commit: 346b8a658c0fb521e9a783699a678756765d8845
Author: Mike Frysinger <vapier <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 23 05:22:02 2016 +0000
Commit: Mike Frysinger <vapier <AT> gentoo <DOT> org>
CommitDate: Wed Mar 23 05:22:02 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=346b8a65
app-emulation/qemu: backport various upstream fixes
.../qemu/files/qemu-2.5.0-CVE-2015-8613.patch | 35 ++
.../qemu/files/qemu-2.5.0-CVE-2015-8619.patch | 121 ++++
.../qemu/files/qemu-2.5.0-CVE-2016-1714.patch | 58 ++
.../qemu/files/qemu-2.5.0-CVE-2016-1922.patch | 65 ++
.../qemu/files/qemu-2.5.0-CVE-2016-1981.patch | 98 +++
.../qemu/files/qemu-2.5.0-CVE-2016-2197.patch | 43 ++
.../qemu/files/qemu-2.5.0-CVE-2016-2198.patch | 46 ++
.../qemu/files/qemu-2.5.0-CVE-2016-2392.patch | 35 ++
.../files/qemu-2.5.0-rng-stack-corrupt-0.patch | 98 +++
.../files/qemu-2.5.0-rng-stack-corrupt-1.patch | 135 +++++
.../files/qemu-2.5.0-rng-stack-corrupt-2.patch | 155 +++++
.../files/qemu-2.5.0-rng-stack-corrupt-3.patch | 179 ++++++
.../qemu/files/qemu-2.5.0-sysmacros.patch | 15 +
.../qemu/files/qemu-2.5.0-usb-ehci-oob.patch | 52 ++
.../files/qemu-2.5.0-usb-ndis-int-overflow.patch | 59 ++
app-emulation/qemu/qemu-2.5.0-r2.ebuild | 669 +++++++++++++++++++++
16 files changed, 1863 insertions(+)
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
new file mode 100644
index 0000000..61a52ee
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8613.patch
@@ -0,0 +1,35 @@
+From 36fef36b91f7ec0435215860f1458b5342ce2811 Mon Sep 17 00:00:00 2001
+From: P J P <ppan...@redhat.com>
+Date: Mon, 21 Dec 2015 15:13:13 +0530
+Subject: [PATCH] scsi: initialise info object with appropriate size
+
+While processing controller 'CTRL_GET_INFO' command, the routine
+'megasas_ctrl_get_info' overflows the '&info' object size. Use its
+appropriate size to null initialise it.
+
+Reported-by: Qinghao Tang <luodalon...@gmail.com>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512211501420.22471@wniryva>
+Cc: qemu-sta...@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
+Signed-off-by: P J P <ppan...@redhat.com>
+---
+ hw/scsi/megasas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
+index d7dc667..576f56c 100644
+--- a/hw/scsi/megasas.c
++++ b/hw/scsi/megasas.c
+@@ -718,7 +718,7 @@ static int megasas_ctrl_get_info(MegasasState *s,
MegasasCmd *cmd)
+ BusChild *kid;
+ int num_pd_disks = 0;
+
+- memset(&info, 0x0, cmd->iov_size);
++ memset(&info, 0x0, dcmd_size);
+ if (cmd->iov_size < dcmd_size) {
+ trace_megasas_dcmd_invalid_xfer_len(cmd->index, cmd->iov_size,
+ dcmd_size);
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
new file mode 100644
index 0000000..be67336
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8619.patch
@@ -0,0 +1,121 @@
+From 64ffbe04eaafebf4045a3ace52a360c14959d196 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumil...@proxmox.com>
+Date: Wed, 13 Jan 2016 09:09:58 +0100
+Subject: [PATCH] hmp: fix sendkey out of bounds write (CVE-2015-8619)
+
+When processing 'sendkey' command, hmp_sendkey routine null
+terminates the 'keyname_buf' array. This results in an OOB
+write issue, if 'keyname_len' was to fall outside of
+'keyname_buf' array.
+
+Since the keyname's length is known the keyname_buf can be
+removed altogether by adding a length parameter to
+index_from_key() and using it for the error output as well.
+
+Reported-by: Ling Liu <liuling...@360.cn>
+Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
+Message-Id: <20160113080958.GA18934@olga>
+[Comparison with "<" dumbed down, test for junk after strtoul()
+tweaked]
+Signed-off-by: Markus Armbruster <arm...@redhat.com>
+---
+ hmp.c | 18 ++++++++----------
+ include/ui/console.h | 2 +-
+ ui/input-legacy.c | 5 +++--
+ 3 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/hmp.c b/hmp.c
+index 54f2620..9c571f5 100644
+--- a/hmp.c
++++ b/hmp.c
+@@ -1731,21 +1731,18 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+ int has_hold_time = qdict_haskey(qdict, "hold-time");
+ int hold_time = qdict_get_try_int(qdict, "hold-time", -1);
+ Error *err = NULL;
+- char keyname_buf[16];
+ char *separator;
+ int keyname_len;
+
+ while (1) {
+ separator = strchr(keys, '-');
+ keyname_len = separator ? separator - keys : strlen(keys);
+- pstrcpy(keyname_buf, sizeof(keyname_buf), keys);
+
+ /* Be compatible with old interface, convert user inputted "<" */
+- if (!strncmp(keyname_buf, "<", 1) && keyname_len == 1) {
+- pstrcpy(keyname_buf, sizeof(keyname_buf), "less");
++ if (keys[0] == '<' && keyname_len == 1) {
++ keys = "less";
+ keyname_len = 4;
+ }
+- keyname_buf[keyname_len] = 0;
+
+ keylist = g_malloc0(sizeof(*keylist));
+ keylist->value = g_malloc0(sizeof(*keylist->value));
+@@ -1758,16 +1755,17 @@ void hmp_sendkey(Monitor *mon, const QDict *qdict)
+ }
+ tmp = keylist;
+
+- if (strstart(keyname_buf, "0x", NULL)) {
++ if (strstart(keys, "0x", NULL)) {
+ char *endp;
+- int value = strtoul(keyname_buf, &endp, 0);
+- if (*endp != '\0') {
++ int value = strtoul(keys, &endp, 0);
++ assert(endp <= keys + keyname_len);
++ if (endp != keys + keyname_len) {
+ goto err_out;
+ }
+ keylist->value->type = KEY_VALUE_KIND_NUMBER;
+ keylist->value->u.number = value;
+ } else {
+- int idx = index_from_key(keyname_buf);
++ int idx = index_from_key(keys, keyname_len);
+ if (idx == Q_KEY_CODE_MAX) {
+ goto err_out;
+ }
+@@ -1789,7 +1787,7 @@ out:
+ return;
+
+ err_out:
+- monitor_printf(mon, "invalid parameter: %s\n", keyname_buf);
++ monitor_printf(mon, "invalid parameter: %.*s\n", keyname_len, keys);
+ goto out;
+ }
+
+diff --git a/include/ui/console.h b/include/ui/console.h
+index adac36d..116bc2b 100644
+--- a/include/ui/console.h
++++ b/include/ui/console.h
+@@ -448,7 +448,7 @@ static inline int vnc_display_pw_expire(const char *id,
time_t expires)
+ void curses_display_init(DisplayState *ds, int full_screen);
+
+ /* input.c */
+-int index_from_key(const char *key);
++int index_from_key(const char *key, size_t key_length);
+
+ /* gtk.c */
+ void early_gtk_display_init(int opengl);
+diff --git a/ui/input-legacy.c b/ui/input-legacy.c
+index 35dfc27..3454055 100644
+--- a/ui/input-legacy.c
++++ b/ui/input-legacy.c
+@@ -57,12 +57,13 @@ struct QEMUPutLEDEntry {
+ static QTAILQ_HEAD(, QEMUPutLEDEntry) led_handlers =
+ QTAILQ_HEAD_INITIALIZER(led_handlers);
+
+-int index_from_key(const char *key)
++int index_from_key(const char *key, size_t key_length)
+ {
+ int i;
+
+ for (i = 0; QKeyCode_lookup[i] != NULL; i++) {
+- if (!strcmp(key, QKeyCode_lookup[i])) {
++ if (!strncmp(key, QKeyCode_lookup[i], key_length) &&
++ !QKeyCode_lookup[i][key_length]) {
+ break;
+ }
+ }
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
new file mode 100644
index 0000000..917fa2f
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1714.patch
@@ -0,0 +1,58 @@
+From 66f8fd9dda312191b78d2a2ba2848bcee76127a2 Mon Sep 17 00:00:00 2001
+From: "Gabriel L. Somlo" <so...@cmu.edu>
+Date: Thu, 5 Nov 2015 09:32:50 -0500
+Subject: [PATCH] fw_cfg: avoid calculating invalid current entry pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When calculating a pointer to the currently selected fw_cfg item, the
+following is used:
+
+ FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+When s->cur_entry is FW_CFG_INVALID, we are calculating the address of
+a non-existent element in s->entries[arch][...], which is undefined.
+
+This patch ensures the resulting entry pointer is set to NULL whenever
+s->cur_entry is FW_CFG_INVALID.
+
+Reported-by: Laszlo Ersek <ler...@redhat.com>
+Reviewed-by: Laszlo Ersek <ler...@redhat.com>
+Signed-off-by: Gabriel Somlo <so...@cmu.edu>
+Message-id: 1446733972-1602-5-git-send-email-so...@cmu.edu
+Cc: Marc MarĂ <mar...@redhat.com>
+Signed-off-by: Gabriel Somlo <so...@cmu.edu>
+Reviewed-by: Laszlo Ersek <ler...@redhat.com>
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+---
+ hw/nvram/fw_cfg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/nvram/fw_cfg.c b/hw/nvram/fw_cfg.c
+index c2d3a0a..046fa74 100644
+--- a/hw/nvram/fw_cfg.c
++++ b/hw/nvram/fw_cfg.c
+@@ -277,7 +277,8 @@ static int fw_cfg_select(FWCfgState *s, uint16_t key)
+ static uint8_t fw_cfg_read(FWCfgState *s)
+ {
+ int arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- FWCfgEntry *e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ FWCfgEntry *e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+ uint8_t ret;
+
+ if (s->cur_entry == FW_CFG_INVALID || !e->data || s->cur_offset >= e->len)
+@@ -342,7 +343,8 @@ static void fw_cfg_dma_transfer(FWCfgState *s)
+ }
+
+ arch = !!(s->cur_entry & FW_CFG_ARCH_LOCAL);
+- e = &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
++ e = (s->cur_entry == FW_CFG_INVALID) ? NULL :
++ &s->entries[arch][s->cur_entry & FW_CFG_ENTRY_MASK];
+
+ if (dma.control & FW_CFG_DMA_CTL_READ) {
+ read = 1;
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
new file mode 100644
index 0000000..23c2341
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1922.patch
@@ -0,0 +1,65 @@
+From 4c1396cb576c9b14425558b73de1584c7a9735d7 Mon Sep 17 00:00:00 2001
+From: P J P <ppan...@redhat.com>
+Date: Fri, 18 Dec 2015 11:35:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+ Hello,
+
+A null pointer dereference issue was reported by Mr Ling Liu, CC'd here. It
+occurs while doing I/O port write operations via hmp interface. In that,
+'current_cpu' remains null as it is not called from cpu_exec loop, which
+results in the said issue.
+
+Below is a proposed (tested)patch to fix this issue; Does it look okay?
+
+===
+From ae88a4947fab9a148cd794f8ad2d812e7f5a1d0f Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Fri, 18 Dec 2015 11:16:07 +0530
+Subject: [PATCH] i386: avoid null pointer dereference
+
+When I/O port write operation is called from hmp interface,
+'current_cpu' remains null, as it is not called from cpu_exec()
+loop. This leads to a null pointer dereference in vapic_write
+routine. Add check to avoid it.
+
+Reported-by: Ling Liu <liuling...@360.cn>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-Id: <alpine.LFD.2.20.1512181129320.9805@wniryva>
+Signed-off-by: Paolo Bonzini <pbonz...@redhat.com>
+Signed-off-by: P J P <ppan...@redhat.com>
+---
+ hw/i386/kvmvapic.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
+index c6d34b2..f0922da 100644
+--- a/hw/i386/kvmvapic.c
++++ b/hw/i386/kvmvapic.c
+@@ -634,13 +634,18 @@ static int vapic_prepare(VAPICROMState *s)
+ static void vapic_write(void *opaque, hwaddr addr, uint64_t data,
+ unsigned int size)
+ {
+- CPUState *cs = current_cpu;
+- X86CPU *cpu = X86_CPU(cs);
+- CPUX86State *env = &cpu->env;
+- hwaddr rom_paddr;
+ VAPICROMState *s = opaque;
++ X86CPU *cpu;
++ CPUX86State *env;
++ hwaddr rom_paddr;
+
+- cpu_synchronize_state(cs);
++ if (!current_cpu) {
++ return;
++ }
++
++ cpu_synchronize_state(current_cpu);
++ cpu = X86_CPU(current_cpu);
++ env = &cpu->env;
+
+ /*
+ * The VAPIC supports two PIO-based hypercalls, both via port 0x7E.
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
new file mode 100644
index 0000000..2922193
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1981.patch
@@ -0,0 +1,98 @@
+From dd793a74882477ca38d49e191110c17dfee51dcc Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <ler...@redhat.com>
+Date: Tue, 19 Jan 2016 14:17:20 +0100
+Subject: [PATCH] e1000: eliminate infinite loops on out-of-bounds transfer
+ start
+
+The start_xmit() and e1000_receive_iov() functions implement DMA transfers
+iterating over a set of descriptors that the guest's e1000 driver
+prepares:
+
+- the TDLEN and RDLEN registers store the total size of the descriptor
+ area,
+
+- while the TDH and RDH registers store the offset (in whole tx / rx
+ descriptors) into the area where the transfer is supposed to start.
+
+Each time a descriptor is processed, the TDH and RDH register is bumped
+(as appropriate for the transfer direction).
+
+QEMU already contains logic to deal with bogus transfers submitted by the
+guest:
+
+- Normally, the transmit case wants to increase TDH from its initial value
+ to TDT. (TDT is allowed to be numerically smaller than the initial TDH
+ value; wrapping at or above TDLEN bytes to zero is normal.) The failsafe
+ that QEMU currently has here is a check against reaching the original
+ TDH value again -- a complete wraparound, which should never happen.
+
+- In the receive case RDH is increased from its initial value until
+ "total_size" bytes have been received; preferably in a single step, or
+ in "s->rxbuf_size" byte steps, if the latter is smaller. However, null
+ RX descriptors are skipped without receiving data, while RDH is
+ incremented just the same. QEMU tries to prevent an infinite loop
+ (processing only null RX descriptors) by detecting whether RDH assumes
+ its original value during the loop. (Again, wrapping from RDLEN to 0 is
+ normal.)
+
+What both directions miss is that the guest could program TDLEN and RDLEN
+so low, and the initial TDH and RDH so high, that these registers will
+immediately be truncated to zero, and then never reassume their initial
+values in the loop -- a full wraparound will never occur.
+
+The condition that expresses this is:
+
+ xdh_start >= s->mac_reg[XDLEN] / sizeof(desc)
+
+i.e., TDH or RDH start out after the last whole rx or tx descriptor that
+fits into the TDLEN or RDLEN sized area.
+
+This condition could be checked before we enter the loops, but
+pci_dma_read() / pci_dma_write() knows how to fill in buffers safely for
+bogus DMA addresses, so we just extend the existing failsafes with the
+above condition.
+
+This is CVE-2016-1981.
+
+Cc: "Michael S. Tsirkin" <m...@redhat.com>
+Cc: Petr Matousek <pmato...@redhat.com>
+Cc: Stefano Stabellini <stefano.stabell...@eu.citrix.com>
+Cc: Prasad Pandit <ppan...@redhat.com>
+Cc: Michael Roth <mdr...@linux.vnet.ibm.com>
+Cc: Jason Wang <jasow...@redhat.com>
+Cc: qemu-sta...@nongnu.org
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1296044
+Signed-off-by: Laszlo Ersek <ler...@redhat.com>
+Reviewed-by: Jason Wang <jasow...@redhat.com>
+Signed-off-by: Jason Wang <jasow...@redhat.com>
+---
+ hw/net/e1000.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/hw/net/e1000.c b/hw/net/e1000.c
+index 4eda7a3..0387fa0 100644
+--- a/hw/net/e1000.c
++++ b/hw/net/e1000.c
+@@ -909,7 +909,8 @@ start_xmit(E1000State *s)
+ * bogus values to TDT/TDLEN.
+ * there's nothing too intelligent we could do about this.
+ */
+- if (s->mac_reg[TDH] == tdh_start) {
++ if (s->mac_reg[TDH] == tdh_start ||
++ tdh_start >= s->mac_reg[TDLEN] / sizeof(desc)) {
+ DBGOUT(TXERR, "TDH wraparound @%x, TDT %x, TDLEN %x\n",
+ tdh_start, s->mac_reg[TDT], s->mac_reg[TDLEN]);
+ break;
+@@ -1166,7 +1167,8 @@ e1000_receive_iov(NetClientState *nc, const struct iovec
*iov, int iovcnt)
+ if (++s->mac_reg[RDH] * sizeof(desc) >= s->mac_reg[RDLEN])
+ s->mac_reg[RDH] = 0;
+ /* see comment in start_xmit; same here */
+- if (s->mac_reg[RDH] == rdh_start) {
++ if (s->mac_reg[RDH] == rdh_start ||
++ rdh_start >= s->mac_reg[RDLEN] / sizeof(desc)) {
+ DBGOUT(RXERR, "RDH wraparound @%x, RDT %x, RDLEN %x\n",
+ rdh_start, s->mac_reg[RDT], s->mac_reg[RDLEN]);
+ set_ics(s, 0, E1000_ICS_RXO);
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
new file mode 100644
index 0000000..0ab7b02
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2197.patch
@@ -0,0 +1,43 @@
+From 99b4cb71069f109b79b27bc629fc0cf0886dbc4b Mon Sep 17 00:00:00 2001
+From: John Snow <js...@redhat.com>
+Date: Wed, 10 Feb 2016 13:29:40 -0500
+Subject: [PATCH] ahci: Do not unmap NULL addresses
+
+Definitely don't try to unmap a garbage address.
+
+Reported-by: Zuozhi fzz <zuozhi....@alibaba-inc.com>
+Signed-off-by: John Snow <js...@redhat.com>
+Message-id: 1454103689-13042-2-git-send-email-js...@redhat.com
+---
+ hw/ide/ahci.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index 7e87b18..3a95dad 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -662,6 +662,10 @@ static bool ahci_map_fis_address(AHCIDevice *ad)
+
+ static void ahci_unmap_fis_address(AHCIDevice *ad)
+ {
++ if (ad->res_fis == NULL) {
++ DPRINTF(ad->port_no, "Attempt to unmap NULL FIS address\n");
++ return;
++ }
+ dma_memory_unmap(ad->hba->as, ad->res_fis, 256,
+ DMA_DIRECTION_FROM_DEVICE, 256);
+ ad->res_fis = NULL;
+@@ -678,6 +682,10 @@ static bool ahci_map_clb_address(AHCIDevice *ad)
+
+ static void ahci_unmap_clb_address(AHCIDevice *ad)
+ {
++ if (ad->lst == NULL) {
++ DPRINTF(ad->port_no, "Attempt to unmap NULL CLB address\n");
++ return;
++ }
+ dma_memory_unmap(ad->hba->as, ad->lst, 1024,
+ DMA_DIRECTION_FROM_DEVICE, 1024);
+ ad->lst = NULL;
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
new file mode 100644
index 0000000..d179c33
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2198.patch
@@ -0,0 +1,46 @@
+From dff0367cf66f489aa772320fa2937a8cac1ca30d Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Fri, 29 Jan 2016 18:30:34 +0530
+Subject: [PATCH] usb: ehci: add capability mmio write function
+
+USB Ehci emulation supports host controller capability registers.
+But its mmio '.write' function was missing, which lead to a null
+pointer dereference issue. Add a do nothing 'ehci_caps_write'
+definition to avoid it; Do nothing because capability registers
+are Read Only(RO).
+
+Reported-by: Zuozhi Fzz <zuozhi....@alibaba-inc.com>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-id: 1454072434-16045-1-git-send-email-ppan...@redhat.com
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+---
+ hw/usb/hcd-ehci.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 1b50601..0f95d0d 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -895,6 +895,11 @@ static uint64_t ehci_caps_read(void *ptr, hwaddr addr,
+ return s->caps[addr];
+ }
+
++static void ehci_caps_write(void *ptr, hwaddr addr,
++ uint64_t val, unsigned size)
++{
++}
++
+ static uint64_t ehci_opreg_read(void *ptr, hwaddr addr,
+ unsigned size)
+ {
+@@ -2315,6 +2320,7 @@ static void ehci_frame_timer(void *opaque)
+
+ static const MemoryRegionOps ehci_mmio_caps_ops = {
+ .read = ehci_caps_read,
++ .write = ehci_caps_write,
+ .valid.min_access_size = 1,
+ .valid.max_access_size = 4,
+ .impl.min_access_size = 1,
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
new file mode 100644
index 0000000..e7aa5ca
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-2392.patch
@@ -0,0 +1,35 @@
+From 80eecda8e5d09c442c24307f340840a5b70ea3b9 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Thu, 11 Feb 2016 16:31:20 +0530
+Subject: [PATCH] usb: check USB configuration descriptor object
+
+When processing remote NDIS control message packets, the USB Net
+device emulator checks to see if the USB configuration descriptor
+object is of RNDIS type(2). But it does not check if it is null,
+which leads to a null dereference error. Add check to avoid it.
+
+Reported-by: Qinghao Tang <luodalon...@gmail.com>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-id: 1455188480-14688-1-git-send-email-ppan...@redhat.com
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+---
+ hw/usb/dev-network.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
+index 985a629..5dc4538 100644
+--- a/hw/usb/dev-network.c
++++ b/hw/usb/dev-network.c
+@@ -654,7 +654,8 @@ typedef struct USBNetState {
+
+ static int is_rndis(USBNetState *s)
+ {
+- return s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE;
++ return s->dev.config ?
++ s->dev.config->bConfigurationValue == DEV_RNDIS_CONFIG_VALUE : 0;
+ }
+
+ static int ndis_query(USBNetState *s, uint32_t oid,
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
new file mode 100644
index 0000000..684f6ad
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-0.patch
@@ -0,0 +1,98 @@
+From 3c52ddcdc548e7fbe65112d8a7bdc9cd105b4750 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lpro...@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:15 +0100
+Subject: [PATCH] rng: remove the unused request cancellation code
+
+rng_backend_cancel_requests had no callers and none of the code
+deleted in this commit ever ran.
+
+Signed-off-by: Ladi Prosek <lpro...@redhat.com>
+Reviewed-by: Amit Shah <amit.s...@redhat.com>
+Message-Id: <1456994238-9585-2-git-send-email-lpro...@redhat.com>
+Signed-off-by: Amit Shah <amit.s...@redhat.com>
+---
+ backends/rng-egd.c | 12 ------------
+ backends/rng.c | 9 ---------
+ include/sysemu/rng.h | 11 -----------
+ 3 files changed, 32 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 2de5cd5..0b2976a 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -125,17 +125,6 @@ static void rng_egd_free_requests(RngEgd *s)
+ s->requests = NULL;
+ }
+
+-static void rng_egd_cancel_requests(RngBackend *b)
+-{
+- RngEgd *s = RNG_EGD(b);
+-
+- /* We simply delete the list of pending requests. If there is data in
the
+- * queue waiting to be read, this is okay, because there will always be
+- * more data than we requested originally
+- */
+- rng_egd_free_requests(s);
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+ RngEgd *s = RNG_EGD(b);
+@@ -213,7 +202,6 @@ static void rng_egd_class_init(ObjectClass *klass, void
*data)
+ RngBackendClass *rbc = RNG_BACKEND_CLASS(klass);
+
+ rbc->request_entropy = rng_egd_request_entropy;
+- rbc->cancel_requests = rng_egd_cancel_requests;
+ rbc->opened = rng_egd_opened;
+ }
+
+diff --git a/backends/rng.c b/backends/rng.c
+index b7820ef..2f2f3ee 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -26,15 +26,6 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ }
+ }
+
+-void rng_backend_cancel_requests(RngBackend *s)
+-{
+- RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
+-
+- if (k->cancel_requests) {
+- k->cancel_requests(s);
+- }
+-}
+-
+ static bool rng_backend_prop_get_opened(Object *obj, Error **errp)
+ {
+ RngBackend *s = RNG_BACKEND(obj);
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 858be8c..87b3ebe 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -37,7 +37,6 @@ struct RngBackendClass
+
+ void (*request_entropy)(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy, void
*opaque);
+- void (*cancel_requests)(RngBackend *s);
+
+ void (*opened)(RngBackend *s, Error **errp);
+ };
+@@ -68,14 +67,4 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque);
+-
+-/**
+- * rng_backend_cancel_requests:
+- * @s: the backend to cancel all pending requests in
+- *
+- * Cancels all pending requests submitted by @rng_backend_request_entropy.
This
+- * should be used by a device during reset or in preparation for live
migration
+- * to stop tracking any request.
+- */
+-void rng_backend_cancel_requests(RngBackend *s);
+ #endif
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
new file mode 100644
index 0000000..44ba8a7
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-1.patch
@@ -0,0 +1,135 @@
+From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lpro...@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:16 +0100
+Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
+
+The 'requests' field now lives in the RngBackend parent class.
+There are no functional changes in this commit.
+
+Signed-off-by: Ladi Prosek <lpro...@redhat.com>
+Reviewed-by: Amit Shah <amit.s...@redhat.com>
+Message-Id: <1456994238-9585-3-git-send-email-lpro...@redhat.com>
+Signed-off-by: Amit Shah <amit.s...@redhat.com>
+---
+ backends/rng-egd.c | 28 +++++++++-------------------
+ include/sysemu/rng.h | 11 +++++++++++
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 0b2976a..b061362 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -25,19 +25,8 @@ typedef struct RngEgd
+
+ CharDriverState *chr;
+ char *chr_name;
+-
+- GSList *requests;
+ } RngEgd;
+
+-typedef struct RngRequest
+-{
+- EntropyReceiveFunc *receive_entropy;
+- uint8_t *data;
+- void *opaque;
+- size_t offset;
+- size_t size;
+-} RngRequest;
+-
+ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque)
+@@ -66,7 +55,7 @@ static void rng_egd_request_entropy(RngBackend *b, size_t
size,
+ size -= len;
+ }
+
+- s->requests = g_slist_append(s->requests, req);
++ s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+ static void rng_egd_free_request(RngRequest *req)
+@@ -81,7 +70,7 @@ static int rng_egd_chr_can_read(void *opaque)
+ GSList *i;
+ int size = 0;
+
+- for (i = s->requests; i; i = i->next) {
++ for (i = s->parent.requests; i; i = i->next) {
+ RngRequest *req = i->data;
+ size += req->size - req->offset;
+ }
+@@ -94,8 +83,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t
*buf, int size)
+ RngEgd *s = RNG_EGD(opaque);
+ size_t buf_offset = 0;
+
+- while (size > 0 && s->requests) {
+- RngRequest *req = s->requests->data;
++ while (size > 0 && s->parent.requests) {
++ RngRequest *req = s->parent.requests->data;
+ int len = MIN(size, req->size - req->offset);
+
+ memcpy(req->data + req->offset, buf + buf_offset, len);
+@@ -104,7 +93,8 @@ static void rng_egd_chr_read(void *opaque, const uint8_t
*buf, int size)
+ size -= len;
+
+ if (req->offset == req->size) {
+- s->requests = g_slist_remove_link(s->requests, s->requests);
++ s->parent.requests = g_slist_remove_link(s->parent.requests,
++ s->parent.requests);
+
+ req->receive_entropy(req->opaque, req->data, req->size);
+
+@@ -117,12 +107,12 @@ static void rng_egd_free_requests(RngEgd *s)
+ {
+ GSList *i;
+
+- for (i = s->requests; i; i = i->next) {
++ for (i = s->parent.requests; i; i = i->next) {
+ rng_egd_free_request(i->data);
+ }
+
+- g_slist_free(s->requests);
+- s->requests = NULL;
++ g_slist_free(s->parent.requests);
++ s->parent.requests = NULL;
+ }
+
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 87b3ebe..c744d82 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -24,6 +24,7 @@
+ #define RNG_BACKEND_CLASS(klass) \
+ OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
+
++typedef struct RngRequest RngRequest;
+ typedef struct RngBackendClass RngBackendClass;
+ typedef struct RngBackend RngBackend;
+
+@@ -31,6 +32,15 @@ typedef void (EntropyReceiveFunc)(void *opaque,
+ const void *data,
+ size_t size);
+
++struct RngRequest
++{
++ EntropyReceiveFunc *receive_entropy;
++ uint8_t *data;
++ void *opaque;
++ size_t offset;
++ size_t size;
++};
++
+ struct RngBackendClass
+ {
+ ObjectClass parent_class;
+@@ -47,6 +57,7 @@ struct RngBackend
+
+ /*< protected >*/
+ bool opened;
++ GSList *requests;
+ };
+
+ /**
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
new file mode 100644
index 0000000..1cffcc5
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-2.patch
@@ -0,0 +1,155 @@
+From 9f14b0add1dcdbfa2ee61051d068211fb0a1fcc9 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lpro...@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:17 +0100
+Subject: [PATCH] rng: move request queue cleanup from RngEgd to RngBackend
+
+RngBackend is now in charge of cleaning up the linked list on
+instance finalization. It also exposes a function to finalize
+individual RngRequest instances, called by its child classes.
+
+Signed-off-by: Ladi Prosek <lpro...@redhat.com>
+Reviewed-by: Amit Shah <amit.s...@redhat.com>
+Message-Id: <1456994238-9585-4-git-send-email-lpro...@redhat.com>
+Signed-off-by: Amit Shah <amit.s...@redhat.com>
+---
+ backends/rng-egd.c | 25 +------------------------
+ backends/rng.c | 32 ++++++++++++++++++++++++++++++++
+ include/sysemu/rng.h | 12 ++++++++++++
+ 3 files changed, 45 insertions(+), 24 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index b061362..8f2bd16 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -58,12 +58,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t
size,
+ s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+-static void rng_egd_free_request(RngRequest *req)
+-{
+- g_free(req->data);
+- g_free(req);
+-}
+-
+ static int rng_egd_chr_can_read(void *opaque)
+ {
+ RngEgd *s = RNG_EGD(opaque);
+@@ -93,28 +87,13 @@ static void rng_egd_chr_read(void *opaque, const uint8_t
*buf, int size)
+ size -= len;
+
+ if (req->offset == req->size) {
+- s->parent.requests = g_slist_remove_link(s->parent.requests,
+- s->parent.requests);
+-
+ req->receive_entropy(req->opaque, req->data, req->size);
+
+- rng_egd_free_request(req);
++ rng_backend_finalize_request(&s->parent, req);
+ }
+ }
+ }
+
+-static void rng_egd_free_requests(RngEgd *s)
+-{
+- GSList *i;
+-
+- for (i = s->parent.requests; i; i = i->next) {
+- rng_egd_free_request(i->data);
+- }
+-
+- g_slist_free(s->parent.requests);
+- s->parent.requests = NULL;
+-}
+-
+ static void rng_egd_opened(RngBackend *b, Error **errp)
+ {
+ RngEgd *s = RNG_EGD(b);
+@@ -183,8 +162,6 @@ static void rng_egd_finalize(Object *obj)
+ }
+
+ g_free(s->chr_name);
+-
+- rng_egd_free_requests(s);
+ }
+
+ static void rng_egd_class_init(ObjectClass *klass, void *data)
+diff --git a/backends/rng.c b/backends/rng.c
+index 2f2f3ee..014cb9d 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -64,6 +64,30 @@ static void rng_backend_prop_set_opened(Object *obj, bool
value, Error **errp)
+ s->opened = true;
+ }
+
++static void rng_backend_free_request(RngRequest *req)
++{
++ g_free(req->data);
++ g_free(req);
++}
++
++static void rng_backend_free_requests(RngBackend *s)
++{
++ GSList *i;
++
++ for (i = s->requests; i; i = i->next) {
++ rng_backend_free_request(i->data);
++ }
++
++ g_slist_free(s->requests);
++ s->requests = NULL;
++}
++
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req)
++{
++ s->requests = g_slist_remove(s->requests, req);
++ rng_backend_free_request(req);
++}
++
+ static void rng_backend_init(Object *obj)
+ {
+ object_property_add_bool(obj, "opened",
+@@ -72,6 +96,13 @@ static void rng_backend_init(Object *obj)
+ NULL);
+ }
+
++static void rng_backend_finalize(Object *obj)
++{
++ RngBackend *s = RNG_BACKEND(obj);
++
++ rng_backend_free_requests(s);
++}
++
+ static void rng_backend_class_init(ObjectClass *oc, void *data)
+ {
+ UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
+@@ -84,6 +115,7 @@ static const TypeInfo rng_backend_info = {
+ .parent = TYPE_OBJECT,
+ .instance_size = sizeof(RngBackend),
+ .instance_init = rng_backend_init,
++ .instance_finalize = rng_backend_finalize,
+ .class_size = sizeof(RngBackendClass),
+ .class_init = rng_backend_class_init,
+ .abstract = true,
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index c744d82..08a2eda 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -78,4 +79,15 @@ struct RngBackend
+ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ EntropyReceiveFunc *receive_entropy,
+ void *opaque);
++
++/**
++ * rng_backend_free_request:
++ * @s: the backend that created the request
++ * @req: the request to finalize
++ *
++ * Used by child rng backend classes to finalize requests once they've been
++ * processed. The request is removed from the list of active requests and
++ * deleted.
++ */
++void rng_backend_finalize_request(RngBackend *s, RngRequest *req);
+ #endif
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
new file mode 100644
index 0000000..ca9340a
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-rng-stack-corrupt-3.patch
@@ -0,0 +1,179 @@
+From 60253ed1e6ec6d8e5ef2efe7bf755f475dce9956 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lpro...@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:18 +0100
+Subject: [PATCH] rng: add request queue support to rng-random
+
+Requests are now created in the RngBackend parent class and the
+code path is shared by both rng-egd and rng-random.
+
+This commit fixes the rng-random implementation which processed
+only one request at a time and simply discarded all but the most
+recent one. In the guest this manifested as delayed completion
+of reads from virtio-rng, i.e. a read was completed only after
+another read was issued.
+
+By switching rng-random to use the same request queue as rng-egd,
+the unsafe stack-based allocation of the entropy buffer is
+eliminated and replaced with g_malloc.
+
+Signed-off-by: Ladi Prosek <lpro...@redhat.com>
+Reviewed-by: Amit Shah <amit.s...@redhat.com>
+Message-Id: <1456994238-9585-5-git-send-email-lpro...@redhat.com>
+Signed-off-by: Amit Shah <amit.s...@redhat.com>
+---
+ backends/rng-egd.c | 16 ++--------------
+ backends/rng-random.c | 43 +++++++++++++++++++------------------------
+ backends/rng.c | 13 ++++++++++++-
+ include/sysemu/rng.h | 3 +--
+ 4 files changed, 34 insertions(+), 41 deletions(-)
+
+diff --git a/backends/rng-egd.c b/backends/rng-egd.c
+index 8f2bd16..30332ed 100644
+--- a/backends/rng-egd.c
++++ b/backends/rng-egd.c
+@@ -27,20 +27,10 @@ typedef struct RngEgd
+ char *chr_name;
+ } RngEgd;
+
+-static void rng_egd_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_egd_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RngEgd *s = RNG_EGD(b);
+- RngRequest *req;
+-
+- req = g_malloc(sizeof(*req));
+-
+- req->offset = 0;
+- req->size = size;
+- req->receive_entropy = receive_entropy;
+- req->opaque = opaque;
+- req->data = g_malloc(req->size);
++ size_t size = req->size;
+
+ while (size > 0) {
+ uint8_t header[2];
+@@ -54,8 +44,6 @@ static void rng_egd_request_entropy(RngBackend *b, size_t
size,
+
+ size -= len;
+ }
+-
+- s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+
+ static int rng_egd_chr_can_read(void *opaque)
+diff --git a/backends/rng-random.c b/backends/rng-random.c
+index 8cdad6a..a6cb385 100644
+--- a/backends/rng-random.c
++++ b/backends/rng-random.c
+@@ -22,10 +22,6 @@ struct RndRandom
+
+ int fd;
+ char *filename;
+-
+- EntropyReceiveFunc *receive_func;
+- void *opaque;
+- size_t size;
+ };
+
+ /**
+@@ -38,36 +34,35 @@ struct RndRandom
+ static void entropy_available(void *opaque)
+ {
+ RndRandom *s = RNG_RANDOM(opaque);
+- uint8_t buffer[s->size];
+- ssize_t len;
+
+- len = read(s->fd, buffer, s->size);
+- if (len < 0 && errno == EAGAIN) {
+- return;
+- }
+- g_assert(len != -1);
++ while (s->parent.requests != NULL) {
++ RngRequest *req = s->parent.requests->data;
++ ssize_t len;
++
++ len = read(s->fd, req->data, req->size);
++ if (len < 0 && errno == EAGAIN) {
++ return;
++ }
++ g_assert(len != -1);
+
+- s->receive_func(s->opaque, buffer, len);
+- s->receive_func = NULL;
++ req->receive_entropy(req->opaque, req->data, len);
+
++ rng_backend_finalize_request(&s->parent, req);
++ }
++
++ /* We've drained all requests, the fd handler can be reset. */
+ qemu_set_fd_handler(s->fd, NULL, NULL, NULL);
+ }
+
+-static void rng_random_request_entropy(RngBackend *b, size_t size,
+- EntropyReceiveFunc *receive_entropy,
+- void *opaque)
++static void rng_random_request_entropy(RngBackend *b, RngRequest *req)
+ {
+ RndRandom *s = RNG_RANDOM(b);
+
+- if (s->receive_func) {
+- s->receive_func(s->opaque, NULL, 0);
++ if (s->parent.requests == NULL) {
++ /* If there are no pending requests yet, we need to
++ * install our fd handler. */
++ qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+-
+- s->receive_func = receive_entropy;
+- s->opaque = opaque;
+- s->size = size;
+-
+- qemu_set_fd_handler(s->fd, entropy_available, NULL, s);
+ }
+
+ static void rng_random_opened(RngBackend *b, Error **errp)
+diff --git a/backends/rng.c b/backends/rng.c
+index 014cb9d..277a41b 100644
+--- a/backends/rng.c
++++ b/backends/rng.c
+@@ -20,9 +20,20 @@ void rng_backend_request_entropy(RngBackend *s, size_t size,
+ void *opaque)
+ {
+ RngBackendClass *k = RNG_BACKEND_GET_CLASS(s);
++ RngRequest *req;
+
+ if (k->request_entropy) {
+- k->request_entropy(s, size, receive_entropy, opaque);
++ req = g_malloc(sizeof(*req));
++
++ req->offset = 0;
++ req->size = size;
++ req->receive_entropy = receive_entropy;
++ req->opaque = opaque;
++ req->data = g_malloc(req->size);
++
++ k->request_entropy(s, req);
++
++ s->requests = g_slist_append(s->requests, req);
+ }
+ }
+
+diff --git a/include/sysemu/rng.h b/include/sysemu/rng.h
+index 08a2eda..4fffd68 100644
+--- a/include/sysemu/rng.h
++++ b/include/sysemu/rng.h
+@@ -45,8 +45,7 @@ struct RngBackendClass
+ {
+ ObjectClass parent_class;
+
+- void (*request_entropy)(RngBackend *s, size_t size,
+- EntropyReceiveFunc *receive_entropy, void
*opaque);
++ void (*request_entropy)(RngBackend *s, RngRequest *req);
+
+ void (*opened)(RngBackend *s, Error **errp);
+ };
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
new file mode 100644
index 0000000..f2e766d
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-sysmacros.patch
@@ -0,0 +1,15 @@
+Linux C libs are moving away from implicit header pollution with sys/types.h
+
+--- a/include/qemu/osdep.h
++++ b/include/qemu/osdep.h
+@@ -78,6 +78,10 @@ extern int daemon(int, int);
+ #include <assert.h>
+ #include <signal.h>
+
++#ifdef __linux__
++#include <sys/sysmacros.h>
++#endif
++
+ #ifdef __OpenBSD__
+ #include <sys/signal.h>
+ #endif
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
new file mode 100644
index 0000000..2ddca3e
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ehci-oob.patch
@@ -0,0 +1,52 @@
+From 49d925ce50383a286278143c05511d30ec41a36e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Wed, 20 Jan 2016 01:26:46 +0530
+Subject: [PATCH] usb: check page select value while processing iTD
+
+While processing isochronous transfer descriptors(iTD), the page
+select(PG) field value could lead to an OOB read access. Add
+check to avoid it.
+
+Reported-by: Qinghao Tang <luodalon...@gmail.com>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-id: 1453233406-12165-1-git-send-email-ppan...@redhat.com
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+---
+ hw/usb/hcd-ehci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index ab00268..93601d9 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1405,21 +1405,23 @@ static int ehci_process_itd(EHCIState *ehci,
+ if (itd->transact[i] & ITD_XACT_ACTIVE) {
+ pg = get_field(itd->transact[i], ITD_XACT_PGSEL);
+ off = itd->transact[i] & ITD_XACT_OFFSET_MASK;
+- ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
+- ptr2 = (itd->bufptr[pg+1] & ITD_BUFPTR_MASK);
+ len = get_field(itd->transact[i], ITD_XACT_LENGTH);
+
+ if (len > max * mult) {
+ len = max * mult;
+ }
+-
+- if (len > BUFF_SIZE) {
++ if (len > BUFF_SIZE || pg > 6) {
+ return -1;
+ }
+
++ ptr1 = (itd->bufptr[pg] & ITD_BUFPTR_MASK);
+ qemu_sglist_init(&ehci->isgl, ehci->device, 2, ehci->as);
+ if (off + len > 4096) {
+ /* transfer crosses page border */
++ if (pg == 6) {
++ return -1; /* avoid page pg + 1 */
++ }
++ ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
+ uint32_t len2 = off + len - 4096;
+ uint32_t len1 = len - len2;
+ qemu_sglist_add(&ehci->isgl, ptr1 + off, len1);
+--
+2.7.4
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
new file mode 100644
index 0000000..da643fd
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-usb-ndis-int-overflow.patch
@@ -0,0 +1,59 @@
+From fe3c546c5ff2a6210f9a4d8561cc64051ca8603e Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <p...@fedoraproject.org>
+Date: Wed, 17 Feb 2016 00:23:41 +0530
+Subject: [PATCH] usb: check RNDIS buffer offsets & length
+
+When processing remote NDIS control message packets,
+the USB Net device emulator uses a fixed length(4096) data buffer.
+The incoming informationBufferOffset & Length combination could
+overflow and cross that range. Check control message buffer
+offsets and length to avoid it.
+
+Reported-by: Qinghao Tang <luodalon...@gmail.com>
+Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
+Message-id: 1455648821-17340-3-git-send-email-ppan...@redhat.com
+Signed-off-by: Gerd Hoffmann <kra...@redhat.com>
+---
+ hw/usb/dev-network.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/hw/usb/dev-network.c b/hw/usb/dev-network.c
+index 5dc4538..c6abd38 100644
+--- a/hw/usb/dev-network.c
++++ b/hw/usb/dev-network.c
+@@ -916,8 +916,9 @@ static int rndis_query_response(USBNetState *s,
+
+ bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+ buflen = le32_to_cpu(buf->InformationBufferLength);
+- if (bufoffs + buflen > length)
++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+ return USB_RET_STALL;
++ }
+
+ infobuflen = ndis_query(s, le32_to_cpu(buf->OID),
+ bufoffs + (uint8_t *) buf, buflen, infobuf,
+@@ -962,8 +963,9 @@ static int rndis_set_response(USBNetState *s,
+
+ bufoffs = le32_to_cpu(buf->InformationBufferOffset) + 8;
+ buflen = le32_to_cpu(buf->InformationBufferLength);
+- if (bufoffs + buflen > length)
++ if (buflen > length || bufoffs >= length || bufoffs + buflen > length) {
+ return USB_RET_STALL;
++ }
+
+ ret = ndis_set(s, le32_to_cpu(buf->OID),
+ bufoffs + (uint8_t *) buf, buflen);
+@@ -1213,8 +1215,9 @@ static void usb_net_handle_dataout(USBNetState *s,
USBPacket *p)
+ if (le32_to_cpu(msg->MessageType) == RNDIS_PACKET_MSG) {
+ uint32_t offs = 8 + le32_to_cpu(msg->DataOffset);
+ uint32_t size = le32_to_cpu(msg->DataLength);
+- if (offs + size <= len)
++ if (offs < len && size < len && offs + size <= len) {
+ qemu_send_packet(qemu_get_queue(s->nic), s->out_buf + offs, size);
++ }
+ }
+ s->out_ptr -= len;
+ memmove(s->out_buf, &s->out_buf[len], s->out_ptr);
+--
+2.7.4
+
diff --git a/app-emulation/qemu/qemu-2.5.0-r2.ebuild
b/app-emulation/qemu/qemu-2.5.0-r2.ebuild
new file mode 100644
index 0000000..7c4c9d1
--- /dev/null
+++ b/app-emulation/qemu/qemu-2.5.0-r2.ebuild
@@ -0,0 +1,669 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+PYTHON_COMPAT=( python2_7 )
+PYTHON_REQ_USE="ncurses,readline"
+
+inherit eutils flag-o-matic linux-info toolchain-funcs multilib python-r1 \
+ user udev fcaps readme.gentoo pax-utils
+
+BACKPORTS=
+
+if [[ ${PV} = *9999* ]]; then
+ EGIT_REPO_URI="git://git.qemu.org/qemu.git"
+ inherit git-2
+ SRC_URI=""
+else
+ SRC_URI="http://wiki.qemu-project.org/download/${P}.tar.bz2
+ ${BACKPORTS:+
+
https://dev.gentoo.org/~cardoe/distfiles/${P}-${BACKPORTS}.tar.xz}";
+ KEYWORDS="~amd64 ~arm64 ~ppc ~ppc64 ~x86 ~x86-fbsd"
+fi
+
+DESCRIPTION="QEMU + Kernel-based Virtual Machine userland tools"
+HOMEPAGE="http://www.qemu.org http://www.linux-kvm.org";
+
+LICENSE="GPL-2 LGPL-2 BSD-2"
+SLOT="0"
+IUSE="accessibility +aio alsa bluetooth +caps +curl debug +fdt glusterfs \
+gnutls gtk gtk2 infiniband iscsi +jpeg \
+kernel_linux kernel_FreeBSD lzo ncurses nfs nls numa opengl +pin-upstream-blobs
++png pulseaudio python \
+rbd sasl +seccomp sdl sdl2 selinux smartcard snappy spice ssh static
static-softmmu
+static-user systemtap tci test +threads usb usbredir +uuid vde +vhost-net \
+virgl virtfs +vnc vte xattr xen xfs"
+
+COMMON_TARGETS="aarch64 alpha arm cris i386 m68k microblaze microblazeel mips
+mips64 mips64el mipsel or32 ppc ppc64 s390x sh4 sh4eb sparc sparc64 unicore32
+x86_64"
+IUSE_SOFTMMU_TARGETS="${COMMON_TARGETS} lm32 moxie ppcemb tricore xtensa
xtensaeb"
+IUSE_USER_TARGETS="${COMMON_TARGETS} armeb mipsn32 mipsn32el ppc64abi32
ppc64le sparc32plus tilegx"
+
+use_softmmu_targets=$(printf ' qemu_softmmu_targets_%s'
${IUSE_SOFTMMU_TARGETS})
+use_user_targets=$(printf ' qemu_user_targets_%s' ${IUSE_USER_TARGETS})
+IUSE+=" ${use_softmmu_targets} ${use_user_targets}"
+
+# Allow no targets to be built so that people can get a tools-only build.
+# Block USE flag configurations known to not work.
+REQUIRED_USE="${PYTHON_REQUIRED_USE}
+ gtk2? ( gtk )
+ qemu_softmmu_targets_arm? ( fdt )
+ qemu_softmmu_targets_microblaze? ( fdt )
+ qemu_softmmu_targets_ppc? ( fdt )
+ qemu_softmmu_targets_ppc64? ( fdt )
+ sdl2? ( sdl )
+ static? ( static-softmmu static-user )
+ static-softmmu? ( !alsa !pulseaudio !bluetooth !opengl !gtk !gtk2 )
+ virtfs? ( xattr )
+ vte? ( gtk )"
+
+# Yep, you need both libcap and libcap-ng since virtfs only uses libcap.
+#
+# The attr lib isn't always linked in (although the USE flag is always
+# respected). This is because qemu supports using the C library's API
+# when available rather than always using the extranl library.
+#
+# Older versions of gnutls are supported, but it's simpler to just require
+# the latest versions. This is also why we require nettle.
+COMMON_LIB_DEPEND=">=dev-libs/glib-2.0[static-libs(+)]
+ sys-libs/zlib[static-libs(+)]
+ xattr? ( sys-apps/attr[static-libs(+)] )"
+SOFTMMU_LIB_DEPEND="${COMMON_LIB_DEPEND}
+ >=x11-libs/pixman-0.28.0[static-libs(+)]
+ accessibility? ( app-accessibility/brltty[static-libs(+)] )
+ aio? ( dev-libs/libaio[static-libs(+)] )
+ alsa? ( >=media-libs/alsa-lib-1.0.13 )
+ bluetooth? ( net-wireless/bluez )
+ caps? ( sys-libs/libcap-ng[static-libs(+)] )
+ curl? ( >=net-misc/curl-7.15.4[static-libs(+)] )
+ fdt? ( >=sys-apps/dtc-1.4.0[static-libs(+)] )
+ glusterfs? ( >=sys-cluster/glusterfs-3.4.0[static-libs(+)] )
+ gnutls? (
+ dev-libs/nettle[static-libs(+)]
+ >=net-libs/gnutls-3.0[static-libs(+)]
+ )
+ gtk? (
+ gtk2? (
+ x11-libs/gtk+:2
+ vte? ( x11-libs/vte:0 )
+ )
+ !gtk2? (
+ x11-libs/gtk+:3
+ vte? ( x11-libs/vte:2.90 )
+ )
+ )
+ infiniband? ( sys-infiniband/librdmacm:=[static-libs(+)] )
+ iscsi? ( net-libs/libiscsi )
+ jpeg? ( virtual/jpeg:=[static-libs(+)] )
+ lzo? ( dev-libs/lzo:2[static-libs(+)] )
+ ncurses? ( sys-libs/ncurses:0=[static-libs(+)] )
+ nfs? ( >=net-fs/libnfs-1.9.3[static-libs(+)] )
+ numa? ( sys-process/numactl[static-libs(+)] )
+ opengl? (
+ virtual/opengl
+ media-libs/libepoxy[static-libs(+)]
+ media-libs/mesa[static-libs(+)]
+ media-libs/mesa[egl,gles2]
+ )
+ png? ( media-libs/libpng:0=[static-libs(+)] )
+ pulseaudio? ( media-sound/pulseaudio )
+ rbd? ( sys-cluster/ceph[static-libs(+)] )
+ sasl? ( dev-libs/cyrus-sasl[static-libs(+)] )
+ sdl? (
+ !sdl2? (
+ media-libs/libsdl[X]
+ >=media-libs/libsdl-1.2.11[static-libs(+)]
+ )
+ sdl2? (
+ media-libs/libsdl2[X]
+ media-libs/libsdl2[static-libs(+)]
+ )
+ )
+ seccomp? ( >=sys-libs/libseccomp-2.1.0[static-libs(+)] )
+ smartcard? ( >=app-emulation/libcacard-2.5.0[static-libs(+)] )
+ snappy? ( app-arch/snappy[static-libs(+)] )
+ spice? (
+ >=app-emulation/spice-protocol-0.12.3
+ >=app-emulation/spice-0.12.0[static-libs(+)]
+ )
+ ssh? ( >=net-libs/libssh2-1.2.8[static-libs(+)] )
+ usb? ( >=virtual/libusb-1-r2[static-libs(+)] )
+ usbredir? ( >=sys-apps/usbredir-0.6[static-libs(+)] )
+ uuid? ( >=sys-apps/util-linux-2.16.0[static-libs(+)] )
+ vde? ( net-misc/vde[static-libs(+)] )
+ virgl? ( media-libs/virglrenderer[static-libs(+)] )
+ virtfs? ( sys-libs/libcap )
+ xfs? ( sys-fs/xfsprogs[static-libs(+)] )"
+USER_LIB_DEPEND="${COMMON_LIB_DEPEND}"
+X86_FIRMWARE_DEPEND="
+ >=sys-firmware/ipxe-1.0.0_p20130624
+ pin-upstream-blobs? (
+ ~sys-firmware/seabios-1.8.2
+ ~sys-firmware/sgabios-0.1_pre8
+ ~sys-firmware/vgabios-0.7a
+ )
+ !pin-upstream-blobs? (
+ sys-firmware/seabios
+ sys-firmware/sgabios
+ sys-firmware/vgabios
+ )"
+CDEPEND="
+ !static-softmmu? ( $(printf "%s? (
${SOFTMMU_LIB_DEPEND//\[static-libs(+)]} ) " ${use_softmmu_targets}) )
+ !static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND//\[static-libs(+)]} )
" ${use_user_targets}) )
+ qemu_softmmu_targets_i386? ( ${X86_FIRMWARE_DEPEND} )
+ qemu_softmmu_targets_x86_64? ( ${X86_FIRMWARE_DEPEND} )
+ python? ( ${PYTHON_DEPS} )
+ systemtap? ( dev-util/systemtap )
+ xen? ( app-emulation/xen-tools:= )"
+DEPEND="${CDEPEND}
+ dev-lang/perl
+ =dev-lang/python-2*
+ sys-apps/texinfo
+ virtual/pkgconfig
+ kernel_linux? ( >=sys-kernel/linux-headers-2.6.35 )
+ gtk? ( nls? ( sys-devel/gettext ) )
+ static-softmmu? ( $(printf "%s? ( ${SOFTMMU_LIB_DEPEND} ) "
${use_softmmu_targets}) )
+ static-user? ( $(printf "%s? ( ${USER_LIB_DEPEND} ) "
${use_user_targets}) )
+ test? (
+ dev-libs/glib[utils]
+ sys-devel/bc
+ )"
+RDEPEND="${CDEPEND}
+ selinux? ( sec-policy/selinux-qemu )
+"
+
+STRIP_MASK="/usr/share/qemu/palcode-clipper"
+
+QA_PREBUILT="
+ usr/share/qemu/openbios-ppc
+ usr/share/qemu/openbios-sparc64
+ usr/share/qemu/openbios-sparc32
+ usr/share/qemu/palcode-clipper
+ usr/share/qemu/s390-ccw.img
+ usr/share/qemu/u-boot.e500
+"
+
+QA_WX_LOAD="usr/bin/qemu-i386
+ usr/bin/qemu-x86_64
+ usr/bin/qemu-alpha
+ usr/bin/qemu-arm
+ usr/bin/qemu-cris
+ usr/bin/qemu-m68k
+ usr/bin/qemu-microblaze
+ usr/bin/qemu-microblazeel
+ usr/bin/qemu-mips
+ usr/bin/qemu-mipsel
+ usr/bin/qemu-or32
+ usr/bin/qemu-ppc
+ usr/bin/qemu-ppc64
+ usr/bin/qemu-ppc64abi32
+ usr/bin/qemu-sh4
+ usr/bin/qemu-sh4eb
+ usr/bin/qemu-sparc
+ usr/bin/qemu-sparc64
+ usr/bin/qemu-armeb
+ usr/bin/qemu-sparc32plus
+ usr/bin/qemu-s390x
+ usr/bin/qemu-unicore32"
+
+DOC_CONTENTS="If you don't have kvm compiled into the kernel, make sure
+you have the kernel module loaded before running kvm. The easiest way to
+ensure that the kernel module is loaded is to load it on boot.\n
+For AMD CPUs the module is called 'kvm-amd'\n
+For Intel CPUs the module is called 'kvm-intel'\n
+Please review /etc/conf.d/modules for how to load these\n\n
+Make sure your user is in the 'kvm' group\n
+Just run 'gpasswd -a <USER> kvm', then have <USER> re-login."
+
+qemu_support_kvm() {
+ if use qemu_softmmu_targets_x86_64 || use qemu_softmmu_targets_i386 \
+ use qemu_softmmu_targets_ppc || use qemu_softmmu_targets_ppc64 \
+ use qemu_softmmu_targets_s390x; then
+ return 0
+ fi
+
+ return 1
+}
+
+pkg_pretend() {
+ if use kernel_linux && kernel_is lt 2 6 25; then
+ eerror "This version of KVM requres a host kernel of 2.6.25 or
higher."
+ elif use kernel_linux; then
+ if ! linux_config_exists; then
+ eerror "Unable to check your kernel for KVM support"
+ else
+ CONFIG_CHECK="~KVM ~TUN ~BRIDGE"
+ ERROR_KVM="You must enable KVM in your kernel to
continue"
+ ERROR_KVM_AMD="If you have an AMD CPU, you must enable
KVM_AMD in"
+ ERROR_KVM_AMD+=" your kernel configuration."
+ ERROR_KVM_INTEL="If you have an Intel CPU, you must
enable"
+ ERROR_KVM_INTEL+=" KVM_INTEL in your kernel
configuration."
+ ERROR_TUN="You will need the Universal TUN/TAP driver
compiled"
+ ERROR_TUN+=" into your kernel or loaded as a module to
use the"
+ ERROR_TUN+=" virtual network device if using -net tap."
+ ERROR_BRIDGE="You will also need support for 802.1d"
+ ERROR_BRIDGE+=" Ethernet Bridging for some network
configurations."
+ use vhost-net && CONFIG_CHECK+=" ~VHOST_NET"
+ ERROR_VHOST_NET="You must enable VHOST_NET to have
vhost-net"
+ ERROR_VHOST_NET+=" support"
+
+ if use amd64 || use x86 || use amd64-linux || use
x86-linux; then
+ CONFIG_CHECK+=" ~KVM_AMD ~KVM_INTEL"
+ fi
+
+ use python && CONFIG_CHECK+=" ~DEBUG_FS"
+ ERROR_DEBUG_FS="debugFS support required for kvm_stat"
+
+ # Now do the actual checks setup above
+ check_extra_config
+ fi
+ fi
+
+ if grep -qs '/usr/bin/qemu-kvm' "${EROOT}"/etc/libvirt/qemu/*.xml; then
+ eerror "The kvm/qemu-kvm wrappers no longer exist, but your
libvirt"
+ eerror "instances are still pointing to it. Please update your"
+ eerror "configs in /etc/libvirt/qemu/ to use the -enable-kvm
flag"
+ eerror "and the right system binary (e.g. qemu-system-x86_64)."
+ die "update your virt configs to not use qemu-kvm"
+ fi
+}
+
+pkg_setup() {
+ enewgroup kvm 78
+}
+
+# Sanity check to make sure target lists are kept up-to-date.
+check_targets() {
+ local var=$1 mak=$2
+ local detected sorted
+
+ pushd "${S}"/default-configs >/dev/null || die
+
+ # Force C locale until glibc is updated. #564936
+ detected=$(echo $(printf '%s\n' *-${mak}.mak | sed "s:-${mak}.mak::" |
LC_COLLATE=C sort -u))
+ sorted=$(echo $(printf '%s\n' ${!var} | LC_COLLATE=C sort -u))
+ if [[ ${sorted} != "${detected}" ]] ; then
+ eerror "The ebuild needs to be kept in sync."
+ eerror "${var}: ${sorted}"
+ eerror "$(printf '%-*s' ${#var} configure): ${detected}"
+ die "sync ${var} to the list of targets"
+ fi
+
+ popd >/dev/null
+}
+
+src_prepare() {
+ check_targets IUSE_SOFTMMU_TARGETS softmmu
+ check_targets IUSE_USER_TARGETS linux-user
+
+ # Alter target makefiles to accept CFLAGS set via flag-o
+ sed -i -r \
+ -e 's/^(C|OP_C|HELPER_C)FLAGS=/\1FLAGS+=/' \
+ Makefile Makefile.target || die
+
+ # Cheap hack to disable gettext .mo generation.
+ use nls || rm -f po/*.po
+
+ epatch "${FILESDIR}"/qemu-2.5.0-cflags.patch
+ [[ -n ${BACKPORTS} ]] && \
+ EPATCH_FORCE=yes EPATCH_SUFFIX="patch"
EPATCH_SOURCE="${S}/patches" \
+ epatch
+
+ epatch "${FILESDIR}"/${P}-CVE-2015-8567.patch #567868
+ epatch "${FILESDIR}"/${P}-CVE-2015-8558.patch #568246
+ epatch "${FILESDIR}"/${P}-CVE-2015-8701.patch #570110
+ epatch "${FILESDIR}"/${P}-CVE-2015-8743.patch #570988
+ epatch "${FILESDIR}"/${P}-CVE-2016-1568.patch #571566
+ epatch "${FILESDIR}"/${P}-CVE-2015-8613.patch #569118
+ epatch "${FILESDIR}"/${P}-CVE-2015-8619.patch #569300
+ epatch "${FILESDIR}"/${P}-CVE-2016-1714.patch #571560
+ epatch "${FILESDIR}"/${P}-CVE-2016-1922.patch #572082
+ epatch "${FILESDIR}"/${P}-CVE-2016-1981.patch #572412
+ epatch "${FILESDIR}"/${P}-usb-ehci-oob.patch #572454
+ epatch "${FILESDIR}"/${P}-CVE-2016-2197.patch #573280
+ epatch "${FILESDIR}"/${P}-CVE-2016-2198.patch #573314
+ epatch "${FILESDIR}"/${P}-CVE-2016-2392.patch #574902
+ epatch "${FILESDIR}"/${P}-usb-ndis-int-overflow.patch #575492
+ epatch "${FILESDIR}"/${P}-rng-stack-corrupt-{0,1,2,3}.patch #576420
+ epatch "${FILESDIR}"/${P}-sysmacros.patch
+
+ # Fix ld and objcopy being called directly
+ tc-export AR LD OBJCOPY
+
+ # Verbose builds
+ MAKEOPTS+=" V=1"
+
+ epatch_user
+}
+
+##
+# configures qemu based on the build directory and the build type
+# we are using.
+#
+qemu_src_configure() {
+ debug-print-function ${FUNCNAME} "$@"
+
+ local buildtype=$1
+ local builddir="${S}/${buildtype}-build"
+ local static_flag="static-${buildtype}"
+
+ mkdir "${builddir}"
+
+ local conf_opts=(
+ --prefix=/usr
+ --sysconfdir=/etc
+ --libdir=/usr/$(get_libdir)
+ --docdir=/usr/share/doc/${PF}/html
+ --disable-bsd-user
+ --disable-guest-agent
+ --disable-strip
+ --disable-werror
+ # We support gnutls/nettle for crypto operations. It is
possible
+ # to use gcrypt when gnutls/nettle are disabled (but not when
they
+ # are enabled), but it's not really worth the hassle. Disable
it
+ # all the time to avoid automatically detecting it. #568856
+ --disable-gcrypt
+ --python="${PYTHON}"
+ --cc="$(tc-getCC)"
+ --cxx="$(tc-getCXX)"
+ --host-cc="$(tc-getBUILD_CC)"
+ $(use_enable debug debug-info)
+ $(use_enable debug debug-tcg)
+ --enable-docs
+ $(use_enable tci tcg-interpreter)
+ $(use_enable xattr attr)
+ )
+
+ # Disable options not used by user targets as the default configure
+ # options will autoprobe and try to link in a bunch of unused junk.
+ conf_softmmu() {
+ if [[ ${buildtype} == "user" ]] ; then
+ echo "--disable-${2:-$1}"
+ else
+ use_enable "$@"
+ fi
+ }
+ conf_opts+=(
+ $(conf_softmmu accessibility brlapi)
+ $(conf_softmmu aio linux-aio)
+ $(conf_softmmu bluetooth bluez)
+ $(conf_softmmu caps cap-ng)
+ $(conf_softmmu curl)
+ $(conf_softmmu fdt)
+ $(conf_softmmu glusterfs)
+ $(conf_softmmu gnutls)
+ $(conf_softmmu gnutls nettle)
+ $(conf_softmmu gtk)
+ $(conf_softmmu infiniband rdma)
+ $(conf_softmmu iscsi libiscsi)
+ $(conf_softmmu jpeg vnc-jpeg)
+ $(conf_softmmu kernel_linux kvm)
+ $(conf_softmmu lzo)
+ $(conf_softmmu ncurses curses)
+ $(conf_softmmu nfs libnfs)
+ $(conf_softmmu numa)
+ $(conf_softmmu opengl)
+ $(conf_softmmu png vnc-png)
+ $(conf_softmmu rbd)
+ $(conf_softmmu sasl vnc-sasl)
+ $(conf_softmmu sdl)
+ $(conf_softmmu seccomp)
+ $(conf_softmmu smartcard)
+ $(conf_softmmu snappy)
+ $(conf_softmmu spice)
+ $(conf_softmmu ssh libssh2)
+ $(conf_softmmu usb libusb)
+ $(conf_softmmu usbredir usb-redir)
+ $(conf_softmmu uuid)
+ $(conf_softmmu vde)
+ $(conf_softmmu vhost-net)
+ $(conf_softmmu virgl virglrenderer)
+ $(conf_softmmu virtfs)
+ $(conf_softmmu vnc)
+ $(conf_softmmu vte)
+ $(conf_softmmu xen)
+ $(conf_softmmu xen xen-pci-passthrough)
+ $(conf_softmmu xfs xfsctl)
+ )
+
+ case ${buildtype} in
+ user)
+ conf_opts+=(
+ --enable-linux-user
+ --disable-system
+ --disable-blobs
+ --disable-tools
+ )
+ ;;
+ softmmu)
+ # audio options
+ local audio_opts="oss"
+ use alsa && audio_opts="alsa,${audio_opts}"
+ use sdl && audio_opts="sdl,${audio_opts}"
+ use pulseaudio && audio_opts="pa,${audio_opts}"
+
+ conf_opts+=(
+ --disable-linux-user
+ --enable-system
+ --with-system-pixman
+ --audio-drv-list="${audio_opts}"
+ )
+ use gtk && conf_opts+=( --with-gtkabi=$(usex gtk2 2.0 3.0) )
+ use sdl && conf_opts+=( --with-sdlabi=$(usex sdl2 2.0 1.2) )
+ ;;
+ tools)
+ conf_opts+=(
+ --disable-linux-user
+ --disable-system
+ --disable-blobs
+ )
+ static_flag="static"
+ ;;
+ esac
+
+ local targets="${buildtype}_targets"
+ [[ -n ${targets} ]] && conf_opts+=( --target-list="${!targets}" )
+
+ # Add support for SystemTAP
+ use systemtap && conf_opts+=( --enable-trace-backend=dtrace )
+
+ # We always want to attempt to build with PIE support as it results
+ # in a more secure binary. But it doesn't work with static or if
+ # the current GCC doesn't have PIE support.
+ if use ${static_flag}; then
+ conf_opts+=( --static --disable-pie )
+ else
+ gcc-specs-pie && conf_opts+=( --enable-pie )
+ fi
+
+ echo "../configure ${conf_opts[*]}"
+ cd "${builddir}"
+ ../configure "${conf_opts[@]}" || die "configure failed"
+
+ # FreeBSD's kernel does not support QEMU assigning/grabbing
+ # host USB devices yet
+ use kernel_FreeBSD && \
+ sed -i -E -e "s|^(HOST_USB=)bsd|\1stub|" "${S}"/config-host.mak
+}
+
+src_configure() {
+ local target
+
+ python_setup
+
+ softmmu_targets= softmmu_bins=()
+ user_targets= user_bins=()
+
+ for target in ${IUSE_SOFTMMU_TARGETS} ; do
+ if use "qemu_softmmu_targets_${target}"; then
+ softmmu_targets+=",${target}-softmmu"
+ softmmu_bins+=( "qemu-system-${target}" )
+ fi
+ done
+
+ for target in ${IUSE_USER_TARGETS} ; do
+ if use "qemu_user_targets_${target}"; then
+ user_targets+=",${target}-linux-user"
+ user_bins+=( "qemu-${target}" )
+ fi
+ done
+
+ softmmu_targets=${softmmu_targets#,}
+ user_targets=${user_targets#,}
+
+ [[ -n ${softmmu_targets} ]] && qemu_src_configure "softmmu"
+ [[ -n ${user_targets} ]] && qemu_src_configure "user"
+ [[ -z ${softmmu_targets}${user_targets} ]] && qemu_src_configure "tools"
+}
+
+src_compile() {
+ if [[ -n ${user_targets} ]]; then
+ cd "${S}/user-build"
+ default
+ fi
+
+ if [[ -n ${softmmu_targets} ]]; then
+ cd "${S}/softmmu-build"
+ default
+ fi
+
+ if [[ -z ${softmmu_targets}${user_targets} ]]; then
+ cd "${S}/tools-build"
+ default
+ fi
+}
+
+src_test() {
+ if [[ -n ${softmmu_targets} ]]; then
+ cd "${S}/softmmu-build"
+ pax-mark m */qemu-system-* #515550
+ emake -j1 check
+ emake -j1 check-report.html
+ fi
+}
+
+qemu_python_install() {
+ python_domodule "${S}/scripts/qmp/qmp.py"
+
+ python_doscript "${S}/scripts/kvm/kvm_stat"
+ python_doscript "${S}/scripts/kvm/vmxcap"
+ python_doscript "${S}/scripts/qmp/qmp-shell"
+ python_doscript "${S}/scripts/qmp/qemu-ga-client"
+}
+
+src_install() {
+ if [[ -n ${user_targets} ]]; then
+ cd "${S}/user-build"
+ emake DESTDIR="${ED}" install
+
+ # Install binfmt handler init script for user targets
+ newinitd "${FILESDIR}/qemu-binfmt.initd-r1" qemu-binfmt
+ fi
+
+ if [[ -n ${softmmu_targets} ]]; then
+ cd "${S}/softmmu-build"
+ emake DESTDIR="${ED}" install
+
+ # This might not exist if the test failed. #512010
+ [[ -e check-report.html ]] && dohtml check-report.html
+
+ if use kernel_linux; then
+ udev_dorules "${FILESDIR}"/65-kvm.rules
+ fi
+
+ if use python; then
+ python_foreach_impl qemu_python_install
+ fi
+ fi
+
+ if [[ -z ${softmmu_targets}${user_targets} ]]; then
+ cd "${S}/tools-build"
+ emake DESTDIR="${ED}" install
+ fi
+
+ # Disable mprotect on the qemu binaries as they use JITs to be fast
#459348
+ pushd "${ED}"/usr/bin >/dev/null
+ pax-mark m "${softmmu_bins[@]}" "${user_bins[@]}"
+ popd >/dev/null
+
+ # Install config file example for qemu-bridge-helper
+ insinto "/etc/qemu"
+ doins "${FILESDIR}/bridge.conf"
+
+ # Remove the docdir placed qmp-commands.txt
+ mv "${ED}/usr/share/doc/${PF}/html/qmp-commands.txt" "${S}/docs/" || die
+
+ cd "${S}"
+ dodoc Changelog MAINTAINERS docs/specs/pci-ids.txt
+ newdoc pc-bios/README README.pc-bios
+ dodoc docs/qmp-*.txt
+
+ if [[ -n ${softmmu_targets} ]]; then
+ # Remove SeaBIOS since we're using the SeaBIOS packaged one
+ rm "${ED}/usr/share/qemu/bios.bin"
+ if use qemu_softmmu_targets_x86_64 || use
qemu_softmmu_targets_i386; then
+ dosym ../seabios/bios.bin /usr/share/qemu/bios.bin
+ fi
+
+ # Remove vgabios since we're using the vgabios packaged one
+ rm "${ED}/usr/share/qemu/vgabios.bin"
+ rm "${ED}/usr/share/qemu/vgabios-cirrus.bin"
+ rm "${ED}/usr/share/qemu/vgabios-qxl.bin"
+ rm "${ED}/usr/share/qemu/vgabios-stdvga.bin"
+ rm "${ED}/usr/share/qemu/vgabios-vmware.bin"
+ if use qemu_softmmu_targets_x86_64 || use
qemu_softmmu_targets_i386; then
+ dosym ../vgabios/vgabios.bin /usr/share/qemu/vgabios.bin
+ dosym ../vgabios/vgabios-cirrus.bin
/usr/share/qemu/vgabios-cirrus.bin
+ dosym ../vgabios/vgabios-qxl.bin
/usr/share/qemu/vgabios-qxl.bin
+ dosym ../vgabios/vgabios-stdvga.bin
/usr/share/qemu/vgabios-stdvga.bin
+ dosym ../vgabios/vgabios-vmware.bin
/usr/share/qemu/vgabios-vmware.bin
+ fi
+
+ # Remove sgabios since we're using the sgabios packaged one
+ rm "${ED}/usr/share/qemu/sgabios.bin"
+ if use qemu_softmmu_targets_x86_64 || use
qemu_softmmu_targets_i386; then
+ dosym ../sgabios/sgabios.bin /usr/share/qemu/sgabios.bin
+ fi
+
+ # Remove iPXE since we're using the iPXE packaged one
+ rm "${ED}"/usr/share/qemu/pxe-*.rom
+ if use qemu_softmmu_targets_x86_64 || use
qemu_softmmu_targets_i386; then
+ dosym ../ipxe/8086100e.rom /usr/share/qemu/pxe-e1000.rom
+ dosym ../ipxe/80861209.rom
/usr/share/qemu/pxe-eepro100.rom
+ dosym ../ipxe/10500940.rom
/usr/share/qemu/pxe-ne2k_pci.rom
+ dosym ../ipxe/10222000.rom /usr/share/qemu/pxe-pcnet.rom
+ dosym ../ipxe/10ec8139.rom
/usr/share/qemu/pxe-rtl8139.rom
+ dosym ../ipxe/1af41000.rom
/usr/share/qemu/pxe-virtio.rom
+ fi
+ fi
+
+ qemu_support_kvm && readme.gentoo_create_doc
+}
+
+pkg_postinst() {
+ if qemu_support_kvm; then
+ readme.gentoo_print_elog
+ fi
+
+ if [[ -n ${softmmu_targets} ]] && use kernel_linux; then
+ udev_reload
+ fi
+
+ fcaps cap_net_admin /usr/libexec/qemu-bridge-helper
+}
+
+pkg_info() {
+ echo "Using:"
+ echo " $(best_version app-emulation/spice-protocol)"
+ echo " $(best_version sys-firmware/ipxe)"
+ echo " $(best_version sys-firmware/seabios)"
+ if has_version 'sys-firmware/seabios[binary]'; then
+ echo " USE=binary"
+ else
+ echo " USE=''"
+ fi
+ echo " $(best_version sys-firmware/vgabios)"
+}
