qemu: Security fix CVE-2016-2858

Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-04-28 11:23:31 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-04-29 07:36:30 +0100
commit: 48909052e7b19ba108ee7813c1efdbed0c2e06ab (patch)
tree: 000eaf28530ebe1527e67336c71ad9a2eae72087 /meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
parent: d1b972a55c59a3f3336b3ebd309532dc204ea97b (diff)
download: openembedded-core-contrib-48909052e7b19ba108ee7813c1efdbed0c2e06ab.tar.gz
1 files changed, 138 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
new file mode 100644
index 0000000000..01928f91e8
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
@@ -0,0 +1,138 @@
+From 74074e8a7c60592cf1cc6469dbc2550d24aeded3 Mon Sep 17 00:00:00 2001
+From: Ladi Prosek <lprosek@redhat.com>
+Date: Thu, 3 Mar 2016 09:37:16 +0100
+Subject: [PATCH] rng: move request queue from RngEgd to RngBackend
+
+The 'requests' field now lives in the RngBackend parent class.
+There are no functional changes in this commit.
+
+Signed-off-by: Ladi Prosek <lprosek@redhat.com>
+Reviewed-by: Amit Shah <amit.shah@redhat.com>
+Message-Id: <1456994238-9585-3-git-send-email-lprosek@redhat.com>
+Signed-off-by: Amit Shah <amit.shah@redhat.com>
+
+Upstream-Status: Backport
+in support of CVE-2016-2858
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ backends/rng-egd.c   | 28 +++++++++-------------------
+ include/sysemu/rng.h | 11 +++++++++++
+ 2 files changed, 20 insertions(+), 19 deletions(-)
+
+Index: qemu-2.5.0/backends/rng-egd.c
+===================================================================
+--- qemu-2.5.0.orig/backends/rng-egd.c
++++ qemu-2.5.0/backends/rng-egd.c
+@@ -24,19 +24,8 @@ typedef struct RngEgd
+ 
+     CharDriverState *chr;
+     char *chr_name;
+-
+-    GSList *requests;
+ } RngEgd;
+ 
+-typedef struct RngRequest
+-{
+-    EntropyReceiveFunc *receive_entropy;
+-    uint8_t *data;
+-    void *opaque;
+-    size_t offset;
+-    size_t size;
+-} RngRequest;
+-
+ static void rng_egd_request_entropy(RngBackend *b, size_t size,
+                                     EntropyReceiveFunc *receive_entropy,
+                                     void *opaque)
+@@ -65,7 +54,7 @@ static void rng_egd_request_entropy(RngB
+         size -= len;
+     }
+ 
+-    s->requests = g_slist_append(s->requests, req);
++    s->parent.requests = g_slist_append(s->parent.requests, req);
+ }
+ 
+ static void rng_egd_free_request(RngRequest *req)
+@@ -80,7 +69,7 @@ static int rng_egd_chr_can_read(void *op
+     GSList *i;
+     int size = 0;
+ 
+-    for (i = s->requests; i; i = i->next) {
++    for (i = s->parent.requests; i; i = i->next) {
+         RngRequest *req = i->data;
+         size += req->size - req->offset;
+     }
+@@ -93,8 +82,8 @@ static void rng_egd_chr_read(void *opaqu
+     RngEgd *s = RNG_EGD(opaque);
+     size_t buf_offset = 0;
+ 
+-    while (size > 0 && s->requests) {
+-        RngRequest *req = s->requests->data;
++    while (size > 0 && s->parent.requests) {
++        RngRequest *req = s->parent.requests->data;
+         int len = MIN(size, req->size - req->offset);
+ 
+         memcpy(req->data + req->offset, buf + buf_offset, len);
+@@ -103,7 +92,8 @@ static void rng_egd_chr_read(void *opaqu
+         size -= len;
+ 
+         if (req->offset == req->size) {
+-            s->requests = g_slist_remove_link(s->requests, s->requests);
++            s->parent.requests = g_slist_remove_link(s->parent.requests,
++                                                     s->parent.requests);
+ 
+             req->receive_entropy(req->opaque, req->data, req->size);
+ 
+@@ -116,12 +106,12 @@ static void rng_egd_free_requests(RngEgd
+ {
+     GSList *i;
+ 
+-    for (i = s->requests; i; i = i->next) {
++    for (i = s->parent.requests; i; i = i->next) {
+         rng_egd_free_request(i->data);
+     }
+ 
+-    g_slist_free(s->requests);
+-    s->requests = NULL;
++    g_slist_free(s->parent.requests);
++    s->parent.requests = NULL;
+ }
+ 
+ static void rng_egd_cancel_requests(RngBackend *b)
+Index: qemu-2.5.0/include/sysemu/rng.h
+===================================================================
+--- qemu-2.5.0.orig/include/sysemu/rng.h
++++ qemu-2.5.0/include/sysemu/rng.h
+@@ -25,6 +25,7 @@
+ #define RNG_BACKEND_CLASS(klass) \
+     OBJECT_CLASS_CHECK(RngBackendClass, (klass), TYPE_RNG_BACKEND)
+ 
++typedef struct RngRequest RngRequest;
+ typedef struct RngBackendClass RngBackendClass;
+ typedef struct RngBackend RngBackend;
+ 
+@@ -32,6 +33,15 @@ typedef void (EntropyReceiveFunc)(void *
+                                   const void *data,
+                                   size_t size);
+ 
++struct RngRequest
++{
++    EntropyReceiveFunc *receive_entropy;
++    uint8_t *data;
++    void *opaque;
++    size_t offset;
++    size_t size;
++};
++
+ struct RngBackendClass
+ {
+     ObjectClass parent_class;
+@@ -49,6 +59,7 @@ struct RngBackend
+ 
+     /*< protected >*/
+     bool opened;
++    GSList *requests;
+ };
+ 
+ /**
author	Armin Kuster <akuster@mvista.com>	2016-04-28 11:23:31 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-04-29 07:36:30 +0100
commit	48909052e7b19ba108ee7813c1efdbed0c2e06ab (patch)
tree	000eaf28530ebe1527e67336c71ad9a2eae72087 /meta/recipes-devtools/qemu/qemu/rng_move_request_from_RngEgd_to_RngBackend.patch
parent	d1b972a55c59a3f3336b3ebd309532dc204ea97b (diff)
download	openembedded-core-contrib-48909052e7b19ba108ee7813c1efdbed0c2e06ab.tar.gz