Fix booting 3.8 kernels with qemu-system-arm (bz #922796)
Fix crash with -vga qxl, sdl, and F19 guest (bz #949126) CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz #952574, bz #923219)
This commit is contained in:
parent
4a0d0c08f7
commit
72f684c1ae
|
@ -1,6 +1,7 @@
|
||||||
|
From 868600d91f1c165cdd91f293870af0ca351c6025 Mon Sep 17 00:00:00 2001
|
||||||
From: Paolo Bonzini <pbonzini@redhat.com>
|
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
Subject: [PATCH 3/6] iscsi: look for pkg-config file too
|
Date: Fri, 22 Feb 2013 18:14:28 +0100
|
||||||
Date: Tue, 5 Mar 2013 18:05:22 +0100
|
Subject: [PATCH] iscsi: look for pkg-config file too
|
||||||
|
|
||||||
Due to library conflicts, Fedora will have to put libiscsi in
|
Due to library conflicts, Fedora will have to put libiscsi in
|
||||||
/usr/lib/iscsi. Simplify configuration by using a pkg-config
|
/usr/lib/iscsi. Simplify configuration by using a pkg-config
|
||||||
|
@ -9,15 +10,16 @@ to add it has been sent to upstream libiscsi as well.
|
||||||
|
|
||||||
Cc: qemu-stable@nongnu.org
|
Cc: qemu-stable@nongnu.org
|
||||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
(cherry picked from commit 3c33ea9640758bb625e110a77673e5abfd184e54)
|
||||||
---
|
---
|
||||||
configure | 8 +++++++-
|
configure | 8 +++++++-
|
||||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/configure b/configure
|
diff --git a/configure b/configure
|
||||||
index 2f98c5a..a9a7c99 100755
|
index 6af2806..12d506c 100755
|
||||||
--- a/configure
|
--- a/configure
|
||||||
+++ b/configure
|
+++ b/configure
|
||||||
@@ -2803,7 +2803,13 @@ if test "$libiscsi" != "no" ; then
|
@@ -2632,7 +2632,13 @@ if test "$libiscsi" != "no" ; then
|
||||||
#include <iscsi/iscsi.h>
|
#include <iscsi/iscsi.h>
|
||||||
int main(void) { iscsi_unmap_sync(NULL,0,0,0,NULL,0); return 0; }
|
int main(void) { iscsi_unmap_sync(NULL,0,0,0,NULL,0); return 0; }
|
||||||
EOF
|
EOF
|
||||||
|
@ -32,5 +34,3 @@ index 2f98c5a..a9a7c99 100755
|
||||||
libiscsi="yes"
|
libiscsi="yes"
|
||||||
LIBS="$LIBS -liscsi"
|
LIBS="$LIBS -liscsi"
|
||||||
else
|
else
|
||||||
--
|
|
||||||
1.8.1.2
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
From 9c8576aeca2d65e17748dc137f0e9abeb2959604 Mon Sep 17 00:00:00 2001
|
From c6e419cb392d9e1cca5de66da2be7cb53277bf85 Mon Sep 17 00:00:00 2001
|
||||||
From: Hans de Goede <hdegoede@redhat.com>
|
From: Hans de Goede <hdegoede@redhat.com>
|
||||||
Date: Wed, 14 Nov 2012 16:21:36 +0000
|
Date: Wed, 14 Nov 2012 16:21:36 +0000
|
||||||
Subject: [PATCH 718/719] ehci: Don't access packet after freeing it
|
Subject: [PATCH] ehci: Don't access packet after freeing it
|
||||||
|
|
||||||
ehci_state_writeback() will free the packet, so we should not access
|
ehci_state_writeback() will free the packet, so we should not access
|
||||||
the packet after calling ehci_state_writeback().
|
the packet after calling ehci_state_writeback().
|
||||||
|
@ -35,6 +35,3 @@ index 46f6d99..4229061 100644
|
||||||
/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
|
/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
--
|
|
||||||
1.8.1.4
|
|
||||||
|
|
||||||
|
|
|
@ -1,8 +1,8 @@
|
||||||
From f0a3e522543763cc5126283031309fdf6f8787c2 Mon Sep 17 00:00:00 2001
|
From b4d71f364924655c47f7e54a9726e303c91978d1 Mon Sep 17 00:00:00 2001
|
||||||
From: Hans de Goede <hdegoede@redhat.com>
|
From: Hans de Goede <hdegoede@redhat.com>
|
||||||
Date: Wed, 14 Nov 2012 16:21:37 +0000
|
Date: Wed, 14 Nov 2012 16:21:37 +0000
|
||||||
Subject: [PATCH 719/719] ehci: Fixup q->qtdaddr after cancelling an already
|
Subject: [PATCH] ehci: Fixup q->qtdaddr after cancelling an already completed
|
||||||
completed packet
|
packet
|
||||||
|
|
||||||
This avoids the q->qtdaddr == p->qtdaddr asserts we have triggering, when
|
This avoids the q->qtdaddr == p->qtdaddr asserts we have triggering, when
|
||||||
a queue contains multiple completed packages when we cancel the queue.
|
a queue contains multiple completed packages when we cancel the queue.
|
||||||
|
@ -44,6 +44,3 @@ index 4229061..6be11c5 100644
|
||||||
ehci_set_state(q->ehci, q->async, state);
|
ehci_set_state(q->ehci, q->async, state);
|
||||||
/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
|
/* state_writeback recurses into us with async == EHCI_ASYNC_NONE!! */
|
||||||
return;
|
return;
|
||||||
--
|
|
||||||
1.8.1.4
|
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
From 2d608503da16560546ed6c0f04cac87601856412 Mon Sep 17 00:00:00 2001
|
From 22df2caa52abc0df20709de04791d49f83792fd7 Mon Sep 17 00:00:00 2001
|
||||||
From: Hans de Goede <hdegoede@redhat.com>
|
From: Hans de Goede <hdegoede@redhat.com>
|
||||||
Date: Fri, 5 Apr 2013 12:05:49 +0200
|
Date: Fri, 5 Apr 2013 12:05:49 +0200
|
||||||
Subject: [PATCH] ehci_free_packet: Discard finished packets when the queue is
|
Subject: [PATCH] ehci_free_packet: Discard finished packets when the queue is
|
||||||
|
@ -75,6 +75,3 @@ index 6be11c5..6a787aa 100644
|
||||||
usb_packet_unmap(&p->packet, &p->sgl);
|
usb_packet_unmap(&p->packet, &p->sgl);
|
||||||
qemu_sglist_destroy(&p->sgl);
|
qemu_sglist_destroy(&p->sgl);
|
||||||
}
|
}
|
||||||
--
|
|
||||||
1.8.2
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,27 @@
|
||||||
|
From 3783ae2a82198962b1770b12db2dd3d67f400d7e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Christoffer Dall <c.dall@virtualopensystems.com>
|
||||||
|
Date: Wed, 30 Jan 2013 15:39:01 +0000
|
||||||
|
Subject: [PATCH] hw/arm_sysctl: Clear sysctl cfgctrl start bit
|
||||||
|
|
||||||
|
The start bit should only be set to indicate that a function call is
|
||||||
|
underway, right now. When done with function, clear it.
|
||||||
|
|
||||||
|
Signed-off-by: Christoffer Dall <c.dall@virtualopensystems.com>
|
||||||
|
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||||
|
(cherry picked from commit 706872a56630a206897742b70c69ff99727672d3)
|
||||||
|
---
|
||||||
|
hw/arm_sysctl.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/hw/arm_sysctl.c b/hw/arm_sysctl.c
|
||||||
|
index 5f1237b..98943cb 100644
|
||||||
|
--- a/hw/arm_sysctl.c
|
||||||
|
+++ b/hw/arm_sysctl.c
|
||||||
|
@@ -330,6 +330,7 @@ static void arm_sysctl_write(void *opaque, target_phys_addr_t offset,
|
||||||
|
default:
|
||||||
|
s->sys_cfgstat |= 2; /* error */
|
||||||
|
}
|
||||||
|
+ s->sys_cfgctrl &= ~(1 << 31);
|
||||||
|
return;
|
||||||
|
case 0xa8: /* SYS_CFGSTAT */
|
||||||
|
if (board_id(s) != BOARD_ID_VEXPRESS) {
|
|
@ -0,0 +1,372 @@
|
||||||
|
From 82ffa03f372852a8e34775bf49a345a120b22be0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
Date: Tue, 16 Apr 2013 17:06:56 +0200
|
||||||
|
Subject: [PATCH] console: remove DisplayAllocator
|
||||||
|
|
||||||
|
Causes [temporary] preformance regression with 24bpp vga modes @ sdl.
|
||||||
|
|
||||||
|
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||||
|
|
||||||
|
Conflicts:
|
||||||
|
|
||||||
|
console.h
|
||||||
|
ui/sdl.c
|
||||||
|
---
|
||||||
|
console.c | 52 ++++++++++----------------
|
||||||
|
console.h | 34 +++--------------
|
||||||
|
qemu-common.h | 1 -
|
||||||
|
ui/sdl.c | 117 +++-------------------------------------------------------
|
||||||
|
4 files changed, 31 insertions(+), 173 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/console.c b/console.c
|
||||||
|
index 314f5a5..13e4c0f 100644
|
||||||
|
--- a/console.c
|
||||||
|
+++ b/console.c
|
||||||
|
@@ -1290,9 +1290,10 @@ static TextConsole *new_console(DisplayState *ds, console_type_t console_type)
|
||||||
|
return s;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static DisplaySurface* defaultallocator_create_displaysurface(int width, int height)
|
||||||
|
+DisplaySurface *qemu_create_displaysurface(DisplayState *ds,
|
||||||
|
+ int width, int height)
|
||||||
|
{
|
||||||
|
- DisplaySurface *surface = (DisplaySurface*) g_malloc0(sizeof(DisplaySurface));
|
||||||
|
+ DisplaySurface *surface = g_new0(DisplaySurface, 1);
|
||||||
|
|
||||||
|
int linesize = width * 4;
|
||||||
|
qemu_alloc_display(surface, width, height, linesize,
|
||||||
|
@@ -1300,13 +1301,15 @@ static DisplaySurface* defaultallocator_create_displaysurface(int width, int hei
|
||||||
|
return surface;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static DisplaySurface* defaultallocator_resize_displaysurface(DisplaySurface *surface,
|
||||||
|
- int width, int height)
|
||||||
|
+DisplaySurface *qemu_resize_displaysurface(DisplayState *ds,
|
||||||
|
+ int width, int height)
|
||||||
|
{
|
||||||
|
int linesize = width * 4;
|
||||||
|
- qemu_alloc_display(surface, width, height, linesize,
|
||||||
|
+
|
||||||
|
+ trace_displaysurface_resize(ds, ds->surface, width, height);
|
||||||
|
+ qemu_alloc_display(ds->surface, width, height, linesize,
|
||||||
|
qemu_default_pixelformat(32), 0);
|
||||||
|
- return surface;
|
||||||
|
+ return ds->surface;
|
||||||
|
}
|
||||||
|
|
||||||
|
void qemu_alloc_display(DisplaySurface *surface, int width, int height,
|
||||||
|
@@ -1319,7 +1322,7 @@ void qemu_alloc_display(DisplaySurface *surface, int width, int height,
|
||||||
|
surface->pf = pf;
|
||||||
|
if (surface->flags & QEMU_ALLOCATED_FLAG) {
|
||||||
|
data = g_realloc(surface->data,
|
||||||
|
- surface->linesize * surface->height);
|
||||||
|
+ surface->linesize * surface->height);
|
||||||
|
} else {
|
||||||
|
data = g_malloc(surface->linesize * surface->height);
|
||||||
|
}
|
||||||
|
@@ -1330,7 +1333,7 @@ void qemu_alloc_display(DisplaySurface *surface, int width, int height,
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
-DisplaySurface* qemu_create_displaysurface_from(int width, int height, int bpp,
|
||||||
|
+DisplaySurface *qemu_create_displaysurface_from(int width, int height, int bpp,
|
||||||
|
int linesize, uint8_t *data)
|
||||||
|
{
|
||||||
|
DisplaySurface *surface = (DisplaySurface*) g_malloc0(sizeof(DisplaySurface));
|
||||||
|
@@ -1347,28 +1350,24 @@ DisplaySurface* qemu_create_displaysurface_from(int width, int height, int bpp,
|
||||||
|
return surface;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void defaultallocator_free_displaysurface(DisplaySurface *surface)
|
||||||
|
+void qemu_free_displaysurface(DisplayState *ds)
|
||||||
|
{
|
||||||
|
- if (surface == NULL)
|
||||||
|
+ trace_displaysurface_free(ds, ds->surface);
|
||||||
|
+ if (ds->surface == NULL) {
|
||||||
|
return;
|
||||||
|
- if (surface->flags & QEMU_ALLOCATED_FLAG)
|
||||||
|
- g_free(surface->data);
|
||||||
|
- g_free(surface);
|
||||||
|
+ }
|
||||||
|
+ if (ds->surface->flags & QEMU_ALLOCATED_FLAG) {
|
||||||
|
+ g_free(ds->surface->data);
|
||||||
|
+ }
|
||||||
|
+ g_free(ds->surface);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static struct DisplayAllocator default_allocator = {
|
||||||
|
- defaultallocator_create_displaysurface,
|
||||||
|
- defaultallocator_resize_displaysurface,
|
||||||
|
- defaultallocator_free_displaysurface
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
static void dumb_display_init(void)
|
||||||
|
{
|
||||||
|
DisplayState *ds = g_malloc0(sizeof(DisplayState));
|
||||||
|
int width = 640;
|
||||||
|
int height = 480;
|
||||||
|
|
||||||
|
- ds->allocator = &default_allocator;
|
||||||
|
if (is_fixedsize_console()) {
|
||||||
|
width = active_console->g_width;
|
||||||
|
height = active_console->g_height;
|
||||||
|
@@ -1398,18 +1397,6 @@ DisplayState *get_displaystate(void)
|
||||||
|
return display_state;
|
||||||
|
}
|
||||||
|
|
||||||
|
-DisplayAllocator *register_displayallocator(DisplayState *ds, DisplayAllocator *da)
|
||||||
|
-{
|
||||||
|
- if(ds->allocator == &default_allocator) {
|
||||||
|
- DisplaySurface *surf;
|
||||||
|
- surf = da->create_displaysurface(ds_get_width(ds), ds_get_height(ds));
|
||||||
|
- defaultallocator_free_displaysurface(ds->surface);
|
||||||
|
- ds->surface = surf;
|
||||||
|
- ds->allocator = da;
|
||||||
|
- }
|
||||||
|
- return ds->allocator;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
DisplayState *graphic_console_init(vga_hw_update_ptr update,
|
||||||
|
vga_hw_invalidate_ptr invalidate,
|
||||||
|
vga_hw_screen_dump_ptr screen_dump,
|
||||||
|
@@ -1420,7 +1407,6 @@ DisplayState *graphic_console_init(vga_hw_update_ptr update,
|
||||||
|
DisplayState *ds;
|
||||||
|
|
||||||
|
ds = (DisplayState *) g_malloc0(sizeof(DisplayState));
|
||||||
|
- ds->allocator = &default_allocator;
|
||||||
|
ds->surface = qemu_create_displaysurface(ds, 640, 480);
|
||||||
|
|
||||||
|
s = new_console(ds, GRAPHIC_CONSOLE);
|
||||||
|
diff --git a/console.h b/console.h
|
||||||
|
index 4334db5..755a537 100644
|
||||||
|
--- a/console.h
|
||||||
|
+++ b/console.h
|
||||||
|
@@ -105,7 +105,6 @@ void kbd_put_keysym(int keysym);
|
||||||
|
|
||||||
|
#define QEMU_BIG_ENDIAN_FLAG 0x01
|
||||||
|
#define QEMU_ALLOCATED_FLAG 0x02
|
||||||
|
-#define QEMU_REALPIXELS_FLAG 0x04
|
||||||
|
|
||||||
|
struct PixelFormat {
|
||||||
|
uint8_t bits_per_pixel;
|
||||||
|
@@ -165,18 +164,11 @@ struct DisplayChangeListener {
|
||||||
|
struct DisplayChangeListener *next;
|
||||||
|
};
|
||||||
|
|
||||||
|
-struct DisplayAllocator {
|
||||||
|
- DisplaySurface* (*create_displaysurface)(int width, int height);
|
||||||
|
- DisplaySurface* (*resize_displaysurface)(DisplaySurface *surface, int width, int height);
|
||||||
|
- void (*free_displaysurface)(DisplaySurface *surface);
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
struct DisplayState {
|
||||||
|
struct DisplaySurface *surface;
|
||||||
|
void *opaque;
|
||||||
|
struct QEMUTimer *gui_timer;
|
||||||
|
|
||||||
|
- struct DisplayAllocator* allocator;
|
||||||
|
struct DisplayChangeListener* listeners;
|
||||||
|
|
||||||
|
void (*mouse_set)(int x, int y, int on);
|
||||||
|
@@ -194,24 +186,11 @@ void qemu_alloc_display(DisplaySurface *surface, int width, int height,
|
||||||
|
PixelFormat qemu_different_endianness_pixelformat(int bpp);
|
||||||
|
PixelFormat qemu_default_pixelformat(int bpp);
|
||||||
|
|
||||||
|
-DisplayAllocator *register_displayallocator(DisplayState *ds, DisplayAllocator *da);
|
||||||
|
-
|
||||||
|
-static inline DisplaySurface* qemu_create_displaysurface(DisplayState *ds, int width, int height)
|
||||||
|
-{
|
||||||
|
- return ds->allocator->create_displaysurface(width, height);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static inline DisplaySurface* qemu_resize_displaysurface(DisplayState *ds, int width, int height)
|
||||||
|
-{
|
||||||
|
- trace_displaysurface_resize(ds, ds->surface, width, height);
|
||||||
|
- return ds->allocator->resize_displaysurface(ds->surface, width, height);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static inline void qemu_free_displaysurface(DisplayState *ds)
|
||||||
|
-{
|
||||||
|
- trace_displaysurface_free(ds, ds->surface);
|
||||||
|
- ds->allocator->free_displaysurface(ds->surface);
|
||||||
|
-}
|
||||||
|
+DisplaySurface *qemu_create_displaysurface(DisplayState *ds,
|
||||||
|
+ int width, int height);
|
||||||
|
+DisplaySurface *qemu_resize_displaysurface(DisplayState *ds,
|
||||||
|
+ int width, int height);
|
||||||
|
+void qemu_free_displaysurface(DisplayState *ds);
|
||||||
|
|
||||||
|
static inline int is_surface_bgr(DisplaySurface *surface)
|
||||||
|
{
|
||||||
|
@@ -223,8 +202,7 @@ static inline int is_surface_bgr(DisplaySurface *surface)
|
||||||
|
|
||||||
|
static inline int is_buffer_shared(DisplaySurface *surface)
|
||||||
|
{
|
||||||
|
- return (!(surface->flags & QEMU_ALLOCATED_FLAG) &&
|
||||||
|
- !(surface->flags & QEMU_REALPIXELS_FLAG));
|
||||||
|
+ return !(surface->flags & QEMU_ALLOCATED_FLAG);
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void register_displaychangelistener(DisplayState *ds, DisplayChangeListener *dcl)
|
||||||
|
diff --git a/qemu-common.h b/qemu-common.h
|
||||||
|
index 15d9e4e..7d6e1a9 100644
|
||||||
|
--- a/qemu-common.h
|
||||||
|
+++ b/qemu-common.h
|
||||||
|
@@ -254,7 +254,6 @@ typedef struct DriveInfo DriveInfo;
|
||||||
|
typedef struct DisplayState DisplayState;
|
||||||
|
typedef struct DisplayChangeListener DisplayChangeListener;
|
||||||
|
typedef struct DisplaySurface DisplaySurface;
|
||||||
|
-typedef struct DisplayAllocator DisplayAllocator;
|
||||||
|
typedef struct PixelFormat PixelFormat;
|
||||||
|
typedef struct TextConsole TextConsole;
|
||||||
|
typedef TextConsole QEMUConsole;
|
||||||
|
diff --git a/ui/sdl.c b/ui/sdl.c
|
||||||
|
index f6f711c..9e4a86e 100644
|
||||||
|
--- a/ui/sdl.c
|
||||||
|
+++ b/ui/sdl.c
|
||||||
|
@@ -55,7 +55,6 @@ static int absolute_enabled = 0;
|
||||||
|
static int guest_cursor = 0;
|
||||||
|
static int guest_x, guest_y;
|
||||||
|
static SDL_Cursor *guest_sprite = NULL;
|
||||||
|
-static uint8_t allocator;
|
||||||
|
static SDL_PixelFormat host_format;
|
||||||
|
static int scaling_active = 0;
|
||||||
|
static Notifier mouse_mode_notifier;
|
||||||
|
@@ -117,108 +116,13 @@ static void do_sdl_resize(int width, int height, int bpp)
|
||||||
|
|
||||||
|
static void sdl_resize(DisplayState *ds)
|
||||||
|
{
|
||||||
|
- if (!allocator) {
|
||||||
|
- if (!scaling_active)
|
||||||
|
- do_sdl_resize(ds_get_width(ds), ds_get_height(ds), 0);
|
||||||
|
- else if (real_screen->format->BitsPerPixel != ds_get_bits_per_pixel(ds))
|
||||||
|
- do_sdl_resize(real_screen->w, real_screen->h, ds_get_bits_per_pixel(ds));
|
||||||
|
- sdl_setdata(ds);
|
||||||
|
- } else {
|
||||||
|
- if (guest_screen != NULL) {
|
||||||
|
- SDL_FreeSurface(guest_screen);
|
||||||
|
- guest_screen = NULL;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static PixelFormat sdl_to_qemu_pixelformat(SDL_PixelFormat *sdl_pf)
|
||||||
|
-{
|
||||||
|
- PixelFormat qemu_pf;
|
||||||
|
-
|
||||||
|
- memset(&qemu_pf, 0x00, sizeof(PixelFormat));
|
||||||
|
-
|
||||||
|
- qemu_pf.bits_per_pixel = sdl_pf->BitsPerPixel;
|
||||||
|
- qemu_pf.bytes_per_pixel = sdl_pf->BytesPerPixel;
|
||||||
|
- qemu_pf.depth = (qemu_pf.bits_per_pixel) == 32 ? 24 : (qemu_pf.bits_per_pixel);
|
||||||
|
-
|
||||||
|
- qemu_pf.rmask = sdl_pf->Rmask;
|
||||||
|
- qemu_pf.gmask = sdl_pf->Gmask;
|
||||||
|
- qemu_pf.bmask = sdl_pf->Bmask;
|
||||||
|
- qemu_pf.amask = sdl_pf->Amask;
|
||||||
|
-
|
||||||
|
- qemu_pf.rshift = sdl_pf->Rshift;
|
||||||
|
- qemu_pf.gshift = sdl_pf->Gshift;
|
||||||
|
- qemu_pf.bshift = sdl_pf->Bshift;
|
||||||
|
- qemu_pf.ashift = sdl_pf->Ashift;
|
||||||
|
-
|
||||||
|
- qemu_pf.rbits = 8 - sdl_pf->Rloss;
|
||||||
|
- qemu_pf.gbits = 8 - sdl_pf->Gloss;
|
||||||
|
- qemu_pf.bbits = 8 - sdl_pf->Bloss;
|
||||||
|
- qemu_pf.abits = 8 - sdl_pf->Aloss;
|
||||||
|
-
|
||||||
|
- qemu_pf.rmax = ((1 << qemu_pf.rbits) - 1);
|
||||||
|
- qemu_pf.gmax = ((1 << qemu_pf.gbits) - 1);
|
||||||
|
- qemu_pf.bmax = ((1 << qemu_pf.bbits) - 1);
|
||||||
|
- qemu_pf.amax = ((1 << qemu_pf.abits) - 1);
|
||||||
|
-
|
||||||
|
- return qemu_pf;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static DisplaySurface* sdl_create_displaysurface(int width, int height)
|
||||||
|
-{
|
||||||
|
- DisplaySurface *surface = (DisplaySurface*) g_malloc0(sizeof(DisplaySurface));
|
||||||
|
-
|
||||||
|
- surface->width = width;
|
||||||
|
- surface->height = height;
|
||||||
|
-
|
||||||
|
- if (scaling_active) {
|
||||||
|
- int linesize;
|
||||||
|
- PixelFormat pf;
|
||||||
|
- if (host_format.BytesPerPixel != 2 && host_format.BytesPerPixel != 4) {
|
||||||
|
- linesize = width * 4;
|
||||||
|
- pf = qemu_default_pixelformat(32);
|
||||||
|
- } else {
|
||||||
|
- linesize = width * host_format.BytesPerPixel;
|
||||||
|
- pf = sdl_to_qemu_pixelformat(&host_format);
|
||||||
|
- }
|
||||||
|
- qemu_alloc_display(surface, width, height, linesize, pf, 0);
|
||||||
|
- return surface;
|
||||||
|
+ if (!scaling_active) {
|
||||||
|
+ do_sdl_resize(ds_get_width(ds), ds_get_height(ds), 0);
|
||||||
|
+ } else if (real_screen->format->BitsPerPixel != ds_get_bits_per_pixel(ds)) {
|
||||||
|
+ do_sdl_resize(real_screen->w, real_screen->h,
|
||||||
|
+ ds_get_bits_per_pixel(ds));
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- if (host_format.BitsPerPixel == 16)
|
||||||
|
- do_sdl_resize(width, height, 16);
|
||||||
|
- else
|
||||||
|
- do_sdl_resize(width, height, 32);
|
||||||
|
-
|
||||||
|
- surface->pf = sdl_to_qemu_pixelformat(real_screen->format);
|
||||||
|
- surface->linesize = real_screen->pitch;
|
||||||
|
- surface->data = real_screen->pixels;
|
||||||
|
-
|
||||||
|
-#ifdef HOST_WORDS_BIGENDIAN
|
||||||
|
- surface->flags = QEMU_REALPIXELS_FLAG | QEMU_BIG_ENDIAN_FLAG;
|
||||||
|
-#else
|
||||||
|
- surface->flags = QEMU_REALPIXELS_FLAG;
|
||||||
|
-#endif
|
||||||
|
- allocator = 1;
|
||||||
|
-
|
||||||
|
- return surface;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void sdl_free_displaysurface(DisplaySurface *surface)
|
||||||
|
-{
|
||||||
|
- allocator = 0;
|
||||||
|
- if (surface == NULL)
|
||||||
|
- return;
|
||||||
|
-
|
||||||
|
- if (surface->flags & QEMU_ALLOCATED_FLAG)
|
||||||
|
- g_free(surface->data);
|
||||||
|
- g_free(surface);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static DisplaySurface* sdl_resize_displaysurface(DisplaySurface *surface, int width, int height)
|
||||||
|
-{
|
||||||
|
- sdl_free_displaysurface(surface);
|
||||||
|
- return sdl_create_displaysurface(width, height);
|
||||||
|
+ sdl_setdata(ds);
|
||||||
|
}
|
||||||
|
|
||||||
|
/* generic keyboard conversion */
|
||||||
|
@@ -955,7 +859,6 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
|
||||||
|
{
|
||||||
|
int flags;
|
||||||
|
uint8_t data = 0;
|
||||||
|
- DisplayAllocator *da;
|
||||||
|
const SDL_VideoInfo *vi;
|
||||||
|
char *filename;
|
||||||
|
|
||||||
|
@@ -1029,14 +932,6 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
|
||||||
|
ds->cursor_define = sdl_mouse_define;
|
||||||
|
register_displaychangelistener(ds, dcl);
|
||||||
|
|
||||||
|
- da = g_malloc0(sizeof(DisplayAllocator));
|
||||||
|
- da->create_displaysurface = sdl_create_displaysurface;
|
||||||
|
- da->resize_displaysurface = sdl_resize_displaysurface;
|
||||||
|
- da->free_displaysurface = sdl_free_displaysurface;
|
||||||
|
- if (register_displayallocator(ds, da) == da) {
|
||||||
|
- dpy_resize(ds);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
mouse_mode_notifier.notify = sdl_mouse_mode_change;
|
||||||
|
qemu_add_mouse_mode_change_notifier(&mouse_mode_notifier);
|
||||||
|
|
|
@ -0,0 +1,121 @@
|
||||||
|
From 849967d707bb55bfbe93feae78969aaeb5e71dfd Mon Sep 17 00:00:00 2001
|
||||||
|
From: "Daniel P. Berrange" <berrange@redhat.com>
|
||||||
|
Date: Tue, 19 Mar 2013 11:20:20 +0000
|
||||||
|
Subject: [PATCH] Add -f FMT / --format FMT arg to qemu-nbd
|
||||||
|
|
||||||
|
Currently the qemu-nbd program will auto-detect the format of
|
||||||
|
any disk it is given. This behaviour is known to be insecure.
|
||||||
|
For example, if qemu-nbd initially exposes a 'raw' file to an
|
||||||
|
unprivileged app, and that app runs
|
||||||
|
|
||||||
|
'qemu-img create -f qcow2 -o backing_file=/etc/shadow /dev/nbd0'
|
||||||
|
|
||||||
|
then the next time the app is started, the qemu-nbd will now
|
||||||
|
detect it as a 'qcow2' file and expose /etc/shadow to the
|
||||||
|
unprivileged app.
|
||||||
|
|
||||||
|
The only way to avoid this is to explicitly tell qemu-nbd what
|
||||||
|
disk format to use on the command line, completely disabling
|
||||||
|
auto-detection. This patch adds a '-f' / '--format' arg for
|
||||||
|
this purpose, mirroring what is already available via qemu-img
|
||||||
|
and qemu commands.
|
||||||
|
|
||||||
|
qemu-nbd --format raw -p 9000 evil.img
|
||||||
|
|
||||||
|
will now always use raw, regardless of what format 'evil.img'
|
||||||
|
looks like it contains
|
||||||
|
|
||||||
|
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
|
||||||
|
[Use errx, not err. - Paolo]
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
|
||||||
|
(cherry picked from commit e6b636779b51c97e67694be740ee972c52460c59)
|
||||||
|
|
||||||
|
Conflicts:
|
||||||
|
qemu-nbd.c
|
||||||
|
---
|
||||||
|
qemu-nbd.c | 20 ++++++++++++++++++--
|
||||||
|
qemu-nbd.texi | 2 ++
|
||||||
|
2 files changed, 20 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/qemu-nbd.c b/qemu-nbd.c
|
||||||
|
index 1c1cf6a..abf654e 100644
|
||||||
|
--- a/qemu-nbd.c
|
||||||
|
+++ b/qemu-nbd.c
|
||||||
|
@@ -291,6 +291,7 @@ static void nbd_accept(void *opaque)
|
||||||
|
int main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
BlockDriverState *bs;
|
||||||
|
+ BlockDriver *drv;
|
||||||
|
off_t dev_offset = 0;
|
||||||
|
uint32_t nbdflags = 0;
|
||||||
|
bool disconnect = false;
|
||||||
|
@@ -298,7 +299,7 @@ int main(int argc, char **argv)
|
||||||
|
char *device = NULL;
|
||||||
|
int port = NBD_DEFAULT_PORT;
|
||||||
|
off_t fd_size;
|
||||||
|
- const char *sopt = "hVb:o:p:rsnP:c:dvk:e:t";
|
||||||
|
+ const char *sopt = "hVb:o:p:rsnP:c:dvk:e:f:t";
|
||||||
|
struct option lopt[] = {
|
||||||
|
{ "help", 0, NULL, 'h' },
|
||||||
|
{ "version", 0, NULL, 'V' },
|
||||||
|
@@ -317,6 +318,7 @@ int main(int argc, char **argv)
|
||||||
|
{ "aio", 1, NULL, QEMU_NBD_OPT_AIO },
|
||||||
|
#endif
|
||||||
|
{ "shared", 1, NULL, 'e' },
|
||||||
|
+ { "format", 1, NULL, 'f' },
|
||||||
|
{ "persistent", 0, NULL, 't' },
|
||||||
|
{ "verbose", 0, NULL, 'v' },
|
||||||
|
{ NULL, 0, NULL, 0 }
|
||||||
|
@@ -335,6 +337,7 @@ int main(int argc, char **argv)
|
||||||
|
bool seen_aio = false;
|
||||||
|
#endif
|
||||||
|
pthread_t client_thread;
|
||||||
|
+ const char *fmt = NULL;
|
||||||
|
|
||||||
|
/* The client thread uses SIGTERM to interrupt the server. A signal
|
||||||
|
* handler ensures that "qemu-nbd -v -c" exits with a nice status code.
|
||||||
|
@@ -429,6 +432,9 @@ int main(int argc, char **argv)
|
||||||
|
errx(EXIT_FAILURE, "Shared device number must be greater than 0\n");
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
+ case 'f':
|
||||||
|
+ fmt = optarg;
|
||||||
|
+ break;
|
||||||
|
case 't':
|
||||||
|
persistent = 1;
|
||||||
|
break;
|
||||||
|
@@ -529,9 +535,19 @@ int main(int argc, char **argv)
|
||||||
|
bdrv_init();
|
||||||
|
atexit(bdrv_close_all);
|
||||||
|
|
||||||
|
+ if (fmt) {
|
||||||
|
+ drv = bdrv_find_format(fmt);
|
||||||
|
+ if (!drv) {
|
||||||
|
+ errx(EXIT_FAILURE, "Unknown file format '%s'", fmt);
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ drv = NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
bs = bdrv_new("hda");
|
||||||
|
srcpath = argv[optind];
|
||||||
|
- if ((ret = bdrv_open(bs, srcpath, flags, NULL)) < 0) {
|
||||||
|
+ ret = bdrv_open(bs, srcpath, flags, drv);
|
||||||
|
+ if (ret < 0) {
|
||||||
|
errno = -ret;
|
||||||
|
err(EXIT_FAILURE, "Failed to bdrv_open '%s'", argv[optind]);
|
||||||
|
}
|
||||||
|
diff --git a/qemu-nbd.texi b/qemu-nbd.texi
|
||||||
|
index 6955d90..70abfeb 100644
|
||||||
|
--- a/qemu-nbd.texi
|
||||||
|
+++ b/qemu-nbd.texi
|
||||||
|
@@ -36,6 +36,8 @@ Export QEMU disk image using NBD protocol.
|
||||||
|
disconnect the specified device
|
||||||
|
@item -e, --shared=@var{num}
|
||||||
|
device can be shared by @var{num} clients (default @samp{1})
|
||||||
|
+@item -f, --format=@var{fmt}
|
||||||
|
+ force block driver for format @var{fmt} instead of auto-detecting
|
||||||
|
@item -t, --persistent
|
||||||
|
don't exit on the last connection
|
||||||
|
@item -v, --verbose
|
22
qemu.spec
22
qemu.spec
|
@ -109,7 +109,7 @@
|
||||||
Summary: QEMU is a FAST! processor emulator
|
Summary: QEMU is a FAST! processor emulator
|
||||||
Name: qemu
|
Name: qemu
|
||||||
Version: 1.2.2
|
Version: 1.2.2
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: GPLv2+ and LGPLv2+ and BSD
|
License: GPLv2+ and LGPLv2+ and BSD
|
||||||
|
@ -549,6 +549,13 @@ Patch0717: 0717-qxl-Add-rom_size-compat-property-fix-migration-from-.patch
|
||||||
Patch0718: 0718-ehci-Don-t-access-packet-after-freeing-it.patch
|
Patch0718: 0718-ehci-Don-t-access-packet-after-freeing-it.patch
|
||||||
Patch0719: 0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
|
Patch0719: 0719-ehci-Fixup-q-qtdaddr-after-cancelling-an-already-com.patch
|
||||||
Patch0720: 0720-ehci_free_packet-Discard-finished-packets-when-the-q.patch
|
Patch0720: 0720-ehci_free_packet-Discard-finished-packets-when-the-q.patch
|
||||||
|
# Fix booting 3.8 kernels with qemu-system-arm (bz #922796)
|
||||||
|
Patch0721: 0721-hw-arm_sysctl-Clear-sysctl-cfgctrl-start-bit.patch
|
||||||
|
# Fix crash with -vga qxl, sdl, and F19 guest (bz #949126)
|
||||||
|
Patch0722: 0722-console-remove-DisplayAllocator.patch
|
||||||
|
# CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz
|
||||||
|
# #952574, bz #923219)
|
||||||
|
Patch0723: 0723-Add-f-FMT-format-FMT-arg-to-qemu-nbd.patch
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: SDL-devel
|
BuildRequires: SDL-devel
|
||||||
|
@ -1385,6 +1392,13 @@ CAC emulation development files.
|
||||||
%patch0718 -p1
|
%patch0718 -p1
|
||||||
%patch0719 -p1
|
%patch0719 -p1
|
||||||
%patch0720 -p1
|
%patch0720 -p1
|
||||||
|
# Fix booting 3.8 kernels with qemu-system-arm (bz #922796)
|
||||||
|
%patch0721 -p1
|
||||||
|
# Fix crash with -vga qxl, sdl, and F19 guest (bz #949126)
|
||||||
|
%patch0722 -p1
|
||||||
|
# CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz
|
||||||
|
# #952574, bz #923219)
|
||||||
|
%patch0723 -p1
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
@ -1994,6 +2008,12 @@ getent passwd qemu >/dev/null || \
|
||||||
%{_libdir}/pkgconfig/libcacard.pc
|
%{_libdir}/pkgconfig/libcacard.pc
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Apr 20 2013 Cole Robinson <crobinso@redhat.com> - 2:1.2.2-11
|
||||||
|
- Fix booting 3.8 kernels with qemu-system-arm (bz #922796)
|
||||||
|
- Fix crash with -vga qxl, sdl, and F19 guest (bz #949126)
|
||||||
|
- CVE-2013-1922: qemu-nbd block format auto-detection vulnerability (bz
|
||||||
|
#952574, bz #923219)
|
||||||
|
|
||||||
* Mon Apr 08 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-10
|
* Mon Apr 08 2013 Hans de Goede <hdegoede@redhat.com> - 2:1.2.2-10
|
||||||
- Add an extra patch to really fix (bz #890320)
|
- Add an extra patch to really fix (bz #890320)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue