meta-openembedded and poky: subtree updates
Squash of the following due to dependencies among them
and OpenBMC changes:
meta-openembedded: subtree update:d0748372d2..9201611135
meta-openembedded: subtree update:9201611135..17fd382f34
poky: subtree update:9052e5b32a..2e11d97b6c
poky: subtree update:2e11d97b6c..a8544811d7
The change log was too large for the jenkins plugin
to handle therefore it has been removed. Here is
the first and last commit of each subtree:
meta-openembedded:d0748372d2
cppzmq: bump to version 4.6.0
meta-openembedded:17fd382f34
mpv: Remove X11 dependency
poky:9052e5b32a
package_ipk: Remove pointless comment to trigger rebuild
poky:a8544811d7
pbzip2: Fix license warning
Change-Id: If0fc6c37629642ee207a4ca2f7aa501a2c673cd6
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
new file mode 100644
index 0000000..c2c5849
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-Add-enable-disable-udev.patch
@@ -0,0 +1,29 @@
+From a471cf4e4c73350e090eb2cd87ec959d138012e5 Mon Sep 17 00:00:00 2001
+From: Jeremy Puhlman <jpuhlman@mvista.com>
+Date: Thu, 19 Mar 2020 11:54:26 -0700
+Subject: [PATCH] Add enable/disable libudev
+
+Upstream-Status: Pending
+Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
+---
+ configure | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/configure b/configure
+index cac271c..bd116eb 100755
+--- a/configure
++++ b/configure
+@@ -1539,6 +1539,10 @@ for opt do
+ ;;
+ --disable-plugins) plugins="no"
+ ;;
++ --enable-libudev) libudev="yes"
++ ;;
++ --disable-libudev) libudev="no"
++ ;;
+ *)
+ echo "ERROR: unknown option $opt"
+ echo "Try '$0 --help' for more information"
+--
+1.8.3.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
index 9478102..66ff996 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Add-missing-wacom-HID-descriptor.patch
@@ -1,4 +1,4 @@
-From 4655dc18074e0be9d239f51dac32b61435da8549 Mon Sep 17 00:00:00 2001
+From 526cb7e26f6dd96c9ee2ffa05ce0a358d3bfbfb3 Mon Sep 17 00:00:00 2001
From: Richard Purdie <richard.purdie@linuxfoundation.org>
Date: Thu, 27 Nov 2014 14:04:29 +0000
Subject: [PATCH] qemu: Add missing wacom HID descriptor
@@ -19,7 +19,7 @@
1 file changed, 93 insertions(+), 1 deletion(-)
diff --git a/hw/usb/dev-wacom.c b/hw/usb/dev-wacom.c
-index 8c43db93..3ff8ca28 100644
+index 8ed57b3b..1502928b 100644
--- a/hw/usb/dev-wacom.c
+++ b/hw/usb/dev-wacom.c
@@ -74,6 +74,89 @@ static const USBDescStrings desc_strings = {
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
new file mode 100644
index 0000000..eccac05
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/0001-qemu-Do-not-include-file-if-not-exists.patch
@@ -0,0 +1,31 @@
+From 98c2da129db19ee63d7e21b77a0ef70822c95069 Mon Sep 17 00:00:00 2001
+From: Oleksiy Obitotskyy <oobitots@cisco.com>
+Date: Wed, 25 Mar 2020 21:21:35 +0200
+Subject: [PATCH] qemu: Do not include file if not exists
+
+Script configure checks for if_alg.h and check failed but
+if_alg.h still included.
+
+Upstream-status: Submitted [https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg07188.html]
+Signed-off-by: Oleksiy Obitotskyy <oobitots@cisco.com>
+---
+ linux-user/syscall.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/linux-user/syscall.c b/linux-user/syscall.c
+index fc18f244..68d62666 100644
+--- a/linux-user/syscall.c
++++ b/linux-user/syscall.c
+@@ -106,7 +106,9 @@
+ #include <linux/blkpg.h>
+ #include <netpacket/packet.h>
+ #include <linux/netlink.h>
++#if defined(CONFIG_AF_ALG)
+ #include <linux/if_alg.h>
++#endif
+ #include "linux_loop.h"
+ #include "uname.h"
+
+--
+2.20.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch b/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
index 2ccddd5..7f7da51 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0002-Add-subpackage-ptest-which-runs-all-unit-test-cases-.patch
@@ -1,4 +1,4 @@
-From 67751f3a23e3db3012f391b3b3b73a4484488ce9 Mon Sep 17 00:00:00 2001
+From 8ee6281516bd9210e75e91d705da8916bab3bf51 Mon Sep 17 00:00:00 2001
From: Juro Bystricky <juro.bystricky@intel.com>
Date: Thu, 31 Aug 2017 11:06:56 -0700
Subject: [PATCH] Add subpackage -ptest which runs all unit test cases for
@@ -15,10 +15,10 @@
1 file changed, 8 insertions(+)
diff --git a/tests/Makefile.include b/tests/Makefile.include
-index fd7fdb86..83b7f409 100644
+index 8566f5f1..52d0320b 100644
--- a/tests/Makefile.include
+++ b/tests/Makefile.include
-@@ -1183,4 +1183,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
+@@ -1210,4 +1210,12 @@ all: $(QEMU_IOTESTS_HELPERS-y)
-include $(wildcard tests/*.d)
-include $(wildcard tests/libqos/*.d)
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch b/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
index 5c42d68..012d60d 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0003-qemu-Add-addition-environment-space-to-boot-loader-q.patch
@@ -1,4 +1,4 @@
-From 235b94f1188597873c8776b019fed49947983392 Mon Sep 17 00:00:00 2001
+From ce1eceab2350d27960ec254650717085f6a11c9a Mon Sep 17 00:00:00 2001
From: Jason Wessel <jason.wessel@windriver.com>
Date: Fri, 28 Mar 2014 17:42:43 +0800
Subject: [PATCH] qemu: Add addition environment space to boot loader
@@ -19,15 +19,15 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/mips/mips_malta.c b/hw/mips/mips_malta.c
-index 20e019bf..d150b01c 100644
+index 92e9ca5b..3a7f3954 100644
--- a/hw/mips/mips_malta.c
+++ b/hw/mips/mips_malta.c
-@@ -60,7 +60,7 @@
+@@ -59,7 +59,7 @@
- #define ENVP_ADDR 0x80002000l
- #define ENVP_NB_ENTRIES 16
--#define ENVP_ENTRY_SIZE 256
-+#define ENVP_ENTRY_SIZE 1024
+ #define ENVP_ADDR 0x80002000l
+ #define ENVP_NB_ENTRIES 16
+-#define ENVP_ENTRY_SIZE 256
++#define ENVP_ENTRY_SIZE 1024
/* Hardware addresses */
- #define FLASH_ADDRESS 0x1e000000ULL
+ #define FLASH_ADDRESS 0x1e000000ULL
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
index 0ac4ab4..bc30397 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0004-qemu-disable-Valgrind.patch
@@ -1,4 +1,4 @@
-From 3ad7a375015d47fdf5016e03e11fa93440d6d8bd Mon Sep 17 00:00:00 2001
+From 4127296bb1046cdf73994ba69dc913d8c02fd74f Mon Sep 17 00:00:00 2001
From: Ross Burton <ross.burton@intel.com>
Date: Tue, 20 Oct 2015 22:19:08 +0100
Subject: [PATCH] qemu: disable Valgrind
@@ -13,10 +13,10 @@
1 file changed, 9 deletions(-)
diff --git a/configure b/configure
-index 714e7fb6..dad4fc59 100755
+index 6099be1d..a766017b 100755
--- a/configure
+++ b/configure
-@@ -5335,15 +5335,6 @@ fi
+@@ -5390,15 +5390,6 @@ fi
# check if we have valgrind/valgrind.h
valgrind_h=no
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch b/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
index a736815..ec30337 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0005-qemu-native-set-ld.bfd-fix-cflags-and-set-some-envir.patch
@@ -1,4 +1,4 @@
-From 80e6070bcdfe636b103a13598e6c38ad0d0e7624 Mon Sep 17 00:00:00 2001
+From 6cdf82af2eba312b9b8da86dda28b98d3d51f4d4 Mon Sep 17 00:00:00 2001
From: Stephen Arnold <sarnold@vctlabs.com>
Date: Sun, 12 Jun 2016 18:09:56 -0700
Subject: [PATCH] qemu-native: set ld.bfd, fix cflags, and set some environment
@@ -10,10 +10,10 @@
1 file changed, 4 deletions(-)
diff --git a/configure b/configure
-index dad4fc59..685bbe5e 100755
+index a766017b..72f11aca 100755
--- a/configure
+++ b/configure
-@@ -5971,10 +5971,6 @@ write_c_skeleton
+@@ -6085,10 +6085,6 @@ write_c_skeleton
if test "$gcov" = "yes" ; then
CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch b/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
index a423855..0810ae8 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0006-chardev-connect-socket-to-a-spawned-command.patch
@@ -1,4 +1,4 @@
-From ad853601e75f6d0dd09672bcca05fbe4fac766a4 Mon Sep 17 00:00:00 2001
+From bcc63f775e265df69963a4ad7805b8678ace68f0 Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@xilinx.com>
Date: Thu, 21 Dec 2017 11:35:16 -0800
Subject: [PATCH] chardev: connect socket to a spawned command
@@ -52,10 +52,10 @@
3 files changed, 109 insertions(+)
diff --git a/chardev/char-socket.c b/chardev/char-socket.c
-index 7ca5d97a..207fae4a 100644
+index 185fe38d..54fa4234 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
-@@ -1278,6 +1278,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock,
+@@ -1288,6 +1288,67 @@ static bool qmp_chardev_validate_socket(ChardevSocket *sock,
return true;
}
@@ -123,7 +123,7 @@
static void qmp_chardev_open_socket(Chardev *chr,
ChardevBackend *backend,
-@@ -1286,6 +1347,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
+@@ -1296,6 +1357,9 @@ static void qmp_chardev_open_socket(Chardev *chr,
{
SocketChardev *s = SOCKET_CHARDEV(chr);
ChardevSocket *sock = backend->u.socket.data;
@@ -133,7 +133,7 @@
bool do_nodelay = sock->has_nodelay ? sock->nodelay : false;
bool is_listen = sock->has_server ? sock->server : true;
bool is_telnet = sock->has_telnet ? sock->telnet : false;
-@@ -1351,6 +1415,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
+@@ -1361,6 +1425,14 @@ static void qmp_chardev_open_socket(Chardev *chr,
update_disconnected_filename(s);
@@ -148,7 +148,7 @@
if (s->is_listen) {
if (qmp_chardev_open_socket_server(chr, is_telnet || is_tn3270,
is_waitconnect, errp) < 0) {
-@@ -1370,9 +1442,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+@@ -1380,9 +1452,26 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
const char *host = qemu_opt_get(opts, "host");
const char *port = qemu_opt_get(opts, "port");
const char *fd = qemu_opt_get(opts, "fd");
@@ -175,7 +175,7 @@
if ((!!path + !!fd + !!host) != 1) {
error_setg(errp,
"Exactly one of 'path', 'fd' or 'host' required");
-@@ -1415,12 +1504,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
+@@ -1425,12 +1514,24 @@ static void qemu_chr_parse_socket(QemuOpts *opts, ChardevBackend *backend,
sock->has_tls_authz = qemu_opt_get(opts, "tls-authz");
sock->tls_authz = g_strdup(qemu_opt_get(opts, "tls-authz"));
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch b/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
index b50e8c2..89baad9 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0007-apic-fixup-fallthrough-to-PIC.patch
@@ -1,4 +1,4 @@
-From f51e49e7d7d87b7254242b7360f99c2df94a5a2d Mon Sep 17 00:00:00 2001
+From a59a98d100123030a4145e7efe3b8a001920a9f1 Mon Sep 17 00:00:00 2001
From: Mark Asselstine <mark.asselstine@windriver.com>
Date: Tue, 26 Feb 2013 11:43:28 -0500
Subject: [PATCH] apic: fixup fallthrough to PIC
@@ -30,7 +30,7 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/intc/apic.c b/hw/intc/apic.c
-index bce89911..df4b582e 100644
+index 2a74f7b4..4d5da365 100644
--- a/hw/intc/apic.c
+++ b/hw/intc/apic.c
@@ -603,7 +603,7 @@ int apic_accept_pic_intr(DeviceState *dev)
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch b/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
index e562f25..30bb4dd 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0008-linux-user-Fix-webkitgtk-hangs-on-32-bit-x86-target.patch
@@ -1,4 +1,4 @@
-From 25a064f91f73630e5dff2a6aeb23d953c469cea6 Mon Sep 17 00:00:00 2001
+From cf8c9aac5243f506a1a3e8e284414f311cde04f5 Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@xilinx.com>
Date: Wed, 17 Jan 2018 10:51:49 -0800
Subject: [PATCH] linux-user: Fix webkitgtk hangs on 32-bit x86 target
@@ -19,15 +19,15 @@
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/linux-user/main.c b/linux-user/main.c
-index 8ffc5251..4067e739 100644
+index 6ff7851e..ebff0485 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
-@@ -77,7 +77,7 @@ int have_guest_base;
+@@ -78,7 +78,7 @@ int have_guest_base;
(TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
/* There are a number of places where we assign reserved_va to a variable
of type abi_ulong and expect it to fit. Avoid the last page. */
--# define MAX_RESERVED_VA (0xfffffffful & TARGET_PAGE_MASK)
-+# define MAX_RESERVED_VA (0x7ffffffful & TARGET_PAGE_MASK)
+-# define MAX_RESERVED_VA(CPU) (0xfffffffful & TARGET_PAGE_MASK)
++# define MAX_RESERVED_VA(CPU) (0x7ffffffful & TARGET_PAGE_MASK)
# else
- # define MAX_RESERVED_VA (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
+ # define MAX_RESERVED_VA(CPU) (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
# endif
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch b/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
index 4072d94..7e273ee 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0009-Fix-webkitgtk-builds.patch
@@ -1,4 +1,4 @@
-From b633b9a1813fcd715dce44659a89293f1c64ae8c Mon Sep 17 00:00:00 2001
+From 613166007e3b852c99caf2cd34a972e2c8460737 Mon Sep 17 00:00:00 2001
From: Martin Jansa <martin.jansa@lge.com>
Date: Fri, 1 Jun 2018 08:41:07 +0000
Subject: [PATCH] Fix webkitgtk builds
@@ -18,6 +18,7 @@
Upstream-Status: Pending
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+
---
include/exec/cpu-all.h | 6 +-----
include/exec/cpu_ldst.h | 5 ++++-
@@ -26,7 +27,7 @@
4 files changed, 10 insertions(+), 23 deletions(-)
diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
-index 536ea58f81..4c63a6a2e4 100644
+index e96781a4..a369f81a 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -162,12 +162,8 @@ extern unsigned long guest_base;
@@ -44,7 +45,7 @@
#include "exec/hwaddr.h"
diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
-index 9151fdb042..cb2b8f329f 100644
+index fd499f7e..30575f60 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -65,7 +65,10 @@ typedef uint64_t abi_ptr;
@@ -60,7 +61,7 @@
#define h2g_valid(x) guest_addr_valid((unsigned long)(x) - guest_base)
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
-index 46a6e3a761..7735465462 100644
+index 46a6e3a7..77354654 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -78,7 +78,7 @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
@@ -110,10 +111,10 @@
if (flags & MREMAP_FIXED) {
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index 8b41a03901..bc5d85de02 100644
+index 171c0cae..fc18f244 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
-@@ -4031,9 +4031,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
+@@ -4138,9 +4138,6 @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
return -TARGET_EINVAL;
}
}
@@ -123,7 +124,7 @@
mmap_lock();
-@@ -6881,7 +6878,7 @@ static int open_self_maps(void *cpu_env, int fd)
+@@ -6990,7 +6987,7 @@ static int open_self_maps(void *cpu_env, int fd)
}
if (h2g_valid(min)) {
int flags = page_get_flags(h2g(min));
@@ -132,6 +133,3 @@
if (page_check_range(h2g(min), max - min, flags) == -1) {
continue;
}
---
-2.22.0
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch b/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
index a8ab7da..34df78b 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
+++ b/poky/meta/recipes-devtools/qemu/qemu/0010-configure-Add-pkg-config-handling-for-libgcrypt.patch
@@ -1,7 +1,7 @@
-From 5214dd4461f2090ef0965b4d2518f49927d61cbc Mon Sep 17 00:00:00 2001
+From c207607cdf3996ad9783c3bffbcd3d65e74c0158 Mon Sep 17 00:00:00 2001
From: He Zhe <zhe.he@windriver.com>
Date: Wed, 28 Aug 2019 19:56:28 +0800
-Subject: [Qemu-devel] [PATCH] configure: Add pkg-config handling for libgcrypt
+Subject: [PATCH] configure: Add pkg-config handling for libgcrypt
libgcrypt may also be controlled by pkg-config, this patch adds pkg-config
handling for libgcrypt.
@@ -9,12 +9,13 @@
Upstream-Status: Denied [https://lists.nongnu.org/archive/html/qemu-devel/2019-08/msg06333.html]
Signed-off-by: He Zhe <zhe.he@windriver.com>
+
---
configure | 48 ++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 40 insertions(+), 8 deletions(-)
diff --git a/configure b/configure
-index e44e454..0f362a7 100755
+index 72f11aca..cac271ce 100755
--- a/configure
+++ b/configure
@@ -2875,6 +2875,30 @@ has_libgcrypt() {
@@ -48,7 +49,7 @@
if test "$nettle" != "no"; then
pass="no"
-@@ -2902,7 +2926,14 @@ fi
+@@ -2915,7 +2939,14 @@ fi
if test "$gcrypt" != "no"; then
pass="no"
@@ -64,7 +65,7 @@
gcrypt_cflags=$(libgcrypt-config --cflags)
gcrypt_libs=$(libgcrypt-config --libs)
# Debian has removed -lgpg-error from libgcrypt-config
-@@ -2912,15 +2943,16 @@ if test "$gcrypt" != "no"; then
+@@ -2925,15 +2956,16 @@ if test "$gcrypt" != "no"; then
then
gcrypt_libs="$gcrypt_libs -lgpg-error"
fi
@@ -88,6 +89,3 @@
if test "$pass" = "yes"; then
gcrypt="yes"
cat > $TMPC << EOF
---
-2.7.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch b/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
new file mode 100644
index 0000000..2fe0850
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/0011-hw-i386-pc-fix-regression-in-parsing-vga-cmdline-par.patch
@@ -0,0 +1,54 @@
+From a88c40f02ace88f09b2a85a64831b277b2ebc88c Mon Sep 17 00:00:00 2001
+From: Peter Wu <peter@lekensteyn.nl>
+Date: Sat, 21 Dec 2019 17:21:24 +0100
+Subject: [PATCH] hw/i386/pc: fix regression in parsing vga cmdline parameter
+
+When the 'vga=' parameter is succeeded by another parameter, QEMU 4.2.0
+would refuse to start with a rather cryptic message:
+
+ $ qemu-system-x86_64 -kernel /boot/vmlinuz-linux -append 'vga=792 quiet'
+ qemu: can't parse 'vga' parameter: Invalid argument
+
+It was not clear whether this applied to the '-vga std' parameter or the
+'-append' one. Fix the parsing regression and clarify the error.
+
+Fixes: 133ef074bd ("hw/i386/pc: replace use of strtol with qemu_strtoui in x86_load_linux()")
+Cc: Sergio Lopez <slp@redhat.com>
+Signed-off-by: Peter Wu <peter@lekensteyn.nl>
+Message-Id: <20191221162124.1159291-1-peter@lekensteyn.nl>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a88c40f02ace88f09b2a85a64831b277b2ebc88c]
+---
+ hw/i386/x86.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/i386/x86.c b/hw/i386/x86.c
+index d8bb5c2a96..9b9a4d5837 100644
+--- a/hw/i386/x86.c
++++ b/hw/i386/x86.c
+@@ -612,6 +612,7 @@ void x86_load_linux(X86MachineState *x86ms,
+ vmode = strstr(kernel_cmdline, "vga=");
+ if (vmode) {
+ unsigned int video_mode;
++ const char *end;
+ int ret;
+ /* skip "vga=" */
+ vmode += 4;
+@@ -622,10 +623,9 @@ void x86_load_linux(X86MachineState *x86ms,
+ } else if (!strncmp(vmode, "ask", 3)) {
+ video_mode = 0xfffd;
+ } else {
+- ret = qemu_strtoui(vmode, NULL, 0, &video_mode);
+- if (ret != 0) {
+- fprintf(stderr, "qemu: can't parse 'vga' parameter: %s\n",
+- strerror(-ret));
++ ret = qemu_strtoui(vmode, &end, 0, &video_mode);
++ if (ret != 0 || (*end && *end != ' ')) {
++ fprintf(stderr, "qemu: invalid 'vga=' kernel parameter.\n");
+ exit(1);
+ }
+ }
+--
+2.25.0
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0010-fix-libcap-header-issue-on-some-distro.patch b/poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
similarity index 100%
rename from poky/meta/recipes-devtools/qemu/qemu/0010-fix-libcap-header-issue-on-some-distro.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0012-fix-libcap-header-issue-on-some-distro.patch
diff --git a/poky/meta/recipes-devtools/qemu/qemu/0011-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch b/poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
similarity index 100%
rename from poky/meta/recipes-devtools/qemu/qemu/0011-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
rename to poky/meta/recipes-devtools/qemu/qemu/0013-cpus.c-Add-error-messages-when-qemi_cpu_kick_thread-.patch
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch
deleted file mode 100644
index f1655e4..0000000
--- a/poky/meta/recipes-devtools/qemu/qemu/CVE-2019-12068.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From de594e47659029316bbf9391efb79da0a1a08e08 Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Wed, 14 Aug 2019 17:35:21 +0530
-Subject: [PATCH] scsi: lsi: exit infinite loop while executing script
- (CVE-2019-12068)
-
-When executing script in lsi_execute_script(), the LSI scsi adapter
-emulator advances 's->dsp' index to read next opcode. This can lead
-to an infinite loop if the next opcode is empty. Move the existing
-loop exit after 10k iterations so that it covers no-op opcodes as
-well.
-
-Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08]
-CVE: CVE-2019-12068
-
-Reported-by: Bugs SysSec <bugs-syssec@rub.de>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- hw/scsi/lsi53c895a.c | 41 +++++++++++++++++++++++++++--------------
- 1 file changed, 27 insertions(+), 14 deletions(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 222a286..ec53b14 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -186,6 +186,9 @@ static const char *names[] = {
- /* Flag set if this is a tagged command. */
- #define LSI_TAG_VALID (1 << 16)
-
-+/* Maximum instructions to process. */
-+#define LSI_MAX_INSN 10000
-+
- typedef struct lsi_request {
- SCSIRequest *req;
- uint32_t tag;
-@@ -1133,7 +1136,21 @@ static void lsi_execute_script(LSIState *s)
-
- s->istat1 |= LSI_ISTAT1_SRUN;
- again:
-- insn_processed++;
-+ if (++insn_processed > LSI_MAX_INSN) {
-+ /* Some windows drivers make the device spin waiting for a memory
-+ location to change. If we have been executed a lot of code then
-+ assume this is the case and force an unexpected device disconnect.
-+ This is apparently sufficient to beat the drivers into submission.
-+ */
-+ if (!(s->sien0 & LSI_SIST0_UDC)) {
-+ qemu_log_mask(LOG_GUEST_ERROR,
-+ "lsi_scsi: inf. loop with UDC masked");
-+ }
-+ lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
-+ lsi_disconnect(s);
-+ trace_lsi_execute_script_stop();
-+ return;
-+ }
- insn = read_dword(s, s->dsp);
- if (!insn) {
- /* If we receive an empty opcode increment the DSP by 4 bytes
-@@ -1570,19 +1587,7 @@ again:
- }
- }
- }
-- if (insn_processed > 10000 && s->waiting == LSI_NOWAIT) {
-- /* Some windows drivers make the device spin waiting for a memory
-- location to change. If we have been executed a lot of code then
-- assume this is the case and force an unexpected device disconnect.
-- This is apparently sufficient to beat the drivers into submission.
-- */
-- if (!(s->sien0 & LSI_SIST0_UDC)) {
-- qemu_log_mask(LOG_GUEST_ERROR,
-- "lsi_scsi: inf. loop with UDC masked");
-- }
-- lsi_script_scsi_interrupt(s, LSI_SIST0_UDC, 0);
-- lsi_disconnect(s);
-- } else if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
-+ if (s->istat1 & LSI_ISTAT1_SRUN && s->waiting == LSI_NOWAIT) {
- if (s->dcntl & LSI_DCNTL_SSM) {
- lsi_script_dma_interrupt(s, LSI_DSTAT_SSI);
- } else {
-@@ -1970,6 +1975,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
- case 0x2f: /* DSP[24:31] */
- s->dsp &= 0x00ffffff;
- s->dsp |= val << 24;
-+ /*
-+ * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
-+ * instruction. Is this correct?
-+ */
- if ((s->dmode & LSI_DMODE_MAN) == 0
- && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
- lsi_execute_script(s);
-@@ -1988,6 +1997,10 @@ static void lsi_reg_writeb(LSIState *s, int offset, uint8_t val)
- break;
- case 0x3b: /* DCNTL */
- s->dcntl = val & ~(LSI_DCNTL_PFF | LSI_DCNTL_STD);
-+ /*
-+ * FIXME: if s->waiting != LSI_NOWAIT, this will only execute one
-+ * instruction. Is this correct?
-+ */
- if ((val & LSI_DCNTL_STD) && (s->istat1 & LSI_ISTAT1_SRUN) == 0)
- lsi_execute_script(s);
- break;
---
-2.7.4
-
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch
new file mode 100644
index 0000000..e8f3e1d
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-11102.patch
@@ -0,0 +1,148 @@
+From 8ffb7265af64ec81748335ec8f20e7ab542c3850 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 24 Mar 2020 22:57:22 +0530
+Subject: [PATCH] net: tulip: check frame size and r/w data length
+
+Tulip network driver while copying tx/rx buffers does not check
+frame size against r/w data length. This may lead to OOB buffer
+access. Add check to avoid it.
+
+Limit iterations over descriptors to avoid potential infinite
+loop issue in tulip_xmit_list_update.
+
+Reported-by: Li Qiang <pangpei.lq@antfin.com>
+Reported-by: Ziming Zhang <ezrakiez@gmail.com>
+Reported-by: Jason Wang <jasowang@redhat.com>
+Tested-by: Li Qiang <liq3ea@gmail.com>
+Reviewed-by: Li Qiang <liq3ea@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=commit;h=8ffb7265af64ec81748335ec8f20e7ab542c3850]
+CVE: CVE-2020-11102
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+ hw/net/tulip.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/hw/net/tulip.c b/hw/net/tulip.c
+index cfac271..1295f51 100644
+--- a/hw/net/tulip.c
++++ b/hw/net/tulip.c
+@@ -170,6 +170,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
+ } else {
+ len = s->rx_frame_len;
+ }
++
++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
++ return;
++ }
+ pci_dma_write(&s->dev, desc->buf_addr1, s->rx_frame +
+ (s->rx_frame_size - s->rx_frame_len), len);
+ s->rx_frame_len -= len;
+@@ -181,6 +185,10 @@ static void tulip_copy_rx_bytes(TULIPState *s, struct tulip_descriptor *desc)
+ } else {
+ len = s->rx_frame_len;
+ }
++
++ if (s->rx_frame_len + len > sizeof(s->rx_frame)) {
++ return;
++ }
+ pci_dma_write(&s->dev, desc->buf_addr2, s->rx_frame +
+ (s->rx_frame_size - s->rx_frame_len), len);
+ s->rx_frame_len -= len;
+@@ -227,7 +235,8 @@ static ssize_t tulip_receive(TULIPState *s, const uint8_t *buf, size_t size)
+
+ trace_tulip_receive(buf, size);
+
+- if (size < 14 || size > 2048 || s->rx_frame_len || tulip_rx_stopped(s)) {
++ if (size < 14 || size > sizeof(s->rx_frame) - 4
++ || s->rx_frame_len || tulip_rx_stopped(s)) {
+ return 0;
+ }
+
+@@ -275,7 +284,6 @@ static ssize_t tulip_receive_nc(NetClientState *nc,
+ return tulip_receive(qemu_get_nic_opaque(nc), buf, size);
+ }
+
+-
+ static NetClientInfo net_tulip_info = {
+ .type = NET_CLIENT_DRIVER_NIC,
+ .size = sizeof(NICState),
+@@ -558,7 +566,7 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
+ if ((s->csr[6] >> CSR6_OM_SHIFT) & CSR6_OM_MASK) {
+ /* Internal or external Loopback */
+ tulip_receive(s, s->tx_frame, s->tx_frame_len);
+- } else {
++ } else if (s->tx_frame_len <= sizeof(s->tx_frame)) {
+ qemu_send_packet(qemu_get_queue(s->nic),
+ s->tx_frame, s->tx_frame_len);
+ }
+@@ -570,23 +578,31 @@ static void tulip_tx(TULIPState *s, struct tulip_descriptor *desc)
+ }
+ }
+
+-static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
++static int tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc)
+ {
+ int len1 = (desc->control >> TDES1_BUF1_SIZE_SHIFT) & TDES1_BUF1_SIZE_MASK;
+ int len2 = (desc->control >> TDES1_BUF2_SIZE_SHIFT) & TDES1_BUF2_SIZE_MASK;
+
++ if (s->tx_frame_len + len1 > sizeof(s->tx_frame)) {
++ return -1;
++ }
+ if (len1) {
+ pci_dma_read(&s->dev, desc->buf_addr1,
+ s->tx_frame + s->tx_frame_len, len1);
+ s->tx_frame_len += len1;
+ }
+
++ if (s->tx_frame_len + len2 > sizeof(s->tx_frame)) {
++ return -1;
++ }
+ if (len2) {
+ pci_dma_read(&s->dev, desc->buf_addr2,
+ s->tx_frame + s->tx_frame_len, len2);
+ s->tx_frame_len += len2;
+ }
+ desc->status = (len1 + len2) ? 0 : 0x7fffffff;
++
++ return 0;
+ }
+
+ static void tulip_setup_filter_addr(TULIPState *s, uint8_t *buf, int n)
+@@ -651,13 +667,15 @@ static uint32_t tulip_ts(TULIPState *s)
+
+ static void tulip_xmit_list_update(TULIPState *s)
+ {
++#define TULIP_DESC_MAX 128
++ uint8_t i = 0;
+ struct tulip_descriptor desc;
+
+ if (tulip_ts(s) != CSR5_TS_SUSPENDED) {
+ return;
+ }
+
+- for (;;) {
++ for (i = 0; i < TULIP_DESC_MAX; i++) {
+ tulip_desc_read(s, s->current_tx_desc, &desc);
+ tulip_dump_tx_descriptor(s, &desc);
+
+@@ -675,10 +693,10 @@ static void tulip_xmit_list_update(TULIPState *s)
+ s->tx_frame_len = 0;
+ }
+
+- tulip_copy_tx_buffers(s, &desc);
+-
+- if (desc.control & TDES1_LS) {
+- tulip_tx(s, &desc);
++ if (!tulip_copy_tx_buffers(s, &desc)) {
++ if (desc.control & TDES1_LS) {
++ tulip_tx(s, &desc);
++ }
+ }
+ }
+ tulip_desc_write(s, s->current_tx_desc, &desc);
+--
+1.8.3.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
new file mode 100644
index 0000000..aa7bc82
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-1711.patch
@@ -0,0 +1,64 @@
+From 693fd2acdf14dd86c0bf852610f1c2cca80a74dc Mon Sep 17 00:00:00 2001
+From: Felipe Franciosi <felipe@nutanix.com>
+Date: Thu, 23 Jan 2020 12:44:59 +0000
+Subject: [PATCH] iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711)
+
+When querying an iSCSI server for the provisioning status of blocks (via
+GET LBA STATUS), Qemu only validates that the response descriptor zero's
+LBA matches the one requested. Given the SCSI spec allows servers to
+respond with the status of blocks beyond the end of the LUN, Qemu may
+have its heap corrupted by clearing/setting too many bits at the end of
+its allocmap for the LUN.
+
+A malicious guest in control of the iSCSI server could carefully program
+Qemu's heap (by selectively setting the bitmap) and then smash it.
+
+This limits the number of bits that iscsi_co_block_status() will try to
+update in the allocmap so it can't overflow the bitmap.
+
+Upstream-Status: Backport [https://git.qemu.org/?p=qemu.git;a=patch;h=693fd2acdf14dd86c0bf852610f1c2cca80a74dc]
+CVE: CVE-2020-1711
+
+Fixes: CVE-2020-1711
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Felipe Franciosi <felipe@nutanix.com>
+Signed-off-by: Peter Turschmid <peter.turschm@nutanix.com>
+Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
+---
+ block/iscsi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/block/iscsi.c b/block/iscsi.c
+index 2aea7e3..cbd5729 100644
+--- a/block/iscsi.c
++++ b/block/iscsi.c
+@@ -701,7 +701,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ struct scsi_get_lba_status *lbas = NULL;
+ struct scsi_lba_status_descriptor *lbasd = NULL;
+ struct IscsiTask iTask;
+- uint64_t lba;
++ uint64_t lba, max_bytes;
+ int ret;
+
+ iscsi_co_init_iscsitask(iscsilun, &iTask);
+@@ -721,6 +721,7 @@ static int coroutine_fn iscsi_co_block_status(BlockDriverState *bs,
+ }
+
+ lba = offset / iscsilun->block_size;
++ max_bytes = (iscsilun->num_blocks - lba) * iscsilun->block_size;
+
+ qemu_mutex_lock(&iscsilun->mutex);
+ retry:
+@@ -764,7 +765,7 @@ retry:
+ goto out_unlock;
+ }
+
+- *pnum = (int64_t) lbasd->num_blocks * iscsilun->block_size;
++ *pnum = MIN((int64_t) lbasd->num_blocks * iscsilun->block_size, max_bytes);
+
+ if (lbasd->provisioning == SCSI_PROVISIONING_TYPE_DEALLOCATED ||
+ lbasd->provisioning == SCSI_PROVISIONING_TYPE_ANCHORED) {
+--
+1.8.3.1
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
new file mode 100644
index 0000000..df6bca6
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-1.patch
@@ -0,0 +1,44 @@
+From b2663d527a1992ba98c0266458b21ada3b9d0d2e Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:07:35 +0800
+Subject: [PATCH] tcp_emu: Fix oob access
+
+The main loop only checks for one available byte, while we sometimes
+need two bytes.
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index d6dd133..4bea2d4 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -886,6 +886,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ break;
+
+ case 5:
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
+ /*
+ * The difference between versions 1.0 and
+ * 2.0 is here. For future versions of
+@@ -901,6 +903,10 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ /* This is the field containing the port
+ * number that RA-player is listening to.
+ */
++
++ if (bptr == m->m_data + m->m_len - 1)
++ return 1; /* We need two bytes */
++
+ lport = (((uint8_t *)bptr)[0] << 8) + ((uint8_t *)bptr)[1];
+ if (lport < 6970)
+ lport += 256; /* don't know why */
+--
+2.7.4
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
new file mode 100644
index 0000000..4a00fa2
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-2.patch
@@ -0,0 +1,59 @@
+From 8f67e76e4148e37f3d8d2bcbdee7417fdedb7669 Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:10:34 +0800
+Subject: [PATCH] slirp: use correct size while emulating commands
+
+While emulating services in tcp_emu(), it uses 'mbuf' size
+'m->m_size' to write commands via snprintf(3). Use M_FREEROOM(m)
+size to avoid possible OOB access.
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-3-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index 4bea2d4..e8ed4ef 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -696,7 +696,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "ORT %d,%d,%d,%d,%d,%d\r\n%s", n1, n2, n3, n4,
+ n5, n6, x == 7 ? buff : "");
+ return 1;
+@@ -731,8 +731,7 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ n4 = (laddr & 0xff);
+
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size - m->m_len,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
+ "27 Entering Passive Mode (%d,%d,%d,%d,%d,%d)\r\n%s",
+ n1, n2, n3, n4, n5, n6, x == 7 ? buff : "");
+
+@@ -758,8 +757,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ if (m->m_data[m->m_len - 1] == '\0' && lport != 0 &&
+ (so = tcp_listen(slirp, INADDR_ANY, 0, so->so_laddr.s_addr,
+ htons(lport), SS_FACCEPTONCE)) != NULL)
+- m->m_len =
+- snprintf(m->m_data, m->m_size, "%d", ntohs(so->so_fport)) + 1;
++ m->m_len = snprintf(m->m_data, M_ROOM(m),
++ "%d", ntohs(so->so_fport)) + 1;
+ return 1;
+
+ case EMU_IRC:
+--
+2.7.4
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
new file mode 100644
index 0000000..70ce480
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7039-3.patch
@@ -0,0 +1,64 @@
+From 0b03959b72036afce151783720d9e54988cf76ef Mon Sep 17 00:00:00 2001
+From: Changqing Li <changqing.li@windriver.com>
+Date: Thu, 27 Feb 2020 12:15:04 +0800
+Subject: [PATCH] slirp: use correct size while emulating IRC commands
+
+While emulating IRC DCC commands, tcp_emu() uses 'mbuf' size
+'m->m_size' to write DCC commands via snprintf(3). This may
+lead to OOB write access, because 'bptr' points somewhere in
+the middle of 'mbuf' buffer, not at the start. Use M_FREEROOM(m)
+size to avoid OOB access.
+Reported-by: default avatarVishnu Dev TJ <vishnudevtj@gmail.com>
+Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault's avatarSamuel Thibault
+<samuel.thibault@ens-lyon.org>
+Message-Id: <20200109094228.79764-2-ppandit@redhat.com>
+
+CVE: CVE-2020-7039
+Upstream-Status: Backport
+[https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ slirp/src/tcp_subr.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/slirp/src/tcp_subr.c b/slirp/src/tcp_subr.c
+index e8ed4ef..3a4a8ee 100644
+--- a/slirp/src/tcp_subr.c
++++ b/slirp/src/tcp_subr.c
+@@ -777,7 +777,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len += snprintf(bptr, m->m_size, "DCC CHAT chat %lu %u%c\n",
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC CHAT chat %lu %u%c\n",
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), 1);
+ } else if (sscanf(bptr, "DCC SEND %256s %u %u %u", buff, &laddr, &lport,
+@@ -787,8 +788,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size, "DCC SEND %s %lu %u %u%c\n", buff,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC SEND %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+ } else if (sscanf(bptr, "DCC MOVE %256s %u %u %u", buff, &laddr, &lport,
+@@ -798,8 +799,8 @@ int tcp_emu(struct socket *so, struct mbuf *m)
+ return 1;
+ }
+ m->m_len = bptr - m->m_data; /* Adjust length */
+- m->m_len +=
+- snprintf(bptr, m->m_size, "DCC MOVE %s %lu %u %u%c\n", buff,
++ m->m_len += snprintf(bptr, M_FREEROOM(m),
++ "DCC MOVE %s %lu %u %u%c\n", buff,
+ (unsigned long)ntohl(so->so_faddr.s_addr),
+ ntohs(so->so_fport), n1, 1);
+ }
+--
+2.7.4
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
new file mode 100644
index 0000000..11be4c9
--- /dev/null
+++ b/poky/meta/recipes-devtools/qemu/qemu/CVE-2020-7211.patch
@@ -0,0 +1,46 @@
+From 14ec36e107a8c9af7d0a80c3571fe39b291ff1d4 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 13 Jan 2020 17:44:31 +0530
+Subject: [PATCH] slirp: tftp: restrict relative path access
+
+tftp restricts relative or directory path access on Linux systems.
+Apply same restrictions on Windows systems too. It helps to avoid
+directory traversal issue.
+
+Fixes: https://bugs.launchpad.net/qemu/+bug/1812451
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Message-Id: <20200113121431.156708-1-ppandit@redhat.com>
+
+Upstream-Status: Backport [https://gitlab.freedesktop.org/slirp/libslirp/-/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4.patch]
+CVE: CVE-2020-7211
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+ slirp/src/tftp.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/slirp/src/tftp.c b/slirp/src/tftp.c
+index 093c2e0..e52e71b 100644
+--- a/slirp/src/tftp.c
++++ b/slirp/src/tftp.c
+@@ -344,8 +344,13 @@ static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
+ k += 6; /* skipping octet */
+
+ /* do sanity checks on the filename */
+- if (!strncmp(req_fname, "../", 3) ||
+- req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
++ if (
++#ifdef G_OS_WIN32
++ strstr(req_fname, "..\\") ||
++ req_fname[strlen(req_fname) - 1] == '\\' ||
++#endif
++ strstr(req_fname, "../") ||
++ req_fname[strlen(req_fname) - 1] == '/') {
+ tftp_send_error(spt, 2, "Access violation", tp);
+ return;
+ }
+--
+2.24.1
+
diff --git a/poky/meta/recipes-devtools/qemu/qemu/run-ptest b/poky/meta/recipes-devtools/qemu/qemu/run-ptest
index 2206b31..b25a792 100644
--- a/poky/meta/recipes-devtools/qemu/qemu/run-ptest
+++ b/poky/meta/recipes-devtools/qemu/qemu/run-ptest
@@ -7,4 +7,4 @@
export SRC_PATH=$ptestdir
cd $ptestdir/tests
-make -f Makefile.include -k runtest-TESTS | sed '/: OK/ s/^/PASS: /g'
+make -f Makefile.include -k runtest-TESTS | sed '/^ok /s/ok /PASS: /g'