qemu-commits

[Qemu-commits] [qemu/qemu] 35fc1f: vmstate: reduce code duplication


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] 35fc1f: vmstate: reduce code duplication
Date: Wed, 07 May 2014 08:30:07 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 35fc1f71899fd42323bd8f33da18f0211e0d2727
      
https://github.com/qemu/qemu/commit/35fc1f71899fd42323bd8f33da18f0211e0d2727
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M vmstate.c

  Log Message:
  -----------
  vmstate: reduce code duplication

move size offset and number of elements math out
to functions, to reduce code duplication.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: "Dr. David Alan Gilbert" <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 5bf81c8d63db0216a4d29dc87f9ce530bb791dd1
      
https://github.com/qemu/qemu/commit/5bf81c8d63db0216a4d29dc87f9ce530bb791dd1
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M include/migration/vmstate.h
    M vmstate.c

  Log Message:
  -----------
  vmstate: add VMS_MUST_EXIST

Can be used to verify a required field exists or validate
state in some other way.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 4082f0889ba04678fc14816c53e1b9251ea9207e
      
https://github.com/qemu/qemu/commit/4082f0889ba04678fc14816c53e1b9251ea9207e
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M include/migration/vmstate.h

  Log Message:
  -----------
  vmstate: add VMSTATE_VALIDATE

Validate state using VMS_ARRAY with num = 0 and VMS_MUST_EXIST

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 71f7fe48e10a8437c9d42d859389f37157f59980
      
https://github.com/qemu/qemu/commit/71f7fe48e10a8437c9d42d859389f37157f59980
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M include/hw/virtio/virtio-net.h

  Log Message:
  -----------
  virtio-net: fix buffer overflow on invalid state load

CVE-2013-4148 QEMU 1.0 integer conversion in
virtio_net_load()@hw/net/virtio-net.c

Deals with loading a corrupted savevm image.

>         n->mac_table.in_use = qemu_get_be32(f);

in_use is int so it can get negative when assigned 32bit unsigned value.

>         /* MAC_TABLE_ENTRIES may be different from the saved image */
>         if (n->mac_table.in_use <= MAC_TABLE_ENTRIES) {

passing this check ^^^

>             qemu_get_buffer(f, n->mac_table.macs,
>                             n->mac_table.in_use * ETH_ALEN);

with good in_use value, "n->mac_table.in_use * ETH_ALEN" can get
positive and bigger than mac_table.macs. For example 0x81000000
satisfies this condition when ETH_ALEN is 6.

Fix it by making the value unsigned.
For consistency, change first_multi as well.

Note: all call sites were audited to confirm that
making them unsigned didn't cause any issues:
it turns out we actually never do math on them,
so it's easy to validate because both values are
always <= MAC_TABLE_ENTRIES.

Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Laszlo Ersek <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
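
The integer-conversion point in the commit message above, as an added example that is not QEMU's code: the signed form of the check lets 0x81000000 through (it is negative as an int) and the multiplied size wraps to 0x06000000, far larger than the 384-byte MAC table, while the unsigned form rejects it with the very same comparison. MAC_TABLE_ENTRIES=64 and ETH_ALEN=6 are assumed to match QEMU's definitions; mac_table_bytes_signed/unsigned and the kWire* inputs are names and data made up for this demonstration.

```c
/* Added example, not QEMU code: models the signed vs unsigned in_use check
 * from the CVE-2013-4148 description. MAC_TABLE_ENTRIES=64 and ETH_ALEN=6
 * are assumed to match QEMU; the function and input names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAC_TABLE_ENTRIES 64
#define ETH_ALEN 6

/* Big-endian 32-bit read, in the role of qemu_get_be32(). */
static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable shape: in_use is a signed int. Returns the byte count that
 * would reach qemu_get_buffer(), or 0 when the bound check rejects it.
 * The product is formed in uint32_t so the two's-complement wrap is shown
 * deterministically (the original int multiply is undefined behaviour). */
uint32_t mac_table_bytes_signed(const uint8_t wire[4])
{
    int in_use = (int)get_be32(wire);        /* 0x81000000 -> negative */
    if (in_use <= MAC_TABLE_ENTRIES) {       /* any negative value passes */
        return (uint32_t)in_use * ETH_ALEN;  /* 0x81000000*6 wraps to 0x06000000 */
    }
    return 0;
}

/* Fixed shape: unsigned in_use, so the same comparison is a real bound. */
uint32_t mac_table_bytes_unsigned(const uint8_t wire[4])
{
    uint32_t in_use = get_be32(wire);
    if (in_use <= MAC_TABLE_ENTRIES) {
        return in_use * ETH_ALEN;            /* at most 64*6 = 384 bytes */
    }
    return 0;
}

/* Constructed wire values (not real savevm data). */
const uint8_t kWireHighBit[4] = { 0x81, 0x00, 0x00, 0x00 };
const uint8_t kWireFull[4]    = { 0x00, 0x00, 0x00, 0x40 };  /* 64 entries */
const uint8_t kWireTooMany[4] = { 0x00, 0x00, 0x00, 0x41 };  /* 65 entries */

int main(void)
{
    printf("signed check:   0x%08x bytes would be read\n",
           mac_table_bytes_signed(kWireHighBit));
    printf("unsigned check: %u bytes would be read\n",
           mac_table_bytes_unsigned(kWireHighBit));
    return 0;
}
```

The size of mac_table.macs is 64 * 6 = 384 bytes, so the wrapped 0x06000000 (about 96 MiB) read is exactly the "positive and bigger than mac_table.macs" case the message describes.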


  Commit: eea750a5623ddac7a61982eec8f1c93481857578
      
https://github.com/qemu/qemu/commit/eea750a5623ddac7a61982eec8f1c93481857578
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: out-of-bounds buffer write on invalid state load

CVE-2013-4150 QEMU 1.5.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

This code is in hw/net/virtio-net.c:

    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }
        n->curr_queues = qemu_get_be16(f);
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }

Number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get
write beyond end of the buffer, with data that comes from
wire.

This might be used to corrupt qemu memory in hard to predict ways.
Since we have lots of function pointers around, RCE might be possible.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Acked-by: Jason Wang <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: cc45995294b92d95319b4782750a3580cabdbc0c
      
https://github.com/qemu/qemu/commit/cc45995294b92d95319b4782750a3580cabdbc0c
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: out-of-bounds buffer write on invalid state load

CVE-2013-4151 QEMU 1.0 out-of-bounds buffer write in
address@hidden/virtio/virtio.c

So we have this code since way back when:

    num = qemu_get_be32(f);

    for (i = 0; i < num; i++) {
        vdev->vq[i].vring.num = qemu_get_be32(f);

array of vqs has size VIRTIO_PCI_QUEUE_MAX, so
on invalid input this will write beyond end of buffer.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5
      
https://github.com/qemu/qemu/commit/ae2158ad6ce0845b2fae2a22aa7f19c0d7a71ce5
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/ide/ahci.c

  Log Message:
  -----------
  ahci: fix buffer overrun on invalid state load

CVE-2013-4526

Within hw/ide/ahci.c, VARRAY refers to ports which is also loaded.  So
we use the old version of ports to read the array but then allow any
value for ports.  This can cause the code to overflow.

There's no reason to migrate ports - it never changes.
So just make sure it matches.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 3f1c49e2136fa08ab1ef3183fd55def308829584
      
https://github.com/qemu/qemu/commit/3f1c49e2136fa08ab1ef3183fd55def308829584
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/timer/hpet.c

  Log Message:
  -----------
  hpet: fix buffer overrun on invalid state load

CVE-2013-4527 hw/timer/hpet.c buffer overrun

hpet is a VARRAY with a uint8 size but static array of 32

To fix, make sure num_timers is valid using VMSTATE_VALID hook.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
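
The validation hook introduced in the "vmstate: add VMSTATE_VALIDATE" commit above and applied in this hpet commit, as an added example that is not QEMU's code: a small table-driven loader in which a zero-element MUST_EXIST entry runs a check between loading the uint8 count and filling the array that count sizes, so a count of 64 against a 32-slot array fails the load before any element is written. Field, Stream, load_state, hpet_load_from and the kHpet* streams are hypothetical names with constructed data; HPET_MAX_TIMERS=32 is taken from the commit text, and QEMU's real vmstate macros differ in detail.

```c
/* Added example, not QEMU code: a minimal model of VMS_MUST_EXIST /
 * VMSTATE_VALIDATE applied to an hpet-like VARRAY with a uint8 count and a
 * static array of 32. All names are hypothetical; HPET_MAX_TIMERS=32 is
 * from the commit text. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define HPET_MAX_TIMERS 32

typedef struct {
    uint8_t  num_timers;
    uint64_t timer_cfg[HPET_MAX_TIMERS];
} HpetState;

enum { F_VARRAY_UINT8 = 1, F_MUST_EXIST = 2 };

typedef struct Field {
    const char *name;
    unsigned flags;
    size_t offset;       /* destination within the state struct */
    size_t num;          /* fixed element count; 0 for a validate-only entry */
    size_t num_offset;   /* VARRAY: offset of the already-loaded uint8 count */
    size_t elem_size;    /* 1 or 8 in this toy */
    bool (*field_exists)(const void *opaque);   /* the validate hook */
} Field;

/* In-memory stand-in for QEMUFile. */
typedef struct { const uint8_t *p; size_t len, pos; } Stream;

static bool get_bytes(Stream *s, void *dst, size_t n)
{
    if (s->len - s->pos < n) return false;   /* truncated stream */
    memcpy(dst, s->p + s->pos, n);
    s->pos += n;
    return true;
}

static bool get_be64(Stream *s, void *dst)
{
    uint8_t b[8];
    if (!get_bytes(s, b, 8)) return false;
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | b[i];
    memcpy(dst, &v, 8);
    return true;
}

/* Runs after num_timers is loaded and before timer_cfg is filled. */
static bool hpet_num_timers_ok(const void *opaque)
{
    const HpetState *s = opaque;
    return s->num_timers <= HPET_MAX_TIMERS;
}

static const Field hpet_fields[] = {
    { .name = "num_timers", .offset = offsetof(HpetState, num_timers),
      .num = 1, .elem_size = 1 },
    /* VMSTATE_VALIDATE-style entry: zero elements plus MUST_EXIST, so a
     * false field_exists() aborts the load instead of skipping a field. */
    { .name = "num_timers_in_range", .flags = F_MUST_EXIST, .num = 0,
      .field_exists = hpet_num_timers_ok },
    { .name = "timer_cfg", .flags = F_VARRAY_UINT8,
      .offset = offsetof(HpetState, timer_cfg),
      .num_offset = offsetof(HpetState, num_timers), .elem_size = 8 },
    { .name = NULL },
};

/* Returns 0 on success, -1 if a required check fails or the stream ends. */
int load_state(const Field *fields, void *opaque, Stream *s)
{
    for (const Field *f = fields; f->name; f++) {
        if (f->field_exists && !f->field_exists(opaque)) {
            if (f->flags & F_MUST_EXIST) return -1;
            continue;                  /* optional field absent: skip it */
        }
        size_t n = f->num;
        if (f->flags & F_VARRAY_UINT8) {
            n = *((const uint8_t *)opaque + f->num_offset);
        }
        uint8_t *base = (uint8_t *)opaque + f->offset;
        for (size_t i = 0; i < n; i++) {
            void *dst = base + i * f->elem_size;
            bool ok = f->elem_size == 1 ? get_bytes(s, dst, 1) : get_be64(s, dst);
            if (!ok) return -1;
        }
    }
    return 0;
}

HpetState g_hpet;   /* filled by hpet_load_from() so results can be inspected */

int hpet_load_from(const uint8_t *buf, size_t len)
{
    Stream s = { buf, len, 0 };
    memset(&g_hpet, 0, sizeof g_hpet);
    return load_state(hpet_fields, &g_hpet, &s);
}

/* Constructed sample streams, not real migration data. */
const uint8_t kHpetGood[]  = { 0x02, 0,0,0,0,0,0,0,0x11, 0,0,0,0,0,0,0,0x22 };
const uint8_t kHpetBad[]   = { 0x40 };                       /* 64 > 32 */
const uint8_t kHpetShort[] = { 0x02, 0,0,0,0,0,0,0,0x11 };  /* 1 of 2 */

int main(void)
{
    int good  = hpet_load_from(kHpetGood,  sizeof kHpetGood);
    int bad   = hpet_load_from(kHpetBad,   sizeof kHpetBad);
    int shrt  = hpet_load_from(kHpetShort, sizeof kHpetShort);
    printf("good=%d bad=%d short=%d\n", good, bad, shrt);
    return 0;
}
```

Without the middle table entry the kHpetBad stream would drive the VARRAY loop 64 times over a 32-slot array, which is the overrun this commit fixes; with it, load_state() returns -1 after reading the count and timer_cfg is never touched. A truncated stream is reported the same way rather than leaving half-initialised state behind.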


  Commit: 5f691ff91d323b6f97c6600405a7f9dc115a0ad1
      
https://github.com/qemu/qemu/commit/5f691ff91d323b6f97c6600405a7f9dc115a0ad1
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/pci/pcie_aer.c

  Log Message:
  -----------
  hw/pci/pcie_aer.c: fix buffer overruns on invalid state load

4) CVE-2013-4529
hw/pci/pcie_aer.c    pcie aer log can overrun the buffer if log_num is
               too large

There are two issues in this file:
1. log_max from remote can be larger than on local,
then buffer will overrun with data coming from state file.
2. log_num can be larger, then we get data corruption
again with an overflow but not adversary controlled.

Fix both issues.

Reported-by: Anthony Liguori <address@hidden>
Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: d8d0a0bc7e194300e53a346d25fe5724fd588387
      
https://github.com/qemu/qemu/commit/d8d0a0bc7e194300e53a346d25fe5724fd588387
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/ssi/pl022.c

  Log Message:
  -----------
  pl022: fix buffer overrun on invalid state load

CVE-2013-4530

pl022.c did not bounds check tx_fifo_head and
rx_fifo_head after loading them from file and
before they are used to dereference array.

Reported-by: Michael S. Tsirkin <address@hidden>
Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62
      
https://github.com/qemu/qemu/commit/d2ef4b61fe6d33d2a5dcf100a9b9440de341ad62
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M vmstate.c

  Log Message:
  -----------
  vmstate: fix buffer overflow in target-arm/machine.c

CVE-2013-4531

cpreg_vmstate_indexes is a VARRAY_INT32. A negative value for
cpreg_vmstate_array_len will cause a buffer overflow.

VMSTATE_INT32_LE was supposed to protect against this
but doesn't because it doesn't validate that input is
non-negative.

Fix this macro to validate the value appropriately.

The only other user of VMSTATE_INT32_LE doesn't
ever use negative numbers so it doesn't care.

Reported-by: Anthony Liguori <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 4b53c2c72cb5541cf394033b528a6fe2a86c0ac1
      
https://github.com/qemu/qemu/commit/4b53c2c72cb5541cf394033b528a6fe2a86c0ac1
  Author: Michael Roth <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: avoid buffer overrun on incoming migration

CVE-2013-6399

vdev->queue_sel is read from the wire, and later used in the
emulation code as an index into vdev->vq[]. If the value of
vdev->queue_sel exceeds the length of vdev->vq[], currently
allocated to be VIRTIO_PCI_QUEUE_MAX elements, subsequent PIO
operations such as VIRTIO_PCI_QUEUE_PFN can be used to overrun
the buffer with arbitrary data originating from the source.

Fix this by failing migration if the value from the wire exceeds
VIRTIO_PCI_QUEUE_MAX.

Signed-off-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 36cf2a37132c7f01fa9adb5f95f5312b27742fd4
      
https://github.com/qemu/qemu/commit/36cf2a37132c7f01fa9adb5f95f5312b27742fd4
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: validate num_sg when mapping

CVE-2013-4535
CVE-2013-4536

Both virtio-block and virtio-serial read VirtQueueElements in as buffers
and pass them to virtqueue_map_sg(), where num_sg is taken from the wire
and can force writes to indices beyond VIRTQUEUE_MAX_SIZE.

To fix, validate num_sg.

Reported-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Cc: Amit Shah <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: caa881abe0e01f9931125a0977ec33c5343e4aa7
      
https://github.com/qemu/qemu/commit/caa881abe0e01f9931125a0977ec33c5343e4aa7
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/arm/pxa2xx.c

  Log Message:
  -----------
  pxa2xx: avoid buffer overrun on incoming migration

CVE-2013-4533

s->rx_level is read from the wire and used to determine how many bytes
to subsequently read into s->rx_fifo[]. If s->rx_level exceeds the
length of s->rx_fifo[] the buffer can be overrun with arbitrary data
from the wire.

Fix this by validating rx_level against the size of s->rx_fifo.

Cc: Don Koch <address@hidden>
Reported-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Reviewed-by: Don Koch <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: ead7a57df37d2187813a121308213f41591bd811
      
https://github.com/qemu/qemu/commit/ead7a57df37d2187813a121308213f41591bd811
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/display/ssd0323.c

  Log Message:
  -----------
  ssd0323: fix buffer overrun on invalid state load

CVE-2013-4538

s->cmd_len used as index in ssd0323_transfer() to store 32-bit field.
Possible this field might then be supplied by guest to overwrite a
return addr somewhere. Same for row/col fields, which are indices into
framebuffer array.

To fix validate after load.

Additionally, validate that the row/col_start/end are within bounds;
otherwise the guest can provoke an overrun by either setting the _end
field so large that the row++ increments just walk off the end of the
array, or by setting the _start value to something bogus and then
letting the "we hit end of row" logic reset row to row_start.

For completeness, validate mode as well.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Peter Maydell <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 5193be3be35f29a35bc465036cd64ad60d43385f
      
https://github.com/qemu/qemu/commit/5193be3be35f29a35bc465036cd64ad60d43385f
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/input/tsc210x.c

  Log Message:
  -----------
  tsc210x: fix buffer overrun on invalid state load

CVE-2013-4539

s->precision, nextprecision, function and nextfunction
come from wire and are used
as idx into resolution[] in TSC_CUT_RESOLUTION.

Validate after load to avoid buffer overrun.

Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 52f91c3723932f8340fe36c8ec8b18a757c37b2b
      
https://github.com/qemu/qemu/commit/52f91c3723932f8340fe36c8ec8b18a757c37b2b
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/gpio/zaurus.c

  Log Message:
  -----------
  zaurus: fix buffer overrun on invalid state load

CVE-2013-4540

Within scoop_gpio_handler_update, if prev_level has a high bit set, then
we get bit > 16 and that causes a buffer overrun.

Since prev_level comes from wire indirectly, this can
happen on invalid state load.

Similarly for gpio_level and gpio_dir.

To fix, limit to 16 bit.

Reported-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 3c3ce981423e0d6c18af82ee62f1850c2cda5976
      
https://github.com/qemu/qemu/commit/3c3ce981423e0d6c18af82ee62f1850c2cda5976
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/scsi/virtio-scsi.c

  Log Message:
  -----------
  virtio-scsi: fix buffer overrun on invalid state load

CVE-2013-4542

hw/scsi/scsi-bus.c invokes load_request.

 virtio_scsi_load_request does:
    qemu_get_buffer(f, (unsigned char *)&req->elem, sizeof(req->elem));

this probably can make elem invalid, for example,
make in_num or out_num huge, then:

    virtio_scsi_parse_req(s, vs->cmd_vqs[n], req);

will do:

    if (req->elem.out_num > 1) {
        qemu_sgl_init_external(req, &req->elem.out_sg[1],
                               &req->elem.out_addr[1],
                               req->elem.out_num - 1);
    } else {
        qemu_sgl_init_external(req, &req->elem.in_sg[1],
                               &req->elem.in_addr[1],
                               req->elem.in_num - 1);
    }

and this will access out of array bounds.

Note: this adds security checks within assert calls since
SCSIBusInfo's load_request cannot fail.
For now simply disable builds with NDEBUG - there seems
to be little value in supporting these.

Cc: Andreas Färber <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 3476436a44c29725efef0cabf5b3ea4e70054d57
      
https://github.com/qemu/qemu/commit/3476436a44c29725efef0cabf5b3ea4e70054d57
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/pci/pci.c
    M include/migration/vmstate.h
    M target-arm/machine.c

  Log Message:
  -----------
  vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/

As the macro verifies the value is positive, rename it
to make the function clearer.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 9f8e9895c504149d7048e9fc5eb5cbb34b16e49a
      
https://github.com/qemu/qemu/commit/9f8e9895c504149d7048e9fc5eb5cbb34b16e49a
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/usb/bus.c

  Log Message:
  -----------
  usb: sanity check setup_index+setup_len in post_load

CVE-2013-4541

s->setup_len and s->setup_index are fed into usb_packet_copy as
size/offset into s->data_buf, it's possible for invalid state to exploit
this to load arbitrary data.

setup_len and setup_index should be checked to make sure
they are not negative.

Cc: Gerd Hoffmann <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Gerd Hoffmann <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 767adce2d9cd397de3418caa16be35ea18d56f22
      
https://github.com/qemu/qemu/commit/767adce2d9cd397de3418caa16be35ea18d56f22
  Author: Peter Maydell <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M docs/migration.txt
    M vmstate.c

  Log Message:
  -----------
  savevm: Ignore minimum_version_id_old if there is no load_state_old

At the moment we require vmstate definitions to set minimum_version_id_old
to the same value as minimum_version_id if they do not provide a
load_state_old handler. Since the load_state_old functionality is
required only for a handful of devices that need to retain migration
compatibility with a pre-vmstate implementation, this means the bulk
of devices have pointless boilerplate. Relax the definition so that
minimum_version_id_old is ignored if there is no load_state_old handler.

Note that under the old scheme we would segfault if the vmstate
specified a minimum_version_id_old that was less than minimum_version_id
but did not provide a load_state_old function, and the incoming state
specified a version number between minimum_version_id_old and
minimum_version_id. Under the new scheme this will just result in
our failing the migration.

Signed-off-by: Peter Maydell <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: a9c380db3b8c6af19546a68145c8d1438a09c92b
      
https://github.com/qemu/qemu/commit/a9c380db3b8c6af19546a68145c8d1438a09c92b
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/sd/ssi-sd.c

  Log Message:
  -----------
  ssi-sd: fix buffer overrun on invalid state load

CVE-2013-4537

s->arglen is taken from wire and used as idx
in ssi_sd_transfer().

Validate it before access.

Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e
      
https://github.com/qemu/qemu/commit/73d963c0a75cb99c6aaa3f6f25e427aa0b35a02e
  Author: Michael Roth <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/intc/openpic.c

  Log Message:
  -----------
  openpic: avoid buffer overrun on incoming migration

CVE-2013-4534

opp->nb_cpus is read from the wire and used to determine how many
IRQDest elements to read into opp->dst[]. If the value exceeds the
length of opp->dst[], MAX_CPU, opp->dst[] can be overrun with arbitrary
data from the wire.

Fix this by failing migration if the value read from the wire exceeds
MAX_CPU.

Signed-off-by: Michael Roth <address@hidden>
Reviewed-by: Alexander Graf <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 98f93ddd84800f207889491e0b5d851386b459cf
      
https://github.com/qemu/qemu/commit/98f93ddd84800f207889491e0b5d851386b459cf
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/net/virtio-net.c

  Log Message:
  -----------
  virtio-net: out-of-bounds buffer write on load

CVE-2013-4149 QEMU 1.3.0 out-of-bounds buffer write in
virtio_net_load()@hw/net/virtio-net.c

>         } else if (n->mac_table.in_use) {
>             uint8_t *buf = g_malloc0(n->mac_table.in_use);

We are allocating buffer of size n->mac_table.in_use

>             qemu_get_buffer(f, buf, n->mac_table.in_use * ETH_ALEN);

and read to the n->mac_table.in_use size buffer n->mac_table.in_use *
ETH_ALEN bytes, corrupting memory.

If adversary controls state then memory written there is controlled
by adversary.

Reviewed-by: Michael Roth <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: a890a2f9137ac3cf5b607649e66a6f3a5512d8dc
      
https://github.com/qemu/qemu/commit/a890a2f9137ac3cf5b607649e66a6f3a5512d8dc
  Author: Michael S. Tsirkin <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M hw/virtio/virtio.c

  Log Message:
  -----------
  virtio: validate config_len on load

Malformed input can have config_len in migration stream
exceed the array size allocated on destination, the
result will be heap overflow.

To fix, that config_len matches on both sides.

CVE-2014-0182

Reported-by: "Dr. David Alan Gilbert" <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>

--

v2: use %ix and %zx to print config_len values
Signed-off-by: Juan Quintela <address@hidden>


  Commit: ca99993adc9205c905dba5dc1bb819959ada7200
      
https://github.com/qemu/qemu/commit/ca99993adc9205c905dba5dc1bb819959ada7200
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M migration.c

  Log Message:
  -----------
  Disallow outward migration while awaiting incoming migration

QEMU will assert if you attempt to start an outgoing migration on
a QEMU that's sitting waiting for an incoming migration (started
with -incoming), so disallow it with a proper error.

(This is a fix for https://bugzilla.redhat.com/show_bug.cgi?id=1086987 )

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Andreas Färber <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 548f52ea06951c20f0b91cae6cde0512ec073c83
      
https://github.com/qemu/qemu/commit/548f52ea06951c20f0b91cae6cde0512ec073c83
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M include/migration/qemu-file.h
    M qemu-file.c

  Log Message:
  -----------
  Make qemu_peek_buffer loop until it gets its data

Make qemu_peek_buffer repeatedly call fill_buffer until it gets
all the data it requires, or until there is an error.

  At the moment, qemu_peek_buffer will try one qemu_fill_buffer if there
  isn't enough data waiting, however the kernel is entitled to return
  just a few bytes, and still leave qemu_peek_buffer with less bytes
  than it needed.  I've seen this fail in a dev world, and I think it
  could theoretically fail in the peeking of the subsection headers in
  the current world.

Comment qemu_peek_byte to point out it's not guaranteed to work for
  non-continuous peeks

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: ChenLiang <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>
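
The short-read point in the commit message above, as an added example that is not QEMU's code: a read loop that keeps calling the underlying reader until it has every byte it asked for, retrying on EINTR and stopping only at EOF or on a real error, so a kernel that hands back "just a few bytes" cannot leave the caller with a partial header it then parses as complete. The Source abstraction, fake_short_read, read_fully, demo_read and kHeader are hypothetical names constructed for this demonstration so it runs offline; the 12-byte header is made-up data, not a real migration stream.

```c
/* Added example, not QEMU code: a fill-until-satisfied read loop of the
 * kind the commit describes, run over a fake reader that returns short
 * reads and EINTR. All names here are hypothetical. */
#include <sys/types.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

typedef struct Source Source;
struct Source {
    /* Like read(2): bytes read, 0 at EOF, -1 with errno set on error. */
    ssize_t (*read)(Source *src, void *buf, size_t n);
    const uint8_t *data;      /* backing bytes for the in-memory fake */
    size_t len, pos;
    size_t chunk;             /* fake: at most this many bytes per call */
    int eintr_left;           /* fake: fail this many calls with EINTR first */
};

/* Fake kernel: short reads of at most `chunk` bytes, a few EINTRs up front. */
static ssize_t fake_short_read(Source *src, void *buf, size_t n)
{
    if (src->eintr_left > 0) {
        src->eintr_left--;
        errno = EINTR;
        return -1;
    }
    size_t avail = src->len - src->pos;
    if (avail == 0) return 0;                  /* EOF */
    size_t take = n < src->chunk ? n : src->chunk;
    if (take > avail) take = avail;
    memcpy(buf, src->data + src->pos, take);
    src->pos += take;
    return (ssize_t)take;
}

/* Keep reading until `want` bytes are buffered, EOF, or a real error.
 * Returns the byte count obtained; anything less than `want` means the
 * caller must treat the peek as failed, not parse a partial buffer. */
size_t read_fully(Source *src, uint8_t *buf, size_t want)
{
    size_t got = 0;
    while (got < want) {
        ssize_t r = src->read(src, buf + got, want - got);
        if (r < 0) {
            if (errno == EINTR) continue;      /* interrupted: try again */
            break;                             /* real error */
        }
        if (r == 0) break;                     /* EOF before `want` bytes */
        got += (size_t)r;
    }
    return got;
}

/* Constructed 12-byte "section header" (made-up data, not a real stream). */
const uint8_t kHeader[12] = { 'Q','E','V','M', 0,0,0,3, 0xde,0xad,0xbe,0xef };

/* Ask read_fully() for `want` bytes (capped at 64) from a fake that hands
 * out `chunk` bytes per call after `eintrs` EINTRs. Returns the count
 * obtained, or (size_t)-1 if the bytes that arrived were not the stream's. */
size_t demo_read(size_t chunk, int eintrs, size_t want)
{
    uint8_t scratch[64];
    if (want > sizeof scratch) want = sizeof scratch;
    Source src = { fake_short_read, kHeader, sizeof kHeader, 0, chunk, eintrs };
    size_t got = read_fully(&src, scratch, want);
    size_t cmp = got < sizeof kHeader ? got : sizeof kHeader;
    if (memcmp(scratch, kHeader, cmp) != 0) return (size_t)-1;
    return got;
}

int main(void)
{
    printf("3-byte chunks, 2 EINTRs: got %zu of 12\n", demo_read(3, 2, 12));
    printf("asked for 16, only 12 exist: got %zu\n", demo_read(5, 0, 16));
    return 0;
}
```

A single-attempt version (one fill, then give up) would return 3 bytes in the first case and hand the caller a truncated header; the loop above returns all 12, and in the second case reports 12 rather than 16 so the caller sees the shortfall.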


  Commit: e30d1d8c7195848abb28a8c734a82b845b8b456a
      
https://github.com/qemu/qemu/commit/e30d1d8c7195848abb28a8c734a82b845b8b456a
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  Count used RAMBlock pages for migration_dirty_pages

This is a fix for a bug* triggered by a migration after hot unplugging
a few virtio-net NICs, that caused migration never to converge, because
'migration_dirty_pages' is incorrectly initialised.

'migration_dirty_pages' is used as a tally of the number of outstanding
dirty pages, to give the migration code an idea of how much more data
will need to be transferred, and thus whether it can end the iterative
phase.

It was initialised to the total size of the RAMBlock address space,
however hotunplug can leave this space sparse, and hence
migration_dirty_pages ended up too large.

Signed-off-by: Dr. David Alan Gilbert <address@hidden>

(* https://bugzilla.redhat.com/show_bug.cgi?id=1074913 )

Signed-off-by: Juan Quintela <address@hidden>


  Commit: 0d6ab3ab9149767eba192ec5ad659fd34e55a291
      
https://github.com/qemu/qemu/commit/0d6ab3ab9149767eba192ec5ad659fd34e55a291
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c
    M include/migration/migration.h
    M include/sysemu/arch_init.h
    M vl.c

  Log Message:
  -----------
  Provide init function for ram migration

Provide ram_mig_init (like blk_mig_init) for vl.c to initialise stuff
to do with ram migration (currently in arch_init.c).

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Gonglei <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: d97326eec2ca1313eaf0b5cffd69af5663b5af5d
      
https://github.com/qemu/qemu/commit/d97326eec2ca1313eaf0b5cffd69af5663b5af5d
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  Init the XBZRLE.lock in ram_mig_init

Initialising the XBZRLE.lock earlier simplifies the lock use.

Based on Markus's patch in:
http://lists.gnu.org/archive/html/qemu-devel/2014-03/msg03879.html

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Gonglei <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: d99598cc9929ad6993ad3d19d9b1ec1d891f0d7f
      
https://github.com/qemu/qemu/commit/d99598cc9929ad6993ad3d19d9b1ec1d891f0d7f
  Author: Dr. David Alan Gilbert <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M migration-tcp.c
    M migration-unix.c

  Log Message:
  -----------
  Coverity: Fix failure path for qemu_accept in migration

Coverity defects 1005733 & 1005734 complain about passing a negative
value to closesocket in the error paths on incoming migration.

Stash the error value and print it in the message (previously we gave
no indication of the reason for the failure)

Use error_report

Signed-off-by: Dr. David Alan Gilbert <address@hidden>
Reviewed-by: Markus Armbruster <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 21a246a43b606ee833f907d589d8dcbb54a2761e
      
https://github.com/qemu/qemu/commit/21a246a43b606ee833f907d589d8dcbb54a2761e
  Author: ChenLiang <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  migration: remove duplicate code

version_id is checked twice in the ram_load.

Signed-off-by: ChenLiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 1534ee93cc6be992c05577886b24bd44c37ecff6
      
https://github.com/qemu/qemu/commit/1534ee93cc6be992c05577886b24bd44c37ecff6
  Author: ChenLiang <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  XBZRLE: Fix one XBZRLE corruption issue

The page may not be inserted into cache after executing save_xbzrle_page.
In case of failure to insert, the original page should be sent rather
than the page in the cache.

Signed-off-by: ChenLiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Juan Quintela <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 71411d358000cf90ced348b1ce9142c13b5a93cd
      
https://github.com/qemu/qemu/commit/71411d358000cf90ced348b1ce9142c13b5a93cd
  Author: ChenLiang <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c

  Log Message:
  -----------
  migration: Add counts of updating the dirty bitmap

Add counts to log the times of updating the dirty bitmap.

Signed-off-by: ChenLiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 58570ed894631904bcdbcd1e8b34479cebe2aae9
      
https://github.com/qemu/qemu/commit/58570ed894631904bcdbcd1e8b34479cebe2aae9
  Author: ChenLiang <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c
    M hmp.c
    M include/migration/migration.h
    M migration.c
    M qapi-schema.json
    M qmp-commands.hx

  Log Message:
  -----------
  migration: expose the bitmap_sync_count to the end

expose the count that logs the times of updating the dirty bitmap to
end user.

Signed-off-by: ChenLiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: 8bc3923343e91902ca541112b3bdb5448f8d288e
      
https://github.com/qemu/qemu/commit/8bc3923343e91902ca541112b3bdb5448f8d288e
  Author: ChenLiang <address@hidden>
  Date:   2014-05-05 (Mon, 05 May 2014)

  Changed paths:
    M arch_init.c
    M hmp.c
    M include/migration/migration.h
    M migration.c
    M qapi-schema.json
    M qmp-commands.hx

  Log Message:
  -----------
  migration: expose xbzrle cache miss rate

expose xbzrle cache miss rate

Signed-off-by: ChenLiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Juan Quintela <address@hidden>


  Commit: c9541f67df48b2c01c4a3d0d7b719b51c6ac9f38
      
https://github.com/qemu/qemu/commit/c9541f67df48b2c01c4a3d0d7b719b51c6ac9f38
  Author: Peter Maydell <address@hidden>
  Date:   2014-05-07 (Wed, 07 May 2014)

  Changed paths:
    M arch_init.c
    M docs/migration.txt
    M hmp.c
    M hw/arm/pxa2xx.c
    M hw/display/ssd0323.c
    M hw/gpio/zaurus.c
    M hw/ide/ahci.c
    M hw/input/tsc210x.c
    M hw/intc/openpic.c
    M hw/net/virtio-net.c
    M hw/pci/pci.c
    M hw/pci/pcie_aer.c
    M hw/scsi/virtio-scsi.c
    M hw/sd/ssi-sd.c
    M hw/ssi/pl022.c
    M hw/timer/hpet.c
    M hw/usb/bus.c
    M hw/virtio/virtio.c
    M include/hw/virtio/virtio-net.h
    M include/migration/migration.h
    M include/migration/qemu-file.h
    M include/migration/vmstate.h
    M include/sysemu/arch_init.h
    M migration-tcp.c
    M migration-unix.c
    M migration.c
    M qapi-schema.json
    M qemu-file.c
    M qmp-commands.hx
    M target-arm/machine.c
    M vl.c
    M vmstate.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20140505' into staging

migration/next for 20140505

# gpg: Signature made Mon 05 May 2014 21:27:24 BST using RSA key ID 5872D723
# gpg: Can't check signature: public key not found

* remotes/juanquintela/tags/migration/20140505: (36 commits)
  migration: expose xbzrle cache miss rate
  migration: expose the bitmap_sync_count to the end
  migration: Add counts of updating the dirty bitmap
  XBZRLE: Fix one XBZRLE corruption issue
  migration: remove duplicate code
  Coverity: Fix failure path for qemu_accept in migration
  Init the XBZRLE.lock in ram_mig_init
  Provide init function for ram migration
  Count used RAMBlock pages for migration_dirty_pages
  Make qemu_peek_buffer loop until it gets its data
  Disallow outward migration while awaiting incoming migration
  virtio: validate config_len on load
  virtio-net: out-of-bounds buffer write on load
  openpic: avoid buffer overrun on incoming migration
  ssi-sd: fix buffer overrun on invalid state load
  savevm: Ignore minimum_version_id_old if there is no load_state_old
  usb: sanity check setup_index+setup_len in post_load
  vmstate: s/VMSTATE_INT32_LE/VMSTATE_INT32_POSITIVE_LE/
  virtio-scsi: fix buffer overrun on invalid state load
  zaurus: fix buffer overrun on invalid state load
  ...

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/7f8fea8b3d31...c9541f67df48
