Compare commits
7 Commits
1176069249
...
dae2b79d15
Author | SHA1 | Date |
---|---|---|
Mauro Matteo Cascella | dae2b79d15 | |
Daniel P. Berrangé | abc86a585d | |
Richard W.M. Jones | da4ef4b66e | |
Eduardo Lima (Etrunko) | 09bf21d16d | |
Christophe Fergeau | ce7904b88e | |
Mauro Matteo Cascella | a75c8ea61f | |
Richard W.M. Jones | daaab58bcb | |

@ -1,10 +1,10 @@
From 375a476bcdefe65057a38fe6ae3f50b941e63ddd Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 1 Feb 2022 20:09:37 +0100
Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-type: text/plain

The sgx_epc_get_section stub is reachable from cpu_x86_cpuid. It
should not assert, instead it should just return true just like
@ -28,3 +28,6 @@ index 26833eb233..16b1dfd90b 100644
- g_assert_not_reached();
+ return true;
}
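Review bot: the stub now silently returns `true` where it used to assert, and the commit message sentence explaining what that mirrors is cut off in this view; a one-line comment on the stub stating what `true` means to its caller in cpu_x86_cpuid (it is the value the non-stub implementation returns when no section exists, not a success indication) would stop the next reader from treating the stub as a working backend.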
--
2.37.0.rc2

@ -1,8 +1,8 @@
From 7a5a6dbbf40f7d2313173573b99dd26069f7e309 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Wed, 27 Apr 2022 15:35:36 +0100
Subject: [PATCH] virtio-scsi: fix ctrl and event handler functions in
dataplane mode
Content-type: text/plain

Commit f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare
virtio_scsi_handle_cmd for dataplane") prepared the virtio-scsi cmd
@ -106,3 +106,6 @@ index 34a968ecfb..417fbc71d6 100644
virtio_scsi_acquire(s);
virtio_scsi_handle_event_vq(s, vq);
virtio_scsi_release(s);
--
2.37.0.rc2

@ -1,7 +1,7 @@
From 5a595325d84fe48fcef921b0810073906ff9284b Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:27:45 +0100
Subject: [PATCH] virtio-scsi: don't waste CPU polling the event virtqueue
Content-type: text/plain

The virtio-scsi event virtqueue is not emptied by its handler function.
This is typical for rx virtqueues where the device uses buffers when
@ -89,3 +89,6 @@ index b31c4507f5..b62a35fdca 100644
void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx);
VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector);
VirtQueue *virtio_vector_next_queue(VirtQueue *vq);
--
2.37.0.rc2

@ -1,7 +1,7 @@
From 5edca84f63de972dd08e0c63c7c67003df237f23 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:06 +0100
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_event_vq()
Content-type: text/plain

virtio_scsi_handle_event_vq() is only called from hw/scsi/virtio-scsi.c
now and its return value is no longer used. Remove the function
@ -49,3 +49,6 @@ index 543681bc18..5957597825 100644
bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
--
2.37.0.rc2

@ -1,7 +1,7 @@
From 4c4bec46e2ccbcb1e8360b118b46681369e3f05c Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:12 +0100
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_ctrl_vq()
Content-type: text/plain

virtio_scsi_handle_ctrl_vq() is only called from hw/scsi/virtio-scsi.c
now and its return value is no longer used. Remove the function
@ -52,3 +52,6 @@ index 5957597825..44dc3b81ec 100644
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
void virtio_scsi_free_req(VirtIOSCSIReq *req);
void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
--
2.37.0.rc2

@ -1,7 +1,7 @@
From 67a97290efc0e89c7c48bba46ed68de35121b9de Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:19 +0100
Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_cmd_vq()
Content-type: text/plain

virtio_scsi_handle_cmd_vq() is only called from hw/scsi/virtio-scsi.c
now and its return value is no longer used. Remove the function
@ -64,3 +64,6 @@ index 44dc3b81ec..2497530064 100644
void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
void virtio_scsi_free_req(VirtIOSCSIReq *req);
void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
--
2.37.0.rc2

@ -1,7 +1,7 @@
From 8c2d952c608b15e188db90e26b7238d35f5cf289 Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <stefanha@redhat.com>
Date: Tue, 17 May 2022 09:28:26 +0100
Subject: [PATCH] virtio-scsi: move request-related items from .h to .c
Content-type: text/plain

There is no longer a need to expose the request and related APIs in
virtio-scsi.h since there are no callers outside virtio-scsi.c.
@ -155,3 +155,6 @@ index 2497530064..abdda2cbd0 100644

void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp);
int virtio_scsi_dataplane_start(VirtIODevice *s);
--
2.37.0.rc2

|
From 7bbf88bfd6b5200926294788386398193afe623f Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Sat, 4 Jun 2022 20:28:58 -0400
Subject: [PATCH] Disable flakey dbus-display-test
Content-type: text/plain

Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
@ -34,3 +34,6 @@ index d25f82bb5a..d085604727 100644
qtest_executables = {}
foreach dir : target_dirs
if not dir.endswith('-softmmu')
--
2.37.0.rc2

|
From 1917ca47ce2234b7d279f16aa7ef1ff165902d1f Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Sat, 4 Jun 2022 20:29:46 -0400
Subject: [PATCH] Fix iotests with modules and qemu-system-s390x
Content-type: text/plain

Signed-off-by: Cole Robinson <crobinso@redhat.com>
---
@ -30,3 +30,6 @@ index 227e0a5be9..97f8e0a15f 100644
grep ^name | sed -e 's/^name "//' -e 's/".*$//')
for device
do
--
2.37.0.rc2

|
From 830cda479ec661b752c9c2566bcca0ac22bb478b Mon Sep 17 00:00:00 2001
From: Cole Robinson <crobinso@redhat.com>
Date: Sun, 5 Jun 2022 12:48:29 -0400
Subject: [PATCH] Skip iotests entirely
Content-type: text/plain

Getting sporadic failures like described here:
https://www.mail-archive.com/qemu-devel@nongnu.org/msg887683.html
@ -24,3 +24,6 @@ index f59496396c..09cc735da4 100755
# QEMU_CHECK_BLOCK_AUTO is used to disable some unstable sub-tests
export QEMU_CHECK_BLOCK_AUTO=1
export PYTHONUTF8=1
--
2.37.0.rc2

@ -1,4 +1,4 @@
From a7f14aae85022007a4c77e0792a1abb0509a08eb Mon Sep 17 00:00:00 2001
From 7605dc625bfd03c4f6bb8daddde909aac3e4badb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 2 Aug 2022 12:34:23 -0400
Subject: [PATCH] linux-user: fix compat with glibc >= 2.36 sys/mount.h
@ -53,7 +53,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2 files changed, 20 insertions(+)

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index b27a6552aa..52d178afe7 100644
index f65045efe6..834a86183c 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -95,7 +95,25 @@
@ -83,10 +83,10 @@ index b27a6552aa..52d178afe7 100644
#if defined(CONFIG_FIEMAP)
#include <linux/fiemap.h>
diff --git a/meson.build b/meson.build
index 294e9a8f32..30a380752c 100644
index 861de93c4f..8ca99671ec 100644
--- a/meson.build
+++ b/meson.build
@@ -1963,6 +1963,8 @@ config_host_data.set('HAVE_OPTRESET',
@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
cc.has_header_symbol('getopt.h', 'optreset'))
config_host_data.set('HAVE_IPPROTO_MPTCP',
cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
@ -96,5 +96,5 @@ index 294e9a8f32..30a380752c 100644
# has_member
config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
--
2.37.1
2.37.0.rc2
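Review bot: the `From` hash, both `index` lines and the meson.build hunk offset (`@@ -1963,6 +1963,8 @@` to `@@ -1686,6 +1686,8 @@`) all change while the subject and the syscall.c hunk header `@@ -95,7 +95,25 @@` stay the same, so this is the same patch regenerated against a different base (git 2.37.1 versus 2.37.0.rc2). The change description should say that the patch body is otherwise unchanged; as shown, a reader has to diff the two `.patch` files by hand to rule out backport drift.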
@ -1,3 +1,4 @@
From ac42f1e87f4f963836461691be22e39128b4eff2 Mon Sep 17 00:00:00 2001
From: Guo Zhi <qtxuning1999@sjtu.edu.cn>
Date: Tue, 3 May 2022 17:17:24 +0800
Subject: [PATCH] vga: avoid crash if no default vga card
@ -21,7 +22,7 @@ index 6f646531a0..b16c1c48fa 100644
--- a/softmmu/vl.c
+++ b/softmmu/vl.c
@@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)


if (vga_interface_available(t) && ti->opt_name) {
printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
- g_str_equal(ti->opt_name, def) ? " (default)" : "");
@ -30,3 +31,6 @@ index 6f646531a0..b16c1c48fa 100644
}
}
exit(0);
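Review bot: the removed line calls `g_str_equal(ti->opt_name, def)`, which dereferences `def`; given the subject ("avoid crash if no default vga card") the replacement must cope with `def == NULL`, but the added line is not shown in this view, so the fix cannot be checked here. A sentence in the commit message saying where `def` comes from and for which machine types it is NULL would let a reviewer confirm the guard is in the right place.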
--
2.37.0.rc2

@ -1,3 +1,4 @@
From 754371b1f2f872156dda4cb4aa16b510c142c381 Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Tue, 5 Jul 2022 22:05:43 +0200
Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
@ -39,7 +40,7 @@ index c8773f73f7..ad5f5e5f39 100644
scsi_req_cancel(s->current->req);
+ current_req = NULL;
}


/* As the current implemented devices scsi_disk and scsi_generic
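Review bot: `current_req = NULL` right after `scsi_req_cancel(s->current->req)` tells the reader that the cancel can tear down the request the local still points to, but nothing in the hunk says so; a comment above the assignment, for example `/* scsi_req_cancel() may free the request; drop our reference */`, would document why `current_req` must not be touched after this point, which is the whole content of the fix.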
diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
index ba5d468970..0f968024c8 100644
@ -48,7 +49,7 @@ index ba5d468970..0f968024c8 100644
@@ -8,6 +8,79 @@
#include "qemu/osdep.h"
#include "libqos/libqtest.h"


+/*
+ * This used to trigger a UAF in lsi_do_msgout()
+ * https://gitlab.com/qemu-project/qemu/-/issues/972
@ -132,5 +133,8 @@ index ba5d468970..0f968024c8 100644
+ qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
+ test_lsi_do_msgout_cancel_req);
}


return g_test_run();
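Review bot: the test is registered as `fuzz/lsi53c895a/lsi_do_msgout_cancel_req` and its header comment ties it to gitlab issue 972, which is good; the body of `test_lsi_do_msgout_cancel_req` is cut from this view, so please confirm it reproduces the use-after-free (a run under ASan on the tree without the `current_req = NULL` line) rather than only exercising the path, otherwise the regression test passes for the wrong reason.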
--
2.37.0.rc2

@ -1,3 +1,4 @@
From effa979582e34687688df36c9a10b33862f2581f Mon Sep 17 00:00:00 2001
From: Mauro Matteo Cascella <mcascell@redhat.com>
Date: Sun, 25 Sep 2022 22:45:11 +0200
Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
@ -35,7 +36,7 @@ index 310a873c21..8a2e176b64 100644
" which exceeds our limit of 1MB.", dlen);
@@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
}


if (read_s32(data, 4) < 0) {
- vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
- read_u32(data, 8), data + 12);
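Review bot: the removed call passes `abs(read_s32(data, 4))` as a length, and `abs()` of `INT32_MIN` is undefined behaviour, so the replacement (not shown in this view) should derive the length without calling `abs()` on the raw value, or reject `INT32_MIN` explicitly. The earlier hunk's message ("which exceeds our limit of 1MB") indicates a `dlen` limit is applied; that check needs to run before anything reads from `data + 12`, so the ordering is worth stating in the commit message.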
@ -49,3 +50,6 @@ index 310a873c21..8a2e176b64 100644
break;
}
vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
--
2.37.0.rc2

@ -0,0 +1,92 @@
From 9be9b8e36940756582c453c6bf08daa6955f916e Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 10 May 2022 17:10:19 +0200
Subject: [PATCH] coroutine: Rename qemu_coroutine_inc/dec_pool_size()

It's true that these functions currently affect the batch size in which
coroutines are reused (i.e. moved from the global release pool to the
allocation pool of a specific thread), but this is a bug and will be
fixed in a separate patch.

In fact, the comment in the header file already just promises that it
influences the pool size, so reflect this in the name of the functions.
As a nice side effect, the shorter function name makes some line
wrapping unnecessary.

Cc: qemu-stable@nongnu.org
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20220510151020.105528-2-kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 98e3ab35054b946f7c2aba5408822532b0920b53)
---
hw/block/virtio-blk.c | 6 ++----
include/qemu/coroutine.h | 6 +++---
util/qemu-coroutine.c | 4 ++--
3 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
index 540c38f829..6a1cc41877 100644
--- a/hw/block/virtio-blk.c
+++ b/hw/block/virtio-blk.c
@@ -1215,8 +1215,7 @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)
for (i = 0; i < conf->num_queues; i++) {
virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
}
- qemu_coroutine_increase_pool_batch_size(conf->num_queues * conf->queue_size
- / 2);
+ qemu_coroutine_inc_pool_size(conf->num_queues * conf->queue_size / 2);
virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err);
if (err != NULL) {
error_propagate(errp, err);
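Review bot: `qemu_coroutine_inc_pool_size()` is called before `virtio_blk_data_plane_create()`, and the visible error path (`error_propagate(errp, err)`) does not undo it; if that path returns without ever reaching `virtio_blk_device_unrealize()`, the pool size stays raised for a device that never realized. Either move the increment after the data-plane setup succeeds or call `qemu_coroutine_dec_pool_size()` on the error path. The expression `conf->num_queues * conf->queue_size / 2` is also duplicated in unrealize; a small helper would keep the two sites from drifting apart.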
@@ -1253,8 +1252,7 @@ static void virtio_blk_device_unrealize(DeviceState *dev)
for (i = 0; i < conf->num_queues; i++) {
virtio_del_queue(vdev, i);
}
- qemu_coroutine_decrease_pool_batch_size(conf->num_queues * conf->queue_size
- / 2);
+ qemu_coroutine_dec_pool_size(conf->num_queues * conf->queue_size / 2);
qemu_del_vm_change_state_handler(s->change);
blockdev_mark_auto_del(s->blk);
virtio_cleanup(vdev);
diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
index c828a95ee0..5b621d1295 100644
--- a/include/qemu/coroutine.h
+++ b/include/qemu/coroutine.h
@@ -334,12 +334,12 @@ void coroutine_fn yield_until_fd_readable(int fd);
/**
* Increase coroutine pool size
*/
-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size);
+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size);

/**
- * Devcrease coroutine pool size
+ * Decrease coroutine pool size
*/
-void qemu_coroutine_decrease_pool_batch_size(unsigned int additional_pool_size);
+void qemu_coroutine_dec_pool_size(unsigned int additional_pool_size);

#include "qemu/lockable.h"

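Review bot: the declaration of `qemu_coroutine_dec_pool_size()` keeps the parameter name `additional_pool_size` while the definition in util/qemu-coroutine.c uses `removing_pool_size`; since this patch touches both lines anyway, make the prototype use the same name so it reads correctly. The comment fix (`Devcrease` to `Decrease`) is fine, but both comments could also say that the value adjusted is a process-wide counter (the .c hunk does `qatomic_add` on a single global), not a per-thread one, since callers size it per device.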
diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
index c03b2422ff..faca0ca97c 100644
--- a/util/qemu-coroutine.c
+++ b/util/qemu-coroutine.c
@@ -205,12 +205,12 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
return co->ctx;
}

-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size)
+void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
{
qatomic_add(&pool_batch_size, additional_pool_size);
}

-void qemu_coroutine_decrease_pool_batch_size(unsigned int removing_pool_size)
+void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
{
qatomic_sub(&pool_batch_size, removing_pool_size);
}
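Review bot: after the rename the body of `qemu_coroutine_inc_pool_size()` still does `qatomic_add(&pool_batch_size, ...)`, so at this commit the name says "pool size" while the variable it touches is the batch threshold; the commit message acknowledges this is fixed separately, but a one-line comment in the function body (`/* still adjusts the batch size; fixed in the following commit */`) would save anyone bisecting to this point from reading the name as the behaviour.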
--
2.37.0.rc2

@ -0,0 +1,123 @@
From f1ea4c55f0e9bb05db980f27b392617ef6615954 Mon Sep 17 00:00:00 2001
From: Kevin Wolf <kwolf@redhat.com>
Date: Tue, 10 May 2022 17:10:20 +0200
Subject: [PATCH] coroutine: Revert to constant batch size

Commit 4c41c69e changed the way the coroutine pool is sized because for
virtio-blk devices with a large queue size and heavy I/O, it was just
too small and caused coroutines to be deleted and reallocated soon
afterwards. The change made the size dynamic based on the number of
queues and the queue size of virtio-blk devices.

There are two important numbers here: Slightly simplified, when a
coroutine terminates, it is generally stored in the global release pool
up to a certain pool size, and if the pool is full, it is freed.
Conversely, when allocating a new coroutine, the coroutines in the
release pool are reused if the pool already has reached a certain
minimum size (the batch size), otherwise we allocate new coroutines.

The problem after commit 4c41c69e is that it not only increases the
maximum pool size (which is the intended effect), but also the batch
size for reusing coroutines (which is a bug). It means that in cases
with many devices and/or a large queue size (which defaults to the
number of vcpus for virtio-blk-pci), many thousand coroutines could be
sitting in the release pool without being reused.

This is not only a waste of memory and allocations, but it actually
makes the QEMU process likely to hit the vm.max_map_count limit on Linux
because each coroutine requires two mappings (its stack and the guard
page for the stack), causing it to abort() in qemu_alloc_stack() because
when the limit is hit, mprotect() starts to fail with ENOMEM.

In order to fix the problem, change the batch size back to 64 to avoid
uselessly accumulating coroutines in the release pool, but keep the
dynamic maximum pool size so that coroutines aren't freed too early
in heavy I/O scenarios.

Note that this fix doesn't strictly make it impossible to hit the limit,
but this would only happen if most of the coroutines are actually in use
at the same time, not just sitting in a pool. This is the same behaviour
as we already had before commit 4c41c69e. Fully preventing this would
require allowing qemu_coroutine_create() to return an error, but it
doesn't seem to be a scenario that people hit in practice.

Cc: qemu-stable@nongnu.org
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2079938
Fixes: 4c41c69e05fe28c0f95f8abd2ebf407e95a4f04b
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
Message-Id: <20220510151020.105528-3-kwolf@redhat.com>
Tested-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 9ec7a59b5aad4b736871c378d30f5ef5ec51cb52)
---
util/qemu-coroutine.c | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
index faca0ca97c..804f672e0a 100644
--- a/util/qemu-coroutine.c
+++ b/util/qemu-coroutine.c
@@ -20,14 +20,20 @@
#include "qemu/coroutine_int.h"
#include "block/aio.h"

-/** Initial batch size is 64, and is increased on demand */
+/**
+ * The minimal batch size is always 64, coroutines from the release_pool are
+ * reused as soon as there are 64 coroutines in it. The maximum pool size starts
+ * with 64 and is increased on demand so that coroutines are not deleted even if
+ * they are not immediately reused.
+ */
enum {
- POOL_INITIAL_BATCH_SIZE = 64,
+ POOL_MIN_BATCH_SIZE = 64,
+ POOL_INITIAL_MAX_SIZE = 64,
};

/** Free list to speed up creation */
static QSLIST_HEAD(, Coroutine) release_pool = QSLIST_HEAD_INITIALIZER(pool);
-static unsigned int pool_batch_size = POOL_INITIAL_BATCH_SIZE;
+static unsigned int pool_max_size = POOL_INITIAL_MAX_SIZE;
static unsigned int release_pool_size;
static __thread QSLIST_HEAD(, Coroutine) alloc_pool = QSLIST_HEAD_INITIALIZER(pool);
static __thread unsigned int alloc_pool_size;
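Review bot: `POOL_MIN_BATCH_SIZE` and `POOL_INITIAL_MAX_SIZE` are both 64, the value the old single `POOL_INITIAL_BATCH_SIZE` had, and the new comment does not say that they are independent knobs that merely start equal; one sentence to that effect ("the two need not be equal") would stop a later cleanup from folding them back into one constant, which is exactly the coupling this patch is undoing. The comment also calls the threshold "minimal batch size" while the enum name says `MIN_BATCH_SIZE` and the commit message says "constant batch size"; pick one term.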
@@ -51,7 +57,7 @@ Coroutine *qemu_coroutine_create(CoroutineEntry *entry, void *opaque)
if (CONFIG_COROUTINE_POOL) {
co = QSLIST_FIRST(&alloc_pool);
if (!co) {
- if (release_pool_size > qatomic_read(&pool_batch_size)) {
+ if (release_pool_size > POOL_MIN_BATCH_SIZE) {
/* Slow path; a good place to register the destructor, too. */
if (!coroutine_pool_cleanup_notifier.notify) {
coroutine_pool_cleanup_notifier.notify = coroutine_pool_cleanup;
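Review bot: the comparison is `release_pool_size > POOL_MIN_BATCH_SIZE`, so reuse starts once the release pool holds 65 coroutines, while the new header comment says they are reused "as soon as there are 64 coroutines in it"; either use `>=` here or change the comment so the two agree (the off-by-one is harmless, the mismatch is not).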
@@ -88,12 +94,12 @@ static void coroutine_delete(Coroutine *co)
co->caller = NULL;

if (CONFIG_COROUTINE_POOL) {
- if (release_pool_size < qatomic_read(&pool_batch_size) * 2) {
+ if (release_pool_size < qatomic_read(&pool_max_size) * 2) {
QSLIST_INSERT_HEAD_ATOMIC(&release_pool, co, pool_next);
qatomic_inc(&release_pool_size);
return;
}
- if (alloc_pool_size < qatomic_read(&pool_batch_size)) {
+ if (alloc_pool_size < qatomic_read(&pool_max_size)) {
QSLIST_INSERT_HEAD(&alloc_pool, co, pool_next);
alloc_pool_size++;
return;
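Review bot: with these caps the release pool retains up to `2 * pool_max_size` coroutines and each thread's alloc pool up to `pool_max_size`, so the total parked (not freed) coroutines can reach `(2 + number of threads) * pool_max_size`; since the commit message's motivation is the two mappings per coroutine against vm.max_map_count, the header comment should state that bound so callers of `qemu_coroutine_inc_pool_size()` can relate what they add to the mapping budget. `qatomic_read(&pool_max_size) * 2` is also evaluated in `unsigned int`, so a very large accumulated `pool_max_size` wraps; a range check in the increment path would be cheaper than guarding the multiplication here.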
@@ -207,10 +213,10 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)

void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
{
- qatomic_add(&pool_batch_size, additional_pool_size);
+ qatomic_add(&pool_max_size, additional_pool_size);
}

void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
{
- qatomic_sub(&pool_batch_size, removing_pool_size);
+ qatomic_sub(&pool_max_size, removing_pool_size);
}
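Review bot: `qatomic_sub(&pool_max_size, removing_pool_size)` has no lower bound: an unrealize that subtracts more than its realize added, or a realize that incremented and then failed, leaves the `unsigned int` wrapped near UINT_MAX, and the `pool_max_size * 2` comparison in `coroutine_delete()` then keeps every terminated coroutine, which is the very accumulation this patch is fixing. An `assert(qatomic_read(&pool_max_size) >= removing_pool_size)` before the subtract, or a saturating subtract, would make the invariant explicit.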
--
2.37.0.rc2

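The pool mechanics that the commit message of the patch above describes (a global release pool, a per-thread allocation pool, a reuse threshold called the batch size, and a maximum pool size), as an added single-threaded simulation in C. This is not QEMU code: coroutines are replaced by counters, `model_create()` and `model_delete()` mirror the two `if` chains in the hunks, and `simulate()` counts how many fresh coroutines a steady workload needs under the three settings the message contrasts (batch tied to the maximum, constant batch 64 with a dynamic maximum, and the old constant 64/64). The value 2112 = 64 + 4 * 1024 / 2 stands in for one virtio-blk device with four 1024-entry queues and is an assumption, not a number from the page.

```c
/*
 * Added, simplified model of the coroutine pool logic from the hunks above.
 * Not QEMU code: a single thread, coroutines are counts, no real stacks.
 */
#include <stdio.h>

struct pool_model {
    unsigned release_pool_size; /* global pool of terminated coroutines */
    unsigned alloc_pool_size;   /* this thread's private pool */
    unsigned batch_size;        /* reuse threshold: POOL_MIN_BATCH_SIZE or pool_max_size */
    unsigned max_size;          /* cap: release pool <= 2*max_size, alloc pool <= max_size */
    unsigned allocations;       /* fresh coroutines (each costs two mappings in QEMU) */
    unsigned frees;             /* coroutines dropped because both pools were full */
};

/* qemu_coroutine_create(): prefer the thread pool; if it is empty and the
 * release pool holds more than batch_size entries, take the whole release
 * pool into the thread pool (QEMU swaps the list atomically); else allocate. */
static void model_create(struct pool_model *p)
{
    if (p->alloc_pool_size == 0 && p->release_pool_size > p->batch_size) {
        p->alloc_pool_size = p->release_pool_size;
        p->release_pool_size = 0;
    }
    if (p->alloc_pool_size > 0) {
        p->alloc_pool_size--;
    } else {
        p->allocations++;
    }
}

/* coroutine_delete(): park in the release pool up to 2*max_size, then in the
 * thread pool up to max_size, otherwise free the coroutine. */
static void model_delete(struct pool_model *p)
{
    if (p->release_pool_size < p->max_size * 2) {
        p->release_pool_size++;
    } else if (p->alloc_pool_size < p->max_size) {
        p->alloc_pool_size++;
    } else {
        p->frees++;
    }
}

/* Run `rounds` rounds of `depth` coroutines created then completed, and
 * return how many had to be freshly allocated. */
unsigned simulate(unsigned batch_size, unsigned max_size,
                  unsigned depth, unsigned rounds)
{
    struct pool_model p = { .batch_size = batch_size, .max_size = max_size };
    for (unsigned r = 0; r < rounds; r++) {
        for (unsigned i = 0; i < depth; i++) {
            model_create(&p);
        }
        for (unsigned i = 0; i < depth; i++) {
            model_delete(&p);
        }
    }
    return p.allocations;
}

int main(void)
{
    /* Assumed device: 4 virtio-blk queues of 1024 entries -> 64 + 4*1024/2. */
    const unsigned dyn = 64 + 4 * 1024 / 2;

    printf("batch=max=%u, 32 in flight: %u allocations\n", dyn,
           simulate(dyn, dyn, 32, 100));   /* bug: batch follows the maximum */
    printf("batch=64, max=%u, 32 in flight: %u allocations\n", dyn,
           simulate(64, dyn, 32, 100));    /* fix: constant batch, dynamic max */
    printf("batch=64, max=64, 512 in flight: %u allocations\n",
           simulate(64, 64, 512, 100));    /* before 4c41c69e: pool too small */
    printf("batch=64, max=%u, 512 in flight: %u allocations\n", dyn,
           simulate(64, dyn, 512, 100));   /* fix keeps the large pool */
    return 0;
}
```

With the batch tied to the maximum, 32 in-flight coroutines cost 2144 allocations over 100 rounds because nothing is reused until the release pool exceeds 2112 entries; with a constant batch of 64 the same workload settles after 96 allocations. The 512-deep case shows why the dynamic maximum is kept: with a 64/64 pool most coroutines are freed every round (32192 allocations), while the larger cap needs only 512.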
@ -0,0 +1,70 @@
From: Thomas Huth <thuth@redhat.com>
Date: Thu, 4 Aug 2022 15:13:00 +0200
Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
xhci_ring_chain_length() (CVE-2020-14394)

The loop condition in xhci_ring_chain_length() is under control of
the guest, and additionally the code does not check for failed DMA
transfers (e.g. if reaching the end of the RAM), so the loop there
could run for a very long time or even forever. Fix it by checking
the return value of dma_memory_read() and by introducing a maximum
loop length.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
Message-Id: <20220804131300.96368-1-thuth@redhat.com>
Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
---
hw/usb/hcd-xhci.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index 0cd0a5e540..213d0be6b6 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -21,6 +21,7 @@

#include "qemu/osdep.h"
#include "qemu/timer.h"
+#include "qemu/log.h"
#include "qemu/module.h"
#include "qemu/queue.h"
#include "migration/vmstate.h"
@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
bool control_td_set = 0;
uint32_t link_cnt = 0;

- while (1) {
+ do {
TRBType type;
- dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
- MEMTXATTRS_UNSPECIFIED);
+ if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
+ MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
+ __func__);
+ return -1;
+ }
le64_to_cpus(&trb.parameter);
le32_to_cpus(&trb.status);
le32_to_cpus(&trb.control);
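Review bot: the loop now returns -1 when `dma_memory_read()` fails, but the `-` lines show the function previously only ever returned a computed `length`, so every caller of `xhci_ring_chain_length()` must now handle a negative result; the diffstat touches only hw/usb/hcd-xhci.c, so the commit message should state that the callers were audited. Including `dequeue` in the `LOG_GUEST_ERROR` message would also make the failing TRB address visible to whoever reads the log.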
@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
if (!control_td_set && !(trb.control & TRB_TR_CH)) {
return length;
}
- }
+
+ /*
+ * According to the xHCI spec, Transfer Ring segments should have
+ * a maximum size of 64 kB (see chapter "6 Data Structures")
+ */
+ } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
+
+ qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n",
+ __func__);
+
+ return -1;
}

static void xhci_er_reset(XHCIState *xhci, int v)
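Review bot: the log string reads "exceeded maximum tranfer ring size" (missing the "s" in transfer); fix the typo before it lands in a guest-error log. More importantly, the new bound `length < TRB_LINK_LIMIT * 65536 / TRB_SIZE` relies on `length` advancing on every iteration, while the function also keeps a separate `link_cnt` for link TRBs; if link TRBs are skipped without incrementing `length`, a ring built only of link TRBs is bounded only by whatever check uses `link_cnt`, so a dedicated iteration counter would make the termination argument independent of the TRB mix.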
@ -0,0 +1,78 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
Date: Mon, 6 Sep 2021 17:31:03 +0200
Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt
(CVE-2021-3638)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When building QEMU with DEBUG_ATI defined then running with
'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
we get:

ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
ati_mm_write 4 0x1420 DST_Y <- 0x3fff
ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0 0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
#1 0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
#2 0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
#3 0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
#4 0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492

Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
the local dst_x and dst_y which adjust the (x, y) coordinates
depending on the direction in the SRCCOPY ROP3 operation, but
forgot to address the same issue for the PATCOPY, BLACKNESS and
WHITENESS operations, which also call pixman_fill().

Fix that now by using the adjusted coordinates in the pixman_fill
call, and update the related debug printf().

Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
hw/display/ati_2d.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
index 4dc10ea795..692bec91de 100644
--- a/hw/display/ati_2d.c
+++ b/hw/display/ati_2d.c
@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
- s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
+ s->regs.src_x, s->regs.src_y, dst_x, dst_y,
s->regs.dst_width, s->regs.dst_height,
(s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
(s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
dst_stride /= sizeof(uint32_t);
DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
dst_bits, dst_stride, bpp,
- s->regs.dst_x, s->regs.dst_y,
+ dst_x, dst_y,
s->regs.dst_width, s->regs.dst_height,
filler);
pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
- s->regs.dst_x, s->regs.dst_y,
+ dst_x, dst_y,
s->regs.dst_width, s->regs.dst_height,
filler);
if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&
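Review bot: the fill now uses the direction-adjusted `dst_x`/`dst_y`, but width and height are still `s->regs.dst_width`/`s->regs.dst_height` straight from guest registers, and the only range check visible here (`dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr && ...`) runs after `pixman_fill()` has already written; the backtrace in the commit message places the crash inside pixman's `sse2_fill`, which does no clipping of its own. Unless an earlier check outside this hunk bounds `dst_x + dst_width` and `dst_y + dst_height` against the destination surface, a guest can still pick a rectangle that runs past VRAM; either add that check before the fill or cite in the commit message where it lives.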
@ -0,0 +1,58 @@
From: "Christian A. Ehrhardt" <lk@c--e.de>
Date: Mon, 24 Oct 2022 17:42:33 +0200
Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues

- Fix memset argument order: The second argument is
the value, the length goes last.
- Fix an integer overflow reported by Alexander Bulekov.

Both issues allow the guest to overrun the host buffer
allocated for the ERST memory device.

Cc: Eric DeVolder <eric.devolder@oracle.com>
Cc: Alexander Bulekov <alxndr@bu.edu>
Cc: qemu-stable@nongnu.org
Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
Tested-by: Alexander Bulekov <alxndr@bu.edu>
Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
Message-Id: <20221024154233.1043347-1-lk@c--e.de>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/acpi/erst.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
index de509c2b48..f092ce4d49 100644
--- a/hw/acpi/erst.c
+++ b/hw/acpi/erst.c
@@ -632,7 +632,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
rc = STATUS_FAILED;
}
- if ((s->record_offset + record_length) > exchange_length) {
+ if (record_length > exchange_length - s->record_offset) {
rc = STATUS_FAILED;
}
/* If all is ok, copy the record to the exchange buffer */
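Review bot: rewriting the check as `record_length > exchange_length - s->record_offset` removes the addition overflow, but it is only correct when `s->record_offset <= exchange_length` already holds; if `record_offset` is guest-writable and can exceed `exchange_length`, the unsigned subtraction wraps and the check passes for any `record_length`. Either validate or assert `record_offset` before this point, or write it as two comparisons. Note also that the preceding `record_length < UEFI_CPER_RECORD_MIN_SIZE` branch only sets `rc` and falls through, so the copy that follows "If all is ok" must test `rc` and not just this condition.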
@@ -681,7 +681,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
return STATUS_FAILED;
}
- if ((s->record_offset + record_length) > exchange_length) {
+ if (record_length > exchange_length - s->record_offset) {
return STATUS_FAILED;
}

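Review bot: this is the same comparison as in `read_erst_record()` with the same unstated precondition on `s->record_offset`; a small shared helper (something like `erst_record_fits(record_offset, record_length, exchange_length)`, name as a suggestion) used by both sites would keep the two checks identical and give one place to document that `record_offset` must already be bounded by `exchange_length`.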
@@ -713,7 +713,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
if (nvram) {
/* Write the record into the slot */
memcpy(nvram, exchange, record_length);
- memset(nvram + record_length, exchange_length - record_length, 0xFF);
+ memset(nvram + record_length, 0xFF, exchange_length - record_length);
/* If a new record, increment the record_count */
if (!record_found) {
uint32_t record_count;
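Review bot: the corrected `memset(nvram + record_length, 0xFF, exchange_length - record_length)` pads the slot out to `exchange_length`, which assumes every NVRAM slot is exactly `exchange_length` bytes; if the slot size and the exchange buffer size are separate configuration values, the slot size is the one to use here. The old argument order wrote 255 bytes of the value `(exchange_length - record_length) & 0xFF` instead of 0xFF-filling the tail, so a comment stating that slots are 0xFF-padded after the record would make the intent obvious to the next person editing this line.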
@ -0,0 +1,438 @@
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:37 +0100
Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no
log_cmd handler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Only 3 command types are logged: no need to call qxl_phys2virt()
for the other types. Using different cases will help to pass
different structure sizes to qxl_phys2virt() in a pair of commits.

Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-2-philmd@linaro.org>
---
hw/display/qxl-logger.c | 11 +++++++++++
1 file changed, 11 insertions(+)

diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
index 68bfa47568..1bcf803db6 100644
--- a/hw/display/qxl-logger.c
+++ b/hw/display/qxl-logger.c
@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
qxl_name(qxl_type, ext->cmd.type),
compat ? "(compat)" : "");

+ switch (ext->cmd.type) {
+ case QXL_CMD_DRAW:
+ break;
+ case QXL_CMD_SURFACE:
+ break;
+ case QXL_CMD_CURSOR:
+ break;
+ default:
+ goto out;
+ }
data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
if (!data) {
return 1;
@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
|
||||
qxl_log_cmd_cursor(qxl, data, ext->group_id);
|
||||
break;
|
||||
}
|
||||
+out:
|
||||
fprintf(stderr, "\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
|
||||
Date: Mon, 28 Nov 2022 21:27:38 +0100
|
||||
Subject: [PATCH] hw/display/qxl: Document qxl_phys2virt()
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
|
||||
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Message-Id: <20221128202741.4945-3-philmd@linaro.org>
|
||||
---
|
||||
hw/display/qxl.h | 19 +++++++++++++++++++
|
||||
1 file changed, 19 insertions(+)
|
||||
|
||||
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
|
||||
index e74de9579d..78b3a6c9ba 100644
|
||||
--- a/hw/display/qxl.h
|
||||
+++ b/hw/display/qxl.h
|
||||
@@ -147,6 +147,25 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
|
||||
#define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1)
|
||||
|
||||
/* qxl.c */
|
||||
+/**
|
||||
+ * qxl_phys2virt: Get a pointer within a PCI VRAM memory region.
|
||||
+ *
|
||||
+ * @qxl: QXL device
|
||||
+ * @phys: physical offset of buffer within the VRAM
|
||||
+ * @group_id: memory slot group
|
||||
+ *
|
||||
+ * Returns a host pointer to a buffer placed at offset @phys within the
|
||||
+ * active slot @group_id of the PCI VGA RAM memory region associated with
|
||||
+ * the @qxl device. If the slot is inactive, or the offset is out
|
||||
+ * of the memory region, returns NULL.
|
||||
+ *
|
||||
+ * Use with care; by the time this function returns, the returned pointer is
|
||||
+ * not protected by RCU anymore. If the caller is not within an RCU critical
|
||||
+ * section and does not hold the iothread lock, it must have other means of
|
||||
+ * protecting the pointer, such as a reference to the region that includes
|
||||
+ * the incoming ram_addr_t.
|
||||
+ *
|
||||
+ */
|
||||
void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
|
||||
void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
|
||||
G_GNUC_PRINTF(2, 3);
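Review bot: the new doc comment names the region inconsistently: the summary line says "PCI VRAM memory region" while the body says "PCI VGA RAM memory region"; pick one term. The empty ` *` line immediately before the closing ` */` can also be dropped.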

From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:39 +0100
Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Currently qxl_phys2virt() doesn't check for buffer overrun.
In order to do so in the next commit, pass the buffer size
as argument.

For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
verify the size of the chunked data ahead, checking we can
access 'sizeof(QXLCursor) + chunk->data_size' bytes.
Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
assumed to fit in one chunk, no change are required.
In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
qxl_unpack_chunks().

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-4-philmd@linaro.org>
---
hw/display/qxl-logger.c | 11 ++++++++---
hw/display/qxl-render.c | 20 ++++++++++++++++----
hw/display/qxl.c | 14 +++++++++-----
hw/display/qxl.h | 4 +++-
4 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
index 1bcf803db6..35c38f6252 100644
--- a/hw/display/qxl-logger.c
+++ b/hw/display/qxl-logger.c
@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
QXLImage *image;
QXLImageDescriptor *desc;

- image = qxl_phys2virt(qxl, addr, group_id);
+ image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage));
if (!image) {
return 1;
}
@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
cmd->u.set.position.y,
cmd->u.set.visible ? "yes" : "no",
cmd->u.set.shape);
- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id,
+ sizeof(QXLCursor));
if (!cursor) {
return 1;
}
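Review bot: `qxl_log_cmd_cursor` validates only `sizeof(QXLCursor)` for `cmd->u.set.shape`, whereas the render path in this same patch re-checks `sizeof(QXLCursor) + cursor->chunk.data_size` before touching the chunk payload; if this logger dereferences anything past the header (the chunk data), it needs the same two-step size check, and if it deliberately reads only the header, a one-line comment saying so would make the smaller size obviously intentional.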
@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
{
bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
void *data;
+ size_t datasz;
int ret;

if (!qxl->cmdlog) {
@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)

switch (ext->cmd.type) {
case QXL_CMD_DRAW:
+ datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable);
break;
case QXL_CMD_SURFACE:
+ datasz = sizeof(QXLSurfaceCmd);
break;
case QXL_CMD_CURSOR:
+ datasz = sizeof(QXLCursorCmd);
break;
default:
goto out;
}
- data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz);
if (!data) {
return 1;
}
diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
index ca217004bf..fcfd40c3ac 100644
--- a/hw/display/qxl-render.c
+++ b/hw/display/qxl-render.c
@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
qxl->guest_primary.resized = 0;
qxl->guest_primary.data = qxl_phys2virt(qxl,
qxl->guest_primary.surface.mem,
- MEMSLOT_GROUP_GUEST);
+ MEMSLOT_GROUP_GUEST,
+ qxl->guest_primary.abs_stride
+ * height);
if (!qxl->guest_primary.data) {
goto end;
}
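Review bot: the requested size is computed as `qxl->guest_primary.abs_stride * height`; if both operands are 32-bit integers the product is evaluated in 32 bits and can wrap before it is widened to the `size_t` parameter, so a large guest-supplied stride and height could pass the bounds check with a far smaller size than is actually accessed. Widen one operand first, as `qxl_dirty_one_surface` does later in this series with `(uint64_t)height * abs(stride)`.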
@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
if (offset == size) {
return;
}
- chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
+ chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
+ sizeof(QXLDataChunk) + chunk->data_size);
if (!chunk) {
return;
}
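Review bot: the size passed for the next chunk, `sizeof(QXLDataChunk) + chunk->data_size`, is evaluated before the assignment, so `chunk->data_size` here is the current chunk's payload size, not the next chunk's. The check is only sound if every chunk in the list carries the same `data_size`; otherwise the next chunk's header should first be validated with `sizeof(QXLDataChunk)` and then re-validated with its own `data_size`, the same two-step pattern `qxl_render_cursor` uses for `QXLCursor` below.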
@@ -295,7 +298,8 @@ fail:
/* called from spice server thread context only */
int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
{
- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLCursorCmd));
QXLCursor *cursor;
QEMUCursor *c;

@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
}
switch (cmd->type) {
case QXL_CURSOR_SET:
- cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
+ /* First read the QXLCursor to get QXLDataChunk::data_size ... */
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
+ sizeof(QXLCursor));
+ if (!cursor) {
+ return 1;
+ }
+ /* Then read including the chunked data following QXLCursor. */
+ cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
+ sizeof(QXLCursor) + cursor->chunk.data_size);
if (!cursor) {
return 1;
}
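Review bot: the two-step mapping reads `cursor->chunk.data_size` out of guest-writable VRAM to size the second `qxl_phys2virt()` call; whatever later consumes the chunk must use the same value that was validated here (captured in a local) rather than re-reading `cursor->chunk.data_size`, otherwise a guest write between the check and the use defeats the bound that was just established.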
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index adbdbcaeb6..c1ab202f98 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -274,7 +274,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
QXL_IO_MONITORS_CONFIG_ASYNC));
}

- cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST);
+ cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST,
+ sizeof(QXLMonitorsConfig));
if (cfg != NULL && cfg->count == 1) {
qxl->guest_primary.resized = 1;
qxl->guest_head0_width = cfg->heads[0].width;
@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
switch (le32_to_cpu(ext->cmd.type)) {
case QXL_CMD_SURFACE:
{
- QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLSurfaceCmd));

if (!cmd) {
return 1;
@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
}
case QXL_CMD_CURSOR:
{
- QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+ QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
+ sizeof(QXLCursorCmd));

if (!cmd) {
return 1;
@@ -1456,7 +1459,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
}

/* can be also called from spice server thread context */
-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
+ size_t size)
{
uint64_t offset;
uint32_t slot;
@@ -1964,7 +1968,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
}

cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
- MEMSLOT_GROUP_GUEST);
+ MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd));
assert(cmd);
assert(cmd->type == QXL_SURFACE_CMD_CREATE);
qxl_dirty_one_surface(qxl, cmd->u.surface_create.data,
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index 78b3a6c9ba..bf03138ab4 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -153,6 +153,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
* @qxl: QXL device
* @phys: physical offset of buffer within the VRAM
* @group_id: memory slot group
+ * @size: size of the buffer
*
* Returns a host pointer to a buffer placed at offset @phys within the
* active slot @group_id of the PCI VGA RAM memory region associated with
@@ -166,7 +167,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
* the incoming ram_addr_t.
*
*/
-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
+void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
+ size_t size);
void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
G_GNUC_PRINTF(2, 3);


From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:40 +0100
Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
(CVE-2022-4144)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Have qxl_get_check_slot_offset() return false if the requested
buffer size does not fit within the slot memory region.

Similarly qxl_phys2virt() now returns NULL in such case, and
qxl_dirty_one_surface() aborts.

This avoids buffer overrun in the host pointer returned by
memory_region_get_ram_ptr().

Fixes: CVE-2022-4144 (out-of-bounds read)
Reported-by: Wenxu Yin (@awxylitol)
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-5-philmd@linaro.org>
---
hw/display/qxl.c | 27 +++++++++++++++++++++++----
hw/display/qxl.h | 2 +-
2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index c1ab202f98..91c0fe698c 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1424,11 +1424,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)

/* can be also called from spice server thread context */
static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
- uint32_t *s, uint64_t *o)
+ uint32_t *s, uint64_t *o,
+ size_t size_requested)
{
uint64_t phys = le64_to_cpu(pqxl);
uint32_t slot = (phys >> (64 - 8)) & 0xff;
uint64_t offset = phys & 0xffffffffffff;
+ uint64_t size_available;

if (slot >= NUM_MEMSLOTS) {
qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
@@ -1452,6 +1454,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
slot, offset, qxl->guest_slots[slot].size);
return false;
}
+ size_available = memory_region_size(qxl->guest_slots[slot].mr);
+ if (qxl->guest_slots[slot].offset + offset >= size_available) {
+ qxl_set_guest_bug(qxl,
+ "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
+ slot, qxl->guest_slots[slot].offset + offset,
+ size_available);
+ return false;
+ }
+ size_available -= qxl->guest_slots[slot].offset + offset;
+ if (size_requested > size_available) {
+ qxl_set_guest_bug(qxl,
+ "slot %d offset %"PRIu64" size %zu: "
+ "overrun by %"PRIu64" bytes\n",
+ slot, offset, size_requested,
+ size_requested - size_available);
+ return false;
+ }

*s = slot;
*o = offset;
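Review bot: the message in the first new check does not match its condition: it rejects `qxl->guest_slots[slot].offset + offset >= size_available` but logs `"> region size"`, so an offset equal to the region size is rejected while the log claims a strict overshoot; print `>=`. Both new `qxl_set_guest_bug()` messages also end in `\n` while the existing `"slot too large %d >= %d"` message in the same function does not; pick one convention.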
@@ -1471,7 +1490,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
offset = le64_to_cpu(pqxl) & 0xffffffffffff;
return (void *)(intptr_t)offset;
case MEMSLOT_GROUP_GUEST:
- if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
+ if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
return NULL;
}
ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
@@ -1937,9 +1956,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
uint32_t slot;
bool rc;

- rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
- assert(rc == true);
size = (uint64_t)height * abs(stride);
+ rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
+ assert(rc == true);
trace_qxl_surfaces_dirty(qxl->id, offset, size);
qxl_set_dirty(qxl->guest_slots[slot].mr,
qxl->guest_slots[slot].offset + offset,
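Review bot: with `size` now part of the check, `assert(rc == true)` turns a guest-supplied surface whose `height * abs(stride)` does not fit in the slot into a QEMU abort, as the commit message acknowledges. Unless every surface reaching `qxl_dirty_one_surface` has already been validated with this same size (the tracking path in the previous patch only checks `sizeof(QXLSurfaceCmd)`), `qxl_set_guest_bug()` followed by `return` is the safer failure mode for guest-controlled input than an assertion.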
diff --git a/hw/display/qxl.h b/hw/display/qxl.h
index bf03138ab4..7894bd5134 100644
--- a/hw/display/qxl.h
+++ b/hw/display/qxl.h
@@ -157,7 +157,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
*
* Returns a host pointer to a buffer placed at offset @phys within the
* active slot @group_id of the PCI VGA RAM memory region associated with
- * the @qxl device. If the slot is inactive, or the offset is out
+ * the @qxl device. If the slot is inactive, or the offset + size are out
* of the memory region, returns NULL.
*
* Use with care; by the time this function returns, the returned pointer is
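Review bot: grammar in the updated sentence: "the offset + size are out of the memory region" describes one quantity and should read "the offset plus size is out of the memory region" (or "the range [@phys, @phys + @size) is out of the memory region", which also documents that the end is exclusive).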

From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
Date: Mon, 28 Nov 2022 21:27:41 +0100
Subject: [PATCH] hw/display/qxl: Assert memory slot fits in preallocated
MemoryRegion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Message-Id: <20221128202741.4945-6-philmd@linaro.org>
---
hw/display/qxl.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/hw/display/qxl.c b/hw/display/qxl.c
index 91c0fe698c..8fe4e6b8cd 100644
--- a/hw/display/qxl.c
+++ b/hw/display/qxl.c
@@ -1384,6 +1384,7 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
qxl_set_guest_bug(d, "%s: pci_region = %d", __func__, pci_region);
return 1;
}
+ assert(guest_end - pci_start <= memory_region_size(mr));

virt_start = (intptr_t)memory_region_get_ram_ptr(mr);
memslot.slot_id = slot_id;
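Review bot: `assert(guest_end - pci_start <= memory_region_size(mr))` compares values derived from the guest's memslot request; it is only a safe sanity check if an earlier branch of `qxl_add_memslot` already rejects a slot that extends past its PCI region through `qxl_set_guest_bug()` and `return 1`, the way the `pci_region` check just above does. If that earlier bound is not guaranteed, a misbehaving guest can abort QEMU here, and the guest-bug path should be used instead of an assertion.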

@ -0,0 +1,81 @@
From ea3de64a58f5f157a75280bcddf884c5bda391be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 23 Sep 2022 12:04:13 +0100
Subject: [PATCH 21/21] linux-user: use 'max' instead of 'qemu32' / 'qemu64' by
default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 'qemu64' CPU model implements the least featureful x86_64 CPU that's
possible. Historically this hasn't been an issue since it was rare for
OS distros to build with a higher mandatory CPU baseline.

With RHEL-9, however, the entire distro is built for the x86_64-v2 ABI
baseline:

https://developers.redhat.com/blog/2021/01/05/building-red-hat-enterprise-linux-9-for-the-x86-64-v2-microarchitecture-level

It is likely that other distros may take similar steps in the not too
distant future. For example, it has been suggested for Fedora on a
number of occasions.

This new baseline is not compatible with the qemu64 CPU model though.
While it is possible to pass a '-cpu xxx' flag to qemu-x86_64, the
usage of QEMU doesn't always allow for this. For example, the args
are typically controlled via binfmt rules that the user has no ability
to change. This impacts users who are trying to use podman on aarch64
platforms, to run containers with x86_64 content. There's no arg to
podman that can be used to change the qemu-x86_64 args, and a non-root
user of podman can not change binfmt rules without elevating privileges:

https://github.com/containers/podman/issues/15456#issuecomment-1228210973

Changing to the 'max' CPU model gives 'qemu-x86_64' maximum
compatibility with binaries it is likely to encounter in the wild,
and not likely to have a significant downside for existing usage.

Most other architectures already use an 'any' CPU model, which is
often mapped to 'max' (or similar) already, rather than the oldest
possible CPU model.

For the sake of consistency the 'i386' architecture is also changed
from using 'qemu32' to 'max'.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20220923110413.70593-1-berrange@redhat.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
linux-user/i386/target_elf.h | 2 +-
linux-user/x86_64/target_elf.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/linux-user/i386/target_elf.h b/linux-user/i386/target_elf.h
index 1c6142e..238a9ab 100644
--- a/linux-user/i386/target_elf.h
+++ b/linux-user/i386/target_elf.h
@@ -9,6 +9,6 @@
#define I386_TARGET_ELF_H
static inline const char *cpu_get_model(uint32_t eflags)
{
- return "qemu32";
+ return "max";
}
#endif
diff --git a/linux-user/x86_64/target_elf.h b/linux-user/x86_64/target_elf.h
index 7b76a90..3f628f8 100644
--- a/linux-user/x86_64/target_elf.h
+++ b/linux-user/x86_64/target_elf.h
@@ -9,6 +9,6 @@
#define X86_64_TARGET_ELF_H
static inline const char *cpu_get_model(uint32_t eflags)
{
- return "qemu64";
+ return "max";
}
#endif
--
2.39.0

@ -0,0 +1,99 @@
From 2b30e95684fec72e1c2db9dd350cb6967181b825 Mon Sep 17 00:00:00 2001
From: Keith Busch <kbusch@kernel.org>
Date: Thu, 29 Sep 2022 13:05:22 -0700
Subject: [PATCH] block: move bdrv_qiov_is_aligned to file-posix

There is only user of bdrv_qiov_is_aligned(), so move the alignment
function to there and make it static.

Signed-off-by: Keith Busch <kbusch@kernel.org>
Message-Id: <20220929200523.3218710-2-kbusch@meta.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit a7c5f67a78569f8c275ea4ea9962e9c79b9d03cb)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/file-posix.c | 21 +++++++++++++++++++++
block/io.c | 21 ---------------------
include/block/block-io.h | 1 -
3 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index 39a3d6d..0185b4e 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -2047,6 +2047,27 @@ static int coroutine_fn raw_thread_pool_submit(BlockDriverState *bs,
return thread_pool_submit_co(pool, func, arg);
}

+/*
+ * Check if all memory in this vector is sector aligned.
+ */
+static bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
+{
+ int i;
+ size_t alignment = bdrv_min_mem_align(bs);
+ IO_CODE();
+
+ for (i = 0; i < qiov->niov; i++) {
+ if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
+ return false;
+ }
+ if (qiov->iov[i].iov_len % alignment) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
static int coroutine_fn raw_co_prw(BlockDriverState *bs, uint64_t offset,
uint64_t bytes, QEMUIOVector *qiov, int type)
{
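Review bot: the moved function keeps its `bdrv_` prefix although it is now a `static` helper private to the posix file driver, where the neighbouring functions use `raw_`; renaming it (for example `raw_qiov_is_aligned`) would stop it reading as block-layer API. The comment "sector aligned" is also stale: the check is against `bdrv_min_mem_align(bs)`, a memory alignment, not the sector size.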
diff --git a/block/io.c b/block/io.c
index 3280144..e44fc43 100644
--- a/block/io.c
+++ b/block/io.c
@@ -3296,27 +3296,6 @@ void *qemu_try_blockalign0(BlockDriverState *bs, size_t size)
return mem;
}

-/*
- * Check if all memory in this vector is sector aligned.
- */
-bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
-{
- int i;
- size_t alignment = bdrv_min_mem_align(bs);
- IO_CODE();
-
- for (i = 0; i < qiov->niov; i++) {
- if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
- return false;
- }
- if (qiov->iov[i].iov_len % alignment) {
- return false;
- }
- }
-
- return true;
-}
-
void bdrv_io_plug(BlockDriverState *bs)
{
BdrvChild *child;
diff --git a/include/block/block-io.h b/include/block/block-io.h
index 5e3f346..80810e1 100644
--- a/include/block/block-io.h
+++ b/include/block/block-io.h
@@ -141,7 +141,6 @@ void *qemu_blockalign(BlockDriverState *bs, size_t size);
void *qemu_blockalign0(BlockDriverState *bs, size_t size);
void *qemu_try_blockalign(BlockDriverState *bs, size_t size);
void *qemu_try_blockalign0(BlockDriverState *bs, size_t size);
-bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov);

void bdrv_enable_copy_on_read(BlockDriverState *bs);
void bdrv_disable_copy_on_read(BlockDriverState *bs);
--
2.39.2

@ -0,0 +1,42 @@
From cd316ab11b01b3470148612e6df9891faf1fb311 Mon Sep 17 00:00:00 2001
From: Keith Busch <kbusch@kernel.org>
Date: Thu, 29 Sep 2022 13:05:23 -0700
Subject: [PATCH] block: use the request length for iov alignment

An iov length needs to be aligned to the logical block size, which may
be larger than the memory alignment.

Tested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Message-Id: <20220929200523.3218710-3-kbusch@meta.com>
Reviewed-by: Kevin Wolf <kwolf@redhat.com>
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
(cherry picked from commit 25474d90aa50bd32e0de395a33d8de42dd6f2aef)
Signed-off-by: Kevin Wolf <kwolf@redhat.com>
---
block/file-posix.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/block/file-posix.c b/block/file-posix.c
index 0185b4e..6818b0e 100644
--- a/block/file-posix.c
+++ b/block/file-posix.c
@@ -2054,13 +2054,14 @@ static bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
{
int i;
size_t alignment = bdrv_min_mem_align(bs);
+ size_t len = bs->bl.request_alignment;
IO_CODE();

for (i = 0; i < qiov->niov; i++) {
if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
return false;
}
- if (qiov->iov[i].iov_len % alignment) {
+ if (qiov->iov[i].iov_len % len) {
return false;
}
}
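Review bot: `size_t len = bs->bl.request_alignment;` names an alignment `len`, which reads as a byte count in the `iov_len % len` test below; `req_align` or similar would be clearer. Also confirm that `request_alignment` is guaranteed non-zero for every `bs` this driver handles, since the modulo would otherwise divide by zero, and update the "sector aligned" comment above the function, which now describes only the `iov_len` half of the check.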
--
2.39.2

@ -0,0 +1,129 @@
From f45ee21bebeda4fc1fdd2c359a8a5bfeb1fd4459 Mon Sep 17 00:00:00 2001
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: Fri, 3 Mar 2023 21:20:07 +0200
Subject: [PATCH] qga/win32: Remove change action from MSI installer

Remove the 'change' button from "Programs and Features" because it does
not checks if a user is an admin or not. The installer has no components
to choose from and always installs everything. So the 'change' button is
not obviously needed but can create a security issue.

resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 1 of 2)

Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
---
qga/installer/qemu-ga.wxs | 1 +
1 file changed, 1 insertion(+)

diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index 0950e8c6be..b62e709a4c 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -58,6 +58,7 @@
/>
<Media Id="1" Cabinet="qemu_ga.$(env.QEMU_GA_VERSION).cab" EmbedCab="yes" />
<Property Id="WHSLogo">1</Property>
+ <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
<MajorUpgrade
DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
/>
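Review bot: `ARPNOMODIFY` removes only the Change entry from Programs and Features; the commit message says that action ran without checking whether the user is an admin, and the Repair action offered from the same UI is governed by the separate `ARPNOREPAIR` property, so confirm whether Repair re-runs the same deferred custom actions and needs to be disabled in this hunk as well.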

From 020caf0b49dbfef8bc9ec7f02c93c3d5097bb932 Mon Sep 17 00:00:00 2001
From: Konstantin Kostiuk <kkostiuk@redhat.com>
Date: Fri, 3 Mar 2023 21:20:08 +0200
Subject: [PATCH] qga/win32: Use rundll for VSS installation

The custom action uses cmd.exe to run VSS Service installation
and removal which causes an interactive command shell to spawn.
This shell can be used to execute any commands as a SYSTEM user.
Even if call qemu-ga.exe directly the interactive command shell
will be spawned as qemu-ga.exe is a console application and used
by users from the console as well as a service.

As VSS Service runs from DLL which contains the installer and
uninstaller code, it can be run directly by rundll32.exe without
any interactive command shell.

Add specific entry points for rundll which is just a wrapper
for COMRegister/COMUnregister functions with proper arguments.

resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
fixes: CVE-2023-0664 (part 2 of 2)

Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
Reported-by: Brian Wiltse <brian.wiltse@live.com>
---
qga/installer/qemu-ga.wxs | 10 +++++-----
qga/vss-win32/install.cpp | 9 +++++++++
qga/vss-win32/qga-vss.def | 2 ++
3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
index b62e709a4c..11b66a22e6 100644
--- a/qga/installer/qemu-ga.wxs
+++ b/qga/installer/qemu-ga.wxs
@@ -143,22 +143,22 @@
</Directory>
</Directory>

- <Property Id="cmd" Value="cmd.exe"/>
+ <Property Id="rundll" Value="rundll32.exe"/>
<Property Id="REINSTALLMODE" Value="amus"/>

<?ifdef var.InstallVss?>
<CustomAction Id="RegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
</CustomAction>
<CustomAction Id="UnRegisterCom"
- ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
+ ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
Execute="deferred"
- Property="cmd"
+ Property="rundll"
Impersonate="no"
Return="check"
>
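Review bot: the new `rundll` property holds the bare name `rundll32.exe`, exactly as `cmd.exe` was held before; for deferred custom actions that run with `Impersonate="no"` it is safer to pin the executable to the system directory, e.g. `Value="[SystemFolder]rundll32.exe"`, so the binary is located by an absolute path rather than by the executable search order. The `,DLLCOMRegister` / `,DLLCOMUnregister` entry-point names are matched case-sensitively by rundll32 and agree with the exports added to `qga-vss.def` below.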
diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
index b57508fbe0..68662a6dfc 100644
--- a/qga/vss-win32/install.cpp
+++ b/qga/vss-win32/install.cpp
@@ -357,6 +357,15 @@ out:
return hr;
}

+STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMRegister();
+}
+
+STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
+{
+ COMUnregister();
+}

static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
{
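Review bot: both wrappers discard the result of `COMRegister()` / `COMUnregister()` (the function just above returns an `hr`), and a rundll32 entry point has no return value, so the `Return="check"` on the two custom actions now only observes whether rundll32 itself ran, not whether VSS registration succeeded. If a failed registration should still fail the install, the wrappers need to surface the error some other way, for example by logging the `HRESULT` and terminating the rundll32 process with a non-zero exit status.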
|
||||
diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
|
||||
index 927782c31b..ee97a81427 100644
|
||||
--- a/qga/vss-win32/qga-vss.def
|
||||
+++ b/qga/vss-win32/qga-vss.def
|
||||
@@ -1,6 +1,8 @@
|
||||
LIBRARY "QGA-PROVIDER.DLL"
|
||||
|
||||
EXPORTS
|
||||
+ DLLCOMRegister
|
||||
+ DLLCOMUnregister
|
||||
COMRegister PRIVATE
|
||||
COMUnregister PRIVATE
|
||||
DllCanUnloadNow PRIVATE
|
42
qemu.spec
42
qemu.spec
|
@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
%endif
# To prevent rpmdev-bumpspec breakage
%global baserelease 10
%global baserelease 15
Summary: QEMU is a FAST! processor emulator
Name: qemu
@ -360,6 +360,26 @@ Patch: 0012-vga-avoid-crash-if-no-default-vga-card.patch
Patch: 0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
# vnc-clipboard: fix integer underflow (CVE-2022-3165)
Patch: 0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
# Fix "failed to set up stack guard page: Cannot allocate memory"
# https://bugzilla.redhat.com/show_bug.cgi?id=2143006
Patch: 0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
Patch: 0016-coroutine-Revert-to-constant-batch-size.patch
# hcd-xhci: infinite loop in xhci_ring_chain_length (CVE-2020-14394)
Patch: 0017-hw-usb-hcd-xhci-Fix-unbounded-loop-in-xhci_ring_chain_length.patch
# ati-vga: out-of-bounds write in ati_2d_blt (CVE-2021-3638)
Patch: 0018-hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt.patch
# acpi erst: memory corruption issues (CVE-2022-4172)
Patch: 0019-hw-acpi-erst.c-Fix-memory-handling-issues.patch
# qxl: qxl_phys2virt unsafe address translation (CVE-2022-4144)
Patch: 0020-hw-display-qxl-Avoid-buffer-overrun-qxl_phys2virt.patch
# linux-user: default to -cpu max (rhbz#2121700)
Patch: 0021-linux-user-use-max-instead-of-qemu32-qemu64-by-default.patch
#block: Fix memory alignment of requests (rhbz#2174139)
Patch: 0022-block-move-bdrv_qiov_is_aligned-to-file-posix.patch
Patch: 0023-block-use-the-request-length-for-iov-alignment.patch
# qga/win32: Fix local privilege escalation issue (CVE-2023-0664)
Patch: 0024-qga-win32-local-privilege-escalation.patch
BuildRequires: meson >= %{meson_version}
BuildRequires: zlib-devel
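Review bot: the comment `#block: Fix memory alignment of requests (rhbz#2174139)` is missing the space after `#` that every other comment in this patch list uses. The `# qga/win32: Fix local privilege escalation issue (CVE-2023-0664)` line would also be easier to trace if it carried the bug number the way the linux-user and block entries do (the changelog entry for this fix cites rhbz#2175700).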
@ -2724,6 +2744,26 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
%changelog
* Sun Mar 26 2023 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-15
- qga/win32: Fix local privilege escalation issue (CVE-2023-0664) (rhbz#2175700)
* Tue Feb 28 2023 Eduardo Lima (Etrunko) <etrunko@redhat.com> - 2:7.0.0-14
- block: Fix memory alignment of requests (rhbz#2174139)
- Disable the tests on i686
* Thu Jan 19 2023 Christophe Fergeau <cfergeau@redhat.com> - 2:7.0.0-13
- linux-user: default to -cpu max (rhbz#2121700)
* Tue Dec 06 2022 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-12
- hcd-xhci: infinite loop in xhci_ring_chain_length (CVE-2020-14394) (rhbz#1908050)
- ati-vga: out-of-bounds write in ati_2d_blt (CVE-2021-3638) (rhbz#1979882)
- acpi erst: memory corruption issues (CVE-2022-4172) (rhbz#2149106)
- qxl: qxl_phys2virt unsafe address translation (CVE-2022-4144) (rhbz#2148542)
* Wed Nov 16 2022 Richard W.M. Jones <rjones@redhat.com> - 7.0.0-11
- Fix "failed to set up stack guard page: Cannot allocate memory"
(rhbz#2143006)
* Tue Oct 18 2022 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-10
- vga: avoid crash if no default vga card (rhbz#2095639)
- lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216) (rhbz#2070902)
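Review bot: the `Wed Nov 16 2022 Richard W.M. Jones <rjones@redhat.com> - 7.0.0-11` entry omits the `2:` epoch prefix that every other entry in this changelog carries (`2:7.0.0-15`, `2:7.0.0-14`, `2:7.0.0-13`, `2:7.0.0-12`, `2:7.0.0-10`), so its version string will not match the package's actual EVR; change it to `2:7.0.0-11`.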