Fix xen pv graphical display failure (bz #1350264)

CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
This commit is contained in:
Cole Robinson 2017-04-13 20:39:51 -04:00
parent dfb84783bc
commit 6a2f9fd5cf
5 changed files with 268 additions and 1 deletions


@ -0,0 +1,99 @@
From: Peter Lieven <pl@kamp.de>
Date: Thu, 30 Jun 2016 12:00:46 +0200
Subject: [PATCH] vnc-enc-tight: use thread local storage for palette
currently the color counting palette is allocated from heap, used and destroyed
for each single subrect. Use a static palette per thread for this purpose and
avoid the malloc and free for each update.
Signed-off-by: Peter Lieven <pl@kamp.de>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Message-id: 1467280846-9674-1-git-send-email-pl@kamp.de
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 095497ffc66b7f031ff2a17f1e50f5cb105ce588)
---
ui/vnc-enc-tight.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index 678c5df..877c093 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -349,7 +349,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
tight_fill_palette##bpp(VncState *vs, int x, int y, \
int max, size_t count, \
uint32_t *bg, uint32_t *fg, \
- VncPalette **palette) { \
+ VncPalette *palette) { \
uint##bpp##_t *data; \
uint##bpp##_t c0, c1, ci; \
int i, n0, n1; \
@@ -396,23 +396,23 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
return 0; \
} \
\
- *palette = palette_new(max, bpp); \
- palette_put(*palette, c0); \
- palette_put(*palette, c1); \
- palette_put(*palette, ci); \
+ palette_init(palette, max, bpp); \
+ palette_put(palette, c0); \
+ palette_put(palette, c1); \
+ palette_put(palette, ci); \
\
for (i++; i < count; i++) { \
if (data[i] == ci) { \
continue; \
} else { \
ci = data[i]; \
- if (!palette_put(*palette, (uint32_t)ci)) { \
+ if (!palette_put(palette, (uint32_t)ci)) { \
return 0; \
} \
} \
} \
\
- return palette_size(*palette); \
+ return palette_size(palette); \
}
DEFINE_FILL_PALETTE_FUNCTION(8)
@@ -421,7 +421,7 @@ DEFINE_FILL_PALETTE_FUNCTION(32)
static int tight_fill_palette(VncState *vs, int x, int y,
size_t count, uint32_t *bg, uint32_t *fg,
- VncPalette **palette)
+ VncPalette *palette)
{
int max;
@@ -1458,9 +1458,11 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
}
#endif
+static __thread VncPalette color_count_palette;
+
static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
{
- VncPalette *palette = NULL;
+ VncPalette *palette = &color_count_palette;
uint32_t bg = 0, fg = 0;
int colors;
int ret = 0;
@@ -1489,7 +1491,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
}
#endif
- colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, &palette);
+ colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
#ifdef CONFIG_VNC_JPEG
if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
@@ -1502,7 +1504,6 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
#endif
- palette_destroy(palette);
return ret;
}


@ -0,0 +1,84 @@
From: Peter Lieven <pl@kamp.de>
Date: Fri, 15 Jul 2016 11:45:11 +0200
Subject: [PATCH] vnc-tight: fix regression with libxenstore
commit 095497ff added thread local storage for the color counting
palette. Unfortunately, a VncPalette is about 7kB on a x86_64 system.
This memory is reserved from the stack of every thread and it
exhausted the stack space of a libxenstore thread.
Fix this by allocating memory only for the VNC encoding thread.
Fixes: 095497ffc66b7f031ff2a17f1e50f5cb105ce588
Reported-by: Juergen Gross <jgross@suse.com>
Tested-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Peter Lieven <pl@kamp.de>
Message-id: 1468575911-20656-1-git-send-email-pl@kamp.de
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
(cherry picked from commit 66668d197fa40747e835e15617eda2f1bc80982f)
---
ui/vnc-enc-tight.c | 28 +++++++++++++++++++++-------
1 file changed, 21 insertions(+), 7 deletions(-)
diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
index 877c093..49df85e 100644
--- a/ui/vnc-enc-tight.c
+++ b/ui/vnc-enc-tight.c
@@ -1458,11 +1458,17 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
}
#endif
-static __thread VncPalette color_count_palette;
+static __thread VncPalette *color_count_palette;
+static __thread Notifier vnc_tight_cleanup_notifier;
+
+static void vnc_tight_cleanup(Notifier *n, void *value)
+{
+ g_free(color_count_palette);
+ color_count_palette = NULL;
+}
static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
{
- VncPalette *palette = &color_count_palette;
uint32_t bg = 0, fg = 0;
int colors;
int ret = 0;
@@ -1471,6 +1477,12 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
bool allow_jpeg = true;
#endif
+ if (!color_count_palette) {
+ color_count_palette = g_malloc(sizeof(VncPalette));
+ vnc_tight_cleanup_notifier.notify = vnc_tight_cleanup;
+ qemu_thread_atexit_add(&vnc_tight_cleanup_notifier);
+ }
+
vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
vnc_tight_start(vs);
@@ -1491,17 +1503,19 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
}
#endif
- colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
+ colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette);
#ifdef CONFIG_VNC_JPEG
if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
- ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors, palette,
- force_jpeg);
+ ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors,
+ color_count_palette, force_jpeg);
} else {
- ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
+ ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
+ color_count_palette);
}
#else
- ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
+ ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
+ color_count_palette);
#endif
return ret;
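Review bot: The per-thread palette allocated by `color_count_palette = g_malloc(sizeof(VncPalette));` is left uninitialized until tight_fill_palette() reaches palette_init(), whereas the `static __thread VncPalette` it replaces was zero-initialized storage; tight_fill_palette() has early `return 0` exits before palette_init() (outside this hunk), so if any consumer touches the palette when colors is 0, the first subrect on a new thread would read indeterminate bytes. `color_count_palette = g_new0(VncPalette, 1);` keeps the previous zeroed state and also names the element type instead of repeating sizeof. vnc_tight_cleanup() ignores both of its parameters; a one-line comment such as `/* thread-exit hook: n and value are unused */` would make that intentional for the next reader. send_sub_rect()'s body continues outside the hunks shown here.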


@ -0,0 +1,35 @@
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Wed, 12 Oct 2016 18:07:41 +0530
Subject: [PATCH] dma: rc4030: limit interval timer reload value
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The JAZZ RC4030 chipset emulator has a periodic timer and
associated interval reload register. The reload value is used
as divider when computing timer's next tick value. If reload
value is large, it could lead to divide by zero error. Limit
the interval reload value to avoid it.
Reported-by: Huawei PSIRT <psirt@huawei.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
(cherry picked from commit c0a3172fa6bbddcc73192f2a2c48d0bf3a7ba61c)
---
hw/dma/rc4030.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
index a06c235..1814ca6 100644
--- a/hw/dma/rc4030.c
+++ b/hw/dma/rc4030.c
@@ -459,7 +459,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
break;
/* Interval timer reload */
case 0x0228:
- s->itr = val;
+ s->itr = val & 0x01FF;
qemu_irq_lower(s->timer_irq);
set_next_tick(s);
break;
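Review bot: The mask in `s->itr = val & 0x01FF;` is a bare magic constant with nothing tying it to the divide-by-zero it is meant to prevent, and set_next_tick() is outside this hunk, so a reader cannot see why 0x01FF is the safe bound. I would add `/* CVE-2016-8667: bound the reload value so set_next_tick() never derives a zero divisor from it */` above the assignment, and mirror a short note at the division in set_next_tick() itself, so that a later change to either side cannot silently reintroduce the bug. Whether a masked value of 0 is still a valid reload depends on how set_next_tick() uses itr, which is not visible here.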


@ -0,0 +1,37 @@
From: Li Qiang <liqiang6-s@360.cn>
Date: Wed, 4 Jan 2017 00:43:16 -0800
Subject: [PATCH] serial: fix memory leak in serial exit
The serial_exit_core function doesn't free some resources.
This can lead memory leak when hotplug and unplug. This
patch avoid this.
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b)
---
hw/char/serial.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/char/serial.c b/hw/char/serial.c
index 3998131..ebf507b 100644
--- a/hw/char/serial.c
+++ b/hw/char/serial.c
@@ -869,6 +869,16 @@ void serial_realize_core(SerialState *s, Error **errp)
void serial_exit_core(SerialState *s)
{
qemu_chr_add_handlers(s->chr, NULL, NULL, NULL, NULL);
+
+ timer_del(s->modem_status_poll);
+ timer_free(s->modem_status_poll);
+
+ timer_del(s->fifo_timeout_timer);
+ timer_free(s->fifo_timeout_timer);
+
+ fifo8_destroy(&s->recv_fifo);
+ fifo8_destroy(&s->xmit_fifo);
+
qemu_unregister_reset(serial_reset, s);
}
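Review bot: `timer_free(s->modem_status_poll);` and `timer_free(s->fifo_timeout_timer);` leave the freed pointers in the SerialState, so if serial_exit_core() can be reached twice for the same state (for example an unplug that is retried after a failure) the second call double-frees both timers and fifo8_destroy() releases the FIFO buffers twice. Nulling each pointer right after its timer_free, `s->modem_status_poll = NULL;` and `s->fifo_timeout_timer = NULL;`, and guarding the timer_del/timer_free pair on a non-NULL pointer would make a repeated call harmless; whether both timers are always created by serial_realize_core() is not visible in this hunk, so the NULL guard also covers a partially realized device. A one-line comment naming the realize-side allocations these calls undo would help keep the two functions in step.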


@ -65,7 +65,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.6.2
Release: 7%{?rcrel}%{?dist}
Release: 8%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -237,6 +237,13 @@ Patch0061: 0061-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
Patch0062: 0062-cirrus-fix-patterncopy-checks.patch
Patch0063: 0063-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
Patch0064: 0064-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
# Fix xen pv graphical display failure (bz #1350264)
Patch0065: 0065-vnc-enc-tight-use-thread-local-storage-for-palette.patch
Patch0066: 0066-vnc-tight-fix-regression-with-libxenstore.patch
# CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
Patch0067: 0067-dma-rc4030-limit-interval-timer-reload-value.patch
# CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
Patch0068: 0068-serial-fix-memory-leak-in-serial-exit.patch
# documentation deps
@ -1698,6 +1705,11 @@ getent passwd qemu >/dev/null || \
%changelog
* Thu Apr 13 2017 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-8
- Fix xen pv graphical display failure (bz #1350264)
- CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
- CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
* Wed Mar 15 2017 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-7
- CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110)
- CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210)