-5.1.0.orig/include/exec/cpu-all.h
++++ qemu-5.1.0/include/exec/cpu-all.h
+@@ -176,11 +176,8 @@ extern unsigned long reserved_va;
+ * avoid setting bits at the top of guest addresses that might need
+ * to be used for tags.
+ */
+-#define GUEST_ADDR_MAX_ \
+- ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ? \
+- UINT32_MAX : ~0ul)
+-#define GUEST_ADDR_MAX (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)
+-
+#define GUEST_ADDR_MAX (reserved_va ? reserved_va : \
- (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
--#endif
++ (1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
#else
#include "exec/hwaddr.h"
-diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
-index fd499f7e..30575f60 100644
---- a/include/exec/cpu_ldst.h
-+++ b/include/exec/cpu_ldst.h
-@@ -65,7 +65,10 @@ typedef uint64_t abi_ptr;
+Index: qemu-5.1.0/include/exec/cpu_ldst.h
+===================================================================
+--- qemu-5.1.0.orig/include/exec/cpu_ldst.h
++++ qemu-5.1.0/include/exec/cpu_ldst.h
+@@ -75,7 +75,10 @@ typedef uint64_t abi_ptr;
#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS
#define guest_addr_valid(x) (1)
#else
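Review bot: The replacement `GUEST_ADDR_MAX` in the cpu-all.h section evaluates `(1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1` with no guard on the shift width, while the upstream definition it removes (`GUEST_ADDR_MAX_`) selected `UINT32_MAX` or `~0ul` and never shifted. If any enabled linux-user target has `TARGET_VIRT_ADDR_SPACE_BITS` equal to the width of the host `unsigned long`, the shift is undefined behaviour. A guard such as `#if HOST_LONG_BITS <= TARGET_VIRT_ADDR_SPACE_BITS` selecting `~0ul` would keep that case defined. The patch also changes the `reserved_va` arm from `reserved_va - 1` to `reserved_va`, which moves the limit by one byte and deserves a sentence in the patch header. The enclosing `#if` block in cpu-all.h starts outside the hunk, so whether an outer condition already excludes the wide case cannot be seen here.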
@@ -60,11 +62,11 @@ index fd499f7e..30575f60 100644
#endif
#define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
-diff --git a/linux-user/mmap.c b/linux-user/mmap.c
-index 46a6e3a7..77354654 100644
---- a/linux-user/mmap.c
-+++ b/linux-user/mmap.c
-@@ -78,7 +78,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
+Index: qemu-5.1.0/linux-user/mmap.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/mmap.c
++++ qemu-5.1.0/linux-user/mmap.c
+@@ -71,7 +71,7 @@ int target_mprotect(abi_ulong start, abi
return -TARGET_EINVAL;
len = TARGET_PAGE_ALIGN(len);
end = start + len;
@@ -73,18 +75,18 @@ index 46a6e3a7..77354654 100644
return -TARGET_ENOMEM;
}
prot &= PROT_READ | PROT_WRITE | PROT_EXEC;
-@@ -495,8 +495,8 @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
+@@ -467,8 +467,8 @@ abi_long target_mmap(abi_ulong start, ab
* It can fail only on 64-bit host with 32-bit target.
* On any other target/host host mmap() handles this error correctly.
*/
-- if (!guest_range_valid(start, len)) {
+- if (end < start || !guest_range_valid(start, len)) {
- errno = ENOMEM;
-+ if ((unsigned long)start + len - 1 > (abi_ulong) -1) {
++ if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1)) {
+ errno = EINVAL;
goto fail;
}
-@@ -636,10 +636,8 @@ int target_munmap(abi_ulong start, abi_ulong len)
+@@ -604,10 +604,8 @@ int target_munmap(abi_ulong start, abi_u
if (start & ~TARGET_PAGE_MASK)
return -TARGET_EINVAL;
len = TARGET_PAGE_ALIGN(len);
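Review bot: In the `target_mmap` section the refreshed check `if (end < start || ((unsigned long)start + len - 1 > (abi_ulong) -1))` replaces upstream's `guest_range_valid(start, len)`, so the range is no longer compared against `reserved_va`. On a configuration where `abi_ulong` is as wide as `unsigned long`, the second comparison can never be true. The later sections of this patch (`target_munmap`, `target_mremap`, `do_shmat`) appear to remove their range checks in the same way, although their bodies are only partly visible here. Since the patch is marked `Upstream-Status: Pending` and reverts guest-address validation, its header should say why the revert is still needed on 5.1.0 and which targets it was tested on. The function bodies continue outside the hunk.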
@@ -96,7 +98,7 @@ index 46a6e3a7..77354654 100644
mmap_lock();
end = start + len;
real_start = start & qemu_host_page_mask;
-@@ -694,13 +692,6 @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
+@@ -662,13 +660,6 @@ abi_long target_mremap(abi_ulong old_add
int prot;
void *host_addr;
@@ -110,11 +112,11 @@ index 46a6e3a7..77354654 100644
mmap_lock();
if (flags & MREMAP_FIXED) {
-diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 171c0cae..fc18f244 100644
---- a/linux-user/syscall.c
-+++ b/linux-user/syscall.c
-@@ -4138,9 +4138,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
+Index: qemu-5.1.0/linux-user/syscall.c
+===================================================================
+--- qemu-5.1.0.orig/linux-user/syscall.c
++++ qemu-5.1.0/linux-user/syscall.c
+@@ -4336,9 +4336,6 @@ static inline abi_ulong do_shmat(CPUArch
return -TARGET_EINVAL;
}
}
@@ -124,12 +126,12 @@ index 171c0cae..fc18f244 100644
mmap_lock();
-@@ -6990,7 +6987,7 @@ static int open_self_maps(void *cpu_env, int fd)
- }
- if (h2g_valid(min)) {
- int flags = page_get_flags(h2g(min));
-- max = h2g_valid(max - 1) ? max : (uintptr_t)g2h(GUEST_ADDR_MAX) + 1;
-+ max = h2g_valid(max - 1) ? max : (uintptr_t)g2h(GUEST_ADDR_MAX);
+@@ -7376,7 +7373,7 @@ static int open_self_maps(void *cpu_env,
+ const char *path;
+
+ max = h2g_valid(max - 1) ?
+- max : (uintptr_t) g2h(GUEST_ADDR_MAX) + 1;
++ max : (uintptr_t) g2h(GUEST_ADDR_MAX);
+
if (page_check_range(h2g(min), max - min, flags) == -1) {
continue;
- }
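Review bot: In the open_self_maps hunk, the new line `max : (uintptr_t) g2h(GUEST_ADDR_MAX);` drops upstream's `+ 1`, so for a region clipped at the top of guest space `max` is the last guest byte rather than one past it. The `max - min` length passed to `page_check_range(h2g(min), max - min, flags)` is then one byte short, and any later use of `max` as an exclusive end (not visible here) would be off by one. The reason for the omission is not given in the visible part of the patch. It should be recorded next to the expression, for example `/* deliberately omits upstream's "+ 1": max is the last valid guest byte here, not one past it */`, along with what breaks if the `+ 1` is kept. The function body continues outside the hunk.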
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
index 34df78b7f..d7e3fffdd 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -14,11 +14,11 @@ Signed-off-by: He Zhe <zhe.he@windriver.com>
configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 8 deletions(-)
-diff --git a/configure b/configure
-index 72f11aca..cac271ce 100755
---- a/configure
-+++ b/configure
-@@ -2875,6 +2875,30 @@ has_libgcrypt() {
+Index: qemu-5.1.0/configure
+===================================================================
+--- qemu-5.1.0.orig/configure
++++ qemu-5.1.0/configure
+@@ -3084,6 +3084,30 @@ has_libgcrypt() {
return 0
}
@@ -49,7 +49,7 @@ index 72f11aca..cac271ce 100755
if test "$nettle" != "no"; then
pass="no"
-@@ -2915,7 +2939,14 @@ fi
+@@ -3124,7 +3148,14 @@ fi
if test "$gcrypt" != "no"; then
pass="no"
@@ -65,7 +65,7 @@ index 72f11aca..cac271ce 100755
gcrypt_cflags=$(libgcrypt-config --cflags)
gcrypt_libs=$(libgcrypt-config --libs)
# Debian has removed -lgpg-error from libgcrypt-config
-@@ -2925,15 +2956,16 @@ if test "$gcrypt" != "no"; then
+@@ -3134,15 +3165,16 @@ if test "$gcrypt" != "no"; then
then
gcrypt_libs="$gcrypt_libs -lgpg-error"
fi
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch b/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
deleted file mode 100644
index 2fe0850a3..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From a88c40f02ace88f09b2a85a64831b277b2ebc88c Mon Sep 17 00:00:00 2001
-From: Peter Wu <peter@lekensteyn.nl>
-Date: Sat, 21 Dec 2019 17:21:24 +0100
-Subject: [PATCH] hw/i386/pc: fix regression in parsing vga cmdline parameter
-
-When the 'vga=' parameter is succeeded by another parameter, QEMU 4.2.0
-would refuse to start with a rather cryptic message:
-
- $ qemu-system-x86_64 -kernel /boot/vmlinuz-linux -append 'vga=792 quiet'
- qemu: can't parse 'vga' parameter: Invalid argument
-
-It was not clear whether this applied to the '-vga std' parameter or the
-'-append' one. Fix the parsing regression and clarify the error.
-
-Fixes: 133ef074bd ("hw/i386/pc: replace use of strtol with qemu_strtoui in x86_load_linux()")
-Cc: Sergio Lopez <slp@redhat.com>
-Signed-off-by: Peter Wu <peter@lekensteyn.nl>
-Message-Id: <20191221162124.1159291-1-peter@lekensteyn.nl>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a88c40f02ace88f09b2a85a64831b277b2ebc88c]
----
- hw/i386/x86.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/hw/i386/x86.c b/hw/i386/x86.c
-index d8bb5c2a96..9b9a4d5837 100644
---- a/hw/i386/x86.c
-+++ b/hw/i386/x86.c
-@@ -612,6 +612,7 @@ void x86_load_linux(X86MachineState *x86ms,
- vmode = strstr(kernel_cmdline, "vga=");
- if (vmode) {
- unsigned int video_mode;
-+ const char *end;
- int ret;
- /* skip "vga=" */
- vmode += 4;
-@@ -622,10 +623,9 @@ void x86_load_linux(X86MachineState *x86ms,
- } else if (!strncmp(vmode, "ask", 3)) {
- video_mode = 0xfffd;
- } else {
-- ret = qemu_strtoui(vmode, NULL, 0, &video_mode);
-- if (ret != 0) {
-- fprintf(stderr, "qemu: can't parse 'vga' parameter: %s\n",
-- strerror(-ret));
-+ ret = qemu_strtoui(vmode, &end, 0, &video_mode);
-+ if (ret != 0 || (*end && *end != ' ')) {
-+ fprintf(stderr, "qemu: invalid 'vga=' kernel parameter.\n");
- exit(1);
- }
- }
---
-2.25.0
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch b/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
deleted file mode 100644
index 3a7d7bbd3..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 9125afb733d8c96416bb83c5adad39bb8d0803a1 Mon Sep 17 00:00:00 2001
-From: Hongxu Jia <hongxu.jia@windriver.com>
-Date: Tue, 12 Mar 2013 09:54:06 +0800
-Subject: [PATCH] fix libcap header issue on some distro
-
-1, When build qemu-native on SLED 11.2, there is an error:
-...
-| In file included from /usr/include/bits/sigcontext.h:28,
-| from /usr/include/signal.h:339,
-| from /buildarea2/tmp/work/i686-linux/qemu-native/1.4.0-r0/
-qemu-1.4.0/include/qemu-common.h:42,
-| from fsdev/virtfs-proxy-helper.c:23:
-| /usr/include/asm/sigcontext.h:28: error: expected specifier-
-qualifier-list before '__u64'
-| /usr/include/asm/sigcontext.h:191: error: expected specifier-
-qualifier-list before '__u64'
-...
-
-2, The virtfs-proxy-helper.c includes <sys/capability.h> and
-qemu-common.h in sequence. The header include map is:
-(`-->' presents `include')
-...
-"virtfs-proxy-helper.c" --> <sys/capability.h>
-...
-"virtfs-proxy-helper.c" --> "qemu-common.h" --> <signal.h> -->
-<bits/sigcontext.h> --> <asm/sigcontext.h> --> <linux/types.h> -->
-<asm/types.h> --> <asm-generic/types.h> --> <asm-generic/int-ll64.h>
-...
-
-3, The bug is found on SLED 11.2 x86. In libcap header file
-/usr/include/sys/capability.h, it does evil stuff like this:
-...
- 25 /*
- 26 * Make sure we can be included from userland by preventing
- 27 * capability.h from including other kernel headers
- 28 */
- 29 #define _LINUX_TYPES_H
- 30 #define _LINUX_FS_H
- 31 #define __LINUX_COMPILER_H
- 32 #define __user
- 33
- 34 typedef unsigned int __u32;
- 35 typedef __u32 __le32;
-...
-This completely prevents including /usr/include/linux/types.h.
-The above `<asm/sigcontext.h> --> <linux/types.h>' is prevented,
-and '__u64' is defined in <asm-generic/int-ll64.h>.
-
-4, Modify virtfs-proxy-helper.c to include <sys/capability.h>
-last to workaround the issue.
-
-http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
-http://patchwork.linuxtv.org/patch/12748/
-
-Upstream-Status: Pending
-Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
-
----
- fsdev/virtfs-proxy-helper.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
-index 6f132c5f..8329950c 100644
---- a/fsdev/virtfs-proxy-helper.c
-+++ b/fsdev/virtfs-proxy-helper.c
-@@ -13,7 +13,6 @@
- #include <sys/resource.h>
- #include <getopt.h>
- #include <syslog.h>
--#include <sys/capability.h>
- #include <sys/fsuid.h>
- #include <sys/vfs.h>
- #include <sys/ioctl.h>
-@@ -27,7 +26,11 @@
- #include "9p-iov-marshal.h"
- #include "hw/9pfs/9p-proxy.h"
- #include "fsdev/9p-iov-marshal.h"
--
-+/*
-+ * Include this one last due to some versions of it being buggy:
-+ * http://www.linuxtv.org/pipermail/vdr/2009-August/021194.html
-+ */
-+#include <sys/capability.h>
- #define PROGNAME "virtfs-proxy-helper"
-
- #ifndef XFS_SUPER_MAGIC
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
deleted file mode 100644
index e5ebfc126..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 0a53e906510cce1f32bc04a11e81ea40f834dac4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?An=C3=ADbal=20Lim=C3=B3n?= <anibal.limon@linux.intel.com>
-Date: Wed, 12 Aug 2015 15:11:30 -0500
-Subject: [PATCH] cpus.c: Add error messages when qemi_cpu_kick_thread fails.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add custom_debug.h with function for print backtrace information.
-When pthread_kill fails in qemu_cpu_kick_thread display backtrace and
-current cpu information.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Aníbal Limón <anibal.limon@linux.intel.com>
-
----
- cpus.c | 5 +++++
- custom_debug.h | 24 ++++++++++++++++++++++++
- 2 files changed, 29 insertions(+)
- create mode 100644 custom_debug.h
-
-diff --git a/cpus.c b/cpus.c
-index e83f72b4..e6e2576e 100644
---- a/cpus.c
-+++ b/cpus.c
-@@ -1769,6 +1769,8 @@ static void *qemu_tcg_cpu_thread_fn(void *arg)
- return NULL;
- }
-
-+#include "custom_debug.h"
-+
- static void qemu_cpu_kick_thread(CPUState *cpu)
- {
- #ifndef _WIN32
-@@ -1781,6 +1783,9 @@ static void qemu_cpu_kick_thread(CPUState *cpu)
- err = pthread_kill(cpu->thread->thread, SIG_IPI);
- if (err && err != ESRCH) {
- fprintf(stderr, "qemu:%s: %s", __func__, strerror(err));
-+ fprintf(stderr, "CPU #%d:\n", cpu->cpu_index);
-+ cpu_dump_state(cpu, stderr, 0);
-+ backtrace_print();
- exit(1);
- }
- #else /* _WIN32 */
-diff --git a/custom_debug.h b/custom_debug.h
-new file mode 100644
-index 00000000..f029e455
---- /dev/null
-+++ b/custom_debug.h
-@@ -0,0 +1,24 @@
-+#include <execinfo.h>
-+#include <stdio.h>
-+#define BACKTRACE_MAX 128
-+static void backtrace_print(void)
-+{
-+ int nfuncs = 0;
-+ void *buf[BACKTRACE_MAX];
-+ char **symbols;
-+ int i;
-+
-+ nfuncs = backtrace(buf, BACKTRACE_MAX);
-+
-+ symbols = backtrace_symbols(buf, nfuncs);
-+ if (symbols == NULL) {
-+ fprintf(stderr, "backtrace_print failed to get symbols");
-+ return;
-+ }
-+
-+ fprintf(stderr, "Backtrace ...\n");
-+ for (i = 0; i < nfuncs; i++)
-+ fprintf(stderr, "%s\n", symbols[i]);
-+
-+ free(symbols);
-+}
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
deleted file mode 100644
index 1d89431be..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-15890.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 4fc0d23e8f6d795c679623d2ed2cbe6a7a17b9c7 Mon Sep 17 00:00:00 2001
-From: Li Zhou <li.zhou@windriver.com>
-Date: Tue, 10 Sep 2019 20:02:15 -0700
-Subject: [PATCH] ip_reass: Fix use after free
-
-Using ip_deq after m_free might read pointers from an allocation reuse.
-
-This would be difficult to exploit, but that is still related with
-CVE-2019-14378 which generates fragmented IP packets that would trigger this
-issue and at least produce a DoS.
-
-Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-
-Upstream-Status: Backport
-CVE: CVE-2019-15890
-Signed-off-by: Li Zhou <li.zhou@windriver.com>
----
- slirp/src/ip_input.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/slirp/src/ip_input.c b/slirp/src/ip_input.c
-index 8c75d914..c07d7d40 100644
---- a/slirp/src/ip_input.c
-+++ b/slirp/src/ip_input.c
-@@ -292,6 +292,7 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
- */
- while (q != (struct ipasfrag *)&fp->frag_link &&
- ip->ip_off + ip->ip_len > q->ipf_off) {
-+ struct ipasfrag *prev;
- i = (ip->ip_off + ip->ip_len) - q->ipf_off;
- if (i < q->ipf_len) {
- q->ipf_len -= i;
-@@ -299,9 +300,10 @@ static struct ip *ip_reass(Slirp *slirp, struct ip *ip, struct ipq *fp)
- m_adj(dtom(slirp, q), i);
- break;
- }
-+ prev = q;
- q = q->ipf_next;
-- m_free(dtom(slirp, q->ipf_prev));
-- ip_deq(q->ipf_prev);
-+ ip_deq(prev);
-+ m_free(dtom(slirp, prev));
- }
-
- insert:
---
-2.23.0
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch
deleted file mode 100644
index e8f3e1dbd..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Tue, 24 Mar 2020 22:57:22 +0530
-Subject: [PATCH] net: tulip: check frame size and r/w data length
-
-Tulip network driver while copying tx/rx buffers does not check
-frame size against r/w data length. This may lead to OOB buffer
-access. Add check to avoid it.
-
-Limit iterations over descriptors to avoid potential infinite
-loop issue in tulip_xmit_list_update.
-
-Reported-by: Li Qiang <pangpei.lq@antfin.com>
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Reported-by: Jason Wang <jasowang@redhat.com>
-Tested-by: Li Qiang <liq3ea@gmail.com>
-Reviewed-by: Li Qiang <liq3ea@gmail.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Jason Wang <jasowang@redhat.com>
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850]
-CVE: CVE-2020-11102
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
----
- hw/net/tulip.c | 36 +++++++++++++++++++++++++++---------
- 1 file changed, 27 insertions(+), 9 deletions(-)
-
-diff --git a/hw/net/tulip.c b/hw/net/tulip.c
-index cfac271..1295f51 100644
---- a/hw/net/tulip.c
-+++ b/hw/net/tulip.c
-@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
- } else {
- len = s->rx_frame_len;
- }
-+
-+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-+ return;
-+ }
- pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
- (s->rx_frame_size - s->rx_frame_len), len);
- s->rx_frame_len -= len;
-@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
- } else {
- len = s->rx_frame_len;
- }
-+
-+ if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
-+ return;
-+ }
- pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
- (s->rx_frame_size - s->rx_frame_len), len);
- s->rx_frame_len -= len;
-@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size)
-
- trace_tulip_receive(buf, size);
-
-- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) {
-+ if (size < 14 || size > sizeof(s->rx_frame) - 4
-+ || s->rx_frame_len || tulip_rx_stopped(s)) {
- return 0;
- }
-
-@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc,
- return tulip_receive(qemu_get_nic_opaque(nc), buf, size);
- }
-
--
- static NetClientInfo net_tulip_info = {
- .type = NET_CLIENT_DRIVER_NIC,
- .size = sizeof(NICState),
-@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
- if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
- /* Internal or external Loopback */
- tulip_receive(s, s->tx_frame, s->tx_frame_len);
-- } else {
-+ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) {
- qemu_send_packet(qemu_get_queue(s->nic),
- s->tx_frame, s->tx_frame_len);
- }
-@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
- }
- }
-
--static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
-+static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
- {
- int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
- int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK;
-
-+ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) {
-+ return -1;
-+ }
- if (len1) {
- pci_dma_read(&s->dev, desc->buf_addr1,
- s->tx_frame + s->tx_frame_len, len1);
- s->tx_frame_len += len1;
- }
-
-+ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) {
-+ return -1;
-+ }
- if (len2) {
- pci_dma_read(&s->dev, desc->buf_addr2,
- s->tx_frame + s->tx_frame_len, len2);
- s->tx_frame_len += len2;
- }
- desc->status = (len1 + len2) ? 0 : 0x7fffffff;
-+
-+ return 0;
- }
-
- static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n)
-@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s)
-
- static void tulip_xmit_list_update(TULIPState *s)
- {
-+#define TULIP_DESC_MAX 128
-+ uint8_t i = 0;
- struct tulip_descriptor desc;
-
- if (tulip_ts(s) != CSR5_TS_SUSPENDED) {
- return;
- }
-
-- for (;;) {
-+ for (i = 0; i < TULIP_DESC_MAX; i++) {
- tulip_desc_read(s, s->current_tx_desc, &desc);
- tulip_dump_tx_descriptor(s, &desc);
-
-@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s)
- s->tx_frame_len = 0;
- }
-
-- tulip_copy_tx_buffers(s, &desc);
--
-- if (desc.control & TDES1_LS) {
-- tulip_tx(s, &desc);
-+ if (!tulip_copy_tx_buffers(s, &desc)) {
-+ if (desc.control & TDES1_LS) {
-+ tulip_tx(s, &desc);
-+ }
- }
- }
- tulip_desc_write(s, s->current_tx_desc, &desc);
---
-1.8.3.1
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch
deleted file mode 100644
index ca7ffed93..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11869.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From ac2071c3791b67fc7af78b8ceb320c01ca1b5df7 Mon Sep 17 00:00:00 2001
-From: BALATON Zoltan <balaton@eik.bme.hu>
-Date: Mon, 6 Apr 2020 22:34:26 +0200
-Subject: [PATCH] ati-vga: Fix checks in ati_2d_blt() to avoid crash
-
-In some corner cases (that never happen during normal operation but a
-malicious guest could program wrong values) pixman functions were
-called with parameters that result in a crash. Fix this and add more
-checks to disallow such cases.
-
-Reported-by: Ziming Zhang <ezrakiez@gmail.com>
-Signed-off-by: BALATON Zoltan <balaton@eik.bme.hu>
-Message-id: 20200406204029.19559747D5D@zero.eik.bme.hu
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=ac2071c3791b67fc7af78b8ceb320c01ca1b5df7]
-CVE: CVE-2020-11869
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- hw/display/ati_2d.c | 37 ++++++++++++++++++++++++++-----------
- 1 file changed, 26 insertions(+), 11 deletions(-)
-
-diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
-index 42e8231..23a8ae0 100644
---- a/hw/display/ati_2d.c
-+++ b/hw/display/ati_2d.c
-@@ -53,12 +53,20 @@ void ati_2d_blt(ATIVGAState *s)
- s->vga.vbe_start_addr, surface_data(ds), surface_stride(ds),
- surface_bits_per_pixel(ds),
- (s->regs.dp_mix & GMC_ROP3_MASK) >> 16);
-- int dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-- s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
-- int dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-- s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
-+ unsigned dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+ s->regs.dst_x : s->regs.dst_x + 1 - s->regs.dst_width);
-+ unsigned dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ s->regs.dst_y : s->regs.dst_y + 1 - s->regs.dst_height);
- int bpp = ati_bpp_from_datatype(s);
-+ if (!bpp) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "Invalid bpp\n");
-+ return;
-+ }
- int dst_stride = DEFAULT_CNTL ? s->regs.dst_pitch : s->regs.default_pitch;
-+ if (!dst_stride) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "Zero dest pitch\n");
-+ return;
-+ }
- uint8_t *dst_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
- s->regs.dst_offset : s->regs.default_offset);
-
-@@ -82,12 +90,16 @@ void ati_2d_blt(ATIVGAState *s)
- switch (s->regs.dp_mix & GMC_ROP3_MASK) {
- case ROP3_SRCCOPY:
- {
-- int src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-- s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
-- int src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-- s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
-+ unsigned src_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+ s->regs.src_x : s->regs.src_x + 1 - s->regs.dst_width);
-+ unsigned src_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ s->regs.src_y : s->regs.src_y + 1 - s->regs.dst_height);
- int src_stride = DEFAULT_CNTL ?
- s->regs.src_pitch : s->regs.default_pitch;
-+ if (!src_stride) {
-+ qemu_log_mask(LOG_GUEST_ERROR, "Zero source pitch\n");
-+ return;
-+ }
- uint8_t *src_bits = s->vga.vram_ptr + (DEFAULT_CNTL ?
- s->regs.src_offset : s->regs.default_offset);
-
-@@ -137,8 +149,10 @@ void ati_2d_blt(ATIVGAState *s)
- dst_y * surface_stride(ds),
- s->regs.dst_height * surface_stride(ds));
- }
-- s->regs.dst_x += s->regs.dst_width;
-- s->regs.dst_y += s->regs.dst_height;
-+ s->regs.dst_x = (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ?
-+ dst_x + s->regs.dst_width : dst_x);
-+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ dst_y + s->regs.dst_height : dst_y);
- break;
- }
- case ROP3_PATCOPY:
-@@ -179,7 +193,8 @@ void ati_2d_blt(ATIVGAState *s)
- dst_y * surface_stride(ds),
- s->regs.dst_height * surface_stride(ds));
- }
-- s->regs.dst_y += s->regs.dst_height;
-+ s->regs.dst_y = (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ?
-+ dst_y + s->regs.dst_height : dst_y);
- break;
- }
- default:
---
-1.8.3.1
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
deleted file mode 100644
index aa7bc8232..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
-From: Felipe Franciosi <felipe@nutanix.com>
-Date: Thu, 23 Jan 2020 12:44:59 +0000
-Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
-
-When querying an iSCSI server for the provisioning status of blocks (via
-GET LBA STATUS), Qemu only validates that the response descriptor zero's
-LBA matches the one requested. Given the SCSI spec allows servers to
-respond with the status of blocks beyond the end of the LUN, Qemu may
-have its heap corrupted by clearing/setting too many bits at the end of
-its allocmap for the LUN.
-
-A malicious guest in control of the iSCSI server could carefully program
-Qemu's heap (by selectively setting the bitmap) and then smash it.
-
-This limits the number of bits that iscsi_co_block_status() will try to
-update in the allocmap so it can't overflow the bitmap.
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc]
-CVE: CVE-2020-1711
-
-Fixes: CVE-2020-1711
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
-Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
-Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
----
- block/iscsi.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index 2aea7e3..cbd5729 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
- struct scsi_get_lba_status *lbas = NULL;
- struct scsi_lba_status_descriptor *lbasd = NULL;
- struct IscsiTask iTask;
-- uint64_t lba;
-+ uint64_t lba, max_bytes;
- int ret;
-
- iscsi_co_init_iscsitask(iscsilun, &iTask);
-@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
- }
-
- lba = offset / iscsilun->block_size;
-+ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
-
- qemu_mutex_lock(&iscsilun->mutex);
- retry:
-@@ -764,7 +765,7 @@ retry:
- goto out_unlock;
- }
-
-- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
-+ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
-
- if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
- lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
---
-1.8.3.1
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
deleted file mode 100644
index df6bca6db..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 27 Feb 2020 12:07:35 +0800
-Subject: [PATCH] tcp_emu: Fix oob access
-
-The main loop only checks for one available byte, while we sometimes
-need two bytes.
-
-CVE: CVE-2020-7039
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- slirp/src/tcp_subr.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index d6dd133..4bea2d4 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- break;
-
- case 5:
-+ if (bptr == m->m_data + m->m_len - 1)
-+ return 1; /* We need two bytes */
- /*
- * The difference between versions 1.0 and
- * 2.0 is here. For future versions of
-@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- /* This is the field containing the port
- * number that RA-player is listening to.
- */
-+
-+ if (bptr == m->m_data + m->m_len - 1)
-+ return 1; /* We need two bytes */
-+
- lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
- if (lport < 6970)
- lport += 256; /* don't know why */
---
-2.7.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
deleted file mode 100644
index 4a00fa2af..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 27 Feb 2020 12:10:34 +0800
-Subject: [PATCH] slirp: use correct size while emulating commands
-
-While emulating services in tcp_emu(), it uses 'mbuf' size
-'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
-size to avoid possible OOB access.
-Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Samuel Thibault's avatarSamuel Thibault
-<samuel.thibault@ens-lyon.org>
-Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
-
-CVE: CVE-2020-7039
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- slirp/src/tcp_subr.c | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index 4bea2d4..e8ed4ef 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- n4 = (laddr & 0xff);
-
- m->m_len = bptr - m->m_data; /* Adjust length */
-- m->m_len += snprintf(bptr, m->m_size - m->m_len,
-+ m->m_len += snprintf(bptr, M_FREEROOM(m),
- "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
- n5, n6, x == 7 ? buff : "");
- return 1;
-@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- n4 = (laddr & 0xff);
-
- m->m_len = bptr - m->m_data; /* Adjust length */
-- m->m_len +=
-- snprintf(bptr, m->m_size - m->m_len,
-+ m->m_len += snprintf(bptr, M_FREEROOM(m),
- "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
- n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
-
-@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
- (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
- htons(lport), SS_FACCEPTONCE)) != NULL)
-- m->m_len =
-- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
-+ m->m_len = snprintf(m->m_data, M_ROOM(m),
-+ "%d", ntohs(so->so_fport)) + 1;
- return 1;
-
- case EMU_IRC:
---
-2.7.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
deleted file mode 100644
index 70ce480d8..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
-From: Changqing Li <changqing.li@windriver.com>
-Date: Thu, 27 Feb 2020 12:15:04 +0800
-Subject: [PATCH] slirp: use correct size while emulating IRC commands
-
-While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
-'m->m_size' to write DCC commands via snprintf(3). This may
-lead to OOB write access, because 'bptr' points somewhere in
-the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
-size to avoid OOB access.
-Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
-Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Samuel Thibault's avatarSamuel Thibault
-<samuel.thibault@ens-lyon.org>
-Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
-
-CVE: CVE-2020-7039
-Upstream-Status: Backport
-[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- slirp/src/tcp_subr.c | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
-index e8ed4ef..3a4a8ee 100644
---- a/slirp/src/tcp_subr.c
-+++ b/slirp/src/tcp_subr.c
-@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- return 1;
- }
- m->m_len = bptr - m->m_data; /* Adjust length */
-- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
-+ m->m_len += snprintf(bptr, M_FREEROOM(m),
-+ "DCC CHAT chat %lu %u%c\n",
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), 1);
- } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
-@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- return 1;
- }
- m->m_len = bptr - m->m_data; /* Adjust length */
-- m->m_len +=
-- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
-+ m->m_len += snprintf(bptr, M_FREEROOM(m),
-+ "DCC SEND %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
- } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
-@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
- return 1;
- }
- m->m_len = bptr - m->m_data; /* Adjust length */
-- m->m_len +=
-- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
-+ m->m_len += snprintf(bptr, M_FREEROOM(m),
-+ "DCC MOVE %s %lu %u %u%c\n", buff,
- (unsigned long)ntohl(so->so_faddr.s_addr),
- ntohs(so->so_fport), n1, 1);
- }
---
-2.7.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
deleted file mode 100644
index 11be4c92e..000000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Mon, 13 Jan 2020 17:44:31 +0530
-Subject: [PATCH] slirp: tftp: restrict relative path access
-
-tftp restricts relative or directory path access on Linux systems.
-Apply same restrictions on Windows systems too. It helps to avoid
-directory traversal issue.
-
-Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
-Reported-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
-Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
-
-Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
-CVE: CVE-2020-7211
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
-
----
- slirp/src/tftp.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
-index 093c2e0..e52e71b 100644
---- a/slirp/src/tftp.c
-+++ b/slirp/src/tftp.c
-@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
- k += 6; /* skipping octet */
-
- /* do sanity checks on the filename */
-- if (!strncmp(req_fname, "../", 3) ||
-- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
-+ if (
-+#ifdef G_OS_WIN32
-+ strstr(req_fname, "..\\") ||
-+ req_fname[strlen(req_fname) - 1] == '\\' ||
-+#endif
-+ strstr(req_fname, "../") ||
-+ req_fname[strlen(req_fname) - 1] == '/') {
- tftp_send_error(spt, 2, "Access violation", tp);
- return;
- }
---
-2.24.1
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/find_datadir.patch b/poky/meta/recipes-devtools/qemu/qemu/find_datadir.patch
new file mode 100644
index 000000000..9a4c11267
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/find_datadir.patch
@@ -0,0 +1,39 @@
+qemu: search for datadir as in version 4.2
+
+os_find_datadir() was changed after the 4.2 release. We need to check for
+../share/qemu relative to the executable because that is where the runqemu
+configuration assumes it will be.
+
+Upstream-Status: Submitted [qemu-devel@nongnu.org]
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+
+
+Index: qemu-5.1.0/os-posix.c
+===================================================================
+--- qemu-5.1.0.orig/os-posix.c
++++ qemu-5.1.0/os-posix.c
+@@ -82,8 +82,9 @@ void os_setup_signal_handling(void)
+
+ /*
+ * Find a likely location for support files using the location of the binary.
++ * Typically, this would be "$bindir/../share/qemu".
+ * When running from the build tree this will be "$bindir/../pc-bios".
+- * Otherwise, this is CONFIG_QEMU_DATADIR.
++ * Otherwise, this is CONFIG_QEMU_DATADIR as constructed by configure.
+ *
+ * The caller must use g_free() to free the returned data when it is
+ * no longer required.
+@@ -96,6 +97,12 @@ char *os_find_datadir(void)
+ exec_dir = qemu_get_exec_dir();
+ g_return_val_if_fail(exec_dir != NULL, NULL);
+
++ dir = g_build_filename(exec_dir, "..", "share", "qemu", NULL);
++ if (g_file_test(dir, G_FILE_TEST_IS_DIR)) {
++ return g_steal_pointer(&dir);
++ }
++ g_free(dir); /* no autofree this time */
++
+ dir = g_build_filename(exec_dir, "..", "pc-bios", NULL);
+ if (g_file_test(dir, G_FILE_TEST_IS_DIR)) {
+ return g_steal_pointer(&dir);
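Review bot: The manual `g_free(dir);` added to os_find_datadir() leaves `dir` pointing at freed memory until the next `g_build_filename()` call reassigns it. The in-patch comment "no autofree this time" suggests `dir` is declared `g_autofree`, but that declaration is outside the hunk; if it is, an early return later inserted between those two lines would free the pointer a second time at scope exit. `g_clear_pointer(&dir, g_free);` frees and nulls it in one step and keeps the cleanup safe. Separately, the new lookup lets `<exec_dir>/../share/qemu` take precedence over CONFIG_QEMU_DATADIR whenever that directory exists, so firmware and ROM files are picked up from a location derived from where the binary sits. The header comment could state that this directory is expected to carry the same ownership and permissions as the binary. The function body continues past the end of the hunk.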
diff --git a/poky/meta/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch b/poky/meta/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch
new file mode 100644
index 000000000..92801da46
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/usb-fix-setup_len-init.patch
@@ -0,0 +1,89 @@
+CVE: CVE-2020-14364
+Upstream-Status: Backport
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+
+From b946434f2659a182afc17e155be6791ebfb302eb Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Tue, 25 Aug 2020 07:36:36 +0200
+Subject: [PATCH] usb: fix setup_len init (CVE-2020-14364)
+
+Store calculated setup_len in a local variable, verify it, and only
+write it to the struct (USBDevice->setup_len) in case it passed the
+sanity checks.
+
+This prevents other code (do_token_{in,out} functions specifically)
+from working with invalid USBDevice->setup_len values and overrunning
+the USBDevice->setup_buf[] buffer.
+
+Fixes: CVE-2020-14364
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Tested-by: Gonglei <arei.gonglei@huawei.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Message-id: 20200825053636.29648-1-kraxel@redhat.com
+---
+ hw/usb/core.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/hw/usb/core.c b/hw/usb/core.c
+index 5abd128b6bc..5234dcc73fe 100644
+--- a/hw/usb/core.c
++++ b/hw/usb/core.c
+@@ -129,6 +129,7 @@ void usb_wakeup(USBEndpoint *ep, unsigned int stream)
+ static void do_token_setup(USBDevice *s, USBPacket *p)
+ {
+ int request, value, index;
++ unsigned int setup_len;
+
+ if (p->iov.size != 8) {
+ p->status = USB_RET_STALL;
+@@ -138,14 +139,15 @@ static void do_token_setup(USBDevice *s, USBPacket *p)
+ usb_packet_copy(p, s->setup_buf, p->iov.size);
+ s->setup_index = 0;
+ p->actual_length = 0;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+@@ -259,26 +261,28 @@ static void do_token_out(USBDevice *s, USBPacket *p)
+ static void do_parameter(USBDevice *s, USBPacket *p)
+ {
+ int i, request, value, index;
++ unsigned int setup_len;
+
+ for (i = 0; i < 8; i++) {
+ s->setup_buf[i] = p->parameter >> (i*8);
+ }
+
+ s->setup_state = SETUP_STATE_PARAM;
+- s->setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
+ s->setup_index = 0;
+
+ request = (s->setup_buf[0] << 8) | s->setup_buf[1];
+ value = (s->setup_buf[3] << 8) | s->setup_buf[2];
+ index = (s->setup_buf[5] << 8) | s->setup_buf[4];
+
+- if (s->setup_len > sizeof(s->data_buf)) {
++ setup_len = (s->setup_buf[7] << 8) | s->setup_buf[6];
++ if (setup_len > sizeof(s->data_buf)) {
+ fprintf(stderr,
+ "usb_generic_handle_packet: ctrl buffer too small (%d > %zu)\n",
+- s->setup_len, sizeof(s->data_buf));
++ setup_len, sizeof(s->data_buf));
+ p->status = USB_RET_STALL;
+ return;
+ }
++ s->setup_len = setup_len;
+
+ if (p->pid == USB_TOKEN_OUT) {
+ usb_packet_copy(p, s->data_buf, s->setup_len);
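Review bot: The `Upstream-Status: Backport` tag at the top of usb-fix-setup_len-init.patch carries no upstream reference, whereas the CVE patches removed in this same commit recorded the source commit in brackets. The embedded `From` line already names b946434f2659a182afc17e155be6791ebfb302eb, so `Upstream-Status: Backport [<upstream URL for commit b946434f2659a182afc17e155be6791ebfb302eb>]` would let a later reviewer confirm the backport matches upstream. In the code, `setup_len` is now `unsigned int`, but both `fprintf` calls in do_token_setup() and do_parameter() still format it with `%d`; `%u` would match the type. That mismatch presumably mirrors the upstream commit, and the value is assembled from two bytes of `setup_buf`, so it is cosmetic. Both functions continue outside the nested hunks.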
diff --git a/poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb b/poky/meta/recipes-devtools/qemu/qemu_5.1.0.bb
index a4018cc44..599ff82fc 100644
--- a/poky/meta/recipes-devtools/qemu/qemu_4.2.0.bb
+++ b/poky/meta/recipes-devtools/qemu/qemu_5.1.0.bb
@@ -21,8 +21,8 @@ do_install_append_class-nativesdk() {
PACKAGECONFIG ??= " \
fdt sdl kvm \
${@bb.utils.filter('DISTRO_FEATURES', 'alsa xen', d)} \
- ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '' ,d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
"
PACKAGECONFIG_class-nativesdk ??= "fdt sdl kvm \
- ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '' ,d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'opengl', 'virglrenderer glx', '', d)} \
"