author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-13 14:44:42 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-16 10:20:35 +0100 |
commit | 686b770af67fdd2251f4ddab5b0eefc8fb0870ef (patch) | |
tree | 43ee2544e20bb6ee917a7b26c56e2331b48a54f7 /meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch | |
parent | fa5d0f2c61a704436d71e5f02042fa8b2940f541 (diff) | |
download | openembedded-core-contrib-686b770af67fdd2251f4ddab5b0eefc8fb0870ef.tar.gz |
qemu: Upgrade 5.0.0 -> 5.1.0
* Drop backported CVE fixes
* Drop cpu backtrace patch from 2015 for debugging an issue which we no longer see
(patch throws rejects, files have moved)
* Update mips patch to account for file renames
* Update chardev patch to match upstream code changes
* Update webkitgtk patch, qemumips build works ok but qemux86 musl webkitgtk still
fails. Need to figure out the correct fix and upstream it for this, current
revert patch is not maintainable.
Release notes for 5.1.0 mention slight qemumips performance improvements
which would be valuable to us. My tests show no improvement in qemumips
testimage execution time for core-image-sato-sdk.
Fix a ptest issue for a file looking for /usr/bin/bash when we have
/bin/bash.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch deleted file mode 100644 index af8d4ba8f4..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13362.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From f50ab86a2620bd7e8507af865b164655ee921661 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Thu, 14 May 2020 00:55:38 +0530 -Subject: [PATCH] megasas: use unsigned type for reply_queue_head and check - index - -A guest user may set 'reply_queue_head' field of MegasasState to -a negative value. Later in 'megasas_lookup_frame' it is used to -index into s->frames[] array. Use unsigned type to avoid OOB -access issue. - -Also check that 'index' value stays within s->frames[] bounds -through the while() loop in 'megasas_lookup_frame' to avoid OOB -access. - -Reported-by: Ren Ding <rding@gatech.edu> -Reported-by: Hanqing Zhao <hanqing@gatech.edu> -Reported-by: Alexander Bulekov <alxndr@bu.edu> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Acked-by: Alexander Bulekov <alxndr@bu.edu> -Message-Id: <20200513192540.1583887-2-ppandit@redhat.com> -Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> - -Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661] -CVE: CVE-2020-13362 -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - hw/scsi/megasas.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c -index af18c88b65..6ce598cd69 100644 ---- a/hw/scsi/megasas.c -+++ b/hw/scsi/megasas.c -@@ -112,7 +112,7 @@ typedef struct MegasasState { - uint64_t reply_queue_pa; - void *reply_queue; - int reply_queue_len; -- int reply_queue_head; -+ uint16_t reply_queue_head; - int reply_queue_tail; - uint64_t consumer_pa; - uint64_t producer_pa; -@@ -445,7 +445,7 @@ static MegasasCmd *megasas_lookup_frame(MegasasState *s, - - index = s->reply_queue_head; - -- while (num < s->fw_cmds) { -+ while (num < s->fw_cmds && index < MEGASAS_MAX_FRAMES) { - if (s->frames[index].pa && s->frames[index].pa == frame) { - cmd = &s->frames[index]; - break; --- -2.20.1 - |
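Review bot: Dropping this file is only safe if the 5.1.0 sources already contain the fix named in its header (`Upstream-Status: Backport [f50ab86a2620bd7e8507af865b164655ee921661]`, `CVE: CVE-2020-13362`), and the commit message says only "Drop backported CVE fixes" without listing which CVEs or upstream commits that covers. Please name the dropped CVE patches in the commit message and confirm that each referenced upstream commit is part of the 5.1.0 release, so that CVE tracking does not report CVE-2020-13362 as unpatched or, worse, the fix is silently lost. A quick check on the unpacked 5.1.0 tree is that `reply_queue_head` in `hw/scsi/megasas.c` is declared `uint16_t` and that the loop in `megasas_lookup_frame` carries the `index < MEGASAS_MAX_FRAMES` bound. This view is limited to the one deleted file, so the matching removal of the patch from the recipe's `SRC_URI` is not visible here and should be verified in the same commit.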