From de4550957e9b42388242895ee152209384961ce0 Mon Sep 17 00:00:00 2001
From: Cole Robinson
Date: Tue, 14 Jul 2015 15:31:59 -0400
Subject: [PATCH] Rebased to v2.4.0-rc0
---
 0001-configure-Add-support-for-tcmalloc.patch | 102 ------------------
 ...fo-access-to-be-in-bounds-of-the-all.patch | 82 --------------
 ...redictable-directory-name-in-tmp-for.patch | 50 ---------
 qemu.spec | 25 +++--
 sources | 2 +-
 5 files changed, 13 insertions(+), 248 deletions(-)
 delete mode 100644 0001-configure-Add-support-for-tcmalloc.patch
 delete mode 100644 0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
 delete mode 100644 0003-slirp-use-less-predictable-directory-name-in-tmp-for.patch
diff --git a/0001-configure-Add-support-for-tcmalloc.patch b/0001-configure-Add-support-for-tcmalloc.patch
deleted file mode 100644
index 390da29..0000000
--- a/0001-configure-Add-support-for-tcmalloc.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From: Fam Zheng -Date: Thu, 26 Mar 2015 11:03:12 +0800 -Subject: [PATCH] configure: Add support for tcmalloc - -This adds "--enable-tcmalloc" and "--disable-tcmalloc" to allow linking -to libtcmalloc from gperftools. - -tcmalloc is a malloc implementation that works well with threads and is -fast, so it is good for performance. - -It is disabled by default, because the MALLOC_PERTURB_ flag we use in -tests doesn't work with tcmalloc. However we can enable tcmalloc -specific heap checker and profilers later. - -An IOPS gain can be observed with virtio-blk-dataplane, other parts of -QEMU will directly benefit from it as well: - -========================================================== - glibc malloc ----------------------------------------------------------- -rw bs iodepth bw iops latency -read 4k 1 150 38511 24 ----------------------------------------------------------- - -========================================================== - tcmalloc ----------------------------------------------------------- -rw bs iodepth bw iops latency -read 4k 1 156 39969 23 ----------------------------------------------------------- - -Signed-off-by: Fam Zheng -Message-Id: <1427338992-27057-1-git-send-email-famz@redhat.com> -Signed-off-by: Paolo Bonzini -(cherry picked from commit 2847b46958ab0bd604e1b3fcafba0f5ba4375833) ---- - configure | 24 ++++++++++++++++++++++++ - 1 file changed, 24 insertions(+) - -diff --git a/configure b/configure -index 6969f6f..75a4def 100755 ---- a/configure -+++ b/configure -@@ -336,6 +336,7 @@ libssh2="" - vhdx="" - quorum="" - numa="" -+tcmalloc="no" - - # parse CC options first - for opt do -@@ -1134,6 +1135,10 @@ for opt do - ;; - --enable-numa) numa="yes" - ;; -+ --disable-tcmalloc) tcmalloc="no" -+ ;; -+ --enable-tcmalloc) tcmalloc="yes" -+ ;; - *) - echo "ERROR: unknown option $opt" - echo "Try '$0 --help' for more information" -@@ -1407,6 +1412,8 @@ Advanced options (experts only): - --enable-quorum enable quorum block filter 
support - --disable-numa disable libnuma support - --enable-numa enable libnuma support -+ --disable-tcmalloc disable tcmalloc support -+ --enable-tcmalloc enable tcmalloc support - - NOTE: The object files are built at the place where configure is launched - EOF -@@ -3331,6 +3338,22 @@ EOF - fi - - ########################################## -+# tcmalloc probe -+ -+if test "$tcmalloc" = "yes" ; then -+ cat > $TMPC << EOF -+#include -+int main(void) { malloc(1); return 0; } -+EOF -+ -+ if compile_prog "" "-ltcmalloc" ; then -+ LIBS="-ltcmalloc $LIBS" -+ else -+ feature_not_found "tcmalloc" "install gperftools devel" -+ fi -+fi -+ -+########################################## - # signalfd probe - signalfd="no" - cat > $TMPC << EOF -@@ -4441,6 +4464,7 @@ echo "lzo support $lzo" - echo "snappy support $snappy" - echo "bzip2 support $bzip2" - echo "NUMA host support $numa" -+echo "tcmalloc support $tcmalloc" - - if test "$sdl_too_old" = "yes"; then - echo "-> Your SDL version is too old - please upgrade to have SDL support" diff --git a/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch b/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch deleted file mode 100644 index 80cc267..0000000 --- a/0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From: Petr Matousek -Date: Wed, 6 May 2015 09:48:59 +0200 -Subject: [PATCH] fdc: force the fifo access to be in bounds of the allocated - buffer - -During processing of certain commands such as FD_CMD_READ_ID and -FD_CMD_DRIVE_SPECIFICATION_COMMAND the fifo memory access could -get out of bounds leading to memory corruption with values coming -from the guest. - -Fix this by making sure that the index is always bounded by the -allocated memory. - -This is CVE-2015-3456. - -Signed-off-by: Petr Matousek -Reviewed-by: John Snow -Signed-off-by: John Snow -(cherry picked from commit e907746266721f305d67bc0718795fedee2e824c) ---- - hw/block/fdc.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/hw/block/fdc.c b/hw/block/fdc.c -index 2bf87c9..a9de4ab 100644 ---- a/hw/block/fdc.c -+++ b/hw/block/fdc.c -@@ -1512,7 +1512,7 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - { - FDrive *cur_drv; - uint32_t retval = 0; -- int pos; -+ uint32_t pos; - - cur_drv = get_cur_drv(fdctrl); - fdctrl->dsr &= ~FD_DSR_PWRDOWN; -@@ -1521,8 +1521,8 @@ static uint32_t fdctrl_read_data(FDCtrl *fdctrl) - return 0; - } - pos = fdctrl->data_pos; -+ pos %= FD_SECTOR_LEN; - if (fdctrl->msr & FD_MSR_NONDMA) { -- pos %= FD_SECTOR_LEN; - if (pos == 0) { - if (fdctrl->data_pos != 0) - if (!fdctrl_seek_to_next_sect(fdctrl, cur_drv)) { -@@ -1867,10 +1867,13 @@ static void fdctrl_handle_option(FDCtrl *fdctrl, int direction) - static void fdctrl_handle_drive_specification_command(FDCtrl *fdctrl, int direction) - { - FDrive *cur_drv = get_cur_drv(fdctrl); -+ uint32_t pos; - -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x80) { -+ pos = fdctrl->data_pos - 1; -+ pos %= FD_SECTOR_LEN; -+ if (fdctrl->fifo[pos] & 0x80) { - /* Command parameters done */ -- if (fdctrl->fifo[fdctrl->data_pos - 1] & 0x40) { -+ if (fdctrl->fifo[pos] & 0x40) { - fdctrl->fifo[0] = fdctrl->fifo[1]; - fdctrl->fifo[2] = 0; - fdctrl->fifo[3] = 0; -@@ -1970,7 +1973,7 @@ static 
uint8_t command_to_handler[256]; - static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - { - FDrive *cur_drv; -- int pos; -+ uint32_t pos; - - /* Reset mode */ - if (!(fdctrl->dor & FD_DOR_nRESET)) { -@@ -2019,7 +2022,9 @@ static void fdctrl_write_data(FDCtrl *fdctrl, uint32_t value) - } - - FLOPPY_DPRINTF("%s: %02x\n", __func__, value); -- fdctrl->fifo[fdctrl->data_pos++] = value; -+ pos = fdctrl->data_pos++; -+ pos %= FD_SECTOR_LEN; -+ fdctrl->fifo[pos] = value; - if (fdctrl->data_pos == fdctrl->data_len) { - /* We now have all parameters - * and will be able to treat the command diff --git a/0003-slirp-use-less-predictable-directory-name-in-tmp-for.patch b/0003-slirp-use-less-predictable-directory-name-in-tmp-for.patch deleted file mode 100644 index fb36234..0000000 --- a/0003-slirp-use-less-predictable-directory-name-in-tmp-for.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From: Michael Tokarev -Date: Thu, 28 May 2015 14:12:26 +0300 -Subject: [PATCH] slirp: use less predictable directory name in /tmp for smb - config (CVE-2015-4037) - -In this version I used mkdtemp(3) which is: - - _BSD_SOURCE - || /* Since glibc 2.10: */ - (_POSIX_C_SOURCE >= 200809L || _XOPEN_SOURCE >= 700) - -(POSIX.1-2008), so should be available on systems we care about. - -While at it, reset the resulting directory name within smb structure -on error so cleanup function wont try to remove directory which we -failed to create. - -Signed-off-by: Michael Tokarev -Reviewed-by: Markus Armbruster -(cherry picked from commit 8b8f1c7e9ddb2e88a144638f6527bf70e32343e3) ---- - net/slirp.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/net/slirp.c b/net/slirp.c -index 9bbed74..3090c10 100644 ---- a/net/slirp.c -+++ b/net/slirp.c -@@ -481,7 +481,6 @@ static void slirp_smb_cleanup(SlirpState *s) - static int slirp_smb(SlirpState* s, const char *exported_dir, - struct in_addr vserver_addr) - { -- static int instance; - char smb_conf[128]; - char smb_cmdline[128]; - struct passwd *passwd; -@@ -505,10 +504,10 @@ static int slirp_smb(SlirpState* s, const char *exported_dir, - return -1; - } - -- snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d", -- (long)getpid(), instance++); -- if (mkdir(s->smb_dir, 0700) < 0) { -+ snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.XXXXXX"); -+ if (!mkdtemp(s->smb_dir)) { - error_report("could not create samba server dir '%s'", s->smb_dir); -+ s->smb_dir[0] = 0; - return -1; - } - snprintf(smb_conf, sizeof(smb_conf), "%s/%s", s->smb_dir, "smb.conf"); diff --git a/qemu.spec b/qemu.spec index 14a71c2..271e88c 100644 --- a/qemu.spec +++ b/qemu.spec 
@@ -39,14 +39,14 @@ Summary: QEMU is a FAST! processor emulator
 Name: qemu
-Version: 2.3.0
-Release: 15%{?dist}
+Version: 2.4.0
+Release: 0.1.rc0%{?dist}
 Epoch: 2
 License: GPLv2+ and LGPLv2+ and BSD
 Group: Development/Tools
 URL: http://www.qemu.org/
-Source0: http://wiki.qemu-project.org/download/%{name}-%{version}.tar.bz2
+Source0: http://wiki.qemu-project.org/download/%{name}-%{version}-rc0.tar.bz2
 Source1: qemu.binfmt
@@ -68,14 +68,6 @@ Source12: bridge.conf
 # qemu-kvm back compat wrapper
 Source13: qemu-kvm.sh
-# Backport upstream 2.4 patch to link with tcmalloc, enable it
-Patch0001: 0001-configure-Add-support-for-tcmalloc.patch
-# CVE-2015-3456: (VENOM) fdc: out-of-bounds fifo buffer memory access
-# (bz #1221152)
-Patch0002: 0002-fdc-force-the-fifo-access-to-be-in-bounds-of-the-all.patch
-# CVE-2015-4037: insecure temporary file use in /net/slirp.c (bz
-# #1222894)
-Patch0003: 0003-slirp-use-less-predictable-directory-name-in-tmp-for.patch
 BuildRequires: SDL2-devel
 BuildRequires: zlib-devel
@@ -164,6 +156,8 @@ BuildRequires: numactl-devel
 %endif
 # Added in qemu 2.3
 BuildRequires: bzip2-devel
+# Added in qemu 2.4 for opengl bits
+Requires: libepoxy-devel
 Requires: %{name}-user = %{epoch}:%{version}-%{release}
@@ -546,7 +540,7 @@ CAC emulation development files.
 %prep
-%setup -q -n qemu-%{version}
+%setup -q -n qemu-%{version}-rc0
 %autopatch -p1
@@ -661,6 +655,7 @@ gcc %{_sourcedir}/ksmctl.c -O2 -g -o ksmctl
 mkdir -p %{buildroot}%{_udevdir}
 mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{_sysconfdir}/qemu
 install -D -p -m 0644 %{_sourcedir}/ksm.service %{buildroot}%{_unitdir}
 install -D -p -m 0644 %{_sourcedir}/ksm.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/ksm
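Review bot: The added `Requires: libepoxy-devel` in the hunk at @@ -164,6 +156,8 @@ sits inside the BuildRequires block and its own comment says it is for building the opengl bits, so this looks like a build dependency that was written as a run-time one; the line should read `BuildRequires: libepoxy-devel`. As written it makes the main package pull a -devel package onto every installed system, and the build itself still has no libepoxy headers available. The hunk at @@ -68,14 +68,6 @@ drops the CVE-2015-3456 and CVE-2015-4037 backports; their removed patch files carry upstream cherry-pick trailers, so presumably those fixes ship in 2.4.0-rc0, but neither the commit message nor the changelog says so. A short comment near the Version bump, such as `# CVE-2015-3456 / CVE-2015-4037 fixes are upstream as of 2.4.0-rc0, backports dropped`, would record why the security patches went away.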
@@ -741,6 +736,7 @@ rom_link ../seavgabios/vgabios-cirrus.bin vgabios-cirrus.bin
 rom_link ../seavgabios/vgabios-qxl.bin vgabios-qxl.bin
 rom_link ../seavgabios/vgabios-stdvga.bin vgabios-stdvga.bin
 rom_link ../seavgabios/vgabios-vmware.bin vgabios-vmware.bin
+rom_link ../seavgabios/vgabios-virtio.bin vgabios-virtio.bin
 rom_link ../seabios/bios.bin bios.bin
 rom_link ../seabios/bios-256k.bin bios-256k.bin
 rom_link ../seabios/acpi-dsdt.aml acpi-dsdt.aml
@@ -1015,6 +1011,7 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/%{name}/vgabios-qxl.bin
 %{_datadir}/%{name}/vgabios-stdvga.bin
 %{_datadir}/%{name}/vgabios-vmware.bin
+%{_datadir}/%{name}/vgabios-virtio.bin
 %{_datadir}/%{name}/pxe-e1000.rom
 %{_datadir}/%{name}/efi-e1000.rom
 %{_datadir}/%{name}/pxe-virtio.rom
@@ -1025,7 +1022,6 @@ getent passwd qemu >/dev/null || \
 %{_datadir}/%{name}/efi-rtl8139.rom
 %{_datadir}/%{name}/pxe-ne2k_pci.rom
 %{_datadir}/%{name}/efi-ne2k_pci.rom
-%config(noreplace) %{_sysconfdir}/qemu/target-x86_64.conf
 %ifarch %{ix86} x86_64
 %{?kvm_files:}
 %endif
@@ -1204,6 +1200,9 @@ getent passwd qemu >/dev/null || \
 %changelog
+* Tue Jul 14 2015 Cole Robinson 2:2.4.0-0.1-rc0
+- Rebased to version 2.4.0-rc0
+
 * Fri Jul 3 2015 Richard W.M. Jones - 2:2.3.0-15
 - Bump and rebuild.
diff --git a/sources b/sources
index acbd37d..1bc518d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2fab3ea4460de9b57192e5b8b311f221 qemu-2.3.0.tar.bz2
+0c890db3811f2ad9cc7bb2a5afe08e4c qemu-2.4.0-rc0.tar.bz2
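Review bot: The hunk at @@ -1025,7 +1022,6 @@ removes `%config(noreplace) %{_sysconfdir}/qemu/target-x86_64.conf`, which is the only entry under %{_sysconfdir}/qemu visible in this diff, while the %install section still does `mkdir -p %{buildroot}%{_sysconfdir}/qemu`. If the spec has no `%dir %{_sysconfdir}/qemu` entry elsewhere (not visible here), that directory is now created but owned by no package; a `%dir %{_sysconfdir}/qemu` line in the files list, or dropping the mkdir, would settle it. Separately, the new changelog header reads `2:2.4.0-0.1-rc0` while Release is set to `0.1.rc0%{?dist}` earlier in the file, so the changelog EVR should be `2:2.4.0-0.1.rc0` to match what rpm will actually produce.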