author | Felix Janda <felix.janda@posteo.de> | 2016-01-30 16:58:50 +0100 |
---|---|---|
committer | Anthony G. Basile <blueness@gentoo.org> | 2016-01-30 12:28:05 -0500 |
commit | db375501bb3b42701ab7b00e15a76ec00779332b (patch) | |
tree | 30b6f35dc72b81649c0c9b8a7150f0c8ac0ab34a /app-emulation/qemu/files | |
parent | dev-libs/boehm-gc: Make it pass its testsuite (diff) | |
download | musl-db375501bb3b42701ab7b00e15a76ec00779332b.tar.gz musl-db375501bb3b42701ab7b00e15a76ec00779332b.tar.bz2 musl-db375501bb3b42701ab7b00e15a76ec00779332b.zip |
app-emulation/qemu: bump to 2.5.0
Diffstat (limited to 'app-emulation/qemu/files')
9 files changed, 298 insertions, 385 deletions
diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch deleted file mode 100644 index 35ef8fde..00000000 --- a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-1.patch +++ /dev/null @@ -1,241 +0,0 @@ -From a2bebfd6e09d285aa793cae3fb0fc3a39a9fee6e Mon Sep 17 00:00:00 2001 -From: "Daniel P. Berrange" <berrange@redhat.com> -Date: Mon, 23 Mar 2015 22:58:21 +0000 -Subject: [PATCH] CVE-2015-1779: incrementally decode websocket frames - -The logic for decoding websocket frames wants to fully -decode the frame header and payload, before allowing the -VNC server to see any of the payload data. There is no -size limit on websocket payloads, so this allows a -malicious network client to consume 2^64 bytes in memory -in QEMU. It can trigger this denial of service before -the VNC server even performs any authentication. - -The fix is to decode the header, and then incrementally -decode the payload data as it is needed. With this fix -the websocket decoder will allow at most 4k of data to -be buffered before decoding and processing payload. - -Signed-off-by: Daniel P. Berrange <berrange@redhat.com> - -[ kraxel: fix frequent spurious disconnects, suggested by Peter Maydell ] - - @@ -361,7 +361,7 @@ int vncws_decode_frame_payload(Buffer *input, - - *payload_size = input->offset; - + *payload_size = *payload_remain; - -[ kraxel: fix 32bit build ] - - 
@@ -306,7 +306,7 @@ struct VncState - - uint64_t ws_payload_remain; - + size_t ws_payload_remain; - -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - ui/vnc-ws.c | 105 ++++++++++++++++++++++++++++++++++++++++-------------------- - ui/vnc-ws.h | 9 ++++-- - ui/vnc.h | 2 ++ - 3 files changed, 80 insertions(+), 36 deletions(-) - -diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c -index 85dbb7e..0b7de4e 100644 ---- a/ui/vnc-ws.c -+++ b/ui/vnc-ws.c -@@ -107,7 +107,7 @@ long vnc_client_read_ws(VncState *vs) - { - int ret, err; - uint8_t *payload; -- size_t payload_size, frame_size; -+ size_t payload_size, header_size; - VNC_DEBUG("Read websocket %p size %zd offset %zd\n", vs->ws_input.buffer, - vs->ws_input.capacity, vs->ws_input.offset); - buffer_reserve(&vs->ws_input, 4096); -@@ -117,18 +117,39 @@ long vnc_client_read_ws(VncState *vs) - } - vs->ws_input.offset += ret; - -- /* make sure that nothing is left in the ws_input buffer */ -+ ret = 0; -+ /* consume as much of ws_input buffer as possible */ - do { -- err = vncws_decode_frame(&vs->ws_input, &payload, -- &payload_size, &frame_size); -- if (err <= 0) { -- return err; -+ if (vs->ws_payload_remain == 0) { -+ err = vncws_decode_frame_header(&vs->ws_input, -+ &header_size, -+ &vs->ws_payload_remain, -+ &vs->ws_payload_mask); -+ if (err <= 0) { -+ return err; -+ } -+ -+ buffer_advance(&vs->ws_input, header_size); - } -+ if (vs->ws_payload_remain != 0) { -+ err = vncws_decode_frame_payload(&vs->ws_input, -+ &vs->ws_payload_remain, -+ &vs->ws_payload_mask, -+ &payload, -+ &payload_size); -+ if (err < 0) { -+ return err; -+ } -+ if (err == 0) { -+ return ret; -+ } -+ ret += err; - -- buffer_reserve(&vs->input, payload_size); -- buffer_append(&vs->input, payload, payload_size); -+ buffer_reserve(&vs->input, payload_size); -+ buffer_append(&vs->input, payload, payload_size); - -- buffer_advance(&vs->ws_input, frame_size); -+ buffer_advance(&vs->ws_input, payload_size); -+ } - } while (vs->ws_input.offset > 0); - - return ret; 
-@@ -265,15 +286,14 @@ void vncws_encode_frame(Buffer *output, const void *payload, - buffer_append(output, payload, payload_size); - } - --int vncws_decode_frame(Buffer *input, uint8_t **payload, -- size_t *payload_size, size_t *frame_size) -+int vncws_decode_frame_header(Buffer *input, -+ size_t *header_size, -+ size_t *payload_remain, -+ WsMask *payload_mask) - { - unsigned char opcode = 0, fin = 0, has_mask = 0; -- size_t header_size = 0; -- uint32_t *payload32; -+ size_t payload_len; - WsHeader *header = (WsHeader *)input->buffer; -- WsMask mask; -- int i; - - if (input->offset < WS_HEAD_MIN_LEN + 4) { - /* header not complete */ -@@ -283,7 +303,7 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload, - fin = (header->b0 & 0x80) >> 7; - opcode = header->b0 & 0x0f; - has_mask = (header->b1 & 0x80) >> 7; -- *payload_size = header->b1 & 0x7f; -+ payload_len = header->b1 & 0x7f; - - if (opcode == WS_OPCODE_CLOSE) { - /* disconnect */ -@@ -300,40 +320,57 @@ int vncws_decode_frame(Buffer *input, uint8_t **payload, - return -2; - } - -- if (*payload_size < 126) { -- header_size = 6; -- mask = header->u.m; -- } else if (*payload_size == 126 && input->offset >= 8) { -- *payload_size = be16_to_cpu(header->u.s16.l16); -- header_size = 8; -- mask = header->u.s16.m16; -- } else if (*payload_size == 127 && input->offset >= 14) { -- *payload_size = be64_to_cpu(header->u.s64.l64); -- header_size = 14; -- mask = header->u.s64.m64; -+ if (payload_len < 126) { -+ *payload_remain = payload_len; -+ *header_size = 6; -+ *payload_mask = header->u.m; -+ } else if (payload_len == 126 && input->offset >= 8) { -+ *payload_remain = be16_to_cpu(header->u.s16.l16); -+ *header_size = 8; -+ *payload_mask = header->u.s16.m16; -+ } else if (payload_len == 127 && input->offset >= 14) { -+ *payload_remain = be64_to_cpu(header->u.s64.l64); -+ *header_size = 14; -+ *payload_mask = header->u.s64.m64; - } else { - /* header not complete */ - return 0; - } - -- *frame_size = header_size + 
*payload_size; -+ return 1; -+} -+ -+int vncws_decode_frame_payload(Buffer *input, -+ size_t *payload_remain, WsMask *payload_mask, -+ uint8_t **payload, size_t *payload_size) -+{ -+ size_t i; -+ uint32_t *payload32; - -- if (input->offset < *frame_size) { -- /* frame not complete */ -+ *payload = input->buffer; -+ /* If we aren't at the end of the payload, then drop -+ * off the last bytes, so we're always multiple of 4 -+ * for purpose of unmasking, except at end of payload -+ */ -+ if (input->offset < *payload_remain) { -+ *payload_size = input->offset - (input->offset % 4); -+ } else { -+ *payload_size = *payload_remain; -+ } -+ if (*payload_size == 0) { - return 0; - } -- -- *payload = input->buffer + header_size; -+ *payload_remain -= *payload_size; - - /* unmask frame */ - /* process 1 frame (32 bit op) */ - payload32 = (uint32_t *)(*payload); - for (i = 0; i < *payload_size / 4; i++) { -- payload32[i] ^= mask.u; -+ payload32[i] ^= payload_mask->u; - } - /* process the remaining bytes (if any) */ - for (i *= 4; i < *payload_size; i++) { -- (*payload)[i] ^= mask.c[i % 4]; -+ (*payload)[i] ^= payload_mask->c[i % 4]; - } - - return 1; -diff --git a/ui/vnc-ws.h b/ui/vnc-ws.h -index ef229b7..14d4230 100644 ---- a/ui/vnc-ws.h -+++ b/ui/vnc-ws.h -@@ -83,7 +83,12 @@ long vnc_client_read_ws(VncState *vs); - void vncws_process_handshake(VncState *vs, uint8_t *line, size_t size); - void vncws_encode_frame(Buffer *output, const void *payload, - const size_t payload_size); --int vncws_decode_frame(Buffer *input, uint8_t **payload, -- size_t *payload_size, size_t *frame_size); -+int vncws_decode_frame_header(Buffer *input, -+ size_t *header_size, -+ size_t *payload_remain, -+ WsMask *payload_mask); -+int vncws_decode_frame_payload(Buffer *input, -+ size_t *payload_remain, WsMask *payload_mask, -+ uint8_t **payload, size_t *payload_size); - - #endif /* __QEMU_UI_VNC_WS_H */ -diff --git a/ui/vnc.h b/ui/vnc.h -index e19ac39..3f7c6a9 100644 ---- a/ui/vnc.h -+++ b/ui/vnc.h -@@ 
-306,6 +306,8 @@ struct VncState - #ifdef CONFIG_VNC_WS - Buffer ws_input; - Buffer ws_output; -+ size_t ws_payload_remain; -+ WsMask ws_payload_mask; - #endif - /* current output mode information */ - VncWritePixels *write_pixels; --- -2.3.5 - diff --git a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch b/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch deleted file mode 100644 index c7a8c8b3..00000000 --- a/app-emulation/qemu/files/qemu-2.2.1-CVE-2015-1779-2.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 2cdb5e142fb93e875fa53c52864ef5eb8d5d8b41 Mon Sep 17 00:00:00 2001 -From: "Daniel P. Berrange" <berrange@redhat.com> -Date: Mon, 23 Mar 2015 22:58:22 +0000 -Subject: [PATCH] CVE-2015-1779: limit size of HTTP headers from websockets - clients - -The VNC server websockets decoder will read and buffer data from -websockets clients until it sees the end of the HTTP headers, -as indicated by \r\n\r\n. In theory this allows a malicious to -trick QEMU into consuming an arbitrary amount of RAM. In practice, -because QEMU runs g_strstr_len() across the buffered header data, -it will spend increasingly long burning CPU time searching for -the substring match and less & less time reading data. So while -this does cause arbitrary memory growth, the bigger problem is -that QEMU will be burning 100% of available CPU time. - -A novnc websockets client typically sends headers of around -512 bytes in length. As such it is reasonable to place a 4096 -byte limit on the amount of data buffered while searching for -the end of HTTP headers. - -Signed-off-by: Daniel P. Berrange <berrange@redhat.com> -Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> ---- - ui/vnc-ws.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/ui/vnc-ws.c b/ui/vnc-ws.c -index 0b7de4e..62eb97f 100644 ---- a/ui/vnc-ws.c -+++ b/ui/vnc-ws.c -@@ -81,8 +81,11 @@ void vncws_handshake_read(void *opaque) - VncState *vs = opaque; - uint8_t *handshake_end; - long ret; -- buffer_reserve(&vs->ws_input, 4096); -- ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), 4096); -+ /* Typical HTTP headers from novnc are 512 bytes, so limiting -+ * total header size to 4096 is easily enough. 
*/ -+ size_t want = 4096 - vs->ws_input.offset; -+ buffer_reserve(&vs->ws_input, want); -+ ret = vnc_client_read_buf(vs, buffer_end(&vs->ws_input), want); - - if (!ret) { - if (vs->csock == -1) { -@@ -99,6 +102,9 @@ void vncws_handshake_read(void *opaque) - vncws_process_handshake(vs, vs->ws_input.buffer, vs->ws_input.offset); - buffer_advance(&vs->ws_input, handshake_end - vs->ws_input.buffer + - strlen(WS_HANDSHAKE_END)); -+ } else if (vs->ws_input.offset >= 4096) { -+ VNC_DEBUG("End of headers not found in first 4096 bytes\n"); -+ vnc_client_error(vs); - } - } - --- -2.3.5 - diff --git a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch b/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch deleted file mode 100644 index 87697d08..00000000 --- a/app-emulation/qemu/files/qemu-2.3.0-CVE-2015-3456.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -https://bugs.gentoo.org/549404 - -From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001 -From: Petr Matousek <pmatouse@redhat.com> -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek <pmatouse@redhat.com> -Reviewed-by: John Snow <jsnow@redhat.com> -Signed-off-by: John Snow <jsnow@redhat.com> ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index f72a392..d8a8edd 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - 
fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1955,7 +1958,7 @@ static uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command --- -1.7.0.4 - diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch new file mode 100644 index 00000000..fbc6a0ad --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8558.patch 
@@ -0,0 +1,50 @@
+https://bugs.gentoo.org/568246
+
+From 156a2e4dbffa85997636a7a39ef12da6f1b40254 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 14 Dec 2015 09:21:23 +0100
+Subject: [PATCH] ehci: make idt processing more robust
+
+Make ehci_process_itd return an error in case we didn't do any actual
+iso transfer because we've found no active transaction. That'll avoid
+ehci happily run in circles forever if the guest builds a loop out of
+idts.
+
+This is CVE-2015-8558.
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Tested-by: P J P <ppandit@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-ehci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
+index 4e2161b..d07f228 100644
+--- a/hw/usb/hcd-ehci.c
++++ b/hw/usb/hcd-ehci.c
+@@ -1389,7 +1389,7 @@ static int ehci_process_itd(EHCIState *ehci,
+ {
+ USBDevice *dev;
+ USBEndpoint *ep;
+- uint32_t i, len, pid, dir, devaddr, endp;
++ uint32_t i, len, pid, dir, devaddr, endp, xfers = 0;
+ uint32_t pg, off, ptr1, ptr2, max, mult;
+
+ ehci->periodic_sched_active = PERIODIC_ACTIVE;
+@@ -1479,9 +1479,10 @@ static int ehci_process_itd(EHCIState *ehci,
+ ehci_raise_irq(ehci, USBSTS_INT);
+ }
+ itd->transact[i] &= ~ITD_XACT_ACTIVE;
++ xfers++;
+ }
+ }
+- return 0;
++ return xfers ? 0 : -1;
+ }
+
+
+--
+2.6.2
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
new file mode 100644
index 00000000..e1960436
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8567.patch
@@ -0,0 +1,95 @@
+https://bugs.gentoo.org/567868
+
+From aa4a3dce1c88ed51b616806b8214b7c8428b7470 Mon Sep 17 00:00:00 2001
+From: P J P <ppandit@redhat.com>
+Date: Tue, 15 Dec 2015 12:27:54 +0530
+Subject: [PATCH] net: vmxnet3: avoid memory leakage in activate_device
+
+Vmxnet3 device emulator does not check if the device is active
+before activating it, also it did not free the transmit & receive
+buffers while deactivating the device, thus resulting in memory
+leakage on the host. This patch fixes both these issues to avoid
+host memory leakage.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/vmxnet3.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
+index a5dd79a..9c1adfc 100644
+--- a/hw/net/vmxnet3.c
++++ b/hw/net/vmxnet3.c
+@@ -1194,8 +1194,13 @@ static void vmxnet3_reset_mac(VMXNET3State *s)
+
+ static void vmxnet3_deactivate_device(VMXNET3State *s)
+ {
+- VMW_CBPRN("Deactivating vmxnet3...");
+- s->device_active = false;
++ if (s->device_active) {
++ VMW_CBPRN("Deactivating vmxnet3...");
++ vmxnet_tx_pkt_reset(s->tx_pkt);
++ vmxnet_tx_pkt_uninit(s->tx_pkt);
++ vmxnet_rx_pkt_uninit(s->rx_pkt);
++ s->device_active = false;
++ }
+ }
+
+ static void vmxnet3_reset(VMXNET3State *s)
+@@ -1204,7 +1209,6 @@ static void vmxnet3_reset(VMXNET3State *s)
+
+ vmxnet3_deactivate_device(s);
+ vmxnet3_reset_interrupt_states(s);
+- vmxnet_tx_pkt_reset(s->tx_pkt);
+ s->drv_shmem = 0;
+ s->tx_sop = true;
+ s->skip_current_tx_pkt = false;
+@@ -1431,6 +1435,12 @@ static void vmxnet3_activate_device(VMXNET3State *s)
+ return;
+ }
+
++ /* Verify if device is active */
++ if (s->device_active) {
++ VMW_CFPRN("Vmxnet3 device is active");
++ return;
++ }
++
+ vmxnet3_adjust_by_guest_type(s);
+ vmxnet3_update_features(s);
+ vmxnet3_update_pm_state(s);
+@@ -1627,7 +1637,7 @@ static void vmxnet3_handle_command(VMXNET3State *s, uint64_t cmd)
+ break;
+
+ case VMXNET3_CMD_QUIESCE_DEV:
+- VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - pause the device");
++ VMW_CBPRN("Set: VMXNET3_CMD_QUIESCE_DEV - deactivate the device");
+ vmxnet3_deactivate_device(s);
+ break;
+
+@@ -1741,7 +1751,7 @@ vmxnet3_io_bar1_write(void *opaque,
+ * shared address only after we get the high part
+ */
+ if (val == 0) {
+- s->device_active = false;
++ vmxnet3_deactivate_device(s);
+ }
+ s->temp_shared_guest_driver_memory = val;
+ s->drv_shmem = 0;
+@@ -2021,9 +2031,7 @@ static bool vmxnet3_peer_has_vnet_hdr(VMXNET3State *s)
+ static void vmxnet3_net_uninit(VMXNET3State *s)
+ {
+ g_free(s->mcast_list);
+- vmxnet_tx_pkt_reset(s->tx_pkt);
+- vmxnet_tx_pkt_uninit(s->tx_pkt);
+- vmxnet_rx_pkt_uninit(s->rx_pkt);
++ vmxnet3_deactivate_device(s);
+ qemu_del_nic(s->nic);
+ }
+
+--
+2.6.2
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
new file mode 100644
index 00000000..0dab1c3e
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8701.patch
@@ -0,0 +1,49 @@
+https://bugs.gentoo.org/570110
+
+From 007cd223de527b5f41278f2d886c1a4beb3e67aa Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 28 Dec 2015 16:24:08 +0530
+Subject: [PATCH] net: rocker: fix an incorrect array bounds check
+
+While processing transmit(tx) descriptors in 'tx_consume' routine
+the switch emulator suffers from an off-by-one error, if a
+descriptor was to have more than allowed(ROCKER_TX_FRAGS_MAX=16)
+fragments. Fix an incorrect bounds check to avoid it.
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/rocker/rocker.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
+index c57f1a6..2e77e50 100644
+--- a/hw/net/rocker/rocker.c
++++ b/hw/net/rocker/rocker.c
+@@ -232,6 +232,9 @@ static int tx_consume(Rocker *r, DescInfo *info)
+ frag_addr = rocker_tlv_get_le64(tlvs[ROCKER_TLV_TX_FRAG_ATTR_ADDR]);
+ frag_len = rocker_tlv_get_le16(tlvs[ROCKER_TLV_TX_FRAG_ATTR_LEN]);
+
++ if (iovcnt >= ROCKER_TX_FRAGS_MAX) {
++ goto err_too_many_frags;
++ }
+ iov[iovcnt].iov_len = frag_len;
+ iov[iovcnt].iov_base = g_malloc(frag_len);
+ if (!iov[iovcnt].iov_base) {
+@@ -244,10 +247,7 @@ static int tx_consume(Rocker *r, DescInfo *info)
+ err = -ROCKER_ENXIO;
+ goto err_bad_io;
+ }
+-
+- if (++iovcnt > ROCKER_TX_FRAGS_MAX) {
+- goto err_too_many_frags;
+- }
++ iovcnt++;
+ }
+
+ if (iovcnt) {
+--
+2.6.2
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
new file mode 100644
index 00000000..b2bca569
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2015-8743.patch
@@ -0,0 +1,50 @@
+https://bugs.gentoo.org/570988
+
+From aa7f9966dfdff500bbbf1956d9e115b1fa8987a6 Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Thu, 31 Dec 2015 17:05:27 +0530
+Subject: [PATCH] net: ne2000: fix bounds check in ioport operations
+
+While doing ioport r/w operations, ne2000 device emulation suffers
+from OOB r/w errors. Update respective array bounds check to avoid
+OOB access.
+
+Reported-by: Ling Liu <liuling-it@360.cn>
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Signed-off-by: Jason Wang <jasowang@redhat.com>
+---
+ hw/net/ne2000.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/hw/net/ne2000.c b/hw/net/ne2000.c
+index 010f9ef..a3dffff 100644
+--- a/hw/net/ne2000.c
++++ b/hw/net/ne2000.c
+@@ -467,8 +467,9 @@ static inline void ne2000_mem_writel(NE2000State *s, uint32_t addr,
+ uint32_t val)
+ {
+ addr &= ~1; /* XXX: check exact behaviour if not even */
+- if (addr < 32 ||
+- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++ if (addr < 32
++ || (addr >= NE2000_PMEM_START
++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+ stl_le_p(s->mem + addr, val);
+ }
+ }
+@@ -497,8 +498,9 @@ static inline uint32_t ne2000_mem_readw(NE2000State *s, uint32_t addr)
+ static inline uint32_t ne2000_mem_readl(NE2000State *s, uint32_t addr)
+ {
+ addr &= ~1; /* XXX: check exact behaviour if not even */
+- if (addr < 32 ||
+- (addr >= NE2000_PMEM_START && addr < NE2000_MEM_SIZE)) {
++ if (addr < 32
++ || (addr >= NE2000_PMEM_START
++ && addr + sizeof(uint32_t) <= NE2000_MEM_SIZE)) {
+ return ldl_le_p(s->mem + addr);
+ } else {
+ return 0xffffffff;
+--
+2.6.2
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
new file mode 100644
index 00000000..4ce9a35c
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-CVE-2016-1568.patch
@@ -0,0 +1,41 @@
+https://bugs.gentoo.org/571566
+
+From 4ab0359a8ae182a7ac5c99609667273167703fab Mon Sep 17 00:00:00 2001
+From: Prasad J Pandit <pjp@fedoraproject.org>
+Date: Mon, 11 Jan 2016 14:10:42 -0500
+Subject: [PATCH] ide: ahci: reset ncq object to unused on error
+
+When processing NCQ commands, AHCI device emulation prepares a
+NCQ transfer object; To which an aio control block(aiocb) object
+is assigned in 'execute_ncq_command'. In case, when the NCQ
+command is invalid, the 'aiocb' object is not assigned, and NCQ
+transfer object is left as 'used'. This leads to a use after
+free kind of error in 'bdrv_aio_cancel_async' via 'ahci_reset_port'.
+Reset NCQ transfer object to 'unused' to avoid it.
+
+[Maintainer edit: s/ACHI/AHCI/ in the commit message. --js]
+
+Reported-by: Qinghao Tang <luodalongde@gmail.com>
+Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
+Reviewed-by: John Snow <jsnow@redhat.com>
+Message-id: 1452282511-4116-1-git-send-email-ppandit@redhat.com
+Signed-off-by: John Snow <jsnow@redhat.com>
+---
+ hw/ide/ahci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
+index dd1912e..17f1cbd 100644
+--- a/hw/ide/ahci.c
++++ b/hw/ide/ahci.c
+@@ -910,6 +910,7 @@ static void ncq_err(NCQTransferState *ncq_tfs)
+ ide_state->error = ABRT_ERR;
+ ide_state->status = READY_STAT | ERR_STAT;
+ ncq_tfs->drive->port_regs.scr_err |= (1 << ncq_tfs->tag);
++ ncq_tfs->used = 0;
+ }
+
+ static void ncq_finish(NCQTransferState *ncq_tfs)
+--
+2.6.2
+
diff --git a/app-emulation/qemu/files/qemu-2.5.0-cflags.patch b/app-emulation/qemu/files/qemu-2.5.0-cflags.patch
new file mode 100644
index 00000000..173394fd
--- /dev/null
+++ b/app-emulation/qemu/files/qemu-2.5.0-cflags.patch
@@ -0,0 +1,13 @@
+--- a/configure
++++ b/configure
+@@ -4468,10 +4468,6 @@ fi
+ if test "$gcov" = "yes" ; then
+ CFLAGS="-fprofile-arcs -ftest-coverage -g $CFLAGS"
+ LDFLAGS="-fprofile-arcs -ftest-coverage $LDFLAGS"
+-elif test "$fortify_source" = "yes" ; then
+- CFLAGS="-O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 $CFLAGS"
+-elif test "$debug" = "no"; then
+- CFLAGS="-O2 $CFLAGS"
+ fi
+
+ ########################################## |
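Review bot: Dropping both `elif` branches means configure no longer adds `-O2` for a non-debug build and no longer sets `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2`, and since FORTIFY only has effect under optimisation, a build whose user CFLAGS carry no `-O` flag ends up with neither; that is presumably the intent (let the ebuild's CFLAGS and the toolchain defaults decide), but nothing in the patch says so. Unlike the CVE patches in this set, this file has no header line stating its origin or purpose, so I would add one above `--- a/configure`, e.g. `Let the ebuild's CFLAGS control optimisation and FORTIFY_SOURCE instead of configure forcing -O2 / -D_FORTIFY_SOURCE=2.`. The `$fortify_source` and `$debug` variables are presumably still set by configure options outside this hunk, so the header should also note that those options no longer influence CFLAGS after this patch.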