rpms
/
qemu
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to qemu 2.1-rc0

This commit is contained in:
Cole Robinson 2014-07-04 15:08:59 -04:00
parent 0410ae29c0
commit ad339ad339
44 changed files with 21 additions and 3197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -29,3 +29,4 @@ qemu-kvm-0.13.0-25fdf4a.tar.gz
/qemu-2.0.0-rc0.tar.bz2
/qemu-2.0.0-rc3.tar.bz2
/qemu-2.0.0.tar.bz2
/qemu-2.1.0-rc0.tar.bz2

37
0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
View File

@ -1,37 +0,0 @@
From 9d8e4e500dca987531be3666422f17c9486940b2 Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Wed, 19 Mar 2014 14:57:27 -0400
Subject: [PATCH] Change gtk quit accelerator to ctrl+shift+q (bz 1062393)
Similar patches queued for 2.1
---
ui/gtk.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ui/gtk.c b/ui/gtk.c
index 00fbbcc..264326a 100644
--- a/ui/gtk.c
+++ b/ui/gtk.c
@@ -1351,7 +1351,6 @@ static GtkWidget *gd_create_menu_machine(GtkDisplayState *s, GtkAccelGroup *acce
{
GtkWidget *machine_menu;
GtkWidget *separator;
- GtkStockItem item;
machine_menu = gtk_menu_new();
gtk_menu_set_accel_group(GTK_MENU(machine_menu), accel_group);
@@ -1371,11 +1370,11 @@ static GtkWidget *gd_create_menu_machine(GtkDisplayState *s, GtkAccelGroup *acce
separator = gtk_separator_menu_item_new();
gtk_menu_shell_append(GTK_MENU_SHELL(machine_menu), separator);
- s->quit_item = gtk_image_menu_item_new_from_stock(GTK_STOCK_QUIT, NULL);
- gtk_stock_lookup(GTK_STOCK_QUIT, &item);
+ s->quit_item = gtk_menu_item_new_with_mnemonic(_("_Quit"));
gtk_menu_item_set_accel_path(GTK_MENU_ITEM(s->quit_item),
"<QEMU>/Machine/Quit");
- gtk_accel_map_add_entry("<QEMU>/Machine/Quit", item.keyval, item.modifier);
+ gtk_accel_map_add_entry("<QEMU>/Machine/Quit",
+ GDK_KEY_q, HOTKEY_MODIFIERS);
gtk_menu_shell_append(GTK_MENU_SHELL(machine_menu), s->quit_item);
return machine_menu;

57
0002-vmstate-add-VMS_MUST_EXIST.patch
View File

@ -1,57 +0,0 @@
From 105071cc70a454680e6bf11e2d9d7b73c7ce7491 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:31 +0300
Subject: [PATCH] vmstate: add VMS_MUST_EXIST
Can be used to verify a required field exists or validate
state in some other way.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1)
---
include/migration/vmstate.h | 1 +
vmstate.c | 10 ++++++++++
2 files changed, 11 insertions(+)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index e7e1705..de970ab 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -100,6 +100,7 @@ enum VMStateFlags {
VMS_MULTIPLY = 0x200, /* multiply "size" field by field_size */
VMS_VARRAY_UINT8 = 0x400, /* Array with size in uint8_t field*/
VMS_VARRAY_UINT32 = 0x800, /* Array with size in uint32_t field*/
+ VMS_MUST_EXIST = 0x1000, /* Field must exist in input */
};
typedef struct {
diff --git a/vmstate.c b/vmstate.c
index b689f2f..d856319 100644
--- a/vmstate.c
+++ b/vmstate.c
@@ -78,6 +78,10 @@ int vmstate_load_state(QEMUFile *f, const VMStateDescription *vmsd,
return ret;
}
}
+ } else if (field->flags & VMS_MUST_EXIST) {
+ fprintf(stderr, "Input validation failed: %s/%s\n",
+ vmsd->name, field->name);
+ return -1;
}
field++;
}
@@ -138,6 +142,12 @@ void vmstate_save_state(QEMUFile *f, const VMStateDescription *vmsd,
field->info->put(f, addr, size);
}
}
+ } else {
+ if (field->flags & VMS_MUST_EXIST) {
+ fprintf(stderr, "Output state validation failed: %s/%s\n",
+ vmsd->name, field->name);
+ assert(!(field->flags & VMS_MUST_EXIST));
+ }
}
field++;
}

33
0003-vmstate-add-VMSTATE_VALIDATE.patch
View File

@ -1,33 +0,0 @@
From d9e0cb134eefe5104b404b91eaf969a2cd74bd9f Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:35 +0300
Subject: [PATCH] vmstate: add VMSTATE_VALIDATE
Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4082f0889ba04678fc14816c53e1b9251ea9207e)
---
include/migration/vmstate.h | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index de970ab..5b71370 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -204,6 +204,14 @@ extern const VMStateInfo vmstate_info_bitmap;
.offset = vmstate_offset_value(_state, _field, _type), \
}
+/* Validate state using a boolean predicate. */
+#define VMSTATE_VALIDATE(_name, _test) { \
+ .name = (_name), \
+ .field_exists = (_test), \
+ .flags = VMS_ARRAY | VMS_MUST_EXIST, \
+ .num = 0, /* 0 elements: no data, only run _test */ \
+}
+
#define VMSTATE_POINTER(_field, _state, _version, _info, _type) { \
.name = (stringify(_field)), \
.version_id = (_version), \

59
0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
View File

@ -1,59 +0,0 @@
From ea96c6a9c91da1923aa922a781fd7abbf9f51b6c Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:39 +0300
Subject: [PATCH] virtio-net: fix buffer overflow on invalid state load
CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c
Deals with loading a corrupted savevm image.
> n->mac_table.in_use = qemu_get_be32(f);
in_use is int so it can get negative when assigned 32bit unsigned value.
> /* MAC_TABLE_ENTRIES may be different from the saved image */
> if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
passing this check ^^^
> qemu_get_buffer(f, n->mac_table.macs,
> n->mac_table.in_use * ETH_ALEN);
with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.
Fix it by making the value unsigned.
For consistency, change first_multi as well.
Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 71f7fe48e10a8437c9d42d859389f37157f59980)
---
include/hw/virtio/virtio-net.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/hw/virtio/virtio-net.h b/include/hw/virtio/virtio-net.h
index df60f16..4b32440 100644
--- a/include/hw/virtio/virtio-net.h
+++ b/include/hw/virtio/virtio-net.h
@@ -176,8 +176,8 @@ typedef struct VirtIONet {
uint8_t nobcast;
uint8_t vhost_started;
struct {
- int in_use;
- int first_multi;
+ uint32_t in_use;
+ uint32_t first_multi;
uint8_t multi_overflow;
uint8_t uni_overflow;
uint8_t *macs;

55
0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
View File

@ -1,55 +0,0 @@
From 9229c44bfa3549085ac68265d9be95a8552c4fa4 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:50:56 +0300
Subject: [PATCH] virtio-net: out-of-bounds buffer write on invalid state load
CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
if (n->max_queues > 1) {
if (n->max_queues != qemu_get_be16(f)) {
error_report("virtio-net: different max_queues ");
return -1;
}
n->curr_queues = qemu_get_be16(f);
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}
}
Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.
This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit eea750a5623ddac7a61982eec8f1c93481857578)
---
hw/net/virtio-net.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 33bd233..0a8cb40 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1407,6 +1407,11 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
}
n->curr_queues = qemu_get_be16(f);
+ if (n->curr_queues > n->max_queues) {
+ error_report("virtio-net: curr_queues %x > max_queues %x",
+ n->curr_queues, n->max_queues);
+ return -1;
+ }
for (i = 1; i < n->curr_queues; i++) {
n->vqs[i].tx_waiting = qemu_get_be32(f);
}

52
0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
View File

@ -1,52 +0,0 @@
From 23f0db5c309893195025bc75402f3f9e1b4de743 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:14 +0300
Subject: [PATCH] virtio: out-of-bounds buffer write on invalid state load
CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
virtio_load@hw/virtio/virtio.c
So we have this code since way back when:
num = qemu_get_be32(f);
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit cc45995294b92d95319b4782750a3580cabdbc0c)
---
hw/virtio/virtio.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index aeabf3a..05f05e7 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -891,7 +891,8 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
- int num, i, ret;
+ int i, ret;
+ uint32_t num;
uint32_t features;
uint32_t supported_features;
BusState *qbus = qdev_get_parent_bus(DEVICE(vdev));
@@ -919,6 +920,11 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
num = qemu_get_be32(f);
+ if (num > VIRTIO_PCI_QUEUE_MAX) {
+ error_report("Invalid number of PCI queues: 0x%x", num);
+ return -1;
+ }
+
for (i = 0; i < num; i++) {
vdev->vq[i].vring.num = qemu_get_be32(f);
if (k->has_variable_vring_alignment) {

36
0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch
View File

@ -1,36 +0,0 @@
From 95fa012ed61e1e8b88d701b8f75b38dc5edb16e2 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:18 +0300
Subject: [PATCH] ahci: fix buffer overrun on invalid state load
CVE-2013-4526
Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded. So
we use the old version of ports to read the array but then allow any
value for ports. This can cause the code to overflow.
There's no reason to migrate ports - it never changes.
So just make sure it matches.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5)
---
hw/ide/ahci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/ide/ahci.c b/hw/ide/ahci.c
index bfe633f..457a7a1 100644
--- a/hw/ide/ahci.c
+++ b/hw/ide/ahci.c
@@ -1293,7 +1293,7 @@ const VMStateDescription vmstate_ahci = {
VMSTATE_UINT32(control_regs.impl, AHCIState),
VMSTATE_UINT32(control_regs.version, AHCIState),
VMSTATE_UINT32(idp_index, AHCIState),
- VMSTATE_INT32(ports, AHCIState),
+ VMSTATE_INT32_EQUAL(ports, AHCIState),
VMSTATE_END_OF_LIST()
},
};

51
0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch
View File

@ -1,51 +0,0 @@
From 5e0e0a12887c9e70356c23d20b08b08eabd4a6df Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:23 +0300
Subject: [PATCH] hpet: fix buffer overrun on invalid state load
CVE-2013-4527 hw/timer/hpet.c buffer overrun
hpet is a VARRAY with a uint8 size but static array of 32
To fix, make sure num_timers is valid using VMSTATE_VALID hook.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3f1c49e2136fa08ab1ef3183fd55def308829584)
---
hw/timer/hpet.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/hw/timer/hpet.c b/hw/timer/hpet.c
index e15d6bc..2792f89 100644
--- a/hw/timer/hpet.c
+++ b/hw/timer/hpet.c
@@ -239,6 +239,18 @@ static int hpet_pre_load(void *opaque)
return 0;
}
+static bool hpet_validate_num_timers(void *opaque, int version_id)
+{
+ HPETState *s = opaque;
+
+ if (s->num_timers < HPET_MIN_TIMERS) {
+ return false;
+ } else if (s->num_timers > HPET_MAX_TIMERS) {
+ return false;
+ }
+ return true;
+}
+
static int hpet_post_load(void *opaque, int version_id)
{
HPETState *s = opaque;
@@ -307,6 +319,7 @@ static const VMStateDescription vmstate_hpet = {
VMSTATE_UINT64(isr, HPETState),
VMSTATE_UINT64(hpet_counter, HPETState),
VMSTATE_UINT8_V(num_timers, HPETState, 2),
+ VMSTATE_VALIDATE("num_timers in range", hpet_validate_num_timers),
VMSTATE_STRUCT_VARRAY_UINT8(timer, HPETState, num_timers, 0,
vmstate_hpet_timer, HPETTimer),
VMSTATE_END_OF_LIST()

55
0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
View File

@ -1,55 +0,0 @@
From b6f53085cc618bc7e58be702afacad1b5dcae5ba Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:31 +0300
Subject: [PATCH] hw/pci/pcie_aer.c: fix buffer overruns on invalid state load
4) CVE-2013-4529
hw/pci/pcie_aer.c pcie aer log can overrun the buffer if log_num is
too large
There are two issues in this file:
1. log_max from remote can be larger than on local
then buffer will overrun with data coming from state file.
2. log_num can be larger then we get data corruption
again with an overflow but not adversary controlled.
Fix both issues.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5f691ff91d323b6f97c6600405a7f9dc115a0ad1)
---
hw/pci/pcie_aer.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/hw/pci/pcie_aer.c b/hw/pci/pcie_aer.c
index 991502e..535be2c 100644
--- a/hw/pci/pcie_aer.c
+++ b/hw/pci/pcie_aer.c
@@ -795,6 +795,13 @@ static const VMStateDescription vmstate_pcie_aer_err = {
}
};
+static bool pcie_aer_state_log_num_valid(void *opaque, int version_id)
+{
+ PCIEAERLog *s = opaque;
+
+ return s->log_num <= s->log_max;
+}
+
const VMStateDescription vmstate_pcie_aer_log = {
.name = "PCIE_AER_ERROR_LOG",
.version_id = 1,
@@ -802,7 +809,8 @@ const VMStateDescription vmstate_pcie_aer_log = {
.minimum_version_id_old = 1,
.fields = (VMStateField[]) {
VMSTATE_UINT16(log_num, PCIEAERLog),
- VMSTATE_UINT16(log_max, PCIEAERLog),
+ VMSTATE_UINT16_EQUAL(log_max, PCIEAERLog),
+ VMSTATE_VALIDATE("log_num <= log_max", pcie_aer_state_log_num_valid),
VMSTATE_STRUCT_VARRAY_POINTER_UINT16(log, PCIEAERLog, log_num,
vmstate_pcie_aer_err, PCIEAERErr),
VMSTATE_END_OF_LIST()

50
0010-pl022-fix-buffer-overun-on-invalid-state-load.patch
View File

@ -1,50 +0,0 @@
From 872fc04ecd90e0ca4d8ac4565b3a9f246c070873 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:35 +0300
Subject: [PATCH] pl022: fix buffer overun on invalid state load
CVE-2013-4530
pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.
Reported-by: Michael S. Tsirkin <mst@redhat.com
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d8d0a0bc7e194300e53a346d25fe5724fd588387)
---
hw/ssi/pl022.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/hw/ssi/pl022.c b/hw/ssi/pl022.c
index fd479ef..b19bc71 100644
--- a/hw/ssi/pl022.c
+++ b/hw/ssi/pl022.c
@@ -240,11 +240,25 @@ static const MemoryRegionOps pl022_ops = {
.endianness = DEVICE_NATIVE_ENDIAN,
};
+static int pl022_post_load(void *opaque, int version_id)
+{
+ PL022State *s = opaque;
+
+ if (s->tx_fifo_head < 0 ||
+ s->tx_fifo_head >= ARRAY_SIZE(s->tx_fifo) ||
+ s->rx_fifo_head < 0 ||
+ s->rx_fifo_head >= ARRAY_SIZE(s->rx_fifo)) {
+ return -1;
+ }
+ return 0;
+}
+
static const VMStateDescription vmstate_pl022 = {
.name = "pl022_ssp",
.version_id = 1,
.minimum_version_id = 1,
.minimum_version_id_old = 1,
+ .post_load = pl022_post_load,
.fields = (VMStateField[]) {
VMSTATE_UINT32(cr0, PL022State),
VMSTATE_UINT32(cr1, PL022State),

52
0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
View File

@ -1,52 +0,0 @@
From acf45756e165664f6d70025c02ddca563adee496 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:42 +0300
Subject: [PATCH] vmstate: fix buffer overflow in target-arm/machine.c
CVE-2013-4531
cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.
VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.
Fix this macro to valide the value appropriately.
The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.
Reported-by: Anthony Liguori <anthony@codemonkey.ws>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62)
---
vmstate.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/vmstate.c b/vmstate.c
index d856319..105f184 100644
--- a/vmstate.c
+++ b/vmstate.c
@@ -333,8 +333,9 @@ const VMStateInfo vmstate_info_int32_equal = {
.put = put_int32,
};
-/* 32 bit int. Check that the received value is less than or equal to
- the one in the field */
+/* 32 bit int. Check that the received value is non-negative
+ * and less than or equal to the one in the field.
+ */
static int get_int32_le(QEMUFile *f, void *pv, size_t size)
{
@@ -342,7 +343,7 @@ static int get_int32_le(QEMUFile *f, void *pv, size_t size)
int32_t loaded;
qemu_get_sbe32s(f, &loaded);
- if (loaded <= *cur) {
+ if (loaded >= 0 && loaded <= *cur) {
*cur = loaded;
return 0;
}

40
0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch
View File

@ -1,40 +0,0 @@
From 9b5cc034e1ed5b2ebc133029d4f865f186c6b895 Mon Sep 17 00:00:00 2001
From: Michael Roth <mdroth@linux.vnet.ibm.com>
Date: Thu, 3 Apr 2014 19:51:46 +0300
Subject: [PATCH] virtio: avoid buffer overrun on incoming migration
CVE-2013-6399
vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.
Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1)
---
hw/virtio/virtio.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 05f05e7..0072542 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -907,6 +907,9 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
qemu_get_8s(f, &vdev->status);
qemu_get_8s(f, &vdev->isr);
qemu_get_be16s(f, &vdev->queue_sel);
+ if (vdev->queue_sel >= VIRTIO_PCI_QUEUE_MAX) {
+ return -1;
+ }
qemu_get_be32s(f, &features);
if (virtio_set_features(vdev, features) < 0) {

41
0013-virtio-validate-num_sg-when-mapping.patch
View File

@ -1,41 +0,0 @@
From f1344659fd93ea0dfb9d8d1af25993e57584c773 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:53 +0300
Subject: [PATCH] virtio: validate num_sg when mapping
CVE-2013-4535
CVE-2013-4536
Both virtio-block and virtio-serial read,
VirtQueueElements are read in as buffers, and passed to
virtqueue_map_sg(), where num_sg is taken from the wire and can force
writes to indicies beyond VIRTQUEUE_MAX_SIZE.
To fix, validate num_sg.
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 36cf2a37132c7f01fa9adb5f95f5312b27742fd4)
---
hw/virtio/virtio.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 0072542..a70169a 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -430,6 +430,12 @@ void virtqueue_map_sg(struct iovec *sg, hwaddr *addr,
unsigned int i;
hwaddr len;
+ if (num_sg >= VIRTQUEUE_MAX_SIZE) {
+ error_report("virtio: map attempt out of bounds: %zd > %d",
+ num_sg, VIRTQUEUE_MAX_SIZE);
+ exit(1);
+ }
+
for (i = 0; i < num_sg; i++) {
len = sg[i].iov_len;
sg[i].iov_base = cpu_physical_memory_map(addr[i], &len, is_write);

51
0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch
View File

@ -1,51 +0,0 @@
From 43b30dec4d07aa81ff5f2dc3b0a064fa589fd3af Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:51:57 +0300
Subject: [PATCH] pxa2xx: avoid buffer overrun on incoming migration
CVE-2013-4533
s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.
Fix this by validating rx_level against the size of s->rx_fifo.
Cc: Don Koch <dkoch@verizon.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Don Koch <dkoch@verizon.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit caa881abe0e01f9931125a0977ec33c5343e4aa7)
---
hw/arm/pxa2xx.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/hw/arm/pxa2xx.c b/hw/arm/pxa2xx.c
index 0429148..e0cd847 100644
--- a/hw/arm/pxa2xx.c
+++ b/hw/arm/pxa2xx.c
@@ -732,7 +732,7 @@ static void pxa2xx_ssp_save(QEMUFile *f, void *opaque)
static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
{
PXA2xxSSPState *s = (PXA2xxSSPState *) opaque;
- int i;
+ int i, v;
s->enable = qemu_get_be32(f);
@@ -746,7 +746,11 @@ static int pxa2xx_ssp_load(QEMUFile *f, void *opaque, int version_id)
qemu_get_8s(f, &s->ssrsa);
qemu_get_8s(f, &s->ssacd);
- s->rx_level = qemu_get_byte(f);
+ v = qemu_get_byte(f);
+ if (v < 0 || v > ARRAY_SIZE(s->rx_fifo)) {
+ return -EINVAL;
+ }
+ s->rx_level = v;
s->rx_start = 0;
for (i = 0; i < s->rx_level; i ++)
s->rx_fifo[i] = qemu_get_byte(f);

77
0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch
View File

@ -1,77 +0,0 @@
From 0cbd8c5754d6f56b53717e92353772777a799b87 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:05 +0300
Subject: [PATCH] ssd0323: fix buffer overun on invalid state load
CVE-2013-4538
s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indicies into
framebuffer array.
To fix validate after load.
Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.
For completeness, validate mode as well.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit ead7a57df37d2187813a121308213f41591bd811)
---
hw/display/ssd0323.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/hw/display/ssd0323.c b/hw/display/ssd0323.c
index 971152e..9727007 100644
--- a/hw/display/ssd0323.c
+++ b/hw/display/ssd0323.c
@@ -312,18 +312,42 @@ static int ssd0323_load(QEMUFile *f, void *opaque, int version_id)
return -EINVAL;
s->cmd_len = qemu_get_be32(f);
+ if (s->cmd_len < 0 || s->cmd_len > ARRAY_SIZE(s->cmd_data)) {
+ return -EINVAL;
+ }
s->cmd = qemu_get_be32(f);
for (i = 0; i < 8; i++)
s->cmd_data[i] = qemu_get_be32(f);
s->row = qemu_get_be32(f);
+ if (s->row < 0 || s->row >= 80) {
+ return -EINVAL;
+ }
s->row_start = qemu_get_be32(f);
+ if (s->row_start < 0 || s->row_start >= 80) {
+ return -EINVAL;
+ }
s->row_end = qemu_get_be32(f);
+ if (s->row_end < 0 || s->row_end >= 80) {
+ return -EINVAL;
+ }
s->col = qemu_get_be32(f);
+ if (s->col < 0 || s->col >= 64) {
+ return -EINVAL;
+ }
s->col_start = qemu_get_be32(f);
+ if (s->col_start < 0 || s->col_start >= 64) {
+ return -EINVAL;
+ }
s->col_end = qemu_get_be32(f);
+ if (s->col_end < 0 || s->col_end >= 64) {
+ return -EINVAL;
+ }
s->redraw = qemu_get_be32(f);
s->remap = qemu_get_be32(f);
s->mode = qemu_get_be32(f);
+ if (s->mode != SSD0323_CMD && s->mode != SSD0323_DATA) {
+ return -EINVAL;
+ }
qemu_get_buffer(f, s->framebuffer, sizeof(s->framebuffer));
ss->cs = qemu_get_be32(f);

50
0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
View File

@ -1,50 +0,0 @@
From 984fcc9ad2abc4429422c045d68e17f1eb1fa4b2 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:09 +0300
Subject: [PATCH] tsc210x: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4539
s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.
Validate after load to avoid buffer overrun.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 5193be3be35f29a35bc465036cd64ad60d43385f)
---
hw/input/tsc210x.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/hw/input/tsc210x.c b/hw/input/tsc210x.c
index 485c9e5..aa5b688 100644
--- a/hw/input/tsc210x.c
+++ b/hw/input/tsc210x.c
@@ -1070,9 +1070,21 @@ static int tsc210x_load(QEMUFile *f, void *opaque, int version_id)
s->enabled = qemu_get_byte(f);
s->host_mode = qemu_get_byte(f);
s->function = qemu_get_byte(f);
+ if (s->function < 0 || s->function >= ARRAY_SIZE(mode_regs)) {
+ return -EINVAL;
+ }
s->nextfunction = qemu_get_byte(f);
+ if (s->nextfunction < 0 || s->nextfunction >= ARRAY_SIZE(mode_regs)) {
+ return -EINVAL;
+ }
s->precision = qemu_get_byte(f);
+ if (s->precision < 0 || s->precision >= ARRAY_SIZE(resolution)) {
+ return -EINVAL;
+ }
s->nextprecision = qemu_get_byte(f);
+ if (s->nextprecision < 0 || s->nextprecision >= ARRAY_SIZE(resolution)) {
+ return -EINVAL;
+ }
s->filter = qemu_get_byte(f);
s->pin_func = qemu_get_byte(f);
s->ref = qemu_get_byte(f);

54
0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch
View File

@ -1,54 +0,0 @@
From 985b046012f258fd5a2164fb85e9d792f574697c Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:13 +0300
Subject: [PATCH] zaurus: fix buffer overrun on invalid state load
CVE-2013-4540
Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.
Since prev_level comes from wire indirectly, this can
happen on invalid state load.
Similarly for gpio_level and gpio_dir.
To fix, limit to 16 bit.
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 52f91c3723932f8340fe36c8ec8b18a757c37b2b)
---
hw/gpio/zaurus.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/gpio/zaurus.c b/hw/gpio/zaurus.c
index dc79a8b..8e2ce04 100644
--- a/hw/gpio/zaurus.c
+++ b/hw/gpio/zaurus.c
@@ -203,6 +203,15 @@ static bool is_version_0 (void *opaque, int version_id)
return version_id == 0;
}
+static bool vmstate_scoop_validate(void *opaque, int version_id)
+{
+ ScoopInfo *s = opaque;
+
+ return !(s->prev_level & 0xffff0000) &&
+ !(s->gpio_level & 0xffff0000) &&
+ !(s->gpio_dir & 0xffff0000);
+}
+
static const VMStateDescription vmstate_scoop_regs = {
.name = "scoop",
.version_id = 1,
@@ -215,6 +224,7 @@ static const VMStateDescription vmstate_scoop_regs = {
VMSTATE_UINT32(gpio_level, ScoopInfo),
VMSTATE_UINT32(gpio_dir, ScoopInfo),
VMSTATE_UINT32(prev_level, ScoopInfo),
+ VMSTATE_VALIDATE("irq levels are 16 bit", vmstate_scoop_validate),
VMSTATE_UINT16(mcr, ScoopInfo),
VMSTATE_UINT16(cdr, ScoopInfo),
VMSTATE_UINT16(ccr, ScoopInfo),

67
0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
View File

@ -1,67 +0,0 @@
From 579bb2000dbcd8a415660e76d31f521d87ac1302 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:17 +0300
Subject: [PATCH] virtio-scsi: fix buffer overrun on invalid state load
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2013-4542
hw/scsi/scsi-bus.c invokes load_request.
virtio_scsi_load_request does:
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
this probably can make elem invalid, for example,
make in_num or out_num huge, then:
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
will do:
if (req->elem.out_num > 1) {
qemu_sgl_init_external(req, &req->elem.out_sg[1],
&req->elem.out_addr[1],
req->elem.out_num - 1);
} else {
qemu_sgl_init_external(req, &req->elem.in_sg[1],
&req->elem.in_addr[1],
req->elem.in_num - 1);
}
and this will access out of array bounds.
Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.
Cc: Andreas Färber <afaerber@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3c3ce981423e0d6c18af82ee62f1850c2cda5976)
---
hw/scsi/virtio-scsi.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/scsi/virtio-scsi.c b/hw/scsi/virtio-scsi.c
index b0d7517..1752193 100644
--- a/hw/scsi/virtio-scsi.c
+++ b/hw/scsi/virtio-scsi.c
@@ -147,6 +147,15 @@ static void *virtio_scsi_load_request(QEMUFile *f, SCSIRequest *sreq)
qemu_get_be32s(f, &n);
assert(n < vs->conf.num_queues);
qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));
+ /* TODO: add a way for SCSIBusInfo's load_request to fail,
+ * and fail migration instead of asserting here.
+ * When we do, we might be able to re-enable NDEBUG below.
+ */
+#ifdef NDEBUG
+#error building with NDEBUG is not supported
+#endif
+ assert(req->elem.in_num <= ARRAY_SIZE(req->elem.in_sg));
+ assert(req->elem.out_num <= ARRAY_SIZE(req->elem.out_sg));
virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);
scsi_req_ref(sreq);

65
0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch
View File

@ -1,65 +0,0 @@
From 83bb87c00e9970a1771ddcad3fd99091f5b2719c Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:21 +0300
Subject: [PATCH] vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
As the macro verifies the value is positive, rename it
to make the function clearer.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 3476436a44c29725efef0cabf5b3ea4e70054d57)
---
hw/pci/pci.c | 4 ++--
include/migration/vmstate.h | 2 +-
target-arm/machine.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 2a9f08e..517ff2a 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -475,7 +475,7 @@ const VMStateDescription vmstate_pci_device = {
.minimum_version_id = 1,
.minimum_version_id_old = 1,
.fields = (VMStateField []) {
- VMSTATE_INT32_LE(version_id, PCIDevice),
+ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
vmstate_info_pci_config,
PCI_CONFIG_SPACE_SIZE),
@@ -492,7 +492,7 @@ const VMStateDescription vmstate_pcie_device = {
.minimum_version_id = 1,
.minimum_version_id_old = 1,
.fields = (VMStateField []) {
- VMSTATE_INT32_LE(version_id, PCIDevice),
+ VMSTATE_INT32_POSITIVE_LE(version_id, PCIDevice),
VMSTATE_BUFFER_UNSAFE_INFO(config, PCIDevice, 0,
vmstate_info_pci_config,
PCIE_CONFIG_SPACE_SIZE),
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
index 5b71370..7e45048 100644
--- a/include/migration/vmstate.h
+++ b/include/migration/vmstate.h
@@ -601,7 +601,7 @@ extern const VMStateInfo vmstate_info_bitmap;
#define VMSTATE_UINT64_EQUAL(_f, _s) \
VMSTATE_UINT64_EQUAL_V(_f, _s, 0)
-#define VMSTATE_INT32_LE(_f, _s) \
+#define VMSTATE_INT32_POSITIVE_LE(_f, _s) \
VMSTATE_SINGLE(_f, _s, 0, vmstate_info_int32_le, int32_t)
#define VMSTATE_UINT8_TEST(_f, _s, _t) \
diff --git a/target-arm/machine.c b/target-arm/machine.c
index 7ced87a..5746ffd 100644
--- a/target-arm/machine.c
+++ b/target-arm/machine.c
@@ -246,7 +246,7 @@ const VMStateDescription vmstate_arm_cpu = {
/* The length-check must come before the arrays to avoid
* incoming data possibly overflowing the array.
*/
- VMSTATE_INT32_LE(cpreg_vmstate_array_len, ARMCPU),
+ VMSTATE_INT32_POSITIVE_LE(cpreg_vmstate_array_len, ARMCPU),
VMSTATE_VARRAY_INT32(cpreg_vmstate_indexes, ARMCPU,
cpreg_vmstate_array_len,
0, vmstate_info_uint64, uint64_t),

38
0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch
View File

@ -1,38 +0,0 @@
From a608c9c4150820ec64f5f25f6ebe244906c015da Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Thu, 3 Apr 2014 19:52:25 +0300
Subject: [PATCH] usb: sanity check setup_index+setup_len in post_load
CVE-2013-4541
s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.
setup_len and setup_index should be checked to make sure
they are not negative.
Cc: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a)
---
hw/usb/bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index fe70429..e48b19f 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -49,7 +49,9 @@ static int usb_device_post_load(void *opaque, int version_id)
} else {
dev->attached = 1;
}
- if (dev->setup_index >= sizeof(dev->data_buf) ||
+ if (dev->setup_index < 0 ||
+ dev->setup_len < 0 ||
+ dev->setup_index >= sizeof(dev->data_buf) ||
dev->setup_len >= sizeof(dev->data_buf)) {
return -EINVAL;
}

41
0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
View File

@ -1,41 +0,0 @@
From d2c50b94a808f06d778746aec63ce2cb4eb1222f Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 28 Apr 2014 16:08:14 +0300
Subject: [PATCH] ssi-sd: fix buffer overrun on invalid state load
CVE-2013-4537
s->arglen is taken from wire and used as idx
in ssi_sd_transfer().
Validate it before access.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a9c380db3b8c6af19546a68145c8d1438a09c92b)
---
hw/sd/ssi-sd.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/hw/sd/ssi-sd.c b/hw/sd/ssi-sd.c
index 3273c8a..b012e57 100644
--- a/hw/sd/ssi-sd.c
+++ b/hw/sd/ssi-sd.c
@@ -230,8 +230,17 @@ static int ssi_sd_load(QEMUFile *f, void *opaque, int version_id)
for (i = 0; i < 5; i++)
s->response[i] = qemu_get_be32(f);
s->arglen = qemu_get_be32(f);
+ if (s->mode == SSI_SD_CMDARG &&
+ (s->arglen < 0 || s->arglen >= ARRAY_SIZE(s->cmdarg))) {
+ return -EINVAL;
+ }
s->response_pos = qemu_get_be32(f);
s->stopping = qemu_get_be32(f);
+ if (s->mode == SSI_SD_RESPONSE &&
+ (s->response_pos < 0 || s->response_pos >= ARRAY_SIZE(s->response) ||
+ (!s->stopping && s->arglen > ARRAY_SIZE(s->response)))) {
+ return -EINVAL;
+ }
ss->cs = qemu_get_be32(f);

72
0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch
View File

@ -1,72 +0,0 @@
From 70488d5f1746b720bc141ea6b9850585e9c42121 Mon Sep 17 00:00:00 2001
From: Michael Roth <mdroth@linux.vnet.ibm.com>
Date: Mon, 28 Apr 2014 16:08:17 +0300
Subject: [PATCH] openpic: avoid buffer overrun on incoming migration
CVE-2013-4534
opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.
Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e)
---
hw/intc/openpic.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/hw/intc/openpic.c b/hw/intc/openpic.c
index be76fbd..17136c9 100644
--- a/hw/intc/openpic.c
+++ b/hw/intc/openpic.c
@@ -41,6 +41,7 @@
#include "hw/sysbus.h"
#include "hw/pci/msi.h"
#include "qemu/bitops.h"
+#include "qapi/qmp/qerror.h"
//#define DEBUG_OPENPIC
@@ -1416,7 +1417,7 @@ static void openpic_load_IRQ_queue(QEMUFile* f, IRQQueue *q)
static int openpic_load(QEMUFile* f, void *opaque, int version_id)
{
OpenPICState *opp = (OpenPICState *)opaque;
- unsigned int i;
+ unsigned int i, nb_cpus;
if (version_id != 1) {
return -EINVAL;
@@ -1428,7 +1429,11 @@ static int openpic_load(QEMUFile* f, void *opaque, int version_id)
qemu_get_be32s(f, &opp->spve);
qemu_get_be32s(f, &opp->tfrr);
- qemu_get_be32s(f, &opp->nb_cpus);
+ qemu_get_be32s(f, &nb_cpus);
+ if (opp->nb_cpus != nb_cpus) {
+ return -EINVAL;
+ }
+ assert(nb_cpus > 0 && nb_cpus <= MAX_CPU);
for (i = 0; i < opp->nb_cpus; i++) {
qemu_get_sbe32s(f, &opp->dst[i].ctpr);
@@ -1567,6 +1572,13 @@ static void openpic_realize(DeviceState *dev, Error **errp)
{NULL}
};
+ if (opp->nb_cpus > MAX_CPU) {
+ error_set(errp, QERR_PROPERTY_VALUE_OUT_OF_RANGE,
+ TYPE_OPENPIC, "nb_cpus", (uint64_t)opp->nb_cpus,
+ (uint64_t)0, (uint64_t)MAX_CPU);
+ return;
+ }
+
switch (opp->model) {
case OPENPIC_MODEL_FSL_MPIC_20:
default:

55
0023-virtio-net-out-of-bounds-buffer-write-on-load.patch
View File

@ -1,55 +0,0 @@
From 1a29e58f9f23846d0e105a3157629786fc624f65 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 28 Apr 2014 16:08:21 +0300
Subject: [PATCH] virtio-net: out-of-bounds buffer write on load
CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c
> } else if (n->mac_table.in_use) {
> uint8_t *buf = g_malloc0(n->mac_table.in_use);
We are allocating buffer of size n->mac_table.in_use
> qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.
If adversary controls state then memory written there is controlled
by adversary.
Reviewed-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 98f93ddd84800f207889491e0b5d851386b459cf)
---
hw/net/virtio-net.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/hw/net/virtio-net.c b/hw/net/virtio-net.c
index 0a8cb40..940a7cf 100644
--- a/hw/net/virtio-net.c
+++ b/hw/net/virtio-net.c
@@ -1362,10 +1362,17 @@ static int virtio_net_load(QEMUFile *f, void *opaque, int version_id)
if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {
qemu_get_buffer(f, n->mac_table.macs,
n->mac_table.in_use * ETH_ALEN);
- } else if (n->mac_table.in_use) {
- uint8_t *buf = g_malloc0(n->mac_table.in_use);
- qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);
- g_free(buf);
+ } else {
+ int64_t i;
+
+ /* Overflow detected - can happen if source has a larger MAC table.
+ * We simply set overflow flag so there's no need to maintain the
+ * table of addresses, discard them all.
+ * Note: 64 bit math to avoid integer overflow.
+ */
+ for (i = 0; i < (int64_t)n->mac_table.in_use * ETH_ALEN; ++i) {
+ qemu_get_byte(f);
+ }
n->mac_table.multi_overflow = n->mac_table.uni_overflow = 1;
n->mac_table.in_use = 0;
}

52
0024-virtio-validate-config_len-on-load.patch
View File

@ -1,52 +0,0 @@
From 94998eaa5ef06ba17ad12976ac84801033a28582 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Mon, 28 Apr 2014 16:08:23 +0300
Subject: [PATCH] virtio: validate config_len on load
Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.
To fix, that config_len matches on both sides.
CVE-2014-0182
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
--
v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit a890a2f9137ac3cf5b607649e66a6f3a5512d8dc)
---
hw/virtio/virtio.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index a70169a..7f4e7ec 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -898,6 +898,7 @@ int virtio_set_features(VirtIODevice *vdev, uint32_t val)
int virtio_load(VirtIODevice *vdev, QEMUFile *f)
{
int i, ret;
+ int32_t config_len;
uint32_t num;
uint32_t features;
uint32_t supported_features;
@@ -924,7 +925,12 @@ int virtio_load(VirtIODevice *vdev, QEMUFile *f)
features, supported_features);
return -1;
}
- vdev->config_len = qemu_get_be32(f);
+ config_len = qemu_get_be32(f);
+ if (config_len != vdev->config_len) {
+ error_report("Unexpected config length 0x%x. Expected 0x%zx",
+ config_len, vdev->config_len);
+ return -1;
+ }
qemu_get_buffer(f, vdev->config, vdev->config_len);
num = qemu_get_be32(f);

34
0101-qcow1-Make-padding-in-the-header-explicit.patch
View File

@ -1,34 +0,0 @@
From 709786ed4fa98cd281beaac3c6770292bd045a30 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 7 May 2014 16:56:10 +0200
Subject: [PATCH] qcow1: Make padding in the header explicit
We were relying on all compilers inserting the same padding in the
header struct that is used for the on-disk format. Let's not do that.
Mark the struct as packed and insert an explicit padding field for
compatibility.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit ea54feff58efedc809641474b25a3130309678e7)
---
block/qcow.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/qcow.c b/block/qcow.c
index d5a7d5f..9018f44 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -48,9 +48,10 @@ typedef struct QCowHeader {
uint64_t size; /* in bytes */
uint8_t cluster_bits;
uint8_t l2_bits;
+ uint16_t padding;
uint32_t crypt_method;
uint64_t l1_table_offset;
-} QCowHeader;
+} QEMU_PACKED QCowHeader;
#define L2_CACHE_SIZE 16

48
0102-qcow1-Check-maximum-cluster-size.patch
View File

@ -1,48 +0,0 @@
From 6893e96e6b58d809a08c6491f76df221fd1a6473 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Wed, 7 May 2014 17:30:30 +0200
Subject: [PATCH] qcow1: Check maximum cluster size
Huge values for header.cluster_bits cause unbounded allocations (e.g.
for s->cluster_cache) and crash qemu this way. Less huge values may
survive those allocations, but can cause integer overflows later on.
The only cluster sizes that qemu can create are 4k (for standalone
images) and 512 (for images with backing files), so we can limit it
to 64k.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit 7159a45b2bf2dcb9f49f1e27d1d3d135a0247a2f)
Conflicts:
tests/qemu-iotests/group
---
block/qcow.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 9018f44..26bb923 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -127,11 +127,17 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
goto fail;
}
- if (header.size <= 1 || header.cluster_bits < 9) {
- error_setg(errp, "invalid value in qcow header");
+ if (header.size <= 1) {
+ error_setg(errp, "Image size is too small (must be at least 2 bytes)");
ret = -EINVAL;
goto fail;
}
+ if (header.cluster_bits < 9 || header.cluster_bits > 16) {
+ error_setg(errp, "Cluster size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
error_setg(errp, "invalid encryption method in qcow header");
ret = -EINVAL;

48
0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
View File

@ -1,48 +0,0 @@
From 71ae37ec9806ab76afcdb40cf5f080af378848ac Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 15 May 2014 16:10:11 +0200
Subject: [PATCH] qcow1: Validate L2 table size (CVE-2014-0222)
Too large L2 table sizes cause unbounded allocations. Images actually
created by qemu-img only have 512 byte or 4k L2 tables.
To keep things consistent with cluster sizes, allow ranges between 512
bytes and 64k (in fact, down to 1 entry = 8 bytes is technically
working, but L2 table sizes smaller than a cluster don't make a lot of
sense).
This also means that the number of bytes on the virtual disk that are
described by the same L2 table is limited to at most 8k * 64k or 2^29,
preventively avoiding any integer overflows.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit 42eb58179b3b215bb507da3262b682b8a2ec10b5)
Conflicts:
tests/qemu-iotests/092
tests/qemu-iotests/092.out
---
block/qcow.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/block/qcow.c b/block/qcow.c
index 26bb923..8718ca5 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -138,6 +138,14 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
goto fail;
}
+ /* l2_bits specifies number of entries; storing a uint64_t in each entry,
+ * so bytes = num_entries << 3. */
+ if (header.l2_bits < 9 - 3 || header.l2_bits > 16 - 3) {
+ error_setg(errp, "L2 table size must be between 512 and 64k");
+ ret = -EINVAL;
+ goto fail;
+ }
+
if (header.crypt_method > QCOW_CRYPT_AES) {
error_setg(errp, "invalid encryption method in qcow header");
ret = -EINVAL;

57
0104-qcow1-Validate-image-size-CVE-2014-0223.patch
View File

@ -1,57 +0,0 @@
From 92e1dd206a3bb8ddbea0ece22bc05e9446a69436 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 8 May 2014 13:08:20 +0200
Subject: [PATCH] qcow1: Validate image size (CVE-2014-0223)
A huge image size could cause s->l1_size to overflow. Make sure that
images never require a L1 table larger than what fits in s->l1_size.
This cannot only cause unbounded allocations, but also the allocation of
a too small L1 table, resulting in out-of-bounds array accesses (both
reads and writes).
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 46485de0cb357b57373e1ca895adedf1f3ed46ec)
Conflicts:
tests/qemu-iotests/092
tests/qemu-iotests/092.out
---
block/qcow.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index 8718ca5..f9cb009 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -61,7 +61,7 @@ typedef struct BDRVQcowState {
int cluster_sectors;
int l2_bits;
int l2_size;
- int l1_size;
+ unsigned int l1_size;
uint64_t cluster_offset_mask;
uint64_t l1_table_offset;
uint64_t *l1_table;
@@ -165,7 +165,19 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
/* read the level 1 table */
shift = s->cluster_bits + s->l2_bits;
- s->l1_size = (header.size + (1LL << shift) - 1) >> shift;
+ if (header.size > UINT64_MAX - (1LL << shift)) {
+ error_setg(errp, "Image too large");
+ ret = -EINVAL;
+ goto fail;
+ } else {
+ uint64_t l1_size = (header.size + (1LL << shift) - 1) >> shift;
+ if (l1_size > INT_MAX / sizeof(uint64_t)) {
+ error_setg(errp, "Image too large");
+ ret = -EINVAL;
+ goto fail;
+ }
+ s->l1_size = l1_size;
+ }
s->l1_table_offset = header.l1_table_offset;
s->l1_table = g_malloc(s->l1_size * sizeof(uint64_t));

48
0105-qcow1-Stricter-backing-file-length-check.patch
View File

@ -1,48 +0,0 @@
From deaa4693c8533862fdda9bf584c24d4f2ef50029 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Thu, 8 May 2014 13:35:09 +0200
Subject: [PATCH] qcow1: Stricter backing file length check
Like qcow2 since commit 6d33e8e7, error out on invalid lengths instead
of silently truncating them to 1023.
Also don't rely on bdrv_pread() catching integer overflows that make len
negative, but use unsigned variables in the first place.
Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Reviewed-by: Benoit Canet <benoit@irqsave.net>
(cherry picked from commit d66e5cee002c471b78139228a4e7012736b375f9)
Conflicts:
tests/qemu-iotests/092
tests/qemu-iotests/092.out
---
block/qcow.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/block/qcow.c b/block/qcow.c
index f9cb009..c0a3b89 100644
--- a/block/qcow.c
+++ b/block/qcow.c
@@ -97,7 +97,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
Error **errp)
{
BDRVQcowState *s = bs->opaque;
- int len, i, shift, ret;
+ unsigned int len, i, shift;
+ int ret;
QCowHeader header;
ret = bdrv_pread(bs->file, 0, &header, sizeof(header));
@@ -201,7 +202,9 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
if (header.backing_file_offset != 0) {
len = header.backing_file_size;
if (len > 1023) {
- len = 1023;
+ error_setg(errp, "Backing file name too long");
+ ret = -EINVAL;
+ goto fail;
}
ret = bdrv_pread(bs->file, header.backing_file_offset,
bs->backing_file, len);

37
0106-usb-fix-up-post-load-checks.patch
View File

@ -1,37 +0,0 @@
From 40e49e4fab60b3b323263f06b7a8385fa9b62e89 Mon Sep 17 00:00:00 2001
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Tue, 13 May 2014 12:33:16 +0300
Subject: [PATCH] usb: fix up post load checks
Correct post load checks:
1. dev->setup_len == sizeof(dev->data_buf)
seems fine, no need to fail migration
2. When state is DATA, passing index > len
will cause memcpy with negative length,
resulting in heap overflow
First of the issues was reported by dgilbert.
Reported-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
(cherry picked from commit 719ffe1f5f72b1c7ace4afe9ba2815bcb53a829e)
---
hw/usb/bus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/usb/bus.c b/hw/usb/bus.c
index e48b19f..ff1dfe6 100644
--- a/hw/usb/bus.c
+++ b/hw/usb/bus.c
@@ -51,8 +51,8 @@ static int usb_device_post_load(void *opaque, int version_id)
}
if (dev->setup_index < 0 ||
dev->setup_len < 0 ||
- dev->setup_index >= sizeof(dev->data_buf) ||
- dev->setup_len >= sizeof(dev->data_buf)) {
+ dev->setup_index > dev->setup_len ||
+ dev->setup_len > sizeof(dev->data_buf)) {
return -EINVAL;
}
return 0;

70
0107-trace-add-pid-field-to-simpletrace-record.patch
View File

@ -1,70 +0,0 @@
From 32f3e4afa3c9e67c6448b2f3e3aefc4d7cf5a0d3 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 7 May 2014 19:24:10 +0200
Subject: [PATCH] trace: add pid field to simpletrace record
It is useful to know the QEMU process ID when working with traces from
multiple VMs. Although the trace filename may contain the pid, tools
that aggregate traces or even trace globally need somewhere to record
the pid.
There is a reserved field in the trace event header struct that we can
use.
It is not necessary to bump the simpletrace file format version number
because it has already been incremented for the QEMU 2.1 release cycle
in commit "trace: [simple] Bump up log version number".
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 26896cbf353e3017f76da8193074839b6e875250)
---
trace/simple.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/trace/simple.c b/trace/simple.c
index aaa010e..1584bf7 100644
--- a/trace/simple.c
+++ b/trace/simple.c
@@ -75,6 +75,7 @@ uint8_t trace_buf[TRACE_BUF_LEN];
static volatile gint trace_idx;
static unsigned int writeout_idx;
static volatile gint dropped_events;
+static uint32_t trace_pid;
static FILE *trace_fp;
static char *trace_file_name;
@@ -83,7 +84,7 @@ typedef struct {
uint64_t event; /* TraceEventID */
uint64_t timestamp_ns;
uint32_t length; /* in bytes */
- uint32_t reserved; /* unused */
+ uint32_t pid;
uint64_t arguments[];
} TraceRecord;
@@ -190,7 +191,7 @@ static gpointer writeout_thread(gpointer opaque)
dropped.rec.event = DROPPED_EVENT_ID,
dropped.rec.timestamp_ns = get_clock();
dropped.rec.length = sizeof(TraceRecord) + sizeof(uint64_t),
- dropped.rec.reserved = 0;
+ dropped.rec.pid = trace_pid;
do {
dropped_count = g_atomic_int_get(&dropped_events);
} while (!g_atomic_int_compare_and_exchange(&dropped_events,
@@ -249,6 +250,7 @@ int trace_record_start(TraceBufferRecord *rec, TraceEventID event, size_t datasi
rec_off = write_to_buffer(rec_off, &event_u64, sizeof(event_u64));
rec_off = write_to_buffer(rec_off, &timestamp_ns, sizeof(timestamp_ns));
rec_off = write_to_buffer(rec_off, &rec_len, sizeof(rec_len));
+ rec_off = write_to_buffer(rec_off, &trace_pid, sizeof(trace_pid));
rec->tbuf_idx = idx;
rec->rec_off = (idx + sizeof(TraceRecord)) % TRACE_BUF_LEN;
@@ -414,6 +416,8 @@ bool trace_backend_init(const char *events, const char *file)
{
GThread *thread;
+ trace_pid = getpid();
+
#if !GLIB_CHECK_VERSION(2, 31, 0)
trace_available_cond = g_cond_new();
trace_empty_cond = g_cond_new();

100
0108-simpletrace-add-support-for-trace-record-pid-field.patch
View File

@ -1,100 +0,0 @@
From 012d97190b01b0726c47aa46d723b81fa4d193d4 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 7 May 2014 19:24:11 +0200
Subject: [PATCH] simpletrace: add support for trace record pid field
Extract the pid field from the trace record and print it.
Change the trace record tuple from:
(event_num, timestamp, arg1, ..., arg6)
to:
(event_num, timestamp, pid, arg1, ..., arg6)
Trace event methods now support 3 prototypes:
1. <event-name>(arg1, arg2, arg3)
2. <event-name>(timestamp, arg1, arg2, arg3)
3. <event-name>(timestamp, pid, arg1, arg2, arg3)
Existing script continue to work without changes, they only know about
prototypes 1 and 2.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 80ff35cd3ff451e8f200413ddf27816058630c1f)
---
scripts/simpletrace.py | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/scripts/simpletrace.py b/scripts/simpletrace.py
index 8bbcb42..e1b97d4 100755
--- a/scripts/simpletrace.py
+++ b/scripts/simpletrace.py
@@ -31,10 +31,10 @@ def read_header(fobj, hfmt):
return struct.unpack(hfmt, hdr)
def get_record(edict, rechdr, fobj):
- """Deserialize a trace record from a file into a tuple (event_num, timestamp, arg1, ..., arg6)."""
+ """Deserialize a trace record from a file into a tuple (event_num, timestamp, pid, arg1, ..., arg6)."""
if rechdr is None:
return None
- rec = (rechdr[0], rechdr[1])
+ rec = (rechdr[0], rechdr[1], rechdr[3])
if rechdr[0] != dropped_event_id:
event_id = rechdr[0]
event = edict[event_id]
@@ -54,12 +54,12 @@ def get_record(edict, rechdr, fobj):
def read_record(edict, fobj):
- """Deserialize a trace record from a file into a tuple (event_num, timestamp, arg1, ..., arg6)."""
+ """Deserialize a trace record from a file into a tuple (event_num, timestamp, pid, arg1, ..., arg6)."""
rechdr = read_header(fobj, rec_header_fmt)
return get_record(edict, rechdr, fobj) # return tuple of record elements
def read_trace_file(edict, fobj):
- """Deserialize trace records from a file, yielding record tuples (event_num, timestamp, arg1, ..., arg6)."""
+ """Deserialize trace records from a file, yielding record tuples (event_num, timestamp, pid, arg1, ..., arg6)."""
header = read_header(fobj, log_header_fmt)
if header is None or \
header[0] != header_event_id or \
@@ -131,10 +131,13 @@ def process(events, log, analyzer):
fn_argcount = len(inspect.getargspec(fn)[0]) - 1
if fn_argcount == event_argcount + 1:
# Include timestamp as first argument
- return lambda _, rec: fn(*rec[1:2 + event_argcount])
+ return lambda _, rec: fn(*((rec[1:2],) + rec[3:3 + event_argcount]))
+ elif fn_argcount == event_argcount + 2:
+ # Include timestamp and pid
+ return lambda _, rec: fn(*rec[1:3 + event_argcount])
else:
- # Just arguments, no timestamp
- return lambda _, rec: fn(*rec[2:2 + event_argcount])
+ # Just arguments, no timestamp or pid
+ return lambda _, rec: fn(*rec[3:3 + event_argcount])
analyzer.begin()
fn_cache = {}
@@ -166,19 +169,20 @@ if __name__ == '__main__':
self.last_timestamp = None
def catchall(self, event, rec):
- i = 1
timestamp = rec[1]
if self.last_timestamp is None:
self.last_timestamp = timestamp
delta_ns = timestamp - self.last_timestamp
self.last_timestamp = timestamp
- fields = [event.name, '%0.3f' % (delta_ns / 1000.0)]
+ fields = [event.name, '%0.3f' % (delta_ns / 1000.0),
+ 'pid=%d' % rec[2]]
+ i = 3
for type, name in event.args:
if is_string(type):
- fields.append('%s=%s' % (name, rec[i + 1]))
+ fields.append('%s=%s' % (name, rec[i]))
else:
- fields.append('%s=0x%x' % (name, rec[i + 1]))
+ fields.append('%s=0x%x' % (name, rec[i]))
i += 1
print ' '.join(fields)

46
0109-trace-Replace-error-with-warning-if-event-is-not-def.patch
View File

@ -1,46 +0,0 @@
From 2e6870993d226dd8af3e2db502e8e183ee63d66a Mon Sep 17 00:00:00 2001
From: Alexey Kardashevskiy <aik@ozlabs.ru>
Date: Wed, 21 May 2014 18:16:01 +1000
Subject: [PATCH] trace: Replace error with warning if event is not defined
At the moment QEMU exits if trace point is not defined which makes
a developer life harder if he has to switch between branches with
different traces implemented.
This replaces error+exit wit WARNING if the tracepoint does not exist or
not traceable.
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 82432638ebeedda8a2e18838b6fbef4b14a94f31)
---
trace/control.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/trace/control.c b/trace/control.c
index 49f61e1..4aa02cf 100644
--- a/trace/control.c
+++ b/trace/control.c
@@ -112,15 +112,15 @@ void trace_backend_init_events(const char *fname)
TraceEvent *ev = trace_event_name(line_ptr);
if (ev == NULL) {
fprintf(stderr,
- "error: trace event '%s' does not exist\n", line_ptr);
- exit(1);
- }
- if (!trace_event_get_state_static(ev)) {
+ "WARNING: trace event '%s' does not exist\n",
+ line_ptr);
+ } else if (!trace_event_get_state_static(ev)) {
fprintf(stderr,
- "error: trace event '%s' is not traceable\n", line_ptr);
- exit(1);
+ "WARNING: trace event '%s' is not traceable\n",
+ line_ptr);
+ } else {
+ trace_event_set_state_dynamic(ev, enable);
}
- trace_event_set_state_dynamic(ev, enable);
}
}
}

78
0110-do-not-call-g_thread_init-for-glib-2.31.patch
View File

@ -1,78 +0,0 @@
From 6b1371a666af982f2d6c0b7dba98c425ea56d3dd Mon Sep 17 00:00:00 2001
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Fri, 2 May 2014 18:35:55 +0400
Subject: [PATCH] do not call g_thread_init() for glib >= 2.31
glib >= 2.31 always enables thread support and g_thread_supported()
is #defined to 1, there's no need to call g_thread_init() anymore,
and it definitely does not need to report error which never happens.
Keep code for old < 2.31 glibc anyway for now, just #ifdef it
differently.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Cc: qemu-trivial@nongnu.org
(cherry picked from commit f33cc84dd4af7776309d118412df008ec4108a57)
---
coroutine-gthread.c | 7 ++-----
util/osdep.c | 21 +++++++++------------
2 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/coroutine-gthread.c b/coroutine-gthread.c
index d3e5b99..a61efe0 100644
--- a/coroutine-gthread.c
+++ b/coroutine-gthread.c
@@ -115,14 +115,11 @@ static inline GThread *create_thread(GThreadFunc func, gpointer data)
static void __attribute__((constructor)) coroutine_init(void)
{
- if (!g_thread_supported()) {
#if !GLIB_CHECK_VERSION(2, 31, 0)
+ if (!g_thread_supported()) {
g_thread_init(NULL);
-#else
- fprintf(stderr, "glib threading failed to initialize.\n");
- exit(1);
-#endif
}
+#endif
init_coroutine_cond();
}
diff --git a/util/osdep.c b/util/osdep.c
index a9029f8..b2bd154 100644
--- a/util/osdep.c
+++ b/util/osdep.c
@@ -436,23 +436,20 @@ int socket_init(void)
return 0;
}
-/* Ensure that glib is running in multi-threaded mode */
+#if !GLIB_CHECK_VERSION(2, 31, 0)
+/* Ensure that glib is running in multi-threaded mode
+ * Old versions of glib require explicit initialization. Failure to do
+ * this results in the single-threaded code paths being taken inside
+ * glib. For example, the g_slice allocator will not be thread-safe
+ * and cause crashes.
+ */
static void __attribute__((constructor)) thread_init(void)
{
if (!g_thread_supported()) {
-#if !GLIB_CHECK_VERSION(2, 31, 0)
- /* Old versions of glib require explicit initialization. Failure to do
- * this results in the single-threaded code paths being taken inside
- * glib. For example, the g_slice allocator will not be thread-safe
- * and cause crashes.
- */
- g_thread_init(NULL);
-#else
- fprintf(stderr, "glib threading failed to initialize.\n");
- exit(1);
-#endif
+ g_thread_init(NULL);
}
}
+#endif
#ifndef CONFIG_IOVEC
/* helper function for iov_send_recv() */

62
0111-glib-move-g_poll-replacement-into-glib-compat.h.patch
View File

@ -1,62 +0,0 @@
From 6c1369c499e74fccbbfb97b3ec3e5da59d382031 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Fri, 2 May 2014 18:35:56 +0400
Subject: [PATCH] glib: move g_poll() replacement into glib-compat.h
We have a dedicated header file for wrappers to smooth over glib version
differences. Move the g_poll() definition into glib-compat.h for
consistency.
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Cc: qemu-trivial@nongnu.org
(cherry picked from commit f95c967a7950797109d2a96fcfa2e3a2899f2c99)
---
include/glib-compat.h | 12 ++++++++++++
include/qemu-common.h | 12 ------------
2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/include/glib-compat.h b/include/glib-compat.h
index 8aa77af..8d25900 100644
--- a/include/glib-compat.h
+++ b/include/glib-compat.h
@@ -24,4 +24,16 @@ static inline guint g_timeout_add_seconds(guint interval, GSourceFunc function,
}
#endif
+#if !GLIB_CHECK_VERSION(2, 20, 0)
+/*
+ * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
+ * on older systems.
+ */
+static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
+{
+ GMainContext *ctx = g_main_context_default();
+ return g_main_context_get_poll_func(ctx)(fds, nfds, timeout);
+}
+#endif
+
#endif
diff --git a/include/qemu-common.h b/include/qemu-common.h
index a998e8d..3f3fd60 100644
--- a/include/qemu-common.h
+++ b/include/qemu-common.h
@@ -124,18 +124,6 @@ int qemu_main(int argc, char **argv, char **envp);
void qemu_get_timedate(struct tm *tm, int offset);
int qemu_timedate_diff(struct tm *tm);
-#if !GLIB_CHECK_VERSION(2, 20, 0)
-/*
- * Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
- * on older systems.
- */
-static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
-{
- GMainContext *ctx = g_main_context_default();
- return g_main_context_get_poll_func(ctx)(fds, nfds, timeout);
-}
-#endif
-
/**
* is_help_option:
* @s: string to test

171
0112-glib-fix-g_poll-early-timeout-on-windows.patch
View File

@ -1,171 +0,0 @@
From 488f948b9f89a0dd90ed465f5d692230af2ecb05 Mon Sep 17 00:00:00 2001
From: Sangho Park <sangho1206.park@samsung.com>
Date: Thu, 8 May 2014 12:47:10 +0400
Subject: [PATCH] glib: fix g_poll early timeout on windows
g_poll has a problem on Windows when using
timeouts < 10ms, in glib/gpoll.c:
/* If not, and we have a significant timeout, poll again with
* timeout then. Note that this will return indication for only
* one event, or only for messages. We ignore timeouts less than
* ten milliseconds as they are mostly pointless on Windows, the
* MsgWaitForMultipleObjectsEx() call will timeout right away
* anyway.
*/
if (retval == 0 && (timeout == INFINITE || timeout >= 10))
retval = poll_rest (poll_msgs, handles, nhandles, fds, nfds, timeout);
so whenever g_poll is called with timeout < 10ms it does
a quick poll instead of wait, this causes significant performance
degradation of QEMU, thus we should use WaitForMultipleObjectsEx
directly
Signed-off-by: Stanislav Vorobiov <s.vorobiov@samsung.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit 5a007547df76446ab891df93ebc55749716609bf)
---
include/glib-compat.h | 9 +++-
util/oslib-win32.c | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 120 insertions(+), 1 deletion(-)
diff --git a/include/glib-compat.h b/include/glib-compat.h
index 8d25900..1280fb2 100644
--- a/include/glib-compat.h
+++ b/include/glib-compat.h
@@ -24,7 +24,14 @@ static inline guint g_timeout_add_seconds(guint interval, GSourceFunc function,
}
#endif
-#if !GLIB_CHECK_VERSION(2, 20, 0)
+#ifdef _WIN32
+/*
+ * g_poll has a problem on Windows when using
+ * timeouts < 10ms, so use wrapper.
+ */
+#define g_poll(fds, nfds, timeout) g_poll_fixed(fds, nfds, timeout)
+gint g_poll_fixed(GPollFD *fds, guint nfds, gint timeout);
+#elif !GLIB_CHECK_VERSION(2, 20, 0)
/*
* Glib before 2.20.0 doesn't implement g_poll, so wrap it to compile properly
* on older systems.
diff --git a/util/oslib-win32.c b/util/oslib-win32.c
index 93f7d35..69552f7 100644
--- a/util/oslib-win32.c
+++ b/util/oslib-win32.c
@@ -238,3 +238,115 @@ char *qemu_get_exec_dir(void)
{
return g_strdup(exec_dir);
}
+
+/*
+ * g_poll has a problem on Windows when using
+ * timeouts < 10ms, in glib/gpoll.c:
+ *
+ * // If not, and we have a significant timeout, poll again with
+ * // timeout then. Note that this will return indication for only
+ * // one event, or only for messages. We ignore timeouts less than
+ * // ten milliseconds as they are mostly pointless on Windows, the
+ * // MsgWaitForMultipleObjectsEx() call will timeout right away
+ * // anyway.
+ *
+ * if (retval == 0 && (timeout == INFINITE || timeout >= 10))
+ * retval = poll_rest (poll_msgs, handles, nhandles, fds, nfds, timeout);
+ *
+ * So whenever g_poll is called with timeout < 10ms it does
+ * a quick poll instead of wait, this causes significant performance
+ * degradation of QEMU, thus we should use WaitForMultipleObjectsEx
+ * directly
+ */
+gint g_poll_fixed(GPollFD *fds, guint nfds, gint timeout)
+{
+ guint i;
+ HANDLE handles[MAXIMUM_WAIT_OBJECTS];
+ gint nhandles = 0;
+ int num_completed = 0;
+
+ for (i = 0; i < nfds; i++) {
+ gint j;
+
+ if (fds[i].fd <= 0) {
+ continue;
+ }
+
+ /* don't add same handle several times
+ */
+ for (j = 0; j < nhandles; j++) {
+ if (handles[j] == (HANDLE)fds[i].fd) {
+ break;
+ }
+ }
+
+ if (j == nhandles) {
+ if (nhandles == MAXIMUM_WAIT_OBJECTS) {
+ fprintf(stderr, "Too many handles to wait for!\n");
+ break;
+ } else {
+ handles[nhandles++] = (HANDLE)fds[i].fd;
+ }
+ }
+ }
+
+ for (i = 0; i < nfds; ++i) {
+ fds[i].revents = 0;
+ }
+
+ if (timeout == -1) {
+ timeout = INFINITE;
+ }
+
+ if (nhandles == 0) {
+ if (timeout == INFINITE) {
+ return -1;
+ } else {
+ SleepEx(timeout, TRUE);
+ return 0;
+ }
+ }
+
+ while (1) {
+ DWORD res;
+ gint j;
+
+ res = WaitForMultipleObjectsEx(nhandles, handles, FALSE,
+ timeout, TRUE);
+
+ if (res == WAIT_FAILED) {
+ for (i = 0; i < nfds; ++i) {
+ fds[i].revents = 0;
+ }
+
+ return -1;
+ } else if ((res == WAIT_TIMEOUT) || (res == WAIT_IO_COMPLETION) ||
+ ((int)res < (int)WAIT_OBJECT_0) ||
+ (res >= (WAIT_OBJECT_0 + nhandles))) {
+ break;
+ }
+
+ for (i = 0; i < nfds; ++i) {
+ if (handles[res - WAIT_OBJECT_0] == (HANDLE)fds[i].fd) {
+ fds[i].revents = fds[i].events;
+ }
+ }
+
+ ++num_completed;
+
+ if (nhandles <= 1) {
+ break;
+ }
+
+ /* poll the rest of the handles
+ */
+ for (j = res - WAIT_OBJECT_0 + 1; j < nhandles; j++) {
+ handles[j - 1] = handles[j];
+ }
+ --nhandles;
+
+ timeout = 0;
+ }
+
+ return num_completed;
+}

350
0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch
View File

@ -1,350 +0,0 @@
From 57a1d211179279727d5afa21a7feba2d249d6867 Mon Sep 17 00:00:00 2001
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Thu, 8 May 2014 12:30:46 +0400
Subject: [PATCH] glib-compat.h: add new thread API emulation on top of
pre-2.31 API
Thread API changed in glib-2.31 significantly. Before that version,
conditionals and mutexes were only allocated dynamically, using
_new()/_free() interface. in 2.31 and up, they're allocated statically
as regular variables, and old interface is deprecated.
(Note: glib docs says the new interface is available since version
2.32, but it was actually introduced in version 2.31).
Create the new interface using old primitives, by providing non-opaque
definitions of the base types (GCond and GMutex) using GOnces.
Replace #ifdeffery around GCond and GMutex in trace/simple.c and
coroutine-gthread.c too because it does not work anymore with the new
glib-compat.h.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
[Use GOnce to support lazy initialization; introduce CompatGMutex
and CompatGCond. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 86946a2d835614050b90bc8e5c82982fe45deff2)
---
coroutine-gthread.c | 29 ++++--------
include/glib-compat.h | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++
trace/simple.c | 50 +++++----------------
3 files changed, 138 insertions(+), 60 deletions(-)
diff --git a/coroutine-gthread.c b/coroutine-gthread.c
index a61efe0..6bd6d6b 100644
--- a/coroutine-gthread.c
+++ b/coroutine-gthread.c
@@ -30,20 +30,14 @@ typedef struct {
CoroutineAction action;
} CoroutineGThread;
-static GStaticMutex coroutine_lock = G_STATIC_MUTEX_INIT;
+static CompatGMutex coroutine_lock;
+static CompatGCond coroutine_cond;
/* GLib 2.31 and beyond deprecated various parts of the thread API,
* but the new interfaces are not available in older GLib versions
* so we have to cope with both.
*/
#if GLIB_CHECK_VERSION(2, 31, 0)
-/* Default zero-initialisation is sufficient for 2.31+ GCond */
-static GCond the_coroutine_cond;
-static GCond *coroutine_cond = &the_coroutine_cond;
-static inline void init_coroutine_cond(void)
-{
-}
-
/* Awkwardly, the GPrivate API doesn't provide a way to update the
* GDestroyNotify handler for the coroutine key dynamically. So instead
* we track whether or not the CoroutineGThread should be freed on
@@ -84,11 +78,6 @@ static inline GThread *create_thread(GThreadFunc func, gpointer data)
#else
/* Handle older GLib versions */
-static GCond *coroutine_cond;
-static inline void init_coroutine_cond(void)
-{
- coroutine_cond = g_cond_new();
-}
static GStaticPrivate coroutine_key = G_STATIC_PRIVATE_INIT;
@@ -120,22 +109,20 @@ static void __attribute__((constructor)) coroutine_init(void)
g_thread_init(NULL);
}
#endif
-
- init_coroutine_cond();
}
static void coroutine_wait_runnable_locked(CoroutineGThread *co)
{
while (!co->runnable) {
- g_cond_wait(coroutine_cond, g_static_mutex_get_mutex(&coroutine_lock));
+ g_cond_wait(&coroutine_cond, &coroutine_lock);
}
}
static void coroutine_wait_runnable(CoroutineGThread *co)
{
- g_static_mutex_lock(&coroutine_lock);
+ g_mutex_lock(&coroutine_lock);
coroutine_wait_runnable_locked(co);
- g_static_mutex_unlock(&coroutine_lock);
+ g_mutex_unlock(&coroutine_lock);
}
static gpointer coroutine_thread(gpointer opaque)
@@ -177,17 +164,17 @@ CoroutineAction qemu_coroutine_switch(Coroutine *from_,
CoroutineGThread *from = DO_UPCAST(CoroutineGThread, base, from_);
CoroutineGThread *to = DO_UPCAST(CoroutineGThread, base, to_);
- g_static_mutex_lock(&coroutine_lock);
+ g_mutex_lock(&coroutine_lock);
from->runnable = false;
from->action = action;
to->runnable = true;
to->action = action;
- g_cond_broadcast(coroutine_cond);
+ g_cond_broadcast(&coroutine_cond);
if (action != COROUTINE_TERMINATE) {
coroutine_wait_runnable_locked(from);
}
- g_static_mutex_unlock(&coroutine_lock);
+ g_mutex_unlock(&coroutine_lock);
return from->action;
}
diff --git a/include/glib-compat.h b/include/glib-compat.h
index 1280fb2..4ae0671 100644
--- a/include/glib-compat.h
+++ b/include/glib-compat.h
@@ -5,6 +5,8 @@
*
* Authors:
* Anthony Liguori <aliguori@us.ibm.com>
+ * Michael Tokarev <mjt@tls.msk.ru>
+ * Paolo Bonzini <pbonzini@redhat.com>
*
* This work is licensed under the terms of the GNU GPL, version 2 or later.
* See the COPYING file in the top-level directory.
@@ -43,4 +45,121 @@ static inline gint g_poll(GPollFD *fds, guint nfds, gint timeout)
}
#endif
+#if !GLIB_CHECK_VERSION(2, 31, 0)
+/* before glib-2.31, GMutex and GCond was dynamic-only (there was a separate
+ * GStaticMutex, but it didn't work with condition variables).
+ *
+ * Our implementation uses GOnce to fake a static implementation that does
+ * not require separate initialization.
+ * We need to rename the types to avoid passing our CompatGMutex/CompatGCond
+ * by mistake to a function that expects GMutex/GCond. However, for ease
+ * of use we keep the GLib function names. GLib uses macros for the
+ * implementation, we use inline functions instead and undefine the macros.
+ */
+
+typedef struct CompatGMutex {
+ GOnce once;
+} CompatGMutex;
+
+typedef struct CompatGCond {
+ GOnce once;
+} CompatGCond;
+
+static inline gpointer do_g_mutex_new(gpointer unused)
+{
+ return (gpointer) g_mutex_new();
+}
+
+static inline void g_mutex_init(CompatGMutex *mutex)
+{
+ mutex->once = (GOnce) G_ONCE_INIT;
+}
+
+static inline void g_mutex_clear(CompatGMutex *mutex)
+{
+ assert(mutex->once.status != G_ONCE_STATUS_PROGRESS);
+ if (mutex->once.retval) {
+ g_mutex_free((GMutex *) mutex->once.retval);
+ }
+ mutex->once = (GOnce) G_ONCE_INIT;
+}
+
+static inline void (g_mutex_lock)(CompatGMutex *mutex)
+{
+ g_once(&mutex->once, do_g_mutex_new, NULL);
+ g_mutex_lock((GMutex *) mutex->once.retval);
+}
+#undef g_mutex_lock
+
+static inline gboolean (g_mutex_trylock)(CompatGMutex *mutex)
+{
+ g_once(&mutex->once, do_g_mutex_new, NULL);
+ return g_mutex_trylock((GMutex *) mutex->once.retval);
+}
+#undef g_mutex_trylock
+
+
+static inline void (g_mutex_unlock)(CompatGMutex *mutex)
+{
+ g_mutex_unlock((GMutex *) mutex->once.retval);
+}
+#undef g_mutex_unlock
+
+static inline gpointer do_g_cond_new(gpointer unused)
+{
+ return (gpointer) g_cond_new();
+}
+
+static inline void g_cond_init(CompatGCond *cond)
+{
+ cond->once = (GOnce) G_ONCE_INIT;
+}
+
+static inline void g_cond_clear(CompatGCond *cond)
+{
+ assert(cond->once.status != G_ONCE_STATUS_PROGRESS);
+ if (cond->once.retval) {
+ g_cond_free((GCond *) cond->once.retval);
+ }
+ cond->once = (GOnce) G_ONCE_INIT;
+}
+
+static inline void (g_cond_wait)(CompatGCond *cond, CompatGMutex *mutex)
+{
+ assert(mutex->once.status != G_ONCE_STATUS_PROGRESS);
+ g_once(&cond->once, do_g_cond_new, NULL);
+ g_cond_wait((GCond *) cond->once.retval, (GMutex *) mutex->once.retval);
+}
+#undef g_cond_wait
+
+static inline void (g_cond_broadcast)(CompatGCond *cond)
+{
+ g_once(&cond->once, do_g_cond_new, NULL);
+ g_cond_broadcast((GCond *) cond->once.retval);
+}
+#undef g_cond_broadcast
+
+static inline void (g_cond_signal)(CompatGCond *cond)
+{
+ g_once(&cond->once, do_g_cond_new, NULL);
+ g_cond_signal((GCond *) cond->once.retval);
+}
+#undef g_cond_signal
+
+
+/* before 2.31 there was no g_thread_new() */
+static inline GThread *g_thread_new(const char *name,
+ GThreadFunc func, gpointer data)
+{
+ GThread *thread = g_thread_create(func, data, TRUE, NULL);
+ if (!thread) {
+ g_error("creating thread");
+ }
+ return thread;
+}
+#else
+#define CompatGMutex GMutex
+#define CompatGCond GCond
+#endif /* glib 2.31 */
+
#endif
diff --git a/trace/simple.c b/trace/simple.c
index 1584bf7..8fc96fe 100644
--- a/trace/simple.c
+++ b/trace/simple.c
@@ -40,28 +40,9 @@
* Trace records are written out by a dedicated thread. The thread waits for
* records to become available, writes them out, and then waits again.
*/
-#if GLIB_CHECK_VERSION(2, 32, 0)
-static GMutex trace_lock;
-#define lock_trace_lock() g_mutex_lock(&trace_lock)
-#define unlock_trace_lock() g_mutex_unlock(&trace_lock)
-#define get_trace_lock_mutex() (&trace_lock)
-#else
-static GStaticMutex trace_lock = G_STATIC_MUTEX_INIT;
-#define lock_trace_lock() g_static_mutex_lock(&trace_lock)
-#define unlock_trace_lock() g_static_mutex_unlock(&trace_lock)
-#define get_trace_lock_mutex() g_static_mutex_get_mutex(&trace_lock)
-#endif
-
-/* g_cond_new() was deprecated in glib 2.31 but we still need to support it */
-#if GLIB_CHECK_VERSION(2, 31, 0)
-static GCond the_trace_available_cond;
-static GCond the_trace_empty_cond;
-static GCond *trace_available_cond = &the_trace_available_cond;
-static GCond *trace_empty_cond = &the_trace_empty_cond;
-#else
-static GCond *trace_available_cond;
-static GCond *trace_empty_cond;
-#endif
+static CompatGMutex trace_lock;
+static CompatGCond trace_available_cond;
+static CompatGCond trace_empty_cond;
static bool trace_available;
static bool trace_writeout_enabled;
@@ -151,26 +132,26 @@ static bool get_trace_record(unsigned int idx, TraceRecord **recordptr)
*/
static void flush_trace_file(bool wait)
{
- lock_trace_lock();
+ g_mutex_lock(&trace_lock);
trace_available = true;
- g_cond_signal(trace_available_cond);
+ g_cond_signal(&trace_available_cond);
if (wait) {
- g_cond_wait(trace_empty_cond, get_trace_lock_mutex());
+ g_cond_wait(&trace_empty_cond, &trace_lock);
}
- unlock_trace_lock();
+ g_mutex_unlock(&trace_lock);
}
static void wait_for_trace_records_available(void)
{
- lock_trace_lock();
+ g_mutex_lock(&trace_lock);
while (!(trace_available && trace_writeout_enabled)) {
- g_cond_signal(trace_empty_cond);
- g_cond_wait(trace_available_cond, get_trace_lock_mutex());
+ g_cond_signal(&trace_empty_cond);
+ g_cond_wait(&trace_available_cond, &trace_lock);
}
trace_available = false;
- unlock_trace_lock();
+ g_mutex_unlock(&trace_lock);
}
static gpointer writeout_thread(gpointer opaque)
@@ -399,11 +380,7 @@ static GThread *trace_thread_create(GThreadFunc fn)
pthread_sigmask(SIG_SETMASK, &set, &oldset);
#endif
-#if GLIB_CHECK_VERSION(2, 31, 0)
thread = g_thread_new("trace-thread", fn, NULL);
-#else
- thread = g_thread_create(fn, NULL, FALSE, NULL);
-#endif
#ifndef _WIN32
pthread_sigmask(SIG_SETMASK, &oldset, NULL);
@@ -418,11 +395,6 @@ bool trace_backend_init(const char *events, const char *file)
trace_pid = getpid();
-#if !GLIB_CHECK_VERSION(2, 31, 0)
- trace_available_cond = g_cond_new();
- trace_empty_cond = g_cond_new();
-#endif
-
thread = trace_thread_create(writeout_thread);
if (!thread) {
fprintf(stderr, "warning: unable to initialize simple trace backend\n");

38
0114-libcacard-replace-pstrcpy-with-memcpy.patch
View File

@ -1,38 +0,0 @@
From c916d06403eec41a92eabf52b31102d3b7068da8 Mon Sep 17 00:00:00 2001
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Fri, 2 May 2014 18:35:59 +0400
Subject: [PATCH] libcacard: replace pstrcpy() with memcpy()
Commit 2e679780ae86c6ca8 replaced strncpy() with pstrcpy()
in one place in libcacard. This is a qemu-specific function,
while libcacard is a stand-alone library (or tries to be).
But since we know the exact length of the string to copy,
and know that it definitely will fit in the destination
buffer, use memcpy() instead, and null-terminate the string
after that.
An alternative is to use g_strlcpy() or strncpy(), but memcpy()
is more than adequate in this place.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Cc: qemu-trivial@nongnu.org
Cc: Alon Levy <alevy@redhat.com>
(cherry picked from commit a22f8f38942623dc473bf5ced5b4117b8bdf4821)
---
libcacard/vcard_emul_nss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c
index ee2dfae..e2b196d 100644
--- a/libcacard/vcard_emul_nss.c
+++ b/libcacard/vcard_emul_nss.c
@@ -1162,7 +1162,8 @@ vcard_emul_options(const char *args)
NEXT_TOKEN(vname)
NEXT_TOKEN(type_params)
type_params_length = MIN(type_params_length, sizeof(type_str)-1);
- pstrcpy(type_str, type_params_length, type_params);
+ memcpy(type_str, type_params, type_params_length);
+ type_str[type_params_length] = '\0';
type = vcard_emul_type_from_string(type_str);
NEXT_TOKEN(type_params)

236
0115-libcacard-g_malloc-cleanups.patch
View File

@ -1,236 +0,0 @@
From 118436ff47d7269f4bf3e3c1cd83df4b44b7d5c2 Mon Sep 17 00:00:00 2001
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Thu, 8 May 2014 19:51:01 +0400
Subject: [PATCH] libcacard: g_malloc cleanups
This patch replaces g_malloc() in libcacard into g_new()
or g_new0() where appropriate (removing some init-to-zero
surrounding code), g_malloc+memcpy into g_memdup() and the
like.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Alon Levy <alevy@redhat.com>
(cherry picked from commit 78a4b8d2051bff8e8794e9419b7925122212b096)
---
libcacard/cac.c | 11 +++--------
libcacard/card_7816.c | 11 +++++------
libcacard/event.c | 2 +-
libcacard/vcard.c | 22 +++++-----------------
libcacard/vcard_emul_nss.c | 12 ++++++------
libcacard/vreader.c | 11 +++--------
6 files changed, 23 insertions(+), 46 deletions(-)
diff --git a/libcacard/cac.c b/libcacard/cac.c
index 74ef3e3..122129e 100644
--- a/libcacard/cac.c
+++ b/libcacard/cac.c
@@ -310,16 +310,11 @@ static VCardAppletPrivate *
cac_new_pki_applet_private(const unsigned char *cert,
int cert_len, VCardKey *key)
{
- CACPKIAppletData *pki_applet_data = NULL;
- VCardAppletPrivate *applet_private = NULL;
- applet_private = (VCardAppletPrivate *)g_malloc(sizeof(VCardAppletPrivate));
+ CACPKIAppletData *pki_applet_data;
+ VCardAppletPrivate *applet_private;
+ applet_private = g_new0(VCardAppletPrivate, 1);
pki_applet_data = &(applet_private->u.pki_data);
- pki_applet_data->cert_buffer = NULL;
- pki_applet_data->cert_buffer_len = 0;
- pki_applet_data->sign_buffer = NULL;
- pki_applet_data->sign_buffer_len = 0;
- pki_applet_data->key = NULL;
pki_applet_data->cert = (unsigned char *)g_malloc(cert_len+1);
/*
* if we want to support compression, then we simply change the 0 to a 1
diff --git a/libcacard/card_7816.c b/libcacard/card_7816.c
index c28bb60..bca8c4a 100644
--- a/libcacard/card_7816.c
+++ b/libcacard/card_7816.c
@@ -51,7 +51,7 @@ vcard_response_new_data(unsigned char *buf, int len)
{
VCardResponse *new_response;
- new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse));
+ new_response = g_new(VCardResponse, 1);
new_response->b_data = g_malloc(len + 2);
memcpy(new_response->b_data, buf, len);
new_response->b_total_len = len+2;
@@ -132,7 +132,7 @@ vcard_response_new_status(vcard_7816_status_t status)
{
VCardResponse *new_response;
- new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse));
+ new_response = g_new(VCardResponse, 1);
new_response->b_data = &new_response->b_sw1;
new_response->b_len = 0;
new_response->b_total_len = 2;
@@ -149,7 +149,7 @@ vcard_response_new_status_bytes(unsigned char sw1, unsigned char sw2)
{
VCardResponse *new_response;
- new_response = (VCardResponse *)g_malloc(sizeof(VCardResponse));
+ new_response = g_new(VCardResponse, 1);
new_response->b_data = &new_response->b_sw1;
new_response->b_len = 0;
new_response->b_total_len = 2;
@@ -336,9 +336,8 @@ vcard_apdu_new(unsigned char *raw_apdu, int len, vcard_7816_status_t *status)
return NULL;
}
- new_apdu = (VCardAPDU *)g_malloc(sizeof(VCardAPDU));
- new_apdu->a_data = g_malloc(len);
- memcpy(new_apdu->a_data, raw_apdu, len);
+ new_apdu = g_new(VCardAPDU, 1);
+ new_apdu->a_data = g_memdup(raw_apdu, len);
new_apdu->a_len = len;
*status = vcard_apdu_set_class(new_apdu);
if (*status != VCARD7816_STATUS_SUCCESS) {
diff --git a/libcacard/event.c b/libcacard/event.c
index 2d7500f..a2e6c7d 100644
--- a/libcacard/event.c
+++ b/libcacard/event.c
@@ -17,7 +17,7 @@ vevent_new(VEventType type, VReader *reader, VCard *card)
{
VEvent *new_vevent;
- new_vevent = (VEvent *)g_malloc(sizeof(VEvent));
+ new_vevent = g_new(VEvent, 1);
new_vevent->next = NULL;
new_vevent->type = type;
new_vevent->reader = vreader_reference(reader);
diff --git a/libcacard/vcard.c b/libcacard/vcard.c
index 539177b..227e477 100644
--- a/libcacard/vcard.c
+++ b/libcacard/vcard.c
@@ -37,9 +37,8 @@ vcard_buffer_response_new(unsigned char *buffer, int size)
{
VCardBufferResponse *new_buffer;
- new_buffer = (VCardBufferResponse *)g_malloc(sizeof(VCardBufferResponse));
- new_buffer->buffer = (unsigned char *)g_malloc(size);
- memcpy(new_buffer->buffer, buffer, size);
+ new_buffer = g_new(VCardBufferResponse, 1);
+ new_buffer->buffer = (unsigned char *)g_memdup(buffer, size);
new_buffer->buffer_len = size;
new_buffer->current = new_buffer->buffer;
new_buffer->len = size;
@@ -102,15 +101,11 @@ vcard_new_applet(VCardProcessAPDU applet_process_function,
{
VCardApplet *applet;
- applet = (VCardApplet *)g_malloc(sizeof(VCardApplet));
- applet->next = NULL;
- applet->applet_private = NULL;
- applet->applet_private_free = NULL;
+ applet = g_new0(VCardApplet, 1);
applet->process_apdu = applet_process_function;
applet->reset_applet = applet_reset_function;
- applet->aid = g_malloc(aid_len);
- memcpy(applet->aid, aid, aid_len);
+ applet->aid = g_memdup(aid, aid_len);
applet->aid_len = aid_len;
return applet;
}
@@ -149,18 +144,11 @@ VCard *
vcard_new(VCardEmul *private, VCardEmulFree private_free)
{
VCard *new_card;
- int i;
- new_card = (VCard *)g_malloc(sizeof(VCard));
- new_card->applet_list = NULL;
- for (i = 0; i < MAX_CHANNEL; i++) {
- new_card->current_applet[i] = NULL;
- }
- new_card->vcard_buffer_response = NULL;
+ new_card = g_new0(VCard, 1);
new_card->type = VCARD_VM;
new_card->vcard_private = private;
new_card->vcard_private_free = private_free;
- new_card->vcard_get_atr = NULL;
new_card->reference_count = 1;
return new_card;
}
diff --git a/libcacard/vcard_emul_nss.c b/libcacard/vcard_emul_nss.c
index e2b196d..75b9d79 100644
--- a/libcacard/vcard_emul_nss.c
+++ b/libcacard/vcard_emul_nss.c
@@ -94,9 +94,9 @@ static void
vcard_emul_alloc_arrays(unsigned char ***certsp, int **cert_lenp,
VCardKey ***keysp, int cert_count)
{
- *certsp = (unsigned char **)g_malloc(sizeof(unsigned char *)*cert_count);
- *cert_lenp = (int *)g_malloc(sizeof(int)*cert_count);
- *keysp = (VCardKey **)g_malloc(sizeof(VCardKey *)*cert_count);
+ *certsp = g_new(unsigned char *, cert_count);
+ *cert_lenp = g_new(int, cert_count);
+ *keysp = g_new(VCardKey *, cert_count);
}
/*
@@ -139,7 +139,7 @@ vcard_emul_make_key(PK11SlotInfo *slot, CERTCertificate *cert)
{
VCardKey *key;
- key = (VCardKey *)g_malloc(sizeof(VCardKey));
+ key = g_new(VCardKey, 1);
key->slot = PK11_ReferenceSlot(slot);
key->cert = CERT_DupCertificate(cert);
/* NOTE: if we aren't logged into the token, this could return NULL */
@@ -449,7 +449,7 @@ vreader_emul_new(PK11SlotInfo *slot, VCardEmulType type, const char *params)
{
VReaderEmul *new_reader_emul;
- new_reader_emul = (VReaderEmul *)g_malloc(sizeof(VReaderEmul));
+ new_reader_emul = g_new(VReaderEmul, 1);
new_reader_emul->slot = PK11_ReferenceSlot(slot);
new_reader_emul->default_type = type;
@@ -1189,7 +1189,7 @@ vcard_emul_options(const char *args)
g_strndup(type_params, type_params_length);
count = count_tokens(args, ',', ')') + 1;
vreaderOpt->cert_count = count;
- vreaderOpt->cert_name = (char **)g_malloc(count*sizeof(char *));
+ vreaderOpt->cert_name = g_new(char *, count);
for (i = 0; i < count; i++) {
const char *cert = args;
args = strpbrk(args, ",)");
diff --git a/libcacard/vreader.c b/libcacard/vreader.c
index 5793d73..215a2f6 100644
--- a/libcacard/vreader.c
+++ b/libcacard/vreader.c
@@ -115,7 +115,7 @@ vreader_new(const char *name, VReaderEmul *private,
{
VReader *reader;
- reader = (VReader *)g_malloc(sizeof(VReader));
+ reader = g_new(VReader, 1);
qemu_mutex_init(&reader->lock);
reader->reference_count = 1;
reader->name = g_strdup(name);
@@ -312,10 +312,7 @@ vreader_list_entry_new(VReader *reader)
{
VReaderListEntry *new_reader_list_entry;
- new_reader_list_entry = (VReaderListEntry *)
- g_malloc(sizeof(VReaderListEntry));
- new_reader_list_entry->next = NULL;
- new_reader_list_entry->prev = NULL;
+ new_reader_list_entry = g_new0(VReaderListEntry, 1);
new_reader_list_entry->reader = vreader_reference(reader);
return new_reader_list_entry;
}
@@ -336,9 +333,7 @@ vreader_list_new(void)
{
VReaderList *new_reader_list;
- new_reader_list = (VReaderList *)g_malloc(sizeof(VReaderList));
- new_reader_list->head = NULL;
- new_reader_list->tail = NULL;
+ new_reader_list = g_new0(VReaderList, 1);
return new_reader_list;
}

218
0116-vscclient-use-glib-thread-primitives-not-qemu.patch
View File

@ -1,218 +0,0 @@
From 4a609afa4206d7af9fe2c8dcfbe7850509701aff Mon Sep 17 00:00:00 2001
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Thu, 8 May 2014 12:30:47 +0400
Subject: [PATCH] vscclient: use glib thread primitives not qemu
Use glib-provided thread primitives in vscclient instead of
qemu ones, and do not use qemu sockets in there (open-code
call to WSAStartup() for windows to initialize things).
This way, vscclient becomes more stand-alone, independent on
qemu internals.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Alon Levy <alevy@redhat.com>
Tested-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit 2a0c46da967e5dc8cfe73b1b6fe7a1600c04f461)
---
libcacard/vscclient.c | 70 +++++++++++++++++++++++++++------------------------
1 file changed, 37 insertions(+), 33 deletions(-)
diff --git a/libcacard/vscclient.c b/libcacard/vscclient.c
index 3477ab3..598206b 100644
--- a/libcacard/vscclient.c
+++ b/libcacard/vscclient.c
@@ -12,12 +12,10 @@
#ifndef _WIN32
#include <netdb.h>
+#define closesocket(x) close(x)
#endif
-#include <glib.h>
#include "qemu-common.h"
-#include "qemu/thread.h"
-#include "qemu/sockets.h"
#include "vscard_common.h"
@@ -54,7 +52,7 @@ print_usage(void) {
static GIOChannel *channel_socket;
static GByteArray *socket_to_send;
-static QemuMutex socket_to_send_lock;
+static CompatGMutex socket_to_send_lock;
static guint socket_tag;
static void
@@ -103,7 +101,7 @@ send_msg(
) {
VSCMsgHeader mhHeader;
- qemu_mutex_lock(&socket_to_send_lock);
+ g_mutex_lock(&socket_to_send_lock);
if (verbose > 10) {
printf("sending type=%d id=%u, len =%u (0x%x)\n",
@@ -117,18 +115,18 @@ send_msg(
g_byte_array_append(socket_to_send, (guint8 *)msg, length);
g_idle_add(socket_prepare_sending, NULL);
- qemu_mutex_unlock(&socket_to_send_lock);
+ g_mutex_unlock(&socket_to_send_lock);
return 0;
}
static VReader *pending_reader;
-static QemuMutex pending_reader_lock;
-static QemuCond pending_reader_condition;
+static CompatGMutex pending_reader_lock;
+static CompatGCond pending_reader_condition;
#define MAX_ATR_LEN 40
-static void *
-event_thread(void *arg)
+static gpointer
+event_thread(gpointer arg)
{
unsigned char atr[MAX_ATR_LEN];
int atr_len = MAX_ATR_LEN;
@@ -149,20 +147,20 @@ event_thread(void *arg)
/* ignore events from readers qemu has rejected */
/* if qemu is still deciding on this reader, wait to see if need to
* forward this event */
- qemu_mutex_lock(&pending_reader_lock);
+ g_mutex_lock(&pending_reader_lock);
if (!pending_reader || (pending_reader != event->reader)) {
/* wasn't for a pending reader, this reader has already been
* rejected by qemu */
- qemu_mutex_unlock(&pending_reader_lock);
+ g_mutex_unlock(&pending_reader_lock);
vevent_delete(event);
continue;
}
/* this reader hasn't been told its status from qemu yet, wait for
* that status */
while (pending_reader != NULL) {
- qemu_cond_wait(&pending_reader_condition, &pending_reader_lock);
+ g_cond_wait(&pending_reader_condition, &pending_reader_lock);
}
- qemu_mutex_unlock(&pending_reader_lock);
+ g_mutex_unlock(&pending_reader_lock);
/* now recheck the id */
reader_id = vreader_get_id(event->reader);
if (reader_id == VSCARD_UNDEFINED_READER_ID) {
@@ -178,12 +176,12 @@ event_thread(void *arg)
/* wait until qemu has responded to our first reader insert
* before we send a second. That way we won't confuse the responses
* */
- qemu_mutex_lock(&pending_reader_lock);
+ g_mutex_lock(&pending_reader_lock);
while (pending_reader != NULL) {
- qemu_cond_wait(&pending_reader_condition, &pending_reader_lock);
+ g_cond_wait(&pending_reader_condition, &pending_reader_lock);
}
pending_reader = vreader_reference(event->reader);
- qemu_mutex_unlock(&pending_reader_lock);
+ g_mutex_unlock(&pending_reader_lock);
reader_name = vreader_get_name(event->reader);
if (verbose > 10) {
printf(" READER INSERT: %s\n", reader_name);
@@ -246,7 +244,6 @@ on_host_init(VSCMsgHeader *mhHeader, VSCMsgInit *incoming)
int num_capabilities =
1 + ((mhHeader->length - sizeof(VSCMsgInit)) / sizeof(uint32_t));
int i;
- QemuThread thread_id;
incoming->version = ntohl(incoming->version);
if (incoming->version != VSCARD_VERSION) {
@@ -269,7 +266,7 @@ on_host_init(VSCMsgHeader *mhHeader, VSCMsgInit *incoming)
send_msg(VSC_ReaderRemove, VSCARD_MINIMAL_READER_ID, NULL, 0);
/* launch the event_thread. This will trigger reader adds for all the
* existing readers */
- qemu_thread_create(&thread_id, "vsc/event", event_thread, NULL, 0);
+ g_thread_new("vsc/event", event_thread, NULL);
return 0;
}
@@ -379,26 +376,26 @@ do_socket_read(GIOChannel *source,
case VSC_Error:
error_msg = (VSCMsgError *) pbSendBuffer;
if (error_msg->code == VSC_SUCCESS) {
- qemu_mutex_lock(&pending_reader_lock);
+ g_mutex_lock(&pending_reader_lock);
if (pending_reader) {
vreader_set_id(pending_reader, mhHeader.reader_id);
vreader_free(pending_reader);
pending_reader = NULL;
- qemu_cond_signal(&pending_reader_condition);
+ g_cond_signal(&pending_reader_condition);
}
- qemu_mutex_unlock(&pending_reader_lock);
+ g_mutex_unlock(&pending_reader_lock);
break;
}
printf("warning: qemu refused to add reader\n");
if (error_msg->code == VSC_CANNOT_ADD_MORE_READERS) {
/* clear pending reader, qemu can't handle any more */
- qemu_mutex_lock(&pending_reader_lock);
+ g_mutex_lock(&pending_reader_lock);
if (pending_reader) {
pending_reader = NULL;
/* make sure the event loop doesn't hang */
- qemu_cond_signal(&pending_reader_condition);
+ g_cond_signal(&pending_reader_condition);
}
- qemu_mutex_unlock(&pending_reader_lock);
+ g_mutex_unlock(&pending_reader_lock);
}
break;
case VSC_Init:
@@ -602,7 +599,7 @@ connect_to_qemu(
struct addrinfo *server;
int ret, sock;
- sock = qemu_socket(AF_INET, SOCK_STREAM, 0);
+ sock = socket(AF_INET, SOCK_STREAM, 0);
if (sock < 0) {
/* Error */
fprintf(stderr, "Error opening socket!\n");
@@ -655,8 +652,20 @@ main(
int cert_count = 0;
int c, sock;
- if (socket_init() != 0)
+#ifdef _WIN32
+ WSADATA Data;
+
+ if (WSAStartup(MAKEWORD(2, 2), &Data) != 0) {
+ c = WSAGetLastError();
+ fprintf(stderr, "WSAStartup: %d\n", c);
return 1;
+ }
+#endif
+#if !GLIB_CHECK_VERSION(2, 31, 0)
+ if (!g_thread_supported()) {
+ g_thread_init(NULL);
+ }
+#endif
while ((c = getopt(argc, argv, "c:e:pd:")) != -1) {
switch (c) {
@@ -723,13 +732,8 @@ main(
}
socket_to_send = g_byte_array_new();
- qemu_mutex_init(&socket_to_send_lock);
- qemu_mutex_init(&pending_reader_lock);
- qemu_cond_init(&pending_reader_condition);
-
vcard_emul_init(command_line_options);
-
- loop = g_main_loop_new(NULL, true);
+ loop = g_main_loop_new(NULL, TRUE);
printf("> ");
fflush(stdout);

204
0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch
View File

@ -1,204 +0,0 @@
From 95d830ad782262bac47e4cc368e8dff108b789f1 Mon Sep 17 00:00:00 2001
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Thu, 8 May 2014 12:30:48 +0400
Subject: [PATCH] libcacard: replace qemu thread primitives with glib ones
Replace QemuMutex with GMutex and QemuCond with GCond
(with corresponding function changes), to make libcacard
independent of qemu internal functions.
After this step, none of libcacard internals use any
qemu-provided symbols. Maybe it's a good idea to
stop including qemu-common.h internally too.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Alon Levy <alevy@redhat.com>
Tested-by: Alon Levy <alevy@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit fd25c0e6dd1ed2aa932fa7ef814b32457bf270fd)
---
libcacard/Makefile | 8 +-------
libcacard/event.c | 23 ++++++++++-------------
libcacard/vreader.c | 18 ++++++++----------
3 files changed, 19 insertions(+), 30 deletions(-)
diff --git a/libcacard/Makefile b/libcacard/Makefile
index 6b06448..89a5942 100644
--- a/libcacard/Makefile
+++ b/libcacard/Makefile
@@ -3,13 +3,7 @@ libcacard_includedir=$(includedir)/cacard
TOOLS += vscclient$(EXESUF)
# objects linked into a shared library, built with libtool with -fPIC if required
-libcacard-obj-y = $(stub-obj-y) $(libcacard-y)
-libcacard-obj-y += util/osdep.o util/cutils.o util/qemu-timer-common.o
-libcacard-obj-y += util/error.o util/qemu-error.o
-libcacard-obj-$(CONFIG_WIN32) += util/oslib-win32.o util/qemu-thread-win32.o
-libcacard-obj-$(CONFIG_POSIX) += util/oslib-posix.o util/qemu-thread-posix.o
-libcacard-obj-y += $(filter trace/%, $(util-obj-y))
-
+libcacard-obj-y = $(libcacard-y)
libcacard-lobj-y=$(patsubst %.o,%.lo,$(libcacard-obj-y))
# libtool will build the .o files, too
diff --git a/libcacard/event.c b/libcacard/event.c
index a2e6c7d..4c551e4 100644
--- a/libcacard/event.c
+++ b/libcacard/event.c
@@ -6,7 +6,6 @@
*/
#include "qemu-common.h"
-#include "qemu/thread.h"
#include "vcard.h"
#include "vreader.h"
@@ -43,13 +42,11 @@ vevent_delete(VEvent *vevent)
static VEvent *vevent_queue_head;
static VEvent *vevent_queue_tail;
-static QemuMutex vevent_queue_lock;
-static QemuCond vevent_queue_condition;
+static CompatGMutex vevent_queue_lock;
+static CompatGCond vevent_queue_condition;
void vevent_queue_init(void)
{
- qemu_mutex_init(&vevent_queue_lock);
- qemu_cond_init(&vevent_queue_condition);
vevent_queue_head = vevent_queue_tail = NULL;
}
@@ -57,7 +54,7 @@ void
vevent_queue_vevent(VEvent *vevent)
{
vevent->next = NULL;
- qemu_mutex_lock(&vevent_queue_lock);
+ g_mutex_lock(&vevent_queue_lock);
if (vevent_queue_head) {
assert(vevent_queue_tail);
vevent_queue_tail->next = vevent;
@@ -65,8 +62,8 @@ vevent_queue_vevent(VEvent *vevent)
vevent_queue_head = vevent;
}
vevent_queue_tail = vevent;
- qemu_cond_signal(&vevent_queue_condition);
- qemu_mutex_unlock(&vevent_queue_lock);
+ g_cond_signal(&vevent_queue_condition);
+ g_mutex_unlock(&vevent_queue_lock);
}
/* must have lock */
@@ -86,11 +83,11 @@ VEvent *vevent_wait_next_vevent(void)
{
VEvent *vevent;
- qemu_mutex_lock(&vevent_queue_lock);
+ g_mutex_lock(&vevent_queue_lock);
while ((vevent = vevent_dequeue_vevent()) == NULL) {
- qemu_cond_wait(&vevent_queue_condition, &vevent_queue_lock);
+ g_cond_wait(&vevent_queue_condition, &vevent_queue_lock);
}
- qemu_mutex_unlock(&vevent_queue_lock);
+ g_mutex_unlock(&vevent_queue_lock);
return vevent;
}
@@ -98,9 +95,9 @@ VEvent *vevent_get_next_vevent(void)
{
VEvent *vevent;
- qemu_mutex_lock(&vevent_queue_lock);
+ g_mutex_lock(&vevent_queue_lock);
vevent = vevent_dequeue_vevent();
- qemu_mutex_unlock(&vevent_queue_lock);
+ g_mutex_unlock(&vevent_queue_lock);
return vevent;
}
diff --git a/libcacard/vreader.c b/libcacard/vreader.c
index 215a2f6..75b5b28 100644
--- a/libcacard/vreader.c
+++ b/libcacard/vreader.c
@@ -9,10 +9,8 @@
#undef G_LOG_DOMAIN
#endif
#define G_LOG_DOMAIN "libcacard"
-#include <glib.h>
#include "qemu-common.h"
-#include "qemu/thread.h"
#include "vcard.h"
#include "vcard_emul.h"
@@ -28,7 +26,7 @@ struct VReaderStruct {
VCard *card;
char *name;
vreader_id_t id;
- QemuMutex lock;
+ CompatGMutex lock;
VReaderEmul *reader_private;
VReaderEmulFree reader_private_free;
};
@@ -97,13 +95,13 @@ apdu_ins_to_string(int ins)
static inline void
vreader_lock(VReader *reader)
{
- qemu_mutex_lock(&reader->lock);
+ g_mutex_lock(&reader->lock);
}
static inline void
vreader_unlock(VReader *reader)
{
- qemu_mutex_unlock(&reader->lock);
+ g_mutex_unlock(&reader->lock);
}
/*
@@ -116,7 +114,7 @@ vreader_new(const char *name, VReaderEmul *private,
VReader *reader;
reader = g_new(VReader, 1);
- qemu_mutex_init(&reader->lock);
+ g_mutex_init(&reader->lock);
reader->reference_count = 1;
reader->name = g_strdup(name);
reader->card = NULL;
@@ -152,6 +150,7 @@ vreader_free(VReader *reader)
return;
}
vreader_unlock(reader);
+ g_mutex_clear(&reader->lock);
if (reader->card) {
vcard_free(reader->card);
}
@@ -408,25 +407,24 @@ vreader_dequeue(VReaderList *list, VReaderListEntry *entry)
}
static VReaderList *vreader_list;
-static QemuMutex vreader_list_mutex;
+static CompatGMutex vreader_list_mutex;
static void
vreader_list_init(void)
{
vreader_list = vreader_list_new();
- qemu_mutex_init(&vreader_list_mutex);
}
static void
vreader_list_lock(void)
{
- qemu_mutex_lock(&vreader_list_mutex);
+ g_mutex_lock(&vreader_list_mutex);
}
static void
vreader_list_unlock(void)
{
- qemu_mutex_unlock(&vreader_list_mutex);
+ g_mutex_unlock(&vreader_list_mutex);
}
static VReaderList *

130
qemu.spec
View File

@ -154,11 +154,10 @@
%define with_xen 1
%endif
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.0.0
Release: 7%{?dist}
Version: 2.1.0
Release: 0.1.rc0%{?dist}
Epoch: 2
License: GPLv2+ and LGPLv2+ and BSD
Group: Development/Tools
@ -173,7 +172,8 @@ ExclusiveArch: %{kvm_archs}
%define _smp_mflags %{nil}
%endif
Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2
#Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2
Source0: http://wiki.qemu-project.org/download/%{name}-%{version}-rc0.tar.bz2
Source1: qemu.binfmt
@ -198,57 +198,6 @@ Source12: bridge.conf
# qemu-kvm back compat wrapper
Source13: qemu-kvm.sh
# Change gtk quit accelerator to ctrl+shift+q (bz #1062393)
# Patches queued for 2.1
Patch0001: 0001-Change-gtk-quit-accelerator-to-ctrl-shift-q-bz-10623.patch
# Migration CVEs: CVE-2014-0182 etc.
Patch0002: 0002-vmstate-add-VMS_MUST_EXIST.patch
Patch0003: 0003-vmstate-add-VMSTATE_VALIDATE.patch
Patch0004: 0004-virtio-net-fix-buffer-overflow-on-invalid-state-load.patch
Patch0005: 0005-virtio-net-out-of-bounds-buffer-write-on-invalid-sta.patch
Patch0006: 0006-virtio-out-of-bounds-buffer-write-on-invalid-state-l.patch
Patch0007: 0007-ahci-fix-buffer-overrun-on-invalid-state-load.patch
Patch0008: 0008-hpet-fix-buffer-overrun-on-invalid-state-load.patch
Patch0009: 0009-hw-pci-pcie_aer.c-fix-buffer-overruns-on-invalid-sta.patch
Patch0010: 0010-pl022-fix-buffer-overun-on-invalid-state-load.patch
Patch0011: 0011-vmstate-fix-buffer-overflow-in-target-arm-machine.c.patch
Patch0012: 0012-virtio-avoid-buffer-overrun-on-incoming-migration.patch
Patch0013: 0013-virtio-validate-num_sg-when-mapping.patch
Patch0014: 0014-pxa2xx-avoid-buffer-overrun-on-incoming-migration.patch
Patch0015: 0015-ssd0323-fix-buffer-overun-on-invalid-state-load.patch
Patch0016: 0016-tsc210x-fix-buffer-overrun-on-invalid-state-load.patch
Patch0017: 0017-zaurus-fix-buffer-overrun-on-invalid-state-load.patch
Patch0018: 0018-virtio-scsi-fix-buffer-overrun-on-invalid-state-load.patch
Patch0019: 0019-vmstate-s-VMSTATE_INT32_LE-VMSTATE_INT32_POSITIVE_LE.patch
Patch0020: 0020-usb-sanity-check-setup_index-setup_len-in-post_load.patch
Patch0021: 0021-ssi-sd-fix-buffer-overrun-on-invalid-state-load.patch
Patch0022: 0022-openpic-avoid-buffer-overrun-on-incoming-migration.patch
Patch0023: 0023-virtio-net-out-of-bounds-buffer-write-on-load.patch
Patch0024: 0024-virtio-validate-config_len-on-load.patch
# QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz
# #1097238, bz #1097222, bz #1097216)
Patch0101: 0101-qcow1-Make-padding-in-the-header-explicit.patch
Patch0102: 0102-qcow1-Check-maximum-cluster-size.patch
Patch0103: 0103-qcow1-Validate-L2-table-size-CVE-2014-0222.patch
Patch0104: 0104-qcow1-Validate-image-size-CVE-2014-0223.patch
Patch0105: 0105-qcow1-Stricter-backing-file-length-check.patch
# CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz
# #1096821)
Patch0106: 0106-usb-fix-up-post-load-checks.patch
# Don't use libtool on dtrace, fixes rawhide build (bz #1106968)
Patch0107: 0107-trace-add-pid-field-to-simpletrace-record.patch
Patch0108: 0108-simpletrace-add-support-for-trace-record-pid-field.patch
Patch0109: 0109-trace-Replace-error-with-warning-if-event-is-not-def.patch
Patch0110: 0110-do-not-call-g_thread_init-for-glib-2.31.patch
Patch0111: 0111-glib-move-g_poll-replacement-into-glib-compat.h.patch
Patch0112: 0112-glib-fix-g_poll-early-timeout-on-windows.patch
Patch0113: 0113-glib-compat.h-add-new-thread-API-emulation-on-top-of.patch
Patch0114: 0114-libcacard-replace-pstrcpy-with-memcpy.patch
Patch0115: 0115-libcacard-g_malloc-cleanups.patch
Patch0116: 0116-vscclient-use-glib-thread-primitives-not-qemu.patch
Patch0117: 0117-libcacard-replace-qemu-thread-primitives-with-glib-o.patch
BuildRequires: SDL-devel
BuildRequires: zlib-devel
BuildRequires: which
@ -343,7 +292,10 @@ BuildRequires: iasl
%if %{with_xen}
BuildRequires: xen-devel
%endif
%ifarch %{ix86} x86_64
# memdev hostmem backend added in 2.1
Requires: numactl-devel
%endif
%if 0%{?user:1}
Requires: %{name}-%{user} = %{epoch}:%{version}-%{release}
@ -768,58 +720,7 @@ CAC emulation development files.
%prep
%setup -q
# Change gtk quit accelerator to ctrl+shift+q (bz #1062393)
# Patches queued for 2.1
%patch0001 -p1
# Migration CVEs: CVE-2014-0182 etc.
%patch0002 -p1
%patch0003 -p1
%patch0004 -p1
%patch0005 -p1
%patch0006 -p1
%patch0007 -p1
%patch0008 -p1
%patch0009 -p1
%patch0010 -p1
%patch0011 -p1
%patch0012 -p1
%patch0013 -p1
%patch0014 -p1
%patch0015 -p1
%patch0016 -p1
%patch0017 -p1
%patch0018 -p1
%patch0019 -p1
%patch0020 -p1
%patch0021 -p1
%patch0022 -p1
%patch0023 -p1
%patch0024 -p1
# QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz
# #1097238, bz #1097222, bz #1097216)
%patch0101 -p1
%patch0102 -p1
%patch0103 -p1
%patch0104 -p1
%patch0105 -p1
# CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz
# #1096821)
%patch0106 -p1
# Don't use libtool on dtrace, fixes rawhide build (bz #1106968)
%patch0107 -p1
%patch0108 -p1
%patch0109 -p1
%patch0110 -p1
%patch0111 -p1
%patch0112 -p1
%patch0113 -p1
%patch0114 -p1
%patch0115 -p1
%patch0116 -p1
%patch0117 -p1
%setup -q -n %{name}-%{version}-rc0
%build
@ -837,7 +738,7 @@ arm-linux-user armeb-linux-user cris-linux-user m68k-linux-user \
microblaze-linux-user microblazeel-linux-user mips-linux-user \
mipsel-linux-user mips64-linux-user mips64el-linux-user \
mipsn32-linux-user mipsn32el-linux-user \
or32-linux-user ppc-linux-user ppc64-linux-user \
or32-linux-user ppc-linux-user ppc64-linux-user ppc64le-linux-user \
ppc64abi32-linux-user s390x-linux-user sh4-linux-user sh4eb-linux-user \
sparc-linux-user sparc64-linux-user sparc32plus-linux-user \
unicore32-linux-user"
@ -858,6 +759,10 @@ buildldflags="VL_LDFLAGS=-Wl,--build-id"
sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
%endif
# As of qemu 2.1, --enable-trace-backends supports multiple backends,
# but there's a performance impact for non-dtrace so we don't use them
./configure \
--prefix=%{_prefix} \
--libdir=%{_libdir} \
@ -873,7 +778,6 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
--audio-drv-list=pa,sdl,alsa,oss \
--enable-trace-backend=dtrace \
--enable-kvm \
--enable-tpm \
%if %{with_xen}
--enable-xen \
%else
@ -903,7 +807,6 @@ sed -i.debug 's/"-g $CFLAGS"/"$CFLAGS"/g' configure
%ifarch s390
--enable-tcg-interpreter \
%endif
--enable-quorum \
"$@"
echo "config-host.mak contents:"
@ -1291,6 +1194,7 @@ getent passwd qemu >/dev/null || \
%{_bindir}/qemu-ppc
%{_bindir}/qemu-ppc64
%{_bindir}/qemu-ppc64abi32
%{_bindir}/qemu-ppc64le
%{_bindir}/qemu-s390x
%{_bindir}/qemu-sh4
%{_bindir}/qemu-sh4eb
@ -1318,6 +1222,7 @@ getent passwd qemu >/dev/null || \
%{_datadir}/systemtap/tapset/qemu-ppc.stp
%{_datadir}/systemtap/tapset/qemu-ppc64.stp
%{_datadir}/systemtap/tapset/qemu-ppc64abi32.stp
%{_datadir}/systemtap/tapset/qemu-ppc64le.stp
%{_datadir}/systemtap/tapset/qemu-s390x.stp
%{_datadir}/systemtap/tapset/qemu-sh4.stp
%{_datadir}/systemtap/tapset/qemu-sh4eb.stp
@ -1587,6 +1492,9 @@ getent passwd qemu >/dev/null || \
%endif
%changelog
* Fri Jul 04 2014 Cole Robinson <crobinso@redhat.com> - 2:2.1.0-0.1.rc0
- Update to qemu 2.1-rc0
* Sun Jun 15 2014 Cole Robinson <crobinso@redhat.com> - 2:2.0.0-7
- Don't use libtool on dtrace, fixes rawhide build (bz #1106968)

2
sources
View File

@ -1 +1 @@
2790f44fd76da5de5024b4aafeb594c2 qemu-2.0.0.tar.bz2
b8e7af12112d4859ea30196975b1fd57 qemu-2.1.0-rc0.tar.bz2