diff --git a/0002-xhci-relax-link-check.patch b/0002-xhci-relax-link-check.patch
new file mode 100644
index 0000000..6ef5571
--- /dev/null
+++ b/0002-xhci-relax-link-check.patch
@@ -0,0 +1,37 @@
+From: Ladi Prosek
+Date: Fri, 12 May 2017 12:21:00 +0200
+Subject: [PATCH] xhci: relax link check
+
+The strict td link limit added by commit "05f43d4 xhci: limit the
+number of link trbs we are willing to process" causes problems with
+Windows guests. Let's raise the limit.
+
+This change is analogous to:
+
+ commit ab6b1105a2259c7072905887f71caa850ce63190
+ Author: Gerd Hoffmann
+ Date: Tue Mar 7 09:40:18 2017 +0100
+
+ ohci: relax link check
+
+Signed-off-by: Ladi Prosek
+Message-id: 20170512102100.22675-1-lprosek@redhat.com
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 99f9aeba5d461f79c9ce73f968ba0feb77fc1f5a)
+---
+ hw/usb/hcd-xhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index ed0f13f37b..95f127d152 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -50,7 +50,7 @@
+ /* Very pessimistic, let's hope it's enough for all cases */
+ #define EV_QUEUE (((3 * 24) + 16) * MAXSLOTS)
+
+-#define TRB_LINK_LIMIT 4
++#define TRB_LINK_LIMIT 32
+ #define COMMAND_LIMIT 256
+ #define TRANSFER_LIMIT 256
+
diff --git a/0003-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch b/0003-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch
new file mode 100644
index 0000000..854ce6b
--- /dev/null
+++ b/0003-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch
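Review bot: The new `+#define TRB_LINK_LIMIT 32` line in the hcd-xhci.c hunk carries no comment, unlike the `EV_QUEUE` define two lines above it, and both the reason the value exists (a cap on how many link TRBs a ring walk will follow, per the quoted commit 05f43d4) and the reason it changed (Windows guests exceed 4) survive only in the commit message. Propose `/* max link TRBs followed per TD; guest-controlled rings must stay bounded, 4 was too low for Windows guests */` above the define. Whether 32 still keeps that walk cheap enough cannot be judged here, since the loop that consumes the limit is outside this patch.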
@@ -0,0 +1,40 @@
+From: Prasad J Pandit
+Date: Mon, 16 Oct 2017 14:21:59 +0200
+Subject: [PATCH] 9pfs: use g_malloc0 to allocate space for xattr
+
+9p back-end first queries the size of an extended attribute,
+allocates space for it via g_malloc() and then retrieves its
+value into allocated buffer. Race between querying attribute
+size and retrieving its could lead to memory bytes disclosure.
+Use g_malloc0() to avoid it.
+
+Reported-by: Tuomas Tynkkynen
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Greg Kurz
+(cherry picked from commit 7bd92756303f2158a68d5166264dc30139b813b6)
+---
+ hw/9pfs/9p.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index c80ba67389..aaf9935ef4 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -3220,7 +3220,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+ xattr_fidp->fid_type = P9_FID_XATTR;
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ if (size) {
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
+ xattr_fidp->fs.xattr.value,
+ xattr_fidp->fs.xattr.len);
+@@ -3253,7 +3253,7 @@ static void coroutine_fn v9fs_xattrwalk(void *opaque)
+ xattr_fidp->fid_type = P9_FID_XATTR;
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
+ if (size) {
+- xattr_fidp->fs.xattr.value = g_malloc(size);
++ xattr_fidp->fs.xattr.value = g_malloc0(size);
+ err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
+ &name, xattr_fidp->fs.xattr.value,
+ xattr_fidp->fs.xattr.len);
diff --git a/0004-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch b/0004-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
new file mode 100644
index 0000000..7828f2b
--- /dev/null
+++ b/0004-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
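Review bot: Both hunks in the hw/9pfs/9p.c patch still hand the pre-computed `xattr_fidp->fs.xattr.len` to `v9fs_co_llistxattr` / `v9fs_co_lgetxattr`, and nothing visible reconciles it with the count those calls return, so if the attribute shrank between the size query and the fetch the reply would still carry `size` bytes — now zero-filled rather than stale heap, which closes the disclosure but not the length mismatch. If the code after the hunks does not already do so, consider clamping `xattr_fidp->fs.xattr.len` to the returned count in `err` when that is smaller, assuming the coroutine wrappers return the byte count like the syscalls they front (their return convention is not visible here). v9fs_xattrwalk continues outside both hunks.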
@@ -0,0 +1,51 @@
+From: "Daniel P. Berrange"
+Date: Mon, 9 Oct 2017 14:43:42 +0100
+Subject: [PATCH] io: monitor encoutput buffer size from websocket GSource
+
+The websocket GSource is monitoring the size of the rawoutput
+buffer to determine if the channel can accepts more writes.
+The rawoutput buffer, however, is merely a temporary staging
+buffer before data is copied into the encoutput buffer. Thus
+its size will always be zero when the GSource runs.
+
+This flaw causes the encoutput buffer to grow without bound
+if the other end of the underlying data channel doesn't
+read data being sent. This can be seen with VNC if a client
+is on a slow WAN link and the guest OS is sending many screen
+updates. A malicious VNC client can act like it is on a slow
+link by playing a video in the guest and then reading data
+very slowly, causing QEMU host memory to expand arbitrarily.
+
+This issue is assigned CVE-2017-15268, publically reported in
+
+ https://bugs.launchpad.net/qemu/+bug/1718964
+
+Reviewed-by: Eric Blake
+Signed-off-by: Daniel P. Berrange
+(cherry picked from commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493)
+---
+ io/channel-websock.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/io/channel-websock.c b/io/channel-websock.c
+index 8fabadea2f..882bbb4cbc 100644
+--- a/io/channel-websock.c
++++ b/io/channel-websock.c
+@@ -26,7 +26,7 @@
+ #include "trace.h"
+
+
+-/* Max amount to allow in rawinput/rawoutput buffers */
++/* Max amount to allow in rawinput/encoutput buffers */
+ #define QIO_CHANNEL_WEBSOCK_MAX_BUFFER 8192
+
+ #define QIO_CHANNEL_WEBSOCK_CLIENT_KEY_LEN 24
+@@ -1006,7 +1006,7 @@ qio_channel_websock_source_prepare(GSource *source,
+ if (wsource->wioc->rawinput.offset) {
+ cond |= G_IO_IN;
+ }
+- if (wsource->wioc->rawoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
++ if (wsource->wioc->encoutput.offset < QIO_CHANNEL_WEBSOCK_MAX_BUFFER) {
+ cond |= G_IO_OUT;
+ }
+
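Review bot: The second hunk ties G_IO_OUT readiness to `encoutput.offset`, but readiness is only half of the bound: a caller that writes without first waiting on the GSource can still grow encoutput unless the writev path refuses data while `encoutput.offset >= QIO_CHANNEL_WEBSOCK_MAX_BUFFER`. That path is outside the hunk, so this is hedged; if it does not already return `QIO_CHANNEL_ERR_BLOCK` under that condition, the same comparison belongs there too. The first hunk's comment now says the 8192 limit covers `rawinput/encoutput`, while the G_IO_IN test a few lines above the change only asks whether `rawinput.offset` is non-zero; a short note on the define saying where each buffer's limit is actually enforced would make that asymmetry read as deliberate. qio_channel_websock_source_prepare continues outside the hunk.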
diff --git a/0005-multiboot-validate-multiboot-header-address-values.patch b/0005-multiboot-validate-multiboot-header-address-values.patch
new file mode 100644
index 0000000..db33c53
--- /dev/null
+++ b/0005-multiboot-validate-multiboot-header-address-values.patch
@@ -0,0 +1,60 @@
+From: Prasad J Pandit
+Date: Thu, 7 Sep 2017 12:02:56 +0530
+Subject: [PATCH] multiboot: validate multiboot header address values
+
+While loading kernel via multiboot-v1 image, (flags & 0x00010000)
+indicates that multiboot header contains valid addresses to load
+the kernel image. These addresses are used to compute kernel
+size and kernel text offset in the OS image. Validate these
+address values to avoid an OOB access issue.
+
+This is CVE-2017-14167.
+
+Reported-by: Thomas Garnier
+Signed-off-by: Prasad J Pandit
+Message-Id: <20170907063256.7418-1-ppandit@redhat.com>
+Signed-off-by: Paolo Bonzini
+(cherry picked from commit ed4f86e8b6eff8e600c69adee68c7cd34dd2cccb)
+---
+ hw/i386/multiboot.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/hw/i386/multiboot.c b/hw/i386/multiboot.c
+index f13e23139b..22688d376d 100644
+--- a/hw/i386/multiboot.c
++++ b/hw/i386/multiboot.c
+@@ -221,15 +221,34 @@ int load_multiboot(FWCfgState *fw_cfg,
+ uint32_t mh_header_addr = ldl_p(header+i+12);
+ uint32_t mh_load_end_addr = ldl_p(header+i+20);
+ uint32_t mh_bss_end_addr = ldl_p(header+i+24);
++
+ mh_load_addr = ldl_p(header+i+16);
++ if (mh_header_addr < mh_load_addr) {
++ fprintf(stderr, "invalid mh_load_addr address\n");
++ exit(1);
++ }
++
+ uint32_t mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr);
+ uint32_t mb_load_size = 0;
+ mh_entry_addr = ldl_p(header+i+28);
+
+ if (mh_load_end_addr) {
++ if (mh_bss_end_addr < mh_load_addr) {
++ fprintf(stderr, "invalid mh_bss_end_addr address\n");
++ exit(1);
++ }
+ mb_kernel_size = mh_bss_end_addr - mh_load_addr;
++
++ if (mh_load_end_addr < mh_load_addr) {
++ fprintf(stderr, "invalid mh_load_end_addr address\n");
++ exit(1);
++ }
+ mb_load_size = mh_load_end_addr - mh_load_addr;
+ } else {
++ if (kernel_file_size < mb_kernel_text_offset) {
++ fprintf(stderr, "invalid kernel_file_size\n");
++ exit(1);
++ }
+ mb_kernel_size = kernel_file_size - mb_kernel_text_offset;
+ mb_load_size = mb_kernel_size;
+ }
diff --git a/0006-vga-stop-passing-pointers-to-vga_draw_line-functions.patch b/0006-vga-stop-passing-pointers-to-vga_draw_line-functions.patch
new file mode 100644
index 0000000..3cccc09
--- /dev/null
+++ b/0006-vga-stop-passing-pointers-to-vga_draw_line-functions.patch
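Review bot: The new `mh_header_addr < mh_load_addr` guard in the hw/i386/multiboot.c hunk covers only one direction: `mb_kernel_text_offset = i - (mh_header_addr - mh_load_addr)` wraps to a huge uint32_t whenever the header lies further past `mh_load_addr` than its own offset `i` into the file, and in the `mh_load_end_addr` branch nothing compares that offset with `kernel_file_size` before the loads that follow outside the hunk. Propose `if (mh_header_addr < mh_load_addr || mh_header_addr - mh_load_addr > i) {` for that first check. Similarly `mh_bss_end_addr` is checked only against `mh_load_addr`, not against `mh_load_end_addr`, so `mb_kernel_size` can end up smaller than `mb_load_size`; whether later code tolerates that is not visible here. load_multiboot's body continues on both sides of the hunk.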
@@ -0,0 +1,494 @@ +From: Gerd Hoffmann +Date: Mon, 28 Aug 2017 14:29:06 +0200 +Subject: [PATCH] vga: stop passing pointers to vga_draw_line* functions + +Instead pass around the address (aka offset into vga memory). +Add vga_read_* helper functions which apply vbe_size_mask to +the address, to make sure the address stays within the valid +range, similar to the cirrus blitter fixes (commits ffaf857778 +and 026aeffcb4). + +Impact: DoS for privileged guest users. qemu crashes with +a segfault, when hitting the guard page after vga memory +allocation, while reading vga memory for display updates. + +Fixes: CVE-2017-13672 +Cc: P J P +Reported-by: David Buchanan +Signed-off-by: Gerd Hoffmann +Message-id: 20170828122906.18993-1-kraxel@redhat.com +(cherry picked from commit 3d90c6254863693a6b13d918d2b8682e08bbc681) +--- + hw/display/vga-helpers.h | 202 ++++++++++++++++++++++++++--------------------- + hw/display/vga.c | 5 +- + hw/display/vga_int.h | 1 + + 3 files changed, 114 insertions(+), 94 deletions(-) + +diff --git a/hw/display/vga-helpers.h b/hw/display/vga-helpers.h +index 94f6de2046..5a752b3f9e 100644 +--- a/hw/display/vga-helpers.h ++++ b/hw/display/vga-helpers.h +@@ -95,20 +95,46 @@ static void vga_draw_glyph9(uint8_t *d, int linesize, + } while (--h); + } + ++static inline uint8_t vga_read_byte(VGACommonState *vga, uint32_t addr) ++{ ++ return vga->vram_ptr[addr & vga->vbe_size_mask]; ++} ++ ++static inline uint16_t vga_read_word_le(VGACommonState *vga, uint32_t addr) ++{ ++ uint32_t offset = addr & vga->vbe_size_mask & ~1; ++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); ++ return lduw_le_p(ptr); ++} ++ ++static inline uint16_t vga_read_word_be(VGACommonState *vga, uint32_t addr) ++{ ++ uint32_t offset = addr & vga->vbe_size_mask & ~1; ++ uint16_t *ptr = (uint16_t *)(vga->vram_ptr + offset); ++ return lduw_be_p(ptr); ++} ++ ++static inline uint32_t vga_read_dword_le(VGACommonState *vga, uint32_t addr) ++{ ++ uint32_t offset = addr & vga->vbe_size_mask & 
~3; ++ uint32_t *ptr = (uint32_t *)(vga->vram_ptr + offset); ++ return ldl_le_p(ptr); ++} ++ + /* + * 4 color mode + */ +-static void vga_draw_line2(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, *palette, data, v; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand2[GET_PLANE(data, 0)]; + v |= expand2[GET_PLANE(data, 2)] << 2; +@@ -124,7 +150,7 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, + ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf]; + ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf]; + d += 32; +- s += 4; ++ addr += 4; + } + } + +@@ -134,17 +160,17 @@ static void vga_draw_line2(VGACommonState *s1, uint8_t *d, + /* + * 4 color mode, dup2 horizontal + */ +-static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line2d2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, *palette, data, v; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand2[GET_PLANE(data, 0)]; + v |= expand2[GET_PLANE(data, 2)] << 2; +@@ -160,24 +186,24 @@ static void vga_draw_line2d2(VGACommonState *s1, uint8_t *d, + PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); + PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]); + d += 64; +- s += 4; ++ addr += 4; + } + } + + /* + * 16 color mode + */ 
+-static void vga_draw_line4(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line4(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, data, v, *palette; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand4[GET_PLANE(data, 0)]; + v |= expand4[GET_PLANE(data, 1)] << 1; +@@ -192,24 +218,24 @@ static void vga_draw_line4(VGACommonState *s1, uint8_t *d, + ((uint32_t *)d)[6] = palette[(v >> 4) & 0xf]; + ((uint32_t *)d)[7] = palette[(v >> 0) & 0xf]; + d += 32; +- s += 4; ++ addr += 4; + } + } + + /* + * 16 color mode, dup2 horizontal + */ +-static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line4d2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t plane_mask, data, v, *palette; + int x; + +- palette = s1->last_palette; +- plane_mask = mask16[s1->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; ++ palette = vga->last_palette; ++ plane_mask = mask16[vga->ar[VGA_ATC_PLANE_ENABLE] & 0xf]; + width >>= 3; + for(x = 0; x < width; x++) { +- data = ((uint32_t *)s)[0]; ++ data = vga_read_dword_le(vga, addr); + data &= plane_mask; + v = expand4[GET_PLANE(data, 0)]; + v |= expand4[GET_PLANE(data, 1)] << 1; +@@ -224,7 +250,7 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, + PUT_PIXEL2(d, 6, palette[(v >> 4) & 0xf]); + PUT_PIXEL2(d, 7, palette[(v >> 0) & 0xf]); + d += 64; +- s += 4; ++ addr += 4; + } + } + +@@ -233,21 +259,21 @@ static void vga_draw_line4d2(VGACommonState *s1, uint8_t *d, + * + * XXX: add plane_mask support (never used in standard VGA modes) + */ +-static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d, +- 
const uint8_t *s, int width) ++static void vga_draw_line8d2(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t *palette; + int x; + +- palette = s1->last_palette; ++ palette = vga->last_palette; + width >>= 3; + for(x = 0; x < width; x++) { +- PUT_PIXEL2(d, 0, palette[s[0]]); +- PUT_PIXEL2(d, 1, palette[s[1]]); +- PUT_PIXEL2(d, 2, palette[s[2]]); +- PUT_PIXEL2(d, 3, palette[s[3]]); ++ PUT_PIXEL2(d, 0, palette[vga_read_byte(vga, addr + 0)]); ++ PUT_PIXEL2(d, 1, palette[vga_read_byte(vga, addr + 1)]); ++ PUT_PIXEL2(d, 2, palette[vga_read_byte(vga, addr + 2)]); ++ PUT_PIXEL2(d, 3, palette[vga_read_byte(vga, addr + 3)]); + d += 32; +- s += 4; ++ addr += 4; + } + } + +@@ -256,63 +282,63 @@ static void vga_draw_line8d2(VGACommonState *s1, uint8_t *d, + * + * XXX: add plane_mask support (never used in standard VGA modes) + */ +-static void vga_draw_line8(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line8(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + uint32_t *palette; + int x; + +- palette = s1->last_palette; ++ palette = vga->last_palette; + width >>= 3; + for(x = 0; x < width; x++) { +- ((uint32_t *)d)[0] = palette[s[0]]; +- ((uint32_t *)d)[1] = palette[s[1]]; +- ((uint32_t *)d)[2] = palette[s[2]]; +- ((uint32_t *)d)[3] = palette[s[3]]; +- ((uint32_t *)d)[4] = palette[s[4]]; +- ((uint32_t *)d)[5] = palette[s[5]]; +- ((uint32_t *)d)[6] = palette[s[6]]; +- ((uint32_t *)d)[7] = palette[s[7]]; ++ ((uint32_t *)d)[0] = palette[vga_read_byte(vga, addr + 0)]; ++ ((uint32_t *)d)[1] = palette[vga_read_byte(vga, addr + 1)]; ++ ((uint32_t *)d)[2] = palette[vga_read_byte(vga, addr + 2)]; ++ ((uint32_t *)d)[3] = palette[vga_read_byte(vga, addr + 3)]; ++ ((uint32_t *)d)[4] = palette[vga_read_byte(vga, addr + 4)]; ++ ((uint32_t *)d)[5] = palette[vga_read_byte(vga, addr + 5)]; ++ ((uint32_t *)d)[6] = palette[vga_read_byte(vga, addr + 6)]; ++ ((uint32_t *)d)[7] = palette[vga_read_byte(vga, addr + 
7)]; + d += 32; +- s += 8; ++ addr += 8; + } + } + + /* + * 15 bit color + */ +-static void vga_draw_line15_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line15_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_le_p((void *)s); ++ v = vga_read_word_le(vga, addr); + r = (v >> 7) & 0xf8; + g = (v >> 2) & 0xf8; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } + +-static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line15_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_be_p((void *)s); ++ v = vga_read_word_be(vga, addr); + r = (v >> 7) & 0xf8; + g = (v >> 2) & 0xf8; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } +@@ -320,38 +346,38 @@ static void vga_draw_line15_be(VGACommonState *s1, uint8_t *d, + /* + * 16 bit color + */ +-static void vga_draw_line16_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line16_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_le_p((void *)s); ++ v = vga_read_word_le(vga, addr); + r = (v >> 8) & 0xf8; + g = (v >> 3) & 0xfc; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } + +-static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line16_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t v, r, g, b; + + w = width; + do { +- v = lduw_be_p((void *)s); ++ v = vga_read_word_be(vga, addr); + r = (v 
>> 8) & 0xf8; + g = (v >> 3) & 0xfc; + b = (v << 3) & 0xf8; + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 2; ++ addr += 2; + d += 4; + } while (--w != 0); + } +@@ -359,36 +385,36 @@ static void vga_draw_line16_be(VGACommonState *s1, uint8_t *d, + /* + * 24 bit color + */ +-static void vga_draw_line24_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line24_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t r, g, b; + + w = width; + do { +- b = s[0]; +- g = s[1]; +- r = s[2]; ++ b = vga_read_byte(vga, addr + 0); ++ g = vga_read_byte(vga, addr + 1); ++ r = vga_read_byte(vga, addr + 2); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 3; ++ addr += 3; + d += 4; + } while (--w != 0); + } + +-static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line24_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { + int w; + uint32_t r, g, b; + + w = width; + do { +- r = s[0]; +- g = s[1]; +- b = s[2]; ++ r = vga_read_byte(vga, addr + 0); ++ g = vga_read_byte(vga, addr + 1); ++ b = vga_read_byte(vga, addr + 2); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 3; ++ addr += 3; + d += 4; + } while (--w != 0); + } +@@ -396,44 +422,36 @@ static void vga_draw_line24_be(VGACommonState *s1, uint8_t *d, + /* + * 32 bit color + */ +-static void vga_draw_line32_le(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line32_le(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { +-#ifndef HOST_WORDS_BIGENDIAN +- memcpy(d, s, width * 4); +-#else + int w; + uint32_t r, g, b; + + w = width; + do { +- b = s[0]; +- g = s[1]; +- r = s[2]; ++ b = vga_read_byte(vga, addr + 0); ++ g = vga_read_byte(vga, addr + 1); ++ r = vga_read_byte(vga, addr + 2); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 4; ++ addr += 4; + d += 4; + } while (--w != 0); +-#endif + } + 
+-static void vga_draw_line32_be(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width) ++static void vga_draw_line32_be(VGACommonState *vga, uint8_t *d, ++ uint32_t addr, int width) + { +-#ifdef HOST_WORDS_BIGENDIAN +- memcpy(d, s, width * 4); +-#else + int w; + uint32_t r, g, b; + + w = width; + do { +- r = s[1]; +- g = s[2]; +- b = s[3]; ++ r = vga_read_byte(vga, addr + 1); ++ g = vga_read_byte(vga, addr + 2); ++ b = vga_read_byte(vga, addr + 3); + ((uint32_t *)d)[0] = rgb_to_pixel32(r, g, b); +- s += 4; ++ addr += 4; + d += 4; + } while (--w != 0); +-#endif + } +diff --git a/hw/display/vga.c b/hw/display/vga.c +index 69c3e1d674..086509db98 100644 +--- a/hw/display/vga.c ++++ b/hw/display/vga.c +@@ -1005,7 +1005,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val) + } + + typedef void vga_draw_line_func(VGACommonState *s1, uint8_t *d, +- const uint8_t *s, int width); ++ uint32_t srcaddr, int width); + + #include "vga-helpers.h" + +@@ -1648,7 +1648,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update) + if (page1 > page_max) + page_max = page1; + if (!(is_buffer_shared(surface))) { +- vga_draw_line(s, d, s->vram_ptr + addr, width); ++ vga_draw_line(s, d, addr, width); + if (s->cursor_draw_line) + s->cursor_draw_line(s, d, y); + } +@@ -2158,6 +2158,7 @@ void vga_common_init(VGACommonState *s, Object *obj, bool global_vmstate) + if (!s->vbe_size) { + s->vbe_size = s->vram_size; + } ++ s->vbe_size_mask = s->vbe_size - 1; + + s->is_vbe_vmstate = 1; + memory_region_init_ram(&s->vram, obj, "vga.vram", s->vram_size, +diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h +index dd6c958da3..ad34a1f048 100644 +--- a/hw/display/vga_int.h ++++ b/hw/display/vga_int.h +@@ -94,6 +94,7 @@ typedef struct VGACommonState { + uint32_t vram_size; + uint32_t vram_size_mb; /* property */ + uint32_t vbe_size; ++ uint32_t vbe_size_mask; + uint32_t latch; + bool has_chain4_alias; + MemoryRegion chain4_alias; 
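Review bot: `s->vbe_size_mask = s->vbe_size - 1;` in the vga.c hunk is only a bounds mask when `vbe_size` is a power of two, and the new `vga_read_byte`/`vga_read_word_*`/`vga_read_dword_le` helpers in vga-helpers.h depend on `addr & vga->vbe_size_mask` never reaching the end of `vram_ptr`; nothing in the patch checks or states that precondition. Whether every path that sets `vbe_size` rounds it up is not visible here, so propose `assert(is_power_of_2(s->vbe_size));` directly before the mask assignment, plus a comment on the new field in vga_int.h: `uint32_t vbe_size_mask; /* vbe_size - 1; vbe_size must be a power of two */`. The word and dword helpers additionally align the masked offset down (`& ~1`, `& ~3`), so an odd guest address silently reads different bytes instead of failing — worth one line of comment given callers advance `addr` in fixed strides. vga_common_init continues outside the hunk.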
diff --git a/0007-IDE-Do-not-flush-empty-CDROM-drives.patch b/0007-IDE-Do-not-flush-empty-CDROM-drives.patch
new file mode 100644
index 0000000..91c52bd
--- /dev/null
+++ b/0007-IDE-Do-not-flush-empty-CDROM-drives.patch
@@ -0,0 +1,41 @@
+From: Stefan Hajnoczi
+Date: Wed, 9 Aug 2017 17:02:11 +0100
+Subject: [PATCH] IDE: Do not flush empty CDROM drives
+
+The block backend changed in a way that flushing empty CDROM drives now
+crashes. Amend IDE to avoid doing so until the root problem can be
+addressed for 2.11.
+
+Original patch by John Snow .
+
+Reported-by: Kieron Shorrock
+Signed-off-by: Stefan Hajnoczi
+Reviewed-by: Eric Blake
+Message-id: 20170809160212.29976-2-stefanha@redhat.com
+Signed-off-by: Stefan Hajnoczi
+(cherry picked from commit 4da97120d51a4383aa96d741a2b837f8c4bbcd0b)
+---
+ hw/ide/core.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/hw/ide/core.c b/hw/ide/core.c
+index 0b48b64d3a..bea39536b0 100644
+--- a/hw/ide/core.c
++++ b/hw/ide/core.c
+@@ -1063,7 +1063,15 @@ static void ide_flush_cache(IDEState *s)
+ s->status |= BUSY_STAT;
+ ide_set_retry(s);
+ block_acct_start(blk_get_stats(s->blk), &s->acct, 0, BLOCK_ACCT_FLUSH);
+- s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
++
++ if (blk_bs(s->blk)) {
++ s->pio_aiocb = blk_aio_flush(s->blk, ide_flush_cb, s);
++ } else {
++ /* XXX blk_aio_flush() crashes when blk_bs(blk) is NULL, remove this
++ * temporary workaround when blk_aio_*() functions handle NULL blk_bs.
++ */
++ ide_flush_cb(s, 0);
++ }
+ }
+
+ static void ide_cfata_metadata_inquiry(IDEState *s)
diff --git a/0008-slirp-check-len-against-dhcp-options-array-end.patch b/0008-slirp-check-len-against-dhcp-options-array-end.patch
new file mode 100644
index 0000000..e0c08c8
--- /dev/null
+++ b/0008-slirp-check-len-against-dhcp-options-array-end.patch
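Review bot: In the new else branch of the ide_flush_cache hunk, `ide_flush_cb(s, 0)` completes synchronously, yet the lines just above it have already set `BUSY_STAT`, called `ide_set_retry(s)` and opened a `BLOCK_ACCT_FLUSH` accounting entry, and `s->pio_aiocb` is not assigned on this path. Whether the callback undoes all three is outside the hunk, so this is hedged; if it does not, every flush on an empty drive leaves an accounting entry open or retry state armed. Extending the XXX comment with `* ide_flush_cb() runs inline here and must clear BUSY/retry and finish the acct entry started above.` would pin that assumption for whoever removes the workaround.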
@@ -0,0 +1,32 @@
+From: Prasad J Pandit
+Date: Mon, 17 Jul 2017 17:33:26 +0530
+Subject: [PATCH] slirp: check len against dhcp options array end
+
+While parsing dhcp options string in 'dhcp_decode', if an options'
+length 'len' appeared towards the end of 'bp_vend' array, ensuing
+read could lead to an OOB memory access issue. Add check to avoid it.
+
+This is CVE-2017-11434.
+
+Reported-by: Reno Robert
+Signed-off-by: Prasad J Pandit
+Signed-off-by: Samuel Thibault
+(cherry picked from commit 413d463f43fbc4dd3a601e80a5724aa384a265a0)
+---
+ slirp/bootp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/slirp/bootp.c b/slirp/bootp.c
+index 5a4646c182..5dd1a415b5 100644
+--- a/slirp/bootp.c
++++ b/slirp/bootp.c
+@@ -123,6 +123,9 @@ static void dhcp_decode(const struct bootp_t *bp, int *pmsg_type,
+ if (p >= p_end)
+ break;
+ len = *p++;
++ if (p + len > p_end) {
++ break;
++ }
+ DPRINTF("dhcp: tag=%d len=%d\n", tag, len);
+
+ switch(tag) {
diff --git a/0009-ui-add-next-and-prior-keysyms.patch b/0009-ui-add-next-and-prior-keysyms.patch
new file mode 100644
index 0000000..06a58c4
--- /dev/null
+++ b/0009-ui-add-next-and-prior-keysyms.patch
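Review bot: `if (p + len > p_end)` in the slirp/bootp.c hunk forms a pointer up to `len` bytes beyond `p_end` before comparing it (`len` is read from a single `*p++`), which is undefined behaviour in C even though the comparison is what stops the out-of-bounds read; the same check without the out-of-range pointer is `if (len > p_end - p) {`. Both operands are already in scope on the visible lines. dhcp_decode continues outside the hunk, and this guard bounds only the option as a whole — each case of the `switch` below still has to check `len` against the fixed size it consumes.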
@@ -0,0 +1,45 @@
+From: Gerd Hoffmann
+Date: Wed, 26 Jul 2017 17:29:14 +0200
+Subject: [PATCH] ui: add next and prior keysyms
+
+Page-up and Page-down were renamed. Add the names to the keysym list
+so we can parse both old and new names. The keypad versions are already
+present in the vnc map.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Eric Blake
+Message-id: 20170726152918.11995-2-kraxel@redhat.com
+(cherry picked from commit d52a1a9102a4236dfbc7c95b3c7057f107dbf71d)
+---
+ ui/curses_keys.h | 2 ++
+ ui/vnc_keysym.h | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/ui/curses_keys.h b/ui/curses_keys.h
+index e39ef9e718..e9195a1671 100644
+--- a/ui/curses_keys.h
++++ b/ui/curses_keys.h
+@@ -480,7 +480,9 @@ static const name2keysym_t name2keysym[] = {
+ { "Left", KEY_LEFT },
+ { "Up", KEY_UP },
+ { "Down", KEY_DOWN },
++ { "Next", KEY_NPAGE },
+ { "Page_Down", KEY_NPAGE },
++ { "Prior", KEY_PPAGE },
+ { "Page_Up", KEY_PPAGE },
+ { "Insert", KEY_IC },
+ { "Delete", KEY_DC },
+diff --git a/ui/vnc_keysym.h b/ui/vnc_keysym.h
+index 7fa2bc1f1c..e8a2ec73c5 100644
+--- a/ui/vnc_keysym.h
++++ b/ui/vnc_keysym.h
+@@ -254,7 +254,9 @@ static const name2keysym_t name2keysym[]={
+ {"Left", 0xff51}, /* XK_Left */
+ {"Up", 0xff52}, /* XK_Up */
+ {"Down", 0xff54}, /* XK_Down */
++{"Next", 0xff56},
+ {"Page_Down", 0xff56}, /* XK_Page_Down */
++{"Prior", 0xff55},
+ {"Page_Up", 0xff55}, /* XK_Page_Up */
+ {"Insert", 0xff63}, /* XK_Insert */
+ {"Delete", 0xffff}, /* XK_Delete */
diff --git a/0010-ui-move-qemu_input_linux_to_qcode.patch b/0010-ui-move-qemu_input_linux_to_qcode.patch
new file mode 100644
index 0000000..de3d85f
--- /dev/null
+++ b/0010-ui-move-qemu_input_linux_to_qcode.patch
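Review bot: The new `{"Next", 0xff56},` and `{"Prior", 0xff55},` rows in the ui/vnc_keysym.h hunk drop the `/* XK_... */` trailer that every neighbouring row carries; propose `{"Next", 0xff56}, /* XK_Next */` and `{"Prior", 0xff55}, /* XK_Prior */`. After this change both tables map two names to one keysym, which is fine for name-to-keysym parsing, but any reverse walk of `name2keysym` (keysym to name) would now return whichever duplicate comes first — that lookup code is outside this patch, so hedged.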
@@ -0,0 +1,286 @@ +From: Gerd Hoffmann +Date: Wed, 26 Jul 2017 17:29:15 +0200 +Subject: [PATCH] ui: move qemu_input_linux_to_qcode() + +Move from input-linux.c to input-keymap.c and export it, +so the function is available elsewhere too. + +Signed-off-by: Gerd Hoffmann +Reviewed-by: Eric Blake +Message-id: 20170726152918.11995-3-kraxel@redhat.com +(cherry picked from commit 606eb0c64991d59a9d5e249508867dc0cb3707e1) +--- + include/ui/input.h | 1 + + ui/input-keymap.c | 115 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + ui/input-linux.c | 113 ---------------------------------------------------- + 3 files changed, 116 insertions(+), 113 deletions(-) + +diff --git a/include/ui/input.h b/include/ui/input.h +index d06a12dd4c..b93c4ed5aa 100644 +--- a/include/ui/input.h ++++ b/include/ui/input.h +@@ -47,6 +47,7 @@ int qemu_input_key_value_to_number(const KeyValue *value); + int qemu_input_key_value_to_qcode(const KeyValue *value); + int qemu_input_key_value_to_scancode(const KeyValue *value, bool down, + int *codes); ++int qemu_input_linux_to_qcode(unsigned int lnx); + + InputEvent *qemu_input_event_new_btn(InputButton btn, bool down); + void qemu_input_queue_btn(QemuConsole *src, InputButton btn, bool down); +diff --git a/ui/input-keymap.c b/ui/input-keymap.c +index 8a1476fc48..d4972bb364 100644 +--- a/ui/input-keymap.c ++++ b/ui/input-keymap.c +@@ -3,6 +3,115 @@ + #include "ui/keymaps.h" + #include "ui/input.h" + ++#include "standard-headers/linux/input.h" ++ ++static int linux_to_qcode[KEY_CNT] = { ++ [KEY_ESC] = Q_KEY_CODE_ESC, ++ [KEY_1] = Q_KEY_CODE_1, ++ [KEY_2] = Q_KEY_CODE_2, ++ [KEY_3] = Q_KEY_CODE_3, ++ [KEY_4] = Q_KEY_CODE_4, ++ [KEY_5] = Q_KEY_CODE_5, ++ [KEY_6] = Q_KEY_CODE_6, ++ [KEY_7] = Q_KEY_CODE_7, ++ [KEY_8] = Q_KEY_CODE_8, ++ [KEY_9] = Q_KEY_CODE_9, ++ [KEY_0] = Q_KEY_CODE_0, ++ [KEY_MINUS] = Q_KEY_CODE_MINUS, ++ [KEY_EQUAL] = Q_KEY_CODE_EQUAL, ++ [KEY_BACKSPACE] = Q_KEY_CODE_BACKSPACE, ++ [KEY_TAB] = Q_KEY_CODE_TAB, ++ [KEY_Q] = 
Q_KEY_CODE_Q, ++ [KEY_W] = Q_KEY_CODE_W, ++ [KEY_E] = Q_KEY_CODE_E, ++ [KEY_R] = Q_KEY_CODE_R, ++ [KEY_T] = Q_KEY_CODE_T, ++ [KEY_Y] = Q_KEY_CODE_Y, ++ [KEY_U] = Q_KEY_CODE_U, ++ [KEY_I] = Q_KEY_CODE_I, ++ [KEY_O] = Q_KEY_CODE_O, ++ [KEY_P] = Q_KEY_CODE_P, ++ [KEY_LEFTBRACE] = Q_KEY_CODE_BRACKET_LEFT, ++ [KEY_RIGHTBRACE] = Q_KEY_CODE_BRACKET_RIGHT, ++ [KEY_ENTER] = Q_KEY_CODE_RET, ++ [KEY_LEFTCTRL] = Q_KEY_CODE_CTRL, ++ [KEY_A] = Q_KEY_CODE_A, ++ [KEY_S] = Q_KEY_CODE_S, ++ [KEY_D] = Q_KEY_CODE_D, ++ [KEY_F] = Q_KEY_CODE_F, ++ [KEY_G] = Q_KEY_CODE_G, ++ [KEY_H] = Q_KEY_CODE_H, ++ [KEY_J] = Q_KEY_CODE_J, ++ [KEY_K] = Q_KEY_CODE_K, ++ [KEY_L] = Q_KEY_CODE_L, ++ [KEY_SEMICOLON] = Q_KEY_CODE_SEMICOLON, ++ [KEY_APOSTROPHE] = Q_KEY_CODE_APOSTROPHE, ++ [KEY_GRAVE] = Q_KEY_CODE_GRAVE_ACCENT, ++ [KEY_LEFTSHIFT] = Q_KEY_CODE_SHIFT, ++ [KEY_BACKSLASH] = Q_KEY_CODE_BACKSLASH, ++ [KEY_102ND] = Q_KEY_CODE_LESS, ++ [KEY_Z] = Q_KEY_CODE_Z, ++ [KEY_X] = Q_KEY_CODE_X, ++ [KEY_C] = Q_KEY_CODE_C, ++ [KEY_V] = Q_KEY_CODE_V, ++ [KEY_B] = Q_KEY_CODE_B, ++ [KEY_N] = Q_KEY_CODE_N, ++ [KEY_M] = Q_KEY_CODE_M, ++ [KEY_COMMA] = Q_KEY_CODE_COMMA, ++ [KEY_DOT] = Q_KEY_CODE_DOT, ++ [KEY_SLASH] = Q_KEY_CODE_SLASH, ++ [KEY_RIGHTSHIFT] = Q_KEY_CODE_SHIFT_R, ++ [KEY_LEFTALT] = Q_KEY_CODE_ALT, ++ [KEY_SPACE] = Q_KEY_CODE_SPC, ++ [KEY_CAPSLOCK] = Q_KEY_CODE_CAPS_LOCK, ++ [KEY_F1] = Q_KEY_CODE_F1, ++ [KEY_F2] = Q_KEY_CODE_F2, ++ [KEY_F3] = Q_KEY_CODE_F3, ++ [KEY_F4] = Q_KEY_CODE_F4, ++ [KEY_F5] = Q_KEY_CODE_F5, ++ [KEY_F6] = Q_KEY_CODE_F6, ++ [KEY_F7] = Q_KEY_CODE_F7, ++ [KEY_F8] = Q_KEY_CODE_F8, ++ [KEY_F9] = Q_KEY_CODE_F9, ++ [KEY_F10] = Q_KEY_CODE_F10, ++ [KEY_NUMLOCK] = Q_KEY_CODE_NUM_LOCK, ++ [KEY_SCROLLLOCK] = Q_KEY_CODE_SCROLL_LOCK, ++ [KEY_KP0] = Q_KEY_CODE_KP_0, ++ [KEY_KP1] = Q_KEY_CODE_KP_1, ++ [KEY_KP2] = Q_KEY_CODE_KP_2, ++ [KEY_KP3] = Q_KEY_CODE_KP_3, ++ [KEY_KP4] = Q_KEY_CODE_KP_4, ++ [KEY_KP5] = Q_KEY_CODE_KP_5, ++ [KEY_KP6] = Q_KEY_CODE_KP_6, ++ [KEY_KP7] = Q_KEY_CODE_KP_7, ++ [KEY_KP8] 
= Q_KEY_CODE_KP_8, ++ [KEY_KP9] = Q_KEY_CODE_KP_9, ++ [KEY_KPMINUS] = Q_KEY_CODE_KP_SUBTRACT, ++ [KEY_KPPLUS] = Q_KEY_CODE_KP_ADD, ++ [KEY_KPDOT] = Q_KEY_CODE_KP_DECIMAL, ++ [KEY_KPENTER] = Q_KEY_CODE_KP_ENTER, ++ [KEY_KPSLASH] = Q_KEY_CODE_KP_DIVIDE, ++ [KEY_KPASTERISK] = Q_KEY_CODE_KP_MULTIPLY, ++ [KEY_F11] = Q_KEY_CODE_F11, ++ [KEY_F12] = Q_KEY_CODE_F12, ++ [KEY_RIGHTCTRL] = Q_KEY_CODE_CTRL_R, ++ [KEY_SYSRQ] = Q_KEY_CODE_SYSRQ, ++ [KEY_RIGHTALT] = Q_KEY_CODE_ALT_R, ++ [KEY_HOME] = Q_KEY_CODE_HOME, ++ [KEY_UP] = Q_KEY_CODE_UP, ++ [KEY_PAGEUP] = Q_KEY_CODE_PGUP, ++ [KEY_LEFT] = Q_KEY_CODE_LEFT, ++ [KEY_RIGHT] = Q_KEY_CODE_RIGHT, ++ [KEY_END] = Q_KEY_CODE_END, ++ [KEY_DOWN] = Q_KEY_CODE_DOWN, ++ [KEY_PAGEDOWN] = Q_KEY_CODE_PGDN, ++ [KEY_INSERT] = Q_KEY_CODE_INSERT, ++ [KEY_DELETE] = Q_KEY_CODE_DELETE, ++ [KEY_LEFTMETA] = Q_KEY_CODE_META_L, ++ [KEY_RIGHTMETA] = Q_KEY_CODE_META_R, ++ [KEY_MENU] = Q_KEY_CODE_MENU, ++}; ++ + static const int qcode_to_number[] = { + [Q_KEY_CODE_SHIFT] = 0x2a, + [Q_KEY_CODE_SHIFT_R] = 0x36, +@@ -141,6 +250,12 @@ static const int qcode_to_number[] = { + + static int number_to_qcode[0x100]; + ++int qemu_input_linux_to_qcode(unsigned int lnx) ++{ ++ assert(lnx < KEY_CNT); ++ return linux_to_qcode[lnx]; ++} ++ + int qemu_input_key_value_to_number(const KeyValue *value) + { + if (value->type == KEY_VALUE_KIND_QCODE) { +diff --git a/ui/input-linux.c b/ui/input-linux.c +index dc0613ca1f..5938fef628 100644 +--- a/ui/input-linux.c ++++ b/ui/input-linux.c +@@ -16,119 +16,6 @@ + #include + #include "standard-headers/linux/input.h" + +-static int linux_to_qcode[KEY_CNT] = { +- [KEY_ESC] = Q_KEY_CODE_ESC, +- [KEY_1] = Q_KEY_CODE_1, +- [KEY_2] = Q_KEY_CODE_2, +- [KEY_3] = Q_KEY_CODE_3, +- [KEY_4] = Q_KEY_CODE_4, +- [KEY_5] = Q_KEY_CODE_5, +- [KEY_6] = Q_KEY_CODE_6, +- [KEY_7] = Q_KEY_CODE_7, +- [KEY_8] = Q_KEY_CODE_8, +- [KEY_9] = Q_KEY_CODE_9, +- [KEY_0] = Q_KEY_CODE_0, +- [KEY_MINUS] = Q_KEY_CODE_MINUS, +- [KEY_EQUAL] = Q_KEY_CODE_EQUAL, +- 
[KEY_BACKSPACE] = Q_KEY_CODE_BACKSPACE, +- [KEY_TAB] = Q_KEY_CODE_TAB, +- [KEY_Q] = Q_KEY_CODE_Q, +- [KEY_W] = Q_KEY_CODE_W, +- [KEY_E] = Q_KEY_CODE_E, +- [KEY_R] = Q_KEY_CODE_R, +- [KEY_T] = Q_KEY_CODE_T, +- [KEY_Y] = Q_KEY_CODE_Y, +- [KEY_U] = Q_KEY_CODE_U, +- [KEY_I] = Q_KEY_CODE_I, +- [KEY_O] = Q_KEY_CODE_O, +- [KEY_P] = Q_KEY_CODE_P, +- [KEY_LEFTBRACE] = Q_KEY_CODE_BRACKET_LEFT, +- [KEY_RIGHTBRACE] = Q_KEY_CODE_BRACKET_RIGHT, +- [KEY_ENTER] = Q_KEY_CODE_RET, +- [KEY_LEFTCTRL] = Q_KEY_CODE_CTRL, +- [KEY_A] = Q_KEY_CODE_A, +- [KEY_S] = Q_KEY_CODE_S, +- [KEY_D] = Q_KEY_CODE_D, +- [KEY_F] = Q_KEY_CODE_F, +- [KEY_G] = Q_KEY_CODE_G, +- [KEY_H] = Q_KEY_CODE_H, +- [KEY_J] = Q_KEY_CODE_J, +- [KEY_K] = Q_KEY_CODE_K, +- [KEY_L] = Q_KEY_CODE_L, +- [KEY_SEMICOLON] = Q_KEY_CODE_SEMICOLON, +- [KEY_APOSTROPHE] = Q_KEY_CODE_APOSTROPHE, +- [KEY_GRAVE] = Q_KEY_CODE_GRAVE_ACCENT, +- [KEY_LEFTSHIFT] = Q_KEY_CODE_SHIFT, +- [KEY_BACKSLASH] = Q_KEY_CODE_BACKSLASH, +- [KEY_102ND] = Q_KEY_CODE_LESS, +- [KEY_Z] = Q_KEY_CODE_Z, +- [KEY_X] = Q_KEY_CODE_X, +- [KEY_C] = Q_KEY_CODE_C, +- [KEY_V] = Q_KEY_CODE_V, +- [KEY_B] = Q_KEY_CODE_B, +- [KEY_N] = Q_KEY_CODE_N, +- [KEY_M] = Q_KEY_CODE_M, +- [KEY_COMMA] = Q_KEY_CODE_COMMA, +- [KEY_DOT] = Q_KEY_CODE_DOT, +- [KEY_SLASH] = Q_KEY_CODE_SLASH, +- [KEY_RIGHTSHIFT] = Q_KEY_CODE_SHIFT_R, +- [KEY_LEFTALT] = Q_KEY_CODE_ALT, +- [KEY_SPACE] = Q_KEY_CODE_SPC, +- [KEY_CAPSLOCK] = Q_KEY_CODE_CAPS_LOCK, +- [KEY_F1] = Q_KEY_CODE_F1, +- [KEY_F2] = Q_KEY_CODE_F2, +- [KEY_F3] = Q_KEY_CODE_F3, +- [KEY_F4] = Q_KEY_CODE_F4, +- [KEY_F5] = Q_KEY_CODE_F5, +- [KEY_F6] = Q_KEY_CODE_F6, +- [KEY_F7] = Q_KEY_CODE_F7, +- [KEY_F8] = Q_KEY_CODE_F8, +- [KEY_F9] = Q_KEY_CODE_F9, +- [KEY_F10] = Q_KEY_CODE_F10, +- [KEY_NUMLOCK] = Q_KEY_CODE_NUM_LOCK, +- [KEY_SCROLLLOCK] = Q_KEY_CODE_SCROLL_LOCK, +- [KEY_KP0] = Q_KEY_CODE_KP_0, +- [KEY_KP1] = Q_KEY_CODE_KP_1, +- [KEY_KP2] = Q_KEY_CODE_KP_2, +- [KEY_KP3] = Q_KEY_CODE_KP_3, +- [KEY_KP4] = Q_KEY_CODE_KP_4, +- [KEY_KP5] = 
Q_KEY_CODE_KP_5, +- [KEY_KP6] = Q_KEY_CODE_KP_6, +- [KEY_KP7] = Q_KEY_CODE_KP_7, +- [KEY_KP8] = Q_KEY_CODE_KP_8, +- [KEY_KP9] = Q_KEY_CODE_KP_9, +- [KEY_KPMINUS] = Q_KEY_CODE_KP_SUBTRACT, +- [KEY_KPPLUS] = Q_KEY_CODE_KP_ADD, +- [KEY_KPDOT] = Q_KEY_CODE_KP_DECIMAL, +- [KEY_KPENTER] = Q_KEY_CODE_KP_ENTER, +- [KEY_KPSLASH] = Q_KEY_CODE_KP_DIVIDE, +- [KEY_KPASTERISK] = Q_KEY_CODE_KP_MULTIPLY, +- [KEY_F11] = Q_KEY_CODE_F11, +- [KEY_F12] = Q_KEY_CODE_F12, +- [KEY_RIGHTCTRL] = Q_KEY_CODE_CTRL_R, +- [KEY_SYSRQ] = Q_KEY_CODE_SYSRQ, +- [KEY_RIGHTALT] = Q_KEY_CODE_ALT_R, +- [KEY_HOME] = Q_KEY_CODE_HOME, +- [KEY_UP] = Q_KEY_CODE_UP, +- [KEY_PAGEUP] = Q_KEY_CODE_PGUP, +- [KEY_LEFT] = Q_KEY_CODE_LEFT, +- [KEY_RIGHT] = Q_KEY_CODE_RIGHT, +- [KEY_END] = Q_KEY_CODE_END, +- [KEY_DOWN] = Q_KEY_CODE_DOWN, +- [KEY_PAGEDOWN] = Q_KEY_CODE_PGDN, +- [KEY_INSERT] = Q_KEY_CODE_INSERT, +- [KEY_DELETE] = Q_KEY_CODE_DELETE, +- [KEY_LEFTMETA] = Q_KEY_CODE_META_L, +- [KEY_RIGHTMETA] = Q_KEY_CODE_META_R, +- [KEY_MENU] = Q_KEY_CODE_MENU, +-}; +- +-static int qemu_input_linux_to_qcode(unsigned int lnx) +-{ +- assert(lnx < KEY_CNT); +- return linux_to_qcode[lnx]; +-} +- + static bool linux_is_button(unsigned int lnx) + { + if (lnx < 0x100) { diff --git a/0011-ui-update-keymaps.patch b/0011-ui-update-keymaps.patch new file mode 100644 index 0000000..cfea160 --- /dev/null +++ b/0011-ui-update-keymaps.patch 
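Review bot: `qemu_input_linux_to_qcode()` becomes a public symbol in the ui/input-keymap.c hunk while keeping the `assert(lnx < KEY_CNT);` it had as a file-local helper, so any future caller that forwards an unvalidated Linux keycode aborts QEMU, and the new prototype in include/ui/input.h states no such precondition. Consider `if (lnx >= KEY_CNT) { return Q_KEY_CODE_UNMAPPED; }` in place of the assert, or at minimum a comment on the prototype: `/* lnx must be < KEY_CNT */`. The moved table is declared `static int linux_to_qcode[KEY_CNT]` right next to `static const int qcode_to_number[]`; making it `static const int linux_to_qcode[KEY_CNT]` keeps it read-only now that it backs an exported function.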
@@ -0,0 +1,46 @@
+From: Gerd Hoffmann
+Date: Wed, 26 Jul 2017 17:29:16 +0200
+Subject: [PATCH] ui: update keymaps
+
+Add recently added QKeyCodes to the keymaps.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Eric Blake
+Message-id: 20170726152918.11995-4-kraxel@redhat.com
+(cherry picked from commit 9ade7759edbbdafa980ea974a629a8d193de5bc2)
+---
+ ui/input-keymap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ui/input-keymap.c b/ui/input-keymap.c
+index d4972bb364..7461e1edde 100644
+--- a/ui/input-keymap.c
++++ b/ui/input-keymap.c
+@@ -94,6 +94,9 @@ static int linux_to_qcode[KEY_CNT] = {
+ [KEY_KPASTERISK] = Q_KEY_CODE_KP_MULTIPLY,
+ [KEY_F11] = Q_KEY_CODE_F11,
+ [KEY_F12] = Q_KEY_CODE_F12,
++ [KEY_RO] = Q_KEY_CODE_RO,
++ [KEY_HIRAGANA] = Q_KEY_CODE_HIRAGANA,
++ [KEY_HENKAN] = Q_KEY_CODE_HENKAN,
+ [KEY_RIGHTCTRL] = Q_KEY_CODE_CTRL_R,
+ [KEY_SYSRQ] = Q_KEY_CODE_SYSRQ,
+ [KEY_RIGHTALT] = Q_KEY_CODE_ALT_R,
+@@ -107,6 +110,9 @@ static int linux_to_qcode[KEY_CNT] = {
+ [KEY_PAGEDOWN] = Q_KEY_CODE_PGDN,
+ [KEY_INSERT] = Q_KEY_CODE_INSERT,
+ [KEY_DELETE] = Q_KEY_CODE_DELETE,
++ [KEY_POWER] = Q_KEY_CODE_POWER,
++ [KEY_KPCOMMA] = Q_KEY_CODE_KP_COMMA,
++ [KEY_YEN] = Q_KEY_CODE_YEN,
+ [KEY_LEFTMETA] = Q_KEY_CODE_META_L,
+ [KEY_RIGHTMETA] = Q_KEY_CODE_META_R,
+ [KEY_MENU] = Q_KEY_CODE_MENU,
+@@ -242,6 +248,7 @@ static const int qcode_to_number[] = {
+ [Q_KEY_CODE_RO] = 0x73,
+ [Q_KEY_CODE_HIRAGANA] = 0x70,
+ [Q_KEY_CODE_HENKAN] = 0x79,
++ [Q_KEY_CODE_POWER] = 0xde,
+ [Q_KEY_CODE_YEN] = 0x7d,
+ [Q_KEY_CODE_KP_COMMA] = 0x7e,
+
diff --git a/0012-ui-add-multimedia-keys.patch b/0012-ui-add-multimedia-keys.patch
new file mode 100644
index 0000000..e4d0f6e
--- /dev/null
+++ b/0012-ui-add-multimedia-keys.patch
@@ -0,0 +1,123 @@
+From: Gerd Hoffmann
+Date: Wed, 26 Jul 2017 17:29:17 +0200
+Subject: [PATCH] ui: add multimedia keys
+
+Add multimedia keys to QKeyCodes and to the keymaps.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Eric Blake
+Message-id: 20170726152918.11995-5-kraxel@redhat.com
+(cherry picked from commit 37810e80553c19f0dac3644924895a9bf5c70785)
+---
+ qapi-schema.json | 28 +++++++++++++++++++++++++++-
+ ui/input-keymap.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 1 deletion(-)
+
+diff --git a/qapi-schema.json b/qapi-schema.json
+index 250e4dc49b..b298b349cb 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -4730,6 +4730,27 @@
+ # @henkan: since 2.9
+ # @yen: since 2.9
+ #
++# @sleep: since 2.10
++# @wake: since 2.10
++# @audionext: since 2.10
++# @audioprev: since 2.10
++# @audiostop: since 2.10
++# @audioplay: since 2.10
++# @audiomute: since 2.10
++# @volumeup: since 2.10
++# @volumedown: since 2.10
++# @mediaselect: since 2.10
++# @mail: since 2.10
++# @calculator: since 2.10
++# @computer: since 2.10
++# @ac_search: since 2.10
++# @ac_home: since 2.10
++# @ac_back: since 2.10
++# @ac_forward: since 2.10
++# @ac_stop: since 2.10
++# @ac_refresh: since 2.10
++# @ac_bookmarks: since 2.10
++#
+ # Since: 1.3.0
+ #
+ ##
+@@ -4751,7 +4772,12 @@
+ 'props', 'undo', 'front', 'copy', 'open', 'paste', 'find', 'cut',
+ 'lf', 'help', 'meta_l', 'meta_r', 'compose', 'pause',
+ 'ro', 'hiragana', 'henkan', 'yen',
+- 'kp_comma', 'kp_equals', 'power' ] }
++ 'kp_comma', 'kp_equals', 'power', 'sleep', 'wake',
++ 'audionext', 'audioprev', 'audiostop', 'audioplay', 'audiomute',
++ 'volumeup', 'volumedown', 'mediaselect',
++ 'mail', 'calculator', 'computer',
++ 'ac_search', 'ac_home', 'ac_back', 'ac_forward', 'ac_stop',
++ 'ac_refresh', 'ac_bookmarks' ] }
+
+ ##
+ # @KeyValue:
+diff --git a/ui/input-keymap.c b/ui/input-keymap.c
+index 7461e1edde..ae781beae9 100644
+--- a/ui/input-keymap.c
++++ b/ui/input-keymap.c
+@@ -116,6 +116,28 @@ static int linux_to_qcode[KEY_CNT] = {
+ [KEY_LEFTMETA] = Q_KEY_CODE_META_L,
+ [KEY_RIGHTMETA] = Q_KEY_CODE_META_R,
+ [KEY_MENU] = Q_KEY_CODE_MENU,
++
++ [KEY_SLEEP] = Q_KEY_CODE_SLEEP,
++ [KEY_WAKEUP] = Q_KEY_CODE_WAKE,
++ [KEY_CALC] = Q_KEY_CODE_CALCULATOR,
++ [KEY_MAIL] = Q_KEY_CODE_MAIL,
++ [KEY_COMPUTER] = Q_KEY_CODE_COMPUTER,
++
++ [KEY_STOP] = Q_KEY_CODE_AC_STOP,
++ [KEY_BOOKMARKS] = Q_KEY_CODE_AC_BOOKMARKS,
++ [KEY_BACK] = Q_KEY_CODE_AC_BACK,
++ [KEY_FORWARD] = Q_KEY_CODE_AC_FORWARD,
++ [KEY_HOMEPAGE] = Q_KEY_CODE_AC_HOME,
++ [KEY_REFRESH] = Q_KEY_CODE_AC_REFRESH,
++ [KEY_FIND] = Q_KEY_CODE_AC_SEARCH,
++
++ [KEY_NEXTSONG] = Q_KEY_CODE_AUDIONEXT,
++ [KEY_PREVIOUSSONG] = Q_KEY_CODE_AUDIOPREV,
++ [KEY_STOPCD] = Q_KEY_CODE_AUDIOSTOP,
++ [KEY_PLAYCD] = Q_KEY_CODE_AUDIOPLAY,
++ [KEY_MUTE] = Q_KEY_CODE_AUDIOMUTE,
++ [KEY_VOLUMEDOWN] = Q_KEY_CODE_VOLUMEDOWN,
++ [KEY_VOLUMEUP] = Q_KEY_CODE_VOLUMEUP,
+ };
+
+ static const int qcode_to_number[] = {
+@@ -252,6 +274,28 @@ static const int qcode_to_number[] = {
+ [Q_KEY_CODE_YEN] = 0x7d,
+ [Q_KEY_CODE_KP_COMMA] = 0x7e,
+
++ [Q_KEY_CODE_SLEEP] = 0xdf,
++ [Q_KEY_CODE_WAKE] = 0xe3,
++ [Q_KEY_CODE_CALCULATOR] = 0xa1,
++ [Q_KEY_CODE_MAIL] = 0xec,
++ [Q_KEY_CODE_COMPUTER] = 0xeb,
++
++ [Q_KEY_CODE_AC_STOP] = 0xe8,
++ [Q_KEY_CODE_AC_BOOKMARKS] = 0xe6,
++ [Q_KEY_CODE_AC_BACK] = 0xea,
++ [Q_KEY_CODE_AC_FORWARD] = 0xe9,
++ [Q_KEY_CODE_AC_HOME] = 0xb2,
++ [Q_KEY_CODE_AC_REFRESH] = 0xe7,
++ [Q_KEY_CODE_AC_SEARCH] = 0xe5,
++
++ [Q_KEY_CODE_AUDIONEXT] = 0x99,
++ [Q_KEY_CODE_AUDIOPREV] = 0x90,
++ [Q_KEY_CODE_AUDIOSTOP] = 0xa4,
++ [Q_KEY_CODE_AUDIOPLAY] = 0xa2,
++ [Q_KEY_CODE_AUDIOMUTE] = 0xa0,
++ [Q_KEY_CODE_VOLUMEDOWN] = 0xae,
++ [Q_KEY_CODE_VOLUMEUP] = 0xb0,
++
+ [Q_KEY_CODE__MAX] = 0,
+ };
+
diff --git a/0013-ps2-enable-multimedia-keys.patch b/0013-ps2-enable-multimedia-keys.patch
new file mode 100644
index 0000000..e368e1c
--- /dev/null
+++ b/0013-ps2-enable-multimedia-keys.patch
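Review bot: The new QKeyCode members and their `since 2.10` doc annotations in the qapi-schema.json hunk are being backported into a package whose spec pins `Version: 2.9.1`, so QMP introspection of this build will advertise enum values that no upstream 2.9.x release has, while the schema text tells API users they need 2.10. This should be recorded where package users will see it, for example in the spec comment that covers Patch0009–0015: `# NOTE: 0012 extends the QMP QKeyCode enum beyond upstream 2.9.1 (keys documented upstream as "since 2.10")`. The same versioning mismatch applies to the `altgr, altgr_r: dropped in 2.10` doc line added by the 0014-ui-drop-altgr-and-altgr_r-QKeyCodes.patch hunk further down.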
@@ -0,0 +1,49 @@
+From: Gerd Hoffmann
+Date: Wed, 26 Jul 2017 17:29:18 +0200
+Subject: [PATCH] ps2: enable multimedia keys
+
+Fixes: 8c10e0baf0260b59a4e984744462a18016662e3e
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Eric Blake
+Message-id: 20170726152918.11995-6-kraxel@redhat.com
+(cherry picked from commit 0500cb1d25e69108ae1a2474412bbd255bbc34b2)
+---
+ hw/input/ps2.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/hw/input/ps2.c b/hw/input/ps2.c
+index 1d3a440bbd..fbf2f8b171 100644
+--- a/hw/input/ps2.c
++++ b/hw/input/ps2.c
+@@ -224,7 +224,6 @@ static const uint16_t qcode_to_keycode_set1[Q_KEY_CODE__MAX] = {
+ [Q_KEY_CODE_DOT] = 0x34,
+ [Q_KEY_CODE_SLASH] = 0x35,
+
+-#if 0
+ [Q_KEY_CODE_POWER] = 0x0e5e,
+ [Q_KEY_CODE_SLEEP] = 0x0e5f,
+ [Q_KEY_CODE_WAKE] = 0x0e63,
+@@ -247,7 +246,6 @@ static const uint16_t qcode_to_keycode_set1[Q_KEY_CODE__MAX] = {
+ [Q_KEY_CODE_AC_STOP] = 0xe068,
+ [Q_KEY_CODE_AC_REFRESH] = 0xe067,
+ [Q_KEY_CODE_AC_BOOKMARKS] = 0xe066,
+-#endif
+
+ [Q_KEY_CODE_ASTERISK] = 0x37,
+ [Q_KEY_CODE_LESS] = 0x56,
+@@ -366,7 +364,6 @@ static const uint16_t qcode_to_keycode_set2[Q_KEY_CODE__MAX] = {
+ [Q_KEY_CODE_DOT] = 0x49,
+ [Q_KEY_CODE_SLASH] = 0x4a,
+
+-#if 0
+ [Q_KEY_CODE_POWER] = 0x0e37,
+ [Q_KEY_CODE_SLEEP] = 0x0e3f,
+ [Q_KEY_CODE_WAKE] = 0x0e5e,
+@@ -389,7 +386,6 @@ static const uint16_t qcode_to_keycode_set2[Q_KEY_CODE__MAX] = {
+ [Q_KEY_CODE_AC_STOP] = 0xe028,
+ [Q_KEY_CODE_AC_REFRESH] = 0xe020,
+ [Q_KEY_CODE_AC_BOOKMARKS] = 0xe018,
+-#endif
+
+ [Q_KEY_CODE_ALTGR] = 0x08,
+ [Q_KEY_CODE_ALTGR_R] = 0xe008,
diff --git a/0014-ui-drop-altgr-and-altgr_r-QKeyCodes.patch b/0014-ui-drop-altgr-and-altgr_r-QKeyCodes.patch
new file mode 100644
index 0000000..c25af13
--- /dev/null
+++ b/0014-ui-drop-altgr-and-altgr_r-QKeyCodes.patch
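Review bot: The POWER/SLEEP/WAKE entries that the `#if 0` removal now activates look byte-transposed: in `qcode_to_keycode_set1` they are `0x0e5e`, `0x0e5f`, `0x0e63`, while every other extended-prefix entry visible in the same hunk (`[Q_KEY_CODE_AC_STOP] = 0xe068`, `0xe067`, `0xe066`) carries the 0xe0 prefix in the high byte, and `qcode_to_keycode_set2` shows the same `0x0e37`/`0x0e3f`/`0x0e5e` pattern next to `0xe028`. If the emit path (outside this hunk) splits each uint16_t into a prefix byte and a code byte, these six keys would go to the guest with a 0x0e prefix instead of 0xe0, i.e. as a different key than the one pressed. Since this commit is what makes the entries live, the values should be corrected in the same change, using the neighbouring AC_* entries as the reference layout.
```c
static const uint16_t qcode_to_keycode_set1[Q_KEY_CODE__MAX] = {
    /* … unchanged: entries up to Q_KEY_CODE_SLASH … */
    [Q_KEY_CODE_POWER] = 0xe05e,
    [Q_KEY_CODE_SLEEP] = 0xe05f,
    [Q_KEY_CODE_WAKE] = 0xe063,
    /* … unchanged: remaining set1 entries … */

static const uint16_t qcode_to_keycode_set2[Q_KEY_CODE__MAX] = {
    /* … unchanged: entries up to Q_KEY_CODE_SLASH … */
    [Q_KEY_CODE_POWER] = 0xe037,
    [Q_KEY_CODE_SLEEP] = 0xe03f,
    [Q_KEY_CODE_WAKE] = 0xe05e,
    /* … unchanged: remaining set2 entries … */
```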
@@ -0,0 +1,89 @@
+From: Gerd Hoffmann
+Date: Thu, 27 Jul 2017 12:47:20 +0200
+Subject: [PATCH] ui: drop altgr and altgr_r QKeyCodes
+
+The right alt key (alt_r aka KEY_RIGHTALT) is used for AltGr.
+The altgr and altgr_r keys simply don't exist. Drop them.
+
+Signed-off-by: Gerd Hoffmann
+Reviewed-by: Eric Blake
+Message-id: 20170727104720.30061-1-kraxel@redhat.com
+(cherry picked from commit 912092b8e47f31c3db25e088af8460d9e752da29)
+---
+ hw/char/escc.c | 1 -
+ hw/input/adb.c | 1 -
+ hw/input/ps2.c | 2 --
+ qapi-schema.json | 3 ++-
+ ui/input-keymap.c | 2 --
+ 5 files changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/hw/char/escc.c b/hw/char/escc.c
+index 9228091cec..a7a54e55c2 100644
+--- a/hw/char/escc.c
++++ b/hw/char/escc.c
+@@ -721,7 +721,6 @@ static const uint8_t qcode_to_keycode[Q_KEY_CODE__MAX] = {
+ [Q_KEY_CODE_SHIFT_R] = 110,
+ [Q_KEY_CODE_ALT] = 19,
+ [Q_KEY_CODE_ALT_R] = 13,
+- [Q_KEY_CODE_ALTGR] = 13,
+ [Q_KEY_CODE_CTRL] = 76,
+ [Q_KEY_CODE_CTRL_R] = 76,
+ [Q_KEY_CODE_ESC] = 29,
+diff --git a/hw/input/adb.c b/hw/input/adb.c
+index 43d3205472..fcca3a8eb9 100644
+--- a/hw/input/adb.c
++++ b/hw/input/adb.c
+@@ -201,7 +201,6 @@ int qcode_to_adb_keycode[] = {
+ [Q_KEY_CODE_SHIFT_R] = ADB_KEY_RIGHT_SHIFT,
+ [Q_KEY_CODE_ALT] = ADB_KEY_LEFT_OPTION,
+ [Q_KEY_CODE_ALT_R] = ADB_KEY_RIGHT_OPTION,
+- [Q_KEY_CODE_ALTGR] = ADB_KEY_RIGHT_OPTION,
+ [Q_KEY_CODE_CTRL] = ADB_KEY_LEFT_CONTROL,
+ [Q_KEY_CODE_CTRL_R] = ADB_KEY_RIGHT_CONTROL,
+ [Q_KEY_CODE_META_L] = ADB_KEY_COMMAND,
+diff --git a/hw/input/ps2.c b/hw/input/ps2.c
+index fbf2f8b171..776d6abdd2 100644
+--- a/hw/input/ps2.c
++++ b/hw/input/ps2.c
+@@ -387,8 +387,6 @@ static const uint16_t qcode_to_keycode_set2[Q_KEY_CODE__MAX] = {
+ [Q_KEY_CODE_AC_REFRESH] = 0xe020,
+ [Q_KEY_CODE_AC_BOOKMARKS] = 0xe018,
+
+- [Q_KEY_CODE_ALTGR] = 0x08,
+- [Q_KEY_CODE_ALTGR_R] = 0xe008,
+ [Q_KEY_CODE_ASTERISK] = 0x7c,
+ [Q_KEY_CODE_LESS] = 0x61,
+ [Q_KEY_CODE_SYSRQ] = 0x7f,
+diff --git a/qapi-schema.json b/qapi-schema.json
+index b298b349cb..e93ae014eb 100644
+--- a/qapi-schema.json
++++ b/qapi-schema.json
+@@ -4750,13 +4750,14 @@
+ # @ac_stop: since 2.10
+ # @ac_refresh: since 2.10
+ # @ac_bookmarks: since 2.10
++# altgr, altgr_r: dropped in 2.10
+ #
+ # Since: 1.3.0
+ #
+ ##
+ { 'enum': 'QKeyCode',
+ 'data': [ 'unmapped',
+- 'shift', 'shift_r', 'alt', 'alt_r', 'altgr', 'altgr_r', 'ctrl',
++ 'shift', 'shift_r', 'alt', 'alt_r', 'ctrl',
+ 'ctrl_r', 'menu', 'esc', '1', '2', '3', '4', '5', '6', '7', '8',
+ '9', '0', 'minus', 'equal', 'backspace', 'tab', 'q', 'w', 'e',
+ 'r', 't', 'y', 'u', 'i', 'o', 'p', 'bracket_left', 'bracket_right',
+diff --git a/ui/input-keymap.c b/ui/input-keymap.c
+index ae781beae9..f96adf4165 100644
+--- a/ui/input-keymap.c
++++ b/ui/input-keymap.c
+@@ -146,8 +146,6 @@ static const int qcode_to_number[] = {
+
+ [Q_KEY_CODE_ALT] = 0x38,
+ [Q_KEY_CODE_ALT_R] = 0xb8,
+- [Q_KEY_CODE_ALTGR] = 0x64,
+- [Q_KEY_CODE_ALTGR_R] = 0xe4,
+ [Q_KEY_CODE_CTRL] = 0x1d,
+ [Q_KEY_CODE_CTRL_R] = 0x9d,
+
diff --git a/0015-ps2-fix-sending-of-PAUSE-BREAK-scancodes.patch b/0015-ps2-fix-sending-of-PAUSE-BREAK-scancodes.patch
new file mode 100644
index 0000000..22a8014
--- /dev/null
+++ b/0015-ps2-fix-sending-of-PAUSE-BREAK-scancodes.patch
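Review bot: Removing `altgr` and `altgr_r` from the QKeyCode enum in qapi-schema.json is a QMP-visible, backwards-incompatible change shipped as a 2.9.1 package update (`Version: 2.9.1` in qemu.spec): a client still issuing `send-key` with those names now gets an error instead of the previous behaviour, and the new doc line `altgr, altgr_r: dropped in 2.10` is not true of this build. The tables touched in escc.c, adb.c, ps2.c and input-keymap.c use designated initializers, so they are unaffected, but QAPI emits enum constants in declaration order, so every `Q_KEY_CODE_*` after `alt_r` changes numeric value; any code in this tree that stores or compares raw QKeyCode integers (not visible here) should be checked before this is backported. The package changelog should also name the removed enum values rather than folding this patch under `Fix sending multimedia keys through spice`.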
@@ -0,0 +1,105 @@
+From: "Daniel P. Berrange"
+Date: Thu, 27 Jul 2017 12:32:43 +0100
+Subject: [PATCH] ps2: fix sending of PAUSE/BREAK scancodes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The processing of the scancodes for PAUSE/BREAK has been broken since
+the conversion to qcodes in:
+
+ commit 8c10e0baf0260b59a4e984744462a18016662e3e
+ Author: Hervé Poussineau
+ Date: Thu Sep 15 22:06:26 2016 +0200
+
+ ps2: use QEMU qcodes instead of scancodes
+
+When using a VNC client, with the raw scancode extension, the client
+will send a scancode of 0xc6 for both PAUSE and BREAK. There is mistakenly
+no entry in the qcode_to_number table for this scancode, so
+ps2_keyboard_event() just generates a log message and discards the
+scancode
+
+When using a SPICE client, it will also send 0xc6 for BREAK, but
+will send 0xe1 0x1d 0x45 0xe1 0x9d 0xc5 for PAUSE. There is no
+entry in the qcode_to_number table for the scancode 0xe1 because
+it is a special XT keyboard prefix not mapping to any QKeyCode.
+Again ps2_keyboard_event() just generates a log message and discards
+the scancode. The following 0x1d, 0x45, 0x9d, 0xc5 scancodes get
+handled correctly. Rather than trying to handle 3 byte sequences
+of scancodes in the PS/2 driver, special case the SPICE input
+code so that it captures the 3 byte pause sequence and turns it
+into a Pause QKeyCode.
+
+Signed-off-by: Daniel P. Berrange
+Message-id: 20170727113243.23991-1-berrange@redhat.com
+Signed-off-by: Gerd Hoffmann
+(cherry picked from commit 7c388dbd0b2c54b3d836c23ea43e2cee38de66a4)
+---
+ ui/input-keymap.c | 1 +
+ ui/keymaps.h | 1 +
+ ui/spice-input.c | 20 ++++++++++++++++++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/ui/input-keymap.c b/ui/input-keymap.c
+index f96adf4165..0d9ddde9c9 100644
+--- a/ui/input-keymap.c
++++ b/ui/input-keymap.c
+@@ -233,6 +233,7 @@ static const int qcode_to_number[] = {
+ [Q_KEY_CODE_KP_ENTER] = 0x9c,
+ [Q_KEY_CODE_KP_DECIMAL] = 0x53,
+ [Q_KEY_CODE_SYSRQ] = 0x54,
++ [Q_KEY_CODE_PAUSE] = 0xc6,
+
+ [Q_KEY_CODE_KP_0] = 0x52,
+ [Q_KEY_CODE_KP_1] = 0x4f,
+diff --git a/ui/keymaps.h b/ui/keymaps.h
+index 47d061343e..8757465529 100644
+--- a/ui/keymaps.h
++++ b/ui/keymaps.h
+@@ -59,6 +59,7 @@ typedef struct {
+ /* "grey" keys will usually need a 0xe0 prefix */
+ #define SCANCODE_GREY 0x80
+ #define SCANCODE_EMUL0 0xE0
++#define SCANCODE_EMUL1 0xE1
+ /* "up" flag */
+ #define SCANCODE_UP 0x80
+
+diff --git a/ui/spice-input.c b/ui/spice-input.c
+index 8eeebdbb2e..4ea8fc61ed 100644
+--- a/ui/spice-input.c
++++ b/ui/spice-input.c
+@@ -32,6 +32,7 @@ typedef struct QemuSpiceKbd {
+ SpiceKbdInstance sin;
+ int ledstate;
+ bool emul0;
++ size_t pauseseq;
+ } QemuSpiceKbd;
+
+ static void kbd_push_key(SpiceKbdInstance *sin, uint8_t frag);
+@@ -64,6 +65,25 @@ static void kbd_push_key(SpiceKbdInstance *sin, uint8_t scancode)
+ keycode |= SCANCODE_GREY;
+ }
+
++ if (scancode == SCANCODE_EMUL1) {
++ kbd->pauseseq++;
++ return;
++ } else if (kbd->pauseseq == 1) {
++ if (keycode == 0x1d) {
++ kbd->pauseseq++;
++ return;
++ } else {
++ kbd->pauseseq = 0;
++ }
++ } else if (kbd->pauseseq == 2) {
++ if (keycode == 0x45) {
++ qemu_input_event_send_key_qcode(NULL, Q_KEY_CODE_PAUSE, !up);
++ kbd->pauseseq = 0;
++ return;
++ }
++ kbd->pauseseq = 0;
++ }
++
+ qemu_input_event_send_key_number(NULL, keycode, !up);
+ }
+
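Review bot: In the new block in `kbd_push_key` (ui/spice-input.c) the `scancode == SCANCODE_EMUL1` branch increments `kbd->pauseseq` unconditionally, so a second 0xe1 arriving before the sequence completes (for example 0xe1 0x1d 0xe1) leaves `pauseseq` at 3, a value that neither the `== 1` nor the `== 2` branch ever resets; from then on every pause sequence from that client falls through to `qemu_input_event_send_key_number()` as ordinary key events and Pause is never delivered again for the lifetime of the connection. Because the scancode stream is supplied by the remote SPICE client, the state machine should recover from any out-of-order input: change `kbd->pauseseq++;` in that first branch to `kbd->pauseseq = 1;` so a stray prefix restarts the sequence instead of overshooting. This reasoning assumes `keycode` has already had the SCANCODE_UP bit stripped earlier in the function (outside the hunk), which is what lets the 0x9d/0xc5 release half match `0x1d`/`0x45`; the rest of `kbd_push_key` begins above the hunk.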
diff --git a/qemu.binfmt b/qemu.binfmt
index ba5b1ec..36b380f 100644
--- a/qemu.binfmt
+++ b/qemu.binfmt
@@ -13,7 +13,7 @@
 :qemu-mipsel:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-mipsel:
 :qemu-mips:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x08:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-mips:
 :qemu-ppc64abi32:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64abi32:
-:qemu-ppc64le:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64le:
+:qemu-ppc64le:M::\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15\x00:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfe\xff\xff\xff:/usr/bin/qemu-ppc64le:
 :qemu-ppc64:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x15:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc64:
 :qemu-ppc:M::\x7fELF\x01\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x14:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-ppc:
 :qemu-s390x:M::\x7fELF\x02\x02\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x16:\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe\xff\xff:/usr/bin/qemu-s390x:
diff --git a/qemu.spec b/qemu.spec
index 9a971c4..c6b9497 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -92,7 +92,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
 Version: 2.9.1
-Release: 1%{?rcrel}%{?dist}
+Release: 2%{?rcrel}%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
@@ -129,6 +129,33 @@ Source22: 95-kvm-ppc64-memlock.conf
 # CVE-2017-9503: megasas: null pointer dereference while processing megasas
 # command (bz #1459478)
 Patch0001: 0001-megasas-always-store-SCSIRequest-into-MegasasCmd.patch
+# Fix usb3 drive issues with windows guests (bz #1493196)
+Patch0002: 0002-xhci-relax-link-check.patch
+# CVE-2017-15038: 9p: information disclosure when reading extended
+# attributes (bz #1499111)
+Patch0003: 0003-9pfs-use-g_malloc0-to-allocate-space-for-xattr.patch
+# CVE-2017-15268: potential memory exhaustion via websock connection to VNC
+# (bz #1496882)
+Patch0004: 0004-io-monitor-encoutput-buffer-size-from-websocket-GSou.patch
+# CVE-2017-14167: multiboot OOB access while loading kernel image (bz
+# #1489376)
+Patch0005: 0005-multiboot-validate-multiboot-header-address-values.patch
+# CVE-2017-13672: vga: OOB read access during display update (bz #1486561)
+Patch0006: 0006-vga-stop-passing-pointers-to-vga_draw_line-functions.patch
+# CVE-2017-12809: flushing of empty CDROM drives leads to NULL deref (bz
+# #1483536)
+Patch0007: 0007-IDE-Do-not-flush-empty-CDROM-drives.patch
+# CVE-2017-11434 slirp: out-of-bounds read while parsing dhcp options (bz
+# #1472612)
+Patch0008: 0008-slirp-check-len-against-dhcp-options-array-end.patch
+# Fix sending multimedia keys through spice (bz #1471758)
+Patch0009: 0009-ui-add-next-and-prior-keysyms.patch
+Patch0010: 0010-ui-move-qemu_input_linux_to_qcode.patch
+Patch0011: 0011-ui-update-keymaps.patch
+Patch0012: 0012-ui-add-multimedia-keys.patch
+Patch0013: 0013-ps2-enable-multimedia-keys.patch
+Patch0014: 0014-ui-drop-altgr-and-altgr_r-QKeyCodes.patch
+Patch0015: 0015-ps2-fix-sending-of-PAUSE-BREAK-scancodes.patch
 # documentation deps
 BuildRequires: texinfo
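Review bot: The single comment `# Fix sending multimedia keys through spice (bz #1471758)` covers Patch0009 through Patch0015, but Patch0014 removes the `altgr`/`altgr_r` values from the QMP QKeyCode enum, an interface change that users of this package can observe; the patch list should say so, e.g. `# NOTE: 0014 drops the altgr/altgr_r QKeyCode values from QMP send-key` above `Patch0014:`. Separately, the comment for Patch0008 reads `# CVE-2017-11434 slirp:` while every other CVE comment in this hunk writes the identifier as `CVE-XXXX-NNNNN:` with a colon; the same inconsistency is repeated in the `%changelog` hunk below and both places should use the same form.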
@@ -2007,6 +2034,22 @@ getent passwd qemu >/dev/null || \
 %changelog
+* Thu Oct 19 2017 Cole Robinson - 2:2.9.1-2
+- Fix usb3 drive issues with windows guests (bz #1493196)
+- CVE-2017-15038: 9p: information disclosure when reading extended
+ attributes (bz #1499111)
+- CVE-2017-15268: potential memory exhaustion via websock connection to VNC
+ (bz #1496882)
+- CVE-2017-14167: multiboot OOB access while loading kernel image (bz
+ #1489376)
+- CVE-2017-13672: vga: OOB read access during display update (bz #1486561)
+- CVE-2017-12809: flushing of empty CDROM drives leads to NULL deref (bz
+ #1483536)
+- CVE-2017-11434 slirp: out-of-bounds read while parsing dhcp options (bz
+ #1472612)
+- Fix sending multimedia keys through spice (bz #1471758)
+- Another ppc64le binfmt fix (bz #1500526)
+
 * Fri Sep 08 2017 Cole Robinson - 2:2.9.1-1
 - Rebase to 2.9.1 stable release