Diffstat (limited to 'poky/meta/recipes-devtools/qemu')
4 files changed, 120 insertions, 8 deletions
diff --git a/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb b/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb index d9d9da0fad..372eebd886 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb +++ b/poky/meta/recipes-devtools/qemu/qemu-helper-native_1.0.bb @@ -12,7 +12,7 @@ S = "${WORKDIR}" inherit native do_compile() { - ${CC} tunctl.c -o tunctl + ${CC} ${CFLAGS} ${LDFLAGS} -Wall tunctl.c -o tunctl } do_install() { diff --git a/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c b/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c index 16e24a2add..d745dd06cb 100644 --- a/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c +++ b/poky/meta/recipes-devtools/qemu/qemu-helper/tunctl.c @@ -19,7 +19,7 @@ #define TUNSETGROUP _IOW('T', 206, int) #endif -static void Usage(char *name) +static void Usage(char *name, int status) { fprintf(stderr, "Create: %s [-b] [-u owner] [-g group] [-t device-name] " "[-f tun-clone-device]\n", name); @@ -28,7 +28,7 @@ static void Usage(char *name) fprintf(stderr, "The default tun clone device is /dev/net/tun - some systems" " use\n/dev/misc/net/tun instead\n\n"); fprintf(stderr, "-b will result in brief output (just the device name)\n"); - exit(1); + exit(status); } int main(int argc, char **argv) @@ -41,7 +41,7 @@ int main(int argc, char **argv) int tap_fd, opt, delete = 0, brief = 0; char *tun = "", *file = "/dev/net/tun", *name = argv[0], *end; - while((opt = getopt(argc, argv, "bd:f:t:u:g:")) > 0){ + while((opt = getopt(argc, argv, "bd:f:t:u:g:h")) > 0){ switch(opt) { case 'b': brief = 1; @@ -63,7 +63,7 @@ int main(int argc, char **argv) if(*end != '\0'){ fprintf(stderr, "'%s' is neither a username nor a numeric uid.\n", optarg); - Usage(name); + Usage(name, 1); } break; case 'g': @@ -76,7 +76,7 @@ int main(int argc, char **argv) if(*end != '\0'){ fprintf(stderr, "'%s' is neither a groupname nor a numeric group.\n", optarg); - Usage(name); + Usage(name, 1); } break; 
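Review bot: Now that `-h` is a real option that exits 0, Usage() still sends the help to stderr and its option list does not mention `-h` — the `-b` line is the last fprintf before `exit(status)`, so `tunctl -h` documents every option except the one the user just typed. I would add `fprintf(stderr, "-h prints this help and exits\n");` ahead of `exit(status)`, and since one routine now serves both the error path and the requested-help path, write through `status == 0 ? stdout : stderr` so `tunctl -h | less` behaves. Usage's body starts in the `-19,7` hunk and the fprintf calls between that hunk and `-28,7` are not shown, so confirm an `-h` line is not already there.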
@@ -84,8 +84,10 @@ int main(int argc, char **argv) tun = optarg; break; case 'h': + Usage(name, 0); + break; default: - Usage(name); + Usage(name, 1); } } @@ -93,7 +95,7 @@ int main(int argc, char **argv) argc -= optind; if(argc > 0) - Usage(name); + Usage(name, 1); if((tap_fd = open(file, O_RDWR)) < 0){ fprintf(stderr, "Failed to open '%s' : ", file); diff --git a/poky/meta/recipes-devtools/qemu/qemu.inc b/poky/meta/recipes-devtools/qemu/qemu.inc index 88ae68a1e9..601fc2286b 100644 --- a/poky/meta/recipes-devtools/qemu/qemu.inc +++ b/poky/meta/recipes-devtools/qemu/qemu.inc @@ -28,6 +28,7 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \ file://0009-Fix-webkitgtk-builds.patch \ file://0010-configure-Add-pkg-config-handling-for-libgcrypt.patch \ file://CVE-2019-15890.patch \ + file://CVE-2019-12068.patch \ " UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar" @@ -94,6 +95,7 @@ do_configure_prepend_class-native() { do_configure() { ${S}/configure ${EXTRA_OECONF} } +do_configure[cleandirs] += "${B}" do_install () { export STRIP="" diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch new file mode 100644 index 0000000000..f1655e407f --- /dev/null +++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch 
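Review bot: The `break;` added after `Usage(name, 0);` in the `case 'h':` arm is unreachable, because Usage() ends in `exit(status)` (earlier hunk) and never returns; the same holds for the `default:` arm. It is harmless, but declaring the helper `static _Noreturn void Usage(char *name, int status)` (C11, or `__attribute__((noreturn))` if the file must stay C89) lets the compiler and static analysers see that control never comes back and makes the dead `break` unnecessary. The body of main() continues outside the hunk.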
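Review bot: `do_configure[cleandirs] += "${B}"` removes the whole build directory on every (re)configure without a comment saying why, and it would wipe the unpacked sources if B were ever equal to S; this qemu.inc runs `${S}/configure`, which suggests an out-of-tree build, but the assignment of B is not in this diff. I would put the rationale above the flag, e.g. `# configure does not cope with a stale ${B}; always start from a clean build tree (B must not be S)`, so the next person touching B in a bbappend sees the constraint.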
@@ -0,0 +1,108 @@ +From de594e47659029316bbf9391efb79da0a1a08e08 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini <pbonzini@redhat.com> +Date: Wed, 14 Aug 2019 17:35:21 +0530 +Subject: [PATCH] scsi: lsi: exit infinite loop while executing script + (CVE-2019-12068) + +When executing script in lsi_execute_script(), the LSI scsi adapter +emulator advances 's->dsp' index to read next opcode. This can lead +to an infinite loop if the next opcode is empty. Move the existing +loop exit after 10k iterations so that it covers no-op opcodes as +well. + +Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08] +CVE: CVE-2019-12068 + +Reported-by: Bugs SysSec <bugs-syssec@rub.de> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + hw/scsi/lsi53c895a.c | 41 +++++++++++++++++++++++++++-------------- + 1 file changed, 27 insertions(+), 14 deletions(-) + +diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c +index 222a286..ec53b14 100644 +--- a/hw/scsi/lsi53c895a.c ++++ b/hw/scsi/lsi53c895a.c +@@ -186,6 +186,9 @@ static const char *names[] = { + /* Flag set if this is a tagged command. */ + #define LSI_TAG_VALID (1 << 16) + ++/* Maximum instructions to process. */ ++#define LSI_MAX_INSN 10000 ++ + typedef struct lsi_request { + SCSIRequest *req; + uint32_t tag; +@@ -1133,7 +1136,21 @@ static void lsi_execute_script(LSIState *s) + + s->istat1 |= LSI_ISTAT1_SRUN; + again: +- insn_processed++; ++ if (++insn_processed > LSI_MAX_INSN) { ++ /* Some windows drivers make the device spin waiting for a memory ++ location to change. If we have been executed a lot of code then ++ assume this is the case and force an unexpected device disconnect. ++ This is apparently sufficient to beat the drivers into submission. 
++ */ ++ if (!(s->sien0 & LSI_SIST0_UDC)) { ++ qemu_log_mask(LOG_GUEST_ERROR, ++ "lsi_scsi: inf. loop with UDC masked"); ++ } ++ lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0); ++ lsi_disconnect(s); ++ trace_lsi_execute_script_stop(); ++ return; ++ } + insn = read_dword(s, s->dsp); + if (!insn) { + /* If we receive an empty opcode increment the DSP by 4 bytes +@@ -1570,19 +1587,7 @@ again: + } + } + } +- if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) { +- /* Some windows drivers make the device spin waiting for a memory +- location to change. If we have been executed a lot of code then +- assume this is the case and force an unexpected device disconnect. +- This is apparently sufficient to beat the drivers into submission. +- */ +- if (!(s->sien0 & LSI_SIST0_UDC)) { +- qemu_log_mask(LOG_GUEST_ERROR, +- "lsi_scsi: inf. loop with UDC masked"); +- } +- lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0); +- lsi_disconnect(s); +- } else if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) { ++ if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) { + if (s->dcntl & LSI_DCNTL_SSM) { + lsi_script_dma_interrupt(s, LSI_DSTAT_SSI); + } else { +@@ -1970,6 +1975,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val) + case 0x2f: /* DSP[24:31] */ + s->dsp &= 0x00ffffff; + s->dsp |= val << 24; ++ /* ++ * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one ++ * instruction. Is this correct? ++ */ + if ((s->dmode & LSI_DMODE_MAN) == 0 + && (s->istat1 & LSI_ISTAT1_SRUN) == 0) + lsi_execute_script(s); +@@ -1988,6 +1997,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val) + break; + case 0x3b: /* DCNTL */ + s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD); ++ /* ++ * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one ++ * instruction. Is this correct? ++ */ + if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0) + lsi_execute_script(s); + break; +-- +2.7.4 + |
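Review bot: The `qemu_log_mask(LOG_GUEST_ERROR, "lsi_scsi: inf. loop with UDC masked")` call moved into the new early-exit block still carries no trailing newline, and as far as I can tell qemu_log_mask does not add one, so the message runs into whatever is logged next; the backport is a cheap place to make it `"lsi_scsi: inf. loop with UDC masked\n"`. The new block also calls `trace_lsi_execute_script_stop()`, which none of the removed lines referenced, so confirm the QEMU version this layer ships declares that event in hw/scsi/trace-events before trusting that the patch builds as well as applies. Note that `LSI_MAX_INSN` bounds a single call of lsi_execute_script(): a guest can re-enter it through the DSP and DCNTL writes in the later hunks, so the change stops the unbounded hang rather than repeated 10k-instruction bursts, which is the intended scope of CVE-2019-12068 but worth a sentence in the patch header. lsi_execute_script() and the initialisation of insn_processed start outside the hunk.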