mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-24 04:33:24 +00:00
Fix translation block local denial of service vulnerability
Obtained from: qemu cvs Security: http://www.freebsd.org/ports/portaudit/30f5ca1d-a90b-11dc-bf13-0211060005df.html
This commit is contained in:
parent
c45ff3e5a1
commit
62d040db7a
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=203428
@ -7,6 +7,7 @@
|
||||
|
||||
PORTNAME= qemu
|
||||
PORTVERSION= 0.9.0s.20070802
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= emulators
|
||||
MASTER_SITES= http://qemu.org/:release \
|
||||
http://qemu-forum.ipi.fi/qemu-snapshots/:snapshot \
|
||||
|
92
emulators/qemu-devel/files/patch-tlb-vuln
Normal file
92
emulators/qemu-devel/files/patch-tlb-vuln
Normal file
@ -0,0 +1,92 @@
|
||||
Index: qemu/cpu-exec.c
|
||||
diff -u qemu/cpu-exec.c:1.128 qemu/cpu-exec.c:1.129
|
||||
--- qemu/cpu-exec.c:1.128 Sun Dec 2 06:18:23 2007
|
||||
+++ qemu/cpu-exec.c Tue Dec 11 19:35:45 2007
|
||||
@@ -133,7 +133,7 @@
|
||||
tb->tc_ptr = tc_ptr;
|
||||
tb->cs_base = cs_base;
|
||||
tb->flags = flags;
|
||||
- cpu_gen_code(env, tb, CODE_GEN_MAX_SIZE, &code_gen_size);
|
||||
+ cpu_gen_code(env, tb, &code_gen_size);
|
||||
code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
|
||||
|
||||
/* check next page if needed */
|
||||
Index: qemu/exec-all.h
|
||||
diff -u qemu/exec-all.h:1.72 qemu/exec-all.h:1.73
|
||||
--- qemu/exec-all.h:1.72 Mon Nov 19 00:38:33 2007
|
||||
+++ qemu/exec-all.h Tue Dec 11 19:35:45 2007
|
||||
@@ -64,8 +64,9 @@
|
||||
int gen_intermediate_code(CPUState *env, struct TranslationBlock *tb);
|
||||
int gen_intermediate_code_pc(CPUState *env, struct TranslationBlock *tb);
|
||||
void dump_ops(const uint16_t *opc_buf, const uint32_t *opparam_buf);
|
||||
+unsigned long code_gen_max_block_size(void);
|
||||
int cpu_gen_code(CPUState *env, struct TranslationBlock *tb,
|
||||
- int max_code_size, int *gen_code_size_ptr);
|
||||
+ int *gen_code_size_ptr);
|
||||
int cpu_restore_state(struct TranslationBlock *tb,
|
||||
CPUState *env, unsigned long searched_pc,
|
||||
void *puc);
|
||||
@@ -94,7 +95,6 @@
|
||||
return tlb_set_page_exec(env, vaddr, paddr, prot, mmu_idx, is_softmmu);
|
||||
}
|
||||
|
||||
-#define CODE_GEN_MAX_SIZE 65536
|
||||
#define CODE_GEN_ALIGN 16 /* must be >= of the size of a icache line */
|
||||
|
||||
#define CODE_GEN_PHYS_HASH_BITS 15
|
||||
Index: qemu/exec.c
|
||||
diff -u qemu/exec.c:1.117 qemu/exec.c:1.118
|
||||
--- qemu/exec.c:1.117 Sun Dec 9 02:22:56 2007
|
||||
+++ qemu/exec.c Tue Dec 11 19:35:45 2007
|
||||
@@ -56,7 +56,7 @@
|
||||
#endif
|
||||
|
||||
/* threshold to flush the translated code buffer */
|
||||
-#define CODE_GEN_BUFFER_MAX_SIZE (CODE_GEN_BUFFER_SIZE - CODE_GEN_MAX_SIZE)
|
||||
+#define CODE_GEN_BUFFER_MAX_SIZE (CODE_GEN_BUFFER_SIZE - code_gen_max_block_size())
|
||||
|
||||
#define SMC_BITMAP_USE_THRESHOLD 10
|
||||
|
||||
@@ -622,7 +622,7 @@
|
||||
tb->cs_base = cs_base;
|
||||
tb->flags = flags;
|
||||
tb->cflags = cflags;
|
||||
- cpu_gen_code(env, tb, CODE_GEN_MAX_SIZE, &code_gen_size);
|
||||
+ cpu_gen_code(env, tb, &code_gen_size);
|
||||
code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
|
||||
|
||||
/* check next page if needed */
|
||||
Index: qemu/translate-all.c
|
||||
diff -u qemu/translate-all.c:1.23 qemu/translate-all.c:1.24
|
||||
--- qemu/translate-all.c:1.23 Sun Dec 2 06:10:02 2007
|
||||
+++ qemu/translate-all.c Tue Dec 11 19:35:45 2007
|
||||
@@ -132,14 +132,27 @@
|
||||
}
|
||||
}
|
||||
|
||||
+unsigned long code_gen_max_block_size(void)
|
||||
+{
|
||||
+ static unsigned long max;
|
||||
+
|
||||
+ if (max == 0) {
|
||||
+#define DEF(s, n, copy_size) max = copy_size > max? copy_size : max;
|
||||
+#include "opc.h"
|
||||
+#undef DEF
|
||||
+ max *= OPC_MAX_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ return max;
|
||||
+}
|
||||
+
|
||||
/* return non zero if the very first instruction is invalid so that
|
||||
the virtual CPU can trigger an exception.
|
||||
|
||||
'*gen_code_size_ptr' contains the size of the generated code (host
|
||||
code).
|
||||
*/
|
||||
-int cpu_gen_code(CPUState *env, TranslationBlock *tb,
|
||||
- int max_code_size, int *gen_code_size_ptr)
|
||||
+int cpu_gen_code(CPUState *env, TranslationBlock *tb, int *gen_code_size_ptr)
|
||||
{
|
||||
uint8_t *gen_code_buf;
|
||||
int gen_code_size;
|
@ -7,7 +7,7 @@
|
||||
|
||||
PORTNAME= qemu
|
||||
PORTVERSION= 0.9.0
|
||||
PORTREVISION= 3
|
||||
PORTREVISION= 4
|
||||
CATEGORIES= emulators
|
||||
MASTER_SITES= http://fabrice.bellard.free.fr/qemu/:release \
|
||||
http://qemu.org/:release \
|
||||
|
92
emulators/qemu/files/patch-tlb-vuln
Normal file
92
emulators/qemu/files/patch-tlb-vuln
Normal file
@ -0,0 +1,92 @@
|
||||
Index: qemu/cpu-exec.c
|
||||
diff -u qemu/cpu-exec.c:1.128 qemu/cpu-exec.c:1.129
|
||||
--- qemu/cpu-exec.c:1.128 Sun Dec 2 06:18:23 2007
|
||||
+++ qemu/cpu-exec.c Tue Dec 11 19:35:45 2007
|
||||
@@ -133,7 +133,7 @@
|
||||
tb->tc_ptr = tc_ptr;
|
||||
tb->cs_base = cs_base;
|
||||
tb->flags = flags;
|
||||
- cpu_gen_code(env, tb, CODE_GEN_MAX_SIZE, &code_gen_size);
|
||||
+ cpu_gen_code(env, tb, &code_gen_size);
|
||||
code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
|
||||
|
||||
/* check next page if needed */
|
||||
Index: qemu/exec-all.h
|
||||
diff -u qemu/exec-all.h:1.72 qemu/exec-all.h:1.73
|
||||
--- qemu/exec-all.h:1.72 Mon Nov 19 00:38:33 2007
|
||||
+++ qemu/exec-all.h Tue Dec 11 19:35:45 2007
|
||||
@@ -64,8 +64,9 @@
|
||||
int gen_intermediate_code(CPUState *env, struct TranslationBlock *tb);
|
||||
int gen_intermediate_code_pc(CPUState *env, struct TranslationBlock *tb);
|
||||
void dump_ops(const uint16_t *opc_buf, const uint32_t *opparam_buf);
|
||||
+unsigned long code_gen_max_block_size(void);
|
||||
int cpu_gen_code(CPUState *env, struct TranslationBlock *tb,
|
||||
- int max_code_size, int *gen_code_size_ptr);
|
||||
+ int *gen_code_size_ptr);
|
||||
int cpu_restore_state(struct TranslationBlock *tb,
|
||||
CPUState *env, unsigned long searched_pc,
|
||||
void *puc);
|
||||
@@ -94,7 +95,6 @@
|
||||
return tlb_set_page_exec(env, vaddr, paddr, prot, mmu_idx, is_softmmu);
|
||||
}
|
||||
|
||||
-#define CODE_GEN_MAX_SIZE 65536
|
||||
#define CODE_GEN_ALIGN 16 /* must be >= of the size of a icache line */
|
||||
|
||||
#define CODE_GEN_PHYS_HASH_BITS 15
|
||||
Index: qemu/exec.c
|
||||
diff -u qemu/exec.c:1.117 qemu/exec.c:1.118
|
||||
--- qemu/exec.c:1.117 Sun Dec 9 02:22:56 2007
|
||||
+++ qemu/exec.c Tue Dec 11 19:35:45 2007
|
||||
@@ -56,7 +56,7 @@
|
||||
#endif
|
||||
|
||||
/* threshold to flush the translated code buffer */
|
||||
-#define CODE_GEN_BUFFER_MAX_SIZE (CODE_GEN_BUFFER_SIZE - CODE_GEN_MAX_SIZE)
|
||||
+#define CODE_GEN_BUFFER_MAX_SIZE (CODE_GEN_BUFFER_SIZE - code_gen_max_block_size())
|
||||
|
||||
#define SMC_BITMAP_USE_THRESHOLD 10
|
||||
|
||||
@@ -622,7 +622,7 @@
|
||||
tb->cs_base = cs_base;
|
||||
tb->flags = flags;
|
||||
tb->cflags = cflags;
|
||||
- cpu_gen_code(env, tb, CODE_GEN_MAX_SIZE, &code_gen_size);
|
||||
+ cpu_gen_code(env, tb, &code_gen_size);
|
||||
code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
|
||||
|
||||
/* check next page if needed */
|
||||
Index: qemu/translate-all.c
|
||||
diff -u qemu/translate-all.c:1.23 qemu/translate-all.c:1.24
|
||||
--- qemu/translate-all.c:1.23 Sun Dec 2 06:10:02 2007
|
||||
+++ qemu/translate-all.c Tue Dec 11 19:35:45 2007
|
||||
@@ -132,14 +132,27 @@
|
||||
}
|
||||
}
|
||||
|
||||
+unsigned long code_gen_max_block_size(void)
|
||||
+{
|
||||
+ static unsigned long max;
|
||||
+
|
||||
+ if (max == 0) {
|
||||
+#define DEF(s, n, copy_size) max = copy_size > max? copy_size : max;
|
||||
+#include "opc.h"
|
||||
+#undef DEF
|
||||
+ max *= OPC_MAX_SIZE;
|
||||
+ }
|
||||
+
|
||||
+ return max;
|
||||
+}
|
||||
+
|
||||
/* return non zero if the very first instruction is invalid so that
|
||||
the virtual CPU can trigger an exception.
|
||||
|
||||
'*gen_code_size_ptr' contains the size of the generated code (host
|
||||
code).
|
||||
*/
|
||||
-int cpu_gen_code(CPUState *env, TranslationBlock *tb,
|
||||
- int max_code_size, int *gen_code_size_ptr)
|
||||
+int cpu_gen_code(CPUState *env, TranslationBlock *tb, int *gen_code_size_ptr)
|
||||
{
|
||||
uint8_t *gen_code_buf;
|
||||
int gen_code_size;
|
Loading…
Reference in New Issue
Block a user