qga/win32: Fix local privilege escalation issue (CVE-2023-0664)

Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>

0001-target-i386-the-sgx_epc_get_section-stub-is-reachabl.patch

@@ -1,10 +1,10 @@
+From 375a476bcdefe65057a38fe6ae3f50b941e63ddd Mon Sep 17 00:00:00 2001
 From: Paolo Bonzini <pbonzini@redhat.com>
 Date: Tue, 1 Feb 2022 20:09:37 +0100
 Subject: [PATCH] target/i386: the sgx_epc_get_section stub is reachable
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
-Content-type: text/plain
 
 The sgx_epc_get_section stub is reachable from cpu_x86_cpuid.  It
 should not assert, instead it should just return true just like
@@ -28,3 +28,6 @@ index 26833eb233..16b1dfd90b 100644
 -    g_assert_not_reached();
 +    return true;
  }
+-- 
+2.37.0.rc2
+

0002-virtio-scsi-fix-ctrl-and-event-handler-functions-in-.patch

@@ -1,8 +1,8 @@
+From 7a5a6dbbf40f7d2313173573b99dd26069f7e309 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Wed, 27 Apr 2022 15:35:36 +0100
 Subject: [PATCH] virtio-scsi: fix ctrl and event handler functions in
  dataplane mode
-Content-type: text/plain
 
 Commit f34e8d8b8d48d73f36a67b6d5e492ef9784b5012 ("virtio-scsi: prepare
 virtio_scsi_handle_cmd for dataplane") prepared the virtio-scsi cmd
@@ -106,3 +106,6 @@ index 34a968ecfb..417fbc71d6 100644
      virtio_scsi_acquire(s);
      virtio_scsi_handle_event_vq(s, vq);
      virtio_scsi_release(s);
+-- 
+2.37.0.rc2
+

0003-virtio-scsi-don-t-waste-CPU-polling-the-event-virtqu.patch

@@ -1,7 +1,7 @@
+From 5a595325d84fe48fcef921b0810073906ff9284b Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:27:45 +0100
 Subject: [PATCH] virtio-scsi: don't waste CPU polling the event virtqueue
-Content-type: text/plain
 
 The virtio-scsi event virtqueue is not emptied by its handler function.
 This is typical for rx virtqueues where the device uses buffers when
@@ -89,3 +89,6 @@ index b31c4507f5..b62a35fdca 100644
  void virtio_queue_aio_detach_host_notifier(VirtQueue *vq, AioContext *ctx);
  VirtQueue *virtio_vector_first_queue(VirtIODevice *vdev, uint16_t vector);
  VirtQueue *virtio_vector_next_queue(VirtQueue *vq);
+-- 
+2.37.0.rc2
+

0004-virtio-scsi-clean-up-virtio_scsi_handle_event_vq.patch

@@ -1,7 +1,7 @@
+From 5edca84f63de972dd08e0c63c7c67003df237f23 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:06 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_event_vq()
-Content-type: text/plain
 
 virtio_scsi_handle_event_vq() is only called from hw/scsi/virtio-scsi.c
 now and its return value is no longer used. Remove the function
@@ -49,3 +49,6 @@ index 543681bc18..5957597825 100644
  bool virtio_scsi_handle_cmd_vq(VirtIOSCSI *s, VirtQueue *vq);
  bool virtio_scsi_handle_ctrl_vq(VirtIOSCSI *s, VirtQueue *vq);
  void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
+-- 
+2.37.0.rc2
+

0005-virtio-scsi-clean-up-virtio_scsi_handle_ctrl_vq.patch

@@ -1,7 +1,7 @@
+From 4c4bec46e2ccbcb1e8360b118b46681369e3f05c Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:12 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_ctrl_vq()
-Content-type: text/plain
 
 virtio_scsi_handle_ctrl_vq() is only called from hw/scsi/virtio-scsi.c
 now and its return value is no longer used. Remove the function
@@ -52,3 +52,6 @@ index 5957597825..44dc3b81ec 100644
  void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
  void virtio_scsi_free_req(VirtIOSCSIReq *req);
  void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+-- 
+2.37.0.rc2
+

0006-virtio-scsi-clean-up-virtio_scsi_handle_cmd_vq.patch

@@ -1,7 +1,7 @@
+From 67a97290efc0e89c7c48bba46ed68de35121b9de Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:19 +0100
 Subject: [PATCH] virtio-scsi: clean up virtio_scsi_handle_cmd_vq()
-Content-type: text/plain
 
 virtio_scsi_handle_cmd_vq() is only called from hw/scsi/virtio-scsi.c
 now and its return value is no longer used. Remove the function
@@ -64,3 +64,6 @@ index 44dc3b81ec..2497530064 100644
  void virtio_scsi_init_req(VirtIOSCSI *s, VirtQueue *vq, VirtIOSCSIReq *req);
  void virtio_scsi_free_req(VirtIOSCSIReq *req);
  void virtio_scsi_push_event(VirtIOSCSI *s, SCSIDevice *dev,
+-- 
+2.37.0.rc2
+

0007-virtio-scsi-move-request-related-items-from-.h-to-.c.patch

@@ -1,7 +1,7 @@
+From 8c2d952c608b15e188db90e26b7238d35f5cf289 Mon Sep 17 00:00:00 2001
 From: Stefan Hajnoczi <stefanha@redhat.com>
 Date: Tue, 17 May 2022 09:28:26 +0100
 Subject: [PATCH] virtio-scsi: move request-related items from .h to .c
-Content-type: text/plain
 
 There is no longer a need to expose the request and related APIs in
 virtio-scsi.h since there are no callers outside virtio-scsi.c.
@@ -155,3 +155,6 @@ index 2497530064..abdda2cbd0 100644
  
  void virtio_scsi_dataplane_setup(VirtIOSCSI *s, Error **errp);
  int virtio_scsi_dataplane_start(VirtIODevice *s);
+-- 
+2.37.0.rc2
+

0008-Disable-flakey-dbus-display-test.patch

@@ -1,7 +1,7 @@
+From 7bbf88bfd6b5200926294788386398193afe623f Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Sat, 4 Jun 2022 20:28:58 -0400
 Subject: [PATCH] Disable flakey dbus-display-test
-Content-type: text/plain
 
 Signed-off-by: Cole Robinson <crobinso@redhat.com>
 ---
@@ -34,3 +34,6 @@ index d25f82bb5a..d085604727 100644
  qtest_executables = {}
  foreach dir : target_dirs
    if not dir.endswith('-softmmu')
+-- 
+2.37.0.rc2
+

0009-Fix-iotests-with-modules-and-qemu-system-s390x.patch

@@ -1,7 +1,7 @@
+From 1917ca47ce2234b7d279f16aa7ef1ff165902d1f Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Sat, 4 Jun 2022 20:29:46 -0400
 Subject: [PATCH] Fix iotests with modules and qemu-system-s390x
-Content-type: text/plain
 
 Signed-off-by: Cole Robinson <crobinso@redhat.com>
 ---
@@ -30,3 +30,6 @@ index 227e0a5be9..97f8e0a15f 100644
                  grep ^name | sed -e 's/^name "//' -e 's/".*$//')
      for device
      do
+-- 
+2.37.0.rc2
+

0010-Skip-iotests-entirely.patch

@@ -1,7 +1,7 @@
+From 830cda479ec661b752c9c2566bcca0ac22bb478b Mon Sep 17 00:00:00 2001
 From: Cole Robinson <crobinso@redhat.com>
 Date: Sun, 5 Jun 2022 12:48:29 -0400
 Subject: [PATCH] Skip iotests entirely
-Content-type: text/plain
 
 Getting sporadic failures like described here:
 https://www.mail-archive.com/qemu-devel@nongnu.org/msg887683.html
@@ -24,3 +24,6 @@ index f59496396c..09cc735da4 100755
  # QEMU_CHECK_BLOCK_AUTO is used to disable some unstable sub-tests
  export QEMU_CHECK_BLOCK_AUTO=1
  export PYTHONUTF8=1
+-- 
+2.37.0.rc2
+

0011-linux-user-fix-compat-with-glibc-2.36-sys-mount.h.patch

@@ -1,4 +1,4 @@
-From a7f14aae85022007a4c77e0792a1abb0509a08eb Mon Sep 17 00:00:00 2001
+From 7605dc625bfd03c4f6bb8daddde909aac3e4badb Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
 Date: Tue, 2 Aug 2022 12:34:23 -0400
 Subject: [PATCH] linux-user: fix compat with glibc >= 2.36 sys/mount.h
@@ -53,7 +53,7 @@ Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
  2 files changed, 20 insertions(+)
 
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
-index b27a6552aa..52d178afe7 100644
+index f65045efe6..834a86183c 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
 @@ -95,7 +95,25 @@
@@ -83,10 +83,10 @@ index b27a6552aa..52d178afe7 100644
  #if defined(CONFIG_FIEMAP)
  #include <linux/fiemap.h>
 diff --git a/meson.build b/meson.build
-index 294e9a8f32..30a380752c 100644
+index 861de93c4f..8ca99671ec 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -1963,6 +1963,8 @@ config_host_data.set('HAVE_OPTRESET',
+@@ -1686,6 +1686,8 @@ config_host_data.set('HAVE_OPTRESET',
                       cc.has_header_symbol('getopt.h', 'optreset'))
  config_host_data.set('HAVE_IPPROTO_MPTCP',
                       cc.has_header_symbol('netinet/in.h', 'IPPROTO_MPTCP'))
@@ -96,5 +96,5 @@ index 294e9a8f32..30a380752c 100644
  # has_member
  config_host_data.set('HAVE_SIGEV_NOTIFY_THREAD_ID',
 -- 
-2.37.1
+2.37.0.rc2
 

0012-vga-avoid-crash-if-no-default-vga-card.patch

@@ -1,3 +1,4 @@
+From ac42f1e87f4f963836461691be22e39128b4eff2 Mon Sep 17 00:00:00 2001
 From: Guo Zhi <qtxuning1999@sjtu.edu.cn>
 Date: Tue, 3 May 2022 17:17:24 +0800
 Subject: [PATCH] vga: avoid crash if no default vga card
@@ -21,7 +22,7 @@ index 6f646531a0..b16c1c48fa 100644
 --- a/softmmu/vl.c
 +++ b/softmmu/vl.c
 @@ -974,7 +974,8 @@ static void select_vgahw(const MachineClass *machine_class, const char *p)
-
+ 
              if (vga_interface_available(t) && ti->opt_name) {
                  printf("%-20s %s%s\n", ti->opt_name, ti->name ?: "",
 -                       g_str_equal(ti->opt_name, def) ? " (default)" : "");
@@ -30,3 +31,6 @@ index 6f646531a0..b16c1c48fa 100644
              }
          }
          exit(0);
+-- 
+2.37.0.rc2
+

0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch

@@ -1,3 +1,4 @@
+From 754371b1f2f872156dda4cb4aa16b510c142c381 Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella <mcascell@redhat.com>
 Date: Tue, 5 Jul 2022 22:05:43 +0200
 Subject: [PATCH] scsi/lsi53c895a: fix use-after-free in lsi_do_msgout
@@ -39,7 +40,7 @@ index c8773f73f7..ad5f5e5f39 100644
                  scsi_req_cancel(s->current->req);
 +                current_req = NULL;
              }
-
+ 
              /* As the current implemented devices scsi_disk and scsi_generic
 diff --git a/tests/qtest/fuzz-lsi53c895a-test.c b/tests/qtest/fuzz-lsi53c895a-test.c
 index ba5d468970..0f968024c8 100644
@@ -48,7 +49,7 @@ index ba5d468970..0f968024c8 100644
 @@ -8,6 +8,79 @@
  #include "qemu/osdep.h"
  #include "libqos/libqtest.h"
-
+ 
 +/*
 + * This used to trigger a UAF in lsi_do_msgout()
 + * https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -132,5 +133,8 @@ index ba5d468970..0f968024c8 100644
 +        qtest_add_func("fuzz/lsi53c895a/lsi_do_msgout_cancel_req",
 +                       test_lsi_do_msgout_cancel_req);
      }
-
+ 
      return g_test_run();
+-- 
+2.37.0.rc2
+

0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch

@@ -1,3 +1,4 @@
+From effa979582e34687688df36c9a10b33862f2581f Mon Sep 17 00:00:00 2001
 From: Mauro Matteo Cascella <mcascell@redhat.com>
 Date: Sun, 25 Sep 2022 22:45:11 +0200
 Subject: [PATCH] ui/vnc-clipboard: fix integer underflow in
@@ -35,7 +36,7 @@ index 310a873c21..8a2e176b64 100644
                               " which exceeds our limit of 1MB.", dlen);
 @@ -2456,8 +2456,13 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
          }
-
+ 
          if (read_s32(data, 4) < 0) {
 -            vnc_client_cut_text_ext(vs, abs(read_s32(data, 4)),
 -                                    read_u32(data, 8), data + 12);
@@ -49,3 +50,6 @@ index 310a873c21..8a2e176b64 100644
              break;
          }
          vnc_client_cut_text(vs, read_u32(data, 4), data + 8);
+-- 
+2.37.0.rc2
+

0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch

@@ -0,0 +1,92 @@
+From 9be9b8e36940756582c453c6bf08daa6955f916e Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 10 May 2022 17:10:19 +0200
+Subject: [PATCH] coroutine: Rename qemu_coroutine_inc/dec_pool_size()
+
+It's true that these functions currently affect the batch size in which
+coroutines are reused (i.e. moved from the global release pool to the
+allocation pool of a specific thread), but this is a bug and will be
+fixed in a separate patch.
+
+In fact, the comment in the header file already just promises that it
+influences the pool size, so reflect this in the name of the functions.
+As a nice side effect, the shorter function name makes some line
+wrapping unnecessary.
+
+Cc: qemu-stable@nongnu.org
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20220510151020.105528-2-kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 98e3ab35054b946f7c2aba5408822532b0920b53)
+---
+ hw/block/virtio-blk.c    | 6 ++----
+ include/qemu/coroutine.h | 6 +++---
+ util/qemu-coroutine.c    | 4 ++--
+ 3 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c
+index 540c38f829..6a1cc41877 100644
+--- a/hw/block/virtio-blk.c
++++ b/hw/block/virtio-blk.c
+@@ -1215,8 +1215,7 @@ static void virtio_blk_device_realize(DeviceState *dev, Error **errp)
+     for (i = 0; i < conf->num_queues; i++) {
+         virtio_add_queue(vdev, conf->queue_size, virtio_blk_handle_output);
+     }
+-    qemu_coroutine_increase_pool_batch_size(conf->num_queues * conf->queue_size
+-                                            / 2);
++    qemu_coroutine_inc_pool_size(conf->num_queues * conf->queue_size / 2);
+     virtio_blk_data_plane_create(vdev, conf, &s->dataplane, &err);
+     if (err != NULL) {
+         error_propagate(errp, err);
+@@ -1253,8 +1252,7 @@ static void virtio_blk_device_unrealize(DeviceState *dev)
+     for (i = 0; i < conf->num_queues; i++) {
+         virtio_del_queue(vdev, i);
+     }
+-    qemu_coroutine_decrease_pool_batch_size(conf->num_queues * conf->queue_size
+-                                            / 2);
++    qemu_coroutine_dec_pool_size(conf->num_queues * conf->queue_size / 2);
+     qemu_del_vm_change_state_handler(s->change);
+     blockdev_mark_auto_del(s->blk);
+     virtio_cleanup(vdev);
+diff --git a/include/qemu/coroutine.h b/include/qemu/coroutine.h
+index c828a95ee0..5b621d1295 100644
+--- a/include/qemu/coroutine.h
++++ b/include/qemu/coroutine.h
+@@ -334,12 +334,12 @@ void coroutine_fn yield_until_fd_readable(int fd);
+ /**
+  * Increase coroutine pool size
+  */
+-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size);
++void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size);
+ 
+ /**
+- * Devcrease coroutine pool size
++ * Decrease coroutine pool size
+  */
+-void qemu_coroutine_decrease_pool_batch_size(unsigned int additional_pool_size);
++void qemu_coroutine_dec_pool_size(unsigned int additional_pool_size);
+ 
+ #include "qemu/lockable.h"
+ 
+diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
+index c03b2422ff..faca0ca97c 100644
+--- a/util/qemu-coroutine.c
++++ b/util/qemu-coroutine.c
+@@ -205,12 +205,12 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
+     return co->ctx;
+ }
+ 
+-void qemu_coroutine_increase_pool_batch_size(unsigned int additional_pool_size)
++void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
+ {
+     qatomic_add(&pool_batch_size, additional_pool_size);
+ }
+ 
+-void qemu_coroutine_decrease_pool_batch_size(unsigned int removing_pool_size)
++void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
+ {
+     qatomic_sub(&pool_batch_size, removing_pool_size);
+ }
+-- 
+2.37.0.rc2
+

0016-coroutine-Revert-to-constant-batch-size.patch

@@ -0,0 +1,123 @@
+From f1ea4c55f0e9bb05db980f27b392617ef6615954 Mon Sep 17 00:00:00 2001
+From: Kevin Wolf <kwolf@redhat.com>
+Date: Tue, 10 May 2022 17:10:20 +0200
+Subject: [PATCH] coroutine: Revert to constant batch size
+
+Commit 4c41c69e changed the way the coroutine pool is sized because for
+virtio-blk devices with a large queue size and heavy I/O, it was just
+too small and caused coroutines to be deleted and reallocated soon
+afterwards. The change made the size dynamic based on the number of
+queues and the queue size of virtio-blk devices.
+
+There are two important numbers here: Slightly simplified, when a
+coroutine terminates, it is generally stored in the global release pool
+up to a certain pool size, and if the pool is full, it is freed.
+Conversely, when allocating a new coroutine, the coroutines in the
+release pool are reused if the pool already has reached a certain
+minimum size (the batch size), otherwise we allocate new coroutines.
+
+The problem after commit 4c41c69e is that it not only increases the
+maximum pool size (which is the intended effect), but also the batch
+size for reusing coroutines (which is a bug). It means that in cases
+with many devices and/or a large queue size (which defaults to the
+number of vcpus for virtio-blk-pci), many thousand coroutines could be
+sitting in the release pool without being reused.
+
+This is not only a waste of memory and allocations, but it actually
+makes the QEMU process likely to hit the vm.max_map_count limit on Linux
+because each coroutine requires two mappings (its stack and the guard
+page for the stack), causing it to abort() in qemu_alloc_stack() because
+when the limit is hit, mprotect() starts to fail with ENOMEM.
+
+In order to fix the problem, change the batch size back to 64 to avoid
+uselessly accumulating coroutines in the release pool, but keep the
+dynamic maximum pool size so that coroutines aren't freed too early
+in heavy I/O scenarios.
+
+Note that this fix doesn't strictly make it impossible to hit the limit,
+but this would only happen if most of the coroutines are actually in use
+at the same time, not just sitting in a pool. This is the same behaviour
+as we already had before commit 4c41c69e. Fully preventing this would
+require allowing qemu_coroutine_create() to return an error, but it
+doesn't seem to be a scenario that people hit in practice.
+
+Cc: qemu-stable@nongnu.org
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2079938
+Fixes: 4c41c69e05fe28c0f95f8abd2ebf407e95a4f04b
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+Message-Id: <20220510151020.105528-3-kwolf@redhat.com>
+Tested-by: Hiroki Narukawa <hnarukaw@yahoo-corp.jp>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 9ec7a59b5aad4b736871c378d30f5ef5ec51cb52)
+---
+ util/qemu-coroutine.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/util/qemu-coroutine.c b/util/qemu-coroutine.c
+index faca0ca97c..804f672e0a 100644
+--- a/util/qemu-coroutine.c
++++ b/util/qemu-coroutine.c
+@@ -20,14 +20,20 @@
+ #include "qemu/coroutine_int.h"
+ #include "block/aio.h"
+ 
+-/** Initial batch size is 64, and is increased on demand */
++/**
++ * The minimal batch size is always 64, coroutines from the release_pool are
++ * reused as soon as there are 64 coroutines in it. The maximum pool size starts
++ * with 64 and is increased on demand so that coroutines are not deleted even if
++ * they are not immediately reused.
++ */
+ enum {
+-    POOL_INITIAL_BATCH_SIZE = 64,
++    POOL_MIN_BATCH_SIZE = 64,
++    POOL_INITIAL_MAX_SIZE = 64,
+ };
+ 
+ /** Free list to speed up creation */
+ static QSLIST_HEAD(, Coroutine) release_pool = QSLIST_HEAD_INITIALIZER(pool);
+-static unsigned int pool_batch_size = POOL_INITIAL_BATCH_SIZE;
++static unsigned int pool_max_size = POOL_INITIAL_MAX_SIZE;
+ static unsigned int release_pool_size;
+ static __thread QSLIST_HEAD(, Coroutine) alloc_pool = QSLIST_HEAD_INITIALIZER(pool);
+ static __thread unsigned int alloc_pool_size;
+@@ -51,7 +57,7 @@ Coroutine *qemu_coroutine_create(CoroutineEntry *entry, void *opaque)
+     if (CONFIG_COROUTINE_POOL) {
+         co = QSLIST_FIRST(&alloc_pool);
+         if (!co) {
+-            if (release_pool_size > qatomic_read(&pool_batch_size)) {
++            if (release_pool_size > POOL_MIN_BATCH_SIZE) {
+                 /* Slow path; a good place to register the destructor, too.  */
+                 if (!coroutine_pool_cleanup_notifier.notify) {
+                     coroutine_pool_cleanup_notifier.notify = coroutine_pool_cleanup;
+@@ -88,12 +94,12 @@ static void coroutine_delete(Coroutine *co)
+     co->caller = NULL;
+ 
+     if (CONFIG_COROUTINE_POOL) {
+-        if (release_pool_size < qatomic_read(&pool_batch_size) * 2) {
++        if (release_pool_size < qatomic_read(&pool_max_size) * 2) {
+             QSLIST_INSERT_HEAD_ATOMIC(&release_pool, co, pool_next);
+             qatomic_inc(&release_pool_size);
+             return;
+         }
+-        if (alloc_pool_size < qatomic_read(&pool_batch_size)) {
++        if (alloc_pool_size < qatomic_read(&pool_max_size)) {
+             QSLIST_INSERT_HEAD(&alloc_pool, co, pool_next);
+             alloc_pool_size++;
+             return;
+@@ -207,10 +213,10 @@ AioContext *coroutine_fn qemu_coroutine_get_aio_context(Coroutine *co)
+ 
+ void qemu_coroutine_inc_pool_size(unsigned int additional_pool_size)
+ {
+-    qatomic_add(&pool_batch_size, additional_pool_size);
++    qatomic_add(&pool_max_size, additional_pool_size);
+ }
+ 
+ void qemu_coroutine_dec_pool_size(unsigned int removing_pool_size)
+ {
+-    qatomic_sub(&pool_batch_size, removing_pool_size);
++    qatomic_sub(&pool_max_size, removing_pool_size);
+ }
+-- 
+2.37.0.rc2
+

0017-hw-usb-hcd-xhci-Fix-unbounded-loop-in-xhci_ring_chain_length.patch

@@ -0,0 +1,70 @@
+From: Thomas Huth <thuth@redhat.com>
+Date: Thu, 4 Aug 2022 15:13:00 +0200
+Subject: [PATCH] hw/usb/hcd-xhci: Fix unbounded loop in
+ xhci_ring_chain_length() (CVE-2020-14394)
+
+The loop condition in xhci_ring_chain_length() is under control of
+the guest, and additionally the code does not check for failed DMA
+transfers (e.g. if reaching the end of the RAM), so the loop there
+could run for a very long time or even forever. Fix it by checking
+the return value of dma_memory_read() and by introducing a maximum
+loop length.
+
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/646
+Message-Id: <20220804131300.96368-1-thuth@redhat.com>
+Reviewed-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 0cd0a5e540..213d0be6b6 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -21,6 +21,7 @@
+
+ #include "qemu/osdep.h"
+ #include "qemu/timer.h"
++#include "qemu/log.h"
+ #include "qemu/module.h"
+ #include "qemu/queue.h"
+ #include "migration/vmstate.h"
+@@ -725,10 +726,14 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+     bool control_td_set = 0;
+     uint32_t link_cnt = 0;
+
+-    while (1) {
++    do {
+         TRBType type;
+-        dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
+-                        MEMTXATTRS_UNSPECIFIED);
++        if (dma_memory_read(xhci->as, dequeue, &trb, TRB_SIZE,
++                        MEMTXATTRS_UNSPECIFIED) != MEMTX_OK) {
++            qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA memory access failed!\n",
++                          __func__);
++            return -1;
++        }
+         le64_to_cpus(&trb.parameter);
+         le32_to_cpus(&trb.status);
+         le32_to_cpus(&trb.control);
+@@ -762,7 +767,17 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+         if (!control_td_set && !(trb.control & TRB_TR_CH)) {
+             return length;
+         }
+-    }
++
++        /*
++         * According to the xHCI spec, Transfer Ring segments should have
++         * a maximum size of 64 kB (see chapter "6 Data Structures")
++         */
++    } while (length < TRB_LINK_LIMIT * 65536 / TRB_SIZE);
++
++    qemu_log_mask(LOG_GUEST_ERROR, "%s: exceeded maximum tranfer ring size!\n",
++                          __func__);
++
++    return -1;
+ }
+
+ static void xhci_er_reset(XHCIState *xhci, int v)

0018-hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt.patch

@@ -0,0 +1,78 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@redhat.com>
+Date: Mon, 6 Sep 2021 17:31:03 +0200
+Subject: [PATCH] hw/display/ati_2d: Fix buffer overflow in ati_2d_blt
+ (CVE-2021-3638)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When building QEMU with DEBUG_ATI defined then running with
+'-device ati-vga,romfile="" -d unimp,guest_errors -trace ati\*'
+we get:
+
+  ati_mm_write 4 0x16c0 DP_CNTL <- 0x1
+  ati_mm_write 4 0x146c DP_GUI_MASTER_CNTL <- 0x2
+  ati_mm_write 4 0x16c8 DP_MIX <- 0xff0000
+  ati_mm_write 4 0x16c4 DP_DATATYPE <- 0x2
+  ati_mm_write 4 0x224 CRTC_OFFSET <- 0x0
+  ati_mm_write 4 0x142c DST_PITCH_OFFSET <- 0xfe00000
+  ati_mm_write 4 0x1420 DST_Y <- 0x3fff
+  ati_mm_write 4 0x1410 DST_HEIGHT <- 0x3fff
+  ati_mm_write 4 0x1588 DST_WIDTH_X <- 0x3fff3fff
+  ati_2d_blt: vram:0x7fff5fa00000 addr:0 ds:0x7fff61273800 stride:2560 bpp:32 rop:0xff
+  ati_2d_blt: 0 0 0, 0 127 0, (0,0) -> (16383,16383) 16383x16383 > ^
+  ati_2d_blt: pixman_fill(dst:0x7fff5fa00000, stride:254, bpp:8, x:16383, y:16383, w:16383, h:16383, xor:0xff000000)
+  Thread 3 "qemu-system-i38" received signal SIGSEGV, Segmentation fault.
+  (gdb) bt
+  #0  0x00007ffff7f62ce0 in sse2_fill.lto_priv () at /lib64/libpixman-1.so.0
+  #1  0x00007ffff7f09278 in pixman_fill () at /lib64/libpixman-1.so.0
+  #2  0x0000555557b5a9af in ati_2d_blt (s=0x631000028800) at hw/display/ati_2d.c:196
+  #3  0x0000555557b4b5a2 in ati_mm_write (opaque=0x631000028800, addr=5512, data=1073692671, size=4) at hw/display/ati.c:843
+  #4  0x0000555558b90ec4 in memory_region_write_accessor (mr=0x631000039cc0, addr=5512, ..., size=4, ...) at softmmu/memory.c:492
+
+Commit 584acf34cb0 ("ati-vga: Fix reverse bit blts") introduced
+the local dst_x and dst_y which adjust the (x, y) coordinates
+depending on the direction in the SRCCOPY ROP3 operation, but
+forgot to address the same issue for the PATCOPY, BLACKNESS and
+WHITENESS operations, which also call pixman_fill().
+
+Fix that now by using the adjusted coordinates in the pixman_fill
+call, and update the related debug printf().
+
+Reported-by: Qiang Liu <qiangliu@zju.edu.cn>
+Fixes: 584acf34cb0 ("ati-vga: Fix reverse bit blts")
+Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Tested-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Message-Id: <20210906153103.1661195-1-philmd@redhat.com>
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/display/ati_2d.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/display/ati_2d.c b/hw/display/ati_2d.c
+index 4dc10ea795..692bec91de 100644
+--- a/hw/display/ati_2d.c
++++ b/hw/display/ati_2d.c
+@@ -84,7 +84,7 @@ void ati_2d_blt(ATIVGAState *s)
+     DPRINTF("%d %d %d, %d %d %d, (%d,%d) -> (%d,%d) %dx%d %c %c\n",
+             s->regs.src_offset, s->regs.dst_offset, s->regs.default_offset,
+             s->regs.src_pitch, s->regs.dst_pitch, s->regs.default_pitch,
+-            s->regs.src_x, s->regs.src_y, s->regs.dst_x, s->regs.dst_y,
++            s->regs.src_x, s->regs.src_y, dst_x, dst_y,
+             s->regs.dst_width, s->regs.dst_height,
+             (s->regs.dp_cntl & DST_X_LEFT_TO_RIGHT ? '>' : '<'),
+             (s->regs.dp_cntl & DST_Y_TOP_TO_BOTTOM ? 'v' : '^'));
+@@ -180,11 +180,11 @@ void ati_2d_blt(ATIVGAState *s)
+         dst_stride /= sizeof(uint32_t);
+         DPRINTF("pixman_fill(%p, %d, %d, %d, %d, %d, %d, %x)\n",
+                 dst_bits, dst_stride, bpp,
+-                s->regs.dst_x, s->regs.dst_y,
++                dst_x, dst_y,
+                 s->regs.dst_width, s->regs.dst_height,
+                 filler);
+         pixman_fill((uint32_t *)dst_bits, dst_stride, bpp,
+-                    s->regs.dst_x, s->regs.dst_y,
++                    dst_x, dst_y,
+                     s->regs.dst_width, s->regs.dst_height,
+                     filler);
+         if (dst_bits >= s->vga.vram_ptr + s->vga.vbe_start_addr &&

0019-hw-acpi-erst.c-Fix-memory-handling-issues.patch

@@ -0,0 +1,58 @@
+From: "Christian A. Ehrhardt" <lk@c--e.de>
+Date: Mon, 24 Oct 2022 17:42:33 +0200
+Subject: [PATCH] hw/acpi/erst.c: Fix memory handling issues
+
+- Fix memset argument order: The second argument is
+  the value, the length goes last.
+- Fix an integer overflow reported by Alexander Bulekov.
+
+Both issues allow the guest to overrun the host buffer
+allocated for the ERST memory device.
+
+Cc: Eric DeVolder <eric.devolder@oracle.com
+Cc: Alexander Bulekov <alxndr@bu.edu>
+Cc: qemu-stable@nongnu.org
+Fixes: f7e26ffa590 ("ACPI ERST: support for ACPI ERST feature")
+Tested-by: Alexander Bulekov <alxndr@bu.edu>
+Signed-off-by: Christian A. Ehrhardt <lk@c--e.de>
+Message-Id: <20221024154233.1043347-1-lk@c--e.de>
+Fixes: https://gitlab.com/qemu-project/qemu/-/issues/1268
+Reviewed-by: Alexander Bulekov <alxndr@bu.edu>
+Reviewed-by: Eric DeVolder <eric.devolder@oracle.com>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+---
+ hw/acpi/erst.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/hw/acpi/erst.c b/hw/acpi/erst.c
+index de509c2b48..f092ce4d49 100644
+--- a/hw/acpi/erst.c
++++ b/hw/acpi/erst.c
+@@ -632,7 +632,7 @@ static unsigned read_erst_record(ERSTDeviceState *s)
+         if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+             rc = STATUS_FAILED;
+         }
+-        if ((s->record_offset + record_length) > exchange_length) {
++        if (record_length > exchange_length - s->record_offset) {
+             rc = STATUS_FAILED;
+         }
+         /* If all is ok, copy the record to the exchange buffer */
+@@ -681,7 +681,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+     if (record_length < UEFI_CPER_RECORD_MIN_SIZE) {
+         return STATUS_FAILED;
+     }
+-    if ((s->record_offset + record_length) > exchange_length) {
++    if (record_length > exchange_length - s->record_offset) {
+         return STATUS_FAILED;
+     }
+
+@@ -713,7 +713,7 @@ static unsigned write_erst_record(ERSTDeviceState *s)
+     if (nvram) {
+         /* Write the record into the slot */
+         memcpy(nvram, exchange, record_length);
+-        memset(nvram + record_length, exchange_length - record_length, 0xFF);
++        memset(nvram + record_length, 0xFF, exchange_length - record_length);
+         /* If a new record, increment the record_count */
+         if (!record_found) {
+             uint32_t record_count;

0020-hw-display-qxl-Avoid-buffer-overrun-qxl_phys2virt.patch

@@ -0,0 +1,438 @@
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:37 +0100
+Subject: [PATCH] hw/display/qxl: Have qxl_log_command Return early if no
+ log_cmd handler
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Only 3 command types are logged: no need to call qxl_phys2virt()
+for the other types. Using different cases will help to pass
+different structure sizes to qxl_phys2virt() in a pair of commits.
+
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-2-philmd@linaro.org>
+---
+ hw/display/qxl-logger.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
+index 68bfa47568..1bcf803db6 100644
+--- a/hw/display/qxl-logger.c
++++ b/hw/display/qxl-logger.c
+@@ -247,6 +247,16 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+             qxl_name(qxl_type, ext->cmd.type),
+             compat ? "(compat)" : "");
+
++    switch (ext->cmd.type) {
++    case QXL_CMD_DRAW:
++        break;
++    case QXL_CMD_SURFACE:
++        break;
++    case QXL_CMD_CURSOR:
++        break;
++    default:
++        goto out;
++    }
+     data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
+     if (!data) {
+         return 1;
+@@ -269,6 +279,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+         qxl_log_cmd_cursor(qxl, data, ext->group_id);
+         break;
+     }
++out:
+     fprintf(stderr, "\n");
+     return 0;
+ }
+
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:38 +0100
+Subject: [PATCH] hw/display/qxl: Document qxl_phys2virt()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-3-philmd@linaro.org>
+---
+ hw/display/qxl.h | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/hw/display/qxl.h b/hw/display/qxl.h
+index e74de9579d..78b3a6c9ba 100644
+--- a/hw/display/qxl.h
++++ b/hw/display/qxl.h
+@@ -147,6 +147,25 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
+ #define QXL_DEFAULT_REVISION (QXL_REVISION_STABLE_V12 + 1)
+
+ /* qxl.c */
++/**
++ * qxl_phys2virt: Get a pointer within a PCI VRAM memory region.
++ *
++ * @qxl: QXL device
++ * @phys: physical offset of buffer within the VRAM
++ * @group_id: memory slot group
++ *
++ * Returns a host pointer to a buffer placed at offset @phys within the
++ * active slot @group_id of the PCI VGA RAM memory region associated with
++ * the @qxl device. If the slot is inactive, or the offset is out
++ * of the memory region, returns NULL.
++ *
++ * Use with care; by the time this function returns, the returned pointer is
++ * not protected by RCU anymore.  If the caller is not within an RCU critical
++ * section and does not hold the iothread lock, it must have other means of
++ * protecting the pointer, such as a reference to the region that includes
++ * the incoming ram_addr_t.
++ *
++ */
+ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
+ void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
+     G_GNUC_PRINTF(2, 3);
+
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:39 +0100
+Subject: [PATCH] hw/display/qxl: Pass requested buffer size to qxl_phys2virt()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently qxl_phys2virt() doesn't check for buffer overrun.
+In order to do so in the next commit, pass the buffer size
+as argument.
+
+For QXLCursor in qxl_render_cursor() -> qxl_cursor() we
+verify the size of the chunked data ahead, checking we can
+access 'sizeof(QXLCursor) + chunk->data_size' bytes.
+Since in the SPICE_CURSOR_TYPE_MONO case the cursor is
+assumed to fit in one chunk, no change are required.
+In SPICE_CURSOR_TYPE_ALPHA the ahead read is handled in
+qxl_unpack_chunks().
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Acked-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-4-philmd@linaro.org>
+---
+ hw/display/qxl-logger.c | 11 ++++++++---
+ hw/display/qxl-render.c | 20 ++++++++++++++++----
+ hw/display/qxl.c        | 14 +++++++++-----
+ hw/display/qxl.h        |  4 +++-
+ 4 files changed, 36 insertions(+), 13 deletions(-)
+
+diff --git a/hw/display/qxl-logger.c b/hw/display/qxl-logger.c
+index 1bcf803db6..35c38f6252 100644
+--- a/hw/display/qxl-logger.c
++++ b/hw/display/qxl-logger.c
+@@ -106,7 +106,7 @@ static int qxl_log_image(PCIQXLDevice *qxl, QXLPHYSICAL addr, int group_id)
+     QXLImage *image;
+     QXLImageDescriptor *desc;
+
+-    image = qxl_phys2virt(qxl, addr, group_id);
++    image = qxl_phys2virt(qxl, addr, group_id, sizeof(QXLImage));
+     if (!image) {
+         return 1;
+     }
+@@ -214,7 +214,8 @@ int qxl_log_cmd_cursor(PCIQXLDevice *qxl, QXLCursorCmd *cmd, int group_id)
+                 cmd->u.set.position.y,
+                 cmd->u.set.visible ? "yes" : "no",
+                 cmd->u.set.shape);
+-        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id);
++        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, group_id,
++                               sizeof(QXLCursor));
+         if (!cursor) {
+             return 1;
+         }
+@@ -236,6 +237,7 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+ {
+     bool compat = ext->flags & QXL_COMMAND_FLAG_COMPAT;
+     void *data;
++    size_t datasz;
+     int ret;
+
+     if (!qxl->cmdlog) {
+@@ -249,15 +251,18 @@ int qxl_log_command(PCIQXLDevice *qxl, const char *ring, QXLCommandExt *ext)
+
+     switch (ext->cmd.type) {
+     case QXL_CMD_DRAW:
++        datasz = compat ? sizeof(QXLCompatDrawable) : sizeof(QXLDrawable);
+         break;
+     case QXL_CMD_SURFACE:
++        datasz = sizeof(QXLSurfaceCmd);
+         break;
+     case QXL_CMD_CURSOR:
++        datasz = sizeof(QXLCursorCmd);
+         break;
+     default:
+         goto out;
+     }
+-    data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++    data = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id, datasz);
+     if (!data) {
+         return 1;
+     }
+diff --git a/hw/display/qxl-render.c b/hw/display/qxl-render.c
+index ca217004bf..fcfd40c3ac 100644
+--- a/hw/display/qxl-render.c
++++ b/hw/display/qxl-render.c
+@@ -107,7 +107,9 @@ static void qxl_render_update_area_unlocked(PCIQXLDevice *qxl)
+         qxl->guest_primary.resized = 0;
+         qxl->guest_primary.data = qxl_phys2virt(qxl,
+                                                 qxl->guest_primary.surface.mem,
+-                                                MEMSLOT_GROUP_GUEST);
++                                                MEMSLOT_GROUP_GUEST,
++                                                qxl->guest_primary.abs_stride
++                                                * height);
+         if (!qxl->guest_primary.data) {
+             goto end;
+         }
+@@ -228,7 +230,8 @@ static void qxl_unpack_chunks(void *dest, size_t size, PCIQXLDevice *qxl,
+         if (offset == size) {
+             return;
+         }
+-        chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id);
++        chunk = qxl_phys2virt(qxl, chunk->next_chunk, group_id,
++                              sizeof(QXLDataChunk) + chunk->data_size);
+         if (!chunk) {
+             return;
+         }
+@@ -295,7 +298,8 @@ fail:
+ /* called from spice server thread context only */
+ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+ {
+-    QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++    QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++                                      sizeof(QXLCursorCmd));
+     QXLCursor *cursor;
+     QEMUCursor *c;
+
+@@ -314,7 +318,15 @@ int qxl_render_cursor(PCIQXLDevice *qxl, QXLCommandExt *ext)
+     }
+     switch (cmd->type) {
+     case QXL_CURSOR_SET:
+-        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id);
++        /* First read the QXLCursor to get QXLDataChunk::data_size ... */
++        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
++                               sizeof(QXLCursor));
++        if (!cursor) {
++            return 1;
++        }
++        /* Then read including the chunked data following QXLCursor. */
++        cursor = qxl_phys2virt(qxl, cmd->u.set.shape, ext->group_id,
++                               sizeof(QXLCursor) + cursor->chunk.data_size);
+         if (!cursor) {
+             return 1;
+         }
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index adbdbcaeb6..c1ab202f98 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -274,7 +274,8 @@ static void qxl_spice_monitors_config_async(PCIQXLDevice *qxl, int replay)
+                                           QXL_IO_MONITORS_CONFIG_ASYNC));
+     }
+
+-    cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST);
++    cfg = qxl_phys2virt(qxl, qxl->guest_monitors_config, MEMSLOT_GROUP_GUEST,
++                        sizeof(QXLMonitorsConfig));
+     if (cfg != NULL && cfg->count == 1) {
+         qxl->guest_primary.resized = 1;
+         qxl->guest_head0_width  = cfg->heads[0].width;
+@@ -459,7 +460,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+     switch (le32_to_cpu(ext->cmd.type)) {
+     case QXL_CMD_SURFACE:
+     {
+-        QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++        QXLSurfaceCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++                                           sizeof(QXLSurfaceCmd));
+
+         if (!cmd) {
+             return 1;
+@@ -494,7 +496,8 @@ static int qxl_track_command(PCIQXLDevice *qxl, struct QXLCommandExt *ext)
+     }
+     case QXL_CMD_CURSOR:
+     {
+-        QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id);
++        QXLCursorCmd *cmd = qxl_phys2virt(qxl, ext->cmd.data, ext->group_id,
++                                          sizeof(QXLCursorCmd));
+
+         if (!cmd) {
+             return 1;
+@@ -1456,7 +1459,8 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+ }
+
+ /* can be also called from spice server thread context */
+-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id)
++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
++                    size_t size)
+ {
+     uint64_t offset;
+     uint32_t slot;
+@@ -1964,7 +1968,7 @@ static void qxl_dirty_surfaces(PCIQXLDevice *qxl)
+         }
+
+         cmd = qxl_phys2virt(qxl, qxl->guest_surfaces.cmds[i],
+-                            MEMSLOT_GROUP_GUEST);
++                            MEMSLOT_GROUP_GUEST, sizeof(QXLSurfaceCmd));
+         assert(cmd);
+         assert(cmd->type == QXL_SURFACE_CMD_CREATE);
+         qxl_dirty_one_surface(qxl, cmd->u.surface_create.data,
+diff --git a/hw/display/qxl.h b/hw/display/qxl.h
+index 78b3a6c9ba..bf03138ab4 100644
+--- a/hw/display/qxl.h
++++ b/hw/display/qxl.h
+@@ -153,6 +153,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
+  * @qxl: QXL device
+  * @phys: physical offset of buffer within the VRAM
+  * @group_id: memory slot group
++ * @size: size of the buffer
+  *
+  * Returns a host pointer to a buffer placed at offset @phys within the
+  * active slot @group_id of the PCI VGA RAM memory region associated with
+@@ -166,7 +167,8 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
+  * the incoming ram_addr_t.
+  *
+  */
+-void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id);
++void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL phys, int group_id,
++                    size_t size);
+ void qxl_set_guest_bug(PCIQXLDevice *qxl, const char *msg, ...)
+     G_GNUC_PRINTF(2, 3);
+
+
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:40 +0100
+Subject: [PATCH] hw/display/qxl: Avoid buffer overrun in qxl_phys2virt
+ (CVE-2022-4144)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Have qxl_get_check_slot_offset() return false if the requested
+buffer size does not fit within the slot memory region.
+
+Similarly qxl_phys2virt() now returns NULL in such case, and
+qxl_dirty_one_surface() aborts.
+
+This avoids buffer overrun in the host pointer returned by
+memory_region_get_ram_ptr().
+
+Fixes: CVE-2022-4144 (out-of-bounds read)
+Reported-by: Wenxu Yin (@awxylitol)
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1336
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-5-philmd@linaro.org>
+---
+ hw/display/qxl.c | 27 +++++++++++++++++++++++----
+ hw/display/qxl.h |  2 +-
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index c1ab202f98..91c0fe698c 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -1424,11 +1424,13 @@ static void qxl_reset_surfaces(PCIQXLDevice *d)
+
+ /* can be also called from spice server thread context */
+ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+-                                      uint32_t *s, uint64_t *o)
++                                      uint32_t *s, uint64_t *o,
++                                      size_t size_requested)
+ {
+     uint64_t phys   = le64_to_cpu(pqxl);
+     uint32_t slot   = (phys >> (64 -  8)) & 0xff;
+     uint64_t offset = phys & 0xffffffffffff;
++    uint64_t size_available;
+
+     if (slot >= NUM_MEMSLOTS) {
+         qxl_set_guest_bug(qxl, "slot too large %d >= %d", slot,
+@@ -1452,6 +1454,23 @@ static bool qxl_get_check_slot_offset(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+                           slot, offset, qxl->guest_slots[slot].size);
+         return false;
+     }
++    size_available = memory_region_size(qxl->guest_slots[slot].mr);
++    if (qxl->guest_slots[slot].offset + offset >= size_available) {
++        qxl_set_guest_bug(qxl,
++                          "slot %d offset %"PRIu64" > region size %"PRIu64"\n",
++                          slot, qxl->guest_slots[slot].offset + offset,
++                          size_available);
++        return false;
++    }
++    size_available -= qxl->guest_slots[slot].offset + offset;
++    if (size_requested > size_available) {
++        qxl_set_guest_bug(qxl,
++                          "slot %d offset %"PRIu64" size %zu: "
++                          "overrun by %"PRIu64" bytes\n",
++                          slot, offset, size_requested,
++                          size_requested - size_available);
++        return false;
++    }
+
+     *s = slot;
+     *o = offset;
+@@ -1471,7 +1490,7 @@ void *qxl_phys2virt(PCIQXLDevice *qxl, QXLPHYSICAL pqxl, int group_id,
+         offset = le64_to_cpu(pqxl) & 0xffffffffffff;
+         return (void *)(intptr_t)offset;
+     case MEMSLOT_GROUP_GUEST:
+-        if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset)) {
++        if (!qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size)) {
+             return NULL;
+         }
+         ptr = memory_region_get_ram_ptr(qxl->guest_slots[slot].mr);
+@@ -1937,9 +1956,9 @@ static void qxl_dirty_one_surface(PCIQXLDevice *qxl, QXLPHYSICAL pqxl,
+     uint32_t slot;
+     bool rc;
+
+-    rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset);
+-    assert(rc == true);
+     size = (uint64_t)height * abs(stride);
++    rc = qxl_get_check_slot_offset(qxl, pqxl, &slot, &offset, size);
++    assert(rc == true);
+     trace_qxl_surfaces_dirty(qxl->id, offset, size);
+     qxl_set_dirty(qxl->guest_slots[slot].mr,
+                   qxl->guest_slots[slot].offset + offset,
+diff --git a/hw/display/qxl.h b/hw/display/qxl.h
+index bf03138ab4..7894bd5134 100644
+--- a/hw/display/qxl.h
++++ b/hw/display/qxl.h
+@@ -157,7 +157,7 @@ OBJECT_DECLARE_SIMPLE_TYPE(PCIQXLDevice, PCI_QXL)
+  *
+  * Returns a host pointer to a buffer placed at offset @phys within the
+  * active slot @group_id of the PCI VGA RAM memory region associated with
+- * the @qxl device. If the slot is inactive, or the offset is out
++ * the @qxl device. If the slot is inactive, or the offset + size are out
+  * of the memory region, returns NULL.
+  *
+  * Use with care; by the time this function returns, the returned pointer is
+
+From: =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>
+Date: Mon, 28 Nov 2022 21:27:41 +0100
+Subject: [PATCH] hw/display/qxl: Assert memory slot fits in preallocated
+ MemoryRegion
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
+Message-Id: <20221128202741.4945-6-philmd@linaro.org>
+---
+ hw/display/qxl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/hw/display/qxl.c b/hw/display/qxl.c
+index 91c0fe698c..8fe4e6b8cd 100644
+--- a/hw/display/qxl.c
++++ b/hw/display/qxl.c
+@@ -1384,6 +1384,7 @@ static int qxl_add_memslot(PCIQXLDevice *d, uint32_t slot_id, uint64_t delta,
+         qxl_set_guest_bug(d, "%s: pci_region = %d", __func__, pci_region);
+         return 1;
+     }
++    assert(guest_end - pci_start <= memory_region_size(mr));
+
+     virt_start = (intptr_t)memory_region_get_ram_ptr(mr);
+     memslot.slot_id = slot_id;

0021-linux-user-use-max-instead-of-qemu32-qemu64-by-default.patch

@@ -0,0 +1,81 @@
+From ea3de64a58f5f157a75280bcddf884c5bda391be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Fri, 23 Sep 2022 12:04:13 +0100
+Subject: [PATCH 21/21] linux-user: use 'max' instead of 'qemu32' / 'qemu64' by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'qemu64' CPU model implements the least featureful x86_64 CPU that's
+possible. Historically this hasn't been an issue since it was rare for
+OS distros to build with a higher mandatory CPU baseline.
+
+With RHEL-9, however, the entire distro is built for the x86_64-v2 ABI
+baseline:
+
+  https://developers.redhat.com/blog/2021/01/05/building-red-hat-enterprise-linux-9-for-the-x86-64-v2-microarchitecture-level
+
+It is likely that other distros may take similar steps in the not too
+distant future. For example, it has been suggested for Fedora on a
+number of occasions.
+
+This new baseline is not compatible with the qemu64 CPU model though.
+While it is possible to pass a '-cpu xxx' flag to qemu-x86_64, the
+usage of QEMU doesn't always allow for this. For example, the args
+are typically controlled via binfmt rules that the user has no ability
+to change. This impacts users who are trying to use podman on aarch64
+platforms, to run containers with x86_64 content. There's no arg to
+podman that can be used to change the qemu-x86_64 args, and a non-root
+user of podman can not change binfmt rules without elevating privileges:
+
+  https://github.com/containers/podman/issues/15456#issuecomment-1228210973
+
+Changing to the 'max' CPU model gives 'qemu-x86_64' maximum
+compatibility with binaries it is likely to encounter in the wild,
+and not likely to have a significant downside for existing usage.
+
+Most other architectures already use an 'any' CPU model, which is
+often mapped to 'max' (or similar) already, rather than the oldest
+possible CPU model.
+
+For the sake of consistency the 'i386' architecture is also changed
+from using 'qemu32' to 'max'.
+
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Message-Id: <20220923110413.70593-1-berrange@redhat.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+---
+ linux-user/i386/target_elf.h   | 2 +-
+ linux-user/x86_64/target_elf.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/linux-user/i386/target_elf.h b/linux-user/i386/target_elf.h
+index 1c6142e..238a9ab 100644
+--- a/linux-user/i386/target_elf.h
++++ b/linux-user/i386/target_elf.h
+@@ -9,6 +9,6 @@
+ #define I386_TARGET_ELF_H
+ static inline const char *cpu_get_model(uint32_t eflags)
+ {
+-    return "qemu32";
++    return "max";
+ }
+ #endif
+diff --git a/linux-user/x86_64/target_elf.h b/linux-user/x86_64/target_elf.h
+index 7b76a90..3f628f8 100644
+--- a/linux-user/x86_64/target_elf.h
++++ b/linux-user/x86_64/target_elf.h
+@@ -9,6 +9,6 @@
+ #define X86_64_TARGET_ELF_H
+ static inline const char *cpu_get_model(uint32_t eflags)
+ {
+-    return "qemu64";
++    return "max";
+ }
+ #endif
+-- 
+2.39.0
+

0022-block-move-bdrv_qiov_is_aligned-to-file-posix.patch

@@ -0,0 +1,99 @@
+From 2b30e95684fec72e1c2db9dd350cb6967181b825 Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Thu, 29 Sep 2022 13:05:22 -0700
+Subject: [PATCH] block: move bdrv_qiov_is_aligned to file-posix
+
+There is only user of bdrv_qiov_is_aligned(), so move the alignment
+function to there and make it static.
+
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Message-Id: <20220929200523.3218710-2-kbusch@meta.com>
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit a7c5f67a78569f8c275ea4ea9962e9c79b9d03cb)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/file-posix.c       | 21 +++++++++++++++++++++
+ block/io.c               | 21 ---------------------
+ include/block/block-io.h |  1 -
+ 3 files changed, 21 insertions(+), 22 deletions(-)
+
+diff --git a/block/file-posix.c b/block/file-posix.c
+index 39a3d6d..0185b4e 100644
+--- a/block/file-posix.c
++++ b/block/file-posix.c
+@@ -2047,6 +2047,27 @@ static int coroutine_fn raw_thread_pool_submit(BlockDriverState *bs,
+     return thread_pool_submit_co(pool, func, arg);
+ }
+ 
++/*
++ * Check if all memory in this vector is sector aligned.
++ */
++static bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
++{
++    int i;
++    size_t alignment = bdrv_min_mem_align(bs);
++    IO_CODE();
++
++    for (i = 0; i < qiov->niov; i++) {
++        if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
++            return false;
++        }
++        if (qiov->iov[i].iov_len % alignment) {
++            return false;
++        }
++    }
++
++    return true;
++}
++
+ static int coroutine_fn raw_co_prw(BlockDriverState *bs, uint64_t offset,
+                                    uint64_t bytes, QEMUIOVector *qiov, int type)
+ {
+diff --git a/block/io.c b/block/io.c
+index 3280144..e44fc43 100644
+--- a/block/io.c
++++ b/block/io.c
+@@ -3296,27 +3296,6 @@ void *qemu_try_blockalign0(BlockDriverState *bs, size_t size)
+     return mem;
+ }
+ 
+-/*
+- * Check if all memory in this vector is sector aligned.
+- */
+-bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
+-{
+-    int i;
+-    size_t alignment = bdrv_min_mem_align(bs);
+-    IO_CODE();
+-
+-    for (i = 0; i < qiov->niov; i++) {
+-        if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
+-            return false;
+-        }
+-        if (qiov->iov[i].iov_len % alignment) {
+-            return false;
+-        }
+-    }
+-
+-    return true;
+-}
+-
+ void bdrv_io_plug(BlockDriverState *bs)
+ {
+     BdrvChild *child;
+diff --git a/include/block/block-io.h b/include/block/block-io.h
+index 5e3f346..80810e1 100644
+--- a/include/block/block-io.h
++++ b/include/block/block-io.h
+@@ -141,7 +141,6 @@ void *qemu_blockalign(BlockDriverState *bs, size_t size);
+ void *qemu_blockalign0(BlockDriverState *bs, size_t size);
+ void *qemu_try_blockalign(BlockDriverState *bs, size_t size);
+ void *qemu_try_blockalign0(BlockDriverState *bs, size_t size);
+-bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov);
+ 
+ void bdrv_enable_copy_on_read(BlockDriverState *bs);
+ void bdrv_disable_copy_on_read(BlockDriverState *bs);
+-- 
+2.39.2
+

0023-block-use-the-request-length-for-iov-alignment.patch

@@ -0,0 +1,42 @@
+From cd316ab11b01b3470148612e6df9891faf1fb311 Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Thu, 29 Sep 2022 13:05:23 -0700
+Subject: [PATCH] block: use the request length for iov alignment
+
+An iov length needs to be aligned to the logical block size, which may
+be larger than the memory alignment.
+
+Tested-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Message-Id: <20220929200523.3218710-3-kbusch@meta.com>
+Reviewed-by: Kevin Wolf <kwolf@redhat.com>
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+(cherry picked from commit 25474d90aa50bd32e0de395a33d8de42dd6f2aef)
+Signed-off-by: Kevin Wolf <kwolf@redhat.com>
+---
+ block/file-posix.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/block/file-posix.c b/block/file-posix.c
+index 0185b4e..6818b0e 100644
+--- a/block/file-posix.c
++++ b/block/file-posix.c
+@@ -2054,13 +2054,14 @@ static bool bdrv_qiov_is_aligned(BlockDriverState *bs, QEMUIOVector *qiov)
+ {
+     int i;
+     size_t alignment = bdrv_min_mem_align(bs);
++    size_t len = bs->bl.request_alignment;
+     IO_CODE();
+ 
+     for (i = 0; i < qiov->niov; i++) {
+         if ((uintptr_t) qiov->iov[i].iov_base % alignment) {
+             return false;
+         }
+-        if (qiov->iov[i].iov_len % alignment) {
++        if (qiov->iov[i].iov_len % len) {
+             return false;
+         }
+     }
+-- 
+2.39.2
+

0024-qga-win32-local-privilege-escalation.patch

@@ -0,0 +1,129 @@
+From f45ee21bebeda4fc1fdd2c359a8a5bfeb1fd4459 Mon Sep 17 00:00:00 2001
+From: Konstantin Kostiuk <kkostiuk@redhat.com>
+Date: Fri, 3 Mar 2023 21:20:07 +0200
+Subject: [PATCH] qga/win32: Remove change action from MSI installer
+
+Remove the 'change' button from "Programs and Features" because it does
+not checks if a user is an admin or not. The installer has no components
+to choose from and always installs everything. So the 'change' button is
+not obviously needed but can create a security issue.
+
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
+fixes: CVE-2023-0664 (part 1 of 2)
+
+Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
+Reported-by: Brian Wiltse <brian.wiltse@live.com>
+---
+ qga/installer/qemu-ga.wxs | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
+index 0950e8c6be..b62e709a4c 100644
+--- a/qga/installer/qemu-ga.wxs
++++ b/qga/installer/qemu-ga.wxs
+@@ -58,6 +58,7 @@
+       />
+     <Media Id="1" Cabinet="qemu_ga.$(env.QEMU_GA_VERSION).cab" EmbedCab="yes" />
+     <Property Id="WHSLogo">1</Property>
++    <Property Id="ARPNOMODIFY" Value="yes" Secure="yes" />
+     <MajorUpgrade
+       DowngradeErrorMessage="Error: A newer version of QEMU guest agent is already installed."
+       />
+
+From 020caf0b49dbfef8bc9ec7f02c93c3d5097bb932 Mon Sep 17 00:00:00 2001
+From: Konstantin Kostiuk <kkostiuk@redhat.com>
+Date: Fri, 3 Mar 2023 21:20:08 +0200
+Subject: [PATCH] qga/win32: Use rundll for VSS installation
+
+The custom action uses cmd.exe to run VSS Service installation
+and removal which causes an interactive command shell to spawn.
+This shell can be used to execute any commands as a SYSTEM user.
+Even if call qemu-ga.exe directly the interactive command shell
+will be spawned as qemu-ga.exe is a console application and used
+by users from the console as well as a service.
+
+As VSS Service runs from DLL which contains the installer and
+uninstaller code, it can be run directly by rundll32.exe without
+any interactive command shell.
+
+Add specific entry points for rundll which is just a wrapper
+for COMRegister/COMUnregister functions with proper arguments.
+
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2167423
+fixes: CVE-2023-0664 (part 2 of 2)
+
+Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
+Reviewed-by: Yan Vugenfirer <yvugenfi@redhat.com>
+Reported-by: Brian Wiltse <brian.wiltse@live.com>
+---
+ qga/installer/qemu-ga.wxs | 10 +++++-----
+ qga/vss-win32/install.cpp |  9 +++++++++
+ qga/vss-win32/qga-vss.def |  2 ++
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/qga/installer/qemu-ga.wxs b/qga/installer/qemu-ga.wxs
+index b62e709a4c..11b66a22e6 100644
+--- a/qga/installer/qemu-ga.wxs
++++ b/qga/installer/qemu-ga.wxs
+@@ -143,22 +143,22 @@
+       </Directory>
+     </Directory>
+
+-    <Property Id="cmd" Value="cmd.exe"/>
++    <Property Id="rundll" Value="rundll32.exe"/>
+     <Property Id="REINSTALLMODE" Value="amus"/>
+
+     <?ifdef var.InstallVss?>
+     <CustomAction Id="RegisterCom"
+-              ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-install'
++              ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMRegister'
+               Execute="deferred"
+-              Property="cmd"
++              Property="rundll"
+               Impersonate="no"
+               Return="check"
+               >
+     </CustomAction>
+     <CustomAction Id="UnRegisterCom"
+-              ExeCommand='/c "[qemu_ga_directory]qemu-ga.exe" -s vss-uninstall'
++              ExeCommand='"[qemu_ga_directory]qga-vss.dll",DLLCOMUnregister'
+               Execute="deferred"
+-              Property="cmd"
++              Property="rundll"
+               Impersonate="no"
+               Return="check"
+               >
+diff --git a/qga/vss-win32/install.cpp b/qga/vss-win32/install.cpp
+index b57508fbe0..68662a6dfc 100644
+--- a/qga/vss-win32/install.cpp
++++ b/qga/vss-win32/install.cpp
+@@ -357,6 +357,15 @@ out:
+     return hr;
+ }
+
++STDAPI_(void) CALLBACK DLLCOMRegister(HWND, HINSTANCE, LPSTR, int)
++{
++    COMRegister();
++}
++
++STDAPI_(void) CALLBACK DLLCOMUnregister(HWND, HINSTANCE, LPSTR, int)
++{
++    COMUnregister();
++}
+
+ static BOOL CreateRegistryKey(LPCTSTR key, LPCTSTR value, LPCTSTR data)
+ {
+diff --git a/qga/vss-win32/qga-vss.def b/qga/vss-win32/qga-vss.def
+index 927782c31b..ee97a81427 100644
+--- a/qga/vss-win32/qga-vss.def
++++ b/qga/vss-win32/qga-vss.def
+@@ -1,6 +1,8 @@
+ LIBRARY      "QGA-PROVIDER.DLL"
+
+ EXPORTS
++	DLLCOMRegister
++	DLLCOMUnregister
+ 	COMRegister		PRIVATE
+ 	COMUnregister		PRIVATE
+ 	DllCanUnloadNow		PRIVATE

qemu.spec

@@ -317,7 +317,7 @@ Obsoletes: %{name}-system-unicore32-core <= %{epoch}:%{version}-%{release}
 %endif
 
 # To prevent rpmdev-bumpspec breakage
-%global baserelease 10
+%global baserelease 15
 
 Summary: QEMU is a FAST! processor emulator
 Name: qemu
@@ -360,6 +360,26 @@ Patch: 0012-vga-avoid-crash-if-no-default-vga-card.patch
 Patch: 0013-scsi-lsi53c895a-fix-use-after-free-in-lsi_do_msgout.patch
 # vnc-clipboard: fix integer underflow (CVE-2022-3165)
 Patch: 0014-ui-vnc-clipboard-fix-integer-underflow-in-vnc_client.patch
+# Fix "failed to set up stack guard page: Cannot allocate memory"
+# https://bugzilla.redhat.com/show_bug.cgi?id=2143006
+Patch: 0015-coroutine-Rename-qemu_coroutine_inc-dec_pool_size.patch
+Patch: 0016-coroutine-Revert-to-constant-batch-size.patch
+# hcd-xhci: infinite loop in xhci_ring_chain_length (CVE-2020-14394)
+Patch: 0017-hw-usb-hcd-xhci-Fix-unbounded-loop-in-xhci_ring_chain_length.patch
+# ati-vga: out-of-bounds write in ati_2d_blt (CVE-2021-3638)
+Patch: 0018-hw-display-ati_2d-Fix-buffer-overflow-in-ati_2d_blt.patch
+# acpi erst: memory corruption issues (CVE-2022-4172)
+Patch: 0019-hw-acpi-erst.c-Fix-memory-handling-issues.patch
+# qxl: qxl_phys2virt unsafe address translation (CVE-2022-4144)
+Patch: 0020-hw-display-qxl-Avoid-buffer-overrun-qxl_phys2virt.patch
+# linux-user: default to -cpu max (rhbz#2121700)
+Patch: 0021-linux-user-use-max-instead-of-qemu32-qemu64-by-default.patch
+#block: Fix memory alignment of requests (rhbz#2174139)
+Patch: 0022-block-move-bdrv_qiov_is_aligned-to-file-posix.patch
+Patch: 0023-block-use-the-request-length-for-iov-alignment.patch
+# qga/win32: Fix local privilege escalation issue (CVE-2023-0664)
+Patch: 0024-qga-win32-local-privilege-escalation.patch
+
 
 BuildRequires: meson >= %{meson_version}
 BuildRequires: zlib-devel
@@ -2724,6 +2744,26 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \
 
 
 %changelog
+* Sun Mar 26 2023 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-15
+- qga/win32: Fix local privilege escalation issue (CVE-2023-0664) (rhbz#2175700)
+
+* Tue Feb 28 2023 Eduardo Lima (Etrunko) <etrunko@redhat.com> -  2:7.0.0-14
+- block: Fix memory alignment of requests (rhbz#2174139)
+- Disable the tests on i686
+
+* Thu Jan 19 2023 Christophe Fergeau <cfergeau@redhat.com> - 2:7.0.0-13
+- linux-user: default to -cpu max (rhbz#2121700)
+
+* Tue Dec 06 2022 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-12
+- hcd-xhci: infinite loop in xhci_ring_chain_length (CVE-2020-14394) (rhbz#1908050)
+- ati-vga: out-of-bounds write in ati_2d_blt (CVE-2021-3638) (rhbz#1979882)
+- acpi erst: memory corruption issues (CVE-2022-4172) (rhbz#2149106)
+- qxl: qxl_phys2virt unsafe address translation (CVE-2022-4144) (rhbz#2148542)
+
+* Wed Nov 16 2022 Richard W.M. Jones <rjones@redhat.com> - 7.0.0-11
+- Fix "failed to set up stack guard page: Cannot allocate memory"
+  (rhbz#2143006)
+
 * Tue Oct 18 2022 Mauro Matteo Cascella <mcascell@redhat.com> - 2:7.0.0-10
 - vga: avoid crash if no default vga card (rhbz#2095639)
 - lsi53c895a: fix use-after-free in lsi_do_msgout (CVE-2022-0216) (rhbz#2070902)