parent
46ff719f77
commit
22f8896d03
@ -0,0 +1,33 @@
|
||||
From 9f109bbc7fe718135da402535f6ca7ca5c105d4d Mon Sep 17 00:00:00 2001
|
||||
From: Martin Koller <kollix@aon.at>
|
||||
Date: Mon, 26 Oct 2015 22:12:35 +0100
|
||||
Subject: revert "fix" which adds literal quote chars to the filename
|
||||
|
||||
commit 2786d19f added explicit quote characters around the filename,
|
||||
which is wrong since the filename is passed into a QStringList,
|
||||
which passes all its separate arguments to the started process.
|
||||
Adding quote chars would lead to the filename having the
|
||||
quote chars as part of the filename.
|
||||
|
||||
BUG: 350403
|
||||
REVIEW: 125804
|
||||
---
|
||||
libk3b/jobs/k3bvideodvdtitletranscodingjob.cpp | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libk3b/jobs/k3bvideodvdtitletranscodingjob.cpp b/libk3b/jobs/k3bvideodvdtitletranscodingjob.cpp
|
||||
index 95e4811..4b721ff 100644
|
||||
--- a/libk3b/jobs/k3bvideodvdtitletranscodingjob.cpp
|
||||
+++ b/libk3b/jobs/k3bvideodvdtitletranscodingjob.cpp
|
||||
@@ -303,7 +303,7 @@ void K3b::VideoDVDTitleTranscodingJob::startTranscode( int pass )
|
||||
}
|
||||
|
||||
// the output filename
|
||||
- *d->process << "-o" << QString("\"%1\"").arg(m_filename);
|
||||
+ *d->process << "-o" << m_filename;
|
||||
}
|
||||
else {
|
||||
// gather information about the video stream, ignore audio
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
@ -0,0 +1,27 @@
|
||||
From 5b9b3537b658ad342d688fa4f210113a3d066d2a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Old=C5=99ich=20Jedli=C4=8Dka?= <oldium.pro@seznam.cz>
|
||||
Date: Sat, 14 Feb 2015 15:31:07 +0100
|
||||
Subject: Fixed compilation with newer ffmpeg/libav.
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: Oldřich Jedlička <oldium.pro@seznam.cz>
|
||||
---
|
||||
plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp | 64 ++++++++++++++++++++++++-----
|
||||
1 file changed, 54 insertions(+), 10 deletions(-)
|
||||
|
||||
--- a/plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp.old 2017-02-12 21:09:02.258453125 +0100
|
||||
+++ b/plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp 2017-02-12 21:12:44.799077359 +0100
|
||||
@@ -378,7 +378,11 @@
|
||||
#endif
|
||||
|
||||
if( d->packetSize <= 0 || len < 0 )
|
||||
+#if LIBAVCODEC_VERSION_MAJOR >= 56
|
||||
+ ::av_packet_unref( &d->packet );
|
||||
+#else
|
||||
::av_free_packet( &d->packet );
|
||||
+#endif
|
||||
if( len < 0 ) {
|
||||
kDebug() << "(K3bFFMpegFile) decoding failed for " << m_filename;
|
||||
return -1;
|
@ -0,0 +1,28 @@
|
||||
From ef2ce428dc1607563273d1258f56d9083dcf99d4 Mon Sep 17 00:00:00 2001
|
||||
From: Albert Astals Cid <aacid@kde.org>
|
||||
Date: Wed, 19 Nov 2014 22:50:43 +0100
|
||||
Subject: FLAC plugin's function seekToFrame may not work properly
|
||||
|
||||
BUGS: 341077
|
||||
|
||||
Patch by Vitaly <vitfunk@yandex.ru>
|
||||
---
|
||||
plugins/decoder/flac/k3bflacdecoder.cpp | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plugins/decoder/flac/k3bflacdecoder.cpp b/plugins/decoder/flac/k3bflacdecoder.cpp
|
||||
index 2931f76..6dc21d3 100644
|
||||
--- a/plugins/decoder/flac/k3bflacdecoder.cpp
|
||||
+++ b/plugins/decoder/flac/k3bflacdecoder.cpp
|
||||
@@ -121,7 +121,7 @@ protected:
|
||||
};
|
||||
|
||||
bool K3bFLACDecoder::Private::seekToFrame(int frame) {
|
||||
- FLAC__uint64 sample = frame * rate / 75;
|
||||
+ FLAC__uint64 sample = static_cast<FLAC__uint64>(frame) * rate / 75;
|
||||
return seek_absolute(sample);
|
||||
}
|
||||
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
@ -0,0 +1,60 @@
|
||||
From 1777236203f21eed7a9baade632472094c8081d3 Mon Sep 17 00:00:00 2001
|
||||
From: Pino Toscano <pino@kde.org>
|
||||
Date: Sat, 4 Feb 2017 10:48:45 +0100
|
||||
Subject: ffmpeg: fix/simplify metadata conversion to string
|
||||
|
||||
Comparing a pointer with an integer value is (correctly) an error with
|
||||
GCC 7.
|
||||
---
|
||||
plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp | 21 +++------------------
|
||||
1 file changed, 3 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp b/plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp
|
||||
index a4fc784..22928b2 100644
|
||||
--- a/plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp
|
||||
+++ b/plugins/decoder/ffmpeg/k3bffmpegwrapper.cpp
|
||||
@@ -259,12 +259,7 @@ QString K3bFFMpegFile::title() const
|
||||
{
|
||||
// FIXME: is this UTF8 or something??
|
||||
AVDictionaryEntry *ade = av_dict_get( d->formatContext->metadata, "TITLE", NULL, 0 );
|
||||
- if( ade == NULL )
|
||||
- return QString();
|
||||
- if( ade->value != '\0' )
|
||||
- return QString::fromLocal8Bit( ade->value );
|
||||
- else
|
||||
- return QString();
|
||||
+ return ade && ade->value[0] != '\0' ? QString::fromLocal8Bit( ade->value ) : QString();
|
||||
}
|
||||
|
||||
|
||||
@@ -272,12 +267,7 @@ QString K3bFFMpegFile::author() const
|
||||
{
|
||||
// FIXME: is this UTF8 or something??
|
||||
AVDictionaryEntry *ade = av_dict_get( d->formatContext->metadata, "ARTIST", NULL, 0 );
|
||||
- if( ade == NULL )
|
||||
- return QString();
|
||||
- if( ade->value != '\0' )
|
||||
- return QString::fromLocal8Bit( ade->value );
|
||||
- else
|
||||
- return QString();
|
||||
+ return ade && ade->value[0] != '\0' ? QString::fromLocal8Bit( ade->value ) : QString();
|
||||
}
|
||||
|
||||
|
||||
@@ -285,12 +275,7 @@ QString K3bFFMpegFile::comment() const
|
||||
{
|
||||
// FIXME: is this UTF8 or something??
|
||||
AVDictionaryEntry *ade = av_dict_get( d->formatContext->metadata, "COMMENT", NULL, 0 );
|
||||
- if( ade == NULL )
|
||||
- return QString();
|
||||
- if( ade->value != '\0' )
|
||||
- return QString::fromLocal8Bit( ade->value );
|
||||
- else
|
||||
- return QString();
|
||||
+ return ade && ade->value[0] != '\0' ? QString::fromLocal8Bit( ade->value ) : QString();
|
||||
}
|
||||
|
||||
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
@ -0,0 +1,49 @@
|
||||
From 399adb1ace87ab25525922f422e5cad3b30f5b60 Mon Sep 17 00:00:00 2001
|
||||
From: Heiko Becker <heirecka@exherbo.org>
|
||||
Date: Sun, 22 Nov 2015 11:48:36 +0100
|
||||
Subject: Use FindPkgConfig instead of UsePkgConfig
|
||||
|
||||
UsePkgConfig is marked as obsolete and doesn't handle differently
|
||||
named pkg-config executables, like architecture or toolchain prefixed
|
||||
ones, well. The FindPkgConfig module respects the PKG_CONFIG env
|
||||
variable and sets PKG_CONFIG_EXECUTABLE accordingly.
|
||||
|
||||
REVIEW: 126135
|
||||
---
|
||||
cmake/modules/FindSndfile.cmake | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/cmake/modules/FindSndfile.cmake b/cmake/modules/FindSndfile.cmake
|
||||
index c5d21b5..8a6fe2b 100644
|
||||
--- a/cmake/modules/FindSndfile.cmake
|
||||
+++ b/cmake/modules/FindSndfile.cmake
|
||||
@@ -21,22 +21,20 @@ endif ( SNDFILE_INCLUDE_DIR AND SNDFILE_LIBRARIES )
|
||||
IF (NOT WIN32)
|
||||
# use pkg-config to get the directories and then use these values
|
||||
# in the FIND_PATH() and FIND_LIBRARY() calls
|
||||
- INCLUDE(UsePkgConfig)
|
||||
+ include(FindPkgConfig)
|
||||
|
||||
- PKGCONFIG(sndfile _SndfileIncDir _SndfileLinkDir _SndfileLinkFlags _SndfileCflags)
|
||||
+ pkg_check_modules(_pc_SNDFILE sndfile)
|
||||
ENDIF (NOT WIN32)
|
||||
|
||||
|
||||
FIND_PATH(SNDFILE_INCLUDE_DIR
|
||||
NAMES sndfile.h
|
||||
- PATHS ${_SndfileIncDir}
|
||||
- NO_DEFAULT_PATH
|
||||
+ HINTS ${_pc_SNDFILE_INCLUDE_DIRS}
|
||||
)
|
||||
|
||||
FIND_LIBRARY(SNDFILE_LIBRARIES
|
||||
NAMES sndfile
|
||||
- PATHS ${_SndfileLinkDir}
|
||||
- NO_DEFAULT_PATH
|
||||
+ HINTS ${_pc_SNDFILE_LIBRARY_DIRS}
|
||||
)
|
||||
|
||||
include(FindPackageHandleStandardArgs)
|
||||
--
|
||||
cgit v0.11.2
|
||||
|
@ -0,0 +1,123 @@
|
||||
# Copyright 1999-2017 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
EAPI=6
|
||||
|
||||
MULTIMEDIA_REQUIRED="always"
|
||||
WEBKIT_REQUIRED="always"
|
||||
KDE_HANDBOOK="optional"
|
||||
|
||||
KDE_LINGUAS="ast be bg bs ca ca@valencia cs csb da de el en_GB eo es et eu fi fr
|
||||
ga gl he hi hne hr hu is it ja kk km ko ku lt lv mai mr ms nb nds nl nn oc pa pl
|
||||
pt pt_BR ro ru se sk sl sr sr@ijekavian sr@ijekavianlatin sr@latin sv th tr ug uk
|
||||
zh_CN zh_TW"
|
||||
|
||||
inherit kde4-base
|
||||
|
||||
DESCRIPTION="Full-featured burning and ripping application by KDE"
|
||||
HOMEPAGE="http://www.k3b.org/"
|
||||
SRC_URI="mirror://kde/stable/${PN}/${P}a.tar.xz"
|
||||
|
||||
LICENSE="GPL-2 FDL-1.2"
|
||||
SLOT="4"
|
||||
KEYWORDS="~amd64 ~x86"
|
||||
IUSE="debug dvd emovix encode ffmpeg flac libav mad mp3 musepack sndfile sox taglib vcd vorbis"
|
||||
|
||||
CDEPEND="
|
||||
$(add_kdeapps_dep libkcddb)
|
||||
media-libs/libsamplerate
|
||||
dvd? ( media-libs/libdvdread )
|
||||
ffmpeg? (
|
||||
libav? ( media-video/libav:= )
|
||||
!libav? ( media-video/ffmpeg:0= )
|
||||
)
|
||||
flac? ( >=media-libs/flac-1.2[cxx] )
|
||||
mp3? ( media-sound/lame )
|
||||
mad? ( media-libs/libmad )
|
||||
musepack? ( >=media-sound/musepack-tools-444 )
|
||||
sndfile? ( media-libs/libsndfile )
|
||||
taglib? ( >=media-libs/taglib-1.5 )
|
||||
vorbis? ( media-libs/libvorbis )
|
||||
"
|
||||
DEPEND="${CDEPEND}
|
||||
sys-devel/gettext
|
||||
"
|
||||
RDEPEND="${CDEPEND}
|
||||
app-cdr/cdrdao
|
||||
kde-frameworks/kdelibs:4[udev,udisks(+)]
|
||||
media-sound/cdparanoia
|
||||
virtual/cdrtools
|
||||
dvd? (
|
||||
>=app-cdr/dvd+rw-tools-7
|
||||
encode? ( media-video/transcode[dvd] )
|
||||
)
|
||||
emovix? ( media-video/emovix )
|
||||
sox? ( media-sound/sox )
|
||||
vcd? ( media-video/vcdimager )
|
||||
"
|
||||
|
||||
REQUIRED_USE="
|
||||
mp3? ( encode )
|
||||
sox? ( encode )
|
||||
"
|
||||
|
||||
DOCS=( ChangeLog FAQ PERMISSIONS README )
|
||||
|
||||
PATCHES=(
|
||||
"${FILESDIR}"/${P}-libav-11.patch
|
||||
"${FILESDIR}"/${P}-gcc6.patch
|
||||
"${FILESDIR}"/${P}-flac.patch
|
||||
"${FILESDIR}"/${P}-sndfile.patch
|
||||
"${FILESDIR}"/${P}-ffmpeg-3.patch
|
||||
"${FILESDIR}"/${P}-gcc7.patch
|
||||
# master
|
||||
"${FILESDIR}"/${P}-dvdrip.patch
|
||||
)
|
||||
|
||||
src_prepare() {
|
||||
kde4-base_src_prepare
|
||||
|
||||
# bug 558640
|
||||
sed -i -e "/^add_subdirectory( doc )/d" CMakeLists.txt || die
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
local mycmakeargs=(
|
||||
-DK3B_BUILD_API_DOCS=OFF
|
||||
-DK3B_BUILD_K3BSETUP=OFF
|
||||
-DK3B_BUILD_WAVE_DECODER_PLUGIN=ON
|
||||
-DK3B_ENABLE_HAL_SUPPORT=OFF
|
||||
-DK3B_ENABLE_MUSICBRAINZ=OFF
|
||||
-DK3B_DEBUG=$(usex debug)
|
||||
-DK3B_ENABLE_DVD_RIPPING=$(usex dvd)
|
||||
-DK3B_BUILD_EXTERNAL_ENCODER_PLUGIN=$(usex encode)
|
||||
-DK3B_BUILD_FFMPEG_DECODER_PLUGIN=$(usex ffmpeg)
|
||||
-DK3B_BUILD_FLAC_DECODER_PLUGIN=$(usex flac)
|
||||
-DK3B_BUILD_LAME_ENCODER_PLUGIN=$(usex mp3)
|
||||
-DK3B_BUILD_MAD_DECODER_PLUGIN=$(usex mad)
|
||||
-DK3B_BUILD_MUSE_DECODER_PLUGIN=$(usex musepack)
|
||||
-DK3B_BUILD_SNDFILE_DECODER_PLUGIN=$(usex sndfile)
|
||||
-DK3B_BUILD_SOX_ENCODER_PLUGIN=$(usex sox)
|
||||
-DK3B_ENABLE_TAGLIB=$(usex taglib)
|
||||
-DK3B_BUILD_OGGVORBIS_DECODER_PLUGIN=$(usex vorbis)
|
||||
-DK3B_BUILD_OGGVORBIS_ENCODER_PLUGIN=$(usex vorbis)
|
||||
)
|
||||
|
||||
kde4-base_src_configure
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
kde4-base_pkg_postinst
|
||||
|
||||
echo
|
||||
elog "If you get warnings on start-up, uncheck the \"Check system"
|
||||
elog "configuration\" option in the \"Misc\" settings window."
|
||||
echo
|
||||
|
||||
local group=cdrom
|
||||
use kernel_linux || group=operator
|
||||
elog "Make sure you have proper read/write permissions on optical device(s)."
|
||||
elog "Usually, it is sufficient to be in the ${group} group."
|
||||
echo
|
||||
}
|
@ -1,3 +1,2 @@
|
||||
DIST trousers-0.3.10.tar.gz 1658652 SHA256 eb9569de5c66d9698f6c3303de03777b95ec72827f68b7744454bfa9227bc530 SHA512 1835246f846d20bc1b2731d68440a9ca45865fcd52ad847d95485e4b126fae8bec09feaad559c27d83e243d92b8adc3a67934bff2034b318df075842fe9df4f0 WHIRLPOOL 7a27ef57b0038178cbf384c9fdec2d2e3e58dbeb5e5bc1503d2a7058a8312df54fa72b87968554631e4b5e483ae5e8c5e0a2367346bf3ae001b523a507ceff40
|
||||
DIST trousers-0.3.13.tar.gz 1371901 SHA256 bb908e4a3c88a17b247a4fc8e0fff3419d8a13170fe7bdfbe0e2c5c082a276d3 SHA512 c54407e538712f738b593707ffc6d617348d73de91dfddd9057273c2fcec26e5738e89db005d36d52596630a9d583f7fcb8cc388f597da6212891e2d79dce699 WHIRLPOOL 8099d2f01b1c64b2e92c78130c9f66766f9054a1ab557f0d6da149ca4869c9fed7ee3a26454ab50bd67069d30c758ccabb450dead1d9100ffacac9f596f6d46b
|
||||
DIST trousers-0.3.14.tar.gz 1378438 SHA256 ce50713a261d14b735ec9ccd97609f0ad5ce69540af560e8c3ce9eb5f2d28f47 SHA512 bf87f00329cf1d76a12cf6b6181fa22f90e76af3c5786e6e2db98438d2d3f0c0e05364374664173f45e3a2f6c0e2364948d0b958a7845cb23fcb340150cd9b21 WHIRLPOOL 1e1c51774fa796c706858d008651182673f7a88532cac35d010f4bd713fe50c1151e0a5a7ffb6975e8a050a1aab6edeb09d1672407025a776625c9b4f2912c88
|
||||
|
@ -1,104 +0,0 @@
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
EAPI=5
|
||||
|
||||
inherit autotools eutils linux-info readme.gentoo systemd user udev
|
||||
|
||||
#MY_P="${PN}-${PV%.*}-${PV##*.}"
|
||||
|
||||
DESCRIPTION="An open-source TCG Software Stack (TSS) v1.1 implementation"
|
||||
HOMEPAGE="http://trousers.sf.net"
|
||||
SRC_URI="mirror://sourceforge/trousers/${P}.tar.gz"
|
||||
|
||||
LICENSE="CPL-1.0 GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~amd64 ~arm ~arm64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~x86"
|
||||
IUSE="doc libressl selinux" # gtk
|
||||
|
||||
# gtk support presently does NOT compile.
|
||||
# gtk? ( >=x11-libs/gtk+-2 )
|
||||
|
||||
CDEPEND=">=dev-libs/glib-2
|
||||
!libressl? ( >=dev-libs/openssl-0.9.7:0 )
|
||||
libressl? ( dev-libs/libressl )
|
||||
"
|
||||
DEPEND="${CDEPEND}
|
||||
virtual/pkgconfig"
|
||||
RDEPEND="${CDEPEND}
|
||||
selinux? ( sec-policy/selinux-tcsd )"
|
||||
# S="${WORKDIR}/${P}git"
|
||||
|
||||
DOCS="AUTHORS ChangeLog NICETOHAVES README TODO"
|
||||
|
||||
DOC_CONTENTS="
|
||||
If you have problems starting tcsd, please check permissions and
|
||||
ownership on /dev/tpm* and ~tss/system.data
|
||||
"
|
||||
|
||||
pkg_setup() {
|
||||
# Check for driver (not sure it can be an rdep, because ot depends on the
|
||||
# version of virtual/linux-sources... Is that supported by portage?)
|
||||
linux-info_pkg_setup
|
||||
local tpm_kernel_version tpm_kernel_present tpm_module
|
||||
kernel_is ge 2 6 12 && tpm_kernel_version="yes"
|
||||
if linux_config_exists; then
|
||||
linux_chkconfig_present TCG_TPM && tpm_kernel_present="yes"
|
||||
else
|
||||
ewarn "No kernel configuration could be found."
|
||||
fi
|
||||
has_version app-crypt/tpm-emulator && tpm_module="yes"
|
||||
if [[ -n "${tpm_kernel_present}" ]]; then
|
||||
einfo "Good, you seem to have in-kernel TPM support."
|
||||
elif [[ -n "${tpm_module}" ]]; then
|
||||
einfo "Good, you seem to have TPM support with the external module."
|
||||
if [[ -n "${tpm_kernel_version}" ]]; then
|
||||
elog
|
||||
elog "Note that since you have a >=2.6.12 kernel, you could use"
|
||||
elog "the in-kernel driver instead of (CONFIG_TCG_TPM)."
|
||||
fi
|
||||
elif [[ -n "${tpm_kernel_version}" ]]; then
|
||||
eerror
|
||||
eerror "To use this package, you will have to activate TPM support"
|
||||
eerror "in your kernel configuration. That's at least CONFIG_TCG_TPM,"
|
||||
eerror "plus probably a chip specific driver (like CONFIG_TCG_ATMEL)."
|
||||
eerror
|
||||
else
|
||||
eerror
|
||||
eerror "To use this package, you should install a TPM driver."
|
||||
eerror "You can have the following options:"
|
||||
eerror " - install app-crypt/tpm-emulator"
|
||||
eerror " - switch to a >=2.6.12 kernel and compile the kernel module"
|
||||
eerror
|
||||
fi
|
||||
|
||||
# New user/group for the daemon
|
||||
enewgroup tss
|
||||
enewuser tss -1 -1 /var/lib/tpm tss
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
epatch "${FILESDIR}"/${P}-nouseradd.patch
|
||||
epatch "${FILESDIR}"/${P}-build.patch
|
||||
mv configure.in configure.ac || die
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
# econf --with-gui=$(usex gtk gtk openssl)
|
||||
econf --with-gui=openssl
|
||||
}
|
||||
|
||||
src_install() {
|
||||
keepdir /var/lib/tpm
|
||||
default
|
||||
use doc && dodoc doc/*
|
||||
newinitd "${FILESDIR}"/tcsd.initd tcsd
|
||||
newconfd "${FILESDIR}"/tcsd.confd tcsd
|
||||
systemd_dounit "${FILESDIR}"/tcsd.service
|
||||
udev_dorules "${FILESDIR}"/61-trousers.rules
|
||||
fowners tss:tss /var/lib/tpm
|
||||
prune_libtool_files
|
||||
readme.gentoo_create_doc
|
||||
}
|
@ -1,102 +0,0 @@
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
EAPI=5
|
||||
|
||||
inherit autotools eutils linux-info readme.gentoo systemd user udev
|
||||
|
||||
#MY_P="${PN}-${PV%.*}-${PV##*.}"
|
||||
|
||||
DESCRIPTION="An open-source TCG Software Stack (TSS) v1.1 implementation"
|
||||
HOMEPAGE="http://trousers.sf.net"
|
||||
SRC_URI="mirror://sourceforge/trousers/${P}.tar.gz"
|
||||
|
||||
LICENSE="CPL-1.0 GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~amd64 ~arm ~arm64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~x86"
|
||||
IUSE="doc selinux" # gtk
|
||||
|
||||
# gtk support presently does NOT compile.
|
||||
# gtk? ( >=x11-libs/gtk+-2 )
|
||||
|
||||
CDEPEND=">=dev-libs/glib-2
|
||||
>=dev-libs/openssl-0.9.7:0"
|
||||
DEPEND="${CDEPEND}
|
||||
virtual/pkgconfig"
|
||||
RDEPEND="${CDEPEND}
|
||||
selinux? ( sec-policy/selinux-tcsd )"
|
||||
# S="${WORKDIR}/${P}git"
|
||||
|
||||
DOCS="AUTHORS ChangeLog NICETOHAVES README TODO"
|
||||
|
||||
DOC_CONTENTS="
|
||||
If you have problems starting tcsd, please check permissions and
|
||||
ownership on /dev/tpm* and ~tss/system.data
|
||||
"
|
||||
|
||||
pkg_setup() {
|
||||
# Check for driver (not sure it can be an rdep, because ot depends on the
|
||||
# version of virtual/linux-sources... Is that supported by portage?)
|
||||
linux-info_pkg_setup
|
||||
local tpm_kernel_version tpm_kernel_present tpm_module
|
||||
kernel_is ge 2 6 12 && tpm_kernel_version="yes"
|
||||
if linux_config_exists; then
|
||||
linux_chkconfig_present TCG_TPM && tpm_kernel_present="yes"
|
||||
else
|
||||
ewarn "No kernel configuration could be found."
|
||||
fi
|
||||
has_version app-crypt/tpm-emulator && tpm_module="yes"
|
||||
if [[ -n "${tpm_kernel_present}" ]]; then
|
||||
einfo "Good, you seem to have in-kernel TPM support."
|
||||
elif [[ -n "${tpm_module}" ]]; then
|
||||
einfo "Good, you seem to have TPM support with the external module."
|
||||
if [[ -n "${tpm_kernel_version}" ]]; then
|
||||
elog
|
||||
elog "Note that since you have a >=2.6.12 kernel, you could use"
|
||||
elog "the in-kernel driver instead of (CONFIG_TCG_TPM)."
|
||||
fi
|
||||
elif [[ -n "${tpm_kernel_version}" ]]; then
|
||||
eerror
|
||||
eerror "To use this package, you will have to activate TPM support"
|
||||
eerror "in your kernel configuration. That's at least CONFIG_TCG_TPM,"
|
||||
eerror "plus probably a chip specific driver (like CONFIG_TCG_ATMEL)."
|
||||
eerror
|
||||
else
|
||||
eerror
|
||||
eerror "To use this package, you should install a TPM driver."
|
||||
eerror "You can have the following options:"
|
||||
eerror " - install app-crypt/tpm-emulator"
|
||||
eerror " - switch to a >=2.6.12 kernel and compile the kernel module"
|
||||
eerror
|
||||
fi
|
||||
|
||||
# New user/group for the daemon
|
||||
enewgroup tss
|
||||
enewuser tss -1 -1 /var/lib/tpm tss
|
||||
}
|
||||
|
||||
src_prepare() {
|
||||
epatch "${FILESDIR}"/${P}-nouseradd.patch
|
||||
epatch "${FILESDIR}"/${P}-build.patch
|
||||
mv configure.in configure.ac || die
|
||||
eautoreconf
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
# econf --with-gui=$(usex gtk gtk openssl)
|
||||
econf --with-gui=openssl
|
||||
}
|
||||
|
||||
src_install() {
|
||||
keepdir /var/lib/tpm
|
||||
default
|
||||
use doc && dodoc doc/*
|
||||
newinitd "${FILESDIR}"/tcsd.initd tcsd
|
||||
newconfd "${FILESDIR}"/tcsd.confd tcsd
|
||||
systemd_dounit "${FILESDIR}"/tcsd.service
|
||||
udev_dorules "${FILESDIR}"/61-trousers.rules
|
||||
fowners tss:tss /var/lib/tpm
|
||||
prune_libtool_files
|
||||
readme.gentoo_create_doc
|
||||
}
|
@ -1,2 +1 @@
|
||||
DIST aqemu-0.8.2.tar.bz2 1025129 SHA256 03c4a95328f78238021168ca4887f9735641f10eb4eb1eff58b08c15b748bf03 SHA512 45f27f82ca307ffc50ea26a57631b47236fd04915274bb00a0720e65859e183d56c3243e0e31d71e5280d0941a9c80c1457b09d393e5c4d4deeb1fea4159459d WHIRLPOOL c5a058883df1424d5d1b2b028fca7fd6aae8b72281060a305a428e63ad5bfb1d062c56c18878b6a279a79953a88c760553a701b5c3346113836eb56ab4a30aa2
|
||||
DIST v0.9.2.tar.gz 1373465 SHA256 e3d54de00ebdce3754f97f7e0e7cce8cebb588e8ce6bc249401cc909281b08de SHA512 9d4808172ee1be82509956560e4d3f9ee349fedd920342146083cc9bc79ef51fc95937c64f20ffb13e2849c577f95f59b5b65271d6e29e2d2e1ec2d1562006ba WHIRLPOOL ddefe4c3265b10940c3d65a5f6182ecfce627bcc45486d7a2b8701a6152b8a144242ea55018437f71773f7b8bb70b763095b5db6f933fdacd7b16b1f22112b87
|
||||
|
@ -1,39 +0,0 @@
|
||||
# Copyright 1999-2014 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
EAPI=4
|
||||
|
||||
inherit cmake-utils
|
||||
|
||||
DESCRIPTION="Graphical interface for QEMU and KVM emulators, using Qt4"
|
||||
HOMEPAGE="https://sourceforge.net/projects/aqemu"
|
||||
SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="amd64 x86"
|
||||
IUSE="vnc"
|
||||
|
||||
DEPEND="${RDEPEND}"
|
||||
RDEPEND="app-emulation/qemu
|
||||
vnc? ( net-libs/libvncserver )
|
||||
dev-qt/qtgui:4
|
||||
dev-qt/qttest:4
|
||||
dev-qt/qtxmlpatterns:4"
|
||||
|
||||
DOCS="AUTHORS CHANGELOG README TODO"
|
||||
PATCHES=(
|
||||
"${FILESDIR}"/aqemu-0.8.2_sigsev_propertis.patch
|
||||
"${FILESDIR}"/aqemu-0.8.2_qt48_build.patch
|
||||
"${FILESDIR}"/aqemu-0.8.2_desktop_file.patch
|
||||
)
|
||||
|
||||
src_configure() {
|
||||
local mycmakeargs=(
|
||||
"-DMAN_PAGE_COMPRESSOR="
|
||||
"-DWITHOUT_EMBEDDED_DISPLAY=$(use vnc && echo "OFF" || echo "ON")"
|
||||
)
|
||||
|
||||
cmake-utils_src_configure
|
||||
}
|
@ -1,41 +0,0 @@
|
||||
# Copyright 1999-2014 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
EAPI=4
|
||||
|
||||
inherit cmake-utils
|
||||
|
||||
DESCRIPTION="Graphical interface for QEMU and KVM emulators, using Qt4"
|
||||
HOMEPAGE="https://sourceforge.net/projects/aqemu"
|
||||
SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
|
||||
|
||||
LICENSE="GPL-2"
|
||||
SLOT="0"
|
||||
KEYWORDS="~amd64 ~x86"
|
||||
IUSE="vnc"
|
||||
|
||||
DEPEND="${RDEPEND}"
|
||||
RDEPEND="app-emulation/qemu
|
||||
vnc? ( net-libs/libvncserver )
|
||||
dev-qt/qtgui:4
|
||||
dev-qt/qttest:4
|
||||
dev-qt/qtxmlpatterns:4"
|
||||
|
||||
DOCS="AUTHORS CHANGELOG README TODO"
|
||||
|
||||
PATCHES=(
|
||||
"${FILESDIR}"/aqemu-0.8.2_sigsev_propertis.patch
|
||||
"${FILESDIR}"/aqemu-0.8.2_qt48_build.patch
|
||||
"${FILESDIR}"/aqemu-0.8.2_desktop_file.patch
|
||||
"${FILESDIR}"/aqemu-0.8.2_format-security.patch
|
||||
)
|
||||
|
||||
src_configure() {
|
||||
local mycmakeargs=(
|
||||
"-DMAN_PAGE_COMPRESSOR="
|
||||
"-DWITHOUT_EMBEDDED_DISPLAY=$(use vnc && echo "OFF" || echo "ON")"
|
||||
)
|
||||
|
||||
cmake-utils_src_configure
|
||||
}
|
@ -1,33 +0,0 @@
|
||||
From 2a0f32e8cb46c8a1c0a33ed151737e5abb5679ed Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Rijov <rdron@users.sourceforge.net>
|
||||
Date: Mon, 31 Oct 2011 19:38:17 +0400
|
||||
Subject: [PATCH] Updated aqemu.desktop file (See bug: 3430317)
|
||||
|
||||
---
|
||||
menu_data/aqemu.desktop | 9 +++++----
|
||||
1 files changed, 5 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/menu_data/aqemu.desktop
|
||||
+++ b/menu_data/aqemu.desktop
|
||||
@@ -1,14 +1,15 @@
|
||||
[Desktop Entry]
|
||||
Encoding=UTF-8
|
||||
-Name=AQEMU
|
||||
Exec=aqemu
|
||||
Terminal=false
|
||||
Type=Application
|
||||
-Icon=aqemu_48x48.png
|
||||
+Icon=aqemu_48x48
|
||||
StartupNotify=true
|
||||
Categories=System;Emulator;
|
||||
|
||||
-Name[ru]=AQEMU
|
||||
+Name=AQEMU
|
||||
+Comment=Virtual machine manager
|
||||
Name[en]=AQEMU
|
||||
-Comment[ru]=Управление виртуальными машинами
|
||||
Comment[en]=Virtual machine manager
|
||||
+Name[ru]=AQEMU
|
||||
+Comment[ru]=Управление виртуальными машинами
|
||||
--
|
||||
1.7.4.1
|
@ -1,38 +0,0 @@
|
||||
--- aqemu-0.8.2-orig/Utils.cpp
|
||||
+++ aqemu-0.8.2-format-security/Utils.cpp
|
||||
@@ -66,9 +66,9 @@ void AQDebug( const QString &sender, con
|
||||
std::cout << QString( "\nAQEMU Debug [%1] >>>\nSender: %2\nMessage: %3" )
|
||||
.arg(Messages_Index).arg(sender).arg(mes).toStdString();
|
||||
#else
|
||||
- qDebug( qPrintable(QString(
|
||||
+ qDebug() << qPrintable(QString(
|
||||
"\n\33[32mAQEMU Debug\33[0m [%1] >>>\n\33[32mSender:\33[0m %2\n\33[32mMessage:\33[0m %3")
|
||||
- .arg(Messages_Index).arg(sender).arg(mes)) );
|
||||
+ .arg(Messages_Index).arg(sender).arg(mes));
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -87,9 +87,9 @@ void AQWarning( const QString &sender, c
|
||||
std::cout << QString( "\nAQEMU Warning [%1] >>>\nSender: %2\nMessage: %3" )
|
||||
.arg(Messages_Index).arg(sender).arg(mes).toStdString();
|
||||
#else
|
||||
- qDebug( qPrintable(QString(
|
||||
+ qDebug() << qPrintable(QString(
|
||||
"\n\33[34mAQEMU Warning\33[0m [%1] >>>\n\33[34mSender:\33[0m %2\n\33[34mMessage:\33[0m %3")
|
||||
- .arg(Messages_Index).arg(sender).arg(mes)) );
|
||||
+ .arg(Messages_Index).arg(sender).arg(mes));
|
||||
#endif
|
||||
}
|
||||
|
||||
@@ -108,9 +108,9 @@ void AQError( const QString &sender, con
|
||||
std::cout << QString( "\nAQEMU Error [%1] >>>\nSender: %2\nMessage: %3" )
|
||||
.arg(Messages_Index).arg(sender).arg(mes).toStdString();
|
||||
#else
|
||||
- qDebug( qPrintable(QString(
|
||||
+ qDebug() << qPrintable(QString(
|
||||
"\n\33[31mAQEMU Error\33[0m [%1] >>>\n\33[31mSender:\33[0m %2\n\33[31mMessage:\33[0m %3")
|
||||
- .arg(Messages_Index).arg(sender).arg(mes)) );
|
||||
+ .arg(Messages_Index).arg(sender).arg(mes));
|
||||
#endif
|
||||
}
|
||||
|
@ -1,27 +0,0 @@
|
||||
From 9b21d88a4f4a681f9e80c11e83e81c976e0fc91e Mon Sep 17 00:00:00 2001
|
||||
From: Andrey Rijov <rdron@users.sourceforge.net>
|
||||
Date: Sat, 29 Oct 2011 10:20:32 +0400
|
||||
Subject: [PATCH 1/1] Fix build error on Qt 4.8
|
||||
|
||||
---
|
||||
Embedded_Display/vncview.cpp | 4 ++--
|
||||
1 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Embedded_Display/vncview.cpp b/Embedded_Display/vncview.cpp
|
||||
index 9e105c9..0be5944 100644
|
||||
--- a/Embedded_Display/vncview.cpp
|
||||
+++ b/Embedded_Display/vncview.cpp
|
||||
@@ -27,8 +27,8 @@
|
||||
#include <QMessageBox>
|
||||
#include <QInputDialog>
|
||||
#define KMessageBox QMessageBox
|
||||
- #define error(parent, message, caption) \
|
||||
- critical(parent, caption, message)
|
||||
+/* #define error(parent, message, caption) \
|
||||
+ critical(parent, caption, message)*/
|
||||
#else
|
||||
#include "settings.h"
|
||||
#include <KActionCollection>
|
||||
--
|
||||
1.7.4.1
|
||||
|
@ -1,41 +0,0 @@
|
||||
--- a/Device_Manager_Widget.cpp 2011-09-13 21:45:58.883389571 +0200
|
||||
+++ b/Device_Manager_Widget.cpp 2011-09-13 21:55:01.401866022 +0200
|
||||
@@ -981,9 +981,10 @@
|
||||
{
|
||||
if( ui.Devices_List->currentItem()->data(512).toString() == "device" + QString::number(fx) )
|
||||
{
|
||||
- finded = true;
|
||||
-
|
||||
Storage_Devices.removeAt( fx );
|
||||
+ ui.Devices_List->takeItem( ui.Devices_List->currentRow() );
|
||||
+ finded = true;
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -993,10 +994,24 @@
|
||||
"Incorrect Device!" );
|
||||
return;
|
||||
}
|
||||
+ else
|
||||
+ {
|
||||
+ // Rename items
|
||||
+ for( int ix = 0, count = 0; ix < ui.Devices_List->count(); ++ix )
|
||||
+ {
|
||||
+ if( ui.Devices_List->item(ix)->data(512).toString().contains("device") )
|
||||
+ {
|
||||
+ ui.Devices_List->item(ix)->setData( 512, QString("device%1").arg(count) );
|
||||
+ ++count;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ emit Device_Changet();
|
||||
+ return;
|
||||
+ }
|
||||
}
|
||||
|
||||
ui.Devices_List->takeItem( ui.Devices_List->currentRow() );
|
||||
-
|
||||
emit Device_Changet();
|
||||
}
|
||||
|
@ -1,3 +1 @@
|
||||
DIST qemu-2.7.0.tar.bz2 26867760 SHA256 326e739506ba690daf69fc17bd3913a6c313d9928d743bd8eddb82f403f81e53 SHA512 654acaa7b3724a288e5d7e2a26ab780d9c9ed9f647fba00a906cbaffbe9d58fd666f2d962514aa2c5b391b4c53811ac3170d2eb51727f090bd19dfe45ca9a9db WHIRLPOOL dcb3e5f7da89dd8e14d636d7ebd476e076e0043880bb9ea3fb1c03cb4bcd4e5c7d3c4719da26c3ce521e3a3db5ae671e86f198ac1bc3474e774d75504fef8b8d
|
||||
DIST qemu-2.7.1.tar.bz2 26868403 SHA256 68636788eb69bcb0b44ba220b32b50495d6bd5712a934c282217831c4822958f SHA512 16a83946e9064733254c82c961749bf9c56a0a2a8ee46145b4a78e1452ac0e2548d888963d18c80e28f65202890fd643b0011951b5b1c66ef16234767ed91898 WHIRLPOOL ae3d3c2b2a3700613733659847de6187755631cb09e8c3548ea30cd994357c9ff128646edce88dfe4dce53e6c1c0f37f8de3688ee7e22262033b40f3fc706efa
|
||||
DIST qemu-2.8.0.tar.bz2 28368517 SHA256 dafd5d7f649907b6b617b822692f4c82e60cf29bc0fc58bc2036219b591e5e62 SHA512 50f2988d822388ba9fd1bf5dbe68359033ed7432d7f0f9790299f32f63faa6dc72979256b5632ba572d47ee3e74ed40e3e8e331dc6303ec1599f1b4367cb78c2 WHIRLPOOL 0ce4e0539657eb832e4039819e7360c792b6aa41c718f0e0d762f4933217f0d370af94b1d6d9776853575b4a6811d8c85db069bf09d21bd15399ac8b50440ff5
|
||||
|
@ -0,0 +1,2 @@
|
||||
KERNEL=="kvm", GROUP="kvm", MODE="0660"
|
||||
KERNEL=="vhost-net", GROUP="kvm", MODE="0660", OPTIONS+="static_node=vhost-net"
|
@ -1,27 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In Vmxnet3 device emulator while processing transmit(tx) queue,
|
||||
when it reaches end of packet, it calls vmxnet3_complete_packet.
|
||||
In that local 'txcq_descr' object is not initialised, which could
|
||||
leak host memory bytes a guest.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/vmxnet3.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 90f6943..92f6af9 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
|
||||
|
||||
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
|
||||
|
||||
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
|
||||
txcq_descr.txdIdx = tx_ridx;
|
||||
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
|
||||
|
||||
--
|
||||
2.5.5
|
@ -1,81 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the page count for these rings to
|
||||
an arbitrary value, leading to infinite loop or OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Tom Victor <address@hidden>
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 21 ++++++++++-----------
|
||||
1 file changed, 10 insertions(+), 11 deletions(-)
|
||||
|
||||
Update per review
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg00019.html
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 5116f4a..4245c15 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static int
|
||||
+static void
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
- return -1;
|
||||
- }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
||||
|
||||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
||||
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
||||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
||||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -779,10 +773,15 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
+ if (!rc->reqRingNumPages
|
||||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
||||
+ || !rc->cmpRingNumPages
|
||||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
+
|
||||
pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
- return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
- }
|
||||
+ pvscsi_ring_init_data(&s->rings, rc);
|
||||
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
--
|
||||
2.5.5
|
@ -1,62 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||
long time or go into an infinite loop due to two different bugs:
|
||||
|
||||
1) the request descriptor data length is defined to be 64 bit. While
|
||||
building SG list from a request descriptor, it gets truncated to 32bit
|
||||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||
situation for large 'dataLen' values, when data_length is cast to uint32_t
|
||||
and chunk_size becomes always zero. Fix this by removing the incorrect
|
||||
cast.
|
||||
|
||||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||
element has a zero length. Get out of the loop early when this happens,
|
||||
by introducing an upper limit on the number of SG list elements.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
Update as per:
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg01172.html
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 4245c15..babac5a 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
#define PVSCSI_MAX_DEVS (64)
|
||||
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||
|
||||
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||
+
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
- int chunk_size;
|
||||
+ uint32_t chunk_size, elmcnt = 0;
|
||||
uint64_t data_length = r->req.dataLen;
|
||||
PVSCSISGState sg = r->sg;
|
||||
- while (data_length) {
|
||||
- while (!sg.resid) {
|
||||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||
pvscsi_get_next_sg_elem(&sg);
|
||||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||
r->sg.resid);
|
||||
}
|
||||
- assert(data_length > 0);
|
||||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||
+ chunk_size = MIN(data_length, sg.resid);
|
||||
if (chunk_size) {
|
||||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||
}
|
||||
--
|
||||
2.5.5
|
@ -1,28 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, the format string used in 'mptsas_config_manufacturing_1'
|
||||
was wrong. It could lead to an invalid memory access.
|
||||
|
||||
Reported-by: Tom Victor <address@hidden>
|
||||
Fix-suggested-by: Paolo Bonzini <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 7071854..1ec895b 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||
{
|
||||
/* VPD - all zeros */
|
||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||
- "s256");
|
||||
+ "*s256");
|
||||
}
|
||||
|
||||
static
|
||||
--
|
||||
2.5.5
|
@ -1,27 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, mptsas_config_pack() asserts to check returned size
|
||||
value is within limit of 256 bytes. Fix that assert expression.
|
||||
|
||||
Suggested-by: Paolo Bonzini <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 1ec895b..531947f 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||
va_end(ap);
|
||||
|
||||
if (data) {
|
||||
- assert(ret < 256 && (ret % 4) == 0);
|
||||
+ assert(ret / 4 < 256);
|
||||
stb_p(*data + 1, ret / 4);
|
||||
}
|
||||
return ret;
|
||||
--
|
||||
2.5.5
|
@ -1,40 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||
the computed BITMAP and PIXMAP size are checked against the
|
||||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||
Correct these checks to avoid OOB memory access.
|
||||
|
||||
Reported-by: Qinghao Tang <address@hidden>
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/display/vmware_vga.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
- if (cursor.width > 256 ||
|
||||
- cursor.height > 256 ||
|
||||
- cursor.bpp > 32 ||
|
||||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
+ if (cursor.width > 256
|
||||
+ || cursor.height > 256
|
||||
+ || cursor.bpp > 32
|
||||
+ || SVGA_BITMAP_SIZE(x, y)
|
||||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||
goto badcmd;
|
||||
}
|
||||
|
||||
--
|
||||
2.5.5
|
||||
|
@ -1,34 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||
always returned positive value. Limit IO loop to the ring size.
|
||||
|
||||
Cc: address@hidden
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
Message-Id: <address@hidden>
|
||||
Signed-off-by: Paolo Bonzini <address@hidden>
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index babac5a..a5ce7de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -247,8 +247,11 @@ static hwaddr
|
||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||
{
|
||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
|
||||
- if (ready_ptr != mgr->consumed_ptr) {
|
||||
+ if (ready_ptr != mgr->consumed_ptr
|
||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||
uint32_t next_ready_ptr =
|
||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||
uint32_t next_ready_page =
|
||||
--
|
||||
1.8.3.1
|
@ -1,37 +0,0 @@
|
||||
From 973e7170dddefb491a48df5cba33b2ae151013a0 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 19 Sep 2016 23:55:45 +0530
|
||||
Subject: [PATCH] virtio: add check for descriptor's mapped address
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
If its size is too large, 'cpu_physical_memory_map' could return
|
||||
a null address. This would result in a null dereference while
|
||||
un-mapping descriptors. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index fcf3358d6c0d..bb656b1ccff0 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -495,6 +495,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
}
|
||||
|
||||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||
+ if (!iov[num_sg].iov_base) {
|
||||
+ error_report("virtio: bogus descriptor or out of resources");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
iov[num_sg].iov_len = len;
|
||||
addr[num_sg] = pa;
|
||||
|
||||
--
|
||||
2.11.0
|
@ -1,31 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
When processing IO request in mptsas, it uses g_new to allocate
|
||||
a 'req' object. If an error occurs before 'req->sreq' is
|
||||
allocated, It could lead to an OOB write in mptsas_free_request
|
||||
function. Use g_new0 to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
Message-Id: <address@hidden>
|
||||
Cc: address@hidden
|
||||
Signed-off-by: Paolo Bonzini <address@hidden>
|
||||
---
|
||||
hw/scsi/mptsas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 0e0a22f..eaae1bb 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- req = g_new(MPTSASRequest, 1);
|
||||
+ req = g_new0(MPTSASRequest, 1);
|
||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||
req->scsi_io = *scsi_io;
|
||||
req->dev = s;
|
||||
--
|
||||
1.8.3.1
|
@ -1,26 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
If the xhci uses msix, it doesn't free the corresponding
|
||||
memory, thus leading a memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 188f954..281a2a5 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||
/* destroy msix memory region */
|
||||
if (dev->msix_table && dev->msix_pba
|
||||
&& dev->msix_entry_used) {
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||
}
|
||||
|
||||
usb_bus_release(&xhci->bus);
|
||||
--
|
||||
1.8.3.1
|
@ -1,45 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
i.MX Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set an upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/imx_fec.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
Update per
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-09/msg05284.html
|
||||
|
||||
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
|
||||
index 1c415ab..1d74827 100644
|
||||
--- a/hw/net/imx_fec.c
|
||||
+++ b/hw/net/imx_fec.c
|
||||
@@ -220,6 +220,8 @@ static const VMStateDescription vmstate_imx_eth = {
|
||||
#define PHY_INT_PARFAULT (1 << 2)
|
||||
#define PHY_INT_AUTONEG_PAGE (1 << 1)
|
||||
|
||||
+#define IMX_MAX_DESC 1024
|
||||
+
|
||||
static void imx_eth_update(IMXFECState *s);
|
||||
|
||||
/*
|
||||
@@ -402,12 +404,12 @@ static void imx_eth_update(IMXFECState *s)
|
||||
|
||||
static void imx_fec_do_tx(IMXFECState *s)
|
||||
{
|
||||
- int frame_size = 0;
|
||||
+ int frame_size = 0, descnt = 0;
|
||||
uint8_t frame[ENET_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr = frame;
|
||||
uint32_t addr = s->tx_descriptor;
|
||||
|
||||
- while (1) {
|
||||
+ while (descnt++ < IMX_MAX_DESC) {
|
||||
IMXFECBufDesc bd;
|
||||
int len;
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 070c4b92b8cd5390889716677a0b92444d6e087a Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||
Subject: [PATCH] net: mcf: limit buffer descriptor count
|
||||
|
||||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
---
|
||||
hw/net/mcf_fec.c | 5 +++--
|
||||
1 files changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 0ee8ad9..d31fea1 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||
#define DPRINTF(fmt, ...) do {} while(0)
|
||||
#endif
|
||||
|
||||
+#define FEC_MAX_DESC 1024
|
||||
#define FEC_MAX_FRAME_SIZE 2032
|
||||
|
||||
typedef struct {
|
||||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
uint32_t addr;
|
||||
mcf_fec_bd bd;
|
||||
int frame_size;
|
||||
- int len;
|
||||
+ int len, descnt = 0;
|
||||
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr;
|
||||
|
||||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
ptr = frame;
|
||||
frame_size = 0;
|
||||
addr = s->tx_descriptor;
|
||||
- while (1) {
|
||||
+ while (descnt++ < FEC_MAX_DESC) {
|
||||
mcf_fec_read_bd(&bd, addr);
|
||||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||
addr, bd.flags, bd.length, bd.data);
|
||||
--
|
||||
1.7.0.4
|
||||
|
@ -1,32 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
The AMD PC-Net II emulator has set of control and status(CSR)
|
||||
registers. Of these, CSR76 and CSR78 hold receive and transmit
|
||||
descriptor ring length respectively. This ring length could range
|
||||
from 1 to 65535. Setting ring length to zero leads to an infinite
|
||||
loop in pcnet_rdra_addr. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/pcnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 198a01f..3078de8 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
||||
case 47: /* POLLINT */
|
||||
case 72:
|
||||
case 74:
|
||||
+ break;
|
||||
case 76: /* RCVRL */
|
||||
case 78: /* XMTRL */
|
||||
+ val = (val > 0) ? val : 512;
|
||||
+ break;
|
||||
case 112:
|
||||
if (CSR_STOP(s) || CSR_SPND(s))
|
||||
break;
|
||||
--
|
||||
2.5.5
|
@ -1,25 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In virtio gpu resource create dispatch, if the pixman format is zero
|
||||
it doesn't free the resource object allocated previously. Thus leading
|
||||
a host memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 7fe6ed8..5b6d17b 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
||||
qemu_log_mask(LOG_GUEST_ERROR,
|
||||
"%s: host couldn't handle guest format %d\n",
|
||||
__func__, c2d.format);
|
||||
+ g_free(res);
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
return;
|
||||
}
|
||||
--
|
||||
1.8.3.1
|
@ -1,26 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), if the page
|
||||
select(PG) field value is out of bands it will return. In this
|
||||
situation the ehci's sg list doesn't be freed thus leading a memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index b093db7..f4ece9a 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
if (off + len > 4096) {
|
||||
/* transfer crosses page border */
|
||||
if (pg == 6) {
|
||||
+ qemu_sglist_destroy(&ehci->isgl);
|
||||
return -1; /* avoid page pg + 1 */
|
||||
}
|
||||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
||||
--
|
||||
1.8.3.1
|
@ -1,61 +0,0 @@
|
||||
From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
|
||||
From: Gerd Hoffmann <address@hidden>
|
||||
Date: Fri, 7 Oct 2016 10:15:29 +0200
|
||||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <address@hidden>
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 726435c..ee4fa48 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -54,6 +54,8 @@
|
||||
* to the specs when it gets them */
|
||||
#define ER_FULL_HACK
|
||||
|
||||
+#define TRB_LINK_LIMIT 4
|
||||
+
|
||||
#define LEN_CAP 0x40
|
||||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
|
||||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
|
||||
@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
dma_addr_t *addr)
|
||||
{
|
||||
PCIDevice *pci_dev = PCI_DEVICE(xhci);
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
ring->dequeue += TRB_SIZE;
|
||||
return type;
|
||||
} else {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
ring->dequeue = xhci_mask64(trb->parameter);
|
||||
if (trb->control & TRB_LK_TC) {
|
||||
ring->ccs = !ring->ccs;
|
||||
@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
bool ccs = ring->ccs;
|
||||
/* hack to bundle together the two/three TDs that make a setup transfer */
|
||||
bool control_td_set = 0;
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
type = TRB_TYPE(trb);
|
||||
|
||||
if (type == TR_LINK) {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return -length;
|
||||
+ }
|
||||
dequeue = xhci_mask64(trb.parameter);
|
||||
if (trb.control & TRB_LK_TC) {
|
||||
ccs = !ccs;
|
||||
--
|
||||
1.8.3.1
|
@ -1,34 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
|
||||
object thus causing potential memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/9pfs/9p.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 119ee58..543a791 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
|
||||
if (len < 0) {
|
||||
/* IO error return the error */
|
||||
err = len;
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
} while (count < max_count && len > 0);
|
||||
err = pdu_marshal(pdu, offset, "d", count);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
err += offset + count;
|
||||
+out_free_iovec:
|
||||
qemu_iovec_destroy(&qiov);
|
||||
qemu_iovec_destroy(&qiov_full);
|
||||
} else if (fidp->fid_type == P9_FID_XATTR) {
|
||||
--
|
||||
1.8.3.1
|
@ -1,58 +0,0 @@
|
||||
From ba42ebb863ab7d40adc79298422ed9596df8f73a Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
|
||||
|
||||
If a guest sends an empty string paramater to any 9P operation, the current
|
||||
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
|
||||
|
||||
This is unfortunate because it can cause NULL pointer dereference to happen
|
||||
at various locations in the 9pfs code. And we don't want to check str->data
|
||||
everywhere we pass it to strcmp() or any other function which expects a
|
||||
dereferenceable pointer.
|
||||
|
||||
This patch enforces the allocation of genuine C empty strings instead, so
|
||||
callers don't have to bother.
|
||||
|
||||
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
|
||||
the returned string is empty. It now uses v9fs_string_size() since
|
||||
name.data cannot be NULL anymore.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
[groug, rewritten title and changelog,
|
||||
fix empty string check in v9fs_xattrwalk()]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
---
|
||||
fsdev/9p-iov-marshal.c | 2 +-
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
|
||||
index 663cad5..1d16f8d 100644
|
||||
--- a/fsdev/9p-iov-marshal.c
|
||||
+++ b/fsdev/9p-iov-marshal.c
|
||||
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
|
||||
str->data = g_malloc(str->size + 1);
|
||||
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
|
||||
str->size);
|
||||
- if (copied > 0) {
|
||||
+ if (copied >= 0) {
|
||||
str->data[str->size] = 0;
|
||||
} else {
|
||||
v9fs_string_free(str);
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 119ee58..39a7e1d 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3174,7 +3174,7 @@ static void v9fs_xattrwalk(void *opaque)
|
||||
goto out;
|
||||
}
|
||||
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
|
||||
- if (name.data == NULL) {
|
||||
+ if (!v9fs_string_size(&name)) {
|
||||
/*
|
||||
* listxattr request. Get the size first
|
||||
*/
|
||||
--
|
||||
2.7.3
|
||||
|
@ -1,30 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Rocker network switch emulator has test registers to help debug
|
||||
DMA operations. While testing host DMA access, a buffer address
|
||||
is written to register 'TEST_DMA_ADDR' and its size is written to
|
||||
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
|
||||
test, if DMA buffer size was greater than 'INT_MAX', it leads to
|
||||
an invalid buffer access. Limit the DMA buffer size to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/rocker/rocker.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index 30f2ce4..e9d215a 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
||||
rocker_msix_irq(r, val);
|
||||
break;
|
||||
case ROCKER_TEST_DMA_SIZE:
|
||||
- r->test_dma_size = val;
|
||||
+ r->test_dma_size = val & 0xFFFF;
|
||||
break;
|
||||
case ROCKER_TEST_DMA_ADDR + 4:
|
||||
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
|
||||
--
|
||||
2.5.5
|
@ -1,34 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
16550A UART device uses an oscillator to generate frequencies
|
||||
(baud base), which decide communication speed. This speed could
|
||||
be changed by dividing it by a divider. If the divider is
|
||||
greater than the baud base, speed is set to zero, leading to a
|
||||
divide by zero error. Add check to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/char/serial.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
Update per
|
||||
-> https://lists.gnu.org/archive/html/qemu-devel/2016-10/msg02400.html
|
||||
|
||||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||
index 3442f47..eec72b7 100644
|
||||
--- a/hw/char/serial.c
|
||||
+++ b/hw/char/serial.c
|
||||
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)
|
||||
int speed, parity, data_bits, stop_bits, frame_size;
|
||||
QEMUSerialSetParams ssp;
|
||||
|
||||
- if (s->divider == 0)
|
||||
+ if (s->divider == 0 || s->divider > s->baudbase) {
|
||||
return;
|
||||
+ }
|
||||
|
||||
/* Start bit. */
|
||||
frame_size = 1;
|
||||
--
|
||||
2.5.5
|
@ -1,31 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
Intel HDA emulator uses stream of buffers during DMA data
|
||||
transfers. Each entry has buffer length and buffer pointer
|
||||
position, which are used to derive bytes to 'copy'. If this
|
||||
length and buffer pointer were to be same, 'copy' could be
|
||||
set to zero(0), leading to an infinite loop. Add check to
|
||||
avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/audio/intel-hda.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
||||
index cd95340..537face 100644
|
||||
--- a/hw/audio/intel-hda.c
|
||||
+++ b/hw/audio/intel-hda.c
|
||||
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
||||
}
|
||||
|
||||
left = len;
|
||||
- while (left > 0) {
|
||||
+ s = st->bentries;
|
||||
+ while (left > 0 && s-- > 0) {
|
||||
copy = left;
|
||||
if (copy > st->bsize - st->lpib)
|
||||
copy = st->bsize - st->lpib;
|
||||
--
|
||||
2.7.4
|
@ -1,29 +0,0 @@
|
||||
From: Prasad J Pandit <address@hidden>
|
||||
|
||||
RTL8139 ethernet controller in C+ mode supports multiple
|
||||
descriptor rings, each with maximum of 64 descriptors. While
|
||||
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
|
||||
it does not limit the descriptor count and runs forever. Add
|
||||
check to avoid it.
|
||||
|
||||
Reported-by: Andrew Henderson <address@hidden>
|
||||
Signed-off-by: Prasad J Pandit <address@hidden>
|
||||
---
|
||||
hw/net/rtl8139.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
||||
index 3345bc6..f05e59c 100644
|
||||
--- a/hw/net/rtl8139.c
|
||||
+++ b/hw/net/rtl8139.c
|
||||
@@ -2350,7 +2350,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
|
||||
{
|
||||
int txcount = 0;
|
||||
|
||||
- while (rtl8139_cplus_transmit_one(s))
|
||||
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
|
||||
{
|
||||
++txcount;
|
||||
}
|
||||
--
|
||||
2.7.4
|
@ -1,21 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
|
||||
situation that this field has been allocated previously. Every time, it
|
||||
will be allocated directly. This leads a host memory leak issue. This
|
||||
patch fix this.
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 75ba5f1..a4c7109 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3269,6 +3269,7 @@ static void v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
+ g_free(xattr_fidp->fs.xattr.value);
|
||||
xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
@ -1,27 +0,0 @@
|
||||
Author: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon Oct 17 14:13:58 2016 +0200
|
||||
|
||||
9pfs: fix information leak in xattr read
|
||||
|
||||
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
|
||||
reads this memory before writing to it, this will leak host heap memory
|
||||
to the guest. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 26aa7d5..bf23b01 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3269,8 +3269,8 @@ static void coroutine_fn v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
g_free(xattr_fidp->fs.xattr.value);
|
||||
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
||||
out_nofid:
|
@ -1,92 +0,0 @@
|
||||
From 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
|
||||
originated offset: they must ensure this offset does not go beyond
|
||||
the size of the extended attribute that was set in v9fs_xattrcreate().
|
||||
Unfortunately, the current code implement these checks with unsafe
|
||||
calculations on 32 and 64 bit values, which may allow a malicious
|
||||
guest to cause OOB access anyway.
|
||||
|
||||
Fix this by comparing the offset and the xattr size, which are
|
||||
both uint64_t, before trying to compute the effective number of bytes
|
||||
to read or write.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-By: Guido Günther <agx@sigxcpu.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
---
|
||||
hw/9pfs/9p.c | 32 ++++++++++++--------------------
|
||||
1 file changed, 12 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index ab18ef2..7705ead 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1637,20 +1637,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
ssize_t err;
|
||||
size_t offset = 7;
|
||||
- int read_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t read_count;
|
||||
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
|
||||
VirtQueueElement *elem = v->elems[pdu->idx];
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- read_count = xattr_len - off;
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
+ read_count = 0;
|
||||
+ } else {
|
||||
+ read_count = fidp->fs.xattr.len - off;
|
||||
+ }
|
||||
if (read_count > max_count) {
|
||||
read_count = max_count;
|
||||
- } else if (read_count < 0) {
|
||||
- /*
|
||||
- * read beyond XATTR value
|
||||
- */
|
||||
- read_count = 0;
|
||||
}
|
||||
err = pdu_marshal(pdu, offset, "d", read_count);
|
||||
if (err < 0) {
|
||||
@@ -1979,23 +1976,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
int i, to_copy;
|
||||
ssize_t err = 0;
|
||||
- int write_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t write_count;
|
||||
size_t offset = 7;
|
||||
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- write_count = xattr_len - off;
|
||||
- if (write_count > count) {
|
||||
- write_count = count;
|
||||
- } else if (write_count < 0) {
|
||||
- /*
|
||||
- * write beyond XATTR value len specified in
|
||||
- * xattrcreate
|
||||
- */
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
err = -ENOSPC;
|
||||
goto out;
|
||||
}
|
||||
+ write_count = fidp->fs.xattr.len - off;
|
||||
+ if (write_count > count) {
|
||||
+ write_count = count;
|
||||
+ }
|
||||
err = pdu_marshal(pdu, offset, "d", write_count);
|
||||
if (err < 0) {
|
||||
return err;
|
||||
--
|
||||
2.7.3
|
||||
|
@ -1,25 +0,0 @@
|
||||
From: Li Qiang <address@hidden>
|
||||
|
||||
In v9fs_link dispatch function, it doesn't put the 'oldfidp'
|
||||
fid object, this will make the 'oldfidp->ref' never reach to 0,
|
||||
thus leading a memory leak issue. This patch fix this.
|
||||
|
||||
Signed-off-by: Li Qiang <address@hidden>
|
||||
---
|
||||
hw/9pfs/9p.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 8b50bfb..29f8b7a 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2413,6 +2413,7 @@ static void v9fs_link(void *opaque)
|
||||
if (!err) {
|
||||
err = offset;
|
||||
}
|
||||
+ put_fid(pdu, oldfidp);
|
||||
out:
|
||||
put_fid(pdu, dfidp);
|
||||
out_nofid:
|
||||
--
|
||||
1.8.3.1
|
@ -1,27 +0,0 @@
|
||||
Author: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon Oct 17 14:13:58 2016 +0200
|
||||
|
||||
9pfs: fix memory leak in v9fs_write
|
||||
|
||||
If an error occurs when marshalling the transfer length to the guest, the
|
||||
v9fs_write() function doesn't free an IO vector, thus leading to a memory
|
||||
leak. This patch fixes the issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, rephrased the changelog]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index d43a552..e88cf25 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2090,7 +2090,7 @@ static void coroutine_fn v9fs_write(void *opaque)
|
||||
offset = 7;
|
||||
err = pdu_marshal(pdu, offset, "d", total);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_qiov;
|
||||
}
|
||||
err += offset;
|
||||
|
@ -0,0 +1,46 @@
|
||||
From eb7a20a3616085d46aa6b4b4224e15587ec67e6e Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 28 Nov 2016 17:49:04 -0800
|
||||
Subject: [PATCH] watchdog: 6300esb: add exit function
|
||||
|
||||
When the Intel 6300ESB watchdog is hot unplug. The timer allocated
|
||||
in realize isn't freed thus leaking memory leak. This patch avoid
|
||||
this through adding the exit function.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
hw/watchdog/wdt_i6300esb.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
|
||||
index a83d951..49b3cd1 100644
|
||||
--- a/hw/watchdog/wdt_i6300esb.c
|
||||
+++ b/hw/watchdog/wdt_i6300esb.c
|
||||
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
|
||||
/* qemu_register_coalesced_mmio (addr, 0x10); ? */
|
||||
}
|
||||
|
||||
+static void i6300esb_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
|
||||
+
|
||||
+ timer_del(d->timer);
|
||||
+ timer_free(d->timer);
|
||||
+}
|
||||
+
|
||||
static WatchdogTimerModel model = {
|
||||
.wdt_name = "i6300esb",
|
||||
.wdt_description = "Intel 6300ESB",
|
||||
@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
|
||||
k->config_read = i6300esb_config_read;
|
||||
k->config_write = i6300esb_config_write;
|
||||
k->realize = i6300esb_realize;
|
||||
+ k->exit = i6300esb_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
|
||||
k->class_id = PCI_CLASS_SYSTEM_OTHER;
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,48 @@
|
||||
From 62d4c6bd5263bb8413a06c80144fc678df6dfb64 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 1 Feb 2017 09:35:01 +0100
|
||||
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
|
||||
|
||||
When doing bitblt copy in backward mode, we should minus the
|
||||
blt width first just like the adding in the forward mode. This
|
||||
can avoid the oob access of the front of vga's vram.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
|
||||
{ kraxel: with backward blits (negative pitch) addr is the topmost
|
||||
address, so check it as-is against vram size ]
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: Laszlo Ersek <lersek@redhat.com>
|
||||
Cc: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
---
|
||||
hw/display/cirrus_vga.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 7db6409..16f27e8 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
{
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||
- int32_t max = addr
|
||||
- + s->cirrus_blt_width;
|
||||
- if (min < 0 || max > s->vga.vram_size) {
|
||||
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
|
||||
+ - s->cirrus_blt_width;
|
||||
+ if (min < -1 || addr >= s->vga.vram_size) {
|
||||
return true;
|
||||
}
|
||||
} else {
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,52 @@
|
||||
From 12351a91da97b414eec8cdb09f1d9f41e535a401 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 14 Dec 2016 18:30:21 -0800
|
||||
Subject: [PATCH] audio: ac97: add exit function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently the ac97 device emulation doesn't have a exit function,
|
||||
hot unplug this device will leak some memory. Add a exit function to
|
||||
avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/audio/ac97.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
|
||||
index cbd959e..c306575 100644
|
||||
--- a/hw/audio/ac97.c
|
||||
+++ b/hw/audio/ac97.c
|
||||
@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
|
||||
ac97_on_reset (&s->dev.qdev);
|
||||
}
|
||||
|
||||
+static void ac97_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
|
||||
+
|
||||
+ AUD_close_in(&s->card, s->voice_pi);
|
||||
+ AUD_close_out(&s->card, s->voice_po);
|
||||
+ AUD_close_in(&s->card, s->voice_mc);
|
||||
+ AUD_remove_card(&s->card);
|
||||
+}
|
||||
+
|
||||
static int ac97_init (PCIBus *bus)
|
||||
{
|
||||
pci_create_simple (bus, -1, "AC97");
|
||||
@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
|
||||
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
|
||||
|
||||
k->realize = ac97_realize;
|
||||
+ k->exit = ac97_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
|
||||
k->revision = 0x01;
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,55 @@
|
||||
From 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 14 Dec 2016 18:32:22 -0800
|
||||
Subject: [PATCH] audio: es1370: add exit function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently the es1370 device emulation doesn't have a exit function,
|
||||
hot unplug this device will leak some memory. Add a exit function to
|
||||
avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/audio/es1370.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
|
||||
index 8449b5f..883ec69 100644
|
||||
--- a/hw/audio/es1370.c
|
||||
+++ b/hw/audio/es1370.c
|
||||
@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
|
||||
es1370_reset (s);
|
||||
}
|
||||
|
||||
+static void es1370_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ ES1370State *s = ES1370(dev);
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < 2; ++i) {
|
||||
+ AUD_close_out(&s->card, s->dac_voice[i]);
|
||||
+ }
|
||||
+
|
||||
+ AUD_close_in(&s->card, s->adc_voice);
|
||||
+ AUD_remove_card(&s->card);
|
||||
+}
|
||||
+
|
||||
static int es1370_init (PCIBus *bus)
|
||||
{
|
||||
pci_create_simple (bus, -1, TYPE_ES1370);
|
||||
@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
|
||||
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
|
||||
|
||||
k->realize = es1370_realize;
|
||||
+ k->exit = es1370_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
|
||||
k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
|
||||
k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,41 @@
|
||||
From 33243031dad02d161225ba99d782616da133f689 Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Thu, 29 Dec 2016 03:11:26 -0500
|
||||
Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the virgl_renderer_resource_attach_iov function fails the
|
||||
'res_iovs' will be leaked. Add check of the return value to
|
||||
free the 'res_iovs' when failing.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index e29f099..b13ced3 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
|
||||
return;
|
||||
}
|
||||
|
||||
- virgl_renderer_resource_attach_iov(att_rb.resource_id,
|
||||
- res_iovs, att_rb.nr_entries);
|
||||
+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
|
||||
+ res_iovs, att_rb.nr_entries);
|
||||
+
|
||||
+ if (ret != 0)
|
||||
+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
|
||||
}
|
||||
|
||||
static void virgl_resource_detach_backing(VirtIOGPU *g,
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,35 @@
|
||||
From 204f01b30975923c64006f8067f0937b91eea68b Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Thu, 29 Dec 2016 04:28:41 -0500
|
||||
Subject: [PATCH] virtio-gpu: fix memory leak in resource attach backing
|
||||
|
||||
In the resource attach backing function, everytime it will
|
||||
allocate 'res->iov' thus can leading a memory leak. This
|
||||
patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Message-id: 1483003721-65360-1-git-send-email-liq3ea@gmail.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/display/virtio-gpu.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index 6a26258..ca88cf4 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -714,6 +714,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,
|
||||
return;
|
||||
}
|
||||
|
||||
+ if (res->iov) {
|
||||
+ cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
ret = virtio_gpu_create_mapping_iov(&ab, cmd, &res->addrs, &res->iov);
|
||||
if (ret != 0) {
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,40 @@
|
||||
From 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b Mon Sep 17 00:00:00 2001
|
||||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 4 Jan 2017 00:43:16 -0800
|
||||
Subject: [PATCH] serial: fix memory leak in serial exit
|
||||
|
||||
The serial_exit_core function doesn't free some resources.
|
||||
This can lead memory leak when hotplug and unplug. This
|
||||
patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
hw/char/serial.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||
index ffbacd8..67b18ed 100644
|
||||
--- a/hw/char/serial.c
|
||||
+++ b/hw/char/serial.c
|
||||
@@ -906,6 +906,16 @@ void serial_realize_core(SerialState *s, Error **errp)
|
||||
void serial_exit_core(SerialState *s)
|
||||
{
|
||||
qemu_chr_fe_deinit(&s->chr);
|
||||
+
|
||||
+ timer_del(s->modem_status_poll);
|
||||
+ timer_free(s->modem_status_poll);
|
||||
+
|
||||
+ timer_del(s->fifo_timeout_timer);
|
||||
+ timer_free(s->fifo_timeout_timer);
|
||||
+
|
||||
+ fifo8_destroy(&s->recv_fifo);
|
||||
+ fifo8_destroy(&s->xmit_fifo);
|
||||
+
|
||||
qemu_unregister_reset(serial_reset, s);
|
||||
}
|
||||
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,37 @@
|
||||
From 42922105beb14c2fc58185ea022b9f72fb5465e9 Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 7 Feb 2017 18:29:59 +0000
|
||||
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
|
||||
|
||||
While doing multi block SDMA transfer in routine
|
||||
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
|
||||
index 'begin' and data length 's->data_count' could end up to be same.
|
||||
This could lead to an OOB access issue. Correct transfer data length
|
||||
to avoid it.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Message-id: 20170130064736.9236-1-ppandit@redhat.com
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
---
|
||||
hw/sd/sdhci.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index 01fbf22..5bd5ab6 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
boundary_count -= block_size - begin;
|
||||
}
|
||||
dma_memory_read(&address_space_memory, s->sdmasysad,
|
||||
- &s->fifo_buffer[begin], s->data_count);
|
||||
+ &s->fifo_buffer[begin], s->data_count - begin);
|
||||
s->sdmasysad += s->data_count - begin;
|
||||
if (s->data_count == block_size) {
|
||||
for (n = 0; n < block_size; n++) {
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,64 @@
|
||||
From 765a707000e838c30b18d712fe6cb3dd8e0435f3 Mon Sep 17 00:00:00 2001
|
||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 2 Jan 2017 11:03:33 +0100
|
||||
Subject: [PATCH] megasas: fix guest-triggered memory leak
|
||||
|
||||
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
|
||||
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
|
||||
Avoid this by returning only the status from map_dcmd, and loading
|
||||
cmd->iov_size in the caller.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
---
|
||||
hw/scsi/megasas.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index 67fc1e7..6233865 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -683,14 +683,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||
trace_megasas_dcmd_invalid_sge(cmd->index,
|
||||
cmd->frame->header.sge_count);
|
||||
cmd->iov_size = 0;
|
||||
- return -1;
|
||||
+ return -EINVAL;
|
||||
}
|
||||
iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
|
||||
iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
|
||||
pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
|
||||
qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
|
||||
cmd->iov_size = iov_size;
|
||||
- return cmd->iov_size;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
|
||||
@@ -1559,19 +1559,20 @@ static const struct dcmd_cmd_tbl_t {
|
||||
|
||||
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||
{
|
||||
- int opcode, len;
|
||||
+ int opcode;
|
||||
int retval = 0;
|
||||
+ size_t len;
|
||||
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
||||
|
||||
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
||||
trace_megasas_handle_dcmd(cmd->index, opcode);
|
||||
- len = megasas_map_dcmd(s, cmd);
|
||||
- if (len < 0) {
|
||||
+ if (megasas_map_dcmd(s, cmd) < 0) {
|
||||
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
||||
}
|
||||
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
|
||||
cmdptr++;
|
||||
}
|
||||
+ len = cmd->iov_size;
|
||||
if (cmdptr->opcode == -1) {
|
||||
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
|
||||
retval = megasas_dcmd_dummy(s, cmd);
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,38 @@
|
||||
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
|
||||
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
|
||||
we'll leak memory.
|
||||
|
||||
This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
|
||||
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
|
||||
|
||||
Reported-by: 李强 <address@hidden>
|
||||
Signed-off-by: Gerd Hoffmann <address@hidden>
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index f96a0c2..ecb09d1 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
|
||||
struct virtio_gpu_ctrl_command *cmd)
|
||||
{
|
||||
struct virtio_gpu_resource_unref unref;
|
||||
+ struct iovec *res_iovs = NULL;
|
||||
+ int num_iovs = 0;
|
||||
|
||||
VIRTIO_GPU_FILL_CMD(unref);
|
||||
trace_virtio_gpu_cmd_res_unref(unref.resource_id);
|
||||
|
||||
+ virgl_renderer_resource_detach_iov(unref.resource_id,
|
||||
+ &res_iovs,
|
||||
+ &num_iovs);
|
||||
+ if (res_iovs != NULL && num_iovs != 0) {
|
||||
+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
|
||||
+ }
|
||||
virgl_renderer_resource_unref(unref.resource_id);
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
@ -0,0 +1,35 @@
|
||||
From c7dfbf322595ded4e70b626bf83158a9f3807c6a Mon Sep 17 00:00:00 2001
|
||||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 3 Feb 2017 00:52:28 +0530
|
||||
Subject: [PATCH] usb: ccid: check ccid apdu length
|
||||
|
||||
CCID device emulator uses Application Protocol Data Units(APDU)
|
||||
to exchange command and responses to and from the host.
|
||||
The length in these units couldn't be greater than 65536. Add
|
||||
check to ensure the same. It'd also avoid potential integer
|
||||
overflow in emulated_apdu_from_guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
---
|
||||
hw/usb/dev-smartcard-reader.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
||||
index 89e11b6..1325ea1 100644
|
||||
--- a/hw/usb/dev-smartcard-reader.c
|
||||
+++ b/hw/usb/dev-smartcard-reader.c
|
||||
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
||||
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
||||
recv->hdr.bSeq, len);
|
||||
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
||||
- if (s->card) {
|
||||
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
||||
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
||||
} else {
|
||||
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,46 @@
|
||||
From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
|
||||
From: Gonglei <arei.gonglei@huawei.com>
|
||||
Date: Tue, 3 Jan 2017 14:50:03 +0800
|
||||
Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
|
||||
|
||||
Because the 'size_t' type is 4 bytes in 32-bit platform, which
|
||||
is the same with 'int'. It's easy to make 'max_len' to zero when
|
||||
integer overflow and then cause heap overflow if 'max_len' is zero.
|
||||
|
||||
Using uint_64 instead of size_t to avoid the integer overflow.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
|
||||
Tested-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
---
|
||||
hw/virtio/virtio-crypto.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
|
||||
index 2f2467e..c23e1ad 100644
|
||||
--- a/hw/virtio/virtio-crypto.c
|
||||
+++ b/hw/virtio/virtio-crypto.c
|
||||
@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
|
||||
uint32_t hash_start_src_offset = 0, len_to_hash = 0;
|
||||
uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
|
||||
|
||||
- size_t max_len, curr_size = 0;
|
||||
+ uint64_t max_len, curr_size = 0;
|
||||
size_t s;
|
||||
|
||||
/* Plain cipher */
|
||||
@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
|
||||
return NULL;
|
||||
}
|
||||
|
||||
- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
|
||||
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
|
||||
if (unlikely(max_len > vcrypto->conf.max_size)) {
|
||||
virtio_error(vdev, "virtio-crypto too big length");
|
||||
return NULL;
|
||||
--
|
||||
2.10.2
|
||||
|
@ -0,0 +1,24 @@
|
||||
Source: http://pkgs.fedoraproject.org/cgit/rpms/jfbterm.git/plain/jfbterm-0.4.7-wrong-inline-gcc5.patch
|
||||
|
||||
--- jfbterm-0.4.7/pen.c.inline_gcc5 2003-08-30 03:48:16.000000000 +0900
|
||||
+++ jfbterm-0.4.7/pen.c 2015-02-09 10:36:47.182751545 +0900
|
||||
@@ -62,7 +62,7 @@
|
||||
p->attr = q->attr;
|
||||
}
|
||||
|
||||
-inline void tpen_off_all_attribute(TPen* p)
|
||||
+void tpen_off_all_attribute(TPen* p)
|
||||
{
|
||||
p->bcol = 0;
|
||||
p->fcol = 7;
|
||||
--- jfbterm-0.4.7/pen.h.inline_gcc5 2002-07-17 01:21:23.000000000 +0900
|
||||
+++ jfbterm-0.4.7/pen.h 2015-02-09 10:36:52.058705503 +0900
|
||||
@@ -58,7 +58,7 @@
|
||||
void tpen_init(TPen* p);
|
||||
void tpen_final(TPen* p);
|
||||
void tpen_copy(TPen* p, TPen* q);
|
||||
-inline void tpen_off_all_attribute(TPen* p);
|
||||
+void tpen_off_all_attribute(TPen* p);
|
||||
void tpen_higlight(TPen* p);
|
||||
void tpen_dehiglight(TPen* p);
|
||||
void tpen_underline(TPen* p);
|
@ -1,2 +1 @@
|
||||
DIST opencc-0.3.0_pre20120819.tar.xz 363528 SHA256 3ed46594547b86f1326b07c3ea910148b1c58b74c9d21c8d4e11ec30e2254fae SHA512 0ca231b5fd7b314111a76bfaa8e288fc2d43e02dbbb2a7c7e9312c1f1f0aed1a0d3b67b04b0cc3634d1b48b8fe6983e6219db053f3a2114abadec1af00b9f8d5 WHIRLPOOL 268d331479bffefdc6e1f58600422a36a32abb7d4dd873eeb216977daca05f4a4775ca547bb301bc16ea8fc702ef04cfd5d8f88c90d10e224a585575129e67c6
|
||||
DIST opencc-1.0.4.tar.gz 1597309 SHA256 0553b7461ebd379d118d45d7f40f8a6e272750115bdbc49267595a05ee3481ac SHA512 682cc621fddb6495f26675863faefe7c9f584d2c60676cee0a3ff2120828a09a5e71671f5537030c2cc874f55b7f22af70d9d376f17b83e30cb04dcd5f6bba8a WHIRLPOOL 964180d27db85df6ffb4310ea6cae7b6c294c163bce68d05a5a21e8e736be6c11b44f8a2a856481b47e14c8c1104d244fc294259cbfa2f3160912743ac933cd6
|
||||
|
@ -1,17 +0,0 @@
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -70,11 +70,11 @@ set (DIR_SHARE ${DIR_PREFIX}/share)
|
||||
set (DIR_BIN ${DIR_PREFIX}/bin)
|
||||
set (DIR_ETC ${DIR_PREFIX}/etc)
|
||||
|
||||
if (DEFINED CMAKE_INSTALL_LIBDIR)
|
||||
- set (DIR_LIBRARY ${CMAKE_INSTALL_LIBDIR})
|
||||
- set (DIR_LIBRARY_STATIC ${CMAKE_INSTALL_LIBDIR})
|
||||
+ set (DIR_LIBRARY ${DIR_PREFIX}/${CMAKE_INSTALL_LIBDIR})
|
||||
+ set (DIR_LIBRARY_STATIC ${DIR_PREFIX}/${CMAKE_INSTALL_LIBDIR})
|
||||
endif (DEFINED CMAKE_INSTALL_LIBDIR)
|
||||
|
||||
if (DEFINED SHARE_INSTALL_PREFIX)
|
||||
set (DIR_SHARE ${SHARE_INSTALL_PREFIX})
|
||||
endif (DEFINED SHARE_INSTALL_PREFIX)
|
@ -1,42 +0,0 @@
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
EAPI=4
|
||||
|
||||
inherit cmake-utils multilib eutils
|
||||
|
||||
DESCRIPTION="Libraries for Simplified-Traditional Chinese Conversion"
|
||||
HOMEPAGE="https://github.com/BYVoid/OpenCC"
|
||||
SRC_URI="http://dev.gentooexperimental.org/~scarabeus/${P}.tar.xz"
|
||||
|
||||
LICENSE="Apache-2.0"
|
||||
SLOT="0"
|
||||
KEYWORDS="amd64 hppa ppc ppc64 x86"
|
||||
IUSE="+nls static-libs"
|
||||
|
||||
DEPEND="nls? ( sys-devel/gettext )"
|
||||
RDEPEND="nls? ( virtual/libintl )"
|
||||
|
||||
DOCS="AUTHORS README"
|
||||
|
||||
src_prepare() {
|
||||
sed -i \
|
||||
-e "s:\${CMAKE_\(SHARED\|STATIC\)_LIBRARY_PREFIX}:\"$(get_libdir)\":" \
|
||||
CMakeLists.txt || die
|
||||
epatch "${FILESDIR}"/${P}-cmake-libdir.patch
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
local mycmakeargs=(
|
||||
"$(cmake-utils_use_enable nls GETTEXT)"
|
||||
)
|
||||
|
||||
cmake-utils_src_configure
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cmake-utils_src_install
|
||||
|
||||
use static-libs || find "${ED}" -name '*.la' -o -name '*.a' -exec rm {} +
|
||||
}
|
@ -1,2 +1 @@
|
||||
DIST thinkfan-0.9.2.tar.gz 39539 SHA256 90daa0f2db221e1d5085d7f25cb6c63608d174db2987478c340e9523e652af79 SHA512 b27fd60a02ad06d30485ae3d658af6b9e79af3c898f415d0ff613839424f5dc9731be03d1d9bf3ed1311ecd0778aef5b30fa908cab386cf419db77ae29940684 WHIRLPOOL 2ca120ad9cf4960c7536cf6252b711257cbb7c1ca6061d028aebf53fd18e41d3b852d36158bddd18f791e1128b98d35a3f68fae5bb29077820f4dff6fc9b1919
|
||||
DIST thinkfan-0.9.3.tar.gz 39527 SHA256 b61c634996c450445d7e440bf41f7adcda86506063f832afa40d44e01061e45b SHA512 d2a29f9cae636c22b66958f8ec50cb60a162d745c3967257bb5e20cc9e152894d4e8a66f897ffa4e49353eba4a42e3499bb9e554719974284089a46cfc6280d7 WHIRLPOOL 3bdbc0ca3731fef85e385b3259cc9ce6bf4c3b15195138caf5b192847bbba411068d00df8e5673600796e15d4d965c116b73745e787bea9f5a68dbbb5ee118db
|
||||
|
@ -1,11 +0,0 @@
|
||||
--- thinkfan-0.9.2/rcscripts/thinkfan.gentoo
|
||||
+++ thinkfan-0.9.2/rcscripts/thinkfan.gentoo
|
||||
@@ -11,7 +11,7 @@
|
||||
|
||||
start() {
|
||||
ebegin "Starting thinkfan"
|
||||
- start-stop-daemon --start --exec /usr/sbin/thinkfan -- -q -s5 -c /etc/thinkfan.com
|
||||
+ start-stop-daemon --start --exec /usr/sbin/thinkfan -- -q -s5 -c /etc/thinkfan.conf
|
||||
eend $?
|
||||
}
|
||||
|
@ -1,49 +0,0 @@
|
||||
# Copyright 1999-2015 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
EAPI=5
|
||||
|
||||
inherit cmake-utils readme.gentoo systemd
|
||||
|
||||
DESCRIPTION="simple fan control program for thinkpads"
|
||||
HOMEPAGE="http://thinkfan.sourceforge.net"
|
||||
SRC_URI="mirror://sourceforge/${PN}/${P}.tar.gz"
|
||||
|
||||
LICENSE="GPL-3"
|
||||
SLOT="0"
|
||||
KEYWORDS="amd64 x86"
|
||||
IUSE="atasmart"
|
||||
|
||||
DEPEND="atasmart? ( dev-libs/libatasmart )"
|
||||
RDEPEND="${DEPEND}"
|
||||
|
||||
S="${WORKDIR}"
|
||||
|
||||
src_prepare() {
|
||||
epatch "${FILESDIR}"/${P}-openrc.patch
|
||||
|
||||
sed -e "s:share/doc/${PN}:share/doc/${P}:" \
|
||||
-i CMakeLists.txt
|
||||
}
|
||||
|
||||
src_configure() {
|
||||
mycmakeargs+=(
|
||||
"-DCMAKE_BUILD_TYPE:STRING=Debug"
|
||||
"$(cmake-utils_use_use atasmart ATASMART)"
|
||||
)
|
||||
|
||||
cmake-utils_src_configure
|
||||
}
|
||||
|
||||
src_install() {
|
||||
cmake-utils_src_install
|
||||
|
||||
newinitd rcscripts/${PN}.gentoo ${PN}
|
||||
systemd_dounit rcscripts/${PN}.service
|
||||
|
||||
readme.gentoo_create_doc
|
||||
}
|
||||
|
||||
DOC_CONTENTS="Please read the documentation and copy an
|
||||
appropriate file to /etc/thinkfan.conf."
|
@ -1,48 +0,0 @@
|
||||
# Copyright 1999-2012 Gentoo Foundation
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
# $Id$
|
||||
|
||||
inherit toolchain-funcs
|
||||
|
||||
DESCRIPTION="list executables"
|
||||
HOMEPAGE="http://tools.suckless.org/lsx"
|
||||
SRC_URI="http://suckless.org/download/${P}.tar.gz"
|
||||
|
||||
LICENSE="MIT"
|
||||
SLOT="0"
|
||||
KEYWORDS="amd64 x86"
|
||||
IUSE=""
|
||||
|
||||
DEPEND=""
|
||||
RDEPEND=""
|
||||
|
||||
src_unpack() {
|
||||
unpack ${A}
|
||||
cd "${S}"
|
||||
|
||||
sed -i \
|
||||
-e "s/.*strip.*//" \
|
||||
Makefile || die "sed failed"
|
||||
|
||||
sed -i \
|
||||
-e "s/CFLAGS = -Os/CFLAGS +=/" \
|
||||
-e "s/LDFLAGS =/LDFLAGS +=/" \
|
||||
config.mk || die "sed failed"
|
||||
}
|
||||
|
||||
src_compile() {
|
||||
emake CC=$(tc-getCC) || die "emake failed"
|
||||
}
|
||||
|
||||
src_install() {
|
||||
emake DESTDIR="${D}" PREFIX="/usr" install || die "emake install failed"
|
||||
|
||||
# collision with net-dialup/lrzsz
|
||||
mv "${D}/usr/bin/${PN}" "${D}/usr/bin/${PN}-suckless"
|
||||
|
||||
dodoc README
|
||||
}
|
||||
|
||||
pkg_postinst() {
|
||||
elog "Run ${PN} with ${PN}-suckless"
|
||||
}
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in new issue