various fixes
authorWolfgang Bumiller <w.bumiller@proxmox.com>
Thu, 2 Feb 2017 08:58:34 +0000 (09:58 +0100)
committerWolfgang Bumiller <w.bumiller@proxmox.com>
Thu, 2 Feb 2017 09:04:43 +0000 (10:04 +0100)
debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch [new file with mode: 0644]
debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch [new file with mode: 0644]
debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch [new file with mode: 0644]
debian/patches/series

diff --git a/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch b/debian/patches/extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
new file mode 100644 (file)
index 0000000..017f55a
--- /dev/null
@@ -0,0 +1,61 @@
+From da4c6050712be98934918e348aa34a74be0e4e57 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 31 Jan 2017 17:54:15 +0530
+Subject: [PATCH 3/8] sd: sdhci: check transfer mode register in multi block
+ transfer
+
+In SDHCI device emulation the transfer mode register value
+is used during multi block transfer to check if block count
+register is enabled and should be updated. Transfer mode
+register could be set such that, block count register would
+not be updated, thus leading to an infinite loop. Add check
+to avoid it.
+
+Reported-by: Wjjzhang <wjjzhang@tencent.com>
+Reported-by: Jiang Xin <jiangxin1@huawei.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/sd/sdhci.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 01fbf22..35f953a 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -486,6 +486,12 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+     uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
+     uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
++    if (!(s->trnmod & SDHC_TRNS_MULTI)
++        || !(s->trnmod & SDHC_TRNS_BLK_CNT_EN)
++        || !s->blkcnt) {
++        return;
++    }
++
+     /* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
+      * possible stop at page boundary if initial address is not page aligned,
+      * allow them to work properly */
+@@ -797,11 +803,6 @@ static void sdhci_data_transfer(void *opaque)
+     if (s->trnmod & SDHC_TRNS_DMA) {
+         switch (SDHC_DMA_TYPE(s->hostctl)) {
+         case SDHC_CTRL_SDMA:
+-            if ((s->trnmod & SDHC_TRNS_MULTI) &&
+-                    (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
+-                break;
+-            }
+-
+             if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
+                 sdhci_sdma_transfer_single_block(s);
+             } else {
+@@ -1050,7 +1051,7 @@ sdhci_write(void *opaque, hwaddr offset, uint64_t val, unsigned size)
+         if (!(s->capareg & SDHC_CAN_DO_DMA)) {
+             value &= ~SDHC_TRNS_DMA;
+         }
+-        MASKED_WRITE(s->trnmod, mask, value);
++        MASKED_WRITE(s->trnmod, mask, value & 0x0037);
+         MASKED_WRITE(s->cmdreg, mask >> 16, value >> 16);
+         /* Writing to the upper byte of CMDREG triggers SD command generation */
+-- 
+2.1.4
+
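Review bot: The `0x0037` on the `MASKED_WRITE(s->trnmod, mask, value & 0x0037);` line in the sdhci_write hunk is an undocumented magic mask; since the file already names the individual bits (`SDHC_TRNS_DMA`, `SDHC_TRNS_BLK_CNT_EN`, `SDHC_TRNS_MULTI`), a named constant such as `#define SDHC_TRNMOD_MASK 0x0037 /* writable bits of the transfer mode register */` (name is a proposal) used as `MASKED_WRITE(s->trnmod, mask, value & SDHC_TRNMOD_MASK);` would make the hardening reviewable. The early `return` added to sdhci_sdma_transfer_multi_blocks is the check that replaces the removed `break` in sdhci_data_transfer, so a one-line comment above it, `/* a multi-block DMA transfer with block counting disabled or no blocks left would never terminate */`, would tie it to the infinite loop described in the patch header. All three enclosing functions (sdhci_sdma_transfer_multi_blocks, sdhci_data_transfer, sdhci_write) start or end outside their hunks. As this is an upstream patch carried in debian/patches, such comments belong in a follow-up rather than in the carried patch.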
diff --git a/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch b/debian/patches/extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
new file mode 100644 (file)
index 0000000..aeca0a1
--- /dev/null
@@ -0,0 +1,42 @@
+From b9bc05a3a687f9993c5c2a8890b53ab9e8dbc96c Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Tue, 31 Jan 2017 17:54:16 +0530
+Subject: [PATCH 4/8] sd: sdhci: block count enable not relevant in single
+ block transfer
+
+In SDHCI device emulation the 'Block count enable' bit
+of the Transfer Mode register is only relevant in multi block
+transfers. We need not check it in single block transfers.
+
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+---
+ hw/sd/sdhci.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
+index 35f953a..85cac42 100644
+--- a/hw/sd/sdhci.c
++++ b/hw/sd/sdhci.c
+@@ -570,7 +570,6 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
+ }
+ /* single block SDMA transfer */
+-
+ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+ {
+     int n;
+@@ -589,10 +588,7 @@ static void sdhci_sdma_transfer_single_block(SDHCIState *s)
+             sdbus_write_data(&s->sdbus, s->fifo_buffer[n]);
+         }
+     }
+-
+-    if (s->trnmod & SDHC_TRNS_BLK_CNT_EN) {
+-        s->blkcnt--;
+-    }
++    s->blkcnt--;
+     sdhci_end_transfer(s);
+ }
+-- 
+2.1.4
+
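Review bot: `s->blkcnt--;` in sdhci_sdma_transfer_single_block is now unconditional, and the dispatch in sdhci_data_transfer (visible in the 0003 patch above) reaches this function whenever `SDHC_TRNS_MULTI` is clear regardless of `blkcnt`, so a single-block transfer programmed with `blkcnt == 0` decrements through zero. I cannot see the field's type from here; if it is an unsigned register field this is a wrap to the maximum value rather than undefined behaviour, but it still leaves a counter the guest can presumably read back in a surprising state, so either `if (s->blkcnt) { s->blkcnt--; }` or a comment stating that the wrap is intended and harmless would be appropriate. The removal of the blank line before `static void sdhci_sdma_transfer_single_block` is cosmetic. The body of sdhci_sdma_transfer_single_block begins outside the second hunk.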
diff --git a/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch b/debian/patches/extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
new file mode 100644 (file)
index 0000000..19e7599
--- /dev/null
@@ -0,0 +1,44 @@
+From b891912de9c0ef615955fccc043915eb36ce3c02 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Wed, 14 Dec 2016 12:31:56 +0530
+Subject: [PATCH 2/8] display: virtio-gpu-3d: check virgl capabilities max_size
+
+Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
+command, retrieves the maximum capabilities size to fill in the
+response object. It continues to fill in capabilities even if
+retrieved 'max_size' is zero(0), thus resulting in OOB access.
+Add check to avoid it.
+
+Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Message-id: 20161214070156.23368-1-ppandit@redhat.com
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+
+Notes:
+    CVE-2016-10028
+
+ hw/display/virtio-gpu-3d.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
+index d98b140..cdd03a4 100644
+--- a/hw/display/virtio-gpu-3d.c
++++ b/hw/display/virtio-gpu-3d.c
+@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
+     virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
+                                &max_size);
+-    resp = g_malloc0(sizeof(*resp) + max_size);
++    if (!max_size) {
++        cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
++        return;
++    }
++    resp = g_malloc0(sizeof(*resp) + max_size);
+     resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
+     virgl_renderer_fill_caps(gc.capset_id,
+                              gc.capset_version,
+-- 
+2.1.4
+
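Review bot: The new `if (!max_size)` test depends on `max_size` holding a defined value after `virgl_renderer_get_cap_set(gc.capset_id, &max_ver, &max_size);`, and both the declaration of `max_size` and the origin of `gc.capset_id` are outside the hunk; if the renderer leaves its output parameters untouched for a capset id it does not recognise, the check would read an indeterminate value. Initialising at the declaration, `uint32_t max_ver = 0, max_size = 0;`, makes the zero-size rejection hold in that case as well (worth confirming against virglrenderer's behaviour). Returning before `g_malloc0` with `cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER` set avoids a leak on the error path, which is correct. virgl_cmd_get_capset continues outside the hunk.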
diff --git a/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch b/debian/patches/extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
new file mode 100644 (file)
index 0000000..06567fc
--- /dev/null
@@ -0,0 +1,50 @@
+From a8341ea109259c17ad18b02597e5e03e99db60ae Mon Sep 17 00:00:00 2001
+From: Li Qiang <liqiang6-s@360.cn>
+Date: Mon, 28 Nov 2016 17:49:04 -0800
+Subject: [PATCH 1/8] watchdog: 6300esb: add exit function
+
+When the Intel 6300ESB watchdog is hot unplug. The timer allocated
+in realize isn't freed thus leaking memory leak. This patch avoid
+this through adding the exit function.
+
+Signed-off-by: Li Qiang <liqiang6-s@360.cn>
+Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+
+Notes:
+    CVE-2016-10155
+
+ hw/watchdog/wdt_i6300esb.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
+index a83d951..49b3cd1 100644
+--- a/hw/watchdog/wdt_i6300esb.c
++++ b/hw/watchdog/wdt_i6300esb.c
+@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
+     /* qemu_register_coalesced_mmio (addr, 0x10); ? */
+ }
++static void i6300esb_exit(PCIDevice *dev)
++{
++    I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
++
++    timer_del(d->timer);
++    timer_free(d->timer);
++}
++
+ static WatchdogTimerModel model = {
+     .wdt_name = "i6300esb",
+     .wdt_description = "Intel 6300ESB",
+@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
+     k->config_read = i6300esb_config_read;
+     k->config_write = i6300esb_config_write;
+     k->realize = i6300esb_realize;
++    k->exit = i6300esb_exit;
+     k->vendor_id = PCI_VENDOR_ID_INTEL;
+     k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
+     k->class_id = PCI_CLASS_SYSTEM_OTHER;
+-- 
+2.1.4
+
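Review bot: i6300esb_exit frees `d->timer` but leaves the pointer dangling; adding `d->timer = NULL;` after `timer_free(d->timer);` turns any later access through the device state (for example a reset or a second exit, if such an ordering is possible — I cannot tell from here) into a null dereference rather than a use-after-free. A one-line comment, `/* release the timer allocated in realize so hot-unplug does not leak it */`, would tie the function to the leak it fixes. The i6300esb_class_init hunk only wires the callback, and that function continues outside the hunk.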
index 3cc187b4ccca1cde1de6fe9385b179f90d1e262e..e0c9bf50315468526b4f5bea2da0869bb0233118 100644 (file)
@@ -88,3 +88,7 @@ extra/0001-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
 extra/0002-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
 extra/0003-cirrus-fix-blit-address-mask-handling.patch
 extra/0004-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
+extra/CVE-2016-10028-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
+extra/CVE-2016-10155-watchdog-6300esb-add-exit-function.patch
+extra/0003-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
+extra/0004-sd-sdhci-block-count-enable-not-relevant-in-single-b.patch
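Review bot: The order of the two sdhci entries is load-bearing: the pre-image of 0004 (`index 35f953a..85cac42`) is the post-image of 0003 (`index 01fbf22..35f953a`), so 0004 only applies on top of 0003, whereas the two CVE patches touch unrelated files and could go anywhere in the list. A comment line above the pair, `# 0004-sd-sdhci applies on top of 0003-sd-sdhci`, would record this if the patch tooling accepts quilt-style `#` comments in series. Note also that the `0003-`/`0004-` prefixes now appear twice (cirrus and sdhci) and denote two different upstream series, which the filenames' suffixes disambiguate but a reader may trip over.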