Compare commits
27 Commits
Author | SHA1 | Date |
---|---|---|
Cole Robinson | 6a2f9fd5cf | |
Cole Robinson | dfb84783bc | |
Cole Robinson | 4d7edd7e33 | |
Cole Robinson | 5a6b758586 | |
Cole Robinson | ea06621f9b | |
Cole Robinson | 8963de0583 | |
Cole Robinson | fa4cd5da64 | |
Cole Robinson | 98de78b65f | |
Cole Robinson | 808a2e2dfa | |
Cole Robinson | f3d2a0c0ad | |
Cole Robinson | bedc3458f2 | |
Cole Robinson | 73cbb80400 | |
Daniel P. Berrange | 892ad72e62 | |
Cole Robinson | 9ddf6d447d | |
Cole Robinson | 25a79b6b3b | |
Cole Robinson | a05edfdf31 | |
Cole Robinson | 95141b20c8 | |
Cole Robinson | c2ff7549fb | |
Cole Robinson | dd1abadcd8 | |
Cole Robinson | 14f36a81e1 | |
Cole Robinson | a10f883040 | |
Cole Robinson | bd8b34f6e4 | |
Cole Robinson | bf4470bf85 | |
Cole Robinson | 4cf00646d5 | |
Cole Robinson | d76f65307f | |
Peter Robinson | 3fa9b818a6 | |
Paolo Bonzini | 6a417cc337 |
|
@ -9,7 +9,7 @@ f24 backported spice gl support
|
|||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
|
||||
index 30ccfe3..00e4a0b 100644
|
||||
index 568b64a..3c679e8 100644
|
||||
--- a/include/ui/spice-display.h
|
||||
+++ b/include/ui/spice-display.h
|
||||
@@ -25,7 +25,7 @@
|
||||
|
|
|
@ -0,0 +1,55 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 20 Jun 2016 16:32:39 +0200
|
||||
Subject: [PATCH] scsi: esp: fix migration
|
||||
|
||||
Commit 926cde5 ("scsi: esp: make cmdbuf big enough for maximum CDB size",
|
||||
2016-06-16) changed the size of a migrated field. Split it in two
|
||||
parts, and only migrate the second part in a new vmstate version.
|
||||
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit cc96677469388bad3d66479379735cf75db069e3)
|
||||
---
|
||||
hw/scsi/esp.c | 5 +++--
|
||||
include/migration/vmstate.h | 5 ++++-
|
||||
2 files changed, 7 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index baa0a2c..1f2f2d3 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -574,7 +574,7 @@ static bool esp_mem_accepts(void *opaque, hwaddr addr,
|
||||
|
||||
const VMStateDescription vmstate_esp = {
|
||||
.name ="esp",
|
||||
- .version_id = 3,
|
||||
+ .version_id = 4,
|
||||
.minimum_version_id = 3,
|
||||
.fields = (VMStateField[]) {
|
||||
VMSTATE_BUFFER(rregs, ESPState),
|
||||
@@ -585,7 +585,8 @@ const VMStateDescription vmstate_esp = {
|
||||
VMSTATE_BUFFER(ti_buf, ESPState),
|
||||
VMSTATE_UINT32(status, ESPState),
|
||||
VMSTATE_UINT32(dma, ESPState),
|
||||
- VMSTATE_BUFFER(cmdbuf, ESPState),
|
||||
+ VMSTATE_PARTIAL_BUFFER(cmdbuf, ESPState, 16),
|
||||
+ VMSTATE_BUFFER_START_MIDDLE_V(cmdbuf, ESPState, 16, 4),
|
||||
VMSTATE_UINT32(cmdlen, ESPState),
|
||||
VMSTATE_UINT32(do_cmd, ESPState),
|
||||
VMSTATE_UINT32(dma_left, ESPState),
|
||||
diff --git a/include/migration/vmstate.h b/include/migration/vmstate.h
|
||||
index 84ee355..853a2bd 100644
|
||||
--- a/include/migration/vmstate.h
|
||||
+++ b/include/migration/vmstate.h
|
||||
@@ -888,8 +888,11 @@ extern const VMStateInfo vmstate_info_bitmap;
|
||||
#define VMSTATE_PARTIAL_BUFFER(_f, _s, _size) \
|
||||
VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, 0, _size)
|
||||
|
||||
+#define VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, _v) \
|
||||
+ VMSTATE_STATIC_BUFFER(_f, _s, _v, NULL, _start, sizeof(typeof_field(_s, _f)))
|
||||
+
|
||||
#define VMSTATE_BUFFER_START_MIDDLE(_f, _s, _start) \
|
||||
- VMSTATE_STATIC_BUFFER(_f, _s, 0, NULL, _start, sizeof(typeof_field(_s, _f)))
|
||||
+ VMSTATE_BUFFER_START_MIDDLE_V(_f, _s, _start, 0)
|
||||
|
||||
#define VMSTATE_PARTIAL_VBUFFER(_f, _s, _size) \
|
||||
VMSTATE_VBUFFER(_f, _s, 0, NULL, 0, _size)
|
|
@ -1,33 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Thu, 5 May 2016 19:39:38 -0400
|
||||
Subject: [PATCH] ui: gtk: fix crash when terminal inner-border is NULL
|
||||
|
||||
VTE terminal inner-border can be NULL. The vte-0.36 (API 2.90)
|
||||
code checks for the condition too so I assume it's not just a bug
|
||||
|
||||
Fixes a crash on Fedora 24 with gtk 3.20
|
||||
---
|
||||
ui/gtk.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ui/gtk.c b/ui/gtk.c
|
||||
index f372a6d..9876d89 100644
|
||||
--- a/ui/gtk.c
|
||||
+++ b/ui/gtk.c
|
||||
@@ -340,10 +340,12 @@ static void gd_update_geometry_hints(VirtualConsole *vc)
|
||||
geo.min_height = geo.height_inc * VC_TERM_Y_MIN;
|
||||
mask |= GDK_HINT_MIN_SIZE;
|
||||
gtk_widget_style_get(vc->vte.terminal, "inner-border", &ib, NULL);
|
||||
- geo.base_width += ib->left + ib->right;
|
||||
- geo.base_height += ib->top + ib->bottom;
|
||||
- geo.min_width += ib->left + ib->right;
|
||||
- geo.min_height += ib->top + ib->bottom;
|
||||
+ if (ib) {
|
||||
+ geo.base_width += ib->left + ib->right;
|
||||
+ geo.base_height += ib->top + ib->bottom;
|
||||
+ geo.min_width += ib->left + ib->right;
|
||||
+ geo.min_height += ib->top + ib->bottom;
|
||||
+ }
|
||||
geo_widget = vc->vte.terminal;
|
||||
#endif
|
||||
}
|
|
@ -0,0 +1,33 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 8 Aug 2016 18:08:31 +0530
|
||||
Subject: [PATCH] net: vmxnet3: check for device_active before write
|
||||
|
||||
Vmxnet3 device emulator does not check if the device is active,
|
||||
before using it for write. It leads to a use after free issue,
|
||||
if the vmxnet3_io_bar0_write routine is called after the device is
|
||||
deactivated. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Acked-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 6c352ca9b4ee3e1e286ea9e8434bd8e69ac7d0d8)
|
||||
---
|
||||
hw/net/vmxnet3.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index 20f26b7..a6ce16e 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -1158,6 +1158,10 @@ vmxnet3_io_bar0_write(void *opaque, hwaddr addr,
|
||||
{
|
||||
VMXNET3State *s = opaque;
|
||||
|
||||
+ if (!s->device_active) {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (VMW_IS_MULTIREG_ADDR(addr, VMXNET3_REG_TXPROD,
|
||||
VMXNET3_DEVICE_MAX_TX_QUEUES, VMXNET3_REG_ALIGN)) {
|
||||
int tx_queue_idx =
|
|
@ -1,48 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Fri, 6 May 2016 12:36:46 -0400
|
||||
Subject: [PATCH] ui: sdl2: Release grab before opening console window
|
||||
|
||||
sdl 2.0.4 currently has a bug which causes our UI shortcuts to fire
|
||||
rapidly in succession:
|
||||
|
||||
https://bugzilla.libsdl.org/show_bug.cgi?id=3287
|
||||
|
||||
It's a toss up whether ctrl+alt+f or ctrl+alt+2 will fire an
|
||||
odd or even number of times, thus determining whether the action
|
||||
succeeds or fails.
|
||||
|
||||
Opening monitor/serial windows is doubly broken, since it will often
|
||||
lock the UI trying to grab the pointer:
|
||||
|
||||
0x00007fffef3720a5 in SDL_Delay_REAL () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef3688ba in X11_SetWindowGrab () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2f2da7 in SDL_SendWindowEvent () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2f080b in SDL_SetKeyboardFocus () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef35d784 in X11_DispatchFocusIn.isra.8 () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef35dbce in X11_DispatchEvent () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef35ee4a in X11_PumpEvents () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2eea6a in SDL_PumpEvents_REAL () at /lib64/libSDL2-2.0.so.0
|
||||
0x00007fffef2eeab5 in SDL_WaitEventTimeout_REAL () at /lib64/libSDL2-2.0.so.0
|
||||
0x000055555597eed0 in sdl2_poll_events (scon=0x55555876f928) at ui/sdl2.c:593
|
||||
|
||||
We can work around that hang by ungrabbing the pointer before launching
|
||||
a new window. This roughly matches what our sdl1 code does
|
||||
---
|
||||
ui/sdl2.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/ui/sdl2.c b/ui/sdl2.c
|
||||
index d042442..909038f 100644
|
||||
--- a/ui/sdl2.c
|
||||
+++ b/ui/sdl2.c
|
||||
@@ -357,6 +357,10 @@ static void handle_keydown(SDL_Event *ev)
|
||||
case SDL_SCANCODE_7:
|
||||
case SDL_SCANCODE_8:
|
||||
case SDL_SCANCODE_9:
|
||||
+ if (gui_grab) {
|
||||
+ sdl_grab_end(scon);
|
||||
+ }
|
||||
+
|
||||
win = ev->key.keysym.scancode - SDL_SCANCODE_1;
|
||||
if (win < sdl2_num_outputs) {
|
||||
sdl2_console[win].hidden = !sdl2_console[win].hidden;
|
|
@ -1,30 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Wed, 18 May 2016 11:44:33 -0400
|
||||
Subject: [PATCH] ui: spice: Exit if gl=on EGL init fails
|
||||
|
||||
The user explicitly requested spice GL, so if we know it isn't
|
||||
going to work we should exit
|
||||
|
||||
Signed-off-by: Cole Robinson <crobinso@redhat.com>
|
||||
---
|
||||
ui/spice-core.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ui/spice-core.c b/ui/spice-core.c
|
||||
index 61db3c1..da05054 100644
|
||||
--- a/ui/spice-core.c
|
||||
+++ b/ui/spice-core.c
|
||||
@@ -833,9 +833,11 @@ void qemu_spice_init(void)
|
||||
"incompatible with -spice port/tls-port");
|
||||
exit(1);
|
||||
}
|
||||
- if (egl_rendernode_init() == 0) {
|
||||
- display_opengl = 1;
|
||||
+ if (egl_rendernode_init() != 0) {
|
||||
+ error_report("Failed to initialize EGL render node for SPICE GL");
|
||||
+ exit(1);
|
||||
}
|
||||
+ display_opengl = 1;
|
||||
}
|
||||
#endif
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 27 Jul 2016 21:07:56 +0530
|
||||
Subject: [PATCH] virtio: check vring descriptor buffer length
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
An infinite loop unfolds in virtqueue_pop() if a buffer was
|
||||
of zero size. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
(cherry picked from commit 1e7aed70144b4673fc26e73062064b6724795e5f)
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 519bb03..20c4f39 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -458,6 +458,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
unsigned num_sg = *p_num_sg;
|
||||
assert(num_sg <= max_num_sg);
|
||||
|
||||
+ if (!sz) {
|
||||
+ error_report("virtio: zero sized buffers are not allowed");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
while (sz) {
|
||||
hwaddr len = sz;
|
||||
|
|
@ -0,0 +1,61 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 6 Sep 2016 02:20:43 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: limit loop to fetch SG list
|
||||
|
||||
In PVSCSI paravirtual SCSI bus, pvscsi_convert_sglist can take a very
|
||||
long time or go into an infinite loop due to two different bugs:
|
||||
|
||||
1) the request descriptor data length is defined to be 64 bit. While
|
||||
building SG list from a request descriptor, it gets truncated to 32bit
|
||||
in routine 'pvscsi_convert_sglist'. This could lead to an infinite loop
|
||||
situation large 'dataLen' values when data_length is cast to uint32_t and
|
||||
chunk_size becomes always zero. Fix this by removing the incorrect cast.
|
||||
|
||||
2) pvscsi_get_next_sg_elem can be called arbitrarily many times if the
|
||||
element has a zero length. Get out of the loop early when this happens,
|
||||
by introducing an upper limit on the number of SG list elements.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1473108643-12983-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 49adc5d3f8c6bb75e55ebfeab109c5c37dea65e8)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index b845729..a13e72c 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -40,6 +40,8 @@
|
||||
#define PVSCSI_MAX_DEVS (64)
|
||||
#define PVSCSI_MSIX_NUM_VECTORS (1)
|
||||
|
||||
+#define PVSCSI_MAX_SG_ELEM 2048
|
||||
+
|
||||
#define PVSCSI_MAX_CMD_DATA_WORDS \
|
||||
(sizeof(PVSCSICmdDescSetupRings)/sizeof(uint32_t))
|
||||
|
||||
@@ -632,17 +634,16 @@ pvscsi_queue_pending_descriptor(PVSCSIState *s, SCSIDevice **d,
|
||||
static void
|
||||
pvscsi_convert_sglist(PVSCSIRequest *r)
|
||||
{
|
||||
- int chunk_size;
|
||||
+ uint32_t chunk_size, elmcnt = 0;
|
||||
uint64_t data_length = r->req.dataLen;
|
||||
PVSCSISGState sg = r->sg;
|
||||
- while (data_length) {
|
||||
- while (!sg.resid) {
|
||||
+ while (data_length && elmcnt < PVSCSI_MAX_SG_ELEM) {
|
||||
+ while (!sg.resid && elmcnt++ < PVSCSI_MAX_SG_ELEM) {
|
||||
pvscsi_get_next_sg_elem(&sg);
|
||||
trace_pvscsi_convert_sglist(r->req.context, r->sg.dataAddr,
|
||||
r->sg.resid);
|
||||
}
|
||||
- assert(data_length > 0);
|
||||
- chunk_size = MIN((unsigned) data_length, sg.resid);
|
||||
+ chunk_size = MIN(data_length, sg.resid);
|
||||
if (chunk_size) {
|
||||
qemu_sglist_add(&r->sgl, sg.dataAddr, chunk_size);
|
||||
}
|
|
@ -1,83 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 3 Feb 2016 13:55:00 +0100
|
||||
Subject: [PATCH] spice/gl: add & use qemu_spice_gl_monitor_config
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
(cherry picked from commit 39414ef4e93db9041e463a097084a407d0d374f0)
|
||||
---
|
||||
include/ui/spice-display.h | 1 +
|
||||
ui/spice-display.c | 30 ++++++++++++++++++++++++++++++
|
||||
2 files changed, 31 insertions(+)
|
||||
|
||||
diff --git a/include/ui/spice-display.h b/include/ui/spice-display.h
|
||||
index 00e4a0b..3c679e8 100644
|
||||
--- a/include/ui/spice-display.h
|
||||
+++ b/include/ui/spice-display.h
|
||||
@@ -71,6 +71,7 @@ typedef struct QXLCookie {
|
||||
QXLRect area;
|
||||
int redraw;
|
||||
} render;
|
||||
+ void *data;
|
||||
} u;
|
||||
} QXLCookie;
|
||||
|
||||
diff --git a/ui/spice-display.c b/ui/spice-display.c
|
||||
index 242ab5f..2a77a54 100644
|
||||
--- a/ui/spice-display.c
|
||||
+++ b/ui/spice-display.c
|
||||
@@ -660,6 +660,11 @@ static void interface_async_complete(QXLInstance *sin, uint64_t cookie_token)
|
||||
qemu_bh_schedule(ssd->gl_unblock_bh);
|
||||
break;
|
||||
}
|
||||
+ case QXL_COOKIE_TYPE_IO:
|
||||
+ if (cookie->io == QXL_IO_MONITORS_CONFIG_ASYNC) {
|
||||
+ g_free(cookie->u.data);
|
||||
+ }
|
||||
+ break;
|
||||
#endif
|
||||
default:
|
||||
/* should never be called, used in qxl native mode only */
|
||||
@@ -795,6 +800,29 @@ static const DisplayChangeListenerOps display_listener_ops = {
|
||||
|
||||
#ifdef HAVE_SPICE_GL
|
||||
|
||||
+static void qemu_spice_gl_monitor_config(SimpleSpiceDisplay *ssd,
|
||||
+ int x, int y, int w, int h)
|
||||
+{
|
||||
+ QXLMonitorsConfig *config;
|
||||
+ QXLCookie *cookie;
|
||||
+
|
||||
+ config = g_malloc0(sizeof(QXLMonitorsConfig) + sizeof(QXLHead));
|
||||
+ config->count = 1;
|
||||
+ config->max_allowed = 1;
|
||||
+ config->heads[0].x = x;
|
||||
+ config->heads[0].y = y;
|
||||
+ config->heads[0].width = w;
|
||||
+ config->heads[0].height = h;
|
||||
+ cookie = qxl_cookie_new(QXL_COOKIE_TYPE_IO,
|
||||
+ QXL_IO_MONITORS_CONFIG_ASYNC);
|
||||
+ cookie->u.data = config;
|
||||
+
|
||||
+ spice_qxl_monitors_config_async(&ssd->qxl,
|
||||
+ (uintptr_t)config,
|
||||
+ MEMSLOT_GROUP_HOST,
|
||||
+ (uintptr_t)cookie);
|
||||
+}
|
||||
+
|
||||
static void qemu_spice_gl_block(SimpleSpiceDisplay *ssd, bool block)
|
||||
{
|
||||
uint64_t timeout;
|
||||
@@ -858,6 +886,8 @@ static void qemu_spice_gl_scanout(DisplayChangeListener *dcl,
|
||||
surface_width(ssd->ds),
|
||||
surface_height(ssd->ds),
|
||||
stride, fourcc, y_0_top);
|
||||
+
|
||||
+ qemu_spice_gl_monitor_config(ssd, x, y, w, h);
|
||||
}
|
||||
|
||||
static void qemu_spice_gl_update(DisplayChangeListener *dcl,
|
|
@ -1,32 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 7 Apr 2016 12:50:08 +0530
|
||||
Subject: [PATCH] i386: kvmvapic: initialise imm32 variable
|
||||
|
||||
When processing Task Priorty Register(TPR) access, it could leak
|
||||
automatic stack variable 'imm32' in patch_instruction().
|
||||
Initialise the variable to avoid it.
|
||||
|
||||
Reported by: Donghai Zdh <donghai.zdh@alibaba-inc.com>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1460013608-16670-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
|
||||
(cherry picked from commit 691a02e2ce0c413236a78dee6f2651c937b09fb0)
|
||||
---
|
||||
hw/i386/kvmvapic.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/i386/kvmvapic.c b/hw/i386/kvmvapic.c
|
||||
index c69f374..ff1e31a 100644
|
||||
--- a/hw/i386/kvmvapic.c
|
||||
+++ b/hw/i386/kvmvapic.c
|
||||
@@ -394,7 +394,7 @@ static void patch_instruction(VAPICROMState *s, X86CPU *cpu, target_ulong ip)
|
||||
CPUX86State *env = &cpu->env;
|
||||
VAPICHandlers *handlers;
|
||||
uint8_t opcode[2];
|
||||
- uint32_t imm32;
|
||||
+ uint32_t imm32 = 0;
|
||||
target_ulong current_pc = 0;
|
||||
target_ulong current_cs_base = 0;
|
||||
int current_flags = 0;
|
|
@ -0,0 +1,42 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 8 Sep 2016 18:15:54 +0530
|
||||
Subject: [PATCH] vmsvga: correct bitmap and pixmap size checks
|
||||
|
||||
When processing svga command DEFINE_CURSOR in vmsvga_fifo_run,
|
||||
the computed BITMAP and PIXMAP size are checked against the
|
||||
'cursor.mask[]' and 'cursor.image[]' array sizes in bytes.
|
||||
Correct these checks to avoid OOB memory access.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1473338754-15430-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 167d97a3def77ee2dbf6e908b0ecbfe2103977db)
|
||||
---
|
||||
hw/display/vmware_vga.c | 12 +++++++-----
|
||||
1 file changed, 7 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index e51a05e..6599cf0 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -676,11 +676,13 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
cursor.bpp = vmsvga_fifo_read(s);
|
||||
|
||||
args = SVGA_BITMAP_SIZE(x, y) + SVGA_PIXMAP_SIZE(x, y, cursor.bpp);
|
||||
- if (cursor.width > 256 ||
|
||||
- cursor.height > 256 ||
|
||||
- cursor.bpp > 32 ||
|
||||
- SVGA_BITMAP_SIZE(x, y) > sizeof cursor.mask ||
|
||||
- SVGA_PIXMAP_SIZE(x, y, cursor.bpp) > sizeof cursor.image) {
|
||||
+ if (cursor.width > 256
|
||||
+ || cursor.height > 256
|
||||
+ || cursor.bpp > 32
|
||||
+ || SVGA_BITMAP_SIZE(x, y)
|
||||
+ > sizeof(cursor.mask) / sizeof(cursor.mask[0])
|
||||
+ || SVGA_PIXMAP_SIZE(x, y, cursor.bpp)
|
||||
+ > sizeof(cursor.image) / sizeof(cursor.image[0])) {
|
||||
goto badcmd;
|
||||
}
|
||||
|
|
@ -1,39 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 19 May 2016 16:09:30 +0530
|
||||
Subject: [PATCH] esp: check command buffer length before write(CVE-2016-4439)
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer. While
|
||||
writing to this command buffer 's->cmdbuf[TI_BUFSZ=16]', a check
|
||||
was missing to validate input length. Add check to avoid OOB write
|
||||
access.
|
||||
|
||||
Fixes CVE-2016-4439.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1463654371-11169-2-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit c98c6c105f66f05aa0b7c1d2a4a3f716450907ef)
|
||||
---
|
||||
hw/scsi/esp.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 8961be2..01497e6 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -448,7 +448,11 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
|
||||
break;
|
||||
case ESP_FIFO:
|
||||
if (s->do_cmd) {
|
||||
- s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
+ if (s->cmdlen < TI_BUFSZ) {
|
||||
+ s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
+ } else {
|
||||
+ trace_esp_error_fifo_overrun();
|
||||
+ }
|
||||
} else if (s->ti_size == TI_BUFSZ - 1) {
|
||||
trace_esp_error_fifo_overrun();
|
||||
} else {
|
|
@ -0,0 +1,32 @@
|
|||
From: chaojianhu <chaojianhu@hotmail.com>
|
||||
Date: Tue, 9 Aug 2016 11:52:54 +0800
|
||||
Subject: [PATCH] hw/net: Fix a heap overflow in xlnx.xps-ethernetlite
|
||||
|
||||
The .receive callback of xlnx.xps-ethernetlite doesn't check the length
|
||||
of data before calling memcpy. As a result, the NetClientState object in
|
||||
heap will be overflowed. All versions of qemu with xlnx.xps-ethernetlite
|
||||
will be affected.
|
||||
|
||||
Reported-by: chaojianhu <chaojianhu@hotmail.com>
|
||||
Signed-off-by: chaojianhu <chaojianhu@hotmail.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit a0d1cbdacff5df4ded16b753b38fdd9da6092968)
|
||||
---
|
||||
hw/net/xilinx_ethlite.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/hw/net/xilinx_ethlite.c b/hw/net/xilinx_ethlite.c
|
||||
index bc846e7..12b7419 100644
|
||||
--- a/hw/net/xilinx_ethlite.c
|
||||
+++ b/hw/net/xilinx_ethlite.c
|
||||
@@ -197,6 +197,10 @@ static ssize_t eth_rx(NetClientState *nc, const uint8_t *buf, size_t size)
|
||||
}
|
||||
|
||||
D(qemu_log("%s %zd rxbase=%x\n", __func__, size, rxbase));
|
||||
+ if (size > (R_MAX - R_RX_BUF0 - rxbase) * 4) {
|
||||
+ D(qemu_log("ethlite packet is too big, size=%x\n", size));
|
||||
+ return -1;
|
||||
+ }
|
||||
memcpy(&s->regs[rxbase + R_RX_BUF0], buf, size);
|
||||
|
||||
s->regs[rxbase + R_RX_CTRL0] |= CTRL_S;
|
|
@ -1,73 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 19 May 2016 16:09:31 +0530
|
||||
Subject: [PATCH] esp: check dma length before reading scsi
|
||||
command(CVE-2016-4441)
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer.
|
||||
Routine get_cmd() uses DMA to read scsi commands into this buffer.
|
||||
Add check to validate DMA length against buffer size to avoid any
|
||||
overrun.
|
||||
|
||||
Fixes CVE-2016-4441.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1463654371-11169-3-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 6c1fef6b59563cc415f21e03f81539ed4b33ad90)
|
||||
---
|
||||
hw/scsi/esp.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 01497e6..591c817 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -82,7 +82,7 @@ void esp_request_cancelled(SCSIRequest *req)
|
||||
}
|
||||
}
|
||||
|
||||
-static uint32_t get_cmd(ESPState *s, uint8_t *buf)
|
||||
+static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
|
||||
{
|
||||
uint32_t dmalen;
|
||||
int target;
|
||||
@@ -92,6 +92,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf)
|
||||
dmalen = s->rregs[ESP_TCLO];
|
||||
dmalen |= s->rregs[ESP_TCMID] << 8;
|
||||
dmalen |= s->rregs[ESP_TCHI] << 16;
|
||||
+ if (dmalen > buflen) {
|
||||
+ return 0;
|
||||
+ }
|
||||
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
||||
} else {
|
||||
dmalen = s->ti_size;
|
||||
@@ -166,7 +169,7 @@ static void handle_satn(ESPState *s)
|
||||
s->dma_cb = handle_satn;
|
||||
return;
|
||||
}
|
||||
- len = get_cmd(s, buf);
|
||||
+ len = get_cmd(s, buf, sizeof(buf));
|
||||
if (len)
|
||||
do_cmd(s, buf);
|
||||
}
|
||||
@@ -180,7 +183,7 @@ static void handle_s_without_atn(ESPState *s)
|
||||
s->dma_cb = handle_s_without_atn;
|
||||
return;
|
||||
}
|
||||
- len = get_cmd(s, buf);
|
||||
+ len = get_cmd(s, buf, sizeof(buf));
|
||||
if (len) {
|
||||
do_busid_cmd(s, buf, 0);
|
||||
}
|
||||
@@ -192,7 +195,7 @@ static void handle_satn_stop(ESPState *s)
|
||||
s->dma_cb = handle_satn_stop;
|
||||
return;
|
||||
}
|
||||
- s->cmdlen = get_cmd(s, s->cmdbuf);
|
||||
+ s->cmdlen = get_cmd(s, s->cmdbuf, sizeof(s->cmdbuf));
|
||||
if (s->cmdlen) {
|
||||
trace_esp_handle_satn_stop(s->cmdlen);
|
||||
s->do_cmd = 1;
|
|
@ -0,0 +1,29 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 13 Sep 2016 03:20:03 -0700
|
||||
Subject: [PATCH] usb:xhci:fix memory leak in usb_xhci_exit
|
||||
|
||||
If the xhci uses msix, it doesn't free the corresponding
|
||||
memory, thus leading a memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 57d7d2e0.d4301c0a.d13e9.9a55@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit b53dd4495ced2432a0b652ea895e651d07336f7e)
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 43ba615..510a3e1 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -3689,8 +3689,7 @@ static void usb_xhci_exit(PCIDevice *dev)
|
||||
/* destroy msix memory region */
|
||||
if (dev->msix_table && dev->msix_pba
|
||||
&& dev->msix_entry_used) {
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_table_mmio);
|
||||
- memory_region_del_subregion(&xhci->mem, &dev->msix_pba_mmio);
|
||||
+ msix_uninit(dev, &xhci->mem, &xhci->mem);
|
||||
}
|
||||
|
||||
usb_bus_release(&xhci->bus);
|
|
@ -1,233 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Tue, 17 May 2016 10:54:54 +0200
|
||||
Subject: [PATCH] vga: add sr_vbe register set
|
||||
|
||||
Commit "fd3c136 vga: make sure vga register setup for vbe stays intact
|
||||
(CVE-2016-3712)." causes a regression. The win7 installer is unhappy
|
||||
because it can't freely modify vga registers any more while in vbe mode.
|
||||
|
||||
This patch introduces a new sr_vbe register set. The vbe_update_vgaregs
|
||||
will fill sr_vbe[] instead of sr[]. Normal vga register reads and
|
||||
writes go to sr[]. Any sr register read access happens through a new
|
||||
sr() helper function which will read from sr_vbe[] with vbe active and
|
||||
from sr[] otherwise.
|
||||
|
||||
This way we can allow guests update sr[] registers as they want, without
|
||||
allowing them disrupt vbe video modes that way.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Thomas Lamprecht <thomas@lamprecht.org>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1463475294-14119-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 94ef4f337fb614f18b765a8e0e878a4c23cdedcd)
|
||||
---
|
||||
hw/display/vga.c | 50 ++++++++++++++++++++++++++++----------------------
|
||||
hw/display/vga_int.h | 1 +
|
||||
2 files changed, 29 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vga.c b/hw/display/vga.c
|
||||
index 4a55ec6..9ebc54f 100644
|
||||
--- a/hw/display/vga.c
|
||||
+++ b/hw/display/vga.c
|
||||
@@ -149,6 +149,11 @@ static inline bool vbe_enabled(VGACommonState *s)
|
||||
return s->vbe_regs[VBE_DISPI_INDEX_ENABLE] & VBE_DISPI_ENABLED;
|
||||
}
|
||||
|
||||
+static inline uint8_t sr(VGACommonState *s, int idx)
|
||||
+{
|
||||
+ return vbe_enabled(s) ? s->sr_vbe[idx] : s->sr[idx];
|
||||
+}
|
||||
+
|
||||
static void vga_update_memory_access(VGACommonState *s)
|
||||
{
|
||||
hwaddr base, offset, size;
|
||||
@@ -163,8 +168,8 @@ static void vga_update_memory_access(VGACommonState *s)
|
||||
s->has_chain4_alias = false;
|
||||
s->plane_updated = 0xf;
|
||||
}
|
||||
- if ((s->sr[VGA_SEQ_PLANE_WRITE] & VGA_SR02_ALL_PLANES) ==
|
||||
- VGA_SR02_ALL_PLANES && s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if ((sr(s, VGA_SEQ_PLANE_WRITE) & VGA_SR02_ALL_PLANES) ==
|
||||
+ VGA_SR02_ALL_PLANES && sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
offset = 0;
|
||||
switch ((s->gr[VGA_GFX_MISC] >> 2) & 3) {
|
||||
case 0:
|
||||
@@ -234,7 +239,7 @@ static void vga_precise_update_retrace_info(VGACommonState *s)
|
||||
((s->cr[VGA_CRTC_OVERFLOW] >> 6) & 2)) << 8);
|
||||
vretr_end_line = s->cr[VGA_CRTC_V_SYNC_END] & 0xf;
|
||||
|
||||
- clocking_mode = (s->sr[VGA_SEQ_CLOCK_MODE] >> 3) & 1;
|
||||
+ clocking_mode = (sr(s, VGA_SEQ_CLOCK_MODE) >> 3) & 1;
|
||||
clock_sel = (s->msr >> 2) & 3;
|
||||
dots = (s->msr & 1) ? 8 : 9;
|
||||
|
||||
@@ -486,7 +491,6 @@ void vga_ioport_write(void *opaque, uint32_t addr, uint32_t val)
|
||||
printf("vga: write SR%x = 0x%02x\n", s->sr_index, val);
|
||||
#endif
|
||||
s->sr[s->sr_index] = val & sr_mask[s->sr_index];
|
||||
- vbe_update_vgaregs(s);
|
||||
if (s->sr_index == VGA_SEQ_CLOCK_MODE) {
|
||||
s->update_retrace_info(s);
|
||||
}
|
||||
@@ -680,13 +684,13 @@ static void vbe_update_vgaregs(VGACommonState *s)
|
||||
|
||||
if (s->vbe_regs[VBE_DISPI_INDEX_BPP] == 4) {
|
||||
shift_control = 0;
|
||||
- s->sr[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
+ s->sr_vbe[VGA_SEQ_CLOCK_MODE] &= ~8; /* no double line */
|
||||
} else {
|
||||
shift_control = 2;
|
||||
/* set chain 4 mode */
|
||||
- s->sr[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
+ s->sr_vbe[VGA_SEQ_MEMORY_MODE] |= VGA_SR04_CHN_4M;
|
||||
/* activate all planes */
|
||||
- s->sr[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
+ s->sr_vbe[VGA_SEQ_PLANE_WRITE] |= VGA_SR02_ALL_PLANES;
|
||||
}
|
||||
s->gr[VGA_GFX_MODE] = (s->gr[VGA_GFX_MODE] & ~0x60) |
|
||||
(shift_control << 5);
|
||||
@@ -836,7 +840,7 @@ uint32_t vga_mem_readb(VGACommonState *s, hwaddr addr)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
/* chain 4 mode : simplest access */
|
||||
assert(addr < s->vram_size);
|
||||
ret = s->vram_ptr[addr];
|
||||
@@ -904,11 +908,11 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
break;
|
||||
}
|
||||
|
||||
- if (s->sr[VGA_SEQ_MEMORY_MODE] & VGA_SR04_CHN_4M) {
|
||||
+ if (sr(s, VGA_SEQ_MEMORY_MODE) & VGA_SR04_CHN_4M) {
|
||||
/* chain 4 mode : simplest access */
|
||||
plane = addr & 3;
|
||||
mask = (1 << plane);
|
||||
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
|
||||
assert(addr < s->vram_size);
|
||||
s->vram_ptr[addr] = val;
|
||||
#ifdef DEBUG_VGA_MEM
|
||||
@@ -921,7 +925,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
/* odd/even mode (aka text mode mapping) */
|
||||
plane = (s->gr[VGA_GFX_PLANE_READ] & 2) | (addr & 1);
|
||||
mask = (1 << plane);
|
||||
- if (s->sr[VGA_SEQ_PLANE_WRITE] & mask) {
|
||||
+ if (sr(s, VGA_SEQ_PLANE_WRITE) & mask) {
|
||||
addr = ((addr & ~1) << 1) | plane;
|
||||
if (addr >= s->vram_size) {
|
||||
return;
|
||||
@@ -996,7 +1000,7 @@ void vga_mem_writeb(VGACommonState *s, hwaddr addr, uint32_t val)
|
||||
|
||||
do_write:
|
||||
/* mask data according to sr[2] */
|
||||
- mask = s->sr[VGA_SEQ_PLANE_WRITE];
|
||||
+ mask = sr(s, VGA_SEQ_PLANE_WRITE);
|
||||
s->plane_updated |= mask; /* only used to detect font change */
|
||||
write_mask = mask16[mask];
|
||||
if (addr * sizeof(uint32_t) >= s->vram_size) {
|
||||
@@ -1152,10 +1156,10 @@ static void vga_get_text_resolution(VGACommonState *s, int *pwidth, int *pheight
|
||||
/* total width & height */
|
||||
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
|
||||
cwidth = 8;
|
||||
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
cwidth = 9;
|
||||
}
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
|
||||
cwidth = 16; /* NOTE: no 18 pixel wide */
|
||||
}
|
||||
width = (s->cr[VGA_CRTC_H_DISP] + 1);
|
||||
@@ -1197,7 +1201,7 @@ static void vga_draw_text(VGACommonState *s, int full_update)
|
||||
int64_t now = qemu_clock_get_ms(QEMU_CLOCK_VIRTUAL);
|
||||
|
||||
/* compute font data address (in plane 2) */
|
||||
- v = s->sr[VGA_SEQ_CHARACTER_MAP];
|
||||
+ v = sr(s, VGA_SEQ_CHARACTER_MAP);
|
||||
offset = (((v >> 4) & 1) | ((v << 1) & 6)) * 8192 * 4 + 2;
|
||||
if (offset != s->font_offsets[0]) {
|
||||
s->font_offsets[0] = offset;
|
||||
@@ -1506,11 +1510,11 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
}
|
||||
|
||||
if (shift_control == 0) {
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
disp_width <<= 1;
|
||||
}
|
||||
} else if (shift_control == 1) {
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
disp_width <<= 1;
|
||||
}
|
||||
}
|
||||
@@ -1574,7 +1578,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
|
||||
if (shift_control == 0) {
|
||||
full_update |= update_palette16(s);
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
v = VGA_DRAW_LINE4D2;
|
||||
} else {
|
||||
v = VGA_DRAW_LINE4;
|
||||
@@ -1582,7 +1586,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
bits = 4;
|
||||
} else if (shift_control == 1) {
|
||||
full_update |= update_palette16(s);
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 8) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 8) {
|
||||
v = VGA_DRAW_LINE2D2;
|
||||
} else {
|
||||
v = VGA_DRAW_LINE2;
|
||||
@@ -1629,7 +1633,7 @@ static void vga_draw_graphic(VGACommonState *s, int full_update)
|
||||
#if 0
|
||||
printf("w=%d h=%d v=%d line_offset=%d cr[0x09]=0x%02x cr[0x17]=0x%02x linecmp=%d sr[0x01]=0x%02x\n",
|
||||
width, height, v, line_offset, s->cr[9], s->cr[VGA_CRTC_MODE],
|
||||
- s->line_compare, s->sr[VGA_SEQ_CLOCK_MODE]);
|
||||
+ s->line_compare, sr(s, VGA_SEQ_CLOCK_MODE));
|
||||
#endif
|
||||
addr1 = (s->start_addr * 4);
|
||||
bwidth = (width * bits + 7) / 8;
|
||||
@@ -1781,6 +1785,7 @@ void vga_common_reset(VGACommonState *s)
|
||||
{
|
||||
s->sr_index = 0;
|
||||
memset(s->sr, '\0', sizeof(s->sr));
|
||||
+ memset(s->sr_vbe, '\0', sizeof(s->sr_vbe));
|
||||
s->gr_index = 0;
|
||||
memset(s->gr, '\0', sizeof(s->gr));
|
||||
s->ar_index = 0;
|
||||
@@ -1883,10 +1888,10 @@ static void vga_update_text(void *opaque, console_ch_t *chardata)
|
||||
/* total width & height */
|
||||
cheight = (s->cr[VGA_CRTC_MAX_SCAN] & 0x1f) + 1;
|
||||
cw = 8;
|
||||
- if (!(s->sr[VGA_SEQ_CLOCK_MODE] & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
+ if (!(sr(s, VGA_SEQ_CLOCK_MODE) & VGA_SR01_CHAR_CLK_8DOTS)) {
|
||||
cw = 9;
|
||||
}
|
||||
- if (s->sr[VGA_SEQ_CLOCK_MODE] & 0x08) {
|
||||
+ if (sr(s, VGA_SEQ_CLOCK_MODE) & 0x08) {
|
||||
cw = 16; /* NOTE: no 18 pixel wide */
|
||||
}
|
||||
width = (s->cr[VGA_CRTC_H_DISP] + 1);
|
||||
@@ -2053,6 +2058,7 @@ static int vga_common_post_load(void *opaque, int version_id)
|
||||
|
||||
/* force refresh */
|
||||
s->graphic_mode = -1;
|
||||
+ vbe_update_vgaregs(s);
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/hw/display/vga_int.h b/hw/display/vga_int.h
|
||||
index bdb43a5..3ce5544 100644
|
||||
--- a/hw/display/vga_int.h
|
||||
+++ b/hw/display/vga_int.h
|
||||
@@ -98,6 +98,7 @@ typedef struct VGACommonState {
|
||||
MemoryRegion chain4_alias;
|
||||
uint8_t sr_index;
|
||||
uint8_t sr[256];
|
||||
+ uint8_t sr_vbe[256];
|
||||
uint8_t gr_index;
|
||||
uint8_t gr[256];
|
||||
uint8_t ar_index;
|
|
@ -0,0 +1,35 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 19 Sep 2016 23:55:45 +0530
|
||||
Subject: [PATCH] virtio: add check for descriptor's mapped address
|
||||
|
||||
virtio back end uses set of buffers to facilitate I/O operations.
|
||||
If its size is too large, 'cpu_physical_memory_map' could return
|
||||
a null address. This would result in a null dereference while
|
||||
un-mapping descriptors. Add check to avoid it.
|
||||
|
||||
Reported-by: Qinghao Tang <luodalongde@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 973e7170dddefb491a48df5cba33b2ae151013a0)
|
||||
---
|
||||
hw/virtio/virtio.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
|
||||
index 20c4f39..3a470fc 100644
|
||||
--- a/hw/virtio/virtio.c
|
||||
+++ b/hw/virtio/virtio.c
|
||||
@@ -472,6 +472,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
|
||||
}
|
||||
|
||||
iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
|
||||
+ if (!iov[num_sg].iov_base) {
|
||||
+ error_report("virtio: bogus descriptor or out of resources");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
iov[num_sg].iov_len = len;
|
||||
addr[num_sg] = pa;
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
From: Cole Robinson <crobinso@redhat.com>
|
||||
Date: Thu, 26 May 2016 09:55:21 -0400
|
||||
Subject: [PATCH] hw/arm/virt: Reject gic-version=host for non-KVM
|
||||
|
||||
If you try to gic-version=host with TCG on a KVM aarch64 host,
|
||||
qemu segfaults, since host requires KVM APIs.
|
||||
|
||||
Explicitly reject gic-version=host if KVM is not enabled
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1339977
|
||||
(cherry picked from commit b1b3b0dd143b7995a7f4062966b80a2cf3e3c71e)
|
||||
---
|
||||
hw/arm/virt.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
|
||||
index 56d35c7..a535285 100644
|
||||
--- a/hw/arm/virt.c
|
||||
+++ b/hw/arm/virt.c
|
||||
@@ -1114,10 +1114,14 @@ static void machvirt_init(MachineState *machine)
|
||||
* KVM is not available yet
|
||||
*/
|
||||
if (!gic_version) {
|
||||
+ if (!kvm_enabled()) {
|
||||
+ error_report("gic-version=host requires KVM");
|
||||
+ exit(1);
|
||||
+ }
|
||||
+
|
||||
gic_version = kvm_arm_vgic_probe();
|
||||
if (!gic_version) {
|
||||
error_report("Unable to determine GIC version supported by host");
|
||||
- error_printf("KVM acceleration is probably not supported\n");
|
||||
exit(1);
|
||||
}
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 22 Sep 2016 16:02:37 +0530
|
||||
Subject: [PATCH] net: mcf: limit buffer descriptor count
|
||||
|
||||
ColdFire Fast Ethernet Controller uses buffer descriptors to manage
|
||||
data flow to/fro receive & transmit queues. While transmitting
|
||||
packets, it could continue to read buffer descriptors if a buffer
|
||||
descriptor has length of zero and has crafted values in bd.flags.
|
||||
Set upper limit to number of buffer descriptors.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 070c4b92b8cd5390889716677a0b92444d6e087a)
|
||||
---
|
||||
hw/net/mcf_fec.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 7c0398e..6d3418e 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -23,6 +23,7 @@ do { printf("mcf_fec: " fmt , ## __VA_ARGS__); } while (0)
|
||||
#define DPRINTF(fmt, ...) do {} while(0)
|
||||
#endif
|
||||
|
||||
+#define FEC_MAX_DESC 1024
|
||||
#define FEC_MAX_FRAME_SIZE 2032
|
||||
|
||||
typedef struct {
|
||||
@@ -149,7 +150,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
uint32_t addr;
|
||||
mcf_fec_bd bd;
|
||||
int frame_size;
|
||||
- int len;
|
||||
+ int len, descnt = 0;
|
||||
uint8_t frame[FEC_MAX_FRAME_SIZE];
|
||||
uint8_t *ptr;
|
||||
|
||||
@@ -157,7 +158,7 @@ static void mcf_fec_do_tx(mcf_fec_state *s)
|
||||
ptr = frame;
|
||||
frame_size = 0;
|
||||
addr = s->tx_descriptor;
|
||||
- while (1) {
|
||||
+ while (descnt++ < FEC_MAX_DESC) {
|
||||
mcf_fec_read_bd(&bd, addr);
|
||||
DPRINTF("tx_bd %x flags %04x len %d data %08x\n",
|
||||
addr, bd.flags, bd.length, bd.data);
|
|
@ -1,32 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 7 Apr 2016 15:56:02 +0530
|
||||
Subject: [PATCH] net: mipsnet: check packet length against buffer
|
||||
|
||||
When receiving packets over MIPSnet network device, it uses
|
||||
receive buffer of size 1514 bytes. In case the controller
|
||||
accepts large(MTU) packets, it could lead to memory corruption.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
|
||||
(cherry picked from commit 3af9187fc6caaf415ab9c0c6d92c9678f65cb17f)
|
||||
---
|
||||
hw/net/mipsnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c
|
||||
index 740cd98..cf8b823 100644
|
||||
--- a/hw/net/mipsnet.c
|
||||
+++ b/hw/net/mipsnet.c
|
||||
@@ -83,6 +83,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si
|
||||
if (!mipsnet_can_receive(nc))
|
||||
return 0;
|
||||
|
||||
+ if (size >= sizeof(s->rx_buffer)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
s->busy = 1;
|
||||
|
||||
/* Just accept everything. */
|
|
@ -0,0 +1,65 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 10 Oct 2016 12:46:22 +0200
|
||||
Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
|
||||
|
||||
Needed to avoid we run in circles forever in case the guest builds
|
||||
an endless loop with link trbs.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Tested-by: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1476096382-7981-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 05f43d44e4bc26611ce25fd7d726e483f73363ce)
|
||||
---
|
||||
hw/usb/hcd-xhci.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
|
||||
index 510a3e1..4e9dea5 100644
|
||||
--- a/hw/usb/hcd-xhci.c
|
||||
+++ b/hw/usb/hcd-xhci.c
|
||||
@@ -53,6 +53,8 @@
|
||||
* to the specs when it gets them */
|
||||
#define ER_FULL_HACK
|
||||
|
||||
+#define TRB_LINK_LIMIT 4
|
||||
+
|
||||
#define LEN_CAP 0x40
|
||||
#define LEN_OPER (0x400 + 0x10 * MAXPORTS)
|
||||
#define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
|
||||
@@ -999,6 +1001,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
dma_addr_t *addr)
|
||||
{
|
||||
PCIDevice *pci_dev = PCI_DEVICE(xhci);
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1025,6 +1028,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
|
||||
ring->dequeue += TRB_SIZE;
|
||||
return type;
|
||||
} else {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return 0;
|
||||
+ }
|
||||
ring->dequeue = xhci_mask64(trb->parameter);
|
||||
if (trb->control & TRB_LK_TC) {
|
||||
ring->ccs = !ring->ccs;
|
||||
@@ -1042,6 +1048,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
bool ccs = ring->ccs;
|
||||
/* hack to bundle together the two/three TDs that make a setup transfer */
|
||||
bool control_td_set = 0;
|
||||
+ uint32_t link_cnt = 0;
|
||||
|
||||
while (1) {
|
||||
TRBType type;
|
||||
@@ -1057,6 +1064,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
|
||||
type = TRB_TYPE(trb);
|
||||
|
||||
if (type == TR_LINK) {
|
||||
+ if (++link_cnt > TRB_LINK_LIMIT) {
|
||||
+ return -length;
|
||||
+ }
|
||||
dequeue = xhci_mask64(trb.parameter);
|
||||
if (trb.control & TRB_LK_TC) {
|
||||
ccs = !ccs;
|
|
@ -1,100 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 23 May 2016 16:18:05 +0530
|
||||
Subject: [PATCH] scsi: pvscsi: check command descriptor ring buffer size
|
||||
(CVE-2016-4952)
|
||||
|
||||
Vmware Paravirtual SCSI emulation uses command descriptors to
|
||||
process SCSI commands. These descriptors come with their ring
|
||||
buffers. A guest could set the ring buffer size to an arbitrary
|
||||
value leading to OOB access issue. Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Message-Id: <1464000485-27041-1-git-send-email-ppandit@redhat.com>
|
||||
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@ravellosystems.com>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 3e831b40e015ba34dfb55ff11f767001839425ff)
|
||||
---
|
||||
hw/scsi/vmw_pvscsi.c | 24 ++++++++++++++++++++----
|
||||
1 file changed, 20 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/vmw_pvscsi.c b/hw/scsi/vmw_pvscsi.c
|
||||
index e690b4e..e1d6d06 100644
|
||||
--- a/hw/scsi/vmw_pvscsi.c
|
||||
+++ b/hw/scsi/vmw_pvscsi.c
|
||||
@@ -153,7 +153,7 @@ pvscsi_log2(uint32_t input)
|
||||
return log;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
{
|
||||
int i;
|
||||
@@ -161,6 +161,10 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
uint32_t req_ring_size, cmp_ring_size;
|
||||
m->rs_pa = ri->ringsStatePPN << VMW_PAGE_SHIFT;
|
||||
|
||||
+ if ((ri->reqRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)
|
||||
+ || (ri->cmpRingNumPages > PVSCSI_SETUP_RINGS_MAX_NUM_PAGES)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
req_ring_size = ri->reqRingNumPages * PVSCSI_MAX_NUM_REQ_ENTRIES_PER_PAGE;
|
||||
cmp_ring_size = ri->cmpRingNumPages * PVSCSI_MAX_NUM_CMP_ENTRIES_PER_PAGE;
|
||||
txr_len_log2 = pvscsi_log2(req_ring_size - 1);
|
||||
@@ -192,15 +196,20 @@ pvscsi_ring_init_data(PVSCSIRingInfo *m, PVSCSICmdDescSetupRings *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
-static void
|
||||
+static int
|
||||
pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
{
|
||||
int i;
|
||||
uint32_t len_log2;
|
||||
uint32_t ring_size;
|
||||
|
||||
+ if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
|
||||
+ return -1;
|
||||
+ }
|
||||
ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;
|
||||
len_log2 = pvscsi_log2(ring_size - 1);
|
||||
|
||||
@@ -220,6 +229,8 @@ pvscsi_ring_init_msg(PVSCSIRingInfo *m, PVSCSICmdDescSetupMsgRing *ri)
|
||||
|
||||
/* Flush ring state page changes */
|
||||
smp_wmb();
|
||||
+
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -770,7 +781,10 @@ pvscsi_on_cmd_setup_rings(PVSCSIState *s)
|
||||
trace_pvscsi_on_cmd_arrived("PVSCSI_CMD_SETUP_RINGS");
|
||||
|
||||
pvscsi_dbg_dump_tx_rings_config(rc);
|
||||
- pvscsi_ring_init_data(&s->rings, rc);
|
||||
+ if (pvscsi_ring_init_data(&s->rings, rc) < 0) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
+
|
||||
s->rings_info_valid = TRUE;
|
||||
return PVSCSI_COMMAND_PROCESSING_SUCCEEDED;
|
||||
}
|
||||
@@ -850,7 +864,9 @@ pvscsi_on_cmd_setup_msg_ring(PVSCSIState *s)
|
||||
}
|
||||
|
||||
if (s->rings_info_valid) {
|
||||
- pvscsi_ring_init_msg(&s->rings, rc);
|
||||
+ if (pvscsi_ring_init_msg(&s->rings, rc) < 0) {
|
||||
+ return PVSCSI_COMMAND_PROCESSING_FAILED;
|
||||
+ }
|
||||
s->msg_ring_info_valid = TRUE;
|
||||
}
|
||||
return sizeof(PVSCSICmdDescSetupMsgRing) / sizeof(uint32_t);
|
|
@ -0,0 +1,29 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:48:35 -0700
|
||||
Subject: [PATCH] usb: ehci: fix memory leak in ehci_process_itd
|
||||
|
||||
While processing isochronous transfer descriptors(iTD), if the page
|
||||
select(PG) field value is out of bands it will return. In this
|
||||
situation the ehci's sg list is not freed thus leading to a memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Thomas Huth <thuth@redhat.com>
|
||||
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
|
||||
(cherry picked from commit b16c129daf0fed91febbb88de23dae8271c8898a)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index 43a8f7a..92241bb 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1426,6 +1426,7 @@ static int ehci_process_itd(EHCIState *ehci,
|
||||
if (off + len > 4096) {
|
||||
/* transfer crosses page border */
|
||||
if (pg == 6) {
|
||||
+ qemu_sglist_destroy(&ehci->isgl);
|
||||
return -1; /* avoid page pg + 1 */
|
||||
}
|
||||
ptr2 = (itd->bufptr[pg + 1] & ITD_BUFPTR_MASK);
|
|
@ -0,0 +1,74 @@
|
|||
From: Christophe Fergeau <cfergeau@redhat.com>
|
||||
Date: Fri, 14 Oct 2016 14:22:36 +0200
|
||||
Subject: [PATCH] qxl: Only emit QXL_INTERRUPT_CLIENT_MONITORS_CONFIG on config
|
||||
changes
|
||||
|
||||
Currently if the client keeps sending the same monitor config to
|
||||
QEMU/spice-server, QEMU will always raise
|
||||
a QXL_INTERRUPT_CLIENT_MONITORS_CONFIG regardless of whether there was a
|
||||
change or not.
|
||||
Guest-side (with fedora 25), the kernel QXL KMS driver will also forward the
|
||||
event to user-space without checking if there were actual changes.
|
||||
Next in line are gnome-shell/mutter (on a default f25 install), which
|
||||
will try to reconfigure everything without checking if there is anything
|
||||
to do.
|
||||
Where this gets ugly is that when applying the resolution changes,
|
||||
gnome-shell/mutter will call drmModeRmFB, drmModeAddFB, and
|
||||
drmModeSetCrtc, which will cause the primary surface to be destroyed and
|
||||
recreated by the QXL KMS driver. This in turn will cause the client to
|
||||
resend a client monitors config message, which will cause QEMU to reemit
|
||||
an interrupt with an unchanged monitors configuration, ...
|
||||
This causes https://bugzilla.redhat.com/show_bug.cgi?id=1266484
|
||||
|
||||
This commit makes sure that we only emit
|
||||
QXL_INTERRUPT_CLIENT_MONITORS_CONFIG when there are actual configuration
|
||||
changes the guest should act on.
|
||||
---
|
||||
hw/display/qxl.c | 20 +++++++++++++++++++-
|
||||
1 file changed, 19 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/qxl.c b/hw/display/qxl.c
|
||||
index 919dc5c..3cc8d38 100644
|
||||
--- a/hw/display/qxl.c
|
||||
+++ b/hw/display/qxl.c
|
||||
@@ -997,6 +997,7 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
QXLRom *rom = memory_region_get_ram_ptr(&qxl->rom_bar);
|
||||
int i;
|
||||
unsigned max_outputs = ARRAY_SIZE(rom->client_monitors_config.heads);
|
||||
+ bool config_changed = false;
|
||||
|
||||
if (qxl->revision < 4) {
|
||||
trace_qxl_client_monitors_config_unsupported_by_device(qxl->id,
|
||||
@@ -1027,6 +1028,21 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
}
|
||||
#endif
|
||||
|
||||
+ if (rom->client_monitors_config.count != MIN(monitors_config->num_of_monitors, max_outputs)) {
|
||||
+ config_changed = true;
|
||||
+ }
|
||||
+ for (i = 0 ; i < rom->client_monitors_config.count ; ++i) {
|
||||
+ VDAgentMonConfig *monitor = &monitors_config->monitors[i];
|
||||
+ QXLURect *rect = &rom->client_monitors_config.heads[i];
|
||||
+ /* monitor->depth ignored */
|
||||
+ if ((rect->left != monitor->x) ||
|
||||
+ (rect->top != monitor->y) ||
|
||||
+ (rect->right != monitor->x + monitor->width) ||
|
||||
+ (rect->bottom != monitor->y + monitor->height)) {
|
||||
+ config_changed = true;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
memset(&rom->client_monitors_config, 0,
|
||||
sizeof(rom->client_monitors_config));
|
||||
rom->client_monitors_config.count = monitors_config->num_of_monitors;
|
||||
@@ -1056,7 +1072,9 @@ static int interface_client_monitors_config(QXLInstance *sin,
|
||||
trace_qxl_interrupt_client_monitors_config(qxl->id,
|
||||
rom->client_monitors_config.count,
|
||||
rom->client_monitors_config.heads);
|
||||
- qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
|
||||
+ if (config_changed) {
|
||||
+ qxl_send_events(qxl, QXL_INTERRUPT_CLIENT_MONITORS_CONFIG);
|
||||
+ }
|
||||
return 1;
|
||||
}
|
||||
|
|
@ -1,46 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 24 May 2016 13:37:44 +0530
|
||||
Subject: [PATCH] scsi: mptsas: infinite loop while fetching requests
|
||||
|
||||
The LSI SAS1068 Host Bus Adapter emulator in Qemu, periodically
|
||||
looks for requests and fetches them. A loop doing that in
|
||||
mptsas_fetch_requests() could run infinitely if 's->state' was
|
||||
not operational. Move check to avoid such a loop.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Message-Id: <1464077264-25473-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 06630554ccbdd25780aa03c3548aaff1eb56dffd)
|
||||
---
|
||||
hw/scsi/mptsas.c | 9 ++++-----
|
||||
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/mptsas.c b/hw/scsi/mptsas.c
|
||||
index 499c146..be88e16 100644
|
||||
--- a/hw/scsi/mptsas.c
|
||||
+++ b/hw/scsi/mptsas.c
|
||||
@@ -754,11 +754,6 @@ static void mptsas_fetch_request(MPTSASState *s)
|
||||
hwaddr addr;
|
||||
int size;
|
||||
|
||||
- if (s->state != MPI_IOC_STATE_OPERATIONAL) {
|
||||
- mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
/* Read the message header from the guest first. */
|
||||
addr = s->host_mfa_high_addr | MPTSAS_FIFO_GET(s, request_post);
|
||||
pci_dma_read(pci, addr, req, sizeof(hdr));
|
||||
@@ -789,6 +784,10 @@ static void mptsas_fetch_requests(void *opaque)
|
||||
{
|
||||
MPTSASState *s = opaque;
|
||||
|
||||
+ if (s->state != MPI_IOC_STATE_OPERATIONAL) {
|
||||
+ mptsas_set_fault(s, MPI_IOCSTATUS_INVALID_STATE);
|
||||
+ return;
|
||||
+ }
|
||||
while (!MPTSAS_FIFO_EMPTY(s, request_post)) {
|
||||
mptsas_fetch_request(s);
|
||||
}
|
|
@ -0,0 +1,30 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Thu, 11 Aug 2016 00:42:20 +0530
|
||||
Subject: [PATCH] net: vmxnet: initialise local tx descriptor
|
||||
|
||||
In Vmxnet3 device emulator while processing transmit(tx) queue,
|
||||
when it reaches end of packet, it calls vmxnet3_complete_packet.
|
||||
In that local 'txcq_descr' object is not initialised, which could
|
||||
leak host memory bytes a guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit fdda170e50b8af062cf5741e12c4fb5e57a2eacf)
|
||||
---
|
||||
hw/net/vmxnet3.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/vmxnet3.c b/hw/net/vmxnet3.c
|
||||
index a6ce16e..360290d 100644
|
||||
--- a/hw/net/vmxnet3.c
|
||||
+++ b/hw/net/vmxnet3.c
|
||||
@@ -529,6 +529,7 @@ static void vmxnet3_complete_packet(VMXNET3State *s, int qidx, uint32_t tx_ridx)
|
||||
|
||||
VMXNET3_RING_DUMP(VMW_RIPRN, "TXC", qidx, &s->txq_descr[qidx].comp_ring);
|
||||
|
||||
+ memset(&txcq_descr, 0, sizeof(txcq_descr));
|
||||
txcq_descr.txdIdx = tx_ridx;
|
||||
txcq_descr.gen = vmxnet3_ring_curr_gen(&s->txq_descr[qidx].comp_ring);
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 16:01:29 +0530
|
||||
Subject: [PATCH] scsi: megasas: use appropriate property buffer size
|
||||
|
||||
When setting MegaRAID SAS controller properties via MegaRAID
|
||||
Firmware Interface(MFI) commands, a user supplied size parameter
|
||||
is used to set property value. Use appropriate size value to avoid
|
||||
OOB access issues.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464172291-2856-2-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 1b85898025c4cd95dce673d15e67e60e98e91731)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index a63a581..dcbd3e1 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -1446,7 +1446,7 @@ static int megasas_dcmd_set_properties(MegasasState *s, MegasasCmd *cmd)
|
||||
dcmd_size);
|
||||
return MFI_STAT_INVALID_PARAMETER;
|
||||
}
|
||||
- dma_buf_write((uint8_t *)&info, cmd->iov_size, &cmd->qsg);
|
||||
+ dma_buf_write((uint8_t *)&info, dcmd_size, &cmd->qsg);
|
||||
trace_megasas_dcmd_unsupported(cmd->index, cmd->iov_size);
|
||||
return MFI_STAT_OK;
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 30 Sep 2016 00:27:33 +0530
|
||||
Subject: [PATCH] net: pcnet: check rx/tx descriptor ring length
|
||||
|
||||
The AMD PC-Net II emulator has set of control and status(CSR)
|
||||
registers. Of these, CSR76 and CSR78 hold receive and transmit
|
||||
descriptor ring length respectively. This ring length could range
|
||||
from 1 to 65535. Setting ring length to zero leads to an infinite
|
||||
loop in pcnet_rdra_addr() or pcnet_transmit(). Add check to avoid it.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 34e29ce754c02bb6b3bdd244fbb85033460feaff)
|
||||
---
|
||||
hw/net/pcnet.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/net/pcnet.c b/hw/net/pcnet.c
|
||||
index 198a01f..3078de8 100644
|
||||
--- a/hw/net/pcnet.c
|
||||
+++ b/hw/net/pcnet.c
|
||||
@@ -1429,8 +1429,11 @@ static void pcnet_csr_writew(PCNetState *s, uint32_t rap, uint32_t new_value)
|
||||
case 47: /* POLLINT */
|
||||
case 72:
|
||||
case 74:
|
||||
+ break;
|
||||
case 76: /* RCVRL */
|
||||
case 78: /* XMTRL */
|
||||
+ val = (val > 0) ? val : 512;
|
||||
+ break;
|
||||
case 112:
|
||||
if (CSR_STOP(s) || CSR_SPND(s))
|
||||
break;
|
|
@ -1,31 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 17:41:44 +0530
|
||||
Subject: [PATCH] scsi: megasas: initialise local configuration data buffer
|
||||
|
||||
When reading MegaRAID SAS controller configuration via MegaRAID
|
||||
Firmware Interface(MFI) commands, routine megasas_dcmd_cfg_read
|
||||
uses an uninitialised local data buffer. Initialise this buffer
|
||||
to avoid stack information leakage.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464178304-12831-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d37af740730dbbb93960cd318e040372d04d6dcf)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index dcbd3e1..bf642d4 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -1293,7 +1293,7 @@ static int megasas_dcmd_ld_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
|
||||
static int megasas_dcmd_cfg_read(MegasasState *s, MegasasCmd *cmd)
|
||||
{
|
||||
- uint8_t data[4096];
|
||||
+ uint8_t data[4096] = { 0 };
|
||||
struct mfi_config_data *info;
|
||||
int num_pd_disks = 0, array_offset, ld_offset;
|
||||
BusChild *kid;
|
|
@ -1,33 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 25 May 2016 17:55:10 +0530
|
||||
Subject: [PATCH] scsi: megasas: check 'read_queue_head' index value
|
||||
|
||||
While doing MegaRAID SAS controller command frame lookup, routine
|
||||
'megasas_lookup_frame' uses 'read_queue_head' value as an index
|
||||
into 'frames[MEGASAS_MAX_FRAMES=2048]' array. Limit its value
|
||||
within array bounds to avoid any OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464179110-18593-1-git-send-email-ppandit@redhat.com>
|
||||
Reviewed-by: Alexander Graf <agraf@suse.de>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit b60bdd1f1ee1616b7a9aeeffb4088e1ce2710fb2)
|
||||
---
|
||||
hw/scsi/megasas.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index bf642d4..cc66d36 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -650,7 +650,9 @@ static int megasas_init_firmware(MegasasState *s, MegasasCmd *cmd)
|
||||
pa_hi = le32_to_cpu(initq->pi_addr_hi);
|
||||
s->producer_pa = ((uint64_t) pa_hi << 32) | pa_lo;
|
||||
s->reply_queue_head = ldl_le_pci_dma(pcid, s->producer_pa);
|
||||
+ s->reply_queue_head %= MEGASAS_MAX_FRAMES;
|
||||
s->reply_queue_tail = ldl_le_pci_dma(pcid, s->consumer_pa);
|
||||
+ s->reply_queue_tail %= MEGASAS_MAX_FRAMES;
|
||||
flags = le32_to_cpu(initq->flags);
|
||||
if (flags & MFI_QUEUE_FLAG_CONTEXT64) {
|
||||
s->flags |= MEGASAS_MASK_USE_QUEUE64;
|
|
@ -0,0 +1,32 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sun, 18 Sep 2016 19:07:11 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix memory leak in virtio_gpu_resource_create_2d
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In virtio gpu resource create dispatch, if the pixman format is zero
|
||||
it doesn't free the resource object allocated previously. Thus leading
|
||||
a host memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 57df486e.8379240a.c3620.ff81@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit cb3a0522b694cc5bb6424497b3f828ccd28fd1dd)
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index c181fb3..d345276 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -323,6 +323,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g,
|
||||
qemu_log_mask(LOG_GUEST_ERROR,
|
||||
"%s: host couldn't handle guest format %d\n",
|
||||
__func__, c2d.format);
|
||||
+ g_free(res);
|
||||
cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
return;
|
||||
}
|
|
@ -0,0 +1,36 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix potential host memory leak in v9fs_read
|
||||
|
||||
In 9pfs read dispatch function, it doesn't free two QEMUIOVector
|
||||
object thus causing potential memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit e95c9a493a5a8d6f969e86c9f19f80ffe6587e19)
|
||||
---
|
||||
hw/9pfs/9p.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index d47f5de..afb1c4e 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1807,14 +1807,15 @@ static void v9fs_read(void *opaque)
|
||||
if (len < 0) {
|
||||
/* IO error return the error */
|
||||
err = len;
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
} while (count < max_count && len > 0);
|
||||
err = pdu_marshal(pdu, offset, "d", count);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_free_iovec;
|
||||
}
|
||||
err += offset + count;
|
||||
+out_free_iovec:
|
||||
qemu_iovec_destroy(&qiov);
|
||||
qemu_iovec_destroy(&qiov_full);
|
||||
} else if (fidp->fid_type == P9_FID_XATTR) {
|
|
@ -1,70 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:18 +0200
|
||||
Subject: [PATCH] vmsvga: move fifo sanity checks to vmsvga_fifo_length
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Sanity checks are applied when the fifo is enabled by the guest
|
||||
(SVGA_REG_CONFIG_DONE write). Which doesn't help much if the guest
|
||||
changes the fifo registers afterwards. Move the checks to
|
||||
vmsvga_fifo_length so they are done each time qemu is about to read
|
||||
from the fifo.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-2-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 521360267876d3b6518b328051a2e56bca55bef8)
|
||||
---
|
||||
hw/display/vmware_vga.c | 28 +++++++++++++++-------------
|
||||
1 file changed, 15 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 0c63fa8..63a7c05 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -555,6 +555,21 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
if (!s->config || !s->enable) {
|
||||
return 0;
|
||||
}
|
||||
+
|
||||
+ /* Check range and alignment. */
|
||||
+ if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
num = CMD(next_cmd) - CMD(stop);
|
||||
if (num < 0) {
|
||||
num += CMD(max) - CMD(min);
|
||||
@@ -1005,19 +1020,6 @@ static void vmsvga_value_write(void *opaque, uint32_t address, uint32_t value)
|
||||
case SVGA_REG_CONFIG_DONE:
|
||||
if (value) {
|
||||
s->fifo = (uint32_t *) s->fifo_ptr;
|
||||
- /* Check range and alignment. */
|
||||
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
- break;
|
||||
- }
|
||||
- if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
- break;
|
||||
- }
|
||||
vga_dirty_log_stop(&s->vga);
|
||||
}
|
||||
s->config = !!value;
|
|
@ -0,0 +1,56 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: allocate space for guest originated empty strings
|
||||
|
||||
If a guest sends an empty string paramater to any 9P operation, the current
|
||||
code unmarshals it into a V9fsString equal to { .size = 0, .data = NULL }.
|
||||
|
||||
This is unfortunate because it can cause NULL pointer dereference to happen
|
||||
at various locations in the 9pfs code. And we don't want to check str->data
|
||||
everywhere we pass it to strcmp() or any other function which expects a
|
||||
dereferenceable pointer.
|
||||
|
||||
This patch enforces the allocation of genuine C empty strings instead, so
|
||||
callers don't have to bother.
|
||||
|
||||
Out of all v9fs_iov_vunmarshal() users, only v9fs_xattrwalk() checks if
|
||||
the returned string is empty. It now uses v9fs_string_size() since
|
||||
name.data cannot be NULL anymore.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
[groug, rewritten title and changelog,
|
||||
fix empty string check in v9fs_xattrwalk()]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
(cherry picked from commit ba42ebb863ab7d40adc79298422ed9596df8f73a)
|
||||
---
|
||||
fsdev/9p-iov-marshal.c | 2 +-
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
|
||||
index fb40bdf..741e4d9 100644
|
||||
--- a/fsdev/9p-iov-marshal.c
|
||||
+++ b/fsdev/9p-iov-marshal.c
|
||||
@@ -127,7 +127,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
|
||||
str->data = g_malloc(str->size + 1);
|
||||
copied = v9fs_unpack(str->data, out_sg, out_num, offset,
|
||||
str->size);
|
||||
- if (copied > 0) {
|
||||
+ if (copied >= 0) {
|
||||
str->data[str->size] = 0;
|
||||
} else {
|
||||
v9fs_string_free(str);
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index afb1c4e..856544d 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3151,7 +3151,7 @@ static void v9fs_xattrwalk(void *opaque)
|
||||
goto out;
|
||||
}
|
||||
v9fs_path_copy(&xattr_fidp->path, &file_fidp->path);
|
||||
- if (name.data == NULL) {
|
||||
+ if (!v9fs_string_size(&name)) {
|
||||
/*
|
||||
* listxattr request. Get the size first
|
||||
*/
|
|
@ -1,36 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:19 +0200
|
||||
Subject: [PATCH] vmsvga: add more fifo checks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Make sure all fifo ptrs are within range.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-3-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit c2e3c54d3960bc53bfa3a5ce7ea7a050b9be267e)
|
||||
---
|
||||
hw/display/vmware_vga.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index 63a7c05..a26e62e 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -563,7 +563,10 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE) {
|
||||
+ if (CMD(max) > SVGA_FIFO_SIZE ||
|
||||
+ CMD(min) >= SVGA_FIFO_SIZE ||
|
||||
+ CMD(stop) >= SVGA_FIFO_SIZE ||
|
||||
+ CMD(next_cmd) >= SVGA_FIFO_SIZE) {
|
||||
return 0;
|
||||
}
|
||||
if (CMD(max) < CMD(min) + 10 * 1024) {
|
|
@ -0,0 +1,33 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Oct 2016 14:40:55 +0530
|
||||
Subject: [PATCH] net: rocker: set limit to DMA buffer size
|
||||
|
||||
Rocker network switch emulator has test registers to help debug
|
||||
DMA operations. While testing host DMA access, a buffer address
|
||||
is written to register 'TEST_DMA_ADDR' and its size is written to
|
||||
register 'TEST_DMA_SIZE'. When performing TEST_DMA_CTRL_INVERT
|
||||
test, if DMA buffer size was greater than 'INT_MAX', it leads to
|
||||
an invalid buffer access. Limit the DMA buffer size to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 8caed3d564672e8bc6d2e4c6a35228afd01f4723)
|
||||
---
|
||||
hw/net/rocker/rocker.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rocker/rocker.c b/hw/net/rocker/rocker.c
|
||||
index 30f2ce4..e9d215a 100644
|
||||
--- a/hw/net/rocker/rocker.c
|
||||
+++ b/hw/net/rocker/rocker.c
|
||||
@@ -860,7 +860,7 @@ static void rocker_io_writel(void *opaque, hwaddr addr, uint32_t val)
|
||||
rocker_msix_irq(r, val);
|
||||
break;
|
||||
case ROCKER_TEST_DMA_SIZE:
|
||||
- r->test_dma_size = val;
|
||||
+ r->test_dma_size = val & 0xFFFF;
|
||||
break;
|
||||
case ROCKER_TEST_DMA_ADDR + 4:
|
||||
r->test_dma_addr = ((uint64_t)val) << 32 | r->lower32;
|
|
@ -1,143 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:20 +0200
|
||||
Subject: [PATCH] vmsvga: shadow fifo registers
|
||||
|
||||
The fifo is normal ram. So kvm vcpu threads and qemu iothread can
|
||||
access the fifo in parallel without syncronization. Which in turn
|
||||
implies we can't use the fifo pointers in-place because the guest
|
||||
can try changing them underneath us. So add shadows for them, to
|
||||
make sure the guest can't modify them after we've applied sanity
|
||||
checks.
|
||||
|
||||
Fixes: CVE-2016-4454
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-4-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 7e486f7577764a07aa35588e119903c80a5c30a2)
|
||||
---
|
||||
hw/display/vmware_vga.c | 57 ++++++++++++++++++++++++-------------------------
|
||||
1 file changed, 28 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index a26e62e..de2567b 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -66,17 +66,11 @@ struct vmsvga_state_s {
|
||||
uint8_t *fifo_ptr;
|
||||
unsigned int fifo_size;
|
||||
|
||||
- union {
|
||||
- uint32_t *fifo;
|
||||
- struct QEMU_PACKED {
|
||||
- uint32_t min;
|
||||
- uint32_t max;
|
||||
- uint32_t next_cmd;
|
||||
- uint32_t stop;
|
||||
- /* Add registers here when adding capabilities. */
|
||||
- uint32_t fifo[0];
|
||||
- } *cmd;
|
||||
- };
|
||||
+ uint32_t *fifo;
|
||||
+ uint32_t fifo_min;
|
||||
+ uint32_t fifo_max;
|
||||
+ uint32_t fifo_next;
|
||||
+ uint32_t fifo_stop;
|
||||
|
||||
#define REDRAW_FIFO_LEN 512
|
||||
struct vmsvga_rect_s {
|
||||
@@ -198,7 +192,7 @@ enum {
|
||||
*/
|
||||
SVGA_FIFO_MIN = 0,
|
||||
SVGA_FIFO_MAX, /* The distance from MIN to MAX must be at least 10K */
|
||||
- SVGA_FIFO_NEXT_CMD,
|
||||
+ SVGA_FIFO_NEXT,
|
||||
SVGA_FIFO_STOP,
|
||||
|
||||
/*
|
||||
@@ -546,8 +540,6 @@ static inline void vmsvga_cursor_define(struct vmsvga_state_s *s,
|
||||
}
|
||||
#endif
|
||||
|
||||
-#define CMD(f) le32_to_cpu(s->cmd->f)
|
||||
-
|
||||
static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
{
|
||||
int num;
|
||||
@@ -556,38 +548,44 @@ static inline int vmsvga_fifo_length(struct vmsvga_state_s *s)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ s->fifo_min = le32_to_cpu(s->fifo[SVGA_FIFO_MIN]);
|
||||
+ s->fifo_max = le32_to_cpu(s->fifo[SVGA_FIFO_MAX]);
|
||||
+ s->fifo_next = le32_to_cpu(s->fifo[SVGA_FIFO_NEXT]);
|
||||
+ s->fifo_stop = le32_to_cpu(s->fifo[SVGA_FIFO_STOP]);
|
||||
+
|
||||
/* Check range and alignment. */
|
||||
- if ((CMD(min) | CMD(max) | CMD(next_cmd) | CMD(stop)) & 3) {
|
||||
+ if ((s->fifo_min | s->fifo_max | s->fifo_next | s->fifo_stop) & 3) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(min) < (uint8_t *) s->cmd->fifo - (uint8_t *) s->fifo) {
|
||||
+ if (s->fifo_min < sizeof(uint32_t) * 4) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) > SVGA_FIFO_SIZE ||
|
||||
- CMD(min) >= SVGA_FIFO_SIZE ||
|
||||
- CMD(stop) >= SVGA_FIFO_SIZE ||
|
||||
- CMD(next_cmd) >= SVGA_FIFO_SIZE) {
|
||||
+ if (s->fifo_max > SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_min >= SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_stop >= SVGA_FIFO_SIZE ||
|
||||
+ s->fifo_next >= SVGA_FIFO_SIZE) {
|
||||
return 0;
|
||||
}
|
||||
- if (CMD(max) < CMD(min) + 10 * 1024) {
|
||||
+ if (s->fifo_max < s->fifo_min + 10 * 1024) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
- num = CMD(next_cmd) - CMD(stop);
|
||||
+ num = s->fifo_next - s->fifo_stop;
|
||||
if (num < 0) {
|
||||
- num += CMD(max) - CMD(min);
|
||||
+ num += s->fifo_max - s->fifo_min;
|
||||
}
|
||||
return num >> 2;
|
||||
}
|
||||
|
||||
static inline uint32_t vmsvga_fifo_read_raw(struct vmsvga_state_s *s)
|
||||
{
|
||||
- uint32_t cmd = s->fifo[CMD(stop) >> 2];
|
||||
+ uint32_t cmd = s->fifo[s->fifo_stop >> 2];
|
||||
|
||||
- s->cmd->stop = cpu_to_le32(CMD(stop) + 4);
|
||||
- if (CMD(stop) >= CMD(max)) {
|
||||
- s->cmd->stop = s->cmd->min;
|
||||
+ s->fifo_stop += 4;
|
||||
+ if (s->fifo_stop >= s->fifo_max) {
|
||||
+ s->fifo_stop = s->fifo_min;
|
||||
}
|
||||
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
|
||||
return cmd;
|
||||
}
|
||||
|
||||
@@ -607,7 +605,7 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
len = vmsvga_fifo_length(s);
|
||||
while (len > 0) {
|
||||
/* May need to go back to the start of the command if incomplete */
|
||||
- cmd_start = s->cmd->stop;
|
||||
+ cmd_start = s->fifo_stop;
|
||||
|
||||
switch (cmd = vmsvga_fifo_read(s)) {
|
||||
case SVGA_CMD_UPDATE:
|
||||
@@ -766,7 +764,8 @@ static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
break;
|
||||
|
||||
rewind:
|
||||
- s->cmd->stop = cmd_start;
|
||||
+ s->fifo_stop = cmd_start;
|
||||
+ s->fifo[SVGA_FIFO_STOP] = cpu_to_le32(s->fifo_stop);
|
||||
break;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,34 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Oct 2016 11:28:08 +0530
|
||||
Subject: [PATCH] char: serial: check divider value against baud base
|
||||
|
||||
16550A UART device uses an oscillator to generate frequencies
|
||||
(baud base), which decide communication speed. This speed could
|
||||
be changed by dividing it by a divider. If the divider is
|
||||
greater than the baud base, speed is set to zero, leading to a
|
||||
divide by zero error. Add check to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1476251888-20238-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 3592fe0c919cf27a81d8e9f9b4f269553418bb01)
|
||||
---
|
||||
hw/char/serial.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||
index 6d815b5..3998131 100644
|
||||
--- a/hw/char/serial.c
|
||||
+++ b/hw/char/serial.c
|
||||
@@ -152,8 +152,9 @@ static void serial_update_parameters(SerialState *s)
|
||||
int speed, parity, data_bits, stop_bits, frame_size;
|
||||
QEMUSerialSetParams ssp;
|
||||
|
||||
- if (s->divider == 0)
|
||||
+ if (s->divider == 0 || s->divider > s->baudbase) {
|
||||
return;
|
||||
+ }
|
||||
|
||||
/* Start bit. */
|
||||
frame_size = 1;
|
|
@ -1,42 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 30 May 2016 09:09:21 +0200
|
||||
Subject: [PATCH] vmsvga: don't process more than 1024 fifo commands at once
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
vmsvga_fifo_run is called in regular intervals (on each display update)
|
||||
and will resume where it left off. So we can simply exit the loop,
|
||||
without having to worry about how processing will continue.
|
||||
|
||||
Fixes: CVE-2016-4453
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1464592161-18348-5-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 4e68a0ee17dad7b8d870df0081d4ab2e079016c2)
|
||||
---
|
||||
hw/display/vmware_vga.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/display/vmware_vga.c b/hw/display/vmware_vga.c
|
||||
index de2567b..e51a05e 100644
|
||||
--- a/hw/display/vmware_vga.c
|
||||
+++ b/hw/display/vmware_vga.c
|
||||
@@ -597,13 +597,13 @@ static inline uint32_t vmsvga_fifo_read(struct vmsvga_state_s *s)
|
||||
static void vmsvga_fifo_run(struct vmsvga_state_s *s)
|
||||
{
|
||||
uint32_t cmd, colour;
|
||||
- int args, len;
|
||||
+ int args, len, maxloop = 1024;
|
||||
int x, y, dx, dy, width, height;
|
||||
struct vmsvga_cursor_definition_s cursor;
|
||||
uint32_t cmd_start;
|
||||
|
||||
len = vmsvga_fifo_length(s);
|
||||
- while (len > 0) {
|
||||
+ while (len > 0 && --maxloop > 0) {
|
||||
/* May need to go back to the start of the command if incomplete */
|
||||
cmd_start = s->fifo_stop;
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
From: Peter Lieven <pl@kamp.de>
|
||||
Date: Tue, 24 May 2016 10:59:28 +0200
|
||||
Subject: [PATCH] block/iscsi: avoid potential overflow of acb->task->cdb
|
||||
|
||||
at least in the path via virtio-blk the maximum size is not
|
||||
restricted.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Peter Lieven <pl@kamp.de>
|
||||
Message-Id: <1464080368-29584-1-git-send-email-pl@kamp.de>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit a6b3167fa0e825aebb5a7cd8b437b6d41584a196)
|
||||
---
|
||||
block/iscsi.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/block/iscsi.c b/block/iscsi.c
|
||||
index 302baf8..172e6cf 100644
|
||||
--- a/block/iscsi.c
|
||||
+++ b/block/iscsi.c
|
||||
@@ -837,6 +837,13 @@ static BlockAIOCB *iscsi_aio_ioctl(BlockDriverState *bs,
|
||||
return &acb->common;
|
||||
}
|
||||
|
||||
+ if (acb->ioh->cmd_len > SCSI_CDB_MAX_SIZE) {
|
||||
+ error_report("iSCSI: ioctl error CDB exceeds max size (%d > %d)",
|
||||
+ acb->ioh->cmd_len, SCSI_CDB_MAX_SIZE);
|
||||
+ qemu_aio_unref(acb);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
acb->task = malloc(sizeof(struct scsi_task));
|
||||
if (acb->task == NULL) {
|
||||
error_report("iSCSI: Failed to allocate task for scsi command. %s",
|
|
@ -0,0 +1,31 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 21 Oct 2016 17:39:29 +0530
|
||||
Subject: [PATCH] net: rtl8139: limit processing of ring descriptors
|
||||
|
||||
RTL8139 ethernet controller in C+ mode supports multiple
|
||||
descriptor rings, each with maximum of 64 descriptors. While
|
||||
processing transmit descriptor ring in 'rtl8139_cplus_transmit',
|
||||
it does not limit the descriptor count and runs forever. Add
|
||||
check to avoid it.
|
||||
|
||||
Reported-by: Andrew Henderson <hendersa@icculus.org>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit c7c35916692fe010fef25ac338443d3fe40be225)
|
||||
---
|
||||
hw/net/rtl8139.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/rtl8139.c b/hw/net/rtl8139.c
|
||||
index 1e5ec14..138fa62 100644
|
||||
--- a/hw/net/rtl8139.c
|
||||
+++ b/hw/net/rtl8139.c
|
||||
@@ -2379,7 +2379,7 @@ static void rtl8139_cplus_transmit(RTL8139State *s)
|
||||
{
|
||||
int txcount = 0;
|
||||
|
||||
- while (rtl8139_cplus_transmit_one(s))
|
||||
+ while (txcount < 64 && rtl8139_cplus_transmit_one(s))
|
||||
{
|
||||
++txcount;
|
||||
}
|
|
@ -0,0 +1,35 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 20 Oct 2016 13:10:24 +0530
|
||||
Subject: [PATCH] audio: intel-hda: check stream entry count during transfer
|
||||
|
||||
Intel HDA emulator uses stream of buffers during DMA data
|
||||
transfers. Each entry has buffer length and buffer pointer
|
||||
position, which are used to derive bytes to 'copy'. If this
|
||||
length and buffer pointer were to be same, 'copy' could be
|
||||
set to zero(0), leading to an infinite loop. Add check to
|
||||
avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
|
||||
Message-id: 1476949224-6865-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 0c0fc2b5fd534786051889459848764edd798050)
|
||||
---
|
||||
hw/audio/intel-hda.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/audio/intel-hda.c b/hw/audio/intel-hda.c
|
||||
index d372d4a..cd3b03c 100644
|
||||
--- a/hw/audio/intel-hda.c
|
||||
+++ b/hw/audio/intel-hda.c
|
||||
@@ -415,7 +415,8 @@ static bool intel_hda_xfer(HDACodecDevice *dev, uint32_t stnr, bool output,
|
||||
}
|
||||
|
||||
left = len;
|
||||
- while (left > 0) {
|
||||
+ s = st->bentries;
|
||||
+ while (left > 0 && s-- > 0) {
|
||||
copy = left;
|
||||
if (copy > st->bsize - st->lpib)
|
||||
copy = st->bsize - st->lpib;
|
|
@ -1,33 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 31 May 2016 23:23:27 +0530
|
||||
Subject: [PATCH] scsi: esp: check buffer length before reading scsi command
|
||||
|
||||
The 53C9X Fast SCSI Controller(FSC) comes with an internal 16-byte
|
||||
FIFO buffer. It is used to handle command and data transfer.
|
||||
Routine get_cmd() in non-DMA mode, uses 'ti_size' to read scsi
|
||||
command into a buffer. Add check to validate command length against
|
||||
buffer size to avoid any overrun.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-Id: <1464717207-7549-1-git-send-email-ppandit@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d3cdc49138c30be1d3c2f83d18f85d9fdee95f1a)
|
||||
---
|
||||
hw/scsi/esp.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 591c817..c2f6f8f 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -98,6 +98,9 @@ static uint32_t get_cmd(ESPState *s, uint8_t *buf, uint8_t buflen)
|
||||
s->dma_memory_read(s->dma_opaque, buf, dmalen);
|
||||
} else {
|
||||
dmalen = s->ti_size;
|
||||
+ if (dmalen > TI_BUFSZ) {
|
||||
+ return 0;
|
||||
+ }
|
||||
memcpy(buf, s->ti_buf, dmalen);
|
||||
buf[0] = buf[2] >> 5;
|
||||
}
|
|
@ -1,26 +0,0 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Tue, 14 Jun 2016 15:10:24 +0200
|
||||
Subject: [PATCH] scsi: esp: respect FIFO invariant after message phase
|
||||
|
||||
The FIFO contains two bytes; hence the write ptr should be two bytes ahead
|
||||
of the read pointer.
|
||||
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit d020aa504cec8f525b55ba2ef982c09dc847c72e)
|
||||
---
|
||||
hw/scsi/esp.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index c2f6f8f..6407844 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -222,7 +222,7 @@ static void write_response(ESPState *s)
|
||||
} else {
|
||||
s->ti_size = 2;
|
||||
s->ti_rptr = 0;
|
||||
- s->ti_wptr = 0;
|
||||
+ s->ti_wptr = 2;
|
||||
s->rregs[ESP_RFLAGS] = 2;
|
||||
}
|
||||
esp_raise_irq(s);
|
|
@ -0,0 +1,48 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Mon, 24 Oct 2016 16:26:54 +0100
|
||||
Subject: [PATCH] timer: a9gtimer: remove loop to auto-increment comparator
|
||||
|
||||
ARM A9MP processor has a peripheral timer with an auto-increment
|
||||
register, which holds an increment step value. A user could set
|
||||
this value to zero. When auto-increment control bit is enabled,
|
||||
it leads to an infinite loop in 'a9_gtimer_update' while
|
||||
updating comparator value. Remove this loop incrementing the
|
||||
comparator value.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1476733226-11635-1-git-send-email-ppandit@redhat.com
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 6be8f5e2626e102433e569d9cece2120baf0c879)
|
||||
---
|
||||
hw/timer/a9gtimer.c | 14 +++++++-------
|
||||
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/hw/timer/a9gtimer.c b/hw/timer/a9gtimer.c
|
||||
index 772f85f..ce1dc63 100644
|
||||
--- a/hw/timer/a9gtimer.c
|
||||
+++ b/hw/timer/a9gtimer.c
|
||||
@@ -82,15 +82,15 @@ static void a9_gtimer_update(A9GTimerState *s, bool sync)
|
||||
if ((s->control & R_CONTROL_TIMER_ENABLE) &&
|
||||
(gtb->control & R_CONTROL_COMP_ENABLE)) {
|
||||
/* R2p0+, where the compare function is >= */
|
||||
- while (gtb->compare < update.new) {
|
||||
+ if (gtb->compare < update.new) {
|
||||
DB_PRINT("Compare event happened for CPU %d\n", i);
|
||||
gtb->status = 1;
|
||||
- if (gtb->control & R_CONTROL_AUTO_INCREMENT) {
|
||||
- DB_PRINT("Auto incrementing timer compare by %" PRId32 "\n",
|
||||
- gtb->inc);
|
||||
- gtb->compare += gtb->inc;
|
||||
- } else {
|
||||
- break;
|
||||
+ if (gtb->control & R_CONTROL_AUTO_INCREMENT && gtb->inc) {
|
||||
+ uint64_t inc =
|
||||
+ QEMU_ALIGN_UP(update.new - gtb->compare, gtb->inc);
|
||||
+ DB_PRINT("Auto incrementing timer compare by %"
|
||||
+ PRId64 "\n", inc);
|
||||
+ gtb->compare += inc;
|
||||
}
|
||||
}
|
||||
cdiff = (int64_t)gtb->compare - (int64_t)update.new + 1;
|
|
@ -0,0 +1,27 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Sat, 8 Oct 2016 05:07:25 -0700
|
||||
Subject: [PATCH] net: eepro100: fix memory leak in device uninit
|
||||
|
||||
The exit dispatch of eepro100 network card device doesn't free
|
||||
the 's->vmstate' field which was allocated in device realize thus
|
||||
leading a host memory leak. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 2634ab7fe29b3f75d0865b719caf8f310d634aae)
|
||||
---
|
||||
hw/net/eepro100.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/net/eepro100.c b/hw/net/eepro100.c
|
||||
index 9b4b9b5..c39fd19 100644
|
||||
--- a/hw/net/eepro100.c
|
||||
+++ b/hw/net/eepro100.c
|
||||
@@ -1843,6 +1843,7 @@ static void pci_nic_uninit(PCIDevice *pci_dev)
|
||||
EEPRO100State *s = DO_UPCAST(EEPRO100State, dev, pci_dev);
|
||||
|
||||
vmstate_unregister(&pci_dev->qdev, s->vmstate, s);
|
||||
+ g_free(s->vmstate);
|
||||
eeprom93xx_free(&pci_dev->qdev, s->eeprom);
|
||||
qemu_del_nic(s->nic);
|
||||
}
|
|
@ -1,76 +0,0 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Wed, 15 Jun 2016 14:29:33 +0200
|
||||
Subject: [PATCH] scsi: esp: clean up handle_ti/esp_do_dma if s->do_cmd
|
||||
|
||||
Avoid duplicated code between esp_do_dma and handle_ti. esp_do_dma
|
||||
has the same code that handle_ti contains after the call to esp_do_dma;
|
||||
but the code in handle_ti is never reached because it is in an "else if".
|
||||
Remove the else and also the pointless return.
|
||||
|
||||
esp_do_dma also has a partially dead assignment of the to_device
|
||||
variable. Sink it to the point where it's actually used.
|
||||
|
||||
Finally, assert that the other caller of esp_do_dma (esp_transfer_data)
|
||||
only transfers data and not a command. This is true because get_cmd
|
||||
cancels the old request synchronously before its caller handle_satn_stop
|
||||
sets do_cmd to 1.
|
||||
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 7f0b6e114ae4e142e2b3dfc9fac138f4a30edc4f)
|
||||
---
|
||||
hw/scsi/esp.c | 11 ++++-------
|
||||
1 file changed, 4 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 6407844..68d3e4d 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -245,15 +245,10 @@ static void esp_do_dma(ESPState *s)
|
||||
uint32_t len;
|
||||
int to_device;
|
||||
|
||||
- to_device = (s->ti_size < 0);
|
||||
len = s->dma_left;
|
||||
if (s->do_cmd) {
|
||||
trace_esp_do_dma(s->cmdlen, len);
|
||||
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
|
||||
- s->ti_size = 0;
|
||||
- s->cmdlen = 0;
|
||||
- s->do_cmd = 0;
|
||||
- do_cmd(s, s->cmdbuf);
|
||||
return;
|
||||
}
|
||||
if (s->async_len == 0) {
|
||||
@@ -263,6 +258,7 @@ static void esp_do_dma(ESPState *s)
|
||||
if (len > s->async_len) {
|
||||
len = s->async_len;
|
||||
}
|
||||
+ to_device = (s->ti_size < 0);
|
||||
if (to_device) {
|
||||
s->dma_memory_read(s->dma_opaque, s->async_buf, len);
|
||||
} else {
|
||||
@@ -318,6 +314,7 @@ void esp_transfer_data(SCSIRequest *req, uint32_t len)
|
||||
{
|
||||
ESPState *s = req->hba_private;
|
||||
|
||||
+ assert(!s->do_cmd);
|
||||
trace_esp_transfer_data(s->dma_left, s->ti_size);
|
||||
s->async_len = len;
|
||||
s->async_buf = scsi_req_get_buf(req);
|
||||
@@ -358,13 +355,13 @@ static void handle_ti(ESPState *s)
|
||||
s->dma_left = minlen;
|
||||
s->rregs[ESP_RSTAT] &= ~STAT_TC;
|
||||
esp_do_dma(s);
|
||||
- } else if (s->do_cmd) {
|
||||
+ }
|
||||
+ if (s->do_cmd) {
|
||||
trace_esp_handle_ti_cmd(s->cmdlen);
|
||||
s->ti_size = 0;
|
||||
s->cmdlen = 0;
|
||||
s->do_cmd = 0;
|
||||
do_cmd(s, s->cmdbuf);
|
||||
- return;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix information leak in xattr read
|
||||
|
||||
9pfs uses g_malloc() to allocate the xattr memory space, if the guest
|
||||
reads this memory before writing to it, this will leak host heap memory
|
||||
to the guest. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit eb687602853b4ae656e9236ee4222609f3a6887d)
|
||||
---
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 856544d..0735246 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3259,7 +3259,7 @@ static void v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
- xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
+ xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
||||
out_nofid:
|
|
@ -1,70 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Thu, 16 Jun 2016 00:22:35 +0200
|
||||
Subject: [PATCH] scsi: esp: make cmdbuf big enough for maximum CDB size
|
||||
|
||||
While doing DMA read into ESP command buffer 's->cmdbuf', it could
|
||||
write past the 's->cmdbuf' area, if it was transferring more than 16
|
||||
bytes. Increase the command buffer size to 32, which is maximum when
|
||||
's->do_cmd' is set, and add a check on 'len' to avoid OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 926cde5f3e4d2504ed161ed0cb771ac7cad6fd11)
|
||||
---
|
||||
hw/scsi/esp.c | 6 ++++--
|
||||
include/hw/scsi/esp.h | 3 ++-
|
||||
2 files changed, 6 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/esp.c b/hw/scsi/esp.c
|
||||
index 68d3e4d..b4601ad 100644
|
||||
--- a/hw/scsi/esp.c
|
||||
+++ b/hw/scsi/esp.c
|
||||
@@ -248,6 +248,8 @@ static void esp_do_dma(ESPState *s)
|
||||
len = s->dma_left;
|
||||
if (s->do_cmd) {
|
||||
trace_esp_do_dma(s->cmdlen, len);
|
||||
+ assert (s->cmdlen <= sizeof(s->cmdbuf) &&
|
||||
+ len <= sizeof(s->cmdbuf) - s->cmdlen);
|
||||
s->dma_memory_read(s->dma_opaque, &s->cmdbuf[s->cmdlen], len);
|
||||
return;
|
||||
}
|
||||
@@ -345,7 +347,7 @@ static void handle_ti(ESPState *s)
|
||||
s->dma_counter = dmalen;
|
||||
|
||||
if (s->do_cmd)
|
||||
- minlen = (dmalen < 32) ? dmalen : 32;
|
||||
+ minlen = (dmalen < ESP_CMDBUF_SZ) ? dmalen : ESP_CMDBUF_SZ;
|
||||
else if (s->ti_size < 0)
|
||||
minlen = (dmalen < -s->ti_size) ? dmalen : -s->ti_size;
|
||||
else
|
||||
@@ -451,7 +453,7 @@ void esp_reg_write(ESPState *s, uint32_t saddr, uint64_t val)
|
||||
break;
|
||||
case ESP_FIFO:
|
||||
if (s->do_cmd) {
|
||||
- if (s->cmdlen < TI_BUFSZ) {
|
||||
+ if (s->cmdlen < ESP_CMDBUF_SZ) {
|
||||
s->cmdbuf[s->cmdlen++] = val & 0xff;
|
||||
} else {
|
||||
trace_esp_error_fifo_overrun();
|
||||
diff --git a/include/hw/scsi/esp.h b/include/hw/scsi/esp.h
|
||||
index 6c79527..d2c4886 100644
|
||||
--- a/include/hw/scsi/esp.h
|
||||
+++ b/include/hw/scsi/esp.h
|
||||
@@ -14,6 +14,7 @@ void esp_init(hwaddr espaddr, int it_shift,
|
||||
|
||||
#define ESP_REGS 16
|
||||
#define TI_BUFSZ 16
|
||||
+#define ESP_CMDBUF_SZ 32
|
||||
|
||||
typedef struct ESPState ESPState;
|
||||
|
||||
@@ -31,7 +32,7 @@ struct ESPState {
|
||||
SCSIBus bus;
|
||||
SCSIDevice *current_dev;
|
||||
SCSIRequest *current_req;
|
||||
- uint8_t cmdbuf[TI_BUFSZ];
|
||||
+ uint8_t cmdbuf[ESP_CMDBUF_SZ];
|
||||
uint32_t cmdlen;
|
||||
uint32_t do_cmd;
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix memory leak in v9fs_xattrcreate
|
||||
|
||||
The 'fs.xattr.value' field in V9fsFidState object doesn't consider the
|
||||
situation that this field has been allocated previously. Every time, it
|
||||
will be allocated directly. This leads to a host memory leak issue if
|
||||
the client sends another Txattrcreate message with the same fid number
|
||||
before the fid from the previous time got clunked.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, updated the changelog to indicate how the leak can occur]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
(cherry picked from commit ff55e94d23ae94c8628b0115320157c763eb3e06)
|
||||
---
|
||||
hw/9pfs/9p.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 0735246..54e5ed4 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3259,6 +3259,7 @@ static void v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
v9fs_string_copy(&xattr_fidp->fs.xattr.name, &name);
|
||||
+ g_free(xattr_fidp->fs.xattr.value);
|
||||
xattr_fidp->fs.xattr.value = g_malloc0(size);
|
||||
err = offset;
|
||||
put_fid(pdu, file_fidp);
|
|
@ -1,29 +0,0 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 7 Jun 2016 16:44:03 +0530
|
||||
Subject: [PATCH] scsi: megasas: null terminate bios version buffer
|
||||
|
||||
While reading information via 'megasas_ctrl_get_info' routine,
|
||||
a local bios version buffer isn't null terminated. Add the
|
||||
terminating null byte to avoid any OOB access.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 844864fbae66935951529408831c2f22367a57b6)
|
||||
---
|
||||
hw/scsi/megasas.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index cc66d36..a9ffc32 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -773,6 +773,7 @@ static int megasas_ctrl_get_info(MegasasState *s, MegasasCmd *cmd)
|
||||
|
||||
ptr = memory_region_get_ram_ptr(&pci_dev->rom);
|
||||
memcpy(biosver, ptr + 0x41, 31);
|
||||
+ biosver[31] = 0;
|
||||
memcpy(info.image_component[1].name, "BIOS", 4);
|
||||
memcpy(info.image_component[1].version, biosver,
|
||||
strlen((const char *)biosver));
|
|
@ -0,0 +1,70 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: add xattrwalk_fid field in V9fsXattr struct
|
||||
|
||||
Currently, 9pfs sets the 'copied_len' field in V9fsXattr
|
||||
to -1 to tag xattr walk fid. As the 'copied_len' is also
|
||||
used to account for copied bytes, this may make confusion. This patch
|
||||
add a bool 'xattrwalk_fid' to tag the xattr walk fid.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit dd28fbbc2edc0822965d402d927ce646326d6954)
|
||||
---
|
||||
hw/9pfs/9p.c | 7 ++++---
|
||||
hw/9pfs/9p.h | 1 +
|
||||
2 files changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 54e5ed4..22690f2 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -308,7 +308,7 @@ static int v9fs_xattr_fid_clunk(V9fsPDU *pdu, V9fsFidState *fidp)
|
||||
{
|
||||
int retval = 0;
|
||||
|
||||
- if (fidp->fs.xattr.copied_len == -1) {
|
||||
+ if (fidp->fs.xattr.xattrwalk_fid) {
|
||||
/* getxattr/listxattr fid */
|
||||
goto free_value;
|
||||
}
|
||||
@@ -3166,7 +3166,7 @@ static void v9fs_xattrwalk(void *opaque)
|
||||
*/
|
||||
xattr_fidp->fs.xattr.len = size;
|
||||
xattr_fidp->fid_type = P9_FID_XATTR;
|
||||
- xattr_fidp->fs.xattr.copied_len = -1;
|
||||
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
||||
if (size) {
|
||||
xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
err = v9fs_co_llistxattr(pdu, &xattr_fidp->path,
|
||||
@@ -3199,7 +3199,7 @@ static void v9fs_xattrwalk(void *opaque)
|
||||
*/
|
||||
xattr_fidp->fs.xattr.len = size;
|
||||
xattr_fidp->fid_type = P9_FID_XATTR;
|
||||
- xattr_fidp->fs.xattr.copied_len = -1;
|
||||
+ xattr_fidp->fs.xattr.xattrwalk_fid = true;
|
||||
if (size) {
|
||||
xattr_fidp->fs.xattr.value = g_malloc(size);
|
||||
err = v9fs_co_lgetxattr(pdu, &xattr_fidp->path,
|
||||
@@ -3255,6 +3255,7 @@ static void v9fs_xattrcreate(void *opaque)
|
||||
xattr_fidp = file_fidp;
|
||||
xattr_fidp->fid_type = P9_FID_XATTR;
|
||||
xattr_fidp->fs.xattr.copied_len = 0;
|
||||
+ xattr_fidp->fs.xattr.xattrwalk_fid = false;
|
||||
xattr_fidp->fs.xattr.len = size;
|
||||
xattr_fidp->fs.xattr.flags = flags;
|
||||
v9fs_string_init(&xattr_fidp->fs.xattr.name);
|
||||
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
|
||||
index 589b3a5..5750d67 100644
|
||||
--- a/hw/9pfs/9p.h
|
||||
+++ b/hw/9pfs/9p.h
|
||||
@@ -167,6 +167,7 @@ typedef struct V9fsXattr
|
||||
void *value;
|
||||
V9fsString name;
|
||||
int flags;
|
||||
+ bool xattrwalk_fid;
|
||||
} V9fsXattr;
|
||||
|
||||
/*
|
|
@ -1,26 +0,0 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 1 Jun 2016 16:08:36 +0200
|
||||
Subject: [PATCH] sdl2: skip init without outputs
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Tested-by: Cole Robinson <crobinso@redhat.com>
|
||||
Message-id: 1464790116-32405-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 8efa5f29f83816ae34f428143de49acbaacccb24)
|
||||
---
|
||||
ui/sdl2.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/ui/sdl2.c b/ui/sdl2.c
|
||||
index 909038f..30d2a3c 100644
|
||||
--- a/ui/sdl2.c
|
||||
+++ b/ui/sdl2.c
|
||||
@@ -794,6 +794,9 @@ void sdl_display_init(DisplayState *ds, int full_screen, int no_frame)
|
||||
}
|
||||
}
|
||||
sdl2_num_outputs = i;
|
||||
+ if (sdl2_num_outputs == 0) {
|
||||
+ return;
|
||||
+ }
|
||||
sdl2_console = g_new0(struct sdl2_console, sdl2_num_outputs);
|
||||
for (i = 0; i < sdl2_num_outputs; i++) {
|
||||
QemuConsole *con = qemu_console_lookup_by_index(i);
|
|
@ -0,0 +1,44 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: convert 'len/copied_len' field in V9fsXattr to the type
|
||||
of uint64_t
|
||||
|
||||
The 'len' in V9fsXattr comes from the 'size' argument in setxattr()
|
||||
function in guest. The setxattr() function's declaration is this:
|
||||
|
||||
int setxattr(const char *path, const char *name,
|
||||
const void *value, size_t size, int flags);
|
||||
|
||||
and 'size' is treated as u64 in linux kernel client code:
|
||||
|
||||
int p9_client_xattrcreate(struct p9_fid *fid, const char *name,
|
||||
u64 attr_size, int flags)
|
||||
|
||||
So the 'len' should have an type of 'uint64_t'.
|
||||
The 'copied_len' in V9fsXattr is used to account for copied bytes, it
|
||||
should also have an type of 'uint64_t'.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 8495f9ad26d398f01e208a53f1a5152483a16084)
|
||||
---
|
||||
hw/9pfs/9p.h | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.h b/hw/9pfs/9p.h
|
||||
index 5750d67..4e3bc52 100644
|
||||
--- a/hw/9pfs/9p.h
|
||||
+++ b/hw/9pfs/9p.h
|
||||
@@ -162,8 +162,8 @@ typedef struct V9fsConf
|
||||
|
||||
typedef struct V9fsXattr
|
||||
{
|
||||
- int64_t copied_len;
|
||||
- int64_t len;
|
||||
+ uint64_t copied_len;
|
||||
+ uint64_t len;
|
||||
void *value;
|
||||
V9fsString name;
|
||||
int flags;
|
|
@ -0,0 +1,89 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 12:00:40 +0100
|
||||
Subject: [PATCH] 9pfs: fix integer overflow issue in xattr read/write
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The v9fs_xattr_read() and v9fs_xattr_write() are passed a guest
|
||||
originated offset: they must ensure this offset does not go beyond
|
||||
the size of the extended attribute that was set in v9fs_xattrcreate().
|
||||
Unfortunately, the current code implement these checks with unsafe
|
||||
calculations on 32 and 64 bit values, which may allow a malicious
|
||||
guest to cause OOB access anyway.
|
||||
|
||||
Fix this by comparing the offset and the xattr size, which are
|
||||
both uint64_t, before trying to compute the effective number of bytes
|
||||
to read or write.
|
||||
|
||||
Suggested-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-By: Guido Günther <agx@sigxcpu.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 7e55d65c56a03dcd2c5d7c49d37c5a74b55d4bd6)
|
||||
---
|
||||
hw/9pfs/9p.c | 32 ++++++++++++--------------------
|
||||
1 file changed, 12 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 22690f2..5126459 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -1627,20 +1627,17 @@ static int v9fs_xattr_read(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
ssize_t err;
|
||||
size_t offset = 7;
|
||||
- int read_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t read_count;
|
||||
V9fsVirtioState *v = container_of(s, V9fsVirtioState, state);
|
||||
VirtQueueElement *elem = v->elems[pdu->idx];
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- read_count = xattr_len - off;
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
+ read_count = 0;
|
||||
+ } else {
|
||||
+ read_count = fidp->fs.xattr.len - off;
|
||||
+ }
|
||||
if (read_count > max_count) {
|
||||
read_count = max_count;
|
||||
- } else if (read_count < 0) {
|
||||
- /*
|
||||
- * read beyond XATTR value
|
||||
- */
|
||||
- read_count = 0;
|
||||
}
|
||||
err = pdu_marshal(pdu, offset, "d", read_count);
|
||||
if (err < 0) {
|
||||
@@ -1959,23 +1956,18 @@ static int v9fs_xattr_write(V9fsState *s, V9fsPDU *pdu, V9fsFidState *fidp,
|
||||
{
|
||||
int i, to_copy;
|
||||
ssize_t err = 0;
|
||||
- int write_count;
|
||||
- int64_t xattr_len;
|
||||
+ uint64_t write_count;
|
||||
size_t offset = 7;
|
||||
|
||||
|
||||
- xattr_len = fidp->fs.xattr.len;
|
||||
- write_count = xattr_len - off;
|
||||
- if (write_count > count) {
|
||||
- write_count = count;
|
||||
- } else if (write_count < 0) {
|
||||
- /*
|
||||
- * write beyond XATTR value len specified in
|
||||
- * xattrcreate
|
||||
- */
|
||||
+ if (fidp->fs.xattr.len < off) {
|
||||
err = -ENOSPC;
|
||||
goto out;
|
||||
}
|
||||
+ write_count = fidp->fs.xattr.len - off;
|
||||
+ if (write_count > count) {
|
||||
+ write_count = count;
|
||||
+ }
|
||||
err = pdu_marshal(pdu, offset, "d", write_count);
|
||||
if (err < 0) {
|
||||
return err;
|
|
@ -0,0 +1,30 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix memory leak in v9fs_link
|
||||
|
||||
The v9fs_link() function keeps a reference on the source fid object. This
|
||||
causes a memory leak since the reference never goes down to 0. This patch
|
||||
fixes the issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, rephrased the changelog]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
(cherry picked from commit 4c1586787ff43c9acd18a56c12d720e3e6be9f7c)
|
||||
---
|
||||
hw/9pfs/9p.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 5126459..0de545b 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2385,6 +2385,7 @@ static void v9fs_link(void *opaque)
|
||||
if (!err) {
|
||||
err = offset;
|
||||
}
|
||||
+ put_fid(pdu, oldfidp);
|
||||
out:
|
||||
put_fid(pdu, dfidp);
|
||||
out_nofid:
|
|
@ -0,0 +1,31 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 17 Oct 2016 14:13:58 +0200
|
||||
Subject: [PATCH] 9pfs: fix memory leak in v9fs_write
|
||||
|
||||
If an error occurs when marshalling the transfer length to the guest, the
|
||||
v9fs_write() function doesn't free an IO vector, thus leading to a memory
|
||||
leak. This patch fixes the issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
[groug, rephrased the changelog]
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
|
||||
(cherry picked from commit fdfcc9aeea1492f4b819a24c94dfb678145b1bf9)
|
||||
---
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 0de545b..86f44db 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -2062,7 +2062,7 @@ static void v9fs_write(void *opaque)
|
||||
offset = 7;
|
||||
err = pdu_marshal(pdu, offset, "d", total);
|
||||
if (err < 0) {
|
||||
- goto out;
|
||||
+ goto out_qiov;
|
||||
}
|
||||
err += offset;
|
||||
trace_v9fs_write_return(pdu->tag, pdu->id, total, err);
|
|
@ -0,0 +1,71 @@
|
|||
From: Jan Beulich <JBeulich@suse.com>
|
||||
Date: Tue, 22 Nov 2016 05:56:51 -0700
|
||||
Subject: [PATCH] xen: fix ioreq handling
|
||||
|
||||
Avoid double fetches and bounds check size to avoid overflowing
|
||||
internal variables.
|
||||
|
||||
This is CVE-2016-9381 / XSA-197.
|
||||
|
||||
Reported-by: yanghongke <yanghongke@huawei.com>
|
||||
Signed-off-by: Jan Beulich <jbeulich@suse.com>
|
||||
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
|
||||
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
|
||||
(cherry picked from commit b85f9dfdb156ae2a2a52f39a36e9f1f270614cd2)
|
||||
---
|
||||
xen-hvm.c | 16 +++++++++++++++-
|
||||
1 file changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/xen-hvm.c b/xen-hvm.c
|
||||
index 039680a..ba823c3 100644
|
||||
--- a/xen-hvm.c
|
||||
+++ b/xen-hvm.c
|
||||
@@ -797,6 +797,10 @@ static void cpu_ioreq_pio(ioreq_t *req)
|
||||
trace_cpu_ioreq_pio(req, req->dir, req->df, req->data_is_ptr, req->addr,
|
||||
req->data, req->count, req->size);
|
||||
|
||||
+ if (req->size > sizeof(uint32_t)) {
|
||||
+ hw_error("PIO: bad size (%u)", req->size);
|
||||
+ }
|
||||
+
|
||||
if (req->dir == IOREQ_READ) {
|
||||
if (!req->data_is_ptr) {
|
||||
req->data = do_inp(req->addr, req->size);
|
||||
@@ -833,6 +837,10 @@ static void cpu_ioreq_move(ioreq_t *req)
|
||||
trace_cpu_ioreq_move(req, req->dir, req->df, req->data_is_ptr, req->addr,
|
||||
req->data, req->count, req->size);
|
||||
|
||||
+ if (req->size > sizeof(req->data)) {
|
||||
+ hw_error("MMIO: bad size (%u)", req->size);
|
||||
+ }
|
||||
+
|
||||
if (!req->data_is_ptr) {
|
||||
if (req->dir == IOREQ_READ) {
|
||||
for (i = 0; i < req->count; i++) {
|
||||
@@ -997,11 +1005,13 @@ static int handle_buffered_iopage(XenIOState *state)
|
||||
req.df = 1;
|
||||
req.type = buf_req->type;
|
||||
req.data_is_ptr = 0;
|
||||
+ xen_rmb();
|
||||
qw = (req.size == 8);
|
||||
if (qw) {
|
||||
buf_req = &buf_page->buf_ioreq[(rdptr + 1) %
|
||||
IOREQ_BUFFER_SLOT_NUM];
|
||||
req.data |= ((uint64_t)buf_req->data) << 32;
|
||||
+ xen_rmb();
|
||||
}
|
||||
|
||||
handle_ioreq(state, &req);
|
||||
@@ -1032,7 +1042,11 @@ static void cpu_handle_ioreq(void *opaque)
|
||||
|
||||
handle_buffered_iopage(state);
|
||||
if (req) {
|
||||
- handle_ioreq(state, req);
|
||||
+ ioreq_t copy = *req;
|
||||
+
|
||||
+ xen_rmb();
|
||||
+ handle_ioreq(state, ©);
|
||||
+ req->data = copy.data;
|
||||
|
||||
if (req->state != STATE_IOREQ_INPROCESS) {
|
||||
fprintf(stderr, "Badness in I/O request ... not in service?!: "
|
|
@ -0,0 +1,73 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 18 Oct 2016 13:15:17 +0530
|
||||
Subject: [PATCH] display: cirrus: check vga bits per pixel(bpp) value
|
||||
|
||||
In Cirrus CLGD 54xx VGA Emulator, if cirrus graphics mode is VGA,
|
||||
'cirrus_get_bpp' returns zero(0), which could lead to a divide
|
||||
by zero error in while copying pixel data. The same could occur
|
||||
via blit pitch values. Add check to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 1476776717-24807-1-git-send-email-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 4299b90e9ba9ce5ca9024572804ba751aa1a7e70)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 3d712d5..bdb092e 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
|
||||
static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
int32_t pitch, int32_t addr)
|
||||
{
|
||||
+ if (!pitch) {
|
||||
+ return true;
|
||||
+ }
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
+ ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||
@@ -715,7 +718,7 @@ static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
|
||||
s->cirrus_addr_mask));
|
||||
}
|
||||
|
||||
-static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
+static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
{
|
||||
int sx = 0, sy = 0;
|
||||
int dx = 0, dy = 0;
|
||||
@@ -729,6 +732,9 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
int width, height;
|
||||
|
||||
depth = s->vga.get_bpp(&s->vga) / 8;
|
||||
+ if (!depth) {
|
||||
+ return 0;
|
||||
+ }
|
||||
s->vga.get_resolution(&s->vga, &width, &height);
|
||||
|
||||
/* extra x, y */
|
||||
@@ -783,6 +789,8 @@ static void cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
|
||||
s->cirrus_blt_dstpitch, s->cirrus_blt_width,
|
||||
s->cirrus_blt_height);
|
||||
+
|
||||
+ return 1;
|
||||
}
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
@@ -790,11 +798,9 @@ static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
if (blit_is_unsafe(s))
|
||||
return 0;
|
||||
|
||||
- cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
||||
+ return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
||||
s->cirrus_blt_srcaddr - s->vga.start_addr,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
-
|
||||
- return 1;
|
||||
}
|
||||
|
||||
/***************************************
|
|
@ -0,0 +1,31 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 29 Nov 2016 00:38:39 +0530
|
||||
Subject: [PATCH] net: mcf: check receive buffer size register value
|
||||
|
||||
ColdFire Fast Ethernet Controller uses a receive buffer size
|
||||
register(EMRBR) to hold maximum size of all receive buffers.
|
||||
It is set by a user before any operation. If it was set to be
|
||||
zero, ColdFire emulator would go into an infinite loop while
|
||||
receiving data in mcf_fec_receive. Add check to avoid it.
|
||||
|
||||
Reported-by: Wjjzhang <wjjzhang@tencent.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Signed-off-by: Jason Wang <jasowang@redhat.com>
|
||||
(cherry picked from commit 77d54985b85a0cb760330ec2bd92505e0a2a97a9)
|
||||
---
|
||||
hw/net/mcf_fec.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/net/mcf_fec.c b/hw/net/mcf_fec.c
|
||||
index 6d3418e..8a69fa2 100644
|
||||
--- a/hw/net/mcf_fec.c
|
||||
+++ b/hw/net/mcf_fec.c
|
||||
@@ -393,7 +393,7 @@ static void mcf_fec_write(void *opaque, hwaddr addr,
|
||||
s->tx_descriptor = s->etdsr;
|
||||
break;
|
||||
case 0x188:
|
||||
- s->emrbr = value & 0x7f0;
|
||||
+ s->emrbr = value > 0 ? value & 0x7F0 : 0x7F0;
|
||||
break;
|
||||
default:
|
||||
hw_error("mcf_fec_write Bad address 0x%x\n", (int)addr);
|
|
@ -0,0 +1,34 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 02:53:11 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix information leak in getting capset info
|
||||
dispatch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In virgl_cmd_get_capset_info dispatch function, the 'resp' hasn't
|
||||
been full initialized before writing to the guest. This will leak
|
||||
the 'resp.padding' and 'resp.hdr.padding' fieds to the guest. This
|
||||
patch fix this issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 5818661e.0860240a.77264.7a56@mx.google.com
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 42a8dadc74f8982fc269e54e3c5627b54d9f83d8)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index fa19294..5878809 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -345,6 +345,7 @@ static void virgl_cmd_get_capset_info(VirtIOGPU *g,
|
||||
|
||||
VIRTIO_GPU_FILL_CMD(info);
|
||||
|
||||
+ memset(&resp, 0, sizeof(resp));
|
||||
if (info.capset_index == 0) {
|
||||
resp.capset_id = VIRTIO_GPU_CAPSET_VIRGL;
|
||||
virgl_renderer_get_cap_set(resp.capset_id,
|
|
@ -0,0 +1,33 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 04:06:58 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix memory leak in update_cursor_data_virgl
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In update_cursor_data_virgl function, if the 'width'/ 'height'
|
||||
is not equal to current cursor's width/height it will return
|
||||
without free the 'data' allocated previously. This will lead
|
||||
a memory leak issue. This patch fix this issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 58187760.41d71c0a.cca75.4cb9@mx.google.com
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 2d1cd6c7a91a4beb99a0c3a21be529222a708545)
|
||||
---
|
||||
hw/display/virtio-gpu.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index d345276..f41afc7 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -79,6 +79,7 @@ static void update_cursor_data_virgl(VirtIOGPU *g,
|
||||
|
||||
if (width != s->current_cursor->width ||
|
||||
height != s->current_cursor->height) {
|
||||
+ free(data);
|
||||
return;
|
||||
}
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 7 Nov 2016 21:57:46 -0800
|
||||
Subject: [PATCH] usbredir: free vm_change_state_handler in usbredir destroy
|
||||
dispatch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In usbredir destroy dispatch function, it doesn't free the vm change
|
||||
state handler once registered in usbredir_realize function. This will
|
||||
lead a memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 58216976.d0236b0a.77b99.bcd6@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 07b026fd82d6cf11baf7d7c603c4f5f6070b35bf)
|
||||
---
|
||||
hw/usb/redirect.c | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
|
||||
index 8d80540..136cacc 100644
|
||||
--- a/hw/usb/redirect.c
|
||||
+++ b/hw/usb/redirect.c
|
||||
@@ -131,6 +131,7 @@ struct USBRedirDevice {
|
||||
struct usbredirfilter_rule *filter_rules;
|
||||
int filter_rules_count;
|
||||
int compatible_speedmask;
|
||||
+ VMChangeStateEntry *vmstate;
|
||||
};
|
||||
|
||||
#define TYPE_USB_REDIR "usb-redir"
|
||||
@@ -1406,7 +1407,8 @@ static void usbredir_realize(USBDevice *udev, Error **errp)
|
||||
qemu_chr_add_handlers(dev->cs, usbredir_chardev_can_read,
|
||||
usbredir_chardev_read, usbredir_chardev_event, dev);
|
||||
|
||||
- qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
|
||||
+ dev->vmstate =
|
||||
+ qemu_add_vm_change_state_handler(usbredir_vm_state_change, dev);
|
||||
}
|
||||
|
||||
static void usbredir_cleanup_device_queues(USBRedirDevice *dev)
|
||||
@@ -1443,6 +1445,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
|
||||
}
|
||||
|
||||
free(dev->filter_rules);
|
||||
+ qemu_del_vm_change_state_handler(dev->vmstate);
|
||||
}
|
||||
|
||||
static int usbredir_check_filter(USBRedirDevice *dev)
|
|
@ -0,0 +1,28 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 8 Nov 2016 04:11:10 -0800
|
||||
Subject: [PATCH] usb: ehci: fix memory leak in ehci_init_transfer
|
||||
|
||||
In ehci_init_transfer function, if the 'cpage' is bigger than 4,
|
||||
it doesn't free the 'p->sgl' once allocated previously thus leading
|
||||
a memory leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 5821c0f4.091c6b0a.e0c92.e811@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 791f97758e223de3290592d169f8e6339c281714)
|
||||
---
|
||||
hw/usb/hcd-ehci.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/hw/usb/hcd-ehci.c b/hw/usb/hcd-ehci.c
|
||||
index 92241bb..b8559e2 100644
|
||||
--- a/hw/usb/hcd-ehci.c
|
||||
+++ b/hw/usb/hcd-ehci.c
|
||||
@@ -1190,6 +1190,7 @@ static int ehci_init_transfer(EHCIPacket *p)
|
||||
while (bytes > 0) {
|
||||
if (cpage > 4) {
|
||||
fprintf(stderr, "cpage out of range (%d)\n", cpage);
|
||||
+ qemu_sglist_destroy(&p->sgl);
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: adjust the order of resource cleanup in device
|
||||
unrealize
|
||||
|
||||
Unrealize should undo things that were set during realize in
|
||||
reverse order. So should do in the error path in realize.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 4774718e5c194026ba5ee7a28d9be49be3080e42)
|
||||
---
|
||||
hw/9pfs/9p.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 86f44db..6979c58 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3481,8 +3481,8 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
|
||||
rc = 0;
|
||||
out:
|
||||
if (rc) {
|
||||
- g_free(s->ctx.fs_root);
|
||||
g_free(s->tag);
|
||||
+ g_free(s->ctx.fs_root);
|
||||
v9fs_path_free(&path);
|
||||
}
|
||||
return rc;
|
||||
@@ -3490,8 +3490,8 @@ out:
|
||||
|
||||
void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
|
||||
{
|
||||
- g_free(s->ctx.fs_root);
|
||||
g_free(s->tag);
|
||||
+ g_free(s->ctx.fs_root);
|
||||
}
|
||||
|
||||
static void __attribute__((__constructor__)) v9fs_set_fd_limit(void)
|
|
@ -0,0 +1,53 @@
|
|||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: add cleanup operation in FileOperations
|
||||
|
||||
Currently, the backend of VirtFS doesn't have a cleanup
|
||||
function. This will lead resource leak issues if the backed
|
||||
driver allocates resources. This patch addresses this issue.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 702dbcc274e2ca43be20ba64c758c0ca57dab91d)
|
||||
---
|
||||
fsdev/file-op-9p.h | 1 +
|
||||
hw/9pfs/9p.c | 6 ++++++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/fsdev/file-op-9p.h b/fsdev/file-op-9p.h
|
||||
index b8c2602..0681021 100644
|
||||
--- a/fsdev/file-op-9p.h
|
||||
+++ b/fsdev/file-op-9p.h
|
||||
@@ -99,6 +99,7 @@ struct FileOperations
|
||||
{
|
||||
int (*parse_opts)(QemuOpts *, struct FsDriverEntry *);
|
||||
int (*init)(struct FsContext *);
|
||||
+ void (*cleanup)(struct FsContext *);
|
||||
int (*lstat)(FsContext *, V9fsPath *, struct stat *);
|
||||
ssize_t (*readlink)(FsContext *, V9fsPath *, char *, size_t);
|
||||
int (*chmod)(FsContext *, V9fsPath *, FsCred *);
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 6979c58..84be1c8 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3481,6 +3481,9 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
|
||||
rc = 0;
|
||||
out:
|
||||
if (rc) {
|
||||
+ if (s->ops->cleanup && s->ctx.private) {
|
||||
+ s->ops->cleanup(&s->ctx);
|
||||
+ }
|
||||
g_free(s->tag);
|
||||
g_free(s->ctx.fs_root);
|
||||
v9fs_path_free(&path);
|
||||
@@ -3490,6 +3493,9 @@ out:
|
||||
|
||||
void v9fs_device_unrealize_common(V9fsState *s, Error **errp)
|
||||
{
|
||||
+ if (s->ops->cleanup) {
|
||||
+ s->ops->cleanup(&s->ctx);
|
||||
+ }
|
||||
g_free(s->tag);
|
||||
g_free(s->ctx.fs_root);
|
||||
}
|
|
@ -0,0 +1,44 @@
|
|||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: add cleanup operation for handle backend driver
|
||||
|
||||
In the init operation of handle backend dirver, it allocates a
|
||||
handle_data struct and opens a mount file. We should free these
|
||||
resources when the 9pfs device is unrealized. This is what this
|
||||
patch does.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 971f406b77a6eb84e0ad27dcc416b663765aee30)
|
||||
---
|
||||
hw/9pfs/9p-handle.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p-handle.c b/hw/9pfs/9p-handle.c
|
||||
index 8940414..6ce923d 100644
|
||||
--- a/hw/9pfs/9p-handle.c
|
||||
+++ b/hw/9pfs/9p-handle.c
|
||||
@@ -651,6 +651,14 @@ out:
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static void handle_cleanup(FsContext *ctx)
|
||||
+{
|
||||
+ struct handle_data *data = ctx->private;
|
||||
+
|
||||
+ close(data->mountfd);
|
||||
+ g_free(data);
|
||||
+}
|
||||
+
|
||||
static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
|
||||
{
|
||||
const char *sec_model = qemu_opt_get(opts, "security_model");
|
||||
@@ -673,6 +681,7 @@ static int handle_parse_opts(QemuOpts *opts, struct FsDriverEntry *fse)
|
||||
FileOperations handle_ops = {
|
||||
.parse_opts = handle_parse_opts,
|
||||
.init = handle_init,
|
||||
+ .cleanup = handle_cleanup,
|
||||
.lstat = handle_lstat,
|
||||
.readlink = handle_readlink,
|
||||
.close = handle_close,
|
|
@ -0,0 +1,44 @@
|
|||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Wed, 23 Nov 2016 13:53:34 +0100
|
||||
Subject: [PATCH] 9pfs: add cleanup operation for proxy backend driver
|
||||
|
||||
In the init operation of proxy backend dirver, it allocates a
|
||||
V9fsProxy struct and some other resources. We should free these
|
||||
resources when the 9pfs device is unrealized. This is what this
|
||||
patch does.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Greg Kurz <groug@kaod.org>
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
(cherry picked from commit 898ae90a44551d25b8e956fd87372d303c82fe68)
|
||||
---
|
||||
hw/9pfs/9p-proxy.c | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/hw/9pfs/9p-proxy.c b/hw/9pfs/9p-proxy.c
|
||||
index 00a4eb2..7c6aaf3 100644
|
||||
--- a/hw/9pfs/9p-proxy.c
|
||||
+++ b/hw/9pfs/9p-proxy.c
|
||||
@@ -1181,9 +1181,22 @@ static int proxy_init(FsContext *ctx)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static void proxy_cleanup(FsContext *ctx)
|
||||
+{
|
||||
+ V9fsProxy *proxy = ctx->private;
|
||||
+
|
||||
+ g_free(proxy->out_iovec.iov_base);
|
||||
+ g_free(proxy->in_iovec.iov_base);
|
||||
+ if (ctx->export_flags & V9FS_PROXY_SOCK_NAME) {
|
||||
+ close(proxy->sockfd);
|
||||
+ }
|
||||
+ g_free(proxy);
|
||||
+}
|
||||
+
|
||||
FileOperations proxy_ops = {
|
||||
.parse_opts = proxy_parse_opts,
|
||||
.init = proxy_init,
|
||||
+ .cleanup = proxy_cleanup,
|
||||
.lstat = proxy_lstat,
|
||||
.readlink = proxy_readlink,
|
||||
.close = proxy_close,
|
|
@ -0,0 +1,29 @@
|
|||
From: Greg Kurz <groug@kaod.org>
|
||||
Date: Tue, 3 Jan 2017 17:28:44 +0100
|
||||
Subject: [PATCH] 9pfs: fix crash when fsdev is missing
|
||||
|
||||
If the user passes -device virtio-9p without the corresponding -fsdev, QEMU
|
||||
dereferences a NULL pointer and crashes.
|
||||
|
||||
This is a 2.8 regression introduced by commit 702dbcc274e2c.
|
||||
|
||||
Signed-off-by: Greg Kurz <groug@kaod.org>
|
||||
Reviewed-by: Li Qiang <liq3ea@gmail.com>
|
||||
(cherry picked from commit f2b58c43758efc61e2a49b899f5e58848489d0dc)
|
||||
---
|
||||
hw/9pfs/9p.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
|
||||
index 84be1c8..be2095a 100644
|
||||
--- a/hw/9pfs/9p.c
|
||||
+++ b/hw/9pfs/9p.c
|
||||
@@ -3481,7 +3481,7 @@ int v9fs_device_realize_common(V9fsState *s, Error **errp)
|
||||
rc = 0;
|
||||
out:
|
||||
if (rc) {
|
||||
- if (s->ops->cleanup && s->ctx.private) {
|
||||
+ if (s->ops && s->ops->cleanup && s->ctx.private) {
|
||||
s->ops->cleanup(&s->ctx);
|
||||
}
|
||||
g_free(s->tag);
|
|
@ -0,0 +1,37 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 14 Dec 2016 12:31:56 +0530
|
||||
Subject: [PATCH] display: virtio-gpu-3d: check virgl capabilities max_size
|
||||
|
||||
Virtio GPU device while processing 'VIRTIO_GPU_CMD_GET_CAPSET'
|
||||
command, retrieves the maximum capabilities size to fill in the
|
||||
response object. It continues to fill in capabilities even if
|
||||
retrieved 'max_size' is zero(0), thus resulting in OOB access.
|
||||
Add check to avoid it.
|
||||
|
||||
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20161214070156.23368-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit abd7f08b2353f43274b785db8c7224f082ef4d31)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index 5878809..bb2e9a1 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -369,8 +369,12 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
||||
|
||||
virgl_renderer_get_cap_set(gc.capset_id, &max_ver,
|
||||
&max_size);
|
||||
- resp = g_malloc(sizeof(*resp) + max_size);
|
||||
+ if (!max_size) {
|
||||
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
|
||||
+ return;
|
||||
+ }
|
||||
|
||||
+ resp = g_malloc(sizeof(*resp) + max_size);
|
||||
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
||||
virgl_renderer_fill_caps(gc.capset_id,
|
||||
gc.capset_version,
|
|
@ -0,0 +1,37 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 1 Nov 2016 05:37:57 -0700
|
||||
Subject: [PATCH] virtio-gpu: fix information leak in capset get dispatch
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
In virgl_cmd_get_capset function, it uses g_malloc to allocate
|
||||
a response struct to the guest. As the 'resp'struct hasn't been full
|
||||
initialized it will lead the 'resp->padding' field to the guest.
|
||||
Use g_malloc0 to avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 58188cae.4a6ec20a.3d2d1.aff2@mx.google.com
|
||||
|
||||
[ kraxel: resolved conflict ]
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 85d9d044471f93c48c5c396f7e217b4ef12f69f8)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index bb2e9a1..420187e 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -374,7 +374,7 @@ static void virgl_cmd_get_capset(VirtIOGPU *g,
|
||||
return;
|
||||
}
|
||||
|
||||
- resp = g_malloc(sizeof(*resp) + max_size);
|
||||
+ resp = g_malloc0(sizeof(*resp) + max_size);
|
||||
resp->hdr.type = VIRTIO_GPU_RESP_OK_CAPSET;
|
||||
virgl_renderer_fill_caps(gc.capset_id,
|
||||
gc.capset_version,
|
|
@ -0,0 +1,41 @@
|
|||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Mon, 28 Nov 2016 21:29:25 -0500
|
||||
Subject: [PATCH] virtio-gpu: call cleanup mapping function in resource destroy
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the guest destroy the resource before detach banking, the 'iov'
|
||||
and 'addrs' field in resource is not freed thus leading memory
|
||||
leak issue. This patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 1480386565-10077-1-git-send-email-liq3ea@gmail.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit b8e23926c568f2e963af39028b71c472e3023793)
|
||||
---
|
||||
hw/display/virtio-gpu.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
|
||||
index f41afc7..4ccc8bc 100644
|
||||
--- a/hw/display/virtio-gpu.c
|
||||
+++ b/hw/display/virtio-gpu.c
|
||||
@@ -23,6 +23,8 @@
|
||||
static struct virtio_gpu_simple_resource*
|
||||
virtio_gpu_find_resource(VirtIOGPU *g, uint32_t resource_id);
|
||||
|
||||
+static void virtio_gpu_cleanup_mapping(struct virtio_gpu_simple_resource *res);
|
||||
+
|
||||
#ifdef CONFIG_VIRGL
|
||||
#include "virglrenderer.h"
|
||||
#define VIRGL(_g, _virgl, _simple, ...) \
|
||||
@@ -349,6 +351,7 @@ static void virtio_gpu_resource_destroy(VirtIOGPU *g,
|
||||
struct virtio_gpu_simple_resource *res)
|
||||
{
|
||||
pixman_image_unref(res->image);
|
||||
+ virtio_gpu_cleanup_mapping(res);
|
||||
QTAILQ_REMOVE(&g->reslist, res, next);
|
||||
g_free(res);
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 14 Dec 2016 18:30:21 -0800
|
||||
Subject: [PATCH] audio: ac97: add exit function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently the ac97 device emulation doesn't have a exit function,
|
||||
hot unplug this device will leak some memory. Add a exit function to
|
||||
avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 58520052.4825ed0a.27a71.6cae@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 12351a91da97b414eec8cdb09f1d9f41e535a401)
|
||||
---
|
||||
hw/audio/ac97.c | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/hw/audio/ac97.c b/hw/audio/ac97.c
|
||||
index cbd959e..c306575 100644
|
||||
--- a/hw/audio/ac97.c
|
||||
+++ b/hw/audio/ac97.c
|
||||
@@ -1387,6 +1387,16 @@ static void ac97_realize(PCIDevice *dev, Error **errp)
|
||||
ac97_on_reset (&s->dev.qdev);
|
||||
}
|
||||
|
||||
+static void ac97_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ AC97LinkState *s = DO_UPCAST(AC97LinkState, dev, dev);
|
||||
+
|
||||
+ AUD_close_in(&s->card, s->voice_pi);
|
||||
+ AUD_close_out(&s->card, s->voice_po);
|
||||
+ AUD_close_in(&s->card, s->voice_mc);
|
||||
+ AUD_remove_card(&s->card);
|
||||
+}
|
||||
+
|
||||
static int ac97_init (PCIBus *bus)
|
||||
{
|
||||
pci_create_simple (bus, -1, "AC97");
|
||||
@@ -1404,6 +1414,7 @@ static void ac97_class_init (ObjectClass *klass, void *data)
|
||||
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
|
||||
|
||||
k->realize = ac97_realize;
|
||||
+ k->exit = ac97_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = PCI_DEVICE_ID_INTEL_82801AA_5;
|
||||
k->revision = 0x01;
|
|
@ -0,0 +1,52 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 14 Dec 2016 18:32:22 -0800
|
||||
Subject: [PATCH] audio: es1370: add exit function
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Currently the es1370 device emulation doesn't have a exit function,
|
||||
hot unplug this device will leak some memory. Add a exit function to
|
||||
avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 585200c9.a968ca0a.1ab80.4c98@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da)
|
||||
---
|
||||
hw/audio/es1370.c | 14 ++++++++++++++
|
||||
1 file changed, 14 insertions(+)
|
||||
|
||||
diff --git a/hw/audio/es1370.c b/hw/audio/es1370.c
|
||||
index 8449b5f..883ec69 100644
|
||||
--- a/hw/audio/es1370.c
|
||||
+++ b/hw/audio/es1370.c
|
||||
@@ -1041,6 +1041,19 @@ static void es1370_realize(PCIDevice *dev, Error **errp)
|
||||
es1370_reset (s);
|
||||
}
|
||||
|
||||
+static void es1370_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ ES1370State *s = ES1370(dev);
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < 2; ++i) {
|
||||
+ AUD_close_out(&s->card, s->dac_voice[i]);
|
||||
+ }
|
||||
+
|
||||
+ AUD_close_in(&s->card, s->adc_voice);
|
||||
+ AUD_remove_card(&s->card);
|
||||
+}
|
||||
+
|
||||
static int es1370_init (PCIBus *bus)
|
||||
{
|
||||
pci_create_simple (bus, -1, TYPE_ES1370);
|
||||
@@ -1053,6 +1066,7 @@ static void es1370_class_init (ObjectClass *klass, void *data)
|
||||
PCIDeviceClass *k = PCI_DEVICE_CLASS (klass);
|
||||
|
||||
k->realize = es1370_realize;
|
||||
+ k->exit = es1370_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_ENSONIQ;
|
||||
k->device_id = PCI_DEVICE_ID_ENSONIQ_ES1370;
|
||||
k->class_id = PCI_CLASS_MULTIMEDIA_AUDIO;
|
|
@ -0,0 +1,43 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Mon, 28 Nov 2016 17:49:04 -0800
|
||||
Subject: [PATCH] watchdog: 6300esb: add exit function
|
||||
|
||||
When the Intel 6300ESB watchdog is hot unplug. The timer allocated
|
||||
in realize isn't freed thus leaking memory leak. This patch avoid
|
||||
this through adding the exit function.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-Id: <583cde9c.3223ed0a.7f0c2.886e@mx.google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit eb7a20a3616085d46aa6b4b4224e15587ec67e6e)
|
||||
---
|
||||
hw/watchdog/wdt_i6300esb.c | 9 +++++++++
|
||||
1 file changed, 9 insertions(+)
|
||||
|
||||
diff --git a/hw/watchdog/wdt_i6300esb.c b/hw/watchdog/wdt_i6300esb.c
|
||||
index a83d951..49b3cd1 100644
|
||||
--- a/hw/watchdog/wdt_i6300esb.c
|
||||
+++ b/hw/watchdog/wdt_i6300esb.c
|
||||
@@ -428,6 +428,14 @@ static void i6300esb_realize(PCIDevice *dev, Error **errp)
|
||||
/* qemu_register_coalesced_mmio (addr, 0x10); ? */
|
||||
}
|
||||
|
||||
+static void i6300esb_exit(PCIDevice *dev)
|
||||
+{
|
||||
+ I6300State *d = WATCHDOG_I6300ESB_DEVICE(dev);
|
||||
+
|
||||
+ timer_del(d->timer);
|
||||
+ timer_free(d->timer);
|
||||
+}
|
||||
+
|
||||
static WatchdogTimerModel model = {
|
||||
.wdt_name = "i6300esb",
|
||||
.wdt_description = "Intel 6300ESB",
|
||||
@@ -441,6 +449,7 @@ static void i6300esb_class_init(ObjectClass *klass, void *data)
|
||||
k->config_read = i6300esb_config_read;
|
||||
k->config_write = i6300esb_config_write;
|
||||
k->realize = i6300esb_realize;
|
||||
+ k->exit = i6300esb_exit;
|
||||
k->vendor_id = PCI_VENDOR_ID_INTEL;
|
||||
k->device_id = PCI_DEVICE_ID_INTEL_ESB_9;
|
||||
k->class_id = PCI_CLASS_SYSTEM_OTHER;
|
|
@ -0,0 +1,38 @@
|
|||
From: Li Qiang <liq3ea@gmail.com>
|
||||
Date: Thu, 29 Dec 2016 03:11:26 -0500
|
||||
Subject: [PATCH] virtio-gpu-3d: fix memory leak in resource attach backing
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
If the virgl_renderer_resource_attach_iov function fails the
|
||||
'res_iovs' will be leaked. Add check of the return value to
|
||||
free the 'res_iovs' when failing.
|
||||
|
||||
Signed-off-by: Li Qiang <liq3ea@gmail.com>
|
||||
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
|
||||
Message-id: 1482999086-59795-1-git-send-email-liq3ea@gmail.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 33243031dad02d161225ba99d782616da133f689)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 7 +++++--
|
||||
1 file changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index 420187e..4cffab5 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -289,8 +289,11 @@ static void virgl_resource_attach_backing(VirtIOGPU *g,
|
||||
return;
|
||||
}
|
||||
|
||||
- virgl_renderer_resource_attach_iov(att_rb.resource_id,
|
||||
- res_iovs, att_rb.nr_entries);
|
||||
+ ret = virgl_renderer_resource_attach_iov(att_rb.resource_id,
|
||||
+ res_iovs, att_rb.nr_entries);
|
||||
+
|
||||
+ if (ret != 0)
|
||||
+ virtio_gpu_cleanup_mapping_iov(res_iovs, att_rb.nr_entries);
|
||||
}
|
||||
|
||||
static void virgl_resource_detach_backing(VirtIOGPU *g,
|
|
@ -0,0 +1,34 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 7 Feb 2017 18:29:59 +0000
|
||||
Subject: [PATCH] sd: sdhci: check data length during dma_memory_read
|
||||
|
||||
While doing multi block SDMA transfer in routine
|
||||
'sdhci_sdma_transfer_multi_blocks', the 's->fifo_buffer' starting
|
||||
index 'begin' and data length 's->data_count' could end up to be same.
|
||||
This could lead to an OOB access issue. Correct transfer data length
|
||||
to avoid it.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
Message-id: 20170130064736.9236-1-ppandit@redhat.com
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 42922105beb14c2fc58185ea022b9f72fb5465e9)
|
||||
---
|
||||
hw/sd/sdhci.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index d28b587..f4cf5c7 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -535,7 +535,7 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
boundary_count -= block_size - begin;
|
||||
}
|
||||
dma_memory_read(&address_space_memory, s->sdmasysad,
|
||||
- &s->fifo_buffer[begin], s->data_count);
|
||||
+ &s->fifo_buffer[begin], s->data_count - begin);
|
||||
s->sdmasysad += s->data_count - begin;
|
||||
if (s->data_count == block_size) {
|
||||
for (n = 0; n < block_size; n++) {
|
|
@ -0,0 +1,61 @@
|
|||
From: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Date: Mon, 2 Jan 2017 11:03:33 +0100
|
||||
Subject: [PATCH] megasas: fix guest-triggered memory leak
|
||||
|
||||
If the guest sets the sglist size to a value >=2GB, megasas_handle_dcmd
|
||||
will return MFI_STAT_MEMORY_NOT_AVAILABLE without freeing the memory.
|
||||
Avoid this by returning only the status from map_dcmd, and loading
|
||||
cmd->iov_size in the caller.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 765a707000e838c30b18d712fe6cb3dd8e0435f3)
|
||||
---
|
||||
hw/scsi/megasas.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/scsi/megasas.c b/hw/scsi/megasas.c
|
||||
index a9ffc32..d42d34b 100644
|
||||
--- a/hw/scsi/megasas.c
|
||||
+++ b/hw/scsi/megasas.c
|
||||
@@ -682,14 +682,14 @@ static int megasas_map_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||
trace_megasas_dcmd_invalid_sge(cmd->index,
|
||||
cmd->frame->header.sge_count);
|
||||
cmd->iov_size = 0;
|
||||
- return -1;
|
||||
+ return -EINVAL;
|
||||
}
|
||||
iov_pa = megasas_sgl_get_addr(cmd, &cmd->frame->dcmd.sgl);
|
||||
iov_size = megasas_sgl_get_len(cmd, &cmd->frame->dcmd.sgl);
|
||||
pci_dma_sglist_init(&cmd->qsg, PCI_DEVICE(s), 1);
|
||||
qemu_sglist_add(&cmd->qsg, iov_pa, iov_size);
|
||||
cmd->iov_size = iov_size;
|
||||
- return cmd->iov_size;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
static void megasas_finish_dcmd(MegasasCmd *cmd, uint32_t iov_size)
|
||||
@@ -1562,19 +1562,20 @@ static const struct dcmd_cmd_tbl_t {
|
||||
|
||||
static int megasas_handle_dcmd(MegasasState *s, MegasasCmd *cmd)
|
||||
{
|
||||
- int opcode, len;
|
||||
+ int opcode;
|
||||
int retval = 0;
|
||||
+ size_t len;
|
||||
const struct dcmd_cmd_tbl_t *cmdptr = dcmd_cmd_tbl;
|
||||
|
||||
opcode = le32_to_cpu(cmd->frame->dcmd.opcode);
|
||||
trace_megasas_handle_dcmd(cmd->index, opcode);
|
||||
- len = megasas_map_dcmd(s, cmd);
|
||||
- if (len < 0) {
|
||||
+ if (megasas_map_dcmd(s, cmd) < 0) {
|
||||
return MFI_STAT_MEMORY_NOT_AVAILABLE;
|
||||
}
|
||||
while (cmdptr->opcode != -1 && cmdptr->opcode != opcode) {
|
||||
cmdptr++;
|
||||
}
|
||||
+ len = cmd->iov_size;
|
||||
if (cmdptr->opcode == -1) {
|
||||
trace_megasas_dcmd_unhandled(cmd->index, opcode, len);
|
||||
retval = megasas_dcmd_dummy(s, cmd);
|
|
@ -0,0 +1,45 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Mon, 23 Jan 2017 11:26:50 +0100
|
||||
Subject: [PATCH] virtio-gpu: fix resource leak in virgl_cmd_resource_unref
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
When the guest sends VIRTIO_GPU_CMD_RESOURCE_UNREF without detaching the
|
||||
backing storage beforehand (VIRTIO_GPU_CMD_RESOURCE_DETACH_BACKING)
|
||||
we'll leak memory.
|
||||
|
||||
This patch fixes it for 3d mode, simliar to the 2d mode fix in commit
|
||||
"b8e2392 virtio-gpu: call cleanup mapping function in resource destroy".
|
||||
|
||||
Reported-by: 李强 <liqiang6-s@360.cn>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485167210-4757-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 5e8e3c4c75c199aa1017db816fca02be2a9f8798)
|
||||
---
|
||||
hw/display/virtio-gpu-3d.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/display/virtio-gpu-3d.c b/hw/display/virtio-gpu-3d.c
|
||||
index 4cffab5..e78b3c8 100644
|
||||
--- a/hw/display/virtio-gpu-3d.c
|
||||
+++ b/hw/display/virtio-gpu-3d.c
|
||||
@@ -76,10 +76,18 @@ static void virgl_cmd_resource_unref(VirtIOGPU *g,
|
||||
struct virtio_gpu_ctrl_command *cmd)
|
||||
{
|
||||
struct virtio_gpu_resource_unref unref;
|
||||
+ struct iovec *res_iovs = NULL;
|
||||
+ int num_iovs = 0;
|
||||
|
||||
VIRTIO_GPU_FILL_CMD(unref);
|
||||
trace_virtio_gpu_cmd_res_unref(unref.resource_id);
|
||||
|
||||
+ virgl_renderer_resource_detach_iov(unref.resource_id,
|
||||
+ &res_iovs,
|
||||
+ &num_iovs);
|
||||
+ if (res_iovs != NULL && num_iovs != 0) {
|
||||
+ virtio_gpu_cleanup_mapping_iov(res_iovs, num_iovs);
|
||||
+ }
|
||||
virgl_renderer_resource_unref(unref.resource_id);
|
||||
}
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Fri, 3 Feb 2017 00:52:28 +0530
|
||||
Subject: [PATCH] usb: ccid: check ccid apdu length
|
||||
|
||||
CCID device emulator uses Application Protocol Data Units(APDU)
|
||||
to exchange command and responses to and from the host.
|
||||
The length in these units couldn't be greater than 65536. Add
|
||||
check to ensure the same. It'd also avoid potential integer
|
||||
overflow in emulated_apdu_from_guest.
|
||||
|
||||
Reported-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20170202192228.10847-1-ppandit@redhat.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit c7dfbf322595ded4e70b626bf83158a9f3807c6a)
|
||||
---
|
||||
hw/usb/dev-smartcard-reader.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/dev-smartcard-reader.c b/hw/usb/dev-smartcard-reader.c
|
||||
index af4b851..fc32b00 100644
|
||||
--- a/hw/usb/dev-smartcard-reader.c
|
||||
+++ b/hw/usb/dev-smartcard-reader.c
|
||||
@@ -967,7 +967,7 @@ static void ccid_on_apdu_from_guest(USBCCIDState *s, CCID_XferBlock *recv)
|
||||
DPRINTF(s, 1, "%s: seq %d, len %d\n", __func__,
|
||||
recv->hdr.bSeq, len);
|
||||
ccid_add_pending_answer(s, (CCID_Header *)recv);
|
||||
- if (s->card) {
|
||||
+ if (s->card && len <= BULK_OUT_DATA_SIZE) {
|
||||
ccid_card_apdu_from_guest(s->card, recv->abData, len);
|
||||
} else {
|
||||
DPRINTF(s, D_WARN, "warning: discarded apdu\n");
|
|
@ -0,0 +1,51 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Tue, 28 Feb 2017 12:08:14 +0000
|
||||
Subject: [PATCH] sd: sdhci: check transfer mode register in multi block
|
||||
transfer
|
||||
|
||||
In the SDHCI protocol, the transfer mode register value
|
||||
is used during multi block transfer to check if block count
|
||||
register is enabled and should be updated. Transfer mode
|
||||
register could be set such that, block count register would
|
||||
not be updated, thus leading to an infinite loop. Add check
|
||||
to avoid it.
|
||||
|
||||
Reported-by: Wjjzhang <wjjzhang@tencent.com>
|
||||
Reported-by: Jiang Xin <jiangxin1@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Message-id: 20170214185225.7994-3-ppandit@redhat.com
|
||||
Reviewed-by: Alistair Francis <alistair.francis@xilinx.com>
|
||||
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
|
||||
(cherry picked from commit 6e86d90352adf6cb08295255220295cf23c4286e)
|
||||
---
|
||||
hw/sd/sdhci.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/hw/sd/sdhci.c b/hw/sd/sdhci.c
|
||||
index f4cf5c7..fedc786 100644
|
||||
--- a/hw/sd/sdhci.c
|
||||
+++ b/hw/sd/sdhci.c
|
||||
@@ -485,6 +485,11 @@ static void sdhci_sdma_transfer_multi_blocks(SDHCIState *s)
|
||||
uint32_t boundary_chk = 1 << (((s->blksize & 0xf000) >> 12) + 12);
|
||||
uint32_t boundary_count = boundary_chk - (s->sdmasysad % boundary_chk);
|
||||
|
||||
+ if (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || !s->blkcnt) {
|
||||
+ qemu_log_mask(LOG_UNIMP, "infinite transfer is not supported\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
/* XXX: Some sd/mmc drivers (for example, u-boot-slp) do not account for
|
||||
* possible stop at page boundary if initial address is not page aligned,
|
||||
* allow them to work properly */
|
||||
@@ -796,11 +801,6 @@ static void sdhci_data_transfer(void *opaque)
|
||||
if (s->trnmod & SDHC_TRNS_DMA) {
|
||||
switch (SDHC_DMA_TYPE(s->hostctl)) {
|
||||
case SDHC_CTRL_SDMA:
|
||||
- if ((s->trnmod & SDHC_TRNS_MULTI) &&
|
||||
- (!(s->trnmod & SDHC_TRNS_BLK_CNT_EN) || s->blkcnt == 0)) {
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
if ((s->blkcnt == 1) || !(s->trnmod & SDHC_TRNS_MULTI)) {
|
||||
sdhci_sdma_transfer_single_block(s);
|
||||
} else {
|
|
@ -0,0 +1,49 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Tue, 7 Feb 2017 02:23:33 -0800
|
||||
Subject: [PATCH] usb: ohci: limit the number of link eds
|
||||
|
||||
The guest may builds an infinite loop with link eds. This patch
|
||||
limit the number of linked ed to avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-id: 5899a02e.45ca240a.6c373.93c1@mx.google.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb)
|
||||
---
|
||||
hw/usb/hcd-ohci.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c
|
||||
index 16d9ff7..1af518d 100644
|
||||
--- a/hw/usb/hcd-ohci.c
|
||||
+++ b/hw/usb/hcd-ohci.c
|
||||
@@ -42,6 +42,8 @@
|
||||
|
||||
#define OHCI_MAX_PORTS 15
|
||||
|
||||
+#define ED_LINK_LIMIT 4
|
||||
+
|
||||
static int64_t usb_frame_time;
|
||||
static int64_t usb_bit_time;
|
||||
|
||||
@@ -1184,7 +1186,7 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
|
||||
uint32_t next_ed;
|
||||
uint32_t cur;
|
||||
int active;
|
||||
-
|
||||
+ uint32_t link_cnt = 0;
|
||||
active = 0;
|
||||
|
||||
if (head == 0)
|
||||
@@ -1199,6 +1201,11 @@ static int ohci_service_ed_list(OHCIState *ohci, uint32_t head, int completion)
|
||||
|
||||
next_ed = ed.next & OHCI_DPTR_MASK;
|
||||
|
||||
+ if (++link_cnt > ED_LINK_LIMIT) {
|
||||
+ ohci_die(ohci);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if ((ed.head & OHCI_ED_H) || (ed.flags & OHCI_ED_K)) {
|
||||
uint32_t addr;
|
||||
/* Cancel pending packets for ED that have been paused. */
|
|
@ -0,0 +1,69 @@
|
|||
From: Bruce Rogers <brogers@suse.com>
|
||||
Date: Mon, 9 Jan 2017 13:35:20 -0700
|
||||
Subject: [PATCH] display: cirrus: ignore source pitch value as needed in
|
||||
blit_is_unsafe
|
||||
|
||||
Commit 4299b90 added a check which is too broad, given that the source
|
||||
pitch value is not required to be initialized for solid fill operations.
|
||||
This patch refines the blit_is_unsafe() check to ignore source pitch in
|
||||
that case. After applying the above commit as a security patch, we
|
||||
noticed the SLES 11 SP4 guest gui failed to initialize properly.
|
||||
|
||||
Signed-off-by: Bruce Rogers <brogers@suse.com>
|
||||
Message-id: 20170109203520.5619-1-brogers@suse.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 913a87885f589d263e682c2eb6637c6e14538061)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index bdb092e..379910d 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
{
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s)
|
||||
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
+ if (dst_only) {
|
||||
+ return false;
|
||||
+ }
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
|
||||
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s)) {
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
|
@ -0,0 +1,47 @@
|
|||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Wed, 25 Jan 2017 14:48:57 +0100
|
||||
Subject: [PATCH] cirrus: handle negative pitch in cirrus_invalidate_region()
|
||||
|
||||
cirrus_invalidate_region() calls memory_region_set_dirty()
|
||||
on a per-line basis, always ranging from off_begin to
|
||||
off_begin+bytesperline. With a negative pitch off_begin
|
||||
marks the top most used address and thus we need to do an
|
||||
initial shift backwards by a line for negative pitches of
|
||||
backward blits, otherwise the first iteration covers the
|
||||
line going from the start offset forwards instead of
|
||||
backwards.
|
||||
Additionally since the start address is inclusive, if we
|
||||
shift by a full `bytesperline` we move to the first address
|
||||
*not* included in the blit, so we only shift by one less
|
||||
than bytesperline.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Message-id: 1485352137-29367-1-git-send-email-w.bumiller@proxmox.com
|
||||
|
||||
[ kraxel: codestyle fixes ]
|
||||
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit f153b563f8cf121aebf5a2fff5f0110faf58ccb3)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 379910d..0f05e45 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -661,9 +661,14 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
int off_cur;
|
||||
int off_cur_end;
|
||||
|
||||
+ if (off_pitch < 0) {
|
||||
+ off_begin -= bytesperline - 1;
|
||||
+ }
|
||||
+
|
||||
for (y = 0; y < lines; y++) {
|
||||
off_cur = off_begin;
|
||||
off_cur_end = (off_cur + bytesperline) & s->cirrus_addr_mask;
|
||||
+ assert(off_cur_end >= off_cur);
|
||||
memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
|
||||
off_begin += off_pitch;
|
||||
}
|
|
@ -0,0 +1,99 @@
|
|||
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Date: Tue, 24 Jan 2017 16:35:38 +0100
|
||||
Subject: [PATCH] cirrus: allow zero source pitch in pattern fill rops
|
||||
|
||||
The rops used by cirrus_bitblt_common_patterncopy only use
|
||||
the destination pitch, so the source pitch shoul allowed to
|
||||
be zero and the blit with used for the range check around the
|
||||
source address.
|
||||
|
||||
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Message-id: 1485272138-23249-1-git-send-email-w.bumiller@proxmox.com
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 5858dd1801883309bdd208d72ddb81c4e9fee30c)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 27 +++++++++++++++++++--------
|
||||
1 file changed, 19 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 0f05e45..98f089e 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -272,9 +272,6 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
|
||||
static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
int32_t pitch, int32_t addr)
|
||||
{
|
||||
- if (!pitch) {
|
||||
- return true;
|
||||
- }
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
+ ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||
@@ -294,8 +291,11 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
+ bool zero_src_pitch_ok)
|
||||
{
|
||||
+ int32_t check_pitch;
|
||||
+
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
assert(s->cirrus_blt_height > 0);
|
||||
@@ -304,6 +304,10 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
return true;
|
||||
}
|
||||
|
||||
+ if (!s->cirrus_blt_dstpitch) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
@@ -311,7 +315,13 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
if (dst_only) {
|
||||
return false;
|
||||
}
|
||||
- if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
+
|
||||
+ check_pitch = s->cirrus_blt_srcpitch;
|
||||
+ if (!zero_src_pitch_ok && !check_pitch) {
|
||||
+ check_pitch = s->cirrus_blt_width;
|
||||
+ }
|
||||
+
|
||||
+ if (blit_region_is_unsafe(s, check_pitch,
|
||||
s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
return true;
|
||||
}
|
||||
@@ -681,8 +691,9 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
|
||||
dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
|
||||
- if (blit_is_unsafe(s, false))
|
||||
+ if (blit_is_unsafe(s, false, true)) {
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
(*s->cirrus_rop) (s, dst, src,
|
||||
s->cirrus_blt_dstpitch, 0,
|
||||
@@ -699,7 +710,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s, true)) {
|
||||
+ if (blit_is_unsafe(s, true, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -803,7 +814,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s, false))
|
||||
+ if (blit_is_unsafe(s, false, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
|
@ -0,0 +1,101 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 25 Jan 2017 11:09:56 +0100
|
||||
Subject: [PATCH] cirrus: fix blit address mask handling
|
||||
|
||||
Apply the cirrus_addr_mask to cirrus_blt_dstaddr and cirrus_blt_srcaddr
|
||||
right after assigning them, in cirrus_bitblt_start(), instead of having
|
||||
this all over the place in the cirrus code, and missing a few places.
|
||||
|
||||
Reported-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485338996-17095-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 60cd23e85151525ab26591394c4e7e06fa07d216)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 25 ++++++++++++-------------
|
||||
1 file changed, 12 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 98f089e..7db6409 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -309,7 +309,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
}
|
||||
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
- s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) {
|
||||
+ s->cirrus_blt_dstaddr)) {
|
||||
return true;
|
||||
}
|
||||
if (dst_only) {
|
||||
@@ -322,7 +322,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
}
|
||||
|
||||
if (blit_region_is_unsafe(s, check_pitch,
|
||||
- s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) {
|
||||
+ s->cirrus_blt_srcaddr)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -689,7 +689,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
{
|
||||
uint8_t *dst;
|
||||
|
||||
- dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask);
|
||||
+ dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
|
||||
|
||||
if (blit_is_unsafe(s, false, true)) {
|
||||
return 0;
|
||||
@@ -714,7 +714,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
- rop_func(s, s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
+ rop_func(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
|
||||
@@ -732,9 +732,8 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
|
||||
{
|
||||
- return cirrus_bitblt_common_patterncopy(s,
|
||||
- s->vga.vram_ptr + ((s->cirrus_blt_srcaddr & ~7) &
|
||||
- s->cirrus_addr_mask));
|
||||
+ return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
|
||||
+ (s->cirrus_blt_srcaddr & ~7));
|
||||
}
|
||||
|
||||
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
@@ -788,10 +787,8 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
if (notify)
|
||||
graphic_hw_update(s->vga.con);
|
||||
|
||||
- (*s->cirrus_rop) (s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
- s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_srcaddr & s->cirrus_addr_mask),
|
||||
+ (*s->cirrus_rop) (s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
+ s->vga.vram_ptr + s->cirrus_blt_srcaddr,
|
||||
s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_width, s->cirrus_blt_height);
|
||||
|
||||
@@ -842,8 +839,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
} else {
|
||||
/* at least one scan line */
|
||||
do {
|
||||
- (*s->cirrus_rop)(s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_dstaddr & s->cirrus_addr_mask),
|
||||
+ (*s->cirrus_rop)(s, s->vga.vram_ptr + s->cirrus_blt_dstaddr,
|
||||
s->cirrus_bltbuf, 0, 0, s->cirrus_blt_width, 1);
|
||||
cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
|
||||
s->cirrus_blt_width, 1);
|
||||
@@ -962,6 +958,9 @@ static void cirrus_bitblt_start(CirrusVGAState * s)
|
||||
s->cirrus_blt_modeext = s->vga.gr[0x33];
|
||||
blt_rop = s->vga.gr[0x32];
|
||||
|
||||
+ s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
|
||||
+ s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
|
||||
+
|
||||
#ifdef DEBUG_BITBLT
|
||||
printf("rop=0x%02x mode=0x%02x modeext=0x%02x w=%d h=%d dpitch=%d spitch=%d daddr=0x%08x saddr=0x%08x writemask=0x%02x\n",
|
||||
blt_rop,
|
|
@ -0,0 +1,45 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 1 Feb 2017 09:35:01 +0100
|
||||
Subject: [PATCH] cirrus: fix oob access issue (CVE-2017-2615)
|
||||
|
||||
When doing bitblt copy in backward mode, we should minus the
|
||||
blt width first just like the adding in the forward mode. This
|
||||
can avoid the oob access of the front of vga's vram.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
|
||||
{ kraxel: with backward blits (negative pitch) addr is the topmost
|
||||
address, so check it as-is against vram size ]
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: Laszlo Ersek <lersek@redhat.com>
|
||||
Cc: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Fixes: d3532a0db02296e687711b8cdc7791924efccea0 (CVE-2014-8106)
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Message-id: 1485938101-26602-1-git-send-email-kraxel@redhat.com
|
||||
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
|
||||
(cherry picked from commit 62d4c6bd5263bb8413a06c80144fc678df6dfb64)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 7 +++----
|
||||
1 file changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 7db6409..16f27e8 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -274,10 +274,9 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
{
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
- + ((int64_t)s->cirrus_blt_height-1) * pitch;
|
||||
- int32_t max = addr
|
||||
- + s->cirrus_blt_width;
|
||||
- if (min < 0 || max > s->vga.vram_size) {
|
||||
+ + ((int64_t)s->cirrus_blt_height - 1) * pitch
|
||||
+ - s->cirrus_blt_width;
|
||||
+ if (min < -1 || addr >= s->vga.vram_size) {
|
||||
return true;
|
||||
}
|
||||
} else {
|
|
@ -0,0 +1,101 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Thu, 9 Feb 2017 14:02:20 +0100
|
||||
Subject: [PATCH] cirrus: fix patterncopy checks
|
||||
|
||||
The blit_region_is_unsafe checks don't work correctly for the
|
||||
patterncopy source. It's a fixed-sized region, which doesn't
|
||||
depend on cirrus_blt_{width,height}. So go do the check in
|
||||
cirrus_bitblt_common_patterncopy instead, then tell blit_is_unsafe that
|
||||
it doesn't need to verify the source. Also handle the case where we
|
||||
blit from cirrus_bitbuf correctly.
|
||||
|
||||
This patch replaces 5858dd1801883309bdd208d72ddb81c4e9fee30c.
|
||||
|
||||
Security impact: I think for the most part error on the safe side this
|
||||
time, refusing blits which should have been allowed.
|
||||
|
||||
Only exception is placing the blit source at the end of the video ram,
|
||||
so cirrus_blt_srcaddr + 256 goes beyond the end of video memory. But
|
||||
even in that case I'm not fully sure this actually allows read access to
|
||||
host memory. To trick the commit 5858dd18 security checks one has to
|
||||
pick very small cirrus_blt_{width,height} values, which in turn implies
|
||||
only a fraction of the blit source will actually be used.
|
||||
|
||||
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
Reviewed-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
|
||||
Message-id: 1486645341-5010-1-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 95280c31cda79bb1d0968afc7b19a220b3a9d986)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 36 ++++++++++++++++++++++++++++++------
|
||||
1 file changed, 30 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 16f27e8..6bd13fc 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -683,14 +683,39 @@ static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
|
||||
}
|
||||
}
|
||||
|
||||
-static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s,
|
||||
- const uint8_t * src)
|
||||
+static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
{
|
||||
+ uint32_t patternsize;
|
||||
uint8_t *dst;
|
||||
+ uint8_t *src;
|
||||
|
||||
dst = s->vga.vram_ptr + s->cirrus_blt_dstaddr;
|
||||
|
||||
- if (blit_is_unsafe(s, false, true)) {
|
||||
+ if (videosrc) {
|
||||
+ switch (s->vga.get_bpp(&s->vga)) {
|
||||
+ case 8:
|
||||
+ patternsize = 64;
|
||||
+ break;
|
||||
+ case 15:
|
||||
+ case 16:
|
||||
+ patternsize = 128;
|
||||
+ break;
|
||||
+ case 24:
|
||||
+ case 32:
|
||||
+ default:
|
||||
+ patternsize = 256;
|
||||
+ break;
|
||||
+ }
|
||||
+ s->cirrus_blt_srcaddr &= ~(patternsize - 1);
|
||||
+ if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ src = s->vga.vram_ptr + s->cirrus_blt_srcaddr;
|
||||
+ } else {
|
||||
+ src = s->cirrus_bltbuf;
|
||||
+ }
|
||||
+
|
||||
+ if (blit_is_unsafe(s, true, true)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -731,8 +756,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
|
||||
{
|
||||
- return cirrus_bitblt_common_patterncopy(s, s->vga.vram_ptr +
|
||||
- (s->cirrus_blt_srcaddr & ~7));
|
||||
+ return cirrus_bitblt_common_patterncopy(s, true);
|
||||
}
|
||||
|
||||
static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
@@ -831,7 +855,7 @@ static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
|
||||
|
||||
if (s->cirrus_srccounter > 0) {
|
||||
if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
|
||||
- cirrus_bitblt_common_patterncopy(s, s->cirrus_bltbuf);
|
||||
+ cirrus_bitblt_common_patterncopy(s, false);
|
||||
the_end:
|
||||
s->cirrus_srccounter = 0;
|
||||
cirrus_bitblt_reset(s);
|
|
@ -0,0 +1,100 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Thu, 9 Feb 2017 14:02:21 +0100
|
||||
Subject: [PATCH] Revert "cirrus: allow zero source pitch in pattern fill rops"
|
||||
|
||||
This reverts commit 5858dd1801883309bdd208d72ddb81c4e9fee30c.
|
||||
|
||||
Conflicts:
|
||||
hw/display/cirrus_vga.c
|
||||
|
||||
Cc: Wolfgang Bumiller <w.bumiller@proxmox.com>
|
||||
Cc: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
|
||||
Reviewed-by: Laurent Vivier <lvivier@redhat.com>
|
||||
Message-id: 1486645341-5010-2-git-send-email-kraxel@redhat.com
|
||||
(cherry picked from commit 12e97ec39931e5321645fd483ab761319d48bf16)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 26 ++++++++------------------
|
||||
1 file changed, 8 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 6bd13fc..0e47cf8 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -272,6 +272,9 @@ static void cirrus_update_memory_access(CirrusVGAState *s);
|
||||
static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
int32_t pitch, int32_t addr)
|
||||
{
|
||||
+ if (!pitch) {
|
||||
+ return true;
|
||||
+ }
|
||||
if (pitch < 0) {
|
||||
int64_t min = addr
|
||||
+ ((int64_t)s->cirrus_blt_height - 1) * pitch
|
||||
@@ -290,11 +293,8 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s,
|
||||
return false;
|
||||
}
|
||||
|
||||
-static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
- bool zero_src_pitch_ok)
|
||||
+static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
|
||||
{
|
||||
- int32_t check_pitch;
|
||||
-
|
||||
/* should be the case, see cirrus_bitblt_start */
|
||||
assert(s->cirrus_blt_width > 0);
|
||||
assert(s->cirrus_blt_height > 0);
|
||||
@@ -303,10 +303,6 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
return true;
|
||||
}
|
||||
|
||||
- if (!s->cirrus_blt_dstpitch) {
|
||||
- return true;
|
||||
- }
|
||||
-
|
||||
if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
|
||||
s->cirrus_blt_dstaddr)) {
|
||||
return true;
|
||||
@@ -314,13 +310,7 @@ static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only,
|
||||
if (dst_only) {
|
||||
return false;
|
||||
}
|
||||
-
|
||||
- check_pitch = s->cirrus_blt_srcpitch;
|
||||
- if (!zero_src_pitch_ok && !check_pitch) {
|
||||
- check_pitch = s->cirrus_blt_width;
|
||||
- }
|
||||
-
|
||||
- if (blit_region_is_unsafe(s, check_pitch,
|
||||
+ if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
|
||||
s->cirrus_blt_srcaddr)) {
|
||||
return true;
|
||||
}
|
||||
@@ -715,7 +705,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s, bool videosrc)
|
||||
src = s->cirrus_bltbuf;
|
||||
}
|
||||
|
||||
- if (blit_is_unsafe(s, true, true)) {
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -734,7 +724,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
|
||||
{
|
||||
cirrus_fill_t rop_func;
|
||||
|
||||
- if (blit_is_unsafe(s, true, true)) {
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
return 0;
|
||||
}
|
||||
rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
|
||||
@@ -834,7 +824,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
|
||||
|
||||
static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
|
||||
{
|
||||
- if (blit_is_unsafe(s, false, false))
|
||||
+ if (blit_is_unsafe(s, false))
|
||||
return 0;
|
||||
|
||||
return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr,
|
|
@ -0,0 +1,46 @@
|
|||
From: Gerd Hoffmann <kraxel@redhat.com>
|
||||
Date: Wed, 8 Feb 2017 11:18:36 +0100
|
||||
Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo
|
||||
(CVE-2017-2620)
|
||||
|
||||
CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination
|
||||
and blit width, at all. Oops. Fix it.
|
||||
|
||||
Security impact: high.
|
||||
|
||||
The missing blit destination check allows to write to host memory.
|
||||
Basically same as CVE-2014-8106 for the other blit variants.
|
||||
|
||||
Cc: qemu-stable@nongnu.org
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 92f2b88cea48c6aeba8de568a45f2ed958f3c298)
|
||||
---
|
||||
hw/display/cirrus_vga.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c
|
||||
index 0e47cf8..a093dc8 100644
|
||||
--- a/hw/display/cirrus_vga.c
|
||||
+++ b/hw/display/cirrus_vga.c
|
||||
@@ -899,6 +899,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
|
||||
{
|
||||
int w;
|
||||
|
||||
+ if (blit_is_unsafe(s, true)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
|
||||
s->cirrus_srcptr = &s->cirrus_bltbuf[0];
|
||||
s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
|
||||
@@ -924,6 +928,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
|
||||
}
|
||||
s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
|
||||
}
|
||||
+
|
||||
+ /* the blit_is_unsafe call above should catch this */
|
||||
+ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
|
||||
+
|
||||
s->cirrus_srcptr = s->cirrus_bltbuf;
|
||||
s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
|
||||
cirrus_update_memory_access(s);
|
|
@ -0,0 +1,99 @@
|
|||
From: Peter Lieven <pl@kamp.de>
|
||||
Date: Thu, 30 Jun 2016 12:00:46 +0200
|
||||
Subject: [PATCH] vnc-enc-tight: use thread local storage for palette
|
||||
|
||||
currently the color counting palette is allocated from heap, used and destroyed
|
||||
for each single subrect. Use a static palette per thread for this purpose and
|
||||
avoid the malloc and free for each update.
|
||||
|
||||
Signed-off-by: Peter Lieven <pl@kamp.de>
|
||||
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
Message-id: 1467280846-9674-1-git-send-email-pl@kamp.de
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 095497ffc66b7f031ff2a17f1e50f5cb105ce588)
|
||||
---
|
||||
ui/vnc-enc-tight.c | 23 ++++++++++++-----------
|
||||
1 file changed, 12 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
|
||||
index 678c5df..877c093 100644
|
||||
--- a/ui/vnc-enc-tight.c
|
||||
+++ b/ui/vnc-enc-tight.c
|
||||
@@ -349,7 +349,7 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
|
||||
tight_fill_palette##bpp(VncState *vs, int x, int y, \
|
||||
int max, size_t count, \
|
||||
uint32_t *bg, uint32_t *fg, \
|
||||
- VncPalette **palette) { \
|
||||
+ VncPalette *palette) { \
|
||||
uint##bpp##_t *data; \
|
||||
uint##bpp##_t c0, c1, ci; \
|
||||
int i, n0, n1; \
|
||||
@@ -396,23 +396,23 @@ tight_detect_smooth_image(VncState *vs, int w, int h)
|
||||
return 0; \
|
||||
} \
|
||||
\
|
||||
- *palette = palette_new(max, bpp); \
|
||||
- palette_put(*palette, c0); \
|
||||
- palette_put(*palette, c1); \
|
||||
- palette_put(*palette, ci); \
|
||||
+ palette_init(palette, max, bpp); \
|
||||
+ palette_put(palette, c0); \
|
||||
+ palette_put(palette, c1); \
|
||||
+ palette_put(palette, ci); \
|
||||
\
|
||||
for (i++; i < count; i++) { \
|
||||
if (data[i] == ci) { \
|
||||
continue; \
|
||||
} else { \
|
||||
ci = data[i]; \
|
||||
- if (!palette_put(*palette, (uint32_t)ci)) { \
|
||||
+ if (!palette_put(palette, (uint32_t)ci)) { \
|
||||
return 0; \
|
||||
} \
|
||||
} \
|
||||
} \
|
||||
\
|
||||
- return palette_size(*palette); \
|
||||
+ return palette_size(palette); \
|
||||
}
|
||||
|
||||
DEFINE_FILL_PALETTE_FUNCTION(8)
|
||||
@@ -421,7 +421,7 @@ DEFINE_FILL_PALETTE_FUNCTION(32)
|
||||
|
||||
static int tight_fill_palette(VncState *vs, int x, int y,
|
||||
size_t count, uint32_t *bg, uint32_t *fg,
|
||||
- VncPalette **palette)
|
||||
+ VncPalette *palette)
|
||||
{
|
||||
int max;
|
||||
|
||||
@@ -1458,9 +1458,11 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
|
||||
}
|
||||
#endif
|
||||
|
||||
+static __thread VncPalette color_count_palette;
|
||||
+
|
||||
static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
|
||||
{
|
||||
- VncPalette *palette = NULL;
|
||||
+ VncPalette *palette = &color_count_palette;
|
||||
uint32_t bg = 0, fg = 0;
|
||||
int colors;
|
||||
int ret = 0;
|
||||
@@ -1489,7 +1491,7 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
|
||||
}
|
||||
#endif
|
||||
|
||||
- colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, &palette);
|
||||
+ colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
|
||||
|
||||
#ifdef CONFIG_VNC_JPEG
|
||||
if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
|
||||
@@ -1502,7 +1504,6 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
|
||||
ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
|
||||
#endif
|
||||
|
||||
- palette_destroy(palette);
|
||||
return ret;
|
||||
}
|
||||
|
|
@ -0,0 +1,84 @@
|
|||
From: Peter Lieven <pl@kamp.de>
|
||||
Date: Fri, 15 Jul 2016 11:45:11 +0200
|
||||
Subject: [PATCH] vnc-tight: fix regression with libxenstore
|
||||
|
||||
commit 095497ff added thread local storage for the color counting
|
||||
palette. Unfortunately, a VncPalette is about 7kB on a x86_64 system.
|
||||
This memory is reserved from the stack of every thread and it
|
||||
exhausted the stack space of a libxenstore thread.
|
||||
|
||||
Fix this by allocating memory only for the VNC encoding thread.
|
||||
|
||||
Fixes: 095497ffc66b7f031ff2a17f1e50f5cb105ce588
|
||||
Reported-by: Juergen Gross <jgross@suse.com>
|
||||
Tested-by: Juergen Gross <jgross@suse.com>
|
||||
Signed-off-by: Peter Lieven <pl@kamp.de>
|
||||
Message-id: 1468575911-20656-1-git-send-email-pl@kamp.de
|
||||
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
|
||||
(cherry picked from commit 66668d197fa40747e835e15617eda2f1bc80982f)
|
||||
---
|
||||
ui/vnc-enc-tight.c | 28 +++++++++++++++++++++-------
|
||||
1 file changed, 21 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/ui/vnc-enc-tight.c b/ui/vnc-enc-tight.c
|
||||
index 877c093..49df85e 100644
|
||||
--- a/ui/vnc-enc-tight.c
|
||||
+++ b/ui/vnc-enc-tight.c
|
||||
@@ -1458,11 +1458,17 @@ static int send_sub_rect_jpeg(VncState *vs, int x, int y, int w, int h,
|
||||
}
|
||||
#endif
|
||||
|
||||
-static __thread VncPalette color_count_palette;
|
||||
+static __thread VncPalette *color_count_palette;
|
||||
+static __thread Notifier vnc_tight_cleanup_notifier;
|
||||
+
|
||||
+static void vnc_tight_cleanup(Notifier *n, void *value)
|
||||
+{
|
||||
+ g_free(color_count_palette);
|
||||
+ color_count_palette = NULL;
|
||||
+}
|
||||
|
||||
static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
|
||||
{
|
||||
- VncPalette *palette = &color_count_palette;
|
||||
uint32_t bg = 0, fg = 0;
|
||||
int colors;
|
||||
int ret = 0;
|
||||
@@ -1471,6 +1477,12 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
|
||||
bool allow_jpeg = true;
|
||||
#endif
|
||||
|
||||
+ if (!color_count_palette) {
|
||||
+ color_count_palette = g_malloc(sizeof(VncPalette));
|
||||
+ vnc_tight_cleanup_notifier.notify = vnc_tight_cleanup;
|
||||
+ qemu_thread_atexit_add(&vnc_tight_cleanup_notifier);
|
||||
+ }
|
||||
+
|
||||
vnc_framebuffer_update(vs, x, y, w, h, vs->tight.type);
|
||||
|
||||
vnc_tight_start(vs);
|
||||
@@ -1491,17 +1503,19 @@ static int send_sub_rect(VncState *vs, int x, int y, int w, int h)
|
||||
}
|
||||
#endif
|
||||
|
||||
- colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, palette);
|
||||
+ colors = tight_fill_palette(vs, x, y, w * h, &bg, &fg, color_count_palette);
|
||||
|
||||
#ifdef CONFIG_VNC_JPEG
|
||||
if (allow_jpeg && vs->tight.quality != (uint8_t)-1) {
|
||||
- ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors, palette,
|
||||
- force_jpeg);
|
||||
+ ret = send_sub_rect_jpeg(vs, x, y, w, h, bg, fg, colors,
|
||||
+ color_count_palette, force_jpeg);
|
||||
} else {
|
||||
- ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
|
||||
+ ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
|
||||
+ color_count_palette);
|
||||
}
|
||||
#else
|
||||
- ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors, palette);
|
||||
+ ret = send_sub_rect_nojpeg(vs, x, y, w, h, bg, fg, colors,
|
||||
+ color_count_palette);
|
||||
#endif
|
||||
|
||||
return ret;
|
|
@ -0,0 +1,35 @@
|
|||
From: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Date: Wed, 12 Oct 2016 18:07:41 +0530
|
||||
Subject: [PATCH] dma: rc4030: limit interval timer reload value
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The JAZZ RC4030 chipset emulator has a periodic timer and
|
||||
associated interval reload register. The reload value is used
|
||||
as divider when computing timer's next tick value. If reload
|
||||
value is large, it could lead to divide by zero error. Limit
|
||||
the interval reload value to avoid it.
|
||||
|
||||
Reported-by: Huawei PSIRT <psirt@huawei.com>
|
||||
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
|
||||
Tested-by: Hervé Poussineau <hpoussin@reactos.org>
|
||||
Signed-off-by: Yongbok Kim <yongbok.kim@imgtec.com>
|
||||
(cherry picked from commit c0a3172fa6bbddcc73192f2a2c48d0bf3a7ba61c)
|
||||
---
|
||||
hw/dma/rc4030.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/hw/dma/rc4030.c b/hw/dma/rc4030.c
|
||||
index a06c235..1814ca6 100644
|
||||
--- a/hw/dma/rc4030.c
|
||||
+++ b/hw/dma/rc4030.c
|
||||
@@ -459,7 +459,7 @@ static void rc4030_write(void *opaque, hwaddr addr, uint64_t data,
|
||||
break;
|
||||
/* Interval timer reload */
|
||||
case 0x0228:
|
||||
- s->itr = val;
|
||||
+ s->itr = val & 0x01FF;
|
||||
qemu_irq_lower(s->timer_irq);
|
||||
set_next_tick(s);
|
||||
break;
|
|
@ -0,0 +1,37 @@
|
|||
From: Li Qiang <liqiang6-s@360.cn>
|
||||
Date: Wed, 4 Jan 2017 00:43:16 -0800
|
||||
Subject: [PATCH] serial: fix memory leak in serial exit
|
||||
|
||||
The serial_exit_core function doesn't free some resources.
|
||||
This can lead memory leak when hotplug and unplug. This
|
||||
patch avoid this.
|
||||
|
||||
Signed-off-by: Li Qiang <liqiang6-s@360.cn>
|
||||
Message-Id: <586cb5ab.f31d9d0a.38ac3.acf2@mx.google.com>
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
(cherry picked from commit 8409dc884a201bf74b30a9d232b6bbdd00cb7e2b)
|
||||
---
|
||||
hw/char/serial.c | 10 ++++++++++
|
||||
1 file changed, 10 insertions(+)
|
||||
|
||||
diff --git a/hw/char/serial.c b/hw/char/serial.c
|
||||
index 3998131..ebf507b 100644
|
||||
--- a/hw/char/serial.c
|
||||
+++ b/hw/char/serial.c
|
||||
@@ -869,6 +869,16 @@ void serial_realize_core(SerialState *s, Error **errp)
|
||||
void serial_exit_core(SerialState *s)
|
||||
{
|
||||
qemu_chr_add_handlers(s->chr, NULL, NULL, NULL, NULL);
|
||||
+
|
||||
+ timer_del(s->modem_status_poll);
|
||||
+ timer_free(s->modem_status_poll);
|
||||
+
|
||||
+ timer_del(s->fifo_timeout_timer);
|
||||
+ timer_free(s->fifo_timeout_timer);
|
||||
+
|
||||
+ fifo8_destroy(&s->recv_fifo);
|
||||
+ fifo8_destroy(&s->xmit_fifo);
|
||||
+
|
||||
qemu_unregister_reset(serial_reset, s);
|
||||
}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
# The KVM HV implementation on Power can require a significant amount
|
||||
# of unswappable memory (about half of which also needs to be host
|
||||
# physically contiguous) to hold the guest's Hash Page Table (HPT) -
|
||||
# roughly 1/64th of the guest's RAM size, minimum 16MiB.
|
||||
#
|
||||
# These limits allow unprivileged users to start smallish VMs, such as
|
||||
# those used by libguestfs.
|
||||
#
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1293024
|
||||
#
|
||||
* hard memlock 65536
|
||||
* soft memlock 65536
|
323
qemu.spec
323
qemu.spec
|
@ -8,7 +8,7 @@
|
|||
# need_qemu_kvm should only ever be used by x86
|
||||
%global need_qemu_kvm 1
|
||||
%endif
|
||||
%ifarch ppc64 ppc64le
|
||||
%ifarch %{power64}
|
||||
%global kvm_package system-ppc
|
||||
%endif
|
||||
%ifarch s390x
|
||||
|
@ -45,6 +45,11 @@
|
|||
%global have_xen 1
|
||||
%endif
|
||||
|
||||
# Matches edk2.spec ExclusiveArch
|
||||
%ifarch %{ix86} x86_64 %{arm} aarch64
|
||||
%global have_edk2 1
|
||||
%endif
|
||||
|
||||
# Temp hack for https://bugzilla.redhat.com/show_bug.cgi?id=1343892
|
||||
# We'll manually turn on hardened build later in this spec
|
||||
%undefine _hardened_build
|
||||
|
@ -59,8 +64,8 @@
|
|||
|
||||
Summary: QEMU is a FAST! processor emulator
|
||||
Name: qemu
|
||||
Version: 2.6.0
|
||||
Release: 5%{?rcrel}%{?dist}
|
||||
Version: 2.6.2
|
||||
Release: 8%{?rcrel}%{?dist}
|
||||
Epoch: 2
|
||||
License: GPLv2+ and LGPLv2+ and BSD
|
||||
Group: Development/Tools
|
||||
|
@ -91,62 +96,157 @@ Source13: qemu-kvm.sh
|
|||
Source20: kvm.conf
|
||||
# /etc/sysctl.d/50-kvm-s390x.conf
|
||||
Source21: 50-kvm-s390x.conf
|
||||
# /etc/security/limits.d/95-kvm-ppc64-memlock.conf
|
||||
Source22: 95-kvm-ppc64-memlock.conf
|
||||
|
||||
# Adjust spice gl version check to expect F24 backported version
|
||||
# Not for upstream, f24 only
|
||||
Patch0001: 0001-spice-F24-spice-has-backported-gl-support.patch
|
||||
# Fix gtk UI crash when switching to monitor (bz #1333424)
|
||||
Patch0002: 0002-ui-gtk-fix-crash-when-terminal-inner-border-is-NULL.patch
|
||||
# Fix sdl2 UI lockup lockup when switching to monitor
|
||||
Patch0003: 0003-ui-sdl2-Release-grab-before-opening-console-window.patch
|
||||
# Explicitly error if spice GL setup fails
|
||||
Patch0004: 0004-ui-spice-Exit-if-gl-on-EGL-init-fails.patch
|
||||
# Fix monitor resizing with virgl (bz #1337564)
|
||||
Patch0005: 0005-spice-gl-add-use-qemu_spice_gl_monitor_config.patch
|
||||
# CVE-2016-4020: memory leak in kvmvapic.c (bz #1326904)
|
||||
Patch0006: 0006-i386-kvmvapic-initialise-imm32-variable.patch
|
||||
# CVE-2016-4439: scsi: esb: OOB write #1 (bz #1337503)
|
||||
Patch0007: 0007-esp-check-command-buffer-length-before-write-CVE-201.patch
|
||||
# CVE-2016-4441: scsi: esb: OOB write #2 (bz #1337506)
|
||||
Patch0008: 0008-esp-check-dma-length-before-reading-scsi-command-CVE.patch
|
||||
# Fix regression installing windows 7 with qxl/vga (bz #1339267)
|
||||
Patch0009: 0009-vga-add-sr_vbe-register-set.patch
|
||||
# Fix crash with aarch64 gic-version=host and accel=tcg (bz #1339977)
|
||||
Patch0010: 0010-hw-arm-virt-Reject-gic-version-host-for-non-KVM.patch
|
||||
# CVE-2016-4002: net: buffer overflow in MIPSnet (bz #1326083)
|
||||
Patch0011: 0011-net-mipsnet-check-packet-length-against-buffer.patch
|
||||
# CVE-2016-4952 scsi: pvscsi: out-of-bounds access issue
|
||||
Patch0012: 0012-scsi-pvscsi-check-command-descriptor-ring-buffer-siz.patch
|
||||
# CVE-2016-4964: scsi: mptsas infinite loop (bz #1339157)
|
||||
Patch0013: 0013-scsi-mptsas-infinite-loop-while-fetching-requests.patch
|
||||
# CVE-2016-5106: scsi: megasas: out-of-bounds write (bz #1339581)
|
||||
Patch0014: 0014-scsi-megasas-use-appropriate-property-buffer-size.patch
|
||||
# CVE-2016-5105: scsi: megasas: stack information leakage (bz #1339585)
|
||||
Patch0015: 0015-scsi-megasas-initialise-local-configuration-data-buf.patch
|
||||
# CVE-2016-5107: scsi: megasas: out-of-bounds read (bz #1339573)
|
||||
Patch0016: 0016-scsi-megasas-check-read_queue_head-index-value.patch
|
||||
# CVE-2016-4454: display: vmsvga: out-of-bounds read (bz #1340740)
|
||||
Patch0017: 0017-vmsvga-move-fifo-sanity-checks-to-vmsvga_fifo_length.patch
|
||||
Patch0018: 0018-vmsvga-add-more-fifo-checks.patch
|
||||
Patch0019: 0019-vmsvga-shadow-fifo-registers.patch
|
||||
# CVE-2016-4453: display: vmsvga: infinite loop (bz #1340744)
|
||||
Patch0020: 0020-vmsvga-don-t-process-more-than-1024-fifo-commands-at.patch
|
||||
# CVE-2016-5126: block: iscsi: buffer overflow (bz #1340925)
|
||||
Patch0021: 0021-block-iscsi-avoid-potential-overflow-of-acb-task-cdb.patch
|
||||
# CVE-2016-5238: scsi: esp: OOB write (bz #1341932)
|
||||
Patch0022: 0022-scsi-esp-check-buffer-length-before-reading-scsi-com.patch
|
||||
Patch0023: 0023-scsi-esp-respect-FIFO-invariant-after-message-phase.patch
|
||||
Patch0024: 0024-scsi-esp-clean-up-handle_ti-esp_do_dma-if-s-do_cmd.patch
|
||||
# CVE-2016-5338: scsi: esp: OOB r/w access (bz #1343325)
|
||||
Patch0025: 0025-scsi-esp-make-cmdbuf-big-enough-for-maximum-CDB-size.patch
|
||||
# CVE-2016-5337: scsi: megasas: information leakage (bz #1343910)
|
||||
Patch0026: 0026-scsi-megasas-null-terminate-bios-version-buffer.patch
|
||||
# Fix crash with -nodefaults -sdl (bz #1340931)
|
||||
Patch0027: 0027-sdl2-skip-init-without-outputs.patch
|
||||
# CVE-2016-6351: scsi: esp: OOB write access in esp_do_dma (bz #1360600)
|
||||
Patch0002: 0002-scsi-esp-fix-migration.patch
|
||||
# CVE-2016-6833: vmxnet3: use-after-free (bz #1368982)
|
||||
Patch0003: 0003-net-vmxnet3-check-for-device_active-before-write.patch
|
||||
# CVE-2016-6490: virtio: infinite loop in virtqueue_pop (bz #1361428)
|
||||
Patch0004: 0004-virtio-check-vring-descriptor-buffer-length.patch
|
||||
# CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||
Patch0005: 0005-scsi-pvscsi-limit-loop-to-fetch-SG-list.patch
|
||||
# CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||
Patch0006: 0006-vmsvga-correct-bitmap-and-pixmap-size-checks.patch
|
||||
# CVE-2016-7161: net: Heap overflow in xlnx.xps-ethernetlite (bz #1379298)
|
||||
Patch0007: 0007-hw-net-Fix-a-heap-overflow-in-xlnx.xps-ethernetlite.patch
|
||||
# CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||
Patch0008: 0008-usb-xhci-fix-memory-leak-in-usb_xhci_exit.patch
|
||||
# CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||
Patch0009: 0009-virtio-add-check-for-descriptor-s-mapped-address.patch
|
||||
# CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||
Patch0010: 0010-net-mcf-limit-buffer-descriptor-count.patch
|
||||
# CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||
Patch0011: 0011-xhci-limit-the-number-of-link-trbs-we-are-willing-to.patch
|
||||
# CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||
Patch0012: 0012-usb-ehci-fix-memory-leak-in-ehci_process_itd.patch
|
||||
# Fix flickering display with boxes + wayland VM (bz #1266484)
|
||||
Patch0013: 0013-qxl-Only-emit-QXL_INTERRUPT_CLIENT_MONITORS_CONFIG-o.patch
|
||||
# CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz
|
||||
# #1366370)
|
||||
Patch0014: 0014-net-vmxnet-initialise-local-tx-descriptor.patch
|
||||
# CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196)
|
||||
Patch0015: 0015-net-pcnet-check-rx-tx-descriptor-ring-length.patch
|
||||
# CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667)
|
||||
Patch0016: 0016-virtio-gpu-fix-memory-leak-in-virtio_gpu_resource_cr.patch
|
||||
# CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286)
|
||||
Patch0017: 0017-9pfs-fix-potential-host-memory-leak-in-v9fs_read.patch
|
||||
# CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz
|
||||
# #1383292)
|
||||
Patch0018: 0018-9pfs-allocate-space-for-guest-originated-empty-strin.patch
|
||||
# CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898)
|
||||
Patch0019: 0019-net-rocker-set-limit-to-DMA-buffer-size.patch
|
||||
# CVE-2016-8669: divide by zero error in serial_update_parameters (bz
|
||||
# #1384911)
|
||||
Patch0020: 0020-char-serial-check-divider-value-against-baud-base.patch
|
||||
# CVE-2016-8910: rtl8139: infinite loop while transmit in C+ mode (bz
|
||||
# #1388047)
|
||||
Patch0021: 0021-net-rtl8139-limit-processing-of-ring-descriptors.patch
|
||||
# CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053)
|
||||
Patch0022: 0022-audio-intel-hda-check-stream-entry-count-during-tran.patch
|
||||
# Infinite loop vulnerability in a9_gtimer_update (bz #1388300)
|
||||
Patch0023: 0023-timer-a9gtimer-remove-loop-to-auto-increment-compara.patch
|
||||
# CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539)
|
||||
Patch0024: 0024-net-eepro100-fix-memory-leak-in-device-uninit.patch
|
||||
# CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643)
|
||||
Patch0025: 0025-9pfs-fix-information-leak-in-xattr-read.patch
|
||||
# CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz
|
||||
# #1389551)
|
||||
Patch0026: 0026-9pfs-fix-memory-leak-in-v9fs_xattrcreate.patch
|
||||
# CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687)
|
||||
Patch0027: 0027-9pfs-add-xattrwalk_fid-field-in-V9fsXattr-struct.patch
|
||||
Patch0028: 0028-9pfs-convert-len-copied_len-field-in-V9fsXattr-to-th.patch
|
||||
Patch0029: 0029-9pfs-fix-integer-overflow-issue-in-xattr-read-write.patch
|
||||
# CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704)
|
||||
Patch0030: 0030-9pfs-fix-memory-leak-in-v9fs_link.patch
|
||||
# CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713)
|
||||
Patch0031: 0031-9pfs-fix-memory-leak-in-v9fs_write.patch
|
||||
# CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385)
|
||||
Patch0032: 0032-xen-fix-ioreq-handling.patch
|
||||
# CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz
|
||||
# #1399054)
|
||||
Patch0033: 0033-display-cirrus-check-vga-bits-per-pixel-bpp-value.patch
|
||||
# CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz
|
||||
# #1400830)
|
||||
Patch0034: 0034-net-mcf-check-receive-buffer-size-register-value.patch
|
||||
# CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz
|
||||
# #1402247)
|
||||
Patch0035: 0035-virtio-gpu-fix-information-leak-in-getting-capset-in.patch
|
||||
# CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz
|
||||
# #1402258)
|
||||
Patch0036: 0036-virtio-gpu-fix-memory-leak-in-update_cursor_data_vir.patch
|
||||
# CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz
|
||||
# #1402266)
|
||||
Patch0037: 0037-usbredir-free-vm_change_state_handler-in-usbredir-de.patch
|
||||
# CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz
|
||||
# #1402273)
|
||||
Patch0038: 0038-usb-ehci-fix-memory-leak-in-ehci_init_transfer.patch
|
||||
# CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz
|
||||
# #1402277)
|
||||
Patch0039: 0039-9pfs-adjust-the-order-of-resource-cleanup-in-device-.patch
|
||||
Patch0040: 0040-9pfs-add-cleanup-operation-in-FileOperations.patch
|
||||
Patch0041: 0041-9pfs-add-cleanup-operation-for-handle-backend-driver.patch
|
||||
Patch0042: 0042-9pfs-add-cleanup-operation-for-proxy-backend-driver.patch
|
||||
Patch0043: 0043-9pfs-fix-crash-when-fsdev-is-missing.patch
|
||||
# CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities
|
||||
# (bz #1406368)
|
||||
Patch0044: 0044-display-virtio-gpu-3d-check-virgl-capabilities-max_s.patch
|
||||
# CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz
|
||||
# #1402263)
|
||||
Patch0045: 0045-virtio-gpu-fix-information-leak-in-capset-get-dispat.patch
|
||||
# CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz
|
||||
# #1402285)
|
||||
Patch0046: 0046-virtio-gpu-call-cleanup-mapping-function-in-resource.patch
|
||||
# CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110)
|
||||
Patch0047: 0047-audio-ac97-add-exit-function.patch
|
||||
# CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210)
|
||||
Patch0048: 0048-audio-es1370-add-exit-function.patch
|
||||
# CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200)
|
||||
Patch0049: 0049-watchdog-6300esb-add-exit-function.patch
|
||||
# CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283)
|
||||
Patch0050: 0050-virtio-gpu-3d-fix-memory-leak-in-resource-attach-bac.patch
|
||||
# CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz
|
||||
# #1417560)
|
||||
Patch0051: 0051-sd-sdhci-check-data-length-during-dma_memory_read.patch
|
||||
# CVE-2017-5857: virtio-gpu-3d: host memory leakage in
|
||||
# virgl_cmd_resource_unref (bz #1418383)
|
||||
Patch0052: 0052-megasas-fix-guest-triggered-memory-leak.patch
|
||||
# CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344)
|
||||
Patch0053: 0053-virtio-gpu-fix-resource-leak-in-virgl_cmd_resource_u.patch
|
||||
# CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz
|
||||
# #1419700)
|
||||
Patch0054: 0054-usb-ccid-check-ccid-apdu-length.patch
|
||||
# CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz
|
||||
# #1422001)
|
||||
Patch0055: 0055-sd-sdhci-check-transfer-mode-register-in-multi-block.patch
|
||||
# CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz
|
||||
# #1429434)
|
||||
Patch0056: 0056-usb-ohci-limit-the-number-of-link-eds.patch
|
||||
# CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz
|
||||
# #1418206)
|
||||
Patch0057: 0057-display-cirrus-ignore-source-pitch-value-as-needed-i.patch
|
||||
Patch0058: 0058-cirrus-handle-negative-pitch-in-cirrus_invalidate_re.patch
|
||||
Patch0059: 0059-cirrus-allow-zero-source-pitch-in-pattern-fill-rops.patch
|
||||
Patch0060: 0060-cirrus-fix-blit-address-mask-handling.patch
|
||||
Patch0061: 0061-cirrus-fix-oob-access-issue-CVE-2017-2615.patch
|
||||
# CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419)
|
||||
Patch0062: 0062-cirrus-fix-patterncopy-checks.patch
|
||||
Patch0063: 0063-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil.patch
|
||||
Patch0064: 0064-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput.patch
|
||||
# Fix xen pv graphical display failure (bz #1350264)
|
||||
Patch0065: 0065-vnc-enc-tight-use-thread-local-storage-for-palette.patch
|
||||
Patch0066: 0066-vnc-tight-fix-regression-with-libxenstore.patch
|
||||
# CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
|
||||
Patch0067: 0067-dma-rc4030-limit-interval-timer-reload-value.patch
|
||||
# CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
|
||||
Patch0068: 0068-serial-fix-memory-leak-in-serial-exit.patch
|
||||
|
||||
|
||||
# documentation deps
|
||||
BuildRequires: texi2html
|
||||
BuildRequires: texinfo
|
||||
# For /usr/bin/pod2man
|
||||
BuildRequires: perl-podlators
|
||||
|
@ -447,7 +547,9 @@ Requires: seavgabios-bin
|
|||
Requires: seabios-bin >= 1.7.5
|
||||
Requires: sgabios-bin
|
||||
Requires: ipxe-roms-qemu
|
||||
%if 0%{?have_edk2:1}
|
||||
Requires: edk2-ovmf
|
||||
%endif
|
||||
%if 0%{?have_seccomp:1}
|
||||
Requires: libseccomp >= 1.0.0
|
||||
%endif
|
||||
|
@ -634,7 +736,9 @@ This package provides the system emulator for Moxie boards.
|
|||
Summary: QEMU system emulator for AArch64
|
||||
Group: Development/Tools
|
||||
Requires: %{name}-common = %{epoch}:%{version}-%{release}
|
||||
%if 0%{?have_edk2:1}
|
||||
Requires: edk2-aarch64
|
||||
%endif
|
||||
%description system-aarch64
|
||||
QEMU is a generic and open source processor emulator which achieves a good
|
||||
emulation speed by using dynamic translation.
|
||||
|
@ -902,6 +1006,11 @@ install -d %{buildroot}%{_sysconfdir}/sysctl.d
|
|||
install -m 0644 %{_sourcedir}/50-kvm-s390x.conf %{buildroot}%{_sysconfdir}/sysctl.d
|
||||
%endif
|
||||
|
||||
%ifarch %{power64}
|
||||
install -d %{buildroot}%{_sysconfdir}/security/limits.d
|
||||
install -m 0644 %{_sourcedir}/95-kvm-ppc64-memlock.conf %{buildroot}%{_sysconfdir}/security/limits.d
|
||||
%endif
|
||||
|
||||
|
||||
# Install kvm specific bits
|
||||
%if %{have_kvm}
|
||||
|
@ -1025,7 +1134,7 @@ for i in dummy \
|
|||
%ifnarch m68k
|
||||
qemu-m68k \
|
||||
%endif
|
||||
%ifnarch ppc ppc64 ppc64le
|
||||
%ifnarch ppc %{power64}
|
||||
qemu-ppc qemu-ppc64abi32 qemu-ppc64 \
|
||||
%endif
|
||||
%ifnarch sparc sparc64
|
||||
|
@ -1045,8 +1154,8 @@ for i in dummy \
|
|||
chmod 644 %{buildroot}%{_exec_prefix}/lib/binfmt.d/$i-dynamic.conf
|
||||
|
||||
%if %{user_static}
|
||||
grep /$i:\$ %{_sourcedir}/qemu.binfmt > %{buildroot}%{_exec_prefix}/lib/binfmt.d/$i-static.conf
|
||||
perl -i -p -e "s/$i/$i-static/" %{buildroot}%{_exec_prefix}/lib/binfmt.d/$i-static.conf
|
||||
grep /$i:\$ %{_sourcedir}/qemu.binfmt | tr -d '\n' > %{buildroot}%{_exec_prefix}/lib/binfmt.d/$i-static.conf
|
||||
perl -i -p -e "s|/usr/bin/$i|/usr/bin/$i-static|" %{buildroot}%{_exec_prefix}/lib/binfmt.d/$i-static.conf
|
||||
chmod 644 %{buildroot}%{_exec_prefix}/lib/binfmt.d/$i-static.conf
|
||||
%endif
|
||||
|
||||
|
@ -1554,8 +1663,9 @@ getent passwd qemu >/dev/null || \
|
|||
%{_datadir}/%{name}/ppc_rom.bin
|
||||
%{_datadir}/%{name}/spapr-rtas.bin
|
||||
%{_datadir}/%{name}/u-boot.e500
|
||||
%ifarch ppc64 ppc64le
|
||||
%ifarch %{power64}
|
||||
%{?kvm_files:}
|
||||
%{_sysconfdir}/security/limits.d/95-kvm-ppc64-memlock.conf
|
||||
%endif
|
||||
|
||||
|
||||
|
@ -1595,6 +1705,107 @@ getent passwd qemu >/dev/null || \
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Apr 13 2017 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-8
|
||||
- Fix xen pv graphical display failure (bz #1350264)
|
||||
- CVE-2016-8667: dma: divide by zero error in set_next_tick (bz #1384876)
|
||||
- CVE-2017-5579: serial: fix memory leak in serial exit (bz #1416161)
|
||||
|
||||
* Wed Mar 15 2017 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-7
|
||||
- CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110)
|
||||
- CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210)
|
||||
- CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200)
|
||||
- CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283)
|
||||
- CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz
|
||||
#1417560)
|
||||
- CVE-2017-5857: virtio-gpu-3d: host memory leakage in
|
||||
virgl_cmd_resource_unref (bz #1418383)
|
||||
- CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344)
|
||||
- CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz
|
||||
#1419700)
|
||||
- CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz
|
||||
#1422001)
|
||||
- CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz
|
||||
#1429434)
|
||||
- CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz
|
||||
#1418206)
|
||||
- CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419)
|
||||
|
||||
* Mon Jan 16 2017 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-6
|
||||
- CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz
|
||||
#1366370)
|
||||
- CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196)
|
||||
- CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667)
|
||||
- CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286)
|
||||
- CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz
|
||||
#1383292)
|
||||
- CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898)
|
||||
- CVE-2016-8669: divide by zero error in serial_update_parameters (bz
|
||||
#1384911)
|
||||
- CVE-2016-8910: rtl8139: infinite loop while transmit in C+ mode (bz
|
||||
#1388047)
|
||||
- CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053)
|
||||
- Infinite loop vulnerability in a9_gtimer_update (bz #1388300)
|
||||
- CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539)
|
||||
- CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643)
|
||||
- CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz
|
||||
#1389551)
|
||||
- CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687)
|
||||
- CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704)
|
||||
- CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713)
|
||||
- CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385)
|
||||
- CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz
|
||||
#1399054)
|
||||
- CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz
|
||||
#1400830)
|
||||
- CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz
|
||||
#1402247)
|
||||
- CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz
|
||||
#1402258)
|
||||
- CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz
|
||||
#1402266)
|
||||
- CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz
|
||||
#1402273)
|
||||
- CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz
|
||||
#1402277)
|
||||
- CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities
|
||||
(bz #1406368)
|
||||
- CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz
|
||||
#1402263)
|
||||
- CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz
|
||||
#1402285)
|
||||
|
||||
* Sun Nov 06 2016 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-5
|
||||
- Fix qemu-user-static binfmt on f24 (bz 1388250)
|
||||
|
||||
* Tue Oct 25 2016 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-4
|
||||
- Fix PPC64 build with memlock file (bz #1387601)
|
||||
- Fix qemu-user-static binfmt paths (bz #1388250)
|
||||
- Use F flag in binfmt for qemu-user-static (bz #1384615)
|
||||
|
||||
* Wed Oct 19 2016 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-3
|
||||
- Fix flickering display with boxes + wayland VM (bz #1266484)
|
||||
- Add ppc64 kvm memlock file (bz #1293024)
|
||||
|
||||
* Sat Oct 15 2016 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-2
|
||||
- CVE-2016-6351: scsi: esp: OOB write access in esp_do_dma (bz #1360600)
|
||||
- CVE-2016-6833: vmxnet3: use-after-free (bz #1368982)
|
||||
- CVE-2016-6490: virtio: infinite loop in virtqueue_pop (bz #1361428)
|
||||
- CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480)
|
||||
- CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709)
|
||||
- CVE-2016-7161: net: Heap overflow in xlnx.xps-ethernetlite (bz #1379298)
|
||||
- CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838)
|
||||
- CVE-2016-7422: virtio: null pointer dereference (bz #1376756)
|
||||
- CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193)
|
||||
- CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322)
|
||||
- CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669)
|
||||
- Don't depend on edk2 roms where they aren't available (bz #1373576)
|
||||
|
||||
* Fri Sep 30 2016 Cole Robinson <crobinso@redhat.com> - 2:2.6.2-1
|
||||
- Rebased to version 2.6.2
|
||||
|
||||
* Fri Aug 19 2016 Cole Robinson <crobinso@redhat.com> - 2:2.6.1-1
|
||||
- Rebase to 2.6.1 stable
|
||||
|
||||
* Wed Jul 13 2016 Daniel Berrange <berrange@redhat.com> - 2:2.6.0-5
|
||||
- Introduce qemu-user-static sub-RPM
|
||||
|
||||
|
|
Loading…
Reference in New Issue