Update to qemu 2.7.1

This commit is contained in:
Cole Robinson 2017-01-09 09:27:44 -05:00
parent 6438461c91
commit 633dc2ad9f
19 changed files with 20 additions and 376 deletions

View File

@ -25,7 +25,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 4245c15..babac5a 100644
index 4d94b36..a5ce7de 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -40,6 +40,8 @@
@ -37,7 +37,7 @@ index 4245c15..babac5a 100644
#define PVSCSI_MAX_CMD_DATA_WORDS \
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
@@ -631,17 +633,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
static void
pvscsi_convert_sglist(PVSCSIRequest *r)
{

View File

@ -1,82 +0,0 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 31 Aug 2016 12:19:29 +0530
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
rings
Vmware Paravirtual SCSI emulation uses command descriptors to
process SCSI commands. These descriptors come with their ring
buffers. A guest could set the page count for these rings to
an arbitrary value, leading to infinite loop or OOB access.
Add check to avoid it.
Reported-by: Tom Victor <vv474172261@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
---
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index 5116f4a..4245c15 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
return log;
}
-static int
+static void
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
{
int i;
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
uint32_t req_ring_size, cmp_ring_size;
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
- return -1;
- }
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
/* Flush ring state page changes */
smp_wmb();
-
- return 0;
}
static int
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
for (i = 0; i < rc->cmpRingNumPages; i++) {
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
}
}
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
- pvscsi_dbg_dump_tx_rings_config(rc);
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
+ if (!rc->reqRingNumPages
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
+ || !rc->cmpRingNumPages
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
return PVSCSI_COMMAND_PROCESSING_FAILED;
}
+ pvscsi_dbg_dump_tx_rings_config(rc);
+ pvscsi_ring_init_data(&s->rings, rc);
+
s->rings_info_valid = TRUE;
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
}

View File

@ -1,35 +0,0 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 14 Sep 2016 15:09:12 +0530
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
Vmware Paravirtual SCSI emulator while processing IO requests
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
always returned positive value. Limit IO loop to the ring size.
Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
---
hw/scsi/vmw_pvscsi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
index babac5a..a5ce7de 100644
--- a/hw/scsi/vmw_pvscsi.c
+++ b/hw/scsi/vmw_pvscsi.c
@@ -247,8 +247,11 @@ static hwaddr
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
{
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
- if (ready_ptr != mgr->consumed_ptr) {
+ if (ready_ptr != mgr->consumed_ptr
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
uint32_t next_ready_ptr =
mgr->consumed_ptr++ & mgr->txr_len_mask;
uint32_t next_ready_page =

View File

@ -18,7 +18,7 @@ Reviewed-by: Laszlo Ersek <lersek@redhat.com>
1 file changed, 5 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 74c085c..eabe573 100644
index f31140a..58edd99 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove

View File

@ -1,33 +0,0 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 31 Aug 2016 17:36:07 +0530
Subject: [PATCH] scsi: mptconfig: fix an assert expression
When LSI SAS1068 Host Bus emulator builds configuration page
headers, mptsas_config_pack() should assert that the size
fits in a byte. However, the size is expressed in 32-bit
units, so up to 1020 bytes fit. The assertion was only
allowing replies up to 252 bytes, so fix it.
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
---
hw/scsi/mptconfig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 7071854..3e4f400 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
va_end(ap);
if (data) {
- assert(ret < 256 && (ret % 4) == 0);
+ assert(ret / 4 < 256 && (ret % 4) == 0);
stb_p(*data + 1, ret / 4);
}
return ret;

View File

@ -1,37 +0,0 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 29 Aug 2016 11:35:37 +0200
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
These issues cause respectively a QEMU crash and a leak of 2 bytes of
stack. They were discovered by VictorV of 360 Marvel Team.
Reported-by: Tom Victor <i-tangtianwen@360.cm>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
---
hw/scsi/mptconfig.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
index 3e4f400..87a416a 100644
--- a/hw/scsi/mptconfig.c
+++ b/hw/scsi/mptconfig.c
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
{
/* VPD - all zeros */
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
- "s256");
+ "*s256");
}
static
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
"*l*lwwb*b*b*blww",
pcic->vendor_id, pcic->device_id, pcic->revision,
- pcic->subsystem_vendor_id,
+ pcic->class_id, pcic->subsystem_vendor_id,
pcic->subsystem_id);
}

View File

@ -1,32 +0,0 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Mon, 12 Sep 2016 18:14:11 +0530
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
When processing IO request in mptsas, it uses g_new to allocate
a 'req' object. If an error occurs before 'req->sreq' is
allocated, It could lead to an OOB write in mptsas_free_request
function. Use g_new0 to avoid it.
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
---
hw/scsi/mptsas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
index 0e0a22f..eaae1bb 100644
--- a/hw/scsi/mptsas.c
+++ b/hw/scsi/mptsas.c
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
goto bad;
}
- req = g_new(MPTSASRequest, 1);
+ req = g_new0(MPTSASRequest, 1);
QTAILQ_INSERT_TAIL(&s->pending, req, next);
req->scsi_io = *scsi_io;
req->dev = s;

View File

@ -27,7 +27,7 @@ index 42ca0fe..b3b5005 100644
#include "ui/egl-helpers.h"
#include "ui/egl-context.h"
diff --git a/ui/gtk.c b/ui/gtk.c
index 58d20ee..e8cf785 100644
index 21ae4cb..c641e49 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -90,6 +90,9 @@

View File

@ -1,54 +0,0 @@
From: Thomas Huth <thuth@redhat.com>
Date: Wed, 21 Sep 2016 11:42:15 +0200
Subject: [PATCH] ppc/kvm: Mark 64kB page size support as disabled if not
available
QEMU currently refuses to start with KVM-PR and only prints out
qemu: fatal: Unknown MMU model 851972
when being started there. This is because commit 4322e8ced5aaac719
("ppc: Fix 64K pages support in full emulation") introduced a new
POWERPC_MMU_64K bit to indicate support for this page size, but
it never gets cleared on KVM-PR if the host kernel does not support
this. Thus we've got to turn off this bit in the mmu_model for KVM-PR.
Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 0d594f5565837fe2886a8aa307ef8abb65eab8f7)
---
target-ppc/kvm.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
index dcb68b9..6bdc804 100644
--- a/target-ppc/kvm.c
+++ b/target-ppc/kvm.c
@@ -427,6 +427,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
CPUPPCState *env = &cpu->env;
long rampagesize;
int iq, ik, jq, jk;
+ bool has_64k_pages = false;
/* We only handle page sizes for 64-bit server guests for now */
if (!(env->mmu_model & POWERPC_MMU_64)) {
@@ -470,6 +471,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
ksps->enc[jk].page_shift)) {
continue;
}
+ if (ksps->enc[jk].page_shift == 16) {
+ has_64k_pages = true;
+ }
qsps->enc[jq].page_shift = ksps->enc[jk].page_shift;
qsps->enc[jq].pte_enc = ksps->enc[jk].pte_enc;
if (++jq >= PPC_PAGE_SIZES_MAX_SZ) {
@@ -484,6 +488,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
if (!(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) {
env->mmu_model &= ~POWERPC_MMU_1TSEG;
}
+ if (!has_64k_pages) {
+ env->mmu_model &= ~POWERPC_MMU_64K;
+ }
}
#else /* defined (TARGET_PPC64) */

View File

@ -1,72 +0,0 @@
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Fri, 4 Nov 2016 15:46:33 +0000
Subject: [PATCH] net: fix sending of data with -net socket, listen backend
The use of -net socket,listen was broken in the following
commit
commit 16a3df403b10c4ac347159e39005fd520b2648bb
Author: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
Date: Fri May 13 15:35:19 2016 +0800
net/net: Add SocketReadState for reuse codes
This function is from net/socket.c, move it to net.c and net.h.
Add SocketReadState to make others reuse net_fill_rstate().
suggestion from jason.
This refactored the state out of NetSocketState into a
separate SocketReadState. This refactoring requires
that a callback is provided to be triggered upon
completion of a packet receive from the guest.
The patch only registered this callback in the codepaths
hit by -net socket,connect, not -net socket,listen. So
as a result packets sent by the guest in the latter case
get dropped on the floor.
This bug is hidden because net_fill_rstate() silently
does nothing if the callback is not set.
This patch adds in the middle callback registration
and also adds an assert so that QEMU aborts if there
are any other codepaths hit which are missing the
callback.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Reviewed-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
(cherry picked from commit e79cd4068063ea2859199002a049010a11202939)
---
net/net.c | 5 ++---
net/socket.c | 1 +
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/net.c b/net/net.c
index d51cb29..19b4d9e 100644
--- a/net/net.c
+++ b/net/net.c
@@ -1648,9 +1648,8 @@ int net_fill_rstate(SocketReadState *rs, const uint8_t *buf, int size)
if (rs->index >= rs->packet_len) {
rs->index = 0;
rs->state = 0;
- if (rs->finalize) {
- rs->finalize(rs);
- }
+ assert(rs->finalize);
+ rs->finalize(rs);
}
break;
}
diff --git a/net/socket.c b/net/socket.c
index 3f98eef..dcae1ae 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -522,6 +522,7 @@ static int net_socket_listen_init(NetClientState *peer,
s->fd = -1;
s->listen_fd = fd;
s->nc.link_down = true;
+ net_socket_rs_init(&s->rs, net_socket_rs_finalize);
qemu_set_fd_handler(s->listen_fd, net_socket_accept, NULL, s);
return 0;

View File

@ -67,8 +67,8 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.7.0
Release: 8%{?rcrel}%{?dist}
Version: 2.7.1
Release: 1%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -102,42 +102,28 @@ Source21: 50-kvm-s390x.conf
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
Source22: 95-kvm-ppc64-memlock.conf
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
# #1373480)
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
Patch0001: 0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
Patch0002: 0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
Patch0003: 0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
Patch0004: 0004-virtio-add-check-for-descriptor-s-mapped-address.patch
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
Patch0005: 0005-net-mcf-limit-buffer-descriptor-count.patch
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
Patch0006: 0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
Patch0007: 0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
# Fix interrupt endpoints not working with network/spice USB redirection on
# guest with an emulated xhci controller (bz #1382331)
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
# Fix nested PPC 'Unknown MMU model' error (bz #1374749)
Patch0014: 0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch
Patch0008: 0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
# Fix flickering display with boxes + wayland VM (bz #1266484)
Patch0015: 0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
# Fix sending of data with -net socket (bz #1391497)
Patch0016: 0016-net-fix-sending-of-data-with-net-socket-listen-backe.patch
Patch0009: 0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
# Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
# Posted but not yet applied upstream
Patch0017: 0017-ui-use-evdev-keymap-when-running-under-wayland.patch
Patch0010: 0010-ui-use-evdev-keymap-when-running-under-wayland.patch
# documentation deps
BuildRequires: texi2html
@ -1609,6 +1595,9 @@ getent passwd qemu >/dev/null || \
%changelog
* Mon Jan 09 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-1
- Update to qemu 2.7.1
* Mon Dec 12 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-8
- Fix sending of data with -net socket (bz #1391497)
- Fix keyboard issues with -ui gtk + host wayland (bz #1401211)

View File

@ -1 +1 @@
08d4d06d1cb598efecd796137f4844ab qemu-2.7.0.tar.bz2
SHA512 (qemu-2.7.1.tar.bz2) = 16a83946e9064733254c82c961749bf9c56a0a2a8ee46145b4a78e1452ac0e2548d888963d18c80e28f65202890fd643b0011951b5b1c66ef16234767ed91898