* [denzil 00/18] Various fixes for Denzil branch
@ 2013-02-07 23:56 Mark Hatle
From: Mark Hatle @ 2013-02-07 23:56 UTC
To: openembedded-core
This patchset includes a number of fixes, backports and related items that
we feel are necessary for Denzil. (I'm not sure however if further versions
of Denzil are being created!)
(I don't believe any of these patches are applicable to master, a few are
backports from master...)
The following changes since commit 94c375a281378413d24a402ec6a59762d0eb5b85:
libtasn1: Upgrade to 2.13
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib mhatle/wr-denzil
Jason Wessel (1):
qemu-0.15.1: Add addition environment space to boot loader
qemu-system-mips
Khem Raj (1):
qemu: Fix illegal instruction errors on e500 emulation
Laurentiu Palcu (1):
nativesdk-qemu: fix SDK relocation issue
Li Wang (3):
qemu CVE-2012-3515
lighttpd: fixing invalid read in valgrind
lighttpd: CVE-2012-5533
Matthew McClintock (1):
qemu-0.15.1: add patch to fix compilatation problems on powerpc
Roy.Li (1):
qemu: backport patch to fix pl031 RTC
Wei Cai (2):
Summary:Security Advisory - libtiff - CVE-2012-3401
Summary: Security Advisory - boost - CVE-2012-2677
Yue Tao (6):
Security Advisory - libexif - CVE-2012-2813
Security Advisory - libexif - CVE-2012-2812
Security Advisory - libexif - CVE-2012-2841
Security Advisory - libexif - CVE-2012-2836
Security Advisory - libexif - CVE-2012-2837
Security Advisory - libexif - CVE-2012-2840
Zhai Edwin (1):
qemu: Add an option to remove host sdl/gl checking
dhall (1):
Patch ocf-linux.inc to work with the 2010 and 2012 versions
meta/recipes-connectivity/openssl/ocf-linux.inc | 11 +-
.../qemu/qemu-0.15.1/dummy-gl-config.patch | 31 ++
.../qemu/qemu-0.15.1/extra_mips_env_space.patch | 24 +
.../qemu/qemu-0.15.1/glflags.patch | 40 +-
...-Actually-raise-interrupt-on-timer-expiry.patch | 41 ++
.../qemu/qemu-0.15.1/opengl-disable-option.patch | 137 +++++
.../qemu-0.15.1/ppc-s500-set-invalid-mask.patch | 610 +++++++++++++++++++++
.../qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch | 129 +++++
.../qemu/qemu-0.15.1/relocatable_sdk.patch | 34 ++
meta/recipes-devtools/qemu/qemu.inc | 23 +-
meta/recipes-devtools/qemu/qemu_0.15.1.bb | 9 +-
.../lighttpd/files/lighttpd-CVE-2012-5533.patch | 120 ++++
.../lighttpd-fixing-invalid-read-in-valgrind.patch | 33 ++
meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb | 4 +-
.../libtiff/files/libtiff-CVE-2012-3401.patch | 10 +
meta/recipes-multimedia/libtiff/tiff_4.0.1.bb | 3 +-
meta/recipes-support/boost/boost_1.49.0.bb | 5 +-
.../boost/files/boost-CVE-2012-2677.patch | 30 +
.../libexif/0001-libexif-CVE-2012-2813.patch | 33 ++
.../libexif/0002-libexif-CVE-2012-2812.patch | 87 +++
.../libexif/0003-libexif-CVE-2012-2841.patch | 47 ++
.../libexif/0004-libexif-CVE-2012-2836.patch | 140 +++++
.../libexif/0005-libexif-CVE-2012-2837.patch | 114 ++++
.../libexif/0006-libexif-CVE-2012-2840.patch | 17 +
meta/recipes-support/libexif/libexif_0.6.20.bb | 10 +-
25 files changed, 1704 insertions(+), 38 deletions(-)
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/dummy-gl-config.patch
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/extra_mips_env_space.patch
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/opengl-disable-option.patch
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/ppc-s500-set-invalid-mask.patch
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch
create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/relocatable_sdk.patch
create mode 100644 meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch
create mode 100644 meta/recipes-extended/lighttpd/files/lighttpd-fixing-invalid-read-in-valgrind.patch
create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2012-3401.patch
create mode 100644 meta/recipes-support/boost/files/boost-CVE-2012-2677.patch
create mode 100644 meta/recipes-support/libexif/libexif/0001-libexif-CVE-2012-2813.patch
create mode 100644 meta/recipes-support/libexif/libexif/0002-libexif-CVE-2012-2812.patch
create mode 100644 meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch
create mode 100644 meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch
create mode 100644 meta/recipes-support/libexif/libexif/0005-libexif-CVE-2012-2837.patch
create mode 100644 meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch
--
1.8.1.2.545.g2f19ada
^ permalink raw reply [flat|nested] 22+ messages in thread* [denzil 01/18] Patch ocf-linux.inc to work with the 2010 and 2012 versions 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 02/18] Security Advisory - libexif - CVE-2012-2813 Mark Hatle ` (16 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: dhall <dennis.hall@windriver.com> The 2010 version of the ocf-linux package contains an embedded tar file that has to be expanded. The 2012 version of the package comes with the contents of the tar file extracted in the source tree. This patch to ocf-linux.inc allows it to handle both versions. Signed-off-by: dhall <dennis.hall@windriver.com> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- meta/recipes-connectivity/openssl/ocf-linux.inc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/meta/recipes-connectivity/openssl/ocf-linux.inc b/meta/recipes-connectivity/openssl/ocf-linux.inc index f4ec7c9..15a553a 100644 --- a/meta/recipes-connectivity/openssl/ocf-linux.inc +++ b/meta/recipes-connectivity/openssl/ocf-linux.inc @@ -9,6 +9,12 @@ SRC_URI = "http://sourceforge.net/projects/ocf-linux/files/ocf-linux/${PV}/ocf-l S = "${WORKDIR}/ocf-linux-${PV}" +get_headers() { + if [ -f ocf-linux.tar.gz ]; then + tar -xf ocf-linux.tar.gz + fi +} + # Need to unpack the the ocf-linux.tar.gz file contained inside the # downloaded tarball # Install the OCF Linux headers so that other packages such as openssl 
@@ -16,7 +22,10 @@ S = "${WORKDIR}/ocf-linux-${PV}" # the README file. do_install() { cd ${S} - tar xzf ocf-linux.tar.gz + # if ocf-linux.tar.gz exists extract the contents or else go to + # the next do_install step + # Added to maintain compatibility between the 2010 and 2012+ versions + get_headers install -d ${D}${includedir}/crypto install -m 0644 ${S}/ocf/*.h ${D}${includedir}/crypto/ } -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
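Review bot: get_headers() tests for and extracts `ocf-linux.tar.gz` relative to the current directory, so it only works because do_install() runs `cd ${S}` before calling it. Test `${S}/ocf-linux.tar.gz` and extract with `tar -xf ... -C ${S}` so the helper does not depend on the caller's working directory. The helper is also inserted above the existing comment "# Need to unpack the the ocf-linux.tar.gz file contained inside the downloaded tarball", which now sits under the function instead of over it and carries a doubled "the"; move that comment onto get_headers() and shorten the three comment lines added inside do_install(). When the tarball is absent and `${S}/ocf/*.h` does not exist either, the failure only shows up at the `install -m 0644` line, so an explicit check with a clear error message in get_headers() would make a broken source tree easier to diagnose.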
* [denzil 02/18] Security Advisory - libexif - CVE-2012-2813 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle 2013-02-07 23:56 ` [denzil 01/18] Patch ocf-linux.inc to work with the 2010 and 2012 versions Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 03/18] Security Advisory - libexif - CVE-2012-2812 Mark Hatle ` (15 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Yue Tao <Yue.Tao@windriver.com> [ CQID: WIND00366808 ] The exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../libexif/0001-libexif-CVE-2012-2813.patch | 33 ++++++++++++++++++++++ meta/recipes-support/libexif/libexif_0.6.20.bb | 5 +++- 2 files changed, 37 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libexif/libexif/0001-libexif-CVE-2012-2813.patch diff --git a/meta/recipes-support/libexif/libexif/0001-libexif-CVE-2012-2813.patch b/meta/recipes-support/libexif/libexif/0001-libexif-CVE-2012-2813.patch new file mode 100644 index 0000000..fbd0442 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/0001-libexif-CVE-2012-2813.patch 
@@ -0,0 +1,33 @@ +Index: libexif/exif-entry.c +=================================================================== +RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v +retrieving revision 1.146 +retrieving revision 1.147 +diff -c -u -r1.146 -r1.147 +--- a/libexif/exif-entry.c 12 Jul 2012 17:10:34 -0000 1.146 ++++ b/libexif/exif-entry.c 12 Jul 2012 17:12:24 -0000 1.147 +@@ -1346,10 +1346,23 @@ + case EXIF_TAG_XP_AUTHOR: + case EXIF_TAG_XP_KEYWORDS: + case EXIF_TAG_XP_SUBJECT: ++ { ++ /* Sanity check the size to prevent overflow */ ++ if (e->size+sizeof(unsigned short) < e->size) break; ++ ++ /* The tag may not be U+0000-terminated , so make a local ++ U+0000-terminated copy before converting it */ ++ unsigned short *utf16 = exif_mem_alloc (e->priv->mem, e->size+sizeof(unsigned short)); ++ if (!utf16) break; ++ memcpy(utf16, e->data, e->size); ++ utf16[e->size/sizeof(unsigned short)] = 0; ++ + /* Warning! The texts are converted from UTF16 to UTF8 */ + /* FIXME: use iconv to convert into the locale encoding */ +- exif_convert_utf16_to_utf8(val, (unsigned short*)e->data, MIN(maxlen, e->size)); ++ exif_convert_utf16_to_utf8(val, utf16, maxlen); ++ exif_mem_free(e->priv->mem, utf16); + break; ++ } + + default: + /* Use a generic value formatting */ diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb index f233d3f..a1a1816 100644 --- a/meta/recipes-support/libexif/libexif_0.6.20.bb +++ b/meta/recipes-support/libexif/libexif_0.6.20.bb 
@@ -4,7 +4,10 @@ SECTION = "libs" LICENSE = "LGPLv2.1" LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" -SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2" +PR = "r1" + +SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ + file://0001-libexif-CVE-2012-2813.patch" SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3" SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
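Review bot: In the EXIF_TAG_XP_* case of the embedded exif-entry.c patch, `memcpy(utf16, e->data, e->size)` runs with no check in the visible lines that `e->data` is non-NULL; add `if (!e->data) break;` before the allocation, or confirm that an earlier guard in exif_entry_get_value covers it. The declaration `unsigned short *utf16 = ...` also follows the overflow-check statement inside the new block, which a C89 compiler rejects; declare it at the top of the block and assign it after the check. The new 0001-libexif-CVE-2012-2813.patch file starts directly at "Index: libexif/exif-entry.c" with no description or Upstream-Status line; since its header shows it is upstream CVS revision 1.146 to 1.147, record it as a backport and name the CVE in the patch header.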
* [denzil 03/18] Security Advisory - libexif - CVE-2012-2812 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle 2013-02-07 23:56 ` [denzil 01/18] Patch ocf-linux.inc to work with the 2010 and 2012 versions Mark Hatle 2013-02-07 23:56 ` [denzil 02/18] Security Advisory - libexif - CVE-2012-2813 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 04/18] Security Advisory - libexif - CVE-2012-2841 Mark Hatle ` (14 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Yue Tao <Yue.Tao@windriver.com> [ CQID: WIND00366794 ] The exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../libexif/0002-libexif-CVE-2012-2812.patch | 87 ++++++++++++++++++++++ meta/recipes-support/libexif/libexif_0.6.20.bb | 3 +- 2 files changed, 89 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libexif/libexif/0002-libexif-CVE-2012-2812.patch diff --git a/meta/recipes-support/libexif/libexif/0002-libexif-CVE-2012-2812.patch b/meta/recipes-support/libexif/libexif/0002-libexif-CVE-2012-2812.patch new file mode 100644 index 0000000..e4a6c66 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/0002-libexif-CVE-2012-2812.patch 
@@ -0,0 +1,87 @@ +Index: libexif/exif-entry.c +=================================================================== +RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v +retrieving revision 1.147 +retrieving revision 1.148 +diff -c -u -r1.147 -r1.148 +--- a/libexif/exif-entry.c 12 Jul 2012 17:12:24 -0000 1.147 ++++ b/libexif/exif-entry.c 12 Jul 2012 17:13:03 -0000 1.148 +@@ -611,6 +611,30 @@ + printf ("%s Value: %s\n", buf, exif_entry_get_value (e, value, sizeof(value))); + } + ++/*! Check if a string consists entirely of a single, repeated character. ++ * Up to first n bytes are checked. ++ * ++ * \param[in] data pointer of string to check ++ * \param[in] ch character to match ++ * \param[in] n maximum number of characters to match ++ * ++ * \return 0 if the string matches or is of zero length, nonzero otherwise ++ */ ++static int ++match_repeated_char(const unsigned char *data, unsigned char ch, size_t n) ++{ ++ int i; ++ for (i=n; i; --i, ++data) { ++ if (*data == 0) { ++ i = 0; /* all bytes before NUL matched */ ++ break; ++ } ++ if (*data != ch) ++ break; ++ } ++ return i; ++} ++ + #define CF(entry,target,v,maxlen) \ + { \ + if (entry->format != target) { \ +@@ -806,7 +830,6 @@ + exif_entry_get_value (ExifEntry *e, char *val, unsigned int maxlen) + { + unsigned int i, j, k; +- const unsigned char *t; + ExifShort v_short, v_short2, v_short3, v_short4; + ExifByte v_byte; + ExifRational v_rat; +@@ -948,9 +971,9 @@ + /* + * First part: Photographer. + * Some cameras store a string like " " here. Ignore it. ++ * Remember that a corrupted tag might not be NUL-terminated + */ +- if (e->size && e->data && +- (strspn ((char *)e->data, " ") != strlen ((char *) e->data))) ++ if (e->size && e->data && match_repeated_char(e->data, ' ', e->size)) + strncpy (val, (char *) e->data, MIN (maxlen, e->size)); + else + strncpy (val, _("[None]"), maxlen); +@@ -959,15 +982,20 @@ + + /* Second part: Editor. 
*/ + strncat (val, " - ", maxlen - strlen (val)); ++ k = 0; + if (e->size && e->data) { +- size_t ts; +- t = e->data + strlen ((char *) e->data) + 1; +- ts = e->data + e->size - t; +- if ((ts > 0) && (strspn ((char *)t, " ") != ts)) +- strncat (val, (char *)t, MIN (maxlen - strlen (val), ts)); +- } else { +- strncat (val, _("[None]"), maxlen - strlen (val)); ++ const unsigned char *tagdata = memchr(e->data, 0, e->size); ++ if (tagdata++) { ++ int editor_ofs = tagdata - e->data; ++ int remaining = e->size - editor_ofs; ++ if (match_repeated_char(tagdata, ' ', remaining)) { ++ strncat (val, (const char*)tagdata, MIN (maxlen - strlen (val), remaining)); ++ ++k; ++ } ++ } + } ++ if (!k) ++ strncat (val, _("[None]"), maxlen - strlen (val)); + strncat (val, " ", maxlen - strlen (val)); + strncat (val, _("(Editor)"), maxlen - strlen (val)); + diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb index a1a1816..45b697d 100644 --- a/meta/recipes-support/libexif/libexif_0.6.20.bb +++ b/meta/recipes-support/libexif/libexif_0.6.20.bb @@ -7,7 +7,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=243b725d71bb5df4a1e5920b344b86ad" PR = "r1" SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ - file://0001-libexif-CVE-2012-2813.patch" + file://0001-libexif-CVE-2012-2813.patch \ + file://0002-libexif-CVE-2012-2812.patch" SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3" SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
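Review bot: match_repeated_char() takes `size_t n` but counts with `int i` (`for (i=n; i; --i, ++data)`), so a large `e->size` is truncated on assignment and the scan bound no longer matches the buffer; make `i` a `size_t`. The same applies to `int editor_ofs` and `int remaining` in the Editor part, where `remaining` is passed back in as the `size_t` bound. `if (tagdata++)` also increments the pointer when memchr() returned NULL; test `if (tagdata)` and increment inside the block to avoid arithmetic on a null pointer. The helper returns 0 on a match, so `match_repeated_char(e->data, ' ', e->size)` used as a truth value means "not all spaces", which reads inverted at both call sites; an explicit `!= 0` comparison would make the intent clear.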
* [denzil 04/18] Security Advisory - libexif - CVE-2012-2841 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (2 preceding siblings ...) 2013-02-07 23:56 ` [denzil 03/18] Security Advisory - libexif - CVE-2012-2812 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 05/18] Security Advisory - libexif - CVE-2012-2836 Mark Hatle ` (13 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Yue Tao <Yue.Tao@windriver.com> [ CQID: WIND00366809 ] Integer underflow in the exif_entry_get_value function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) 0.6.20 might allow remote attackers to execute arbitrary code via vectors involving a crafted buffer-size parameter during the formatting of an EXIF tag, leading to a heap-based buffer overflow. Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../libexif/0003-libexif-CVE-2012-2841.patch | 47 ++++++++++++++++++++++ meta/recipes-support/libexif/libexif_0.6.20.bb | 3 +- 2 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch diff --git a/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch b/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch new file mode 100644 index 0000000..2e2c949 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/0003-libexif-CVE-2012-2841.patch 
@@ -0,0 +1,47 @@ +Index: libexif/exif-entry.c +=================================================================== +RCS file: /cvsroot/libexif/libexif/libexif/exif-entry.c,v +retrieving revision 1.148 +retrieving revision 1.149 +diff -c -u -r1.148 -r1.149 +--- a/libexif/exif-entry.c 12 Jul 2012 17:13:03 -0000 1.148 ++++ b/libexif/exif-entry.c 12 Jul 2012 17:26:01 -0000 1.149 +@@ -860,14 +860,15 @@ exif_entry_get_value (ExifEntry *e, char + */ + bindtextdomain (GETTEXT_PACKAGE, LOCALEDIR); + ++ if (!e || !e->parent || !e->parent->parent || !maxlen) ++ return val; ++ + /* make sure the returned string is zero terminated */ + memset (val, 0, maxlen); + maxlen--; + memset (b, 0, sizeof (b)); + + /* We need the byte order */ +- if (!e || !e->parent || !e->parent->parent) +- return val; + o = exif_data_get_byte_order (e->parent->parent); + + /* Sanity check */ +@@ -925,17 +926,16 @@ exif_entry_get_value (ExifEntry *e, char + + /* + * If we reach this point, the tag does not +- * comply with the standard and seems to contain data. ++ * comply with the standard but seems to contain data. + * Print as much as possible. + */ + exif_entry_log (e, EXIF_LOG_CODE_DEBUG, + _("Tag UserComment does not comply " + "with standard but contains data.")); +- for (; (i < e->size) && (strlen (val) < maxlen - 1); i++) { ++ for (j = 0; (i < e->size) && (j < maxlen); i++, j++) { + exif_entry_log (e, EXIF_LOG_CODE_DEBUG, + _("Byte at position %i: 0x%02x"), i, e->data[i]); +- val[strlen (val)] = +- isprint (e->data[i]) ? e->data[i] : '.'; ++ val[j] = isprint (e->data[i]) ? e->data[i] : '.'; + } + break; + diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb index 45b697d..7d8f8fd 100644 --- a/meta/recipes-support/libexif/libexif_0.6.20.bb +++ b/meta/recipes-support/libexif/libexif_0.6.20.bb 
@@ -8,7 +8,8 @@ PR = "r1" SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ file://0001-libexif-CVE-2012-2813.patch \ - file://0002-libexif-CVE-2012-2812.patch" + file://0002-libexif-CVE-2012-2812.patch \ + file://0003-libexif-CVE-2012-2841.patch" SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3" SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
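Review bot: In the first exif_entry_get_value hunk, moving the `!e || !e->parent || !e->parent->parent` test above `memset (val, 0, maxlen)` means the early `return val;` now hands back a buffer that was never cleared when `e` is invalid but `maxlen` is non-zero, whereas the old order zeroed it before returning. Return early only for `!maxlen`, keep the memset next, and leave the `e` checks after it. Nothing in the visible lines checks `val` itself before the memset, so a NULL `val` with non-zero `maxlen` is still dereferenced. The rewritten UserComment loop (`for (j = 0; (i < e->size) && (j < maxlen); i++, j++)`) stays NUL-terminated only because `maxlen` was decremented and `val` zeroed earlier in the function; a one-line comment at the loop would keep a later edit from breaking that assumption.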
* [denzil 05/18] Security Advisory - libexif - CVE-2012-2836 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (3 preceding siblings ...) 2013-02-07 23:56 ` [denzil 04/18] Security Advisory - libexif - CVE-2012-2841 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 06/18] Security Advisory - libexif - CVE-2012-2837 Mark Hatle ` (12 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Yue Tao <Yue.Tao@windriver.com> [ CQID: WIND00366788 ] The exif_data_load_data function in exif-data.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory via crafted EXIF tags in an image. Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../libexif/0004-libexif-CVE-2012-2836.patch | 140 +++++++++++++++++++++ meta/recipes-support/libexif/libexif_0.6.20.bb | 3 +- 2 files changed, 142 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch diff --git a/meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch b/meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch new file mode 100644 index 0000000..430e35c --- /dev/null +++ b/meta/recipes-support/libexif/libexif/0004-libexif-CVE-2012-2836.patch 
@@ -0,0 +1,140 @@ +Index: libexif/exif-data.c +=================================================================== +RCS file: /cvsroot/libexif/libexif/libexif/exif-data.c,v +retrieving revision 1.129 +retrieving revision 1.131 +diff -c -u -r1.129 -r1.131 +--- a/libexif/exif-data.c 8 Oct 2010 06:50:19 -0000 1.129 ++++ b/libexif/exif-data.c 12 Jul 2012 17:28:26 -0000 1.131 +@@ -781,15 +781,15 @@ + + void + exif_data_load_data (ExifData *data, const unsigned char *d_orig, +- unsigned int ds_orig) ++ unsigned int ds) + { + unsigned int l; + ExifLong offset; + ExifShort n; + const unsigned char *d = d_orig; +- unsigned int ds = ds_orig, len; ++ unsigned int len, fullds; + +- if (!data || !data->priv || !d || !ds) ++ if (!data || !data->priv || !d || !ds) + return; + + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", +@@ -807,21 +807,21 @@ + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "Found EXIF header."); + } else { +- while (1) { +- while ((d[0] == 0xff) && ds) { ++ while (ds >= 3) { ++ while (ds && (d[0] == 0xff)) { + d++; + ds--; + } + + /* JPEG_MARKER_SOI */ +- if (d[0] == JPEG_MARKER_SOI) { ++ if (ds && d[0] == JPEG_MARKER_SOI) { + d++; + ds--; + continue; + } + + /* JPEG_MARKER_APP0 */ +- if (d[0] == JPEG_MARKER_APP0) { ++ if (ds >= 3 && d[0] == JPEG_MARKER_APP0) { + d++; + ds--; + l = (d[0] << 8) | d[1]; +@@ -833,7 +833,7 @@ + } + + /* JPEG_MARKER_APP1 */ +- if (d[0] == JPEG_MARKER_APP1) ++ if (ds && d[0] == JPEG_MARKER_APP1) + break; + + /* Unknown marker or data. Give up. 
*/ +@@ -841,12 +841,12 @@ + "ExifData", _("EXIF marker not found.")); + return; + } +- d++; +- ds--; +- if (ds < 2) { ++ if (ds < 3) { + LOG_TOO_SMALL; + return; + } ++ d++; ++ ds--; + len = (d[0] << 8) | d[1]; + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "We have to deal with %i byte(s) of EXIF data.", +@@ -872,9 +872,18 @@ + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "Found EXIF header."); + +- /* Byte order (offset 6, length 2) */ ++ /* Sanity check the data length */ + if (ds < 14) + return; ++ ++ /* The JPEG APP1 section can be no longer than 64 KiB (including a ++ 16-bit length), so cap the data length to protect against overflow ++ in future offset calculations */ ++ fullds = ds; ++ if (ds > 0xfffe) ++ ds = 0xfffe; ++ ++ /* Byte order (offset 6, length 2) */ + if (!memcmp (d + 6, "II", 2)) + data->priv->order = EXIF_BYTE_ORDER_INTEL; + else if (!memcmp (d + 6, "MM", 2)) +@@ -894,24 +903,25 @@ + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "IFD 0 at %i.", (int) offset); + ++ /* Sanity check the offset, being careful about overflow */ ++ if (offset > ds || offset + 6 + 2 > ds) ++ return; ++ + /* Parse the actual exif data (usually offset 14 from start) */ + exif_data_load_data_content (data, EXIF_IFD_0, d + 6, ds - 6, offset, 0); + + /* IFD 1 offset */ +- if (offset + 6 + 2 > ds) { +- return; +- } + n = exif_get_short (d + 6 + offset, data->priv->order); +- if (offset + 6 + 2 + 12 * n + 4 > ds) { ++ if (offset + 6 + 2 + 12 * n + 4 > ds) + return; +- } ++ + offset = exif_get_long (d + 6 + offset + 2 + 12 * n, data->priv->order); + if (offset) { + exif_log (data->priv->log, EXIF_LOG_CODE_DEBUG, "ExifData", + "IFD 1 at %i.", (int) offset); + + /* Sanity check. */ +- if (offset > ds - 6) { ++ if (offset > ds || offset + 6 > ds) { + exif_log (data->priv->log, EXIF_LOG_CODE_CORRUPT_DATA, + "ExifData", "Bogus offset of IFD1."); + } else { +@@ -925,7 +935,7 @@ + * space between IFDs. 
Here is the only place where we have access + * to that data. + */ +- interpret_maker_note(data, d, ds); ++ interpret_maker_note(data, d, fullds); + + /* Fixup tags if requested */ + if (data->priv->options & EXIF_DATA_OPTION_FOLLOW_SPECIFICATION) + diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb index 7d8f8fd..25de763 100644 --- a/meta/recipes-support/libexif/libexif_0.6.20.bb +++ b/meta/recipes-support/libexif/libexif_0.6.20.bb @@ -9,7 +9,8 @@ PR = "r1" SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ file://0001-libexif-CVE-2012-2813.patch \ file://0002-libexif-CVE-2012-2812.patch \ - file://0003-libexif-CVE-2012-2841.patch" + file://0003-libexif-CVE-2012-2841.patch \ + file://0004-libexif-CVE-2012-2836.patch" SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3" SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
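Review bot: In the last hunk of the exif-data.c patch, `interpret_maker_note(data, d, fullds)` passes the uncapped length, so the `ds = 0xfffe` cap introduced "to protect against overflow in future offset calculations" does not apply to maker-note parsing. Either pass the capped `ds`, or add a comment stating why the maker-note code needs the full length and that it must bounds-check against it on its own. In the IFD 0 hunk, `offset + 6 + 2 > ds` is only safe from wraparound because `offset > ds` is tested first and `ds` has already been capped; say so next to the check so the two conditions are not reordered or split later. The same dependency holds for `offset + 6 + 2 + 12 * n + 4 > ds`, which now relies on the earlier return instead of the removed `if (offset + 6 + 2 > ds)` guard directly above it.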
* [denzil 06/18] Security Advisory - libexif - CVE-2012-2837 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (4 preceding siblings ...) 2013-02-07 23:56 ` [denzil 05/18] Security Advisory - libexif - CVE-2012-2836 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 07/18] Security Advisory - libexif - CVE-2012-2840 Mark Hatle ` (11 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Yue Tao <Yue.Tao@windriver.com> [ CQID: WIND00366798 ] The mnote_olympus_entry_get_value function in olympus/mnote-olympus-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service (divide-by-zero error) via an image with crafted EXIF tags that are not properly handled during the formatting of EXIF maker note tags. Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../libexif/0005-libexif-CVE-2012-2837.patch | 114 +++++++++++++++++++++ meta/recipes-support/libexif/libexif_0.6.20.bb | 3 +- 2 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libexif/libexif/0005-libexif-CVE-2012-2837.patch diff --git a/meta/recipes-support/libexif/libexif/0005-libexif-CVE-2012-2837.patch b/meta/recipes-support/libexif/libexif/0005-libexif-CVE-2012-2837.patch new file mode 100644 index 0000000..7a6dd24 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/0005-libexif-CVE-2012-2837.patch 
@@ -0,0 +1,114 @@ +Index: libexif/olympus/mnote-olympus-entry.c +=================================================================== +RCS file: /cvsroot/libexif/libexif/libexif/olympus/mnote-olympus-entry.c,v +retrieving revision 1.54 +retrieving revision 1.55 +diff -c -u -r1.54 -r1.55 +--- a/libexif/olympus/mnote-olympus-entry.c 18 Apr 2011 23:46:33 -0000 1.54 ++++ b/libexif/olympus/mnote-olympus-entry.c 12 Jul 2012 17:29:05 -0000 1.55 +@@ -76,6 +76,9 @@ + } \ + } + ++#define R2L(n) ((n).denominator ? (long)(n).numerator/(n).denominator : 0L) ++#define R2D(n) ((n).denominator ? (double)(n).numerator/(n).denominator : 0.0) ++ + static const struct { + ExifTag tag; + ExifFormat fmt; +@@ -372,20 +375,20 @@ + CF (entry->format, EXIF_FORMAT_RATIONAL, v, maxlen); + CC (entry->components, 4, v, maxlen); + vr = exif_get_rational (entry->data, entry->order); +- r = (double)vr.numerator / vr.denominator; ++ r = R2D(vr); + vr = exif_get_rational (entry->data+8, entry->order); +- b = (double)vr.numerator / vr.denominator; ++ b = R2D(vr); + snprintf (v, maxlen, _("Red Correction %f, blue Correction %f"), r,b); + break; + case MNOTE_NIKON_TAG_MANUALFOCUSDISTANCE: + CF (entry->format, EXIF_FORMAT_RATIONAL, v, maxlen); + CC (entry->components, 1, v, maxlen); + vr = exif_get_rational (entry->data, entry->order); +- if (vr.numerator) { +- r = (double)vr.numerator / vr.denominator; +- snprintf (v, maxlen, _("%2.2f meters"), r); +- } else { ++ if (!vr.numerator || !vr.denominator) { + strncpy (v, _("No manual focus selection"), maxlen); ++ } else { ++ r = R2D(vr); ++ snprintf (v, maxlen, _("%2.2f meters"), r); + } + break; + case MNOTE_NIKON_TAG_SENSORPIXELSIZE: +@@ -393,8 +396,8 @@ + CC (entry->components, 2, v, maxlen); + vr = exif_get_rational (entry->data, entry->order); + vr2 = exif_get_rational (entry->data+8, entry->order); +- r = (double)vr.numerator / vr.denominator; +- b = (double)vr2.numerator / vr2.denominator; ++ r = R2D(vr); ++ b = R2D(vr2); + snprintf (v, maxlen, 
"%2.2f x %2.2f um", r, b); + break; + case MNOTE_NIKON_TAG_BRACKETING: +@@ -450,10 +453,10 @@ + if (entry->format == EXIF_FORMAT_RATIONAL) { + CC (entry->components, 1, v, maxlen); + vr = exif_get_rational (entry->data, entry->order); +- if (!vr.numerator) { ++ if (!vr.numerator || !vr.denominator) { + strncpy (v, _("None"), maxlen); + } else { +- r = (double)vr.numerator / vr.denominator; ++ r = R2D(vr); + snprintf (v, maxlen, "%2.2f", r); + } + break; +@@ -568,13 +571,13 @@ + double c,d; + unsigned long a,b; + vr = exif_get_rational (entry->data, entry->order); +- a = vr.numerator / vr.denominator; ++ a = R2L(vr); + vr = exif_get_rational (entry->data+8, entry->order); +- b = vr.numerator / vr.denominator; ++ b = R2L(vr); + vr = exif_get_rational (entry->data+16, entry->order); +- c = (double)vr.numerator / vr.denominator; ++ c = R2D(vr); + vr = exif_get_rational (entry->data+24, entry->order); +- d = (double)vr.numerator / vr.denominator; ++ d = R2D(vr); + snprintf (v, maxlen, "%ld-%ldmm 1:%3.1f - %3.1f",a,b,c,d); + } + break; +@@ -682,7 +685,7 @@ + CF (entry->format, EXIF_FORMAT_RATIONAL, v, maxlen); + CC (entry->components, 1, v, maxlen); + vr = exif_get_rational (entry->data, entry->order); +- if (vr.numerator == 0) { ++ if (!vr.numerator || !vr.denominator) { + strncpy (v, _("Unknown"), maxlen); + } + else { +@@ -793,7 +796,7 @@ + if (!vr.denominator) { + strncpy (v, _("Infinite"), maxlen); + } else { +- r = (double)vr.numerator / vr.denominator; ++ r = R2D(vr); + snprintf (v, maxlen, "%2.3f", r); + } + break; +@@ -803,7 +806,7 @@ + if (!vsr.denominator) { + strncpy (v, _("Infinite"), maxlen); + } else { +- r = (double)vsr.numerator / vsr.denominator; ++ r = R2D(vsr); + snprintf (v, maxlen, "%2.3f", r); + } + break; diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb index 25de763..6affc9e 100644 --- a/meta/recipes-support/libexif/libexif_0.6.20.bb +++ b/meta/recipes-support/libexif/libexif_0.6.20.bb 
@@ -10,7 +10,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ file://0001-libexif-CVE-2012-2813.patch \ file://0002-libexif-CVE-2012-2812.patch \ file://0003-libexif-CVE-2012-2841.patch \ - file://0004-libexif-CVE-2012-2836.patch" + file://0004-libexif-CVE-2012-2836.patch \ + file://0005-libexif-CVE-2012-2837.patch" SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3" SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
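Review bot: R2L() casts only the numerator to `long` (`(long)(n).numerator/(n).denominator`) and falls back to `0L`, but both of its users in the lens hunk store the result in `unsigned long a,b` and print it with `%ld`; pick one signedness for the macro, the variables and the format string. R2L and R2D also turn a zero denominator into a plain 0, so the "Red Correction"/"blue Correction", MNOTE_NIKON_TAG_SENSORPIXELSIZE and "%ld-%ldmm" cases print 0 for a corrupt tag while other cases in the same patch print "None", "Unknown" or "Infinite". A short comment on the macros stating that 0 is the deliberate fallback for a zero denominator would document that difference. In MNOTE_NIKON_TAG_MANUALFOCUSDISTANCE the new `!vr.numerator || !vr.denominator` test already excludes a zero denominator, so the R2D() call in its else branch repeats the check; that is harmless, but worth knowing when reading the macro's cost in hot paths.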
* [denzil 07/18] Security Advisory - libexif - CVE-2012-2840 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (5 preceding siblings ...) 2013-02-07 23:56 ` [denzil 06/18] Security Advisory - libexif - CVE-2012-2837 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 08/18] Summary:Security Advisory - libtiff - CVE-2012-3401 Mark Hatle ` (10 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Yue Tao <Yue.Tao@windriver.com> [ CQID: WIND00366793 ] Off-by-one error in the exif_convert_utf16_to_utf8 function in exif-entry.c in the EXIF Tag Parsing Library (aka libexif) before 0.6.21 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted EXIF tags in an image. Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../libexif/libexif/0006-libexif-CVE-2012-2840.patch | 17 +++++++++++++++++ meta/recipes-support/libexif/libexif_0.6.20.bb | 3 ++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch diff --git a/meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch b/meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch new file mode 100644 index 0000000..81c5821 --- /dev/null +++ b/meta/recipes-support/libexif/libexif/0006-libexif-CVE-2012-2840.patch 
@@ -0,0 +1,17 @@ +Index: libexif/exif-utils.c +=================================================================== +RCS file: /cvsroot/libexif/libexif/libexif/exif-utils.c,v +retrieving revision 1.16 +retrieving revision 1.17 +diff -c -u -r1.16 -r1.17 +--- a/libexif/exif-utils.c 27 Oct 2009 06:06:11 -0000 1.16 ++++ b/libexif/exif-utils.c 12 Jul 2012 17:11:30 -0000 1.17 +@@ -239,7 +239,7 @@ + break; + } + } else { +- if (maxlen > 2) { ++ if (maxlen > 3) { + *out++ = ((*in >> 12) & 0x0F) | 0xE0; + *out++ = ((*in >> 6) & 0x3F) | 0x80; + *out++ = (*in++ & 0x3F) | 0x80; diff --git a/meta/recipes-support/libexif/libexif_0.6.20.bb b/meta/recipes-support/libexif/libexif_0.6.20.bb index 6affc9e..757163b 100644 --- a/meta/recipes-support/libexif/libexif_0.6.20.bb +++ b/meta/recipes-support/libexif/libexif_0.6.20.bb @@ -11,7 +11,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/libexif/libexif-${PV}.tar.bz2 \ file://0002-libexif-CVE-2012-2812.patch \ file://0003-libexif-CVE-2012-2841.patch \ file://0004-libexif-CVE-2012-2836.patch \ - file://0005-libexif-CVE-2012-2837.patch" + file://0005-libexif-CVE-2012-2837.patch \ + file://0006-libexif-CVE-2012-2840.patch" SRC_URI[md5sum] = "19844ce6b5d075af16f0d45de1e8a6a3" SRC_URI[sha256sum] = "a772d20bd8fb9802d7f0d70fde6ac8872f87d0c66c52b0d14026dafcaa83d715" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
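Review bot: The new `0006-libexif-CVE-2012-2840.patch` starts directly at `Index: libexif/exif-utils.c` with no description, CVE reference, Upstream-Status or Signed-off-by lines. The RCS header shows it is upstream revision 1.16 to 1.17, so it should carry a short header marking it as a backport. The commit message places `exif_convert_utf16_to_utf8` in exif-entry.c while the hunk patches exif-utils.c; a sentence reconciling the two would save the next reader a search. On the change itself, `maxlen > 3` now leaves one byte spare after the three writes in this branch. The one-byte and two-byte branches are not visible in the hunk, so please confirm they keep the same margin. As in 06/18, the recipe hunk extends SRC_URI without a PR bump.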
* [denzil 08/18] Summary:Security Advisory - libtiff - CVE-2012-3401 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (6 preceding siblings ...) 2013-02-07 23:56 ` [denzil 07/18] Security Advisory - libexif - CVE-2012-2840 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 09/18] Summary: Security Advisory - boost - CVE-2012-2677 Mark Hatle ` (9 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Wei Cai <wei.cai@windriver.com> [ CQID: WIND00374012 ] A heap-based buffer overflow flaw was found in the way tiff2pdf, a TIFF image to a PDF document conversion tool, of libtiff, a library of functions for manipulating TIFF (Tagged Image File Format) image format files, performed write of TIFF image content into particular PDF document file, when not properly initialized T2P context struct pointer has been provided by tiff2pdf (application requesting the conversion) as one of parameters for the routine performing the write. A remote attacker could provide a specially-crafted TIFF image format file, that when processed by tiff2pdf would lead to tiff2pdf executable crash or, potentially, arbitrary code execution with the privileges of the user running the tiff2pdf binary. Signed-off-by: Wei Cai <wei.cai@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Affects libtiff 4.0.2 and earlier. Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../libtiff/files/libtiff-CVE-2012-3401.patch | 10 ++++++++++ meta/recipes-multimedia/libtiff/tiff_4.0.1.bb | 3 ++- 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-multimedia/libtiff/files/libtiff-CVE-2012-3401.patch diff --git a/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2012-3401.patch b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2012-3401.patch new file mode 100644 index 0000000..e59addd --- /dev/null 
+++ b/meta/recipes-multimedia/libtiff/files/libtiff-CVE-2012-3401.patch @@ -0,0 +1,10 @@ +--- a/tools/tiff2pdf.c.orig 2012-11-22 17:24:46.000000000 +0800 ++++ b/tools/tiff2pdf.c 2012-11-22 17:25:41.000000000 +0800 +@@ -1038,6 +1038,7 @@ + "Can't set directory %u of input file %s", + i, + TIFFFileName(input)); ++ t2p->t2p_error = T2P_ERR_ERROR; + return; + } + if(TIFFGetField(input, TIFFTAG_PAGENUMBER, &pagen, &paged)){ diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.1.bb index 54c4cbc..4bc7499 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.0.1.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.0.1.bb @@ -6,7 +6,8 @@ DEPENDS = "zlib jpeg xz" PR = "r1" SRC_URI = "ftp://ftp.remotesensing.org/pub/libtiff/tiff-${PV}.tar.gz \ - file://libtool2.patch" + file://libtool2.patch \ + file://libtiff-CVE-2012-3401.patch" SRC_URI[md5sum] = "fae149cc9da35c598d8be897826dfc63" SRC_URI[sha256sum] = "9a7a039e516c37478038740f1642818250bfb1414cf404cc8b569e5f9d4bf2f0" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
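Review bot: The tiff_4.0.1.bb hunk shows `PR = "r1"` as unchanged context, so the security fix ships without a revision bump; the boost patch in this series does bump PR, and this recipe should follow it. The embedded `libtiff-CVE-2012-3401.patch` has no header at all (no description, CVE reference, Upstream-Status or Signed-off-by), and it diffs against `tiff2pdf.c.orig` with local timestamps, which suggests it was hand-generated; please note where the fix came from. The hunk sets `t2p->t2p_error = T2P_ERR_ERROR` on one early return only, so the description should state that this "Can't set directory" path was the only exit that left the error flag clear. In the commit message, "Affects libtiff 4.0.2 and earlier." sits between the Signed-off-by lines and belongs in the body above them.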
* [denzil 09/18] Summary: Security Advisory - boost - CVE-2012-2677 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (7 preceding siblings ...) 2013-02-07 23:56 ` [denzil 08/18] Summary:Security Advisory - libtiff - CVE-2012-3401 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 10/18] qemu: Add an option to remove host sdl/gl checking Mark Hatle ` (8 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Wei Cai <wei.cai@windriver.com> [ CQID: WIND00366777 ] A security flaw was found in the way ordered_malloc() routine implementation in Boost, the free peer-reviewed portable C++ source libraries, performed 'next-size' and 'max_size' parameters sanitization, when allocating memory. If an application, using the Boost C++ source libraries for memory allocation, was missing application-level checks for safety of 'next_size' and 'max_size' values, a remote attacker could provide a specially-crafted application-specific file (requiring runtime memory allocation it to be processed correctly) that, when opened would lead to that application crash, or, potentially arbitrary code execution with the privileges of the user running the application. Signed-off-by: Wei Cai <wei.cai@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- meta/recipes-support/boost/boost_1.49.0.bb | 5 ++-- .../boost/files/boost-CVE-2012-2677.patch | 30 ++++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 meta/recipes-support/boost/files/boost-CVE-2012-2677.patch diff --git a/meta/recipes-support/boost/boost_1.49.0.bb b/meta/recipes-support/boost/boost_1.49.0.bb index 71fdc48..b0094c1 100644 --- a/meta/recipes-support/boost/boost_1.49.0.bb +++ b/meta/recipes-support/boost/boost_1.49.0.bb 
@@ -2,9 +2,10 @@ include boost.inc LIC_FILES_CHKSUM = "file://LICENSE_1_0.txt;md5=e4224ccaecb14d942c71d31bef20d78c" -PR = "${INC_PR}.0" +PR = "${INC_PR}.1" -SRC_URI += "file://arm-intrinsics.patch" +SRC_URI += "file://arm-intrinsics.patch \ + file://boost-CVE-2012-2677.patch" SRC_URI[md5sum] = "0d202cb811f934282dea64856a175698" SRC_URI[sha256sum] = "dd748a7f5507a7e7af74f452e1c52a64e651ed1f7263fce438a06641d2180d3c" diff --git a/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch new file mode 100644 index 0000000..42e813d --- /dev/null +++ b/meta/recipes-support/boost/files/boost-CVE-2012-2677.patch @@ -0,0 +1,30 @@ +--- a/boost/pool/pool.hpp.orig ++++ b/boost/pool/pool.hpp +@@ -11,6 +11,8 @@ + + #include <boost/config.hpp> // for workarounds + ++// std::numeric_limits ++#include <boost/limits.hpp> + // std::less, std::less_equal, std::greater + #include <functional> + // new[], delete[], std::nothrow +@@ -792,7 +794,8 @@ + { //! Gets address of a chunk n, allocating new memory if not already available. + //! \returns Address of chunk n if allocated ok. + //! \returns 0 if not enough memory for n chunks. +- ++ if (requested_size && (n > (std::numeric_limits<size_type>::max)() / requested_size)) ++ return 0; + const size_type partition_size = alloc_size(); + const size_type total_req_size = n * requested_size; + const size_type num_chunks = total_req_size / partition_size + +@@ -975,6 +978,8 @@ + { + if(max_alloc_size && (n > max_alloc_size)) + return 0; ++ if(chunk_size && (n > (std::numeric_limits<size_type>::max)() / chunk_size)) ++ return 0; + void* ret = (user_allocator::malloc)(chunk_size * n); + used_list.insert(ret); + return ret; -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
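Review bot: In the `@@ -792,7 +794,8 @@` hunk the new guard bounds only `n * requested_size`, while the context line that follows goes on to compute `num_chunks` from `total_req_size / partition_size +` and is cut off by the hunk. If a later step multiplies `num_chunks` by `partition_size`, that product needs the same kind of bound, so please confirm the remaining arithmetic in that function cannot wrap once the first product is known to fit. The second hunk is clearer: `chunk_size * n` is the only product and it is checked immediately before the `malloc` call. The guard in the first hunk also replaces the blank line after the `//!` comments, so it now runs directly into the documentation block; keeping a blank line would help readability. The embedded `boost-CVE-2012-2677.patch` has no description, Upstream-Status or Signed-off-by header, and the subject line carries a stray "Summary:" prefix.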
* [denzil 10/18] qemu: Add an option to remove host sdl/gl checking 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (8 preceding siblings ...) 2013-02-07 23:56 ` [denzil 09/18] Summary: Security Advisory - boost - CVE-2012-2677 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 11/18] qemu-0.15.1: add patch to fix compilatation problems on powerpc Mark Hatle ` (7 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Zhai Edwin <edwin.zhai@intel.com> Add an PACKAGECONFIG in qemu to disable GL acceleration: * By default configure try best to enable GL acceleration and fail when missing host dependency(libSDL and libGL). * End user can also choose to turn off GL capability, thus remove the host dependence in building. [YOCTO #2407] got fixed. (master rev: cfa93553e17057a1ea9d81e3a415fc8260c54067) Signed-off-by: Zhai Edwin <edwin.zhai@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Jeff Polk <jeff.polk@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../qemu/qemu-0.15.1/dummy-gl-config.patch | 31 +++++ .../qemu/qemu-0.15.1/glflags.patch | 40 ++++-- .../qemu/qemu-0.15.1/opengl-disable-option.patch | 137 +++++++++++++++++++++ meta/recipes-devtools/qemu/qemu.inc | 23 +--- meta/recipes-devtools/qemu/qemu_0.15.1.bb | 4 +- 5 files changed, 203 insertions(+), 32 deletions(-) create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/dummy-gl-config.patch create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/opengl-disable-option.patch diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/dummy-gl-config.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/dummy-gl-config.patch new file mode 100644 index 0000000..8aa30ae --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/dummy-gl-config.patch 
@@ -0,0 +1,31 @@ +Add a dummy option for GL acceleration to pass the configure when there is no +GL acceleration patch. The parsing function will be filled by following +opengl-disable-option.patch. + +Upstream-Status: Inappropriate [other] - depends on GL patch + +Signed-off-by: Zhai Edwin <edwin.zhai@intel.com> + +Index: qemu-0.15.1/configure +=================================================================== +--- qemu-0.15.1.orig/configure 2012-05-14 21:23:34.000000000 +0800 ++++ qemu-0.15.1/configure 2012-05-14 21:23:36.000000000 +0800 +@@ -179,6 +179,7 @@ + smartcard_nss="" + usb_redir="" + opengl="" ++gl_accel="yes" + guest_agent="yes" + + # parse CC options first +@@ -739,6 +740,10 @@ + ;; + --enable-opengl) opengl="yes" + ;; ++ --disable-gl-accel) gl_accel="no" ++ ;; ++ --enable-gl-accel) gl_accel="yes" ++ ;; + --*dir) + ;; + --disable-rbd) rbd="no" diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/glflags.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/glflags.patch index 0ad5551..638d262 100644 --- a/meta/recipes-devtools/qemu/qemu-0.15.1/glflags.patch +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/glflags.patch 
@@ -1,15 +1,33 @@ +Considering relocation, qemu-nativesdk is independent of host library except +libGL. Normal method like 'cat > $TMPC' doesn't work, so we check the library +directly. + Upstream-Status: Inappropriate [configuration] -Index: qemu-0.14.0/Makefile.target +Index: qemu-0.15.1/configure =================================================================== ---- qemu-0.14.0.orig/Makefile.target 2011-04-04 12:12:19.142871742 +0100 -+++ qemu-0.14.0/Makefile.target 2011-04-04 12:12:21.772871742 +0100 -@@ -362,7 +362,7 @@ - - monitor.o: hmp-commands.h qmp-commands.h - --LIBS += -lGL -lGLU -+LIBS += -lGL - - $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS) +--- qemu-0.15.1.orig/configure 2012-05-25 18:26:05.000000000 +0800 ++++ qemu-0.15.1/configure 2012-05-29 09:43:27.000000000 +0800 +@@ -2032,15 +2032,13 @@ + exit 1; + fi +- gl_accel_libs="-lGL -lGLU" +- cat > $TMPC << EOF +-#include <X11/Xlib.h> +-#include <GL/gl.h> +-#include <GL/glx.h> +-#include <GL/glu.h> +-int main(void) { GL_VERSION; return 0; } +-EOF +- if compile_prog "" "-lGL -lGLU" ; then ++ gl_accel_libs="-lGL" ++ libgl='no' ++ test -e /usr/lib/libGL.so && libgl='yes' ++ test -e /usr/lib64/libGL.so && libgl='yes' ++ test -e /usr/lib/*-linux-gnu/libGL.so && libgl='yes' ++ ++ if test "$libgl" = "yes" ; then + gl_accel=yes + libs_softmmu="$gl_accel_libs $libs_softmmu" + else diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/opengl-disable-option.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/opengl-disable-option.patch new file mode 100644 index 0000000..8dc272a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/opengl-disable-option.patch 
@@ -0,0 +1,137 @@ +Add an option gl-accel to disable GL acceleration: +* When enabled, configure try best to enable GL acceleration and fail when + missing host dependency(libSDL and libGL), which is the default. +* When disabled, end user choose to turn off GL capability, thus remove the + host dependence in building. + +Upstream-Status: Inappropriate [other] - depends on GL patch + +Signed-off-by: Zhai Edwin <edwin.zhai@intel.com> + +Index: qemu-0.15.1/Makefile.target +=================================================================== +--- qemu-0.15.1.orig/Makefile.target 2012-05-29 11:20:04.000000000 +0800 ++++ qemu-0.15.1/Makefile.target 2012-05-29 11:20:04.000000000 +0800 +@@ -80,13 +80,16 @@ + endif + libobj-$(CONFIG_NEED_MMU) += mmu.o + ifndef CONFIG_LINUX_USER ++ifdef CONFIG_GL_ACCEL + libobj-$(TARGET_I386) += helper_opengl.o opengl_exec.o + libobj-$(TARGET_X86_64) += helper_opengl.o opengl_exec.o + else +-ifdef CONFIG_SDL + libobj-$(TARGET_I386) += dummygl.o + libobj-$(TARGET_X86_64) += dummygl.o +-endif ++endif #CONFIG_GL_ACCEL ++else ++libobj-$(TARGET_I386) += dummygl.o ++libobj-$(TARGET_X86_64) += dummygl.o + endif #CONFIG_LINUX_USER + libobj-$(TARGET_ARM) += dummygl.o + libobj-$(TARGET_MIPS) += dummygl.o +@@ -262,8 +265,10 @@ + obj-i386-$(CONFIG_SPICE) += qxl.o qxl-logger.o qxl-render.o + + ifeq ($(TARGET_BASE_ARCH), i386) ++ifdef CONFIG_GL_ACCEL + QEMU_CFLAGS += -DTARGET_OPENGL_OK + endif ++endif + + # shared objects + obj-ppc-y = ppc.o +@@ -409,8 +414,6 @@ + + monitor.o: hmp-commands.h qmp-commands.h + +-LIBS += -lGL -lGLU +- + $(obj-y) $(obj-$(TARGET_BASE_ARCH)-y): $(GENERATED_HEADERS) + + obj-y += $(addprefix ../, $(common-obj-y)) +Index: qemu-0.15.1/configure +=================================================================== +--- qemu-0.15.1.orig/configure 2012-05-29 11:20:03.000000000 +0800 ++++ qemu-0.15.1/configure 2012-05-29 11:20:04.000000000 +0800 +@@ -2021,6 +2021,39 @@ + fi + fi + ++##################################################### 
++# GL acceleration probe depending on gl, glu and sdl ++if test "$gl_accel" != "no" ; then ++ if test "$sdl" = "no" ; then ++ gl_accel=no ++ echo "libSDL and header no found to build opengl acceleration for qemu-native. ++ Ubuntu package names are: libsdl1.2-dev. ++ Fedora package names are: SDL-devel." ++ exit 1; ++ fi ++ ++ gl_accel_libs="-lGL -lGLU" ++ cat > $TMPC << EOF ++#include <X11/Xlib.h> ++#include <GL/gl.h> ++#include <GL/glx.h> ++#include <GL/glu.h> ++int main(void) { GL_VERSION; return 0; } ++EOF ++ if compile_prog "" "-lGL -lGLU" ; then ++ gl_accel=yes ++ libs_softmmu="$gl_accel_libs $libs_softmmu" ++ else ++ feature_not_found "gl_accel" ++ gl_accel=no ++ gl_accel_libs= ++ echo "libGL.so and libGLU.so not found to build opengl acceleration for qemu-native. ++ Ubuntu package names are: libgl1-mesa-dev, libglu1-mesa-dev and libsdl1.2-dev. ++ Fedora package names are: mesa-libGL mesa-libGLU SDL-devel." ++ exit 1; ++ fi ++fi ++ + # + # Check for xxxat() functions when we are building linux-user + # emulator. 
This is done because older glibc versions don't +@@ -2722,6 +2755,7 @@ + echo "nss used $smartcard_nss" + echo "usb net redir $usb_redir" + echo "OpenGL support $opengl" ++echo "GL acceleration support $gl_accel" + echo "build guest agent $guest_agent" + + if test $sdl_too_old = "yes"; then +@@ -3025,6 +3059,10 @@ + echo "CONFIG_OPENGL=y" >> $config_host_mak + fi + ++if test "$gl_accel" = "yes" ; then ++ echo "CONFIG_GL_ACCEL=y" >> $config_host_mak ++fi ++ + # XXX: suppress that + if [ "$bsd" = "yes" ] ; then + echo "CONFIG_BSD=y" >> $config_host_mak +Index: qemu-0.15.1/qemu-char.c +=================================================================== +--- qemu-0.15.1.orig/qemu-char.c 2012-05-29 11:20:03.000000000 +0800 ++++ qemu-0.15.1/qemu-char.c 2012-05-29 11:20:04.000000000 +0800 +@@ -2387,7 +2387,6 @@ + return d->outbuf_size; + } + +-#define TARGET_OPENGL_OK + #if defined(TARGET_OPENGL_OK) + static uint8_t buffer[32]; + static int buffer_len; +@@ -2447,7 +2446,7 @@ + return chr; + } + #else +-#define qemu_chr_open_opengl() 0 ++#define qemu_chr_open_opengl NULL + #endif + + QemuOpts *qemu_chr_parse_compat(const char *label, const char *filename) diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 93325c3..75ff962 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc 
@@ -19,26 +19,6 @@ EXTRA_OECONF += "--target-list=${@get_qemu_target_list(d)} --disable-werror --di inherit autotools -# For our gl powered QEMU you need libGL and SDL headers -do_configure_prepend_virtclass-native() { - libgl='no' - libsdl='no' - - test -e /usr/lib/libGL.so -a -e /usr/lib/libGLU.so && libgl='yes' - test -e /usr/lib64/libGL.so -a -e /usr/lib64/libGLU.so && libgl='yes' - test -e /usr/lib/*-linux-gnu/libGL.so -a -e /usr/lib/*-linux-gnu/libGLU.so && libgl='yes' - - test -e /usr/lib/pkgconfig/sdl.pc -o -e /usr/lib64/pkgconfig/sdl.pc -o -e /usr/include/SDL/SDL.h && libsdl='yes' - - - if [ "$libsdl" != 'yes' -o "$libgl" != 'yes' ]; then - echo "You need libGL.so and libGLU.so to exist in your library path and the development headers for SDL installed to build qemu-native. - Ubuntu package names are: libgl1-mesa-dev, libglu1-mesa-dev and libsdl1.2-dev. - Fedora package names are: mesa-libGL mesa-libGLU SDL-devel." - exit 1; - fi -} - do_configure() { # Handle distros such as CentOS 5 32-bit that do not have kvm support KVMOPTS="--disable-kvm" @@ -57,6 +37,9 @@ do_install () { install -m 0755 ${WORKDIR}/powerpc_rom.bin ${D}${datadir}/qemu } +PACKAGECONFIG ??= "gl" +PACKAGECONFIG[gl] = "--enable-gl-accel,--disable-gl-accel,," + DEPENDS_virtclass-native = "zlib-native alsa-lib-native glib-2.0-native" DEPENDS_virtclass-nativesdk = "zlib-nativesdk libsdl-nativesdk glib-2.0-nativesdk \ ${@base_contains('DISTRO_FEATURES', 'x11', 'qemugl-nativesdk', '', d)}" diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb index 54f746b..b3fb354 100644 --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb @@ -3,7 +3,7 @@ require qemu.inc LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" -PR = "r7" +PR = "r8" FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" FILESDIR = "${WORKDIR}" 
@@ -19,6 +19,7 @@ SRC_URI = "\ file://larger_default_ram_size.patch \ file://arm-bgr.patch \ file://a4d1f142542935b90d2eb30f3aead4edcf455fe6.patch \ + file://dummy-gl-config.patch \ file://0001-ppc64-Fix-linker-script.patch \ " @@ -32,6 +33,7 @@ QEMUGLPATCHES = "\ file://qemugl-fix.patch \ file://opengl-sdl-fix.patch \ file://opengl-args-copy-fix.patch \ + file://opengl-disable-option.patch \ " SRC_URI_append_virtclass-native = "\ -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
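Review bot: In glflags.patch the probe `test -e /usr/lib/*-linux-gnu/libGL.so && libgl='yes'` passes an unquoted glob to `test -e`. On a multiarch host where more than one directory matches, `test` receives several operands and fails with a usage error, so libGL is reported missing even though it is installed. Looping over the matches, or testing each candidate path separately, avoids that. The probe also replaces a compile test with fixed host paths, which is the stated intent, but it means a libGL.so without headers now passes configure and fails later at compile time. The same patch drops `-lGLU` from `gl_accel_libs`, yet the failure message added by opengl-disable-option.patch still says "libGL.so and libGLU.so not found" and still lists the GLU development packages.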
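Review bot: In qemu.inc the removed host check was `do_configure_prepend_virtclass-native`, so it ran for the native build only, while the replacement `PACKAGECONFIG ??= "gl"` passes `--enable-gl-accel` to every variant of the recipe. With the new configure block exiting when `$sdl` is "no", a target or nativesdk build without SDL would now fail where it previously did not, so the default should be scoped to the native class or the description should explain why the wider default is safe. In qemu-char.c the fallback changes from the function-like `#define qemu_chr_open_opengl() 0` to the object-like `#define qemu_chr_open_opengl NULL`; please confirm every use is as a function pointer, since a call written `qemu_chr_open_opengl()` would now expand to `NULL()`. In Makefile.target the linux-user branch now adds dummygl.o for i386 and x86_64 unconditionally, where it was previously under `ifdef CONFIG_SDL`, and that behaviour change is not mentioned in the patch header. Minor: "no found" in the libSDL message should read "not found", and `gl_accel=no` immediately before `exit 1` has no effect.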
* [denzil 11/18] qemu-0.15.1: add patch to fix compilatation problems on powerpc 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (9 preceding siblings ...) 2013-02-07 23:56 ` [denzil 10/18] qemu: Add an option to remove host sdl/gl checking Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-13 17:01 ` McClintock Matthew-B29882 2013-02-07 23:56 ` [denzil 12/18] qemu: Fix illegal instruction errors on e500 emulation Mark Hatle ` (6 subsequent siblings) 17 siblings, 1 reply; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Matthew McClintock <msm@freescale.com> ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) ERROR: Logfile of failure stored in: /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 Log data follows: | DEBUG: SITE files ['endian-big', 'bit-64', 'powerpc-common', 'common-linux', 'common-glibc', 'powerpc-linux', 'powerpc64-linux', 'common'] | ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) | NOTE: make -j 24 | LINK ppc-linux-user/qemu-ppc | /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/sysroots/x86_64-linux/usr/libexec/ppc64e5500-fsl-linux/gcc/powerpc64-fsl-linux/4.6.4/ld:/opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/qemu-0.15.1/ppc64.ld:84: syntax error | collect2: ld returned 1 exit status | make[1]: *** [qemu-ppc] Error 1 | make: *** [subdir-ppc-linux-user] Error 2 | make: *** Waiting for unfinished jobs.... | ERROR: oe_runmake failed 
Signed-off-by: Matthew McClintock <msm@freescale.com> (master rev: a9207aad5b163a071cd8298517d61514c587e0ed) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- meta/recipes-devtools/qemu/qemu_0.15.1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb index b3fb354..2cc59f6 100644 --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb @@ -3,7 +3,7 @@ require qemu.inc LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" -PR = "r8" +PR = "r9" FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" FILESDIR = "${WORKDIR}" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
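Review bot: The diffstat and the single hunk change only `PR = "r8"` to `PR = "r9"`. No patch file is added and SRC_URI is untouched, although the subject says a patch is being added to fix the powerpc build. The 10/18 SRC_URI hunk already shows `file://0001-ppc64-Fix-linker-script.patch` as unchanged context, which suggests the fix for the quoted `ppc64.ld:84: syntax error` is already on the branch. If so, this commit is a bare revision bump with a misleading message and should be dropped from the series, with the PR values in the later qemu patches renumbered to match.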
* Re: [denzil 11/18] qemu-0.15.1: add patch to fix compilatation problems on powerpc 2013-02-07 23:56 ` [denzil 11/18] qemu-0.15.1: add patch to fix compilatation problems on powerpc Mark Hatle @ 2013-02-13 17:01 ` McClintock Matthew-B29882 2013-02-13 21:23 ` Mark Hatle 2013-02-13 22:02 ` Mark Hatle 0 siblings, 2 replies; 22+ messages in thread From: McClintock Matthew-B29882 @ 2013-02-13 17:01 UTC (permalink / raw) To: Mark Hatle; +Cc: openembedded-core@lists.openembedded.org On Thu, Feb 7, 2013 at 5:56 PM, Mark Hatle <mark.hatle@windriver.com> wrote: > From: Matthew McClintock <msm@freescale.com> > > ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) > ERROR: Logfile of failure stored in: /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 > Log data follows: > | DEBUG: SITE files ['endian-big', 'bit-64', 'powerpc-common', 'common-linux', 'common-glibc', 'powerpc-linux', 'powerpc64-linux', 'common'] > | ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) > | NOTE: make -j 24 > | LINK ppc-linux-user/qemu-ppc > | /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/sysroots/x86_64-linux/usr/libexec/ppc64e5500-fsl-linux/gcc/powerpc64-fsl-linux/4.6.4/ld:/opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/qemu-0.15.1/ppc64.ld:84: syntax error > | collect2: ld returned 1 exit status > | make[1]: *** [qemu-ppc] Error 1 > | make: *** [subdir-ppc-linux-user] Error 2 > | make: *** Waiting for unfinished jobs.... > | ERROR: oe_runmake failed 
> > Signed-off-by: Matthew McClintock <msm@freescale.com> > > (master rev: a9207aad5b163a071cd8298517d61514c587e0ed) > > Signed-off-by: Mark Hatle <mark.hatle@windriver.com> > --- > meta/recipes-devtools/qemu/qemu_0.15.1.bb | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb > index b3fb354..2cc59f6 100644 > --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb > +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb > @@ -3,7 +3,7 @@ require qemu.inc > LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ > file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" > > -PR = "r8" > +PR = "r9" > > FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" > FILESDIR = "${WORKDIR}" > -- > 1.8.1.2.545.g2f19ada Missing a patch? -M > > > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [denzil 11/18] qemu-0.15.1: add patch to fix compilatation problems on powerpc 2013-02-13 17:01 ` McClintock Matthew-B29882 @ 2013-02-13 21:23 ` Mark Hatle 2013-02-13 22:02 ` Mark Hatle 1 sibling, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-13 21:23 UTC (permalink / raw) To: McClintock Matthew-B29882; +Cc: openembedded-core@lists.openembedded.org On 2/13/13 11:01 AM, McClintock Matthew-B29882 wrote: > On Thu, Feb 7, 2013 at 5:56 PM, Mark Hatle <mark.hatle@windriver.com> wrote: >> From: Matthew McClintock <msm@freescale.com> >> >> ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) >> ERROR: Logfile of failure stored in: /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 >> Log data follows: >> | DEBUG: SITE files ['endian-big', 'bit-64', 'powerpc-common', 'common-linux', 'common-glibc', 'powerpc-linux', 'powerpc64-linux', 'common'] >> | ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) >> | NOTE: make -j 24 >> | LINK ppc-linux-user/qemu-ppc >> | /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/sysroots/x86_64-linux/usr/libexec/ppc64e5500-fsl-linux/gcc/powerpc64-fsl-linux/4.6.4/ld:/opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/qemu-0.15.1/ppc64.ld:84: syntax error >> | collect2: ld returned 1 exit status >> | make[1]: *** [qemu-ppc] Error 1 >> | make: *** [subdir-ppc-linux-user] Error 2 >> | make: *** Waiting for unfinished jobs.... >> | ERROR: oe_runmake failed >> >> Signed-off-by: Matthew McClintock <msm@freescale.com> >> >> (master rev: a9207aad5b163a071cd8298517d61514c587e0ed) 
>> >> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> >> --- >> meta/recipes-devtools/qemu/qemu_0.15.1.bb | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb >> index b3fb354..2cc59f6 100644 >> --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb >> +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb >> @@ -3,7 +3,7 @@ require qemu.inc >> LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ >> file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" >> >> -PR = "r8" >> +PR = "r9" >> >> FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" >> FILESDIR = "${WORKDIR}" >> -- >> 1.8.1.2.545.g2f19ada > > Missing a patch? Not sure I understand the question. The set I sent up had: Patches 10, 11, 12, 13, 14, 15, and 18 all affecting qemu. Together these are working for me. --Mark > -M > >> >> >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [denzil 11/18] qemu-0.15.1: add patch to fix compilatation problems on powerpc 2013-02-13 17:01 ` McClintock Matthew-B29882 2013-02-13 21:23 ` Mark Hatle @ 2013-02-13 22:02 ` Mark Hatle 1 sibling, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-13 22:02 UTC (permalink / raw) To: McClintock Matthew-B29882; +Cc: openembedded-core@lists.openembedded.org On 2/13/13 11:01 AM, McClintock Matthew-B29882 wrote: > On Thu, Feb 7, 2013 at 5:56 PM, Mark Hatle <mark.hatle@windriver.com> wrote: >> From: Matthew McClintock <msm@freescale.com> >> >> ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) >> ERROR: Logfile of failure stored in: /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 >> Log data follows: >> | DEBUG: SITE files ['endian-big', 'bit-64', 'powerpc-common', 'common-linux', 'common-glibc', 'powerpc-linux', 'powerpc64-linux', 'common'] >> | ERROR: Function failed: do_compile (see /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/temp/log.do_compile.28447 for further information) >> | NOTE: make -j 24 >> | LINK ppc-linux-user/qemu-ppc >> | /opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/sysroots/x86_64-linux/usr/libexec/ppc64e5500-fsl-linux/gcc/powerpc64-fsl-linux/4.6.4/ld:/opt/yocto/cache-build/p5020ds-64b/build_p5020ds-64b_release/tmp/work/ppc64e5500-fsl-linux/qemu-0.15.1-r6/qemu-0.15.1/ppc64.ld:84: syntax error >> | collect2: ld returned 1 exit status >> | make[1]: *** [qemu-ppc] Error 1 >> | make: *** [subdir-ppc-linux-user] Error 2 >> | make: *** Waiting for unfinished jobs.... >> | ERROR: oe_runmake failed >> >> Signed-off-by: Matthew McClintock <msm@freescale.com> >> >> (master rev: a9207aad5b163a071cd8298517d61514c587e0ed) 
>> >> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> >> --- >> meta/recipes-devtools/qemu/qemu_0.15.1.bb | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb >> index b3fb354..2cc59f6 100644 >> --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb >> +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb >> @@ -3,7 +3,7 @@ require qemu.inc >> LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ >> file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" >> >> -PR = "r8" >> +PR = "r9" >> >> FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" >> FILESDIR = "${WORKDIR}" >> -- >> 1.8.1.2.545.g2f19ada > > Missing a patch? I finally understand.. Yes, my mistake, this one had been merged into Denzil already and when I rebased I didn't notice. 11/18 can be dropped from the set. (The other ones will need the PR's adjusted.) If anyone cares, I'll be happy to do this and send up a new set. --Mark > -M > >> >> >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-core ^ permalink raw reply [flat|nested] 22+ messages in thread
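Review bot: nothing in the quoted hunk against meta/recipes-devtools/qemu/qemu_0.15.1.bb delivers the fix the subject names. The diffstat is "1 file changed, 1 insertion(+), 1 deletion(-)" and the only change is PR "r8" to "r9"; no patch file is added and no SRC_URI line is touched, so the ppc64.ld:84 link failure quoted in the commit message is not addressed by this commit as posted. Either carry the patch file together with its SRC_URI entry in the same commit, or drop the commit and renumber the PR bumps in the later qemu patches of the series so each one still increments from the value actually on the branch.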
* [denzil 12/18] qemu: Fix illegal instruction errors on e500 emulation 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (10 preceding siblings ...) 2013-02-07 23:56 ` [denzil 11/18] qemu-0.15.1: add patch to fix compilatation problems on powerpc Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 13/18] qemu: backport patch to fix pl031 RTC Mark Hatle ` (5 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Khem Raj <raj.khem@gmail.com> I caught this when running user mode qemu for ppc/e500 applications which had SPE instructions in them will abort with illegal instruction error all the time. The patch is already applied upstream we needed a backport into 0.15.x Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> (master rev: febec229b27279345b756d2fd83f3766915fcd67) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../qemu-0.15.1/ppc-s500-set-invalid-mask.patch | 610 +++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_0.15.1.bb | 3 +- 2 files changed, 612 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/ppc-s500-set-invalid-mask.patch diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/ppc-s500-set-invalid-mask.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/ppc-s500-set-invalid-mask.patch new file mode 100644 index 0000000..4c2134b --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/ppc-s500-set-invalid-mask.patch 
@@ -0,0 +1,610 @@ +Upstream-Status: Backport +Signed-off-by: Khem Raj <raj.khem@gmail.com> + +X-Git-Url: http://git.qemu.org/?p=qemu.git;a=blobdiff_plain;f=target-ppc%2Ftranslate.c;h=99e995c7b6094b0651d176f9b813525b44b7a74e;hp=1e362fc2385faeca53d0c1de37ccd7a7379202da;hb=70560da79d5be611bd7867f9c590847702c61fb5;hpb=bdcf9d6cd4ff987e58ba4f311ba7b1a33cf3ce5e + +Index: qemu-0.15.1/target-ppc/translate.c +=================================================================== +--- qemu-0.15.1.orig/target-ppc/translate.c 2011-10-12 09:41:43.000000000 -0700 ++++ qemu-0.15.1/target-ppc/translate.c 2012-07-20 08:14:33.192405920 -0700 +@@ -196,8 +196,10 @@ + } DisasContext; + + struct opc_handler_t { +- /* invalid bits */ +- uint32_t inval; ++ /* invalid bits for instruction 1 (Rc(opcode) == 0) */ ++ uint32_t inval1; ++ /* invalid bits for instruction 2 (Rc(opcode) == 1) */ ++ uint32_t inval2; + /* instruction type */ + uint64_t type; + /* extended instruction type */ +@@ -469,7 +471,23 @@ + .opc3 = op3, \ + .pad = { 0, }, \ + .handler = { \ +- .inval = invl, \ ++ .inval1 = invl, \ ++ .type = _typ, \ ++ .type2 = _typ2, \ ++ .handler = &gen_##name, \ ++ .oname = stringify(name), \ ++ }, \ ++ .oname = stringify(name), \ ++} ++#define GEN_OPCODE_DUAL(name, op1, op2, op3, invl1, invl2, _typ, _typ2) \ ++{ \ ++ .opc1 = op1, \ ++ .opc2 = op2, \ ++ .opc3 = op3, \ ++ .pad = { 0, }, \ ++ .handler = { \ ++ .inval1 = invl1, \ ++ .inval2 = invl2, \ + .type = _typ, \ + .type2 = _typ2, \ + .handler = &gen_##name, \ +@@ -484,7 +502,7 @@ + .opc3 = op3, \ + .pad = { 0, }, \ + .handler = { \ +- .inval = invl, \ ++ .inval1 = invl, \ + .type = _typ, \ + .type2 = _typ2, \ + .handler = &gen_##name, \ +@@ -500,7 +518,22 @@ + .opc3 = op3, \ + .pad = { 0, }, \ + .handler = { \ +- .inval = invl, \ ++ .inval1 = invl, \ ++ .type = _typ, \ ++ .type2 = _typ2, \ ++ .handler = &gen_##name, \ ++ }, \ ++ .oname = stringify(name), \ ++} ++#define GEN_OPCODE_DUAL(name, op1, op2, op3, invl1, invl2, _typ, _typ2) \ ++{ 
\ ++ .opc1 = op1, \ ++ .opc2 = op2, \ ++ .opc3 = op3, \ ++ .pad = { 0, }, \ ++ .handler = { \ ++ .inval1 = invl1, \ ++ .inval2 = invl2, \ + .type = _typ, \ + .type2 = _typ2, \ + .handler = &gen_##name, \ +@@ -514,7 +547,7 @@ + .opc3 = op3, \ + .pad = { 0, }, \ + .handler = { \ +- .inval = invl, \ ++ .inval1 = invl, \ + .type = _typ, \ + .type2 = _typ2, \ + .handler = &gen_##name, \ +@@ -541,7 +574,8 @@ + } + + static opc_handler_t invalid_handler = { +- .inval = 0xFFFFFFFF, ++ .inval1 = 0xFFFFFFFF, ++ .inval2 = 0xFFFFFFFF, + .type = PPC_NONE, + .type2 = PPC_NONE, + .handler = gen_invalid, +@@ -6672,7 +6706,7 @@ + #endif + } + +-#define GEN_SPE(name0, name1, opc2, opc3, inval, type) \ ++#define GEN_SPE(name0, name1, opc2, opc3, inval0, inval1, type) \ + static void glue(gen_, name0##_##name1)(DisasContext *ctx) \ + { \ + if (Rc(ctx->opcode)) \ +@@ -7395,35 +7429,35 @@ + tcg_temp_free_i64(tmp); + } + +-GEN_SPE(evaddw, speundef, 0x00, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evaddiw, speundef, 0x01, 0x08, 0x00000000, PPC_SPE); +-GEN_SPE(evsubfw, speundef, 0x02, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evsubifw, speundef, 0x03, 0x08, 0x00000000, PPC_SPE); +-GEN_SPE(evabs, evneg, 0x04, 0x08, 0x0000F800, PPC_SPE); //// +-GEN_SPE(evextsb, evextsh, 0x05, 0x08, 0x0000F800, PPC_SPE); //// +-GEN_SPE(evrndw, evcntlzw, 0x06, 0x08, 0x0000F800, PPC_SPE); //// +-GEN_SPE(evcntlsw, brinc, 0x07, 0x08, 0x00000000, PPC_SPE); // +-GEN_SPE(evmra, speundef, 0x02, 0x13, 0x0000F800, PPC_SPE); +-GEN_SPE(speundef, evand, 0x08, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evandc, speundef, 0x09, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evxor, evor, 0x0B, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evnor, eveqv, 0x0C, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evmwumi, evmwsmi, 0x0C, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(evmwumia, evmwsmia, 0x1C, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(evmwumiaa, evmwsmiaa, 0x0C, 0x15, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evorc, 0x0D, 0x08, 0x00000000, 
PPC_SPE); //// +-GEN_SPE(evnand, speundef, 0x0F, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evsrwu, evsrws, 0x10, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evsrwiu, evsrwis, 0x11, 0x08, 0x00000000, PPC_SPE); +-GEN_SPE(evslw, speundef, 0x12, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evslwi, speundef, 0x13, 0x08, 0x00000000, PPC_SPE); +-GEN_SPE(evrlw, evsplati, 0x14, 0x08, 0x00000000, PPC_SPE); // +-GEN_SPE(evrlwi, evsplatfi, 0x15, 0x08, 0x00000000, PPC_SPE); +-GEN_SPE(evmergehi, evmergelo, 0x16, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evmergehilo, evmergelohi, 0x17, 0x08, 0x00000000, PPC_SPE); //// +-GEN_SPE(evcmpgtu, evcmpgts, 0x18, 0x08, 0x00600000, PPC_SPE); //// +-GEN_SPE(evcmpltu, evcmplts, 0x19, 0x08, 0x00600000, PPC_SPE); //// +-GEN_SPE(evcmpeq, speundef, 0x1A, 0x08, 0x00600000, PPC_SPE); //// ++GEN_SPE(evaddw, speundef, 0x00, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); //// ++GEN_SPE(evaddiw, speundef, 0x01, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); ++GEN_SPE(evsubfw, speundef, 0x02, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); //// ++GEN_SPE(evsubifw, speundef, 0x03, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); ++GEN_SPE(evabs, evneg, 0x04, 0x08, 0x0000F800, 0x0000F800, PPC_SPE); //// ++GEN_SPE(evextsb, evextsh, 0x05, 0x08, 0x0000F800, 0x0000F800, PPC_SPE); //// ++GEN_SPE(evrndw, evcntlzw, 0x06, 0x08, 0x0000F800, 0x0000F800, PPC_SPE); //// ++GEN_SPE(evcntlsw, brinc, 0x07, 0x08, 0x0000F800, 0x00000000, PPC_SPE); // ++GEN_SPE(evmra, speundef, 0x02, 0x13, 0x0000F800, 0xFFFFFFFF, PPC_SPE); ++GEN_SPE(speundef, evand, 0x08, 0x08, 0xFFFFFFFF, 0x00000000, PPC_SPE); //// ++GEN_SPE(evandc, speundef, 0x09, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); //// ++GEN_SPE(evxor, evor, 0x0B, 0x08, 0x00000000, 0x00000000, PPC_SPE); //// ++GEN_SPE(evnor, eveqv, 0x0C, 0x08, 0x00000000, 0x00000000, PPC_SPE); //// ++GEN_SPE(evmwumi, evmwsmi, 0x0C, 0x11, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(evmwumia, evmwsmia, 0x1C, 0x11, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(evmwumiaa, evmwsmiaa, 
0x0C, 0x15, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evorc, 0x0D, 0x08, 0xFFFFFFFF, 0x00000000, PPC_SPE); //// ++GEN_SPE(evnand, speundef, 0x0F, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); //// ++GEN_SPE(evsrwu, evsrws, 0x10, 0x08, 0x00000000, 0x00000000, PPC_SPE); //// ++GEN_SPE(evsrwiu, evsrwis, 0x11, 0x08, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(evslw, speundef, 0x12, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); //// ++GEN_SPE(evslwi, speundef, 0x13, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE); ++GEN_SPE(evrlw, evsplati, 0x14, 0x08, 0x00000000, 0x0000F800, PPC_SPE); // ++GEN_SPE(evrlwi, evsplatfi, 0x15, 0x08, 0x00000000, 0x0000F800, PPC_SPE); ++GEN_SPE(evmergehi, evmergelo, 0x16, 0x08, 0x00000000, 0x00000000, PPC_SPE); //// ++GEN_SPE(evmergehilo, evmergelohi, 0x17, 0x08, 0x00000000, 0x00000000, PPC_SPE); //// ++GEN_SPE(evcmpgtu, evcmpgts, 0x18, 0x08, 0x00600000, 0x00600000, PPC_SPE); //// ++GEN_SPE(evcmpltu, evcmplts, 0x19, 0x08, 0x00600000, 0x00600000, PPC_SPE); //// ++GEN_SPE(evcmpeq, speundef, 0x1A, 0x08, 0x00600000, 0xFFFFFFFF, PPC_SPE); //// + + /* SPE load and stores */ + static inline void gen_addr_spe_imm_index(DisasContext *ctx, TCGv EA, int sh) +@@ -7782,74 +7816,74 @@ + + /* Multiply and add - TODO */ + #if 0 +-GEN_SPE(speundef, evmhessf, 0x01, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhossf, 0x03, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(evmheumi, evmhesmi, 0x04, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhesmf, 0x05, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(evmhoumi, evmhosmi, 0x06, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhosmf, 0x07, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhessfa, 0x11, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhossfa, 0x13, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(evmheumia, evmhesmia, 0x14, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhesmfa, 0x15, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(evmhoumia, evmhosmia, 0x16, 0x10, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhosmfa, 0x17, 0x10, 
0x00000000, PPC_SPE); +- +-GEN_SPE(speundef, evmwhssf, 0x03, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(evmwlumi, speundef, 0x04, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(evmwhumi, evmwhsmi, 0x06, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwhsmf, 0x07, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwssf, 0x09, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwsmf, 0x0D, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwhssfa, 0x13, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(evmwlumia, speundef, 0x14, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(evmwhumia, evmwhsmia, 0x16, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwhsmfa, 0x17, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwssfa, 0x19, 0x11, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwsmfa, 0x1D, 0x11, 0x00000000, PPC_SPE); +- +-GEN_SPE(evadduiaaw, evaddsiaaw, 0x00, 0x13, 0x0000F800, PPC_SPE); +-GEN_SPE(evsubfusiaaw, evsubfssiaaw, 0x01, 0x13, 0x0000F800, PPC_SPE); +-GEN_SPE(evaddumiaaw, evaddsmiaaw, 0x04, 0x13, 0x0000F800, PPC_SPE); +-GEN_SPE(evsubfumiaaw, evsubfsmiaaw, 0x05, 0x13, 0x0000F800, PPC_SPE); +-GEN_SPE(evdivws, evdivwu, 0x06, 0x13, 0x00000000, PPC_SPE); +- +-GEN_SPE(evmheusiaaw, evmhessiaaw, 0x00, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhessfaaw, 0x01, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(evmhousiaaw, evmhossiaaw, 0x02, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhossfaaw, 0x03, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(evmheumiaaw, evmhesmiaaw, 0x04, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhesmfaaw, 0x05, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(evmhoumiaaw, evmhosmiaaw, 0x06, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhosmfaaw, 0x07, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(evmhegumiaa, evmhegsmiaa, 0x14, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhegsmfaa, 0x15, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(evmhogumiaa, evmhogsmiaa, 0x16, 0x14, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhogsmfaa, 0x17, 0x14, 0x00000000, PPC_SPE); +- +-GEN_SPE(evmwlusiaaw, 
evmwlssiaaw, 0x00, 0x15, 0x00000000, PPC_SPE); +-GEN_SPE(evmwlumiaaw, evmwlsmiaaw, 0x04, 0x15, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwssfaa, 0x09, 0x15, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwsmfaa, 0x0D, 0x15, 0x00000000, PPC_SPE); +- +-GEN_SPE(evmheusianw, evmhessianw, 0x00, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhessfanw, 0x01, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(evmhousianw, evmhossianw, 0x02, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhossfanw, 0x03, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(evmheumianw, evmhesmianw, 0x04, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhesmfanw, 0x05, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(evmhoumianw, evmhosmianw, 0x06, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhosmfanw, 0x07, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(evmhegumian, evmhegsmian, 0x14, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhegsmfan, 0x15, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(evmhigumian, evmhigsmian, 0x16, 0x16, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmhogsmfan, 0x17, 0x16, 0x00000000, PPC_SPE); +- +-GEN_SPE(evmwlusianw, evmwlssianw, 0x00, 0x17, 0x00000000, PPC_SPE); +-GEN_SPE(evmwlumianw, evmwlsmianw, 0x04, 0x17, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwssfan, 0x09, 0x17, 0x00000000, PPC_SPE); +-GEN_SPE(evmwumian, evmwsmian, 0x0C, 0x17, 0x00000000, PPC_SPE); +-GEN_SPE(speundef, evmwsmfan, 0x0D, 0x17, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhessf, 0x01, 0x10, 0xFFFFFFFF, 0x00000000, PPC_SPE);// ++GEN_SPE(speundef, evmhossf, 0x03, 0x10, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmheumi, evmhesmi, 0x04, 0x10, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhesmf, 0x05, 0x10, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhoumi, evmhosmi, 0x06, 0x10, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhosmf, 0x07, 0x10, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhessfa, 0x11, 0x10, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhossfa, 0x13, 0x10, 
0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmheumia, evmhesmia, 0x14, 0x10, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhesmfa, 0x15, 0x10, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhoumia, evmhosmia, 0x16, 0x10, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhosmfa, 0x17, 0x10, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++ ++GEN_SPE(speundef, evmwhssf, 0x03, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmwlumi, speundef, 0x04, 0x11, 0x00000000, 0xFFFFFFFF, PPC_SPE); ++GEN_SPE(evmwhumi, evmwhsmi, 0x06, 0x11, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwhsmf, 0x07, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwssf, 0x09, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwsmf, 0x0D, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwhssfa, 0x13, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmwlumia, speundef, 0x14, 0x11, 0x00000000, 0xFFFFFFFF, PPC_SPE); ++GEN_SPE(evmwhumia, evmwhsmia, 0x16, 0x11, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwhsmfa, 0x17, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwssfa, 0x19, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwsmfa, 0x1D, 0x11, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++ ++GEN_SPE(evadduiaaw, evaddsiaaw, 0x00, 0x13, 0x0000F800, 0x0000F800, PPC_SPE); ++GEN_SPE(evsubfusiaaw, evsubfssiaaw, 0x01, 0x13, 0x0000F800, 0x0000F800, PPC_SPE); ++GEN_SPE(evaddumiaaw, evaddsmiaaw, 0x04, 0x13, 0x0000F800, 0x0000F800, PPC_SPE); ++GEN_SPE(evsubfumiaaw, evsubfsmiaaw, 0x05, 0x13, 0x0000F800, 0x0000F800, PPC_SPE); ++GEN_SPE(evdivws, evdivwu, 0x06, 0x13, 0x00000000, 0x00000000, PPC_SPE); ++ ++GEN_SPE(evmheusiaaw, evmhessiaaw, 0x00, 0x14, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhessfaaw, 0x01, 0x14, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhousiaaw, evmhossiaaw, 0x02, 0x14, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhossfaaw, 0x03, 0x14, 0xFFFFFFFF, 0x00000000, PPC_SPE); 
++GEN_SPE(evmheumiaaw, evmhesmiaaw, 0x04, 0x14, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhesmfaaw, 0x05, 0x14, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhoumiaaw, evmhosmiaaw, 0x06, 0x14, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhosmfaaw, 0x07, 0x14, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhegumiaa, evmhegsmiaa, 0x14, 0x14, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhegsmfaa, 0x15, 0x14, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhogumiaa, evmhogsmiaa, 0x16, 0x14, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhogsmfaa, 0x17, 0x14, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++ ++GEN_SPE(evmwlusiaaw, evmwlssiaaw, 0x00, 0x15, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(evmwlumiaaw, evmwlsmiaaw, 0x04, 0x15, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwssfaa, 0x09, 0x15, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwsmfaa, 0x0D, 0x15, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++ ++GEN_SPE(evmheusianw, evmhessianw, 0x00, 0x16, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhessfanw, 0x01, 0x16, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhousianw, evmhossianw, 0x02, 0x16, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhossfanw, 0x03, 0x16, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmheumianw, evmhesmianw, 0x04, 0x16, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhesmfanw, 0x05, 0x16, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhoumianw, evmhosmianw, 0x06, 0x16, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhosmfanw, 0x07, 0x16, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhegumian, evmhegsmian, 0x14, 0x16, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhegsmfan, 0x15, 0x16, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmhigumian, evmhigsmian, 0x16, 0x16, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmhogsmfan, 0x17, 0x16, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++ ++GEN_SPE(evmwlusianw, evmwlssianw, 0x00, 0x17, 0x00000000, 
0x00000000, PPC_SPE); ++GEN_SPE(evmwlumianw, evmwlsmianw, 0x04, 0x17, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwssfan, 0x09, 0x17, 0xFFFFFFFF, 0x00000000, PPC_SPE); ++GEN_SPE(evmwumian, evmwsmian, 0x0C, 0x17, 0x00000000, 0x00000000, PPC_SPE); ++GEN_SPE(speundef, evmwsmfan, 0x0D, 0x17, 0xFFFFFFFF, 0x00000000, PPC_SPE); + #endif + + /*** SPE floating-point extension ***/ +@@ -8110,20 +8144,20 @@ + GEN_SPEFPUOP_COMP_64(evfststeq); + + /* Opcodes definitions */ +-GEN_SPE(evfsadd, evfssub, 0x00, 0x0A, 0x00000000, PPC_SPE_SINGLE); // +-GEN_SPE(evfsabs, evfsnabs, 0x02, 0x0A, 0x0000F800, PPC_SPE_SINGLE); // +-GEN_SPE(evfsneg, speundef, 0x03, 0x0A, 0x0000F800, PPC_SPE_SINGLE); // +-GEN_SPE(evfsmul, evfsdiv, 0x04, 0x0A, 0x00000000, PPC_SPE_SINGLE); // +-GEN_SPE(evfscmpgt, evfscmplt, 0x06, 0x0A, 0x00600000, PPC_SPE_SINGLE); // +-GEN_SPE(evfscmpeq, speundef, 0x07, 0x0A, 0x00600000, PPC_SPE_SINGLE); // +-GEN_SPE(evfscfui, evfscfsi, 0x08, 0x0A, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(evfscfuf, evfscfsf, 0x09, 0x0A, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(evfsctui, evfsctsi, 0x0A, 0x0A, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(evfsctuf, evfsctsf, 0x0B, 0x0A, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(evfsctuiz, speundef, 0x0C, 0x0A, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(evfsctsiz, speundef, 0x0D, 0x0A, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(evfststgt, evfststlt, 0x0E, 0x0A, 0x00600000, PPC_SPE_SINGLE); // +-GEN_SPE(evfststeq, speundef, 0x0F, 0x0A, 0x00600000, PPC_SPE_SINGLE); // ++GEN_SPE(evfsadd, evfssub, 0x00, 0x0A, 0x00000000, 0x00000000, PPC_SPE_SINGLE); // ++GEN_SPE(evfsabs, evfsnabs, 0x02, 0x0A, 0x0000F800, 0x0000F800, PPC_SPE_SINGLE); // ++GEN_SPE(evfsneg, speundef, 0x03, 0x0A, 0x0000F800, 0xFFFFFFFF, PPC_SPE_SINGLE); // ++GEN_SPE(evfsmul, evfsdiv, 0x04, 0x0A, 0x00000000, 0x00000000, PPC_SPE_SINGLE); // ++GEN_SPE(evfscmpgt, evfscmplt, 0x06, 0x0A, 0x00600000, 0x00600000, PPC_SPE_SINGLE); // ++GEN_SPE(evfscmpeq, speundef, 0x07, 0x0A, 0x00600000, 
0xFFFFFFFF, PPC_SPE_SINGLE); // ++GEN_SPE(evfscfui, evfscfsi, 0x08, 0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(evfscfuf, evfscfsf, 0x09, 0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(evfsctui, evfsctsi, 0x0A, 0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(evfsctuf, evfsctsf, 0x0B, 0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(evfsctuiz, speundef, 0x0C, 0x0A, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE); // ++GEN_SPE(evfsctsiz, speundef, 0x0D, 0x0A, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE); // ++GEN_SPE(evfststgt, evfststlt, 0x0E, 0x0A, 0x00600000, 0x00600000, PPC_SPE_SINGLE); // ++GEN_SPE(evfststeq, speundef, 0x0F, 0x0A, 0x00600000, 0xFFFFFFFF, PPC_SPE_SINGLE); // + + /* Single precision floating-point operations */ + /* Arithmetic */ +@@ -8178,20 +8212,20 @@ + GEN_SPEFPUOP_COMP_32(efststeq); + + /* Opcodes definitions */ +-GEN_SPE(efsadd, efssub, 0x00, 0x0B, 0x00000000, PPC_SPE_SINGLE); // +-GEN_SPE(efsabs, efsnabs, 0x02, 0x0B, 0x0000F800, PPC_SPE_SINGLE); // +-GEN_SPE(efsneg, speundef, 0x03, 0x0B, 0x0000F800, PPC_SPE_SINGLE); // +-GEN_SPE(efsmul, efsdiv, 0x04, 0x0B, 0x00000000, PPC_SPE_SINGLE); // +-GEN_SPE(efscmpgt, efscmplt, 0x06, 0x0B, 0x00600000, PPC_SPE_SINGLE); // +-GEN_SPE(efscmpeq, efscfd, 0x07, 0x0B, 0x00600000, PPC_SPE_SINGLE); // +-GEN_SPE(efscfui, efscfsi, 0x08, 0x0B, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(efscfuf, efscfsf, 0x09, 0x0B, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(efsctui, efsctsi, 0x0A, 0x0B, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(efsctuf, efsctsf, 0x0B, 0x0B, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(efsctuiz, speundef, 0x0C, 0x0B, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(efsctsiz, speundef, 0x0D, 0x0B, 0x00180000, PPC_SPE_SINGLE); // +-GEN_SPE(efststgt, efststlt, 0x0E, 0x0B, 0x00600000, PPC_SPE_SINGLE); // +-GEN_SPE(efststeq, speundef, 0x0F, 0x0B, 0x00600000, PPC_SPE_SINGLE); // ++GEN_SPE(efsadd, efssub, 0x00, 0x0B, 0x00000000, 0x00000000, PPC_SPE_SINGLE); // ++GEN_SPE(efsabs, 
efsnabs, 0x02, 0x0B, 0x0000F800, 0x0000F800, PPC_SPE_SINGLE); // ++GEN_SPE(efsneg, speundef, 0x03, 0x0B, 0x0000F800, 0xFFFFFFFF, PPC_SPE_SINGLE); // ++GEN_SPE(efsmul, efsdiv, 0x04, 0x0B, 0x00000000, 0x00000000, PPC_SPE_SINGLE); // ++GEN_SPE(efscmpgt, efscmplt, 0x06, 0x0B, 0x00600000, 0x00600000, PPC_SPE_SINGLE); // ++GEN_SPE(efscmpeq, efscfd, 0x07, 0x0B, 0x00600000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(efscfui, efscfsi, 0x08, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(efscfuf, efscfsf, 0x09, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(efsctui, efsctsi, 0x0A, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(efsctuf, efsctsf, 0x0B, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE); // ++GEN_SPE(efsctuiz, speundef, 0x0C, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE); // ++GEN_SPE(efsctsiz, speundef, 0x0D, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE); // ++GEN_SPE(efststgt, efststlt, 0x0E, 0x0B, 0x00600000, 0x00600000, PPC_SPE_SINGLE); // ++GEN_SPE(efststeq, speundef, 0x0F, 0x0B, 0x00600000, 0xFFFFFFFF, PPC_SPE_SINGLE); // + + /* Double precision floating-point operations */ + /* Arithmetic */ +@@ -8265,22 +8299,22 @@ + GEN_SPEFPUOP_COMP_64(efdtsteq); + + /* Opcodes definitions */ +-GEN_SPE(efdadd, efdsub, 0x10, 0x0B, 0x00000000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdcfuid, efdcfsid, 0x11, 0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdabs, efdnabs, 0x12, 0x0B, 0x0000F800, PPC_SPE_DOUBLE); // +-GEN_SPE(efdneg, speundef, 0x13, 0x0B, 0x0000F800, PPC_SPE_DOUBLE); // +-GEN_SPE(efdmul, efddiv, 0x14, 0x0B, 0x00000000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdctuidz, efdctsidz, 0x15, 0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdcmpgt, efdcmplt, 0x16, 0x0B, 0x00600000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdcmpeq, efdcfs, 0x17, 0x0B, 0x00600000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdcfui, efdcfsi, 0x18, 0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdcfuf, efdcfsf, 0x19, 0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdctui, efdctsi, 0x1A, 
0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdctuf, efdctsf, 0x1B, 0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdctuiz, speundef, 0x1C, 0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdctsiz, speundef, 0x1D, 0x0B, 0x00180000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdtstgt, efdtstlt, 0x1E, 0x0B, 0x00600000, PPC_SPE_DOUBLE); // +-GEN_SPE(efdtsteq, speundef, 0x1F, 0x0B, 0x00600000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdadd, efdsub, 0x10, 0x0B, 0x00000000, 0x00000000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdcfuid, efdcfsid, 0x11, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdabs, efdnabs, 0x12, 0x0B, 0x0000F800, 0x0000F800, PPC_SPE_DOUBLE); // ++GEN_SPE(efdneg, speundef, 0x13, 0x0B, 0x0000F800, 0xFFFFFFFF, PPC_SPE_DOUBLE); // ++GEN_SPE(efdmul, efddiv, 0x14, 0x0B, 0x00000000, 0x00000000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdctuidz, efdctsidz, 0x15, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdcmpgt, efdcmplt, 0x16, 0x0B, 0x00600000, 0x00600000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdcmpeq, efdcfs, 0x17, 0x0B, 0x00600000, 0x00180000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdcfui, efdcfsi, 0x18, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdcfuf, efdcfsf, 0x19, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdctui, efdctsi, 0x1A, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdctuf, efdctsf, 0x1B, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdctuiz, speundef, 0x1C, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_DOUBLE); // ++GEN_SPE(efdctsiz, speundef, 0x1D, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_DOUBLE); // ++GEN_SPE(efdtstgt, efdtstlt, 0x1E, 0x0B, 0x00600000, 0x00600000, PPC_SPE_DOUBLE); // ++GEN_SPE(efdtsteq, speundef, 0x1F, 0x0B, 0x00600000, 0xFFFFFFFF, PPC_SPE_DOUBLE); // + + static opcode_t opcodes[] = { + GEN_HANDLER(invalid, 0x00, 0x00, 0x00, 0xFFFFFFFF, PPC_NONE), +@@ -9049,84 +9083,84 @@ + GEN_VAFORM_PAIRED(vmaddfp, vnmsubfp, 23), + + #undef GEN_SPE +-#define GEN_SPE(name0, name1, opc2, opc3, inval, 
type) \ +-GEN_HANDLER(name0##_##name1, 0x04, opc2, opc3, inval, type) +-GEN_SPE(evaddw, speundef, 0x00, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evaddiw, speundef, 0x01, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evsubfw, speundef, 0x02, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evsubifw, speundef, 0x03, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evabs, evneg, 0x04, 0x08, 0x0000F800, PPC_SPE), +-GEN_SPE(evextsb, evextsh, 0x05, 0x08, 0x0000F800, PPC_SPE), +-GEN_SPE(evrndw, evcntlzw, 0x06, 0x08, 0x0000F800, PPC_SPE), +-GEN_SPE(evcntlsw, brinc, 0x07, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evmra, speundef, 0x02, 0x13, 0x0000F800, PPC_SPE), +-GEN_SPE(speundef, evand, 0x08, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evandc, speundef, 0x09, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evxor, evor, 0x0B, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evnor, eveqv, 0x0C, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evmwumi, evmwsmi, 0x0C, 0x11, 0x00000000, PPC_SPE), +-GEN_SPE(evmwumia, evmwsmia, 0x1C, 0x11, 0x00000000, PPC_SPE), +-GEN_SPE(evmwumiaa, evmwsmiaa, 0x0C, 0x15, 0x00000000, PPC_SPE), +-GEN_SPE(speundef, evorc, 0x0D, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evnand, speundef, 0x0F, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evsrwu, evsrws, 0x10, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evsrwiu, evsrwis, 0x11, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evslw, speundef, 0x12, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evslwi, speundef, 0x13, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evrlw, evsplati, 0x14, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evrlwi, evsplatfi, 0x15, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evmergehi, evmergelo, 0x16, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evmergehilo, evmergelohi, 0x17, 0x08, 0x00000000, PPC_SPE), +-GEN_SPE(evcmpgtu, evcmpgts, 0x18, 0x08, 0x00600000, PPC_SPE), +-GEN_SPE(evcmpltu, evcmplts, 0x19, 0x08, 0x00600000, PPC_SPE), +-GEN_SPE(evcmpeq, speundef, 0x1A, 0x08, 0x00600000, PPC_SPE), +- +-GEN_SPE(evfsadd, evfssub, 0x00, 0x0A, 0x00000000, PPC_SPE_SINGLE), +-GEN_SPE(evfsabs, evfsnabs, 0x02, 0x0A, 0x0000F800, 
PPC_SPE_SINGLE), +-GEN_SPE(evfsneg, speundef, 0x03, 0x0A, 0x0000F800, PPC_SPE_SINGLE), +-GEN_SPE(evfsmul, evfsdiv, 0x04, 0x0A, 0x00000000, PPC_SPE_SINGLE), +-GEN_SPE(evfscmpgt, evfscmplt, 0x06, 0x0A, 0x00600000, PPC_SPE_SINGLE), +-GEN_SPE(evfscmpeq, speundef, 0x07, 0x0A, 0x00600000, PPC_SPE_SINGLE), +-GEN_SPE(evfscfui, evfscfsi, 0x08, 0x0A, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(evfscfuf, evfscfsf, 0x09, 0x0A, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(evfsctui, evfsctsi, 0x0A, 0x0A, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(evfsctuf, evfsctsf, 0x0B, 0x0A, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(evfsctuiz, speundef, 0x0C, 0x0A, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(evfsctsiz, speundef, 0x0D, 0x0A, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(evfststgt, evfststlt, 0x0E, 0x0A, 0x00600000, PPC_SPE_SINGLE), +-GEN_SPE(evfststeq, speundef, 0x0F, 0x0A, 0x00600000, PPC_SPE_SINGLE), +- +-GEN_SPE(efsadd, efssub, 0x00, 0x0B, 0x00000000, PPC_SPE_SINGLE), +-GEN_SPE(efsabs, efsnabs, 0x02, 0x0B, 0x0000F800, PPC_SPE_SINGLE), +-GEN_SPE(efsneg, speundef, 0x03, 0x0B, 0x0000F800, PPC_SPE_SINGLE), +-GEN_SPE(efsmul, efsdiv, 0x04, 0x0B, 0x00000000, PPC_SPE_SINGLE), +-GEN_SPE(efscmpgt, efscmplt, 0x06, 0x0B, 0x00600000, PPC_SPE_SINGLE), +-GEN_SPE(efscmpeq, efscfd, 0x07, 0x0B, 0x00600000, PPC_SPE_SINGLE), +-GEN_SPE(efscfui, efscfsi, 0x08, 0x0B, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(efscfuf, efscfsf, 0x09, 0x0B, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(efsctui, efsctsi, 0x0A, 0x0B, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(efsctuf, efsctsf, 0x0B, 0x0B, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(efsctuiz, speundef, 0x0C, 0x0B, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(efsctsiz, speundef, 0x0D, 0x0B, 0x00180000, PPC_SPE_SINGLE), +-GEN_SPE(efststgt, efststlt, 0x0E, 0x0B, 0x00600000, PPC_SPE_SINGLE), +-GEN_SPE(efststeq, speundef, 0x0F, 0x0B, 0x00600000, PPC_SPE_SINGLE), +- +-GEN_SPE(efdadd, efdsub, 0x10, 0x0B, 0x00000000, PPC_SPE_DOUBLE), +-GEN_SPE(efdcfuid, efdcfsid, 0x11, 0x0B, 0x00180000, PPC_SPE_DOUBLE), 
+-GEN_SPE(efdabs, efdnabs, 0x12, 0x0B, 0x0000F800, PPC_SPE_DOUBLE), +-GEN_SPE(efdneg, speundef, 0x13, 0x0B, 0x0000F800, PPC_SPE_DOUBLE), +-GEN_SPE(efdmul, efddiv, 0x14, 0x0B, 0x00000000, PPC_SPE_DOUBLE), +-GEN_SPE(efdctuidz, efdctsidz, 0x15, 0x0B, 0x00180000, PPC_SPE_DOUBLE), +-GEN_SPE(efdcmpgt, efdcmplt, 0x16, 0x0B, 0x00600000, PPC_SPE_DOUBLE), +-GEN_SPE(efdcmpeq, efdcfs, 0x17, 0x0B, 0x00600000, PPC_SPE_DOUBLE), +-GEN_SPE(efdcfui, efdcfsi, 0x18, 0x0B, 0x00180000, PPC_SPE_DOUBLE), +-GEN_SPE(efdcfuf, efdcfsf, 0x19, 0x0B, 0x00180000, PPC_SPE_DOUBLE), +-GEN_SPE(efdctui, efdctsi, 0x1A, 0x0B, 0x00180000, PPC_SPE_DOUBLE), +-GEN_SPE(efdctuf, efdctsf, 0x1B, 0x0B, 0x00180000, PPC_SPE_DOUBLE), +-GEN_SPE(efdctuiz, speundef, 0x1C, 0x0B, 0x00180000, PPC_SPE_DOUBLE), +-GEN_SPE(efdctsiz, speundef, 0x1D, 0x0B, 0x00180000, PPC_SPE_DOUBLE), +-GEN_SPE(efdtstgt, efdtstlt, 0x1E, 0x0B, 0x00600000, PPC_SPE_DOUBLE), +-GEN_SPE(efdtsteq, speundef, 0x1F, 0x0B, 0x00600000, PPC_SPE_DOUBLE), ++#define GEN_SPE(name0, name1, opc2, opc3, inval0, inval1, type) \ ++ GEN_OPCODE_DUAL(name0##_##name1, 0x04, opc2, opc3, inval0, inval1, type, PPC_NONE) ++GEN_SPE(evaddw, speundef, 0x00, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evaddiw, speundef, 0x01, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evsubfw, speundef, 0x02, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evsubifw, speundef, 0x03, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evabs, evneg, 0x04, 0x08, 0x0000F800, 0x0000F800, PPC_SPE), ++GEN_SPE(evextsb, evextsh, 0x05, 0x08, 0x0000F800, 0x0000F800, PPC_SPE), ++GEN_SPE(evrndw, evcntlzw, 0x06, 0x08, 0x0000F800, 0x0000F800, PPC_SPE), ++GEN_SPE(evcntlsw, brinc, 0x07, 0x08, 0x0000F800, 0x00000000, PPC_SPE), ++GEN_SPE(evmra, speundef, 0x02, 0x13, 0x0000F800, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(speundef, evand, 0x08, 0x08, 0xFFFFFFFF, 0x00000000, PPC_SPE), ++GEN_SPE(evandc, speundef, 0x09, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evxor, evor, 0x0B, 0x08, 0x00000000, 
0x00000000, PPC_SPE), ++GEN_SPE(evnor, eveqv, 0x0C, 0x08, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(evmwumi, evmwsmi, 0x0C, 0x11, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(evmwumia, evmwsmia, 0x1C, 0x11, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(evmwumiaa, evmwsmiaa, 0x0C, 0x15, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(speundef, evorc, 0x0D, 0x08, 0xFFFFFFFF, 0x00000000, PPC_SPE), ++GEN_SPE(evnand, speundef, 0x0F, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evsrwu, evsrws, 0x10, 0x08, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(evsrwiu, evsrwis, 0x11, 0x08, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(evslw, speundef, 0x12, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evslwi, speundef, 0x13, 0x08, 0x00000000, 0xFFFFFFFF, PPC_SPE), ++GEN_SPE(evrlw, evsplati, 0x14, 0x08, 0x00000000, 0x0000F800, PPC_SPE), ++GEN_SPE(evrlwi, evsplatfi, 0x15, 0x08, 0x00000000, 0x0000F800, PPC_SPE), ++GEN_SPE(evmergehi, evmergelo, 0x16, 0x08, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(evmergehilo, evmergelohi, 0x17, 0x08, 0x00000000, 0x00000000, PPC_SPE), ++GEN_SPE(evcmpgtu, evcmpgts, 0x18, 0x08, 0x00600000, 0x00600000, PPC_SPE), ++GEN_SPE(evcmpltu, evcmplts, 0x19, 0x08, 0x00600000, 0x00600000, PPC_SPE), ++GEN_SPE(evcmpeq, speundef, 0x1A, 0x08, 0x00600000, 0xFFFFFFFF, PPC_SPE), ++ ++GEN_SPE(evfsadd, evfssub, 0x00, 0x0A, 0x00000000, 0x00000000, PPC_SPE_SINGLE), ++GEN_SPE(evfsabs, evfsnabs, 0x02, 0x0A, 0x0000F800, 0x0000F800, PPC_SPE_SINGLE), ++GEN_SPE(evfsneg, speundef, 0x03, 0x0A, 0x0000F800, 0xFFFFFFFF, PPC_SPE_SINGLE), ++GEN_SPE(evfsmul, evfsdiv, 0x04, 0x0A, 0x00000000, 0x00000000, PPC_SPE_SINGLE), ++GEN_SPE(evfscmpgt, evfscmplt, 0x06, 0x0A, 0x00600000, 0x00600000, PPC_SPE_SINGLE), ++GEN_SPE(evfscmpeq, speundef, 0x07, 0x0A, 0x00600000, 0xFFFFFFFF, PPC_SPE_SINGLE), ++GEN_SPE(evfscfui, evfscfsi, 0x08, 0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(evfscfuf, evfscfsf, 0x09, 0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(evfsctui, evfsctsi, 0x0A, 
0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(evfsctuf, evfsctsf, 0x0B, 0x0A, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(evfsctuiz, speundef, 0x0C, 0x0A, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE), ++GEN_SPE(evfsctsiz, speundef, 0x0D, 0x0A, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE), ++GEN_SPE(evfststgt, evfststlt, 0x0E, 0x0A, 0x00600000, 0x00600000, PPC_SPE_SINGLE), ++GEN_SPE(evfststeq, speundef, 0x0F, 0x0A, 0x00600000, 0xFFFFFFFF, PPC_SPE_SINGLE), ++ ++GEN_SPE(efsadd, efssub, 0x00, 0x0B, 0x00000000, 0x00000000, PPC_SPE_SINGLE), ++GEN_SPE(efsabs, efsnabs, 0x02, 0x0B, 0x0000F800, 0x0000F800, PPC_SPE_SINGLE), ++GEN_SPE(efsneg, speundef, 0x03, 0x0B, 0x0000F800, 0xFFFFFFFF, PPC_SPE_SINGLE), ++GEN_SPE(efsmul, efsdiv, 0x04, 0x0B, 0x00000000, 0x00000000, PPC_SPE_SINGLE), ++GEN_SPE(efscmpgt, efscmplt, 0x06, 0x0B, 0x00600000, 0x00600000, PPC_SPE_SINGLE), ++GEN_SPE(efscmpeq, efscfd, 0x07, 0x0B, 0x00600000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(efscfui, efscfsi, 0x08, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(efscfuf, efscfsf, 0x09, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(efsctui, efsctsi, 0x0A, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(efsctuf, efsctsf, 0x0B, 0x0B, 0x00180000, 0x00180000, PPC_SPE_SINGLE), ++GEN_SPE(efsctuiz, speundef, 0x0C, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE), ++GEN_SPE(efsctsiz, speundef, 0x0D, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_SINGLE), ++GEN_SPE(efststgt, efststlt, 0x0E, 0x0B, 0x00600000, 0x00600000, PPC_SPE_SINGLE), ++GEN_SPE(efststeq, speundef, 0x0F, 0x0B, 0x00600000, 0xFFFFFFFF, PPC_SPE_SINGLE), ++ ++GEN_SPE(efdadd, efdsub, 0x10, 0x0B, 0x00000000, 0x00000000, PPC_SPE_DOUBLE), ++GEN_SPE(efdcfuid, efdcfsid, 0x11, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE), ++GEN_SPE(efdabs, efdnabs, 0x12, 0x0B, 0x0000F800, 0x0000F800, PPC_SPE_DOUBLE), ++GEN_SPE(efdneg, speundef, 0x13, 0x0B, 0x0000F800, 0xFFFFFFFF, PPC_SPE_DOUBLE), ++GEN_SPE(efdmul, efddiv, 0x14, 0x0B, 0x00000000, 0x00000000, 
PPC_SPE_DOUBLE), ++GEN_SPE(efdctuidz, efdctsidz, 0x15, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE), ++GEN_SPE(efdcmpgt, efdcmplt, 0x16, 0x0B, 0x00600000, 0x00600000, PPC_SPE_DOUBLE), ++GEN_SPE(efdcmpeq, efdcfs, 0x17, 0x0B, 0x00600000, 0x00180000, PPC_SPE_DOUBLE), ++GEN_SPE(efdcfui, efdcfsi, 0x18, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE), ++GEN_SPE(efdcfuf, efdcfsf, 0x19, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE), ++GEN_SPE(efdctui, efdctsi, 0x1A, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE), ++GEN_SPE(efdctuf, efdctsf, 0x1B, 0x0B, 0x00180000, 0x00180000, PPC_SPE_DOUBLE), ++GEN_SPE(efdctuiz, speundef, 0x1C, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_DOUBLE), ++GEN_SPE(efdctsiz, speundef, 0x1D, 0x0B, 0x00180000, 0xFFFFFFFF, PPC_SPE_DOUBLE), ++GEN_SPE(efdtstgt, efdtstlt, 0x1E, 0x0B, 0x00600000, 0x00600000, PPC_SPE_DOUBLE), ++GEN_SPE(efdtsteq, speundef, 0x1F, 0x0B, 0x00600000, 0xFFFFFFFF, PPC_SPE_DOUBLE), + + #undef GEN_SPEOP_LDST + #define GEN_SPEOP_LDST(name, opc2, sh) \ +@@ -9456,11 +9490,19 @@ + opc3(ctx.opcode), ctx.opcode, ctx.nip - 4, (int)msr_ir); + } + } else { +- if (unlikely((ctx.opcode & handler->inval) != 0)) { ++ uint32_t inval; ++ ++ if (unlikely(handler->type & (PPC_SPE | PPC_SPE_SINGLE | PPC_SPE_DOUBLE) && Rc(ctx.opcode))) { ++ inval = handler->inval2; ++ } else { ++ inval = handler->inval1; ++ } ++ ++ if (unlikely((ctx.opcode & inval) != 0)) { + if (qemu_log_enabled()) { + qemu_log("invalid bits: %08x for opcode: " + "%02x - %02x - %02x (%08x) " TARGET_FMT_lx "\n", +- ctx.opcode & handler->inval, opc1(ctx.opcode), ++ ctx.opcode & inval, opc1(ctx.opcode), + opc2(ctx.opcode), opc3(ctx.opcode), + ctx.opcode, ctx.nip - 4); + } diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb index 2cc59f6..983e831 100644 --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb 
@@ -3,7 +3,7 @@ require qemu.inc LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" -PR = "r9" +PR = "r10" FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" FILESDIR = "${WORKDIR}" @@ -21,6 +21,7 @@ SRC_URI = "\ file://a4d1f142542935b90d2eb30f3aead4edcf455fe6.patch \ file://dummy-gl-config.patch \ file://0001-ppc64-Fix-linker-script.patch \ + file://ppc-s500-set-invalid-mask.patch \ " # Only use the GL passthrough patches for native/nativesdk versions -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
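Review bot: in the dispatch hunk (@@ -9456,11 +9490,19 @@) the mask is read from handler->inval1 and handler->inval2, while the rewritten GEN_SPE macro names the same two values inval0 and inval1; one numbering should be used in both places so that "inval1" does not mean the first mask in one and the second in the other. The condition `handler->type & (PPC_SPE | PPC_SPE_SINGLE | PPC_SPE_DOUBLE) && Rc(ctx.opcode)` is correct only because & binds tighter than &&, so explicit parentheses around the type test would make the intent obvious. In the recipe hunk the file is added as ppc-s500-set-invalid-mask.patch although the series refers to this change as an e500 fix, so the name looks like a typo that will be hard to search for later.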
* [denzil 13/18] qemu: backport patch to fix pl031 RTC 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (11 preceding siblings ...) 2013-02-07 23:56 ` [denzil 12/18] qemu: Fix illegal instruction errors on e500 emulation Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 14/18] nativesdk-qemu: fix SDK relocation issue Mark Hatle ` (4 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: "Roy.Li" <rongqing.li@windriver.com> Integrate the patch from: http://repo.or.cz/w/qemu.git/commit/13a16f1d91fc7a46b65b22a33f6ffea1b826a097 Signed-off-by: Roy.Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> (master rev: a2a47ebfc3c8afa93bbf28e4a243538ea61079ac) Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- ...-Actually-raise-interrupt-on-timer-expiry.patch | 41 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_0.15.1.bb | 1 + 2 files changed, 42 insertions(+) create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch new file mode 100644 index 0000000..2ccc663 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch 
@@ -0,0 +1,41 @@ +Upstream-Status: Backport +commit 13a16f1d91fc7a46b65b22a33f6ffea1b826a097 +in git://git.qemu.org/qemu.git master + +From 13a16f1d91fc7a46b65b22a33f6ffea1b826a097 Mon Sep 17 00:00:00 2001 +From: Peter Maydell <peter.maydell@linaro.org> +Date: Thu, 16 Feb 2012 09:56:10 +0000 +Subject: [PATCH] hw/pl031: Actually raise interrupt on timer expiry +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Fix a typo in pl031_interrupt() which meant we were setting a bit +in the interrupt mask rather than the interrupt status register +and thus not actually raising an interrupt. This fix allows the +rtctest program from the kernel's Documentation/rtc.txt to pass +rather than hanging. + +Reported-by: Daniel Forsgren <daniel.forsgren@enea.com> +Signed-off-by: Peter Maydell <peter.maydell@linaro.org> +Acked-by: Andreas Färber <afaerber@suse.de> +--- + hw/pl031.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/hw/pl031.c b/hw/pl031.c +index 05b5b11..69abc4f 100644 +--- a/hw/pl031.c ++++ b/hw/pl031.c +@@ -76,7 +76,7 @@ static void pl031_interrupt(void * opaque) + { + pl031_state *s = (pl031_state *)opaque; + +- s->im = 1; ++ s->is = 1; + DPRINTF("Alarm raised\n"); + pl031_update(s); + } +-- +1.7.4.1 + diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb index 983e831..0d0ef71 100644 --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb @@ -22,6 +22,7 @@ SRC_URI = "\ file://dummy-gl-config.patch \ file://0001-ppc64-Fix-linker-script.patch \ file://ppc-s500-set-invalid-mask.patch \ + file://hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch \ " # Only use the GL passthrough patches for native/nativesdk versions -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
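Review bot: the qemu_0.15.1.bb hunk adds hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch to SRC_URI without touching PR, whereas the neighbouring patches in this series that add a file to SRC_URI also bump PR (r9 to r10 in the patch before it, r10 to r11 in the one after); bump PR here as well, or say in the commit message why it is left to the next patch. Without it, a build that stops at this commit carries the `s->is = 1;` fix in pl031_interrupt() under the same package revision as a build without it.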
* [denzil 14/18] nativesdk-qemu: fix SDK relocation issue 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (12 preceding siblings ...) 2013-02-07 23:56 ` [denzil 13/18] qemu: backport patch to fix pl031 RTC Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 15/18] qemu CVE-2012-3515 Mark Hatle ` (3 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Laurentiu Palcu <laurentiu.palcu@intel.com> User mode emulation binaries are linked using a local linker script. The nativesdk ones were not used and the resulting binaries did not have the interp section resized. Hence, those binaries could not be relocated. [YOCTO #3083] (master rev: da014e900adfe96f01290c5a8f5fb08e295ca204) Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> ported to qemu 0.15.1 Signed-off-by: Jason Wessel <jason.wessel@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../qemu/qemu-0.15.1/relocatable_sdk.patch | 34 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_0.15.1.bb | 3 +- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/relocatable_sdk.patch diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/relocatable_sdk.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/relocatable_sdk.patch new file mode 100644 index 0000000..0a01a8a --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/relocatable_sdk.patch 
@@ -0,0 +1,34 @@ +Upstream-Status: Inappropriate [SDK specific] + +In order to be able to change the dynamic loader path when relocating +binaries, the interp section has to be made big enough to accomodate +the new path (4096 is the maximum path length in Linux). + +Signed-off-by: Laurentiu Palcu <laurentiu.palcu@intel.com> + +Index: qemu-1.2.0/i386.ld +=================================================================== +--- qemu-1.2.0.orig/i386.ld ++++ qemu-1.2.0/i386.ld +@@ -8,7 +8,7 @@ SECTIONS + { + /* Read-only sections, merged into text segment: */ + . = 0x60000000 + SIZEOF_HEADERS; +- .interp : { *(.interp) } ++ .interp : { *(.interp); . = 0x1000; } + .hash : { *(.hash) } + .dynsym : { *(.dynsym) } + .dynstr : { *(.dynstr) } +Index: qemu-1.2.0/x86_64.ld +=================================================================== +--- qemu-1.2.0.orig/x86_64.ld ++++ qemu-1.2.0/x86_64.ld +@@ -6,7 +6,7 @@ SECTIONS + { + /* Read-only sections, merged into text segment: */ + . = 0x60000000 + SIZEOF_HEADERS; +- .interp : { *(.interp) } ++ .interp : { *(.interp); . = 0x1000; } + .hash : { *(.hash) } + .dynsym : { *(.dynsym) } + .dynstr : { *(.dynstr) } diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb index 0d0ef71..cb0e5dd 100644 --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb @@ -3,7 +3,7 @@ require qemu.inc LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" -PR = "r10" +PR = "r11" FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" FILESDIR = "${WORKDIR}" 
@@ -44,6 +44,7 @@ SRC_URI_append_virtclass-native = "\ SRC_URI_append_virtclass-nativesdk = "\ ${@base_contains('DISTRO_FEATURES', 'x11', '${QEMUGLPATCHES} file://glflags.patch', '', d)} \ + file://relocatable_sdk.patch \ " SRC_URI[md5sum] = "34f17737baaf1b3495c89cd6d4a607ed" SRC_URI[sha256sum] = "7705b14d9b8e4df4a0b1790980e618084261e8daef0672a1aa7a830a0f3db5ba" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
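Review bot: the added `. = 0x1000;` inside .interp in i386.ld and x86_64.ld is a bare magic number in the linker scripts; the reason (room for a dynamic loader path of up to 4096 bytes) is given only in the patch header, so a short comment next to the assignment would keep it from being removed later as noise. The Index: and ---/+++ paths still read qemu-1.2.0 although the commit message says the change was ported to qemu 0.15.1, and only the i386 and x86_64 scripts are changed, so the header should state that these are the only SDK host architectures that need relocation.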
* [denzil 15/18] qemu CVE-2012-3515 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (13 preceding siblings ...) 2013-02-07 23:56 ` [denzil 14/18] nativesdk-qemu: fix SDK relocation issue Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 16/18] lighttpd: fixing invalid read in valgrind Mark Hatle ` (2 subsequent siblings) 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Li Wang <li.wang@windriver.com> [ CQID: WIND00392008 ] the patch comes from: http://xenbits.xen.org/gitweb/?p=qemu-upstream-unstable.git;a=commit;h=87650d262dea07c955a683dcac75db86477c7ee3 console: bounds check whenever changing the cursor due to an escape code This is XSA-17 / CVE-2012-3515 Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a device model's address space. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3515 Signed-off-by: Ian Campbell <ian.campbell@citrix.com> Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch | 129 +++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_0.15.1.bb | 3 +- 2 files changed, 131 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch new file mode 100644 index 0000000..10c8b21 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/qemu-CVE-2012-3515.patch 
@@ -0,0 +1,129 @@ +qemu CVE-2012-3515 + +the patch come from: +http://xenbits.xen.org/gitweb/?p=qemu-upstream-unstable.git;a=commit;h=87650d262dea07c955a683dcac75db86477c7ee3 +console: bounds check whenever changing the cursor due to an escape code +This is XSA-17 / CVE-2012-3515 + +Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating +certain devices with a virtual console backend, allows local OS guest +users to gain privileges via a crafted escape VT100 sequence that triggers +the overwrite of a device model's address space. +http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3515 + +Signed-off-by: Ian Campbell <ian.campbell@citrix.com> +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + console.c | 57 ++++++++++++++++++++++++++++----------------------------- + 1 files changed, 28 insertions(+), 29 deletions(-) + +diff --git a/console.c b/console.c +index acd8ca1..ed88462 100644 +--- a/console.c ++++ b/console.c +@@ -833,6 +833,26 @@ static void console_clear_xy(TextConsole *s, int x, int y) + update_xy(s, x, y); + } + ++/* set cursor, checking bounds */ ++static void set_cursor(TextConsole *s, int x, int y) ++{ ++ if (x < 0) { ++ x = 0; ++ } ++ if (y < 0) { ++ y = 0; ++ } ++ if (y >= s->height) { ++ y = s->height - 1; ++ } ++ if (x >= s->width) { ++ x = s->width - 1; ++ } ++ ++ s->x = x; ++ s->y = y; ++} ++ + static void console_putchar(TextConsole *s, int ch) + { + TextCell *c; +@@ -904,7 +924,8 @@ static void console_putchar(TextConsole *s, int ch) + s->esc_params[s->nb_esc_params] * 10 + ch - '0'; + } + } else { +- s->nb_esc_params++; ++ if (s->nb_esc_params < MAX_ESC_PARAMS) ++ s->nb_esc_params++; + if (ch == ';') + break; + #ifdef DEBUG_CONSOLE +@@ -918,59 +939,37 @@ static void console_putchar(TextConsole *s, int ch) + if (s->esc_params[0] == 0) { + s->esc_params[0] = 1; + } +- s->y -= s->esc_params[0]; +- if (s->y < 0) { +- s->y = 0; +- } ++ set_cursor(s, s->x, s->y - s->esc_params[0]); + break; + case 'B': + /* move cursor 
down */ + if (s->esc_params[0] == 0) { + s->esc_params[0] = 1; + } +- s->y += s->esc_params[0]; +- if (s->y >= s->height) { +- s->y = s->height - 1; +- } ++ set_cursor(s, s->x, s->y + s->esc_params[0]); + break; + case 'C': + /* move cursor right */ + if (s->esc_params[0] == 0) { + s->esc_params[0] = 1; + } +- s->x += s->esc_params[0]; +- if (s->x >= s->width) { +- s->x = s->width - 1; +- } ++ set_cursor(s, s->x + s->esc_params[0], s->y); + break; + case 'D': + /* move cursor left */ + if (s->esc_params[0] == 0) { + s->esc_params[0] = 1; + } +- s->x -= s->esc_params[0]; +- if (s->x < 0) { +- s->x = 0; +- } ++ set_cursor(s, s->x - s->esc_params[0], s->y); + break; + case 'G': + /* move cursor to column */ +- s->x = s->esc_params[0] - 1; +- if (s->x < 0) { +- s->x = 0; +- } ++ set_cursor(s, s->esc_params[0] - 1, s->y); + break; + case 'f': + case 'H': + /* move cursor to row, column */ +- s->x = s->esc_params[1] - 1; +- if (s->x < 0) { +- s->x = 0; +- } +- s->y = s->esc_params[0] - 1; +- if (s->y < 0) { +- s->y = 0; +- } ++ set_cursor(s, s->esc_params[1] - 1, s->esc_params[0] - 1); + break; + case 'J': + switch (s->esc_params[0]) { +-- +1.7.0.5 + diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb index cb0e5dd..75d3d8e 100644 --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb @@ -3,7 +3,7 @@ require qemu.inc LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" -PR = "r11" +PR = "r12" FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" FILESDIR = "${WORKDIR}" 
@@ -23,6 +23,7 @@ SRC_URI = "\ file://0001-ppc64-Fix-linker-script.patch \ file://ppc-s500-set-invalid-mask.patch \ file://hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch \ + file://qemu-CVE-2012-3515.patch \ " # Only use the GL passthrough patches for native/nativesdk versions -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
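Review bot: the new cap in console_putchar(), `if (s->nb_esc_params < MAX_ESC_PARAMS) s->nb_esc_params++;`, still lets the counter reach MAX_ESC_PARAMS, so it is worth confirming that the digit branch just above it, which writes `s->esc_params[s->nb_esc_params]`, is guarded by the same comparison; that guard lies outside the visible context. The added `if` also omits braces while set_cursor() in the same patch uses them on every branch. Finally, qemu-CVE-2012-3515.patch carries no Upstream-Status line, unlike the pl031 and relocatable_sdk patches in this series; since the header says it was taken from the Xen qemu-upstream-unstable tree, it should read `Upstream-Status: Backport`.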
* [denzil 16/18] lighttpd: fixing invalid read in valgrind 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (14 preceding siblings ...) 2013-02-07 23:56 ` [denzil 15/18] qemu CVE-2012-3515 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 17/18] lighttpd: CVE-2012-5533 Mark Hatle 2013-02-07 23:56 ` [denzil 18/18] qemu-0.15.1: Add addition environment space to boot loader qemu-system-mips Mark Hatle 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Li Wang <li.wang@windriver.com> [ CQID: WIND00393362 ] Fix handling of empty header list entries in http_request_split_value, fixing invalid read in valgrind (fixes #2413) http://redmine.lighttpd.net/issues/2413 http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830 Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../lighttpd-fixing-invalid-read-in-valgrind.patch | 33 ++++++++++++++++++++++ meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb | 3 +- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/lighttpd/files/lighttpd-fixing-invalid-read-in-valgrind.patch diff --git a/meta/recipes-extended/lighttpd/files/lighttpd-fixing-invalid-read-in-valgrind.patch b/meta/recipes-extended/lighttpd/files/lighttpd-fixing-invalid-read-in-valgrind.patch new file mode 100644 index 0000000..9c2e574 --- /dev/null +++ b/meta/recipes-extended/lighttpd/files/lighttpd-fixing-invalid-read-in-valgrind.patch 
@@ -0,0 +1,33 @@ +lighttpd: fixing invalid read in valgrind + +Fix handling of empty header list entries in http_request_split_value, +fixing invalid read in valgrind (fixes #2413) + +http://redmine.lighttpd.net/issues/2413 +http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2830 + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + src/request.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletions(-) + +diff --git a/src/request.c b/src/request.c +index a48bf48..e76a98f 100644 +--- a/src/request.c ++++ b/src/request.c +@@ -241,9 +241,11 @@ static int http_request_split_value(array *vals, buffer *b) { + start = s; + + for (; *s != ',' && i < b->used - 1; i++, s++); ++ if (start == s) break; /* empty fields are skipped */ + end = s - 1; + +- for (; (*end == ' ' || *end == '\t') && end > start; end--); ++ for (; end > start && (*end == ' ' || *end == '\t'); end--); ++ if (start == end) break; /* empty fields are skipped */ + + if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { + ds = data_string_init(); +-- +1.7.0.5 + diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb index 3ae3867..c4008af 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb @@ -16,12 +16,13 @@ RDEPENDS_${PN} += " \ lighttpd-module-staticfile \ " -PR = "r0" +PR = "r1" SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.bz2 \ file://index.html.lighttpd \ file://lighttpd.conf \ file://lighttpd \ + file://lighttpd-fixing-invalid-read-in-valgrind.patch \ " SRC_URI[md5sum] = "63f9df52dcae0ab5689a95c99c54e48a" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
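Review bot: both added tests, `if (start == s) break;` and `if (start == end) break;`, are commented "empty fields are skipped", but `break` only leaves the `switch (state)` (visible in the 17/18 hunk on the same function), and the enclosing `for (i =0; i < b->used - 1; )` has no increment of its own, so after the first test neither i nor s has advanced and state is still 1. The second test also fires for a one-character value, where end equals start after trimming without the field being empty. This patch should not be applied or shipped without 17/18, which replaces the loop; saying so in the commit message, or squashing the two, would prevent a partial backport.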
* [denzil 17/18] lighttpd: CVE-2012-5533 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (15 preceding siblings ...) 2013-02-07 23:56 ` [denzil 16/18] lighttpd: fixing invalid read in valgrind Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 2013-02-07 23:56 ` [denzil 18/18] qemu-0.15.1: Add addition environment space to boot loader qemu-system-mips Mark Hatle 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Li Wang <li.wang@windriver.com> [ CQID: WIND00392071 ] fix DoS in Connection header value split. http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../lighttpd/files/lighttpd-CVE-2012-5533.patch | 120 +++++++++++++++++++++ meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb | 3 +- 2 files changed, 122 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch diff --git a/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch b/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch new file mode 100644 index 0000000..a9a35a6 --- /dev/null +++ b/meta/recipes-extended/lighttpd/files/lighttpd-CVE-2012-5533.patch 
@@ -0,0 +1,120 @@ +lighttpd: CVE-2012-5533 + +fix DoS in Connection header value split. +http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2012_01.txt +http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.31_fix_connection_header_dos.patch + +Signed-off-by: Li Wang <li.wang@windriver.com> +--- + src/request.c | 75 +++++++++++++++++++++++++++++---------------------------- + 1 files changed, 38 insertions(+), 37 deletions(-) + +diff --git a/src/request.c b/src/request.c +index e76a98f..46d636c 100644 +--- a/src/request.c ++++ b/src/request.c +@@ -209,9 +209,11 @@ static int request_check_hostname(server *srv, connection *con, buffer *host) { + #endif + + static int http_request_split_value(array *vals, buffer *b) { +- char *s; + size_t i; + int state = 0; ++ ++ const char *current; ++ const char *token_start = NULL, *token_end = NULL; + /* + * parse + * +@@ -222,53 +224,52 @@ static int http_request_split_value(array *vals, buffer *b) { + + if (b->used == 0) return 0; + +- s = b->ptr; +- +- for (i =0; i < b->used - 1; ) { +- char *start = NULL, *end = NULL; ++ current = b->ptr; ++ for (i = 0; i < b->used; ++i, ++current) { + data_string *ds; + + switch (state) { +- case 0: /* ws */ +- +- /* skip ws */ +- for (; (*s == ' ' || *s == '\t') && i < b->used - 1; i++, s++); +- +- +- state = 1; +- break; +- case 1: /* value */ +- start = s; +- +- for (; *s != ',' && i < b->used - 1; i++, s++); +- if (start == s) break; /* empty fields are skipped */ +- end = s - 1; +- +- for (; end > start && (*end == ' ' || *end == '\t'); end--); +- if (start == end) break; /* empty fields are skipped */ +- +- if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { +- ds = data_string_init(); ++ case 0: /* find start of a token */ ++ switch (*current) { ++ case ' ': ++ case '\t': /* skip white space */ ++ case ',': /* skip empty token */ ++ break; ++ case '\0': /* end of string */ ++ return 0; ++ default: ++ /* found real data, switch to state 1 to 
find the end of the token */ ++ token_start = token_end = current; ++ state = 1; ++ break; + } ++ break; ++ case 1: /* find end of token and last non white space character */ ++ switch (*current) { ++ case ' ': ++ case '\t': ++ /* space - don't update token_end */ ++ break; ++ case ',': ++ case '\0': /* end of string also marks the end of a token */ ++ if (NULL == (ds = (data_string *)array_get_unused_element(vals, TYPE_STRING))) { ++ ds = data_string_init(); ++ } + +- buffer_copy_string_len(ds->value, start, end-start+1); +- array_insert_unique(vals, (data_unset *)ds); ++ buffer_copy_string_len(ds->value, token_start, token_end-token_start+1); ++ array_insert_unique(vals, (data_unset *)ds); + +- if (*s == ',') { + state = 0; +- i++; +- s++; +- } else { +- /* end of string */ +- +- state = 2; ++ break; ++ default: ++ /* no white space, update token_end to include current character */ ++ token_end = current; ++ break; + } + break; +- default: +- i++; +- break; + } + } ++ + return 0; + } + +-- +1.7.0.5 + diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb index c4008af..b86fd4a 100644 --- a/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb +++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.30.bb @@ -16,13 +16,14 @@ RDEPENDS_${PN} += " \ lighttpd-module-staticfile \ " -PR = "r1" +PR = "r2" SRC_URI = "http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${PV}.tar.bz2 \ file://index.html.lighttpd \ file://lighttpd.conf \ file://lighttpd \ file://lighttpd-fixing-invalid-read-in-valgrind.patch \ + file://lighttpd-CVE-2012-5533.patch \ " SRC_URI[md5sum] = "63f9df52dcae0ab5689a95c99c54e48a" -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
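Review bot: the rewritten loop in http_request_split_value() runs to `i < b->used` (the old bound was `b->used - 1`) and stores the last token only when it reads '\0' in state 1, so it depends on b->used counting a terminating NUL; a one-line comment stating that invariant, or a flush after the loop when state is still 1, would keep the final token from being dropped if the buffer is ever not terminated. The states remain the bare integers 0 and 1, and named constants would match the new comments. lighttpd-CVE-2012-5533.patch has no Upstream-Status line; since its header points at the upstream security fix, add `Upstream-Status: Backport`.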
* [denzil 18/18] qemu-0.15.1: Add addition environment space to boot loader qemu-system-mips 2013-02-07 23:56 [denzil 00/18] Various fixes for Denzil branch Mark Hatle ` (16 preceding siblings ...) 2013-02-07 23:56 ` [denzil 17/18] lighttpd: CVE-2012-5533 Mark Hatle @ 2013-02-07 23:56 ` Mark Hatle 17 siblings, 0 replies; 22+ messages in thread From: Mark Hatle @ 2013-02-07 23:56 UTC (permalink / raw) To: openembedded-core From: Jason Wessel <jason.wessel@windriver.com> [ CQID: WIND00401085 ] The qemu mips malta base board boot loader uses environment strings with a max length of 256 bytes which is not long enough to accommodate a long NFS path in addition to the normal kernel boot command line arguments. The solution is to expand the environment string length to 512 bytes. Signed-off-by: Jason Wessel <jason.wessel@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> --- .../qemu/qemu-0.15.1/extra_mips_env_space.patch | 24 ++++++++++++++++++++++ meta/recipes-devtools/qemu/qemu_0.15.1.bb | 3 ++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-devtools/qemu/qemu-0.15.1/extra_mips_env_space.patch diff --git a/meta/recipes-devtools/qemu/qemu-0.15.1/extra_mips_env_space.patch b/meta/recipes-devtools/qemu/qemu-0.15.1/extra_mips_env_space.patch new file mode 100644 index 0000000..62483a9 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu-0.15.1/extra_mips_env_space.patch 
@@ -0,0 +1,24 @@ +If you create a project with very long directory names like 128 characters +deep and use NFS, the kernel arguments will be truncated. The kernel will +accept longer strings such as 512 bytes, but the qemu boot loader defaulted +to only 256 bytes. This patch expands the limit. + +Upstream-Status: Inappropriate - OE uses deep paths + +Signed-off-by: Jason Wessel <jason.wessel@windriver.com> + +--- + hw/mips_malta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/hw/mips_malta.c ++++ b/hw/mips_malta.c +@@ -51,7 +51,7 @@ + + #define ENVP_ADDR 0x80002000l + #define ENVP_NB_ENTRIES 16 +-#define ENVP_ENTRY_SIZE 256 ++#define ENVP_ENTRY_SIZE 512 + + #define MAX_IDE_BUS 2 + diff --git a/meta/recipes-devtools/qemu/qemu_0.15.1.bb b/meta/recipes-devtools/qemu/qemu_0.15.1.bb index 75d3d8e..4567118 100644 --- a/meta/recipes-devtools/qemu/qemu_0.15.1.bb +++ b/meta/recipes-devtools/qemu/qemu_0.15.1.bb @@ -3,7 +3,7 @@ require qemu.inc LIC_FILES_CHKSUM = "file://COPYING;md5=441c28d2cf86e15a37fa47e15a72fbac \ file://COPYING.LIB;endline=24;md5=c04def7ae38850e7d3ef548588159913" -PR = "r12" +PR = "r13" FILESPATH = "${FILE_DIRNAME}/qemu-${PV}" FILESDIR = "${WORKDIR}" @@ -24,6 +24,7 @@ SRC_URI = "\ file://ppc-s500-set-invalid-mask.patch \ file://hw-pl031-Actually-raise-interrupt-on-timer-expiry.patch \ file://qemu-CVE-2012-3515.patch \ + file://extra_mips_env_space.patch \ " # Only use the GL passthrough patches for native/nativesdk versions -- 1.8.1.2.545.g2f19ada ^ permalink raw reply related [flat|nested] 22+ messages in thread
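Review bot: raising ENVP_ENTRY_SIZE from 256 to 512 in hw/mips_malta.c doubles the string storage for the ENVP_NB_ENTRIES (16) entries placed at ENVP_ADDR 0x80002000, and the patch does not say what follows that region in guest memory; the header should state that the larger block still fits before whatever is loaded next. The Upstream-Status line uses the form "Inappropriate - OE uses deep paths" while relocatable_sdk.patch in this series uses the bracketed form "Inappropriate [SDK specific]"; use the bracketed form here too.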