@@ -22,7 +22,7 @@ BINUVERSION ?= "2.39%"
GDBVERSION ?= "12.%"
GLIBCVERSION ?= "2.36"
LINUXLIBCVERSION ?= "5.19%"
-QEMUVERSION ?= "7.0%"
+QEMUVERSION ?= "7.1%"
GOVERSION ?= "1.19%"
# This can not use wildcards like 8.0.% since it is also used in mesa to denote
# llvm version being used, so always bump it with llvm recipe version bump
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu-native_7.0.0.bb
rename to meta/recipes-devtools/qemu/qemu-native_7.1.0.bb
similarity index 90%
rename from meta/recipes-devtools/qemu/qemu-system-native_7.0.0.bb
rename to meta/recipes-devtools/qemu/qemu-system-native_7.1.0.bb
@@ -28,5 +28,6 @@ do_install:append() {
rm -rf ${D}${includedir}/qemu-plugin.h
# Install qmp.py to be used with testimage
- install -D ${S}/python/qemu/qmp/__init__.py ${D}${libdir}/qemu-python/qmp.py
+ install -d ${D}${libdir}/qemu-python/qmp/
+ install -D ${S}/python/qemu/qmp/* ${D}${libdir}/qemu-python/qmp/
}
@@ -26,17 +26,11 @@ SRC_URI = "https://download.qemu.org/${BPN}-${PV}.tar.xz \
file://0007-qemu-Determinism-fixes.patch \
file://0008-tests-meson.build-use-relative-path-to-refer-to-file.patch \
file://0009-Define-MAP_SYNC-and-MAP_SHARED_VALIDATE-on-needed-li.patch \
- file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch \
- file://qemu-7.0.0-glibc-2.36.patch \
- file://CVE-2022-35414.patch \
- file://CVE-2021-3507_1.patch \
- file://CVE-2021-3507_2.patch \
- file://CVE-2022-0216_1.patch \
- file://CVE-2022-0216_2.patch \
"
+BAR = " file://0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch "
UPSTREAM_CHECK_REGEX = "qemu-(?P<pver>\d+(\.\d+)+)\.tar"
-SRC_URI[sha256sum] = "f6b375c7951f728402798b0baabb2d86478ca53d44cedbefabbe1c46bf46f839"
+SRC_URI[sha256sum] = "a0634e536bded57cf38ec8a751adb124b89c776fe0846f21ab6c6728f1cbbbe6"
SRC_URI:append:class-target = " file://cross.patch"
SRC_URI:append:class-nativesdk = " file://cross.patch"
@@ -75,8 +69,14 @@ do_install_ptest() {
# Strip the paths from the QEMU variable, we can use PATH
sed -i -e "s#^QEMU=.*/qemu-#QEMU=qemu-#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
- # Strip compiler flags as they break reproducibility
- sed -i -e "s,CROSS_CC_GUEST=.*,CROSS_CC_GUEST=," ${D}${PTEST_PATH}/tests/tcg/*.mak
+ # Strip compiler flags as they break reproducibility
+ sed -i -e "s,^CC=.*,CC=gcc," \
+ -e "s,^CCAS=.*,CCAS=gcc," \
+ -e "s,^LD=.*,LD=ld," ${D}${PTEST_PATH}/tests/tcg/*.mak
+
+ # Update SRC_PATH variable to the right place on target
+ sed -i -e "s#^SRC_PATH=.*#SRC_PATH=${PTEST_PATH}#g" ${D}${PTEST_PATH}/tests/tcg/*.mak
+
}
# QEMU_TARGETS is overridable variable
@@ -151,7 +151,6 @@ PACKAGECONFIG[uring] = "--enable-linux-io-uring,--disable-linux-io-uring,liburin
PACKAGECONFIG[xen] = "--enable-xen,--disable-xen,xen-tools,xen-tools-libxenstore xen-tools-libxenctrl xen-tools-libxenguest"
PACKAGECONFIG[vnc-sasl] = "--enable-vnc --enable-vnc-sasl,--disable-vnc-sasl,cyrus-sasl,"
PACKAGECONFIG[vnc-jpeg] = "--enable-vnc --enable-vnc-jpeg,--disable-vnc-jpeg,jpeg,"
-PACKAGECONFIG[vnc-png] = "--enable-vnc --enable-vnc-png,--disable-vnc-png,libpng,"
PACKAGECONFIG[libcurl] = "--enable-curl,--disable-curl,curl,"
PACKAGECONFIG[nss] = "--enable-smartcard,--disable-smartcard,nss,"
PACKAGECONFIG[curses] = "--enable-curses,--disable-curses,ncurses,"
deleted file mode 100644
@@ -1,57 +0,0 @@
-From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001
-From: Yuval Shaia <yuval.shaia.ml@gmail.com>
-Date: Tue, 12 Apr 2022 11:01:51 +0100
-Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest
- driver
-
-Guest driver might execute HW commands when shared buffers are not yet
-allocated.
-This might happen on purpose (malicious guest) or because some other
-guest/host address mapping.
-We need to protect againts such case.
-
-Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
-
-CVE: CVE-2022-1050
-Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
-
----
- hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
- hw/rdma/vmw/pvrdma_main.c | 3 ++-
- 2 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
-index da7ddfa54..89db963c4 100644
---- a/hw/rdma/vmw/pvrdma_cmd.c
-+++ b/hw/rdma/vmw/pvrdma_cmd.c
-@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
-
- dsr_info = &dev->dsr_info;
-
-+ if (!dsr_info->dsr) {
-+ /* Buggy or malicious guest driver */
-+ rdma_error_report("Exec command without dsr, req or rsp buffers");
-+ goto out;
-+ }
-+
- if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
- sizeof(struct cmd_handler)) {
- rdma_error_report("Unsupported command");
-diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
-index 91206dbb8..0b7d908e2 100644
---- a/hw/rdma/vmw/pvrdma_main.c
-+++ b/hw/rdma/vmw/pvrdma_main.c
-@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
- {
- struct pvrdma_device_shared_region *dsr;
-
-- if (dev->dsr_info.dsr == NULL) {
-+ if (!dev->dsr_info.dsr) {
-+ /* Buggy or malicious guest driver */
- rdma_error_report("Can't initialized DSR");
- return;
- }
-2.30.2
-
deleted file mode 100644
@@ -1,92 +0,0 @@
-From 57a89cc36ead7234e540d0ecbe1a792ab6b04cb7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
-Date: Thu, 18 Nov 2021 12:57:32 +0100
-Subject: [PATCH 1/2] hw/block/fdc: Prevent end-of-track overrun
- (CVE-2021-3507)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Per the 82078 datasheet, if the end-of-track (EOT byte in
-the FIFO) is more than the number of sectors per side, the
-command is terminated unsuccessfully:
-
-* 5.2.5 DATA TRANSFER TERMINATION
-
- The 82078 supports terminal count explicitly through
- the TC pin and implicitly through the underrun/over-
- run and end-of-track (EOT) functions. For full sector
- transfers, the EOT parameter can define the last
- sector to be transferred in a single or multisector
- transfer. If the last sector to be transferred is a par-
- tial sector, the host can stop transferring the data in
- mid-sector, and the 82078 will continue to complete
- the sector as if a hardware TC was received. The
- only difference between these implicit functions and
- TC is that they return "abnormal termination" result
- status. Such status indications can be ignored if they
- were expected.
-
-* 6.1.3 READ TRACK
-
- This command terminates when the EOT specified
- number of sectors have been read. If the 82078
- does not find an I D Address Mark on the diskette
- after the second· occurrence of a pulse on the
- INDX# pin, then it sets the IC code in Status Regis-
- ter 0 to "01" (Abnormal termination), sets the MA bit
- in Status Register 1 to "1", and terminates the com-
- mand.
-
-* 6.1.6 VERIFY
-
- Refer to Table 6-6 and Table 6-7 for information
- concerning the values of MT and EC versus SC and
- EOT value.
-
-* Table 6·6. Result Phase Table
-
-* Table 6-7. Verify Command Result Phase Table
-
-Fix by aborting the transfer when EOT > # Sectors Per Side.
-
-Cc: qemu-stable@nongnu.org
-Cc: Hervé Poussineau <hpoussin@reactos.org>
-Fixes: baca51faff0 ("floppy driver: disk geometry auto detect")
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/339
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-Id: <20211118115733.4038610-2-philmd@redhat.com>
-Reviewed-by: Hanna Reitz <hreitz@redhat.com>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-
-Upstream-Status: Backport [defac5e2fbddf8423a354ff0454283a2115e1367]
-CVE: CVE-2021-3507
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/block/fdc.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index 347875a0c..57bb35579 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1530,6 +1530,14 @@ static void fdctrl_start_transfer(FDCtrl *fdctrl, int direction)
- int tmp;
- fdctrl->data_len = 128 << (fdctrl->fifo[5] > 7 ? 7 : fdctrl->fifo[5]);
- tmp = (fdctrl->fifo[6] - ks + 1);
-+ if (tmp < 0) {
-+ FLOPPY_DPRINTF("invalid EOT: %d\n", tmp);
-+ fdctrl_stop_transfer(fdctrl, FD_SR0_ABNTERM, FD_SR1_MA, 0x00);
-+ fdctrl->fifo[3] = kt;
-+ fdctrl->fifo[4] = kh;
-+ fdctrl->fifo[5] = ks;
-+ return;
-+ }
- if (fdctrl->fifo[0] & 0x80)
- tmp += fdctrl->fifo[6];
- fdctrl->data_len *= tmp;
-2.33.0
-
deleted file mode 100644
@@ -1,115 +0,0 @@
-From 3e8601ec707dcbc3c768f7733d016dc70c947e4a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
-Date: Thu, 18 Nov 2021 12:57:33 +0100
-Subject: [PATCH 2/2] tests/qtest/fdc-test: Add a regression test for
- CVE-2021-3507
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add the reproducer from https://gitlab.com/qemu-project/qemu/-/issues/339
-
-Without the previous commit, when running 'make check-qtest-i386'
-with QEMU configured with '--enable-sanitizers' we get:
-
- ==4028352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000062a00 at pc 0x5626d03c491a bp 0x7ffdb4199410 sp 0x7ffdb4198bc0
- READ of size 786432 at 0x619000062a00 thread T0
- #0 0x5626d03c4919 in __asan_memcpy (qemu-system-i386+0x1e65919)
- #1 0x5626d1c023cc in flatview_write_continue softmmu/physmem.c:2787:13
- #2 0x5626d1bf0c0f in flatview_write softmmu/physmem.c:2822:14
- #3 0x5626d1bf0798 in address_space_write softmmu/physmem.c:2914:18
- #4 0x5626d1bf0f37 in address_space_rw softmmu/physmem.c:2924:16
- #5 0x5626d1bf14c8 in cpu_physical_memory_rw softmmu/physmem.c:2933:5
- #6 0x5626d0bd5649 in cpu_physical_memory_write include/exec/cpu-common.h:82:5
- #7 0x5626d0bd0a07 in i8257_dma_write_memory hw/dma/i8257.c:452:9
- #8 0x5626d09f825d in fdctrl_transfer_handler hw/block/fdc.c:1616:13
- #9 0x5626d0a048b4 in fdctrl_start_transfer hw/block/fdc.c:1539:13
- #10 0x5626d09f4c3e in fdctrl_write_data hw/block/fdc.c:2266:13
- #11 0x5626d09f22f7 in fdctrl_write hw/block/fdc.c:829:9
- #12 0x5626d1c20bc5 in portio_write softmmu/ioport.c:207:17
-
- 0x619000062a00 is located 0 bytes to the right of 512-byte region [0x619000062800,0x619000062a00)
- allocated by thread T0 here:
- #0 0x5626d03c66ec in posix_memalign (qemu-system-i386+0x1e676ec)
- #1 0x5626d2b988d4 in qemu_try_memalign util/oslib-posix.c:210:11
- #2 0x5626d2b98b0c in qemu_memalign util/oslib-posix.c:226:27
- #3 0x5626d09fbaf0 in fdctrl_realize_common hw/block/fdc.c:2341:20
- #4 0x5626d0a150ed in isabus_fdc_realize hw/block/fdc-isa.c:113:5
- #5 0x5626d2367935 in device_set_realized hw/core/qdev.c:531:13
-
- SUMMARY: AddressSanitizer: heap-buffer-overflow (qemu-system-i386+0x1e65919) in __asan_memcpy
- Shadow bytes around the buggy address:
- 0x0c32800044f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c3280004500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x0c3280004510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x0c3280004520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- 0x0c3280004530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
- =>0x0c3280004540:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c3280004550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c3280004560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c3280004570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c3280004580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
- 0x0c3280004590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
- Shadow byte legend (one shadow byte represents 8 application bytes):
- Addressable: 00
- Heap left redzone: fa
- Freed heap region: fd
- ==4028352==ABORTING
-
-[ kwolf: Added snapshot=on to prevent write file lock failure ]
-
-Reported-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
-Signed-off-by: Kevin Wolf <kwolf@redhat.com>
-
-Upstream-Status: Backport [46609b90d9e3a6304def11038a76b58ff43f77bc]
-CVE: CVE-2021-3507
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- tests/qtest/fdc-test.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/tests/qtest/fdc-test.c b/tests/qtest/fdc-test.c
-index b0d40012e..1d4f85212 100644
---- a/tests/qtest/fdc-test.c
-+++ b/tests/qtest/fdc-test.c
-@@ -583,6 +583,26 @@ static void test_cve_2021_20196(void)
- qtest_quit(s);
- }
-
-+static void test_cve_2021_3507(void)
-+{
-+ QTestState *s;
-+
-+ s = qtest_initf("-nographic -m 32M -nodefaults "
-+ "-drive file=%s,format=raw,if=floppy,snapshot=on",
-+ test_image);
-+ qtest_outl(s, 0x9, 0x0a0206);
-+ qtest_outw(s, 0x3f4, 0x1600);
-+ qtest_outw(s, 0x3f4, 0x0000);
-+ qtest_outw(s, 0x3f4, 0x0000);
-+ qtest_outw(s, 0x3f4, 0x0000);
-+ qtest_outw(s, 0x3f4, 0x0200);
-+ qtest_outw(s, 0x3f4, 0x0200);
-+ qtest_outw(s, 0x3f4, 0x0000);
-+ qtest_outw(s, 0x3f4, 0x0000);
-+ qtest_outw(s, 0x3f4, 0x0000);
-+ qtest_quit(s);
-+}
-+
- int main(int argc, char **argv)
- {
- int fd;
-@@ -614,6 +634,7 @@ int main(int argc, char **argv)
- qtest_add_func("/fdc/read_no_dma_19", test_read_no_dma_19);
- qtest_add_func("/fdc/fuzz-registers", fuzz_registers);
- qtest_add_func("/fdc/fuzz/cve_2021_20196", test_cve_2021_20196);
-+ qtest_add_func("/fdc/fuzz/cve_2021_3507", test_cve_2021_3507);
-
- ret = g_test_run();
-
-2.33.0
-
deleted file mode 100644
@@ -1,42 +0,0 @@
-From f37ac8619a39498edd225c4a0b3039b28814833d Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Tue, 5 Jul 2022 22:05:43 +0200
-Subject: [PATCH 1/2] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
- (CVE-2022-0216)
-
-Set current_req->req to NULL to prevent reusing a free'd buffer in case of
-repeated SCSI cancel requests. Thanks to Thomas Huth for suggesting the patch.
-
-Fixes: CVE-2022-0216
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Reviewed-by: Thomas Huth <thuth@redhat.com>
-Message-Id: <20220705200543.2366809-1-mcascell@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [6c8fa961da5e60f574bb52fd3ad44b1e9e8ad4b8]
-CVE: CVE-2022-0216
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/scsi/lsi53c895a.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index c8773f73f..99ea42d49 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1028,8 +1028,9 @@ static void lsi_do_msgout(LSIState *s)
- case 0x0d:
- /* The ABORT TAG message clears the current I/O process only. */
- trace_lsi_do_msgout_abort(current_tag);
-- if (current_req) {
-+ if (current_req && current_req->req) {
- scsi_req_cancel(current_req->req);
-+ current_req->req = NULL;
- }
- lsi_disconnect(s);
- break;
-2.33.0
-
deleted file mode 100644
@@ -1,146 +0,0 @@
-From 5451bf6db85ce3da1238e9154d051ebccec8f171 Mon Sep 17 00:00:00 2001
-From: Mauro Matteo Cascella <mcascell@redhat.com>
-Date: Mon, 11 Jul 2022 14:33:16 +0200
-Subject: [PATCH 2/2] scsi/lsi53c895a: really fix use-after-free in
- lsi_do_msgout (CVE-2022-0216)
-
-Set current_req to NULL, not current_req->req, to prevent reusing a free'd
-buffer in case of repeated SCSI cancel requests. Also apply the fix to
-CLEAR QUEUE and BUS DEVICE RESET messages as well, since they also cancel
-the request.
-
-Thanks to Alexander Bulekov for providing a reproducer.
-
-Fixes: CVE-2022-0216
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/972
-Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
-Tested-by: Alexander Bulekov <alxndr@bu.edu>
-Message-Id: <20220711123316.421279-1-mcascell@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-
-Upstream-Status: Backport [4367a20cc442c56b05611b4224de9a61908f9eac]
-CVE: CVE-2022-0216
-
-Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
----
- hw/scsi/lsi53c895a.c | 3 +-
- tests/qtest/fuzz-lsi53c895a-test.c | 76 ++++++++++++++++++++++++++++++
- 2 files changed, 78 insertions(+), 1 deletion(-)
-
-diff --git a/hw/scsi/lsi53c895a.c b/hw/scsi/lsi53c895a.c
-index 99ea42d49..ad5f5e5f3 100644
---- a/hw/scsi/lsi53c895a.c
-+++ b/hw/scsi/lsi53c895a.c
-@@ -1030,7 +1030,7 @@ static void lsi_do_msgout(LSIState *s)
- trace_lsi_do_msgout_abort(current_tag);
- if (current_req && current_req->req) {
- scsi_req_cancel(current_req->req);
-- current_req->req = NULL;
-+ current_req = NULL;
- }
- lsi_disconnect(s);
- break;
-@@ -1056,6 +1056,7 @@ static void lsi_do_msgout(LSIState *s)
- /* clear the current I/O process */
- if (s->current) {
- scsi_req_cancel(s->current->req);
-+ current_req = NULL;
- }
-
- /* As the current implemented devices scsi_disk and scsi_generic
-diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
-index ba5d46897..c1af0ab1c 100644
---- a/tests/qtest/fuzz-lsi53c895a-test.c
-+++ b/tests/qtest/fuzz-lsi53c895a-test.c
-@@ -8,6 +8,79 @@
- #include "qemu/osdep.h"
- #include "libqos/libqtest.h"
-
-+/*
-+ * This used to trigger a UAF in lsi_do_msgout()
-+ * https://gitlab.com/qemu-project/qemu/-/issues/972
-+ */
-+static void test_lsi_do_msgout_cancel_req(void)
-+{
-+ QTestState *s;
-+
-+ if (sizeof(void *) == 4) {
-+ g_test_skip("memory size too big for 32-bit build");
-+ return;
-+ }
-+
-+ s = qtest_init("-M q35 -m 4G -display none -nodefaults "
-+ "-device lsi53c895a,id=scsi "
-+ "-device scsi-hd,drive=disk0 "
-+ "-drive file=null-co://,id=disk0,if=none,format=raw");
-+
-+ qtest_outl(s, 0xcf8, 0x80000810);
-+ qtest_outl(s, 0xcf8, 0xc000);
-+ qtest_outl(s, 0xcf8, 0x80000810);
-+ qtest_outw(s, 0xcfc, 0x7);
-+ qtest_outl(s, 0xcf8, 0x80000810);
-+ qtest_outl(s, 0xcfc, 0xc000);
-+ qtest_outl(s, 0xcf8, 0x80000804);
-+ qtest_outw(s, 0xcfc, 0x05);
-+ qtest_writeb(s, 0x69736c10, 0x08);
-+ qtest_writeb(s, 0x69736c13, 0x58);
-+ qtest_writeb(s, 0x69736c1a, 0x01);
-+ qtest_writeb(s, 0x69736c1b, 0x06);
-+ qtest_writeb(s, 0x69736c22, 0x01);
-+ qtest_writeb(s, 0x69736c23, 0x07);
-+ qtest_writeb(s, 0x69736c2b, 0x02);
-+ qtest_writeb(s, 0x69736c48, 0x08);
-+ qtest_writeb(s, 0x69736c4b, 0x58);
-+ qtest_writeb(s, 0x69736c52, 0x04);
-+ qtest_writeb(s, 0x69736c53, 0x06);
-+ qtest_writeb(s, 0x69736c5b, 0x02);
-+ qtest_outl(s, 0xc02d, 0x697300);
-+ qtest_writeb(s, 0x5a554662, 0x01);
-+ qtest_writeb(s, 0x5a554663, 0x07);
-+ qtest_writeb(s, 0x5a55466a, 0x10);
-+ qtest_writeb(s, 0x5a55466b, 0x22);
-+ qtest_writeb(s, 0x5a55466c, 0x5a);
-+ qtest_writeb(s, 0x5a55466d, 0x5a);
-+ qtest_writeb(s, 0x5a55466e, 0x34);
-+ qtest_writeb(s, 0x5a55466f, 0x5a);
-+ qtest_writeb(s, 0x5a345a5a, 0x77);
-+ qtest_writeb(s, 0x5a345a5b, 0x55);
-+ qtest_writeb(s, 0x5a345a5c, 0x51);
-+ qtest_writeb(s, 0x5a345a5d, 0x27);
-+ qtest_writeb(s, 0x27515577, 0x41);
-+ qtest_outl(s, 0xc02d, 0x5a5500);
-+ qtest_writeb(s, 0x364001d0, 0x08);
-+ qtest_writeb(s, 0x364001d3, 0x58);
-+ qtest_writeb(s, 0x364001da, 0x01);
-+ qtest_writeb(s, 0x364001db, 0x26);
-+ qtest_writeb(s, 0x364001dc, 0x0d);
-+ qtest_writeb(s, 0x364001dd, 0xae);
-+ qtest_writeb(s, 0x364001de, 0x41);
-+ qtest_writeb(s, 0x364001df, 0x5a);
-+ qtest_writeb(s, 0x5a41ae0d, 0xf8);
-+ qtest_writeb(s, 0x5a41ae0e, 0x36);
-+ qtest_writeb(s, 0x5a41ae0f, 0xd7);
-+ qtest_writeb(s, 0x5a41ae10, 0x36);
-+ qtest_writeb(s, 0x36d736f8, 0x0c);
-+ qtest_writeb(s, 0x36d736f9, 0x80);
-+ qtest_writeb(s, 0x36d736fa, 0x0d);
-+ qtest_outl(s, 0xc02d, 0x364000);
-+
-+ qtest_quit(s);
-+}
-+
- /*
- * This used to trigger the assert in lsi_do_dma()
- * https://bugs.launchpad.net/qemu/+bug/697510
-@@ -48,5 +121,8 @@ int main(int argc, char **argv)
- test_lsi_do_dma_empty_queue);
- }
-
-+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
-+ test_lsi_do_msgout_cancel_req);
-+
- return g_test_run();
- }
-2.33.0
-
deleted file mode 100644
@@ -1,53 +0,0 @@
-From a10c33942dc8cb31b3762b9dd4adde4c490eed9c Mon Sep 17 00:00:00 2001
-From: Hitendra Prajapati <hprajapati@mvista.com>
-Date: Wed, 3 Aug 2022 10:11:11 +0530
-Subject: [PATCH] CVE-2022-35414
-
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c]
-CVE: CVE-2022-35414
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- softmmu/physmem.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/softmmu/physmem.c b/softmmu/physmem.c
-index 4e1b27a20..ad8a90dec 100644
---- a/softmmu/physmem.c
-+++ b/softmmu/physmem.c
-@@ -669,7 +669,7 @@ void tcg_iommu_init_notifier_list(CPUState *cpu)
-
- /* Called from RCU critical section */
- MemoryRegionSection *
--address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
-+address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr orig_addr,
- hwaddr *xlat, hwaddr *plen,
- MemTxAttrs attrs, int *prot)
- {
-@@ -678,6 +678,7 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
- IOMMUMemoryRegionClass *imrc;
- IOMMUTLBEntry iotlb;
- int iommu_idx;
-+ hwaddr addr = orig_addr;
- AddressSpaceDispatch *d =
- qatomic_rcu_read(&cpu->cpu_ases[asidx].memory_dispatch);
-
-@@ -722,6 +723,16 @@ address_space_translate_for_iotlb(CPUState *cpu, int asidx, hwaddr addr,
- return section;
-
- translate_fail:
-+ /*
-+ * We should be given a page-aligned address -- certainly
-+ * tlb_set_page_with_attrs() does so. The page offset of xlat
-+ * is used to index sections[], and PHYS_SECTION_UNASSIGNED = 0.
-+ * The page portion of xlat will be logged by memory_region_access_valid()
-+ * when this memory access is rejected, so use the original untranslated
-+ * physical address.
-+ */
-+ assert((orig_addr & ~TARGET_PAGE_MASK) == 0);
-+ *xlat = orig_addr;
- return &d->map.sections[PHYS_SECTION_UNASSIGNED];
- }
-
-2.25.1
-
@@ -14,19 +14,19 @@ Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
configure | 4 ----
1 file changed, 4 deletions(-)
-diff --git a/configure b/configure
-index 7c08c1835..0613279f9 100755
---- a/configure
-+++ b/configure
-@@ -3118,7 +3118,6 @@ if test "$skip_meson" = no; then
- fi
+Index: qemu-7.1.0/configure
+===================================================================
+--- qemu-7.1.0.orig/configure
++++ qemu-7.1.0/configure
+@@ -2710,7 +2710,6 @@ if test "$skip_meson" = no; then
echo "strip = [$(meson_quote $strip)]" >> $cross
+ echo "widl = [$(meson_quote $widl)]" >> $cross
echo "windres = [$(meson_quote $windres)]" >> $cross
- if test "$cross_compile" = "yes"; then
cross_arg="--cross-file config-meson.cross"
echo "[host_machine]" >> $cross
echo "system = '$targetos'" >> $cross
-@@ -3136,9 +3135,6 @@ if test "$skip_meson" = no; then
+@@ -2728,9 +2727,6 @@ if test "$skip_meson" = no; then
else
echo "endian = 'little'" >> $cross
fi
@@ -36,6 +36,3 @@ index 7c08c1835..0613279f9 100755
mv $cross config-meson.cross
rm -rf meson-private meson-info meson-logs
-2.30.2
-
similarity index 100%
rename from meta/recipes-devtools/qemu/qemu_7.0.0.bb
rename to meta/recipes-devtools/qemu/qemu_7.1.0.bb
Drop CVE backports and backported patch for pvrdma which was also applied upstream. Refresh cross.patch. Drop vnc-png option removed upstream. Update ptest path manipulations for target. qmp now has consists of multiple files so install them all as a python module. The upgrade contains fixes for virtio block devices which we hope will address vda device tracebacks on the autobuilder from qemu. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> --- meta/conf/distro/include/tcmode-default.inc | 2 +- ...u-native_7.0.0.bb => qemu-native_7.1.0.bb} | 0 ...e_7.0.0.bb => qemu-system-native_7.1.0.bb} | 3 +- meta/recipes-devtools/qemu/qemu.inc | 21 ++- ...t-against-buggy-or-malicious-guest-d.patch | 57 ------- .../qemu/qemu/CVE-2021-3507_1.patch | 92 ----------- .../qemu/qemu/CVE-2021-3507_2.patch | 115 -------------- .../qemu/qemu/CVE-2022-0216_1.patch | 42 ----- .../qemu/qemu/CVE-2022-0216_2.patch | 146 ------------------ .../qemu/qemu/CVE-2022-35414.patch | 53 ------- meta/recipes-devtools/qemu/qemu/cross.patch | 17 +- .../qemu/{qemu_7.0.0.bb => qemu_7.1.0.bb} | 0 12 files changed, 20 insertions(+), 528 deletions(-) rename meta/recipes-devtools/qemu/{qemu-native_7.0.0.bb => qemu-native_7.1.0.bb} (100%) rename meta/recipes-devtools/qemu/{qemu-system-native_7.0.0.bb => qemu-system-native_7.1.0.bb} (90%) delete mode 100644 meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2021-3507_2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_1.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-0216_2.patch delete mode 100644 meta/recipes-devtools/qemu/qemu/CVE-2022-35414.patch rename meta/recipes-devtools/qemu/{qemu_7.0.0.bb => qemu_7.1.0.bb} (100%)