Re: [OE-core] [PATCH 1/2] qemu: upgrade to 2.10.1
On Thu, 2017-10-26 at 09:37 -0500, Leonardo Sandoval wrote: > I used devtool upgrade and the only hunk I need to remove was > thisone, the rest were applied cleanly. The rest was applied *silently*, but not *cleanly*. The lesson here is basically that developers shouldn't blindly trust the tools. If something is odd, investigate. What was odd in this case is that it looked like a patch was partially merged. Why would anyone do that? And indeed, it was merged completely. -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 1/2] qemu: upgrade to 2.10.1
Hi Patrick On Thu, Oct 26, 2017 at 4:33 AM, Patrick Ohlywrote: On Thu, 2017-10-19 at 13:10 -0700, leonardo.sandoval.gonza...@linux.intel.com wrote: From: Leonardo Sandoval All CVE patches removed because these are already integrated in 2.10.1. ... meta/recipes-devtools/qemu/qemu/glibc-2.25.patch | 14 - diff --git a/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch b/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch index a6908bdbf9..25569449e4 100644 --- a/meta/recipes-devtools/qemu/qemu/glibc- 2.25.patch +++ b/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch @@ -72,17 +72,3 @@ diff -uNr qemu-2.8.0.orig/configure qemu- 2.8.0/configure # Hold two types of flag: # CONFIG_THREAD_SETNAME_BYTHREAD - we've got a way of setting the name on # a thread we have a handle to -diff -uNr qemu-2.8.0.orig/include/sysemu/os-posix.h qemu- 2.8.0/include/sysemu/os-posix.h qemu-2.8.0.orig/include/sysemu/os-posix.h 2016-12-20 21:16:48.0 +0100 -+++ qemu-2.8.0/include/sysemu/os-posix.h 2017-02-21 19:07:18.009090381 +0100 -@@ -34,6 +34,10 @@ - #include - #include - -+#ifdef CONFIG_SYSMACROS -+#include -+#endif -+ - void os_set_line_buffering(void); - void os_set_proc_name(const char *s); - void os_setup_signal_handling(void); Instead of removing just this hunk from the glibc-2.25.patch, please remove the entire patch. It is already in 2.10.0. I was about to send a patch doing just that when I saw your version update. Here's the commit message for my patch: The patch is already present in the upstream 2.10.0. Patching during a build succeeds by adding the same hunks again to configure (which seems to cause no problems during build) and skipping the one which it detects as already applied, but "devtool modify qemu-native" is more picky: I used devtool upgrade and the only hunk I need to remove was this one, the rest were applied cleanly. Let me check again and send a V2 asap. Leo ERROR: Applying 'glibc-2.25.patch' failed: checking file configure Hunk #1 succeeded at 4986 with fuzz 2 (offset 259 lines). checking file configure Hunk #1 succeeded at 6047 with fuzz 1 (offset 352 lines). checking file include/sysemu/os-posix.h Reversed (or previously applied) patch detected! Assume -R? [n] Apply anyway? [n] Skipping patch. 1 out of 1 hunk ignored ERROR: Function failed: patch_do_patch ERROR: Logfile of failure stored in: .../devtooltmp-6_22hcm3/temp/log.do_patch.31897 NOTE: Tasks Summary: Attempted 3 tasks of which 0 didn't need to be rerun and 1 failed. ERROR: Extracting source for qemu-native failed -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 1/2] qemu: upgrade to 2.10.1
On 10/26/2017 12:33 PM, Patrick Ohly wrote:> The patch is already present in the upstream 2.10.0. Patching during a> build succeeds by adding the same hunks again to configure (which> seems to cause no problems during build) and skipping the one which it> detects as already applied, but "devtool modify qemu-native" is more> picky: Seems like another instance of patch (the tool) being too permissive about the context by default. Git on the other hand is always strict. When updating versions, I recommend everyone to use devtool upgrade/modify for this reason. There is at least one known case where applying a patch in an incorrect spot created a security issue: https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450 Alex -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 1/2] qemu: upgrade to 2.10.1
On Thu, 2017-10-19 at 13:10 -0700, leonardo.sandoval.gonza...@linux.intel.com wrote: > From: Leonardo Sandoval> > All CVE patches removed because these are already integrated in > 2.10.1. ... > meta/recipes-devtools/qemu/qemu/glibc-2.25.patch | 14 - diff --git a/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch > b/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch > index a6908bdbf9..25569449e4 100644 > --- a/meta/recipes-devtools/qemu/qemu/glibc- > 2.25.patch > +++ b/meta/recipes-devtools/qemu/qemu/glibc-2.25.patch > @@ -72,17 +72,3 @@ diff -uNr qemu-2.8.0.orig/configure qemu- > 2.8.0/configure > # Hold two types of flag: > # CONFIG_THREAD_SETNAME_BYTHREAD - we've got a way of setting > the name on > # a thread we have a handle to > -diff -uNr qemu-2.8.0.orig/include/sysemu/os-posix.h qemu- > 2.8.0/include/sysemu/os-posix.h > qemu-2.8.0.orig/include/sysemu/os-posix.h2016-12-20 > 21:16:48.0 +0100 > -+++ qemu-2.8.0/include/sysemu/os-posix.h 2017-02-21 > 19:07:18.009090381 +0100 > -@@ -34,6 +34,10 @@ > - #include > - #include > - > -+#ifdef CONFIG_SYSMACROS > -+#include > -+#endif > -+ > - void os_set_line_buffering(void); > - void os_set_proc_name(const char *s); > - void os_setup_signal_handling(void); Instead of removing just this hunk from the glibc-2.25.patch, please remove the entire patch. It is already in 2.10.0. I was about to send a patch doing just that when I saw your version update. Here's the commit message for my patch: The patch is already present in the upstream 2.10.0. Patching during a build succeeds by adding the same hunks again to configure (which seems to cause no problems during build) and skipping the one which it detects as already applied, but "devtool modify qemu-native" is more picky: ERROR: Applying 'glibc-2.25.patch' failed: checking file configure Hunk #1 succeeded at 4986 with fuzz 2 (offset 259 lines). checking file configure Hunk #1 succeeded at 6047 with fuzz 1 (offset 352 lines). checking file include/sysemu/os-posix.h Reversed (or previously applied) patch detected! Assume -R? [n] Apply anyway? [n] Skipping patch. 1 out of 1 hunk ignored ERROR: Function failed: patch_do_patch ERROR: Logfile of failure stored in: .../devtooltmp-6_22hcm3/temp/log.do_patch.31897 NOTE: Tasks Summary: Attempted 3 tasks of which 0 didn't need to be rerun and 1 failed. ERROR: Extracting source for qemu-native failed -- Best Regards, Patrick Ohly The content of this message is my personal opinion only and although I am an employee of Intel, the statements I make here in no way represent Intel's position on the issue, nor am I authorized to speak on behalf of Intel on this matter. -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 1/2] qemu: upgrade to 2.10.1
From: Leonardo SandovalAll CVE patches removed because these are already integrated in 2.10.1. Signed-off-by: Leonardo Sandoval --- .../qemu/qemu/CVE-2017-13672.patch | 504 - .../qemu/qemu/CVE-2017-13673.patch | 53 --- .../qemu/qemu/CVE-2017-13711.patch | 87 .../qemu/qemu/CVE-2017-14167.patch | 70 --- meta/recipes-devtools/qemu/qemu/glibc-2.25.patch | 14 - .../qemu/{qemu_2.10.0.bb => qemu_2.10.1.bb}| 8 +- 6 files changed, 2 insertions(+), 734 deletions(-) delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2017-13673.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2017-13711.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2017-14167.patch rename meta/recipes-devtools/qemu/{qemu_2.10.0.bb => qemu_2.10.1.bb} (86%) diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch b/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch deleted file mode 100644 index ce0b1ee3ed..00 --- a/meta/recipes-devtools/qemu/qemu/CVE-2017-13672.patch +++ /dev/null @@ -1,504 +0,0 @@ -From 3d90c6254863693a6b13d918d2b8682e08bbc681 Mon Sep 17 00:00:00 2001 -From: Gerd Hoffmann -Date: Mon, 28 Aug 2017 14:29:06 +0200 -Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions - -Instead pass around the address (aka offset into vga memory). -Add vga_read_* helper functions which apply vbe_size_mask to -the address, to make sure the address stays within the valid -range, similar to the cirrus blitter fixes (commits ffaf857778 -and 026aeffcb4). - -Impact: DoS for privileged guest users. qemu crashes with -a segfault, when hitting the guard page after vga memory -allocation, while reading vga memory for display updates. - -Fixes: CVE-2017-13672 -Cc: P J P -Reported-by: David Buchanan -Signed-off-by: Gerd Hoffmann -Message-id: 20170828122906.18993-1-kra...@redhat.com - -Upstream-Status: Backport -[https://git.qemu.org/?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681] - -CVE: CVE-2017-13672 - -Signed-off-by: Yi Zhao - hw/display/vga-helpers.h | 202 ++- - hw/display/vga.c | 5 +- - hw/display/vga_int.h | 1 + - 3 files changed, 114 insertions(+), 94 deletions(-) - -diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h -index 94f6de2..5a752b3 100644 a/hw/display/vga-helpers.h -+++ b/hw/display/vga-helpers.h -@@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize, - } while (--h); - } - -+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr) -+{ -+return vga->vram_ptr[addr & vga->vbe_size_mask]; -+} -+ -+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr) -+{ -+uint32_t offset = addr & vga->vbe_size_mask & ~1; -+uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); -+return lduw_le_p(ptr); -+} -+ -+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr) -+{ -+uint32_t offset = addr & vga->vbe_size_mask & ~1; -+uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); -+return lduw_be_p(ptr); -+} -+ -+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr) -+{ -+uint32_t offset = addr & vga->vbe_size_mask & ~3; -+uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset); -+return ldl_le_p(ptr); -+} -+ - /* - * 4 color mode - */ --static void vga_draw_line2(VGACommonState *s1, uint8_t *d, -- const uint8_t *s, int width) -+static void vga_draw_line2(VGACommonState *vga, uint8_t *d, -+ uint32_t addr, int width) - { - uint32_t plane_mask, *palette, data, v; - int x; - --palette = s1->last_palette; --plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; -+palette = vga->last_palette; -+plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; - width >>= 3; - for(x = 0; x < width; x++) { --data = ((uint32_t *)s)[0]; -+data = vga_read_dword_le(vga, addr); - data &= plane_mask; - v = expand2[GET_PLANE(data, 0)]; - v |= expand2[GET_PLANE(data, 2)] << 2; -@@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, - ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf]; - ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf]; - d += 32; --s += 4; -+addr += 4; - } - } - -@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, - /* - * 4 color mode, dup2 horizontal - */ --static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, -- const uint8_t *s, int