rpms/qemu
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

CVE-2017-7718: cirrus: OOB read access issue (bz #1443443)

Browse Source 
CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz #1432040)
CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872)
CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372)
CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622)
CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578)
CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz #1452598)
CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623)
CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz #1457699)
CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz #1459137)
CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz #1468497)
This commit is contained in:
Cole Robinson 2017-07-12 18:19:21 -04:00
parent f081074661
commit 3d039dc5d8
90 changed files with 2044 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
View File

@ -25,7 +25,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 4d94b36..a5ce7de 100644
index 4d94b363a9..a5ce7dea8e 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -40,6 +40,8 @@

2
0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
index e51a05e..6599cf0 100644
index e51a05ea7e..6599cf078d 100644
--- a/hw/display/vmware_vga.c
+++ b/hw/display/vmware_vga.c
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)

2
0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
View File

@ -14,7 +14,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 188f954..281a2a5 100644
index 188f95416a..281a2a59f0 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3709,8 +3709,7 @@ static void usb_xhci_exit(PCIDevice *dev)

2
0004-virtio-add-check-for-descriptor-s-mapped-address.patch
View File

@ -18,7 +18,7 @@ Reviewed-by: Laszlo Ersek <lersek@redhat.com>
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index f31140a..58edd99 100644
index f31140aba4..58edd9952a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove

2
0005-net-mcf-limit-buffer-descriptor-count.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index 0ee8ad9..d31fea1 100644
index 0ee8ad9d66..d31fea1f18 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)

2
0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
View File

@ -15,7 +15,7 @@ Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
1 file changed, 10 insertions(+)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 281a2a5..8a9a31a 100644
index 281a2a59f0..8a9a31a2f7 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -54,6 +54,8 @@

2
0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
View File

@ -16,7 +16,7 @@ Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index b093db7..f4ece9a 100644
index b093db729c..f4ece9abed 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,

2
0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 444672a..d4ca026 100644
index 444672a000..d4ca026f00 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -2036,18 +2036,22 @@ static void usbredir_interrupt_packet(void *priv, uint64_t id,

2
0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
View File

@ -33,7 +33,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 0e2682d..62d0c80 100644
index 0e2682d28b..62d0c80dcf 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -992,6 +992,34 @@ static uint32_t qxl_crc32(const uint8_t *p, unsigned len)

4
0010-ui-use-evdev-keymap-when-running-under-wayland.patch
View File

@ -12,7 +12,7 @@ Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2 files changed, 11 insertions(+)
diff --git a/include/ui/gtk.h b/include/ui/gtk.h
index 42ca0fe..b3b5005 100644
index 42ca0fea8b..b3b50059c7 100644
--- a/include/ui/gtk.h
+++ b/include/ui/gtk.h
@@ -18,6 +18,10 @@
@ -27,7 +27,7 @@ index 42ca0fe..b3b5005 100644
#include "ui/egl-helpers.h"
#include "ui/egl-context.h"
diff --git a/ui/gtk.c b/ui/gtk.c
index 21ae4cb..c641e49 100644
index 21ae4cbccc..c641e49033 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -90,6 +90,9 @@

2
0011-net-vmxnet-initialise-local-tx-descriptor.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
index 90f6943..92f6af9 100644
index 90f6943668..92f6af9620 100644
--- a/hw/net/vmxnet3.c
+++ b/hw/net/vmxnet3.c
@@ -531,6 +531,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)

2
0012-net-pcnet-check-rx-tx-descriptor-ring-length.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 3 insertions(+)
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
index 198a01f..3078de8 100644
index 198a01f92d..3078de8aba 100644
--- a/hw/net/pcnet.c
+++ b/hw/net/pcnet.c
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)

2
0013-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 7fe6ed8..5b6d17b 100644
index 7fe6ed8bf0..5b6d17be00 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -333,6 +333,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,

2
0014-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
View File

@ -13,7 +13,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 91a4970..1a9ec7e 100644
index 91a497079a..1a9ec7ede9 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1813,14 +1813,15 @@ static void v9fs_read(void *opaque)

4
0015-9pfs-allocate-space-for-guest-originated-empty-strin.patch
View File

@ -29,7 +29,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
index 663cad5..1d16f8d 100644
index 663cad5429..1d16f8df4b 100644
--- a/fsdev/9p-iov-marshal.c
+++ b/fsdev/9p-iov-marshal.c
@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
@ -42,7 +42,7 @@ index 663cad5..1d16f8d 100644
} else {
v9fs_string_free(str);
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 1a9ec7e..2b161ed 100644
index 1a9ec7ede9..2b161ed6c0 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3162,7 +3162,7 @@ static void v9fs_xattrwalk(void *opaque)

2
0016-net-rocker-set-limit-to-DMA-buffer-size.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
index 30f2ce4..e9d215a 100644
index 30f2ce417b..e9d215aa4d 100644
--- a/hw/net/rocker/rocker.c
+++ b/hw/net/rocker/rocker.c
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)

2
0017-char-serial-check-divider-value-against-baud-base.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3442f47..eec72b7 100644
index 3442f47d36..eec72b7b9e 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -153,8 +153,9 @@ static void serial_update_parameters(SerialState *s)

2
0018-audio-intel-hda-check-stream-entry-count-during-tran.patch
View File

@ -20,7 +20,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
index cd95340..537face 100644
index cd95340cd9..537face94d 100644
--- a/hw/audio/intel-hda.c
+++ b/hw/audio/intel-hda.c
@@ -416,7 +416,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,

2
0019-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch
View File

@ -20,7 +20,7 @@ Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
index 772f85f..ce1dc63 100644
index 772f85f5fd..ce1dc63911 100644
--- a/hw/timer/a9gtimer.c
+++ b/hw/timer/a9gtimer.c
@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)

2
0020-net-eepro100-fix-memory-leak-in-device-uninit.patch
View File

@ -14,7 +14,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
index bab4dbf..4bf71f2 100644
index bab4dbfc98..4bf71f2d85 100644
--- a/hw/net/eepro100.c
+++ b/hw/net/eepro100.c
@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)

2
0021-9pfs-fix-information-leak-in-xattr-read.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 2b161ed..0c0645f 100644
index 2b161ed6c0..0c0645fe9a 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3270,7 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)

2
0022-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 0c0645f..54554ba 100644
index 0c0645fe9a..54554bac51 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3270,6 +3270,7 @@ static void v9fs_xattrcreate(void *opaque)

4
0023-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 54554ba..ad57123 100644
index 54554bac51..ad57123aaf 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -310,7 +310,7 @@ static int v9fs_xattr_fid_clunk(V9fsPDU *pdu, V9fsFidState *fidp)
@ -57,7 +57,7 @@ index 54554ba..ad57123 100644
xattr_fidp->fs.xattr.flags = flags;
v9fs_string_init(&xattr_fidp->fs.xattr.name);
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index a386033..699235d 100644
index a38603398e..699235d81c 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -164,6 +164,7 @@ typedef struct V9fsXattr

2
0024-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch
View File

@ -28,7 +28,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
index 699235d..2067863 100644
index 699235d81c..2067863100 100644
--- a/hw/9pfs/9p.h
+++ b/hw/9pfs/9p.h
@@ -159,8 +159,8 @@ typedef struct V9fsConf

2
0025-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
View File

@ -27,7 +27,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 12 insertions(+), 20 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index ad57123..9c18322 100644
index ad57123aaf..9c18322945 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1629,20 +1629,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,

2
0026-9pfs-fix-memory-leak-in-v9fs_link.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 1 insertion(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 9c18322..a4ee24f 100644
index 9c18322945..a4ee24fe74 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2396,6 +2396,7 @@ static void v9fs_link(void *opaque)

2
0027-9pfs-fix-memory-leak-in-v9fs_write.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index a4ee24f..03a5a35 100644
index a4ee24fe74..03a5a35ea4 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -2073,7 +2073,7 @@ static void v9fs_write(void *opaque)

2
0028-xen-fix-ioreq-handling.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/xen-hvm.c b/xen-hvm.c
index 2f348ed..097007d 100644
index 2f348edf86..097007d3ed 100644
--- a/xen-hvm.c
+++ b/xen-hvm.c
@@ -810,6 +810,10 @@ static void cpu_ioreq_pio(ioreq_t *req)

2
0029-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 3d712d5..bdb092e 100644
index 3d712d592f..bdb092ee9d 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);

2
0030-net-mcf-check-receive-buffer-size-register-value.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
index d31fea1..3d4b3b3 100644
index d31fea1f18..3d4b3b3b39 100644
--- a/hw/net/mcf_fec.c
+++ b/hw/net/mcf_fec.c
@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,

2
0031-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
View File

@ -21,7 +21,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 758d33a..23f39de 100644
index 758d33a09d..23f39de94d 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -347,6 +347,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,

2
0032-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
View File

@ -20,7 +20,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 5b6d17b..41f8096 100644
index 5b6d17be00..41f80965a6 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -84,6 +84,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,

2
0033-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
View File

@ -20,7 +20,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index d4ca026..d064961 100644
index d4ca026f00..d064961203 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -132,6 +132,7 @@ struct USBRedirDevice {

2
0034-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 1 insertion(+)
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index f4ece9a..7622a3a 100644
index f4ece9abed..7622a3ae72 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)

2
0035-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 03a5a35..1b7dd84 100644
index 03a5a35ea4..1b7dd8437c 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3492,8 +3492,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)

4
0036-9pfs-add-cleanup-operation-in-FileOperations.patch
View File

@ -16,7 +16,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
2 files changed, 7 insertions(+)
diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
index 6db9fea..a56dc84 100644
index 6db9feac8f..a56dc8488d 100644
--- a/fsdev/file-op-9p.h
+++ b/fsdev/file-op-9p.h
@@ -100,6 +100,7 @@ struct FileOperations
@ -28,7 +28,7 @@ index 6db9fea..a56dc84 100644
ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
int (*chmod)(FsContext *, V9fsPath *, FsCred *);
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 1b7dd84..641a348 100644
index 1b7dd8437c..641a348234 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3492,6 +3492,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)

2
0037-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
View File

@ -16,7 +16,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 9 insertions(+)
diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
index 3d77594..1687661 100644
index 3d77594f92..1687661bc9 100644
--- a/hw/9pfs/9p-handle.c
+++ b/hw/9pfs/9p-handle.c
@@ -649,6 +649,14 @@ out:

2
0038-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
View File

@ -16,7 +16,7 @@ Signed-off-by: Greg Kurz <groug@kaod.org>
1 file changed, 13 insertions(+)
diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
index f265501..336e9fe 100644
index f265501eac..336e9fef84 100644
--- a/hw/9pfs/9p-proxy.c
+++ b/hw/9pfs/9p-proxy.c
@@ -1179,9 +1179,22 @@ static int proxy_init(FsContext *ctx)

2
0039-9pfs-fix-crash-when-fsdev-is-missing.patch
View File

@ -15,7 +15,7 @@ Reviewed-by: Li Qiang <liq3ea@gmail.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 641a348..9a89f75 100644
index 641a348234..9a89f75d90 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3492,7 +3492,7 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)

2
0040-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index 23f39de..e29f099 100644
index 23f39de94d..e29f099bd5 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -371,8 +371,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,

2
0041-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
View File

@ -23,7 +23,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index e29f099..cdd03a4 100644
index e29f099bd5..cdd03a47bd 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -376,7 +376,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,

2
0042-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 3 insertions(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 41f8096..8903dee 100644
index 41f80965a6..8903dee4f5 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -28,6 +28,8 @@

2
0043-net-imx-limit-buffer-descriptor-count.patch
View File

@ -17,7 +17,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/hw/net/imx_fec.c b/hw/net/imx_fec.c
index 1c415ab..6b42c10 100644
index 1c415ab3b1..6b42c10d96 100644
--- a/hw/net/imx_fec.c
+++ b/hw/net/imx_fec.c
@@ -55,6 +55,8 @@

2
0044-audio-ac97-add-exit-function.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 11 insertions(+)
diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
index cbd959e..c306575 100644
index cbd959e0bd..c30657501c 100644
--- a/hw/audio/ac97.c
+++ b/hw/audio/ac97.c
@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)

2
0045-audio-es1370-add-exit-function.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 14 insertions(+)
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
index 8449b5f..883ec69 100644
index 8449b5f436..883ec69b30 100644
--- a/hw/audio/es1370.c
+++ b/hw/audio/es1370.c
@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)

2
0046-watchdog-6300esb-add-exit-function.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed, 9 insertions(+)
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
index a83d951..49b3cd1 100644
index a83d951213..49b3cd188a 100644
--- a/hw/watchdog/wdt_i6300esb.c
+++ b/hw/watchdog/wdt_i6300esb.c
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)

2
0047-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index cdd03a4..f96a0c2 100644
index cdd03a47bd..f96a0c2e59 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -291,8 +291,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,

2
0048-virtio-gpu-fix-memory-leak-in-resource-attach-backin.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 5 insertions(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index 8903dee..cadd7d8 100644
index 8903dee4f5..cadd7d899d 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -708,6 +708,11 @@ virtio_gpu_resource_attach_backing(VirtIOGPU *g,

2
0049-sd-sdhci-check-data-length-during-dma_memory_read.patch
View File

@ -20,7 +20,7 @@ Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 01fbf22..5bd5ab6 100644
index 01fbf228be..5bd5ab6319 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -536,7 +536,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)

2
0050-megasas-fix-guest-triggered-memory-leak.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index 52a4123..ebf0302 100644
index 52a41239cf..ebf03022ed 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -672,14 +672,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)

2
0051-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch
View File

@ -21,7 +21,7 @@ Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
1 file changed, 8 insertions(+)
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
index f96a0c2..ecb09d1 100644
index f96a0c2e59..ecb09d17a1 100644
--- a/hw/display/virtio-gpu-3d.c
+++ b/hw/display/virtio-gpu-3d.c
@@ -77,10 +77,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,

2
0052-usb-ccid-check-ccid-apdu-length.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
index af4b851..fc32b00 100644
index af4b851356..fc32b00363 100644
--- a/hw/usb/dev-smartcard-reader.c
+++ b/hw/usb/dev-smartcard-reader.c
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)

2
0053-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
View File

@ -22,7 +22,7 @@ Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
index 5bd5ab6..a9c744b 100644
index 5bd5ab6319..a9c744b50a 100644
--- a/hw/sd/sdhci.c
+++ b/hw/sd/sdhci.c
@@ -486,6 +486,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)

4
0054-eth-Extend-vlan-stripping-functions.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/include/net/eth.h b/include/net/eth.h
index 2013175..afeb45b 100644
index 2013175857..afeb45be34 100644
--- a/include/net/eth.h
+++ b/include/net/eth.h
@@ -331,12 +331,12 @@ eth_get_pkt_tci(const void *p)
@ -37,7 +37,7 @@ index 2013175..afeb45b 100644
uint16_t vet, uint8_t *new_ehdr_buf,
uint16_t *payload_offset, uint16_t *tci);
diff --git a/net/eth.c b/net/eth.c
index df81efb..5b9ba26 100644
index df81efb676..5b9ba26a56 100644
--- a/net/eth.c
+++ b/net/eth.c
@@ -232,7 +232,7 @@ void eth_get_protocols(const struct iovec *iov, int iovcnt,

2
0055-NetRxPkt-Fix-memory-corruption-on-VLAN-header-stripp.patch
View File

@ -23,7 +23,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index 1019b50..7c0beac 100644
index 1019b50c18..7c0beace9e 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -23,13 +23,13 @@

2
0056-NetRxPkt-Do-not-try-to-pull-more-data-than-present.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index 7c0beac..d38babe 100644
index 7c0beace9e..d38babec88 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -96,7 +96,8 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,

2
0057-NetRxPkt-Account-buffer-with-ETH-header-in-IOV-lengt.patch
View File

@ -20,7 +20,7 @@ Signed-off-by: Jason Wang <jasowang@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/net/net_rx_pkt.c b/hw/net/net_rx_pkt.c
index d38babe..c7ae33d 100644
index d38babec88..c7ae33d0d3 100644
--- a/hw/net/net_rx_pkt.c
+++ b/hw/net/net_rx_pkt.c
@@ -97,7 +97,7 @@ net_rx_pkt_pull_data(struct NetRxPkt *pkt,

2
0058-usb-ohci-limit-the-number-of-link-eds.patch
View File

@ -14,7 +14,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index fa57038..48307fe 100644
index fa5703832c..48307febd3 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -42,6 +42,8 @@

2
0059-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index bdb092e..379910d 100644
index bdb092ee9d..379910db2d 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,

2
0060-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
View File

@ -27,7 +27,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 5 insertions(+)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 379910d..0f05e45 100644
index 379910db2d..0f05e4596e 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,

2
0061-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
View File

@ -16,7 +16,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 0f05e45..98f089e 100644
index 0f05e4596e..98f089e4e9 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);

2
0062-cirrus-fix-blit-address-mask-handling.patch
View File

@ -15,7 +15,7 @@ Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 98f089e..7db6409 100644
index 98f089e4e9..7db6409dc5 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,

2
0063-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
View File

@ -26,7 +26,7 @@ Reviewed-by: Laszlo Ersek <lersek@redhat.com>
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 7db6409..16f27e8 100644
index 7db6409dc5..16f27e8ac5 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,

2
0064-cirrus-fix-patterncopy-checks.patch
View File

@ -34,7 +34,7 @@ Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 16f27e8..6bd13fc 100644
index 16f27e8ac5..6bd13fc78f 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,

2
0065-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
View File

@ -19,7 +19,7 @@ Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
1 file changed, 8 insertions(+), 18 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 6bd13fc..0e47cf8 100644
index 6bd13fc78f..0e47cf85ad 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);

2
0066-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
View File

@ -19,7 +19,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 8 insertions(+)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 0e47cf8..a093dc8 100644
index 0e47cf85ad..a093dc8b16 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)

2
0067-egl-helpers-Support-newer-MESA-versions.patch
View File

@ -16,7 +16,7 @@ Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
1 file changed, 4 insertions(+)
diff --git a/ui/egl-helpers.c b/ui/egl-helpers.c
index 79cee05..d8d57c4 100644
index 79cee0503a..d8d57c4bbe 100644
--- a/ui/egl-helpers.c
+++ b/ui/egl-helpers.c
@@ -203,7 +203,11 @@ int qemu_egl_init_dpy(EGLNativeDisplayType dpy, bool gles, bool debug)

2
0068-char-drop-data-written-to-a-disconnected-pty.patch
View File

@ -18,7 +18,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qemu-char.c b/qemu-char.c
index 90e9627..4ec9ae5 100644
index 90e96271dd..4ec9ae5b94 100644
--- a/qemu-char.c
+++ b/qemu-char.c
@@ -1328,7 +1328,7 @@ static int pty_chr_write(CharDriverState *chr, const uint8_t *buf, int len)

2
0069-dma-rc4030-limit-interval-timer-reload-value.patch
View File

@ -21,7 +21,7 @@ Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index 2f2576f..c1b4997 100644
index 2f2576fafb..c1b4997c73 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -460,7 +460,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,

2
0070-slirp-Make-RA-build-more-flexible.patch
View File

@ -18,7 +18,7 @@ Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/slirp/ip6_icmp.c b/slirp/ip6_icmp.c
index 6d18e28..3f74389 100644
index 6d18e28985..3f7438996f 100644
--- a/slirp/ip6_icmp.c
+++ b/slirp/ip6_icmp.c
@@ -143,17 +143,10 @@ void ndp_send_ra(Slirp *slirp)

2
0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch
View File

@ -20,7 +20,7 @@ Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/slirp/ip6_icmp.c b/slirp/ip6_icmp.c
index 3f74389..4c71f4c 100644
index 3f7438996f..4c71f4c2fc 100644
--- a/slirp/ip6_icmp.c
+++ b/slirp/ip6_icmp.c
@@ -144,6 +144,9 @@ void ndp_send_ra(Slirp *slirp)

2
0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
View File

@ -20,7 +20,7 @@ Message-id: 1488789111-27340-1-git-send-email-kraxel@redhat.com
1 file changed, 5 insertions(+)
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 62d0c80..e09ce10 100644
index 62d0c80dcf..e09ce10660 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -478,6 +478,11 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)

2
0073-serial-fix-memory-leak-in-serial-exit.patch
View File

@ -15,7 +15,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed, 10 insertions(+)
diff --git a/hw/char/serial.c b/hw/char/serial.c
index eec72b7..455119f 100644
index eec72b7b9e..455119f3d7 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -904,6 +904,16 @@ void serial_realize_core(SerialState *s, Error **errp)

48
0074-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch Normal file
View File

@ -0,0 +1,48 @@
From: hangaohuai <hangaohuai@huawei.com>
Date: Tue, 14 Mar 2017 14:39:19 +0800
Subject: [PATCH] fix :cirrus_vga fix OOB read case qemu Segmentation fault
check the validity of parameters in cirrus_bitblt_rop_fwd_transp_xxx
and cirrus_bitblt_rop_fwd_xxx to avoid the OOB read which causes qemu Segmentation fault.
After the fix, we will touch the assert in
cirrus_invalidate_region:
assert(off_cur_end >= off_cur);
Signed-off-by: fangying <fangying1@huawei.com>
Signed-off-by: hangaohuai <hangaohuai@huawei.com>
Message-id: 20170314063919.16200-1-hangaohuai@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 215902d7b6fb50c6fc216fc74f770858278ed904)
---
hw/display/cirrus_vga_rop.h | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index 0925a009fe..b7447f8733 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -97,6 +97,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
uint8_t p;
dstpitch -= bltwidth;
srcpitch -= bltwidth;
+
+ if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
+ return;
+ }
+
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
p = *dst;
@@ -143,6 +148,11 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
uint8_t p1, p2;
dstpitch -= bltwidth;
srcpitch -= bltwidth;
+
+ if (bltheight > 1 && (dstpitch < 0 || srcpitch < 0)) {
+ return;
+ }
+
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x+=2) {
p1 = *dst;

269
0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch Normal file
View File

@ -0,0 +1,269 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 14 Mar 2017 13:26:59 +0100
Subject: [PATCH] cirrus/vnc: zap bitblit support from console code.
There is a special code path (dpy_gfx_copy) to allow graphic emulation
notify user interface code about bitblit operations carryed out by
guests. It is supported by cirrus and vnc server. The intended purpose
is to optimize display scrolls and just send over the scroll op instead
of a full display update.
This is rarely used these days though because modern guests simply don't
use the cirrus blitter any more. Any linux guest using the cirrus drm
driver doesn't. Any windows guest newer than winxp doesn't ship with a
cirrus driver any more and thus uses the cirrus as simple framebuffer.
So this code tends to bitrot and bugs can go unnoticed for a long time.
See for example commit "3e10c3e vnc: fix qemu crash because of SIGSEGV"
which fixes a bug lingering in the code for almost a year, added by
commit "c7628bf vnc: only alloc server surface with clients connected".
Also the vnc server will throttle the frame rate in case it figures the
network can't keep up (send buffers are full). This doesn't work with
dpy_gfx_copy, for any copy operation sent to the vnc client we have to
send all outstanding updates beforehand, otherwise the vnc client might
run the client side blit on outdated data and thereby corrupt the
display. So this dpy_gfx_copy "optimization" might even make things
worse on slow network links.
Lets kill it once for all.
Oh, and one more reason: Turns out (after writing the patch) we have a
security bug in that code path ...
Fixes: CVE-2016-9603
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489494419-14340-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 50628d3479e4f9aa97e323506856e394fe7ad7a6)
---
hw/display/cirrus_vga.c | 12 ++----
include/ui/console.h | 7 ----
ui/console.c | 28 --------------
ui/vnc.c | 100 ------------------------------------------------
4 files changed, 3 insertions(+), 144 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index a093dc8b16..2ef2884823 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -795,21 +795,15 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
}
}
- /* we have to flush all pending changes so that the copy
- is generated at the appropriate moment in time */
- if (notify)
- graphic_hw_update(s->vga.con);
-
(*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
s->vga.vram_ptr + s->cirrus_blt_srcaddr,
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
if (notify) {
- qemu_console_copy(s->vga.con,
- sx, sy, dx, dy,
- s->cirrus_blt_width / depth,
- s->cirrus_blt_height);
+ dpy_gfx_update(s->vga.con, dx, dy,
+ s->cirrus_blt_width / depth,
+ s->cirrus_blt_height);
}
/* we don't have to notify the display that this portion has
diff --git a/include/ui/console.h b/include/ui/console.h
index 2703a3aa5a..67927ed851 100644
--- a/include/ui/console.h
+++ b/include/ui/console.h
@@ -189,9 +189,6 @@ typedef struct DisplayChangeListenerOps {
int x, int y, int w, int h);
void (*dpy_gfx_switch)(DisplayChangeListener *dcl,
struct DisplaySurface *new_surface);
- void (*dpy_gfx_copy)(DisplayChangeListener *dcl,
- int src_x, int src_y,
- int dst_x, int dst_y, int w, int h);
bool (*dpy_gfx_check_format)(DisplayChangeListener *dcl,
pixman_format_code_t format);
@@ -273,8 +270,6 @@ int dpy_set_ui_info(QemuConsole *con, QemuUIInfo *info);
void dpy_gfx_update(QemuConsole *con, int x, int y, int w, int h);
void dpy_gfx_replace_surface(QemuConsole *con,
DisplaySurface *surface);
-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
- int dst_x, int dst_y, int w, int h);
void dpy_text_cursor(QemuConsole *con, int x, int y);
void dpy_text_update(QemuConsole *con, int x, int y, int w, int h);
void dpy_text_resize(QemuConsole *con, int w, int h);
@@ -398,8 +393,6 @@ void text_consoles_set_display(DisplayState *ds);
void console_select(unsigned int index);
void console_color_init(DisplayState *ds);
void qemu_console_resize(QemuConsole *con, int width, int height);
-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
- int dst_x, int dst_y, int w, int h);
DisplaySurface *qemu_console_surface(QemuConsole *con);
/* console-gl.c */
diff --git a/ui/console.c b/ui/console.c
index c24bfe422d..ece0c04ddf 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -1558,27 +1558,6 @@ static void dpy_refresh(DisplayState *s)
}
}
-void dpy_gfx_copy(QemuConsole *con, int src_x, int src_y,
- int dst_x, int dst_y, int w, int h)
-{
- DisplayState *s = con->ds;
- DisplayChangeListener *dcl;
-
- if (!qemu_console_is_visible(con)) {
- return;
- }
- QLIST_FOREACH(dcl, &s->listeners, next) {
- if (con != (dcl->con ? dcl->con : active_console)) {
- continue;
- }
- if (dcl->ops->dpy_gfx_copy) {
- dcl->ops->dpy_gfx_copy(dcl, src_x, src_y, dst_x, dst_y, w, h);
- } else { /* TODO */
- dcl->ops->dpy_gfx_update(dcl, dst_x, dst_y, w, h);
- }
- }
-}
-
void dpy_text_cursor(QemuConsole *con, int x, int y)
{
DisplayState *s = con->ds;
@@ -2104,13 +2083,6 @@ void qemu_console_resize(QemuConsole *s, int width, int height)
dpy_gfx_replace_surface(s, surface);
}
-void qemu_console_copy(QemuConsole *con, int src_x, int src_y,
- int dst_x, int dst_y, int w, int h)
-{
- assert(con->console_type == GRAPHIC_CONSOLE);
- dpy_gfx_copy(con, src_x, src_y, dst_x, dst_y, w, h);
-}
-
DisplaySurface *qemu_console_surface(QemuConsole *console)
{
return console->surface;
diff --git a/ui/vnc.c b/ui/vnc.c
index 76a3273e0b..b45bb2c4b8 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -872,105 +872,6 @@ int vnc_send_framebuffer_update(VncState *vs, int x, int y, int w, int h)
return n;
}
-static void vnc_copy(VncState *vs, int src_x, int src_y, int dst_x, int dst_y, int w, int h)
-{
- /* send bitblit op to the vnc client */
- vnc_lock_output(vs);
- vnc_write_u8(vs, VNC_MSG_SERVER_FRAMEBUFFER_UPDATE);
- vnc_write_u8(vs, 0);
- vnc_write_u16(vs, 1); /* number of rects */
- vnc_framebuffer_update(vs, dst_x, dst_y, w, h, VNC_ENCODING_COPYRECT);
- vnc_write_u16(vs, src_x);
- vnc_write_u16(vs, src_y);
- vnc_unlock_output(vs);
- vnc_flush(vs);
-}
-
-static void vnc_dpy_copy(DisplayChangeListener *dcl,
- int src_x, int src_y,
- int dst_x, int dst_y, int w, int h)
-{
- VncDisplay *vd = container_of(dcl, VncDisplay, dcl);
- VncState *vs, *vn;
- uint8_t *src_row;
- uint8_t *dst_row;
- int i, x, y, pitch, inc, w_lim, s;
- int cmp_bytes;
-
- if (!vd->server) {
- /* no client connected */
- return;
- }
-
- vnc_refresh_server_surface(vd);
- QTAILQ_FOREACH_SAFE(vs, &vd->clients, next, vn) {
- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
- vs->force_update = 1;
- vnc_update_client(vs, 1, true);
- /* vs might be free()ed here */
- }
- }
-
- if (!vd->server) {
- /* no client connected */
- return;
- }
- /* do bitblit op on the local surface too */
- pitch = vnc_server_fb_stride(vd);
- src_row = vnc_server_fb_ptr(vd, src_x, src_y);
- dst_row = vnc_server_fb_ptr(vd, dst_x, dst_y);
- y = dst_y;
- inc = 1;
- if (dst_y > src_y) {
- /* copy backwards */
- src_row += pitch * (h-1);
- dst_row += pitch * (h-1);
- pitch = -pitch;
- y = dst_y + h - 1;
- inc = -1;
- }
- w_lim = w - (VNC_DIRTY_PIXELS_PER_BIT - (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
- if (w_lim < 0) {
- w_lim = w;
- } else {
- w_lim = w - (w_lim % VNC_DIRTY_PIXELS_PER_BIT);
- }
- for (i = 0; i < h; i++) {
- for (x = 0; x <= w_lim;
- x += s, src_row += cmp_bytes, dst_row += cmp_bytes) {
- if (x == w_lim) {
- if ((s = w - w_lim) == 0)
- break;
- } else if (!x) {
- s = (VNC_DIRTY_PIXELS_PER_BIT -
- (dst_x % VNC_DIRTY_PIXELS_PER_BIT));
- s = MIN(s, w_lim);
- } else {
- s = VNC_DIRTY_PIXELS_PER_BIT;
- }
- cmp_bytes = s * VNC_SERVER_FB_BYTES;
- if (memcmp(src_row, dst_row, cmp_bytes) == 0)
- continue;
- memmove(dst_row, src_row, cmp_bytes);
- QTAILQ_FOREACH(vs, &vd->clients, next) {
- if (!vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
- set_bit(((x + dst_x) / VNC_DIRTY_PIXELS_PER_BIT),
- vs->dirty[y]);
- }
- }
- }
- src_row += pitch - w * VNC_SERVER_FB_BYTES;
- dst_row += pitch - w * VNC_SERVER_FB_BYTES;
- y += inc;
- }
-
- QTAILQ_FOREACH(vs, &vd->clients, next) {
- if (vnc_has_feature(vs, VNC_FEATURE_COPYRECT)) {
- vnc_copy(vs, src_x, src_y, dst_x, dst_y, w, h);
- }
- }
-}
-
static void vnc_mouse_set(DisplayChangeListener *dcl,
int x, int y, int visible)
{
@@ -3123,7 +3024,6 @@ static gboolean vnc_listen_io(QIOChannel *ioc,
static const DisplayChangeListenerOps dcl_ops = {
.dpy_name = "vnc",
.dpy_refresh = vnc_refresh,
- .dpy_gfx_copy = vnc_dpy_copy,
.dpy_gfx_update = vnc_dpy_update,
.dpy_gfx_switch = vnc_dpy_switch,
.dpy_gfx_check_format = qemu_pixman_check_format,

46
0076-9pfs-fix-file-descriptor-leak.patch Normal file
View File

@ -0,0 +1,46 @@
From: Li Qiang <liq3ea@gmail.com>
Date: Mon, 27 Mar 2017 21:13:19 +0200
Subject: [PATCH] 9pfs: fix file descriptor leak
The v9fs_create() and v9fs_lcreate() functions are used to create a file
on the backend and to associate it to a fid. The fid shouldn't be already
in-use, otherwise both functions may silently leak a file descriptor or
allocated memory. The current code doesn't check that.
This patch ensures that the fid isn't already associated to anything
before using it.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
(reworded the changelog, Greg Kurz)
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit d63fb193e71644a073b77ff5ac6f1216f2f6cf6e)
---
hw/9pfs/9p.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index 9a89f75d90..9d6b2caf1b 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -1530,6 +1530,10 @@ static void v9fs_lcreate(void *opaque)
err = -ENOENT;
goto out_nofid;
}
+ if (fidp->fid_type != P9_FID_NONE) {
+ err = -EINVAL;
+ goto out;
+ }
flags = get_dotl_openflags(pdu->s, flags);
err = v9fs_co_open2(pdu, fidp, &name, gid,
@@ -2127,6 +2131,10 @@ static void v9fs_create(void *opaque)
err = -EINVAL;
goto out_nofid;
}
+ if (fidp->fid_type != P9_FID_NONE) {
+ err = -EINVAL;
+ goto out;
+ }
if (perm & P9_STAT_MODE_DIR) {
err = v9fs_co_mkdir(pdu, fidp, &name, perm & 0777,
fidp->uid, -1, &stbuf);

37
0077-cirrus-fix-cirrus_invalidate_region.patch Normal file
View File

@ -0,0 +1,37 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 15 Mar 2017 13:06:46 +0100
Subject: [PATCH] cirrus: fix cirrus_invalidate_region
off_cur_end is exclusive, so off_cur_end == cirrus_addr_mask is valid.
Fix calculation to make sure to allow that, otherwise the assert added
by commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3 can trigger for valid
blits.
Test case: boot windows nt 4.0
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489579606-26020-1-git-send-email-kraxel@redhat.com
(cherry picked from commit e048dac616748273c2153490e9fdf1da242f0cad)
---
hw/display/cirrus_vga.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 2ef2884823..444335f7c1 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -665,11 +665,11 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
}
for (y = 0; y < lines; y++) {
- off_cur = off_begin;
- off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
+ off_cur = off_begin;
+ off_cur_end = ((off_cur + bytesperline - 1) & s->cirrus_addr_mask) + 1;
assert(off_cur_end >= off_cur);
memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
- off_begin += off_pitch;
+ off_begin += off_pitch;
}
}

616
0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch Normal file
View File

@ -0,0 +1,616 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 15 Mar 2017 11:47:52 +0100
Subject: [PATCH] cirrus: stop passing around dst pointers in the blitter
Instead pass around the address (aka offset into vga memory). Calculate
the pointer in the rop_* functions, after applying the mask to the
address, to make sure the address stays within the valid range.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489574872-8679-1-git-send-email-kraxel@redhat.com
(cherry picked from commit 026aeffcb4752054830ba203020ed6eb05bcaba8)
---
hw/display/cirrus_vga.c | 20 +++---
hw/display/cirrus_vga_rop.h | 161 +++++++++++++++++++++++++------------------
hw/display/cirrus_vga_rop2.h | 97 +++++++++++++-------------
3 files changed, 153 insertions(+), 125 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index 444335f7c1..f1952a00a8 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -177,11 +177,12 @@
struct CirrusVGAState;
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
- uint8_t * dst, const uint8_t * src,
+ uint32_t dstaddr, const uint8_t *src,
int dstpitch, int srcpitch,
int bltwidth, int bltheight);
typedef void (*cirrus_fill_t)(struct CirrusVGAState *s,
- uint8_t *dst, int dst_pitch, int width, int height);
+ uint32_t dstaddr, int dst_pitch,
+ int width, int height);
typedef struct CirrusVGAState {
VGACommonState vga;
@@ -319,14 +320,14 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
}
static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
- uint8_t *dst,const uint8_t *src,
+ uint32_t dstaddr, const uint8_t *src,
int dstpitch,int srcpitch,
int bltwidth,int bltheight)
{
}
static void cirrus_bitblt_fill_nop(CirrusVGAState *s,
- uint8_t *dst,
+ uint32_t dstaddr,
int dstpitch, int bltwidth,int bltheight)
{
}
@@ -676,11 +677,8 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
{
uint32_t patternsize;
- uint8_t *dst;
uint8_t *src;
- dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
-
if (videosrc) {
switch (s->vga.get_bpp(&s->vga)) {
case 8:
@@ -709,7 +707,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
return 0;
}
- (*s->cirrus_rop) (s, dst, src,
+ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, src,
s->cirrus_blt_dstpitch, 0,
s->cirrus_blt_width, s->cirrus_blt_height);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
@@ -728,7 +726,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
return 0;
}
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
- rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
+ rop_func(s, s->cirrus_blt_dstaddr,
s->cirrus_blt_dstpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
@@ -795,7 +793,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
}
}
- (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
+ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
s->vga.vram_ptr + s->cirrus_blt_srcaddr,
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
@@ -846,7 +844,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
} else {
/* at least one scan line */
do {
- (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
+ (*s->cirrus_rop)(s, s->cirrus_blt_dstaddr,
s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
s->cirrus_blt_width, 1);
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index b7447f8733..1aa778d3e8 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -22,31 +22,65 @@
* THE SOFTWARE.
*/
-static inline void glue(rop_8_,ROP_NAME)(uint8_t *dst, uint8_t src)
+static inline void glue(rop_8_, ROP_NAME)(CirrusVGAState *s,
+ uint32_t dstaddr, uint8_t src)
{
+ uint8_t *dst = &s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask];
*dst = ROP_FN(*dst, src);
}
-static inline void glue(rop_16_,ROP_NAME)(uint16_t *dst, uint16_t src)
+static inline void glue(rop_tr_8_, ROP_NAME)(CirrusVGAState *s,
+ uint32_t dstaddr, uint8_t src,
+ uint8_t transp)
{
+ uint8_t *dst = &s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask];
+ uint8_t pixel = ROP_FN(*dst, src);
+ if (pixel != transp) {
+ *dst = pixel;
+ }
+}
+
+static inline void glue(rop_16_, ROP_NAME)(CirrusVGAState *s,
+ uint32_t dstaddr, uint16_t src)
+{
+ uint16_t *dst = (uint16_t *)
+ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~1]);
*dst = ROP_FN(*dst, src);
}
-static inline void glue(rop_32_,ROP_NAME)(uint32_t *dst, uint32_t src)
+static inline void glue(rop_tr_16_, ROP_NAME)(CirrusVGAState *s,
+ uint32_t dstaddr, uint16_t src,
+ uint16_t transp)
+{
+ uint16_t *dst = (uint16_t *)
+ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~1]);
+ uint16_t pixel = ROP_FN(*dst, src);
+ if (pixel != transp) {
+ *dst = pixel;
+ }
+}
+
+static inline void glue(rop_32_, ROP_NAME)(CirrusVGAState *s,
+ uint32_t dstaddr, uint32_t src)
{
+ uint32_t *dst = (uint32_t *)
+ (&s->vga.vram_ptr[dstaddr & s->cirrus_addr_mask & ~3]);
*dst = ROP_FN(*dst, src);
}
-#define ROP_OP(d, s) glue(rop_8_,ROP_NAME)(d, s)
-#define ROP_OP_16(d, s) glue(rop_16_,ROP_NAME)(d, s)
-#define ROP_OP_32(d, s) glue(rop_32_,ROP_NAME)(d, s)
+#define ROP_OP(st, d, s) glue(rop_8_, ROP_NAME)(st, d, s)
+#define ROP_OP_TR(st, d, s, t) glue(rop_tr_8_, ROP_NAME)(st, d, s, t)
+#define ROP_OP_16(st, d, s) glue(rop_16_, ROP_NAME)(st, d, s)
+#define ROP_OP_TR_16(st, d, s, t) glue(rop_tr_16_, ROP_NAME)(st, d, s, t)
+#define ROP_OP_32(st, d, s) glue(rop_32_, ROP_NAME)(st, d, s)
#undef ROP_FN
static void
glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
- uint8_t *dst,const uint8_t *src,
- int dstpitch,int srcpitch,
- int bltwidth,int bltheight)
+ uint32_t dstaddr,
+ const uint8_t *src,
+ int dstpitch, int srcpitch,
+ int bltwidth, int bltheight)
{
int x,y;
dstpitch -= bltwidth;
@@ -58,43 +92,47 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- ROP_OP(dst, *src);
- dst++;
+ ROP_OP(s, dstaddr, *src);
+ dstaddr++;
src++;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
src += srcpitch;
}
}
static void
glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
- uint8_t *dst,const uint8_t *src,
- int dstpitch,int srcpitch,
- int bltwidth,int bltheight)
+ uint32_t dstaddr,
+ const uint8_t *src,
+ int dstpitch, int srcpitch,
+ int bltwidth, int bltheight)
{
int x,y;
dstpitch += bltwidth;
srcpitch += bltwidth;
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- ROP_OP(dst, *src);
- dst--;
+ ROP_OP(s, dstaddr, *src);
+ dstaddr--;
src--;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
src += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
- uint8_t *dst,const uint8_t *src,
- int dstpitch,int srcpitch,
- int bltwidth,int bltheight)
+ uint32_t dstaddr,
+ const uint8_t *src,
+ int dstpitch,
+ int srcpitch,
+ int bltwidth,
+ int bltheight)
{
int x,y;
- uint8_t p;
+ uint8_t transp = s->vga.gr[0x34];
dstpitch -= bltwidth;
srcpitch -= bltwidth;
@@ -104,48 +142,50 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- p = *dst;
- ROP_OP(&p, *src);
- if (p != s->vga.gr[0x34]) *dst = p;
- dst++;
+ ROP_OP_TR(s, dstaddr, *src, transp);
+ dstaddr++;
src++;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
src += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
- uint8_t *dst,const uint8_t *src,
- int dstpitch,int srcpitch,
- int bltwidth,int bltheight)
+ uint32_t dstaddr,
+ const uint8_t *src,
+ int dstpitch,
+ int srcpitch,
+ int bltwidth,
+ int bltheight)
{
int x,y;
- uint8_t p;
+ uint8_t transp = s->vga.gr[0x34];
dstpitch += bltwidth;
srcpitch += bltwidth;
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- p = *dst;
- ROP_OP(&p, *src);
- if (p != s->vga.gr[0x34]) *dst = p;
- dst--;
+ ROP_OP_TR(s, dstaddr, *src, transp);
+ dstaddr--;
src--;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
src += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
- uint8_t *dst,const uint8_t *src,
- int dstpitch,int srcpitch,
- int bltwidth,int bltheight)
+ uint32_t dstaddr,
+ const uint8_t *src,
+ int dstpitch,
+ int srcpitch,
+ int bltwidth,
+ int bltheight)
{
int x,y;
- uint8_t p1, p2;
+ uint16_t transp = s->vga.gr[0x34] | (uint16_t)s->vga.gr[0x35] << 8;
dstpitch -= bltwidth;
srcpitch -= bltwidth;
@@ -155,46 +195,35 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x+=2) {
- p1 = *dst;
- p2 = *(dst+1);
- ROP_OP(&p1, *src);
- ROP_OP(&p2, *(src + 1));
- if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) {
- *dst = p1;
- *(dst+1) = p2;
- }
- dst+=2;
- src+=2;
+ ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
+ dstaddr += 2;
+ src += 2;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
src += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
- uint8_t *dst,const uint8_t *src,
- int dstpitch,int srcpitch,
- int bltwidth,int bltheight)
+ uint32_t dstaddr,
+ const uint8_t *src,
+ int dstpitch,
+ int srcpitch,
+ int bltwidth,
+ int bltheight)
{
int x,y;
- uint8_t p1, p2;
+ uint16_t transp = s->vga.gr[0x34] | (uint16_t)s->vga.gr[0x35] << 8;
dstpitch += bltwidth;
srcpitch += bltwidth;
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x+=2) {
- p1 = *(dst-1);
- p2 = *dst;
- ROP_OP(&p1, *(src - 1));
- ROP_OP(&p2, *src);
- if ((p1 != s->vga.gr[0x34]) || (p2 != s->vga.gr[0x35])) {
- *(dst-1) = p1;
- *dst = p2;
- }
- dst-=2;
- src-=2;
+ ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
+ dstaddr -= 2;
+ src -= 2;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
src += srcpitch;
}
}
diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h
index d28bcc6f25..bc92f0e0e7 100644
--- a/hw/display/cirrus_vga_rop2.h
+++ b/hw/display/cirrus_vga_rop2.h
@@ -23,27 +23,29 @@
*/
#if DEPTH == 8
-#define PUTPIXEL() ROP_OP(&d[0], col)
+#define PUTPIXEL(s, a, c) ROP_OP(s, a, c)
#elif DEPTH == 16
-#define PUTPIXEL() ROP_OP_16((uint16_t *)&d[0], col)
+#define PUTPIXEL(s, a, c) ROP_OP_16(s, a, c)
#elif DEPTH == 24
-#define PUTPIXEL() ROP_OP(&d[0], col); \
- ROP_OP(&d[1], (col >> 8)); \
- ROP_OP(&d[2], (col >> 16))
+#define PUTPIXEL(s, a, c) do { \
+ ROP_OP(s, a, c); \
+ ROP_OP(s, a + 1, (col >> 8)); \
+ ROP_OP(s, a + 2, (col >> 16)); \
+ } while (0)
#elif DEPTH == 32
-#define PUTPIXEL() ROP_OP_32(((uint32_t *)&d[0]), col)
+#define PUTPIXEL(s, a, c) ROP_OP_32(s, a, c)
#else
#error unsupported DEPTH
#endif
static void
glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
- (CirrusVGAState * s, uint8_t * dst,
- const uint8_t * src,
+ (CirrusVGAState *s, uint32_t dstaddr,
+ const uint8_t *src,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
- uint8_t *d;
+ uint32_t addr;
int x, y, pattern_y, pattern_pitch, pattern_x;
unsigned int col;
const uint8_t *src1;
@@ -63,7 +65,7 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
pattern_y = s->cirrus_blt_srcaddr & 7;
for(y = 0; y < bltheight; y++) {
pattern_x = skipleft;
- d = dst + skipleft;
+ addr = dstaddr + skipleft;
src1 = src + pattern_y * pattern_pitch;
for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
#if DEPTH == 8
@@ -82,23 +84,23 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
col = ((uint32_t *)(src1 + pattern_x))[0];
pattern_x = (pattern_x + 4) & 31;
#endif
- PUTPIXEL();
- d += (DEPTH / 8);
+ PUTPIXEL(s, addr, col);
+ addr += (DEPTH / 8);
}
pattern_y = (pattern_y + 1) & 7;
- dst += dstpitch;
+ dstaddr += dstpitch;
}
}
/* NOTE: srcpitch is ignored */
static void
glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
- (CirrusVGAState * s, uint8_t * dst,
- const uint8_t * src,
+ (CirrusVGAState *s, uint32_t dstaddr,
+ const uint8_t *src,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
- uint8_t *d;
+ uint32_t addr;
int x, y;
unsigned bits, bits_xor;
unsigned int col;
@@ -123,7 +125,7 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
for(y = 0; y < bltheight; y++) {
bitmask = 0x80 >> srcskipleft;
bits = *src++ ^ bits_xor;
- d = dst + dstskipleft;
+ addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
if ((bitmask & 0xff) == 0) {
bitmask = 0x80;
@@ -131,24 +133,24 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
}
index = (bits & bitmask);
if (index) {
- PUTPIXEL();
+ PUTPIXEL(s, addr, col);
}
- d += (DEPTH / 8);
+ addr += (DEPTH / 8);
bitmask >>= 1;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
}
}
static void
glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
- (CirrusVGAState * s, uint8_t * dst,
- const uint8_t * src,
+ (CirrusVGAState *s, uint32_t dstaddr,
+ const uint8_t *src,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
uint32_t colors[2];
- uint8_t *d;
+ uint32_t addr;
int x, y;
unsigned bits;
unsigned int col;
@@ -161,29 +163,29 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
for(y = 0; y < bltheight; y++) {
bitmask = 0x80 >> srcskipleft;
bits = *src++;
- d = dst + dstskipleft;
+ addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
if ((bitmask & 0xff) == 0) {
bitmask = 0x80;
bits = *src++;
}
col = colors[!!(bits & bitmask)];
- PUTPIXEL();
- d += (DEPTH / 8);
+ PUTPIXEL(s, addr, col);
+ addr += (DEPTH / 8);
bitmask >>= 1;
}
- dst += dstpitch;
+ dstaddr += dstpitch;
}
}
static void
glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
- (CirrusVGAState * s, uint8_t * dst,
- const uint8_t * src,
+ (CirrusVGAState *s, uint32_t dstaddr,
+ const uint8_t *src,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
- uint8_t *d;
+ uint32_t addr;
int x, y, bitpos, pattern_y;
unsigned int bits, bits_xor;
unsigned int col;
@@ -207,28 +209,28 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
for(y = 0; y < bltheight; y++) {
bits = src[pattern_y] ^ bits_xor;
bitpos = 7 - srcskipleft;
- d = dst + dstskipleft;
+ addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
if ((bits >> bitpos) & 1) {
- PUTPIXEL();
+ PUTPIXEL(s, addr, col);
}
- d += (DEPTH / 8);
+ addr += (DEPTH / 8);
bitpos = (bitpos - 1) & 7;
}
pattern_y = (pattern_y + 1) & 7;
- dst += dstpitch;
+ dstaddr += dstpitch;
}
}
static void
glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
- (CirrusVGAState * s, uint8_t * dst,
- const uint8_t * src,
+ (CirrusVGAState *s, uint32_t dstaddr,
+ const uint8_t *src,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
uint32_t colors[2];
- uint8_t *d;
+ uint32_t addr;
int x, y, bitpos, pattern_y;
unsigned int bits;
unsigned int col;
@@ -242,38 +244,37 @@ glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
for(y = 0; y < bltheight; y++) {
bits = src[pattern_y];
bitpos = 7 - srcskipleft;
- d = dst + dstskipleft;
+ addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
col = colors[(bits >> bitpos) & 1];
- PUTPIXEL();
- d += (DEPTH / 8);
+ PUTPIXEL(s, addr, col);
+ addr += (DEPTH / 8);
bitpos = (bitpos - 1) & 7;
}
pattern_y = (pattern_y + 1) & 7;
- dst += dstpitch;
+ dstaddr += dstpitch;
}
}
static void
glue(glue(glue(cirrus_fill_, ROP_NAME), _),DEPTH)
(CirrusVGAState *s,
- uint8_t *dst, int dst_pitch,
+ uint32_t dstaddr, int dst_pitch,
int width, int height)
{
- uint8_t *d, *d1;
+ uint32_t addr;
uint32_t col;
int x, y;
col = s->cirrus_blt_fgcol;
- d1 = dst;
for(y = 0; y < height; y++) {
- d = d1;
+ addr = dstaddr;
for(x = 0; x < width; x += (DEPTH / 8)) {
- PUTPIXEL();
- d += (DEPTH / 8);
+ PUTPIXEL(s, addr, col);
+ addr += (DEPTH / 8);
}
- d1 += dst_pitch;
+ dstaddr += dst_pitch;
}
}

441
0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch Normal file
View File

@ -0,0 +1,441 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 15 Mar 2017 14:28:07 +0100
Subject: [PATCH] cirrus: stop passing around src pointers in the blitter
Does basically the same as "cirrus: stop passing around dst pointers in
the blitter", just for the src pointer instead of the dst pointer.
For the src we have to care about cputovideo blits though and fetch the
data from s->cirrus_bltbuf instead of vga memory. The cirrus_src*()
helper functions handle that.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 1489584487-3489-1-git-send-email-kraxel@redhat.com
(cherry picked from commit ffaf857778286ca54e3804432a2369a279e73aa7)
---
hw/display/cirrus_vga.c | 61 +++++++++++++++++++++++++++++++++++---------
hw/display/cirrus_vga_rop.h | 48 +++++++++++++++++-----------------
hw/display/cirrus_vga_rop2.h | 38 ++++++++++++++-------------
3 files changed, 93 insertions(+), 54 deletions(-)
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
index f1952a00a8..9274c25f46 100644
--- a/hw/display/cirrus_vga.c
+++ b/hw/display/cirrus_vga.c
@@ -177,7 +177,7 @@
struct CirrusVGAState;
typedef void (*cirrus_bitblt_rop_t) (struct CirrusVGAState *s,
- uint32_t dstaddr, const uint8_t *src,
+ uint32_t dstaddr, uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight);
typedef void (*cirrus_fill_t)(struct CirrusVGAState *s,
@@ -320,7 +320,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
}
static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
- uint32_t dstaddr, const uint8_t *src,
+ uint32_t dstaddr, uint32_t srcaddr,
int dstpitch,int srcpitch,
int bltwidth,int bltheight)
{
@@ -332,6 +332,45 @@ static void cirrus_bitblt_fill_nop(CirrusVGAState *s,
{
}
+static inline uint8_t cirrus_src(CirrusVGAState *s, uint32_t srcaddr)
+{
+ if (s->cirrus_srccounter) {
+ /* cputovideo */
+ return s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1)];
+ } else {
+ /* videotovideo */
+ return s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask];
+ }
+}
+
+static inline uint16_t cirrus_src16(CirrusVGAState *s, uint32_t srcaddr)
+{
+ uint16_t *src;
+
+ if (s->cirrus_srccounter) {
+ /* cputovideo */
+ src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~1];
+ } else {
+ /* videotovideo */
+ src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~1];
+ }
+ return *src;
+}
+
+static inline uint32_t cirrus_src32(CirrusVGAState *s, uint32_t srcaddr)
+{
+ uint32_t *src;
+
+ if (s->cirrus_srccounter) {
+ /* cputovideo */
+ src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~3];
+ } else {
+ /* videotovideo */
+ src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~3];
+ }
+ return *src;
+}
+
#define ROP_NAME 0
#define ROP_FN(d, s) 0
#include "cirrus_vga_rop.h"
@@ -674,10 +713,10 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
}
}
-static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s)
{
uint32_t patternsize;
- uint8_t *src;
+ bool videosrc = !s->cirrus_srccounter;
if (videosrc) {
switch (s->vga.get_bpp(&s->vga)) {
@@ -698,16 +737,14 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
return 0;
}
- src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
- } else {
- src = s->cirrus_bltbuf;
}
if (blit_is_unsafe(s, true)) {
return 0;
}
- (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr, src,
+ (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
+ videosrc ? s->cirrus_blt_srcaddr : 0,
s->cirrus_blt_dstpitch, 0,
s->cirrus_blt_width, s->cirrus_blt_height);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
@@ -744,7 +781,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
{
- return cirrus_bitblt_common_patterncopy(s, true);
+ return cirrus_bitblt_common_patterncopy(s);
}
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
@@ -794,7 +831,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
}
(*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
- s->vga.vram_ptr + s->cirrus_blt_srcaddr,
+ s->cirrus_blt_srcaddr,
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
s->cirrus_blt_width, s->cirrus_blt_height);
@@ -837,7 +874,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
if (s->cirrus_srccounter > 0) {
if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
- cirrus_bitblt_common_patterncopy(s, false);
+ cirrus_bitblt_common_patterncopy(s);
the_end:
s->cirrus_srccounter = 0;
cirrus_bitblt_reset(s);
@@ -845,7 +882,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
/* at least one scan line */
do {
(*s->cirrus_rop)(s, s->cirrus_blt_dstaddr,
- s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
+ 0, 0, 0, s->cirrus_blt_width, 1);
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
s->cirrus_blt_width, 1);
s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index 1aa778d3e8..c61a677353 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -78,7 +78,7 @@ static inline void glue(rop_32_, ROP_NAME)(CirrusVGAState *s,
static void
glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
@@ -92,19 +92,19 @@ glue(cirrus_bitblt_rop_fwd_, ROP_NAME)(CirrusVGAState *s,
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- ROP_OP(s, dstaddr, *src);
+ ROP_OP(s, dstaddr, cirrus_src(s, srcaddr));
dstaddr++;
- src++;
+ srcaddr++;
}
dstaddr += dstpitch;
- src += srcpitch;
+ srcaddr += srcpitch;
}
}
static void
glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
@@ -113,19 +113,19 @@ glue(cirrus_bitblt_rop_bkwd_, ROP_NAME)(CirrusVGAState *s,
srcpitch += bltwidth;
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- ROP_OP(s, dstaddr, *src);
+ ROP_OP(s, dstaddr, cirrus_src(s, srcaddr));
dstaddr--;
- src--;
+ srcaddr--;
}
dstaddr += dstpitch;
- src += srcpitch;
+ srcaddr += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch,
int srcpitch,
int bltwidth,
@@ -142,19 +142,19 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- ROP_OP_TR(s, dstaddr, *src, transp);
+ ROP_OP_TR(s, dstaddr, cirrus_src(s, srcaddr), transp);
dstaddr++;
- src++;
+ srcaddr++;
}
dstaddr += dstpitch;
- src += srcpitch;
+ srcaddr += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch,
int srcpitch,
int bltwidth,
@@ -166,19 +166,19 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_8)(CirrusVGAState *s,
srcpitch += bltwidth;
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x++) {
- ROP_OP_TR(s, dstaddr, *src, transp);
+ ROP_OP_TR(s, dstaddr, cirrus_src(s, srcaddr), transp);
dstaddr--;
- src--;
+ srcaddr--;
}
dstaddr += dstpitch;
- src += srcpitch;
+ srcaddr += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch,
int srcpitch,
int bltwidth,
@@ -195,19 +195,19 @@ glue(glue(cirrus_bitblt_rop_fwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x+=2) {
- ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
+ ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp);
dstaddr += 2;
- src += 2;
+ srcaddr += 2;
}
dstaddr += dstpitch;
- src += srcpitch;
+ srcaddr += srcpitch;
}
}
static void
glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch,
int srcpitch,
int bltwidth,
@@ -219,12 +219,12 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
srcpitch += bltwidth;
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x+=2) {
- ROP_OP_TR_16(s, dstaddr, *(uint16_t *)src, transp);
+ ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp);
dstaddr -= 2;
- src -= 2;
+ srcaddr -= 2;
}
dstaddr += dstpitch;
- src += srcpitch;
+ srcaddr += srcpitch;
}
}
diff --git a/hw/display/cirrus_vga_rop2.h b/hw/display/cirrus_vga_rop2.h
index bc92f0e0e7..b86bcd6e09 100644
--- a/hw/display/cirrus_vga_rop2.h
+++ b/hw/display/cirrus_vga_rop2.h
@@ -41,14 +41,14 @@
static void
glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
(CirrusVGAState *s, uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
uint32_t addr;
int x, y, pattern_y, pattern_pitch, pattern_x;
unsigned int col;
- const uint8_t *src1;
+ uint32_t src1addr;
#if DEPTH == 24
int skipleft = s->vga.gr[0x2f] & 0x1f;
#else
@@ -66,22 +66,24 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
for(y = 0; y < bltheight; y++) {
pattern_x = skipleft;
addr = dstaddr + skipleft;
- src1 = src + pattern_y * pattern_pitch;
+ src1addr = srcaddr + pattern_y * pattern_pitch;
for (x = skipleft; x < bltwidth; x += (DEPTH / 8)) {
#if DEPTH == 8
- col = src1[pattern_x];
+ col = cirrus_src(s, src1addr + pattern_x);
pattern_x = (pattern_x + 1) & 7;
#elif DEPTH == 16
- col = ((uint16_t *)(src1 + pattern_x))[0];
+ col = cirrus_src16(s, src1addr + pattern_x);
pattern_x = (pattern_x + 2) & 15;
#elif DEPTH == 24
{
- const uint8_t *src2 = src1 + pattern_x * 3;
- col = src2[0] | (src2[1] << 8) | (src2[2] << 16);
+ uint32_t src2addr = src1addr + pattern_x * 3;
+ col = cirrus_src(s, src2addr) |
+ (cirrus_src(s, src2addr + 1) << 8) |
+ (cirrus_src(s, src2addr + 2) << 16);
pattern_x = (pattern_x + 1) & 7;
}
#else
- col = ((uint32_t *)(src1 + pattern_x))[0];
+ col = cirrus_src32(s, src1addr + pattern_x);
pattern_x = (pattern_x + 4) & 31;
#endif
PUTPIXEL(s, addr, col);
@@ -96,7 +98,7 @@ glue(glue(glue(cirrus_patternfill_, ROP_NAME), _),DEPTH)
static void
glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
(CirrusVGAState *s, uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
@@ -124,12 +126,12 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
for(y = 0; y < bltheight; y++) {
bitmask = 0x80 >> srcskipleft;
- bits = *src++ ^ bits_xor;
+ bits = cirrus_src(s, srcaddr++) ^ bits_xor;
addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
if ((bitmask & 0xff) == 0) {
bitmask = 0x80;
- bits = *src++ ^ bits_xor;
+ bits = cirrus_src(s, srcaddr++) ^ bits_xor;
}
index = (bits & bitmask);
if (index) {
@@ -145,7 +147,7 @@ glue(glue(glue(cirrus_colorexpand_transp_, ROP_NAME), _),DEPTH)
static void
glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
(CirrusVGAState *s, uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
@@ -162,12 +164,12 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
colors[1] = s->cirrus_blt_fgcol;
for(y = 0; y < bltheight; y++) {
bitmask = 0x80 >> srcskipleft;
- bits = *src++;
+ bits = cirrus_src(s, srcaddr++);
addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
if ((bitmask & 0xff) == 0) {
bitmask = 0x80;
- bits = *src++;
+ bits = cirrus_src(s, srcaddr++);
}
col = colors[!!(bits & bitmask)];
PUTPIXEL(s, addr, col);
@@ -181,7 +183,7 @@ glue(glue(glue(cirrus_colorexpand_, ROP_NAME), _),DEPTH)
static void
glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
(CirrusVGAState *s, uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
@@ -207,7 +209,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
pattern_y = s->cirrus_blt_srcaddr & 7;
for(y = 0; y < bltheight; y++) {
- bits = src[pattern_y] ^ bits_xor;
+ bits = cirrus_src(s, srcaddr + pattern_y) ^ bits_xor;
bitpos = 7 - srcskipleft;
addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {
@@ -225,7 +227,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_transp_, ROP_NAME), _),DEPTH)
static void
glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
(CirrusVGAState *s, uint32_t dstaddr,
- const uint8_t *src,
+ uint32_t srcaddr,
int dstpitch, int srcpitch,
int bltwidth, int bltheight)
{
@@ -242,7 +244,7 @@ glue(glue(glue(cirrus_colorexpand_pattern_, ROP_NAME), _),DEPTH)
pattern_y = s->cirrus_blt_srcaddr & 7;
for(y = 0; y < bltheight; y++) {
- bits = src[pattern_y];
+ bits = cirrus_src(s, srcaddr + pattern_y);
bitpos = 7 - srcskipleft;
addr = dstaddr + dstskipleft;
for (x = dstskipleft; x < bltwidth; x += (DEPTH / 8)) {

34
0080-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch Normal file
View File

@ -0,0 +1,34 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 17 Mar 2017 08:21:36 +0100
Subject: [PATCH] cirrus: fix off-by-one in cirrus_bitblt_rop_bkwd_transp_*_16
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The switch from pointers to addresses (commit
026aeffcb4752054830ba203020ed6eb05bcaba8 and
ffaf857778286ca54e3804432a2369a279e73aa7) added
a off-by-one bug to 16bit backward blits. Fix.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 1489735296-19047-1-git-send-email-kraxel@redhat.com
(cherry picked from commit f019722cbbb45aea153294fc8921fcc96a4d3fa2)
---
hw/display/cirrus_vga_rop.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/display/cirrus_vga_rop.h b/hw/display/cirrus_vga_rop.h
index c61a677353..0841b9efa9 100644
--- a/hw/display/cirrus_vga_rop.h
+++ b/hw/display/cirrus_vga_rop.h
@@ -219,7 +219,7 @@ glue(glue(cirrus_bitblt_rop_bkwd_transp_, ROP_NAME),_16)(CirrusVGAState *s,
srcpitch += bltwidth;
for (y = 0; y < bltheight; y++) {
for (x = 0; x < bltwidth; x+=2) {
- ROP_OP_TR_16(s, dstaddr, cirrus_src16(s, srcaddr), transp);
+ ROP_OP_TR_16(s, dstaddr - 1, cirrus_src16(s, srcaddr - 1), transp);
dstaddr -= 2;
srcaddr -= 2;
}

30
0081-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch Normal file
View File

@ -0,0 +1,30 @@
From: P J P <ppandit@redhat.com>
Date: Tue, 25 Apr 2017 18:36:23 +0530
Subject: [PATCH] vmw_pvscsi: check message ring page count at initialisation
A guest could set the message ring page count to zero, resulting in
infinite loop. Add check to avoid it.
Reported-by: YY Z <bigbird475958471@gmail.com>
Signed-off-by: P J P <ppandit@redhat.com>
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit f68826989cd4d1217797251339579c57b3c0934e)
---
hw/scsi/vmw_pvscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index a5ce7dea8e..44141322de 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
uint32_t len_log2;
uint32_t ring_size;
- if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
+ if (!ri->numPages || ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
return -1;
}
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;

35
0082-audio-release-capture-buffers.patch Normal file
View File

@ -0,0 +1,35 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 28 Apr 2017 09:56:12 +0200
Subject: [PATCH] audio: release capture buffers
AUD_add_capture() allocates two buffers which are never released.
Add the missing calls to AUD_del_capture().
Impact: Allows vnc clients to exhaust host memory by repeatedly
starting and stopping audio capture.
Fixes: CVE-2017-8309
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: "Jiangxin (hunter, SCC)" <jiangxin1@huawei.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-id: 20170428075612.9997-1-kraxel@redhat.com
(cherry picked from commit 3268a845f41253fb55852a8429c32b50f36f349a)
---
audio/audio.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/audio/audio.c b/audio/audio.c
index c845a44f0a..adede3c9ef 100644
--- a/audio/audio.c
+++ b/audio/audio.c
@@ -2023,6 +2023,8 @@ void AUD_del_capture (CaptureVoiceOut *cap, void *cb_opaque)
sw = sw1;
}
QLIST_REMOVE (cap, entries);
+ g_free (cap->hw.mix_buf);
+ g_free (cap->buf);
g_free (cap);
}
return;

87
0083-input-limit-kbd-queue-depth.patch Normal file
View File

@ -0,0 +1,87 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Fri, 28 Apr 2017 10:42:37 +0200
Subject: [PATCH] input: limit kbd queue depth
Apply a limit to the number of items we accept into the keyboard queue.
Impact: Without this limit vnc clients can exhaust host memory by
sending keyboard events faster than qemu feeds them to the guest.
Fixes: CVE-2017-8379
Cc: P J P <ppandit@redhat.com>
Cc: Huawei PSIRT <PSIRT@huawei.com>
Reported-by: jiangxin1@huawei.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170428084237.23960-1-kraxel@redhat.com
(cherry picked from commit fa18f36a461984eae50ab957e47ec78dae3c14fc)
---
ui/input.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ui/input.c b/ui/input.c
index ed88cda6d6..fb1f404095 100644
--- a/ui/input.c
+++ b/ui/input.c
@@ -41,6 +41,8 @@ static QTAILQ_HEAD(QemuInputEventQueueHead, QemuInputEventQueue) kbd_queue =
QTAILQ_HEAD_INITIALIZER(kbd_queue);
static QEMUTimer *kbd_timer;
static uint32_t kbd_default_delay_ms = 10;
+static uint32_t queue_count;
+static uint32_t queue_limit = 1024;
QemuInputHandlerState *qemu_input_handler_register(DeviceState *dev,
QemuInputHandler *handler)
@@ -268,6 +270,7 @@ static void qemu_input_queue_process(void *opaque)
break;
}
QTAILQ_REMOVE(queue, item, node);
+ queue_count--;
g_free(item);
}
}
@@ -282,6 +285,7 @@ static void qemu_input_queue_delay(struct QemuInputEventQueueHead *queue,
item->delay_ms = delay_ms;
item->timer = timer;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
if (start_timer) {
timer_mod(item->timer, qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL)
@@ -298,6 +302,7 @@ static void qemu_input_queue_event(struct QemuInputEventQueueHead *queue,
item->src = src;
item->evt = evt;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
}
static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
@@ -306,6 +311,7 @@ static void qemu_input_queue_sync(struct QemuInputEventQueueHead *queue)
item->type = QEMU_INPUT_QUEUE_SYNC;
QTAILQ_INSERT_TAIL(queue, item, node);
+ queue_count++;
}
void qemu_input_event_send_impl(QemuConsole *src, InputEvent *evt)
@@ -381,7 +387,7 @@ void qemu_input_event_send_key(QemuConsole *src, KeyValue *key, bool down)
qemu_input_event_send(src, evt);
qemu_input_event_sync();
qapi_free_InputEvent(evt);
- } else {
+ } else if (queue_count < queue_limit) {
qemu_input_queue_event(&kbd_queue, src, evt);
qemu_input_queue_sync(&kbd_queue);
}
@@ -409,8 +415,10 @@ void qemu_input_event_send_key_delay(uint32_t delay_ms)
kbd_timer = timer_new_ms(QEMU_CLOCK_VIRTUAL, qemu_input_queue_process,
&kbd_queue);
}
- qemu_input_queue_delay(&kbd_queue, kbd_timer,
- delay_ms ? delay_ms : kbd_default_delay_ms);
+ if (queue_count < queue_limit) {
+ qemu_input_queue_delay(&kbd_queue, kbd_timer,
+ delay_ms ? delay_ms : kbd_default_delay_ms);
+ }
}
InputEvent *qemu_input_event_new_btn(InputButton btn, bool down)

42
0084-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch Normal file
View File

@ -0,0 +1,42 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 24 Apr 2017 17:36:34 +0530
Subject: [PATCH] scsi: avoid an off-by-one error in megasas_mmio_write
While reading magic sequence(MFI_SEQ) in megasas_mmio_write,
an off-by-one error could occur as 's->adp_reset' index is not
reset after reading the last sequence.
Reported-by: YY Z <bigbird475958471@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170424120634.12268-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f)
---
hw/scsi/megasas.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
index ebf03022ed..efcbaa9c8d 100644
--- a/hw/scsi/megasas.c
+++ b/hw/scsi/megasas.c
@@ -2132,15 +2132,15 @@ static void megasas_mmio_write(void *opaque, hwaddr addr,
case MFI_SEQ:
trace_megasas_mmio_writel("MFI_SEQ", val);
/* Magic sequence to start ADP reset */
- if (adp_reset_seq[s->adp_reset] == val) {
- s->adp_reset++;
+ if (adp_reset_seq[s->adp_reset++] == val) {
+ if (s->adp_reset == 6) {
+ s->adp_reset = 0;
+ s->diag = MFI_DIAG_WRITE_ENABLE;
+ }
} else {
s->adp_reset = 0;
s->diag = 0;
}
- if (s->adp_reset == 6) {
- s->diag = MFI_DIAG_WRITE_ENABLE;
- }
break;
case MFI_DIAG:
trace_megasas_mmio_writel("MFI_DIAG", val);

33
0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch Normal file
View File

@ -0,0 +1,33 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Sat, 21 Jan 2017 23:42:33 -0800
Subject: [PATCH] virtio-gpu: fix memory leak in set scanout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In virtio_gpu_set_scanout function, when creating the 'rect'
its refcount is set to 2, by pixman_image_create_bits and
qemu_create_displaysurface_pixman function. This can lead
a memory leak issues. This patch avoid this issue.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Message-id: 5884626f.5b2f6b0a.1bfff.3037@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit dd248ed7e204ee8a1873914e02b8b526e8f1b80d)
---
hw/display/virtio-gpu.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index cadd7d899d..7c8fda1733 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -602,6 +602,7 @@ static void virtio_gpu_set_scanout(VirtIOGPU *g,
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
return;
}
+ pixman_image_unref(rect);
dpy_gfx_replace_surface(g->scanout[ss.scanout_id].con, scanout->ds);
}

41
0086-net-e1000e-fix-an-infinite-loop-issue.patch Normal file
View File

@ -0,0 +1,41 @@
From: Li Qiang <liq3ea@gmail.com>
Date: Thu, 9 Feb 2017 18:19:19 -0800
Subject: [PATCH] net: e1000e: fix an infinite loop issue
This issue is like the issue in e1000 network card addressed in
this commit:
e1000: eliminate infinite loops on out-of-bounds transfer start.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit 4154c7e03fa55b4cf52509a83d50d6c09d743b77)
---
hw/net/e1000e_core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hw/net/e1000e_core.c b/hw/net/e1000e_core.c
index badb1feb7d..718154bc56 100644
--- a/hw/net/e1000e_core.c
+++ b/hw/net/e1000e_core.c
@@ -806,7 +806,8 @@ typedef struct E1000E_RingInfo_st {
static inline bool
e1000e_ring_empty(E1000ECore *core, const E1000E_RingInfo *r)
{
- return core->mac[r->dh] == core->mac[r->dt];
+ return core->mac[r->dh] == core->mac[r->dt] ||
+ core->mac[r->dt] >= core->mac[r->dlen] / E1000_RING_DESC_LEN;
}
static inline uint64_t
@@ -1522,6 +1523,10 @@ e1000e_write_packet_to_guest(E1000ECore *core, struct NetRxPkt *pkt,
desc_size = core->rx_desc_buf_size;
}
+ if (e1000e_ring_empty(core, rxi)) {
+ return;
+ }
+
base = e1000e_ring_head_descr(core, rxi);
pci_dma_read(d, base, &desc, core->rx_desc_len);

28
0087-usb-ohci-fix-error-return-code-in-servicing-iso-td.patch Normal file
View File

@ -0,0 +1,28 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 7 Feb 2017 03:15:03 -0800
Subject: [PATCH] usb: ohci: fix error return code in servicing iso td
It should return 1 if an error occurs when reading iso td.
This will avoid an infinite loop issue in ohci_service_ed_list.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 5899ac3e.1033240a.944d5.9a2d@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 26f670a244982335cc08943fb1ec099a2c81e42d)
---
hw/usb/hcd-ohci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
index 48307febd3..27130fe08f 100644
--- a/hw/usb/hcd-ohci.c
+++ b/hw/usb/hcd-ohci.c
@@ -727,7 +727,7 @@ static int ohci_service_iso_td(OHCIState *ohci, struct ohci_ed *ed,
if (ohci_read_iso_td(ohci, addr, &iso_td)) {
trace_usb_ohci_iso_td_read_failed(addr);
ohci_die(ohci);
- return 0;
+ return 1;
}
starting_frame = OHCI_BM(iso_td.flags, TD_SF);

75
0088-usb-ehci-fix-memory-leak-in-ehci.patch Normal file
View File

@ -0,0 +1,75 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Tue, 7 Feb 2017 18:42:55 -0800
Subject: [PATCH] usb: ehci: fix memory leak in ehci
In usb_ehci_init function, it initializes 's->ipacket', but there
is no corresponding function to free this. As the ehci can be hotplug
and unplug, this will leak host memory leak. In order to make the
hierarchy clean, we should add a ehci pci finalize function, then call
the clean function in ehci device.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-id: 589a85b8.3c2b9d0a.b8e6.1434@mx.google.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit d710e1e7bd3d5bfc26b631f02ae87901ebe646b0)
---
hw/usb/hcd-ehci-pci.c | 9 +++++++++
hw/usb/hcd-ehci.c | 5 +++++
hw/usb/hcd-ehci.h | 1 +
3 files changed, 15 insertions(+)
diff --git a/hw/usb/hcd-ehci-pci.c b/hw/usb/hcd-ehci-pci.c
index 56577051e2..6dedcb8989 100644
--- a/hw/usb/hcd-ehci-pci.c
+++ b/hw/usb/hcd-ehci-pci.c
@@ -89,6 +89,14 @@ static void usb_ehci_pci_init(Object *obj)
usb_ehci_init(s, DEVICE(obj));
}
+static void usb_ehci_pci_finalize(Object *obj)
+{
+ EHCIPCIState *i = PCI_EHCI(obj);
+ EHCIState *s = &i->ehci;
+
+ usb_ehci_finalize(s);
+}
+
static void usb_ehci_pci_exit(PCIDevice *dev)
{
EHCIPCIState *i = PCI_EHCI(dev);
@@ -159,6 +167,7 @@ static const TypeInfo ehci_pci_type_info = {
.parent = TYPE_PCI_DEVICE,
.instance_size = sizeof(EHCIPCIState),
.instance_init = usb_ehci_pci_init,
+ .instance_finalize = usb_ehci_pci_finalize,
.abstract = true,
.class_init = ehci_class_init,
};
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
index 7622a3ae72..50ef817f93 100644
--- a/hw/usb/hcd-ehci.c
+++ b/hw/usb/hcd-ehci.c
@@ -2545,6 +2545,11 @@ void usb_ehci_init(EHCIState *s, DeviceState *dev)
&s->mem_ports);
}
+void usb_ehci_finalize(EHCIState *s)
+{
+ usb_packet_cleanup(&s->ipacket);
+}
+
/*
* vim: expandtab ts=4
*/
diff --git a/hw/usb/hcd-ehci.h b/hw/usb/hcd-ehci.h
index 3fd7038658..938d8aa284 100644
--- a/hw/usb/hcd-ehci.h
+++ b/hw/usb/hcd-ehci.h
@@ -323,6 +323,7 @@ struct EHCIState {
extern const VMStateDescription vmstate_ehci;
void usb_ehci_init(EHCIState *s, DeviceState *dev);
+void usb_ehci_finalize(EHCIState *s);
void usb_ehci_realize(EHCIState *s, DeviceState *dev, Error **errp);
void usb_ehci_unrealize(EHCIState *s, DeviceState *dev, Error **errp);
void ehci_reset(void *opaque);

47
0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch Normal file
View File

@ -0,0 +1,47 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 9 May 2017 13:01:28 +0200
Subject: [PATCH] usb-redir: fix stack overflow in usbredir_log_data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Don't reinvent a broken wheel, just use the hexdump function we have.
Impact: low, broken code doesn't run unless you have debug logging
enabled.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170509110128.27261-1-kraxel@redhat.com
(cherry picked from commit bd4a683505b27adc1ac809f71e918e58573d851d)
---
hw/usb/redirect.c | 13 +------------
1 file changed, 1 insertion(+), 12 deletions(-)
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index d064961203..94249ec0b5 100644
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -229,21 +229,10 @@ static void usbredir_log(void *priv, int level, const char *msg)
static void usbredir_log_data(USBRedirDevice *dev, const char *desc,
const uint8_t *data, int len)
{
- int i, j, n;
-
if (dev->debug < usbredirparser_debug_data) {
return;
}
-
- for (i = 0; i < len; i += j) {
- char buf[128];
-
- n = sprintf(buf, "%s", desc);
- for (j = 0; j < 8 && i + j < len; j++) {
- n += sprintf(buf + n, " %02X", data[i + j]);
- }
- error_report("%s", buf);
- }
+ qemu_hexdump((char *)data, stderr, desc, len);
}
/*

58
qemu.spec
View File

@ -68,7 +68,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.7.1
Release: 6%{?rcrel}%{?dist}
Release: 7%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -254,6 +254,41 @@ Patch0071: 0071-slirp-Send-RDNSS-in-RA-only-if-host-has-an-IPv6-DNS-.patch
Patch0072: 0072-qxl-clear-guest_cursor-on-QXL_CURSOR_HIDE.patch
# CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
Patch0073: 0073-serial-fix-memory-leak-in-serial-exit.patch
# CVE-2017-7718: cirrus: OOB read access issue (bz #1443443)
Patch0074: 0074-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f.patch
# CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz
# #1432040)
Patch0075: 0075-cirrus-vnc-zap-bitblit-support-from-console-code.patch
# CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872)
Patch0076: 0076-9pfs-fix-file-descriptor-leak.patch
# CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372)
Patch0077: 0077-cirrus-fix-cirrus_invalidate_region.patch
Patch0078: 0078-cirrus-stop-passing-around-dst-pointers-in-the-blitt.patch
Patch0079: 0079-cirrus-stop-passing-around-src-pointers-in-the-blitt.patch
Patch0080: 0080-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran.patch
# CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622)
Patch0081: 0081-vmw_pvscsi-check-message-ring-page-count-at-initiali.patch
# CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
Patch0082: 0082-audio-release-capture-buffers.patch
# CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
Patch0083: 0083-input-limit-kbd-queue-depth.patch
# CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz
# #1446578)
Patch0084: 0084-scsi-avoid-an-off-by-one-error-in-megasas_mmio_write.patch
# CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz
# #1452598)
Patch0085: 0085-virtio-gpu-fix-memory-leak-in-set-scanout.patch
# CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623)
Patch0086: 0086-net-e1000e-fix-an-infinite-loop-issue.patch
# CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz
# #1457699)
Patch0087: 0087-usb-ohci-fix-error-return-code-in-servicing-iso-td.patch
# CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz
# #1459137)
Patch0088: 0088-usb-ehci-fix-memory-leak-in-ehci.patch
# CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz
# #1468497)
Patch0089: 0089-usb-redir-fix-stack-overflow-in-usbredir_log_data.patch
# documentation deps
BuildRequires: texinfo
@ -1727,6 +1762,27 @@ getent passwd qemu >/dev/null || \
%changelog
* Wed Jul 12 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-7
- CVE-2017-7718: cirrus: OOB read access issue (bz #1443443)
- CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz
#1432040)
- CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872)
- CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372)
- CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622)
- CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520)
- CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560)
- CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz
#1446578)
- CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz
#1452598)
- CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623)
- CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz
#1457699)
- CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz
#1459137)
- CVE-2017-10806: usb-redirect: stack buffer overflow in debug logging (bz
#1468497)
* Thu Apr 13 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-6
- chardev data is dropped when host side closed (bz #1352977)
- CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)