author | 2016-02-15 09:27:12 -0600 | |
---|---|---|
committer | 2016-02-15 09:27:24 -0600 | |
commit | d526fe71f108586f62e2efc2ef06a67321d22216 (patch) | |
tree | f65bb68c3d95d67c29e0e00aadd539ff799a11dc /app-emulation/qemu/files | |
parent | sys-apps/net-tools: run install manually for prefix #567300 (diff) | |
app-emulation/qemu: remove vulnerable versions
Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
Diffstat (limited to 'app-emulation/qemu/files')
10 files changed, 0 insertions, 510 deletions
diff --git a/app-emulation/qemu/files/qemu-1.7.0-cflags.patch b/app-emulation/qemu/files/qemu-1.7.0-cflags.patch
deleted file mode 100644
index cd003f6de023..000000000000
--- a/app-emulation/qemu/files/qemu-1.7.0-cflags.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/configure
-+++ b/configure
-@@ -3131,8 +3131,6 @@ fi
- if test "$gcov" = "yes" ; then
- CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
- LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
--elif test "$debug" = "no" ; then
-- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
- fi
-
-
diff --git a/app-emulation/qemu/files/qemu-2.4-mips-fix-mtc0.patch b/app-emulation/qemu/files/qemu-2.4-mips-fix-mtc0.patch
deleted file mode 100644
index 07c2be51869c..000000000000
--- a/app-emulation/qemu/files/qemu-2.4-mips-fix-mtc0.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From d54a299b83a07642c85a22bfe19b69ca4def9ec4 Mon Sep 17 00:00:00 2001 -From: Leon Alrae <leon.alrae@imgtec.com> -Date: Wed, 9 Sep 2015 12:44:25 +0100 -Subject: [PATCH] target-mips: correct MTC0 instruction on MIPS64 - -MTC0 on a 64-bit processor should move entire 64-bit GPR content to CP0 -register. - -Signed-off-by: Leon Alrae <leon.alrae@imgtec.com> -Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> ---- - target-mips/translate.c | 18 +++++++----------- - 1 files changed, 7 insertions(+), 11 deletions(-) - -diff --git a/target-mips/translate.c b/target-mips/translate.c -index 0883782..a59b670 100644 ---- a/target-mips/translate.c -+++ b/target-mips/translate.c -@@ -4765,12 +4765,6 @@ static inline void gen_mtc0_store32 (TCGv arg, target_ulong off) - tcg_temp_free_i32(t0); - } - --static inline void gen_mtc0_store64 (TCGv arg, target_ulong off) --{ -- tcg_gen_ext32s_tl(arg, arg); -- tcg_gen_st_tl(arg, cpu_env, off); --} -- - static void gen_mfhc0(DisasContext *ctx, TCGv arg, int reg, int sel) - { - const char *rn = "invalid"; -@@ -5629,12 +5623,14 @@ static void gen_mtc0(DisasContext *ctx, TCGv arg, int reg, int sel) - break; - case 5: - CP0_CHECK(ctx->insn_flags & ASE_MT); -- gen_mtc0_store64(arg, offsetof(CPUMIPSState, CP0_VPESchedule)); -+ tcg_gen_st_tl(arg, cpu_env, -+ offsetof(CPUMIPSState, CP0_VPESchedule)); - rn = "VPESchedule"; - break; - case 6: - CP0_CHECK(ctx->insn_flags & ASE_MT); -- gen_mtc0_store64(arg, offsetof(CPUMIPSState, CP0_VPEScheFBack)); -+ tcg_gen_st_tl(arg, cpu_env, -+ offsetof(CPUMIPSState, CP0_VPEScheFBack)); - rn = "VPEScheFBack"; - break; - case 7: -@@ -5884,7 +5880,7 @@ static void gen_mtc0(DisasContext *ctx, TCGv arg, int reg, int sel) - case 14: - switch (sel) { - case 0: -- gen_mtc0_store64(arg, offsetof(CPUMIPSState, CP0_EPC)); -+ tcg_gen_st_tl(arg, cpu_env, offsetof(CPUMIPSState, CP0_EPC)); - rn = "EPC"; - break; - default: -@@ -6057,7 +6053,7 @@ static void gen_mtc0(DisasContext *ctx, TCGv arg, int reg, int 
sel) - switch (sel) { - case 0: - /* EJTAG support */ -- gen_mtc0_store64(arg, offsetof(CPUMIPSState, CP0_DEPC)); -+ tcg_gen_st_tl(arg, cpu_env, offsetof(CPUMIPSState, CP0_DEPC)); - rn = "DEPC"; - break; - default: -@@ -6160,7 +6156,7 @@ static void gen_mtc0(DisasContext *ctx, TCGv arg, int reg, int sel) - case 30: - switch (sel) { - case 0: -- gen_mtc0_store64(arg, offsetof(CPUMIPSState, CP0_ErrorEPC)); -+ tcg_gen_st_tl(arg, cpu_env, offsetof(CPUMIPSState, CP0_ErrorEPC)); - rn = "ErrorEPC"; - break; - default: --- -1.7.0.4 - diff --git a/app-emulation/qemu/files/qemu-2.4-mips-fix-rdhwr.patch b/app-emulation/qemu/files/qemu-2.4-mips-fix-rdhwr.patch deleted file mode 100644 index 998ec6646e55..000000000000 --- a/app-emulation/qemu/files/qemu-2.4-mips-fix-rdhwr.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From cdfcad788394ff53e317043e07b8e34f4987c659 Mon Sep 17 00:00:00 2001 -From: Alex Smith <alex.smith@imgtec.com> -Date: Tue, 8 Sep 2015 11:34:11 +0100 -Subject: [PATCH 1/1] target-mips: Fix RDHWR on CP0.Count - -For RDHWR on the CP0.Count register, env->CP0_Count was being returned. -This value is a delta against the QEMU_CLOCK_VIRTUAL clock, not the -correct current value of CP0.Count. Use cpu_mips_get_count() instead. - -Signed-off-by: Alex Smith <alex.smith@imgtec.com> -Cc: Aurelien Jarno <aurelien@aurel32.net> -Cc: Leon Alrae <leon.alrae@imgtec.com> -Reviewed-by: Leon Alrae <leon.alrae@imgtec.com> -Reviewed-by: Aurelien Jarno <aurelien@aurel32.net> -Signed-off-by: Leon Alrae <leon.alrae@imgtec.com> ---- - target-mips/op_helper.c | 9 +++++++-- - 1 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/target-mips/op_helper.c b/target-mips/op_helper.c -index 1aa9e3c..94de108 100644 ---- a/target-mips/op_helper.c -+++ b/target-mips/op_helper.c -@@ -2184,10 +2184,15 @@ target_ulong helper_rdhwr_synci_step(CPUMIPSState *env) - target_ulong helper_rdhwr_cc(CPUMIPSState *env) - { - if ((env->hflags & MIPS_HFLAG_CP0) || -- (env->CP0_HWREna & (1 << 2))) -+ (env->CP0_HWREna & (1 << 2))) { -+#ifdef CONFIG_USER_ONLY - return env->CP0_Count; -- else -+#else -+ return (int32_t)cpu_mips_get_count(env); -+#endif -+ } else { - helper_raise_exception(env, EXCP_RI); -+ } - - return 0; - } --- -1.7.0.4 - diff --git a/app-emulation/qemu/files/qemu-2.4-mips-move-interrupts-new-func.patch b/app-emulation/qemu/files/qemu-2.4-mips-move-interrupts-new-func.patch deleted file mode 100644 index 0ea5df5afcb8..000000000000 --- a/app-emulation/qemu/files/qemu-2.4-mips-move-interrupts-new-func.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -Pending upstream inclusion - -Link: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03573.html -Patchwork: https://patchwork.ozlabs.org/patch/517392/ -X-Gentoo-Bug: 563162 -X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=563162 - -Signed-off-by: Markos Chandras <hwoarang@gentoo.org> - -diff --git a/target-mips/cpu.c b/target-mips/cpu.c -index 4027d0f..144eea9 100644 ---- a/target-mips/cpu.c -+++ b/target-mips/cpu.c -@@ -58,7 +58,9 @@ static bool mips_cpu_has_work(CPUState *cs) - check for interrupts that can be taken. */ - if ((cs->interrupt_request & CPU_INTERRUPT_HARD) && - cpu_mips_hw_interrupts_pending(env)) { -- has_work = true; -+ if (cpu_mips_hw_interrupts_enabled(env)) { -+ has_work = true; -+ } - } - - /* MIPS-MT has the ability to halt the CPU. */ -diff --git a/target-mips/cpu.h b/target-mips/cpu.h -index c91883d..210370e 100644 ---- a/target-mips/cpu.h -+++ b/target-mips/cpu.h -@@ -639,23 +639,24 @@ static inline int cpu_mmu_index (CPUMIPSState *env) - return env->hflags & MIPS_HFLAG_KSU; - } - --static inline int cpu_mips_hw_interrupts_pending(CPUMIPSState *env) -+static inline bool cpu_mips_hw_interrupts_enabled(CPUMIPSState *env) - { -- int32_t pending; -- int32_t status; -- int r; -- -- if (!(env->CP0_Status & (1 << CP0St_IE)) || -- (env->CP0_Status & (1 << CP0St_EXL)) || -- (env->CP0_Status & (1 << CP0St_ERL)) || -+ return (env->CP0_Status & (1 << CP0St_IE)) && -+ !(env->CP0_Status & (1 << CP0St_EXL)) && -+ !(env->CP0_Status & (1 << CP0St_ERL)) && -+ !(env->hflags & MIPS_HFLAG_DM) && - /* Note that the TCStatus IXMT field is initialized to zero, - and only MT capable cores can set it to one. So we don't - need to check for MT capabilities here. 
*/ -- (env->active_tc.CP0_TCStatus & (1 << CP0TCSt_IXMT)) || -- (env->hflags & MIPS_HFLAG_DM)) { -- /* Interrupts are disabled */ -- return 0; -- } -+ !(env->active_tc.CP0_TCStatus & (1 << CP0TCSt_IXMT)); -+} -+ -+/* Check if there is pending and not masked out interrupt */ -+static inline bool cpu_mips_hw_interrupts_pending(CPUMIPSState *env) -+{ -+ int32_t pending; -+ int32_t status; -+ bool r; - - pending = env->CP0_Cause & CP0Ca_IP_mask; - status = env->CP0_Status & CP0Ca_IP_mask; -@@ -669,7 +670,7 @@ static inline int cpu_mips_hw_interrupts_pending(CPUMIPSState *env) - /* A MIPS configured with compatibility or VInt (Vectored Interrupts) - treats the pending lines as individual interrupt lines, the status - lines are individual masks. */ -- r = pending & status; -+ r = (pending & status) != 0; - } - return r; - } -diff --git a/target-mips/helper.c b/target-mips/helper.c -index 01c4461..2d86323 100644 ---- a/target-mips/helper.c -+++ b/target-mips/helper.c -@@ -759,7 +759,8 @@ bool mips_cpu_exec_interrupt(CPUState *cs, int interrupt_request) - MIPSCPU *cpu = MIPS_CPU(cs); - CPUMIPSState *env = &cpu->env; - -- if (cpu_mips_hw_interrupts_pending(env)) { -+ if (cpu_mips_hw_interrupts_enabled(env) && -+ cpu_mips_hw_interrupts_pending(env)) { - /* Raise it */ - cs->exception_index = EXCP_EXT_INTERRUPT; - env->error_code = 0; diff --git a/app-emulation/qemu/files/qemu-2.4-mips-wake-up-on-irq.patch b/app-emulation/qemu/files/qemu-2.4-mips-wake-up-on-irq.patch deleted file mode 100644 index 559a4afdb0d8..000000000000 --- a/app-emulation/qemu/files/qemu-2.4-mips-wake-up-on-irq.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -Pending upstream inclusion - -Link: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03572.html -Patchwork: https://patchwork.ozlabs.org/patch/517391/ -X-Gentoo-Bug: 563162 -X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=563162 - -Signed-off-by: Markos Chandras <hwoarang@gentoo.org> -diff --git a/target-mips/cpu.c b/target-mips/cpu.c -index 144eea9..cbeca04 100644 ---- a/target-mips/cpu.c -+++ b/target-mips/cpu.c -@@ -53,12 +53,13 @@ static bool mips_cpu_has_work(CPUState *cs) - CPUMIPSState *env = &cpu->env; - bool has_work = false; - -- /* It is implementation dependent if non-enabled interrupts -- wake-up the CPU, however most of the implementations only -+ /* Prior to MIPS Release 6 it is implementation dependent if non-enabled -+ interrupts wake-up the CPU, however most of the implementations only - check for interrupts that can be taken. */ - if ((cs->interrupt_request & CPU_INTERRUPT_HARD) && - cpu_mips_hw_interrupts_pending(env)) { -- if (cpu_mips_hw_interrupts_enabled(env)) { -+ if (cpu_mips_hw_interrupts_enabled(env) || -+ (env->insn_flags & ISA_MIPS32R6)) { - has_work = true; - } - } diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7504.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7504.patch deleted file mode 100644 index e86e0c639893..000000000000 --- a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7504.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 837f21aacf5a714c23ddaadbbc5212f9b661e3f7 Mon Sep 17 00:00:00 2001 -From: Prasad J Pandit <pjp@fedoraproject.org> -Date: Fri, 20 Nov 2015 11:50:31 +0530 -Subject: [PATCH] net: pcnet: add check to validate receive data - size(CVE-2015-7504) - -In loopback mode, pcnet_receive routine appends CRC code to the -receive buffer. If the data size given is same as the buffer size, -the appended CRC code overwrites 4 bytes after s->buffer. Added a -check to avoid that. - -Reported by: Qinghao Tang <luodalongde@gmail.com> -Cc: qemu-stable@nongnu.org -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> -Signed-off-by: Jason Wang <jasowang@redhat.com> ---- - hw/net/pcnet.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index 0eb3cc4..309c40b 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1084,7 +1084,7 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) - uint32_t fcs = ~0; - uint8_t *p = src; - -- while (p != &src[size-4]) -+ while (p != &src[size]) - CRC(fcs, *p++); - crc_err = (*(uint32_t *)p != htonl(fcs)); - } -@@ -1233,8 +1233,10 @@ static void pcnet_transmit(PCNetState *s) - bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT); - - /* if multi-tmd packet outsizes s->buffer then skip it silently. -- Note: this is not what real hw does */ -- if (s->xmit_pos + bcnt > sizeof(s->buffer)) { -+ * Note: this is not what real hw does. -+ * Last four bytes of s->buffer are used to store CRC FCS code. -+ */ -+ if (s->xmit_pos + bcnt > sizeof(s->buffer) - 4) { - s->xmit_pos = -1; - goto txdone; - } --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7512.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7512.patch deleted file mode 100644 index 4fee9ef5da9d..000000000000 --- a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7512.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 8b98a2f07175d46c3f7217639bd5e03f2ec56343 Mon Sep 17 00:00:00 2001 -From: Jason Wang <jasowang@redhat.com> -Date: Mon, 30 Nov 2015 15:00:06 +0800 -Subject: [PATCH] pcnet: fix rx buffer overflow(CVE-2015-7512) - -Backends could provide a packet whose length is greater than buffer -size. Check for this and truncate the packet to avoid rx buffer -overflow in this case. - -Cc: Prasad J Pandit <pjp@fedoraproject.org> -Cc: qemu-stable@nongnu.org -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Jason Wang <jasowang@redhat.com> ---- - hw/net/pcnet.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c -index 309c40b..1f4a3db 100644 ---- a/hw/net/pcnet.c -+++ b/hw/net/pcnet.c -@@ -1064,6 +1064,12 @@ ssize_t pcnet_receive(NetClientState *nc, const uint8_t *buf, size_t size_) - int pktcount = 0; - - if (!s->looptest) { -+ if (size > 4092) { -+#ifdef PCNET_DEBUG_RMD -+ fprintf(stderr, "pcnet: truncates rx packet.\n"); -+#endif -+ size = 4092; -+ } - memcpy(src, buf, size); - /* no need to compute the CRC */ - src[size] = 0; --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7549.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7549.patch deleted file mode 100644 index 897fe347c857..000000000000 --- a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-7549.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -https://bugs.gentoo.org/568214 - -From 43b11a91dd861a946b231b89b7542856ade23d1b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com> -Date: Fri, 26 Jun 2015 14:25:29 +0200 -Subject: [PATCH] msix: implement pba write (but read-only) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -qpci_msix_pending() writes on pba region, causing qemu to SEGV: - - Program received signal SIGSEGV, Segmentation fault. - [Switching to Thread 0x7ffff7fba8c0 (LWP 25882)] - 0x0000000000000000 in ?? () - (gdb) bt - #0 0x0000000000000000 in () - #1 0x00005555556556c5 in memory_region_oldmmio_write_accessor (mr=0x5555579f3f80, addr=0, value=0x7fffffffbf68, size=4, shift=0, mask=4294967295, attrs=...) at /home/elmarco/src/qemu/memory.c:434 - #2 0x00005555556558e1 in access_with_adjusted_size (addr=0, value=0x7fffffffbf68, size=4, access_size_min=1, access_size_max=4, access=0x55555565563e <memory_region_oldmmio_write_accessor>, mr=0x5555579f3f80, attrs=...) at /home/elmarco/src/qemu/memory.c:506 - #3 0x00005555556581eb in memory_region_dispatch_write (mr=0x5555579f3f80, addr=0, data=0, size=4, attrs=...) 
at /home/elmarco/src/qemu/memory.c:1176 - #4 0x000055555560b6f9 in address_space_rw (as=0x555555eff4e0 <address_space_memory>, addr=3759147008, attrs=..., buf=0x7fffffffc1b0 "", len=4, is_write=true) at /home/elmarco/src/qemu/exec.c:2439 - #5 0x000055555560baa2 in cpu_physical_memory_rw (addr=3759147008, buf=0x7fffffffc1b0 "", len=4, is_write=1) at /home/elmarco/src/qemu/exec.c:2534 - #6 0x000055555564c005 in cpu_physical_memory_write (addr=3759147008, buf=0x7fffffffc1b0, len=4) at /home/elmarco/src/qemu/include/exec/cpu-common.h:80 - #7 0x000055555564cd9c in qtest_process_command (chr=0x55555642b890, words=0x5555578de4b0) at /home/elmarco/src/qemu/qtest.c:378 - #8 0x000055555564db77 in qtest_process_inbuf (chr=0x55555642b890, inbuf=0x55555641b340) at /home/elmarco/src/qemu/qtest.c:569 - #9 0x000055555564dc07 in qtest_read (opaque=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", size=22) at /home/elmarco/src/qemu/qtest.c:581 - #10 0x000055555574ce3e in qemu_chr_be_write (s=0x55555642b890, buf=0x7fffffffc2e0 "writel 0xe0100800 0x0\n", len=22) at qemu-char.c:306 - #11 0x0000555555751263 in tcp_chr_read (chan=0x55555642bcf0, cond=G_IO_IN, opaque=0x55555642b890) at qemu-char.c:2876 - #12 0x00007ffff64c9a8a in g_main_context_dispatch (context=0x55555641c400) at gmain.c:3122 - -(without this patch, this can be reproduced with the ivshmem qtest) - -Implement an empty mmio write to avoid the crash. 
- -Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> -Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> ---- - hw/pci/msix.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/pci/msix.c b/hw/pci/msix.c -index 2fdada4..64c93d8 100644 ---- a/hw/pci/msix.c -+++ b/hw/pci/msix.c -@@ -200,8 +200,14 @@ static uint64_t msix_pba_mmio_read(void *opaque, hwaddr addr, - return pci_get_long(dev->msix_pba + addr); - } - -+static void msix_pba_mmio_write(void *opaque, hwaddr addr, -+ uint64_t val, unsigned size) -+{ -+} -+ - static const MemoryRegionOps msix_pba_mmio_ops = { - .read = msix_pba_mmio_read, -+ .write = msix_pba_mmio_write, - .endianness = DEVICE_LITTLE_ENDIAN, - .valid = { - .min_access_size = 4, --- -2.6.2 - diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8345.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8345.patch deleted file mode 100644 index f01d9ac3418b..000000000000 --- a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8345.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -https://bugs.gentoo.org/566792 - -From 00837731d254908a841d69298a4f9f077babaf24 Mon Sep 17 00:00:00 2001 -From: Stefan Weil <sw@weilnetz.de> -Date: Fri, 20 Nov 2015 08:42:33 +0100 -Subject: [PATCH] eepro100: Prevent two endless loops - -http://lists.nongnu.org/archive/html/qemu-devel/2015-11/msg04592.html -shows an example how an endless loop in function action_command can -be achieved. - -During my code review, I noticed a 2nd case which can result in an -endless loop. - -Reported-by: Qinghao Tang <luodalongde@gmail.com> -Signed-off-by: Stefan Weil <sw@weilnetz.de> -Signed-off-by: Jason Wang <jasowang@redhat.com> ---- - hw/net/eepro100.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c -index 60333b7..685a478 100644 ---- a/hw/net/eepro100.c -+++ b/hw/net/eepro100.c -@@ -774,6 +774,11 @@ static void tx_command(EEPRO100State *s) - #if 0 - uint16_t tx_buffer_el = lduw_le_pci_dma(&s->dev, tbd_address + 6); - #endif -+ if (tx_buffer_size == 0) { -+ /* Prevent an endless loop. */ -+ logout("loop in %s:%u\n", __FILE__, __LINE__); -+ break; -+ } - tbd_address += 8; - TRACE(RXTX, logout - ("TBD (simplified mode): buffer address 0x%08x, size 0x%04x\n", -@@ -855,6 +860,10 @@ static void set_multicast_list(EEPRO100State *s) - - static void action_command(EEPRO100State *s) - { -+ /* The loop below won't stop if it gets special handcrafted data. -+ Therefore we limit the number of iterations. */ -+ unsigned max_loop_count = 16; -+ - for (;;) { - bool bit_el; - bool bit_s; -@@ -870,6 +879,13 @@ static void action_command(EEPRO100State *s) - #if 0 - bool bit_sf = ((s->tx.command & COMMAND_SF) != 0); - #endif -+ -+ if (max_loop_count-- == 0) { -+ /* Prevent an endless loop. */ -+ logout("loop in %s:%u\n", __FILE__, __LINE__); -+ break; -+ } -+ - s->cu_offset = s->tx.link; - TRACE(OTHER, - logout("val=(cu start), status=0x%04x, command=0x%04x, link=0x%08x\n", --- -2.6.2 - 
diff --git a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8504.patch b/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8504.patch
deleted file mode 100644
index 7b0102a3bc86..000000000000
--- a/app-emulation/qemu/files/qemu-2.4.1-CVE-2015-8504.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-https://bugs.gentoo.org/567828
-
-From 4c65fed8bdf96780735dbdb92a8bd0d6b6526cc3 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp@fedoraproject.org>
-Date: Thu, 3 Dec 2015 18:54:17 +0530
-Subject: [PATCH] ui: vnc: avoid floating point exception
-
-While sending 'SetPixelFormat' messages to a VNC server,
-the client could set the 'red-max', 'green-max' and 'blue-max'
-values to be zero. This leads to a floating point exception in
-write_png_palette while doing frame buffer updates.
-
-Reported-by: Lian Yihan <lianyihan@360.cn>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- ui/vnc.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ui/vnc.c b/ui/vnc.c
-index 7538405..cbe4d33 100644
---- a/ui/vnc.c
-+++ b/ui/vnc.c
-@@ -2198,15 +2198,15 @@ static void set_pixel_format(VncState *vs,
- return;
- }
-
-- vs->client_pf.rmax = red_max;
-+ vs->client_pf.rmax = red_max ? red_max : 0xFF;
- vs->client_pf.rbits = hweight_long(red_max);
- vs->client_pf.rshift = red_shift;
- vs->client_pf.rmask = red_max << red_shift;
-- vs->client_pf.gmax = green_max;
-+ vs->client_pf.gmax = green_max ? green_max : 0xFF;
- vs->client_pf.gbits = hweight_long(green_max);
- vs->client_pf.gshift = green_shift;
- vs->client_pf.gmask = green_max << green_shift;
-- vs->client_pf.bmax = blue_max;
-+ vs->client_pf.bmax = blue_max ? blue_max : 0xFF;
- vs->client_pf.bbits = hweight_long(blue_max);
- vs->client_pf.bshift = blue_shift;
- vs->client_pf.bmask = blue_max << blue_shift;
----
-2.6.2
- |