diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch | 183 |
1 files changed, 0 insertions, 183 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch b/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch deleted file mode 100644 index d5395e6152..0000000000 --- a/meta/recipes-devtools/qemu/qemu/CVE-2016-2858.patch +++ /dev/null @@ -1,183 +0,0 @@ -From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001 -From: Ladi Prosek <lprosek@redhat.com> -Date: Thu, 3 Mar 2016 09:37:18 +0100 -Subject: [PATCH] rng: add request queue support to rng-random - -Requests are now created in the RngBackend parent class and the -code path is shared by both rng-egd and rng-random. - -This commit fixes the rng-random implementation which processed -only one request at a time and simply discarded all but the most -recent one. In the guest this manifested as delayed completion -of reads from virtio-rng, i.e. a read was completed only after -another read was issued. - -By switching rng-random to use the same request queue as rng-egd, -the unsafe stack-based allocation of the entropy buffer is -eliminated and replaced with g_malloc. - -Signed-off-by: Ladi Prosek <lprosek@redhat.com> -Reviewed-by: Amit Shah <amit.shah@redhat.com> -Message-Id: <1456994238-9585-5-git-send-email-lprosek@redhat.com> -Signed-off-by: Amit Shah <amit.shah@redhat.com> - -Upstream-Status: Backport -CVE: CVE-2016-2858 - -http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - backends/rng-egd.c | 16 ++-------------- - backends/rng-random.c | 43 +++++++++++++++++++------------------------ - backends/rng.c | 13 ++++++++++++- - include/sysemu/rng.h | 3 +-- - 4 files changed, 34 insertions(+), 41 deletions(-) - -Index: qemu-2.5.0/backends/rng-egd.c -=================================================================== ---- qemu-2.5.0.orig/backends/rng-egd.c -+++ qemu-2.5.0/backends/rng-egd.c -@@ -26,20 +26,10 @@ typedef struct RngEgd - char *chr_name; - } RngEgd; - --static void rng_egd_request_entropy(RngBackend *b, size_t size, -- EntropyReceiveFunc *receive_entropy, -- void *opaque) -+static void rng_egd_request_entropy(RngBackend *b, RngRequest *req) - { - RngEgd *s = RNG_EGD(b); -- RngRequest *req; -- -- req = g_malloc(sizeof(*req)); -- -- req->offset = 0; -- req->size = size; -- req->receive_entropy = receive_entropy; -- req->opaque = opaque; -- req->data = g_malloc(req->size); -+ size_t size = req->size; - - while (size > 0) { - uint8_t header[2]; -@@ -53,8 +43,6 @@ static void rng_egd_request_entropy(RngB - - size -= len; - } -- -- s->parent.requests = g_slist_append(s->parent.requests, req); - } - - static int rng_egd_chr_can_read(void *opaque) -Index: qemu-2.5.0/backends/rng-random.c -=================================================================== ---- qemu-2.5.0.orig/backends/rng-random.c -+++ qemu-2.5.0/backends/rng-random.c -@@ -21,10 +21,6 @@ struct RndRandom - - int fd; - char *filename; -- -- EntropyReceiveFunc *receive_func; -- void *opaque; -- size_t size; - }; - - /** -@@ -37,36 +33,35 @@ struct RndRandom - static void entropy_available(void *opaque) - { - RndRandom *s = RNG_RANDOM(opaque); -- uint8_t buffer[s->size]; -- ssize_t len; - -- len = read(s->fd, buffer, s->size); -- if (len < 0 && errno == EAGAIN) { -- return; -- } -- g_assert(len != -1); -+ while (s->parent.requests != NULL) { -+ RngRequest *req = s->parent.requests->data; -+ ssize_t len; -+ -+ len = read(s->fd, req->data, req->size); -+ if (len < 0 && errno == EAGAIN) { -+ return; -+ } -+ g_assert(len != -1); -+ -+ req->receive_entropy(req->opaque, req->data, len); - -- s->receive_func(s->opaque, buffer, len); -- s->receive_func = NULL; -+ rng_backend_finalize_request(&s->parent, req); -+ } - -+ /* We've drained all requests, the fd handler can be reset. */ - qemu_set_fd_handler(s->fd, NULL, NULL, NULL); - } - --static void rng_random_request_entropy(RngBackend *b, size_t size, -- EntropyReceiveFunc *receive_entropy, -- void *opaque) -+static void rng_random_request_entropy(RngBackend *b, RngRequest *req) - { - RndRandom *s = RNG_RANDOM(b); - -- if (s->receive_func) { -- s->receive_func(s->opaque, NULL, 0); -+ if (s->parent.requests == NULL) { -+ /* If there are no pending requests yet, we need to -+ * install our fd handler. */ -+ qemu_set_fd_handler(s->fd, entropy_available, NULL, s); - } -- -- s->receive_func = receive_entropy; -- s->opaque = opaque; -- s->size = size; -- -- qemu_set_fd_handler(s->fd, entropy_available, NULL, s); - } - - static void rng_random_opened(RngBackend *b, Error **errp) -Index: qemu-2.5.0/backends/rng.c -=================================================================== ---- qemu-2.5.0.orig/backends/rng.c -+++ qemu-2.5.0/backends/rng.c -@@ -19,9 +19,20 @@ void rng_backend_request_entropy(RngBack - void *opaque) - { - RngBackendClass *k = RNG_BACKEND_GET_CLASS(s); -+ RngRequest *req; - - if (k->request_entropy) { -- k->request_entropy(s, size, receive_entropy, opaque); -+ req = g_malloc(sizeof(*req)); -+ -+ req->offset = 0; -+ req->size = size; -+ req->receive_entropy = receive_entropy; -+ req->opaque = opaque; -+ req->data = g_malloc(req->size); -+ -+ k->request_entropy(s, req); -+ -+ s->requests = g_slist_append(s->requests, req); - } - } - -Index: qemu-2.5.0/include/sysemu/rng.h -=================================================================== ---- qemu-2.5.0.orig/include/sysemu/rng.h -+++ qemu-2.5.0/include/sysemu/rng.h -@@ -46,8 +46,7 @@ struct RngBackendClass - { - ObjectClass parent_class; - -- void (*request_entropy)(RngBackend *s, size_t size, -- EntropyReceiveFunc *receive_entropy, void *opaque); -+ void (*request_entropy)(RngBackend *s, RngRequest *req); - - void (*opened)(RngBackend *s, Error **errp); - }; |