Update to qemu 2.7.1
This commit is contained in:
Cole Robinson
parent
6438461c91
commit
633dc2ad9f
|
|
@ -25,7 +25,7 @@ Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
|||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 4245c15..babac5a 100644
|
||||
index 4d94b36..a5ce7de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
|
|
@ -37,7 +37,7 @@ index 4245c15..babac5a 100644
|
|||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -628,17 +630,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
@@ -631,17 +633,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
|
|
@ -1,82 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 12:19:29 +0530
|
||||
Subject: [PATCH] vmw_pvscsi: check page count while initialising descriptor
|
||||
rings
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the page count for these rings to
|
||||
an arbitrary value, leading to infinite loop or OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Tom Victor <vv474172261@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472626169-12989-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7f61f4690dd153be98900a2a508b88989e692753)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 19 +++++++++----------
|
||||
1 file changed, 9 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index 5116f4a..4245c15 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -152,7 +152,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static int
|
||||
+static void
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -160,10 +160,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
- if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
- || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
- return -1;
|
||||
- }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -195,8 +191,6 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
-
|
||||
- return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
@@ -746,7 +740,7 @@ pvscsi_dbg_dump_tx_rings_config(PVSCSICmdDescSetupRings *rc)
|
||||
|
||||
trace_pvscsi_tx_rings_num_pages("Confirm Ring", rc->cmpRingNumPages);
|
||||
for (i = 0; i < rc->cmpRingNumPages; i++) {
|
||||
- trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->reqRingPPNs[i]);
|
||||
+ trace_pvscsi_tx_rings_ppn("Confirm Ring", rc->cmpRingPPNs[i]);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -779,11 +773,16 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
- pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
+ if (!rc->reqRingNumPages
|
||||
+ || rc->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES
|
||||
+ || !rc->cmpRingNumPages
|
||||
+ || rc->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES) {
|
||||
return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
}
|
||||
|
||||
+ pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
+ pvscsi_ring_init_data(&s->rings, rc);
|
||||
+
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
}
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Sep 2016 15:09:12 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit process IO loop to ring size
|
||||
|
||||
Vmware Paravirtual SCSI emulator while processing IO requests
|
||||
could run into an infinite loop if 'pvscsi_ring_pop_req_descr'
|
||||
always returned positive value. Limit IO loop to the ring size.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473845952-30785-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d251157ac1928191af851d199a9ff255d330bec9)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index babac5a..a5ce7de 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -247,8 +247,11 @@ static hwaddr
|
||||
pvscsi_ring_pop_req_descr(PVSCSIRingInfo *mgr)
|
||||
{
|
||||
uint32_t ready_ptr = RS_GET_FIELD(mgr, reqProdIdx);
|
||||
+ uint32_t ring_size = PVSCSI_MAX_NUM_PAGES_REQ_RING
|
||||
+ * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
|
||||
- if (ready_ptr != mgr->consumed_ptr) {
|
||||
+ if (ready_ptr != mgr->consumed_ptr
|
||||
+ && ready_ptr - mgr->consumed_ptr < ring_size) {
|
||||
uint32_t next_ready_ptr =
|
||||
mgr->consumed_ptr++ & mgr->txr_len_mask;
|
||||
uint32_t next_ready_page =
|
||||
|
|
@ -18,7 +18,7 @@ Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
|||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 74c085c..eabe573 100644
|
||||
index f31140a..58edd99 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -473,6 +473,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 31 Aug 2016 17:36:07 +0530
|
||||
Subject: [PATCH] scsi: mptconfig: fix an assert expression
|
||||
|
||||
When LSI SAS1068 Host Bus emulator builds configuration page
|
||||
headers, mptsas_config_pack() should assert that the size
|
||||
fits in a byte. However, the size is expressed in 32-bit
|
||||
units, so up to 1020 bytes fit. The assertion was only
|
||||
allowing replies up to 252 bytes, so fix it.
|
||||
|
||||
Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1472645167-30765-2-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit cf2bce203a45d7437029d108357fb23fea0967b6)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 7071854..3e4f400 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -158,7 +158,7 @@ static size_t mptsas_config_pack(uint8_t **data, const char *fmt, ...)
|
||||
va_end(ap);
|
||||
|
||||
if (data) {
|
||||
- assert(ret < 256 && (ret % 4) == 0);
|
||||
+ assert(ret / 4 < 256 && (ret % 4) == 0);
|
||||
stb_p(*data + 1, ret / 4);
|
||||
}
|
||||
return ret;
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 29 Aug 2016 11:35:37 +0200
|
||||
Subject: [PATCH] scsi: mptconfig: fix misuse of MPTSAS_CONFIG_PACK
|
||||
|
||||
These issues cause respectively a QEMU crash and a leak of 2 bytes of
|
||||
stack. They were discovered by VictorV of 360 Marvel Team.
|
||||
|
||||
Reported-by: Tom Victor <i-tangtianwen@360.cm>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 65a8e1f6413a0f6f79894da710b5d6d43361d27d)
|
||||
---
|
||||
hw/scsi/mptconfig.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/mptconfig.c b/hw/scsi/mptconfig.c
|
||||
index 3e4f400..87a416a 100644
|
||||
--- a/hw/scsi/mptconfig.c
|
||||
+++ b/hw/scsi/mptconfig.c
|
||||
@@ -203,7 +203,7 @@ size_t mptsas_config_manufacturing_1(MPTSASState *s, uint8_t **data, int address
|
||||
{
|
||||
/* VPD - all zeros */
|
||||
return MPTSAS_CONFIG_PACK(1, MPI_CONFIG_PAGETYPE_MANUFACTURING, 0x00,
|
||||
- "s256");
|
||||
+ "*s256");
|
||||
}
|
||||
|
||||
static
|
||||
@@ -328,7 +328,7 @@ size_t mptsas_config_ioc_0(MPTSASState *s, uint8_t **data, int address)
|
||||
return MPTSAS_CONFIG_PACK(0, MPI_CONFIG_PAGETYPE_IOC, 0x01,
|
||||
"*l*lwwb*b*b*blww",
|
||||
pcic->vendor_id, pcic->device_id, pcic->revision,
|
||||
- pcic->subsystem_vendor_id,
|
||||
+ pcic->class_id, pcic->subsystem_vendor_id,
|
||||
pcic->subsystem_id);
|
||||
}
|
||||
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 12 Sep 2016 18:14:11 +0530
|
||||
Subject: [PATCH] scsi: mptsas: use g_new0 to allocate MPTSASRequest object
|
||||
|
||||
When processing IO request in mptsas, it uses g_new to allocate
|
||||
a 'req' object. If an error occurs before 'req->sreq' is
|
||||
allocated, It could lead to an OOB write in mptsas_free_request
|
||||
function. Use g_new0 to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473684251-17476-1-git-send-email-ppandit@redhat.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 670e56d3ed2918b3861d9216f2c0540d9e9ae0d5)
|
||||
---
|
||||
hw/scsi/mptsas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 0e0a22f..eaae1bb 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -304,7 +304,7 @@ static int mptsas_process_scsi_io_request(MPTSASState *s,
|
||||
goto bad;
|
||||
}
|
||||
|
||||
- req = g_new(MPTSASRequest, 1);
|
||||
+ req = g_new0(MPTSASRequest, 1);
|
||||
QTAILQ_INSERT_TAIL(&s->pending, req, next);
|
||||
req->scsi_io = *scsi_io;
|
||||
req->dev = s;
|
||||
|
|
@ -27,7 +27,7 @@ index 42ca0fe..b3b5005 100644
|
|||
#include "ui/egl-helpers.h"
|
||||
#include "ui/egl-context.h"
|
||||
diff --git a/ui/gtk.c b/ui/gtk.c
|
||||
index 58d20ee..e8cf785 100644
|
||||
index 21ae4cb..c641e49 100644
|
||||
--- a/ui/gtk.c
|
||||
+++ b/ui/gtk.c
|
||||
@@ -90,6 +90,9 @@
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
From: Thomas Huth <thuth@redhat.com>
|
||||
Date: Wed, 21 Sep 2016 11:42:15 +0200
|
||||
Subject: [PATCH] ppc/kvm: Mark 64kB page size support as disabled if not
|
||||
available
|
||||
|
||||
QEMU currently refuses to start with KVM-PR and only prints out
|
||||
|
||||
qemu: fatal: Unknown MMU model 851972
|
||||
|
||||
when being started there. This is because commit 4322e8ced5aaac719
|
||||
("ppc: Fix 64K pages support in full emulation") introduced a new
|
||||
POWERPC_MMU_64K bit to indicate support for this page size, but
|
||||
it never gets cleared on KVM-PR if the host kernel does not support
|
||||
this. Thus we've got to turn off this bit in the mmu_model for KVM-PR.
|
||||
|
||||
Signed-off-by: Thomas Huth <thuth@redhat.com>
|
||||
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
|
||||
(cherry picked from commit 0d594f5565837fe2886a8aa307ef8abb65eab8f7)
|
||||
---
|
||||
target-ppc/kvm.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/target-ppc/kvm.c b/target-ppc/kvm.c
|
||||
index dcb68b9..6bdc804 100644
|
||||
--- a/target-ppc/kvm.c
|
||||
+++ b/target-ppc/kvm.c
|
||||
@@ -427,6 +427,7 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
CPUPPCState *env = &cpu->env;
|
||||
long rampagesize;
|
||||
int iq, ik, jq, jk;
|
||||
+ bool has_64k_pages = false;
|
||||
|
||||
/* We only handle page sizes for 64-bit server guests for now */
|
||||
if (!(env->mmu_model & POWERPC_MMU_64)) {
|
||||
@@ -470,6 +471,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
ksps->enc[jk].page_shift)) {
|
||||
continue;
|
||||
}
|
||||
+ if (ksps->enc[jk].page_shift == 16) {
|
||||
+ has_64k_pages = true;
|
||||
+ }
|
||||
qsps->enc[jq].page_shift = ksps->enc[jk].page_shift;
|
||||
qsps->enc[jq].pte_enc = ksps->enc[jk].pte_enc;
|
||||
if (++jq >= PPC_PAGE_SIZES_MAX_SZ) {
|
||||
@@ -484,6 +488,9 @@ static void kvm_fixup_page_sizes(PowerPCCPU *cpu)
|
||||
if (!(smmu_info.flags & KVM_PPC_1T_SEGMENTS)) {
|
||||
env->mmu_model &= ~POWERPC_MMU_1TSEG;
|
||||
}
|
||||
+ if (!has_64k_pages) {
|
||||
+ env->mmu_model &= ~POWERPC_MMU_64K;
|
||||
+ }
|
||||
}
|
||||
#else /* defined (TARGET_PPC64) */
|
||||
|
||||
|
|
@ -1,72 +0,0 @@
|
|||
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||
Date: Fri, 4 Nov 2016 15:46:33 +0000
|
||||
Subject: [PATCH] net: fix sending of data with -net socket, listen backend
|
||||
|
||||
The use of -net socket,listen was broken in the following
|
||||
commit
|
||||
|
||||
commit 16a3df403b10c4ac347159e39005fd520b2648bb
|
||||
Author: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
|
||||
Date: Fri May 13 15:35:19 2016 +0800
|
||||
|
||||
net/net: Add SocketReadState for reuse codes
|
||||
|
||||
This function is from net/socket.c, move it to net.c and net.h.
|
||||
Add SocketReadState to make others reuse net_fill_rstate().
|
||||
suggestion from jason.
|
||||
|
||||
This refactored the state out of NetSocketState into a
|
||||
separate SocketReadState. This refactoring requires
|
||||
that a callback is provided to be triggered upon
|
||||
completion of a packet receive from the guest.
|
||||
|
||||
The patch only registered this callback in the codepaths
|
||||
hit by -net socket,connect, not -net socket,listen. So
|
||||
as a result packets sent by the guest in the latter case
|
||||
get dropped on the floor.
|
||||
|
||||
This bug is hidden because net_fill_rstate() silently
|
||||
does nothing if the callback is not set.
|
||||
|
||||
This patch adds in the middle callback registration
|
||||
and also adds an assert so that QEMU aborts if there
|
||||
are any other codepaths hit which are missing the
|
||||
callback.
|
||||
|
||||
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||
Reviewed-by: Zhang Chen <zhangchen.fnst@cn.fujitsu.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit e79cd4068063ea2859199002a049010a11202939)
|
||||
---
|
||||
net/net.c | 5 ++---
|
||||
net/socket.c | 1 +
|
||||
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/net/net.c b/net/net.c
|
||||
index d51cb29..19b4d9e 100644
|
||||
--- a/net/net.c
|
||||
+++ b/net/net.c
|
||||
@@ -1648,9 +1648,8 @@ int net_fill_rstate(SocketReadState *rs, const uint8_t *buf, int size)
|
||||
if (rs->index >= rs->packet_len) {
|
||||
rs->index = 0;
|
||||
rs->state = 0;
|
||||
- if (rs->finalize) {
|
||||
- rs->finalize(rs);
|
||||
- }
|
||||
+ assert(rs->finalize);
|
||||
+ rs->finalize(rs);
|
||||
}
|
||||
break;
|
||||
}
|
||||
diff --git a/net/socket.c b/net/socket.c
|
||||
index 3f98eef..dcae1ae 100644
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -522,6 +522,7 @@ static int net_socket_listen_init(NetClientState *peer,
|
||||
s->fd = -1;
|
||||
s->listen_fd = fd;
|
||||
s->nc.link_down = true;
|
||||
+ net_socket_rs_init(&s->rs, net_socket_rs_finalize);
|
||||
|
||||
qemu_set_fd_handler(s->listen_fd, net_socket_accept, NULL, s);
|
||||
return 0;
|
||||
41
qemu.spec
41
qemu.spec
|
|
@ -67,8 +67,8 @@
|
|||
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.7.0
|
||||
Release: 8%{?rcrel}%{?dist}
|
||||
Version: 2.7.1
|
||||
Release: 1%{?rcrel}%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
|
|
@ -102,42 +102,28 @@ Source21: 50-kvm-s390x.conf
|
|||
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
|
||||
Source22: 95-kvm-ppc64-memlock.conf
|
||||
|
||||
# CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463)
|
||||
Patch0001: 0001-vmw_pvscsi-check-page-count-while-initialising-descr.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||
Patch0002: 0002-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz
|
||||
# #1373480)
|
||||
Patch0003: 0003-scsi-pvscsi-limit-process-IO-loop-to-ring-size.patch
|
||||
Patch0001: 0001-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||
Patch0004: 0004-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||
# CVE-2016-7157: mptsas: invalid memory access (bz #1373505)
|
||||
Patch0005: 0005-scsi-mptconfig-fix-an-assert-expression.patch
|
||||
Patch0006: 0006-scsi-mptconfig-fix-misuse-of-MPTSAS_CONFIG_PACK.patch
|
||||
Patch0002: 0002-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||
Patch0007: 0007-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||
# CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777)
|
||||
Patch0008: 0008-scsi-mptsas-use-g_new0-to-allocate-MPTSASRequest-obj.patch
|
||||
Patch0003: 0003-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||
Patch0004: 0004-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
|
||||
Patch0005: 0005-net-mcf-limit-buffer-descriptor-count.patch
|
||||
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||
Patch0006: 0006-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||
Patch0007: 0007-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||
# Fix interrupt endpoints not working with network/spice USB redirection on
|
||||
# guest with an emulated xhci controller (bz #1382331)
|
||||
Patch0013: 0013-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||
# Fix nested PPC 'Unknown MMU model' error (bz #1374749)
|
||||
Patch0014: 0014-ppc-kvm-Mark-64kB-page-size-support-as-disabled-if-n.patch
|
||||
Patch0008: 0008-usb-redir-allocate-buffers-before-waking-up-the-host.patch
|
||||
# Fix flickering display with boxes + wayland VM (bz #1266484)
|
||||
Patch0015: 0015-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||
# Fix sending of data with -net socket (bz #1391497)
|
||||
Patch0016: 0016-net-fix-sending-of-data-with-net-socket-listen-backe.patch
|
||||
Patch0009: 0009-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||
# Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
||||
# Posted but not yet applied upstream
|
||||
Patch0017: 0017-ui-use-evdev-keymap-when-running-under-wayland.patch
|
||||
Patch0010: 0010-ui-use-evdev-keymap-when-running-under-wayland.patch
|
||||
|
||||
# documentation deps
|
||||
BuildRequires: texi2html
|
||||
|
|
@ -1609,6 +1595,9 @@ getent passwd qemu >/dev/null || \
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Jan 09 2017 Cole Robinson <crobinso@redhat.com> - 2:2.7.1-1
|
||||
- Update to qemu 2.7.1
|
||||
|
||||
* Mon Dec 12 2016 Cole Robinson <crobinso@redhat.com> - 2:2.7.0-8
|
||||
- Fix sending of data with -net socket (bz #1391497)
|
||||
- Fix keyboard issues with -ui gtk + host wayland (bz #1401211)
|
||||
|
|
|
|||
Loading…
Reference in New Issue