diff options
author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-13 14:44:42 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-08-16 10:20:35 +0100 |
commit | 686b770af67fdd2251f4ddab5b0eefc8fb0870ef (patch) | |
tree | 43ee2544e20bb6ee917a7b26c56e2331b48a54f7 /meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch | |
parent | fa5d0f2c61a704436d71e5f02042fa8b2940f541 (diff) | |
download | openembedded-core-contrib-686b770af67fdd2251f4ddab5b0eefc8fb0870ef.tar.gz |
qemu: Upgrade 5.0.0 -> 5.1.0
* Drop backported CVE fixes
* Drop cpu backtrace patch from 2015 for debugging an issue which we no longer see
(patch throws rejects, files have moved)
* Update mips patch to account for file renames
* Update chardev patch to match upstream code changes
* Update webkitgtk patch, qemumips build works ok but qemux86 musl webkitgtk still
fails. Need to figure out the correct fix and upstream it for this, current
revert patch is not maintainable.
Release notes for 5.1.0 mention slight qemumips performance improvements
which would be valuable to us. My tests show no improvement in qemumips
testimage execution time for core-image-sato-sdk.
Fix a ptest issue for a file looking for /usr/bin/bash when we have
/bin/bash.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch b/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch deleted file mode 100644 index 52bfafbbae..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2020-13800.patch +++ /dev/null @@ -1,63 +0,0 @@ -From a98610c429d52db0937c1e48659428929835c455 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Thu, 4 Jun 2020 14:38:30 +0530 -Subject: [PATCH] ati-vga: check mm_index before recursive call - (CVE-2020-13800) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While accessing VGA registers via ati_mm_read/write routines, -a guest may set 's->regs.mm_index' such that it leads to infinite -recursion. Check mm_index value to avoid such recursion. Log an -error message for wrong values. - -Reported-by: Ren Ding <rding@gatech.edu> -Reported-by: Hanqing Zhao <hanqing@gatech.edu> -Reported-by: Yi Ren <c4tren@gmail.com> -Message-id: 20200604090830.33885-1-ppandit@redhat.com -Suggested-by: BALATON Zoltan <balaton@eik.bme.hu> -Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> - -Upstream-Status: Backport [a98610c429d52db0937c1e48659428929835c455] -CVE: CVE-2020-13800 -Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> ---- - hw/display/ati.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/hw/display/ati.c b/hw/display/ati.c -index 065f197678..67604e68de 100644 ---- a/hw/display/ati.c -+++ b/hw/display/ati.c -@@ -285,8 +285,11 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, unsigned int size) - if (idx <= s->vga.vram_size - size) { - val = ldn_le_p(s->vga.vram_ptr + idx, size); - } -- } else { -+ } else if (s->regs.mm_index > MM_DATA + 3) { - val = ati_mm_read(s, s->regs.mm_index + addr - MM_DATA, size); -+ } else { -+ qemu_log_mask(LOG_GUEST_ERROR, -+ "ati_mm_read: mm_index too small: %u\n", s->regs.mm_index); - } - break; - case BIOS_0_SCRATCH ... BUS_CNTL - 1: -@@ -520,8 +523,11 @@ static void ati_mm_write(void *opaque, hwaddr addr, - if (idx <= s->vga.vram_size - size) { - stn_le_p(s->vga.vram_ptr + idx, size, data); - } -- } else { -+ } else if (s->regs.mm_index > MM_DATA + 3) { - ati_mm_write(s, s->regs.mm_index + addr - MM_DATA, data, size); -+ } else { -+ qemu_log_mask(LOG_GUEST_ERROR, -+ "ati_mm_write: mm_index too small: %u\n", s->regs.mm_index); - } - break; - case BIOS_0_SCRATCH ... BUS_CNTL - 1: --- -2.20.1 - |