[pve-devel] [PATCH kvm 1/4] remove patches already in 2.6.1 upstream
Wolfgang Bumiller
w.bumiller at proxmox.com
Mon Aug 22 13:24:34 CEST 2016
---
...1-i386-kvmvapic-initialise-imm32-variable.patch | 32 ---
...ke-cmdbuf-big-enough-for-maximum-CDB-size.patch | 88 --------
.../extra/0001-vga-add-sr_vbe-register-set.patch | 234 ---------------------
...-fifo-sanity-checks-to-vmsvga_fifo_length.patch | 71 -------
.../extra/0005-vmsvga-add-more-fifo-checks.patch | 37 ----
.../extra/0006-vmsvga-shadow-fifo-registers.patch | 144 -------------
...t-process-more-than-1024-fifo-commands-at.patch | 44 ----
...6-2391-usb-ohci-avoid-multiple-eof-timers.patch | 43 ----
...-check-command-descriptor-ring-buffer-siz.patch | 97 ---------
...s-initialise-local-configuration-data-buf.patch | 38 ----
...asas-use-appropriate-property-buffer-size.patch | 38 ----
...megasas-check-read_queue_head-index-value.patch | 40 ----
...-avoid-potential-overflow-of-acb-task-cdb.patch | 41 ----
debian/patches/series | 13 --
14 files changed, 960 deletions(-)
delete mode 100644 debian/patches/extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
delete mode 100644 debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
delete mode 100644 debian/patches/extra/0001-vga-add-sr_vbe-register-set.patch
delete mode 100644 debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
delete mode 100644 debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
delete mode 100644 debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
delete mode 100644 debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
delete mode 100644 debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
delete mode 100644 debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
delete mode 100644 debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
delete mode 100644 debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
delete mode 100644 debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
delete mode 100644 debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
diff --git a/debian/patches/extra/0001-i386-kvmvapic-initialise-imm32-variable.patch b/debian/patches/extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
deleted file mode 100644
index 30dd40e..0000000
--- a/debian/patches/extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 45fcb0d1c15d7be4915404cd0e6e1ce380e6cd1f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 7 Apr 2016 12:50:08 +0530
-Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
-
-When processing Task Priorty Register(TPR) access, it could leak
-automatic stack variable 'imm32' in patch_instruction().
-Initialise the variable to avoid it.
-
-Reported by: Donghai Zdh <donghai.zdh at alibaba-inc.com>
-
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/i386/kvmvapic.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
-index f0922da..97f3646 100644
---- a/hw/i386/kvmvapic.c
-+++ b/hw/i386/kvmvapic.c
-@@ -393,7 +393,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
- CPUX86State *env = &cpu->env;
- VAPICHandlers *handlers;
- uint8_t opcode[2];
-- uint32_t imm32;
-+ uint32_t imm32 = 0;
- target_ulong current_pc = 0;
- target_ulong current_cs_base = 0;
- int current_flags = 0;
---
-2.1.4
-
diff --git a/debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch b/debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
deleted file mode 100644
index 5beeb50..0000000
--- a/debian/patches/extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 0988f56451a246d5b72484e0c6dd37fe1bd69d12 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Thu, 16 Jun 2016 00:22:35 +0200
-Subject: [PATCH 1/2] scsi: esp: make cmdbuf big enough for maximum CDB size
-
-While doing DMA read into ESP command buffer 's->cmdbuf', it could
-write past the 's->cmdbuf' area, if it was transferring more than 16
-bytes. Increase the command buffer size to 32, which is maximum when
-'s->do_cmd' is set, and add a check on 'len' to avoid OOB access.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
-
-Conflicts:
- hw/scsi/esp.c
-commit ff589551c8e8e9e95e211b9d8daafb4ed39f1aec
-scsi: esp: check TI buffer index before read/write
-
-added additional control variables to ESPState as ti_size
-wasn't enough, we thus ran in a conflict here, use only
-ti_size for now as conflict resolution.
-
-Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
----
- hw/scsi/esp.c | 10 ++++++++--
- include/hw/scsi/esp.h | 3 ++-
- 2 files changed, 10 insertions(+), 3 deletions(-)
-
-diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
-index 8961be2..e533522 100644
---- a/hw/scsi/esp.c
-+++ b/hw/scsi/esp.c
-@@ -243,6 +243,8 @@ static void esp_do_dma(ESPState *s)
- len = s->dma_left;
- if (s->do_cmd) {
- trace_esp_do_dma(s->cmdlen, len);
-+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
-+ len <= sizeof(s->cmdbuf) - s->cmdlen);
- s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
- s->ti_size = 0;
- s->cmdlen = 0;
-@@ -342,7 +344,7 @@ static void handle_ti(ESPState *s)
- s->dma_counter = dmalen;
-
- if (s->do_cmd)
-- minlen = (dmalen < 32) ? dmalen : 32;
-+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
- else if (s->ti_size < 0)
- minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
- else
-@@ -448,7 +450,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
- break;
- case ESP_FIFO:
- if (s->do_cmd) {
-- s->cmdbuf[s->cmdlen++] = val & 0xff;
-+ if (s->cmdlen < ESP_CMDBUF_SZ) {
-+ s->cmdbuf[s->cmdlen++] = val & 0xff;
-+ } else {
-+ trace_esp_error_fifo_overrun();
-+ }
- } else if (s->ti_size == TI_BUFSZ - 1) {
- trace_esp_error_fifo_overrun();
- } else {
-diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
-index 6c79527..d2c4886 100644
---- a/include/hw/scsi/esp.h
-+++ b/include/hw/scsi/esp.h
-@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
-
- #define ESP_REGS 16
- #define TI_BUFSZ 16
-+#define ESP_CMDBUF_SZ 32
-
- typedef struct ESPState ESPState;
-
-@@ -31,7 +32,7 @@ struct ESPState {
- SCSIBus bus;
- SCSIDevice *current_dev;
- SCSIRequest *current_req;
-- uint8_t cmdbuf[TI_BUFSZ];
-+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
- uint32_t cmdlen;
- uint32_t do_cmd;
-
---
-2.1.4
-
diff --git a/debian/patches/extra/0001-vga-add-sr_vbe-register-set.patch b/debian/patches/extra/0001-vga-add-sr_vbe-register-set.patch
deleted file mode 100644
index 483e968..0000000
--- a/debian/patches/extra/0001-vga-add-sr_vbe-register-set.patch
+++ /dev/null
@@ -1,234 +0,0 @@
-From 838ff135013302a85478ec3dd96d8ad985d1f01d Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel at redhat.com>
-Date: Tue, 17 May 2016 10:54:54 +0200
-Subject: [PATCH] vga: add sr_vbe register set
-
-Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
-(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
-because it can't freely modify vga registers any more while in vbe mode.
-
-This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
-will fill sr_vbe[] instead of sr[]. Normal vga register reads and
-writes go to sr[]. Any sr register read access happens through a new
-sr() helper function which will read from sr_vbe[] with vbe active and
-from sr[] otherwise.
-
-This way we can allow guests update sr[] registers as they want, without
-allowing them disrupt vbe video modes that way.
-
-Reported-by: Thomas Lamprecht <thomas at lamprecht.org>
-Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
----
- hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
- hw/display/vga_int.h | 1 +
- 2 files changed, 29 insertions(+), 22 deletions(-)
-
-diff --git a/hw/display/vga.c b/hw/display/vga.c
-index 679070e..25d8bff 100644
---- a/hw/display/vga.c
-+++ b/hw/display/vga.c
-@@ -147,6 +147,11 @@ static inline bool vbe_enabled(VGACommonState *s)
- return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
- }
-
-+static inline uint8_t sr(VGACommonState *s, int idx)
-+{
-+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
-+}
-+
- static void vga_update_memory_access(VGACommonState *s)
- {
- hwaddr base, offset, size;
-@@ -161,8 +166,8 @@ static void vga_update_memory_access(VGACommonState *s)
- s->has_chain4_alias = false;
- s->plane_updated = 0xf;
- }
-- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
-- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
-+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- offset = 0;
- switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
- case 0:
-@@ -232,7 +237,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
- ((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
- vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
-
-- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
-+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
- clock_sel = (s->msr >> 2) & 3;
- dots = (s->msr & 1) ? 8 : 9;
-
-@@ -484,7 +489,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
- printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
- #endif
- s->sr[s->sr_index] = val & sr_mask[s->sr_index];
-- vbe_update_vgaregs(s);
- if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
- s->update_retrace_info(s);
- }
-@@ -678,13 +682,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
-
- if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
- shift_control = 0;
-- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
-+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
- } else {
- shift_control = 2;
- /* set chain 4 mode */
-- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
-+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
- /* activate all planes */
-- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
-+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
- }
- s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
- (shift_control << 5);
-@@ -834,7 +838,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
- break;
- }
-
-- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- /* chain 4 mode : simplest access */
- assert(addr < s->vram_size);
- ret = s->vram_ptr[addr];
-@@ -902,11 +906,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- break;
- }
-
-- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
-+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
- /* chain 4 mode : simplest access */
- plane = addr & 3;
- mask = (1 << plane);
-- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
- assert(addr < s->vram_size);
- s->vram_ptr[addr] = val;
- #ifdef DEBUG_VGA_MEM
-@@ -919,7 +923,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
- /* odd/even mode (aka text mode mapping) */
- plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
- mask = (1 << plane);
-- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
-+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
- addr = ((addr & ~1) << 1) | plane;
- if (addr >= s->vram_size) {
- return;
-@@ -994,7 +998,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
-
- do_write:
- /* mask data according to sr[2] */
-- mask = s->sr[VGA_SEQ_PLANE_WRITE];
-+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
- s->plane_updated |= mask; /* only used to detect font change */
- write_mask = mask16[mask];
- if (addr * sizeof(uint32_t) >= s->vram_size) {
-@@ -1150,10 +1154,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
- /* total width & height */
- cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
- cwidth = 8;
-- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
- cwidth = 9;
- }
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
- cwidth = 16; /* NOTE: no 18 pixel wide */
- }
- width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -1195,7 +1199,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
- int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
-
- /* compute font data address (in plane 2) */
-- v = s->sr[VGA_SEQ_CHARACTER_MAP];
-+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
- offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
- if (offset != s->font_offsets[0]) {
- s->font_offsets[0] = offset;
-@@ -1504,11 +1508,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- }
-
- if (shift_control == 0) {
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- disp_width <<= 1;
- }
- } else if (shift_control == 1) {
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- disp_width <<= 1;
- }
- }
-@@ -1572,7 +1576,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
-
- if (shift_control == 0) {
- full_update |= update_palette16(s);
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- v = VGA_DRAW_LINE4D2;
- } else {
- v = VGA_DRAW_LINE4;
-@@ -1580,7 +1584,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- bits = 4;
- } else if (shift_control == 1) {
- full_update |= update_palette16(s);
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
- v = VGA_DRAW_LINE2D2;
- } else {
- v = VGA_DRAW_LINE2;
-@@ -1627,7 +1631,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
- #if 0
- printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
- width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
-- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
-+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
- #endif
- addr1 = (s->start_addr * 4);
- bwidth = (width * bits + 7) / 8;
-@@ -1779,6 +1783,7 @@ void vga_common_reset(VGACommonState *s)
- {
- s->sr_index = 0;
- memset(s->sr, '\0', sizeof(s->sr));
-+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
- s->gr_index = 0;
- memset(s->gr, '\0', sizeof(s->gr));
- s->ar_index = 0;
-@@ -1881,10 +1886,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
- /* total width & height */
- cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
- cw = 8;
-- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
-+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
- cw = 9;
- }
-- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
-+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
- cw = 16; /* NOTE: no 18 pixel wide */
- }
- width = (s->cr[VGA_CRTC_H_DISP] + 1);
-@@ -2050,6 +2055,7 @@ static int vga_common_post_load(void *opaque, int version_id)
-
- /* force refresh */
- s->graphic_mode = -1;
-+ vbe_update_vgaregs(s);
- return 0;
- }
-
-diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
-index 40ba6a4..103cac2 100644
---- a/hw/display/vga_int.h
-+++ b/hw/display/vga_int.h
-@@ -99,6 +99,7 @@ typedef struct VGACommonState {
- MemoryRegion chain4_alias;
- uint8_t sr_index;
- uint8_t sr[256];
-+ uint8_t sr_vbe[256];
- uint8_t gr_index;
- uint8_t gr[256];
- uint8_t ar_index;
---
-2.1.4
-
diff --git a/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch b/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
deleted file mode 100644
index 8182db1..0000000
--- a/debian/patches/extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 4aa79a8818711d475bd79b906cd7d060d4e8a441 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel at redhat.com>
-Date: Mon, 30 May 2016 09:09:18 +0200
-Subject: [PATCH 4/9] vmsvga: move fifo sanity checks to vmsvga_fifo_length
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sanity checks are applied when the fifo is enabled by the guest
-(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
-changes the fifo registers afterwards. Move the checks to
-vmsvga_fifo_length so they are done each time qemu is about to read
-from the fifo.
-
-Fixes: CVE-2016-4454
-Cc: P J P <ppandit at redhat.com>
-Reported-by: 李强 <liqiang6-s at 360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
----
- hw/display/vmware_vga.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 9354037..3ce1717 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -553,6 +553,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (!s->config || !s->enable) {
- return 0;
- }
-+
-+ /* Check range and alignment. */
-+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ return 0;
-+ }
-+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ return 0;
-+ }
-+ if (CMD(max) > SVGA_FIFO_SIZE) {
-+ return 0;
-+ }
-+ if (CMD(max) < CMD(min) + 10 * 1024) {
-+ return 0;
-+ }
-+
- num = CMD(next_cmd) - CMD(stop);
- if (num < 0) {
- num += CMD(max) - CMD(min);
-@@ -1003,19 +1018,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
- case SVGA_REG_CONFIG_DONE:
- if (value) {
- s->fifo = (uint32_t *) s->fifo_ptr;
-- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-- break;
-- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-- break;
-- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-- break;
-- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-- break;
-- }
- vga_dirty_log_stop(&s->vga);
- }
- s->config = !!value;
---
-2.1.4
-
diff --git a/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch b/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
deleted file mode 100644
index 59fa672..0000000
--- a/debian/patches/extra/0005-vmsvga-add-more-fifo-checks.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From aafca5995f11e0cd69e0607bfb7b3b7333f96be8 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel at redhat.com>
-Date: Mon, 30 May 2016 09:09:19 +0200
-Subject: [PATCH 5/9] vmsvga: add more fifo checks
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Make sure all fifo ptrs are within range.
-
-Fixes: CVE-2016-4454
-Cc: P J P <ppandit at redhat.com>
-Reported-by: 李强 <liqiang6-s at 360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
----
- hw/display/vmware_vga.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 3ce1717..f2663ee 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -561,7 +561,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE) {
-+ if (CMD(max) > SVGA_FIFO_SIZE ||
-+ CMD(min) >= SVGA_FIFO_SIZE ||
-+ CMD(stop) >= SVGA_FIFO_SIZE ||
-+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
- return 0;
- }
- if (CMD(max) < CMD(min) + 10 * 1024) {
---
-2.1.4
-
diff --git a/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch b/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
deleted file mode 100644
index 402e952..0000000
--- a/debian/patches/extra/0006-vmsvga-shadow-fifo-registers.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From a2273296a948a2f6f36d858c18893315030702d6 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel at redhat.com>
-Date: Mon, 30 May 2016 09:09:20 +0200
-Subject: [PATCH 6/9] vmsvga: shadow fifo registers
-
-The fifo is normal ram. So kvm vcpu threads and qemu iothread can
-access the fifo in parallel without syncronization. Which in turn
-implies we can't use the fifo pointers in-place because the guest
-can try changing them underneath us. So add shadows for them, to
-make sure the guest can't modify them after we've applied sanity
-checks.
-
-Fixes: CVE-2016-4454
-Cc: P J P <ppandit at redhat.com>
-Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
----
- hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
- 1 file changed, 28 insertions(+), 29 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index f2663ee..99e128b 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -64,17 +64,11 @@ struct vmsvga_state_s {
- uint8_t *fifo_ptr;
- unsigned int fifo_size;
-
-- union {
-- uint32_t *fifo;
-- struct QEMU_PACKED {
-- uint32_t min;
-- uint32_t max;
-- uint32_t next_cmd;
-- uint32_t stop;
-- /* Add registers here when adding capabilities. */
-- uint32_t fifo[0];
-- } *cmd;
-- };
-+ uint32_t *fifo;
-+ uint32_t fifo_min;
-+ uint32_t fifo_max;
-+ uint32_t fifo_next;
-+ uint32_t fifo_stop;
-
- #define REDRAW_FIFO_LEN 512
- struct vmsvga_rect_s {
-@@ -196,7 +190,7 @@ enum {
- */
- SVGA_FIFO_MIN = 0,
- SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
-- SVGA_FIFO_NEXT_CMD,
-+ SVGA_FIFO_NEXT,
- SVGA_FIFO_STOP,
-
- /*
-@@ -544,8 +538,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
- }
- #endif
-
--#define CMD(f) le32_to_cpu(s->cmd->f)
--
- static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- {
- int num;
-@@ -554,38 +546,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
- return 0;
- }
-
-+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
-+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
-+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
-+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
-+
- /* Check range and alignment. */
-- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
-+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
- return 0;
- }
-- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
-+ if (s->fifo_min < sizeof(uint32_t) * 4) {
- return 0;
- }
-- if (CMD(max) > SVGA_FIFO_SIZE ||
-- CMD(min) >= SVGA_FIFO_SIZE ||
-- CMD(stop) >= SVGA_FIFO_SIZE ||
-- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
-+ if (s->fifo_max > SVGA_FIFO_SIZE ||
-+ s->fifo_min >= SVGA_FIFO_SIZE ||
-+ s->fifo_stop >= SVGA_FIFO_SIZE ||
-+ s->fifo_next >= SVGA_FIFO_SIZE) {
- return 0;
- }
-- if (CMD(max) < CMD(min) + 10 * 1024) {
-+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
- return 0;
- }
-
-- num = CMD(next_cmd) - CMD(stop);
-+ num = s->fifo_next - s->fifo_stop;
- if (num < 0) {
-- num += CMD(max) - CMD(min);
-+ num += s->fifo_max - s->fifo_min;
- }
- return num >> 2;
- }
-
- static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
- {
-- uint32_t cmd = s->fifo[CMD(stop) >> 2];
-+ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
-
-- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
-- if (CMD(stop) >= CMD(max)) {
-- s->cmd->stop = s->cmd->min;
-+ s->fifo_stop += 4;
-+ if (s->fifo_stop >= s->fifo_max) {
-+ s->fifo_stop = s->fifo_min;
- }
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- return cmd;
- }
-
-@@ -605,7 +603,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- len = vmsvga_fifo_length(s);
- while (len > 0) {
- /* May need to go back to the start of the command if incomplete */
-- cmd_start = s->cmd->stop;
-+ cmd_start = s->fifo_stop;
-
- switch (cmd = vmsvga_fifo_read(s)) {
- case SVGA_CMD_UPDATE:
-@@ -764,7 +762,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- break;
-
- rewind:
-- s->cmd->stop = cmd_start;
-+ s->fifo_stop = cmd_start;
-+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
- break;
- }
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch b/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
deleted file mode 100644
index 4c4f486..0000000
--- a/debian/patches/extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 6e964a410da04c4519a4e1e3e7196bc7dcfd59b7 Mon Sep 17 00:00:00 2001
-From: Gerd Hoffmann <kraxel at redhat.com>
-Date: Mon, 30 May 2016 09:09:21 +0200
-Subject: [PATCH 7/9] vmsvga: don't process more than 1024 fifo commands at
- once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-vmsvga_fifo_run is called in regular intervals (on each display update)
-and will resume where it left off. So we can simply exit the loop,
-without having to worry about how processing will continue.
-
-Fixes: CVE-2016-4453
-Cc: P J P <ppandit at redhat.com>
-Reported-by: 李强 <liqiang6-s at 360.cn>
-Signed-off-by: Gerd Hoffmann <kraxel at redhat.com>
----
- hw/display/vmware_vga.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
-index 99e128b..b143a86 100644
---- a/hw/display/vmware_vga.c
-+++ b/hw/display/vmware_vga.c
-@@ -595,13 +595,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
- static void vmsvga_fifo_run(struct vmsvga_state_s *s)
- {
- uint32_t cmd, colour;
-- int args, len;
-+ int args, len, maxloop = 1024;
- int x, y, dx, dy, width, height;
- struct vmsvga_cursor_definition_s cursor;
- uint32_t cmd_start;
-
- len = vmsvga_fifo_length(s);
-- while (len > 0) {
-+ while (len > 0 && --maxloop > 0) {
- /* May need to go back to the start of the command if incomplete */
- cmd_start = s->fifo_stop;
-
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch b/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
deleted file mode 100644
index c02218a..0000000
--- a/debian/patches/extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From a0dad3b2a4841f70f96145a2f60ffd04e5d584ad Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Tue, 16 Feb 2016 15:34:14 +0530
-Subject: [PATCH] usb: ohci avoid multiple eof timers
-
-When transitioning an OHCI controller to the OHCI_USB_OPERATIONAL
-state, it creates an eof timer object in 'ohci_bus_start'.
-It does not check if one already exists. This results in memory
-leakage and null dereference issue. Add a check to avoid it.
-
-Reported-by: Zuozhi Fzz <zuozhi.fzz at alibaba-inc.com>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-
-Conflicts:
- hw/usb/hcd-ohci.c
----
- hw/usb/hcd-ohci.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
-index ffab561..ccd5ac4 100644
---- a/hw/usb/hcd-ohci.c
-+++ b/hw/usb/hcd-ohci.c
-@@ -1348,6 +1348,16 @@ static void ohci_frame_boundary(void *opaque)
- */
- static int ohci_bus_start(OHCIState *ohci)
- {
-+ if (!ohci->eof_timer) {
-+ ohci->eof_timer = timer_new_ns(QEMU_CLOCK_VIRTUAL,
-+ ohci_frame_boundary, ohci);
-+ }
-+ if (!ohci->eof_timer) {
-+ trace_usb_ohci_bus_eof_timer_failed(ohci->name);
-+ ohci_die(ohci);
-+ return 0;
-+ }
-+
- trace_usb_ohci_start(ohci->name);
-
- /* Delay the first SOF event by one frame time as
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch b/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
deleted file mode 100644
index b3187f9..0000000
--- a/debian/patches/extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From 6b7e3826cdc316808bd6e866320237049665c417 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Mon, 23 May 2016 16:18:05 +0530
-Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
-
-Vmware Paravirtual SCSI emulation uses command descriptors to
-process SCSI commands. These descriptors come with their ring
-buffers. A guest could set the ring buffer size to an arbitrary
-value leading to OOB access issue. Add check to avoid it.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
----
- hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
- 1 file changed, 20 insertions(+), 4 deletions(-)
-
-diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
-index 9c71f31..a6c5cc4 100644
---- a/hw/scsi/vmw_pvscsi.c
-+++ b/hw/scsi/vmw_pvscsi.c
-@@ -126,7 +126,7 @@ pvscsi_log2(uint32_t input)
- return log;
- }
-
--static void
-+static int
- pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- {
- int i;
-@@ -134,6 +134,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
- uint32_t req_ring_size, cmp_ring_size;
- m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
-
-+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
-+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
-+ return -1;
-+ }
- req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
- txr_len_log2 = pvscsi_log2(req_ring_size - 1);
-@@ -165,15 +169,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
-+
-+ return 0;
- }
-
--static void
-+static int
- pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
- {
- int i;
- uint32_t len_log2;
- uint32_t ring_size;
-
-+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
-+ return -1;
-+ }
- ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
- len_log2 = pvscsi_log2(ring_size - 1);
-
-@@ -193,6 +202,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
-
- /* Flush ring state page changes */
- smp_wmb();
-+
-+ return 0;
- }
-
- static void
-@@ -743,7 +754,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
- trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
-
- pvscsi_dbg_dump_tx_rings_config(rc);
-- pvscsi_ring_init_data(&s->rings, rc);
-+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
-+ return PVSCSI_COMMAND_PROCESSING_FAILED;
-+ }
-+
- s->rings_info_valid = TRUE;
- return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
- }
-@@ -823,7 +837,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
- }
-
- if (s->rings_info_valid) {
-- pvscsi_ring_init_msg(&s->rings, rc);
-+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
-+ return PVSCSI_COMMAND_PROCESSING_FAILED;
-+ }
- s->msg_ring_info_valid = TRUE;
- }
- return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch b/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
deleted file mode 100644
index e6be3b5..0000000
--- a/debian/patches/extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From e74703fab04c39c9a01385bbe3d79e47f7db4ccb Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 25 May 2016 17:41:44 +0530
-Subject: [PATCH 1/9] scsi: megasas: initialise local configuration data buffer
-
-When reading MegaRAID SAS controller configuration via MegaRAID
-Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
-uses an uninitialised local data buffer. Initialise this buffer
-to avoid stack information leakage.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1464178304-12831-1-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
-
-Notes:
- CVE-2016-5105
-
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 576f56c..8526c01 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1292,7 +1292,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
-
- static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
- {
-- uint8_t data[4096];
-+ uint8_t data[4096] = { 0 };
- struct mfi_config_data *info;
- int num_pd_disks = 0, array_offset, ld_offset;
- BusChild *kid;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch b/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
deleted file mode 100644
index c4c2523..0000000
--- a/debian/patches/extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From fdcbd7ebf09947c2b65cbb10366eba6382e3c0d6 Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 25 May 2016 16:01:29 +0530
-Subject: [PATCH 2/9] scsi: megasas: use appropriate property buffer size
-
-When setting MegaRAID SAS controller properties via MegaRAID
-Firmware Interface(MFI) commands, a user supplied size parameter
-is used to set property value. Use appropriate size value to avoid
-OOB access issues.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1464172291-2856-2-git-send-email-ppandit at redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
-
-Notes:
- CVE-2016-5106
-
- hw/scsi/megasas.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 8526c01..05c72b0 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -1445,7 +1445,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
- dcmd_size);
- return MFI_STAT_INVALID_PARAMETER;
- }
-- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
-+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
- trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
- return MFI_STAT_OK;
- }
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch b/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
deleted file mode 100644
index 6321e22..0000000
--- a/debian/patches/extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 97f8f06928e2a0d3db6157f6cd8dcf3b002dfb9f Mon Sep 17 00:00:00 2001
-From: Prasad J Pandit <pjp at fedoraproject.org>
-Date: Wed, 25 May 2016 17:55:10 +0530
-Subject: [PATCH 3/9] scsi: megasas: check 'read_queue_head' index value
-
-While doing MegaRAID SAS controller command frame lookup, routine
-'megasas_lookup_frame' uses 'read_queue_head' value as an index
-into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
-within array bounds to avoid any OOB access.
-
-Reported-by: Li Qiang <liqiang6-s at 360.cn>
-Signed-off-by: Prasad J Pandit <pjp at fedoraproject.org>
-Message-Id: <1464179110-18593-1-git-send-email-ppandit at redhat.com>
-Reviewed-by: Alexander Graf <agraf at suse.de>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
-
-Notes:
- CVE-2016-5107
-
- hw/scsi/megasas.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
-index 05c72b0..ebbe270 100644
---- a/hw/scsi/megasas.c
-+++ b/hw/scsi/megasas.c
-@@ -649,7 +649,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
- pa_hi = le32_to_cpu(initq->pi_addr_hi);
- s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
- s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
-+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
- s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
-+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
- flags = le32_to_cpu(initq->flags);
- if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
- s->flags |= MEGASAS_MASK_USE_QUEUE64;
---
-2.1.4
-
diff --git a/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch b/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
deleted file mode 100644
index e0e2262..0000000
--- a/debian/patches/extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From f684109f3a14cfe0c7a9aa7b478dd6da67ea6b6c Mon Sep 17 00:00:00 2001
-From: Peter Lieven <pl at kamp.de>
-Date: Tue, 24 May 2016 10:59:28 +0200
-Subject: [PATCH 8/9] block/iscsi: avoid potential overflow of acb->task->cdb
-
-at least in the path via virtio-blk the maximum size is not
-restricted.
-
-Cc: qemu-stable at nongnu.org
-Signed-off-by: Peter Lieven <pl at kamp.de>
-Message-Id: <1464080368-29584-1-git-send-email-pl at kamp.de>
-Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
----
-
-Notes:
- CVE-2016-5126
-
- block/iscsi.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/block/iscsi.c b/block/iscsi.c
-index bd1f1bf..e424f7d 100644
---- a/block/iscsi.c
-+++ b/block/iscsi.c
-@@ -834,6 +834,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
- return &acb->common;
- }
-
-+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
-+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
-+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
-+ qemu_aio_unref(acb);
-+ return NULL;
-+ }
-+
- acb->task = malloc(sizeof(struct scsi_task));
- if (acb->task == NULL) {
- error_report("iSCSI: Failed to allocate task for scsi command. %s",
---
-2.1.4
-
diff --git a/debian/patches/series b/debian/patches/series
index 21cf2f0..27301d6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -54,18 +54,5 @@ pve/0053-vma-use-BlockBackend-on-extract.patch
pve/0054-rbd-disable-rbd_cache_writethrough_until_flush-with-.patch
#see https://bugs.launchpad.net/qemu/+bug/1488363?comments=all
extra/0001-Revert-target-i386-disable-LINT0-after-reset.patch
-extra/CVE-2016-2391-usb-ohci-avoid-multiple-eof-timers.patch
-extra/0001-i386-kvmvapic-initialise-imm32-variable.patch
-extra/CVE-2016-4952-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
-extra/CVE-2016-5105-scsi-megasas-initialise-local-configuration-data-buf.patch
-extra/CVE-2016-5106-scsi-megasas-use-appropriate-property-buffer-size.patch
-extra/CVE-2016-5107-scsi-megasas-check-read_queue_head-index-value.patch
-extra/0004-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
-extra/0005-vmsvga-add-more-fifo-checks.patch
-extra/0006-vmsvga-shadow-fifo-registers.patch
-extra/0007-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
-extra/CVE-2016-5126-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
-extra/0001-vga-add-sr_vbe-register-set.patch
-extra/0001-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
extra/0002-scsi-esp-fix-migration.patch
extra/CVE-2016-6490-virtio-check-vring-descriptor-buffer-length.patch
--
2.1.4
More information about the pve-devel
mailing list