rpms
/
qemu
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix booting 3.8 kernels with qemu-system-arm (bz #922796) 

Fix crash with -vga qxl, sdl, and F19 guest (bz #949126)
CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz #952574, bz #923219)
This commit is contained in:
Cole Robinson 2013-04-20 20:14:03 -04:00
parent 4a0d0c08f7
commit 72f684c1ae
8 changed files with 553 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
0712-iscsi-look-for-pkg-config-file-too.patch
View File

@ -1,6 +1,7 @@
From 868600d91f1c165cdd91f293870af0ca351c6025 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Subject: [PATCH 3/6] iscsi: look for pkg-config file too
Date: Tue, 5 Mar 2013 18:05:22 +0100
Date: Fri, 22 Feb 2013 18:14:28 +0100
Subject: [PATCH] iscsi: look for pkg-config file too
Due to library conflicts, Fedora will have to put libiscsi in
/usr/lib/iscsi. Simplify configuration by using a pkg-config
@ -9,15 +10,16 @@ to add it has been sent to upstream libiscsi as well.
Cc: qemu-stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 3c33ea9640758bb625e110a77673e5abfd184e54)
---
configure | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/configure b/configure
index 2f98c5a..a9a7c99 100755
index 6af2806..12d506c 100755
--- a/configure
+++ b/configure
@@ -2803,7 +2803,13 @@ if test "$libiscsi" != "no" ; then
@@ -2632,7 +2632,13 @@ if test "$libiscsi" != "no" ; then
#include <iscsi/iscsi.h>
int main(void) { iscsi_unmap_sync(NULL,0,0,0,NULL,0); return 0; }
EOF
@ -32,5 +34,3 @@ index 2f98c5a..a9a7c99 100755
libiscsi="yes"
LIBS="$LIBS -liscsi"
else
--
1.8.1.2

7
0718-ehci-Don-t-access-packet-after-freeing-it.patch
View File

@ -1,7 +1,7 @@
From 9c8576aeca2d65e17748dc137f0e9abeb2959604 Mon Sep 17 00:00:00 2001
From c6e419cb392d9e1cca5de66da2be7cb53277bf85 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Wed, 14 Nov 2012 16:21:36 +0000
Subject: [PATCH 718/719] ehci: Don't access packet after freeing it
Subject: [PATCH] ehci: Don't access packet after freeing it
ehci_state_writeback() will free the packet, so we should not access
the packet after calling ehci_state_writeback().
@ -35,6 +35,3 @@ index 46f6d99..4229061 100644
/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
return;
}
--
1.8.1.4

9
0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
View File

@ -1,8 +1,8 @@
From f0a3e522543763cc5126283031309fdf6f8787c2 Mon Sep 17 00:00:00 2001
From b4d71f364924655c47f7e54a9726e303c91978d1 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Wed, 14 Nov 2012 16:21:37 +0000
Subject: [PATCH 719/719] ehci: Fixup q->qtdaddr after cancelling an already
completed packet
Subject: [PATCH] ehci: Fixup q->qtdaddr after cancelling an already completed
packet
This avoids the q->qtdaddr == p->qtdaddr asserts we have triggering, when
a queue contains multiple completed packages when we cancel the queue.
@ -44,6 +44,3 @@ index 4229061..6be11c5 100644
ehci_set_state(q->ehci, q->async, state);
/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
return;
--
1.8.1.4

5
0720-ehci_free_packet-Discard-finished-packets-when-the-q.patch
View File

@ -1,4 +1,4 @@
From 2d608503da16560546ed6c0f04cac87601856412 Mon Sep 17 00:00:00 2001
From 22df2caa52abc0df20709de04791d49f83792fd7 Mon Sep 17 00:00:00 2001
From: Hans de Goede <hdegoede@redhat.com>
Date: Fri, 5 Apr 2013 12:05:49 +0200
Subject: [PATCH] ehci_free_packet: Discard finished packets when the queue is
@ -75,6 +75,3 @@ index 6be11c5..6a787aa 100644
usb_packet_unmap(&p->packet, &p->sgl);
qemu_sglist_destroy(&p->sgl);
}
--
1.8.2

27
0721-hw-arm_sysctl-Clear-sysctl-cfgctrl-start-bit.patch Normal file
View File

@ -0,0 +1,27 @@
From 3783ae2a82198962b1770b12db2dd3d67f400d7e Mon Sep 17 00:00:00 2001
From: Christoffer Dall <c.dall@virtualopensystems.com>
Date: Wed, 30 Jan 2013 15:39:01 +0000
Subject: [PATCH] hw/arm_sysctl: Clear sysctl cfgctrl start bit
The start bit should only be set to indicate that a function call is
underway, right now. When done with function, clear it.
Signed-off-by: Christoffer Dall <c.dall@virtualopensystems.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
(cherry picked from commit 706872a56630a206897742b70c69ff99727672d3)
---
hw/arm_sysctl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/hw/arm_sysctl.c b/hw/arm_sysctl.c
index 5f1237b..98943cb 100644
--- a/hw/arm_sysctl.c
+++ b/hw/arm_sysctl.c
@@ -330,6 +330,7 @@ static void arm_sysctl_write(void *opaque, target_phys_addr_t offset,
default:
s->sys_cfgstat |= 2; /* error */
}
+ s->sys_cfgctrl &= ~(1 << 31);
return;
case 0xa8: /* SYS_CFGSTAT */
if (board_id(s) != BOARD_ID_VEXPRESS) {

372
0722-console-remove-DisplayAllocator.patch Normal file
View File

@ -0,0 +1,372 @@
From 82ffa03f372852a8e34775bf49a345a120b22be0 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Tue, 16 Apr 2013 17:06:56 +0200
Subject: [PATCH] console: remove DisplayAllocator
Causes [temporary] preformance regression with 24bpp vga modes @ sdl.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Conflicts:
console.h
ui/sdl.c
---
console.c | 52 ++++++++++----------------
console.h | 34 +++--------------
qemu-common.h | 1 -
ui/sdl.c | 117 +++-------------------------------------------------------
4 files changed, 31 insertions(+), 173 deletions(-)
diff --git a/console.c b/console.c
index 314f5a5..13e4c0f 100644
--- a/console.c
+++ b/console.c
@@ -1290,9 +1290,10 @@ static TextConsole *new_console(DisplayState *ds, console_type_t console_type)
return s;
}
-static DisplaySurface* defaultallocator_create_displaysurface(int width, int height)
+DisplaySurface *qemu_create_displaysurface(DisplayState *ds,
+ int width, int height)
{
- DisplaySurface *surface = (DisplaySurface*) g_malloc0(sizeof(DisplaySurface));
+ DisplaySurface *surface = g_new0(DisplaySurface, 1);
int linesize = width * 4;
qemu_alloc_display(surface, width, height, linesize,
@@ -1300,13 +1301,15 @@ static DisplaySurface* defaultallocator_create_displaysurface(int width, int hei
return surface;
}
-static DisplaySurface* defaultallocator_resize_displaysurface(DisplaySurface *surface,
- int width, int height)
+DisplaySurface *qemu_resize_displaysurface(DisplayState *ds,
+ int width, int height)
{
int linesize = width * 4;
- qemu_alloc_display(surface, width, height, linesize,
+
+ trace_displaysurface_resize(ds, ds->surface, width, height);
+ qemu_alloc_display(ds->surface, width, height, linesize,
qemu_default_pixelformat(32), 0);
- return surface;
+ return ds->surface;
}
void qemu_alloc_display(DisplaySurface *surface, int width, int height,
@@ -1319,7 +1322,7 @@ void qemu_alloc_display(DisplaySurface *surface, int width, int height,
surface->pf = pf;
if (surface->flags & QEMU_ALLOCATED_FLAG) {
data = g_realloc(surface->data,
- surface->linesize * surface->height);
+ surface->linesize * surface->height);
} else {
data = g_malloc(surface->linesize * surface->height);
}
@@ -1330,7 +1333,7 @@ void qemu_alloc_display(DisplaySurface *surface, int width, int height,
#endif
}
-DisplaySurface* qemu_create_displaysurface_from(int width, int height, int bpp,
+DisplaySurface *qemu_create_displaysurface_from(int width, int height, int bpp,
int linesize, uint8_t *data)
{
DisplaySurface *surface = (DisplaySurface*) g_malloc0(sizeof(DisplaySurface));
@@ -1347,28 +1350,24 @@ DisplaySurface* qemu_create_displaysurface_from(int width, int height, int bpp,
return surface;
}
-static void defaultallocator_free_displaysurface(DisplaySurface *surface)
+void qemu_free_displaysurface(DisplayState *ds)
{
- if (surface == NULL)
+ trace_displaysurface_free(ds, ds->surface);
+ if (ds->surface == NULL) {
return;
- if (surface->flags & QEMU_ALLOCATED_FLAG)
- g_free(surface->data);
- g_free(surface);
+ }
+ if (ds->surface->flags & QEMU_ALLOCATED_FLAG) {
+ g_free(ds->surface->data);
+ }
+ g_free(ds->surface);
}
-static struct DisplayAllocator default_allocator = {
- defaultallocator_create_displaysurface,
- defaultallocator_resize_displaysurface,
- defaultallocator_free_displaysurface
-};
-
static void dumb_display_init(void)
{
DisplayState *ds = g_malloc0(sizeof(DisplayState));
int width = 640;
int height = 480;
- ds->allocator = &default_allocator;
if (is_fixedsize_console()) {
width = active_console->g_width;
height = active_console->g_height;
@@ -1398,18 +1397,6 @@ DisplayState *get_displaystate(void)
return display_state;
}
-DisplayAllocator *register_displayallocator(DisplayState *ds, DisplayAllocator *da)
-{
- if(ds->allocator == &default_allocator) {
- DisplaySurface *surf;
- surf = da->create_displaysurface(ds_get_width(ds), ds_get_height(ds));
- defaultallocator_free_displaysurface(ds->surface);
- ds->surface = surf;
- ds->allocator = da;
- }
- return ds->allocator;
-}
-
DisplayState *graphic_console_init(vga_hw_update_ptr update,
vga_hw_invalidate_ptr invalidate,
vga_hw_screen_dump_ptr screen_dump,
@@ -1420,7 +1407,6 @@ DisplayState *graphic_console_init(vga_hw_update_ptr update,
DisplayState *ds;
ds = (DisplayState *) g_malloc0(sizeof(DisplayState));
- ds->allocator = &default_allocator;
ds->surface = qemu_create_displaysurface(ds, 640, 480);
s = new_console(ds, GRAPHIC_CONSOLE);
diff --git a/console.h b/console.h
index 4334db5..755a537 100644
--- a/console.h
+++ b/console.h
@@ -105,7 +105,6 @@ void kbd_put_keysym(int keysym);
#define QEMU_BIG_ENDIAN_FLAG 0x01
#define QEMU_ALLOCATED_FLAG 0x02
-#define QEMU_REALPIXELS_FLAG 0x04
struct PixelFormat {
uint8_t bits_per_pixel;
@@ -165,18 +164,11 @@ struct DisplayChangeListener {
struct DisplayChangeListener *next;
};
-struct DisplayAllocator {
- DisplaySurface* (*create_displaysurface)(int width, int height);
- DisplaySurface* (*resize_displaysurface)(DisplaySurface *surface, int width, int height);
- void (*free_displaysurface)(DisplaySurface *surface);
-};
-
struct DisplayState {
struct DisplaySurface *surface;
void *opaque;
struct QEMUTimer *gui_timer;
- struct DisplayAllocator* allocator;
struct DisplayChangeListener* listeners;
void (*mouse_set)(int x, int y, int on);
@@ -194,24 +186,11 @@ void qemu_alloc_display(DisplaySurface *surface, int width, int height,
PixelFormat qemu_different_endianness_pixelformat(int bpp);
PixelFormat qemu_default_pixelformat(int bpp);
-DisplayAllocator *register_displayallocator(DisplayState *ds, DisplayAllocator *da);
-
-static inline DisplaySurface* qemu_create_displaysurface(DisplayState *ds, int width, int height)
-{
- return ds->allocator->create_displaysurface(width, height);
-}
-
-static inline DisplaySurface* qemu_resize_displaysurface(DisplayState *ds, int width, int height)
-{
- trace_displaysurface_resize(ds, ds->surface, width, height);
- return ds->allocator->resize_displaysurface(ds->surface, width, height);
-}
-
-static inline void qemu_free_displaysurface(DisplayState *ds)
-{
- trace_displaysurface_free(ds, ds->surface);
- ds->allocator->free_displaysurface(ds->surface);
-}
+DisplaySurface *qemu_create_displaysurface(DisplayState *ds,
+ int width, int height);
+DisplaySurface *qemu_resize_displaysurface(DisplayState *ds,
+ int width, int height);
+void qemu_free_displaysurface(DisplayState *ds);
static inline int is_surface_bgr(DisplaySurface *surface)
{
@@ -223,8 +202,7 @@ static inline int is_surface_bgr(DisplaySurface *surface)
static inline int is_buffer_shared(DisplaySurface *surface)
{
- return (!(surface->flags & QEMU_ALLOCATED_FLAG) &&
- !(surface->flags & QEMU_REALPIXELS_FLAG));
+ return !(surface->flags & QEMU_ALLOCATED_FLAG);
}
static inline void register_displaychangelistener(DisplayState *ds, DisplayChangeListener *dcl)
diff --git a/qemu-common.h b/qemu-common.h
index 15d9e4e..7d6e1a9 100644
--- a/qemu-common.h
+++ b/qemu-common.h
@@ -254,7 +254,6 @@ typedef struct DriveInfo DriveInfo;
typedef struct DisplayState DisplayState;
typedef struct DisplayChangeListener DisplayChangeListener;
typedef struct DisplaySurface DisplaySurface;
-typedef struct DisplayAllocator DisplayAllocator;
typedef struct PixelFormat PixelFormat;
typedef struct TextConsole TextConsole;
typedef TextConsole QEMUConsole;
diff --git a/ui/sdl.c b/ui/sdl.c
index f6f711c..9e4a86e 100644
--- a/ui/sdl.c
+++ b/ui/sdl.c
@@ -55,7 +55,6 @@ static int absolute_enabled = 0;
static int guest_cursor = 0;
static int guest_x, guest_y;
static SDL_Cursor *guest_sprite = NULL;
-static uint8_t allocator;
static SDL_PixelFormat host_format;
static int scaling_active = 0;
static Notifier mouse_mode_notifier;
@@ -117,108 +116,13 @@ static void do_sdl_resize(int width, int height, int bpp)
static void sdl_resize(DisplayState *ds)
{
- if (!allocator) {
- if (!scaling_active)
- do_sdl_resize(ds_get_width(ds), ds_get_height(ds), 0);
- else if (real_screen->format->BitsPerPixel != ds_get_bits_per_pixel(ds))
- do_sdl_resize(real_screen->w, real_screen->h, ds_get_bits_per_pixel(ds));
- sdl_setdata(ds);
- } else {
- if (guest_screen != NULL) {
- SDL_FreeSurface(guest_screen);
- guest_screen = NULL;
- }
- }
-}
-
-static PixelFormat sdl_to_qemu_pixelformat(SDL_PixelFormat *sdl_pf)
-{
- PixelFormat qemu_pf;
-
- memset(&qemu_pf, 0x00, sizeof(PixelFormat));
-
- qemu_pf.bits_per_pixel = sdl_pf->BitsPerPixel;
- qemu_pf.bytes_per_pixel = sdl_pf->BytesPerPixel;
- qemu_pf.depth = (qemu_pf.bits_per_pixel) == 32 ? 24 : (qemu_pf.bits_per_pixel);
-
- qemu_pf.rmask = sdl_pf->Rmask;
- qemu_pf.gmask = sdl_pf->Gmask;
- qemu_pf.bmask = sdl_pf->Bmask;
- qemu_pf.amask = sdl_pf->Amask;
-
- qemu_pf.rshift = sdl_pf->Rshift;
- qemu_pf.gshift = sdl_pf->Gshift;
- qemu_pf.bshift = sdl_pf->Bshift;
- qemu_pf.ashift = sdl_pf->Ashift;
-
- qemu_pf.rbits = 8 - sdl_pf->Rloss;
- qemu_pf.gbits = 8 - sdl_pf->Gloss;
- qemu_pf.bbits = 8 - sdl_pf->Bloss;
- qemu_pf.abits = 8 - sdl_pf->Aloss;
-
- qemu_pf.rmax = ((1 << qemu_pf.rbits) - 1);
- qemu_pf.gmax = ((1 << qemu_pf.gbits) - 1);
- qemu_pf.bmax = ((1 << qemu_pf.bbits) - 1);
- qemu_pf.amax = ((1 << qemu_pf.abits) - 1);
-
- return qemu_pf;
-}
-
-static DisplaySurface* sdl_create_displaysurface(int width, int height)
-{
- DisplaySurface *surface = (DisplaySurface*) g_malloc0(sizeof(DisplaySurface));
-
- surface->width = width;
- surface->height = height;
-
- if (scaling_active) {
- int linesize;
- PixelFormat pf;
- if (host_format.BytesPerPixel != 2 && host_format.BytesPerPixel != 4) {
- linesize = width * 4;
- pf = qemu_default_pixelformat(32);
- } else {
- linesize = width * host_format.BytesPerPixel;
- pf = sdl_to_qemu_pixelformat(&host_format);
- }
- qemu_alloc_display(surface, width, height, linesize, pf, 0);
- return surface;
+ if (!scaling_active) {
+ do_sdl_resize(ds_get_width(ds), ds_get_height(ds), 0);
+ } else if (real_screen->format->BitsPerPixel != ds_get_bits_per_pixel(ds)) {
+ do_sdl_resize(real_screen->w, real_screen->h,
+ ds_get_bits_per_pixel(ds));
}
-
- if (host_format.BitsPerPixel == 16)
- do_sdl_resize(width, height, 16);
- else
- do_sdl_resize(width, height, 32);
-
- surface->pf = sdl_to_qemu_pixelformat(real_screen->format);
- surface->linesize = real_screen->pitch;
- surface->data = real_screen->pixels;
-
-#ifdef HOST_WORDS_BIGENDIAN
- surface->flags = QEMU_REALPIXELS_FLAG | QEMU_BIG_ENDIAN_FLAG;
-#else
- surface->flags = QEMU_REALPIXELS_FLAG;
-#endif
- allocator = 1;
-
- return surface;
-}
-
-static void sdl_free_displaysurface(DisplaySurface *surface)
-{
- allocator = 0;
- if (surface == NULL)
- return;
-
- if (surface->flags & QEMU_ALLOCATED_FLAG)
- g_free(surface->data);
- g_free(surface);
-}
-
-static DisplaySurface* sdl_resize_displaysurface(DisplaySurface *surface, int width, int height)
-{
- sdl_free_displaysurface(surface);
- return sdl_create_displaysurface(width, height);
+ sdl_setdata(ds);
}
/* generic keyboard conversion */
@@ -955,7 +859,6 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
{
int flags;
uint8_t data = 0;
- DisplayAllocator *da;
const SDL_VideoInfo *vi;
char *filename;
@@ -1029,14 +932,6 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
ds->cursor_define = sdl_mouse_define;
register_displaychangelistener(ds, dcl);
- da = g_malloc0(sizeof(DisplayAllocator));
- da->create_displaysurface = sdl_create_displaysurface;
- da->resize_displaysurface = sdl_resize_displaysurface;
- da->free_displaysurface = sdl_free_displaysurface;
- if (register_displayallocator(ds, da) == da) {
- dpy_resize(ds);
- }
-
mouse_mode_notifier.notify = sdl_mouse_mode_change;
qemu_add_mouse_mode_change_notifier(&mouse_mode_notifier);

121
0723-Add-f-FMT-format-FMT-arg-to-qemu-nbd.patch Normal file
View File

@ -0,0 +1,121 @@
From 849967d707bb55bfbe93feae78969aaeb5e71dfd Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Tue, 19 Mar 2013 11:20:20 +0000
Subject: [PATCH] Add -f FMT / --format FMT arg to qemu-nbd
Currently the qemu-nbd program will auto-detect the format of
any disk it is given. This behaviour is known to be insecure.
For example, if qemu-nbd initially exposes a 'raw' file to an
unprivileged app, and that app runs
'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
then the next time the app is started, the qemu-nbd will now
detect it as a 'qcow2' file and expose /etc/shadow to the
unprivileged app.
The only way to avoid this is to explicitly tell qemu-nbd what
disk format to use on the command line, completely disabling
auto-detection. This patch adds a '-f' / '--format' arg for
this purpose, mirroring what is already available via qemu-img
and qemu commands.
qemu-nbd --format raw -p 9000 evil.img
will now always use raw, regardless of what format 'evil.img'
looks like it contains
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
[Use errx, not err. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
(cherry picked from commit e6b636779b51c97e67694be740ee972c52460c59)
Conflicts:
qemu-nbd.c
---
qemu-nbd.c | 20 ++++++++++++++++++--
qemu-nbd.texi | 2 ++
2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/qemu-nbd.c b/qemu-nbd.c
index 1c1cf6a..abf654e 100644
--- a/qemu-nbd.c
+++ b/qemu-nbd.c
@@ -291,6 +291,7 @@ static void nbd_accept(void *opaque)
int main(int argc, char **argv)
{
BlockDriverState *bs;
+ BlockDriver *drv;
off_t dev_offset = 0;
uint32_t nbdflags = 0;
bool disconnect = false;
@@ -298,7 +299,7 @@ int main(int argc, char **argv)
char *device = NULL;
int port = NBD_DEFAULT_PORT;
off_t fd_size;
- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
+ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t";
struct option lopt[] = {
{ "help", 0, NULL, 'h' },
{ "version", 0, NULL, 'V' },
@@ -317,6 +318,7 @@ int main(int argc, char **argv)
{ "aio", 1, NULL, QEMU_NBD_OPT_AIO },
#endif
{ "shared", 1, NULL, 'e' },
+ { "format", 1, NULL, 'f' },
{ "persistent", 0, NULL, 't' },
{ "verbose", 0, NULL, 'v' },
{ NULL, 0, NULL, 0 }
@@ -335,6 +337,7 @@ int main(int argc, char **argv)
bool seen_aio = false;
#endif
pthread_t client_thread;
+ const char *fmt = NULL;
/* The client thread uses SIGTERM to interrupt the server. A signal
* handler ensures that "qemu-nbd -v -c" exits with a nice status code.
@@ -429,6 +432,9 @@ int main(int argc, char **argv)
errx(EXIT_FAILURE, "Shared device number must be greater than 0\n");
}
break;
+ case 'f':
+ fmt = optarg;
+ break;
case 't':
persistent = 1;
break;
@@ -529,9 +535,19 @@ int main(int argc, char **argv)
bdrv_init();
atexit(bdrv_close_all);
+ if (fmt) {
+ drv = bdrv_find_format(fmt);
+ if (!drv) {
+ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt);
+ }
+ } else {
+ drv = NULL;
+ }
+
bs = bdrv_new("hda");
srcpath = argv[optind];
- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) {
+ ret = bdrv_open(bs, srcpath, flags, drv);
+ if (ret < 0) {
errno = -ret;
err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]);
}
diff --git a/qemu-nbd.texi b/qemu-nbd.texi
index 6955d90..70abfeb 100644
--- a/qemu-nbd.texi
+++ b/qemu-nbd.texi
@@ -36,6 +36,8 @@ Export QEMU disk image using NBD protocol.
disconnect the specified device
@item -e, --shared=@var{num}
device can be shared by @var{num} clients (default @samp{1})
+@item -f, --format=@var{fmt}
+ force block driver for format @var{fmt} instead of auto-detecting
@item -t, --persistent
don't exit on the last connection
@item -v, --verbose

22
qemu.spec
View File

@ -109,7 +109,7 @@
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 1.2.2
Release: 10%{?dist}
Release: 11%{?dist}
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
@ -549,6 +549,13 @@ Patch0717: 0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
Patch0718: 0718-ehci-Don-t-access-packet-after-freeing-it.patch
Patch0719: 0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
Patch0720: 0720-ehci_free_packet-Discard-finished-packets-when-the-q.patch
# Fix booting 3.8 kernels with qemu-system-arm (bz #922796)
Patch0721: 0721-hw-arm_sysctl-Clear-sysctl-cfgctrl-start-bit.patch
# Fix crash with -vga qxl, sdl, and F19 guest (bz #949126)
Patch0722: 0722-console-remove-DisplayAllocator.patch
# CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz
# #952574, bz #923219)
Patch0723: 0723-Add-f-FMT-format-FMT-arg-to-qemu-nbd.patch
BuildRequires: SDL-devel
@ -1385,6 +1392,13 @@ CAC emulation development files.
%patch0718 -p1
%patch0719 -p1
%patch0720 -p1
# Fix booting 3.8 kernels with qemu-system-arm (bz #922796)
%patch0721 -p1
# Fix crash with -vga qxl, sdl, and F19 guest (bz #949126)
%patch0722 -p1
# CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz
# #952574, bz #923219)
%patch0723 -p1
%build
@ -1994,6 +2008,12 @@ getent passwd qemu >/dev/null || \
%{_libdir}/pkgconfig/libcacard.pc
%changelog
* Sat Apr 20 2013 Cole Robinson <crobinso@redhat.com> - 2:1.2.2-11
- Fix booting 3.8 kernels with qemu-system-arm (bz #922796)
- Fix crash with -vga qxl, sdl, and F19 guest (bz #949126)
- CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz
#952574, bz #923219)
* Mon Apr 08 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-10
- Add an extra patch to really fix (bz #890320)