diff --git a/emulators/qemu-devel/Makefile b/emulators/qemu-devel/Makefile
index 7148bb0b2a39..934d0b594509 100644
--- a/emulators/qemu-devel/Makefile
+++ b/emulators/qemu-devel/Makefile
@@ -2,8 +2,7 @@
 # $FreeBSD$
 PORTNAME= qemu
-PORTVERSION= 2.3.0
-PORTREVISION= 2
+PORTVERSION= 2.4.0
 CATEGORIES= emulators
 MASTER_SITES= http://wiki.qemu.org/download/:release \
 LOCAL/nox:snapshot
@@ -119,7 +118,7 @@ CONFIGURE_ARGS+= --prefix=${PREFIX} --cc=${CC} --enable-docs \
 --smbd=${LOCALBASE}/sbin/smbd \
 --enable-debug \
 --enable-debug-info \
- --extra-cflags=-I${WRKSRC}\ -I${LOCALBASE}/include\ -DPREFIX=\\\"${PREFIX}\\\"
+ --extra-cflags=-I${WRKSRC}\ -I${LOCALBASE}/include\ -DPREFIX=\\\"\"${PREFIX}\\\"\"
 .if empty(PORT_OPTIONS:MX11)
 CONFIGURE_ARGS+= --disable-sdl
@@ -277,8 +276,6 @@ post-install:
 .endif
 ${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifup.sample ${STAGEDIR}${PREFIX}/etc
 ${INSTALL_SCRIPT} ${FILESDIR}/qemu-ifdown.sample ${STAGEDIR}${PREFIX}/etc
- @(cd ${STAGEDIR}${PREFIX}/etc/qemu && \
- ${MV} -i target-x86_64.conf target-x86_64.conf.sample)
 @${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/qemu-*
 .endif
diff --git a/emulators/qemu-devel/distinfo b/emulators/qemu-devel/distinfo
index dd1431d05608..5ce437759e67 100644
--- a/emulators/qemu-devel/distinfo
+++ b/emulators/qemu-devel/distinfo
@@ -1,2 +1,2 @@
-SHA256 (qemu/2.3.0/qemu-2.3.0.tar.bz2) = b6bab7f763d5be73e7cb5ee7d4c8365b7a8df2972c52fa5ded18893bd8281588
-SIZE (qemu/2.3.0/qemu-2.3.0.tar.bz2) = 24683085
+SHA256 (qemu/2.4.0/qemu-2.4.0.tar.bz2) = 72b0b991bbcc540663a019e1e8c4f714053b691dda32c9b9ee80b25f367e6620
+SIZE (qemu/2.4.0/qemu-2.4.0.tar.bz2) = 25070979
diff --git a/emulators/qemu-devel/files/patch-90_security b/emulators/qemu-devel/files/patch-90_security
deleted file mode 100644
index ffd22741dd2e..000000000000
--- a/emulators/qemu-devel/files/patch-90_security
+++ /dev/null
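Review bot: The bump to `+PORTVERSION= 2.4.0` drops files/patch-90_security together with the two CVE patches, and nothing on the new side records that 2.4.0 carries equivalents. For patch-CVE-2015-3456 (fdc) and patch-CVE-2015-3209 (pcnet) the deleted files are upstream format-patch commits dated May 2015, so their fixes are expected to be in a 2.4.0 tarball. patch-90_security is different: it adds a NULL check on `r->transfer_handler` in hw/dma/i8257.c and an `if (s->block_size)` guard in hw/audio/sb16.c around a loop that cannot terminate when block_size is 0, neither tied to a CVE, and the diff gives no evidence that 2.4.0 contains those guards. Confirm both call sites in the 2.4.0 source before dropping the file, or keep it as a regular patch; a line such as `# 2.4.0 includes the fixes previously carried as files/patch-CVE-2015-*` next to PORTVERSION would make the next bump easier to audit.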
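Review bot: The extra `\"` pair added to `-DPREFIX=` on the `+ --extra-cflags=` line is not explained, and quoting that passes through make, sh and configure is hard to verify by eye. Presumably 2.4.0's configure now quotes the --extra-cflags value itself, so the old escaping would no longer yield a C string literal; a comment above the assignment such as `# 2.4.0 configure re-quotes --extra-cflags; keep PREFIX a C string literal` would record that for the next bump. It is worth checking the expanded flag once in the build's config-host.mak, since a wrong escape here only surfaces at compile time in the users of PREFIX. The CONFIGURE_ARGS+= assignment this hunk edits starts above the hunk.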
@@ -1,30 +0,0 @@
-Index: qemu/hw/dma/i8257.c
-@@ -344,9 +344,11 @@ static void channel_run (int ncont, int
- }
- #endif
-
-- n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
-- r->now[COUNT], (r->base[COUNT] + 1) << ncont);
-- r->now[COUNT] = n;
-+ if (r->transfer_handler) {
-+ n = r->transfer_handler (r->opaque, ichan + (ncont << 2),
-+ r->now[COUNT], (r->base[COUNT] + 1) << ncont);
-+ r->now[COUNT] = n;
-+ }
- ldebug ("dma_pos %d size %d\n", n, (r->base[COUNT] + 1) << ncont);
- }
-
-Index: qemu-0.8.2/hw/audio/sb16.c
-@@ -1235,8 +1235,10 @@ static int SB_read_DMA (void *opaque, in
- s->block_size);
- #endif
-
-- while (s->left_till_irq <= 0) {
-- s->left_till_irq = s->block_size + s->left_till_irq;
-+ if (s->block_size) {
-+ while (s->left_till_irq <= 0) {
-+ s->left_till_irq = s->block_size + s->left_till_irq;
-+ }
- }
-
- return dma_pos;
diff --git a/emulators/qemu-devel/files/patch-CVE-2015-3209 b/emulators/qemu-devel/files/patch-CVE-2015-3209
deleted file mode 100644
index 4fe7df5440fd..000000000000
--- a/emulators/qemu-devel/files/patch-CVE-2015-3209
+++ /dev/null
@@ -1,45 +0,0 @@
-From 2630672ab22255de252f877709851c0557a1c647 Mon Sep 17 00:00:00 2001
-From: Petr Matousek
-Date: Sun, 24 May 2015 10:53:44 +0200
-Subject: [PATCH] pcnet: force the buffer access to be in bounds during tx
-
-4096 is the maximum length per TMD and it is also currently the size of
-the relay buffer pcnet driver uses for sending the packet data to QEMU
-for further processing. With packet spanning multiple TMDs it can
-happen that the overall packet size will be bigger than sizeof(buffer),
-which results in memory corruption.
-
-Fix this by only allowing to queue maximum sizeof(buffer) bytes.
-
-This is CVE-2015-3209.
-
-Signed-off-by: Petr Matousek
-Reported-by: Matt Tait
-Reviewed-by: Peter Maydell
-Reviewed-by: Stefan Hajnoczi
---
- hw/net/pcnet.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
-index bdfd38f..6d32e4c 100644
---- a/hw/net/pcnet.c
-+++ b/hw/net/pcnet.c
-@@ -1241,6 +1241,14 @@ static void pcnet_transmit(PCNetState *s)
- }
-
- bcnt = 4096 - GET_FIELD(tmd.length, TMDL, BCNT);
-+
-+ /* if multi-tmd packet outsizes s->buffer then skip it silently.
-+ Note: this is not what real hw does */
-+ if (s->xmit_pos + bcnt > sizeof(s->buffer)) {
-+ s->xmit_pos = -1;
-+ goto txdone;
-+ }
-+
- s->phys_mem_read(s->dma_opaque, PHYSADDR(s, tmd.tbadr),
- s->buffer + s->xmit_pos, bcnt, CSR_BSWP(s));
- s->xmit_pos += bcnt;
---
-2.1.0
-
diff --git a/emulators/qemu-devel/files/patch-CVE-2015-3456 b/emulators/qemu-devel/files/patch-CVE-2015-3456
deleted file mode 100644
index 50c19d9f08fe..000000000000
--- a/emulators/qemu-devel/files/patch-CVE-2015-3456
+++ /dev/null
@@ -1,84 +0,0 @@
-From e907746266721f305d67bc0718795fedee2e824c Mon Sep 17 00:00:00 2001
-From: Petr Matousek
-Date: Wed, 6 May 2015 09:48:59 +0200
-Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
-Signed-off-by: Petr Matousek
-Reviewed-by: John Snow
-Signed-off-by: John Snow
---
- hw/block/fdc.c | 17 +++++++++++------
- 1 files changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/hw/block/fdc.c b/hw/block/fdc.c
-index f72a392..d8a8edd 100644
---- a/hw/block/fdc.c
-+++ b/hw/block/fdc.c
-@@ -1497,7 +1497,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- {
- FDrive *cur_drv;
- uint32_t retval = 0;
-- int pos;
-+ uint32_t pos;
-
- cur_drv = get_cur_drv(fdctrl);
- fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1506,8 +1506,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl)
- return 0;
- }
- pos = fdctrl->data_pos;
-+ pos %= FD_SECTOR_LEN;
- if (fdctrl->msr & FD_MSR_NONDMA) {
-- pos %= FD_SECTOR_LEN;
- if (pos == 0) {
- if (fdctrl->data_pos != 0)
- if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1852,10 +1852,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction)
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
- FDrive *cur_drv = get_cur_drv(fdctrl);
-+ uint32_t pos;
-
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+ pos = fdctrl->data_pos - 1;
-+ pos %= FD_SECTOR_LEN;
-+ if (fdctrl->fifo[pos] & 0x80) {
- /* Command parameters done */
-- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+ if (fdctrl->fifo[pos] & 0x40) {
- fdctrl->fifo[0] = fdctrl->fifo[1];
- fdctrl->fifo[2] = 0;
- fdctrl->fifo[3] = 0;
-@@ -1955,7 +1958,7 @@ static
uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
- FDrive *cur_drv;
-- int pos;
-+ uint32_t pos;
-
- /* Reset mode */
- if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2004,7 +2007,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- }
-
- FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
-- fdctrl->fifo[fdctrl->data_pos++] = value;
-+ pos = fdctrl->data_pos++;
-+ pos %= FD_SECTOR_LEN;
-+ fdctrl->fifo[pos] = value;
- if (fdctrl->data_pos == fdctrl->data_len) {
- /* We now have all parameters
- * and will be able to treat the command
---
-1.7.0.4
-
diff --git a/emulators/qemu-devel/files/patch-include-qemu-aes.h b/emulators/qemu-devel/files/patch-include-qemu-aes.h
deleted file mode 100644
index 7c9b8d1d52d9..000000000000
--- a/emulators/qemu-devel/files/patch-include-qemu-aes.h
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/include/qemu/aes.h
-+++ b/include/qemu/aes.h
-@@ -10,6 +10,15 @@ struct aes_key_st {
- };
- typedef struct aes_key_st AES_KEY;
-
-+/* FreeBSD has it's own AES_set_decrypt_key in -lcrypto, avoid conflicts */
-+#ifdef __FreeBSD__
-+#define AES_set_encrypt_key QEMU_AES_set_encrypt_key
-+#define AES_set_decrypt_key QEMU_AES_set_decrypt_key
-+#define AES_encrypt QEMU_AES_encrypt
-+#define AES_decrypt QEMU_AES_decrypt
-+#define AES_cbc_encrypt QEMU_AES_cbc_encrypt
-+#endif
-+
- int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
- AES_KEY *key);
- int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
diff --git a/emulators/qemu-devel/files/patch-tapclose b/emulators/qemu-devel/files/patch-tapclose
deleted file mode 100644
index d4a27c268197..000000000000
--- a/emulators/qemu-devel/files/patch-tapclose
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: qemu/net/tap.c
-@@ -286,12 +286,13 @@ static void tap_cleanup(NetClientState *
-
- qemu_purge_queued_packets(nc);
-
-- if (s->down_script[0])
-- launch_script(s->down_script, s->down_script_arg, s->fd);
--
- tap_read_poll(s, false);
- tap_write_poll(s, false);
- close(s->fd);
-+
-+ if (s->down_script[0])
-+ launch_script(s->down_script, s->down_script_arg, s->fd);
-+
- s->fd = -1;
- }
-
diff --git a/emulators/qemu-devel/pkg-plist b/emulators/qemu-devel/pkg-plist
index bf5abfd7c319..2205a4cc99cf 100644
--- a/emulators/qemu-devel/pkg-plist
+++ b/emulators/qemu-devel/pkg-plist
@@ -44,7 +44,6 @@
 %%SOFTMMU%%man/man8/qemu-nbd.8.gz
 %%SOFTMMU%%@sample etc/qemu-ifup.sample
 %%SOFTMMU%%@sample etc/qemu-ifdown.sample
-%%SOFTMMU%%@sample etc/qemu/target-x86_64.conf.sample
 %%SOFTMMU%%%%DATADIR%%/QEMU,tcx.bin
 %%SOFTMMU%%%%DATADIR%%/QEMU,cgthree.bin
 %%SOFTMMU%%%%DATADIR%%/acpi-dsdt.aml
@@ -62,6 +61,7 @@
 %%SOFTMMU%%%%DATADIR%%/vgabios-cirrus.bin
 %%SOFTMMU%%%%DATADIR%%/vgabios-qxl.bin
 %%SOFTMMU%%%%DATADIR%%/vgabios-stdvga.bin
+%%SOFTMMU%%%%DATADIR%%/vgabios-virtio.bin
 %%SOFTMMU%%%%DATADIR%%/vgabios-vmware.bin
 %%SOFTMMU%%%%DATADIR%%/palcode-clipper
 %%SOFTMMU%%%%DATADIR%%/ppc_rom.bin