Fix usb3 drive issues with windows guests (bz #1493196)

CVE-2017-15038: 9p: information disclosure when reading extended attributes (bz #1499111)
CVE-2017-15268: potential memory exhaustion via websock connection to VNC (bz #1496882)
CVE-2017-14167: multiboot OOB access while loading kernel image (bz #1489376)
CVE-2017-13672: vga: OOB read access during display update (bz #1486561)
CVE-2017-12809: flushing of empty CDROM drives leads to NULL deref (bz #1483536)
CVE-2017-11434 slirp: out-of-bounds read while parsing dhcp options (bz #1472612)
Fix sending multimedia keys through spice (bz #1471758)
Another ppc64le binfmt fix (bz #1500526)
Cole Robinson 2017-10-19 13:00:46 -04:00
parent 78f76fb238
commit 43b563a3f6
16 changed files with 1543 additions and 2 deletions

@ -0,0 +1,37 @@
From: Ladi Prosek <lprosek@redhat.com>
Date: Fri, 12 May 2017 12:21:00 +0200
Subject: [PATCH] xhci: relax link check
The strict td link limit added by commit "05f43d4 xhci: limit the
number of link trbs we are willing to process" causes problems with
Windows guests. Let's raise the limit.
This change is analogous to:
commit ab6b1105a2259c7072905887f71caa850ce63190
Author: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue Mar 7 09:40:18 2017 +0100
ohci: relax link check
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Message-id: 20170512102100.22675-1-lprosek@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 99f9aeba5d461f79c9ce73f968ba0feb77fc1f5a)
---
hw/usb/hcd-xhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index ed0f13f37b..95f127d152 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -50,7 +50,7 @@
/* Very pessimistic, let's hope it's enough for all cases */
#define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS)
-#define TRB_LINK_LIMIT 4
+#define TRB_LINK_LIMIT 32
#define COMMAND_LIMIT 256
#define TRANSFER_LIMIT 256
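Review bot: `TRB_LINK_LIMIT` has no comment of its own (the "Very pessimistic" comment above it belongs to `EV_QUEUE`), and neither the define nor the commit message says why 32 is enough for Windows guests. Add a one-line comment at the define stating that it caps the number of link TRBs the controller is willing to process and that it was raised from 4 for Windows guest compatibility, so a later reader does not tighten it again without knowing the history.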

@ -0,0 +1,40 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 16 Oct 2017 14:21:59 +0200
Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
9p back-end first queries the size of an extended attribute,
allocates space for it via g_malloc() and then retrieves its
value into allocated buffer. Race between querying attribute
size and retrieving its could lead to memory bytes disclosure.
Use g_malloc0() to avoid it.
Reported-by: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Greg Kurz <groug@kaod.org>
(cherry picked from commit 7bd92756303f2158a68d5166264dc30139b813b6)
---
hw/9pfs/9p.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
index c80ba67389..aaf9935ef4 100644
--- a/hw/9pfs/9p.c
+++ b/hw/9pfs/9p.c
@@ -3220,7 +3220,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
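Review bot: the buffer is allocated with `size`, but the `v9fs_co_llistxattr()` call directly after it is told the buffer holds `xattr_fidp->fs.xattr.len` bytes, and nothing in this hunk shows that the two are the same value. Pass one variable to both, or assert that they are equal. Zero-filling also hides stale heap bytes without closing the race the commit message describes: if the call returns fewer bytes than `len`, these lines leave `len` unchanged, so consider trimming it to the returned length once `err` is known to be non-negative.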
@@ -3253,7 +3253,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
xattr_fidp->fid_type = P9_FID_XATTR;
xattr_fidp->fs.xattr.xattrwalk_fid = true;
if (size) {
- xattr_fidp->fs.xattr.value = g_malloc(size);
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
&name, xattr_fidp->fs.xattr.value,
xattr_fidp->fs.xattr.len);
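Review bot: this is the same allocate-then-fetch sequence as the list path in the previous hunk, changed by hand in both places. A small helper that allocates the zeroed value buffer would keep the `v9fs_co_lgetxattr()` and `v9fs_co_llistxattr()` paths from drifting apart the next time one of them is touched.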

@ -0,0 +1,51 @@
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Mon, 9 Oct 2017 14:43:42 +0100
Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
The websocket GSource is monitoring the size of the rawoutput
buffer to determine if the channel can accepts more writes.
The rawoutput buffer, however, is merely a temporary staging
buffer before data is copied into the encoutput buffer. Thus
its size will always be zero when the GSource runs.
This flaw causes the encoutput buffer to grow without bound
if the other end of the underlying data channel doesn't
read data being sent. This can be seen with VNC if a client
is on a slow WAN link and the guest OS is sending many screen
updates. A malicious VNC client can act like it is on a slow
link by playing a video in the guest and then reading data
very slowly, causing QEMU host memory to expand arbitrarily.
This issue is assigned CVE-2017-15268, publically reported in
https://bugs.launchpad.net/qemu/+bug/1718964
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493)
---
io/channel-websock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/io/channel-websock.c b/io/channel-websock.c
index 8fabadea2f..882bbb4cbc 100644
--- a/io/channel-websock.c
+++ b/io/channel-websock.c
@@ -26,7 +26,7 @@
#include "trace.h"
-/* Max amount to allow in rawinput/rawoutput buffers */
+/* Max amount to allow in rawinput/encoutput buffers */
#define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
#define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
if (wsource->wioc->rawinput.offset) {
cond |= G_IO_IN;
}
- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
cond |= G_IO_OUT;
}
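Review bot: the `encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER` test in `qio_channel_websock_source_prepare()` only stops the source from advertising `G_IO_OUT`, so it is a soft threshold rather than a hard cap. A write accepted while the offset is just under 8192 can still take the buffer past the limit, and nothing in this hunk bounds the size of that write. Say so in the comment on the define, or enforce the limit at the point where data is appended to `encoutput`.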

@ -0,0 +1,60 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 7 Sep 2017 12:02:56 +0530
Subject: [PATCH] multiboot: validate multiboot header address values
While loading kernel via multiboot-v1 image, (flags & 0x00010000)
indicates that multiboot header contains valid addresses to load
the kernel image. These addresses are used to compute kernel
size and kernel text offset in the OS image. Validate these
address values to avoid an OOB access issue.
This is CVE-2017-14167.
Reported-by: Thomas Garnier <thgarnie@google.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20170907063256.7418-1-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb)
---
hw/i386/multiboot.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
index f13e23139b..22688d376d 100644
--- a/hw/i386/multiboot.c
+++ b/hw/i386/multiboot.c
@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
uint32_t mh_header_addr = ldl_p(header+i+12);
uint32_t mh_load_end_addr = ldl_p(header+i+20);
uint32_t mh_bss_end_addr = ldl_p(header+i+24);
+
mh_load_addr = ldl_p(header+i+16);
+ if (mh_header_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_load_addr address\n");
+ exit(1);
+ }
+
uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
uint32_t mb_load_size = 0;
mh_entry_addr = ldl_p(header+i+28);
if (mh_load_end_addr) {
+ if (mh_bss_end_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_bss_end_addr address\n");
+ exit(1);
+ }
mb_kernel_size = mh_bss_end_addr - mh_load_addr;
+
+ if (mh_load_end_addr < mh_load_addr) {
+ fprintf(stderr, "invalid mh_load_end_addr address\n");
+ exit(1);
+ }
mb_load_size = mh_load_end_addr - mh_load_addr;
} else {
+ if (kernel_file_size < mb_kernel_text_offset) {
+ fprintf(stderr, "invalid kernel_file_size\n");
+ exit(1);
+ }
mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
mb_load_size = mb_kernel_size;
}
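Review bot: `mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr)` can still wrap after the new `mh_header_addr < mh_load_addr` check. That check only keeps the inner subtraction non-negative; nothing rejects a header whose `mh_header_addr - mh_load_addr` exceeds `i`. Add a check on that difference before the offset is computed. In the `mh_load_end_addr` branch, `mb_load_size` is likewise not compared against `kernel_file_size`, and `mh_load_end_addr` is not compared against `mh_bss_end_addr`; both are worth validating here while the header fields are at hand.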

@ -0,0 +1,494 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 28 Aug 2017 14:29:06 +0200
Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions
Instead pass around the address (aka offset into vga memory).
Add vga_read_* helper functions which apply vbe_size_mask to
the address, to make sure the address stays within the valid
range, similar to the cirrus blitter fixes (commits ffaf857778
and 026aeffcb4).
Impact: DoS for privileged guest users. qemu crashes with
a segfault, when hitting the guard page after vga memory
allocation, while reading vga memory for display updates.
Fixes: CVE-2017-13672
Cc: P J P <ppandit@redhat.com>
Reported-by: David Buchanan <d@vidbuchanan.co.uk>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Message-id: 20170828122906.18993-1-kraxel@redhat.com
(cherry picked from commit 3d90c6254863693a6b13d918d2b8682e08bbc681)
---
hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++---------------------
hw/display/vga.c | 5 +-
hw/display/vga_int.h | 1 +
3 files changed, 114 insertions(+), 94 deletions(-)
diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h
index 94f6de2046..5a752b3f9e 100644
--- a/hw/display/vga-helpers.h
+++ b/hw/display/vga-helpers.h
@@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize,
} while (--h);
}
+static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr)
+{
+ return vga->vram_ptr[addr & vga->vbe_size_mask];
+}
+
+static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+ return lduw_le_p(ptr);
+}
+
+static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~1;
+ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset);
+ return lduw_be_p(ptr);
+}
+
+static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr)
+{
+ uint32_t offset = addr & vga->vbe_size_mask & ~3;
+ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset);
+ return ldl_le_p(ptr);
+}
+
/*
* 4 color mode
*/
-static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line2(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, *palette, data, v;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand2[GET_PLANE(data, 0)];
v |= expand2[GET_PLANE(data, 2)] << 2;
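Review bot: `vga_read_word_le()`, `vga_read_word_be()` and `vga_read_dword_le()` align the address down with `& ~1` and `& ~3`, which the old pointer-based reads did not do, so an unaligned `addr` now reads different bytes than before. If that is intended, say so in a comment above the helpers, together with the fact that out-of-range addresses wrap around instead of being rejected. The typed pointer casts also look avoidable: the removed callers passed `(void *)s` to `lduw_le_p()`, so the helpers can hand `vga->vram_ptr + offset` to the load functions directly.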
@@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
d += 32;
- s += 4;
+ addr += 4;
}
}
@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d,
/*
* 4 color mode, dup2 horizontal
*/
-static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, *palette, data, v;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand2[GET_PLANE(data, 0)];
v |= expand2[GET_PLANE(data, 2)] << 2;
@@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d,
PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
d += 64;
- s += 4;
+ addr += 4;
}
}
/*
* 16 color mode
*/
-static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line4(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, data, v, *palette;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand4[GET_PLANE(data, 0)];
v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d,
((uint32_t *)d)[6] = palette[(v >> 4) & 0xf];
((uint32_t *)d)[7] = palette[(v >> 0) & 0xf];
d += 32;
- s += 4;
+ addr += 4;
}
}
/*
* 16 color mode, dup2 horizontal
*/
-static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t plane_mask, data, v, *palette;
int x;
- palette = s1->last_palette;
- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
+ palette = vga->last_palette;
+ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf];
width >>= 3;
for(x = 0; x < width; x++) {
- data = ((uint32_t *)s)[0];
+ data = vga_read_dword_le(vga, addr);
data &= plane_mask;
v = expand4[GET_PLANE(data, 0)];
v |= expand4[GET_PLANE(data, 1)] << 1;
@@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]);
PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]);
d += 64;
- s += 4;
+ addr += 4;
}
}
@@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d,
*
* XXX: add plane_mask support (never used in standard VGA modes)
*/
-static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t *palette;
int x;
- palette = s1->last_palette;
+ palette = vga->last_palette;
width >>= 3;
for(x = 0; x < width; x++) {
- PUT_PIXEL2(d, 0, palette[s[0]]);
- PUT_PIXEL2(d, 1, palette[s[1]]);
- PUT_PIXEL2(d, 2, palette[s[2]]);
- PUT_PIXEL2(d, 3, palette[s[3]]);
+ PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]);
+ PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]);
+ PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]);
+ PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]);
d += 32;
- s += 4;
+ addr += 4;
}
}
@@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d,
*
* XXX: add plane_mask support (never used in standard VGA modes)
*/
-static void vga_draw_line8(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line8(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
uint32_t *palette;
int x;
- palette = s1->last_palette;
+ palette = vga->last_palette;
width >>= 3;
for(x = 0; x < width; x++) {
- ((uint32_t *)d)[0] = palette[s[0]];
- ((uint32_t *)d)[1] = palette[s[1]];
- ((uint32_t *)d)[2] = palette[s[2]];
- ((uint32_t *)d)[3] = palette[s[3]];
- ((uint32_t *)d)[4] = palette[s[4]];
- ((uint32_t *)d)[5] = palette[s[5]];
- ((uint32_t *)d)[6] = palette[s[6]];
- ((uint32_t *)d)[7] = palette[s[7]];
+ ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)];
+ ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)];
+ ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)];
+ ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)];
+ ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)];
+ ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)];
+ ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)];
+ ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 7)];
d += 32;
- s += 8;
+ addr += 8;
}
}
/*
* 15 bit color
*/
-static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
int w;
uint32_t v, r, g, b;
w = width;
do {
- v = lduw_le_p((void *)s);
+ v = vga_read_word_le(vga, addr);
r = (v >> 7) & 0xf8;
g = (v >> 2) & 0xf8;
b = (v << 3) & 0xf8;
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 2;
+ addr += 2;
d += 4;
} while (--w != 0);
}
-static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
int w;
uint32_t v, r, g, b;
w = width;
do {
- v = lduw_be_p((void *)s);
+ v = vga_read_word_be(vga, addr);
r = (v >> 7) & 0xf8;
g = (v >> 2) & 0xf8;
b = (v << 3) & 0xf8;
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 2;
+ addr += 2;
d += 4;
} while (--w != 0);
}
@@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d,
/*
* 16 bit color
*/
-static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
int w;
uint32_t v, r, g, b;
w = width;
do {
- v = lduw_le_p((void *)s);
+ v = vga_read_word_le(vga, addr);
r = (v >> 8) & 0xf8;
g = (v >> 3) & 0xfc;
b = (v << 3) & 0xf8;
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 2;
+ addr += 2;
d += 4;
} while (--w != 0);
}
-static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
int w;
uint32_t v, r, g, b;
w = width;
do {
- v = lduw_be_p((void *)s);
+ v = vga_read_word_be(vga, addr);
r = (v >> 8) & 0xf8;
g = (v >> 3) & 0xfc;
b = (v << 3) & 0xf8;
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 2;
+ addr += 2;
d += 4;
} while (--w != 0);
}
@@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d,
/*
* 24 bit color
*/
-static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
int w;
uint32_t r, g, b;
w = width;
do {
- b = s[0];
- g = s[1];
- r = s[2];
+ b = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ r = vga_read_byte(vga, addr + 2);
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 3;
+ addr += 3;
d += 4;
} while (--w != 0);
}
-static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
int w;
uint32_t r, g, b;
w = width;
do {
- r = s[0];
- g = s[1];
- b = s[2];
+ r = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ b = vga_read_byte(vga, addr + 2);
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 3;
+ addr += 3;
d += 4;
} while (--w != 0);
}
@@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d,
/*
* 32 bit color
*/
-static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
-#ifndef HOST_WORDS_BIGENDIAN
- memcpy(d, s, width * 4);
-#else
int w;
uint32_t r, g, b;
w = width;
do {
- b = s[0];
- g = s[1];
- r = s[2];
+ b = vga_read_byte(vga, addr + 0);
+ g = vga_read_byte(vga, addr + 1);
+ r = vga_read_byte(vga, addr + 2);
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 4;
+ addr += 4;
d += 4;
} while (--w != 0);
-#endif
}
-static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width)
+static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d,
+ uint32_t addr, int width)
{
-#ifdef HOST_WORDS_BIGENDIAN
- memcpy(d, s, width * 4);
-#else
int w;
uint32_t r, g, b;
w = width;
do {
- r = s[1];
- g = s[2];
- b = s[3];
+ r = vga_read_byte(vga, addr + 1);
+ g = vga_read_byte(vga, addr + 2);
+ b = vga_read_byte(vga, addr + 3);
((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b);
- s += 4;
+ addr += 4;
d += 4;
} while (--w != 0);
-#endif
}
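Review bot: both 32 bit line functions lose their `memcpy(d, s, width * 4)` fast path, so the case where guest and host byte order match now does three masked byte reads and an `rgb_to_pixel32()` call per pixel. Consider keeping a bulk copy when the whole line, `addr` through `addr + width * 4`, lies inside the masked range, and falling back to the per-pixel loop only when the line would wrap.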
diff --git a/hw/display/vga.c b/hw/display/vga.c
index 69c3e1d674..086509db98 100644
--- a/hw/display/vga.c
+++ b/hw/display/vga.c
@@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
}
typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d,
- const uint8_t *s, int width);
+ uint32_t srcaddr, int width);
#include "vga-helpers.h"
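Review bot: the `vga_draw_line_func` typedef still names its first parameter `s1` and calls the new one `srcaddr`, while every implementation in vga-helpers.h now uses `vga` and `addr`. Use the same names in the typedef so the prototype matches the functions it describes.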
@@ -1648,7 +1648,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
if (page1 > page_max)
page_max = page1;
if (!(is_buffer_shared(surface))) {
- vga_draw_line(s, d, s->vram_ptr + addr, width);
+ vga_draw_line(s, d, addr, width);
if (s->cursor_draw_line)
s->cursor_draw_line(s, d, y);
}
@@ -2158,6 +2158,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate)
if (!s->vbe_size) {
s->vbe_size = s->vram_size;
}
+ s->vbe_size_mask = s->vbe_size - 1;
s->is_vbe_vmstate = 1;
memory_region_init_ram(&s->vram, obj, "vga.vram", s->vram_size,
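Review bot: `s->vbe_size_mask = s->vbe_size - 1` is only a usable mask when `vbe_size` is a power of two, and nothing in this hunk checks that. With any other size the `addr & vga->vbe_size_mask` in the new read helpers would stay in range but alias unrelated offsets, so parts of video memory would never be displayed. Add an assertion next to the assignment, or round the size before deriving the mask.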
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
index dd6c958da3..ad34a1f048 100644
--- a/hw/display/vga_int.h
+++ b/hw/display/vga_int.h
@@ -94,6 +94,7 @@ typedef struct VGACommonState {
uint32_t vram_size;
uint32_t vram_size_mb; /* property */
uint32_t vbe_size;
+ uint32_t vbe_size_mask;
uint32_t latch;
bool has_chain4_alias;
MemoryRegion chain4_alias;

@ -0,0 +1,41 @@
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 9 Aug 2017 17:02:11 +0100
Subject: [PATCH] IDE: Do not flush empty CDROM drives
The block backend changed in a way that flushing empty CDROM drives now
crashes. Amend IDE to avoid doing so until the root problem can be
addressed for 2.11.
Original patch by John Snow <jsnow@redhat.com>.
Reported-by: Kieron Shorrock <kshorrock@paloaltonetworks.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170809160212.29976-2-stefanha@redhat.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 4da97120d51a4383aa96d741a2b837f8c4bbcd0b)
---
hw/ide/core.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/hw/ide/core.c b/hw/ide/core.c
index 0b48b64d3a..bea39536b0 100644
--- a/hw/ide/core.c
+++ b/hw/ide/core.c
@@ -1063,7 +1063,15 @@ static void ide_flush_cache(IDEState *s)
s->status |= BUSY_STAT;
ide_set_retry(s);
block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
- s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
+
+ if (blk_bs(s->blk)) {
+ s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
+ } else {
+ /* XXX blk_aio_flush() crashes when blk_bs(blk) is NULL, remove this
+ * temporary workaround when blk_aio_*() functions handle NULL blk_bs.
+ */
+ ide_flush_cb(s, 0);
+ }
}
static void ide_cfata_metadata_inquiry(IDEState *s)
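Review bot: in the new `else` branch `ide_flush_cb(s, 0)` runs synchronously inside `ide_flush_cache()` and `s->pio_aiocb` is never assigned, whereas on the normal path the callback is driven by `blk_aio_flush()` with `pio_aiocb` set. Please confirm `ide_flush_cb()` is safe to call in that state, and note in the comment that a flush on an empty drive is reported as success. `block_acct_start()` has also already run by the time `blk_bs(s->blk)` is tested, so the empty-drive case is accounted as a flush; moving the test above it would avoid that if it is not wanted.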

@ -0,0 +1,32 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Mon, 17 Jul 2017 17:33:26 +0530
Subject: [PATCH] slirp: check len against dhcp options array end
While parsing dhcp options string in 'dhcp_decode', if an options'
length 'len' appeared towards the end of 'bp_vend' array, ensuing
read could lead to an OOB memory access issue. Add check to avoid it.
This is CVE-2017-11434.
Reported-by: Reno Robert <renorobert@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
(cherry picked from commit 413d463f43fbc4dd3a601e80a5724aa384a265a0)
---
slirp/bootp.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/slirp/bootp.c b/slirp/bootp.c
index 5a4646c182..5dd1a415b5 100644
--- a/slirp/bootp.c
+++ b/slirp/bootp.c
@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
if (p >= p_end)
break;
len = *p++;
+ if (p + len > p_end) {
+ break;
+ }
DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
switch(tag) {
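Review bot: `p + len > p_end` forms a pointer that may lie more than one past the end of `bp_vend` before the comparison happens, which C leaves undefined. Compare lengths instead, for example `if (len > p_end - p)`, which is safe here because the preceding `p >= p_end` test and the `*p++` keep `p <= p_end`. The early `break` is also silent; a `DPRINTF` noting the truncated option would help when debugging malformed packets.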

@ -0,0 +1,45 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 26 Jul 2017 17:29:14 +0200
Subject: [PATCH] ui: add next and prior keysyms
Page-up and Page-down were renamed. Add the names to the keysym list
so we can parse both old and new names. The keypad versions are already
present in the vnc map.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-2-kraxel@redhat.com
(cherry picked from commit d52a1a9102a4236dfbc7c95b3c7057f107dbf71d)
---
ui/curses_keys.h | 2 ++
ui/vnc_keysym.h | 2 ++
2 files changed, 4 insertions(+)
diff --git a/ui/curses_keys.h b/ui/curses_keys.h
index e39ef9e718..e9195a1671 100644
--- a/ui/curses_keys.h
+++ b/ui/curses_keys.h
@@ -480,7 +480,9 @@ static const name2keysym_t name2keysym[] = {
{ "Left", KEY_LEFT },
{ "Up", KEY_UP },
{ "Down", KEY_DOWN },
+ { "Next", KEY_NPAGE },
{ "Page_Down", KEY_NPAGE },
+ { "Prior", KEY_PPAGE },
{ "Page_Up", KEY_PPAGE },
{ "Insert", KEY_IC },
{ "Delete", KEY_DC },
diff --git a/ui/vnc_keysym.h b/ui/vnc_keysym.h
index 7fa2bc1f1c..e8a2ec73c5 100644
--- a/ui/vnc_keysym.h
+++ b/ui/vnc_keysym.h
@@ -254,7 +254,9 @@ static const name2keysym_t name2keysym[]={
{"Left", 0xff51}, /* XK_Left */
{"Up", 0xff52}, /* XK_Up */
{"Down", 0xff54}, /* XK_Down */
+{"Next", 0xff56},
{"Page_Down", 0xff56}, /* XK_Page_Down */
+{"Prior", 0xff55},
{"Page_Up", 0xff55}, /* XK_Page_Up */
{"Insert", 0xff63}, /* XK_Insert */
{"Delete", 0xffff}, /* XK_Delete */
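Review bot: the two added entries, `{"Next", 0xff56},` and `{"Prior", 0xff55},`, are the only ones in this block without the trailing keysym comment their neighbours carry. Add `/* XK_Next */` and `/* XK_Prior */` so the table stays searchable by X11 keysym name.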

@ -0,0 +1,286 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 26 Jul 2017 17:29:15 +0200
Subject: [PATCH] ui: move qemu_input_linux_to_qcode()
Move from input-linux.c to input-keymap.c and export it,
so the function is available elsewhere too.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-3-kraxel@redhat.com
(cherry picked from commit 606eb0c64991d59a9d5e249508867dc0cb3707e1)
---
include/ui/input.h | 1 +
ui/input-keymap.c | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++
ui/input-linux.c | 113 ----------------------------------------------------
3 files changed, 116 insertions(+), 113 deletions(-)
diff --git a/include/ui/input.h b/include/ui/input.h
index d06a12dd4c..b93c4ed5aa 100644
--- a/include/ui/input.h
+++ b/include/ui/input.h
@@ -47,6 +47,7 @@ int qemu_input_key_value_to_number(const KeyValue *value);
int qemu_input_key_value_to_qcode(const KeyValue *value);
int qemu_input_key_value_to_scancode(const KeyValue *value, bool down,
int *codes);
+int qemu_input_linux_to_qcode(unsigned int lnx);
InputEvent *qemu_input_event_new_btn(InputButton btn, bool down);
void qemu_input_queue_btn(QemuConsole *src, InputButton btn, bool down);
diff --git a/ui/input-keymap.c b/ui/input-keymap.c
index 8a1476fc48..d4972bb364 100644
--- a/ui/input-keymap.c
+++ b/ui/input-keymap.c
@@ -3,6 +3,115 @@
#include "ui/keymaps.h"
#include "ui/input.h"
+#include "standard-headers/linux/input.h"
+
+static int linux_to_qcode[KEY_CNT] = {
+ [KEY_ESC] = Q_KEY_CODE_ESC,
+ [KEY_1] = Q_KEY_CODE_1,
+ [KEY_2] = Q_KEY_CODE_2,
+ [KEY_3] = Q_KEY_CODE_3,
+ [KEY_4] = Q_KEY_CODE_4,
+ [KEY_5] = Q_KEY_CODE_5,
+ [KEY_6] = Q_KEY_CODE_6,
+ [KEY_7] = Q_KEY_CODE_7,
+ [KEY_8] = Q_KEY_CODE_8,
+ [KEY_9] = Q_KEY_CODE_9,
+ [KEY_0] = Q_KEY_CODE_0,
+ [KEY_MINUS] = Q_KEY_CODE_MINUS,
+ [KEY_EQUAL] = Q_KEY_CODE_EQUAL,
+ [KEY_BACKSPACE] = Q_KEY_CODE_BACKSPACE,
+ [KEY_TAB] = Q_KEY_CODE_TAB,
+ [KEY_Q] = Q_KEY_CODE_Q,
+ [KEY_W] = Q_KEY_CODE_W,
+ [KEY_E] = Q_KEY_CODE_E,
+ [KEY_R] = Q_KEY_CODE_R,
+ [KEY_T] = Q_KEY_CODE_T,
+ [KEY_Y] = Q_KEY_CODE_Y,
+ [KEY_U] = Q_KEY_CODE_U,
+ [KEY_I] = Q_KEY_CODE_I,
+ [KEY_O] = Q_KEY_CODE_O,
+ [KEY_P] = Q_KEY_CODE_P,
+ [KEY_LEFTBRACE] = Q_KEY_CODE_BRACKET_LEFT,
+ [KEY_RIGHTBRACE] = Q_KEY_CODE_BRACKET_RIGHT,
+ [KEY_ENTER] = Q_KEY_CODE_RET,
+ [KEY_LEFTCTRL] = Q_KEY_CODE_CTRL,
+ [KEY_A] = Q_KEY_CODE_A,
+ [KEY_S] = Q_KEY_CODE_S,
+ [KEY_D] = Q_KEY_CODE_D,
+ [KEY_F] = Q_KEY_CODE_F,
+ [KEY_G] = Q_KEY_CODE_G,
+ [KEY_H] = Q_KEY_CODE_H,
+ [KEY_J] = Q_KEY_CODE_J,
+ [KEY_K] = Q_KEY_CODE_K,
+ [KEY_L] = Q_KEY_CODE_L,
+ [KEY_SEMICOLON] = Q_KEY_CODE_SEMICOLON,
+ [KEY_APOSTROPHE] = Q_KEY_CODE_APOSTROPHE,
+ [KEY_GRAVE] = Q_KEY_CODE_GRAVE_ACCENT,
+ [KEY_LEFTSHIFT] = Q_KEY_CODE_SHIFT,
+ [KEY_BACKSLASH] = Q_KEY_CODE_BACKSLASH,
+ [KEY_102ND] = Q_KEY_CODE_LESS,
+ [KEY_Z] = Q_KEY_CODE_Z,
+ [KEY_X] = Q_KEY_CODE_X,
+ [KEY_C] = Q_KEY_CODE_C,
+ [KEY_V] = Q_KEY_CODE_V,
+ [KEY_B] = Q_KEY_CODE_B,
+ [KEY_N] = Q_KEY_CODE_N,
+ [KEY_M] = Q_KEY_CODE_M,
+ [KEY_COMMA] = Q_KEY_CODE_COMMA,
+ [KEY_DOT] = Q_KEY_CODE_DOT,
+ [KEY_SLASH] = Q_KEY_CODE_SLASH,
+ [KEY_RIGHTSHIFT] = Q_KEY_CODE_SHIFT_R,
+ [KEY_LEFTALT] = Q_KEY_CODE_ALT,
+ [KEY_SPACE] = Q_KEY_CODE_SPC,
+ [KEY_CAPSLOCK] = Q_KEY_CODE_CAPS_LOCK,
+ [KEY_F1] = Q_KEY_CODE_F1,
+ [KEY_F2] = Q_KEY_CODE_F2,
+ [KEY_F3] = Q_KEY_CODE_F3,
+ [KEY_F4] = Q_KEY_CODE_F4,
+ [KEY_F5] = Q_KEY_CODE_F5,
+ [KEY_F6] = Q_KEY_CODE_F6,
+ [KEY_F7] = Q_KEY_CODE_F7,
+ [KEY_F8] = Q_KEY_CODE_F8,
+ [KEY_F9] = Q_KEY_CODE_F9,
+ [KEY_F10] = Q_KEY_CODE_F10,
+ [KEY_NUMLOCK] = Q_KEY_CODE_NUM_LOCK,
+ [KEY_SCROLLLOCK] = Q_KEY_CODE_SCROLL_LOCK,
+ [KEY_KP0] = Q_KEY_CODE_KP_0,
+ [KEY_KP1] = Q_KEY_CODE_KP_1,
+ [KEY_KP2] = Q_KEY_CODE_KP_2,
+ [KEY_KP3] = Q_KEY_CODE_KP_3,
+ [KEY_KP4] = Q_KEY_CODE_KP_4,
+ [KEY_KP5] = Q_KEY_CODE_KP_5,
+ [KEY_KP6] = Q_KEY_CODE_KP_6,
+ [KEY_KP7] = Q_KEY_CODE_KP_7,
+ [KEY_KP8] = Q_KEY_CODE_KP_8,
+ [KEY_KP9] = Q_KEY_CODE_KP_9,
+ [KEY_KPMINUS] = Q_KEY_CODE_KP_SUBTRACT,
+ [KEY_KPPLUS] = Q_KEY_CODE_KP_ADD,
+ [KEY_KPDOT] = Q_KEY_CODE_KP_DECIMAL,
+ [KEY_KPENTER] = Q_KEY_CODE_KP_ENTER,
+ [KEY_KPSLASH] = Q_KEY_CODE_KP_DIVIDE,
+ [KEY_KPASTERISK] = Q_KEY_CODE_KP_MULTIPLY,
+ [KEY_F11] = Q_KEY_CODE_F11,
+ [KEY_F12] = Q_KEY_CODE_F12,
+ [KEY_RIGHTCTRL] = Q_KEY_CODE_CTRL_R,
+ [KEY_SYSRQ] = Q_KEY_CODE_SYSRQ,
+ [KEY_RIGHTALT] = Q_KEY_CODE_ALT_R,
+ [KEY_HOME] = Q_KEY_CODE_HOME,
+ [KEY_UP] = Q_KEY_CODE_UP,
+ [KEY_PAGEUP] = Q_KEY_CODE_PGUP,
+ [KEY_LEFT] = Q_KEY_CODE_LEFT,
+ [KEY_RIGHT] = Q_KEY_CODE_RIGHT,
+ [KEY_END] = Q_KEY_CODE_END,
+ [KEY_DOWN] = Q_KEY_CODE_DOWN,
+ [KEY_PAGEDOWN] = Q_KEY_CODE_PGDN,
+ [KEY_INSERT] = Q_KEY_CODE_INSERT,
+ [KEY_DELETE] = Q_KEY_CODE_DELETE,
+ [KEY_LEFTMETA] = Q_KEY_CODE_META_L,
+ [KEY_RIGHTMETA] = Q_KEY_CODE_META_R,
+ [KEY_MENU] = Q_KEY_CODE_MENU,
+};
+
static const int qcode_to_number[] = {
[Q_KEY_CODE_SHIFT] = 0x2a,
[Q_KEY_CODE_SHIFT_R] = 0x36,
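Review bot: `linux_to_qcode` is moved over as a writable `static int` array, while `qcode_to_number` directly below it is `static const int`. In the lines shown the table is only read, by `qemu_input_linux_to_qcode()`, so declare it `static const int` as part of the move.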
@@ -141,6 +250,12 @@ static const int qcode_to_number[] = {
static int number_to_qcode[0x100];
+int qemu_input_linux_to_qcode(unsigned int lnx)
+{
+ assert(lnx < KEY_CNT);
+ return linux_to_qcode[lnx];
+}
+
int qemu_input_key_value_to_number(const KeyValue *value)
{
if (value->type == KEY_VALUE_KIND_QCODE) {
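Review bot: now that `qemu_input_linux_to_qcode()` is exported, `assert(lnx < KEY_CNT)` turns an out-of-range code from any new caller into a process abort. Either return 0 for `lnx >= KEY_CNT`, which is the value unmapped table slots already yield, or document the precondition next to the prototype in include/ui/input.h, which is added without a comment.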
diff --git a/ui/input-linux.c b/ui/input-linux.c
index dc0613ca1f..5938fef628 100644
--- a/ui/input-linux.c
+++ b/ui/input-linux.c
@@ -16,119 +16,6 @@
#include <sys/ioctl.h>
#include "standard-headers/linux/input.h"
-static int linux_to_qcode[KEY_CNT] = {
- [KEY_ESC] = Q_KEY_CODE_ESC,
- [KEY_1] = Q_KEY_CODE_1,
- [KEY_2] = Q_KEY_CODE_2,
- [KEY_3] = Q_KEY_CODE_3,
- [KEY_4] = Q_KEY_CODE_4,
- [KEY_5] = Q_KEY_CODE_5,
- [KEY_6] = Q_KEY_CODE_6,
- [KEY_7] = Q_KEY_CODE_7,
- [KEY_8] = Q_KEY_CODE_8,
- [KEY_9] = Q_KEY_CODE_9,
- [KEY_0] = Q_KEY_CODE_0,
- [KEY_MINUS] = Q_KEY_CODE_MINUS,
- [KEY_EQUAL] = Q_KEY_CODE_EQUAL,
- [KEY_BACKSPACE] = Q_KEY_CODE_BACKSPACE,
- [KEY_TAB] = Q_KEY_CODE_TAB,
- [KEY_Q] = Q_KEY_CODE_Q,
- [KEY_W] = Q_KEY_CODE_W,
- [KEY_E] = Q_KEY_CODE_E,
- [KEY_R] = Q_KEY_CODE_R,
- [KEY_T] = Q_KEY_CODE_T,
- [KEY_Y] = Q_KEY_CODE_Y,
- [KEY_U] = Q_KEY_CODE_U,
- [KEY_I] = Q_KEY_CODE_I,
- [KEY_O] = Q_KEY_CODE_O,
- [KEY_P] = Q_KEY_CODE_P,
- [KEY_LEFTBRACE] = Q_KEY_CODE_BRACKET_LEFT,
- [KEY_RIGHTBRACE] = Q_KEY_CODE_BRACKET_RIGHT,
- [KEY_ENTER] = Q_KEY_CODE_RET,
- [KEY_LEFTCTRL] = Q_KEY_CODE_CTRL,
- [KEY_A] = Q_KEY_CODE_A,
- [KEY_S] = Q_KEY_CODE_S,
- [KEY_D] = Q_KEY_CODE_D,
- [KEY_F] = Q_KEY_CODE_F,
- [KEY_G] = Q_KEY_CODE_G,
- [KEY_H] = Q_KEY_CODE_H,
- [KEY_J] = Q_KEY_CODE_J,
- [KEY_K] = Q_KEY_CODE_K,
- [KEY_L] = Q_KEY_CODE_L,
- [KEY_SEMICOLON] = Q_KEY_CODE_SEMICOLON,
- [KEY_APOSTROPHE] = Q_KEY_CODE_APOSTROPHE,
- [KEY_GRAVE] = Q_KEY_CODE_GRAVE_ACCENT,
- [KEY_LEFTSHIFT] = Q_KEY_CODE_SHIFT,
- [KEY_BACKSLASH] = Q_KEY_CODE_BACKSLASH,
- [KEY_102ND] = Q_KEY_CODE_LESS,
- [KEY_Z] = Q_KEY_CODE_Z,
- [KEY_X] = Q_KEY_CODE_X,
- [KEY_C] = Q_KEY_CODE_C,
- [KEY_V] = Q_KEY_CODE_V,
- [KEY_B] = Q_KEY_CODE_B,
- [KEY_N] = Q_KEY_CODE_N,
- [KEY_M] = Q_KEY_CODE_M,
- [KEY_COMMA] = Q_KEY_CODE_COMMA,
- [KEY_DOT] = Q_KEY_CODE_DOT,
- [KEY_SLASH] = Q_KEY_CODE_SLASH,
- [KEY_RIGHTSHIFT] = Q_KEY_CODE_SHIFT_R,
- [KEY_LEFTALT] = Q_KEY_CODE_ALT,
- [KEY_SPACE] = Q_KEY_CODE_SPC,
- [KEY_CAPSLOCK] = Q_KEY_CODE_CAPS_LOCK,
- [KEY_F1] = Q_KEY_CODE_F1,
- [KEY_F2] = Q_KEY_CODE_F2,
- [KEY_F3] = Q_KEY_CODE_F3,
- [KEY_F4] = Q_KEY_CODE_F4,
- [KEY_F5] = Q_KEY_CODE_F5,
- [KEY_F6] = Q_KEY_CODE_F6,
- [KEY_F7] = Q_KEY_CODE_F7,
- [KEY_F8] = Q_KEY_CODE_F8,
- [KEY_F9] = Q_KEY_CODE_F9,
- [KEY_F10] = Q_KEY_CODE_F10,
- [KEY_NUMLOCK] = Q_KEY_CODE_NUM_LOCK,
- [KEY_SCROLLLOCK] = Q_KEY_CODE_SCROLL_LOCK,
- [KEY_KP0] = Q_KEY_CODE_KP_0,
- [KEY_KP1] = Q_KEY_CODE_KP_1,
- [KEY_KP2] = Q_KEY_CODE_KP_2,
- [KEY_KP3] = Q_KEY_CODE_KP_3,
- [KEY_KP4] = Q_KEY_CODE_KP_4,
- [KEY_KP5] = Q_KEY_CODE_KP_5,
- [KEY_KP6] = Q_KEY_CODE_KP_6,
- [KEY_KP7] = Q_KEY_CODE_KP_7,
- [KEY_KP8] = Q_KEY_CODE_KP_8,
- [KEY_KP9] = Q_KEY_CODE_KP_9,
- [KEY_KPMINUS] = Q_KEY_CODE_KP_SUBTRACT,
- [KEY_KPPLUS] = Q_KEY_CODE_KP_ADD,
- [KEY_KPDOT] = Q_KEY_CODE_KP_DECIMAL,
- [KEY_KPENTER] = Q_KEY_CODE_KP_ENTER,
- [KEY_KPSLASH] = Q_KEY_CODE_KP_DIVIDE,
- [KEY_KPASTERISK] = Q_KEY_CODE_KP_MULTIPLY,
- [KEY_F11] = Q_KEY_CODE_F11,
- [KEY_F12] = Q_KEY_CODE_F12,
- [KEY_RIGHTCTRL] = Q_KEY_CODE_CTRL_R,
- [KEY_SYSRQ] = Q_KEY_CODE_SYSRQ,
- [KEY_RIGHTALT] = Q_KEY_CODE_ALT_R,
- [KEY_HOME] = Q_KEY_CODE_HOME,
- [KEY_UP] = Q_KEY_CODE_UP,
- [KEY_PAGEUP] = Q_KEY_CODE_PGUP,
- [KEY_LEFT] = Q_KEY_CODE_LEFT,
- [KEY_RIGHT] = Q_KEY_CODE_RIGHT,
- [KEY_END] = Q_KEY_CODE_END,
- [KEY_DOWN] = Q_KEY_CODE_DOWN,
- [KEY_PAGEDOWN] = Q_KEY_CODE_PGDN,
- [KEY_INSERT] = Q_KEY_CODE_INSERT,
- [KEY_DELETE] = Q_KEY_CODE_DELETE,
- [KEY_LEFTMETA] = Q_KEY_CODE_META_L,
- [KEY_RIGHTMETA] = Q_KEY_CODE_META_R,
- [KEY_MENU] = Q_KEY_CODE_MENU,
-};
-
-static int qemu_input_linux_to_qcode(unsigned int lnx)
-{
- assert(lnx < KEY_CNT);
- return linux_to_qcode[lnx];
-}
-
static bool linux_is_button(unsigned int lnx)
{
if (lnx < 0x100) {
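Review bot: the helper removed at the end of this hunk guards the table lookup with `assert(lnx < KEY_CNT)`, so a key code at or above KEY_CNT aborts the whole process instead of being ignored. Since the function is being moved anyway, the relocated copy could return Q_KEY_CODE_UNMAPPED for out-of-range values, and the table could become `static const int` because nothing in the visible lines writes to it.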

View File

@ -0,0 +1,46 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 26 Jul 2017 17:29:16 +0200
Subject: [PATCH] ui: update keymaps
Add recently added QKeyCodes to the keymaps.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-4-kraxel@redhat.com
(cherry picked from commit 9ade7759edbbdafa980ea974a629a8d193de5bc2)
---
ui/input-keymap.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ui/input-keymap.c b/ui/input-keymap.c
index d4972bb364..7461e1edde 100644
--- a/ui/input-keymap.c
+++ b/ui/input-keymap.c
@@ -94,6 +94,9 @@ static int linux_to_qcode[KEY_CNT] = {
[KEY_KPASTERISK] = Q_KEY_CODE_KP_MULTIPLY,
[KEY_F11] = Q_KEY_CODE_F11,
[KEY_F12] = Q_KEY_CODE_F12,
+ [KEY_RO] = Q_KEY_CODE_RO,
+ [KEY_HIRAGANA] = Q_KEY_CODE_HIRAGANA,
+ [KEY_HENKAN] = Q_KEY_CODE_HENKAN,
[KEY_RIGHTCTRL] = Q_KEY_CODE_CTRL_R,
[KEY_SYSRQ] = Q_KEY_CODE_SYSRQ,
[KEY_RIGHTALT] = Q_KEY_CODE_ALT_R,
@@ -107,6 +110,9 @@ static int linux_to_qcode[KEY_CNT] = {
[KEY_PAGEDOWN] = Q_KEY_CODE_PGDN,
[KEY_INSERT] = Q_KEY_CODE_INSERT,
[KEY_DELETE] = Q_KEY_CODE_DELETE,
+ [KEY_POWER] = Q_KEY_CODE_POWER,
+ [KEY_KPCOMMA] = Q_KEY_CODE_KP_COMMA,
+ [KEY_YEN] = Q_KEY_CODE_YEN,
[KEY_LEFTMETA] = Q_KEY_CODE_META_L,
[KEY_RIGHTMETA] = Q_KEY_CODE_META_R,
[KEY_MENU] = Q_KEY_CODE_MENU,
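Review bot: KEY_POWER and KEY_KPCOMMA are added in this hunk, but there is no entry for the kp_equals QKeyCode, which sits between 'kp_comma' and 'power' in the QKeyCode enum. If KEY_KPEQUAL is not already mapped elsewhere in linux_to_qcode, add it here so the "recently added QKeyCodes" set is complete.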
@@ -242,6 +248,7 @@ static const int qcode_to_number[] = {
[Q_KEY_CODE_RO] = 0x73,
[Q_KEY_CODE_HIRAGANA] = 0x70,
[Q_KEY_CODE_HENKAN] = 0x79,
+ [Q_KEY_CODE_POWER] = 0xde,
[Q_KEY_CODE_YEN] = 0x7d,
[Q_KEY_CODE_KP_COMMA] = 0x7e,

View File

@ -0,0 +1,123 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 26 Jul 2017 17:29:17 +0200
Subject: [PATCH] ui: add multimedia keys
Add multimedia keys to QKeyCodes and to the keymaps.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-5-kraxel@redhat.com
(cherry picked from commit 37810e80553c19f0dac3644924895a9bf5c70785)
---
qapi-schema.json | 28 +++++++++++++++++++++++++++-
ui/input-keymap.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/qapi-schema.json b/qapi-schema.json
index 250e4dc49b..b298b349cb 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -4730,6 +4730,27 @@
# @henkan: since 2.9
# @yen: since 2.9
#
+# @sleep: since 2.10
+# @wake: since 2.10
+# @audionext: since 2.10
+# @audioprev: since 2.10
+# @audiostop: since 2.10
+# @audioplay: since 2.10
+# @audiomute: since 2.10
+# @volumeup: since 2.10
+# @volumedown: since 2.10
+# @mediaselect: since 2.10
+# @mail: since 2.10
+# @calculator: since 2.10
+# @computer: since 2.10
+# @ac_search: since 2.10
+# @ac_home: since 2.10
+# @ac_back: since 2.10
+# @ac_forward: since 2.10
+# @ac_stop: since 2.10
+# @ac_refresh: since 2.10
+# @ac_bookmarks: since 2.10
+#
# Since: 1.3.0
#
##
@@ -4751,7 +4772,12 @@
'props', 'undo', 'front', 'copy', 'open', 'paste', 'find', 'cut',
'lf', 'help', 'meta_l', 'meta_r', 'compose', 'pause',
'ro', 'hiragana', 'henkan', 'yen',
- 'kp_comma', 'kp_equals', 'power' ] }
+ 'kp_comma', 'kp_equals', 'power', 'sleep', 'wake',
+ 'audionext', 'audioprev', 'audiostop', 'audioplay', 'audiomute',
+ 'volumeup', 'volumedown', 'mediaselect',
+ 'mail', 'calculator', 'computer',
+ 'ac_search', 'ac_home', 'ac_back', 'ac_forward', 'ac_stop',
+ 'ac_refresh', 'ac_bookmarks' ] }
##
# @KeyValue:
diff --git a/ui/input-keymap.c b/ui/input-keymap.c
index 7461e1edde..ae781beae9 100644
--- a/ui/input-keymap.c
+++ b/ui/input-keymap.c
@@ -116,6 +116,28 @@ static int linux_to_qcode[KEY_CNT] = {
[KEY_LEFTMETA] = Q_KEY_CODE_META_L,
[KEY_RIGHTMETA] = Q_KEY_CODE_META_R,
[KEY_MENU] = Q_KEY_CODE_MENU,
+
+ [KEY_SLEEP] = Q_KEY_CODE_SLEEP,
+ [KEY_WAKEUP] = Q_KEY_CODE_WAKE,
+ [KEY_CALC] = Q_KEY_CODE_CALCULATOR,
+ [KEY_MAIL] = Q_KEY_CODE_MAIL,
+ [KEY_COMPUTER] = Q_KEY_CODE_COMPUTER,
+
+ [KEY_STOP] = Q_KEY_CODE_AC_STOP,
+ [KEY_BOOKMARKS] = Q_KEY_CODE_AC_BOOKMARKS,
+ [KEY_BACK] = Q_KEY_CODE_AC_BACK,
+ [KEY_FORWARD] = Q_KEY_CODE_AC_FORWARD,
+ [KEY_HOMEPAGE] = Q_KEY_CODE_AC_HOME,
+ [KEY_REFRESH] = Q_KEY_CODE_AC_REFRESH,
+ [KEY_FIND] = Q_KEY_CODE_AC_SEARCH,
+
+ [KEY_NEXTSONG] = Q_KEY_CODE_AUDIONEXT,
+ [KEY_PREVIOUSSONG] = Q_KEY_CODE_AUDIOPREV,
+ [KEY_STOPCD] = Q_KEY_CODE_AUDIOSTOP,
+ [KEY_PLAYCD] = Q_KEY_CODE_AUDIOPLAY,
+ [KEY_MUTE] = Q_KEY_CODE_AUDIOMUTE,
+ [KEY_VOLUMEDOWN] = Q_KEY_CODE_VOLUMEDOWN,
+ [KEY_VOLUMEUP] = Q_KEY_CODE_VOLUMEUP,
};
static const int qcode_to_number[] = {
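Review bot: `[KEY_FIND] = Q_KEY_CODE_AC_SEARCH` needs a comment, because the QKeyCode enum already has a plain 'find' value and a reader will expect KEY_FIND to map to that. One line stating that KEY_STOP, KEY_FIND and the other entries in that group are the application-control (AC) keys would keep someone from "correcting" the mapping later.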
@@ -252,6 +274,28 @@ static const int qcode_to_number[] = {
[Q_KEY_CODE_YEN] = 0x7d,
[Q_KEY_CODE_KP_COMMA] = 0x7e,
+ [Q_KEY_CODE_SLEEP] = 0xdf,
+ [Q_KEY_CODE_WAKE] = 0xe3,
+ [Q_KEY_CODE_CALCULATOR] = 0xa1,
+ [Q_KEY_CODE_MAIL] = 0xec,
+ [Q_KEY_CODE_COMPUTER] = 0xeb,
+
+ [Q_KEY_CODE_AC_STOP] = 0xe8,
+ [Q_KEY_CODE_AC_BOOKMARKS] = 0xe6,
+ [Q_KEY_CODE_AC_BACK] = 0xea,
+ [Q_KEY_CODE_AC_FORWARD] = 0xe9,
+ [Q_KEY_CODE_AC_HOME] = 0xb2,
+ [Q_KEY_CODE_AC_REFRESH] = 0xe7,
+ [Q_KEY_CODE_AC_SEARCH] = 0xe5,
+
+ [Q_KEY_CODE_AUDIONEXT] = 0x99,
+ [Q_KEY_CODE_AUDIOPREV] = 0x90,
+ [Q_KEY_CODE_AUDIOSTOP] = 0xa4,
+ [Q_KEY_CODE_AUDIOPLAY] = 0xa2,
+ [Q_KEY_CODE_AUDIOMUTE] = 0xa0,
+ [Q_KEY_CODE_VOLUMEDOWN] = 0xae,
+ [Q_KEY_CODE_VOLUMEUP] = 0xb0,
+
[Q_KEY_CODE__MAX] = 0,
};
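Review bot: 'mediaselect' is added to the QKeyCode enum by this patch, but neither this qcode_to_number block nor the linux_to_qcode block above gains a Q_KEY_CODE_MEDIASELECT entry, so the key has no Linux source and its number stays 0. Either add both mappings or say in the commit message why this one is left out.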

View File

@ -0,0 +1,49 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Wed, 26 Jul 2017 17:29:18 +0200
Subject: [PATCH] ps2: enable multimedia keys
Fixes: 8c10e0baf0260b59a4e984744462a18016662e3e
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170726152918.11995-6-kraxel@redhat.com
(cherry picked from commit 0500cb1d25e69108ae1a2474412bbd255bbc34b2)
---
hw/input/ps2.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index 1d3a440bbd..fbf2f8b171 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -224,7 +224,6 @@ static const uint16_t qcode_to_keycode_set1[Q_KEY_CODE__MAX] = {
[Q_KEY_CODE_DOT] = 0x34,
[Q_KEY_CODE_SLASH] = 0x35,
-#if 0
[Q_KEY_CODE_POWER] = 0x0e5e,
[Q_KEY_CODE_SLEEP] = 0x0e5f,
[Q_KEY_CODE_WAKE] = 0x0e63,
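Review bot: removing `#if 0` activates `[Q_KEY_CODE_POWER] = 0x0e5e`, `[Q_KEY_CODE_SLEEP] = 0x0e5f` and `[Q_KEY_CODE_WAKE] = 0x0e63`, whose high byte is 0x0e where the other extended entries in the same block (for example `[Q_KEY_CODE_AC_STOP] = 0xe068`) carry the 0xe0 prefix. These read as transposed digits and should be 0xe05e, 0xe05f and 0xe063 before the block is enabled; that also agrees with the 0xde, 0xdf and 0xe3 numbers given to the same keys in qcode_to_number.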
@@ -247,7 +246,6 @@ static const uint16_t qcode_to_keycode_set1[Q_KEY_CODE__MAX] = {
[Q_KEY_CODE_AC_STOP] = 0xe068,
[Q_KEY_CODE_AC_REFRESH] = 0xe067,
[Q_KEY_CODE_AC_BOOKMARKS] = 0xe066,
-#endif
[Q_KEY_CODE_ASTERISK] = 0x37,
[Q_KEY_CODE_LESS] = 0x56,
@@ -366,7 +364,6 @@ static const uint16_t qcode_to_keycode_set2[Q_KEY_CODE__MAX] = {
[Q_KEY_CODE_DOT] = 0x49,
[Q_KEY_CODE_SLASH] = 0x4a,
-#if 0
[Q_KEY_CODE_POWER] = 0x0e37,
[Q_KEY_CODE_SLEEP] = 0x0e3f,
[Q_KEY_CODE_WAKE] = 0x0e5e,
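Review bot: the set 2 values enabled here have the same transposed prefix: `0x0e37`, `0x0e3f` and `0x0e5e` for power, sleep and wake, against `0xe028`, `0xe020` and `0xe018` for the AC keys in the next hunk. Change them to 0xe037, 0xe03f and 0xe05e in this patch rather than shipping the block as it was when disabled.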
@@ -389,7 +386,6 @@ static const uint16_t qcode_to_keycode_set2[Q_KEY_CODE__MAX] = {
[Q_KEY_CODE_AC_STOP] = 0xe028,
[Q_KEY_CODE_AC_REFRESH] = 0xe020,
[Q_KEY_CODE_AC_BOOKMARKS] = 0xe018,
-#endif
[Q_KEY_CODE_ALTGR] = 0x08,
[Q_KEY_CODE_ALTGR_R] = 0xe008,

View File

@ -0,0 +1,89 @@
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Thu, 27 Jul 2017 12:47:20 +0200
Subject: [PATCH] ui: drop altgr and altgr_r QKeyCodes
The right alt key (alt_r aka KEY_RIGHTALT) is used for AltGr.
The altgr and altgr_r keys simply don't exist. Drop them.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-id: 20170727104720.30061-1-kraxel@redhat.com
(cherry picked from commit 912092b8e47f31c3db25e088af8460d9e752da29)
---
hw/char/escc.c | 1 -
hw/input/adb.c | 1 -
hw/input/ps2.c | 2 --
qapi-schema.json | 3 ++-
ui/input-keymap.c | 2 --
5 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/hw/char/escc.c b/hw/char/escc.c
index 9228091cec..a7a54e55c2 100644
--- a/hw/char/escc.c
+++ b/hw/char/escc.c
@@ -721,7 +721,6 @@ static const uint8_t qcode_to_keycode[Q_KEY_CODE__MAX] = {
[Q_KEY_CODE_SHIFT_R] = 110,
[Q_KEY_CODE_ALT] = 19,
[Q_KEY_CODE_ALT_R] = 13,
- [Q_KEY_CODE_ALTGR] = 13,
[Q_KEY_CODE_CTRL] = 76,
[Q_KEY_CODE_CTRL_R] = 76,
[Q_KEY_CODE_ESC] = 29,
diff --git a/hw/input/adb.c b/hw/input/adb.c
index 43d3205472..fcca3a8eb9 100644
--- a/hw/input/adb.c
+++ b/hw/input/adb.c
@@ -201,7 +201,6 @@ int qcode_to_adb_keycode[] = {
[Q_KEY_CODE_SHIFT_R] = ADB_KEY_RIGHT_SHIFT,
[Q_KEY_CODE_ALT] = ADB_KEY_LEFT_OPTION,
[Q_KEY_CODE_ALT_R] = ADB_KEY_RIGHT_OPTION,
- [Q_KEY_CODE_ALTGR] = ADB_KEY_RIGHT_OPTION,
[Q_KEY_CODE_CTRL] = ADB_KEY_LEFT_CONTROL,
[Q_KEY_CODE_CTRL_R] = ADB_KEY_RIGHT_CONTROL,
[Q_KEY_CODE_META_L] = ADB_KEY_COMMAND,
diff --git a/hw/input/ps2.c b/hw/input/ps2.c
index fbf2f8b171..776d6abdd2 100644
--- a/hw/input/ps2.c
+++ b/hw/input/ps2.c
@@ -387,8 +387,6 @@ static const uint16_t qcode_to_keycode_set2[Q_KEY_CODE__MAX] = {
[Q_KEY_CODE_AC_REFRESH] = 0xe020,
[Q_KEY_CODE_AC_BOOKMARKS] = 0xe018,
- [Q_KEY_CODE_ALTGR] = 0x08,
- [Q_KEY_CODE_ALTGR_R] = 0xe008,
[Q_KEY_CODE_ASTERISK] = 0x7c,
[Q_KEY_CODE_LESS] = 0x61,
[Q_KEY_CODE_SYSRQ] = 0x7f,
diff --git a/qapi-schema.json b/qapi-schema.json
index b298b349cb..e93ae014eb 100644
--- a/qapi-schema.json
+++ b/qapi-schema.json
@@ -4750,13 +4750,14 @@
# @ac_stop: since 2.10
# @ac_refresh: since 2.10
# @ac_bookmarks: since 2.10
+# altgr, altgr_r: dropped in 2.10
#
# Since: 1.3.0
#
##
{ 'enum': 'QKeyCode',
'data': [ 'unmapped',
- 'shift', 'shift_r', 'alt', 'alt_r', 'altgr', 'altgr_r', 'ctrl',
+ 'shift', 'shift_r', 'alt', 'alt_r', 'ctrl',
'ctrl_r', 'menu', 'esc', '1', '2', '3', '4', '5', '6', '7', '8',
'9', '0', 'minus', 'equal', 'backspace', 'tab', 'q', 'w', 'e',
'r', 't', 'y', 'u', 'i', 'o', 'p', 'bracket_left', 'bracket_right',
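Review bot: deleting 'altgr' and 'altgr_r' from the middle of the 'data' list changes the externally visible QKeyCode enum: a management client that still sends either name will be rejected, and every value after 'alt_r' gets a new number. The added doc line records the drop, but the commit message should state that this is an intentional interface change and whether anything depends on the old names or numbering.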
diff --git a/ui/input-keymap.c b/ui/input-keymap.c
index ae781beae9..f96adf4165 100644
--- a/ui/input-keymap.c
+++ b/ui/input-keymap.c
@@ -146,8 +146,6 @@ static const int qcode_to_number[] = {
[Q_KEY_CODE_ALT] = 0x38,
[Q_KEY_CODE_ALT_R] = 0xb8,
- [Q_KEY_CODE_ALTGR] = 0x64,
- [Q_KEY_CODE_ALTGR_R] = 0xe4,
[Q_KEY_CODE_CTRL] = 0x1d,
[Q_KEY_CODE_CTRL_R] = 0x9d,

View File

@ -0,0 +1,105 @@
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Thu, 27 Jul 2017 12:32:43 +0100
Subject: [PATCH] ps2: fix sending of PAUSE/BREAK scancodes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The processing of the scancodes for PAUSE/BREAK has been broken since
the conversion to qcodes in:
commit 8c10e0baf0260b59a4e984744462a18016662e3e
Author: Hervé Poussineau <hpoussin@reactos.org>
Date: Thu Sep 15 22:06:26 2016 +0200
ps2: use QEMU qcodes instead of scancodes
When using a VNC client, with the raw scancode extension, the client
will send a scancode of 0xc6 for both PAUSE and BREAK. There is mistakenly
no entry in the qcode_to_number table for this scancode, so
ps2_keyboard_event() just generates a log message and discards the
scancode
When using a SPICE client, it will also send 0xc6 for BREAK, but
will send 0xe1 0x1d 0x45 0xe1 0x9d 0xc5 for PAUSE. There is no
entry in the qcode_to_number table for the scancode 0xe1 because
it is a special XT keyboard prefix not mapping to any QKeyCode.
Again ps2_keyboard_event() just generates a log message and discards
the scancode. The following 0x1d, 0x45, 0x9d, 0xc5 scancodes get
handled correctly. Rather than trying to handle 3 byte sequences
of scancodes in the PS/2 driver, special case the SPICE input
code so that it captures the 3 byte pause sequence and turns it
into a Pause QKeyCode.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Message-id: 20170727113243.23991-1-berrange@redhat.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 7c388dbd0b2c54b3d836c23ea43e2cee38de66a4)
---
ui/input-keymap.c | 1 +
ui/keymaps.h | 1 +
ui/spice-input.c | 20 ++++++++++++++++++++
3 files changed, 22 insertions(+)
diff --git a/ui/input-keymap.c b/ui/input-keymap.c
index f96adf4165..0d9ddde9c9 100644
--- a/ui/input-keymap.c
+++ b/ui/input-keymap.c
@@ -233,6 +233,7 @@ static const int qcode_to_number[] = {
[Q_KEY_CODE_KP_ENTER] = 0x9c,
[Q_KEY_CODE_KP_DECIMAL] = 0x53,
[Q_KEY_CODE_SYSRQ] = 0x54,
+ [Q_KEY_CODE_PAUSE] = 0xc6,
[Q_KEY_CODE_KP_0] = 0x52,
[Q_KEY_CODE_KP_1] = 0x4f,
diff --git a/ui/keymaps.h b/ui/keymaps.h
index 47d061343e..8757465529 100644
--- a/ui/keymaps.h
+++ b/ui/keymaps.h
@@ -59,6 +59,7 @@ typedef struct {
/* "grey" keys will usually need a 0xe0 prefix */
#define SCANCODE_GREY 0x80
#define SCANCODE_EMUL0 0xE0
+#define SCANCODE_EMUL1 0xE1
/* "up" flag */
#define SCANCODE_UP 0x80
diff --git a/ui/spice-input.c b/ui/spice-input.c
index 8eeebdbb2e..4ea8fc61ed 100644
--- a/ui/spice-input.c
+++ b/ui/spice-input.c
@@ -32,6 +32,7 @@ typedef struct QemuSpiceKbd {
SpiceKbdInstance sin;
int ledstate;
bool emul0;
+ size_t pauseseq;
} QemuSpiceKbd;
static void kbd_push_key(SpiceKbdInstance *sin, uint8_t frag);
@@ -64,6 +65,25 @@ static void kbd_push_key(SpiceKbdInstance *sin, uint8_t scancode)
keycode |= SCANCODE_GREY;
}
+ if (scancode == SCANCODE_EMUL1) {
+ kbd->pauseseq++;
+ return;
+ } else if (kbd->pauseseq == 1) {
+ if (keycode == 0x1d) {
+ kbd->pauseseq++;
+ return;
+ } else {
+ kbd->pauseseq = 0;
+ }
+ } else if (kbd->pauseseq == 2) {
+ if (keycode == 0x45) {
+ qemu_input_event_send_key_qcode(NULL, Q_KEY_CODE_PAUSE, !up);
+ kbd->pauseseq = 0;
+ return;
+ }
+ kbd->pauseseq = 0;
+ }
+
qemu_input_event_send_key_number(NULL, keycode, !up);
}
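Review bot: `kbd->pauseseq++` in the `scancode == SCANCODE_EMUL1` branch is unconditional, so a repeated 0xE1 from the client pushes the counter past 2, where neither `pauseseq == 1` nor `pauseseq == 2` matches and nothing resets it; from then on the PAUSE sequence is never recognised for that keyboard. Assign `kbd->pauseseq = 1` on 0xE1 instead of incrementing, and consider a small enum or `uint8_t` for the field, since `size_t` suggests a length rather than a three-state parser.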

View File

@ -13,7 +13,7 @@
:qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
:qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-mips:
:qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
:qemu-ppc64le:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64le:
:qemu-ppc64le:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-ppc64le:
:qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
:qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
:qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
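Review bot: the qemu-ppc64le correction (e_type and e_machine changed from `\x00\x02\x00\x15` to `\x02\x00\x15\x00`, mask from `\xff\xfe\xff\xff` to `\xfe\xff\xff\xff`) would be worth backing with a check that each entry's multi-byte fields follow the byte order its own EI_DATA byte declares, as the qemu-mipsel line does. The changelog calls this "another" ppc64le binfmt fix, so a %check step over this file would stop the same mistake coming back.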

View File

@ -92,7 +92,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.9.1
Release: 1%{?rcrel}%{?dist}
Release: 2%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -129,6 +129,33 @@ Source22: 95-kvm-ppc64-memlock.conf
# CVE-2017-9503: megasas: null pointer dereference while processing megasas
# command (bz #1459478)
Patch0001: 0001-megasas-always-store-SCSIRequest-into-MegasasCmd.patch
# Fix usb3 drive issues with windows guests (bz #1493196)
Patch0002: 0002-xhci-relax-link-check.patch
# CVE-2017-15038: 9p: information disclosure when reading extended
# attributes (bz #1499111)
Patch0003: 0003-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch
# CVE-2017-15268: potential memory exhaustion via websock connection to VNC
# (bz #1496882)
Patch0004: 0004-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
# CVE-2017-14167: multiboot OOB access while loading kernel image (bz
# #1489376)
Patch0005: 0005-multiboot-validate-multiboot-header-address-values.patch
# CVE-2017-13672: vga: OOB read access during display update (bz #1486561)
Patch0006: 0006-vga-stop-passing-pointers-to-vga_draw_line-functions.patch
# CVE-2017-12809: flushing of empty CDROM drives leads to NULL deref (bz
# #1483536)
Patch0007: 0007-IDE-Do-not-flush-empty-CDROM-drives.patch
# CVE-2017-11434 slirp: out-of-bounds read while parsing dhcp options (bz
# #1472612)
Patch0008: 0008-slirp-check-len-against-dhcp-options-array-end.patch
# Fix sending multimedia keys through spice (bz #1471758)
Patch0009: 0009-ui-add-next-and-prior-keysyms.patch
Patch0010: 0010-ui-move-qemu_input_linux_to_qcode.patch
Patch0011: 0011-ui-update-keymaps.patch
Patch0012: 0012-ui-add-multimedia-keys.patch
Patch0013: 0013-ps2-enable-multimedia-keys.patch
Patch0014: 0014-ui-drop-altgr-and-altgr_r-QKeyCodes.patch
Patch0015: 0015-ps2-fix-sending-of-PAUSE-BREAK-scancodes.patch
# documentation deps
BuildRequires: texinfo
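Review bot: the comment above Patch0008 writes "CVE-2017-11434 slirp:" without the colon after the CVE id that every other CVE comment in this block uses, and the changelog entry repeats it. Make it "CVE-2017-11434: slirp: ..." so the entries stay uniform for anyone grepping the spec for "CVE-....-....:".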
@ -2007,6 +2034,22 @@ getent passwd qemu >/dev/null || \
%changelog
* Thu Oct 19 2017 Cole Robinson <crobinso@redhat.com> - 2:2.9.1-2
- Fix usb3 drive issues with windows guests (bz #1493196)
- CVE-2017-15038: 9p: information disclosure when reading extended
attributes (bz #1499111)
- CVE-2017-15268: potential memory exhaustion via websock connection to VNC
(bz #1496882)
- CVE-2017-14167: multiboot OOB access while loading kernel image (bz
#1489376)
- CVE-2017-13672: vga: OOB read access during display update (bz #1486561)
- CVE-2017-12809: flushing of empty CDROM drives leads to NULL deref (bz
#1483536)
- CVE-2017-11434 slirp: out-of-bounds read while parsing dhcp options (bz
#1472612)
- Fix sending multimedia keys through spice (bz #1471758)
- Another ppc64le binfmt fix (bz #1500526)
* Fri Sep 08 2017 Cole Robinson <crobinso@redhat.com> - 2:2.9.1-1
- Rebase to 2.9.1 stable release