
Sync with portage [Fri Dec 18 09:13:34 MSK 2015].

mhiretskiy 164
root 6 years ago
parent
commit
285731d280
  1. 1
      app-accessibility/speech-dispatcher/Manifest
  2. 109
      app-accessibility/speech-dispatcher/speech-dispatcher-0.8.3.ebuild
  3. 1
      app-admin/syslog-ng/Manifest
  4. 143
      app-admin/syslog-ng/syslog-ng-3.7.1-r1.ebuild
  5. 142
      app-admin/syslog-ng/syslog-ng-3.7.1.ebuild
  6. 1
      app-emulation/qemu-guest-agent/Manifest
  7. 88
      app-emulation/qemu-guest-agent/qemu-guest-agent-2.5.0.ebuild
  8. 5
      app-emulation/qemu/Manifest
  9. 241
      app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch
  10. 58
      app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch
  11. 51
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
  12. 41
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch
  13. 86
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch
  14. 75
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch
  15. 26
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch
  16. 69
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch
  17. 40
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch
  18. 82
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-1.patch
  19. 373
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-2.patch
  20. 39
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-3.patch
  21. 53
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-4.patch
  22. 34
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-5.patch
  23. 35
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-6.patch
  24. 32
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-7.patch
  25. 36
      app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5166.patch
  26. 34
      app-emulation/qemu/files/qemu-2.3.0-virtio-serial.patch
  27. 86
      app-emulation/qemu/files/qemu-2.4.0-CVE-2015-5225.patch
  28. 146
      app-emulation/qemu/files/qemu-2.4.0-CVE-2015-6855.patch
  29. 58
      app-emulation/qemu/files/qemu-2.4.0-CVE-2015-7295-1.patch
  30. 54
      app-emulation/qemu/files/qemu-2.4.0-CVE-2015-7295-2.patch
  31. 47
      app-emulation/qemu/files/qemu-2.4.0-CVE-2015-7295-3.patch
  32. 124
      app-emulation/qemu/files/qemu-2.4.0-block-mirror-crash.patch
  33. 39
      app-emulation/qemu/files/qemu-2.4.0-e1000-loop.patch
  34. 611
      app-emulation/qemu/qemu-2.3.0-r5.ebuild
  35. 612
      app-emulation/qemu/qemu-2.3.0-r6.ebuild
  36. 612
      app-emulation/qemu/qemu-2.3.0-r7.ebuild
  37. 598
      app-emulation/qemu/qemu-2.3.1-r1.ebuild
  38. 598
      app-emulation/qemu/qemu-2.3.1.ebuild
  39. 640
      app-emulation/qemu/qemu-2.4.0-r1.ebuild
  40. 640
      app-emulation/qemu/qemu-2.4.0-r2.ebuild
  41. 645
      app-emulation/qemu/qemu-2.4.0.1-r1.ebuild
  42. 645
      app-emulation/qemu/qemu-2.4.0.1-r2.ebuild
  43. 640
      app-emulation/qemu/qemu-2.4.0.1.ebuild
  44. 640
      app-emulation/qemu/qemu-2.4.1-r1.ebuild
  45. 31
      app-emulation/qemu/qemu-2.5.0.ebuild
  46. 1
      app-emulation/vice/Manifest
  47. 38
      app-emulation/vice/files/vice-2.4-arm.patch
  48. 11
      app-emulation/vice/files/vice-2.4-autotools.patch
  49. 14
      app-emulation/vice/files/vice-2.4-buffer.patch
  50. 135
      app-emulation/vice/files/vice-2.4-ffmpeg-1.patch
  51. 2
      app-emulation/vice/metadata.xml
  52. 117
      app-emulation/vice/vice-2.4.ebuild
  53. 1
      app-eselect/eselect-php/Manifest
  54. 57
      app-eselect/eselect-php/eselect-php-0.8.2.ebuild
  55. 2
      dev-db/mariadb/Manifest
  56. 128
      dev-db/mariadb/mariadb-10.1.8.ebuild
  57. 2
      dev-games/cegui/cegui-0.6.2b.ebuild
  58. 2
      dev-games/cegui/cegui-0.8.4.ebuild
  59. 4
      dev-games/clanlib/clanlib-0.8.1.ebuild
  60. 1
      dev-games/goatee/Manifest
  61. 28
      dev-games/goatee/goatee-0.2.0-r1.ebuild
  62. 71
      dev-games/irrlicht/irrlicht-1.8.1.ebuild
  63. 1
      dev-games/ode/Manifest
  64. 75
      dev-games/ode/ode-0.13.ebuild
  65. 2
      dev-lang/blassic/blassic-0.10.2.ebuild
  66. 1
      dev-lang/php/Manifest
  67. 1
      dev-lang/php/metadata.xml
  68. 779
      dev-lang/php/php-7.0.1.ebuild
  69. 1
      dev-lisp/cl-ppcre-unicode/Manifest
  70. 29
      dev-lisp/cl-ppcre-unicode/cl-ppcre-unicode-2.0.11.ebuild
  71. 16
      dev-lisp/cl-ppcre-unicode/metadata.xml
  72. 1
      dev-lisp/cl-ppcre/Manifest
  73. 34
      dev-lisp/cl-ppcre/cl-ppcre-2.0.11.ebuild
  74. 1
      dev-lisp/cl-unicode/Manifest
  75. 47
      dev-lisp/cl-unicode/cl-unicode-0.1.5.ebuild
  76. 14
      dev-lisp/cl-unicode/metadata.xml
  77. 2
      dev-perl/SDL/Manifest
  78. 41
      dev-perl/SDL/SDL-2.540-r1.ebuild
  79. 41
      dev-perl/SDL/SDL-2.544.ebuild
  80. 1
      dev-python/bandit/Manifest
  81. 59
      dev-python/bandit/bandit-0.17.0.ebuild
  82. 2
      dev-python/blinker/blinker-1.4.ebuild
  83. 2
      dev-python/cffi/Manifest
  84. 42
      dev-python/cffi/cffi-1.4.0.ebuild
  85. 42
      dev-python/cffi/cffi-1.4.1.ebuild
  86. 1
      dev-python/curtsies/Manifest
  87. 38
      dev-python/curtsies/curtsies-0.2.4.ebuild
  88. 132
      dev-python/curtsies/files/curtsies-0.2.4-test-backport.patch
  89. 1
      dev-python/django-extensions/Manifest
  90. 62
      dev-python/django-extensions/django-extensions-1.6.1.ebuild
  91. 1
      dev-python/django-tables2/Manifest
  92. 23
      dev-python/django-tables2/django-tables2-1.0.5.ebuild
  93. 1
      dev-python/dulwich/Manifest
  94. 44
      dev-python/dulwich/dulwich-0.12.0.ebuild
  95. 2
      dev-python/flask/flask-0.10.1-r2.ebuild
  96. 1
      dev-python/httpbin/Manifest
  97. 36
      dev-python/httpbin/httpbin-0.4.0.ebuild
  98. 12
      dev-python/httpbin/metadata.xml
  99. 1
      dev-python/httpretty/Manifest
  100. 69
      dev-python/httpretty/httpretty-0.8.12.ebuild

1
app-accessibility/speech-dispatcher/Manifest

@ -1 +1,2 @@
DIST speech-dispatcher-0.8.1.tar.gz 1309969 SHA256 d25727239bbee4ee7881dd5e23e4da64a184b2ff3c8c9830088a671fb23b7757 SHA512 35f1ae547001a45d7945406ae5672829ff9ab6ac3f0cccb9eb3670dd92888a63c7cc4270ee90b5a166e6788afe3b117b5c3ef62c41a9df9f9af94dc4e0948fe8 WHIRLPOOL 945ef7ab1d771dc1e3727f223cfadfd309db03813f11fe995c0f4caf3a6f24bc9abc18e1f2f342b072bcd5fd0d626dae315f1fd0228d4172e051a2aba1255092
DIST speech-dispatcher-0.8.3.tar.gz 1292321 SHA256 96a293b2ba1e2498f1280c75a9607891a9990947a8d87e9855c2a642c93f1e4f SHA512 48eaa1fb27a14ad6c6a1f214044fbddde85ff07e636355e75f4f3ac1e46cea0cbbbd2cb9ce01ce4b9cb27d5395d840bd38afd2c65ec0fabcc8787483ae7a7b67 WHIRLPOOL 606bee401a98c91aa34f071007cabc3d7ad5f2a5a9425a32d40a8cce75a4b13795b4877a42451be37ea14a68a008fc1e0e063d881c08a78dce41f3a800962fd1

109
app-accessibility/speech-dispatcher/speech-dispatcher-0.8.3.ebuild

@ -0,0 +1,109 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI=5
PYTHON_COMPAT=( python3_3 python3_4 )
inherit eutils python-r1
DESCRIPTION="Speech synthesis interface"
HOMEPAGE="http://www.freebsoft.org/speechd"
SRC_URI="http://www.freebsoft.org/pub/projects/speechd/${P}.tar.gz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~amd64-linux ~x86-linux"
IUSE="alsa ao +espeak flite nas pulseaudio python static-libs"
REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
COMMON_DEPEND="python? ( ${PYTHON_DEPS} )
>=dev-libs/dotconf-1.3
>=dev-libs/glib-2.28:2
>=media-libs/libsndfile-1.0.2
alsa? ( media-libs/alsa-lib )
ao? ( media-libs/libao )
espeak? ( app-accessibility/espeak )
flite? ( app-accessibility/flite )
nas? ( media-libs/nas )
pulseaudio? ( media-sound/pulseaudio )"
DEPEND="${COMMON_DEPEND}
>=dev-util/intltool-0.40.0
virtual/pkgconfig"
RDEPEND="${COMMON_DEPEND}
dev-python/pyxdg"
src_configure() {
local myeconfargs=(
--disable-python
$(use_enable static-libs static)
$(use_with alsa)
$(use_with ao libao)
$(use_with espeak)
$(use_with flite)
$(use_with pulseaudio pulse)
$(use_with nas)
)
econf ${myeconfargs[@]}
}
src_compile() {
use python && python_copy_sources
emake
if use python; then
building() {
cd src/api/python || die
emake \
pyexecdir="$(python_get_sitedir)" \
pythondir="$(python_get_sitedir)"
}
python_foreach_impl run_in_build_dir building
fi
}
src_install() {
emake DESTDIR="${D}" install
dodoc ANNOUNCE AUTHORS BUGS ChangeLog FAQ NEWS README*
prune_libtool_files --all
if use python; then
installation() {
cd src/api/python || die
emake \
DESTDIR="${D}" \
pyexecdir="$(python_get_sitedir)" \
pythondir="$(python_get_sitedir)" \
install
}
python_foreach_impl run_in_build_dir installation
python_replicate_script "${ED}"/usr/bin/spd-conf
fi
}
pkg_postinst() {
local editconfig="n"
if ! use espeak; then
ewarn "You have disabled espeak, which is speech-dispatcher's"
ewarn "default speech synthesizer."
ewarn
editconfig="y"
fi
if ! use pulseaudio; then
ewarn "You have disabled pulseaudio support."
ewarn "pulseaudio is speech-dispatcher's default audio subsystem."
ewarn
editconfig="y"
fi
if [[ "${editconfig}" == "y" ]]; then
ewarn "You must edit ${EROOT}etc/speech-dispatcher/speechd.conf"
ewarn "and make sure the settings there match your system."
ewarn
fi
elog "For festival support, you need to"
elog "install app-accessibility/festival-freebsoft-utils."
}
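Review bot: In `src_configure`, `econf ${myeconfargs[@]}` expands the array unquoted, so any element containing whitespace or glob characters would be word-split or expanded before it reaches configure; write `econf "${myeconfargs[@]}"`. Separately, `SRC_URI` (and `HOMEPAGE`) use plain `http://`, so the only integrity check on the downloaded tarball is the SHA256/SHA512/WHIRLPOOL digests in the Manifest entry added by this same commit. If upstream serves the same path over https, prefer it so the fetch does not rest on the Manifest alone.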

1
app-admin/syslog-ng/Manifest

@ -1,4 +1,3 @@
DIST syslog-ng-3.7.1.tar.gz 3509575 SHA256 4c19841b9079b377cd814b1e6ebbf273af41d04d51c648f4c31f19bfadc20220 SHA512 6f9a68aec2594d83c43cf40e12a3d56e65661929a47c2a053ae120e34ad358d4dfd0b5b0303a374a5557f2ac0670114037a339530b111b1078b56e5baf284ed4 WHIRLPOOL 247498f144aec419d1214378332bc286795fa8f59ba33ce75b3d000be6340758f00a694d76b5cbfdd6b68d138a6cd373c06bb52c70e6ed6de29189c03a56d16b
DIST syslog-ng-3.7.2.tar.gz 3558377 SHA256 b1b3ccc0ce7f0d8bf15b23e59f2f4f5ded70eed410dfd27105219bc8856388a5 SHA512 dbf58b51b68bc6616a136df5eb67a120718d8c83f785218d40f62e5f7b3691a3ad4d21db617551e4192e053dc9340440424e3d3b072b47ca590d4eac0dbf0e6f WHIRLPOOL 3721841f6e5ea883cd5ee71bf1651fa0861904008eb1136127c36990e2fe8801deafdf31ce880677eff7739b0b07411eee4542d8d4a80b60819fa3bd9ab24b9e
DIST syslog-ng_3.4.8.tar.gz 3169372 SHA256 96c2f970fbba4fdd7659b1fee5e476d2858c911d4304d42099f495493762ff49 SHA512 23ba9908664e594c186cbe4bd5dcfb5d2ed3faf02ec45b931bb91b078660547989c2340a08b478a33adb530d39a6d6f39a2e7519107a3f6b923ac9f39529620e WHIRLPOOL 1085fa2c90e0c85421c64ed50e8a357f29006afea2f3e329e42d1e27f4210a10fe0f05d4af95a11c245d68b43644a4a829a50c05b7d541f59a6f580b3643b434
DIST syslog-ng_3.6.2.tar.gz 3207456 SHA256 ef47fada52981e09af570457a5af30f815f5d5b6c2e33754cedd4ca9780d8261 SHA512 15603b4df2001e1ce7e0019d0dd9a0f4295445e3fd19a527ebf3d49486da7da27fac6c465727ec0354f8f70ca0f671a285ec132f9aa0de62b40f18b44af2a226 WHIRLPOOL 7135db242374d6e5789c0820a06187b7e325054fd214e3aee75aac5b8dde56786b432cc4519c07ce0cd413c3a560e8e74ee6eca319c21eaa750ca8140ef1b63f

143
app-admin/syslog-ng/syslog-ng-3.7.1-r1.ebuild

@ -1,143 +0,0 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI=5
PYTHON_COMPAT=( python2_7 )
inherit autotools python-any-r1 eutils multilib systemd versionator
MY_PV=${PV/_/}
MY_PV_MM=$(get_version_component_range 1-2)
DESCRIPTION="syslog replacement with advanced filtering features"
HOMEPAGE="http://www.balabit.com/network-security/syslog-ng"
SRC_URI="https://github.com/balabit/syslog-ng/releases/download/${P}/${P}.tar.gz"
LICENSE="GPL-2+ LGPL-2.1+"
SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
IUSE="amqp caps dbi geoip ipv6 json libressl mongodb pacct python redis smtp spoof-source systemd tcpd"
RESTRICT="test"
RDEPEND="
caps? ( sys-libs/libcap )
dbi? ( >=dev-db/libdbi-0.8.3 )
geoip? ( >=dev-libs/geoip-1.5.0 )
json? ( >=dev-libs/json-c-0.9 )
python? ( ${PYTHON_DEPS} )
redis? ( dev-libs/hiredis )
smtp? ( net-libs/libesmtp )
spoof-source? ( net-libs/libnet:1.1 )
systemd? ( sys-apps/systemd )
tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
dev-libs/libpcre
!libressl? ( dev-libs/openssl:0= )
libressl? ( dev-libs/libressl:= )
>=dev-libs/eventlog-0.2.12
>=dev-libs/glib-2.10.1:2"
DEPEND="${RDEPEND}
virtual/pkgconfig
sys-devel/flex"
S=${WORKDIR}/${PN}-${MY_PV}
pkg_setup() {
use python && python-any-r1_pkg_setup
}
src_prepare() {
epatch_user
use python && python_fix_shebang .
if use !json ; then
sed -i \
-e '1 s/cim //' \
scl/Makefile.am || die
eautoreconf
fi
cp "${FILESDIR}"/*logrotate*.in "${TMPDIR}" || die
cd "${TMPDIR}" || die
for f in *logrotate*.in ; do
if use systemd ; then
sed \
's/@GENTOO_RESTART@/systemctl kill -s HUP syslog-ng/' \
$f > ${f/.in/} || die
else
sed \
's:@GENTOO_RESTART@:/etc/init.d/syslog-ng reload:' \
$f > ${f/.in/} || die
fi
done
}
src_configure() {
econf \
--disable-java \
--disable-docs \
--enable-manpages \
--with-embedded-crypto \
--with-ivykis=internal \
--with-libmongo-client=internal \
--sysconfdir=/etc/syslog-ng \
--localstatedir=/var/lib/syslog-ng \
--with-pidfile-dir=/var/run \
--with-module-dir=/usr/$(get_libdir)/syslog-ng \
$(systemd_with_unitdir) \
$(use_enable systemd) \
$(use_enable caps linux-caps) \
$(use_enable geoip) \
$(use_enable ipv6) \
$(use_enable json) \
$(use_enable mongodb) \
$(use_enable pacct) \
$(use_enable python) \
$(use_enable redis) \
$(use_enable smtp) \
$(use_enable amqp) \
$(usex amqp --with-librabbitmq-client=internal --without-librabbitmq-client) \
$(use_enable spoof-source) \
$(use_enable dbi sql) \
$(use_enable tcpd tcp-wrapper)
}
src_install() {
# -j1 for bug #484470
emake -j1 DESTDIR="${D}" install
dodoc AUTHORS NEWS.md CONTRIBUTING.md contrib/syslog-ng.conf* \
contrib/syslog2ng "${FILESDIR}/${MY_PV_MM}/syslog-ng.conf.gentoo.hardened" \
"${TMPDIR}/syslog-ng.logrotate.hardened" "${FILESDIR}/README.hardened"
# Install default configuration
insinto /etc/syslog-ng
if use userland_BSD ; then
newins "${FILESDIR}/${MY_PV_MM}/syslog-ng.conf.gentoo.fbsd" syslog-ng.conf
else
newins "${FILESDIR}/${MY_PV_MM}/syslog-ng.conf.gentoo" syslog-ng.conf
fi
insinto /etc/logrotate.d
newins "${TMPDIR}/syslog-ng.logrotate" syslog-ng
newinitd "${FILESDIR}/${MY_PV_MM}/syslog-ng.rc6" syslog-ng
newconfd "${FILESDIR}/${MY_PV_MM}/syslog-ng.confd" syslog-ng
keepdir /etc/syslog-ng/patterndb.d /var/lib/syslog-ng
prune_libtool_files --modules
use python && python_optimize
}
pkg_postinst() {
elog "For detailed documentation please see the upstream website:"
elog "http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-ose-v3.7-guide-admin/html/index.html"
# bug #355257
if ! has_version app-admin/logrotate ; then
echo
elog "It is highly recommended that app-admin/logrotate be emerged to"
elog "manage the log files. ${PN} installs a file in /etc/logrotate.d"
elog "for logrotate to use."
echo
fi
}

142
app-admin/syslog-ng/syslog-ng-3.7.1.ebuild

@ -1,142 +0,0 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI=5
PYTHON_COMPAT=( python2_7 )
inherit autotools python-any-r1 eutils multilib systemd versionator
MY_PV=${PV/_/}
MY_PV_MM=$(get_version_component_range 1-2)
DESCRIPTION="syslog replacement with advanced filtering features"
HOMEPAGE="http://www.balabit.com/network-security/syslog-ng"
SRC_URI="https://github.com/balabit/syslog-ng/releases/download/${P}/${P}.tar.gz"
LICENSE="GPL-2+ LGPL-2.1+"
SLOT="0"
KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86 ~x86-fbsd"
IUSE="amqp caps dbi geoip ipv6 json mongodb pacct python redis smtp spoof-source systemd tcpd"
RESTRICT="test"
RDEPEND="
caps? ( sys-libs/libcap )
dbi? ( >=dev-db/libdbi-0.8.3 )
geoip? ( >=dev-libs/geoip-1.5.0 )
json? ( >=dev-libs/json-c-0.9 )
python? ( ${PYTHON_DEPS} )
redis? ( dev-libs/hiredis )
smtp? ( net-libs/libesmtp )
spoof-source? ( net-libs/libnet:1.1 )
systemd? ( sys-apps/systemd )
tcpd? ( >=sys-apps/tcp-wrappers-7.6 )
dev-libs/libpcre
dev-libs/openssl:0=
>=dev-libs/eventlog-0.2.12
>=dev-libs/glib-2.10.1:2"
DEPEND="${RDEPEND}
virtual/pkgconfig
sys-devel/flex"
S=${WORKDIR}/${PN}-${MY_PV}
pkg_setup() {
use python && python-any-r1_pkg_setup
}
src_prepare() {
epatch_user
use python && python_fix_shebang .
if use !json ; then
sed -i \
-e '1 s/cim //' \
scl/Makefile.am || die
eautoreconf
fi
cp "${FILESDIR}"/*logrotate*.in "${TMPDIR}" || die
cd "${TMPDIR}" || die
for f in *logrotate*.in ; do
if use systemd ; then
sed \
's/@GENTOO_RESTART@/systemctl kill -s HUP syslog-ng/' \
$f > ${f/.in/} || die
else
sed \
's:@GENTOO_RESTART@:/etc/init.d/syslog-ng reload:' \
$f > ${f/.in/} || die
fi
done
}
src_configure() {
econf \
--disable-java \
--disable-docs \
--enable-manpages \
--with-embedded-crypto \
--with-ivykis=internal \
--with-libmongo-client=internal \
--sysconfdir=/etc/syslog-ng \
--localstatedir=/var/lib/syslog-ng \
--with-pidfile-dir=/var/run \
--with-module-dir=/usr/$(get_libdir)/syslog-ng \
$(systemd_with_unitdir) \
$(use_enable systemd) \
$(use_enable caps linux-caps) \
$(use_enable geoip) \
$(use_enable ipv6) \
$(use_enable json) \
$(use_enable mongodb) \
$(use_enable pacct) \
$(use_enable python) \
$(use_enable redis) \
$(use_enable smtp) \
$(use_enable amqp) \
$(usex amqp --with-librabbitmq-client=internal --without-librabbitmq-client) \
$(use_enable spoof-source) \
$(use_enable dbi sql) \
$(use_enable tcpd tcp-wrapper)
}
src_install() {
# -j1 for bug #484470
emake -j1 DESTDIR="${D}" install
dodoc AUTHORS NEWS.md CONTRIBUTING.md contrib/syslog-ng.conf* \
contrib/syslog2ng "${FILESDIR}/${MY_PV_MM}/syslog-ng.conf.gentoo.hardened" \
"${TMPDIR}/syslog-ng.logrotate.hardened" "${FILESDIR}/README.hardened"
# Install default configuration
insinto /etc/syslog-ng
if use userland_BSD ; then
newins "${FILESDIR}/${MY_PV_MM}/syslog-ng.conf.gentoo.fbsd" syslog-ng.conf
else
newins "${FILESDIR}/${MY_PV_MM}/syslog-ng.conf.gentoo" syslog-ng.conf
fi
insinto /etc/logrotate.d
newins "${TMPDIR}/syslog-ng.logrotate" syslog-ng
newinitd "${FILESDIR}/${MY_PV_MM}/syslog-ng.rc6" syslog-ng
newconfd "${FILESDIR}/${MY_PV_MM}/syslog-ng.confd" syslog-ng
keepdir /etc/syslog-ng/patterndb.d /var/lib/syslog-ng
prune_libtool_files --modules
use python && python_optimize
}
pkg_postinst() {
elog "For detailed documentation please see the upstream website:"
elog "http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.7-guides/en/syslog-ng-ose-v3.7-guide-admin/html/index.html"
# bug #355257
if ! has_version app-admin/logrotate ; then
echo
elog "It is highly recommended that app-admin/logrotate be emerged to"
elog "manage the log files. ${PN} installs a file in /etc/logrotate.d"
elog "for logrotate to use."
echo
fi
}

1
app-emulation/qemu-guest-agent/Manifest

@ -1,3 +1,4 @@
DIST qemu-2.3.0.tar.bz2 24683085 SHA256 b6bab7f763d5be73e7cb5ee7d4c8365b7a8df2972c52fa5ded18893bd8281588 SHA512 7a40d213c5696b27784abd2a3119e49d42c38c923be431826c73a8f14c19074435d7f1a652686c53baf08e81f5a3005b2ddc92d67c32f6a2b19659ab627e9eaa WHIRLPOOL 9dad6e342027c3be512b4e0b40e810e0a6f1dc84a16847aa5aac74d97f7a347e60d42e770335a090f83e90a1614294f86552a84edc1faafc7093d3e32602f5de
DIST qemu-2.3.1.tar.bz2 24692020 SHA256 661d029809421cae06b4b1bc74ac0e560cb4ed47c9523c676ff277fa26dca15f SHA512 309e6df7dcc0a064d1a17c7dac2f60398700dfa8c6b60b66e4202966248097cbc49af75aa97725bc34773151be6fd75836810e9f0741ba65cdc208414fa78f6b WHIRLPOOL 26750ee00513daa99cdcd585c4b8407b8258a9c3559ae6335266d7754cb6679e7c10c56f8d12ae0ef2b5cd5d6a9a6a536213f8e86e81ced37e46205c796a773e
DIST qemu-2.4.0.tar.bz2 25070979 SHA256 72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620 SHA512 8740e0fb2c654ed897dff4649f1f83d14d57cfa9cbde723899f115982f93253ce9a2bddd60aab379d241027d2044137770efe4c0b3c83d5b20f3a2a06f05a5dc WHIRLPOOL 8c6cfae096624e01f0d5daeb86aa2dccbeaa86d2aeab626cf55cf20b7edace82d0b0f3a1d85eeb2dc1fd53abaaa9dccf8f0d7ddc657a1f5ffd72fd68301648f1
DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef

88
app-emulation/qemu-guest-agent/qemu-guest-agent-2.5.0.ebuild

@ -0,0 +1,88 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
EAPI=5
PYTHON_COMPAT=( python2_7 )
inherit eutils systemd udev python-any-r1
MY_PN="qemu"
MY_P="${MY_PN}-${PV}"
if [[ ${PV} == *9999* ]]; then
EGIT_REPO_URI="git://git.qemu.org/qemu.git"
inherit git-2
else
SRC_URI="http://wiki.qemu.org/download/${MY_P}.tar.bz2"
KEYWORDS="~amd64 ~ppc ~ppc64 ~x86 ~x86-fbsd"
fi
DESCRIPTION="QEMU Guest Agent (qemu-ga) for use when running inside a VM"
HOMEPAGE="http://wiki.qemu.org/Features/QAPI/GuestAgent"
LICENSE="GPL-2 BSD-2"
SLOT="0"
IUSE=""
RDEPEND=">=dev-libs/glib-2.22
!<app-emulation/qemu-1.1.1-r1
!<sys-apps/sysvinit-2.88-r5"
DEPEND="${RDEPEND}
${PYTHON_DEPS}"
S="${WORKDIR}/${MY_P}"
src_prepare() {
epatch_user
}
src_configure() {
tc-export AR LD OBJCOPY
local myconf=(
--prefix=/usr
--sysconfdir=/etc
--libdir="/usr/$(get_libdir)"
--localstatedir=/
--disable-bsd-user
--disable-linux-user
--disable-system
--disable-strip
--disable-werror
--enable-guest-agent
--python="${PYTHON}"
--cc="$(tc-getCC)"
--cxx="$(tc-getCXX)"
--host-cc="$(tc-getBUILD_CC)"
)
echo "./configure ${myconf[*]}"
./configure "${myconf[@]}" || die
}
src_compile() {
emake V=1 qemu-ga
}
src_install() {
dobin qemu-ga
# Normal init stuff
newinitd "${FILESDIR}/qemu-ga.init-r1" qemu-guest-agent
newconfd "${FILESDIR}/qemu-ga.conf-r1" qemu-guest-agent
insinto /etc/logrotate.d
newins "${FILESDIR}/qemu-ga.logrotate" qemu-guest-agent
# systemd stuff
udev_newrules "${FILESDIR}/qemu-ga-systemd.udev" 99-qemu-guest-agent.rules
systemd_newunit "${FILESDIR}/qemu-ga-systemd.service" \
qemu-guest-agent.service
}
pkg_postinst() {
elog "You should add 'qemu-guest-agent' to the default runlevel."
elog "e.g. rc-update add qemu-guest-agent default"
}
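Review bot: The live-ebuild branch sets `EGIT_REPO_URI="git://git.qemu.org/qemu.git"`, and the git:// transport is neither authenticated nor encrypted; a `*9999*` build has no Manifest digest to fall back on, so anything on the network path could substitute the source that gets built. That branch is not taken for 2.5.0, but it is carried in the file, so it should move to an authenticated transport if upstream offers one. The release `SRC_URI` is plain `http://` as well, which leaves the Manifest digests as the only integrity check on the tarball. In `src_configure`, `--localstatedir=/` is unusual enough to deserve a one-line comment saying why it is not `/var`.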

5
app-emulation/qemu/Manifest

@ -1,5 +1,2 @@
DIST qemu-2.3.0.tar.bz2 24683085 SHA256 b6bab7f763d5be73e7cb5ee7d4c8365b7a8df2972c52fa5ded18893bd8281588 SHA512 7a40d213c5696b27784abd2a3119e49d42c38c923be431826c73a8f14c19074435d7f1a652686c53baf08e81f5a3005b2ddc92d67c32f6a2b19659ab627e9eaa WHIRLPOOL 9dad6e342027c3be512b4e0b40e810e0a6f1dc84a16847aa5aac74d97f7a347e60d42e770335a090f83e90a1614294f86552a84edc1faafc7093d3e32602f5de
DIST qemu-2.3.1.tar.bz2 24692020 SHA256 661d029809421cae06b4b1bc74ac0e560cb4ed47c9523c676ff277fa26dca15f SHA512 309e6df7dcc0a064d1a17c7dac2f60398700dfa8c6b60b66e4202966248097cbc49af75aa97725bc34773151be6fd75836810e9f0741ba65cdc208414fa78f6b WHIRLPOOL 26750ee00513daa99cdcd585c4b8407b8258a9c3559ae6335266d7754cb6679e7c10c56f8d12ae0ef2b5cd5d6a9a6a536213f8e86e81ced37e46205c796a773e
DIST qemu-2.4.0.1.tar.bz2 25068555 SHA256 ecfe8b88037e41e817d72c460c56c6a0b573d540d6ba38b162d0de4fd22d1bdb SHA512 08eabe92fa9096386ef00f8e9d99eeec1508d15e5a98431e043a729cbaca2d96d6e3afc612e7c4a0fe5a6bba80006276185f1066b4c73105b2ea24b7e9133b84 WHIRLPOOL 1daaec23d6ada6af8bf4902e590fb96375e7149d2f53ff6bf6d8fb39722c182a2d2efcc0d40bee673a8316f621983c512daa54202bb4e632b3a4b09f0268cd09
DIST qemu-2.4.0.tar.bz2 25070979 SHA256 72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620 SHA512 8740e0fb2c654ed897dff4649f1f83d14d57cfa9cbde723899f115982f93253ce9a2bddd60aab379d241027d2044137770efe4c0b3c83d5b20f3a2a06f05a5dc WHIRLPOOL 8c6cfae096624e01f0d5daeb86aa2dccbeaa86d2aeab626cf55cf20b7edace82d0b0f3a1d85eeb2dc1fd53abaaa9dccf8f0d7ddc657a1f5ffd72fd68301648f1
DIST qemu-2.4.1.tar.bz2 25087522 SHA256 e3d5cf4c8b1f9129c9c797329a515bfb6b3b1ded0ab8b394c8a316490fe3a177 SHA512 fde32b71a50d888c1055e61f4e6dfc45bb97e8e9ebee490c545965fbdcbd5ffd859fbf20648abed1f4fa9fcc5635e9b22e1829bbe802fc8aaf989d6013235917 WHIRLPOOL a698cfa5d2d138eeddb3c6bea57e3b89ca5d47165c04ed1cfd66a81647ac59cbdd594c919abef67bf198278da1160c5b9f3a0da84cd73827f3eb19a6e6f05436
DIST qemu-2.5.0.tar.bz2 25464996 SHA256 3443887401619fe33bfa5d900a4f2d6a79425ae2b7e43d5b8c36eb7a683772d4 SHA512 12153f94cc7f834fd6a85f25690c36f2331d88d414426fb8b9ac20a34e6f9222b1eda30b727674af583580fae90dfd6d0614a905dce1567d94cd049d426b9dd3 WHIRLPOOL 8f5717989d8d234ecf1763ee386b2e1f20c3b17918de130c6dae255e4523a230b2b01a759eba25e4b9f604c680d9b868c56f58bd71b7c6c2c22a2e46804435ef

241
app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch

@ -1,241 +0,0 @@
From a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 23 Mar 2015 22:58:21 +0000
Subject: [PATCH] CVE-2015-1779: incrementally decode websocket frames
The logic for decoding websocket frames wants to fully
decode the frame header and payload, before allowing the
VNC server to see any of the payload data. There is no
size limit on websocket payloads, so this allows a
malicious network client to consume 2^64 bytes in memory
in QEMU. It can trigger this denial of service before
the VNC server even performs any authentication.
The fix is to decode the header, and then incrementally
decode the payload data as it is needed. With this fix
the websocket decoder will allow at most 4k of data to
be buffered before decoding and processing payload.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ]
@@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input,
- *payload_size = input->offset;
+ *payload_size = *payload_remain;
[ kraxel: fix 32bit build ]
@@ -306,7 +306,7 @@ struct VncState
- uint64_t ws_payload_remain;
+ size_t ws_payload_remain;
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
ui/vnc-ws.c | 105 ++++++++++++++++++++++++++++++++++++++++--------------------
ui/vnc-ws.h | 9 ++++--
ui/vnc.h | 2 ++
3 files changed, 80 insertions(+), 36 deletions(-)
diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
index 85dbb7e..0b7de4e 100644
--- a/ui/vnc-ws.c
+++ b/ui/vnc-ws.c
@@ -107,7 +107,7 @@ long vnc_client_read_ws(VncState *vs)
{
int ret, err;
uint8_t *payload;
- size_t payload_size, frame_size;
+ size_t payload_size, header_size;
VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer,
vs->ws_input.capacity, vs->ws_input.offset);
buffer_reserve(&vs->ws_input, 4096);
@@ -117,18 +117,39 @@ long vnc_client_read_ws(VncState *vs)
}
vs->ws_input.offset += ret;
- /* make sure that nothing is left in the ws_input buffer */
+ ret = 0;
+ /* consume as much of ws_input buffer as possible */
do {
- err = vncws_decode_frame(&vs->ws_input, &payload,
- &payload_size, &frame_size);
- if (err <= 0) {
- return err;
+ if (vs->ws_payload_remain == 0) {
+ err = vncws_decode_frame_header(&vs->ws_input,
+ &header_size,
+ &vs->ws_payload_remain,
+ &vs->ws_payload_mask);
+ if (err <= 0) {
+ return err;
+ }
+
+ buffer_advance(&vs->ws_input, header_size);
}
+ if (vs->ws_payload_remain != 0) {
+ err = vncws_decode_frame_payload(&vs->ws_input,
+ &vs->ws_payload_remain,
+ &vs->ws_payload_mask,
+ &payload,
+ &payload_size);
+ if (err < 0) {
+ return err;
+ }
+ if (err == 0) {
+ return ret;
+ }
+ ret += err;
- buffer_reserve(&vs->input, payload_size);
- buffer_append(&vs->input, payload, payload_size);
+ buffer_reserve(&vs->input, payload_size);
+ buffer_append(&vs->input, payload, payload_size);
- buffer_advance(&vs->ws_input, frame_size);
+ buffer_advance(&vs->ws_input, payload_size);
+ }
} while (vs->ws_input.offset > 0);
return ret;
@@ -265,15 +286,14 @@ void vncws_encode_frame(Buffer *output, const void *payload,
buffer_append(output, payload, payload_size);
}
-int vncws_decode_frame(Buffer *input, uint8_t **payload,
- size_t *payload_size, size_t *frame_size)
+int vncws_decode_frame_header(Buffer *input,
+ size_t *header_size,
+ size_t *payload_remain,
+ WsMask *payload_mask)
{
unsigned char opcode = 0, fin = 0, has_mask = 0;
- size_t header_size = 0;
- uint32_t *payload32;
+ size_t payload_len;
WsHeader *header = (WsHeader *)input->buffer;
- WsMask mask;
- int i;
if (input->offset < WS_HEAD_MIN_LEN + 4) {
/* header not complete */
@@ -283,7 +303,7 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload,
fin = (header->b0 & 0x80) >> 7;
opcode = header->b0 & 0x0f;
has_mask = (header->b1 & 0x80) >> 7;
- *payload_size = header->b1 & 0x7f;
+ payload_len = header->b1 & 0x7f;
if (opcode == WS_OPCODE_CLOSE) {
/* disconnect */
@@ -300,40 +320,57 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload,
return -2;
}
- if (*payload_size < 126) {
- header_size = 6;
- mask = header->u.m;
- } else if (*payload_size == 126 && input->offset >= 8) {
- *payload_size = be16_to_cpu(header->u.s16.l16);
- header_size = 8;
- mask = header->u.s16.m16;
- } else if (*payload_size == 127 && input->offset >= 14) {
- *payload_size = be64_to_cpu(header->u.s64.l64);
- header_size = 14;
- mask = header->u.s64.m64;
+ if (payload_len < 126) {
+ *payload_remain = payload_len;
+ *header_size = 6;
+ *payload_mask = header->u.m;
+ } else if (payload_len == 126 && input->offset >= 8) {
+ *payload_remain = be16_to_cpu(header->u.s16.l16);
+ *header_size = 8;
+ *payload_mask = header->u.s16.m16;
+ } else if (payload_len == 127 && input->offset >= 14) {
+ *payload_remain = be64_to_cpu(header->u.s64.l64);
+ *header_size = 14;
+ *payload_mask = header->u.s64.m64;
} else {
/* header not complete */
return 0;
}
- *frame_size = header_size + *payload_size;
+ return 1;
+}
+
+int vncws_decode_frame_payload(Buffer *input,
+ size_t *payload_remain, WsMask *payload_mask,
+ uint8_t **payload, size_t *payload_size)
+{
+ size_t i;
+ uint32_t *payload32;
- if (input->offset < *frame_size) {
- /* frame not complete */
+ *payload = input->buffer;
+ /* If we aren't at the end of the payload, then drop
+ * off the last bytes, so we're always multiple of 4
+ * for purpose of unmasking, except at end of payload
+ */
+ if (input->offset < *payload_remain) {
+ *payload_size = input->offset - (input->offset % 4);
+ } else {
+ *payload_size = *payload_remain;
+ }
+ if (*payload_size == 0) {
return 0;
}
-
- *payload = input->buffer + header_size;
+ *payload_remain -= *payload_size;
/* unmask frame */
/* process 1 frame (32 bit op) */
payload32 = (uint32_t *)(*payload);
for (i = 0; i < *payload_size / 4; i++) {
- payload32[i] ^= mask.u;
+ payload32[i] ^= payload_mask->u;
}
/* process the remaining bytes (if any) */
for (i *= 4; i < *payload_size; i++) {
- (*payload)[i] ^= mask.c[i % 4];
+ (*payload)[i] ^= payload_mask->c[i % 4];
}
return 1;
diff --git a/ui/vnc-ws.h b/ui/vnc-ws.h
index ef229b7..14d4230 100644
--- a/ui/vnc-ws.h
+++ b/ui/vnc-ws.h
@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs);
void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size);
void vncws_encode_frame(Buffer *output, const void *payload,
const size_t payload_size);
-int vncws_decode_frame(Buffer *input, uint8_t **payload,
- size_t *payload_size, size_t *frame_size);
+int vncws_decode_frame_header(Buffer *input,
+ size_t *header_size,
+ size_t *payload_remain,
+ WsMask *payload_mask);
+int vncws_decode_frame_payload(Buffer *input,
+ size_t *payload_remain, WsMask *payload_mask,
+ uint8_t **payload, size_t *payload_size);
#endif /* __QEMU_UI_VNC_WS_H */
diff --git a/ui/vnc.h b/ui/vnc.h
index e19ac39..3f7c6a9 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -306,6 +306,8 @@ struct VncState
#ifdef CONFIG_VNC_WS
Buffer ws_input;
Buffer ws_output;
+ size_t ws_payload_remain;
+ WsMask ws_payload_mask;
#endif
/* current output mode information */
VncWritePixels *write_pixels;
--
2.3.5

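--- a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch
+++ b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch
@@ -1,58 +0,0 @@
-From 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41 Mon Sep 17 00:00:00 2001
-From: "Daniel P. Berrange" <berrange@redhat.com>
-Date: Mon, 23 Mar 2015 22:58:22 +0000
-Subject: [PATCH] CVE-2015-1779: limit size of HTTP headers from websockets
-clients
-The VNC server websockets decoder will read and buffer data from
-websockets clients until it sees the end of the HTTP headers,
-as indicated by \r\n\r\n. In theory this allows a malicious to
-trick QEMU into consuming an arbitrary amount of RAM. In practice,
-because QEMU runs g_strstr_len() across the buffered header data,
-it will spend increasingly long burning CPU time searching for
-the substring match and less & less time reading data. So while
-this does cause arbitrary memory growth, the bigger problem is
-that QEMU will be burning 100% of available CPU time.
-A novnc websockets client typically sends headers of around
-512 bytes in length. As such it is reasonable to place a 4096
-byte limit on the amount of data buffered while searching for
-the end of HTTP headers.
-Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
----
-ui/vnc-ws.c | 10 ++++++++--
-1 file changed, 8 insertions(+), 2 deletions(-)
-diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c
-index 0b7de4e..62eb97f 100644
---- a/ui/vnc-ws.c
-+++ b/ui/vnc-ws.c
-@@ -81,8 +81,11 @@ void vncws_handshake_read(void *opaque)
-VncState *vs = opaque;
-uint8_t *handshake_end;
-long ret;
-- buffer_reserve(&vs->ws_input, 4096);
-- ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096);
-+ /* Typical HTTP headers from novnc are 512 bytes, so limiting
-+ * total header size to 4096 is easily enough. */
-+ size_t want = 4096 - vs->ws_input.offset;
-+ buffer_reserve(&vs->ws_input, want);
-+ ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want);
-if (!ret) {
-if (vs->csock == -1) {
-@@ -99,6 +102,9 @@ void vncws_handshake_read(void *opaque)
-vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset);
-buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer +
-strlen(WS_HANDSHAKE_END));
-+ } else if (vs->ws_input.offset >= 4096) {
-+ VNC_DEBUG("End of headers not found in first 4096 bytes\n");
-+ vnc_client_error(vs);
-}
-}
---
-2.3.5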

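--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3209.patch
@@ -1,51 +0,0 @@
-https://bugs.gentoo.org/551752
-From 9f7c594c006289ad41169b854d70f5da6e400a2a Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Sun, 24 May 2015 10:53:44 +0200
-Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
-4096 is the maximum length per TMD and it is also currently the size of
-the relay buffer pcnet driver uses for sending the packet data to QEMU
-for further processing. With packet spanning multiple TMDs it can
-happen that the overall packet size will be bigger than sizeof(buffer),
-which results in memory corruption.
-Fix this by only allowing to queue maximum sizeof(buffer) bytes.
-This is CVE-2015-3209.
-[Fixed 3-space indentation to QEMU's 4-space coding standard.
---Stefan]
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reported-by: Matt Tait <matttait@google.com>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
-hw/net/pcnet.c | 8 ++++++++
-1 file changed, 8 insertions(+)
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index bdfd38f..68b9981 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
-}
-bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-+
-+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
-+ Note: this is not what real hw does */
-+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
-+ s->xmit_pos = -1;
-+ goto txdone;
-+ }
-+
-s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
-s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
-s->xmit_pos += bcnt;
---
-2.2.0.rc0.207.ga3a616c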

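--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3214.patch
@@ -1,41 +0,0 @@
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Wed, 17 Jun 2015 10:46:11 +0000 (+0200)
-Subject: i8254: fix out-of-bounds memory access in pit_ioport_read()
-X-Git-Tag: v2.4.0-rc0~43^2~9
-X-Git-Url: http://git.qemu.org/?p=qemu.git;a=commitdiff_plain;h=d4862a87e31a51de9eb260f25c9e99a75efe3235;hp=9dacf32d2cbd66cbcce7944ebdfd6b2df20e33b8
-i8254: fix out-of-bounds memory access in pit_ioport_read()
-Due converting PIO to the new memory read/write api we no longer provide
-separate I/O region lenghts for read and write operations. As a result,
-reading from PIT Mode/Command register will end with accessing
-pit->channels with invalid index.
-Fix this by ignoring read from the Mode/Command register.
-This is CVE-2015-3214.
-Reported-by: Matt Tait <matttait@google.com>
-Fixes: 0505bcdec8228d8de39ab1a02644e71999e7c052
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
----
-diff --git a/hw/timer/i8254.c b/hw/timer/i8254.c
-index 3450c98..9b65a33 100644
---- a/hw/timer/i8254.c
-+++ b/hw/timer/i8254.c
-@@ -196,6 +196,12 @@ static uint64_t pit_ioport_read(void *opaque, hwaddr addr,
-PITChannelState *s;
-addr &= 3;
-+
-+ if (addr == 3) {
-+ /* Mode/Command register is write only, read is ignored */
-+ return 0;
-+ }
-+
-s = &pit->channels[addr];
-if (s->status_latched) {
-s->status_latched = 0;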

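--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch
@@ -1,86 +0,0 @@
-https://bugs.gentoo.org/549404
-From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-This is CVE-2015-3456.
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
-Signed-off-by: John Snow <jsnow@redhat.com>
----
-hw/block/fdc.c | 17 +++++++++++------
-1 files changed, 11 insertions(+), 6 deletions(-)
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-{
-FDrive *cur_drv;
-uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-cur_drv = get_cur_drv(fdctrl);
-fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
-return 0;
-}
-pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
-if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
-if (pos == 0) {
-if (fdctrl->data_pos != 0)
-if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
-static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
-{
-FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
-/* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
-fdctrl->fifo[0] = fdctrl->fifo[1];
-fdctrl->fifo[2] = 0;
-fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256];
-static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-{
-FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-/* Reset mode */
-if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
-}
-FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
-if (fdctrl->data_pos == fdctrl->data_len) {
-/* We now have all parameters
-* and will be able to treat the command
---
-1.7.0.4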

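--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-1.patch
@@ -1,75 +0,0 @@
-From d2ff85854512574e7209f295e87b0835d5b032c6 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Sun, 26 Jul 2015 23:42:53 -0400
-Subject: [PATCH] ide: Check array bounds before writing to io_buffer
-(CVE-2015-5154)
-If the end_transfer_func of a command is called because enough data has
-been read or written for the current PIO transfer, and it fails to
-correctly call the command completion functions, the DRQ bit in the
-status register and s->end_transfer_func may remain set. This allows the
-guest to access further bytes in s->io_buffer beyond s->data_end, and
-eventually overflowing the io_buffer.
-One case where this currently happens is emulation of the ATAPI command
-START STOP UNIT.
-This patch fixes the problem by adding explicit array bounds checks
-before accessing the buffer instead of relying on end_transfer_func to
-function correctly.
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
----
-hw/ide/core.c | 16 ++++++++++++++++
-1 file changed, 16 insertions(+)
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 122e955..44fcc23 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2021,6 +2021,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
-}
-p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return;
-+ }
-+
-*(uint16_t *)p = le16_to_cpu(val);
-p += 2;
-s->data_ptr = p;
-@@ -2042,6 +2046,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
-}
-p = s->data_ptr;
-+ if (p + 2 > s->data_end) {
-+ return 0;
-+ }
-+
-ret = cpu_to_le16(*(uint16_t *)p);
-p += 2;
-s->data_ptr = p;
-@@ -2063,6 +2071,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
-}
-p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return;
-+ }
-+
-*(uint32_t *)p = le32_to_cpu(val);
-p += 4;
-s->data_ptr = p;
-@@ -2084,6 +2096,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
-}
-p = s->data_ptr;
-+ if (p + 4 > s->data_end) {
-+ return 0;
-+ }
-+
-ret = cpu_to_le32(*(uint32_t *)p);
-p += 4;
-s->data_ptr = p;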

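--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-2.patch
@@ -1,26 +0,0 @@
-From 03441c3a4a42beb25460dd11592539030337d0f8 Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Sun, 26 Jul 2015 23:42:53 -0400
-Subject: [PATCH] ide/atapi: Fix START STOP UNIT command completion
-The command must be completed on all code paths. START STOP UNIT with
-pwrcnd set should succeed without doing anything.
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
----
-hw/ide/atapi.c | 1 +
-1 file changed, 1 insertion(+)
-diff --git a/hw/ide/atapi.c b/hw/ide/atapi.c
-index 950e311..79dd167 100644
---- a/hw/ide/atapi.c
-+++ b/hw/ide/atapi.c
-@@ -983,6 +983,7 @@ static void cmd_start_stop_unit(IDEState *s, uint8_t* buf)
-if (pwrcnd) {
-/* eject/load only happens for power condition == 0 */
-+ ide_atapi_cmd_ok(s);
-return;
-}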

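--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5154-3.patch
@@ -1,69 +0,0 @@
-From cb72cba83021fa42719e73a5249c12096a4d1cfc Mon Sep 17 00:00:00 2001
-From: Kevin Wolf <kwolf@redhat.com>
-Date: Sun, 26 Jul 2015 23:42:53 -0400
-Subject: [PATCH] ide: Clear DRQ after handling all expected accesses
-This is additional hardening against an end_transfer_func that fails to
-clear the DRQ status bit. The bit must be unset as soon as the PIO
-transfer has completed, so it's better to do this in a central place
-instead of duplicating the code in all commands (and forgetting it in
-some).
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-Reviewed-by: John Snow <jsnow@redhat.com>
----
-hw/ide/core.c | 16 ++++++++++++----
-1 file changed, 12 insertions(+), 4 deletions(-)
-diff --git a/hw/ide/core.c b/hw/ide/core.c
-index 44fcc23..50449ca 100644
---- a/hw/ide/core.c
-+++ b/hw/ide/core.c
-@@ -2028,8 +2028,10 @@ void ide_data_writew(void *opaque, uint32_t addr, uint32_t val)
-*(uint16_t *)p = le16_to_cpu(val);
-p += 2;
-s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
-s->end_transfer_func(s);
-+ }
-}
-uint32_t ide_data_readw(void *opaque, uint32_t addr)
-@@ -2053,8 +2055,10 @@ uint32_t ide_data_readw(void *opaque, uint32_t addr)
-ret = cpu_to_le16(*(uint16_t *)p);
-p += 2;
-s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
-s->end_transfer_func(s);
-+ }
-return ret;
-}
-@@ -2078,8 +2082,10 @@ void ide_data_writel(void *opaque, uint32_t addr, uint32_t val)
-*(uint32_t *)p = le32_to_cpu(val);
-p += 4;
-s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
-s->end_transfer_func(s);
-+ }
-}
-uint32_t ide_data_readl(void *opaque, uint32_t addr)
-@@ -2103,8 +2109,10 @@ uint32_t ide_data_readl(void *opaque, uint32_t addr)
-ret = cpu_to_le32(*(uint32_t *)p);
-p += 4;
-s->data_ptr = p;
-- if (p >= s->data_end)
-+ if (p >= s->data_end) {
-+ s->status &= ~DRQ_STAT;
-s->end_transfer_func(s);
-+ }
-return ret;
-}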

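--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5158.patch
@@ -1,40 +0,0 @@
-commit c170aad8b057223b1139d72e5ce7acceafab4fa9
-Author: Paolo Bonzini <pbonzini@redhat.com>
-Date: Tue Jul 21 08:59:39 2015 +0200
-scsi: fix buffer overflow in scsi_req_parse_cdb (CVE-2015-5158)
-This is a guest-triggerable buffer overflow present in QEMU 2.2.0
-and newer. scsi_cdb_length returns -1 as an error value, but the
-caller does not check it.
-Luckily, the massive overflow means that QEMU will just SIGSEGV,
-making the impact much smaller.
-Reported-by: Zhu Donghai (朱东海) <donghai.zdh@alibaba-inc.com>
-Fixes: 1894df02811f6b79ea3ffbf1084599d96f316173
-Reviewed-by: Fam Zheng <famz@redhat.com>
-Cc: qemu-stable@nongnu.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-diff --git a/hw/scsi/scsi-bus.c b/hw/scsi/scsi-bus.c
-index f50b2f0..f0ae462 100644
---- a/hw/scsi/scsi-bus.c
-+++ b/hw/scsi/scsi-bus.c
-@@ -1239,10 +1239,15 @@ int scsi_cdb_length(uint8_t *buf) {
-int scsi_req_parse_cdb(SCSIDevice *dev, SCSICommand *cmd, uint8_t *buf)
-{
-int rc;
-+ int len;
-cmd->lba = -1;
-- cmd->len = scsi_cdb_length(buf);
-+ len = scsi_cdb_length(buf);
-+ if (len < 0) {
-+ return -1;
-+ }
-+ cmd->len = len;
-switch (dev->type) {
-case TYPE_TAPE:
-rc = scsi_req_stream_xfer(cmd, dev, buf);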

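--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-1.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-1.patch
@@ -1,82 +0,0 @@
-From 5e0c290415b9d57077a86e70c8e6a058868334d3 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Wed, 15 Jul 2015 18:16:58 +0100
-Subject: [PATCH 1/7] rtl8139: avoid nested ifs in IP header parsing
-Transmit offload needs to parse packet headers. If header fields have
-unexpected values the offload processing is skipped.
-The code currently uses nested ifs because there is relatively little
-input validation. The next patches will add missing input validation
-and a goto label is more appropriate to avoid deep if statement nesting.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
-hw/net/rtl8139.c | 41 ++++++++++++++++++++++-------------------
-1 file changed, 22 insertions(+), 19 deletions(-)
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index 5f0197c..91ba33b 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2174,28 +2174,30 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
-size_t eth_payload_len = 0;
-int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
-- if (proto == ETH_P_IP)
-+ if (proto != ETH_P_IP)
-{
-- DPRINTF("+++ C+ mode has IP packet\n");
--
-- /* not aligned */
-- eth_payload_data = saved_buffer + ETH_HLEN;
-- eth_payload_len = saved_size - ETH_HLEN;
--
-- ip = (ip_header*)eth_payload_data;
--
-- if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
-- DPRINTF("+++ C+ mode packet has bad IP version %d "
-- "expected %d\n", IP_HEADER_VERSION(ip),
-- IP_HEADER_VERSION_4);
-- ip = NULL;
-- } else {
-- hlen = IP_HEADER_LENGTH(ip);
-- ip_protocol = ip->ip_p;
-- ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
-- }
-+ goto skip_offload;
-}
-+ DPRINTF("+++ C+ mode has IP packet\n");
-+
-+ /* not aligned */
-+ eth_payload_data = saved_buffer + ETH_HLEN;
-+ eth_payload_len = saved_size - ETH_HLEN;
-+
-+ ip = (ip_header*)eth_payload_data;
-+
-+ if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
-+ DPRINTF("+++ C+ mode packet has bad IP version %d "
-+ "expected %d\n", IP_HEADER_VERSION(ip),
-+ IP_HEADER_VERSION_4);
-+ goto skip_offload;
-+ }
-+
-+ hlen = IP_HEADER_LENGTH(ip);
-+ ip_protocol = ip->ip_p;
-+ ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
-+
-if (ip)
-{
-if (txdw0 & CP_TX_IPCS)
-@@ -2391,6 +2393,7 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
-}
-}
-+skip_offload:
-/* update tally counter */
-++s->tally_counters.TxOk;
---
-2.1.4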

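--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-2.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-2.patch
@@ -1,373 +0,0 @@
-From 2d7d80e8dc160904fa7276cc05da26c062a50066 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Wed, 15 Jul 2015 18:16:59 +0100
-Subject: [PATCH 2/7] rtl8139: drop tautologous if (ip) {...} statement
-The previous patch stopped using the ip pointer as an indicator that the
-IP header is present. When we reach the if (ip) {...} statement we know
-ip is always non-NULL.
-Remove the if statement to reduce nesting.
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
-hw/net/rtl8139.c | 305 +++++++++++++++++++++++++++----------------------------
-1 file changed, 151 insertions(+), 154 deletions(-)
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index 91ba33b..2f12d42 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2198,198 +2198,195 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
-ip_protocol = ip->ip_p;
-ip_data_len = be16_to_cpu(ip->ip_len) - hlen;
-- if (ip)
-+ if (txdw0 & CP_TX_IPCS)
-{
-- if (txdw0 & CP_TX_IPCS)
-- {
-- DPRINTF("+++ C+ mode need IP checksum\n");
-+ DPRINTF("+++ C+ mode need IP checksum\n");
-- if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
-- /* bad packet header len */
-- /* or packet too short */
-- }
-- else
-- {
-- ip->ip_sum = 0;
-- ip->ip_sum = ip_checksum(ip, hlen);
-- DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
-- hlen, ip->ip_sum);
-- }
-+ if (hlen<sizeof(ip_header) || hlen>eth_payload_len) {/* min header length */
-+ /* bad packet header len */
-+ /* or packet too short */
-}
--
-- if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
-+ else
-{
-- int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
-+ ip->ip_sum = 0;
-+ ip->ip_sum = ip_checksum(ip, hlen);
-+ DPRINTF("+++ C+ mode IP header len=%d checksum=%04x\n",
-+ hlen, ip->ip_sum);
-+ }
-+ }
-- DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
-- "frame data %d specified MSS=%d\n", ETH_MTU,
-- ip_data_len, saved_size - ETH_HLEN, large_send_mss);
-+ if ((txdw0 & CP_TX_LGSEN) && ip_protocol == IP_PROTO_TCP)
-+ {
-+ int large_send_mss = (txdw0 >> 16) & CP_TC_LGSEN_MSS_MASK;
-- int tcp_send_offset = 0;
-- int send_count = 0;
-+ DPRINTF("+++ C+ mode offloaded task TSO MTU=%d IP data %d "
-+ "frame data %d specified MSS=%d\n", ETH_MTU,
-+ ip_data_len, saved_size - ETH_HLEN, large_send_mss);
-- /* maximum IP header length is 60 bytes */
-- uint8_t saved_ip_header[60];
-+ int tcp_send_offset = 0;
-+ int send_count = 0;
-- /* save IP header template; data area is used in tcp checksum calculation */
-- memcpy(saved_ip_header, eth_payload_data, hlen);
-+ /* maximum IP header length is 60 bytes */
-+ uint8_t saved_ip_header[60];
-- /* a placeholder for checksum calculation routine in tcp case */
-- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
-- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
-+ /* save IP header template; data area is used in tcp checksum calculation */
-+ memcpy(saved_ip_header, eth_payload_data, hlen);
-- /* pointer to TCP header */
-- tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
-+ /* a placeholder for checksum calculation routine in tcp case */
-+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
-+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
-- int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
-+ /* pointer to TCP header */
-+ tcp_header *p_tcp_hdr = (tcp_header*)(eth_payload_data + hlen);
-- /* ETH_MTU = ip header len + tcp header len + payload */
-- int tcp_data_len = ip_data_len - tcp_hlen;
-- int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
-+ int tcp_hlen = TCP_HEADER_DATA_OFFSET(p_tcp_hdr);
-- DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP "
-- "data len %d TCP chunk size %d\n", ip_data_len,
-- tcp_hlen, tcp_data_len, tcp_chunk_size);
-+ /* ETH_MTU = ip header len + tcp header len + payload */
-+ int tcp_data_len = ip_data_len - tcp_hlen;
-+ int tcp_chunk_size = ETH_MTU - hlen - tcp_hlen;
-- /* note the cycle below overwrites IP header data,
-- but restores it from saved_ip_header before sending packet */
-+ DPRINTF("+++ C+ mode TSO IP data len %d TCP hlen %d TCP "
-+ "data len %d TCP chunk size %d\n", ip_data_len,
-+ tcp_hlen, tcp_data_len, tcp_chunk_size);
-- int is_last_frame = 0;
-+ /* note the cycle below overwrites IP header data,
-+ but restores it from saved_ip_header before sending packet */
-- for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
-- {
-- uint16_t chunk_size = tcp_chunk_size;
--
-- /* check if this is the last frame */
-- if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
-- {
-- is_last_frame = 1;
-- chunk_size = tcp_data_len - tcp_send_offset;
-- }
--
-- DPRINTF("+++ C+ mode TSO TCP seqno %08x\n",
-- be32_to_cpu(p_tcp_hdr->th_seq));
--
-- /* add 4 TCP pseudoheader fields */
-- /* copy IP source and destination fields */
-- memcpy(data_to_checksum, saved_ip_header + 12, 8);
--
-- DPRINTF("+++ C+ mode TSO calculating TCP checksum for "
-- "packet with %d bytes data\n", tcp_hlen +
-- chunk_size);
--
-- if (tcp_send_offset)
-- {
-- memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
-- }
--
-- /* keep PUSH and FIN flags only for the last frame */
-- if (!is_last_frame)
-- {
-- TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
-- }
--
-- /* recalculate TCP checksum */
-- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
-- p_tcpip_hdr->zeros = 0;
-- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
-- p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
--
-- p_tcp_hdr->th_sum = 0;
--
-- int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
-- DPRINTF("+++ C+ mode TSO TCP checksum %04x\n",
-- tcp_checksum);
--
-- p_tcp_hdr->th_sum = tcp_checksum;
--
-- /* restore IP header */
-- memcpy(eth_payload_data, saved_ip_header, hlen);
--
-- /* set IP data length and recalculate IP checksum */
-- ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
--
-- /* increment IP id for subsequent frames */
-- ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
--
-- ip->ip_sum = 0;
-- ip->ip_sum = ip_checksum(eth_payload_data, hlen);
-- DPRINTF("+++ C+ mode TSO IP header len=%d "
-- "checksum=%04x\n", hlen, ip->ip_sum);
--
-- int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
-- DPRINTF("+++ C+ mode TSO transferring packet size "
-- "%d\n", tso_send_size);
-- rtl8139_transfer_frame(s, saved_buffer, tso_send_size,
-- 0, (uint8_t *) dot1q_buffer);
--
-- /* add transferred count to TCP sequence number */
-- p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
-- ++send_count;
-- }
-+ int is_last_frame = 0;
-- /* Stop sending this frame */
-- saved_size = 0;
-- }
-- else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
-+ for (tcp_send_offset = 0; tcp_send_offset < tcp_data_len; tcp_send_offset += tcp_chunk_size)
-{
-- DPRINTF("+++ C+ mode need TCP or UDP checksum\n");
-+ uint16_t chunk_size = tcp_chunk_size;
-- /* maximum IP header length is 60 bytes */
-- uint8_t saved_ip_header[60];
-- memcpy(saved_ip_header, eth_payload_data, hlen);
-+ /* check if this is the last frame */
-+ if (tcp_send_offset + tcp_chunk_size >= tcp_data_len)
-+ {
-+ is_last_frame = 1;
-+ chunk_size = tcp_data_len - tcp_send_offset;
-+ }
-- uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
-- // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
-+ DPRINTF("+++ C+ mode TSO TCP seqno %08x\n",
-+ be32_to_cpu(p_tcp_hdr->th_seq));
-/* add 4 TCP pseudoheader fields */
-/* copy IP source and destination fields */
-memcpy(data_to_checksum, saved_ip_header + 12, 8);
-- if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
-+ DPRINTF("+++ C+ mode TSO calculating TCP checksum for "
-+ "packet with %d bytes data\n", tcp_hlen +
-+ chunk_size);
-+
-+ if (tcp_send_offset)
-{
-- DPRINTF("+++ C+ mode calculating TCP checksum for "
-- "packet with %d bytes data\n", ip_data_len);
-+ memcpy((uint8_t*)p_tcp_hdr + tcp_hlen, (uint8_t*)p_tcp_hdr + tcp_hlen + tcp_send_offset, chunk_size);
-+ }
-- ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
-- p_tcpip_hdr->zeros = 0;
-- p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
-- p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
-+ /* keep PUSH and FIN flags only for the last frame */
-+ if (!is_last_frame)
-+ {
-+ TCP_HEADER_CLEAR_FLAGS(p_tcp_hdr, TCP_FLAG_PUSH|TCP_FLAG_FIN);
-+ }
-- tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
-+ /* recalculate TCP checksum */
-+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
-+ p_tcpip_hdr->zeros = 0;
-+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
-+ p_tcpip_hdr->ip_payload = cpu_to_be16(tcp_hlen + chunk_size);
-- p_tcp_hdr->th_sum = 0;
-+ p_tcp_hdr->th_sum = 0;
-- int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
-- DPRINTF("+++ C+ mode TCP checksum %04x\n",
-- tcp_checksum);
-+ int tcp_checksum = ip_checksum(data_to_checksum, tcp_hlen + chunk_size + 12);
-+ DPRINTF("+++ C+ mode TSO TCP checksum %04x\n",
-+ tcp_checksum);
-- p_tcp_hdr->th_sum = tcp_checksum;
-- }
-- else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
-- {
-- DPRINTF("+++ C+ mode calculating UDP checksum for "
-- "packet with %d bytes data\n", ip_data_len);
-+ p_tcp_hdr->th_sum = tcp_checksum;
-- ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
-- p_udpip_hdr->zeros = 0;
-- p_udpip_hdr->ip_proto = IP_PROTO_UDP;
-- p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
-+ /* restore IP header */
-+ memcpy(eth_payload_data, saved_ip_header, hlen);
-- udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
-+ /* set IP data length and recalculate IP checksum */
-+ ip->ip_len = cpu_to_be16(hlen + tcp_hlen + chunk_size);
-- p_udp_hdr->uh_sum = 0;
-+ /* increment IP id for subsequent frames */
-+ ip->ip_id = cpu_to_be16(tcp_send_offset/tcp_chunk_size + be16_to_cpu(ip->ip_id));
-- int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
-- DPRINTF("+++ C+ mode UDP checksum %04x\n",
-- udp_checksum);
-+ ip->ip_sum = 0;
-+ ip->ip_sum = ip_checksum(eth_payload_data, hlen);
-+ DPRINTF("+++ C+ mode TSO IP header len=%d "
-+ "checksum=%04x\n", hlen, ip->ip_sum);
-- p_udp_hdr->uh_sum = udp_checksum;
-- }
-+ int tso_send_size = ETH_HLEN + hlen + tcp_hlen + chunk_size;
-+ DPRINTF("+++ C+ mode TSO transferring packet size "
-+ "%d\n", tso_send_size);
-+ rtl8139_transfer_frame(s, saved_buffer, tso_send_size,
-+ 0, (uint8_t *) dot1q_buffer);
-- /* restore IP header */
-- memcpy(eth_payload_data, saved_ip_header, hlen);
-+ /* add transferred count to TCP sequence number */
-+ p_tcp_hdr->th_seq = cpu_to_be32(chunk_size + be32_to_cpu(p_tcp_hdr->th_seq));
-+ ++send_count;
-}
-+
-+ /* Stop sending this frame */
-+ saved_size = 0;
-+ }
-+ else if (txdw0 & (CP_TX_TCPCS|CP_TX_UDPCS))
-+ {
-+ DPRINTF("+++ C+ mode need TCP or UDP checksum\n");
-+
-+ /* maximum IP header length is 60 bytes */
-+ uint8_t saved_ip_header[60];
-+ memcpy(saved_ip_header, eth_payload_data, hlen);
-+
-+ uint8_t *data_to_checksum = eth_payload_data + hlen - 12;
-+ // size_t data_to_checksum_len = eth_payload_len - hlen + 12;
-+
-+ /* add 4 TCP pseudoheader fields */
-+ /* copy IP source and destination fields */
-+ memcpy(data_to_checksum, saved_ip_header + 12, 8);
-+
-+ if ((txdw0 & CP_TX_TCPCS) && ip_protocol == IP_PROTO_TCP)
-+ {
-+ DPRINTF("+++ C+ mode calculating TCP checksum for "
-+ "packet with %d bytes data\n", ip_data_len);
-+
-+ ip_pseudo_header *p_tcpip_hdr = (ip_pseudo_header *)data_to_checksum;
-+ p_tcpip_hdr->zeros = 0;
-+ p_tcpip_hdr->ip_proto = IP_PROTO_TCP;
-+ p_tcpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
-+
-+ tcp_header* p_tcp_hdr = (tcp_header *) (data_to_checksum+12);
-+
-+ p_tcp_hdr->th_sum = 0;
-+
-+ int tcp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
-+ DPRINTF("+++ C+ mode TCP checksum %04x\n",
-+ tcp_checksum);
-+
-+ p_tcp_hdr->th_sum = tcp_checksum;
-+ }
-+ else if ((txdw0 & CP_TX_UDPCS) && ip_protocol == IP_PROTO_UDP)
-+ {
-+ DPRINTF("+++ C+ mode calculating UDP checksum for "
-+ "packet with %d bytes data\n", ip_data_len);
-+
-+ ip_pseudo_header *p_udpip_hdr = (ip_pseudo_header *)data_to_checksum;
-+ p_udpip_hdr->zeros = 0;
-+ p_udpip_hdr->ip_proto = IP_PROTO_UDP;
-+ p_udpip_hdr->ip_payload = cpu_to_be16(ip_data_len);
-+
-+ udp_header *p_udp_hdr = (udp_header *) (data_to_checksum+12);
-+
-+ p_udp_hdr->uh_sum = 0;
-+
-+ int udp_checksum = ip_checksum(data_to_checksum, ip_data_len + 12);
-+ DPRINTF("+++ C+ mode UDP checksum %04x\n",
-+ udp_checksum);
-+
-+ p_udp_hdr->uh_sum = udp_checksum;
-+ }
-+
-+ /* restore IP header */
-+ memcpy(eth_payload_data, saved_ip_header, hlen);
-}
-}
---
-2.1.4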

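--- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-3.patch
+++ b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-3.patch
@@ -1,39 +0,0 @@
-From 043d28507ef7c5fdc34866f5e3b27a72bd0cd072 Mon Sep 17 00:00:00 2001
-From: Stefan Hajnoczi <stefanha@redhat.com>
-Date: Wed, 15 Jul 2015 18:17:00 +0100
-Subject: [PATCH 3/7] rtl8139: skip offload on short Ethernet/IP header
-Transmit offload features access Ethernet and IP headers the packet. If
-the packet is too short we must not attempt to access header fields:
-int proto = be16_to_cpu(*(uint16_t *)(saved_buffer + 12));
-...
-eth_payload_data = saved_buffer + ETH_HLEN;
-...
-ip = (ip_header*)eth_payload_data;
-if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) {
-Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
----
-hw/net/rtl8139.c | 5 +++++
-1 file changed, 5 insertions(+)
-diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
-index 2f12d42..d377b6b 100644
---- a/hw/net/rtl8139.c
-+++ b/hw/net/rtl8139.c
-@@ -2164,6 +2164,11 @@ static int rtl8139_cplus_transmit_one(RTL8139State *s)
-{
-DPRINTF("+++ C+ mode offloaded task checksum\n");
-+ /* Large enough for Ethernet and IP headers? */
-+ if (saved_size < ETH_HLEN + sizeof(ip_header)) {
-+ goto skip_offload;
-+ }
-+
-/* ip packet header */
-ip_header *ip = NULL;
-int hlen = 0;
---
-2.1.4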

53
app-emulation/qemu/files/qemu-2.3.0-CVE-2015-5165-4.patch

@ -1,53 +0,0 @@
From 5a75d242fe019d05b46ef9bc330a6892525c84a7 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 15 Jul 2015 18:17:01 +0100
Subject: [PATCH 4/7] rtl8139: check IP Header Length field