6 files changed, 21 insertions, 110 deletions

diff --git a/emulators/qemu/Makefile b/emulators/qemu/Makefile
index 4acd9eb3596..81f103d1121 100644
--- a/emulators/qemu/Makefile
+++ b/emulators/qemu/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.140 2015/06/12 10:50:04 wiz Exp $
+# $NetBSD: Makefile,v 1.141 2015/08/12 06:55:59 ryoon Exp $
 
-DISTNAME=	qemu-2.3.0
-PKGREVISION=	2
+DISTNAME=	qemu-2.4.0
 CATEGORIES=	emulators
 MASTER_SITES=	http://wiki.qemu.org/download/
 EXTRACT_SUFX=	.tar.bz2
@@ -38,10 +37,6 @@ CONFIGURE_ARGS+=	--enable-curses
 #HF#CONFIGURE_ARGS+=	--disable-fdt			# HF: build on OS X
 CONFIGURE_ENV+=		mansuffix=/${PKGMANDIR}
 
-CONF_FILES=		${EGDIR}/target-x86_64.conf \
-			${PKG_SYSCONFDIR}/target-x86_64.conf
-EGDIR=			${PREFIX}/share/examples/qemu
-INSTALL_MAKE_FLAGS=	egdir=${EGDIR}
 PKG_SYSCONFSUBDIR=	qemu
 
 REPLACE_PERL+=		scripts/texi2pod.pl
diff --git a/emulators/qemu/PLIST b/emulators/qemu/PLIST
index f391b28004b..69bc9e2fd55 100644
--- a/emulators/qemu/PLIST
+++ b/emulators/qemu/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.42 2015/06/10 20:40:11 ryoon Exp $
+@comment $NetBSD: PLIST,v 1.43 2015/08/12 06:55:59 ryoon Exp $
 ${PLIST.alpha}bin/qemu-alpha
 ${PLIST.arm}bin/qemu-arm
 ${PLIST.armeb}bin/qemu-armeb
@@ -60,7 +60,6 @@ share/doc/qemu/Makefile.multinode-NetBSD
 share/doc/qemu/qemu-doc.html
 share/doc/qemu/qemu-tech.html
 share/doc/qemu/qmp-commands.txt
-share/examples/qemu/target-x86_64.conf
 share/qemu/QEMU,cgthree.bin
 share/qemu/QEMU,tcx.bin
 share/qemu/acpi-dsdt.aml
@@ -139,5 +138,6 @@ share/qemu/u-boot.e500
 share/qemu/vgabios-cirrus.bin
 share/qemu/vgabios-qxl.bin
 share/qemu/vgabios-stdvga.bin
+share/qemu/vgabios-virtio.bin
 share/qemu/vgabios-vmware.bin
 share/qemu/vgabios.bin
diff --git a/emulators/qemu/distinfo b/emulators/qemu/distinfo
index f2d3be2ef36..80a0c5e0983 100644
--- a/emulators/qemu/distinfo
+++ b/emulators/qemu/distinfo
@@ -1,17 +1,16 @@
-$NetBSD: distinfo,v 1.104 2015/05/16 03:19:54 khorben Exp $
+$NetBSD: distinfo,v 1.105 2015/08/12 06:55:59 ryoon Exp $
 
-SHA1 (qemu-2.3.0.tar.bz2) = 373d74bfafce1ca45f85195190d0a5e22b29299e
-RMD160 (qemu-2.3.0.tar.bz2) = cb203bf3faa316c9eb4ceeb975441deab6f9b2f7
-Size (qemu-2.3.0.tar.bz2) = 24683085 bytes
+SHA1 (qemu-2.4.0.tar.bz2) = 27c4651243ad885a2a3b35fe6d2532e6a7f0711e
+RMD160 (qemu-2.4.0.tar.bz2) = f3b5ce602574aec28a5b5e43591248d4358ec5f7
+Size (qemu-2.4.0.tar.bz2) = 25070979 bytes
 SHA1 (patch-configure) = 2d0d2549056c9f53a932b236ed4d69a5ee58a856
 SHA1 (patch-ef) = 6e57de87f91067e8a9a1388c91133a31b3582b3a
-SHA1 (patch-et) = 036e1a254ce40df635dfb6107d2707879467e127
-SHA1 (patch-hw_block_fdc.c) = a49f714266b767953d78aa42492cde3ba4ecb06a
+SHA1 (patch-et) = e9b850ac5985cbe934b541acbfdb330cce421d50
 SHA1 (patch-hw_display_omap__dss.c) = 6b13242f28e32346bc70548c216c578d98fd3420
 SHA1 (patch-hw_net_etraxfs__eth.c) = e5dd1661d60dbcd27b332403e0843500ba9544bc
 SHA1 (patch-hw_net_xilinx__axienet.c) = ebcd2676d64ce6f31e4a8c976d4fdf530ad5e8b7
 SHA1 (patch-hw_ppc_mac__newworld.c) = 9a0ec3ba0b6da2879fdaba6a7937fb16a02685f5
 SHA1 (patch-hw_ppc_mac__oldworld.c) = 46322c77c87be6d517c43466325c344db99cd463
-SHA1 (patch-memory.c) = 14df9c835ca318fc79a8d3a46bb94d2f229277cc
+SHA1 (patch-memory.c) = f5193fb86a6fad5864477dafc4651d3d51147cc8
 SHA1 (patch-slirp_tcp__subr.c) = cfc8289384fa987289e32b64532c13a83a890820
 SHA1 (patch-tests_Makefile) = 44ec206f8061274d0c0a7ca0d4a3e2dbe936fafa
diff --git a/emulators/qemu/patches/patch-et b/emulators/qemu/patches/patch-et
index e8ed9a4736c..6ce599fabbf 100644
--- a/emulators/qemu/patches/patch-et
+++ b/emulators/qemu/patches/patch-et
@@ -1,8 +1,8 @@
-$NetBSD: patch-et,v 1.13 2014/01/15 18:26:20 wiz Exp $
+$NetBSD: patch-et,v 1.14 2015/08/12 06:55:59 ryoon Exp $
 
---- Makefile.orig	2013-11-27 22:15:55.000000000 +0000
+--- Makefile.orig	2015-08-11 19:11:05.000000000 +0000
 +++ Makefile
-@@ -155,6 +155,7 @@ $(SRC_PATH)/pixman/configure:
+@@ -189,6 +189,7 @@ $(SRC_PATH)/pixman/configure:
  DTC_MAKE_ARGS=-I$(SRC_PATH)/dtc VPATH=$(SRC_PATH)/dtc -C dtc V="$(V)" LIBFDT_srcdir=$(SRC_PATH)/dtc/libfdt
  DTC_CFLAGS=$(CFLAGS) $(QEMU_CFLAGS)
  DTC_CPPFLAGS=-I$(BUILD_DIR)/dtc -I$(SRC_PATH)/dtc -I$(SRC_PATH)/dtc/libfdt
@@ -10,15 +10,3 @@ $NetBSD: patch-et,v 1.13 2014/01/15 18:26:20 wiz Exp $
  
  subdir-dtc:dtc/libfdt dtc/tests
  	$(call quiet-command,$(MAKE) $(DTC_MAKE_ARGS) CPPFLAGS="$(DTC_CPPFLAGS)" CFLAGS="$(DTC_CFLAGS)" LDFLAGS="$(LDFLAGS)" ARFLAGS="$(ARFLAGS)" CC="$(CC)" AR="$(AR)" LD="$(LD)" $(SUBDIR_MAKEFLAGS) libfdt/libfdt.a,)
-@@ -340,8 +341,9 @@ endif
- install-confdir:
- 	$(INSTALL_DIR) "$(DESTDIR)$(qemu_confdir)"
- 
--install-sysconfig: install-datadir install-confdir
--	$(INSTALL_DATA) $(SRC_PATH)/sysconfigs/target/target-x86_64.conf "$(DESTDIR)$(qemu_confdir)"
-+install-sysconfig:
-+	$(INSTALL_DIR) "$(DESTDIR)$(egdir)"
-+	$(INSTALL_DATA) $(SRC_PATH)/sysconfigs/target/target-x86_64.conf "$(DESTDIR)$(egdir)"
- 
- install: all $(if $(BUILD_DOCS),install-doc) install-sysconfig \
- install-datadir install-localstatedir
diff --git a/emulators/qemu/patches/patch-hw_block_fdc.c b/emulators/qemu/patches/patch-hw_block_fdc.c
deleted file mode 100644
index baf23a3e69f..00000000000
--- a/emulators/qemu/patches/patch-hw_block_fdc.c
+++ /dev/null
@@ -1,71 +0,0 @@
-$NetBSD: patch-hw_block_fdc.c,v 1.1 2015/05/16 03:19:54 khorben Exp $
-
-fdc: force the fifo access to be in bounds of the allocated buffer
-
-During processing of certain commands such as FD_CMD_READ_ID and
-FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could
-get out of bounds leading to memory corruption with values coming
-from the guest.
-
-Fix this by making sure that the index is always bounded by the
-allocated memory.
-
-This is CVE-2015-3456.
-
---- hw/block/fdc.c.orig	2015-04-27 14:08:23.000000000 +0000
-+++ hw/block/fdc.c
-@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl 
- {
-     FDrive *cur_drv;
-     uint32_t retval = 0;
--    int pos;
-+    uint32_t pos;
- 
-     cur_drv = get_cur_drv(fdctrl);
-     fdctrl->dsr &= ~FD_DSR_PWRDOWN;
-@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl 
-         return 0;
-     }
-     pos = fdctrl->data_pos;
-+    pos %= FD_SECTOR_LEN;
-     if (fdctrl->msr & FD_MSR_NONDMA) {
--        pos %= FD_SECTOR_LEN;
-         if (pos == 0) {
-             if (fdctrl->data_pos != 0)
-                 if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) {
-@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl 
- static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction)
- {
-     FDrive *cur_drv = get_cur_drv(fdctrl);
-+    uint32_t pos;
- 
--    if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) {
-+    pos = fdctrl->data_pos - 1;
-+    pos %= FD_SECTOR_LEN;
-+    if (fdctrl->fifo[pos] & 0x80) {
-         /* Command parameters done */
--        if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) {
-+        if (fdctrl->fifo[pos] & 0x40) {
-             fdctrl->fifo[0] = fdctrl->fifo[1];
-             fdctrl->fifo[2] = 0;
-             fdctrl->fifo[3] = 0;
-@@ -1970,7 +1973,7 @@ static uint8_t command_to_handler[256];
- static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value)
- {
-     FDrive *cur_drv;
--    int pos;
-+    uint32_t pos;
- 
-     /* Reset mode */
-     if (!(fdctrl->dor & FD_DOR_nRESET)) {
-@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fd
-     }
- 
-     FLOPPY_DPRINTF("%s: %02x\n", __func__, value);
--    fdctrl->fifo[fdctrl->data_pos++] = value;
-+    pos = fdctrl->data_pos++;
-+    pos %= FD_SECTOR_LEN;
-+    fdctrl->fifo[pos] = value;
-     if (fdctrl->data_pos == fdctrl->data_len) {
-         /* We now have all parameters
-          * and will be able to treat the command
diff --git a/emulators/qemu/patches/patch-memory.c b/emulators/qemu/patches/patch-memory.c
index 5b8dda15571..9f9671af278 100644
--- a/emulators/qemu/patches/patch-memory.c
+++ b/emulators/qemu/patches/patch-memory.c
@@ -1,13 +1,13 @@
-$NetBSD: patch-memory.c,v 1.8 2014/01/15 18:26:20 wiz Exp $
+$NetBSD: patch-memory.c,v 1.9 2015/08/12 06:55:59 ryoon Exp $
 
---- memory.c.orig	2013-11-27 22:15:55.000000000 +0000
+--- memory.c.orig	2015-08-11 19:11:09.000000000 +0000
 +++ memory.c
-@@ -404,7 +404,7 @@ static void memory_region_read_accessor(
-     if (mr->flush_coalesced_mmio) {
-         qemu_flush_coalesced_mmio_buffer();
-     }
+@@ -396,7 +396,7 @@ static MemTxResult  memory_region_read_a
+ {
+     uint64_t tmp;
+ 
 -    tmp = mr->ops->read(mr->opaque, addr, size);
-+    tmp = (*mr->ops->read)(mr->opaque, addr, size);
++    tmp = (mr->ops->read)(mr->opaque, addr, size);
      trace_memory_region_ops_read(mr, addr, tmp, size);
      *value |= (tmp & mask) << shift;
- }
+     return MEMTX_OK;